The Voice of Cyber®

KBKAST
Episode 172: Richard Stiennon
First Aired: March 30, 2023

Richard Stiennon is Chief Research Analyst for IT-Harvest, the firm he founded in 2005 to cover the 3,051+ vendors that make up the IT security industry. He has presented on the topic of cybersecurity in 31 countries on six continents. He was a lecturer at Charles Sturt University in Australia. He is the author of Surviving Cyberwar (Government Institutes, 2010) and the Washington Post best seller There Will Be Cyberwar. Stiennon was Chief Strategy Officer for Blancco Technology Group, the Chief Marketing Officer for Fortinet, Inc. and VP Threat Research at Webroot Software. Prior to that he was VP Research at Gartner. He has a B.S. in Aerospace Engineering and an MA in War in the Modern World from King's College, London. His latest book, Security Yearbook 2022, was released in June 2022.


Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Karissa (00:00) Hey, everyone, it's KB. Thank you for being an active listener on the show. And thanks to you, we've been downloaded in 63 countries. If you haven't already, please ensure that you follow and subscribe to the show for the latest updates. Now, time to get to the interview. Richard Stiennon (00:18) So the CISOs got to take advantage of that and educate them about our language, teach them to understand our language. And just like the first time you go to a board meeting, you're just like, What are these people talking about? You turn it around on them and take the high ground and let them raise their hand and say, What's a targeted attack? What's ransomware? They should know this stuff. And it's the CISO's job to educate them about what they're talking about and the threat it poses. Introduction (00:54) You're listening to KBkast, the cyber security podcast for all executives, cutting through the jargon and hype to understand the landscape where risk and technology meet. Now, here's your host, Karissa Breen. Karissa (01:09) Joining me today is Richard Stiennon, chief research analyst from IT Harvest. And today, we're discussing Richard's insights on the cyber security industry as he sees it. So, Richard, thank you so much for joining. Richard Stiennon (01:22) Thank you for having me, Karissa. Karissa (01:25) Now, Richard, I really want to start with a little bit about you, your history. You've got quite a long history in the industry. So talk me through what you've seen in your years of analyzing this space. I'm really interested to know. Richard Stiennon (01:38) When I started at Gartner, my fellow analysts, who was the first industry analyst to cover security at Gartner, John Pescatore, told me, The great thing about our industry is it's never the next big thing, but it's always part of the next big thing. So while that's true, security is always part of the next big thing, think cloud and IoT, etc. 
Shortly after he said that, security became the next big thing in and of itself. And the industry, which was valued at maybe two billion back in 2000, is now estimated over $300 billion. I've watched some old themes constantly come back. But the one thing this industry has that's different from every sector of technology is an outside driver, which is the threat actors. So not only are all the vendors in the space competing with each other to improve their feeds and speeds, usability, competing on costs like in any technology industry. There's a whole another group of people that we don't know very well unless they're arrested and prosecuted by various law enforcement agencies. Those people, the threat actors, are constantly trying to subvert all the security. So they're being innovative, inventive, entrepreneurial, and creating new business models all to steal money, information. Richard Stiennon (03:14) And in the case of espionage and information warfare, to actually subvert elections and sovereignty of various countries. So that whole spread keeps growing. And the hardest thing is to predict what those bad actors are going to do because they've got their own market for the things they're doing. But you watch the two sides of it and you know that the security industry will always be here and will always be growing. Karissa (03:44) So you mentioned before old themes. What are some of the old themes that you see coming back? Richard Stiennon (03:48) A couple in the identity space. First of all, the new password list that's been pretty new, I guess, term coined. And when you dig into it, it's not password list at all. It's just that the password is a digital certificate that's written and then digitally signed and encrypted, etc. And lodged on your device, often in the web browser on your device. That is what we used to call client side certificates, which was a very common way to make sure that the connection between two parties was secure and encrypted. 
But it required somebody's client to have the digital keys. And today that's what password list is. What's changed is that all the devices have secure enclaves in silicon, sometimes a separate chip like a trusted platform module, but now just embedded in every modern Intel chip. And that's a special enclave within the silicon that hasn't been shown to be vulnerable to being hacked into. I don't say it's unhackable, who knows? And now the companies are coming to the floor that are saying, you know what? When you enroll somebody, you just have them answer a bunch of questions, use whatever fingerprint or face recognition on their device. Richard Stiennon (05:15) And now we've mapped that device to that person, to their account credentials, and we're done. Every time they use that device, they're automatically in. There's no friction to getting online and no passwords to remember. Karissa (05:30) Got you. Okay, that totally makes sense. So going back to terms that are coined, now there's a lot of them, as you would know, whether it's passwordless, it's zero trust, it's artificial intelligence, machine learning, whatever else. Do you think from your experience, people get a bit fatigued as soon as someone says, Oh, it's passwordless, for example, do people eyes glaze over? Because it's like, I've heard this now 50 times. What's your insight? Richard Stiennon (05:54) They do for some. Passwordless is a good example, and certainly artificial intelligence and machine learning in learning because everybody that has an algorithm claims that. And I know my eyes glaze over and I stop listening unless you start showing me the actual supervised learning model you use or unsupervised learning model, which nobody does. All they do is just make a claim. And all they're talking about is automation. And the same thing we heard 22 years ago with busy A curve fitting, it's all the same stuff. So that's another one. Zero Trust, certainly another one. 
People's eyes glaze over when you talk about that because the big analyst firms, Gartner in particular, but Zero Trust is a forester term, come up with these overarching concepts and put them out there. People like it. The vendors adopt it immediately because it gives them some fresh approach. And so everybody jumps on board. I did a survey of 3,000 vendors we track and 228 of them put Zero Trust front and center on their home pages. It keeps coming up. Gartner will occasionally do completely stupid things with their new categorizations. We've got a major bucket. As a matter of fact, in terms of number of vendors, the largest bucket is governance risk and compliance vendors. Richard Stiennon (07:29) Grc has been around before the Internet. And Gartner came in and said, No, we're going to call it integrated risk management. So it's IRM, which the people have been around for a while. Irm means information rights management. It's totally different than integrated risk management. So now you've got companies that are GRC vendors that have to say their IRM on their website. And it's unfortunate because there's no VP of IRM at a company. There's a VP of privacy and VP of compliance, and they're looking for GRC. That's what they got their certifications in. So it's a disservice to the vendors to immediately jump on the bandwagon just so they can be included in a new Gartner Magic quarter. The other one like that that gets under my skin is there's this industry of, I think I count 98 or so vendors that do threat intelligence. And everybody knows what that is, right? You're gathering data from open source or the Dark Web, and you're feeding it to customers so that they can use it in their various tools. Gartner came by and they said, No, we're going to call that digital risk protection. So if you're going to come up with a three letter acronym, at least it should mean something. 
Richard Stiennon (08:55) But digital is totally redundant because nobody in cybersecurity is talking about analogue stuff except people in information warfare, which is all about radar and radio signals. And nobody can define risk anyways. So why have that? And at the end of the day, grammatically, we don't want to protect our risks. You want to emuliate them. You want to reduce your risk. So digital risk reduction would even be better. Karissa (09:28) Yeah, that is interesting. Okay, so you mentioned something before, 228 vendors said they do zero trust. Now, I don't know whether it was you or someone else a few years ago came out with a report on companies that claimed they did machine learning, but in fact, it was like not many at all. So those 228, are they in reality doing zero trust or is this a claim? Richard Stiennon (09:49) Yeah, it's just a claim. They fit into zero trust, which is actually an architecture or way of thinking about security. But it's usually because they're identity vendors. And zero trust is all about finding your digital identity to a real person that's properly enrolled, and then often binding it to the devices they use, and then cutting out the network so that the application on the other side that somebody's logging into doesn't care that they're on the corporate network or dial in from home. You don't have to trust them just because they happen to be on the corporate network. That's the zero trust part of it. Yeah. So it's I think since you're not shopping for a zero trust product, you still go ahead and shop for an identity product, an authentication product, directory services product. You're still looking for all the old products, but you may have just changed your approach. We're going to make everybody log in with systems where we can monitor their access and use the identity as a primary control instead of what network segment they're on. Yeah. Karissa (11:15) That makes total sense. So you mentioned before bandwagon. 
Now, what frustrates you about some of the bandwagons that you've seen in your time? I'm just curious to know and hear your thoughts. Richard Stiennon (11:28) Oh, boy. Struck a nerve there. Karissa (11:30) Anything you'd like to share? Richard Stiennon (11:32) Yeah. So there are many somewhat of an icono class, right? So if everybody's saying something, then it's just part of me says I've got to take the other approach. So I hate several things. The constant claim that the user is the weakest link in the front line. And because the solutions provided for that are security awareness training. I think security awareness training is useless. Even the very best phishing simulation provider claims 98 % effectiveness. Well, if you're only 98 % effective, that means if I'm a phisher, I have to send 50 emails to get one person to click on something. That costs them zero to send 50 emails, and they're going to get through. Another one on the other end on the CISO side is this constant telling CISOs that they have to learn to speak the business language. They have to stop talking bits and bites. And when they go to the board meetings, they've got to use the CFO's language. And I think that's totally wrong. They should never do that. It means that they have to go into a meeting and show charts about risk, which you already know. I think the risk measurements and those risk claims are totally false. Richard Stiennon (13:03) You do not know what the attacker wants, so you can't look at all of your assets and decide which one is the most valuable asset. It might be valuable to you because you use it every day. But the attackers after maybe your least ranked or scored asset because that gives them a foothold and then they get to the crown jewels. If you speak the CFO's language, they immediately go, oh, okay, so the highest risk is from ransomware attackers. Okay, let's buy some cyber insurance against ransomware. 
Because they think it's the same as a risk of a commodity price going up or the risk of a supplier getting flooded and not being able to give you the equipment you need, and that they can defer that risk and reduce that risk with insurance or other measures. And it's just a false start altogether. Karissa (14:03) Interesting. Okay, so why does that frustrate you so much? Because I do see your point, but I do see the other side of it as well. I think when people say you've got to speak the CFO's language, it comes from a point of trying to find common ground because CFO is not going to necessarily understand security at the minute level. So I think there's a bit of that in there. But I'm just trying to understand your point and where you're coming from. And then I guess as a follow up, how would you recommend people go to the board? Because this is the biggest, well, one of the biggest challenges people have when it comes to the communication side of things. Richard Stiennon (14:38) Yeah. So the frustration comes from the fact that we've been... Don Rumsfield, the US Secretary of State, between his stints as Secretary of Defense, between his stints at heading up the military, worked in industry and insurance, particularly. So when he comes back in, he was all talking risk. And he started getting the government to talk about risk. All of a sudden, all of NIST, which is our National Institute of Standards and Testing, started to produce frameworks and guidance based on risk management principles. So it's totally permeated. We've been doing it for 22 years and nothing changes. We still succumb to targeted attacks. So maybe that means we should do something else, like fight the attacks. And I like to use military and government examples. You think of the leader of your country getting an intelligence briefing every morning. 
I guarantee you, the intelligence agencies are sitting in the office telling them about the various risk profiles of their assets deployed around the world. The US has 238 military bases, and those probably never come up in the security briefing that the President of the United States gets. The intelligence community gathers intelligence, and the briefings will say, You know what? Richard Stiennon (16:13) Al Qaida in Western Africa is starting to move here, and we're picking up chatter that they're targeting printer cartridges put on airplanes to blow up. Those are direct threats. They're not risks. So that's just the metaphor I use to understand the difference between threats and risk. And in your own home, yes, there's a risk that somebody's going to break in at any time. You've got a risk. And so you could invest a lot of money to reduce that risk. You could get bars on your windows and alarm systems and automatic lights turn on and a guard dog in your yard, which nobody does just because the risk exists. But they do do when the threat exists, right? When your neighbor gets broken into, then you start upping your security. When the police tell you there's an armed person running around on the street, I'm talking about US here, that's going to lock the door and don't open the door. Oh, my gosh. Yeah. So that's that perspective. Now, how should the CISO communicate to the board? Do it the way that I hear security people talking at conferences. It's fantastic. They can get into the nuts and bolts of a particular type of attack and make it fascinating because it is fascinating. Richard Stiennon (17:45) It's amazing stories. And I came to this realization when I talked to the CISO of Lockheed Martin, and she would meet with the executive team every week, and she would have one chart, and it was lined up based on the cyber kill chain. At the time, nowadays, people would use the M ITRE attack framework. 
But the cyber kill chain starts with reconnaissance and initial access or weaponization, then initial access and moving across your network and finally exfiltration. They would track attacking teams working against them. They had 30 people working day and night to monitor activity on their network and their endpoints, and they would identify the signs of an attack ongoing. They would usually be able to identify that this team is using this set of tools, and they usually operate between nine AM and five PM, Beijing time. And we're going to call it something. They just label it cheesy fingers. It's one of the teams they use. And she goes in to the executive board meeting and she just shows a chart of that team that they've been watching for weeks and how far they've gotten into the network based on the cyber kill chain. Richard Stiennon (19:12) That plays to the emotions of the executives, and it works for the boards as well. Because we all like to think that the board of directors of a big company are carefully thinking through and balancing decisions, et cetera. And yet every single day, we see them doing bizarre acquisitions that make no sense. We see them making financial moves that also make no sense. And it's because they, like every other human on the planet, is driven by emotion. And somebody at Semantic in the old days might see that, Hey, McVeigh just acquired a two factor authentication company, so we need to acquire a two factor authentication company. Who's the best one? They just buy that one because they're working from... They shoot from the hip. They are motivated by competitive and defensive nature. So the CISOs got to take advantage of that and educate them about our language, teach them to understand our language. And just like the first time you go to a board meeting, you're just like, What are these people talking about? Internal rate of return and all these their own lingo. 
You turn it around on them and take the high ground and let them raise their hand and say, What's a targeted attack? Richard Stiennon (20:38) What's ransomware? They should know this stuff. And it's a CISO's job to educate them about what they're talking about and the threat it poses. Karissa (20:48) Got you. Okay. Yeah, that makes so much more sense. So what I was hearing as you were speaking, Richard, is when you go to a doctor and they're like, Hey, you've got this disease. And you're like, Well, what's that? You don't just go, Oh, okay. And then you walk out. They then explain to you what it means. Richard Stiennon (21:04) This. Karissa (21:04) Is what it means. Richard Stiennon (21:06) That's great. Yeah. So I. Karissa (21:08) Think it's probably more so the CFO, for example, being inquisitive on the other end, not just dismissing it and being like, Oh, okay. Well, that's your area, Mr. Seizow. Mr. Seizow. So I think that has to be reciprocal on both ends. So I think that's a better way of. Richard Stiennon (21:24) Approaching it. Karissa (21:25) If your. Richard Stiennon (21:25) Doctor tells you you're at risk of becoming diabetic because you're overweight, you don't listen to them, right? But if they say, Hey, your liver is failing because you drink too much, then you do something about it. Karissa (21:44) Correct. And then they'll use terminology that you as a person wouldn't understand. So you ask them. Richard Stiennon (21:49) Totally. Karissa (21:50) Got you. Okay, that makes sense. Or you take. Richard Stiennon (21:51) Notes and look it up when you get home. Karissa (21:55) True. Okay. Now, I want to explore with you some recent insights, maybe you can share with that audience that you've seen recently, last few months or last six months or even last 12 months. I'm really keen to hear your thoughts. Richard Stiennon (22:12) All right. Okay. 
So in the last 12 months, I built and launched a platform that's so much better than my spreadsheets that I've kept for 17 years in the industry. And it takes a lot of work, about 4,000 hours of work to do this. You have to look at every single participant and figure out what they do and then track them month to month. Are they growing? Are they shrinking? Are they taking investment? Are they changing those CEO out? Whatever, you track all that. But once you've categorized them, then you look at the category as a whole. And I break the industry down into 17 categories that's aligned with the classic defense in depth model. So you got network on the outside, you got endpoint on the inside, you've got identity. All these fit into this model easily. It's very understandable. Nobody can argue with it, I guess. And once you've done that, then you say, Okay, of these 17 sectors, which one grew in headcount the most last quarter? And this insight just jumps out at you because you put it on a little bar graph and API security is growing twice as fast as any other sector. Richard Stiennon (23:30) Now it's a small sector, right? It only employs a total of 2,000 people, but it's growing at that compounded annual rate. Grew 60 % last year. And so you look at that, the other thing is, okay, who's shrinking the most? And oddly, fraud prevention is growing one or two % a year, which is abysmal. And that tells me, maybe everybody's got a fraud... All the e-commerce sites and banks have fraud prevention solutions, finally. You have to or you'd be losing so much money that you'd go out of business. And it's gotten the fraud levels down to manageable levels. So the fraud prevention industry is only growing at 2 %. An area that I'm not happy about because I think that deception is awesome. It's just such a cool thing. And deception is this idea that you put breadcrumbs all over your network and you lead an attacker, once they're in your network, to a honey pot. 
And then they detonate their malware in the honey pot, and you get to see how they act. And every single alert from that honey pot is an alert of a real attacker. So you can watch what they do. Richard Stiennon (24:56) And if they've done that and successfully compromised your standard image of a Windows machine, wow, you better go make sure your Windows machines can defend against that in the future if they find out that there's another path into your network. So the deception space is only out of those 17 categories. It's the only one that's shrinking so far this year, down a couple % in total headcount. Karissa (25:24) Wow. Okay, so 17 years of spreadsheets. You are right. I'm glad that you've now transformed that into a platform, which I've seen. I think it's great. I know that you released lots of insights on your LinkedIn. So I think it's valuable for people. And because you're obviously tracking it with... It's not anecdotal. It's actually driven by a science and a math, so I appreciate that. You've got a lot of engagement online, so people obviously appreciate it as well. Then with those insights, what would you say is missing then in the cybersecurity arena at the moment? Richard Stiennon (25:56) We do not have a solution to the Solar Winds problem. If you think about it, Solar Winds was probably one of the most successful nation state campaigns to infiltrate organizations. So the solar winds software update was compromised with a backdoor. The software was encrypted, digitally signed, and sent from the correct server to the servers at 18,000 of their customers, and they installed the updates, which immediately gave the attackers the SRV in Russia, so their spy agency, access to those systems. Devastating. Just an awful, awful result. Kudos to them because that's a very sophisticated attack. But it's not the first time that software updates have been compromised. So there's probably about five examples, I think. 
But the most important is not Petia, the most damaging attack in our history so far, where the Russian GRU sand worm team infiltrated a little tiny software company in Ukraine that provided the equivalent of QuickBooks to all their customers. So they targeted a Ukrainian software company with a big Ukrainian footprint. This was obviously meant to damage Ukraine. Of course, it's spilled over into all of Europe and some around the world to some extent, and compromised the update with malware using malware developed by the NSA. Richard Stiennon (27:39) And that was distributed to all the customers. And it just blew up within hours. You had TNT, big shipping provider, logistics company, Mirsk, the shipping company. And in total, billions of dollars was lost from that one attack. So the worst methodology of an attack, and there's no defense against it, because the defense would be to somehow have a way to check a software update to see if it was malicious. I don't have the answer. I'm not sure how you do that. You could reverse engineer it, maybe, and just look at the changed stuff, assuming the previous version was okay. But whatever it is, it's going to be complicated, but everybody needs it to be assured that their updates are secure. Instead, the industry is doubling down on shift left, which is, hey, Solar Winds, you just have to do a better job of security so that an attacker can't get on a developer's laptop and compromise their software. Great. Fine. Solar Winds definitely used to be better at security, and that shouldn't happen to you. Go ahead and do it. Well, that's Solar Winds. There are millions of software providers, and we can't change the world by just berating them that they're not secure enough. Richard Stiennon (29:10) You're not going to get millions of software developers to change the way they develop software. So we're shouting into the wind once again. 
Here in the United States, CISA and NIST have created frameworks and constantly tell people, got to get better at this. And it's just not going to do anything. It gives them something to talk about. They sound smart when they're talking about it, but it's not going to work. Karissa (29:41) Yeah. Okay. I've actually interviewed someone from Solowinds, and most of the interview was about their breach. So the day that we're speaking today, it hasn't been published, so it should come out soon. It was quite some interesting insights. Richard Stiennon (29:55) I hate that because I'm writing a book. Karissa (29:58) Perfect. Okay, I'll definitely send it to you. It'll be out there in the wild soon. The other thing is, does someone then have an answer? So you're saying people are just shouting into the wind, no one's really like... Maybe they're not looking at the problem the right way. So do you think that someone's working on it out there, or who knows? Richard Stiennon (30:14) I'm sure somebody's working on it. I expected to start getting briefings by now from Israeli startups that had solved it or have a solution for it. I haven't heard it yet. Obviously, I don't talk to everybody, but I want to start hearing about these solutions because that'll be a very big company. Maybe somebody in Australia should do it. Karissa (30:39) Maybe. People forget about us down here. Yeah, there are. Richard Stiennon (30:43) 54 vendors in Australia, and they should... One of them could figure this out easily. Karissa (30:50) Well, for people listening, if you want a business idea, there's one to get you started. Maybe speak to Richard about some of his insights. Okay, so I want to talk about vendors now. Now, people often say whether it's the United States or Australia, there's just too many vendors, there's just so many of them. But you think otherwise. Now, talk to me about this and then how many vendors are there exactly from your perspective as of today? 
Richard Stiennon (31:16) As of today, there are 3, 170, and that's worldwide. I know I haven't captured them all because we had about 10 a day, but I suspect it's going to slow down. So probably 4,000 is the top number. But it will exceed that over years because the space keeps growing. And with the explosion in technology, that just creates new need for new type of vendors. So right now, we're seeing IoT security vendors do extremely well because we're trying to fix the billions of IoT devices that are that have been deployed. The cloud probably is responsible for introducing the most vendors because everything you had in the past has to be replicated in the cloud. And the cloud is actually easier to do that with, right? It's all virtual and it's all discoverable. It's somewhat standardized, at least within the same infrastructure as a service provider. And that's just going to keep going. A lot of people are talking about the metaverse and the security problems that will evolve there. So sure enough, there'll be things to secure the metaverse going forward, and that's going to continue forever. When you think about... First of all, when Edward Snowden revealed the extent of the surveillance state that the NSA had created, that created a distrust of US companies. Richard Stiennon (33:00) Because at the time, Yahoo and Apple and Google and all of those vendors were in the documents that Edward Snowden leaked, and they were assisting the NSA to do this collection. So if you're in a very privacy conscious world like anybody in the EU, you're going to be just totally shocked and not want to have your data reside on a US company's servers, regardless of where they're located. And for that matter, the US is contributing to what I call digital Mercantilism by pushing back on Chinese vendors of technology products. They make these spurious claims that Huawei gear is spying on stuff. 
And that's a two edged sword because people in Europe are going to go, Yeah, what about Cisco gear? I'm sure there's some former NSA person on Cisco staff or board or et cetera. So I'm not going to trust Cisco gear either. I want a European produced security product replace all my checkpoint or all my Cisco or all my Fortinet, et cetera. And that's led to a splintering of our industry so that there are local vendors of every single one of those 17 categories and 660 subcategories. So for a country to feel like they're not beholden to the US or some other major country, they have to have their own native security solutions. Richard Stiennon (34:43) But now we track security solutions coming from 70 countries today. But if there's 600 in each one, that's 4,200 vendors that will probably exist someday. Everything is just conspiring to make more vendors, not fewer. Now, the one thing that I'll push back on, because maybe because personally, I suffered from this back when I was younger, I worked at a company that sold Sun Microsystems servers. And back then, I just countered all the time the push back, No, we're standardizing on Windows NT because I can buy 10 Windows NT machines for the cost of one sun micro systems machine, and I can hire somebody out of high school to manage them because it's all a graphical interface. And so this concept that we're going to rationalize our supplier base and focus on one only plays into the hands of the established biggest vendor and they support it. So Cisco will be the first to tell you get all your stuff from Cisco. And of course, Microsoft's been that way. And IBM used to hold that seat. And that dynamic is always going to go on. And really big companies want to rationalize their supply base because it gives them more negotiating power. Richard Stiennon (36:11) But they're always compromised because the opposite argument is to buy best of breed, which I'm a big believer in, right? 
You should have the best security product for each function. And if you say, Well, yeah, but if we buy it from Fortinet, we'll get something that's good enough. We'll use Fortinet SIEM and Fortinet two-factor authentication. Fortinet has a phone, a FortiFone, or a conference system. So we're not going to use the one that we've used all these years. We're just going to buy everything from Fortinet. And that's just silly. That's not going to happen. It crosses domains within the organization. The people who buy phones are not the same people who buy UTM devices. And so they're not going to put up with that. So we'll talk about it. There'll be articles written about it, but it's not going to happen. Karissa (37:06) So where do you think people saying this is too many vendors comes from? Does that come from them, for example, a CISO who's got like 50 pitches in their inbox every day? Do you think it stems from that? Because I mean, when you and I spoke... Yeah, totally. Yeah, okay. Because when you and I spoke, you said that some people don't need high-level enterprise stuff. They may need a vendor that's more suitable for SMEs, for example, and that's why we have many of them. Do you think people miss that point then? They're just like, Oh, I just get pitched at day in, day out, and I'm over it, and therefore there are too many vendors. Yeah. Richard Stiennon (37:37) If your job isn't to track all the vendors and understand that some sell to consumers, some sell to whoever, and you just see a list of all the vendors that do something, the stuff I post on LinkedIn all the time, they say there are too many. The market can't support them, but they don't look at the bigger picture. And they don't want... It's almost a... I don't know if it's lazy, but they don't want to have to know what all these vendors do and be able to differentiate between them. Why? They don't have time.
They've decided, look at it, I spent a lot of time learning about Splunk, and Splunk is good enough. Yeah, it's horribly expensive, and they're not responsive to small customers, but we don't need the other 50 SIEM vendors out there. That goes on all the time. Have you ever been to a major used book sale? Here in the US, they hold them in malls, and there's just a million books laid out. And you go, Wow. You could say, because you're never going to read them all, you could say there are too many books. We should just whittle it down to the best books, right? Richard Stiennon (38:50) Or books published by one publisher. I know it's a spurious argument because it just doesn't make sense. Karissa (38:59) Well, that saying, different strokes for different folks, is that what we should be adopting here in the industry? Richard Stiennon (39:03) That's it. Exactly. Karissa (39:10) So I've got a question for you. Just say, okay, you have a large vendor, they've got market share because they've been around for a long time, which is fair enough, right? They've earned their place. How does a smaller vendor, who may be better, cheaper, this, that, whatever, more agile, integrates quicker, whatever, how could they potentially overturn a larger vendor? Richard Stiennon (39:29) Great question. Because usually, if they even get close to doing that, the larger vendor just buys them. Probably the best example, and it's still in play right now, is Zscaler. So in 2008, the founder, Jay Chaudhry, looked at what was going on, in particular in what's called a secure web gateway, which is nothing more than a firewall to prevent bad stuff coming in and a list of inappropriate websites for employees to browse to. And that's what Blue Coat was. That's what Websense was. Those solutions were enterprise solutions that fit in the corporate network environment of a data center and a headquarters office.
And you had a $100,000 appliance that did all that blocking and tackling for you. Then Fortinet came along and said, Yeah, but what about the distributed enterprise that has 5,000 locations? Hotels, retail, restaurants, distributors, etc. So they came up, as did all the UTM vendors, so WatchGuard and SonicWall. Got to mention Red Piranha, based in Perth, I believe. They came up with a simple, low-cost appliance that you just put in your office of 10 or 20 people, and it would provide all the same functionality as this million-dollar stack of equipment you needed in your data center. Richard Stiennon (41:06) Jay Chaudhry looked at it and he said, Well, what about the mobile user? So in 2008, which is about the time that the iPhone was taking off, he had the vision of a future where people would use their mobile devices to access corporate assets and go out on the internet. And they could go out on the internet and browse inappropriate stuff from the corporate headquarters. So now you've got all the issues that come with people looking at pornography or sports betting sites or whatever from work. How are you going to protect that and stop that? And so he said, I need a solution that's all in the cloud, cloud native. All the network connections go directly to the cloud instead of back to the corporate headquarters. And with that one vision, he displaced the need for massive hardware security appliances, which Cisco produced, Palo Alto produced, Fortinet produced, etc., with simple per-user pricing: just enroll them. And then when they connect, they're essentially on a VPN and all their traffic is proxied, and we can log it and set policies all in the cloud. So simple to deploy, no massive investment in gear. Richard Stiennon (42:30) It's still expensive to do it this way. So they completely shifted, taking advantage of the dual trends of cloud and mobile, to displace an entire category of security appliances.
And now, normally I would say, and I always think, oh, my God, this is the way the world is going. And the other vendors that do this, Netskope, Cato, a dozen others, are going to completely displace the Palo Altos of the world. Yet, Borden, that's probably the highest-flying security stock today. I think the most highly valued company in security is still selling those appliances. So it turns out that cloud and modern architectures are still not penetrated as deeply as one would expect. You're like me, right? We're practically living in the future. It shocks us to discover, as we did a year and a half ago, that there are 30,000 companies that have Exchange servers on premises. We just assume everybody does it the modern way because it's lower cost, more effective, more uptime, etc. But the reality is, no, only the early adopters are there today. Karissa (43:58) Wow. Okay, so I guess it's going to take a bit of time, and it's how you go about doing it. I can think along the lines from a marketing, brand, media perspective, which is different. But again, I think that there are really good players out there. I mean, equally, a lot of the big companies, they're there because they are good as well. And I think that there is opportunity because a lot of people say, We're a small company, how do we grow? And I was like, Well, I can only help you in these areas. But I think things that you've touched on now are things that people can take away for their journey to get to that growth. Richard Stiennon (44:33) Keep an eye on founder-led big companies. So Check Point, Palo Alto and Fortinet are included in that because Nir Zuk still calls the shots at Palo Alto. Founder-led companies, or Trend Micro, my favorite, because Eva Chen is one of the founders and she's still at the helm. They have the ability to see future threats to their business and take action and drive a direction, a technological direction for the company.
Big conglomerates, Symantec and CA and very soon VMware, are going to be all in this big conglomerate. Their founders aren't going to be there. The founder of Symantec is long gone anyway, and they're going to flounder. They'll be run by financial teams that know how to twist the dials to make the most profits, but they're not going to innovate and change what they do very quickly. Karissa (45:34) Good observation. Okay, so speaking of observations, now, every year you write the Security Yearbook. Now, I've got a physical copy of it, so thank you so much for sending that. It's quite comprehensive. And so I'm definitely going to be sitting down and getting through that. And we will be including a link to your yearbook in the show notes. So if you want to look at it, grab a copy of it, we would encourage you to do that. But talk our listeners through what you cover in your yearbook, because you've been doing this for years, right? It's a pretty big book. It must take you literally your entire year to write it. Richard Stiennon (46:09) Yeah. Well, it took me a year to write it. Luckily, I had somewhere to start, as I wanted to write a history of our industry. And luckily, I've been in it since 1995. So right at the early days of Check Point Software. And I know a lot of the pioneers, so I could reach out to them and get their stories. I record them and transcribe them and edit them. So I provide their personal stories. So founder of Check Point, founder of Verisign, founder of Riptech, one of the first MSSPs, and now CEO of Tenable. So at least you get their stories. But my story is the overarching one. How did each of these 17 categories come about? What does it mean? Who were the early companies? What happened to them, and all that. And I had to write it because, one, I'm fascinated by it. I don't like the fact that we lose that history. Young founders starting up now have no idea what went before. And they should know some of these case studies.
And why did the company that used the same approach you're using, why did they fail? Or how did they succeed? And tons and tons of information like that. It's almost like doing a current history book, right? Richard Stiennon (47:38) Because most of the people who are involved are still with us. And even in the last edition, I started keeping track of those pioneers of our industry who have passed away in the previous year, just to honor their contribution. And I found a lot of interest from people just getting into the industry. It gets made available to students all the time, as well as the current senior members of the industry. They like it for nostalgia purposes and also for my perspective. And I clearly say this is from an industry analyst lens that I'm looking at it through. So take it for what it's worth. But the book is also a vehicle for publishing my directory of all the vendors. So every year in the past, we took our spreadsheets and extracted the data and published it. Now we're going to be just pulling it directly from the database. So it'll be up to speed, up to date. It does change dramatically. That's one of the reasons I built the database that we can constantly update: by the time I went to press last year, I had to eliminate 200 companies because they had gone out of business. Richard Stiennon (48:56) And I think so far this year, there's something like 145 M&As, so we've got to account for that in the book. And then, of course, funding is still screaming in security. $16 billion invested in security vendors this year. And yeah, that's below last year's record of $24 billion. But it's 60% more than the previous year's record of $10 billion. Karissa (49:23) Wow. That's incredible. I like that you're talking about the history as well. And you said, to honour some of these people who've done amazing things in the space, because you are right.
I think maybe people forget that some of these larger vendors were founded by someone that started out, whether it's in the garage or whatever it is. And then they've grown to a significant level. And I'm always about the story. I like to understand the journey. So yeah, I'm definitely keen to get into it and share some insights even from my perspective. So in terms of final thoughts or closing comments, Richard, is there anything you'd like to leave our audience with today? Richard Stiennon (49:57) Yeah, think back. Whenever you hear somebody say the industry is consolidating, keep in mind that it's not. So there are a few plays where somebody wants to buy particular companies and mash them together that are all in the same space. We're seeing that in the managed security services space. That would be consolidation, but there's thousands of MSSPs. The only consolidation that's occurred over all these years is NortonLifeLock acquiring Avast and a couple of other antivirus vendors. If Symantec had done that 20 years ago, that would have been consolidation. Buy Panda, buy Kaspersky, buy AhnLab in South Korea. That never happened, ever. Nobody ever did that. But NortonLifeLock, with the remains of Symantec, has acquired Avast. So there's some consolidation in an industry that is already being displaced. So the antivirus solution is under a lot of pressure from EDR, the CrowdStrikes and SentinelOnes that have come about with a better product. Karissa (51:14) Wow. Okay. Well, I think that's definitely been a very insightful, interesting, honest, and real interview. So I've absolutely appreciated your time, Richard. You've given me definitely something to think about for my own journey as well. So I really appreciate you giving up your time, sharing your insight, and coming on the show today. Richard Stiennon (51:33) My pleasure. Thanks, Karissa. Karissa (51:35) Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points.
Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by MercSec, the specialists in security search and recruitment solutions. Visit mercsec.com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to kbi.digital. This podcast was brought to you by KBI.Media, the voice of cyber.