Gartner Created Product Categories

Do We Need New Categories of Security Products?

Do we really need more categories of security products? Every new Gartner magic quadrant complicates the marketplace but at the same time helps us understand the other vectors we need to protect. Do new categories of security products help or hurt the industry?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Our guest is Corey Elinburg (@celinburg), CISO, CommonSpirit Health.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor Egress

Egress helps organizations stop email security risks by addressing both inbound and outbound threats together. We recognize that people get hacked, make mistakes, and break the rules. Egress’s Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss. Learn more at

Full transcript

[David Spark] Do we really need more categories of cybersecurity products? Every new Gartner Magic Quadrant complicates the marketplace but at the same time helps us to understand the other vectors we need to protect. Do new categories of security products help or hurt the industry?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series. And joining me for this very episode, you’ve heard him before, and I hate to break it to you, you’re going to hear him again. His name is Steve Zalewski. Steve, say hello to the nice audience.

[Steve Zalewski] Hello, nice audience.

[David Spark] That is Steve. You’re going to hear a lot more of his voice later in the show. Our sponsor for today’s episode is Egress – integrated cloud email security that prevents human-activated risk. They will deal with those emails that get through your regular defenses, those advanced phishing attacks. Egress – more about that later in the show. But first, Steve, I want to talk about today’s topic, and this is a really good one. And this, I will just say from the quotes, there’s a lot of division on this topic. All right? Let me bring it up. It was Caleb Sima who’s the CSO over at Robinhood, and he said on LinkedIn, “Why do we insist on creating a new Gartner quadrant for every single unique angle or take on a security solution? I consider myself fairly up to date on the market, but I can’t keep up anymore. This helps only vendors and not security practitioners. It’s overcomplicating a space that needs more simplification. Please stop.”

Now, I second this feeling and remember talking to a vendor at RSA who was excited that Gartner was creating a new category for them. To which I responded, “But now everyone needs a new line item in their budget.” So you don’t want to be a new line item. And after she described her product to me, I said, “Isn’t it just this?” mentioning another category. To which her eyes lit up and she agreed. So, we have categories of products today that didn’t exist five years ago. I don’t know of any other industry that behaves like this. It’s quite maddening. And I don’t know if it actually helps vendors. I think it might just actually hurt them, given that they need to be a new line item in a budget. Now, Steve, what do you think? I want sort of a general, and I don’t want to hear, “It depends,” because I know you’re going to say, “It depends,” is it helping us or hurting us?

[Steve Zalewski] At this point if I had to pick, it’s hurting us, definitely hurting us, and with 3,000 products vendors are out there pitching…

[David Spark] Could be a lot more.

[Steve Zalewski] It could be a lot more, could be a lot less.

[David Spark] Well, there’d be a lot of people out of work too for that matter.

[Steve Zalewski] [Laughter] Which is leading us up to why this is such a meaty topic today because the dimensions of this simple perspective are much deeper than it would otherwise lend you to believe.

[David Spark] Well, to help us in this very discussion that we’re about to have on this, which is a hot topic, I know, very excited to have a brand-new guest onboard. It is the CISO for CommonSpirit Health, Corey Elinburg. Corey, thank you so much for joining us today.

[Corey Elinburg] Well, thank you David for the invite, and Steve, I’m looking forward to talking with you about this.

Why is this relevant?


[David Spark] Neal Hartsell of Mile1 Marketing said, “The fact that there are prior market constructs suggests that there will always be new constructs. To say otherwise means that one somehow adheres strictly to the prior set, which is a function of what we knew about data ingest, analysis, and output representation at the time. It’s merely evolution. Don’t blame marketers for trying to participate.” A very good argument. And Ian Tibble of Seven Stones Infosec said, “I’ve been on projects where new acronyms were invented on a daily basis. It’s insecurity that drives it. With vendors, a new acronym helps to convince the uninitiated that their solution is a new solution, and not what it really is – a mix of old stuff.” So, two very divergent thoughts here. I believe both Neal and Ian make very good arguments here. What’s your thought, Steve?

[Steve Zalewski] So, it’s what I started with. If you have 3,000 vendors for 3,000 products, in essence, to what Caleb said, it’s way beyond anything I can understand. I can’t hear 3,000 of anything. So therefore I need to find a way to bucket them. And because we say that – what bucket do you fit in because we need to try to make it a more tractable problem, therein lies the rub. Because for every new vendor who’s coming out, and I work with many of them as an advisor, their point being is, “Steve, I have to be in a bucket.”

[David Spark] That is true. You got to be in a bucket.

[Steve Zalewski] You have to be in a bucket for any CISO to be able to try to figure out what you do because you can’t all be unique. And so I would say that’s kind of the yin and the yang of the problem, and then they all want to be unique, so therefore they want to be able to create a new bucket.

[David Spark] Which we will get more to that coming up. Corey?

[Corey Elinburg] I was just going to add in by saying I think one of the other things is the tension between being a niche player and being a platform player. It’s a rarity to see a new platform player come into the cybersecurity market, but all of the new entries seem to be niche players. And that makes it very difficult, as you were mentioning, Steve, for a CISO to lend enough attention there. And a CISO has much more to deal with on a daily basis than just keeping up with the various products in the markets and how they match to their threats. They’ve got people to deal with, they’ve got risk issues to deal with, they’ve got budget issues to deal with, and they better make sure they understand their business. And I would submit even if you had a brilliant cybersecurity architect, chief technical architect, you would still struggle to keep up. So, it makes me question whether or not the new entries in the market should be marketing themselves exclusively to CISOs, who in large companies may not even want to take a risk on a small company, or do they market themselves to some smaller companies and to the platform players.

How are the vendors handling this?


[David Spark] Adrian Sanabria of Valence Security said, “Naming a technology makes communication easier. Where all this falls apart is when marketing is given the job of differentiating the product in their messaging. Often, they differentiate by creating a new acronym or a category, whether it’s justified or not. That’s where everything explodes. Everyone wants to be in a bucket of one.” Steve, he’s speaking your language here, and he continues on here, “So they can claim to have no competition, to be unchallenged.” And Dick Wilkinson of Proof Labs said, “Yes, sales are driven by newness or differentiation from other products, and so vendors literally make up imaginary trends and then try to corner the market on the trend with a rebranded version of the same old tool, and they add a couple acronyms and abbreviations to make it sound cutting edge. It’s all BS.” All right. So, Adrian and Dick bring up some interesting points, and honestly, think about what the CISOs say to vendors. They say to vendors, “Hey, how are you differentiating from the competition? What are you doing different?” So, I can see where the pressure comes from. So Corey, how do you explain all of this?

[Corey Elinburg] I think part of it is, as Steve is mentioning, lack of focus, and sometimes not just on the vendor’s part but even on the CISO’s part in terms of what the problem is. We’re always searching for that new one feature that drives the newness we were talking about. But then we could ask the question, “Do you really have your inventory management under control? Or are you looking for another feature in this product to compensate for the fact that you don’t have your inventory management under control?” And so I think it’s a combination of looking for a newness of one little shiny object to differentiate me, and then on the other hand I think it’s a lack of really focusing on the core problems and looking for patches in 15 products to solve a core problem that we’ve not been able to address.

[David Spark] Steve, Corey brings up an excellent point is that there seems like a lot of sort of chipping away at smaller things rather than getting in deep, and this is what I think a lot of the vendors may be doing. And just having that one magical little chip may be the trigger that gets them to buy.

[Steve Zalewski] So, we’ve talked about this. Let’s use an analogy which is let’s sell shoes for a minute because I think this is a good one. Because look, over 200 years, we’ve introduced thousands of styles of shoes, but only a few different types of shoes – sneakers, loafers, high heels. You can kind of go through that. That’s the way I look at security which is there are a certain number of unique capabilities that we all understand, like shoes. I think at 3,000 types of shoes, okay, what we’re leaving with is, “Hey, I sell sneakers. That’s not good enough. I sell sneakers with gold loops. I sell sneakers you can put five different types of laces in it.” That’s I think where we’re running into the challenge and now, we’re all just being overwhelmed because what they’re articulating as uniqueness might be interesting but it’s not important.

[Corey Elinburg] And Steve, could we be solving the wrong problem sometimes too? If you go to the floor on RSA, you’ll see that there’s a million vendors for endpoint protection, next gen endpoint protection, EDR, etc., etc. And then you go home and do a quick Google search and you can find the 10 ways to bypass EDR. Maybe the real problem is that we just keep delivering data to our endpoints when we shouldn’t, right?

[Steve Zalewski] Well, there is that. I mean, there’s the real problem that we’re getting at which was too many vendors doing too few things. But when you look at the whole conversation for today was, look, the analysts play a role in the security village to try to be able to give us their value around differentiation. And there are just too many companies doing too few unique things, and that’s what we were getting at now. So, the differentiation is not at the company level, it’s not at the product level, it might be at the feature level, and it can be as low as the function level, and they’re building product around that, and it just doesn’t make sense. And so that’s why I was really excited about this conversation is you look at the Gartners of the world or the analysts and they’re trying to make sense of everybody that’s coming at them with capability.

[David Spark] Which, by the way, you look at the analysts, they can’t keep up with this either and that’s their full-time job. Right? So, if that’s your full-time job, what can you expect from the CISO where this is a portion of their job.

[Steve Zalewski] And what’s the responsibility for the analysts that are trying to synthesize all this and create categories to give everybody their space? As opposed to them to be able to say, “There isn’t any new categories. We’re going to mash you into existing categories.” And so there’s a dissatisfaction.

[David Spark] Well, that goes back to the very first quote from Neal Hartsell and it goes, “This is just an evolution of products.” And he makes a really good argument. You can’t assume that the same marketplace from 10 years ago is going to be the marketplace for today. So I think there’s a weird balance we’re running into.

[Corey Elinburg] Yeah, isn’t that the struggle is can I wait on my platform vendor to evolve or do I need something to help me bridge the gap for that feature.

[David Spark] Good point. Very good point. Because ultimately the platform vendor would like to be your answer to every problem you have, but they won’t take the money or time to innovate themselves. They’re going to wait till what you were saying, the point solutions, which when succeed, then they’ll just buy them because it’s far less costly and far less risky to them.

[Steve Zalewski] And I want to put another spin on this too which was if you look historically, we’ve had on prem, we’ve had 20 years to build product, and then cloud hit us. And now data protection in the cloud is a new generation. And instead of building products that solve the identify, detect, prevent, respond, recover, which is what I had, they’re all going after, “Let me give you visibility. Let me give you detection.” So, they’re rebuilding that capability for me in the cloud but instead of building one product that does the entire thing, they’re generationally generating five times as many products because they’re taking me through the maturity. And that’s a problem too because the vendors and the analysts are realizing, look, I got to be able to bring you visibility now to where your data is in the cloud with microservice APIs. And then I want to give you a single pane of glass in that visibility, and then I want to be able to give you policy management, then I want to give you single pane of glass for policy management. So, I would argue some of this too is the speed of evolution of solving these problems and the sheer amount of money is making us look at it more granularly than we have historically, and that’s part of what’s generating this problem.

Sponsor – Egress


[David Spark] You know, I talk to a lot of CISOs and I’ve yet to meet one who feels fully at ease with their email security, and that brings up our sponsor Egress. At Egress, they believe the only way to stop email security risk is to address both inbound and outbound threats together and put people at the front and center of the solution. So, as advances in persistent cybersecurity threats continue to evolve, Egress recognizes that people do get hacked, they make mistakes, and they break the rules. This is something we talk about all the time on the show.

So, there’s a solution here. Egress’s Intelligent Cloud Email Security Suite uses patented self-learning technology to detect sophisticated inbound and outbound threats and protect against data loss. In particular, inbound email threats have evolved, as we know. In fact, as I’m speaking, they’re evolving. Account compromise and advanced phishing techniques mean that increasing numbers of attacks get through signature-based detection. So, Egress takes a zero-trust approach to inbound threat detection, inspecting every email into your organization using AI models and natural language processing to detect anomalies to protect your organization from the attacks that matter most, including the classics – business email compromise, supply chain compromise, invoice and payment fraud, and ransomware. So, go to their site Go there to learn more about Egress’s Intelligent Cloud Email Security Suite and start detecting email threats your existing solution is missing today.

What aspects haven’t been considered?


[David Spark] Zach of Britive said, “A lot of vendors will adopt the acronym of the month and market their product as ‘a new feature,’ leading security practitioners to believe they can have or have that capability.” And Lior Yaari of Grip Security said, “Analysts would never include us in a report without a category,” this goes back to what we were saying earlier, “As we would never fit the criteria for their existing categories, or we’ll be on the losing side of an existing quadrant, as we don’t have the ‘basic features’ required to be a leader.”

This is a really good point Lior brings up. You could be a point solution that’s amazing in one spot, but because you don’t fit neatly into a category, even though you are a rock star in this one thing, because that category covers these other three items you’re going to look like a loser. So, it requires a new category just so they don’t look like crap in their category. Corey, what would you advise to that kind of group? And would you even know they exist?

[Corey Elinburg] I do think that’s true, and I think part of it is maybe CISOs getting a little more involved in the startup communities than they are today. The VC model of funding lends a certain amount of pressure on a startup, and they immediately encumber debt, even beginning. And maybe that’s appropriate to a degree, but if CISOs were involved earlier, that may allow earlier trials on a broader basis than just the handful of CISOs. I know quite a few that are involved in the startup community, but maybe we need a little bit heavier lean-in on the CISOs from the beginning. And maybe that lens then for those folks to find their way to integrate and make their way, either to a platform or build into a platform earlier.

[David Spark] Steve, you work with a lot of startups, have you run into this with some of the startups you’re advising?

[Steve Zalewski] Oh! This separation and your channels play are the two top items for every one of the companies I advise.

[David Spark] So this drives them crazy.

[Steve Zalewski] This drives them crazy, and it goes both ways. I’ve worked with them where they’re like, “Steve, the CISOs won’t talk to me unless I’m in a category. And Steve, the category that they want to put me in I don’t think actually reflects the value that I provide.”

[David Spark] And so therefore you look like crap.

[Steve Zalewski] Therefore you look like crap. But then I challenge them because they said you want to be different, right? But what is an appropriate new category? Because a category with only one vendor isn’t valuable. Even if you’re emerging, right, you’ve got to have three, four, five, six in there to actually give credibility to the new market segment acronym that’s being created.

[David Spark] But could we have categories and then the redefining categories, like we have the general category EDR, and then unique players that solve solutions that are sort of like around the orbit. They’re not in the center of the orbit because they’re not fully featured but they have great value in [Inaudible 00:19:18]. My feeling is that if the Gartners and also the GigaOms of the world and the 451 Research…

[Steve Zalewski] Forresters, right?

[David Spark] If they produce the reports to reflect that behavior because it’s a real, real issue in the industry and if the analysts continue to only analyze a certain way, it’s going to force these companies to build their products in a way that may not be valuable for the industry. Corey, your thought.

[Corey Elinburg] Yeah. That makes sense to me. And as you were speaking, David, I also started thinking about the ecosystems because my company’s going to have a certain ecosystem of products that we’ve assembled over a period of time, and hopefully we’ve done that so that those products integrate well together and are better coupled together. But when you read the analysts’ reports, they rarely consider things like an ecosystem or that a company may be trying to build an ecosystem together. So, you’ll hear a loose reference to interoperability but what about a guide for a person who has gone down a Microsoft path or a person who’s gone down a Google path or that type of thing to create an ecosystem of the best products for that core ecosystem. That might be a way to drive some consolidation of the categories as well.

[Steve Zalewski] Well, and then to counter to that, how many vendors in essence when they build their next gen product, what they do is they try to blend two categories, they do both. So, XDR is a classic example of taking endpoint detection which everybody knows and then they try to bring in additional threat intelligence so now they’re extended detection and response. Whereas today, that was two different categories. So now they’re saying, “Well, we’re unique because we’re bringing both together, therefore you have to give us something new because we’re additive.” So, it’s like this Venn diagram thing where the circles are all overlapping each other because everybody’s trying to find a way to be unique.

[Corey Elinburg] That overlap is tough. It’s tough as a CISO because you end up inevitably spending money on products and leaving some value on the shelf.

[Steve Zalewski] Yep. Or spending an awful lot of time realizing that their marketing position is not accurately reflecting uniqueness so much as blending. And therefore you’re wasting a lot of time on potential products that actually aren’t going to give you value, which adds to the additional frustration on the analysts to do a better job of giving us the positioning to do our jobs.

Who’s making money here?


[David Spark] Eric Michaud of Unciphered said, “Gartner is funded by companies to create new quadrants to new companies and incumbents alike so buyers at corporate think they need the products and can justify to upper management that Gartner approves. They’ll say otherwise but people angle around to earn the curry of the analysts just like lobbyists in DC.” All right, pretty harsh attack to Gartner. Now, Lawrence Pingree of Gartner said, “No vendor pays to be included. Quite in fact the opposite. We do our very best including forbidding any analyst from any conflict of interest investing in tech to ensure our independence.”

Okay. I’ve heard this line a lot. There’s been no outright saying one way or the other, but we do know that companies do invest in Gartner, and we do know that they are in the Magic Quadrant but there’s no clear line of pay to play. But as Lawrence Pingree says of Gartner, they go out of their way to try to avoid this, but the problem is the rest of the industry feels this way. I’ll start with you, Corey. What’s your thoughts? Have you been pushed one way or the other because of an analyst or have you heard from vendors saying this? What has been your experience?

[Corey Elinburg] I’ve never had an analyst push me one way or the other. I’ve had them try to inform me. I would say they definitely get paid because they’re after me…

[David Spark] Well, they have to get paid to do their work.

[Corey Elinburg] They’re after me for more subscriptions and more all of the time and they compete with each other on, “Well, we give a better technical analysis, we give a better business analysis,” so on and so forth. So, I don’t think there’s any question that they get paid. In fact, that goes on even beyond your subscriptions.

[David Spark] But first of all, they get paid to do their work and to do analysis and that’s understood, and they need contributions to be able to continue doing that. We’re not saying that. Of course they have to do that. Go on.

[Corey Elinburg] Well, the other part is there is something that the vendors have to contribute and even if they don’t pay money, the amount of time you’re willing to give up through your product development lifecycle in order to give Gartner the appropriate attention to give them their answers is something that’s necessary to contribute. And I would say that definitely has an influence.

[David Spark] Steve, have you heard anything from the companies you’re advising?

[Steve Zalewski] Yes, I have, and I’m going to just leave it there.

[David Spark] [Laughter] Oh, you’re going to just leave it there?! What are you talking about?

[Steve Zalewski] [Laughter] All the audience is now waiting, “Oh, he can’t just leave it there.” I’m going to start with as a whole I think the analysts – Gartner, Forrester, all of them – do a great job. I know many of them, we talk. Okay?

[David Spark] Yes.

[Steve Zalewski] I think they really are trying to do the right thing, absolutely, I’m going to put it right out there, to understand how to do that. Now, that being said, I look at what Lawrence said. To that point is none of them, right, investing companies, they don’t take positions where they’re biased because there’s an opportunity for them to win if a company wins. I don’t see it. Again, that ethics is very high for everybody I’ve seen. But the key is it’s not pay to play but it’s pay to be heard. Because analysts…

[David Spark] Well, and this is where they argue now. But this is where it’s also debatable and nobody knows.

[Steve Zalewski] Well, again, I’m leveraging my knowledge on both sides of the house, as a CISO and as a…

[David Spark] By the way, pay to play and pay to be heard I think are synonymous, to tell you the honest truth.

[Steve Zalewski] You could argue that. And I’m willing to say but I’m wanting to tease that out a little bit. Pay to be heard, as an analyst. Analysts will talk to lots of companies. They’ll take a call, no money on the table, nothing, to be able to just do their job in trying to understand what’s out there. But you can buy subscription services with Gartner and have the opportunity to talk to particular analysts to be able to do that. And that’s what I was saying which was it’s not pay to play but it’s pay to be heard because analysts will take calls with lots of companies, no money on the table, what are you trying to do, everything else. But others can get that opportunity, like lobbyists, to have them be heard. And then as an analyst, right, you’re looking at this and saying, “Well, who’s talking to me? What am I seeing?” I’m trying to synthesize that all and I have to come to a decision. So, it’s a good ecosystem. It’s got its faults. But the point being 3,000 companies create these, I don’t want to say inefficiencies, but the challenges that we continue to lay at the feet of analysts to do a better job.

[David Spark] And I want to clarify this term pay to play, which by the way, I don’t like the term. The thing is there is something called advertising and there’s something called sponsorship, which is what we do on here. The term pay to play came about because things were not being disclosed. And by the way, I am not attacking anyone, this is not towards any analysts or anything like that. I’m just saying this term in general. Because things were not disclosed. People spend money on advertising, people spend money on sponsorship, and it is disclosed that that is what they’re doing. When it is not disclosed and it’s confusing as to what’s going on and who’s paying for what when, that’s when people get their feathers ruffled, if you will. And that’s one thing we stay away from in our…everything, we disclose what we do here. So, that’s where people get a little frustrated. And you’re nodding your head here, Steve. What’s your thoughts on that?

[Steve Zalewski] And that’s why I said I wanted to separate pay to play versus pay to be heard, right? To your point, disclosures of how the process works.

[David Spark] It’s just simply advertising.

[Steve Zalewski] Yes.

[David Spark] If you’re doing it that way.

[Steve Zalewski] And it’s a form of advertising. And that was why when you said, “Well, Steve, isn’t it the same thing?” and the answer is no. And you did a really good job of highlighting what some would say was just a nuance, “No, David, that’s just a nuance.” But the reality of the role of an analyst, if you want to be an analyst one day, you don’t just sit there and make things up. They work really, really hard to try to do this.

[David Spark] Right.

[Steve Zalewski] And that’s what I said, remember what I…

[David Spark] And we don’t want to go after the analysts because analysts are independent and they’re just doing their job. A good point.

[Steve Zalewski] Right.

[David Spark] Corey, I want you to have the last thought on this.

[Corey Elinburg] I would maybe take the last thought and make it a question to Steve and give him a second to comment. Steve, what do you think about not just the analysts and the subscriptions that a CISO like myself would subscribe to, but also the role that the Gartner conferences or Forrester conference or what have you, and then you have certain vendors there that are invited to come in and present? Or maybe they’re invited, maybe they pay to present, I don’t know the answer to that question, hence the argument. But I think those are important as well because rather than just reading a Magic Quadrant where multiple folks [Phonetic 00:29:18] are presented, you’re now being confronted with a single vendor to have the opportunity to tell their story.

[Steve Zalewski] And this is the full disclosure part, right? It’s okay if you go to a Gartner event or a Forrester event, part of it is understand how that’s working. So, what you realize is, yes, there’s some companies that are paying to have some quality time up there, right, to be able to pitch. That’s a revenue-generating opportunity that Gartner, the larger company, does because they have to pay. But let’s go back for a minute and say the analysts themselves at those events, okay, analysts have two roles in my mind. The first is to be able to offer us concise ability to look at different quadrants, whatever you want to call it, describe what they are. So set the definitions. And then enforce those definitions in looking at what the vendors look like.

But there’s a second role they play – thought leadership, okay? They’re also there and it’s a great opportunity to talk to those analysts that you respect or think have thought leadership to be able to help you understand your problem as well as from their perspective to help lead you down the path going forward to figure out which quadrant you might be interested in based on the use cases that you have. And so I say those are really, really interesting, right, because then they can potentially work with vendors that are supporting that thought leadership going forward so that somebody like you, Corey, can come in and go, “Okay, I don’t get zero trust, but now I’m understanding what that looks like and a path forward.”



[David Spark] Well, that brings us to the very end of this very show. And now we come to the point where I ask both of you which quote was your favorite and why. Corey, your favorite quote and why.

[Corey Elinburg] I think my favorite was, “A lot of vendors will adopt the acronym of the month and market their product as new feature, leading security practitioners to believe they can have or that they do have that capability.”

[David Spark] That’s from Zach L. of Britive. Go ahead.

[Corey Elinburg] Yeah. That one really hits home to me because I’ve struggled with it multiple times. And then you waste so much time getting all the way into a proof of concept only to discover that it’s not there, that it was smoke and mirrors.

[David Spark] Ugh. Nobody likes that. Steve, your favorite quote, why.

[Steve Zalewski] There were some good ones and I’m balancing the perspectives but I’m going to go with Lior Yaari from Grip Security because I think he actually did a really good job of kind of showing the tension between the different sides. Not that there’s an answer, but to give everybody an appreciation of where the CISO and the founder and the analysts in the security village have that shared responsibility but the tensions between. And that’s analysts would never include us in a report without a category because we would never fit the criteria for their existing application, or we’ll be on the losing side of an existing quadrant because we don’t have the basic features required to be a leader. And that is the conundrum I think that everybody is facing that we’re trying to be able to figure out, what is the right middle ground for all three of the players to be able to trust each other and manage that friction and uniqueness to be able to make revenue.

[David Spark] Excellent point. Well, thank you very much, Corey Elinburg, who is my guest for this very episode. Actually, Steve is my guest too. He is the CISO over at CommonSpirit Health. Are you hiring over there at CommonSpirit?

[Corey Elinburg] We are hiring. We’ve got quite a few positions posted. Please check us out on LinkedIn.

[David Spark] Oh, awesome. So, check that out. By the way, can people contact you directly through LinkedIn, yes?

[Corey Elinburg] Absolutely. They’re more than welcome to.

[David Spark] Oh, awesome. I want to thank our sponsor Egress – integrated cloud email security that prevents human-activated risk. They are available at Thank you, Egress, for sponsoring this episode of the show. Steve, thank you very much for bringing it. Corey, thank you very much for bringing it. And thank you to the audience for contributing to this great discussion, by the way. I loved this discussion, it was awesome. We always greatly appreciate your contributions and listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe, so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site,, where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at Thank you for listening to Defense in Depth.