Redefining CyberSecurity

A Reality Check: Platforms vs. Standalone Solutions and Their Place in an Expanding and Contracting Cybersecurity Market | A Conversation with Eric Parizo and Richard Stiennon | Redefining CyberSecurity Podcast with Sean Martin

Episode Summary

In this long-awaited episode of Redefining CyberSecurity, security experts and analysts, Eric Parizo and Richard Stiennon, join Sean Martin to dive into a deep debate about cybersecurity platforms' future viability. Their combination of divergent insights and in-depth analysis of the complex market dynamics surrounding cybersecurity platforms—and the state of the market overall—offers listeners a fresh perspective, as they demystify the commonly pitched narrative heralding platforms as the ultimate solution amidst the expanding (and sometimes contracting) field of cybersecurity offerings.

Episode Notes

Guests:

Eric Parizo, Managing Principal Analyst at Omdia [@OmdiaHQ]

On Linkedin | https://www.linkedin.com/in/ericparizo/

On Twitter | https://twitter.com/EricParizo

Richard Stiennon, Chief Research Analyst at IT-Harvest [@cyberwar]

On Twitter | https://twitter.com/stiennon

On LinkedIn | https://www.linkedin.com/in/stiennon/

On YouTube | https://www.youtube.com/channel/UCJbNLvhmVGnRerhrSU1mFug

____________________________

Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

____________________________

This Episode’s Sponsors

Imperva | https://itspm.ag/imperva277117988

Devo | https://itspm.ag/itspdvweb

___________________________

Episode Notes

In this episode of the Redefining CyberSecurity Podcast, host Sean Martin engages in an enlightening dialogue with industry analysts and cybersecurity veterans, Eric Parizo and Richard Stiennon. The trio explores various aspects of the vendor space in cybersecurity, discussing topics like vendor consolidation, market contraction, and the state of M&A, all of which inundate an already-overwhelmed IT environment with complex products.

Parizo, a managing principal analyst, counters the narrative of large vendors, stating that most companies desire best-of-breed solutions that offer better integration and measurable outcomes. However, he sees challenges in getting standalone solutions to work together efficiently. To tackle this, Parizo envisages a shift from product integration to data integration, enabling enterprises to handle security data in centralized repositories like Amazon Security Lake.

Stiennon, a chief research analyst, points out that security will always be a subpart of the next big thing. Despite the increase in intelligent security systems and development in DevSecOps, Stiennon expresses doubt about a total transformation in security due to the potential disruption to business productivity. Instead of seeking transformation in security, he urges CISOs to first identify and reduce the number of redundant products they pay for, as vendors often progressively add features that might already be available in their product pool.

Parizo and Stiennon both offered unique insights into the future of cybersecurity platforms. Parizo acknowledged the merits of the platform approach but challenged the assertion made by large vendors about the superiority and cost-effectiveness of cybersecurity platforms over standalone solutions. He suggested most companies prefer best-of-breed solutions due to enhanced integration and measurable performance outcomes. Conversely, Stiennon expressed skepticism about cybersecurity platforms becoming predominant in the market, asserting that new threats and ongoing innovation make it impossible for one vendor to fully secure an enterprise. Both analysts indicate that, although cybersecurity platforms offer some benefits, the continually evolving security landscape ensures that no single platform approach will dominate the market.

Ultimately, Parizo and Stiennon believe that, while consolidation and platform approaches have some benefits, the key to organizational security lies in continuous innovation, knowing the full capabilities of products, and utilizing comprehensive data management to communicate more effectively and make better decisions. Despite the inherent challenges, both experts also remain optimistic about the evolving role of data and AI in driving efficient cybersecurity practices.

Top questions addressed:

Companies referenced in this conversation:

Palo Alto, Cisco, Fortinet, Azure, Symantec, Google, Chrome, Norton LifeLock, AVG, Amazon, Elastic, Splunk, Snowflake, AWS, Cribl

___________________________

Watch this and other videos on ITSPmagazine's YouTube Channel

Redefining CyberSecurity Podcast with Sean Martin, CISSP playlist:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

ITSPmagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

___________________________

Resources

Inspiring Post: https://www.linkedin.com/posts/ericparizo_omdia-standalone-security-products-outsell-activity-7148426159632826368-Z2jd

There Is No Such Thing As a Cybersecurity Platform: https://www.linkedin.com/posts/stiennon_there-is-no-such-thing-as-a-cybersecurity-activity-7166219637024575489-gAut

The Future of Cybersecurity Newsletter — Balancing Platforms and Point Solutions: Insights from a Product Manager, Industry Analysts, and the Market: https://www.linkedin.com/pulse/balancing-platforms-point-solutions-insights-from-product-sean-martin-f0lae

___________________________

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?

👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

Episode Transcription

A Reality Check: Platforms vs. Standalone Solutions and Their Place in an Expanding and Contracting Cybersecurity Market | A Conversation with Eric Parizo and Richard Stiennon | Redefining CyberSecurity Podcast with Sean Martin

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________


Sean Martin: [00:00:00] Hello everybody. You're very welcome to a new episode of Redefining Cybersecurity podcast here on the ITSP Magazine Podcast Network. This is Sean Martin, your host, where I get the joy of chatting with super cool people who know a lot of stuff much more than me. Um, I have ideas, my guests have the answers a lot of times, or at least get us to think about, uh, the answers for our own organizations as we try to, uh. 
 

Not just protect the revenue the company creates, but hopefully generate, uh, more revenue in a safe and secure manner. So today's topic, um, you see my two guests, those watching, um, you're, if you're like me, you're both excited to hear what we're gonna talk about today. We're gonna be looking at, uh. The state of the market are, and more specifically the the vendor space. 
 

Is there contraction? Is there continued growth? What's the state of M&A, and, uh, I don't know, maybe closures? Perhaps we'll [00:01:00] talk about that, I suppose. But then that, so that's kind of the outside view. And then we're gonna look inward to see what organizations are doing from consolidations, simplification. 
 

Procurement perspective. Uh, how did, and then how do those two things line up? So I'm thrilled to have Eric Parizo and Richard Stiennon on. Thank you so much, guys, for, uh, being part of this. It's good to see you both, of course.  
 

Richard Stiennon: Awesome to be here.  
 

Sean Martin: Yeah. It's a, it's an honor to have you both on together. Um. 
 

So before we get into that, that fun topic, uh, a few words from each of you, uh, a little bit about your background and what you're up to at the moment. Richard, I'll, uh, start with you.  
 

Eric Parizo: Okay.  
 

Richard Stiennon: Thanks so much, Sean. Yeah, so I'm Richard Stiennon. I'm an industry analyst. Uh, started in that role, uh, 24 years ago at Gartner, and when I left Gartner, I started my own firm. 
 

'cause I didn't realize that the only thing I'm cut out for is being an industry analyst. I can't stay employed doing anything else. [00:02:00] Um, and it's been, uh, a fun time because I'm just fascinated by all of the security solutions out there. And I've been collecting. Data on all of the companies, and only recently I've been actually collecting data on their products. 
 

So I've got, uh, a pretty good picture of the industry. I put it all in a copy of the cybersecurity yearbook every year. Uh, 2023 is behind me and I just got off the phone talking to Wiley about the 2024 edition, which is coming out in June. Uh, so that's what I'm up to. I love  
 

Sean Martin: it. And we've had a chat about, uh, the yearbook, so I encourage folks to, to listen to that episode. 
 

I think we're gonna have to get an update from you when you're ready for that too, Richard. Sure. Eric,  
 

Eric Parizo: So I'm, uh, managing principal analyst here at Omdia, part of the cybersecurity team. Uh, I've been, uh, an industry analyst for about eight, almost nine years [00:03:00] now. Uh, I've, uh, been here since, uh, 2019 and, and previously with another. 
 

Firm. Before that, I was a technology journalist, uh, an editor for about, uh, 15 years, most of that covering cybersecurity. Today, I, I focus on the world of, of SecOps, which is everything, uh, involving threat detection, investigation and response. The people, the processes, and the, uh, solutions. And, uh, for those who don't know, Omdia is, uh, of course part of, uh, Informa. 
 

So we're part of the, uh, big cybersecurity family that includes Dark Reading and Black Hat. So we always have, uh, a pretty heavy presence at, uh, Black Hat USA. Uh, in August in, uh, Las Vegas and excited to, uh, talk about the, uh, the changing world or maybe not so changing world of, of cybersecurity, uh, platforms and consolidation today. 
 

Sean Martin: Exactly. And, uh, yeah, [00:04:00] we'll, we'll see you in Las Vegas for Black Hat for sure. It's one of, uh, it's one of our favorite moments during the year to, uh, to see everybody. Flock to Vegas and, and chat about cyber. Right. That's, that's a good time to say the least. Um, so Eric, this chat, I mean, I'm always thinking about this stuff. 
 

Um, I, I pretend to be, I pretend to want to be an analyst in, in another life. I think I've mentioned that to both you at some point. Um, maybe someday I'll, I'll, uh, be one, but who knows? But this post. On LinkedIn is what prompted this. And it was in relation to vendors trying to get organizations to buy into a platform play where you, you buy the platform you get and the product's on top of that and you get an all-in-one solution. 
 

Um, years ago, and I was at, uh, a big yellow company, I, I built the SIEM platform in that. It was the same story then, right? You get the platform, you get our [00:05:00] network security, you get our endpoint security, you get our risk. All this stuff all comes together nicely. You have, you have one vendor to uh, one vendor to choke, as they say. 
 

Um, so nothing's changed in terms of objective there, but I don't know how successful things have been over. Over time, a lot of growth in the, in the industry. A lot of new technologies moved to the cloud since my days at Symantec. So, Eric, I'm gonna start with you, the, the inspiration for that post. Um, I know you do a lot of research. 
 

I, I suspect there's some numbers and, and some data behind it as well. But what prompted you actually put that out there in the first place?  
 

Eric Parizo: It's been, uh, on my, uh, to-do list for a long time to, uh, to get that, uh, that post out there, which is, is based on a, uh, an article I wrote for our, our Dark Reading website. 
 

Essentially, we see a lot of the same things I think you and, and Richard and others in the industry have seen, which is [00:06:00] there's, for a long time now, been this, uh, uh, evangelism effort among the most, primarily the largest cybersecurity vendors in the industry, um, evangelizing around the idea of the cybersecurity platform, namely, that it is a better, more cost-effective, uh, better outcome proposition. 
 

To buy into a platform that instead of providing, you know, standalone solutions brings together a variety of different, previously separate capabilities into one integrated solution. And there are allegedly a lot of benefits from that. From better integration, workflow, measurable outcomes, even compliance and reporting. 
 

So of course, that has been how these large vendors seek to get enterprises to not just buy one product. But [00:07:00] buy all their different products. Right? So we wanted to do some research to really bear that out and say, okay, is that what's actually happening out there? So as part of our 2023 Omdia Cybersecurity Decision Maker survey, we asked the question, how has the number of standalone security products in your organization changed during the past 12 months? 
 

And this was essentially from. Uh, may of, of, uh, 2022 through May of, of, or, uh, late April of 2023. So, you know, we ha you know, we had kind of suspected, okay, we've seen a lot of, of, of these platforms, right? We're gonna see a, a pretty significant, uh, you know, increase in terms of the, the, the, uh, or, or decrease, rather than a number of standalone security products. 
 

Um. However, we saw the opposite. Um, more than 80% of our survey respondents saw an increase in the [00:08:00] number of standalone security products in their organizations, and forty-four percent of respondents said it wasn't just a minor increase, that it was an increase in, uh, 11% or more. So it's not. Not, not what the big vendors want you to believe at all. 
 

Organizations, according to our data, want best of breed solutions because they, we believe they desire that best of breed functionality. Now, in a perfect world, all those best of breed solutions would work together. I think better than they do today, but it certainly, uh, paints an interesting picture that the reality that the platform vendors are, are trying to espouse is a bit different from what's actually happening in the enterprise. 
 

Sean Martin: So Richard, I have a ton of thoughts, but I want to hear your, your, your perspective on that even. 
 

Richard Stiennon: So I think that's why I [00:09:00] reacted so positively to Eric's research, um, and kudos for highlighting that. Um, because there's many, many instances where. Uh, CISOs or just a group of people, but CISOs in particular, uh, are very, very loud about, uh, certain aspects of our world. 
 

Um, one of 'em is they hate salespeople and they hate the sales process. They hate being approached by salespeople. Message received loud and clear. Um, number two is they are extremely confused and frustrated at the variety of products out there, right? So in other words, they are in, uh, you know, they're almost like an open port on the internet. 
 

They're just listening for people to ping them and offer them solutions. And unfortunately, way, way too often, the only reason they ever discover that they need a particular product is from a sales call. Um, if it's a reseller, they've got a relationship and that reseller says, boy, you should really use this [00:10:00] latest DNS, whatever, and they buy it. 
 

So, and you know, I do a lot of research in how many pe, how many people actually use, uh, analysts, uh, in their product discovery and decision making. Just a minuscule number, right. Just. You know, I know Gartner has 15,000, uh, customers worldwide, which is a very small number, but those are the 15,000 biggest companies in the world. 
 

In North America alone, there are 75,000 CISOs, so there are 65,000 CISOs that don't take advantage of Gartner. They might. Be Andean or Forrester, uh, customers, um, they're not my customers. And, um, how are they making their decisions? Right? Do they, they have nobody to turn to. So all they have is this confusion. 
 

Um, I have the reaction. I'm totally in agreement with Eric. There is no, um, legitimate strategy for, uh, a vendor, be it Palo Alto or Cisco, [00:11:00] to think that they can, uh, be the source for all security for a company. Not gonna happen. It's completely impossible. Um, and it's because, you know, they, first of all, the big vendors, the Google, Microsoft don't know how to sell to the enterprise, right? 
 

They have monopolies, the enterprise has to buy from 'em. So they just do, um, maybe they get to negotiate contract terms, but usually not it. The only time I. A consolidation play makes sense is when you're sitting in the architecture in a place where you can do multiple things and that's, that works so well for network security. 
 

In the old appliance days when Fortinet and Palo Alto said, Hey, look it, it's. The packets are going through our network, so we can do stuff and we can apply, you know, application layer filtering and we can play IPS filtering and, and we can even do secure web gateway stuff because we can [00:12:00] block going to pornography sites. 
 

So that worked. Everybody consolidate it. It would be stupid for any CISO to, to make a best of breed argument that hey, this Blue Coat standalone software, uh, secure web gateway should be in front of my Palo Alto or anything like that. Just ridiculous. Just use one product for that on the point, no less so, right. 
 

It's, um, you know, we do have the CrowdStrikes, the SentinelOnes certainly displacing anti-virus, but there are a whole bunch of other endpoint solutions that have not been consolidated. It would be nice to have one agent to deploy, but yeah, nobody's done that very well, uh, and have not won that, that space over. 
 

But buying your endpoint and network security and identity security and encryption and, and data security from the same vendor, never. It's never gonna happen. So, you know, if you're [00:13:00] Cisco thinking, you can create a PowerPoint presentation that says you do all that, just forget it. Go home, you know, pick some silos and go after them. 
 

That's what you're good at.  
 

Sean Martin: So I'm gonna stick with you for a moment, Richard. So I'd like to get a view from you for. What activities taking place in terms of mergers and acquisitions? Maybe partnerships that don't go all the way to, uh, to something as extreme as an acquisition, but Yep. Do maybe in some of those categories, um, where do you see some of the consolidation and perhaps, uh, in terms of feature set? 
 

Um, sure. And then also, um, do you still see. Stuff at the platform, or aside from the couple that you mentioned? Yeah. Do you see, do you see organizations still trying to make that play?  
 

Eric Parizo: Yeah. Yeah.  
 

Richard Stiennon: Um, so first, you know, let's talk about some of the, uh, activity, I guess. So last year, um, was certainly a down year from, [00:14:00] uh, from the year before as far as M&A and funding. 
 

So there were 250, uh, uh, acquisitions, um, spread across strategic, uh, versus private equity kind of deals. And that was down twenty-five percent from the 355 the year before. So significant drop and kind of contrary to what you'd expect, right? If, if, as we all heard, valuations were plummeting and down rounds all over the place, you would think it'd be cheaper to acquire companies and therefore there would be more. 
 

Weren't acquired, but it turns out that private equity and even strategic buyers have the same qualms about making investments that we do as individuals in the stock market. Right. It's, you know, come on, CrowdStrike, Palo Alto, Cisco, Fortinet were all down 60% from their, in November of 2021. Um, and. 
 

Yet people weren't thinking they should buy the stock at, at that huge discount. And so they missed out on, you [00:15:00] know, the 240% increase CrowdStrike's made in the last year. Um, and same thing with investors in big stuff, right? They just are, they're waiting. See what happens. So rather than buy at the best price, they are gonna wait until the price is double again and then buy in then and, we'll, I think this year will be a blowout year for, for acquisitions. 
 

On consolidation. I'm, you know, uh, I, I always beat the drum. There's no consolidation in the cybersecurity industry. Um, there is, there's no roll-up play to be had. All that said, the endpoint security sub-segment has consolidated and just like I used to break the journalist, um, not present company, I'm sure, who would, every time Symantec made an acquisition, would say the industry is consolidating. 
 

And any further sign of industry consolidation, Symantec acquired so-and-so, uh, it was just like a trope [00:16:00] almost. Um, I'd always chime in and I'd say, you know, give all my arguments why the industry doesn't consolidate. That always ends with, well, no, consolidation is happening when Symantec buys McAfee. 
 

Right? That's consolidation when likes buy likes. That's what you got in Detroit when the 104 automotive companies, you know, consolidated to four back in 1925, um, or, or hotel chains in the US, right? I think there's three or four left. Um, that's consolidation. And sure enough, it was Symantec, it was what was left of them. 
 

Norton LifeLock, so a public company, and they acquired Avast, Avira and AVG. And if there are any other AV vendors that begin with A, they'll acquire them too and consolidate them all into one thing. And now it's the, it's the highest revenue per employee public company that's in cybersecurity, they do over a million in revenue per employee. 
 

'cause [00:17:00] it's super efficient to just babysit a whole bunch of continuous revenue streams at twenty-five dollars or thirty-nine dollars a year from the Avasts and AVGs because those people don't know how to unsubscribe. So it's, they're just gonna tail that out forever and probably a great stock investment, uh, to get a piece of that, that action from people who don't know. 
 

Enough to know that they can just use Windows Defender, it's free. And that's the other reason, of course, that sparked all of this is, uh, they, the, the big antivirus vendors can't fight against Microsoft. It just, it's so frustrating. It's just, so we're just gonna give it to you. You got it. You know, pay us whatever it is, $150 a year per E5 license, and you automatically get all this good stuff for free. 
 

So, um, fundings were in pretty good shape last year as well, but only just over $10 billion. So same level as, uh, 2020 fundings. [00:18:00] Um, so we're just kind of back. It's almost like we cut the hump out of the curve and we're just gonna grow from here, I think.  
 

Sean Martin: Interesting. Interesting. And I, thanks for all that insight, Richard and, and Eric. 
 

I, I wanna bring it. Back inside, and maybe your thoughts on some of what Richard just described because. My view, I get to talk to a lot of people. Thankfully, there seems to be a tremendous amount of complexity when you start adding all of these things. And Richard, I think, uh, I think you nailed it when you, when you said that, uh, it's the sales calls that determine how CISOs become aware. 
 

I was just talking about this yesterday with, uh, with a doctor who, who now does cybersecurity for healthcare. Cool. Actual phy a medical doctor. Um, but we talked about the fact that. It's the, it's the vendor-driven awareness of what's required that drives the purchase of stuff, not, not a business decision to say where, where [00:19:00] are we at risk and how do we, how do we plug these holes? 
 

Um, but so they buy a lot of stuff and they try to get it all working together. And of course with the complexity comes, uh, additional risk and the gaps and the holes and the misconfigs and all the other stuff that comes with it. So my view is that the. There's a desire, at least maybe not enough action, but at least a desire to simplify and I'll say consolidate tools inside. 
 

Some of your research suggests otherwise, Eric, but what do you, what else do you have in that light? I.  
 

Eric Parizo: Yeah. Uh, lots to unpack there, Sean. So let me see where to, where to begin. Um, I, I, I generally agree as far as, uh, products in need. I'll say in, in my experience, it's a little bit of a mix between the two. I think what often happens is. 
 

Enterprises, CISOs. They do, it does start with recognizing a [00:20:00] general need that they have either, um, you know, they were breached in some way and they need to, to shore up the, the, their security capabilities in the, in the ways that, uh, were insufficient or, um, they have a, a risk problem that they need to mitigate or reduce or offload, um, some kind of issue that they need to solve. 
 

But because there is such a big, um, market for cybersecurity solutions out there, it's hard to really do. An in-depth search and get a sense of every possible solution that's that's out there. So that's where those vendors that do have the aggressive marketing, uh, come into play. And that gives them an advantage because they can do a better job of getting in front of those. 
 

Enterprises that, that do have, have the need. Um, as far as, um, you know, some of the data Richard, uh, mentioned, you know, our, our data is similar as far as, uh, cybersecurity acquisitions. [00:21:00] Uh, last year, 2023 was essentially, uh, a flat year and, and we're anticipating a little bit more of a bump, um, this year. To Richard's credit, he has some of the industry's best data on cybersecurity funding. 
 

And I think Richard's data really shores up this, this ongoing cycle we have where uh, yes, there is a steady number of acquisitions. All this funding is continued. Billions of dollars is continually coming into the market to fund new startups that just come in and take their place at an even, even greater rate. 
 

So there's a constantly growing number of, of cybersecurity vendors in the industry that's only adding, you know, to the confusion until they in turn do get acquired and the cycle starts all over again. Um. In terms of the complexity, um, I, about five, six years ago, I, um, I, I [00:22:00] sort of coined a, a, a term for what was then kind of an emerging security market segment. 
 

I called it security platform integration frameworks, or SPFs. The idea was solving this very problem: organizations purchase so many best-of-breed solutions. They need them, they solve legitimate problems, but it's hard to get them all to work together, um, do so efficiently and get the cybersecurity outcomes they want. 
 

So SPFs were designed to kind of help with that integration. Process. The irony there, SPFs were too complicated, they were too hard to work with, so ultimately they just added to, to the problem. So what we're starting to see now as an alternative is that it's not necessarily about integrating the products as much. 
 

Yes, we still see that in certain areas. Richard mentioned, you know, the, the network side and, and certainly. Um, the, the network edge and, and content gateways and such, it makes sense to have integration there. [00:23:00] Same with SecOps, you know, threat detection, investigation response. That's all a process. You need product integration there in a pretty tight, effective way. 
 

But more broadly, it's become too challenging just to integrate the dozens and dozens of security solutions organizations have. So instead we're seeing. Not a product integration, but increasing work on data integration. How can organizations instead bring together all their security data into few or ideally one centralized location, and then work with that data and provide it in the ways that they want? 
 

To any number of different security solutions. It's kind of a different approach to the integration problem, but avoid some of the traditional challenges we've seen actually making solutions work together directly, and it has the additional benefit of helping enterprises get away from these proprietary solution driven, uh, [00:24:00] data storage and management mechanisms. 
 

It's been an issue for decades with the SIEM market. Where if you buy into a SIEM, you have to buy into that vendor's proprietary data format in many, in most instances. And that in itself becomes more costly than actually buying the solution itself. So organizations, enterprises are finally getting wise to that and saying, why don't we try to circumvent that problem, uh, altogether? 
 

And that's part of the rise of. We're seeing these solutions like Amazon Security Lake and, and things like that to try to create these new centralized data repositories.  
 

Richard Stiennon: Yeah, I, I totally see that happening, Eric, and the, you know, I, I track the 3,743 vendors this morning, and there's only one that is not a security vendor that I track, and that's Cribl, because every CISO I talk to is using Cribl to manage the, the, just the data flow. 
 

They're not. [00:25:00] You know, yeah, they're deduping and stuff like that. But, um, another interesting point is that hey, integration is so important that everybody's publishing APIs. So now you can connect all these different tools together with APIs, but ironically, that led to, you know, thirty-nine API security vendors to come around and say, Hey, you're, you, you just opened all these doors. 
 

You haven't done anything about them.  
 

Sean Martin: So I, I want to let, let's stick with the data piece. 'cause the, I think one, one area, and I had had an episode just the other day looking at the, whether or not LLMs or AI belong in a SIEM. And, uh, it was a heated debate by Mick Douglas and Dinis Cruz, uh, against and for in that order. 
 

Um, and it, it begs the question for me. Who, 'cause I I [00:26:00] security data is one thing and I, I have a whole other idea about security data and how it can actually help drive better business, not just beef up security operations, but security is just one piece of the data pie that I think is relevant and important to a broader risk management view. 
 

So, I don't know, are you seeing any movements where risk type activities or, or somebody else is, is starting to dip their, dip their fingers into the security space. Uh, you, you mentioned the Cribl one, uh, that you're tracking, but are there any other examples like that, either both of you, if you have. 
 

Some, something to share.  
 

Eric Parizo: Take that first, Richard. 
 

Richard Stiennon: Yeah, sure. So I've seen dozens of examples of new database vendors coming along and they might have a security aspect to them. Um, like, uh, remember Sqrrl, right? Um, they eventually got acquired [00:27:00] by AWS, but they'll, they'll come up with a data analysis tool and they'll just sell it as a generic, Hey, if you've got data we can help make sense of it. 
 

Uh, and then they discover that security is the best use case. So all of a sudden they pivot into a security company. And that's exactly what Splunk did. Right. Um, and that. Ultimately paid off for them, right? They, um, getting acquired, uh, by Cisco, presumably maybe for their security aspect of what they do. 
 

But if you think about it, Cisco's machines generate all the machine data that's. The alerts on. So it's kind of a good marriage there. Um, of course they'll spin it as, okay, you don't need any more security products 'cause we've got the ultimate platform and we've got all the data in one place just by us instead of Elastic. 
 

Um, you know, so that's just gonna go on forever. But I don't see anybody in the risk space, um, you know, [00:28:00] getting close to doing anything, you know, interesting or helpful in the space, right? They're not technologists, they don't have technologists on staff, they don't have machine learning people. 
 

Uh, they can't afford those people anymore. So I don't think the risk-centric people, which are, you know, it's just bookkeeping for, um, security events, is how I view what they bring to the market. 
 

Sean Martin: And before you answer, Eric, I'm gonna stick with Richard and add compliance. That's not slowing down as a growth area. 
 

Richard Stiennon: True, true. Oh yeah. And I see AI applied to compliance everywhere, because compliance is such a documentation nightmare. And if there's one thing a large language model can do, it's that it can write stuff and it can interpret things that are written in other languages and write them in the language you want. And the other language might be the data reporting that's coming into them. 
 

So yeah, huge opportunities there.  
 

Eric Parizo: Yeah, I'll [00:29:00] jump in. Richard touched on kind of a point I was gonna make, so I'll just add to say it's no coincidence that, um, you know, vendors like Splunk and Elastic and Snowflake, you know, now even AWS, companies that ultimately kind of started with, or a big portion of their business is, data management have made big pivots towards security, because the security data problem is so large. It's a massive opportunity for those vendors. 

It's not only, you know, all across security, but it's specific to the area I cover, uh, SecOps, because the TDIR data is the biggest part of threat detection, investigation and response. Yeah, it's the very start of that process, ironically. But if you don't get your data pipeline right. 
 

You're not gonna get the detections and hence the response and outcomes that you want. So it's critical to get that right. I [00:30:00] wrote last year a whole 6,000-word report on threat detection data lifecycle engineering. And there's so much to it that, unless you live it every day, you don't realize just how hard it is and how the smallest of missteps as far as data gathering and correlation and deduping can have such a huge negative impact on your TDIR outcomes. It's fascinating. Really deep-in-the-weeds stuff. 

Um, separately, on the risk piece. What I would say to that is we're seeing the emergence of a really fascinating area of cybersecurity that we're calling proactive security. Up to recently, there have been really two different classifications of security products. 
 

There've been preventative products, products you put in place to try to prevent an attack from affecting you, or reactive products, products that can help you [00:31:00] after the attack is either already on your doorstep or has busted down your door. But both of those categories are essentially only helping you for attacks that are already streaming your way. 
 

But enterprises realize this isn't very efficient. Buy products and just wait for the bad stuff to come at us? What if we focus our security investments, enterprises are increasingly saying, on solutions that help us prevent the attacks from ever coming at us in the first place? 
 

And that's where proactive security is coming in. It's solutions that generally help organizations establish better visibility, understand their risk and take action based on that risk. We've seen a big rise in the last couple of years in things, uh, surrounding, uh, posture management, attack surface management in different ways. 
 

That's all part of this bigger proactive [00:32:00] puzzle that we're seeing come together, and we think it's ultimately going to have a big impact on bringing together cybersecurity with organizational risk. To date, that's been a challenging proposition, because in cybersecurity, gee, how can we measure the risk of something that may or may not happen? 
 

And then all the different things that may or may not happen. It's really challenging, but the industry is finally getting more sophisticated in how you actually measure risk, tying it increasingly to actual dollar amounts, because that's what enterprise decision makers understand. How much do I need to spend? 
 

How much could I lose if I don't spend it? Break it down really simple. So we're starting to see that come together, and it's creating some really interesting conversations about how much cybersecurity risk really exists, what really matters, how much it costs, and in turn, what enterprises should do about it. 
 

Richard Stiennon: And I [00:33:00] will believe that that's happening or getting traction when I see companies, um, deciding that it's too risky and expensive to use Windows as their operating system, or take a step back and use Google Chrome as their browser, right? Why in the world would you opt to use a browser as we are, because we're forced to for this screen capture and recording system that we're using? 
 

Um, why would you use a system that has 2,000 critical vulnerabilities every 12 months that have to be patched? You know, why not pick one that doesn't have those vulnerabilities? 
 

Eric Parizo: Yeah, it goes back to that ongoing battle that exists, right, between security and usability. If an organization, um, has its, you know, IT infrastructure based on a certain application or stack or paradigm, uh, it's hard to go away from that. 
 

Because ultimately it can affect business productivity, right? It's [00:34:00] fighting that balance that I think has been an issue for years and always will be. It doesn't mean organizations shouldn't take the opportunity to mitigate their risk where they can, where they can make that effective business case. 
 

But in many cases, you're absolutely right, Richard. It's just seen as too big of a battle, even though from the security side the security risk is enormous. But then it's still not enough to counter the risk on the business side and the lost dollars or productivity. 
 

Richard Stiennon: I was trying to gain perspective whenever I see a conflict in names between a, you know, security guard company and a, uh, IT security company. 
 

And then I just have to remember that the security guard company business is about 10 times bigger than the entire cybersecurity industry. Um, so it's just, yeah, we're only a tiny part of [00:35:00] this ecosystem, and the business owners treat us like a tiny part of it. 
 

Sean Martin: Yeah. You've both pushed out, uh, the soapbox for me. This has been my mantra on my show for the last, I dunno, six-plus months, maybe longer, where I believe, and I was with the same doctor yesterday, I was having the same conversation as well, where I believe what security is trying to push into the business is: this is risky. 
 

We can reduce the risk. We might increase, uh, reliability and availability. It's still a push into the business, and I think the business needs to pull. Where are we inefficient? Where can we accomplish greater, bigger, better outcomes, achieve something that wasn't possible? This goes back to the security data. 
 

Using the security data to say we have this vulnerable system that we're spending money on, building teams and buying products and [00:36:00] building processes to patch over and over and over again. If we, to your point, Richard, if we swapped it for something else, we might eliminate all that. Have better uptime, maybe even open up new capabilities, 
 

'cause it's a newer system that allows us to do something that we couldn't do yesterday. Yeah. Yep. That's my, I think you're on, that's my, it's a good one. I wanna throw, um, a fastball. It's gonna be, uh, let's see, a slider and a curveball in one. Because another conversation I've been having, and I think it connects well with what we're talking about here, is that we hear a lot about, and again, this is probably a lot of marketing from tech vendors, 
 

we hear a lot about transformation in the business. And I wonder, when does security transform? When do we have our shot to do something beyond what we're able to do today, instead of just adding to [00:37:00] the product set that we have? And so that's, maybe that's the curveball. The, uh, the slider part of it is the role of platform engineering. 
 

'Cause I see another area, which is this, for the more mature organizations, the Fortune 500 maybe, where they're building out IT platforms with a bunch of shared services and a lot of capabilities, where they're really honing in on the core workflows that are critical to their business and building out the systems in a platform to support those. Can security fit in there somehow? 
 

So, fastball, curveball, slider, coming your way. Who wants to respond with what? 
 

Richard Stiennon: I'll start this time. I'm not gonna take the wind out of anybody's sails because it's, you know, just ad hoc thinking. Thinking back to when I joined Gartner, I was the second industry analyst at Gartner to cover security. 
 

And John Pescatore was the only one. [00:38:00] And so we sat down, uh, our first day, and he said, you know, the great thing about our industry is that it's never the next big thing. In other words, it's never gonna be the thing front and center, you know, companies building their strategies around it, uh, et cetera. Um, but he said it's always part of the next big thing. 
 

And that has played out over and over, right? So as the cloud came about, boom, security everywhere for the cloud stuff. Uh, as IoT, um, started getting connected to the internet, boom, security. Your mobile devices, boom, security. So we'll always be there. And even right now we see, uh, I track, uh, eight vendors that are offering, uh, security for large language models. 
 

And, you know, definitely AI is the next big thing, but, um, usually nothing gets traction until there's a threat that justifies it. Um, so I don't see the first part, the [00:39:00] slider? No, the curve part, um, happening. Um, I just see continual, and this is why we're all still in business, um, as analysts, journalists, et cetera, is that all of the mistakes of the past will always be repeated, right? 
 

Companies will come on the market, they'll do fantastic cool stuff in a new space. Um, and it gets to a certain level that attackers see what's going on and recognize the value to them for attacking it, and boom, they attack it. And then the cybersecurity vendors that have solutions will do well, and they'll just continue. 
 

Nobody is ever gonna come to market with a brand new, cool, awesome thing that everybody needs right away and make it secure when they start. It's not gonna happen, because they don't know. It's just like Twitter, when they still had only a million users, um, had no timeouts on the number of times you could attempt to log in, so you could run a, um, brute force attack against any Twitter account, and in the morning you'd have the password. [00:40:00] 
 

It was, they just... And I don't blame 'em for doing that. Why would you invest in security when you don't even know if you're gonna succeed for your, back then, stupid, you know, way for people to organize, uh, who's paying for lunch, uh, which is all it was for. So, yeah. So I don't, things are just gonna continue the way they are. 
 

Sorry. 
 

Eric Parizo: I can't disagree, as usual. Can't disagree with anything Richard says, but I'll take it from a different angle to provide a, you're crushing my vision, guys. You're crushing a little bit of hope for you in this way, Sean. I do feel like in the last three, four years, we've seen steady growth and interest in, um, the area of DevSecOps. 
 

And I think that dovetails with what you were talking about earlier, where this concept of, you know, from the very beginning of the software development lifecycle, making sure secure [00:41:00] concepts, secure code, security best practices are built in, both from a development as well as a capabilities and lifecycle standpoint. 
 

So that, ideally, you have less insecure code that ever finds its way into production. And then less, uh, downtime and effort having to go back and patch vulnerabilities later, because they're weeded out of the process, again, ideally, before it ever, uh, gets fully published anyway. 
 

Now, it takes a bit of a security culture, and this is where it gets really challenged. You need really good business and security leadership, because ultimately the foundation of DevSecOps is you have to position security as a business enabler. Security has to be able to go to the table with other business decision makers and say, work with us more, because ultimately we can help you from a business standpoint. We [00:42:00] can save you time, save you money, reduce business risk. Ultimately it's a good proposition to give us a seat at the table and work with you to implement these kinds of secure processes. Now, many organizations never get to that point, and that's a shame, because I think if more did, it ultimately would lead to more efficient organizations, reduced security risk, 
 

uh, fewer exploits, all good things. But it takes an ability for security leaders to grow and develop that culture of security and build trust with those decision makers and partners across the business to say that, listen, we're not gonna slow you down. We're gonna help you ultimately meet the goals, um, that you have to meet for this business. 
 

Um, I optimistically believe that as time goes on, we're gonna continue to make [00:43:00] steady gains in that area. I feel like, uh, using, uh, an analogy well-worn by Richard's former employer, we're a little bit in that trough of disillusionment right now with DevSecOps. But I believe that over time we're gonna head back on a very positive trajectory, and organizations are gonna realize the many benefits of building security in. 
 

Richard Stiennon: If we had time, I'd spend an hour disagreeing with you. 
 

Eric Parizo: Richard's been around long enough to learn the folly of optimism. 
 

Richard Stiennon: And I'm truly an optimist, and I totally believe that, yes, you should build security in. Um, I just don't think it'll ever happen. 'Cause there are millions of independent software vendors, is that what we call 'em? 
 

ISVs. And you know, Jen Easterly at CISA is just, they [00:44:00] think that the solution to our problem is that everybody produce better software, and that is gonna happen about the same time as, uh, everybody is patched, uh, within a day of any new vulnerability being announced, right? Two aspirational things that are never, ever gonna happen. 
 

And from personal experience, um, I was once trying to push this code analysis tool that would, uh, show you a diff between the old version and the new version, and, uh, I was helping somebody who was trying to be the distributor for that in the US. Couldn't, they did not get a single sale. They could not even identify the title of the person in the DevOps or the development world who would buy security products, right? 
 

There's nobody you can call up and say, hey, we've got a solution that fits with your IDE and prevents people from making mistakes. There's nobody there except the actual VP of engineering, who's busy trying to get a product out the door, so he doesn't wanna [00:45:00] talk to you. So, and has no budget for adding in additional steps. 
 

It's like, no way. Sorry. Wait, you're gonna slow me down. You're gonna, you know, your IDE is gonna show stuff in red when it's not doing a memory check in C++. Yeah. Oh, sorry. You know, who cares, right? The Chinese aren't gonna get that software and hack it. We're done. 
 

Eric Parizo: I'll counter that just by saying, I think, if I may, Sean, I think an interesting change agent, again, I have a hard time disagreeing with anything Richard offers up there, I think a fascinating change agent there really could be AI. And as time goes on, as AI becomes more of a part of the software development lifecycle, yeah, I think it will get easier. As development becomes more automated and AI becomes a part of that, it'll be easier to make 
 

better choices with security in mind. You know, developers are creatures of habit. They do what they know, [00:46:00] and it's hard to go outside that sometimes. But if you have kind of that assistant there saying, hey, you can use this other, newer, you know, piece of code that, you know, is confirmed not to have any security vulnerabilities in it, 
 

would you like to use this instead? Click yes. And then it's that easy. Totally, to me, gonna change the paradigm. Are we years away from that? Yes. But ultimately I think that gives us a little reason for hope. 
 

Richard Stiennon: I totally agree with you there, because it's not that AI is gonna continue to always be an assistant to developers. 
 

Someday, you'll just tell AI, you know, act, read it like a black box: write me the code that takes this input and outputs that. You'll test it, it does it. And then you can tell the AI, make it secure, and you'll never look at the inside of it, but it is more secure. So that's a good thing. And the other change agent is you, Eric, right? 
 

You're on the soapbox and you're promoting this and encouraging [00:47:00] companies, and hopefully, you know, some of the large banks I've talked to who have 6,000 developers, and then they have a security team of six people who go in and check pieces of code to see if they've done everything right. And it's like, maybe someday it'll go the other way around. 
 

Eric Parizo: Yeah.  
 

Sean Martin: Yeah. That's definitely not the right ratio. No. Listen, uh, gentlemen, it's been fantastic. What I wanna do as we wrap here, uh, brief word from each of you. Um, for the CISOs and security leaders listening and watching this: a lot of cool conversations and good data, a lot of analysis of what's been happening, where we might be heading. 
 

Uh, let's bring it down to reality, a little brass tacks. Uh, what should, uh, security leaders and CISOs and CSOs kind of do today, do you think, given what we just talked about? [00:48:00] 
 

Eric Parizo: Yeah. So to go back to where we started, Sean, I don't necessarily think the platform approach is necessarily the wrong approach. 
 

You know, where you can, you should try to consolidate security capabilities, because there are advantages to it. Ultimately, though, it's often hard, in our experience, to achieve best of breed that way. However, a good point to make is that, you know, sometimes consolidating onto a platform can enable you to then add another capability elsewhere that you need, that you don't necessarily have the budget or capability to bring in today. 
 

So I think it's not a one-size-fits-all approach. But that said, don't necessarily believe the hype either, that, you know, the future is all about these cybersecurity platforms, because ultimately the industry thrives on the innovation that new vendors, startups, bring into [00:49:00] the industry, because there are always new security problems to solve. 
 

So like everything in security, it's a balance.  
 

Richard Stiennon: Mm-hmm. And I'd leave CISOs with the, you know, task of, um, first of all, knowing what products you actually have a paid relationship with. That's not an easy task. Uh, talked to one, uh, bank that has 750 security products 'cause they've got 50 divisions and everybody just bought independently. 
 

Um, if you looked at that, you may have the same product in each division, and if you had just combined them into a single deal, you could have gotten a better price. So there are easy pickings for negotiating, uh, reductions in costs that will help you spend budget on people and other important things. 
 

And then also, you know, each vendor is constantly adding features, so you may want to go back and look at them and lay out all the capabilities that they already have and see if you're paying [00:50:00] for, uh, multiple vendors because you didn't realize that some of them do more than one thing. Uh, and do that whole analysis, or have your team do that whole analysis. 
 

And if you need help, I'm working on a tool that will do that for you automatically. 
 

Sean Martin: Nice. Automation to the rescue. I love it. And, uh, I'll add, uh, first, thank you both for, uh, being here today and sharing your thoughts and insights, and thank everybody for listening and watching. 
 

Please don't forget the reason why we're doing all of this, which is to secure the business, right? It's not just to have a well-oiled program. Uh, it's beyond the program. It's to make sure the business is secure. Make sure that the customers and society that's impacted by those businesses aren't, uh, affected negatively. 
 

So, uh, let's keep that in mind. And thank you both. Thank you all for listening. [00:51:00] Please do subscribe, share, and, uh, if you have your own thoughts, please do comment as well. Thanks, everybody. We'll see you on the next episode. 
 

Richard Stiennon: Thanks, Sean. 
 

Eric Parizo: Thank you.