KBKAST
Episode 361 Deep Dive: Richard Stiennon | Why AI Security Will Define The Future Of Digital Defence
First Aired: April 01, 2026

Richard Stiennon is Chief Research Analyst for IT-Harvest, the firm he founded in 2005 to cover the 3,051+ vendors that make up the IT security industry. He has presented on the topic of cybersecurity in 31 countries on six continents. He was a lecturer at Charles Sturt University in Australia. He is the author of Surviving Cyberwar (Government Institutes, 2010) and the Washington Post Best Seller, There Will Be Cyberwar. Stiennon was Chief Strategy Officer for Blancco Technology Group, the Chief Marketing Officer for Fortinet, Inc. and VP Threat Research at Webroot Software. Prior to that he was VP Research at Gartner. He has a B.S. in Aerospace Engineering and his MA in War in the Modern World from King’s College, London. His latest book Security Yearbook 2022 was released in June, 2022.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Richard Stiennon [00:00:00]:
All the trends are overshadowed by the impact of AI security. Two main branches, it’s security for AI, so all the ways to protect your company from people leaking data to AI. All the ways for, you know, to protect the models so people don’t try and inject through prompts to pervert them in some way. That’s one half of it. The other half is AI for security. How do we use AI to improve our security processes? That’s, to me, the most exciting part because the one is, okay, new technology, new attack surface area, new methodologies, yeah, we got to protect that new thing. But the other is, oh, my God, this is changing everything.

Karissa Breen [00:00:58]:
Joining me back on the show is Richard Stiennon, chief research analyst at IT-Harvest. And today we’re discussing why AI security will define the future of digital defense. So, Richard, thanks for joining and welcome back.

Richard Stiennon [00:01:17]:
Oh, thank you so much, Karissa.

Karissa Breen [00:01:19]:
Okay, so it’s been a little bit of time since I’ve had you on the show again, and I think we discussed this just before we started the recording. You’ve got an interesting background. I really enjoy talking to you because every time I talk to you, you just, it really like my head always nods and like you get the space. So perhaps I really want to start with your view as of today. Give us a little bit of a lay of the land and maybe talk through at a high level what you do so people can connect the dots. But I’m curious to see how you see the landscape today.

Richard Stiennon [00:01:49]:
Okay, good. Yeah. So it’s easy to think of me as an industry analyst, right? I’m former Gartner, and then IT-Harvest is a firm I founded over 20 years ago. But unlike any other analyst firm, I want to cover the entire space that I’m responsible for. In this case, cybersecurity. There are over 4,000 vendors in the space, and big analyst firms tend to just look at the big vendors because their big customers only buy from big vendors. But to me, the interesting things go on at the startup level.

Richard Stiennon [00:02:23]:
So I try and identify companies as soon as they launch, as soon as they have a web page, as soon as they have a LinkedIn page, they’re in our database, and then I’m tracking them. They start with two employees based on LinkedIn data, and they grow to 50 in the same year. These guys are doing something. They either got funding that they haven’t told us about or they’ve got a product that people really want to buy. So that’s how I identify trends in the space. And the trend today is just overshadowed. All the trends are overshadowed by the impact of AI Security. And AI Security is two main branches.

Richard Stiennon [00:03:01]:
It’s security for AI, so all the ways to protect your company from people leaking data to AI, all the ways for, you know, to protect the models so people don’t try and inject through prompts to pervert them in some way. That’s one half of it. The other half is AI for security. How do we use AI to improve our security processes? And that’s to me the most exciting part because the one is, okay, new technology, new attack surface area, new methodologies, yeah, we got to protect that new thing. But the other is, oh my God, this is changing everything. So since I started covering AI security as a separate category, there are now 354 vendors that fit into those two major branches that I just told you about. I’ve only been tracking the space for just over a year last year when sometime in April, it was the first time I said, wait a minute, if AI is really growing as fast as it is, which it is, right. AI did double the foundational models, double in capability every two and a half months.

Richard Stiennon [00:04:14]:
That’s what the 10x every year translates to. So no matter what, if you think AI is horrible today, it can’t do anything and hallucinates whatever, two and a half months from now, it’s going to be twice as good at it. So half the number of hallucinations if you prompt it properly. And we’re just not used to thinking at scales like that of things doubling every two and a half months. And that’s why I started looking really, really closely at this space because it’s going to be really exciting.

Karissa Breen [00:04:44]:
So a couple of things that I’m curious to understand. 4,000 vendors, I mean, there’s maybe slightly more, maybe slightly, maybe not less, but there could be more. But do you think that’s a lot? And I asked this because given what you just said around the whole AI piece, there’s more. And I know we’re going to get into some of the numbers around how many more you’ve seen in recent times. But is that a lot?

Richard Stiennon [00:05:08]:
I don’t think so. You know, when I dig into it, it may seem like a lot, right? There’s over 200 SIEM products on the market from like 130 vendors. It may seem like that’s too many. You know, we need Splunk and a couple competitors. Why do we have so many? Well, there’s regional differences in buying patterns. People in Germany don’t necessarily want to buy US technology ever since Edward Snowden. Or there’s just different needs for all. GRC is the biggest category of products out there and that’s because there are different needs in different regions for governance and compliance.

Richard Stiennon [00:05:48]:
So no, I don’t think it’s too many. And I welcome the. Typically, traditionally there’s about 220 startups launching every single year.

Karissa Breen [00:05:58]:
Yeah, that’s interesting because I was thinking different strokes for different folks, right? Like a smaller company doesn’t need a full blown Splunk capability, it’s just overkill. So why are people out there saying, oh, it’s a crowded space, Richard, oh, I can’t get a deal over the line and there’s 50,000 vendors trying to go in after this size. I mean, you hear a lot of that. So how does that sentiment sort of sit with you then?

Richard Stiennon [00:06:17]:
Yeah. On the CISO side, when the CISOs complain, I just see it as whining, frankly. They complain because there is a well established way to make sense of any market and that’s to turn to industry analysts whose full time job and passion is understanding the market. So they, you know, there’s no way you are going as a CISO who’s presumably super busy going to meetings discussing security and policies and risk registers and all the rest of the things CISOs have to do. There’s no way that you can be an expert in the cybersecurity industry. You have to seek outside guidance and you’d be well served going to Gartner, you should be well served going to Forrester for that guidance and, or you know, advertising myself, or come to a niche industry analyst that can help you. And our data of course is just a stab at that. Right.

Richard Stiennon [00:07:12]:
It’s like so simple. You want access to our data, then you can start to understand the whole space. Cause you see the whole space and you can slice and dice and, and sort it and create your own research.

Karissa Breen [00:07:23]:
So one of the things you said before, seek out guidance. Now I’m just going to speak anecdotally because obviously I speak to a lot of people in the US market, Australia, UK, et cetera. People nowadays are probably wanting to either do a, their own reconnaissance on a tool or a product or service, for example. And you know this. I’ve also seen a bit of a decline in perhaps an affinity to the larger research houses. What are your thoughts then towards how people are approaching getting guidance in the market today?

Richard Stiennon [00:07:57]:
Yeah, it’s changing. I hear from mostly people who are not, you know, seat holders at the Gartners of the world who find a lot of value in just querying ChatGPT or Claude or Gemini or Perplexity, any other favorite AIs. And you get extremely good results when you say, hey, you know, we’ve got SentinelOne, but we want to seek alternatives because we’re not happy with this feature. And ChatGPT will give you great answers, you know, really great guidance to explore. It won’t give you the personal experience of an industry analyst who’s been there, done that, or has talked to clients that have been there, done that. So qualitative difference between the two. But for speed, responsiveness, immediate, which is how we all work today, we want the answers now. We don’t want to schedule a call with an analyst for three weeks from now.

Richard Stiennon [00:08:56]:
I think that’s right. Now the challenge that the Gartners face is that people are finding that they can get good enough answers from ChatGPT.

Karissa Breen [00:09:06]:
Okay, I want to go into this a little bit more because this is where it gets interesting and this is the shift that I’m seeing. So my first question would be with Gartner and friends, with the speed you mentioned before and the responsiveness, some of these reports can take like a quarter or even longer. Right. So where. How does that. Because things change, like day to day, minute to minute. I know some in media, like one minute, like every day. Why I like the space is every day something’s going on, something’s changing.

Karissa Breen [00:09:32]:
So how, when a report is distributed in the market, how is that then relevant to when you read it? Sort of. Even if it’s a month later, how does that sort of sit then?

Richard Stiennon [00:09:42]:
Yeah, if you follow super large vendors, the report’s pretty accurate six months later. Because super large vendors, I’m talking CrowdStrike, Palo Alto, Cisco, they don’t change. Right. They’re the same thing today as they were last year. The thing that’s changing is that they’re acquiring companies, but they’re acquiring companies that don’t have magic quadrants about them. Right. So from the perspective of the analyst who’s creating the quadrant or the wave, it doesn’t change anything for their upcoming report. So it can stay pretty consistent that way.

Richard Stiennon [00:10:18]:
Maybe that’s one of the reasons that they don’t cover what they term dismissively emerging technology. Because it changed so quickly, a report that takes six months to generate would be out of date when it was published. And case in point, so I’m writing the biggest market research report ever created in cybersecurity. And it’s a complete report on all. What’s the number? Which we just updated, 354 AI security vendors. So a couple paragraphs on each vendor and then my analysis on top of that, it’s going to be published in book form. It’s so difficult to do because we add two new vendors a day. When do I stop to publish the book? Luckily, acquisitions don’t happen quite that fast yet.

Richard Stiennon [00:11:05]:
But at some point I’m going to stop and then there’ll be a chapter in the back for vendors added after the designer got their hands on the manuscript. To get this book out the door, no matter what, the book has to be available at RSA conference in March. But that’s case in point. This is the fastest moving. Not only is it the fastest growing segment in security ever, it’s the fastest moving. Right. So things are changing and AI governance vendors are discovering that, you know, there’s demand for guardrails and the guardrails people realize that they’ve got to be able to do the discovery of where people are using AI, which puts them in the governance. So those guys are already merging or converging in capabilities.

Karissa Breen [00:11:49]:
So our next question would be going back to someone type something in. I mean this is an arbitrary basic example, top SIEMs in the space, right? And then it’s obviously gonna pop up. Bunch of responses. One of the things that we’re noticing even in media is a shift and forgetting about perhaps website traffic and more about dwell time. So what I mean by that is if you do content placement as a vendor across media sites like mine and other places means that you’re gonna be feeding the LLMs. Now journalists in the space hate this. However, it’s going back to the behavior of how the consumers are wanting to understand information. Like I said before, speed, responsiveness.

Karissa Breen [00:12:26]:
They just want to get a high level picture and then perhaps go and do further reconnaissance, whether it’s through a platform or elsewhere. So do you think that vendors perhaps need to change their view on how they’re going about marketing? Yes, is a broad, sweeping sort of term. But how they’re getting is what we call reference media references, whether it’s on your side or Gartner or and to some degree ours. And we’re changing this to feed that even more because we want our site to show up when it’s asking about top SIEMs, for example. Not in the same way an analyst firm like you would go into it, but it’s about getting that high level awareness, at least that’s feeding the LLM. So then you’re showing up potentially as the top 10.

Richard Stiennon [00:13:12]:
Yeah, yeah. Okay. So things are changing really fast. We track the number of website visitors to every security vendor month to month and in the last several months every single one of them has had significant drops in web traffic. That’s because people are going to LLMs first and relying on it. So LLM is a single source that’s giving them what they need. So it’s your. All the investment in SEO over the years is falling by the wayside because as one really smart marketer explained it to me, LLMs are not interested in keywords like Google is, they are interested in ideas.

Richard Stiennon [00:13:53]:
So very important to be promulgating all of your marketing material in such a way that you’re one. Yes, you’re providing data, not the keyword stuff because LLM knows what it’s looking for, but the ideas that go around the data and the interpretation of the data and then you’ve got some hope of being discovered by the LLMs in reference.

Karissa Breen [00:14:15]:
And then I think I was speaking to a marketing person the other day about this and they were like, oh my gosh, had no idea. Then going back to one thing I think to pay attention to would be dwell time. Dwell time meaning how long someone’s on your site for. Because again you ChatGPT, they found out top 10 SIEMs, site comes up, then they’re going to do a little bit more research. Then maybe they hit up, you know, your sort of platform and do a little bit more. Is that the way do you envision moving forward at a high level? You see people in the market perhaps across the world, finding new products, understanding a little bit more about new products. Is this the way that you believe people are going to do the recon?

Richard Stiennon [00:14:53]:
I do the, you know. And if you’re monitoring it, when a LLM comes to your website, the dwell time is fractions of a second. Right. It just gets the data and it’s done. And it might click through a bunch of links too, but it’s still in seconds. I was doing some. Oh yeah. I have to officially identify myself to the UK government because I’m a director of a company there.

Richard Stiennon [00:15:19]:
I asked ChatGPT to help me debug an issue with the UK government’s app that does NFC scanning of my passport and it found whatever resource somewhere, but it must have hit that page for an eighth of a second before it gave me guidance on using an iPhone instead of a Samsung, that kind of stuff, that’s what’s going to be going on. So dwell time is going to be meaningless. It’s the connections, page views, those matter still because the LLMs are doing it. LLMs and their extension agents. Right, because they’re using agents to do that as well. Everybody who’s getting things done, it’s going to be a completely new world. We’re used to asking Siri questions about time of day instead of stopwatch. Stuff like that’s going to extend to all of our research and product decision support practices.

Karissa Breen [00:16:14]:
So going back to your comment, around 354 AI security startups, I believe, is that correct?

Richard Stiennon [00:16:22]:
That’s correct.

Karissa Breen [00:16:23]:
So tell us what’s going on with them. Is there something that comes to mind straight away? Anything you can sort of see from an analytical perspective that you can share?

Richard Stiennon [00:16:31]:
Yeah, you know, I first wrote about them on my Substack in April and the Substack was inspired by this AI 2027 report that came out of a group in California and it was way over the top. It’s like, you know, it took a second to grasp what they’re aiming at, but it’s scenario planning. And the scenario is, you know, what happens when AI agents are used to do AI research and that, you know, so they did that planning and they recognized that most of the foundation model companies, OpenAI, Anthropic, Google, were starting to use AI agents to, you know, come up with new algorithms and do new testing of learning models. In other words, artificial intelligence was getting in the loop of creating the next layer or level of artificial intelligence. They predict that by the end of 2026 this year, all that work will be 100% done by AI agents. There’ll be millions of them working at these AI companies to do that. And that will generate AI that we don’t even understand anymore, but will get to, you know, that magic singularity where they truly are intelligent, or we’re now using the term superintelligence. So it’s going to be different.

Richard Stiennon [00:17:54]:
So it won’t be a human that they create. It’ll be something that’s better than a human at a certain function. I read that and I said, okay, let’s assume that their scenario plays out. What does that mean for security? And that’s when I said, oh my God, all these people are telling me that they can automate triage in a SOC. Agents are going to get tremendous traction. And I predicted by the end of 2025, the first sales will be made. And throughout this year of 2026, we’ll see adoption. Well, I started to get calls from the founders of those companies.

Richard Stiennon [00:18:29]:
They said, Richard, we launched in January of 2025. We’re already at a million ARR. This is only four months later. And then by the end of the year, they’re telling you they’re at 3 million ARR. And you know, those are. There’s a bunch of them, bricklayer mind presecurity. I’m sure that 7AI is already there. They’re one of the biggest torque.

Richard Stiennon [00:18:51]:
These companies are growing massively and they will have trouble keeping up with demand. Right. And you know, whatever pricing they have set will be supported because of that inability to scale fast enough to meet the demand. Because once a CISO says, well, I better try this out, and so we’ll have a little proof of concept or proof of value. And they go, oh my God. This task over here that we assigned it, it did 100% completely every day, no slowing down over the weekends with humans or during the shift change, et cetera. Just looks at every single alert, determines the root cause of the alert, decides if it’s malicious, if it is, creates a case, does the research to determine what’s going on, and talks to all the tools like SOAR for how do we mitigate it. In other words, you’re no longer being asked by a machine to take action to add a firewall rule or shun a particular network connection that’s going on.

Richard Stiennon [00:19:54]:
It’s doing that for you. And all you’re doing is reading the result of all the attacks that are coming against you that have been thwarted, that once you realize that works, then you’re going to completely swap out your SOC for automated agents. It’s not saying you’re not going to fire those people. Those are still super valuable people. They’re going to, you know, somebody’s got to train the agents. Somebody’s got to look for better ways. Somebody’s got to still do threat intelligence and attacker intelligence. So plenty of work for everybody in the SOC.

Karissa Breen [00:20:26]:
Okay, so I’m curious then to ask, just say hypothetically, company spends a million bucks a year with some vendor out there. Now, what you’re saying, do you think that because things can be automated, there’s less, like, human in the mix, perhaps because there’s agents, et cetera. Everything you sort of did mention, do you envision that the spend will drop, just, for example, go down to 800k a year? Because it’s like, well, we’ve sort of saved you 200 because we don’t need, you know, an extra Richard in there doing this thing. So therefore the spend per year will drop or do you think it’ll stay the same, but then just the capability will improve?

Richard Stiennon [00:21:04]:
Yeah, the latter because of course nobody gives up budget. That would be insane. You are going to repurpose existing budget and get a lot more efficiency out of your budget and be a lot more secure. That’s what I’m so excited about, is that this holds out the promise because I’m, I’m not a big fan of detection and response, it seems compared to protection, which includes firewalls. Right. You put in a firewall rule and you’re no longer seeing alerts about somebody trying to hack into your telnet server. Right. Because the firewall blocked all access to that protocol and it’s just not happening.

Richard Stiennon [00:21:42]:
So you don’t have to worry about it and don’t have to do anything. If you’re into the detection and response, then you’re monitoring for telnet attempts and it creates an alert and you have to do something about it and something that the SOC analysts could be better spending their time on something else. So protection is in my book always better than detection. If only endpoints weren’t so vulnerable, right, that they constantly have a barrage of attacks against them. But pipe dream to wish that people would use secure operating systems and secure applications. We still need detection, response. The attackers are coming up with new methodologies for attack all the time. And the question is, can we increase the cost for the attackers? So they too have to use AI, which you know, they’re going to right now it’s cheap for them to use it because it’s not very sophisticated.

Richard Stiennon [00:22:37]:
But if they had to become, they would have to use AI to get around an AI defended company and they’re. I don’t think they’re ready for that.

Karissa Breen [00:22:46]:
So I get no one’s to give up the budget. But probably what I poorly asked you was do you think clients will start to scrutinize the vendor to be like, well, hang on a second, you’re automating all of these things. Why are we still being charged the same then? I guess their position will be, yeah, but we’re doing all these other things. So it’ll just level out. Yes. Spend or say, say the same. But you’re also. Yes, we’re probably not doing as much human stuff, but we’re doing all these other things on top of it.

Karissa Breen [00:23:09]:
We’re there for it equals that.

Richard Stiennon [00:23:12]:
Well, there will be a challenge for legacy vendors, right? Because they don’t have all the efficiencies of AI. So, you know, and let’s just pick on Splunk, right? The legacy of all legacy vendors. They don’t have AI, right? So they can’t argue that you should pay them more for anything because you don’t really need to have a specialized database for logs and alerts, right? You just throw them in a big data lake and let AI figure it out. Right? It’s perfectly capable. That’s what it’s like. That’s what it’s so good at, is interpreting and deduping and converting everything into the same format. It is perfect for that. I use it every day for my data reduction, for that.

Richard Stiennon [00:23:56]:
So you don’t need specialized things and specialized language query languages to do the research. Oh, it’s just gone. So what do you need Splunk for? So there’s. There’s a couple of companies that pay over $100 million a year to Splunk. They can save that money really, really fast. They’re still going to have storage costs, they’re still going to have transport costs in and out of the cloud, but they don’t need all those Splunk charges. Whereas one of these 400 plus vendors, they don’t have that. They can log into.

Richard Stiennon [00:24:25]:
They can grab Splunk data or Elastic data, et cetera, but you don’t need to have it there. They’re perfectly happy if you just dump it into S3 buckets and use it there. So I think there will be significant cost savings with legacy stuff.

Karissa Breen [00:24:40]:
Do you think, and I mean, I’m speaking just as an outsider, do you think that their positioning is. Yes, but Cisco acquired Splunk and their view of value perhaps is around the interoperability, and now we’ve got full visibility because we’re doing all the network stuff and we’re managing everything. Do you think maybe that’s more their play? I mean, I’m just giving an example. Maybe I’m wrong, but I’m just curious. That’s what I’ve been hearing about.

Richard Stiennon [00:25:05]:
Yeah. You know, Cisco’s been doing acquisitions for 20 years. They will do an acquisition for financial reasons. Right. Hey, these guys are doing well and we’ve got customers we can sell their stuff to. So let’s just buy them. They’ve done that since, you know, IronPort days. Going back for email security now, mind you.

Richard Stiennon [00:25:25]:
Where’s IronPort today? Do you use Cisco email security in your organization? I doubt it. So, yeah. So ICUES Cisco architecture. So their product lineup, the way it all fits together only exists in their marketing slides, nowhere else. They do not actually integrate their products. They don’t get the advantages from having those. Right now, Cisco’s got the advantage of Splunk’s entire customer database. That’s great.

Richard Stiennon [00:25:51]:
Cisco can sell routers to them, I guess, or whatever else they sell, and vice versa. They can take people who weren’t Splunk customers and some Splunk stuff, but it’s got nothing to do with efficiencies or more security at all.

Karissa Breen [00:26:05]:
So I’m curious to understand, who else would you put in the bucket of more of a legacy vendor?

Richard Stiennon [00:26:10]:
Oh, gosh, easily. Fortinet, WatchGuard, Sophos on Labs, Oracle, which believe it or not, is a big identity product. Microsoft for sure. Right. Microsoft’s the lowest common denominator for security and yet claims to be one of the biggest, if not the biggest seller of security. All legacy, nothing cutting edge, not the new stuff.

Karissa Breen [00:26:33]:
Don’t you think every vendor’s saying, oh, we’re leading this, we’re doing that? I think they all sort of say it at some point though as well.

Richard Stiennon [00:26:41]:
Yeah, they lead as far as market share goes, but they’re not thought leaders. They’re not driving the industry. That’s why they spend tens of billions of dollars on other companies, because they have to buy that innovation and thought leadership.

Karissa Breen [00:26:56]:
So the other thing I’m curious to get your thoughts on is now based in the US we’ve been doing a lot more conferences. One of the things I’ve started to notice is vendor does X. But then there’s obviously creep into potentially what other vendors do, which perhaps are just more point solution style vendors. But then I’m starting to get a little bit confused because it’s like, well, they’re all starting to overlap. And I know there’s always been that, but there just seems to be like there’s more, more of it. So what do you think’s going on here? And then is that just going to be what we expect? And then are we going to see more acquisitions? Because it’s like, well, this company does, you know, 10% of what we do, may as well just buy them. And that’s all that they do in terms of specialization. But are you seeing this as well?

Richard Stiennon [00:27:38]:
Yeah, and it’s frustrating because it’s a lack of studying history of our industry. Now, mind you, I’m, I’ve written the only history of our industry. So if the executives at Palo Alto and CrowdStrike would read my books, they’d realize that from an industry analyst perspective, buying centers matter a lot. So if you are a network firewall appliance vendor, as Palo Alto is, you’re going to have completely different buyers than the people who buy antivirus so, or endpoint detection or response. So the idea that you could also sell that so you buy an EDR solution and then sell it to your existing customers is false. Right. You would need an entire new sales team that knows the endpoint people at your customers and takes them to dinner and has established trust relationships with them. And it’s always been the case.

Richard Stiennon [00:28:40]:
It’s most often it’s the endpoint vendors. If you read history, there used to be companies called Symantec and McAfee and CA that had endpoint security solutions. They all invested heavily in acquisitions to get into the security space and failed. Didn’t work. Not only did they fail to make it work, the companies themselves failed and were chopped up by private equity. And they’re just shells of what they used to be. So my warning to those that are convinced that it’s platform is that is a false trail to hunt that the buyers, when it comes down to it, still want best of breed. Because we’re talking security, we’re not talking human resource management where you make some compromises to get a better price or you listen to your purchasing department because they really want one less folder of information on a supplier.

Richard Stiennon [00:29:35]:
That’s their whole, you know, compensation is based on reducing the number of suppliers. They want to buy everything from one company. That’s why they use distributors and resellers. Chasing that game is a losing game. Always has been, always will be. And you know, yeah, it works to some extent. If you’re, you know, a really good network firewall security vendor and you buy a technology and bundle it into what you have and charge extra, you can do that, you definitely can do that and increase your revenue and make the stock market happy. But you’re taking, you’re biting off more than you could chew.

Richard Stiennon [00:30:11]:
If you’re a network security vendor that wants to get into identity and buys the definition of legacy technology from CyberArk.

Karissa Breen [00:30:20]:
Okay, hang on, this is really interesting. So let’s, let’s go back through history. So let’s go 20, 30 years ago, everyone went to IBM, bought everything from them. We’ve obviously seen the rise of point solutions, everyone to that. Now again, platformization. I’m hearing it a lot from internal CISOs saying, oh well, we only want to deal with X amount because we’ve got too many tools, there’s lack of interoperability, blah, blah, blah, blah, blah. So you’re saying to your words, that’s a false trail to hunt again now like people should not be doing this.

Richard Stiennon [00:30:48]:
Those CISOs are, I don’t know, they’re listening to the CFO, they’re listening to the purchasing organization. They’re totally wrong. You do not get fewer dashboards by buying from Palo Alto. You will get an additional dashboard for every single product that you buy from them. It’s not integrated. You don’t get fewer products and you’ll be totally locked in, right? You’ll have to buy the next product from them because, just like Microsoft, right, once they had a monopoly on the enterprise for desktop and servers, everything had to be bought from them. That’s why they own the identity space and their own endpoint detection and response through Windows Defender, because they got a monopoly and they got everybody to buy into this. I remember the days in the late 90s when CIOs were lauded for their courageous decision to standardize on Windows for everything.

Richard Stiennon [00:31:44]:
Biggest mistake ever. Maybe I should be thankful for it because that created the cybersecurity industry because now we had the exact same vulnerable ecosystem on everything. So it became a big deal to provide security for that. And here we are. Today your biggest spend is on Microsoft and it shouldn’t be that way, right? Luckily, the saving grace is Microsoft never won in the cloud space. So that even on Azure you use flavors of Linux for your servers or

Karissa Breen [00:32:15]:
you should be okay. So does this mean this whole platformization approach, we’re moving to platforms and all of that sort of stuff, we’re consolidating all of the stuff you would have heard. So you’re saying that people are now going to go back to just doing point solution, style of stuff and perhaps reduce if Palo Alto’s got 10. I’ve heard about all of these sort of vendors. It’s like you think you’re getting the one, but then you’re going to log into another system that’s just being bolted on at the 11th hour. So you’re saying that we will go back to. You’re going to have your big players, but then you’re going to still have your vendors that are perhaps, you know, specificity in specific area. There will still be a need for these players.

Richard Stiennon [00:32:55]:
More than that, I’m saying that nothing’s changed, that I’m just saying that platformization is not a trend. Despite what you hear from everybody. It’s not a trend, it’s not how it works. There’s 4,000 vendors out there. And you know, there’s no platform that can do it all and there never will be. And you wouldn’t want there to be, right? Because then there’s one vulnerability in your platform means an attacker can take down your entire organization and own you. You do get additional security from having multiple vendors, right? Because you have to. You can’t trust a single vendor to be perfect.

Richard Stiennon [00:33:32]:
So people that are, you know, fans of buying from Fortinet discover that practically every week, because there’s a new vulnerability that’s remotely executable in a Fortinet gateway or Fortinet anything. It’s because Fortinet is super integrated. And as a matter of fact, if you’re really into platforms, you should only be talking to Fortinet. They’re the only ones that don’t buy other companies and patch them together. They are, you know, the best engineering company in the business and they create all their own products and they all work together, they all share code, have the same developers, and that leads to, you know, the crappy security that comes with Fortinet products. And you’d get that if you went with any platform. Luckily you don’t, right? You use Duo Security for strong authentication. Boom, that’s Cisco, right? You use Palo Alto for your gateway firewalls.

Richard Stiennon [00:34:25]:
Use CrowdStrike for your endpoint. That is just the way it is and that you’re not going to buy all three of those from one company.

Karissa Breen [00:34:33]:
So are you a fan or not a fan of when companies buy these other smaller players and try to absorb them, bolt them on? I know it’s sort of a. It’s a bit of a hard question because it depends on all those things.

Richard Stiennon [00:34:42]:
But generally speaking, that is how the industry works. So I’m a fan of it. I think it’s great. So the way that a large company is going to innovate and stay alive and grow over time is by paying for innovation. They pay quite a premium for it. Right? Look at CrowdStrike, just paid 700 million for SGNL, an identity company. They pay for that because it’s more efficient. Right? You can see it working and see it working at hundreds of customers.

Richard Stiennon [00:35:11]:
So you know it’s a good product and you know that you can sell through to your thousands of customers. So easy decision to make and that’s the way of the world. It’s always been that way and I think it always will be that way. So, yeah, that’s just how it should be.

Karissa Breen [00:35:24]:
So I’m curious to get your thoughts then on vendors, how they’re going to market, how they’re marketing, media, PR. Given everything we discussed today, what are your thoughts? Because I’m speaking to a lot of people in this marketing world, PR world. Oh, it’s harder than ever to do these things. It’s hard to get journalists. What would be your sort of insights for those folks?

Richard Stiennon [00:35:48]:
Well, I certainly agree. I mean, tech journalism is practically gone, right? It’s not what it was before the financial crisis, which seemed to kill the Network Worlds and Computerworlds off. So yeah, so there’s no tech journalism anymore. Right. So the few people you call are just maybe regurgitating press releases because they’ve got to have some content today. And it’s very sad. The good tech journalists are way, way underpaid. It’s a crime how they have to scratch and struggle to stay alive.

Richard Stiennon [00:36:21]:
So yeah, forget all that. You gotta create your own content. You’ve got to make it valuable. Follow the lead of the Verizon DBIR in creating this really useful content with your own research. Get it out there, get it in front of people. PR work, you know, you kind of have to replace the fact that people don’t have hard copies of Network World sitting in their lobby anymore. There’s no place to put your message. You know, obviously television is not going to work.

Richard Stiennon [00:36:52]:
Maybe TikTok and Instagram is.

Karissa Breen [00:36:55]:
And what about. Do you think in person events are coming full circle again? Because it’s like, people seem a little bit fatigued by like stuff online after a while and the whole proverbial doom scrolling.

Richard Stiennon [00:37:06]:
Yeah, I think we all thirst for in person events because, yeah, you just got to get away from our computers and our desks and our home offices. So I think in person events are fantastic. I think there’s a little bit of fatigue. There’s only so many fancy steak dinners you can eat, right? But the draw to those events is you’re interacting with your peers. This is where you will hear a message and you’ll be judged. You know, if a vendor sponsored it, the vendor is going to be judged in that dinner meeting. And they may all come away and be talking on the sidewalk while they wait for their Ubers, saying, yeah, these guys, I don’t, I don’t trust them, or whatever. Or these guys look great.

Richard Stiennon [00:37:52]:
I’m going to give them a try, which is the hoped-for outcome.

Karissa Breen [00:37:56]:
So then for 2026, and I mean, I could probably have this list in my mind based on what you said, but I’m curious to see like what do you think’s in fashion for 2026? What do you think’s out? Curious to get a bit of a high level. Maybe three and three.

Richard Stiennon [00:38:08]:
Ooh. It’s funny how there’ll be new things in fashion, but they don’t push things out. Right. Yeah. I look to AI to help us with SOC automation, vulnerability automation, and pen testing and red teaming automation. Those are the three. There are many others.

Richard Stiennon [00:38:29]:
I’m excited by AI being applied to email security because every day I ask the question, why are there 107 email security vendors? Everybody uses the same email provider, Microsoft, for their business. How come Microsoft can’t protect that email? You know, they’ve got the infrastructure. They claim they’ve got trillions of alerts and they’ve seen every email. They’ll see the first email that uses a new method. They don’t. So those three on the AI side. I’m pretty sure that the fad around post-quantum cryptography is flattening out a little bit. Yeah. It’s just like this is the security world, right.

Richard Stiennon [00:39:09]:
We don’t invest in a single thing until after the threat arrives. Right. It’d be great if we thought five years down the road, and the Chinese are collecting information right now, they’re going to be able to decrypt it in a second as soon as they finish turning these qubits that are currently about a meter high and have to be kept cooled to the lowest temperature in the universe in order to get them to switch a bit between several states. Someday the Chinese are going to turn that into supercomputers that can decrypt the advanced algorithms. Okay, great. Tell me when that happens and then I’ll. Then I’ll invest in, you know, swapping out our encryption algorithms, because we can do that pretty fast. So, yeah.

Richard Stiennon [00:39:55]:
So I put that in the out-of-fashion space right now. Anything to do with bitcoins. Right. It’s just gotta. Gotta disappear and go away forever in security. Obviously, if you had bitcoins, it’d be nice to cash them in. Yeah.

Richard Stiennon [00:40:11]:
So every time I see somebody go, we’re gonna use the blockchain in order to do, you know, things that PKI successfully did 25 years ago.

Karissa Breen [00:40:20]:
The quantum piece is interesting because I’ve heard a lot more people in my sort of circles raising it. So you think that’s flattening out. So you think it’s gonna. Do you think it’s gonna be sort of like the whole Web3 thing? Remember when around Covid time, everyone was going nuts about that and then I haven’t heard anything from it since.

Richard Stiennon [00:40:36]:
Yeah, Web3 is another one that’s just a laughing stock. If somebody says Web3 on their LinkedIn profile, I won’t let them connect. It’s like, no, I don’t want to hear from you at all. I think quantum is just like that. It’s like the Segway. When I was at Gartner, the Segway came out and a bunch of analysts at Gartner and futurists said the Segway was going to change the makeup of cities because it was going to change how we move. It was a really good experience seeing people that otherwise were smart make those predictions.

Karissa Breen [00:41:12]:
And so I know things are changing day to day and like new vendors are emerging. Anything you can sort of leave us in terms of like your hypothesis for the year perhaps? I know you’re not Nostradamus, you don’t have all of the answers, but you do have a lot of insight.

Richard Stiennon [00:41:24]:
Yeah, the standalone AI security industry is going to have a very, very short half-life. I predict that by the end of 2026, you won’t be able to say that there is an AI security industry, because all of security will have AI embedded in there.
