Cybernomics: Hidden Costs of Cyber Security

Word on the Street - AI Security’s Rapid Gold Rush with Richard Stiennon

Bruyning Media

Share episode

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 7:29

We reconnect with Richard Stiennon to chart how AI is rewriting cybersecurity, from the rise of 290 AI security vendors to SOC automation, investor momentum, and the criteria that separate true AI players from marketing.

• Explosion of AI security vendors since late 2022
• Criteria for defining AI-first cybersecurity companies
• Investor appetite, valuations, and looming acquisitions
• SOC automation enabling full alert triage
• Governance gains vs operational impact
• Guidance for buyers and founders on proof and outcomes

Yeah, you should definitely get my book


Josh's LinkedIn

Catching Up With Richard Stiennon

SPEAKER_00

Richard Steenan, long time no speak. Haven't heard from you in a little while. And the last time we spoke, we were as we always did. We were looking at what's new in the investment world and with the vendor world and uh what's new with IT Harvest. So let's pick up there, right? Like no time has passed. What's new with IT Harvest? What's going on in the vendor world? And what are you seeing on the street?

Writing An AI Security Book

SPEAKER_01

So all came together when uh my publisher told me that they didn't want to publish Security Your Book 2026. And I had already scheduled a week to write a new version. So I figured I better write something else. And the most timely topic I can think of is writing a book about AI security. And so that's what I decided to do. And uh it's got a title, it's got a cover design, and I went off to northern Michigan and wrote solid for five days, and I'm up to 27,000 words. There are now 290 vendors of cybersecurity AI products.

SPEAKER_00

Last time we spoke, there were probably like what? I mean, this was two months ago, 80. Yeah.

SPEAKER_01

Yeah.

SPEAKER_00

Wow. Yeah.

Defining AI Cybersecurity Vendors

SPEAKER_01

So a lot of that, a lot of that came from the fact that um I saw somebody else's infographic and I asked a couple of AI tools, hey, do a diff between the vendors they have and the vendors I have, and then identified, you know, 115 vendors that I did not have identified. And that was because during the early years of AI security, which is 2023 and the beginning of 2024, I didn't have an AI security subcategory. And you know, when I saw somebody that was, you know, building agents using large language models do pen testing, I said, okay, that's a pen tester. But going back, and which I did, um I spit out all the companies that have been founded since 2022, 512 of them. And I went through every single one of them and rechecked to see their, you know, if they had pivoted into AI. And that's what got the number up, the 290.

SPEAKER_00

So what counts as an AI cybersecurity startup?

SIM Is Dead, Data Lakes Rise

SPEAKER_01

Yeah. Um if they started after November 30th, 2022, and they say AI, then when they found, you know, if they're a young company, then they are definitely already, you know, incorporating large language models and doing what we all now think of as leveraging AI. If they are founded in, you know, 2008 and they're claiming to be AI, then they have to pass a much higher bar, right? Because if they're just doing Bayesian filtering, you know, because they use machine learning, that's not AI as we understand it today.

SPEAKER_00

Are there any new sim-like products out there? Because that seems to me like one of the best applications of AI.

SPEAKER_01

Actually, that what I'm seeing is they're eliminating the SIM altogether. They just shove all the logs into one huge data lake and we'll work with it. So that's not a sim, right? The SIM is supposed to prioritize and dedupe and all the rest of that stuff. Nope, you don't need that anymore. SIM is dead.

SPEAKER_00

So does that mean that AI cybersecurity companies are spawning new subcategories and rewriting what it means even to be a cybersecurity company?

SPEAKER_01

There's a lot to unpack there. Mike Privet said it pretty well. He said it's there is really an AI security industry. And I tend to agree with him. But for now, you know, if you're an investor especially, you're going to look at it kind of separately. Or if you're a CISO and you want to get into using automated solutions, then you would be very interested in this book and the 290 vendors in it. But eventually, you know, all vendors will adopt AI for their solutions.

SPEAKER_00

Interesting.

Investor Momentum And Unicorns

SPEAKER_01

There's some I feel sorry for that just launched and they worked on their, I won't mention names, but like there's a new vulnerability management solution that came out that you know just was doing better vulnerability management without any AI. And that's like not gonna work.

SPEAKER_00

Yeah. Yeah. So what does that mean for investors, do you think?

SOC Automation And 100% Triage

SPEAKER_01

Well, they they like the rest of AI, um, they seem extremely excited by it and are putting pretty big rounds into it, you know, 30 to 75 million dollars for a startup with an idea is it's pretty good. Um the big ones haven't happened yet. There's gonna be some massive investments, some valuations, and massive acquisitions. And one of the guarantee, one of the ones I'm I've talked to already, um, is going to be valued at a billion dollars before the game's over. And it doesn't hasn't taken in a penny of funding yet because it's already getting customers that are paying for the product. SOC Automation is the name of the game. Um, if you think of all the problems that the security teams have doing the daily triage, hoping of to get some alert that tells you that you're under attack, um, and it's buried in thousands, if not hundreds of thousands, of alerts. Uh you just don't have the people or the time to look at every alert and think about it. But uh with AI, you can't. You can you can get to 100% alert triage.

SPEAKER_00

So investors are betting on AI.

unknown

Yep.

SPEAKER_00

All right.

Governance Vs Automation Value

SPEAKER_01

Well anything that automates security processes. So that that flows over into vulnerability management, pen testing. There are more cybersecurity companies that do governance than do SOC automation. Governance was uh one of the early ones, but they won't have as much. Yeah, that they'll be providing value, no question. But this tantalizing concept that you can turn the tide in defensive security by deploying AI is just too big an opportunity to miss.

Closing Thoughts And Book Plug

SPEAKER_00

All right. Well, you've got a really good track record, and people can go back to all the podcasts that we've recorded, your track record, and making these predictions have been pretty good. And I know that your philosophy is that an analyst should say it, stick with it, die on that hill. And if his if if history proves you wrong, okay, whatever. But as it often has, history has proven you right. So I'm gonna take your word for it. Thanks, Richard. Well, it was good to talk to you again. And let's make these conversations a little bit more frequent. You've got my number, I've got your number. Any last words? You want to get something in IT harvest-wise?

SPEAKER_01

Yeah, you should definitely get my book. But more importantly, is think when you see the book, think about how the hell did he do that? He started it the week before Thanksgiving and he published it in the middle of January. How do you write a book that fast? And the answer is I've got all the data in front of me already. I just had to to pull it together into a book. Wow.

SPEAKER_00

Yeah. Well, that's that's a pretty damn good demo of uh what what's going on at uh IT Harvest. So dang, you I saw what you did there. Hit two birds with one stone, double plugged. Yeah. All right, Richard. It was good talking to you. And uh let's catch up soon. Well then.