Join cybersecurity executive Joe Schorr as he shares insights from his journey from penetration tester to strategic advisor, exploring how AI is reshaping security, the delicate balance of vendor relationships, and the future of cyber defense.
In this captivating discussion, veteran cybersecurity executive Joe Schorr shares invaluable insights from his journey from hands-on penetration tester to high-level strategic advisor. The conversation explores the rapidly evolving cybersecurity landscape, particularly focusing on the impact of AI, the challenges of building trust in vendor relationships, and the future of risk quantification in cybersecurity.
Timeline:
0:00 Introduction and career evolution
2:00 The art of executive-level security consulting
5:00 Transitioning from CIO to strategic advisor
9:00 Building trust in cybersecurity relationships
15:00 AI's impact on security industry
25:00 Navigating modern security complexity
35:00 Security as business enablement
45:00 Evolution of security service providers
55:00 Future of security pricing models
1:05:00 Predictive security and risk assessment
1:14:00 Closing thoughts
[00:00:00] Joe Schorr, thanks very much for joining me today. How are you? You have an amazing career path. You are responsible for unbelievable P&L today, profit and loss, but your career has really progressed into the pinnacle of customer facing cybersecurity. But I want to, and you carry a lot of clout, for the people that are not familiar with all the stuff you've done, maybe just walk me through them.
[00:00:32] David Raviv I like to say the front half of my career is 99% consulting. I had a stint as a CIO, so I got to sit behind the big chair in the corner office for a while. But most of it was in professional services and consulting, starting off with all the big iron Cisco routing and switching, all that kind of stuff, and then morphing into security. And I jumped into security right on the really sexy part of it, the offensive security and penetration testing and risk assessments and all the fun stuff.
[00:01:02] David Raviv And then as time went on, I got gravitated more and more towards the conversation being elevated, and you're starting to have to remediate things and explain those results and talk to people higher and higher up in the food chain.
[00:01:19] David Raviv And then as time went on, I got to say the front half of my career. And so I started to move more and more into the, like you said, the customer facing sales side of it, the go-to-market side of it.
[00:01:40] David Raviv So the past, I'd say 10, 12 years have been almost exclusively on that part of it, dealing with the C-level, the board level type of folks.
[00:01:52] Everything from trying to help them roadmap their five-year plans to, unfortunately, sometimes do a breach response or what their defensive postures could look like after a breach.
[00:02:06] David Raviv So yeah, it's been an interesting ride, like you said, from the tip of the spear to the board.
[00:02:13] David Raviv And let me ask you this, and this is why I like this type of unscripted conversation.
[00:02:20] David Raviv So there are tens of thousands of salespeople that try to elevate themselves into that next-level conversation, meaning being on the consultative side, at the eye level with the executives and providing real value, because that's where the real magic happens, at that level.
[00:02:46] David Raviv But a lot of them just stay stuck in the transactional conversation.
[00:02:53] David Raviv Now, because you've done this and you sit in that seat, what would you recommend?
[00:03:00] How do you do that?
[00:03:01] David Raviv How do you create that kind of transition from talking about tactical point-in-time conversation to the big thing?
[00:03:09] David Raviv It's funny.
[00:03:10] David Raviv It's almost like a nature versus nurture conversation.
[00:03:12] David Raviv A lot of times, like I tend, you tend to stick with what's successful for you.
[00:03:18] David Raviv So I always tend to try and keep people around me or hire people or bring people into the team that have a similar background, quite frankly.
[00:03:27] David Raviv They might have had that consulting experience in their past, or they were director or partner at a big four and had to deal with these types of issues all the time.
[00:03:35] David Raviv Or they came up through the C-suite and they sat in that chair for a long time.
[00:03:42] David Raviv There's a degree of, there's two things.
[00:03:44] David Raviv There's a degree of empathy and there's a term called radical candor.
[00:03:51] David Raviv I think a lot of people are that pure, what people think of as that pure salesperson, that bag-carrying seller, have all the candor.
[00:03:59] David Raviv They're great at selling it like it is, and they go for the sale, and they're persistent, and they do all those things you want in a great seller.
[00:04:04] David Raviv But they might lack a little bit of that emotional intelligence that only comes from having some of those scars, from feeling a little bit of that pain from either sitting in that seat as a manager or director or sitting in a SOC or responding to breaches or helping clients do it.
[00:04:24] David Raviv I think the best sellers have a, they've got a, oddly they have a rather agnostic view of things.
[00:04:31] David Raviv You can be selling a SaaS cybersecurity product, and if you're the salesperson in there telling them, maybe this year isn't the year that you buy this.
[00:04:42] David Raviv Maybe you need to get your identity project squared away before you worry about whatever I'm selling.
[00:04:49] David Raviv I'll call you, I'll call you in six months, and hopefully everything's cool and we can talk again.
[00:04:54] David Raviv You have to have that ability to realize that you can't just pound it down people's throats when you're dealing with something like risk and security.
[00:05:07] David Raviv And why not, Joe, why not, as you mentioned, you had the corner office, you had a C-level title, and you could have just done phenomenally well taking that route.
[00:05:19] David Raviv We know that these are, the really good ones are hard to come by and they're responsible for the organizational direction from a technology perspective.
[00:05:30] David Raviv So why not continue?
[00:05:31] David Raviv Why did you decide to move into the kind of the other side?
[00:05:35] Joe Sopkin I think that's the consulting gene.
[00:05:37] Joe Sopkin I think there's just too much of me that likes fixing things or helping other people fix things.
[00:05:43] Joe Sopkin My name's Joseph.
[00:05:44] Joe Sopkin I'm named after Joseph the carpenter.
[00:05:47] Joe Sopkin I think I'm literally just a natural troubleshooter fixer, like the ultimate Monday morning quarterback.
[00:05:53] Joe Sopkin I make no bones about it.
[00:05:54] Joe Sopkin I love telling people what they did wrong and how to fix it.
[00:05:58] Joe Sopkin So if you're sitting there and you have your own shop, it's great that your work truck gets tired of hearing you preach to them all the time.
[00:06:08] Joe Sopkin You gotta get out there and share it.
[00:06:11] Joe Sopkin Yeah, absolutely.
[00:06:15] Joe Sopkin Absolutely.
[00:06:16] Joe Sopkin But you know what's funny because that role carries this high risk, high reward.
[00:06:23] Joe Sopkin Meaning, as you mentioned, there are cases where you have to have the difficult conversations.
[00:06:29] Joe Sopkin You're dealing with people that are in the worst time, like from a career perspective.
[00:06:36] Joe Sopkin There's a breach or something that happened.
[00:06:38] Joe Sopkin You come in and you deal with them, but they're absolutely low.
[00:06:42] Joe Sopkin So it's not all fun and games.
[00:06:45] Joe Sopkin There's difficult moments.
[00:06:47] Joe Sopkin How do you deal with those?
[00:06:49] Joe Sopkin Yeah.
[00:06:49] Joe Sopkin Maybe some share some stories.
[00:06:51] Joe Sopkin That goes back to that radical candor thing.
[00:06:53] Joe Sopkin You have to be perfectly honest with people to the point of being blunt sometimes.
[00:06:59] Joe Sopkin And you're right.
[00:07:00] Joe Sopkin You're seeing people, if you're talking about breach response and things like that,
[00:07:04] Joe Sopkin Or even if you're a new CXO level person taking over a seat, you're seeing people at their busiest,
[00:07:14] Joe Sopkin Most distracted, most worried.
[00:07:17] Joe Sopkin If it's a breach, they're worried about their job, worried about everything else.
[00:07:20] Joe Sopkin Their kids still have soccer practice, no matter what dad's got to deal with or mom's got to deal with at work.
[00:07:25] Joe Sopkin So if you're, there's a lot of press for the past 15, 20 years with the term, which I'm really starting to hate.
[00:07:36] Joe Sopkin I started hating it five years ago.
[00:07:38] Joe Sopkin It was trusted advisor.
[00:07:39] Joe Sopkin It gets overused so much.
[00:07:41] Joe Sopkin Like the person coming in and selling you desktop licenses of antivirus is not going to be your trusted advisor.
[00:07:47] Joe Sopkin I'm sorry, it's just, it's not going to happen.
[00:07:49] Joe Sopkin If you're good enough and you've got the pedigree to degree, you can be that trusted advisor.
[00:07:56] Joe Sopkin But trusted advisor doesn't mean stamping your blueprint onto something.
[00:08:02] Joe Sopkin There's a, I heard it from a marriage counselor one time.
[00:08:06] Joe Sopkin I said, do you want to be right or you want to be married?
[00:08:09] Joe Sopkin And sometimes you may think you're right, but to keep this marriage going and to really help this person through that journey, you got to put your ego in check a bit.
[00:08:21] Joe Sopkin I think a lot of consultants, a lot of salespeople tend to forget that.
[00:08:24] Joe Sopkin I've got, I have the best toy.
[00:08:26] Joe Sopkin It will fix your X problem.
[00:08:29] Joe Sopkin Period.
[00:08:30] Joe Sopkin You need to listen to me right now.
[00:08:31] Joe Sopkin And again, it's not always that.
[00:08:33] Joe Sopkin I always say it's, sometimes you almost figuratively and literally have to put yourself around that desk, put your arm around that person and just say, it's going to be okay.
[00:08:43] Joe Sopkin We're going to throw this together.
[00:08:45] Joe Sopkin Like you're not alone.
[00:08:46] Joe Sopkin I'm, I can't fix all this, but you've got a path and you've got people to help you.
[00:08:59] Joe Sopkin And speaking of trust is such a delicate thing.
[00:09:04] Joe Sopkin It takes a long time to build and almost like seconds to destroy.
[00:09:10] Joe Sopkin How does that manifest itself in kind of the corporate world?
[00:09:14] Joe Sopkin Unless you've got a super duper relationship with people, you only get so many at bats.
[00:09:21] Joe Sopkin And really so many mistakes you're able to make.
[00:09:25] Joe Sopkin A lot of times you got, you may have a bat and you've only got one strike to give.
[00:09:30] Joe Sopkin It's difficult.
[00:09:32] Joe Sopkin And sometimes it takes, I think I started to talk about, started to allude to this a little bit.
[00:09:39] Joe Sopkin Sometimes it takes walking away.
[00:09:42] Joe Sopkin I've secured, for lack of a better term, more business by really saying no to clients sometimes.
[00:09:51] Joe Sopkin Having them, they've got X amount of money for a budget.
[00:09:54] Joe Sopkin I know, I can eat that whole budget up, honestly.
[00:09:58] Joe Sopkin I can design a roadmap and a plan and project for them that'll spend their money.
[00:10:03] Joe Sopkin It'll make them more secure.
[00:10:04] Joe Sopkin They'll be less at risk.
[00:10:05] Joe Sopkin But it may not be the exact right move for what they need as a business.
[00:10:09] Joe Sopkin What they're really trying to do as a business.
[00:10:11] Joe Sopkin The best way to secure trust with any of these folks you're speaking with is really to understand literally what they do for a living.
[00:10:19] Joe Sopkin Like, understand their core business and help them make their business better.
[00:10:24] Joe Sopkin Sometimes it's not just helping them comply with the auditors and they're in the next room.
[00:10:31] Joe Sopkin That may be a tactical thing they need some help with.
[00:10:33] Joe Sopkin But the bigger issue may be, okay, once we get through this audit, we're also talking about expanding business into China in the next 18 months.
[00:10:40] Joe Sopkin Let's talk about that.
[00:10:42] Joe Sopkin That's where you need help with.
[00:10:46] Joe Sopkin I can help you with this stuff here, but let's get that done quickly.
[00:10:50] Joe Sopkin Make you look like a hero.
[00:10:53] Joe Sopkin Get you a success on the score sheet.
[00:10:55] Joe Sopkin And then let's start talking about the things that really matter to your business.
[00:10:59] Joe Sopkin Because no matter what your title is in the company, you're in the business of making widgets, which I've heard from.
[00:11:05] Joe Sopkin The old argument used to be the C-level people would say, ah, no one's going about it.
[00:11:10] Joe Sopkin Who wants to hack us?
[00:11:11] Joe Sopkin We just make widgets.
[00:11:11] Joe Sopkin I always call it the widget conversation.
[00:11:14] Joe Sopkin And luckily, people have gotten past that.
[00:11:15] Joe Sopkin They realize that everybody can be hit for a variety of reasons.
[00:11:20] Joe Sopkin But when push comes to shove, they still are making widgets, and you need to realize that they're not in the business of buying your stuff or buying your services.
[00:11:28] Joe Sopkin They're in the business of making, building, selling, educating, healing.
[00:11:33] Joe Sopkin There's a myriad of concerns and constraints they have that you need to be aware of.
[00:11:38] Joe Sopkin That's how you build trust.
[00:11:40] Joe Sopkin And it's interesting you mentioned widgets because sometimes the process that got perfected over 30 years of how to make these widgets that are, is very valuable to a nation state or someone else.
[00:11:58] Joe Sopkin And that IP is, even though they're not going to steal your widgets, they're going to steal your IP that manufactured these widgets to perfection.
[00:12:09] Joe Sopkin Now, let me ask you this.
[00:12:11] Joe Sopkin In the process of uncovering what's important to them from a business perspective, that's not, you've glossed over, but that's not trivial as well.
[00:12:18] Joe Sopkin Because first and foremost, it's a conversation that is a whole different level.
[00:12:23] Joe Sopkin Sometimes they don't know what it is that they necessarily want to do and achieve, or they think they know, yet a few more questions and you uncover the truth.
[00:12:33] Joe Sopkin So how do you gain that skill set of being able to ask the right question and really listen?
[00:12:39] Joe Sopkin I think that sometimes the salespeople are just, again, they're focused, they're fascinated, they're trying to get the sale, and they only listen to the point where they want to intervene, just wait for them to finish the talk so they can jump in and tell them why they're better.
[00:12:59] Joe Sopkin There's actually, and I'm gratified to see it, there's a new methodology starting to hit sales a little bit.
[00:13:06] Joe Sopkin And it boils down to recurring impact leads to recurring revenue.
[00:13:10] Joe Sopkin We're trying to make more money, like that's what companies do, it's a capitalist suspect.
[00:13:17] Joe Sopkin But it's a win.
[00:13:19] Joe Sopkin If you can help your clients, like your clients invest a lot of money, they've bought into services or software or something, you know, $3 million over three years, whatever it is, or $3 million or $300,000, whatever that big chunk of money is to them.
[00:13:33] Joe Sopkin They're only going to get value out of it, literally if they see some kind of impact.
[00:13:38] Joe Sopkin And the gift that the good people have is helping the client, like you said, helping the client realize what that impact is, even if they don't really recognize it.
[00:13:47] Joe Sopkin They may go into it, or with the massive turnover in the C-suite, especially with IT and security.
[00:13:56] Joe Sopkin A lot of your job sometimes revolves around getting the new person up to speed and reinforcing with them.
[00:14:03] Joe Sopkin This is why they, you're coming in, you want to change things, I get it.
[00:14:07] Joe Sopkin You've got a better way to do everything.
[00:14:09] Joe Sopkin But you can actually be that bridge that helps that new regime and its new people figure out why did they sign this three year contract?
[00:14:18] Joe Sopkin If you're at least getting a voice, but they're not just canceling you outright or whatever it may be.
[00:14:23] Joe Sopkin That's your big chance to say, well, they did it for these reasons.
[00:14:27] Joe Sopkin And going forward, you're going to see these impacts going down the line.
[00:14:32] Joe Sopkin In year two, you're going to get this done.
[00:14:34] Joe Sopkin In year three, it's going to be this.
[00:14:36] Joe Sopkin And hopefully by the time we get to year three and we talk about renewal, I'm not just walking in getting you to check a box and say, yeah, we'll do it for three more years.
[00:14:43] Joe Sopkin We'll be able to show what this impact was.
[00:14:47] Joe Sopkin Or if you're going to leave here and you're moving on, your successor is going to be able to see why you made this good decision and why it may behoove them to keep doing the same thing moving forward.
[00:14:58] Joe Sopkin So helping the client, like you said, helping the client figure out how this impacts their business or their organization.
[00:15:07] Joe Sopkin That's a lot of the hard work that, again, goes back to if you've got a consultative mindset, it's in your DNA.
[00:15:17] Joe Sopkin You're constantly asking questions and constantly trying to look at process improvement and things like that.
[00:15:24] Joe Sopkin You touched on a little bit with process and people and policies.
[00:15:30] Joe Sopkin The worst environments you run into are where they are very people driven.
[00:15:36] Joe Sopkin Like a lot of these things are people problems, but the worst environments are where they're doing things by heroics, where they just throw bodies at problems and just try and solve it through sheer hours.
[00:15:48] Joe Sopkin The environments where they actually get it is where it is process driven.
[00:15:53] Joe Sopkin And if you're a seller that's concentrating on just the heroics part of it, buy more tools, get more people, get more stuff done, sell more stuff, just keep layering on cement onto the outside, you're going to fail.
[00:16:07] Joe Sopkin If you're the one that helps them identify those pieces of the process where they can improve, even if it doesn't help you personally that quarter make that sale, if you're helping them with that process and those impacts, you will be rewarded.
[00:16:20] It might be next quarter, it might be next year, but that's where you get to that trusted advisor stage because they do.
[00:16:26] They have millions of things they're trying to do every day.
[00:16:30] So helping them identify that these different impacts in their business is enormously helpful.
[00:16:39] Joe Sopkin And it seems like the relationship in the past several years between the vendors and enterprise has been a source of contention a little bit.
[00:16:50] Just you can see that from some comments in the social media, LinkedIn, X and so on, where the enterprise complaining about the vendors trying to shove technology down their throat products and so on.
[00:17:07] Joe Sopkin And on the other side, the vendors are complaining that the fact that they have all these excellent tools and processes and services, but nobody's willing to listen.
[00:17:17] Nobody's willing to give it a chance.
[00:17:20] So where do you think the issue would lie?
[00:17:22] Joe Sopkin And all of the above.
[00:17:25] Joe Sopkin And there are to me.
[00:17:27] We had this, we did, we had this amazing kind of SaaS revolution of like 2019 to 2021-ish timeframe where companies are just getting stood up like crazy and the money was flowing and VCs were.
[00:17:40] And you did. You had everybody that had two guys, a dog and a bag of money to build a better mousetrap. And sometimes people built 20 similar mousetraps at the same time and all went to market together and they all started hitting up everybody over LinkedIn and email and robo calls and business development, everything else.
[00:18:02] At the same time that these people in the C-suite, as the SaaS revolution is winding down a little bit and the money is starting to dry up and everybody's getting more desperate, the budgets inside the clients are getting smaller and they're having to do more with less.
[00:18:18] So it's like the market saturated with all these great products and great ideas, the budgets are getting smaller. Everybody's got to do more with less. And you wind up with one of our, one of the greatest things we do these days as a service for clients is literally tools optimization.
[00:18:34] We go in and audit what they've got, what they really need. We discover things that they bought. And this has been going on since I got into it. You find things figuratively, they're sitting on the shelf that they pay maintenance fees every month and have no clue or every year and have no clue. It's there who bought it or why they're using it.
[00:18:54] So the optimization stuff that's going on in the lot, the vendors look at probably God, this is, they're going to wind up with four products and we're never going to get in there. I think it's going to be the opposite. People are going to clean up their shops, get rid of the stuff they don't need, create. And again, this is where the good sellers get it.
[00:19:13] Help your client create a little bit of breathing room to put, blend some sanity to this whole thing. Take a little bit of a half step back so they can take two steps forward.
[00:19:24] And then again, then the products have survived this far. The new ones coming out of the pipeline. They've got a shot to get in there now. I think just the selling motions are going to have to be different. Like I said, that's why there's new go to market methodologies.
[00:19:39] The things that worked in 2019 do not work in 2024. It is definitely a different world. And then you layer on AI and the marketing you can do through that and the different sales things you get through.
[00:19:53] It's getting revolutionary. It's like everything else. It's going to be like AI fighting AI. I think that the CISOs are going to probably have some sort of automated denial mechanism to hang up on salespeople they're trying to get in.
[00:20:07] It's crazy world.
[00:20:10] But the...
[00:20:13] I think it's never been more interesting times than we are right now. It's really remarkable. We are...
[00:20:20] It's always like when you live through it, you don't understand how monumental that is until after the fact.
[00:20:26] So I think we're definitely at that turning point.
[00:20:31] So the economic condition you alluded to both provide...
[00:20:36] They're making things tougher, but also provide an opportunity to...
[00:20:41] You mentioned AI to be able to streamline processes, make things more efficient.
[00:20:47] And as you mentioned, we clutter the organization.
[00:20:51] And it's funny because even as an individual, we pay for SaaS, all kinds of SaaS products.
[00:20:56] And we sign up and we...
[00:20:57] All of a sudden, we look at the statement.
[00:20:58] I was like, I was paying eight months for what?
[00:21:01] And I haven't even logged in once.
[00:21:03] So imagine the enterprise level.
[00:21:05] So in your expert opinion, what do we see from an opportunity perspective for...
[00:21:15] Specifically for cyber to...
[00:21:16] Aside from the decluttering piece, where do you see the kind of the new opportunities for SaaS, cyber companies to assist with making the organization more secure?
[00:21:28] And it seems like there's a lot of AI sprinkled on a lot of these new...
[00:21:33] Just like the cyber...
[00:21:35] There's all these vernaculars that have been used over and over again.
[00:21:39] And it's just like you mentioned, trusted advisor you don't like.
[00:21:42] There's this insert...
[00:21:44] This kind of phrase...
[00:21:48] So into the cyber marketing.
[00:21:50] I joke, but I swear it's only a half joke.
[00:21:52] I'm going to go try and find some venture capital that wants to fund me to build an app.
[00:21:56] That detects whether or not a product is really AI or it's something else.
[00:22:00] Like I want an AI that discovers whether something's really AI or it's just machine learning.
[00:22:05] Or it's 55 people in a warehouse somewhere with spreadsheets just working extra fast and producing...
[00:22:15] Everything's...
[00:22:16] Oh, they just...
[00:22:18] They subscribe to Amazon Mechanical Turk.
[00:22:22] It's like...
[00:22:23] Everything is getting stamped with AI.
[00:22:25] I used to call it the RSA elevator syndrome.
[00:22:28] Like when you went to the RSA conference every year...
[00:22:31] Before you even got in the doors, you knew what every vendor was just screaming in your face.
[00:22:35] Because as you went down the elevator, there was that one sign that somebody would always pay tons of money for...
[00:22:40] To catch you before you came in.
[00:22:42] The big, brilliant TV looking thing.
[00:22:45] And it would be AI or zero trust for years.
[00:22:51] All these different things.
[00:22:53] So every year you knew what you're pounded with.
[00:22:56] AI is not going away.
[00:22:57] This is...
[00:22:58] You're right.
[00:22:59] This is mid...
[00:23:00] I'd say like mid-1990s level of revolution.
[00:23:04] I got in it when...
[00:23:07] I remember...
[00:23:07] And it's funny because I'm in sales.
[00:23:09] So I'm seeing all these AI tools are just blasting out of nowhere.
[00:23:14] And the biggest problem is figuring out which ones really...
[00:23:16] They all seem to do something great.
[00:23:18] It's...
[00:23:19] You got to triage which one's greater than the other.
[00:23:21] But it was the same thing back in the 90s.
[00:23:24] I got into networking because of sales force automation.
[00:23:28] That was the first big thing I remember really being the big driver.
[00:23:32] Everybody's getting computers.
[00:23:34] But then everybody got laptops.
[00:23:35] And it was almost like laptops are available.
[00:23:38] Like what do we do with them?
[00:23:39] And one of the first things was sales force automation.
[00:23:42] People forget it.
[00:23:43] That was when people could pull their laptop out at the doctor's office and whip it out.
[00:23:48] And you would have pictures of something on your laptop screen.
[00:23:52] And you type in their order.
[00:23:54] People don't think of it now.
[00:23:55] That was revolutionary.
[00:23:57] You weren't...
[00:23:58] My dad was a salesman for 40 years.
[00:24:00] He literally carried a leather sample case.
[00:24:03] There's no more sample cases.
[00:24:05] There's no more paper.
[00:24:05] It's a laptop.
[00:24:06] And it was crazy.
[00:24:08] And since then, it's gone off the hook.
[00:24:11] So we're in that exact same revolutionary frontier right now.
[00:24:15] I can't imagine.
[00:24:16] Honestly, two years ago I thought I could imagine it.
[00:24:20] Now I can't imagine exactly where we're headed.
[00:24:24] The consumer drive for the things that are happening is astronomical.
[00:24:30] I used my wife as an example.
[00:24:32] She ever saw it?
[00:24:33] She killed me.
[00:24:33] She's a teacher, but she was never really like a computer person.
[00:24:36] She's so far ahead of me on the AI spectrum.
[00:24:39] It's unbelievable.
[00:24:40] Because teachers are getting just flooded with AI tools.
[00:24:44] And they're amazing.
[00:24:46] Like stuff I can't even dream of.
[00:24:48] And they're leading the charge in education.
[00:24:50] So all this AI stuff is, from a cyber perspective, we're back to that place where the cyber defense people never did get comfortable.
[00:25:01] We're always behind the eight ball, always looking over the horizon.
[00:25:04] I think we're actually farther back than we were.
[00:25:07] Because now, again, this new beast is hitting us.
[00:25:12] And it's unleashed.
[00:25:13] And we're trying to wrap controls around it.
[00:25:16] And consumer demand and clients are just pushing.
[00:25:21] It's going to be interesting how we address it.
[00:25:24] And like I said, I don't think we've been addressing cybersecurity and cyber defense that great to begin with.
[00:25:31] This, as a new stressor, is going to be a really big uphill challenge.
[00:25:36] It's tough.
[00:25:37] Like I said, everything goes back to the business.
[00:25:39] So when we're talking to clients, they're asking what you're asking.
[00:25:43] I'm in charge of risk and security.
[00:25:46] And my sales force wants to do X, Y, and Z with this new AI tool.
[00:25:51] Or the people that programmed the machinery in the widget factory have done the same thing for 40 years on these old Siemens boxes.
[00:26:00] Now they have this AI tool that can shorten their processes each week by four hours.
[00:26:06] What do I do with that?
[00:26:09] It's the same conundrum we faced when we first, I think, it's as big as when we hit the internet.
[00:26:14] It's the difference between the standalone computing and like token ring to TCP/IP and everything being web enabled 20, 25 years ago.
[00:26:27] And it seems like the complexity is just going exponential.
[00:26:31] It's like a runaway train, meaning people don't understand how, I don't think people understand how the internet works to begin with.
[00:26:40] Like just how the TCP/IP works and how you turn on application and it just works.
[00:26:46] And now we added another layer of complexity where we keep throwing AI and large language models around where most people have very little clue in terms of what that means.
[00:27:00] And then you start layering the risk associated with it.
[00:27:04] So there's all these reports now that are doing pen testing for large language models.
[00:27:13] Why do you even need to do that?
[00:27:14] Because people are like, oh, it doesn't make any sense.
[00:27:17] So the runaway train is moving so fast and these executives are trying to, as you mentioned, while they have to pick up their kids for soccer, they have all these fires to put out.
[00:27:28] And then they also have to figure out what is going on.
[00:27:30] What is this whole AI thing?
[00:27:31] How do we, because they get questions, right?
[00:27:35] If you're a cybersecurity executive or a CIO, your board of directors coming over to you and say, listen, we're seeing all this AI around with the promise of unbelievable efficiencies.
[00:27:47] What are the risks associated with it?
[00:27:49] Are we moving?
[00:27:51] Because if we're not doing it, someone else is doing it.
[00:27:54] So this, and so you're adding all the complexity that already exists and you added like three other layers on top of that.
[00:28:03] And then that's just not enough.
[00:28:04] You have all this cybersecurity vendor that kind of like using all this terminology, quite literally just sprinkle AI and automation orchestration, AI agents.
[00:28:17] And just, there's so many of these vernacular being used by these vendors, which makes it like even the problem even more profound.
[00:28:25] I think, and you've probably seen that executive coming over to you and saying, hold on for a second.
[00:28:30] Like, how do we, how do we deploy this?
[00:28:33] How do we protect?
[00:28:34] Because we've seen quite a vocal industry leader saying that LLMs are 5% wrong.
[00:28:44] And the problem is we don't know which 5% that, that is.
[00:28:48] So then, so they're not applicable for any kind of critical application.
[00:28:53] Yeah.
[00:28:54] Not yet.
[00:28:54] Well, everybody, it's an old military axiom.
[00:28:58] You always fought the last war.
[00:29:00] And I think, like I said, we're equipped adequately at best to fight the war that we had a couple of years ago.
[00:29:09] Like we were making headway or there was a status quo.
[00:29:12] You could at least, there's a little bit of predictability.
[00:29:14] I think that's what you're hinting at.
[00:29:16] There's very little predictability into what we can do right now.
[00:29:19] We've got all the tools we fought the last war with.
[00:29:23] People are saying that now, oh, it's AI enabled just to make it sound better.
[00:29:27] Maybe it's just machine learning.
[00:29:29] Maybe it's a bunch of people in a warehouse with spreadsheets, whatever it is.
[00:29:34] They're trying to, for branding purposes, make it sound like we're hip and cool and we're with the scene, man.
[00:29:43] I don't know exactly how you do, honestly, like how do you do an AI risk assessment?
[00:29:49] We don't have the data yet.
[00:29:51] And you've, like you say, you have to factor in that the things that we're evaluating aren't 100% there.
[00:29:57] It's every other software push we've had.
[00:30:01] Even the stuff that looks trusted or seen at this point seems like an old product, like ChatGPT seems like that's almost passe at this point.
[00:30:10] But it's got problems.
[00:30:11] And that's probably the most widely known, like the water cooler one is ChatGPT.
[00:30:15] And that's got issues.
[00:30:17] Like how do you address that, much less the ones that are really bleeding edge, that are just popping off the end of the assembly line every day.
[00:30:25] And it does go back to when we were on that wild and wooly, everybody's just jumping on the internet.
[00:30:31] Like you said, like nobody understood.
[00:30:34] I used to tell people back in those days, do you get the fact that you're on a party line?
[00:30:38] Like as soon as you get on the internet or your business, everybody on the planet that has an IP address can theoretically touch your IP address.
[00:30:48] You're in one big party line.
[00:30:51] And now with AI, adding even more complexity to it or more potential for shenanigans, I'm honestly not quite sure what the next step looks like.
[00:31:05] It'll be, I think it'll follow the usual cycle.
[00:31:08] Everybody will be pretty reactive to it.
[00:31:11] We'll start to get some rudimentary defenses.
[00:31:15] And I think that everybody will fall back on the best practices that we've always had, which is simplify things.
[00:31:21] Because the more complex your environment, and I know this from my offensive security days, the more complex the environment, it's infinitely easier to get into.
[00:31:29] The people that honestly had very simple defenses and did them very well and watched their few sort of ports of entry, they were at lower risk.
[00:31:39] The ones that just had oodles of stuff layered on, layered on, out of control, or let their user base just define their risk posture.
[00:31:49] They're the ones where there's trouble.
[00:31:51] So I think people go back to the, not fighting the last war, but going back to best practices, hopefully.
[00:31:58] Simplify their environment, get a change control process in place that, yes, we agree that the business, your new AI Salesforce automation tool is the greatest thing since sliced bread.
[00:32:11] We want to help you get this in here, but this is how we do it.
[00:32:15] They're going to have to really apply a lot of rigor and a lot of discipline to the business.
[00:32:21] Which goes back to, you can be your client's best ally where you can help them talk with their business and translate things to them and figure out how to get things done without losing your job because you're the one that stands in the progress of the widgets getting made faster.
[00:32:39] So it's the same old problem that's accelerated.
[00:32:43] And then, yeah, absolutely.
[00:32:47] And that acceleration seems to be something that's ongoing.
[00:32:51] I think that if you could try to promote silos for 10 years, then, you know, then DLP for five, MDM mobile device management for two.
[00:33:05] It seems like the windows of opportunity to work on that change because the enterprise works on projects.
[00:33:15] Meaning that they have, they don't just willy-nilly decide to go in and put some money and time and effort towards fixing something.
[00:33:22] They operate in silos.
[00:33:24] But those silos, they have to either compress or become agile because it used to be 24 to 18 months from identifying a problem to implementation.
[00:33:36] Organizations don't have that timeframe anymore because by the time they implement something,
[00:33:41] but it takes them 24 months, it's already obsolete.
[00:33:46] The problem has already moved on and say the new iteration of that problem.
[00:33:49] So how do enterprises that operate almost like a cruise ship in terms of budgeting and operations,
[00:33:58] how do they deal with all this rapid change?
[00:34:02] The answer to what I'm going to tell you is, you know, you need this new AI tool and it'll automate that and then you'll free up all this time.
[00:34:08] And it won't take you two years, it'll take you six months.
[00:34:10] And that's the problem in a nutshell.
[00:34:15] Like I'm spending probably a good 10-15% of my time researching different AI things that make me more efficient.
[00:34:24] It's like I'm losing time to figure out how to gain back some time.
[00:34:28] So you're relying on all these recommendations from other people and I think that's what's going to drive it.
[00:34:35] It's going to be, you have to keep your business under control.
[00:34:42] Get yourself that breathing space to be able to do these things, but you're going to have to address it.
[00:34:48] There's no getting away from it.
[00:34:49] I've been in really toxic environments where people talk about security as a board-level decision.
[00:34:55] I've actually been in one board meeting where the board, one of the board members watched 60 Minutes and saw the CEO of a cybersecurity company on, I won't say who, get interviewed and came to the board meeting that week and said, we're buying that, period.
[00:35:10] End of story.
[00:35:11] We're buying that.
[00:35:11] It's the greatest thing in the world.
[00:35:13] And the IT security people just sat there and nodded.
[00:35:17] And I thought to myself, this is the most toxic thing I've ever seen.
[00:35:21] So you have to get ahead of this.
[00:35:24] If you've built a healthy environment at your business, you should be the trusted advisor, the security people and the IT people for your business.
[00:35:33] They should feel comfortable coming to you and saying, we're really afraid our competition, we all do things the same way.
[00:35:39] We all get things to market appearance the same way.
[00:35:41] Our pricing's the same.
[00:35:43] We fight branding wars, our marketing budgets.
[00:35:45] We got a Super Bowl ad last year.
[00:35:47] They're doing it this year.
[00:35:48] Now, all of a sudden, we're finding out that they're getting things to market 40% faster.
[00:35:54] And we suspect it's because they're doing X, Y, and Z.
[00:35:57] Like, can't we do that?
[00:35:59] That's the position everybody needs to be ready to face yesterday.
[00:36:06] And if you're in a healthy environment, they can come to you and you'll help with that.
[00:36:12] If you're in a bad environment and you haven't worked on this for the past couple years already, then, yeah, they're just going to go ahead and do it.
[00:36:19] Like, you used to find these shadow networks when wireless hit or mobile.
[00:36:24] All of a sudden, the salespeople weren't doing their laptop that we worked for 10 years to harden.
[00:36:30] They all of a sudden have an iPhone and they figured out, oh, I can use that.
[00:36:34] I don't need that.
[00:36:35] My kid's using a laptop at home.
[00:36:37] He's already hacked it and put games on it.
[00:36:39] I'm using my phone.
[00:36:40] And the security people wonder why they have a mobile problem.
[00:36:44] So it goes back to, like you said, with trust.
[00:36:46] If you're ingrained in the business and they trust you, they're going to be coming to you to help them, not hinder them.
[00:36:54] There's that stupid security saying that security is like brakes, but you can't run it.
[00:37:00] It's true.
[00:37:00] You can't run a car without brakes.
[00:37:02] You can only go faster if you have better brakes.
[00:37:05] And I never liked saying that because it still puts brakes in the minds of people.
[00:37:08] But that is what it is.
[00:37:11] They're wanting to go faster and faster.
[00:37:13] They're putting a bigger, better motor in this old muscle car.
[00:37:17] And the Chevy 350 was great, but now they found a Corvette engine.
[00:37:21] They dropped it in.
[00:37:21] Now they're really going fast.
[00:37:23] But you've got these old brakes, the same brakes from there since 1972, and they work great.
[00:37:28] But you need to be prepared to say, okay, I know which brakes to use because you did that.
[00:37:34] I can do it.
[00:37:35] I'm going to need this much money, this many people, whatever.
[00:37:38] The resources are.
[00:37:39] You've got the, you have the focus on exactly what you need.
[00:37:43] You have the sense of urgency because they're pounding on your door to get it done yesterday.
[00:37:47] And then your last piece of puzzle is having the resources to do it.
[00:37:51] The knowledge, the people, the money to be crafts to get these things done.
[00:37:57] Because it ain't stopping.
[00:37:59] They're going to be there.
[00:38:00] The business is pounding the doors down now.
[00:38:03] And like I said, healthy environment, they're asking you.
[00:38:06] Unhealthy environment, they're doing it behind your back and you need to get it under control.
[00:38:15] And it seems like the industry was doing the Wild West for the longest time.
[00:38:21] And I think you mentioned that as well in previous conversations.
[00:38:24] And we are, as an industry, getting more mature.
[00:38:28] But I think with that said, there's also, my sense of it, there's a race to the bottom.
[00:38:35] From a pricing and commoditization perspective, there's a lot of companies that now say, we can offer you the same X but at one-fifth of the price.
[00:38:46] And I saw an article saying that AI is a contributor to that, meaning that you can take almost any product out there and replicate that.
[00:38:54] I know Google just announced that the SEC filing that 25% of all code is now being written by AI.
[00:39:00] So you can essentially create almost a whole slew of different products and services almost, as you mentioned, two guys in the basement or in the garage.
[00:39:12] But it would do it much more effectively.
[00:39:14] And all of a sudden, you become this AI-first company where you offer a similar type of service but at a fraction of the cost.
[00:39:24] And we see that.
[00:39:26] There's a lot of companies that offer a whole stack of security controls for $6, $7 per user per month.
[00:39:38] And they compete on that.
[00:39:40] They go down to...
[00:39:42] So where do you think things are going from that perspective?
[00:39:46] And the fact that there's 5,000 vendors out there trying to compete for the same pocketbook.
[00:39:52] I've said it for years.
[00:39:53] I've seen it cycle.
[00:39:56] And you've seen it cycle lots of times.
[00:39:58] I think commoditization leads to consolidation.
[00:40:01] And we're in the commoditization phase.
[00:40:05] Years ago, when the scanning tools first came out, that's when I was involved in a lot of penetration testing and ethical hacking and risk assessments.
[00:40:13] And I thought, oh, I'll make Qualys around all these different tools and Tenable.
[00:40:16] And I thought, yeah, this is going to be totally commoditized.
[00:40:19] It's going to put pen testers out of business.
[00:40:21] And there was no AI.
[00:40:22] This was just regular software.
[00:40:25] And there were tons of different tools that came out.
[00:40:28] If you look online, we're still hiring pen testers.
[00:40:31] And it goes back to your 5% failure rate with LLMs.
[00:40:35] There's always got to be, like with this specific thing, there's always got to be a person at the wheel at some point.
[00:40:41] So, like, the pen testers, that skill set is still out there.
[00:40:44] It's still valuable.
[00:40:45] There's still lots of them.
[00:40:46] There's companies that do people pen testing for a living using all these tools.
[00:40:52] So, that commoditization led to really just a consolidation.
[00:40:57] You started seeing companies use the tools and the people and package it up.
[00:41:03] Companies getting absorbed by other ones and bigger ones.
[00:41:05] I think with what's going on now, this commoditization, the business landscape of AI obviously will look radically different five or ten years from now.
[00:41:15] There will be, it may be a company we haven't even heard the name of yet.
[00:41:19] The next Google or Amazon or Microsoft may be sitting in a garage somewhere in Eastern Europe being built as we speak.
[00:41:28] We don't know.
[00:41:28] And maybe they go around, they buy up 90% of the shops we're talking about right now.
[00:41:34] And it becomes an Amazon or a Google or a Microsoft.
[00:41:38] And then there will always be the ones coming off the assembly line and feeding that cycle.
[00:41:43] Someone, like I said, there's always going to be a race to the bottom.
[00:41:46] But then the market will always adjust.
[00:41:49] It doesn't tolerate cheap for long.
[00:41:51] It always seems to come back up for some reason.
[00:41:54] And we had some of these things, even the economics of it, some of it could just be loss leaders.
[00:42:02] Like I said, back in the SaaS Wild Frontier days, people are operating.
[00:42:09] No one was making a profit.
[00:42:11] They were all just grinding things out, trying to get market share.
[00:42:14] And their valuations were crazy.
[00:42:16] And it didn't really matter if you're making money.
[00:42:19] It was more like, would it make me money a few years down the line?
[00:42:22] We're in that phase again, I think.
[00:42:25] And the investors are out there, have this fear of missing out.
[00:42:29] And the FOMO is driving them to try and figure out which of these to snap up.
[00:42:34] But they'll consolidate.
[00:42:36] KKR will wind up owning.
[00:42:38] They'll add a bunch of these companies to their 250 companies they own.
[00:42:42] And they'll be part of that.
[00:42:44] And they'll be run that way, and Thoma Bravo and the PE.
[00:42:46] They'll all start to absorb this stuff.
[00:42:48] So the good ones will float to the top out of that commoditization.
[00:42:53] They'll probably get absorbed or IPO and get bigger and then get absorbed or merge.
[00:42:59] And the consolidation will happen again.
[00:43:01] But this time, I just feel like it hasn't been this wild since that late 90s, early 2000s.
[00:43:12] The telco market went...
[00:43:15] I know, Joseph.
[00:43:16] It's really exciting times.
[00:43:18] I mean, it used to be we all had...
[00:43:20] I don't know if I remember, but all the ISPs that sprung out in the early 2000s.
[00:43:25] And no one even...
[00:43:25] Where did they all go?
[00:43:27] There were so many local telephone exchanges and things.
[00:43:32] The little ISPs that popped up.
[00:43:34] And Joseph, I think that now we've seen a similar type of trend with all these MSPs.
[00:43:45] One of the fastest growing areas of security is these managed service providers, right?
[00:43:55] They're getting into this space and they're offering, as you mentioned, this expertise around...
[00:44:03] Specifically around security services, security as a service.
[00:44:08] Because these companies realize that they don't want to do it in-house.
[00:44:11] And there's what?
[00:44:12] 20,000, 25,000 of them in the US alone?
[00:44:15] And it seems almost very similar to the ISP environment that we had before.
[00:44:21] Yeah, and that's near and dear to my heart.
[00:44:22] I think...
[00:44:24] I'm probably working...
[00:44:25] I lost count.
[00:44:26] I think I'm at my sixth or seventh MSSP that I've worked at.
[00:44:30] Or they have MSSP in the portfolio.
[00:44:34] And you're right.
[00:44:35] Back, it followed the same pattern.
[00:44:37] 20 years ago, you had a couple big name ones that started out on the frontier managing things for people.
[00:44:44] And it was basically red light, green light.
[00:44:46] Managing devices and managing firewalls.
[00:44:49] Now you've got all these boutique ones.
[00:44:52] They're an identity MSSP.
[00:44:54] So they manage SailPoint and CyberArk for you.
[00:44:57] And they're really good at that.
[00:44:59] Or they've niched out to a degree.
[00:45:02] But again, they're starting to...
[00:45:03] You see them start to consolidate.
[00:45:06] And it has to.
[00:45:07] You've got...
[00:45:08] Like you said, we have 20-some thousand managed service providers out there.
[00:45:12] It's a shopping and selling nightmare.
[00:45:17] So a lot of people still...
[00:45:20] They'll fall back on the Gartner buy.
[00:45:22] They'll just go to the Gartner quadrant and hope for the best.
[00:45:24] Get one of the bigger, more expensive ones and hope that meets their needs.
[00:45:31] Or...
[00:45:32] And I'll...
[00:45:33] And it's a great point.
[00:45:34] I'll touch upon the fact that I think that this is what...
[00:45:37] In times of uncertainty, from a technology perspective, meaning executives don't really understand the technology.
[00:45:44] And so no one got fired for buying IBM.
[00:45:47] I think that that's...
[00:45:49] We see some of those similarities where they just go out and buy a brand name as opposed to betting on the unknown.
[00:45:59] In other regards.
[00:46:00] And we see this quite often.
[00:46:03] And it's funny.
[00:46:05] Or, as you mentioned, they should advertise on 60 Minutes.
[00:46:10] What do you think was the...
[00:46:13] Out of that conversation, it was so appealing to that executive.
[00:46:17] I think...
[00:46:18] I'm trying to remember the exact context.
[00:46:19] But I think that the...
[00:46:21] That CEO brought up some case studies where it was in their industry.
[00:46:26] It was in the...
[00:46:28] It was in the aircraft supply chain industry.
[00:46:33] I'll put it.
[00:46:34] Let's say they built seats for 740...
[00:46:38] Yeah, so it's that...
[00:46:39] It's very niche.
[00:46:41] Yeah, so very niche.
[00:46:43] That long tail is really...
[00:46:45] It's a board level.
[00:46:45] It's a role, I think.
[00:46:46] Joe, meaning that people like to...
[00:46:49] It's a board level...
[00:46:51] Exactly.
[00:46:52] ...question of what does good look like and what does our competition look like?
[00:46:55] Which is basically all it boils down to.
[00:46:58] And depending on what their business follows, how do we exit?
[00:47:00] But that's the third question.
[00:47:01] But a lot of times when you get that question...
[00:47:06] Are we good?
[00:47:07] Yeah, we're okay.
[00:47:09] Is our competition better?
[00:47:11] Yeah, they might be.
[00:47:12] How do we get to that?
[00:47:13] And if that guy watches 60 Minutes that night and he says...
[00:47:17] They bought this and...
[00:47:18] It sounds like the greatest thing in the world.
[00:47:20] We gotta get that.
[00:47:21] It's funny.
[00:47:22] It's weird how...
[00:47:24] Impulse buying almost can factor into things.
[00:47:27] And the PR and advertising...
[00:47:29] Marketing is important.
[00:47:31] It may not be right.
[00:47:32] It may not be the right thing to get.
[00:47:35] But marketing is very important.
[00:47:37] You can have the...
[00:47:38] You can have the best thing out there.
[00:47:41] But if nobody knows about it...
[00:47:43] So how many good products have been swallowed?
[00:47:47] How many have been bought up?
[00:47:48] And then...
[00:47:50] Yeah.
[00:47:51] So...
[00:47:53] Like late night...
[00:47:55] Joseph, like late night QVC ads.
[00:47:58] Basically, you're sitting there flipping and you come across...
[00:48:01] Like a sham.
[00:48:02] Wow.
[00:48:04] It seems like an amazing technology.
[00:48:08] And then if it's...
[00:48:09] As you mentioned, it's very particular to my industry.
[00:48:12] That's what really...
[00:48:14] These executives really care about is the fact that they...
[00:48:17] It's the long tail.
[00:48:19] I think now with the internet...
[00:48:22] Always been tailored to the long tail.
[00:48:24] You can have a very niche discussion...
[00:48:25] On a very particular technology...
[00:48:28] In a very particular industry...
[00:48:31] For a particular use case.
[00:48:33] And that would hit...
[00:48:34] That's better than 100 sales people...
[00:48:36] Just doing cold calling.
[00:48:38] Because it's really...
[00:48:40] It's inbound versus outbound.
[00:48:42] And that executive has already made up his mind.
[00:48:46] I always pick on the RSA conference.
[00:48:50] I remember standing in the aisle one time...
[00:48:52] Talking to a buddy.
[00:48:53] And I saw these folks walk by.
[00:48:55] And they...
[00:48:55] They looked and quacked and smelled like C-level people.
[00:48:58] If you're in sales long enough...
[00:49:00] You can figure out who the buyers are.
[00:49:01] You know the guy to get the checkbook.
[00:49:03] So these guys are walking by...
[00:49:05] And they looked very kind of executive.
[00:49:07] And they had the little map out...
[00:49:08] And they had stuff circled.
[00:49:10] And they...
[00:49:11] As near as I could tell...
[00:49:13] Eavesdropping because...
[00:49:15] I did social engineering for a living for a while.
[00:49:17] I don't think I can help it.
[00:49:19] But they were using this little map...
[00:49:21] To go on a shopping expedition.
[00:49:23] Basically through RSA.
[00:49:25] And these are all the different vendors...
[00:49:26] They wanted to talk to.
[00:49:27] And I looked at my buddy.
[00:49:28] I'm like...
[00:49:29] This is how these guys are making decisions.
[00:49:32] They literally are circling brand names.
[00:49:34] And they want to go talk to the sales people...
[00:49:37] In the booth.
[00:49:39] That are going to sell them on this stuff.
[00:49:41] I said...
[00:49:41] What kind of plan is that?
[00:49:42] It's crazy.
[00:49:44] You know...
[00:49:44] If you're to the point...
[00:49:45] Where you're just walking around...
[00:49:47] RSA...
[00:49:48] With a shopping list...
[00:49:50] You're a salesperson's dream...
[00:49:51] But you're probably a security nightmare.
[00:49:55] It's not the way to go.
[00:49:59] So...
[00:49:59] How do you prove...
[00:50:01] Thought leadership?
[00:50:02] Like...
[00:50:03] How do you prove that you're the real deal?
[00:50:05] If you're like a...
[00:50:06] Vendors...
[00:50:07] One vendor out of the...
[00:50:08] Three thousand...
[00:50:09] And each category...
[00:50:10] If you're like an EDR...
[00:50:11] MDR...
[00:50:11] XDR...
[00:50:14] How do you prove...
[00:50:16] To an executive...
[00:50:17] That you're the real deal?
[00:50:18] And maybe potentially...
[00:50:20] You don't have the...
[00:50:20] Kind of the marketing budget...
[00:50:22] The big...
[00:50:24] Buying the bulletin boards...
[00:50:26] And the RSA...
[00:50:27] And the...
[00:50:27] The stickers on the elevator...
[00:50:29] Spending a gazillion dollars...
[00:50:31] On these things...
[00:50:32] How do you still...
[00:50:33] Manage to elevate yourself...
[00:50:35] From the crowd?
[00:50:36] The best tactical thing...
[00:50:37] I've seen that I recommend a lot...
[00:50:39] To startups...
[00:50:40] Is partnerships.
[00:50:41] It sounds...
[00:50:42] Trite...
[00:50:43] That...
[00:50:45] If you can...
[00:50:46] Partner yourself...
[00:50:47] With a...
[00:50:48] Figuratively...
[00:50:49] A big buddy...
[00:50:49] Or a big brother...
[00:50:51] You're gonna get...
[00:50:52] A lot more airplay...
[00:50:53] With some of these executives...
[00:50:54] And it's tough...
[00:50:56] That's a sales job...
[00:50:57] Into itself...
[00:50:58] But...
[00:50:59] The good thing about that is...
[00:51:01] Sometimes it's a lower lift...
[00:51:02] Because...
[00:51:03] You're not necessarily...
[00:51:04] Having to go to...
[00:51:05] 10,000 clients...
[00:51:07] And...
[00:51:07] Do your pitch...
[00:51:08] Over and over again...
[00:51:10] If you're dealing with a partner...
[00:51:12] You're...
[00:51:13] Pretty much talking to a peer...
[00:51:14] And if that peer is convinced...
[00:51:16] That...
[00:51:17] This is gonna improve...
[00:51:18] Their...
[00:51:19] Posture with a client...
[00:51:21] Or make them stronger...
[00:51:22] In their pitch...
[00:51:23] Not...
[00:51:23] You're not gonna embarrass them...
[00:51:24] And you're gonna make them money...
[00:51:26] That's a different...
[00:51:27] That's a different...
[00:51:29] Scenario altogether...
[00:51:30] Than...
[00:51:30] Having to convince a client...
[00:51:31] That...
[00:51:32] Give them that slide...
[00:51:34] That every vendor has...
[00:51:35] With all the red and green lights...
[00:51:36] And your column is all green lights...
[00:51:38] Because...
[00:51:39] Of course you do everything...
[00:51:40] Your competitors don't do anything...
[00:51:42] It's the worst argument in the world...
[00:51:44] But if you're part...
[00:51:45] Literally partnering...
[00:51:46] Going in the door...
[00:51:47] With someone...
[00:51:48] A two-headed model...
[00:51:49] Or...
[00:51:50] They're just...
[00:51:50] They're reselling...
[00:51:52] You're willing to...
[00:51:52] Put it on the line...
[00:51:54] That's a quick...
[00:51:55] That's a quick lift to elevate...
[00:51:57] And even with...
[00:51:58] Like online...
[00:51:59] You see all these webinars...
[00:52:01] That are two-headed...
[00:52:01] Monster webinars...
[00:52:02] A lot of times...
[00:52:03] IBM and...
[00:52:06] Whatever...
[00:52:06] Some...
[00:52:07] Joe's antivirus...
[00:52:08] And we're going to talk about...
[00:52:10] We're not going to talk about Joe's antivirus...
[00:52:11] We're going to talk about this topic...
[00:52:13] But...
[00:52:14] Here's the CTO from this company...
[00:52:16] It's a Series B...
[00:52:17] Startup...
[00:52:18] They've been in business for three or four years...
[00:52:19] They got some legitimacy...
[00:52:21] But they're not us...
[00:52:22] The fact that you're bringing them on board...
[00:52:25] They're experts...
[00:52:27] With your expert...
[00:52:28] Talking to that captive audience...
[00:52:30] That's pretty powerful...
[00:52:31] So...
[00:52:32] Partnerships are...
[00:52:33] Probably the easiest...
[00:52:35] For that...
[00:52:37] I would say...
[00:52:41] The devil's advocate here...
[00:52:43] Is that some of these partners...
[00:52:44] Do not do business...
[00:52:46] Or do not partner...
[00:52:47] Unless you have X amount of revenue...
[00:52:49] Already...
[00:52:49] They ask you...
[00:52:50] Okay...
[00:52:51] What's your revenue right now?
[00:52:52] So if you don't do...
[00:52:53] So if you're between a rock...
[00:52:55] And a hard place...
[00:52:56] You're...
[00:52:57] One side...
[00:52:58] You're trying to partner...
[00:52:59] And the other side...
[00:53:00] They're asking...
[00:53:01] Are you doing...
[00:53:03] 20 million dollars in sales?
[00:53:05] And we'll say...
[00:53:05] The reason why we don't do...
[00:53:06] 20 million dollars in sales...
[00:53:08] Because we don't have a partner like you...
[00:53:10] So...
[00:53:10] It's a catch-22...
[00:53:12] It's hard...
[00:53:12] How do you overcome that?
[00:53:14] Like...
[00:53:14] The pre...
[00:53:15] C level people are going to...
[00:53:17] Trouble...
[00:53:18] But...
[00:53:18] There's different levels to everything...
[00:53:20] You work your way up the food chain...
[00:53:22] There's partners...
[00:53:23] You might be a C...
[00:53:25] Level startup...
[00:53:26] Some little...
[00:53:27] Three guys...
[00:53:28] And...
[00:53:29] They've got a couple sales people...
[00:53:30] Or something...
[00:53:31] And...
[00:53:31] A great product...
[00:53:32] You're probably pitching to...
[00:53:35] A Series B or C or D...
[00:53:37] Company that's maybe...
[00:53:39] Three or four years ahead of you...
[00:53:41] To partner with them...
[00:53:42] And you might be a...
[00:53:44] A multi-factor authentication...
[00:53:47] Shop...
[00:53:48] And you've got a great one...
[00:53:49] It's gonna...
[00:53:50] There's a zillion...
[00:53:51] You're better than everybody else...
[00:53:53] But you manage to convince...
[00:53:55] A privileged access...
[00:53:57] Management company that's...
[00:53:59] Ten years old...
[00:54:00] But they're not huge...
[00:54:02] They're two or three in their category...
[00:54:04] You...
[00:54:05] Get to them and pitch to them that...
[00:54:07] Working with us...
[00:54:08] We've got this unified message that...
[00:54:10] When you do privileged access...
[00:54:12] You need to have a really strong...
[00:54:13] Multi-factor authentication...
[00:54:14] That's gonna be our go-to-market...
[00:54:16] And that's gonna give you an advantage...
[00:54:18] With your 800-pound gorilla...
[00:54:20] Who's not paying attention to this niche...
[00:54:22] They don't care...
[00:54:23] They're not...
[00:54:24] That's not one of their top tracks...
[00:54:25] Like this is your chance to capture...
[00:54:27] Something that's important...
[00:54:29] That the 800-pound gorilla doesn't care about...
[00:54:31] Because they're doing...
[00:54:32] They're doing commoditized...
[00:54:34] Big sales...
[00:54:35] And they're selling all their modules...
[00:54:36] And all their different...
[00:54:38] Spin-offs and add-ons to their product...
[00:54:41] So yeah...
[00:54:42] Depending on your...
[00:54:43] You always go to the...
[00:54:44] It's like when you dress for an interview...
[00:54:46] You dress one level above...
[00:54:47] And everything else...
[00:54:48] When you're trying to partner...
[00:54:50] You wanna get...
[00:54:51] You wanna try and get the...
[00:54:53] You wanna partner with a big four firm...
[00:54:55] That'd be great...
[00:54:56] If you've got E&Y...
[00:54:57] Using your tool for something...
[00:54:59] That's fantastic...
[00:55:00] But it's tough to get there...
[00:55:01] But if you've got that...
[00:55:05] I always call them like...
[00:55:06] Complementary competition...
[00:55:08] They're in your space...
[00:55:09] But they're not directly competing with you...
[00:55:11] And you're like...
[00:55:12] You do it better together...
[00:55:13] But better together is easier...
[00:55:15] When both companies are...
[00:55:17] A little bit closer together...
[00:55:18] And then as...
[00:55:19] You grow and you start leapfrogging up...
[00:55:21] All of a sudden...
[00:55:22] Yeah...
[00:55:22] You're going to war with ServiceNow...
[00:55:24] Or you're going to war with Salesforce.com...
[00:55:26] Or...
[00:55:27] One of the big companies...
[00:55:30] By then...
[00:55:31] You probably have enough...
[00:55:34] Branding on your own...
[00:55:35] That you can do a lot of...
[00:55:36] Do a lot of things...
[00:55:37] But it's a good...
[00:55:38] It's a good leapfrog...
[00:55:45] What about the...
[00:55:46] The self-service model...
[00:55:47] Like...
[00:55:48] The try and buy...
[00:55:49] Meaning there's a lot of companies out there...
[00:55:51] That offer you...
[00:55:52] To just...
[00:55:53] Basically...
[00:55:54] You put in your credit card...
[00:55:55] You get the service for...
[00:55:56] 15 days...
[00:55:59] And...
[00:55:59] And...
[00:56:00] In that moment...
[00:56:01] Unless you cancel...
[00:56:02] Yeah...
[00:56:02] You're now a customer...
[00:56:05] And...
[00:56:06] I think that...
[00:56:07] Coming back to the consultative sale...
[00:56:09] Trusted advisor...
[00:56:10] I think that the whole middle ground...
[00:56:12] Well...
[00:56:12] It was always like...
[00:56:13] The low-end transactional...
[00:56:15] The...
[00:56:16] Middle kind of sales...
[00:56:17] And then the high-end consultative...
[00:56:19] I think we're...
[00:56:22] The low-end was commoditized...
[00:56:24] It's all like...
[00:56:25] Self-service...
[00:56:27] On...
[00:56:27] Online...
[00:56:27] You can just go and buy...
[00:56:29] The middle one is also getting commoditized...
[00:56:31] Because that's also becoming...
[00:56:33] Very transactional...
[00:56:35] So...
[00:56:35] Only...
[00:56:36] The only thing that's left...
[00:56:37] Is like the high-end...
[00:56:38] Like...
[00:56:38] Bespoke solutions...
[00:56:39] But the rest of it is becoming all...
[00:56:41] Almost like self-service...
[00:56:42] Yeah...
[00:56:44] Companies are just...
[00:56:45] Putting their stuff out there...
[00:56:47] There's nothing worse...
[00:56:48] I think than saying...
[00:56:49] Okay...
[00:56:50] The price list...
[00:56:51] Yo...
[00:56:51] Like just the price list thing...
[00:56:52] Okay...
[00:56:53] Contact us...
[00:56:55] Yeah...
[00:56:55] Like...
[00:56:55] I think...
[00:56:56] Contact us...
[00:56:57] Because they don't actually provide you the pricing...
[00:56:59] I think the...
[00:57:00] The biggest thing...
[00:57:01] And the biggest...
[00:57:02] From the go-to-market people...
[00:57:03] What they're worrying about right now...
[00:57:04] Is how to address that to a large degree...
[00:57:07] I think it's gonna be a consumption model...
[00:57:09] Almost like...
[00:57:10] If you get Amazon Cloud or something...
[00:57:12] It's gonna be...
[00:57:13] Use...
[00:57:13] What was it?
[00:57:14] Use what you need...
[00:57:15] Or buy what you need...
[00:57:16] Or whatever...
[00:57:16] Buy on demand...
[00:57:17] Buy what you need...
[00:57:19] Yeah...
[00:57:20] Yeah...
[00:57:21] A lot of the markets could go to...
[00:57:23] Even the try-buy thing...
[00:57:25] I think people are almost bypassing that...
[00:57:27] It's...
[00:57:28] I'm not even...
[00:57:29] Why offer it for free?
[00:57:30] Tell people...
[00:57:31] Yeah...
[00:57:31] Buy a license...
[00:57:32] You use it...
[00:57:33] And that like...
[00:57:33] The software we're using right now...
[00:57:35] You use it...
[00:57:37] And then...
[00:57:38] If you like it...
[00:57:39] Then your team of sales people...
[00:57:40] Is gonna be using it in a month from now...
[00:57:41] I know that...
[00:57:42] But I'm not...
[00:57:43] I'll charge you...
[00:57:44] Seven bucks...
[00:57:45] For your...
[00:57:46] Your try and buy...
[00:57:48] And...
[00:57:49] You'll probably be...
[00:57:51] Having 15 to 20 people use it...
[00:57:53] The only problem from a...
[00:57:55] From my perspective...
[00:57:56] Are to go-to-market people...
[00:57:58] The predictability is difficult...
[00:57:59] The forecasting is a little bit harder...
[00:58:01] You...
[00:58:02] Get there...
[00:58:03] Amazon...
[00:58:04] Is so good at what they do...
[00:58:06] They...
[00:58:06] Are an amazing data company...
[00:58:08] But it's more difficult for these smaller companies...
[00:58:11] To have that predictability in there...
[00:58:12] Which leads to...
[00:58:13] It's more difficult for them...
[00:58:14] To get their next round of investing...
[00:58:16] So that consumption model...
[00:58:18] Is gonna be interesting...
[00:58:19] Because you need to be able to prove it out...
[00:58:21] To investors...
[00:58:22] And when you're at that...
[00:58:23] Super early stage...
[00:58:24] You know...
[00:58:25] You're trying to leap...
[00:58:26] Just get your series A funding...
[00:58:28] And they're asking you...
[00:58:29] What your five...
[00:58:29] Five-year plans...
[00:58:31] They're ridiculous anyway...
[00:58:32] But when they're looking for your...
[00:58:34] Forecasting...
[00:58:35] It's a little bit more difficult...
[00:58:36] When you have that consumption model...
[00:58:38] So there's a lot of talk...
[00:58:40] And a lot of different...
[00:58:41] Mathematical models...
[00:58:42] And data models...
[00:58:43] Going into that forecasting right now...
[00:58:45] People try to...
[00:58:46] Figure it out...
[00:58:47] How to make money...
[00:58:48] But I firmly believe...
[00:58:49] That's...
[00:58:50] That is the way...
[00:58:51] It's...
[00:58:55] And...
[00:58:56] And the next model after that...
[00:58:58] So I agree...
[00:58:58] Utility consumption...
[00:59:00] The next model after that...
[00:59:01] Is that they're trying to do...
[00:59:02] Is the outcomes model...
[00:59:05] So you're not paying...
[00:59:07] For...
[00:59:08] The actual consumption...
[00:59:10] You're paying for results...
[00:59:12] So...
[00:59:13] Okay...
[00:59:14] Like you...
[00:59:14] But it's hard to do...
[00:59:15] Because for cyber...
[00:59:18] If nothing happens...
[00:59:20] So how do you prove that you are...
[00:59:22] Let's say blocked a certain amount...
[00:59:24] Of adversaries...
[00:59:25] Or how many...
[00:59:26] Like...
[00:59:26] Or save the company...
[00:59:28] Certain amount of breaches...
[00:59:29] It's very tough...
[00:59:30] Because...
[00:59:31] Potentially you can say...
[00:59:32] Okay...
[00:59:32] I'm saying...
[00:59:33] Every time I...
[00:59:34] I protect your organization...
[00:59:36] And you're not getting breached...
[00:59:37] I'm charging you...
[00:59:38] Right...
[00:59:38] Ten thousand dollars...
[00:59:39] Yeah, it's funny...
[00:59:40] You can't see it...
[00:59:41] But I got a...
[00:59:41] There's three or four books back here...
[00:59:43] On quantification...
[00:59:44] Like risk qualification...
[00:59:45] Things like that...
[00:59:46] But quantification in general...
[00:59:48] Is something that...
[00:59:49] Security and risk people should...
[00:59:51] Again...
[00:59:51] They should have been paying attention to...
[00:59:52] For the past couple decades...
[00:59:53] To prove their worth to the business...
[00:59:56] It is more difficult...
[00:59:58] Like I used to...
[00:59:59] Say...
[01:00:00] Years ago...
[01:00:00] With the pen testing...
[01:00:01] And all...
[01:00:02] The clients...
[01:00:03] We spent a lot of time...
[01:00:04] Preaching to clients...
[01:00:05] About how great our pen testers were...
[01:00:07] We wouldn't give their names...
[01:00:08] But they say...
[01:00:09] This person did this...
[01:00:10] And this person broke the iPhone...
[01:00:12] And it was like a whole resume listing...
[01:00:14] And you should hire us...
[01:00:15] Because of that...
[01:00:16] But then it dawned on me...
[01:00:17] With one client in particular...
[01:00:19] It really sheds off...
[01:00:20] All they wanted was the report...
[01:00:23] They weren't buying the pen testers...
[01:00:24] Or their expertise...
[01:00:26] Or how good they were...
[01:00:27] Or how many talks they gave at DEFCON...
[01:00:29] They just wanted the damn report...
[01:00:31] And that's what they paid for...
[01:00:33] And oddly...
[01:00:34] Our reports were mediocre...
[01:00:36] And we worked on making them better...
[01:00:38] And putting some more...
[01:00:39] Stuff in there...
[01:00:40] Not just saying...
[01:00:41] You've got this...
[01:00:42] But here's...
[01:00:43] And now everybody does...
[01:00:44] But here's how you can remediate it...
[01:00:47] Give them different tips and things...
[01:00:48] So the value add...
[01:00:49] Wound up being on the back end of the thing...
[01:00:52] Like...
[01:00:52] It wasn't just...
[01:00:53] We did this amazing report...
[01:00:55] And we're such great hackers...
[01:00:57] It was...
[01:00:58] Here's the report...
[01:00:59] These are the steps...
[01:01:00] It's giving you the...
[01:01:01] The added value...
[01:01:02] That helps your business...
[01:01:04] So quantification is going to be a big deal...
[01:01:07] You're right...
[01:01:07] If you're just selling somebody a dashboard...
[01:01:09] That the risk needles...
[01:01:11] Go back and forth all day...
[01:01:13] What's it giving them?
[01:01:14] You have to be able to...
[01:01:16] Give them something...
[01:01:17] We always call it the board level report...
[01:01:19] One of the things that has to be built in there...
[01:01:21] Is something that...
[01:01:22] As that data goes upstream...
[01:01:26] There used to be something called...
[01:01:27] The green dashboard disease...
[01:01:29] The analyst in the SOC is...
[01:01:30] Everything looks good man...
[01:01:32] All the lights are green...
[01:01:33] Like...
[01:01:33] We're fine...
[01:01:34] That gets reported up...
[01:01:36] And then...
[01:01:36] A month later...
[01:01:37] The CISO goes into the board...
[01:01:39] With this one slide...
[01:01:40] That's got a million things on it...
[01:01:41] It says...
[01:01:41] Yep...
[01:01:42] Air the screen...
[01:01:42] We're perfect...
[01:01:43] You're not...
[01:01:44] It's not...
[01:01:45] So...
[01:01:46] You need to get your real data...
[01:01:48] And...
[01:01:49] Make it digestible...
[01:01:50] At some point...
[01:01:51] For the business...
[01:01:52] To be able to prove this out...
[01:01:53] Because next year...
[01:01:54] When you say...
[01:01:55] I need 25 million dollars...
[01:01:57] To secure us...
[01:01:58] They're going to say...
[01:01:59] What does secure mean?
[01:02:00] And you're going to have to say...
[01:02:01] Secure means...
[01:02:02] That when we went into China...
[01:02:04] To do business last year...
[01:02:06] Expanded...
[01:02:07] Bought up some factories...
[01:02:08] Over there on the cheap...
[01:02:09] And started...
[01:02:09] We brought...
[01:02:10] Our manufacturing costs down...
[01:02:12] We didn't see...
[01:02:14] An associated...
[01:02:15] Risk level go up...
[01:02:16] We stayed steady...
[01:02:17] We didn't...
[01:02:18] And give them all this business data...
[01:02:20] So that quantification...
[01:02:22] Is good...
[01:02:22] It's not just risk quantification...
[01:02:24] You have to figure out...
[01:02:25] How to quantify...
[01:02:26] Stuff across...
[01:02:27] The whole environment...
[01:02:30] And...
[01:02:31] The vendors don't...
[01:02:32] By and large...
[01:02:33] That's not something...
[01:02:35] That vendors think of...
[01:02:36] They...
[01:02:36] They think about...
[01:02:38] Annual recurring revenue...
[01:02:40] And...
[01:02:40] How to make...
[01:02:42] Their feature set...
[01:02:43] Better than their competitor...
[01:02:45] They're not always thinking about...
[01:02:47] The business...
[01:02:49] Yeah...
[01:02:49] They're focusing way...
[01:02:50] Too much on technology...
[01:02:52] I don't think they ever think about...
[01:02:54] No...
[01:02:54] And in their defense...
[01:02:55] It's tough...
[01:02:56] Because you're...
[01:02:58] Some vendors are very vertical centered...
[01:03:00] But by and large...
[01:03:01] You're trying to sell everything...
[01:03:02] To all people...
[01:03:03] It's...
[01:03:03] It is hard...
[01:03:05] Like...
[01:03:05] You might be selling...
[01:03:06] Mousetrap...
[01:03:07] The greatest mousetrap...
[01:03:08] But...
[01:03:09] You're selling it in the Amazon...
[01:03:10] Where the mice are...
[01:03:12] Four and a half pounds...
[01:03:13] But...
[01:03:14] Your great mousetrap...
[01:03:15] Is not going to address the needs of...
[01:03:16] These people have rats...
[01:03:18] That are the size of a raccoon...
[01:03:20] So...
[01:03:20] When you go into...
[01:03:22] Some of these different environments...
[01:03:23] It's a little bit easier...
[01:03:25] Now...
[01:03:25] If you're an...
[01:03:26] IoT...
[01:03:26] OT...
[01:03:28] Vendor...
[01:03:28] That's dealing with...
[01:03:29] Mainly industrial security...
[01:03:31] You actually have an easier time of it...
[01:03:33] The nichier you are...
[01:03:34] You should be able to...
[01:03:35] Get them that business result...
[01:03:37] A lot easier...
[01:03:40] If you're a ServiceNow...
[01:03:41] Then yeah...
[01:03:42] You have to make all these different models...
[01:03:44] And all these different things...
[01:03:45] And all these...
[01:03:45] And you have to be huge...
[01:03:46] But if you're doing a really good...
[01:03:51] Manufacturing plant...
[01:03:52] Security...
[01:03:53] Solution...
[01:03:54] And...
[01:03:55] It's geared towards a certain industry...
[01:03:57] You should be able to give them...
[01:03:58] Something that helps them with the business...
[01:04:00] Like you should be able to say...
[01:04:02] Because of this...
[01:04:03] We had...
[01:04:04] We experienced...
[01:04:06] Less...
[01:04:06] Failures on...
[01:04:08] X, Y, and Z...
[01:04:09] Or...
[01:04:09] The risk went down on...
[01:04:12] When these Boeing...
[01:04:13] Poor Boeing...
[01:04:15] Boeing had...
[01:04:16] The Boeing planes flew better...
[01:04:20] Whatever...
[01:04:20] Which I don't know how they're going to fix that...
[01:04:27] So...
[01:04:27] This has been great...
[01:04:28] I just wanted...
[01:04:30] Two more questions...
[01:04:30] It's been absolutely phenomenal...
[01:04:32] So...
[01:04:33] While we're chatting here...
[01:04:35] I think that one of the risks...
[01:04:37] That we are facing...
[01:04:38] Is the fact that...
[01:04:39] It seems like...
[01:04:41] We're...
[01:04:41] Defender side...
[01:04:42] And we are very cautious about...
[01:04:44] Deploying technology...
[01:04:45] Utilizing them to our advantage...
[01:04:47] Because we have...
[01:04:48] Because we have...
[01:04:49] Board of directors...
[01:04:50] Report and so on...
[01:04:51] We're not as agile...
[01:04:52] But on the other side...
[01:04:53] The adversaries are very quick...
[01:04:55] To adopt...
[01:04:56] Oh yeah...
[01:04:57] Tools...
[01:04:58] That are available to them...
[01:05:00] To hack organizations...
[01:05:01] Very quick...
[01:05:02] They...
[01:05:02] Like they're first adopted for...
[01:05:04] Well any of these...
[01:05:05] Like...
[01:05:05] AI technologies...
[01:05:06] And...
[01:05:07] Deep fake...
[01:05:08] And...
[01:05:09] You name it...
[01:05:10] And then now...
[01:05:11] It's like a business...
[01:05:12] Right?
[01:05:12] So it's a...
[01:05:14] They're using...
[01:05:15] A crime as a service...
[01:05:16] So...
[01:05:17] I think...
[01:05:18] That's the main...
[01:05:21] Issue...
[01:05:21] Is that...
[01:05:22] As you mentioned...
[01:05:22] There was...
[01:05:23] For the longest time...
[01:05:24] There was this...
[01:05:25] Almost like a...
[01:05:26] Balance between the defenders...
[01:05:28] And...
[01:05:29] The adversaries...
[01:05:30] And that balance seems to be...
[01:05:32] Slightly shifting...
[01:05:34] Towards their advantage...
[01:05:35] Just because they're...
[01:05:35] Due to the fact that...
[01:05:36] They can adopt some of these...
[01:05:37] Early technologies...
[01:05:38] Yeah...
[01:05:38] And again...
[01:05:38] We should be used to that part of it...
[01:05:40] Because...
[01:05:41] Like I said...
[01:05:42] When we...
[01:05:42] When the security tools...
[01:05:44] First started coming online...
[01:05:45] 15...
[01:05:46] 20 years ago...
[01:05:47] We ran into the same problem...
[01:05:48] The criminals had access...
[01:05:50] To the same thing we did...
[01:05:51] And maybe even sooner...
[01:05:52] And they may be writing the tools...
[01:05:54] I remember...
[01:05:55] Like...
[01:05:55] People don't talk about encryption...
[01:05:56] A whole lot now...
[01:05:57] But...
[01:05:57] I remember running across...
[01:05:59] One client...
[01:06:00] One of their...
[01:06:02] Databases...
[01:06:03] Was encrypted...
[01:06:04] And we were talking to...
[01:06:04] And they said...
[01:06:05] We don't use encryption...
[01:06:06] And we found out that it was...
[01:06:08] That people had broken in...
[01:06:10] They were stealing...
[01:06:11] They were storing stuff there...
[01:06:12] And they were encrypting it...
[01:06:12] Because...
[01:06:13] They didn't want the...
[01:06:14] Other hacker gangs...
[01:06:16] Breaking in and stealing their stuff...
[01:06:17] Because it was useless...
[01:06:19] Because it was encrypted...
[01:06:20] And I remember thinking...
[01:06:21] That's cool...
[01:06:22] The attackers are actually...
[01:06:24] Using like really good security practices...
[01:06:26] In this...
[01:06:26] Wide open...
[01:06:27] Completely breached...
[01:06:29] And...
[01:06:30] We are...
[01:06:31] We're back to that...
[01:06:32] Paradigm...
[01:06:32] Where...
[01:06:35] Joe...
[01:06:35] I...
[01:06:36] I...
[01:06:37] I have to tell you...
[01:06:38] I've heard a similar story...
[01:06:40] Where...
[01:06:41] Somebody...
[01:06:42] Uncovered a...
[01:06:43] Server...
[01:06:44] That was...
[01:06:45] Being...
[01:06:46] Being used...
[01:06:47] To crypto mine...
[01:06:48] And it's funny...
[01:06:49] Because it's exactly...
[01:06:50] What they did...
[01:06:51] Is they made sure...
[01:06:52] The actual server...
[01:06:53] Is completely patched...
[01:06:54] And protected...
[01:06:55] Against others...
[01:06:57] To come in...
[01:06:57] So they...
[01:06:58] Did a phenomenal job...
[01:06:59] Bringing it off the screen...
[01:07:00] From a security perspective...
[01:07:02] Just so they can...
[01:07:02] Ensure the fact that they...
[01:07:04] It was still being utilized...
[01:07:06] By their own service...
[01:07:07] There's...
[01:07:07] People are learning stuff somewhere...
[01:07:09] It's...
[01:07:09] Don't quit your day job...
[01:07:11] I think there's a lot of people...
[01:07:12] Working and...
[01:07:13] Getting that free education...
[01:07:15] And getting the experience...
[01:07:16] And...
[01:07:16] Their night job is...
[01:07:18] Breaking into 7-Elevens...
[01:07:20] It's...
[01:07:20] It's...
[01:07:23] Soccer mom by dad...
[01:07:24] By day...
[01:07:25] And...
[01:07:25] Hacker by night...
[01:07:27] You never know...
[01:07:28] The...
[01:07:28] The other...
[01:07:30] They're getting better...
[01:07:31] And more automated...
[01:07:32] And...
[01:07:33] Like I said...
[01:07:34] It's a spy versus...
[01:07:35] Spy again...
[01:07:36] With...
[01:07:36] AI versus AI...
[01:07:38] Which I don't necessarily...
[01:07:39] I don't think...
[01:07:40] You necessarily need...
[01:07:41] AI to fight AI...
[01:07:42] Some of the stuff has to be...
[01:07:44] But that shouldn't be...
[01:07:45] The knee-jerk reaction...
[01:07:46] But...
[01:07:47] A lot...
[01:07:47] Again...
[01:07:47] A lot of the best practices...
[01:07:49] That have been proven out...
[01:07:50] Should...
[01:07:51] Mitigate a lot of this...
[01:07:52] To an extent...
[01:07:53] Why you...
[01:07:54] Are able to work in the...
[01:07:55] Deal...
[01:07:55] You work in the background...
[01:07:56] To figure out...
[01:07:57] Which of these...
[01:07:58] Newer, better, flashier things...
[01:08:00] You're going to adopt...
[01:08:01] And...
[01:08:02] Combat this stuff...
[01:08:03] But yeah...
[01:08:04] The attackers always seem to be...
[01:08:05] Have to step ahead...
[01:08:06] They...
[01:08:08] They're quicker...
[01:08:09] Years ago...
[01:08:10] Yeah...
[01:08:11] Joe...
[01:08:12] Should we move back...
[01:08:13] To what?
[01:08:16] Should we move back to...
[01:08:17] To...
[01:08:18] Pencil and paper...
[01:08:19] For a little while...
[01:08:20] Until...
[01:08:21] Everything...
[01:08:21] Can't see my watch...
[01:08:23] But I'm the most...
[01:08:24] Analog person...
[01:08:25] You could possibly meet...
[01:08:26] I have a...
[01:08:27] I'm a paper day planner...
[01:08:30] I wear a mechanical watch...
[01:08:33] I'm a complete...
[01:08:34] Luddite...
[01:08:35] I swear...
[01:08:38] No one's gonna hack...
[01:08:39] No one's gonna EMP my watch...
[01:08:43] Joseph...
[01:08:44] Because...
[01:08:44] It's like the...
[01:08:45] The carpenter...
[01:08:46] What did they say...
[01:08:47] The shoemaker...
[01:08:49] Walks around bare feet...
[01:08:50] Cobbler's kid...
[01:08:51] Have those shoes...
[01:08:53] Yeah...
[01:08:54] Yeah...
[01:08:55] Yeah...
[01:08:55] I think that's...
[01:08:57] Pretty much it...
[01:08:59] So...
[01:09:00] Last question...
[01:09:01] If you could...
[01:09:02] Make a bet...
[01:09:04] Where...
[01:09:04] Which technology...
[01:09:06] Would...
[01:09:07] Become the next...
[01:09:08] The next big thing...
[01:09:09] In security...
[01:09:12] They were saying...
[01:09:13] Like aside from AI...
[01:09:14] What...
[01:09:14] What is...
[01:09:16] Out there that's exciting...
[01:09:17] Because they're talking about...
[01:09:18] Quantum computing...
[01:09:19] And...
[01:09:20] Now there's...
[01:09:21] Anti-quantum...
[01:09:23] Computing...
[01:09:25] The...
[01:09:26] Technologies out there...
[01:09:26] There's just so much...
[01:09:27] What would be the best bet...
[01:09:29] If you had...
[01:09:29] The next...
[01:09:31] 12 to 18 months...
[01:09:32] There's companies out there doing this...
[01:09:34] But like you said...
[01:09:34] It's...
[01:09:35] They're in that...
[01:09:36] Kind of commoditization...
[01:09:37] The commoditization phase...
[01:09:39] Or they're...
[01:09:39] They haven't really consolidated...
[01:09:41] Their offerings...
[01:09:41] Or...
[01:09:42] There's a lot of voices...
[01:09:43] Out in the wilderness...
[01:09:44] I think it's the...
[01:09:45] Predictive risk part of it...
[01:09:48] We should...
[01:09:50] Just...
[01:09:50] The little bit of things...
[01:09:51] I'm seeing now...
[01:09:52] We should be able to...
[01:09:53] Be a lot better...
[01:09:54] At the predictive part of it...
[01:09:55] Like I always pound on this...
[01:09:56] Doing business in China thing...
[01:09:58] But...
[01:09:58] We should get to the point where...
[01:10:01] When the...
[01:10:02] C...
[01:10:03] I...
[01:10:03] O...
[01:10:04] Or the CEO...
[01:10:04] The company says...
[01:10:06] We need to expand to China...
[01:10:07] We don't really want to...
[01:10:08] But...
[01:10:09] Costs are cheaper...
[01:10:10] We know we can do it...
[01:10:11] The competition's all done...
[01:10:12] And we have to do it to stay competitive...
[01:10:14] We know there's a risk...
[01:10:15] But...
[01:10:15] What's going to happen?
[01:10:16] Like we should be able to tell them...
[01:10:18] Yes...
[01:10:19] There's going to be a...
[01:10:20] 27% increase in risk...
[01:10:22] By doing this and this...
[01:10:23] And then when they say...
[01:10:24] Well what's that mean?
[01:10:25] It's like the red...
[01:10:26] Like when we give them...
[01:10:27] Red and green slides...
[01:10:28] Like what is red?
[01:10:29] What is green?
[01:10:32] That quantification...
[01:10:32] That predictability...
[01:10:34] Needs to be built in...
[01:10:35] But like I said...
[01:10:36] I don't see why...
[01:10:37] With all the AI that's available...
[01:10:38] Honestly...
[01:10:39] Not the machine learning...
[01:10:40] But true AI...
[01:10:41] And the huge data leaks...
[01:10:42] And everything that's out there...
[01:10:43] That we can't...
[01:10:45] Crunch...
[01:10:46] The data a little bit better...
[01:10:47] And at least start quantifying...
[01:10:48] All the historical knowledge we have...
[01:10:50] Of all this risk...
[01:10:52] And everything that's been happening...
[01:10:53] And is happening now...
[01:10:55] And start to get some predictability around it...
[01:10:58] The insurance industry can tell you...
[01:11:01] The day that I'm going to die...
[01:11:02] You know what I mean?
[01:11:02] And I think that...
[01:11:04] Security and risk needs to get to that point...
[01:11:06] We need to be able to like...
[01:11:08] Almost to more...
[01:11:08] Be able to more...
[01:11:09] Risk out farther...
[01:11:11] And be able to give our business leaders...
[01:11:13] Some sort of...
[01:11:15] Direction...
[01:11:15] So when we say it's going to be...
[01:11:17] Our risk is going to increase by 27%...
[01:11:20] If we do X, Y, and Z...
[01:11:22] They'll start to know what that means...
[01:11:24] They're not going to need to be spoon-fed...
[01:11:26] It'll be like any other...
[01:11:27] Our marketing cost will go up 27 points...
[01:11:30] Oh, okay...
[01:11:31] I get that...
[01:11:33] Our...
[01:11:34] Our customer acquisition cost will drop by 3%...
[01:11:37] It's got to become a business discussion...
[01:11:40] Risk...
[01:11:40] The risk part of it has to be just...
[01:11:42] Woven into it...
[01:11:48] Yeah, and the insurance company is very good about doing that...
[01:11:51] They have all these morbid tables, right?
[01:11:53] Where...
[01:11:54] They can tell you...
[01:11:54] If you walk in New York City...
[01:11:56] What are the odds of you falling through a gutter?
[01:11:59] There's odds...
[01:12:00] Because they had 200 years of...
[01:12:01] And that's...
[01:12:02] Of data...
[01:12:04] So...
[01:12:04] They can tell you pretty accurately...
[01:12:05] And they've been doing that for a century...
[01:12:07] Like...
[01:12:08] If they could do it with an abacus and green...
[01:12:12] Accounting books in 1905...
[01:12:15] Then why can't we do it with quantum computing in 2024...
[01:12:19] With a different set of data?
[01:12:21] Like, it's doable...
[01:12:22] We should be looking at that...
[01:12:24] But like you said...
[01:12:25] We're very on the defensive...
[01:12:27] We're very reactive...
[01:12:28] We don't think about the business enough...
[01:12:31] And it's...
[01:12:31] A lot of it's not our fault...
[01:12:33] But we need to stop saying it's not our fault...
[01:12:35] Go out...
[01:12:36] Involve yourself in the business...
[01:12:38] Find out...
[01:12:38] It may not work...
[01:12:39] At the company you're at...
[01:12:41] That may not be the place that they're ready to deal with it...
[01:12:45] But...
[01:12:46] You learning now...
[01:12:47] Or starting yesterday to figure out...
[01:12:49] What the business constraints are...
[01:12:52] Will do you a lot of good...
[01:12:53] Maybe not the company you're at...
[01:12:54] But maybe the next one...
[01:12:55] It can bring those lessons to bear...
[01:12:57] And then hopefully...
[01:12:58] Our development market...
[01:13:01] Yeah...
[01:13:01] We'll catch up...
[01:13:07] And Joe...
[01:13:07] I would always like to...
[01:13:09] Convene with a...
[01:13:10] Positive note...
[01:13:12] But you already established that...
[01:13:13] And I love that...
[01:13:14] Because you mentioned that there is...
[01:13:15] We have the ability to...
[01:13:18] To predict the future...
[01:13:19] By utilizing a lot of the tools we have...
[01:13:21] And a lot of the...
[01:13:22] Kind of the massive data we collect...
[01:13:24] Now with the...
[01:13:25] Kind of the AI and machine learning...
[01:13:28] We have the ability to do so...
[01:13:30] And we're going to get better...
[01:13:31] Over time...
[01:13:32] And I think that we're going to be...
[01:13:33] Very useful organization to be able...
[01:13:35] To focus...
[01:13:36] To figure out what...
[01:13:38] What is coming...
[01:13:39] And be...
[01:13:40] Be proactive...
[01:13:41] Versus reactive...
[01:13:43] Because as you mentioned...
[01:13:44] We're so ADD...
[01:13:45] And we have so many things...
[01:13:47] On a regular basis...
[01:13:48] On a personal level...
[01:13:50] So you're an executive now...
[01:13:51] You have to deal with...
[01:13:52] Putting out fires...
[01:13:53] And dealing with everything else...
[01:13:54] It's very daunting...
[01:13:56] But...
[01:13:57] We have faith in the...
[01:13:59] Knowledge that we'll fix some of these...
[01:14:01] I think we will...
[01:14:05] Yeah...
[01:14:06] Awesome...
[01:14:06] Thank you very much...
[01:14:07] What's the easiest way for people to...
[01:14:09] To get in touch...
[01:14:11] To provide feedback...
[01:14:13] Just...
[01:14:13] You name it...
[01:14:14] I'm on LinkedIn a lot...
[01:14:16] What's the easiest way?
[01:14:16] I tend to lurk around there...
[01:14:19] It's the greatest social engineering...
[01:14:20] Sales tool known to man...
[01:14:22] Which I...
[01:14:25] It works great in consulting...
[01:14:26] It works great for sales...
[01:14:28] So I'm on there...
[01:14:29] You guys can find me...
[01:14:30] Joe Schorr...
[01:14:31] S-C-H-O-R-N...
[01:14:34] Awesome...
[01:14:36] Fantastic...
[01:14:37] So...
[01:14:37] For everyone who joined...
[01:14:38] Thank you very much...
[01:14:39] Looking forward to seeing you...
[01:14:40] In the next episode...
[01:14:41] And until then...
[01:14:42] Stay safe...
[01:14:43] Online as well as offline...
[01:14:45] Thanks David...
[01:14:45] I'll see you again soon...
[01:14:48] Thank you very much...
[01:14:49] Thank you...