
Cybernomics Radio
Welcome to Cybernomics, the podcast where we break down the latest enterprise innovations and challenges shaping the Information Security industry. Whether it’s AI, cloud computing, or digital transformation, we dive deep into the forces driving businesses forward.
Join host Josh Bruyning as he engages with industry experts and technology leaders to explore how businesses are leveraging technology for growth. From cutting-edge advancements to the economic impact of tech decisions, Cybernomics delivers insights that keep you ahead of the curve.
Tune in for expert analysis, compelling discussions, and a front-row seat to the future of Information Security.
#31 A Look back at Cybersecurity Investment in 2024 with Richard Stiennon, CEO and Co-Founder @IT-Harvest
Richard Stiennon, the acclaimed author of "Security Yearbook 2024" and CEO of IT Harvest, joins us to unravel the intricacies of the cybersecurity landscape. Discover how IT Harvest is redefining industry analysis with its SaaS platform, offering a fresh, data-driven alternative to traditional analyst firms. Richard shares his journey from independent publishing to a partnership with Wiley and previews the much-anticipated 2025 edition of his yearbook series. Our discussion highlights the role of AI in transforming industry practices, emphasizing efficiency and innovation in identifying security solutions through natural language queries.
Explore the evolving dynamics of cybersecurity investment amidst economic and political upheavals. We dissect the strategic shifts of venture capitalists in the wake of market fluctuations and incidents like the Silicon Valley Bank collapse. Despite these challenges, the current climate presents a unique opportunity for investment, with expectations of a market rebound by 2025. Richard provides insights into the unorthodox nature of cybersecurity stocks, where traditional market logic often takes a back seat to unpredictable events that influence valuations and investor confidence.
Join us as we navigate the complex world of fear-based marketing and the communication of cybersecurity risks. From the effective yet controversial tactics employed to highlight security threats, to the nuanced task of educating business leaders on potential cyber pitfalls, the stakes are high. Richard discusses the balance required to ensure genuine threat awareness without falling into the trap of fear-mongering. We also explore the necessity of authenticity and vendor trust in the tech sector, drawing on real-world examples and the role of analysts in maintaining accountability.
Welcome to this episode of Cybernomics brought to you by Bruyning Media, a New York-based firm that specializes in helping tech companies achieve thought leadership, one podcast at a time. I'm your host, Josh Bruyning, and my guest today is the man, the myth, the legend, Richard Stiennon. Richard, good to see you, thanks for coming back on the show.
Speaker 2:Likewise, Josh, and thanks for that. That was nice.
Speaker 1:Yes, and Richard, for those who don't know and I mean who doesn't know you at this point, everybody knows Richard. He's got over 30,000 followers on LinkedIn. He is the author of Security Yearbook 2024. Going back to what was the first one, that the first year that you did Security Yearbook was 2020. 2020. So, look, you've got a backlog. You can catch up on your security reading 2020, 2021, 2022, 2023 and 2024 is the most updated and you are currently working on 2025. Correct?
Speaker 2:Correct Yep, it's just got the cover design and it's due at the printers on January 13th.
Speaker 1:Awesome, so make sure that you head over to wherever Richard's got his. Where could they find that book?
Speaker 2:Both are on Amazon, you can pre-order the 2025.
Speaker 1:And do you have a website where I remember one you can get it directly from your website. Is that still the case?
Speaker 2:Yeah, I stopped doing that when the book moved to Wiley as a publisher, so they had me stop selling books, obviously, and I had to get rid of everything in the warehouse. I kind of overestimated the number I could sell, because selling books is really, really hard. Doing it independently, yes, really hard.
Speaker 1:Yes, of course.
Speaker 2:Doing it, even with a publisher. It's hard. It's just hard right? Yeah, it takes as much effort to sell a book as it does to sell. You know subscription to your SaaS service. Yes, you know multiple touch points. You feel like all you're doing is hawking your stupid book, and I do sell 2,000 of them a year, which is good for most people, for most books, yeah, impressive. But I had to send to the recyclers 16, or not 16, 12,000 copies of the book.
Speaker 1:Wow, you'll give them a new life in the afterlife. Maybe they'll become some other different book or a milk carton. Next book.
Speaker 2:Yeah, yeah.
Speaker 1:Yeah, all right. Well, in addition to being the author and the man behind the industry's I would say the definitive catalog of all vendors and solutions in the security space, you're also the CEO and the founder of IT Harvest, which is a platform. You know what? I can explain it. I'll give you my little understanding of what IT Harvest is, and if I leave anything out, please let me know.
Speaker 1:IT Harvest, for those who don't know, is an online platform. It's a SaaS platform that catalogs basically all of these vendors, all the solutions, the ones that you know, the ones that you don't know, the ones that are not in the book, the ones that are, you know, that you may be interested in, maybe are in stealth mode. Could I go as far as to say that there's some that are, yeah, some that are in stealth mode? So for those who are hunting those solutions that may be, you know, right now may be a bargain because they're not publicly traded or the valuation hasn't been completely overblown and the prices aren't overblown. Maybe they're looking for beta testers or something like that.
Speaker 1:You can find it all on this platform called IT Harvest. You can really think about it as the Security Yearbook, but in SaaS form and interactive form. So, Richard, since we've spoken last, a lot has changed over at IT Harvest. You guys have upgraded your tech, you're doing a lot more, so could you give us a little bit more background and some color around what's changed in IT Harvest?
Speaker 2:Sure, and if you think about it, we're kind of uncovering our grand vision as we go, because we started out as hey, this is a better way to do the traditional industry analyst firm, right? You've got advisory services from the expert that would be me, and you know, yeah, I used to write white papers and create research reports, et cetera. But as we built this platform, I realized that we could have something we call the data-driven analyst firm, which you know, if you're familiar with my alma mater Gartner or the Forresters, Omdias of the world, you realize they're not data-driven, right, they're experience-driven. They draw from their customers who are asking questions all the time. They draw from them to gain insights into what's going on out there. But it's all well and good, super valuable, obviously people spend a lot of money on Gartner to the tune of $5 billion a year.
Speaker 2:But in the back of everyone's mind, I'm sure, right now, is this nagging question. It's like wait a minute, how does AI fit into all this? An analyst firm produces content and then the salespeople at the analyst firm use that content as justification for selling subscriptions. And it costs, right, $100,000 to get access to Gartner analysts. Well, couldn't that be automated? And we now have this vision that, yes, you can automate it. We've demonstrated it. We are playing with it internally and doing our own beta testing on tools where we can supply natural language queries. We can say, hey, I've got Splunk and we've got all these other tools. We don't want to store our data in the cloud. What are some alternatives to Splunk, kind of thing, and then have an answer come back, but not in the usual soft speak of ChatGPT. Right.
Speaker 1:Which is everything in kind of a whimsical term, very generic. Yeah, right, so ChatGPT, you go into it, you ask it a question. It gives you some generic answers. But you can take that a step further by building a capability into your platform that optimizes for one particular task, and in your case it's for searching for the correct solution.
Speaker 2:Correct, that's exactly it. We've got the data. So now how do we just tack a large language model on the front of it in order to extract that? And, unfortunately, it's incredibly expensive to do. Right, it costs us, you know, under 50 cents, but not much, for every single question, so it really cranks up the costs very, very quickly.
Speaker 1:And is that the cost of optimizing?
Speaker 2:It's the cost of tokens from the LLM. Oh wow. Because we've got millions of data points that we have to front load into the LLM every time you have a question.
Speaker 2:So it uses up tens of thousands of tokens for every question. And even more if you supply your own files, because you might say here's our security stack or here's our findings, or whatever, and that is going to be even more expensive. But luckily, in the world of LLMs, the costs come down every six months, they drop by 99%. Really? They dropped by 99%. Really. Yeah, so you build with this expensive model, hoping that it'll be less expensive in the future.
Speaker 1:So two years ago to do this it would have cost you probably a dollar or something for every question, and now it's 50 cents, and then next year it'll be 5 cents. So it makes sense to do the upfront investment and just to be one of the first, instead of waiting for the cost to come down to jump in when even now you've got a little bit of.
Speaker 1:You know, this is cybernomics, so we're going to use a little bit of economics lingo which there is the barrier to entry, which is the price, and so it sounds like you guys are kind of in that sweet spot where the barrier to entry is relatively high, even at 50 cents, but you would have established yourself in this space by the time the price comes down low, and then you can. You know, at that point it's great, it's good.
Speaker 2:So this is a good problem to have, at the same time, the power of large language models. You know the intelligence, however you want to measure, that is going up at a rate of 100x, 10x a year. So that means in two years it'll be 100 times as powerful.
Speaker 1:Yeah, so it's better and cheaper as time goes on. Yeah.
Speaker 2:And you really have to plan for that. Come on when you're in a fever, yeah, yep. So we're trying to build something that demonstrates that it works today, and when we plug in GPT-5, which might be available in the next six months, it works 100 times better.
Speaker 1:Mm-hmm, mm-hmm, yeah, and then your platform is going to take your place as CEO and can't take your place as founder, because that's already happened. You've already founded it, but IT Harvest might wake up one day and go, hmm, I'm sick of Richard telling me what to do. Towards AI, one question that I've asked myself time and time again, and a subject that I've become increasingly interested in, is the human element in AI, right. So executives, theoretically, would be using IT Harvest, right, and especially they would be using the AI capabilities. But is there room between the executive buyer and the solution? Is there room for any other human within that space? Or is it just, you know, humanless, touchless, between the executive and the technology?
Speaker 2:No, there's right now. There's room for that human. I think back to, I went to a Cybereason conference in Boston, I think, and they had Garry Kasparov speaking, back before Kasparov became a political advisor. But he gets up on stage. We're all scratching our heads. What's he going to tell us? He's a chess master and he's one who lost to Big Blue. Right, he lost the game and got put out of business, technically so, and he gets up there and he basically spells out a vision of machine-augmented human chess players. Great vision, never really panned out. You don't really have two chess masters playing with their computers over here and, you know, leading the strategy, but still a good metaphor for what I think is happening.
Speaker 2:Because I know just having data helps me answer people's questions. Somebody can reach out and say, you know, I don't know. They could say hey, Richard, you know, I know you think that security awareness training is a complete waste of time and money, but we have to do it. So who should we use? I've got the data on 45 security awareness training solutions that I can help you out with. Do you want somebody down the road from you? Because there's, you know, a security awareness training startup in every single town in the country, practically. Or do you want the big guy that was publicly traded for a while? You know, you tell me the criteria and I'll introduce you to a short list. Fantastic, I did that, having data in front of me. Now, even with the AI agents that we're building, I can still have somebody who's really good at using it. Just like, you know, in your family, you're the expert at doing a Google search. Everybody else is like, oh man, I can't find the answer to this question.
Speaker 1:You're like bam, here it is. Yeah, way better than Google.
Speaker 2:Yeah, yeah, exactly. And that empowering people, it's already part of our business model. Usually, when we sell a single seat to a company, they assign one person to become the expert on the industry. That person can easily be as expert as I am very quickly, because the data is right there, and I can't, even though I'm now the only person in the world who's looked at all these companies. You know 4,006 this morning. Well, that's not true. Erica is too.
Speaker 1:She's my researcher as to, you know, find them and find where the rest of the data is.
Speaker 2:So that's the official count, as far as we know, of all of the cybersecurity companies in the world. No, because Erica and I work off a spreadsheet and I've got 45 that I haven't categorized yet and put in, and I've got an intern in Pakistan, Salar, and an intern in Nigeria, Samuel, who are constantly looking for new vendors. So they go to venture capitalists' websites, see what they've invested in, what their portfolio companies are.
Speaker 2:They go to conferences and they do that first pass to make sure that it's not yet another reseller that sneaks in and then pass them to me. I categorize them and I pass them to Erica.
Speaker 1:So yet another application or another example of having humans in the picture. Yeah, where the technology might get you 99% there, you can scrape the internet, you can scrape G2. You can scrape and scrape and scrape. But for that, you know, that 1% that makes all the difference, where that may be where the value is, you do need to have some humans involved.
Speaker 2:Oh, absolutely. And right now PitchBook, I think, has maybe 2,000 people, mostly in the Philippines, doing that annually all the time.
Speaker 2:Wow, and remember, we're talking about costs. So, for instance, to write a description of 3,000 companies, as we did two years ago, like four weeks after ChatGPT was made available via API, it took three days and it cost $450. Great, you know, something I just couldn't do, right. Personally, I could not write 3,000 descriptions of companies, right, and I'd have to hire 20 people and it'd take them a year to do that, right, and by then everything has changed, yeah, and everything's changing all the time. So, anyways, so keep that in mind. You know, three days, exactly 72 hours, and $450.
Speaker 2:So I said, well, geez, you know, PitchBook could do this too. If PitchBook had the same access that we do to OpenAI, it would take 17 years to write descriptions of the three and a half million companies that they have, and it would cost several million dollars. So now, mind you, for several million dollars, you can get better responses out of OpenAI, so they could do it faster, but it's still expensive. So this is a case where focusing on a niche gives you a competitive advantage. Yes, you have to do it all.
Speaker 1:Yes, yes, which you guys? I mean you've cornered the market, really, in terms of cataloging the cybersecurity companies out there with your book and the platform, which I found just, that's amazing that you've been able to build a solution empire, or you know, you're the king of the vendor hill.
Speaker 1:I love it, and so, okay, well, you know, as we're looking to 2025 and the landscape is always changing, geopolitics, we've got a new administration coming in. We've got, you know, the Biden administration going out. What were some of the big changes in 2024 that are going to really impact the way that we're looking at cybersecurity in 2025 and beyond?
Speaker 2:Yeah, first of all, the economy is driving a lot, right. And in 2023, was it, that Silicon Valley Bank collapsed and was reborn, you know, all in the space of a couple of weeks. That just scared the investors. No, they just stopped everything and the valuations started to fall apart because nobody put in more money at the old valuations. So we're getting past that. I've discovered that investors, VCs, are inordinately impacted by the stock market. They shouldn't be, right? It's like, yes, the exits are generated by IPOs. Those are kind of the pots of gold at the end of the rainbow, and the best exits are IPOs usually. And, yes, they've been totally dried up for the last two and a half, three years. But what really happens is that the investors, you know, they're not always super wealthy. You know, the guys who've been in it for a long time are very wealthy people. But even if you're just a partner for a year or so, you start to accumulate a little wealth, and then what do you do with it?
Speaker 2:You turn it over to a financial advisor and they put it in stocks and bonds, whatever. So when we had a, from 2020, from November of 2023, 2022 to January of 2023, the valuation of cybersecurity companies fell in half. So CrowdStrike, Zscaler, Palo Alto, their valuations just plummeted. And that was all driven by interest rates.
Speaker 1:Right, and by the way, Richard, remember the last show, you said, I think we did like a buy, hold, sell, and you were on the money. You were on the money. Yeah, if people had listened to you on that episode, they may have made a little bit of money. Honestly, I wish I had the fortitude and the insight that I have now in hindsight to do that. But yeah, so I just want to plug you real quick that your analysis was spot on. Cool.
Speaker 2:And don't anybody ever think that I can do that for my own investments, because I can't.
Speaker 2:That's how it goes. Yeah, so anyways, during that time, of course, is when Silicon Valley Bank eventually failed and the investors were like, oh my God, it's like I've lost half of my net worth. I have to become more conservative, right? So I'm not going to invest and I'm going to tell my portcos to stop spending money to extend their runway. That's what we've been going through. Now, mind you, you know, I think everybody learns on their father's knee to buy low and sell high. So if the stock market was low, and obviously what followed on from that was that private companies have lower valuations, now would be the time to be investing, and over the last six months would have been the time to be investing.
Speaker 2:Because everything is low. So invest. Buy now. It's reduced your overall risk, right? Because the need is still there. Luckily, in cybersecurity it's not like, oh my gosh, the cyber criminals are having a bad year, so they're going home.
Speaker 1:It doesn't work that way.
Speaker 2:Right, they're going constantly, yeah, so cybersecurity is worth investing in at any time. You know, pretty safe future, though with one caveat: there is a possibility of the entire industry being impacted by Russia's collapse. But anyways, now's the time to be making those investments, and I think that 2025 will be the year that we get back to the exciting levels of 2021 and 2022.
Speaker 1:And cybersecurity is one of those weird industries where conventional wisdom doesn't really prevail in terms of buying stocks, where you would think that after a cybersecurity event, something happens like the Change Healthcare debacle, right, you think that stock prices would go down, right, but stock prices went up after that, and also, I mean, and this is kind of timely, going into the, I don't want to get too much into the politics of what happened?
Speaker 2:Who owns Change Healthcare?
Speaker 1:Exactly, exactly, and so, yeah, I mean you would think that in this industry that the news, it used to be really predictable, I guess, in other industries. I remember you could watch the news and you can say, all right, this is an adverse event, there's an economic shock that will impact the stock of this company and it will go down or it will go up. But in cybersecurity it's kind of weird. You just kind of have to, like, watch and see what happens. It's almost like if anything happens it's gonna go up, and if anything happens it's gonna go down, and there's no rhyme or reason to it. So how would you advise? I mean, we can look back and say that right now it's a historical low for a lot of stocks and inevitably they will, not inevitably, but most likely they will go up in value. But for the people who are used to the conventional ways of choosing stocks, especially if you're looking at the news to see whether it goes up or down, how are you picking? How are people choosing what to invest in?
Speaker 1:In this space, it seems to me very, like, up in the air. Yeah, and we're in a really stupid transition phase.
Speaker 2:So look at, cybersecurity stocks are growth stocks. It's a market share grab and it's the same as the dot-com boom and it's the same as it's always, always been. This is a growth game. So when we entered the period, as we did two years ago, of oh my gosh, we want profitability, all of the bigger public companies, CrowdStrike, et cetera, decided to demonstrate that they could get to profitability.
Speaker 2:Historically, if a cybersecurity company is starting to show profits, it's over. The growth is over. Now it's just a profit game. So, instead of multiples of 40 or 60 in some cases, all you can expect is multiples of 20 from a growth stock. So get out of that stock as soon as they start reporting profits, or they're making so much profits they're buying their stock back. That's how they're going to compensate investors, is by upping their stock. It's over. So right now, all of a sudden, growth is back and, unfortunately, that means that all these public companies who, if they had been focusing on growth during the recession and getting more customers and growing that revenue at the expense of profitability, they would have grabbed market share away from their competitors. You know, it was contrarian this time around, because it takes a pretty gutsy move to go, no, I'm sorry, we're just going to keep getting customers instead of, you know, satisfying your need for our profitability. Right, right.
Speaker 1:So it's just knowing when to go in, when to come out, but the overall trajectory is going to be up and, depending on the type of investor you are, that might be good, might be bad. Yep. So with that caveat.
Speaker 2:So look what's happening in the world, right? So Syria, Romania, Georgia, all having troubles, all regimes supported, propped up by Russia. They're collapsing. Russia could collapse, right, and the collapse might mean disposing, deposing Putin, a new regime. You know, we all hope that it's a democratic regime and life is good again, but it's most likely just going to be another oligarch, right? They're going to point the finger at Putin for all the evils in the world. They're going to say that Ukraine is all him, not them. So please be nice, and you know, we'll not complain about Ukraine joining NATO or something like that. And as part of that new realm and being nice, they're going to crack down on cybercrime. All the ransomware guys go away fast, I mean like overnight, gone. No more news articles, no more Colonial Pipelines, nothing to get investor interest, because every time there's a new breach, I get calls from investors saying, hey, I heard cybersecurity is hot, yeah. So no more investor interest and no more customer interest, because they're not reading about it in the paper every day.
Speaker 1:Yeah, fear sells. It's going to get really, really hard to sell cybersecurity.
Speaker 2:Yeah, yeah, the need is still there. You're still just as vulnerable as you ever were. You just don't have these helpful ransomware guys showing that you need it.
Speaker 1:Right, right, and this is something, I'm glad you brought that up, this is something that I go back and forth on all the time. I change my mind, I flip-flop, is the fact that fear does sell. We're in the security industry and fear sells, right? There's a reason why Tony Soprano comes to your shop and says, hey, you know what, give me 10 of your profits and we'll protect you from, you know, bad things that might otherwise happen, right. And then that fear, obviously, if you're a mafioso, you're not protecting them from an external threat, you're protecting them from yourself, which is a terrible practice.
Speaker 1:I'm not telling people that you know to do that, or that's what I think should be done, but the fact is fear does sell, right? I was talking to Chad Beckman about this in one of our previous episodes. We recorded it. I don't know if it's going to air before this one, so you know we can look it up. If it's not there, stay tuned.
Speaker 1:This idea of should we use fear to sell cybersecurity, because if I go to a CISO or CTO and I say, hey, look, you guys don't have MFA. If you don't have MFA, here are all the bad things that could happen. And I'm in the minority where I do think that if you're selling cybersecurity, you should expose what could happen. So it's not that I'm selling fear necessarily, but we're talking about security here. If we're talking about securing your house, what's the risk? It's getting broken into and someone tying your family up and taking all your stuff. Right. You can call that fear mongering if I'm trying to sell you a lock, but the fact is that's the truth and I find myself in the minority, which is kind of frustrating. Where do you stand on using fear or at least highlighting the risks, the real risk of not purchasing a cybersecurity service or product.
Speaker 2:Yep, I'm totally on your side. But I come at it from the CISO's perspective, right? So for years and years we've been giving security leaders bad advice.
Speaker 2:So, pre-CISO, right? One, we tell them to patch everything, you know, which is just craziness. But two, we tell them to talk the business language. In other words, adopt the language of the board members. I've sat on a lot of boards and that board language is the language of the CFO. Everybody over the years has adjusted themselves to talk to the baby with the spreadsheet, right, and make sure we use his or her nomenclature, which is weird, right? Internal rate of return and all this stuff. Right, and easy to learn. Pick up a textbook and you got it. Why shouldn't the CFO learn our language? Why don't they learn what TTPs are and what APTs are? And so my advice to CISOs is you step into that boardroom, if you ever get a chance, and you educate everybody about what's actually happening. Don't try and turn it into business terms at all, and never, ever try and turn it into risk. If you say risk, the CFO goes insurance.
Speaker 1:You know that's so funny. You said that Chad and I had the same exact conversation and he's on the opposing view. I wish I could just get you guys in a room and we can have this discussion again. Yeah, I think you're right. I think that there's some measure of the board has to understand exactly what's going on in the cybersecurity world, and maybe it's not fear mongering. What some people would call fear mongering, I would call education.
Speaker 2:Yeah, education is what it's at. You know, even when I go to a security conference, I love the ones where the researchers are getting up on stage and they just dig way deep into some really cool, you know, Mimikatz exploit that they figured out, and you know, you learn from that. You get educated and you understand how easy it is to exploit your system. And that gives you this underlying fear next time you click on a link. Should I click on that? No, right, right. So it really, really, really works. It works for all of us. Why shouldn't it work for these relatively intelligent business people?
Speaker 1:Exactly. I think people divorce the word security from cybersecurity. Yeah, what is security? Security is inherently about your safety, your well-being, and we talk about national security. Do you think that the government says, no, don't tell people that, like, North Korea is a threat? If we tell people that, then, you know, they'll just be too wary of the... Obviously there can be so much fear-mongering that people, you know, you think that you're crying wolf, not thinking to cry wolf, but at the same time we're in the business of security, and so with that, there are risks to the business, and I think that the board should be aware of those risks. Where are they going to hit you and where is it going to hurt? You should make it as visceral as possible, right?
Speaker 2:So the, you know, so the best example I ever saw was at Lockheed Martin. So I go in there to see how they operate, these guys, and this is 14 years ago, and they would track threat actors in their systems and they would label them, give them a name. They didn't care who they were, because ultimately it doesn't matter if it's China or Russia trying to hack you, right? Maybe, but it shouldn't matter, because you just treat it like they're an attacker. And they give them a name and up on the big screens I saw the names. One of them was Cheesy Fingers.
Speaker 2:So the actions are tied to the same group based on time of day, the TTPs that they use, you know, all that stuff. And then they use the Lockheed Martin kill chain as their methodology to track it, and they can show you a chart, which they did, and every week they showed it to the executive staff: these seven different teams working at different times of day are all trying to infiltrate our network all the time, but some of those teams are 24 by 7. We can tell when they shift to the other shift every eight hours, because the people type slower or faster or something. Yeah. If that doesn't scare you and if it doesn't engender the response from the board of how much money do you need? What can you do to help us here? You know, last time they almost got to the Active Directory server. What are you going to do next? Right, it's the only way to sell security internally.
Speaker 1:Yeah, they're at the door, they're at the walls. You know, they've got the Trojan horse prepared.
Speaker 2:Exactly they are. You know they're buying information on the dark web about a server in one of our subsidiaries in Florida, yeah, and you know they're selling it for $180. You can buy root access on that stupid server and because you allowed me to buy threat intelligence, I know that and we fixed it before it was even sold.
Speaker 1:Yeah, even sold. Yeah, I'm glad that Lockheed Martin is taking that approach, because if you look at the alternative to not, if you're saying that you're not going to use fear or I call it you know, we'll call it education and informing the board or the business folks of what's actually happening, then guess what? They're going to ask you why. They're going to say why, Richard, why do I need that? Tell me? Tell me, why do I need that. And if your response is not some measure of you need this because it will impact your bottom line and you may have to answer to your customers, you have to answer to your employees and you may go to jail if you don't do this. I'm sorry, am I crazy? Yeah, I feel like that's the business we're in.
Speaker 2:And once you say that in a board meeting where the minutes are being recorded, you've just created a pretty serious liability. Yeah, that had to be addressed. Yeah, it had to do what you said after that.
Speaker 1:Yeah, I think the scientist type, the technician, engineering type of people are experiencing a measure of PTSD from all the movies where the scientist was saying, hey, the asteroid's going to hit, the asteroid's going to hit, it's going to wipe us out. And then eventually, you know, the asteroid misses us and then the government says, ah, that guy's crying wolf. So I do see that perspective of crying wolf. But hey, man, we're not crying wolf, we're saying that these things are real and it might happen. And if it does happen, it most certainly will impact your bottom line.
Speaker 2:Yep, yeah, if it doesn't happen, you should get a bonus.
Speaker 1:Yes, exactly. If it doesn't happen, we should be rewarded, because cybersecurity leaders are judged on their failures and it's about time that we are judged on our wins, and when something doesn't happen, that's a win. I feel like we're in the twilight zone where we're thinking that we're just going to keep taking the losses and not highlighting where we've won. Now the problem is probably quantifying those wins and proving that something didn't happen. Right, but so hard. But that's a problem that exists in security universally. I mean, look at you. I can convince my neighbor that you're safe because of particular measures that the government has taken in the geopolitical landscape. And we've bought more guns, we've got more nukes, we've got X, Y and Z, and that's why you can enjoy the way of life that you enjoy today for most people. Okay, they may not see it, it may not be tangible, but it's intuitive.
Speaker 1:Right right, yeah.
Speaker 2:And you can take it closer to the. You know, I used to think of all the metaphors about keeping your house safe, right, and the guard dogs and security lights come on and all that. And then I went to South Africa and in South Africa people live in gated communities and the one percenters do, which wouldn't be us if we moved to South Africa, right? So people work in companies, live in gated communities that are surrounded by very, very tall fences and you have to get in through a security guard. Every single house and yard is surrounded by a 10-foot fence with razor wire. Inside the community and inside the house at the top of the stairs they have what they call rape gates. They have barred gates so the bad guys can get in, but they can still television, but not the kids. Wow, that just shows you what people are willing to live with.
Speaker 1:Right yeah.
Speaker 2:So a parent of one of my daughter's classmates and she said, yeah, she lived in Johannesburg. I said, oh man, you know, didn't she have to live in a gated community with barbed wire fences and gates at the top of the stairs? And she goes oh yeah, just normal, just normal. You know there's millions of people who live in Syria and life there is. You know they have accommodated a horrible, horrible situation throughout the world. Yeah, so yeah, I guess I don't know what point I'm making there.
Speaker 1:No, the point is that you need security. And it sounds like those people who are selling the barbed wires and the locks and all that kind of stuff, guess what it's those locals, they understand. You don't have to go to them and make the argument that those things are needed. And so one, one last thing on this topic. I know we're beating this dead horse into oblivion.
Speaker 1:But one thing that Chad said to me and I'm glad that you're here because you're the, I think you're the person that could shed some light on this his main thing that kind of got me a little bit more on their side was that everybody is saying this if one person is fear-mongering and if it works, if one vendor, one company is fear-mongering or, you know, educating, whatever we want to call it, then and they know that it sells, it works, and everybody's going to do it, and then you know, and then we're all crying wolf. So how do we strike this balance between being real? I think I know what my solution is. I'd like to hear yours, and then I'll tell you what my solution is. I.
Speaker 2:I bet I know what yours is, and that is the education side. That's actually what I've been doing in my blogs since 2003. So 21 years is highlighting the events, digging into what caused them, what would have prevented them. My favorite example is right two miles from my home here. The big Lowe's home store was attacked by a couple kids in a car with a Pringles can Wi-Fi antenna, you know, wrapped in aluminum foil, and the FBI had known something was going on. So they deployed 20 agents and one agent on the roof of Lowe's saw the car with the Pringles can and said hey, something strange is going on down there, check these guys out. So they followed that person to his home. One of the people in the car is a good friend of mine who was, I don't know, along for the ride. Somehow he got out of it.
Speaker 2:And so I wrote that whole story up and you know, with my naive he was stealing credit card information from point of sale terminals to sell to the Russian mafia. I remember poo-pooing that whole concept until I got a call from my friend Richard. No, that's Michigan, really happening. There's a whole bunch of Russian mafia here, carders, that do that all the time. Now I know, but I wrote that up and I forget what year it was. But it was two years later that Target got hit with the exact same attack and had to tell people they lost, you know, tens of millions of credit cards because somebody parked in their parking lot with a Pringles can antenna, right. They didn't read my blog. And why didn't
Speaker 2:they read my blog? Because there's nobody there whose job it is to understand the threats. Right there probably is now.
Speaker 1:Yeah, if there's a killer on the loose, I'd like to know. Yeah, yeah, if there's a killer on the loose.
Speaker 2:I'd like to know. Yeah, yeah, I don't want to know, because there's a helicopter with a spotlight running around the neighborhood.
Speaker 1:Right, that's too late, or what's going on.
Speaker 1:Yeah, I want you to tell me ahead of time so I can get the hell out of Dodge, you know. So, yeah, and you're correct, my solution would be to educate more, to be more authentic. I think that just technology sellers across the board, companies across the board, not just even in technology, just across the board we can use, with more authenticity and being real, that when we say that something exists, it exists and honestly get the bad actors out. I think your book highlights something to me, which is we've got too many vendors, we have too many people in this space and the ones that have to resort to crying wolf in order to sell guess what. There's a market correction that needs to happen and those companies need to go.
Speaker 2:Well, I don't agree with that at all. I don't think there's too many vendors, but of course I would say that, since my business is counting all the vendors Mm-hmm, mm-hmm, but and look at, there are 350 of those vendors get acquired every year Almost 10% of the entire market, Mm-hmm so your desire to see fewer is happening.
Speaker 2:Right, they're all getting sucked into Palo Altos and Ciscos of the world. But we also need multiple vendors, because we need vendors of the exact same kind of product in every single region. And that's thanks to Edward Snowden though, in effect, thanks to the NSA spying on everybody and using US technology in order to spy on everybody that in Germany, in France, Italy, they don't trust US technology anymore, so they destroyed that trust that we used to have, so they need their own vendors in their own countries. That's why there are 250 security vendors in Germany and 250 in the UK and coming up on that in France. So we're always going to have that.
Speaker 2:I call it digital mercantilism, where they're supporting, you know, buy local kind of ideas and of course, the US, you know, especially during the Trump administration, but on both sides, Democrat and Republican have vilified Chinese, uh right. So, oh my God, why would you buy from a company that has somebody on the board who is a member of, you know, the B-Men's Club of China, which is the People's Liberation Army? You know, I'm sure you'd find somebody on the board of Cisco who worked at the NSA. The building of that mistrust in technology for technology's sake was a big mistake, because of the backfire, right. Nobody buys from China directly, right? You know Huawei? Yeah, maybe some telecom gear in Europe, and yes, our Lenovo laptops are all Chinese and, of course, our MacBooks are all made in China, but we don't look for Chinese brands in particular. But if you vilify Huawei, it works the other way. People are just like, yeah, well, what about Cisco? Sure, I want Cisco gear now.
Speaker 1:Yeah, I think we can find common ground on that. I think that the localization of vendors and it inevitably splits off and splits and splits and splits you get more. Just the way that you've specialized with IT Harvest, you get higher quality, a better service. That's happening and that's one of the reasons we have so many vendors. All I'm saying is that if you have to lie and you have to make up fears, and you have to like really fear monger and create threats that don't really exist in order to sell your service or product.
Speaker 1:You don't deserve to exist, yeah.
Speaker 2:The market has, yeah, and. But I would like to point out that it's not the little vendors that do that, it's the big vendors.
Speaker 1:Oh snap, OK, I'm not picking a fight with the big boys.
Speaker 2:That's what the job of analyst firms should be, and it should be the job of Gartner analysts? Yes, because they've got air cover. Yes, and unfortunately, I left Gartner and I continued to do it. Yeah, very dangerous for an independent to take on.
Speaker 1:Palo Alto, for instance.
Speaker 2:I just got off an analyst call with you know one of the big vendors and man, I just feel I was getting hot under the collar and it's like because they just pitch all this vaporware at you. You just want to challenge every single thing they say. You can't, they don't control the world that they're in.
Speaker 1:Yeah, yeah, that's a really good point, wow, yeah, well, you know what. You know what? Yeah, I'll have to think about that a lot more, because that's the problem that you solve and, to some extent, that we solve, which is providing more transparency and visibility into the vendor landscape so that people can make better choices about where they put their money, their investments and what they buy.
Speaker 2:All right. One last warning. I got to get it out there. This is a talk I've submitted to RSA. I doubt they'll accept it, but it's why you know it's the platformization versus best of breed. And when you hear a large vendor I'm looking at you, Palo Alto talk about platform, they have to go to their constituency, the stockholders, and explain their massive reason why they're going to grow. They claim it's platformization and then they turn around and convince CISOs that, hey, this is great, you'll buy everything from one vendor, which we all know is a really bad idea. Just don't go there. But I just want to point out that every single security platform vendor has failed. And what is different, now that Palo Alto, Fortinet, Trend Micro is doing differently, that they are not going to fail and end up working for Broadcom.
Speaker 1:Any company.
Speaker 2:Broadcom. Just keep that in mind. Dire company yeah, just out of mind Dire yes, yes, yeah.
Speaker 1:That is a dire warning and I think it's a caution to all of us moving into 2025 and beyond is to be aware, don't be scared and, in some cases, be very afraid, but you know, just be aware of what's going on. All right, Richard, thank you so much for joining us today. Uh, I know you got to run, you've got a company to run and you've got things to do and books to sign, and I look forward to the next time you're on the show. If people want to find you, how can they find you?
Speaker 2:Yeah, just find me on LinkedIn, Richard Stiennon. I accept all requests except from people whose specialty is Web3. So, yeah, we can just be connected. Awesome.
Speaker 1:And if you want to learn more about Bruyning Media and what we do, visit us at bruyning.com. That's B-R-U-Y-N-I-N-G dot com. You can look me up on LinkedIn. Shoot me an email. My email address is josh at bruyning.com. So, Richard, thanks again. Thank you for listening to this episode of Cybernomics, thanks, bye. Thanks, Josh.