We’re So Special Gartner Hasn’t Even Thought Of Our Category Yet

Do you know which security categories were created this year? I have no idea. Do you know which ones were deleted? Is category growth designed to make more money for the industry? Does it help customers build a better security strategy? It seems like a necessary evil that just confuses customers. The number of categories never seems to go down, and new categories rarely replace old ones.

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson, CISO, Rivian. Our sponsored guest is Maxime Lamothe-Brassard (@_maximelb), CEO and co-founder at LimaCharlie.

Got feedback? Join the conversation on LinkedIn.

HUGE thanks to our sponsor, LimaCharlie

LimaCharlie is inviting you for the unveiling of the SecOps Cloud Platform during a two-hour LinkedIn Live event on Wednesday, July 19th, starting at 10:00am PST.

For every registrant, LimaCharlie will be donating $5 to the Internet Archive. Register for the event at limacharlie.io or on the LimaCharlie LinkedIn page.

Full transcript

[Voiceover] What I love about cyber security. Go!

[Maxime Lamothe-Brassard] I love that cyber security is such a new industry. It’s still so young. And there’s still so many ways that we’re going to learn how to do things, how to improve. It’s not a settled science. There’s so many opportunities and cool things that are going to be happening in the future.

[Voiceover] It’s time to begin the CISO Series Podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series. And joining me as my cohost, you’ve heard him before. Unless this is the first time you’ve tuned in, you’ve heard him before. It’s Mike Johnson. Mike Johnson who is the CISO of a company called Rivian, and I’m now seeing more and more of those cars popping up everywhere, Mike.

[Mike Johnson] You’re going to see them everywhere. They’re going to stalk you now, David.

[David Spark] I hope they do.

[Mike Johnson] And let me know if you’d like to buy one. I can help you with that.

[David Spark] Could you help me with that?

[Mike Johnson] Yeah, I can help you.

[David Spark] Will you get a commission? If you help me, will you actually get a commission on the sale of the car?

[Mike Johnson] I will not, but I will be more than happy to see you in one because I love the vehicles.

[David Spark] You’re ridden… Have you driven one? Because I know you’re getting one.

[Mike Johnson] I’ve driven one. And by the time of this recording I should actually have mine.

[David Spark] Let’s hope so. Hopefully I’ll get a chance to ride in yours with you as well.

[Mike Johnson] Absolutely.

[David Spark] We’re available at cisoseries.com where you cannot purchase a Rivian car.

[Mike Johnson] [Laughs]

[David Spark] Look as much…you can use the search box as much as you want. There will be no sales of Rivians on our site. Hey, LimaCharlie is our sponsor. Brand new sponsor with the CISO Series. We’re excited. They have a pretty darn cool technology. I was actually talking to their CEO just moments ago who, by the way, we’re all going to be talking to in just a moment.

Anyways, they are a cyber security SecOps Cloud Platform that gives you full control and visibility over your security posture. Very interesting stuff. A lot more about that later on. But first, Mike, I just got back from VidCon.

[Mike Johnson] Oh, the annual VidCon trip.

[David Spark] It’s the only non-cyber security thing I do every year. And it’s Anaheim, California. For those of you who don’t know, this is an event where video personalities, so people who are YouTube celebrities, who are on Instagram, who are on TikTok…the people your kids know that you do not know… And as I always say about this show, if you ever want to feel completely out of touch with teenagers, come to VidCon.

[Mike Johnson] [Laughs]

[David Spark] Because oh my God, these kids were screaming, going nuts for people I have no idea. And I sat on one session with my son. There was one of these guys who has a huge channel on YouTube. And you know what his entire channel is about?

[Mike Johnson] Is it unboxing?

[David Spark] Worse than that.

[Mike Johnson] Staring at paint drying.

[David Spark] No, better than that though.

[Laughter]

[Mike Johnson] Okay.

[David Spark] So, you got the two bookends here.

[Mike Johnson] I’ve bookended here.

[David Spark] Do you know what a Squishmallow is? You don’t have kids, so you don’t…

[Mike Johnson] I have no idea what that is.

[David Spark] Okay, a Squishmallow is a stuffed animal. And they make a whole variety of them. Kind of like the whole idea of the Beanie Babies where there was a whole variety.

[Crosstalk 00:03:15]

[David Spark] But these are much, much larger. Like some of them are like the size of beanbag chairs. They’re enormous.

[Mike Johnson] Wow, okay.

[David Spark] And by the way, they sponsored the event. Anyways, this guy has a collection of 200 of them, and his entire video channel is Squishmallows. And he has an enormous following. He doesn’t work for the company. He is a third party person who creates videos about Squishmallows, and it’s really popular.

He literally makes a very, very comfortable living talking about Squishmallows.

[Mike Johnson] Oh, good for him.

[David Spark] You didn’t think this was something you could do.

[Mike Johnson] I would not think it’s something you could do, but now I’m really wondering what it is. Does he talk about the secret lives of the individual Squishmallows?

[David Spark] They do have names. And by the way, I should have found out the name of this guy so I could tell everybody who it is.

[Mike Johnson] [Laughs]

[David Spark] Because I don’t know who it is. But there must have been a line of like 80 people who wanted to get a signature or a photo with him, my son being one of them.

[Mike Johnson] Now on the one hand I want to know. On the other hand, I’m afraid of what the YouTube algorithm will do if I start searching for that.

[David Spark] Oh, yeah. If you start watching it. [Laughs] Oh, you’re in trouble. [Laughs]

[Mike Johnson] But it’s good to see that people can make a living from their passion. That’s what we all do here, right?

[David Spark] That is the point, yes.

[Mike Johnson] That’s what we do, so it’s great for them.

[David Spark] You chose the path of cyber security and not Squishmallows.

[Mike Johnson] Not Squishmallows. And I’m happy with my decision. I can live with myself.

[David Spark] They had a big exhibit, and they were giving them away. The really big ones cost over a hundred bucks. And my kids have quite a collection of these now.

[Mike Johnson] [Laughs]

[David Spark] They have an enormous collection of Squishmallows. But they’ve been giving them away to friends, which is great, because they have too many of them.

[Mike Johnson] That’s less for you.

[David Spark] Right, less for you, less in this house as well. Let’s get to our show. I’m very excited to have our guest because actually I was chatting a lot about his technology, and it’s pretty darn cool. It is our sponsor guest. It is Maxime Lamothe-Brassard. He is the CEO and cofounder at LimaCharlie.

Max, thank you so much for joining us.

[Maxime Lamothe-Brassard] Super happy to be here.

Can this be measured?

5:21.651

[David Spark] “What makes a successful cyber security founder,” asked Ross Haleliuk on Venture in Security. Ross, by the way, also works for LimaCharlie. And Ross defines success as either achieving unicorn valuation, value on exit, acquisition, or IPO. And I know people have different definitions of success, but we were trying to see a pattern here.

But broadly summarizing, Ross offered the following key variables that usually define success. One is domain knowledge, credibility, and connections. Two is they spend a substantial amount of their time in the segment before starting a company. And they’re usually in their 40’s or 50’s, starting their first security venture.

And they started as a security practitioner from a cloud-native, venture-backed company. Now, these are usual. I’m going to start with you, Mike. You know plenty of founders as well. Do they usually follow this model? I know there are other outliers. But any other factors we’re not considering? Again, usual.

I know there are successful outliers. But what say you?

[Mike Johnson] One of the things I’ve really noticed from several first time founders is they started a company to solve a problem that they had while they were a practitioner.

[David Spark] I see this all the time, too.

[Mike Johnson] Yes. And what it really means is they have a passion about that problem. They’ve got a problem. They can’t find a solution in the market. So, they start a company to fill the gap.

[David Spark] Or I’ve also seen they start to write it at the company and then leave.

[Mike Johnson] Oh, absolutely. And I think it’s really beneficial when a company supports that. When it is…

[David Spark] They often become the first customer I’ve found as well.

[Mike Johnson] Right, or an investor. And it quite often works out well for everyone. Which is great. I really think that the key thing there…and it’s something that Ross is kind of getting at…is passion. These founders need to have a passion for the problem that they’re solving, for the solution that they’ve created.

Starting a company is hard. I’ve never done it. Great for you, Max. Not something that I’m going to tackle one of these days. But that passion is key because it is so hard. The other thing that comes to mind which is a little bit different than what Ross is talking about is I’ve seen a few founders that were not practitioners for security, but they were engineers.

And they were seeing their security teams struggle. They thought, “Well, we could actually solve that with technology.” And they go and solve the problem that they’re seeing through engineering. So, that’s one of the other things that is a little bit different than what Ross is talking about. But I have seen success from that direction as well.

[David Spark] All right, Max, how many of these items do you check the box on? Because you are a cofounder yourself.

[Maxime Lamothe-Brassard] Yes, that’s right. So, most of those… Cyber security is the only thing I’ve ever done, so I kind of check the background on that box.

[David Spark] By the way, was LimaCharlie…? Because by the way… And we’re going to get into this more. LimaCharlie is definitely solving a problem that a lot of people have. I got to assume this is something you saw at a previous company. Yes?

[Maxime Lamothe-Brassard] Yeah. It’s something that I saw, but sometimes you work for… Sometimes a solution to a problem only comes after you really spend a long time kind of stewing with the consequences of it.

[David Spark] Oh, that’s a good point.

[Maxime Lamothe-Brassard] Yeah, I think a lot of this wasn’t an aha moment. It was really after years and years that you get the required mental gymnastics to really get to the point where you just go, “I can’t put my finger on what exactly the problem is, but I’m going to think about the same problem hundreds of times until a model emerges in your mind.” And that’s when you really go, “Okay, I have to do this.

There’s no option for me not to.”

[David Spark] Good point. Is there anything that’s missing here? Now, I’ll say one thing that I think is missing. But this is very unique to one industry. I just got back from Tel Aviv, and every single founder I spoke to met in the 8200 group because military service is mandatory in Israel or in the IDF.

And when I mean everyone, I mean everyone. So, this… If we were doing the Israeli startups, we’d have to tweak this a little bit. But is there any other sort of characteristic or trait that you’ve noticed from your fellow founders that’s not being mentioned here that’s more common?

[Maxime Lamothe-Brassard] That’s a great question. I think there is two fundamental things that I’ve seen, that I’ve noticed quite a bit. And one of them I’m going to shamelessly steal from I think it’s one of our investors that mentioned this to me, and I was just like, “Yes.” One is having issue with authority.

Having this chip on your shoulder where you go… If you played really well with authority you probably wouldn’t be a founder. And when somebody said that, I was like, “Yeah, there is something to that for sure.” For sure. I think it’s the biggest thing. And the other I think commonality is that if you’re looking at as…if you’re looking at starting a company as an ROI, no.

Don’t do it. It just does not make sense. Just go work for Google or work for one of the big firms. Great salary. You get your weekends. Everything is great. So, I think the challenge is…the yearning for challenge is the other thing that I’ve seen most other founders have where it’s almost like it’s the difficulty itself that’s attractive to them.

Is this the best solution?

11:25.984

[David Spark] What’s the good, bad, and ugly about EDR vendors? Now, this was a question that was asked on the cyber security subreddit. Actually the question was prefaced with a “Screw Gartner.” Meaning they wanted to know what practitioners, not analysts, felt about these products. So, redditors listed the companies they liked and hated, but most debated the expertise that was needed to use these programs with one redditor saying, “It’s more about how you manage the tool than the tool itself.” And I’ve heard CISOs say, “You’d probably be okay with a lot of these vendors just as long as you manage it properly.” That puts much of the responsibility on the user, not the tool.

So, what say you? We’ll start with you, Max. Could you throw a dart at a board of EDR vendors and be just as successful just as long as you spent the time to manage it like you would have to do with any of them?

[Maxime Lamothe-Brassard] Yes and no. As always, it’s always a little bit harder than yes or no. So, I think there’s a lot of truth behind that statement that EDR is one of those spaces that is becoming, some say, commodity, but it’s well understood. It’s kind of like the virtual machine nowadays. Like if I tell you EDR, you know 90% of what I’m talking about without having to know the vendor.

I think the distinction where the no part of this comes in is if you are looking for an EDR, you need to ask yourself what is it that you’re looking for. The term EDR has gone through a whole story arc. We used to talk about APTs and EDR was this really advanced tool to go and dig in, and hunt the bad guys.

And then it kind of shifted towards, well, really it became an AV I would say. It became this thing that just protects you like an antivirus. I think the pendulum is sort of switching back. I would say if for you any EDR tool is completely equal and what you’re really having difficulty with is managing it, then maybe you should be looking for somebody to help you manage it.

Maybe the reality is that it’s a bit of too advanced a topic. Threat hunting or really kind of leveraging the tool well. I think there is a lot of space for MSSPs to come in to different forms where we’re going to have specialization of people that can go and perform that higher level of the usage of the tool.

[David Spark] They could come in with their own EDR that they already know for that matter rather than…

[Maxime Lamothe-Brassard] That’s right. That’s right.

[David Spark] …rebuilding. All right, good point there. Mike, what’s your feeling? Can you throw a dart at a board and just be happy with any EDR tool?

[Mike Johnson] I don’t think it’s quite there yet. I do think there’s some stratification. There are a few layers, or levels, or groupings, or what not. And in that top strata, there’s not a whole lot separating them. There’s not clear differentiators between the vendors, the players in that top tier as long as you do make that commitment to managing them.

That is a level of effort. You can’t just turn these things on and assume it’s going to be fine. But as long as you’re willing to make that commitment, you can throw a dart at that level, and you’ll be fine. That does bring it back to price, which I think is an interesting place for us to be. I kind of think that’s a good thing.

That really gets us down to a point where they must compete with each other. They must compete on price. They must compete on features, on compatibility. And that really does I think benefit the consumer, us, where we know that they’re constantly pushing each other. I do think it’s also important to realize that one of the other key things is does it integrate with your stack.

This isn’t the…a security tool and EDR, it doesn’t exist in a vacuum. You have some other infrastructure, some other systems to deal with. And if your EDR that you pick by throwing a dart doesn’t integrate within that stack, you are going to have a problem. So, as long as you’re looking at that top tier, as long as the price works for you, you’re committing to managing it, and it integrates with the rest of your stack, yeah, throw a dart.

[Maxime Lamothe-Brassard] Here’s my hot take – I think that EDR as a product is going to come to an end. I think EDR as a feature is where we need to start to be.

[David Spark] The end of EDR. Max said it here. When it actually happens, we’ll pull this soundbite out, Max.

[Laughter]

Sponsor – LimaCharlie

16:31.949

[David Spark] Well, we’ve been dancing around this topic quite a lot, and I want to talk to you a little bit about LimaCharlie before we go on any further here. We’re going to be talking more about the cool stuff they’re doing. But gone are the days of the one-size fits all security solutions that do not adequately address the complexities of modern networks and evolving threats.

These general purpose tools lack the flexibility to adapt to your unique environment and specific needs. As a result, you end up with a fragmented collection of tools that need to be manually integrated and stitched together. I don’t need to explain to you the problems of that. You don’t like that. But this leads to inefficiencies, gaps in security coverage, and extreme costs.

Sound familiar, right? We’ve been talking about this. It’s aggravating. Well, not anymore.

Introducing LimaCharlie SecOps Cloud Platform. It is the modern platform that provides businesses with comprehensive enterprise protection that brings together critical cyber security capabilities and eliminates integration challenges which we see a lot of people getting annoyed with and spending a lot of money on.

And it deals with security gaps for more effective protection against today’s threats. Whether you’re looking for endpoint security, an observability pipeline, a detection, automation and response rules engine, or other underlying security capabilities, LimaCharlie SecOps Cloud Platform helps you build a flexible and scalable security program that can evolve as fast as a threat actor.

So, get started for free and learn more about how LimaCharlie is transforming cyber security for the modern era with the SecOps Cloud Platform. Go to their website. It’s limacharlie.io. Tell them that David or the CISO Series, one of us sent you there.

It’s time to play, “What’s worse?”

18:35.370

[David Spark] All right, Max, you know how this game is played. Two miserable options, and you get to pick between the two of them. That’s what we always like, two miserable options. Right, Mike?

[Mike Johnson] Oh, I’m here for miserable options.

[David Spark] How often is your day two miserable options, or three or four miserable options?

[Mike Johnson] I mean if I could narrow it down to two, it’d actually…

[David Spark] [Laughs]

[Mike Johnson] I’d take that win already.

[David Spark] All right. All right, this one comes from Jay Dance of StubHub, who I met in New York when we did our New York show. And he has supplied lots of wonderful “what’s worse” scenarios. Here we go. And I will tell you, these both stink. You are the director of IT security. Aw, you’ve been demoted, Mike.

I hate to break it to you. The CEO of the business you work for decides to cease operations and close up for good. Here’s what happens – the CEO sells off an unknown amount of data gathered during operation of the business to the highest bidder to generate cash for the next venture. Not good. Here’s the second one.

The CEO sells off all the computer equipment used during business operations without wiping them first to generate cash for the next venture. All right, which one is worse? Selling the data directly or selling the hardware directly with all the data on it?

[Mike Johnson] Hmm. These sound equivalent.

[David Spark] They are kind of equivalent but not exactly. They are… I was having this debate. They do, but they’re not exactly equivalent here. Because first of all, who knows where this data is being stored, and there’s a lot of unknowns here. But this is all you know.

[Mike Johnson] Okay, so this is always one of those you pick one and go with it. I look forward to the reasons why you disagree with me, Max.

[David Spark] Yeah, you can agree or disagree. I suggest disagree.

[Laughter]

[Mike Johnson] I guess looking at it in this way, you’ve got the first one, you were selling all of the data to…

[David Spark] Not necessarily an unknown amount of data.

[Mike Johnson] But presumably to one party?

[David Spark] Yes. It’s to the highest bidder, so it is to one party.

[Mike Johnson] So, it’s some amount of data to one party versus in the other case you’re essentially selling data to an unknown number of parties because you’re just putting it all up on eBay.

[David Spark] But let me clarify here. I may be tipping this right now is you’re selling the equipment. They weren’t asking for the data. That’s the difference. Max is nodding his head here.

[Mike Johnson] But you said it was not wiped.

[David Spark] No, it wasn’t wiped, but they weren’t purchasing the data. The first case, they’re purchasing the data. So, the data may be a bonus that they may or may not take advantage of.

[Mike Johnson] Or may or may not be malicious with, right?

[David Spark] Right, exactly. And also the first person may not be malicious. We don’t know. Who knows?

[Mike Johnson] Well, you would assume that if you’re selling it to the highest bidder that it is likely an above board actor. I’m going to make that conclusion.

[David Spark] That’s the way you’re going?

[Mike Johnson] Because if the CEO wants to start another company, if they then go and sell it to, oh, North Korea, then…

[David Spark] Yeah, let’s assume they’re not selling it to North Korea.

[Mike Johnson] No one is going to want to invest in their next business venture.

[David Spark] “I heard you sold your data from the last one to North Korea.”

[Mike Johnson] Yeah, maybe we’re not going to do business this time. Whereas in the second case, North Korea is just buying it off of eBay, and who knows what they’re doing with it.

[David Spark] Well, we don’t know if North Korea is buying. But whatever. Who knows?

[Mike Johnson] That’s where I’m going with it.

[David Spark] Okay, so you’re running with this theory. Okay.

[Mike Johnson] Yes. And that’s the theory upon which I’m anchoring my answer. And so I really think the second one is the worst because it really is information going to all manner of different folks who have who knows what intent in mind. A lot of them are going to do nothing with it. Likely someone somewhere in there is going to do something really bad with it.

There’s been plenty of stories that have shown up in the news of somebody bought a computer off of eBay, and it had somebody’s information on it. And that becomes a whole, big thing. Versus the former case, probably isn’t going to be in the news, and that’s why I think that’s the better of these two.

[David Spark] But we don’t hear a lot of stories about people using data off of hard drives. We do in the past but not that often.

[Mike Johnson] It definitely shows up. It definitely shows up. That’s my answer. I’m going for it.

[David Spark] Okay, you’re going with that. You’re sticking to it.

[Mike Johnson] I’m sticking to it.

[David Spark] Max, are you agreeing or disagreeing with Mike?

[Mike Johnson] Tell me why I’m wrong, Max.

[Maxime Lamothe-Brassard] Ten years ago, I would have agreed with you.

[Mike Johnson] Awesome.

[Maxime Lamothe-Brassard] Now today, I think really this whole thing is around a very specific question – is there full disk encryption? Because nowadays if you’re dealing with modern Windows, and modern Macs, and Chromebooks, chances are there’s full disk encryption on everything. Chances are you’re using some kind of logging into Cloud.

[David Spark] You’re counting on all this data to be encrypted as it’s getting sold.

[Maxime Lamothe-Brassard] Call me optimistic.

[David Spark] So, both of you are making some big assumptions.

[Maxime Lamothe-Brassard] So, I’m hoping.

[Mike Johnson] Oh, yes.

[David Spark] Yes.

[Laughter]

[Maxime Lamothe-Brassard] That’s right. That’s right. I’m hoping that that’s the case. And if that’s the case then it’s one side you know for sure that the data is going to be used. I certainly do agree on the legal component of that. That if there’s a contract in place and people know both sides of that contract, it’s probably going to be fine.

But full disk encryption doesn’t care about a contract. It just works.

[David Spark] So, you think the first case is far worse?

[Maxime Lamothe-Brassard] Yes. Yes. Without any further information, I’ll go with the first one.

[David Spark] And why? Because you think the one actor is going to abuse this data, and they don’t have to be North Korea to do it?

[Maxime Lamothe-Brassard] Yeah. Abuse is dependent on what their intent is. But if full disk encryption is in place then I don’t have to worry about what their intent is. I know that it’s not going to go anywhere. So, my optimistic answer is yeah, the first one. It’s for sure the data is going to be used.

Nobody buys data not to use it.

[David Spark] Good point. That was my theory, too, Mike.

[Mike Johnson] It’s a good theory.

[David Spark] Max wins.

[Mike Johnson] Fair enough.

Please. Enough. No, more.

25:07.043

[David Spark] Today’s topic, I love this topic, by the way, and that is cyber security categories. I don’t think there’s anyone in the industry, Mike, that said, “You know what? We need more. There’s not enough categories to define what’s in cyber security. Why don’t we double it?” Has anyone ever said that, Mike?

[Mike Johnson] Not that I’m aware of.

[David Spark] No. So, there is a seemingly never ending growth of cyber security products and categories. So, here’s what I want to know. And there’s a lot of people that feel there’s some inside working going on in the cyber security category industry, if you will, which we think it’s being pushed by Gartner.

So, is the category growth designed to make money for the industry? Does it help customers build a better security strategy? Does it just confuse customers? Do new categories push other categories out, or does it just keep growing? Mike, what have you heard enough about in cyber security categories, and what would you like to hear a lot more?

[Mike Johnson] It’s exactly what you said. In terms of hearing enough of, like do we really need more categories. I’m done with more categories. We can stop. We don’t need more. And so what I’d like to hear more of is maybe we think about some of the existing categories a little bit differently. Maybe we turn our heads slightly to the side and go, “These are actually the same thing.

This is something that we’re used to.”

[David Spark] I brought this up with a vendor once who got excited that Gartner was creating a new category. And I said, “Isn’t it more like this?” And they’re like, “Yeah, I guess it is.”

[Mike Johnson] I’m surprised they actually admitted that. Usually people get very defensive about that sort of a thing.

[David Spark] But I wouldn’t be excited about being in a new category because they’re like, “Oh, then the CISOs need to create a new line item for me.”

[Mike Johnson] That’s one of the risks is the need for a new line item. On the flipside… And I think this is where some folks come from when they push for new category is, “Well, what we’re doing doesn’t really…isn’t really captured by one of the existing categories, so we don’t want to be lumped into that.” But, again, I think there is… I’d like to hear more of actually taking an existing category and making it exciting.

[David Spark] Make the current one more interesting.

[Mike Johnson] Yes.

[David Spark] So, let’s narrow them down and just make them more exciting and more inclusive to others.

[Mike Johnson] Absolutely.

[David Spark] All right. I throw this to you, Max. What’s your take? What have you heard enough about on cyber security categories? And what would you like to hear a lot more?

[Maxime Lamothe-Brassard] I’ll really echo what Mike said. I think the exciting word is the key word here. Categories were there to highlight new cutting edge ways and things that need to exist or that are becoming possible. And so they’re exciting. They’re interesting. We need to give them a name because nobody was even considering it before.

So, I don’t have a problem with the creation of the categories. I think what I have a problem with is with the fact that we never remove categories. Where’s the mundane? Where’s the categories that were once cutting edge and now everybody does it? And pretty much the same way because as per the hype cycle, people figured out how to leverage this new technology and figured out where the sweet spot is for that category.

So, I would kind of like to see something like maybe a set number of categories. Like for Gartner to come out and say…

[David Spark] “You got to fit in this or else.”

[Maxime Lamothe-Brassard] Yeah, exactly. Exactly. Like we get 50. And if we add five this year, we might remove five. Because they’re now just security. We don’t need to call out everything.

[David Spark] It’s like the human brain can only memorize a certain number of phone numbers. We can only memorize a certain number of cyber security categories. Same thing. So, limiting this. And I’m going to dovetail, what do…? Besides limiting it, what can we do to sort of simplify or make it more exciting, as Mike just mentioned?

[Maxime Lamothe-Brassard] I think that if we do put some kind of limitations around it, it will get more exciting. Just because of the fact that what we’ll see will actually be new. It just won’t be the same old rebranded with a different term. So, it’s really just a question of we can only pay attention to so many things at the same time.

I think the expression I’ve used in the past is that some things just become features. They’re not products anymore. And that’s the direction that we got to go in. That’s where the sweet spot is. And then what it means is that if you’re a CISO…and hopefully that’s also how Mike feels…you get the ability to say, “Yeah, we’re adding new line items for things that really are bringing in new value and are cutting edge.

But it’s okay because in many ways we just don’t need to keep every single line item. Some things just become part of just the mundane and the normal products that everybody offers at the same time.”

[David Spark] I want to just sort of take this out and honestly just literally a minute on this, no more… The reason we’re talking about this with you is because LimaCharlie may be kind of irrespective of how many categories are out there because you’re acting as the connective tissue to the enormity of the cyber security space.

Can you explain just literally under a minute what you’re doing to connect all of this?

[Maxime Lamothe-Brassard] Yeah, absolutely. So, we’re taking this thought process to its conclusion. Where we’re saying that so many core capabilities are needed by every security organization on the planet. And they’re going to be adopted in slightly different ways, but they’re well understood. I always pick on the EDR because EDR is one of those.

If I tell you EDR, you know 90% of what I’m talking about. So, if those things are really well understood then we should be able to offer them in a generic way. And if we’re going to offer them in a generic way, why not offer them in a modern way which is how Cloud providers offer them. So, we can simplify the technology, but I think it’s equally valuable to simplify the procurement space and managing of contracts, and managing of vendors by saying, “We’re going to take all of those things that are well understood, and we’re going to bring in the maturity of how Cloud providers work.” And so you’re going to be able to set up a bunch of your security operations on those really well understood solutions in a way that’s all designed to work together.

So, sometimes we’re asked if we’re a new category or what it is. We’re a new concept. We’re not a new category. We’re not reinventing the wheel that way.

Are we creating more problems?

32:16.525

[David Spark] A year ago, Gartner released a survey that claimed 75% of organizations are pursuing security vendor consolidation. The survey said a little more than half of organizations are working with fewer than ten security vendors. Actually I’ve heard most are dealing with a hell of a lot more.

But regardless, organizations want to consolidate their security vendors to reduce complexity and improve risk posture, not to save on budget or to improve procurement. Now, some do, but that’s the majority that want to do that. When does consolidation make sense or no sense? And at the same time, I get that it plays better for CISOs who don’t have big engineering teams.

That’s assuming the product suite does actually integrate. Mike, what’s your take?

[Mike Johnson] I actually think 75% seems low. It was nine months ago. I bet it is an even greater percentage today. And a lot of that actually is kind of challenging the fact that I do think a lot of this consolidation is to save on budget or to improve the procurement cycle to make vendor management easier.

[David Spark] Well, and when I say that it wasn’t…according to this research, it wasn’t the driving factor is what I’m saying.

[Mike Johnson] I would actually bet that that’s changing some now though. I think we’re in a different climate now than we were… What was this, September I think it was? I think things have changed a little bit more, and companies are getting better about managing their budgets. And CISOs, as business executives, we do not have unlimited budgets.

And we need to pay attention and make sure that we’re good stewards of our company’s money and that we’re spending on the appropriate things. So, even if we have an engineering team, it’s still worth investigating that consolidation because we shouldn’t just be lighting money on fire. There was a time where cyber security felt like it was unlimited budgets, but that’s not the case anymore.

Things are changing. We are being looked at as, like I said… We’re executives of a company. We have a budget to manage.

[David Spark] And by the way, when they cut budgets, they cut it across the board.

[Mike Johnson] They should. It should not be a case of, “Oh, well, everybody is getting cut except for cyber security.” That’s not part of being a part of a company when you’re always getting special cased because eventually you’re not going to get special cased anymore, and you’re not going to know how to deal with that.

[David Spark] All right, Max, I’m throwing this to you. The most common cases we see of consolidation is basic redundancy – two products are doing the same darn thing. We don’t need both of them. Is there anything else that is obvious consolidation?

[Maxime Lamothe-Brassard] I think consolidation is a high level strategy that can manifest itself in many different ways. And it’s important when looking at it to look at all of the aspects. So, cost reduction is a big one. But there is also cost reduction in terms of the time of managing all of the vendor, all of those relationships.

Then there’s your financial folks that will have to manage all of those MSAs. So, that’s a big factor. But don’t stop there. I think stopping there is sort of only getting half of the value. That second half is in logical consolidation, which is to say sometimes there is a lot of this complexity that exists because of different vendors.

And because the products that were conceived were never conceived to work together. So, it’s not that products are kind of bad or overtly complex, or that they’re inherently from different vendors, but that they’re just not designed to kind of go and work together. And so I think a lot of the value is in being able to reduce the complexity that goes along with this reduction of vendor.

And that’s hard to quantify. But if you ask your security team… And I think if you ask the right questions of how much effort and time is spent on various types of activity, my suspicion is that 50% of that monetary value is also around consolidation just around tasks and making things live in the security organization.

[David Spark] If I was a vendor… Again, it’s going to be different. But how would I sort of secure my spot with an organization and not be on the chopping block? What would you advise?

[Mike Johnson] I think some of it comes back to what Max is mentioning in terms of playing well with others. If you’re known for playing well with others…

[David Spark] Being the partner that all CISOs want.

[Mike Johnson] Yes. In multiple definitions. One is being a partner with my security team. But another is being partner with the rest of my technology stack. Being able for me to plumb things together and have them cohabitate and frankly add value to each other.

[David Spark] You’re speaking Max’s language here. [Laughs]

[Mike Johnson] It makes a lot of sense to me.

[David Spark] Absolutely. There is enough challenges in security that for the folks working in security, they need to be able to focus on the parts where value is added. And there is a lot of time and effort these days being spent on solving the same issues over and over in different types of organizations and places.

So, it’s… Yeah, absolutely.

Closing

38:15.336

[David Spark] Well, that brings us to the very end of the show. Max, this was fantastic. I love this episode. I’m going to let you have the very last word. But first, I want to thank your company, LimaCharlie. Remember, it’s like the lima bean and the name Charlie, then a .io. So, limacharlie.io – a cyber security SecOps Cloud Platform that gives you full control and visibility over your security posture.

Hold tight on this… And by the way, I always ask guests if you’re hiring, so make sure you have an answer for that. Mike, any last thoughts?

[Mike Johnson] Yes. Max, thank you for joining. I really loved the fact that you both talked about your experience as a founder and kind of why you’re doing what you’re doing. I think that was a good perspective that some folks might not have had. I also like how you’re thinking about the security space in general.

I really like your comment about some things become features. They’re not products anymore. Quite often I’ll look at a company and go, “That’s not a company. That’s a feature.” But what you really kind of opened my mind to on that is this could be an evolution where it actually started it was a company, it was unique, it was something special.

But over time, it’s just become a feature. So, I really think that’s something that folks should think about, thinking about the value they’re getting out of the solutions that they purchased and think about how they can play well together. So, thank you for sharing your experience, your passion. I really enjoyed the conversation.

Thank you, Max.

[David Spark] All right, Max, any last thoughts for our audience? And an offer possibly you might have for our audience? Anything they can try out with LimaCharlie.

[Maxime Lamothe-Brassard] Yeah, absolutely. So, again, we talk a lot about being a Cloud provider kind of place. And so there is a free tier – all documentation is always open online. Just think of us like the infrastructure that can just help you get to do the cool stuff.

[David Spark] Oh, the infrastructure to get you to do the cool stuff. Excellent. Well, thank you very much, Max. Are you hiring, by the way?

[Maxime Lamothe-Brassard] We’re always looking for passionate people who are interested. We’re a startup, so… Yeah.

[David Spark] Yeah, so they need talent. They always need talent. All right, thank you very much, Max. Thank you very much, Mike. Thank you, audience, as well. We always greatly appreciate your contributions. Send us more “what’s worse” scenarios. I would like those. I like today’s, which did sound the same, but it really wasn’t, Mike.

There were some variations in here, as both you and Max discovered. I appreciate everybody’s contributions to this show, so send more in. We love it. This is dropping in July. I’m going to be at Black Hat. Are you going to be at Black Hat, Mike, Max?

[Maxime Lamothe-Brassard] Absolutely.

[David Spark] Mike?

[Mike Johnson] I don’t know yet. I’ll figure it out by July.

[David Spark] Well, I’ll be there. I’ll be with a camera crew. If you see me on the floor, come up and say hello. I may stick a microphone in your face. All right. Bye, everybody. Thanks for contributing and listening to the CISO Series Podcast.

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cyber Security Headlines – Week in Review. This show thrives on your input.

Go to the participate menu on our site for plenty of ways to get involved including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark at david@cisoseries.com. Thank you for listening to the CISO Series Podcast.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.