
The Cybersecurity Industry

If you were just starting to try and understand the cybersecurity problem space, a CEO or CIO working to better grasp the challenges facing your organization, how would the industry look? Would you be able to spend wisely? To make decisions that would actually improve the security of your organizati


Watch this episode on YouTube.

Reasonably Accurate Transcript

Hey, everybody. How are you doing today? In this episode of the show, I wanna talk about the state of the cybersecurity industry. Now, I just got back a little bit early from RSA 2019 in San Francisco. And as always, this is sort of the event uh in North America around cybersecurity. It was uh no exception this year, about 40,000 people on site.

Um Moscone uh North, South and West was just bustling. Um tons of stuff going on, fantastic talks, great keynotes, um interesting exhibition floor um and lots of great people for a hallway con so to meet friends, to meet people in the community. Um It was really, really exciting. There's a lot of energy and buzz around it.

Um But I wanted to talk about specifically um the perspective somebody would have new coming into this. Um So caveat, I work uh for Trend Micro. I'm the Vice President of Cloud Research. Um Trend Micro was a sponsor of the show and an exhibitor on the floor. Um So obviously, you know, I have that view in my head as well, but I sort of always try to put somebody else's perspective on when I'm doing this research and, and going around the exhibition floor to see sort of the state of marketing and the state of positioning and messaging around the industry.

So I'm not gonna call anybody in particular out. Um There were fantastic examples of uh great honest pragmatic marketing of, hey, here's a really good solution for X but if it's for y don't bother um all the way through to the snake oily. If you hit this button, you will have rain, uh rain, a cords, rain a corns.

Um The combination of unicorns and rainbows all in one and solve all of your problems. Um You know, which, hey, I'm gonna TM that, that's a fantastic thing uh to do, rain a corns. Um But that's the point is, you know, it goes all the way through to realistic, uh firm, realistic all the way to crazy outlandish.

Um You know, people trying to garner your attention and that's understandable because there is a disconnect between marketing and the actual product. Um And you hope that uh marketing, good marketing is just positioning that product of the problem um in the light that best suits it versus outright, um you know, bombastic claims or things that they can't back up.

Now, there's 740 exhibitors on the floor at RSA, which is crazy. So that alone would be utterly overwhelming for somebody coming at it and actually visiting the show. So I didn't want to kind of put that perspective in my head. What I wanted to do was use this as an easy way to see the entire field or a vast majority of the field to get a representative sample.

And what I found if I put sort of like a CIO or a CTO or a CEO's uh cap on trying to understand cybersecurity from the industry point of view. It's crazy hard. Like, wow, it was really difficult to wrap your head around because a lot of the claims were this one thing is the most important.

Deception is the number one technology you need to be deploying, to the cloud is full of threats and fear and you really shouldn't be going there, but if you are, our product will help you get there. Um And all this messaging, I understand, you know, the business aspect of it, you're trying to get people in um interested to have a conversation to hopefully have a product fit for that customer.

Um But it, it makes it really, really difficult for people to prioritize what they actually should be doing. And for me that's the basics, that's the fundamentals. I had a fantastic conversation um uh on a podcast episode actually for Vince the Bay um which will be coming up soon and I'll link to that on all my social channels when it comes out because Vince is a great guy.

He really knows his stuff and we had a really, really fun chat and one of the things that came up in that discussion was around, OK, like what's the cool new tech, what do you need to be doing? And I went back again to, to what I truly and firmly believe is that you need to cover the basics.

You absolutely need to cover the basics, but you're not gonna see that at all within this representation of the industry because it's all on the cutting edge and I get it, that's where uh innovation can happen. That's where um you know, the business of running a cybersecurity business can be extremely exciting. It's where you can get a lot of uh VC investment.

You can um you know, make a lot of money from that way. But does it actually help um organizations defend themselves? And that's a real question, that's a legitimate question. So if you had money to buy one product, what would that product be as a CIO or as a CIO, what was the one thing that could do the most bang for your buck?

And that's a really hard thing to answer. But if you walk around the floor and you see all these marketing claims, several people are going to be offering you that answer. And of course, it's probably not the right one. So there's no real, I'm not driving at any particular point here, um which is always bad for a video, but I just, I was honestly surprised at, you know, if I kind of blanked my mind and got rid of security Mark and just said, ok, if I'm coming at this, um, fresh eyes trying to get a handle, um, and, you know, representative of this Expo Hall would be a bunch of Googling to check out all these um different companies, what's going on, you know, what truly will add value to the defense of an organization.

For me, it's really all about nailing the fundamentals, nailing the basics and then working your way up the ladder. So if you're deploying some really advanced, crazy cutting edge stuff, you better have the basics covered off. And that's not the case. I know that from real me going out and talking to organizations around the world, a lot of the time these uh companies, these teams are investing where uh they're not gonna get the biggest return on their uh on their dollar.

Now, the products are gonna do what they bought them to do. But my point and I guess the thing I wanted to raise here was is that the most effective thing you can be doing for your organization and time again, time again over my 25 plus year career. It's no, you gotta start with the fundamentals. They're boring, they're dull, they're difficult to sell people on because you go through and uh you know, you go up to the board for funding and they're like what do you want funding for?

And you're like, I want funding for two extra operational people to make sure that we've got monitoring adequately or I want funding for developers to go, you know, do code quality training. Um That stuff doesn't sound nearly as cool as I'm going to buy a cyber deception box or I'm gonna deploy this security platform that is built with AI from the ground up and it's not that those technologies aren't valid and aren't useful and aren't a smart investment, but they're smart investment further down the maturity chain.

And I think if anything that's the number one thing I see is people overestimate their cybersecurity maturity level within the organization and they invest based on their perception of their maturity level, not the actual reality of it. Um So folks like myself, educators within the space, I think we have a lot more work to do to get out there.

Um And particularly for me along the cloud lines, the amount of claims I fundamentally and strongly disagreed with that I saw this week um around cloud and the security of the cloud were astonishing. Um And for me that I took that as a bit of a personal fail that, that, that people still feel that they can do that kind of a claim that the cloud is less secure than your on premise environment that you need all this security layering tools on top of it instead of a smart automated approach.

I took that as a failure on my part to not educate wide enough and broad enough and to get the message out there of how to do strong fundamentals in the cloud. So that is something I will be doubling down on in the next few weeks and months um and hitting those basics again and again and showing people um and getting them on that point of view that cloud security is uh can be a much more secure environment for you because you're working with your cloud provider, um who should be top notch world class security.

So if you're going to one of the big three, you're already ahead of the game. Um but it's, it is a new environment and it is baby steps as far as teaching people again and again and again. Um but I think as an industry as a whole, we need to understand um that we're over complicating things that we need to help people understand the basics and help them grasp where they really are on that maturity model.

So that is the thought for today. Um What are your experiences? What do you think about this? Let me know, hit me up, marknca, the comments down below and as always by email, me at markn.ca, um I look forward to the discussion and we'll see you on the next show.
