Capture the CISO S1E2: Lightspin, PlexTrac, and Torq

Welcome to episode two of Capture the CISO, hosted by Johna Till Johnson (@JohnaTillJohnso), CEO, Nemertes.

Our judges are Edward Contreras (@CISOEdwardC), CISO, Frost Bank and Mark Eggleston (@meggleston), CISO, CSC.

Our contestants:

Huge thanks to all our contestants, who are also sponsors of Capture the CISO.

Lightspin

Lightspin’s next-gen cloud security platform, built on the Neo4j graph database, prioritizes risk in cloud and Kubernetes environments, focusing DevSecOps efforts on the critical issues that matter most. Our developer-friendly platform provides plug-and-play remediation in the form of IaC, and scans pre-production code to catch misconfigurations, which are the main cause of breaches. Lightspin proudly focuses on small and medium-sized businesses running workloads in the cloud, offering a free version of the platform including the industry’s only graph-based Attack Path risk prioritization. For an affordable, efficient, and secure cloud experience loved by engineers, learn more at www.lightspin.io.

PlexTrac

A better security posture begins and ends with PlexTrac, the Proactive Cybersecurity Management Platform that streamlines your entire security workflow. Maximize ROI by aggregating findings from all your sources, generating robust analytics, cutting reporting time in half, and assigning and tracking remediation — all in one platform. Facilitate collaboration and communication across offensive engagements, monitor team performance, and analyze your security posture in real-time. PlexTrac makes cybersecurity teams more efficient, effective, and proactive to help them win the right security battles.

Generate better reports. Promote closer collaboration. Enable faster remediation. Gain more insights. PlexTrac is the must-have platform for security teams.

Torq

Torq is a no-code automation platform for security teams. It helps people of any skill level automate workflows to streamline and reinforce security processes, using a drag-and-drop editor and guided configurations. Workflows can be built with templates from our ever-growing library, helping users automate even the most complex processes with ease. The platform readily integrates with any other system out of the box—no special connectors, just limitless integrations. With Torq, teams maximize protection while minimizing complexity, creating a more dynamic and enduring security posture.

Full Transcript

[Vladi Sandler] Graph-based cloud security developed by Cloud engineers for Cloud engineers.

[Nick Popovich] We empower teams to win the right cyber security battles.

[Ivan Leonid Belkind] No-code automation platform for security teams.

[Voiceover] Capture the CISO begins now.

[Johna Till Johnson] Hi, everybody. Welcome to Capture the CISO. I’m your host, Johna Till Johnson, and today we have three contestants – Lightspin, PlexTrac, and Torq. These companies are not direct competitors, but they are being equally judged on three axes – is their solution innovative, does it solve a real need, how easy is it to deploy. Now I’d like to introduce this episode’s CISO judges. First up, we have the CISO for Frost Bank, Eddie Contreras. Eddie, thanks for joining us today.

[Edward Contreras] Great to be here. Thanks for having me.

[Johna Till Johnson] I just want to acknowledge that Eddie has a little bit of a cold, so that’s not how he typically sounds. But he’s motivated and super excited to be with us today. And we also have Mark Eggleston, the enterprise CISO for CSC who does not have a cold but is also excited to be here. Mark, welcome to the show.

[Mark Eggleston] Thank you, Johna. Thank you, Eddie. Great to be here.

[Johna Till Johnson] Our judges have already watched short demos of each company’s product, and they know what the products do. And they’ve come armed with questions. You can also watch the demos of our contestants’ products. Please go to our site, CISOseries.com, and then click the blue “Capture the CISO” button. Before we get started on the contestants though, Eddie and Mark, we have three axes that we’re judging in. I’d like each of you to tell us which of the three you think is the most important and why. We’re weighing all three equivalently, but it just will be interesting to hear which of those three axes are most important to you and why. Again, those are innovation, ease of use, and solving a real problem. Mark?

[Mark Eggleston] Well, I think the second is probably the most important – does it solve a real need. There’s lots of tools out there that are like candy – nice to have. Maybe it’s a little visually appealing, but does it really solve or fix. So, that’s really the number one in my book.

[Edward Contreras] I agree. But I also think innovation is really important as well. A lot of people do things similarly, and so having somebody come in and do it a little bit different kind of gives them the edge.

[Johna Till Johnson] I would have to say I go for the third one, which is ease of use. I heard a really interesting comment on LinkedIn the other day where essentially the number of curses while implementing the product is directly proportional to the efficacy of the security product. The reason is because if you’re cursing that means you’re actually implementing it as opposed to having it become shelfware because it’s so difficult to deploy. So, that stuck with me because I thought, you know, that is a huge problem with security products is they’re too difficult to deploy, so you can’t get the most use out of them.

[Mark Eggleston] Yeah, I’m struggling with the ease of deployment, too. When I’m asked what are the criteria you evaluate, it’s really these top three I would say the most important. I’m glad to see price isn’t necessarily one of the top ones out there as well.

[Johna Till Johnson] This is our second episode, and I just want to echo my sentiments from the previous episode. I really want to give huge kudos to our contestants for sponsoring this new show. We’re super excited to be rolling out the new format, which would not have been possible without their support.

Lightspin

3:14

[Vladi Sandler] We created Lightspin when we tried to solve our own problems of cloud security posture management. We just tried to understand how better we can handle the implementation, the configuration in our Cloud. We discovered there is no solution that can do it in an efficient and simple way.

[Johna Till Johnson] Our first contestant is Vladi Sandler, who’s the CEO of Lightspin. Vladi, welcome.

[Vladi Sandler] Thank you for inviting me.

[Johna Till Johnson] First question I have for you is maybe the easiest one or maybe not. Can you give us a quick 30-second explanation of what Lightspin does?

[Vladi Sandler] I think the main unique value propositions are click to prioritize, click to remediate. Lightspin is a contextual based Cloud security platform that uses graph algorithms to highlight only your Cloud environment’s critical pattern issues. At Lightspin, we actually believe in an offensive approach. The “attacker’s perspective” approach is helping to reduce the noise often generated by security platforms to present only the critical risks and also help you to remediate them using our own technology developed for you – the infrastructure as code – to eliminate it.

[Johna Till Johnson] So, essentially the elevator pitch is we tell you what the threats are and tell you how to remediate them, single click both times.

[Vladi Sandler] It’s actually to show you what that hacker can do. It’s how to prioritize it, helping you to give the focus using our technology we developed based on graph algorithms to calculate for you the shortest path to the damage.

[Johna Till Johnson] So, Eddie, you were talking about innovation being kind of one of the key factors. Do you have questions for Vladi on this?

[Edward Contreras] I do, and I enjoyed the video. I went through the 30 seconds, and I wanted more. Because I have a lot of questions. So, maybe my first question, Vladi, is do you see your product as a disruptor product, or are you more of an enhancement and an expansion to my existing stack? I’m curious, because my stack is well defined. Where do we put your product?

[Vladi Sandler] I think we’re both because from one side I’m one holistic solution. I mentioned it before, the click to prioritize, click to remediate any kind of risk in your Cloud environment. [Inaudible] one platform [Inaudible] from your infrastructure service to Kubernetes [Inaudible] one holistic solution. Having said that, in so that it is my responsibility to give you this coverage. Also, my responsibility to help you with your current stack. So, I’m going to integrate your current security stack and help you to prioritize the feed to my graph solutions as well and put them on the graph as data enrichment to the attack point. We are even proud to in some cases we are running in an environment with some of our competitors. We integrate to part of them and help them with specific models, specific features to help to prioritize and give them a focused [Inaudible 00:06:43] when I give the second advanced part.

[Mark Eggleston] So, like Eddie, I was attracted to the GUI. I thought it was pretty slick. But a couple things kind of caught my eye, so I’m going to ask a couple more targeted questions. I saw that you had a section in there called identity risk, and identity is a very big principle of zero trust. It’s getting a lot more attention from a lot of organizations. So, tell me a little bit more about how you’re assessing identity risk and how that folds into your product.

[Vladi Sandler] We have the perimeter. It can be zero trust solution integration with Okta whenever. But the real question is what happens next – the machine to machine relationship. And the machine to machine relationship, it has a layer called identity – the permissions. So, this specific sector you mentioned before analyzed specifically the identity or relationship permission between your different assets in your Cloud environment and maps the problems. Again, the most important thing is not to look at it as a singular point but how this point leads to another point, leads to damage. And that is what the attack pattern algorithm can actually do, but it’s calculated the path based on this weight as part of the assumptions.

[Mark Eggleston] I hear it’s part of the threat modeling. It’s looking at identity risk. But what kind of…? Do you have an example of an identity risk? I’m just curious.

[Vladi Sandler] Yeah, sure. So, it can be from the most simple thing I have full permissions to your S3 buckets. S3 [Inaudible 00:08:53] So, it’s an identity problem. But realistically for a moment if you look at it as a singular finding, it’s not too big an issue. The question is who can use this permission, what can be done. Other options can be our ability to run instances in your environment which can lead to privilege escalation and persistency.

[Edward Contreras] One of the phrases I hear especially in this area is perceived risk versus actual risk. The use case of Java comes to mind. Not all Java risk is the same. And so a lot of time the triage happens within my team when they come back and say, “Well, it didn’t really… Yes, it scored high. But when we actually triaged it, it didn’t actually end up being the risk that we thought it was.” And so that leaves a bad taste in the mouth of my developers. How do you solve that problem?

[Vladi Sandler] Two things should be done. At some point, customers a lot of times start using our asset management and also tagging some sensitive assets. And based on those sensitive assets, the algorithm will calculate again the attacks. Second point is, I mentioned before, enrichment. What do I mean by enrichment? The minimum I need to do to do my magic is to get access to your metadata. So, I can build for you a server exposed to the internet with over permissive roles, and you can say, “Yeah, but how can you access the server?” Because it has a threat intelligence engine, it can show you fingerprint for the [Inaudible 00:10:48] There is an open SSH. Let’s assume with the authentication by PVE Or you can activate our agentless snapshot to give you all the [Inaudible 00:10:59] Log4J exploitable on the server. Plus integration to OpSec will give you the ability to understand, “Okay, we found out the applications running from servers also have an SQL injection or SSRF. Also there is metadata version one. Also the server has flux permission. So, now you don’t get one layer. You get multi-layer correlated with the context to give you a contextual approach tailor made to your environment. So, what we succeed to do is to calculate a weight based algorithm that calculates for you tailor made risk to your enterprise, to your organization as a CISO. There’s the big advantage that we bring to the market.

PlexTrac

9:44

[Nick Popovich] We came up with the PlexTrac platform when our founder, Dan DeCloss, was in the trenches performing web application security assessments and tests. He became frustrated finding the same vulnerabilities year after year on different penetration tests. He decided to create a platform that would allow him to collaborate, organize, triage, and report on the output from security assessment and testing.

[Johna Till Johnson] That was Nick Popovich, hacker in residence at PlexTrac. Thanks for joining us, Nick.

[Nick Popovich] Thank you for having me.

[Johna Till Johnson] Nick, go ahead and give us your 30-second pitch about PlexTrac.

[Nick Popovich] The PlexTrac platform is a system wherein organizations can report on, manage, and collaborate with the data and artifacts from security assessment and testing activity. Further, PlexTrac affords insight, oversight, and accountability relating to assets and vulnerabilities.

[Johna Till Johnson] So, that insight, oversight, etc., means you can see who screwed up and where if something happens.

[Nick Popovich] Yeah, the idea is to be able to afford that insight via tagging and assigning ownership of assets and vulnerabilities beyond just showing that there are vulnerabilities.

[Johna Till Johnson] Got it. So, this is a vulnerability. Johna, you fix it.

[Nick Popovich] Assuming that the organization has taken the effort to assign assets to owners and those types of… But yes.

[Johna Till Johnson] Which of course is a vulnerability by itself. Okay. Well, Eddie and Mark, I know you have watched the videos, so you know a lot more about PlexTrac’s solution. Eddie, why don’t you go ahead and ask Nick some questions.

[Edward Contreras] Yeah, Nick. So, this is such a bloated area because so many companies are focusing on asset management. How do you enter this market space where I don’t see agent growth on the endpoint, but I see value growth? How do you get into that market space?

[Nick Popovich] The idea is that the PlexTrac platform is meant to become that single pane of glass. So, we’re not going to be the single source of truth for an organization’s asset management or vulnerability paradigms. What we’re going to do is we’re going to curate and engage with that data, and create the ability to view with, collaborate, and interact with the data. We’re not going to say we’re the asset management solution, but we’re going to leverage the data from asset management, or we’re going to leverage the data that’s provided, put in via API feeds, tool ingestion, etc. The main function of the platform is to allow that working with the data and collaborating with the data, so it’s less of being a vulnerability management solution and more of being that overlay so that you can have insight and oversight of the data provided by other solutions.

[Mark Eggleston] Yeah, I actually had the same sentiments as Eddie. This is a rather crowded space. Vulnerability management tools have been out for literally probably decades at this point, and there’s usually a top three that do it really well. So, there’s other vendors such as Kenna, and that was the kind of reaction I had when I saw your tool. You’re a metadata aggregator, but you allow people to come in and collaborate on the data [Inaudible 00:14:40] It seems like there’s a lot of those tools out there, and there’s a lot of tool presence for vulnerability management. So, what do you say to folks that are kind of scratching their head and saying, “How does this really work? How does this really fit for me?”

[Nick Popovich] It’s funny that you mention that. To me when I hear… And I agree. My background… And the reason that I’m a hacker in residence at PlexTrac is my background has been since 2009 as a penetration tester and red teamer. When you have bloat of tools, it seems like none of them are solving the problem completely. And so when you look at a lot of vulnerability management solutions, some of them are birthed out of very opinionated needs of practitioners that built a tool or built a toolset based on their unique either methodologies or paradigms. And so we’re really not in the space to try and compete with vulnerability management platforms. We’re not in the space to compete with those tools that you’re mentioning. Our focus is to be able to take the workflows that organizations have already invested in, their methodologies, their tooling, their feeds, the things that they’re already invested spend, and time, and training, and we’re trying to enhance that so that we can come in and provide… Because we all have dashboard overload. We have a steaming pile of report overload.

[Mark Eggleston] Something like that.

[Nick Popovich] [Laughs] So, the idea is this solution is really meant to enhance the current spend and the methodologies, and it is focused on taking the output from typical penetration testing, vulnerability assessment, red teaming, purple teaming activity. Although customers have found novel and new ways to utilize it in blue teaming and incident response activities as well. That’s kind of… I don’t consider myself and PlexTrac doesn’t consider itself in competition with those toolsets that you’ve spoken of. We’re really just supposed to enhance where those…maybe folks are already using those. But the collaboration aspects and the aspect of being able to interact with the methodology that they’re already using was really where we shine.

[Edward Contreras] When you see these videos, a lot of times there’s an expectation that a company has to be at a certain maturity level. And so when you see the product working well, when you see the value coming back, the expectation is the company has a lot of things in place. So, when it looks at… When I look at your company and we say, “Okay, do we have to have a 100% inventoried asset environment? Do we have to have asset owners defined? Do we have to be consistent on our risk ratings across the board to get the value that you bring? Or do you help us get there…?” I’m curious what your level of expectations are of my company.

[Nick Popovich] The reality is PlexTrac comes in at any maturity level and absolutely can be used to help you get there, and enhance your security posture, and enhance your ability to have oversight of your own environment. Certainly organizations that have a well defined vulnerability management paradigm are going to execute and have their own methodologies. However, the platform can be used to help build those methodologies and assist you to get there. So, really PlexTrac can be used to enhance you if you are a brand new organization that needs to define vulnerability management and how to deal with findings of vulnerabilities from the output of the litany of security assessments and tests that I’m sure that you undergo. Whether it be regulatory requirement audits, pen tests, red team activity, if you’re building an internal red team. So, it really doesn’t matter. PlexTrac can be used for the school district or for the Fortune 50 company. And plug into whichever methodology. Because, again, we’re not here to define you have to do things the PlexTrac way. We’re here to give you oversight and that single pane of glass into your existing stack and methodology and how you do business. With that collaborative aspect of being able to work with the vulnerabilities, and findings, etc.

Torq

16:27

[Ivan Leonid Belkind] We came up with Torq when we realized how revolutionary the no code approach was for so many industries and how underserved security professionals are in this field.

[Johna Till Johnson] That was Leonid Belkind, cofounder and CTO at Torq. Leonid, thank you so much for joining us.

[Ivan Leonid Belkind] Thank you for having me.

[Johna Till Johnson] So, you know how this goes. We’d like to ask you for a 30-second explanation of what Torq does.

[Ivan Leonid Belkind] When you manage an information security program at an enterprise, it inherently means that you have to deal with a lot of incoming events. I’m not only talking about the traditional world of incident response, reacting to detection systems. I’m talking about vulnerability reports, Cloud security posture findings, threat intel feeds, many, many more things. Each and every one of them requiring follow up action items from some security practitioners. In many cases even whole processes that may cross the boundary of our security teams and connect to developers, dev ops, IT people, and more. As we become more digital, variety and intensity of these increases, what do we do? How do we deal with it? Trying to apply traditional automation tools…and we all know that such exist…is usually quite costly – requires engineering talent, and it impacts on this having a really slow velocity, a lot of time and costs, not too many automations. At Torq, we try to change that paradigm by offering every security professional visual, no code automation through which they can express their processes. Any process within minutes.

[Johna Till Johnson] Mark, I know you have questions from your expression. Do you want to go ahead and take the first stab?

[Mark Eggleston] So, my first reaction when I saw the video is wow, this is great because we’re having staffing issues in security. It’s always hard to find great staff or talented staff. So, anything that’s going to help that team out, security orchestration is great. How is this different than say some of the existing tools that I have a large footprint out there such as Recorded Future?

[Ivan Leonid Belkind] Recorded Future, first of all, we are proud to be partnering with them and delivering joint solutions, is a solution targeting very specific threat intelligence use cases. Whereas we are talking about taking any security process, be it your app sec people, or your GRC people the moment they come and tell you, “You know, Mark, I noticed that three times this week I had to do action one,” like open a UI and look something up, then take something from it and go to action two, and then take something and do action three. This is enough to say, “Oh, you’ve identified a repetitive security process, and this is the reason to automate it.” And again, it doesn’t have to deal just with threat intel. It could be any process, saving time, increasing consistency. That’s what we do. Workflow automation for security processes.

[Mark Eggleston] I’m hearing your solution is probably a little bit more broad.

[Ivan Leonid Belkind] Definitely. We address various security use cases.

[Johna Till Johnson] It sounds almost like a ServiceNow for security if that’s a fair statement. ServiceNow does a lot more, but the workflow component.

[Ivan Leonid Belkind] If you take the automation component, indeed ServiceNow was born for the ITSM world whereas we built a purposeful solution for security automation. But indeed there are commonalities in the approach.

[Edward Contreras] It sounds like the team that I would put this in front of would be my Splunk experts. Splunk is a unique talent. They do a lot of these automation alerts. They know the code. Do they have to relearn that? Are you looking to replace Splunk and save me money, or are you looking to simplify Splunk and get my Splunk people working on different things? How should I look at that?

[Ivan Leonid Belkind] That kind of depends on your own architecture. We are actively engaged with organizations that for whatever reasons not related to Torq decided to change their security events data structure. And instead of using a monolithic SIEM, whatever brand it would be, to take the more generic Data Lake approach, collect more data, and so on. All right? In this world, we probably replace the compute part where we can now define triggers, act upon this data, ensure a full life cycle. Other companies still remain with their traditional SIEM architecture as the center of the data flow, and the challenge there is who takes over. So, we brought it to the point where we have fished for the relevant information, within a really actionable alert, what happens now. So, in these companies, we are responsible for answering that question. Both work equally well.

[Mark Eggleston] When you’re talking about this solution and rolling it out, is this one of those products that you need to have pretty good documented process in order for your tool to make it better, or can you be an immature shop, and this helps you get your processes documented? Which one is your product geared towards?

[Ivan Leonid Belkind] The answer is that one size doesn’t fit all. Huge surprise. And I can tell you that at any operational maturity level of your sec ops program, you will find people who do repetitive processes. Sometimes these are very complex and very well documented, which probably hints at high maturity. In other cases they are tribal knowledge. People do them and so on. In both cases the fact that the tool is giving these very people, the ones that were just doing the process manually a second ago and not somebody else, and not a developer dedicated architect to express their workflow, that’s where the real change is. Probably for traditional automation that needs engineers, you’d be right. I’d need mature, well defined, ironed out processes. Not for this. It’s all very iterative. Start your process with just do A, do B. Not a big challenge and see it evolve into AB. Then if something happens, C. Something other, D, etc. As you learn.

[Johna Till Johnson] Eddie, any parting questions here for Leonid?

[Edward Contreras] Yeah, just curious – do you track the cost that is saved based on the level of effort of people putting more into your product than other areas? Are you saving me two hours for investigation, 20%? Are you helping me save money in that manner?

[Ivan Leonid Belkind] Absolutely. We do collect a lot of telemetry. However, we are not fresh, if you will, enough to come and tell you how many hours or how many dollars I saved you. We help you by completely deterministic data – what operations we did for you, how many events were triggered, out of them how many required interaction, how many were resolved automatically, and so on. We’ll give this data and help you build the equation that will lead to your KPI – time, money, headcounts, whatever it is. But it is, as you can probably imagine, different for any organization. That’s why we do it this way – very collaboratively with cyber security program owners.

What do our CISOs think?

23:03

[Johna Till Johnson] All right, well, Eddie and Mark, all the contestants have dropped off, so we can now begin deliberations. I just want to remind you again that we have three variables – innovation, need for the product, and ease of use. What I’d like to do is go through company by company, and I’d like your general thoughts without giving the scores. Eddie, what are your thoughts about Lightspin against the three axes we talked about?

[Edward Contreras] When I look at the criteria, innovation comes to mind. Those were the areas that I think if I was to bring that company into my security stack, they would help me be innovative on my digital channel. We’re really an agile shop to be building things for our customers, and it feels like they have innovation capabilities that would allow us to be innovative ourselves. So, for me, they were really creeping toward that innovation area. And my digital space would be where I’d see the most benefit.

[Mark Eggleston] I thought it was quite innovative. I like the SMB focus. A lot of tools don’t seem to target that area. Then giving you the freeware version to start off with, the multi-Cloud options, the ability to do asset management. I really liked the attack path risk prioritization because that kind of gives you that listing of your true vulnerability over the existing risk. So, I think it was helpful.

[Johna Till Johnson] And what about PlexTrac stacking up against those three variables?

[Mark Eggleston] Sure. Well, as you heard in my question, I thought it was similar to Kenna, but I heard otherwise from his explanation. So, I think giving the experience of having a place where people can collaborate on the risks such as like Log4Shell, that would be very interesting to pull in other teams and have them really pick apart the vulnerability and come up with a statement. So, I could see those type of things being very helpful when we get these top priority through the CVE risk, and we really need an urgent response – something we can get back to our customers. So, I could see it becoming very helpful in a situation like that.

[Johna Till Johnson] And how do you see it against those three axes?

[Mark Eggleston] I do think it solves a real need. There’s some existing vulnerability management tools that just don’t give you what PlexTrac is able to give you. I think the other piece about having more efficiency, more effective proactive ways to solve some of those issues I think is very helpful as well.

[Edward Contreras] I kept on getting towards ease of use. This is such a big market space, and they’re really telling me that they can make my vulnerability program a little bit easier and a little bit more user friendly. So, I felt like the value add there would be that I could ingest some of my current platform and program efforts and use this as a better storytelling mechanism or maybe even a better delivery mechanism. So, ease of use was kind of where I felt they were playing a bigger space for me.

[Johna Till Johnson] What about Torq, again, against those three axes?

[Mark Eggleston] Yeah, as I was noting my question to them with staffing issues being where they are, any kind of more maturation of our security orchestration automated response tools I think is head on. And going beyond the simple like phishing scenario. He described their product as being a little bit broader than that, so I could really appreciate that. We’ve had great success with phishing automation response. So, if I could take something like Torq and then expand that into other areas and save my staff some time, that sounds really good. So, I do think it’s innovative, and it does solve a real need there.

[Johna Till Johnson] Yeah, and I went way beyond phishing to compliance issues and auditing issues because basically the gist is anything slightly security related that needs to be automated can be automated quickly. That was kind of my takeaway.

[Edward Contreras] I was looking at them very similarly. They’re solving for a gap. We have a lot of manual processes when it comes to compliance reports, security reports. And taking that and being able to automate, it seems to me that I can save time within my program where my team may not have to spend 20 hours on a report that should take them 10 minutes to produce. So, for me it seems like it’s a gap around hours saved that I would put them there.

[Johna Till Johnson] Yeah, and I also think one of the questions that was asked, does this work even if you don’t have good, well-documented processes, I love that the answer is absolutely, you just… It’s a no-code answer that says, “In future, do this.” What do you…if anything, what do each of you…and I’ll start with you, Mark… What did you like, and what do you think held any of the companies back?

[Mark Eggleston] Well, they all had a very cloud-based deployment model up very soon, which you’re seeing a lot of products do the last several years actually. So, I really liked that they were agile to roll out and immediately start adding value to teams. I am curious to learn more about the engineering skillset required. I think some comments were made about it’s enough to use that you don’t really need a lot of those engineering skillsets, but I think I’d love to dive in there a little bit more and really assess that for myself when I have more time.

[Johna Till Johnson] And, Eddie, on any of the companies, and what do you think held them back?

[Edward Contreras] I really liked the dialogue. What I left wanting more information on was some of the underlying things that I’d probably put some of my managers on to get some of the specifics. I think conceptually that they hit the mark. But I know the devil is in the details. I understand not every environment is the same. And so deployment would be another criterion that would help me make that final decision, and I don’t think I got to that answer in this series where I could say this could be in my production environment in ten minutes versus ten months. I didn’t get that answer, but I think that’s one of those things where you do need a follow-up conversation to get to that point.

[Johna Till Johnson] Absolutely, and that’s what this series is really designed to elicit – to help people focus their efforts if they’re intrigued and want to learn more.

Final Scores

29:36

[Johna Till Johnson] Okay, CISOs, it’s time to give us your scores. As a reminder, these are the total scores across all three variables. Mark, let’s start with you.

[Mark Eggleston] With PlexTrac, I thought being innovative, and solving a real need, and ease of development, I would give it a 20 out of 30. For Torq, I thought this one was really, really interesting with the SOAR piece, so I would give this a 27 out of 30. Lightspin, from what I’ve seen of it and where my environment is, I’m giving this one more of a 20 across the board.

[Johna Till Johnson] And Eddie?

[Edward Contreras] I had the exact same score on PlexTrac, which was 20. And the criteria that I used was if I had one project that I had to deliver in 2022, where would I put my money. That’s how I started my scoring. PlexTrac was kind of the same score area. And for Torq, it actually came in at 17 because it seems more concentrated to my program as opposed to bringing a benefit to the overall business. So, I think it would bring tremendous benefit to my business…or to my program but not to the business. And Lightspin actually was my lowest scoring when I started, and then it ended up being my highest scoring. I gave them a 24 because I felt if I had one project to deliver and I can partner with my digital channel, it seemed like the developer group would get the most benefit from this area and help me solve for a problem that’s existing. So, Lightspin came out on top for me at 24.

[Johna Till Johnson] That means PlexTrac has a score of 40. Lightspin has a score of 44. And Torq also has a score of 44, which means Torq and Lightspin are tied for winning, which means both of them will be appearing on our grand finale. Lightspin and Torq are not here, and they won’t hear this result until the episode airs. But they will both be joining us on June 17th for our live finale, which you can go ahead and register for now by going to CISOseries.com and clicking the blue “Capture the CISO” logo. Huge thanks to our judges – Eddie Contreras from Frost Bank and Mark Eggleston from CSC. Also major thanks to our contestants – Vladi Sandler, the CEO of Lightspin, Nick Popovich, hacker in residence over at PlexTrac, and Leonid Belkind, cofounder and CTO at Torq. Check out the demos for next week’s contestants – Farut [Phonetic 00:32:51], Perception Point, and Sunday Security. Then tune in next week to hear them compete for a chance to join Lightspin, Torq, and Votiro to see who will win Capture the CISO.

[Voiceover] That wraps up another episode of Capture the CISO. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, Virtual Meetup, and Cyber Security Headlines, Week in Review. All contestants of the show are sponsors of the podcast. If you’d like to sponsor and be a contestant, contact David Spark directly at David@CISOseries.com. Thank you for listening to Capture the CISO.