Introduction (00:30) You are listening to KBKast Cyber Security podcast for all executives cutting through the jargon and height to understand the landscape where risk and technology meet. Now, here's your host, karissa breen. Karissa (00:45) Joining me today is Mark Guntrip, senior Director cyber Security Strategy from Menlo Security. And today we're discussing the failure of security solutions. So, Mr. Guntrip, thank you so much for joining. It was wonderful to meet you. Here at the event in Sydney a few months ago, your last name did stand out to me and I think, like you mentioned, there's seven Guntrips in the world. So I appreciate you being here and. Mark Guntrip (01:09) You'Re now talking to one of them. Karissa (01:12) I've got to find the other six and then I'm good. So, Mark, I really want to start with now, you mentioned that the failure of security solutions. So this is interesting, probably controversial because people are probably implementing solutions that are failing, right? So I'm really keen to get into this. So tell me everything. What are your thoughts? Let's hear it. Mark Guntrip (01:34) Well, hopefully, if you look at the plethora of security vendors out there, looking at the threat landscape, looking at threats, looking at costs, looking at everything else, I don't think it should be too surprising to come across the fact that security is failing because the band graphs keep on going up and to the right, it's going to be how many threats? How much does it cost? How quick are they coming? And then you look at the other side of the things of how much money am I spending on security? It's kind of all going in the wrong direction. And this isn't necessarily a new phenomenon. I haven't discovered anything that's drastically surprising here. It's happened over the last 1015 years. But I think if you start to take one level down and think about, why is this happening? Honestly, I think the security, security solutions, security technology security teams are just being outpaced by the threat actors in terms of innovation, of what are they going to do and how is it going to work? And in terms of adoption of let's just do this, let's do it really fast, let's do it on a global scale and then push it all out. Mark Guntrip (02:47) And these threat actors are basically taking the legitimate technology advancements and everything that's moved forward and using it for their own purposes. So they're very much a fast follower in terms of using what's available to them, but they're doing it in a much faster method of rolling out on a global scale. So I think the threat actors are moving faster, the security teams are being a little bit more conservative. But I think the the other element at play here is the fact that the the world has moved on over the last 1015 years. As I mentioned earlier, that what we do, how we work, where we work, is very much different. And so if you take your I'll use a larger organisation, maybe as an example, that invested a lot of money 45678, 910 years ago and has maybe renewed and maybe updated and maybe added a couple of things. The problem that they were trying to solve eight years ago is not necessarily the problem that they need to solve today. So when those solutions were designed, they were designed for something, a world that was different, a world that doesn't exist or at least is very different today. Mark Guntrip (04:00) And I'm not just talking about the remote and the hybrid piece, just about how work gets done. If you go back again, eight years ago, there were a lot of applications on your machine to do specific tasks. And now the vast majority of everything we do, including recording this podcast today, is done through the browser, whether that's collaboration, content creation, application access tools, document sharing, everything is to the browser. And that wasn't necessarily what the security solutions were designed to stop and to secure and to make safe. And so I think, as we look at why is security failing, I think it's really that we don't have enough visibility and control into what happens in the browser, because that's where everything is happening. And if you want to secure the workplace of today, you kind of need to start there. If you look at for any organisation on the planet. So I'm going to make a wild generalisation, but I believe it to be absolutely true that for every organisation on the planet, every device that connects into their network, whether remotely or in a building, whether they manage that device or not, it has a browser, it's everywhere, it's the most pervasive application anywhere you want to be. Mark Guntrip (05:23) And you can slice it whichever way you want, from your Chrome to your Safari to anything else, but it's really how work gets done. And I think the shift from application to browser is something that's been absolutely and fundamentally missed by security. But I think for me, the biggest thing, and I've been talking for a while, so I'm going to pause in a minute the biggest thing is about the attitude and the expectation of security teams, about whether they can win the fight against the attackers, whether they can win against those threat actors. And I talk at a lot of conferences around the world and I will often ask this question, not always, but if I ask this question in person, I get one answer. And if I ask it anonymously, I get a completely different answer. And that question is mr Cecil VP of Security. Ms VP of Security, do you think you will be the victim of a successful cyber attack in the next twelve months? If you ask that question in person, I can tell you from experience, it's a really crunchy question. You will not get much response from the audience. Mark Guntrip (06:36) It's going to be kind of crickets, it's going to be silence, and I'm not going to be the one that's going to put my hand up and say, yeah, I think I will be. But asking that same question through an anonymous survey, through a report, you get a very different answer. And there's a report out there of which Menlo Security is a part of a sponsor that has asked this same question for the last eight years, and it's gone from about a third going back eight years. That said, 33% said I will be the victim, and you come forward to 2022, and more than 76% of the people responding said, I am likely to be the victim of a successful cyber attack in the next twelve months. As three in four people said, my security isn't going to stand up, my security team isn't going to be able to match what they've got. And I think for me, that's the telling point of it's not just me being here saying, is security failing? Three and four companies are saying that I'm likely to fall prey to this. And looking at the landscape we're going up against in terms of the rise in volume of threats, cost, everything I've already mentioned, and the fact we're more spending more than ever on security. Mark Guntrip (07:57) I think that that's the telling point of is security failing or yes, because everybody from the practitioners to the support teams to the vendors, the security vendors, are all basically saying the same thing it's getting worse and we're spending more and we're getting less. So I think it's across the board that it's getting worse. And I think the final point that I'll make in terms of how bad it's getting and the failures is that obviously there's security teams, security technologies, there's SoC teams out there security analysts, and the cost of investigating of remediating threats of paying ransomware demands. If that is outpacing the cost of what you're spending on security technology as a whole, then that's a huge, huge problem, because you're fighting a losing battle. You're spending $100 to spend another $1,000 because the $100 didn't work. So it's everything, it's everywhere that we see. And I think we need to do something different if we're going to be successful. And if we keep on looking at things in the same way, then we're going to walk down the same path that we have been for the last 8910 years. Karissa (09:15) Well, this podcast is about you talking. I would be concerned if I was doing more of the talking than you are, so really appreciate that. I think that was a great analysis, especially that you said 76% know that they probably will fall victim of some type cyber security attack within the next twelve months. You mentioned something though, Mark, you said security teams are being conservative, give me an example. Mark Guntrip (09:37) Well, I think that as you look at people that have careers in cyber security, people maybe of my age, I'm not going to tell you my age, but I've been around a while you did something, you do it again, you do it again and do you know what happens? That becomes the habit. And you do it again and again and again. And you might make small Tweaks in terms of how you view security. You might take on additional projects or areas of concern or different ways of looking at things. But ultimately, I think that a lot of teams out there are seeing what they have and seeing how I can make Tweaks to this. How can I make it a bit better? And I think that's part of the problem. I think that if we're going to answer the rising tide I'll call it of ransomware and malware and everything else we kind of have to have a wholesale change of mindset in terms of how we go about it and I'm going to use a buzzword in terms of zero trust. It's everywhere, everybody has it, everybody's got one but I think it's the right idea. Mark Guntrip (10:41) I do think that that's the level of change that we need, that you know, what I used to do? I'm going to spin that thing around, turn it on its head and do it completely the other way around because if we do that then we stand a chance of winning and if we just stay on the same path at the same speed then we're going to lose this race. As we look at spending, if you spend more money on the same type of technology, maybe not exactly the same technology, maybe it evolves a bit, maybe it changes a bit. Maybe you take what you used to have in a box in your data centre and you put it up in the cloud. You can't really expect a different outcome if it's fundamentally the same thing. So as I look at the area where Menlo security sits, in terms of network security, in terms of web security, I think, realistically, the last time that there was an adoption of en masse, an adoption of new technology, was basically sandboxing, and that was more than a decade ago. So if that's the best thing that we've got to fight against the attackers coming in through these browserbased threats so if we're doing everything through the browser then that's what we care about. Mark Guntrip (11:50) We've basically given some very smart people with a lot of tools ten years to figure out how to get past our defences and so as going back to the first question you asked, it's almost inevitable in terms of what's going to happen and yes, things evolve over time in terms of the technology. But the constraints of that technology, the limitations of the technology, rarely change. So looking at Sandbox, there are still very fundamental limits in terms of file size. File type if something's password protected, that is just so easy for an attacker to try and get through, and then if they can get past the security decision. Then it gets to the business decision that says, well, if I have a large file that's too big for my sandbox, what do I do? Do I let it through or do I stop it? It has nothing to do with security. There's everything to do with does security want to be in the way of business? And I would hazard a guess that the answer is yes, I do want to let that file through because I don't want to impact anything in a negative way. Mark Guntrip (12:56) So I think it's almost looking at things in just the same light again and again and again and then wondering why things keep on getting worse when you keep on doing the same thing again and again and again. Karissa (13:08) Yeah, that is very interesting, everything that you said. One of the things that I really want to maybe talk to you a little bit more about, though, is you said that every couple of years we were doing renewals. We're just going to do the same thing. Do you think that sort of stems from just being human beings? Like we're creatures of habit? And I hate to say it because everyone knows that that's a thing, but do you think there's just a little bit of that in there and it's a lot easier? Right? You don't have to use cognitive ability to think about something. I'm not saying that that's what people should be doing. I'm just saying that maybe as I'm looking at the human being aspect, that's probably why people keep doing the same thing all the time easier. They've got so many other things on their mind, they're like, okay, we'll just keep doing this. Maybe it's not the best, maybe they're aware it's not the best decision, but it's just easier. And then maybe that's why there is that considered a bit of complacency in there. But you also then made a comment that there are people out there investing in more of the same type of security. Karissa (14:03) What is that type of security people are investing in? Mark Guntrip (14:05) I think we've had an overrotation in terms of the confidence that we have in detection technologies and detection and remediation. So I think whether that's a combination of many, many companies marketing this market segments being developed, I think it's probably a combination of a few things. But I do believe that what's happened over the last few years is that detection, rather than being a piece of the puzzle, has become the first layer of defence. And going back to the first question about why is security failing? If detection is the first thing you've got, then by definition, you're going to be in a worse place because something has to get in before I do something. And so it's almost a self fulfilling prophecy in terms of what's going on. So I do believe that, again, whether it's marketing, whether it's anything else, whether it's evolution of technology over time, this reliance on technology as the front door to stop these threats coming in is a big problem. And absolutely there is a place for detection and remediation. Absolutely. It just shouldn't be at the front of everything that an organisation should do. And I do, by the way, entirely agree that the easy button is a whole lot of an attraction to people when you've got all of this stuff going on right. Mark Guntrip (15:39) If I can renew the solution I've got, if I can move to something that's really similar but a little bit better, then that's an easy thing to do. And I think that the harder decisions come when you go, you know what, I'm going to change the structure of my security stack, I'm going to change how things happen. Maybe you have to communicate to the board why you're going to do things. You have to send emails out to all end users to say things are going to be a little bit different. Maybe you do, maybe you don't, but it's definitely not the easy path, as you said, so it's needed. But I think that if we look at why people are going with investing for the same I think you hit the nail on the head. If I think of what it needs to be, I think the detection and response market that's blown up, whether it's EDR, Mdrndr, XDR, pick a letter, put it in front of Dr, there's one of those for you. It's the same sort of outcome everywhere, no matter where you put it. It needs to get in before I fix it. Mark Guntrip (16:52) And I think that's the bit going back to my point about zero trust, that if we maybe don't rely on that as the tip of the spear of everything we're doing, but maybe it's a layer further down, then it can offer huge benefits. But we have to have something a little stronger at the top so that we can then make it easier for all the technologies further down in the stack that are sitting behind that layer of, hopefully, threat prevention in there. Karissa (17:20) Yeah, okay. So there's a lot of things in there which is really interesting to me. One of the things I want to focus on is, yeah, you are right. Especially when you're changing technology, depending on the size of the organisation as well. I've worked in big firms before and you've got 50, 60,000 people, you got to change something. It's a big process. And then when something changes, you get all these emails and change managers saying, oh, we've got to use this new system now. And everyone's like oh, but I just learnt the last system and I couldn't be bothered. And then everyone starts complaining, right? So I think that potentially when people are looking to do things differently, like oh, we don't want to disrupt how people are working, right? We lose time, not as productive. People are frustrated, they complain. So there's that element. I know it sounds trivial, but it is part of the decision because all these little things lead into making an overall larger decision to maybe stay with the current provider because it's a bit easier or potentially move. So I think that even going back to when they put new changes in or new tech and you have to learn a whole new vendor comes in, you have to learn a whole new like their platform, how it works, when there's an issue, who do you have to go to, all of that type of stuff. Karissa (18:24) If you're dealing with so many different systems and platforms, it can be quite overwhelming. So I definitely have empathy on that end of things. But then I also then see it from gets bit into the complacency side. So how would you approach someone finding an equilibrium? Yes, we don't want to frustrate people, we're losing productivity and people complaining, but if we do too much of that we're going to get complacent. But then of course, when we are trying to be, quote unquote, movers and shakers and do things differently and make us more secure as organisations, how do you manage that where you're getting the best of both worlds? And is there a possibility of getting best of both worlds? Mark Guntrip (19:00) First of all, I want to meet the security team that wants to be movers and shakers because those guys are cool, I like them, but I think that the point you make is critical. Right? I think that my view on security as a whole is that it should be invisible, it should be intangible, if you put in place whatever you have today, if you put in place something new but nothing changes, then as far as the end users are concerned, nothing has changed and so why would I do anything different? Why would I try and change what I do? And that could be performance, it could be application or website features and anything else that's in there. But I think I could be wrong. But I think this has come around or at least become more prominent since remote working and hybrid and everything else where security used to be. Okay, saying it's going to be this way and you kind of have to suck it up, but now the end users are going, well, but when I work at home, it's not like this, so maybe it shouldn't be like this. And the power has shifted a little bit. Mark Guntrip (20:14) So security vendors then have to respond to that and go, well, I want to give the security team everything they want. The visibility, the control, all of that stuff. But the end users can't feel this security layer that's being put around them at all, otherwise they might try and circumvent it. And if they do, then that's a bad thing. That's the opposite of what we want with security. So we just want them to kind of not feel it at all. And it's kind of the opposite of when you go through the airport. When you go through the airport, you want security to be felt. I want you to know you can't do this, you can do this. You take your shoes off, you take your laptop out, all of these things because I want you to know I'm checking you. But it's the complete opposite. And as you look at implementing security or choosing security solutions, it can be really easy for a security vendor to say, I've got a thing, whatever that thing is, right? You can decide what that is. But if that thing makes you use a different application or change how you access your resources or make things run slower, then that thing is irrelevant because every single end user is going to try and work around the controls that you put in place. Mark Guntrip (21:28) But if the security vendor can say, I can give you better security and you will have zero impact to your end users, then that's a win win situation because the end users don't even know there's anything there. They don't know what's going on. They just get on with their day. They go to their websites, they use their applications, they access their resources, whatever it might be. But the security team has everything that they need. So I think it's very much shifted in terms of the importance it isn't just that a solution has a feature, but it's how does that feature affect impact my end users and what are they going to have to do that's different? Because if you make them jump through hoops, then it's not going to end well basically for that solution and we'll need to do something else. And so as we kind of look at the security landscape, as it were, in terms of vendors, in terms of solutions, and obviously there's hundreds of thousands of them out there. I think the ones that will succeed in the end are the ones that offer the security team everything they need and have a minimal impact to end users for their experience, how they work, where they work, how they access their data and how they expect that to be realistically managed through their working day. Mark Guntrip (22:43) Whether it's on their managed device, unmanaged device, or the combination of both, don't. Karissa (22:48) You think every vendor is going to say, oh, it's easy, there'll be no stress on you, it's all done for you and you won't even notice? Like every vendor says that and I mean, there's a good reason for it. I understand that's not always the reality of what happens they may say that, but then the reality is, no, it's actually going to be more of a problem. It's really hard to implement or it's not plug and play, we can't just switch it on and that's it. Sometimes that's the case, but a lot of times it's not. When you're getting into something like a bank and you've got legacy systems, technical debt pretty complex. It's a bit different to like a company that's been born like a month ago, that they're all cloud it's all, everything SAS, it's a bit easier. But we know these larger organisations, maybe some of them are heavily regulated, they need to have things that are on Prem, because I don't know that's what the regulation says they need to do in terms of certain mastering certain amount of data or whatever it is. I feel like it gets really complex, though. Karissa (23:38) So talk to me about this. Mark Guntrip (23:40) Well, I think that brings to the forefront the need to actually do that proof of concept and not necessarily just say, you know what, I'm going to take 20 of my It team and put them through a solution, but actually take a chunk of people, real people, real end users, and figure out what it means to them. So I've worked for, without naming any, but many security companies with many great products and many awful products, and one company will have both. And I think that's the point here, is that just because you go with vendor A doesn't mean that vendor A's everything products are the right ones for you. So looking at whether it's the big ones, even whether it's the small ones, I would argue even the small ones, where the they're CloudFirst they're everything everywhere. Probably the end user expectations are even higher, probably much higher than they are in a large organisation. But you have to manage that balance between the two. As you look at kind of the market definitions with SSE, from Gartner and Sassy and everything else, I think that's maybe directionally correct. I personally have many issues with the SSE definition and how broad it is and the consolidation focus that's in there. Mark Guntrip (25:06) But I do believe that companies can consolidate their security vendors. I don't think they should or would do it to the level that Gartner suggests in SSE, but that consolidation from many to some, I think would help in terms of what they're trying to accomplish in today's financial environment. But it has to be more than just the RFP, it has to be more than just what they say they can do. Exactly to your point. Prove it to me. Show me what you can do. Show me how it works. Show me. Let me just ask my end users, what did you think? And if they say, I didn't even know anything was going on, then it's a winwin. But then also looking at the ability to maybe remove certain other pieces of technology, again, consolidation down to some rather than one. Because I do believe kind of going back jeez, many years ago, going back to UTM, the unified threat management, that if you take one thing and try and make it 20 things, you know what it's going to be. Really good at maybe two of them, and it's going to be okay at about four of them, and it's going to be awful at about the last ten. Mark Guntrip (26:17) But you know what? You got all one. And I think that's what we need to shy away from as we go through the economic downturn and still maintaining a focus on security, that compromise isn't the way to go. And compromise can be in terms of threats that get through. Compromise can be in terms of my end users complaining to me, compromise can be in terms of my end users are actually just going around my security and doing whatever they want anyway. And it was a pointless project in the first place. So I think there's a whole host of things in there. But I think you're perfectly correct in saying that end user experience has gone from a nice to have to an absolutely vital for many organisations that are out there. Karissa (27:01) You mentioned consolidation. Now, I want to get into that. I'm with you and I agree with you that people should be looking to do this. And I guess even if you're looking at a big organisation who sometimes they put off like lots of people, it may not even be in relation to economic downturn, may just be like, hey, we're doing more of a lean approach or we're looking at the structure of the business and we're reshaping it. And I guess they have to do. And it sounds bad because people lose their jobs or whatever it is. I understand that. But from a business perspective, you do need to do that every now and again, because if you've got a larger organisation, for example, and you've got people that are hiring and then they start hiring people, and then after so many years of being in that model, then people leave. You need to restructure things and it's the same way that you need to look at restructuring your security products, your solutions, and getting that consolidation. So on that note, how can people start to have this conversation? Where do you start? Mark Guntrip (27:51) Well, I think it comes down to priorities, number one, right? So if you're going to consolidate what's most important, what's middle of the road and what's least important, so that you can define where you're willing to make concessions if you need to. Again, going back to my earlier point, I don't believe in this environment that we're in, any company should be making concessions on their security posture, but it's still a thought process worth having. But then I kind of come back to my original point of the security that we have in place. What was it built to. Protect and where are we now? Where are the overlaps and where are the things that we've left behind and the things that we just don't need to touch anymore? Or in terms of looking at adjacent technologies, not necessarily overlapping, but just what problems don't I have anymore? Because I've implemented things in a different way to kind of give an example on that in terms of looking at ZTNA. So zero trust network access, it's a good thing. We all agree it's a good thing. It stops lateral movement, it's great good thing. But what it makes you do the vast majority of the time is take your private applications and make them a little bit public. Mark Guntrip (29:05) So you have to be able to connect to it externally, which means it has to have a resolvable address, it has to have an IP address. So now it's effectively a non publicised public application and that means you have to put a web application firewall in front of it, DDoS protection, a whole host of things. Again, we like ZTNA, that's great, but it has downfalls. So what if we can find a solution that allows me to keep my private applications private? Now, all the additional things that I thought I had to put in, like the web application firewall, the denial of service protection, I don't need that anymore. So just taking a net viewpoint of what's accepted or what's the norm and what's maybe on offer in terms of the market can help you look at your overall security stack and say, if I implement it in a slightly different way with a different vendor, I can actually save money, make changes, reduce vendors on a completely other side of my business. So I think there's a whole lot to think about and go through there. Obviously, depending on the size of an organisation, it will be, or that could be a massive, massive conversation. Mark Guntrip (30:25) But I think that's just kind of a simple example to think about how you can consolidate without going, you know what, I'm going to take all of these 15 security things, I'm just going to get them all from one vendor. And that's my view of consolidation. I think the earlier example is probably a lot more realistic in terms of maintaining security, in terms of saving money and vendor management and ongoing solution management and everything else, rather than trying to make compromises on some adjacent security markets or solutions that you have in place where you have to settle for not great in order to save money and kind of go through the whole streamlined process of purchasing. I would put security posture ahead of purchase simplicity any day of the week. Karissa (31:14) That was, that was excellent. I really appreciate you sharing that in detail. So a couple of things were coming up in my mind as you were speaking and I think it's super rare nowadays for any organisation to go, oh, okay, we're going to cut 15 vendors off, it's going to be one, like, maybe like 1015 years ago. But back then, like, there wasn't as many things that people were covering as they are now. And I think now, much to your point, Mark, people have got specialisation in doing the one thing, so you want to get one company that's a ten at doing that one thing and then find the other tens doing the other things. And I totally understand you don't have too many. It can be difficult. There has to be that balance. I rarely see people nowadays outsourcing just to one company and say, yeah, run everything, whether that's a managed security solution model, but then also just like one vendor doing everything, like you mentioned before, they may be good at two things, but then the other eight, like middle of the road and then the rest of them not good at all. Mark Guntrip (32:06) Yeah, exactly. And I think, again, going back, I don't want to pick on Gartner, but the Gartner definition of SSE is massively, massively, broad. It incorporates markets that are multiple billion dollars each into one thing. And so I think there's a danger to considering security through only that lens. For many organisations, that might work flawlessly, but I think for many others, it absolutely will not. In terms of figuring out what the approach is, what the right compromise, the right level of number of vendors that are in there. It's going to come down to an individual organisation, but there's certainly enough specialisation and in depth requirements within, whether it's securing SaaS applications, how SAS applications talk to each other, versus malware prevention coming in compared to Shadow. It that the Gartner has rolled into this SSE definition that is just above and beyond what any single organisation could offer at an excellent level across all of that. So I think it's a good exercise, it's the right approach. I think it's maybe a bridge too far for many who are trying to maintain that security posture whilst consolidating and saving money. Karissa (33:33) So you mentioned before, looking at your security stack internally now, obviously that takes time to do. It's not an easy task, be quite convoluted and quite indepth, quite arduous. So how often would you say, should people be analysing this? Like once a year? Because then I guess the other side of that is you need to have time to do it, and everyone's always complaining that they don't have any time. How do you manage that? Mark Guntrip (33:58) Well, I think that one will come down to an individual decision as well. From my experience, the catalyst to that will be that there's a problem. That problem could be a breach, it could be an increase in threats, it could be something that's trigger conversation around that. But I think beyond that, in terms of an incident causing the decision process to kick off, I think rather than putting it at a specific time cadence of how often you should look at it, you should look at why you put something in place. So if you put in place a security solution to protect a particular group of users or type of application or something, is that still relevant? Are you still using it? Is that still important to the business? And if the answer is yes, then great, just keep going. And maybe you look around, that becomes one of your areas of focus. And as you look at consolidation down to some, maybe you look at maybe some of the adjacent markets around that or the adjacent technologies and see if you can collapse something down to that. But if the answer is no, or I don't know, then maybe that's the point where you go, okay, we need to reevaluate what's going on, how we do it, how we've implemented it, what the problem is that we need to solve now. Mark Guntrip (35:17) But exactly to your point that this is not, let's meet for an hour and figure this out. This is probably part of a broader discussion that you need to have. If it involves budget, if it involves communication to the board, if it involves security teams and deployment and implementation and end users, obviously that's never going to be a small consideration, but I certainly wouldn't put it down to you should do this every six months or a year. It should be when you evaluate or when your work environment changes sufficiently, that the reason you put something in place doesn't exist anymore or is lessened in terms of importance, that's when you need to go in and go, okay, let's refigure out how this needs to work for now and for the next three, four, five years going forward. Karissa (36:06) So basically what you're saying, Mark, is no one's routinely doing this in terms of auditing their security stack and looking at how they can do things differently, whether that's getting different vendors in or consolidation towards certain vendors. And then maybe the only reason or impetus that people are doing this is because there was a breach or something significant happened. Is that right? Mark Guntrip (36:24) Yeah. Or if there's been a significant shift in the business. So it might not come down to the breach or something else that's going on, but to use the coverage situation as the example, if I have put in place all of my security to protect people in this building, and the people aren't in this building anymore, then that security is irrelevant. And that absolutely did happen when everybody went home or worked remotely, hybrid, whatever the mix might have been, that you were protecting things that nobody used anymore. And their security policies were there, and the barriers were there, and everything was there. The visibility was there, and nobody touched it because VPN broke and we needed to do something different. ZTNA, as we mentioned earlier, was great for lateral movement, not great for visibility. So that's the point where you go, this is a waste of money. We need to do it differently. We need to rethink it. So I think some of them will be as obvious as that. Hopefully touch wood. Not that obvious in the near future that we need to go through anything like that again. But I think there's the I'll say the red flags about why we did something, and a lot of it will come down to the metrics of how you measure success. Mark Guntrip (37:39) If you spent a million dollars to put in place a piece of security solution and nobody went through it, when you come back to look at your metrics of what did we do? What was our return on investment? What did we stop? How much did we save? And the answer is nobody touched it, then that's going to be your telltale sign that says, okay, this is something that either we don't need anymore or we need to do something that's different. Karissa (38:06) So what's the future look like from your perspective, Mark? Like, what can we sort of expect to see? And I mean, this is a hard one, and I understand that you don't have a crystal ball or you're not nostradamus, but I'm just sort of trying to get a gauge from you as you sit across multiple different companies, multiple different verticals. So I'm just keen to hear your thoughts. Mark Guntrip (38:24) That just means that you can't see the crystal ball that I have in front of me. Karissa (38:28) Sorry, I lost. Mark Guntrip (38:30) My desk is adorned. No, I'm just kidding. If you look forward, honestly, with the way things are going with the financial environment, with the threat environment, I think the one thing that is for sure is that things are going to change over the next year or the next years, potentially with budgets, potentially with threat volume type, complexity, all of that stuff. But I do think for the first time in my career, this is the first time where there's been a financial downturn and security isn't the thing that's most impacted by that. So I do think there's a realisation that even though I might have less money, less budget to spend, I'm in an environment where I cannot compromise or lessen my security posture. I need to prioritise that. So I think that's a positive. We've already spoken about consolidation. I do think that there will be consolidation, but again, as we spoke about probably from many to some rather than down to just a handful, because I do believe that over consolidation is going to be very bad for security posture for making exceptions and compromises in terms of what we do great, what we don't do great, and what we kind of have to live with. Mark Guntrip (39:51) So I think there's a decision to make there. But ultimately, I think it will come down to two things. I think it'll come down to the vendors and the security solutions out there that can prove the value that they bring if they can show in real world terms. Again, going back to my point of not just the 1015 people in it, but over a subset of users or even maybe over the whole company if it's already been purchased, what did you do? What exposure did you did you reduce or eliminate? How did you help me save money? How did you help me save time? How did you make my whole life easier? Those vendors as we go through that consolidation curve will be the ones that will survive. Those will be the ones from director to VP to CISO, CISO to the board can actually show the value that they brought for the investment that was put in them. So I think that's, number one, it's going to come down to proof, it's going to come down to metrics. I think number two, in terms of going back to the earlier points about not doing the same thing and expecting a different outcome, I do think there'll be an increase in interest and adoption in more innovative technology. Mark Guntrip (41:06) So from the menlo perspective, looking at that with isolation powered technology and security and how we can actually do things in a preventative way, rather than relying on detection and putting that prevention at the tip of the spear, but also looking at things like micro segmentation, looking at things like deception technology so that we can really just kind of try and change the game for the attacker. I think it's been a whole easier than it should have been. Maybe massively, massively too easy for the attackers because the security technology and community really hasn't kept pace, has done more or less the same thing over time again and again. But if we can give those threat actors something they weren't expecting, give them deception so that they think they're doing something, but they're wasting them, they're entirely wasting their time. Micro segmentation so they can't move laterally, isolation powered security so they don't even know that the end user behind this whole session exists. They believe that they're attacking an end user where in reality they're not. They're just attacking a virtual browser. That's when we'll start to see the change in the security landscape into the playing field and try and even it out a little bit so that maybe the security team can go from 76% believing they're going to fail, to hopefully the majority of companies believe that they're going to succeed. Mark Guntrip (42:35) I think that will be the barometer and it'll be many years from now by the time we go through all these surveys to figure out we're going in the right direction. But I think that will be the point where confidence starts to get returned and the security team is again fighting a fair fight against the threat actors out there and that they're not fighting a losing battle. Karissa (42:55) Well, as the saying goes, a time will tell. I think that those are very tangible insights for the audience to take away, to start thinking about, start considering and maybe things that they can start to work towards for 2023. So thank you so much, Mark, for your time, for your insights, and thank you again, also for you're, quite in depth, everything that you explained. And I genuinely appreciate that on my show because really I'm here to serve the audience at the end of the day and I think you did exactly that. So I really appreciate it. Mark Guntrip (43:25) Thank you. It's been a pleasure to be here. Karissa (43:27) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercksec, the specialists in security search and recruitment solutions. Visit mercsec.com to connect today.If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI Digital.This podcast was brought to you by KBI Media, the voice of Cyber.