
December 20, 2024 47 mins

Richard Stiennon, the acclaimed author of "Security Yearbook 2024" and CEO of IT Harvest, joins us to unravel the intricacies of the cybersecurity landscape. Discover how IT Harvest is redefining industry analysis with its SaaS platform, offering a fresh, data-driven alternative to traditional analyst firms. Richard shares his journey from independent publishing to a partnership with Wiley and previews the much-anticipated 2025 edition of his yearbook series. Our discussion highlights the role of AI in transforming industry practices, emphasizing efficiency and innovation in identifying security solutions through natural language queries.

Explore the evolving dynamics of cybersecurity investment amidst economic and political upheavals. We dissect the strategic shifts of venture capitalists in the wake of market fluctuations and incidents like the Silicon Valley Bank collapse. Despite these challenges, the current climate presents a unique opportunity for investment, with expectations of a market rebound by 2025. Richard provides insights into the unorthodox nature of cybersecurity stocks, where traditional market logic often takes a back seat to unpredictable events that influence valuations and investor confidence.

Join us as we navigate the complex world of fear-based marketing and the communication of cybersecurity risks. From the effective yet controversial tactics employed to highlight security threats, to the nuanced task of educating business leaders on potential cyber pitfalls, the stakes are high. Richard discusses the balance required to ensure genuine threat awareness without falling into the trap of fear-mongering. We also explore the necessity of authenticity and vendor trust in the tech sector, drawing on real-world examples and the role of analysts in maintaining accountability.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to this episode of Cybernomics, brought to you by Bruning Media, a New York-based firm that specializes in helping tech companies achieve thought leadership, one podcast at a time.
I'm your host, Josh Bruning, and my guest today is the man, the myth, the legend, Richard Stiennon.

(00:22):
Richard, good to see you. Thanks for coming back on the show.

Speaker 2 (00:28):
Likewise, Josh, and thanks for that.
That was nice.

Speaker 1 (00:31):
Yes, and Richard, for those who don't know, and I mean, who doesn't know you at this point? Everybody knows Richard.
He's got over 30,000 followers on LinkedIn.
He is the author of Security Yearbook 2024.
Going back to what was the first one, the first year that you did Security Yearbook? 2020? 2020.

(00:52):
So, look, you've got a backlog.
You can catch up on your security reading: 2020, 2021, 2022, 2023, and 2024 is the most updated, and you are currently working on 2025.
Correct?

Speaker 2 (01:05):
Correct. Yep, it's just got the cover design and it's due at the printers on January 13th.

Speaker 1 (01:12):
Awesome. So make sure that you head over to wherever Richard's got his...
Where could they find that book?

Speaker 2 (01:21):
Both are on Amazon. You can pre-order the 2025.

Speaker 1 (01:24):
And do you have a website? I remember one, you can get it directly from your website.
Is that still the case?

Speaker 2 (01:28):
Yeah, I stopped doing that when the book moved to Wiley as a publisher, so they had me stop selling books, obviously, and I had to get rid of everything in the warehouse.
I kind of overestimated the number I could sell, because selling books is really, really hard.
Doing it independently, yes, really hard.

Speaker 1 (01:45):
Yes, of course.

Speaker 2 (01:46):
Doing it, even with a publisher. It's hard.
It's just hard, right?
Yeah, it takes as much effort to sell a book as it does to sell, you know, a subscription to your SaaS service.
Yes, you know, multiple touch points.
You feel like all you're doing is hawking your stupid book, and I do sell 2,000 of them a year, which is good for most people,

(02:08):
for most books. Yeah, impressive.
But I had to send to the recyclers 16, or not 16, 12,000 copies of the book.

Speaker 1 (02:17):
Wow. You'll give them a new life in the afterlife.
Maybe they'll become some other different book, or a milk carton. Next book.

Speaker 2 (02:27):
Yeah, yeah.

Speaker 1 (02:28):
Yeah, all right.
Well, in addition to being the author and the man behind the industry's, I would say, definitive catalog of all vendors and solutions in the security space, you're also the CEO and the founder of IT Harvest, which is a platform.

(02:52):
You know what? I can explain it.
I'll give you my little understanding of what IT Harvest is, and if I leave anything out, please let me know.
IT Harvest, for those who don't know, is an online platform.
It's a SaaS platform that catalogs basically all of these vendors, all the solutions, the ones that you know, the ones that you don't know, the ones that are not in the book, the ones that are, you know, that you may be interested in, maybe

(03:14):
are in stealth mode.
Could I go as far as to say that there's some that are, yeah, some that are in stealth mode?
Um, so for those who are hunting those solutions that may be, you know, right now may be a bargain because they're not publicly traded or the valuation hasn't been completely overblown and the prices aren't overblown.
Maybe they're looking for beta testers or something like that.

(03:35):
You can find it all on this platform called IT Harvest.
You can really think about it as the Security Yearbook, but in SaaS form and interactive form.
So, Richard, since we've spoken last, a lot has changed over at IT Harvest.
You guys have upgraded your tech, you're doing a lot more, so could you give us a little bit more background and some

(03:57):
color around what's changed in IT Harvest?

Speaker 2 (04:00):
Sure, and if you think about it, we're kind of uncovering our grand vision as we go, because we started out as, hey, this is a better way to do the traditional industry analyst firm, right?
You've got advisory services from the expert, that would be me, and, you know, yeah, I used to write white papers and create research reports, et cetera.

(04:20):
But as we built this platform, I realized that we could have something we call the data-driven analyst firm, which, you know, if you're familiar with my alma mater Gartner or the Forresters, Omdias of the world, you realize they're not data-driven, right? They're experience-driven.
They draw from their customers who are asking questions all the

(04:43):
time.
They draw from them to gain insights into what's going on out there.
But it's all well and good, super valuable, obviously. People spend a lot of money on Gartner, to the tune of $5 billion a year.
But in the back of everyone's mind, I'm sure, right now, is this nagging question.
It's like, wait a minute, how does AI fit into all this?

(05:04):
An analyst firm produces content and then the salespeople at the analyst firm use that content as justification for selling subscriptions.
And it costs, right, $100,000 to get access to Gartner analysts. Well, couldn't that be automated?

(05:30):
And we now have this vision that, yes, you can automate it.
We've demonstrated it.
We are playing with it internally and doing our own beta testing on tools where we can supply natural language queries.
We can say, hey, I've got Splunk and we've got all these other tools. We don't want to store our data in the cloud. What are some alternatives to Splunk? Kind

(05:52):
of thing, and then have an answer come back, but not in the usual soft speak of ChatGPT. Right.

Speaker 1 (06:18):
Which is everything in kind of a whimsical term, very generic.
Yeah, right. So ChatGPT, you go into it, you ask it a question. It gives you some generic answers.
But you can take that a step further by building a capability into your platform that optimizes for one particular task, and in your case it's for searching for the correct

(06:39):
solution.

Speaker 2 (06:40):
Correct, that's exactly it.
We've got the data.
So now how do we just tack a large language model on the front of it in order to extract that?
And, unfortunately, it's incredibly expensive to do.
Right, it costs us, you know, under 50 cents, but not much, for every single question, so it really cranks up the costs very,

(07:05):
very quickly.

Speaker 1 (07:05):
And is that the cost of optimizing?

Speaker 2 (07:07):
It's the cost of tokens from the LLM. Oh wow.
Because we've got millions of data points that we have to front-load into the LLM every time you have a question.
So it uses up tens of thousands of tokens for every question.
And even more if you supply your own files, because you might say, here's our security stack, or here's our findings, or

(07:30):
whatever, and that is going to be even more expensive.
But luckily, in the world of LLMs, when the costs come down, every six months they drop by 99%. Really? They dropped by 99%. Really?
Yeah, so you build with this expensive model, hoping that it'll be less expensive in the future.

Speaker 1 (07:51):
So two years ago to do this it would have cost you probably a dollar or something for every question, and now it's 50 cents, and then next year it'll be 5 cents.
So it makes sense to do the upfront investment and just to be one of the first, instead of waiting for the cost to come down to jump in, when even now you've got a little bit of...

(08:14):
You know, this is Cybernomics, so we're going to use a little bit of economics lingo, which... there is the barrier to entry, which is the price, and so it sounds like you guys are kind of in that sweet spot where the barrier to entry is relatively high, even at 50 cents, but you would have established yourself in this space by the time the price comes down low, and then

(08:35):
you can... You know, at that point it's great, it's good.

Speaker 2 (08:39):
So this is a good problem to have. At the same time, the power of large language models, you know, the intelligence, however you want to measure that, is going up at a rate of 100x, 10x a year.
So that means in two years it'll be 100 times as powerful.

Speaker 1 (08:58):
Yeah, so it's better and cheaper as time goes on.
Yeah.

Speaker 2 (09:01):
And you really have to plan for that.
Come on, when you're in a fever, yeah. Yep, and you really have to plan for that.
So we're trying to build something that demonstrates that it works today, and when we plug in GPT-5, which might be available in the next six months, it works 100 times better.

Speaker 1 (09:19):
Mm-hmm, mm-hmm, yeah. And then your platform is going to take your place as CEO, and can't take your place as founder, because that's already happened.
You've already founded it, but IT Harvest might wake up one day and go, hmm, I'm sick of Richard telling me what to do, towards AI

(09:47):
.
One question that I've asked myself time and time again, and a subject that I've become increasingly interested in, is the human element in AI, right?
So executives, theoretically, would be using IT Harvest, right, and especially they would be using the AI capabilities.
But is there room between the executive, uh, buyer and the solution?
Is there room for any other human, uh, within that space?

(10:11):
Or is it just, you know, humanless, touchless, between the executive and the technology?

Speaker 2 (10:17):
No, there's, right now, there's room for that human. I think back to, I went to a Cybereason conference in Boston, I think, and they had Garry Kasparov speaking, back before Kasparov became a political advisor.
But he gets up on stage.

(10:38):
We're all scratching our heads. What's he going to tell us?
He's a chess master and he's one who lost to Big Blue, right? He lost the game and got put out of business, technically.
So, and he gets up there and he basically spells out a vision of machine-augmented human chess

(11:00):
players.
Great vision, never really panned out.
You don't really have two chess masters playing with their computers over here and, you know, leading the strategy, but still a good metaphor for what I think is happening.
Because I know just having data helps me answer people's questions.
Somebody can reach out and say, you know, I don't know.

(11:23):
They could say, hey, Richard, you know, I know you think that security awareness training is a complete waste of time and money, but we have to do it. So who should we use?
I've got the data on 45 security awareness training solutions that I can help you out with.
Do you want somebody down the road from you? Because there's, you know, a security awareness training startup in every single town in the country, practically.

(11:46):
Or do you want the big guy that was publicly traded for a while?
You know, you tell me the criteria and I'll introduce you to a short list.
Fantastic, I did that having data in front of me.
Now, even with the AI agents that we're building, I can still have somebody who's really good at using it.

(12:06):
Just like, you know, in your family, you're the expert at doing a Google search.
Everybody else is like, oh man, I can't find the answer to this question.

Speaker 1 (12:14):
You're like, bam, here it is. Yeah, way better than Google.

Speaker 2 (12:18):
Yeah, yeah, exactly.
And that empowering people, it's already part of our business model.
Usually, when we sell a single seat to a company, they assign one person to become the expert on the industry.
That person can easily be as expert as I am very quickly, because the data is right there, and I can't, even though I'm

(12:47):
now the only person in the world who's looked at all these companies.
You know, 4,006 this morning.
Well, that's not true. Erica is too.

Speaker 1 (12:55):
She's my researcher as to, you know, find them and find where the rest of the data is.

Speaker 2 (13:04):
So that's the official count of, as far as we know, all of the cybersecurity companies in the world?
No, because Erica and I work off a spreadsheet and I've got 45 that I haven't categorized yet and put in, and I've got an intern in Pakistan, Salar, and an intern in Nigeria, Samuel, who are constantly looking for new vendors.
So they go to venture capitalists' websites, see what

(13:28):
they've invested in, what their portfolio companies are.
They go to conferences and they do that first pass to make sure that it's not yet another reseller that sneaks in, and then pass them to me.
I categorize them and I pass them to Erica.

Speaker 1 (13:43):
So yet another, another application or another example of having humans in the picture.
Yeah, where the technology might get you 99% there, you can scrape the internet, you can scrape G2. You can scrape and scrape and scrape.
But for that, you know, that 1% that makes all the difference, where that may be where the value is, you do need to have some humans involved.

Speaker 2 (14:05):
Oh, absolutely.
And right now PitchBook, I think, has maybe 2,000 people, mostly in the Philippines, doing that annually, all the time.
Wow. And remember, we're talking about costs.
So, for instance, to write a description of 3,000 companies, as we did two years ago, like four weeks after ChatGPT was

(14:27):
made available via API, it took three days and it cost $450.
Great, you know, something I just couldn't do, right.
Personally, I could not write 3,000 descriptions of companies, right, and I'd have to hire 20 people and it'd take them a year to do that, right, and by then everything has changed. Yeah,

(14:49):
and everything's changing all the time, so, anyways, so keep that in mind.
You know, three days, exactly 72 hours, and $450.
So I said, well, geez, you know, PitchBook could do this too.
If PitchBook had the same access that we do to OpenAI, it would take 17 years to write descriptions of three and a half

(15:09):
million companies that they have, and it would cost several million dollars.
So now, mind you, for several million dollars, you can get better responses out of OpenAI, so they could do it faster, but it's still expensive.
So this is a case where focusing on a niche gives you a competitive advantage.

(15:30):
Yes, you have to do it all.

Speaker 1 (15:32):
Yes, yes, which you guys... I mean, you've cornered the market, really, in terms of cataloging the cybersecurity companies out there with your book and the platform, which I found just... that's amazing that you've been able to build a solution empire, or, you know, you're the king of the vendor hill.
I love it. And so, okay, well, you know, as we're

(15:57):
looking to 2025 and the landscape is always changing, geopolitics, we've got a new administration coming in.
We've got, you know, the Biden administration going out.
What were some of the big changes in 2024 that are going to really impact the way that we're looking at cybersecurity

(16:19):
in 2025 and beyond?

Speaker 2 (16:22):
Yeah, first of all, the economy is driving a lot, right.
And in 2023, was it, that Silicon Valley Bank collapsed and was reborn, you know, all in the space of a couple of weeks.
That just scared the investors.
No, it, they just stopped everything and the valuations started to fall apart because nobody put in more money at the

(16:45):
old valuations.
So we're getting past that.
I've discovered that investors, VCs, are inordinately impacted by the stock market.
They shouldn't be, right?
It's like, yes, the exits are generated by IPOs. Those are kind of the pots of gold at the end of the rainbow,

(17:07):
and the best exits are IPOs, usually.
And, yes, they've been totally dried up for the last two and a half, three years.
But what really happens is that the investors, you know, they're not always super wealthy.
You know, the guys who've been in it for a long time are very wealthy people.
But even if you're just a partner for a year or so, you

(17:30):
start to accumulate a little wealth, and then what do you do with it?
You turn it over to a financial advisor and they put it in stocks and bonds, whatever.
So when we had a, from 2020, from November of 2023, 2022, to January of 2023, the valuation of cybersecurity companies fell

(17:53):
in half.
So CrowdStrike, Zscaler, Palo Alto, their valuations just plummeted.
And that was all driven by interest rates.

Speaker 1 (18:02):
Right, and by the way, Richard, remember the last show, you said, I think we did like a buy, hold, sell, and you were on the money.
You were on the money.
Yeah, if people had listened to you on that episode, they may have made a little bit of money.
Honestly, I wish I had the fortitude and the insight that I

(18:24):
have now in hindsight to do that.
But yeah, so I just want to plug you real quick that your analysis was spot on. Cool.

Speaker 2 (18:34):
And don't anybody ever think that I can do that for my own investments, because I can't.
That's how it goes. Yeah, so anyways, during that time, of course, is when the Silicon Valley Bank eventually failed and the investors were like, oh my God, it's like I've lost half of my net worth.
I have to become more conservative, right?
So I'm not going to invest and I'm going to tell my portcos

(18:57):
to stop spending money to extend their runway.
That's what we've been going through. Now, mind you, you know, I think everybody learns on their father's knee to buy low and sell high.
So if the stock market was low, and obviously what followed on from that was that private companies have lower valuations,

(19:19):
now would be the time to be investing, and over the last six months would have been the time to be investing.
Because everything is low.
So invest. Buy now.
It's reduced your overall risk, right? Because the need is still there.
Luckily, in cybersecurity it's not like, oh my gosh, the cyber criminals are having a bad year, so they're going home.

Speaker 1 (19:39):
It doesn't work that way.

Speaker 2 (19:40):
Right, they're going constantly. Yeah, so cybersecurity is worth investing in at any time.
You know, pretty safe future, though with one caveat: there is a possibility of the entire industry to be impacted by Russia's collapse.
But anyways, now's the time to be making those investments, and

(20:01):
I think that 2025 will be the year that we get back to the exciting levels of 2021 and 2022.

Speaker 1 (20:09):
And cybersecurity is one of those weird industries where conventional wisdom doesn't really prevail in terms of buying stocks, where you would think that after a cybersecurity event, something happens like the Change Healthcare debacle, right, you think that stock prices would go down, right, but stock prices went up after that. And also, I

(20:34):
mean, and this is kind of timely, going into the... I don't want to get too much into the politics of what happened.

Speaker 2 (20:39):
Who owns Change Healthcare?

Speaker 1 (20:41):
Exactly, exactly. And so, yeah, I mean, you would think that in this industry that the news... it used to be really predictable.
I guess in other industries, I remember, you could watch the news and you can say, all right, this is an adverse event, there's an economic shock that will impact the stock of this

(21:01):
company and it will go down or it will go up.
But in cybersecurity it's kind of weird.
You just kind of have to, like, watch and see what happens.
It's almost like if anything happens it's gonna go up, and if anything happens it's gonna go down, and there's no rhyme or reason to it.
So how would you advise? I mean, we can look back and say that right now it's a

(21:22):
historical low for a lot of stocks and inevitably they will, not inevitably, but most likely they will go up in value.
But for the people who are used to the conventional ways of choosing stocks, especially if you're looking at the news to

(21:43):
see whether it goes up or down, how are you picking? How are people choosing what to invest in, uh, in this space? It seems to me very, like, up in the air.
Yeah, and we're in a really stupid transition phase.

Speaker 2 (21:54):
Um, so look at, uh, cybersecurity stocks are growth stocks.
It's market share grab and it's the same as the dot-com boom and it's the same as it's always, always been.
This is a growth game.
So when we entered the period, as we did two years ago, of, oh my gosh, we want profitability, and all of the bigger public

(22:17):
companies, CrowdStrike, et cetera, decided to demonstrate that they could get to profitability.
Historically, if a cybersecurity company is starting to show profits, it's over. The growth is over. Now it's just a profit game.
So, instead of multiples of 40 or 60 in some cases, all you can

(22:38):
expect is multiples of 20 from a growth stock.
So get out of that stock as soon as they start reporting profits, or they're making so much profits, or buying their stock back.
That's how they're going to compensate investors, is by upping their stock.
It's over.

(22:58):
So right now, all of a sudden, growth is back and, unfortunately, that means that all these public companies who, if they had been focusing on growth during the recession and getting more customers and growing that revenue at the expense of profitability, they would have grabbed market share away from their competitors, you know, was contrarian this time around,

(23:27):
because it takes a pretty gutsy move to go, no, I'm sorry, we're just going to keep getting customers instead of, you know, satisfying your need for our profitability. Right, right.

Speaker 1 (23:33):
So it's just knowing when to go in, when to come out, but the overall trajectory is going to be up and, depending on the type of investor you are, that might be good, might be bad.
Yep, uh, so with that caveat.

Speaker 2 (23:45):
So look what's happening in the world, right?
So Syria, Romania, Georgia, all having troubles, all regimes supported, propped up by Russia. They're collapsing.
Russia could collapse, right, and the collapse might mean disposing, deposing Putin, a new regime.

(24:07):
You know, we all hope that it's a democratic regime and life is good again, but it's most likely just going to be another oligarch, right?
They're going to point the finger at Putin for all the evils in the world.
They're going to say that Ukraine is all him, not them.
So please be nice, and, you know, we'll...

(24:27):
We'll not complain about Ukraine joining NATO or something like that.
And as part of that new realm and being nice, they're going to crack down on cybercrime.
All the ransomware guys go away fast, I mean, like, overnight gone.
No more news articles, no more Colonial Pipelines, nothing to

(24:52):
get investor interest, because every time there's a new breach, I get calls from investors saying, hey, I heard cybersecurity is hot. Yeah.
So no more investor interest and no more customer interest, because they're not reading about it in the paper every day.

Speaker 1 (25:03):
Yeah, for yourselves, it's going to get really... Yeah, fear sells.
It's going to get really, really hard to sell cybersecurity.

Speaker 2 (25:08):
Yeah, yeah, the need is still there.
You're still just as vulnerable as you ever were.
You just don't have these helpful ransomware guys showing that you need it.

Speaker 1 (25:18):
Right, right, and this is something, I'm glad you brought that up, this is something that I go back and forth on all the time.
I change my mind, I flip-flop, is the fact that fear does sell.
We're in, we're in the security industry and fear sells, right?
There's a reason, there's a reason why Tony Soprano comes to your, to your shop, and says, hey, you know what, give me 10

(25:40):
of your profits, or... and we'll protect you from, you know, bad things that might otherwise happen, right.
And then that fear, obviously, if you're a mafioso, you're not protecting them from an external threat, you're protecting them from yourself, which is a terrible practice.
I'm not telling people that, you know, to do that, or that's what I think should be done, but the fact is fear does sell, right?

(26:04):
I was talking to Chad Beckman about this in one of our previous episodes.
We recorded it. I don't know if it's going to air before this one, so, you know, we can look it up.
If it's not there, stay tuned.

(26:28):
This idea of, should we use fear to sell cybersecurity? Because if I go to a CISO or CTO and I say, hey, look, you guys don't have MFA. If you don't have MFA, here are all the bad things that could happen.
And I'm in the minority, where I do think that if you're selling cybersecurity, you should expose what could happen.
So it's not that I'm selling fear necessarily, but we're

(26:49):
talking about security here.
If we're talking about securing your house, what's the risk? It's getting broken into and someone tying your family up and taking all your stuff. Right.
You can call that fear-mongering if I'm trying to sell you a lock, but the fact is that's the truth, and I find myself in the minority, which is kind of frustrating.
Where do you stand on using fear, or at least highlighting

(27:15):
the risks, the real risk of not purchasing a cybersecurity service or product?

Speaker 2 (27:23):
Yep, I'm totally on your side.
But I come at it from the CISO's perspective, right?
So for years and years we've been giving security leaders bad advice.
So, pre-CISO, right, one, we tell them to patch everything, you know, which is just craziness.
But two, we tell them to talk the business language. In other

(27:45):
words, adopt the language of the board members.
I've sat on a lot of boards and that board language is the language of the CFO.
Everybody over the years has adjusted themselves to talk to the baby with the spreadsheet, right, and make sure we use his or her nomenclature, which is weird, right?

(28:08):
Internal rate of return and all this stuff.
Right, and easy to learn. Pick up a textbook and you've got it.
Why shouldn't the CFO learn our language? Why don't they learn what TTPs are and what APTs are?
And so my advice to CISOs is, you step into that boardroom, if you ever get a chance, and you educate everybody about what's

(28:29):
actually happening.
Don't try and turn it into business terms at all, and never, ever try and turn it into risk.
If you say risk, the CFO goes, insurance.

Speaker 1 (28:41):
You know, that's so funny you said that. Chad and I had the same exact conversation and he's on the opposing view.
I wish I could just get you guys in a room and we can have this discussion again.
Yeah, I think you're right.
I think that there's some measure of, the board has to understand exactly what's going on in the cybersecurity world, and maybe it's not fear-mongering.

(29:02):
What some people would call fear-mongering, I would call education.

Speaker 2 (29:05):
Yeah, education is where it's at.
You know, even when I go to a security conference, I love the ones where the researchers are getting up on stage and they just dig way deep into some really cool, you know, Mimikatz exploit that they figured out and, you know, you learn from that.
You get educated and you understand how easy it is to

(29:28):
exploit your system.
And that gives you this underlying fear. Next time you click on a link, should I click on that? No. Right, right.
So it really, really, really works. It works for all of us.
Why shouldn't it work for these relatively intelligent business people?

Speaker 1 (29:41):
Exactly.
I think people divorce the word security from cybersecurity.
Yeah, what is security? Security is inherently about your safety, your well-being, and we talk about national security.
Do you think that the government says, no, don't tell people that, like, North Korea is, uh, is a threat?

(30:02):
If we tell people that, then, you know, they'll just be too wary of...
Obviously there can be so much fear-mongering that people, you know, you think that you're crying wolf, not thinking to cry wolf, but at the same time we're in the business of security, and so with that, there are risks to the business, and I think that the board should be aware of those risks.

(30:24):
Where are they going to hit you and where, where is it going to hurt?
You should make it as visceral as possible, right?

Speaker 2 (30:29):
So the, you know, so the best example I ever saw was at Lockheed Martin.
So I go in there to see how they operate, these guys, and this is 14 years ago, and they would track threat actors in their systems and they would label them, give them a name.
They didn't care who they were, because ultimately it doesn't

(30:49):
matter if it's China or Russia trying to hack you, right? Maybe, but it shouldn't matter, because you just treat it like they're an attacker.
And they give them a name, and up on the big screens I saw the names. One of them was Cheesy Fingers.
So the actions are tied to the same group based on time of day, the TTPs that they use,

(31:09):
you know, all that stuff.
And then they use the Lockheed Martin kill chain as their methodology to track it, and they can show you a chart, which they did, and every week they showed it to the executive staff: these seven different teams working at different times of day are all trying to infiltrate our network all the time, but

(31:30):
some of those teams are 24 by 7.
We can tell when they shift to the other shift every eight hours, because the people type slower or faster or something. Yeah.
If that doesn't scare you, and if it doesn't engender the response from the board of, how much money do you need? What can you do to help us here?
You know, last time they almost got to the Active Directory

(31:52):
server. What are you going to do next?
Right, it's the only way to sell security internally.

Speaker 1 (31:58):
Yeah, they're at the door, they're at the walls. You know, they've got the Trojan horse prepared.

Speaker 2 (32:03):
Exactly, they are.
You know, they're buying information on the dark web about a server in one of our subsidiaries in Florida, yeah, and, you know, they're selling it for $180.
You can buy root access on that stupid server, and because you allowed me to buy threat intelligence, I know that and we

(32:23):
fixed it before it was even sold.

Speaker 1 (32:26):
Yeah, even salt.
Yeah, I'm glad that Lockheed Martin is taking that approach,
because if you look at the alternative to not, if you're
saying that you're not going to use fear or I call it you know,
we'll call it education and informing the board or the
business folks of what's actually happening, then guess
what?
They're going to ask you why.
They're going to say why, Richard, why do I need that?

(32:47):
Tell me?
Tell me, why do I need that.
And if your response is not some measure of you need this
because it will impact your bottom line and you may have to
answer to your customers, you have to answer to your employees
and you may go to jail if you don't do this.
I'm sorry, am I crazy?

(33:08):
Yeah, I feel like that's the business we're in.

Speaker 2 (33:12):
And once you say that in a board meeting where the
minutes are being recorded, you've just created a pretty
serious liability.
Yeah, that had to be addressed.
Yeah, it had to do what you said after that.

Speaker 1 (33:26):
Yeah, I think the scientist type, the technician,
engineering type of people are experiencing a measure of PTSD
from all the movies where the scientist was saying, hey, the
asteroid's going to hit, the asteroid's going to hit, it's
going to wipe us out.
And then eventually, you know, the asteroid misses us and then
the government says, ah, that guy's crying wolf.

(33:47):
So I do see that perspective of crying wolf.
But hey, man, we're not crying wolf, we're saying that these
things are real and it might happen.
And if it does happen, it most certainly will impact your
bottom line.

Speaker 2 (34:02):
Yep, yeah, if it doesn't happen, you should get a
bonus.

Speaker 1 (34:05):
Yes, exactly.
If it doesn't happen, we should be rewarded, because
cybersecurity leaders are judged on their failures and it's
about time that we are judged on our wins, and when something
doesn't happen, that's a win.
I feel like we're in the twilight zone where we're
thinking that we're just goingto keep taking the losses and

(34:28):
not highlighting where we've won.
Now the problem is probably quantifying those wins and
proving that something didn't happen.
Right, but so hard.
But that's a problem that exists in security universally.
I mean, look at you.
I can convince my neighbor that you're safe because of
particular measures that the government has taken in the
geopolitical landscape.

(34:50):
And we've bought more guns, we've got more nukes, we've got
X, Y and Z, and that's why you can enjoy the way of life that
you enjoy today for most people.
Okay, they may not see it, it may not be tangible, but it's
intuitive.
Right right, yeah.

Speaker 2 (35:06):
And you can take it closer to the.
You know, I used to think of all the metaphors about keeping
your house safe, right, and the guard dogs and security lights
come on and all that.
And then I went to South Africa and in South Africa people live
in gated communities and the one percenters do, which

(35:27):
wouldn't be us if we moved to South Africa, right?
So people work in companies, live in gated communities that
are surrounded by very, very tall fences and you have to get
in through a security guard.
Every single house and yard is surrounded by a 10-foot fence
with razor wire.
Inside the community and inside the house at the top of the

(35:48):
stairs they have what they call rape gates.
They have barred gates so the bad guys can get in, but they
can still television, but not the kids.
Wow, that just shows you what people are willing to live with.

Speaker 1 (36:03):
Right yeah.

Speaker 2 (36:07):
So a parent of one of my daughter's classmates and
she said, yeah, she lived in Johannesburg.
I said, oh man, you know, didn't she have to live in a
gated community with barbed wire fences and gates?
At the top of the stairs and she goes oh yeah, just normal,
just normal.
You know there's millions of people who live in Syria and

(36:29):
life there is.
You know they have accommodated a horrible, horrible situation
Throughout the world.
Yeah, so yeah, I guess I don't know what point I'm making there.

Speaker 1 (36:42):
No, the point is that you need security.
And it sounds like those people who are selling the barbed
wires and the locks and all that kind of stuff, guess what it's
those locals, they understand.
You don't have to go to them and make the argument that those
things are needed.
And so one, one last thing on this topic.
I know we're beating this dead horse into into the, into

(37:06):
oblivion, the, uh, into oblivion.
But one thing that Chad said to me and I'm glad that you're
here because you're the, I think you're the person that
could shed some light on this his main thing that kind of got
me a little bit more on their side was that everybody is
saying this if one person is fear-mongering and if it works,

(37:27):
if one vendor, one company is fear-mongering or, you know,
educating, whatever we want to call it, then and they and they
know that it sells, it works, and everybody's going to do it,
and then you know, and then we're all crying wolf.
So how do we strike this balance between being real?
I, I think I know what my solution is.

(37:48):
I'd like to hear yours, and then I'll tell you what my
solution is.
I.

Speaker 2 (37:51):
I bet I know what yours is, and that is the
education side.
That's actually what I've been doing in my blogs since 2003.
So 21 years is highlighting the events, digging into what
caused them, what would have prevented them.
My favorite example is right two miles from my home here.

(38:14):
The big Lowe's home store was attacked by a couple kids in a
car with a Pringles can Wi-Fi antenna, you know, wrapped in
aluminum foil, and the FBI had known something was going on.
So they deployed 20 agents and one agent on the roof of Lowe's

(38:35):
saw the car with the Pringles can and said hey, something
strange is going on down there, check these guys out.
So they followed that person to his home.
One of the people in the car is a good friend of mine who was,
I don't know, one for the ride.
Somehow he got out of it.
And so I wrote that whole storyup and you know, with my naive

(38:59):
he was stealing credit card information from point of sale
terminals to sell to the Russian mafia.
I remember pooh-poohing that whole concept until I got a call
from my friend Richard.
No, that's Michigan, really happening.
There's a whole bunch of Russian mafia here, carders,
that do that all the time.
Now I know, but I wrote that up and I forget what year it was.

(39:29):
But it was two years later that Target got hit with the exact
same attack and had to tell people they lost, you know, tens
of millions of credit cards because somebody parked in their
parking lot with a Pringles can antenna, right, they didn't
read my blog, and why did they read my blog?
Because there's nobody there whose job it is to understand
the threats.
Right there probably is now.

Speaker 1 (39:47):
Yeah, if there's a killer on the loose, I'd like to
know.
Yeah, yeah, if there's a killeron the loose.

Speaker 2 (39:50):
I'd like to know.
Yeah, yeah, I don't want to know, because there's a
helicopter with a spotlight running around the neighborhood.

Speaker 1 (39:56):
Right, that's too late, or what's going on.
Yeah, I want you to tell me ahead of time so I can get the
hell out of Dodge, you know.
So, yeah, and you're correct, my solution would be to educate
more, to be more authentic.
I think that just technology sellers across the board,

(40:16):
companies across the board, not just even in technology, just
across the board we can use, with more authenticity and being
real, that when we say that something exists, it exists and
honestly get the bad actors out.
I think your book highlights something to me, which is we've
got too many vendors, we have too many people in this space
and the ones that have to resort to crying wolf in order to sell

(40:39):
guess what.
There's a market correction that needs to happen and those
companies need to go.

Speaker 2 (40:44):
Well, I don't agree with that at all.
I don't think there's too many vendors, but of course I would
say that, since my business is counting all the vendors. Mm-hmm,
mm-hmm, but and look at, there are 350 of those vendors get
acquired every year. Almost 10% of the entire market, Mm-hmm so
your desire to see fewer is happening.
Right, they're all getting sucked into Palo Altos and Ciscos

(41:06):
of the world.
But we also need multiple vendors, because we need vendors
of the exact same kind of product in every single region.
And that's thanks to Edward Snowden though, in effect,
thanks to the NSA spying on everybody and using US
technology in order to spy on everybody that in Germany, in

(41:29):
France, Italy, they don't trust US technology anymore, so they
destroyed that trust that we used to have, so they need their
own vendors in their own countries.
That's why there are 250 security vendors in Germany and
250 in the UK and coming up on that in France.
So we're always going to have that.
I call it digital mercantilism,where they're supporting, you

(41:53):
know, by local kind of ideas and of course, the US, you know,
especially during the Trump administration, but on both
sides, Democrat and Republican have vilified Chinese, uh right.
So, oh my god, why would you buy from a company that has
somebody on the board who is a member of, you know, the B-Men's

(42:13):
Club of China, which is the People's Liberation Army?
You know, I'm sure you'd find somebody on the board of Cisco
who worked at the NSA.
The building that mistrust in technology for technology's sake
was a big mistake, because the backfire right.
Nobody buys from China directly, right?

(42:34):
You know Huawei?
Yeah, maybe some telecom gear in Europe, and yes, our Lenovo
laptops are all Chinese and, of course, our MacBooks are all
made in China, but we don't look for Chinese brands in
particular.
But if you vilify Huawei, it works the other way.
People are just like, yeah,well, what about Cisco?

(42:55):
Sure, I want Cisco gear now.

Speaker 1 (42:57):
Yeah, I think we can find common ground on that.
I think that the localization of vendors and it inevitably
splits off and splits and splits and splits you get more.
Just the way that you've specialized with IT Harvest, you
get higher quality, a better service.
That's happening and that's one of the reasons we have so many

(43:18):
vendors.
All I'm saying is that if you have to lie and you have to make
up fears, and you have to like really fear monger and create
threats that don't really exist in order to sell your service or
product.
You don't deserve to exist, yeah.

Speaker 2 (43:36):
The market has, yeah, and.
But I would like to point out that it's not the little vendors
that do that, it's the big vendors.

Speaker 1 (43:43):
Oh snap, OK, I'm not picking a fight with the big
boys.

Speaker 2 (43:46):
That's the job of analyst firms should be, and it
should be the job of Gartner analysts?
Yes, because they've got air cover.
Yes, and unfortunately, I left Gartner and I continued to do it.
Yeah, very dangerous for an independent to take on.

Speaker 1 (44:01):
Palo Alto, for instance.

Speaker 2 (44:04):
I just got off an analyst call with you know one
of the big vendors and man, I just feel I was getting hot under
the collar and it's like because they just pitch all this
vaporware at you.
You just want to challenge every single thing.
They say you can't, they don't control the world that they're
in.

Speaker 1 (44:20):
Yeah, yeah, that's a really good point, wow, yeah,
well, you know what.
You know what?
Yeah, I'll have to think about that a lot more, because that's
the problem that you solve and, to some extent, that we solve,
which is providing more transparency and visibility into
the vendor landscape so that people can make better choices

(44:42):
about where they put their money, their investments and what
they buy.

Speaker 2 (44:46):
All right.
One last warning.
I got to get it out there.
This is a talk I've submitted to RSA.
I doubt they'll accept it, but it's why you know it's the
platformization versus best of breed.
And when you hear a large vendor I'm looking at you, Palo
Alto talk about platform, they have to go to their constituency

(45:06):
, the stockholders, and explain their massive reason why they're
going to grow.
They claim it's platformization and then they turn around and
convince CISOs that, hey, this is great, you'll buy everything
from one vendor, which we allknow is a really bad idea.
Just don't go there.
But I just want to point out that every single security

(45:28):
platform vendor has failed.
And what is different, now that Palo Alto, Fortinet, Trend
Micro is doing differently, that they are not going to fail and
end up working for Broadcom.

Speaker 1 (45:46):
Any company.

Speaker 2 (45:47):
Broadcom.
Just keep that in mind.
Dire company yeah, just out of mind Dire yes, yes, yeah.

Speaker 1 (45:54):
That is a dire warning and I think it's a, it's
a caution to to all of us moving into 2025 and beyond is
to be aware, don't be scared and, in some cases, be very afraid,
but you know, just be aware of what's going on.
All right, Richard, thank you so much for joining us today.

(46:15):
Uh, I know you got to run, you've got a company to run and
you've got things to do and books to sign, and I look
forward to the next time you're on the show.
If people want to find you, how can they find you?

Speaker 2 (46:26):
Yeah, just find me on LinkedIn, right, Stiennon?
I accept all requests except from people whose specialty is
Web3.
So, yeah, we can just be connected Awesome.

Speaker 1 (46:37):
And if you want to learn more about Bruyning Media
and what we do, visit us at bruyning.com.
That's B-R-U-Y-N-I-N-G dot com.
You can look me up on LinkedIn.
Shoot me an email.
My email address is josh at bruyning.com.
So, Richard, thanks again.
Thank you for listening to this episode of Cybernomics, thanks,
bye.
Thanks, Josh.