January 25, 2023 | 18 minutes
In this EXTRA! episode, Rob talks about his recent trip to "NightVision: State of Cyber 2023."
About the Guests
Rob Aragao is chief security strategist at CyberRes, a Micro Focus line of business. He has more than 20 years of information security experience, with an emphasis on cyber risk best practices, threat intelligence, security monitoring and regulatory compliance initiatives. He has worked in multiple fields, from financial services to telecommunications. Prior to joining CyberRes, he was vice president of security strategy & innovation for ReliaQuest and served as the chief security strategist for HPE.
Stan Wisseman leads the Security Strategist team for Micro Focus’ CyberRes in North America. He has more than 30 years of information security experience and has built security into products, systems, software, and enterprises. Prior to joining Micro Focus in 2014, Wisseman served as chief information security officer for Fannie Mae, with responsibilities for information security and business resiliency across the organization.
Reimagining Cyber Extra! | State of Cyber 2023! | Rob Aragao and Stan Wisseman
Hello everybody, this is Stan Wisseman with another episode of Reimagining Cyber Extra. I'm with Rob Aragao, my co-host, and looking forward to hearing about a recent event, Rob, that you attended about the participated in around the state of cyber security. Can you share with our listeners some of the things you picked up from that?
Yeah, definitely saying it was actually really exciting to see something, you know, kicking off the new year. And it was an interesting perspective. So basically, it was put on by NightDragon. Those aren't familiar in the audience with NightDragon. They're basically an early-stage investment firm in cyber market.
The founder is Dave DeWalt, so you may know him from the days, for example, at McAfee and some other major security organizations. But over the past several years, he's been very heavily involved on, you know, the early-stage investment aspects of the cyber market and done obviously very well.
The approach though I really, really liked because it was bringing in perspectives from multiple streams. They initiated it with kind of a, you know, just, you know, what is the market looking like, overarching point of view. They then took in the CISO perspective and had several CISOs come on and kind of share, you know, what they're seeing out there as they're going into the new year some shifts there. And then they, they kind of rounded out with the last two pieces, two segments I should say, around what's the cyber market landscape from Wall Street perspective, right? So again, you are a public entity as a vendor, cybersecurity vendor. What is that looking like?
Not just from the financial sector?
Not just from the financial sector, looking at it from like, you know, the, the impact.
And then the other side of it was the early-stage VCs. So, it was very interesting. So, if you look at it from the kind of kick off on the go to market. It was it was both EY and Kyndryl jointly participating on that portion of it. It was very much you know, just kind of what, what are they seeing and what are they driving forward that their customers are obviously asking of them from more of a services delivery perspective.
So, it's like what, where the, where's the demand? Where's the, where's the customer demand coming from? Right.
Yeah. What's the shift? Right? And, this is one thing that you know, we're seeing out there too, is in the managed security services market, that market has exploded for obvious reasons, right?
Cyber talent shortage is an issue, but the customer in the end still likes to try to, you know, have as much control as possible on whatever investments they've made on the technology they've selected and so on, and prefers that the MSS basically, work with what they have as investments with the transitioning investments from and to but make it all work seamlessly as much as they possibly can in delivering the services outcome.
Right. So, with their internal employees, enabling them to do the things that are going to be most valuable for the business. Right. Kind of, we've talked about this before, right? Business outcomes are the focus for you as an internal employee as dealing with the managed services provider. It’s how are you able to kind of offload a lot of monotonous activities, but uplevel some different capabilities of, you know, the things we really should be focused on and help us in partnering, being able to
give you the bandwidth to do some of those higher-level functions
Exactly. Alleviate, to allow you to go be more valuable to your organization and investment they're making in you and the cyber team.
And the common theme that they, they are basically all kind of came back to is that, you know, as these, and that they're, they're large in size, right? As these managed services providers out there, what they really are looking at with delivering that capability to customers is back to vendors to be more open so that they can create that platform of integration through capabilities and APIs, microservices, and everything behind that.
That really allows them to actually say, I can kind of create this that fits the mould of exactly what the customer wants. Now they'll work with the customer to kind of try to position it the way that they would like it to become as well. But that sense of partnership was a, a key aspect of how they see the MSS market moving forward.
I imagine that provides them an abstraction layer too, where they can replace Yes. Particular solutions without the ultimate MSSP customer having a clue with that, they exactly pulled out one and put in.
Because at the end of the day, the customer cares that they're delivering on the service that they've signed up for.
And the SLAs are being met. Right, right.
So, the openness is there. They can have that flexibility.
Absolutely. Absolutely. The other key, a couple other things, but that they brought up in that session one obviously no surprise, right? Cloud security, cloud secure, it's not slowing down. Right. And we're going to continue to see that more and more.
I think they were very much sharing how it; you can't be of the perception that everything is going to be in the cloud. As much as we'd like to get everything there as fast as possible, it's, it's still going to take quite a bit of time. So that's not really changed much.
But, but, but what are they seeing as far as the delivery model that's wanting to be consumed?
I mean, are customers going to PaaS? Are they going, are SaaS where everybody wants to go, but SaaS isn't always there? I mean, what, I mean, going back to your previous comment, it sounds like more of a, you know, platform as a service. Yeah. And having that ability. You know, mix and match and have that flexibility to ultimately provide the ultimate service that they're providing on top.
And I think that was actually the consistent theme across not just that part of the event in that session, but also even when we get into like the CISO conversation, is that it is more of a platform as a service model. That they're looking for. Because in that way they can take the pieces of the puzzle that they, you know, want to be able to leverage whether it's something that they own today, whether it's something they want to be able to pull in in the future and just get again to the point that they really need out of it, which is that outcome for that particular capability they're trying to accomplish.
Right. So that definitely is the case, I think.
And did you get a sense as to whether or not. Again, we, we've, we've positioned that multi-cloud is, is ultimately what we're going to migrate to. Even if you start with a single cloud provider. Did you get a sense whether or not multi-cloud is a reality?
They didn't get into that, but I think reading between the lines of some of the, the, the desired needs, it is that. Because again, if you think about, you know, if, if these larger services providers are really pushing back to say, you know, we need the cyber technology vendors to be more open because we don't necessarily kind of know where and how we're going to deliver this stuff, right?
Because we don't necessarily know yet today what that customer investment is in until we Right. Really engage with them. They need to be able to support that. And we know right as we work with customers day in day, many, many of these organizations that started off with going with something like AWS for example, have now kind of dipped their toe into Azure or to GCP or even Oracle.
I mean, whether, whether they wanted to or not, some of the development organizations or some BU is doing something off on the side. Yeah. And it may not be what their, the corporate IT folks had initially intended, but yeah, it's happening right.
You know, the other thing that I was very excited about too, continuing to hear is, and, and we were very early with this for ourselves, you know, it seems like two years ago, I think at this point for that drive of cyber resilience and that was a major theme of, you know, organizations absolutely are bought into the need for cyber resiliency and from That's great to hear.
Absolutely. And, and it's, it's from really, you know, we, we know the goals of cyber resiliency, but really the core kind of emphasis of it was around the prepare to recover. Because again, you're, you're going to be as buttoned up as possible, but things are still going to get through and happen. And so how quickly can you react to what's occurring to recover?
We've, we've, we've made the shift of, you know, perimeter's not going to hold. Yes. Don't have that illusion that it's going to hold and, and just recognize you will have attacks. You have to be able to respond and get your operations going quickly.
Yep. Yep. And, and then that leads me to like the, the second piece of the four, which is again, the CISO audience. And so, what was really interesting to me and, and, and I took away an extreme positive. We've talked about this for, for a long time, but it's just, it's, it's great to see and hear the reality of it happening, which is the consistency of the three CISOs on the panel, talking about the shift in their approach and model is very much centered around how they're actually aligning with what the business needs from the cyber organization, one. Two, to extend upon the reality of them getting to this point. This is showing me kind of, you know, hearing them say these things and showing me the maturation of, of them getting there. Is that how we do that? Well, how we do that is we need to stop for a second, hit the pause button, look at what we actually do have for investments, rationalize it, right?
We've been talking about this for the longest time. But do it. They like, they've got to do it. And by the way, it needs to be happening now because of what's happening in the market with the recession kind of aspect, and everybody not too sure what's happening, right? And so, it's like, okay, you know, you have to look at what the current investments are and tell us the business, tell us, can you get what you actually desire out of that solution.
If so, keep it in your tool belt. If not, it's out, right?
Or even double down. I mean, because a lot of times, as, as we've discovered a BU may purchase something and find success, but it isn't then carried over to the other business units. Right. So, find out where those successes are and say, yes, you know, that is effectively securing our data.
Let's go ahead and apply that to where every other sensitive data repositories might be in the business.
Right, right. The, the other element of showing this great alignment and maturation, again, of the CISO community is, and, and this was great to hear, is we need to work closely with procurement.
And so why? Because that gets to the point you were just saying, look at the current investments, understand where there's value being driven from those investments. By the way, it may not be across a major part of our organization. It may be a pocket. Mm-hmm. But when you look at that pocket and what outcomes it's been provided, does that scale to support other parts of what we need in the business?
Right. So, hearing that, again from the CISO community saying, we are working closer with procurement because we see where there's a need for us as we rationalize to try to say, you know, in some cases 80 vendors, if not more, right depending on the size of organization down to, let's say, you know, 50, 60. But maybe a handful of those are really our go-to cyber partners.
The others are going to fill these gaps and these voids and maybe something kind of brand new and innovative in the market that we're looking for. Right.
Well, that goes back to what Jim Roth was talking about, I think it was our second episode. Right. You know, he has a, a core set of capabilities that help him with compliance, et cetera, and basic compliance to frameworks.
But he has all these non-conventional controls. Yes, he has the freedom to also help you know, build up his resiliency by putting in place controls that. And, and technologies that may not be anticipated by these bad actors. And if you can work with procurement and have them understand that I need to do the best I can to consolidate and take advantage of the, the core capabilities wherever I have the need in the organization, but also have the freedom, yeah, to have a chance to experiment or to put in place controls that may not be aligned directly to the CSF or some other compliance framework.
But I need it to be able to actually, thwart, the actors that I'm anticipating.
Yeah. Yeah. It was a really good discussion. Now, if you pivot to the third part, this took us into looking at, you know, the Wall Street perspective.
And, and it was kind of funny. I mean, Dave did a great job in this because he basically said, you know I'm finally kind of flipping the tables on the panel because he was on the other side of it where they were grilling him constantly as being the CEO of a public company. Right. And now he's getting back to kind of say, you know, let me ask you some questions.
But they were very much, you know, kind of on the same page. So, you had representation from Citi, Piper was Piper Sandler was on there but very much looking and saying, hey listen, you know what? We look at what is happening in the cyber market, right? We saw what happened in over the past year in 2022 is you know, the valuations of these companies basically went down 30 plus percent, right? On, on average.
Yeah. That's right. That's right. And their viewpoint on it is, you know, it's a good thing. And the reason why it's a good thing is because you become much more focused in having to deliver true value. Out of what you're bringing to market
Is that decrease in line with the general decrease of the tech sector?
Because if you look at 20, 2022, I mean the tech sector in general Yeah. Took a hit, but I don't know if that was, you know, linearly aligned with what we saw more generally.
I, I think it was maybe a little less than the general tech sec tech sector overall. But the way they spun it is it’s a good thing because there's a need to be able to ensure that you're delivering true value to the customers, right, and to the market.
And that your valuations aren't something ridiculous. But in turn, they find it as, this could be, 2023 could be the biggest opportunity for investing in the cyber market because of what those returns are going to look like going forward, because the reality of the business delivering on what they market has to come to fruition and the rates associated to that will also be much more justifiable.
So, this is teeing up for a pretty strong 23.
That's the expectation, which was, again, consistent across all three of them. And what they were sharing. The other thing that they were talking about is they do see a consolidation in the cyber landscape.
They see that, you know, again, a lot of these companies that were spun up over the past few years you know, they're, they're really looking at kind of quick little exits because they're not able to get any of the return. They're, they're underwater. And if there's good IP out there, then the IP should be applied and plugged into something in, in the market today.
So they're looking for some kind of end game.
They're looking at some of that, but they're also saying that what that does then basically is it, it does drive towards more of the strategic cyber vendors and the opportunity for the strategic cyber vendors, which I'm excited about 'cause I, you know, I, I already felt we were, but I think where we're going and some of the things that we're working on and what the market opportunity, the timing is just perfect. Right. So, I think that's all going to be a really positive thing. And, the aspect of that that I thought was very interesting is also kind of almost turning back the clock as it relates to not looking at, you know, even if you are a cybersecurity vendor that has multiple portfolios, not looking at and saying the individual product within a portfolio is kind of this shiny object that really is the market leader. But turn it over as saying, how can we create the opportunity for these things to be kind of packaged up into suites.
Because that's how they're looking at, you know, again, this is coming from Citis of the world, right? The investment company community saying, where can I get that bigger return from the customer? Because now I make it more sticky for the customer, more cost effective for the customer, while always delivering the value the customer is expecting of that capability.
And because there's so much pressure on the vendors to make that happen, they see that as being the opportunity, which hence turns back to the growth that they were talking about expecting later on this year.
Are they looking for that kind of integration to deliver a solution in a specific area like identity access management, you know, or Zero Trust?
Or is it that specific or more general?
Yeah, it wasn't a matter of fact. It was more where can you look for. The means of being able to actually cross over some of these portfolios.
Well we're challenged with that too.
We’re challenged with that and trying to figure out some different ways to do that.
I think, you know, we've got some beginning kind of aspects of what we can map out, but hearing that that's what, you know, the market from Wall Street's perspective is also going to be looking for is interesting. But it did tie back into some of the feedback from the CISO community.
That's what they want to have that, that platform level, right?
Right. So that they can maybe buy multiple portfolios from a given vendor, but then where's that interlock, you know, kind of across some of those things. Not all of 'em, but some of those things where there's even more value that they can derive from it.
So the last piece of it, the fourth segment, was tied into kind of like the early-stage point of view and perspective as we go forward into 2023.
And they had Team8, they had AllegisCyber, and Forge Point represented in their panel discussion. And as you can imagine, Stan right, looking at, you know, what they typically are going after is, you know, these very early-stage companies that they're, you know, getting some seed money into and well, let's be real it hasn't been a great year in 2022 for that. No, it's been tough, very. They were very positive though,
About 22 or about what's coming in 23?
What's coming, what's coming. Yeah. And it was interesting because this isn't like, you know, we've got the same, you know, panel members between what we just came out of with the people that are, you know, on, on the you know, kind of public markets and talking about the Wall Street perspective.
In the same room or virtual room. In this case with the VCs, this was two separate segments and it's not like there was anything, you know, prepared between these, these two separate segments. And yet, and yet you had the same kind of enthusiasm. You had that same enthusiasm and, and you know, and you had that perspective of, because of the way the market is today, it, it's back to what it should be, which is, you know, VCs are not just throwing out money because you say you can do something with machine learning or AI
Things like, like I just throw out the term, automatically
There's a buzzword and therefore you'll get money, right?
Yeah. I throw up a concept, I got some architecture. Boom, here's several million dollars. Here's your seed. Go ahead, build something out. But what they're saying is there's a realization of value again, and, and what the founding team is coming forward with as this innovative solution that has been vetted out has to be vetted out because the other one's going to invest in them otherwise, in this particular given, So the expectation is you will see, and, and, and this has been proven in history. I, when we see down markets, typically that's when some really great solutions come to fruition. Right? Right, right. You have to be realistic in what you can actually create to deliver back as value to the organization that they're going to actually go and acquire.
Right? So that's why they're saying, yo, It's, it's really great from that perspective of I'm no longer throwing this money out there. The, you know, the, the checkbook is no longer open. that just says, because you told me that you're going to do something with AI or machine learning, or something that sounds interesting. The market has eaten it up. We're going to, you know, throw all these dollars at you. No. Prove it. Show me what you can do. And that, that's a great, innovative technology solution that truly solves a business problem that someone will be paying for. Yeah. And he actually has some customers. Yeah. You've got something there.
Right? So again, I think just the, the event and the timing of the event was very effective. The format of the event and the audience and the different segments and perspectives, I thought was a really nice balance. So, I came out of it very positively just hearing, you know, all of the things that, because you, you think like, you know, is it going to be this kind of, you know, ugly picture that they're going to paint of? Hey, it's going to be a bad.
No, but I, I, I like the balance you had there between the real-world practitioners of the CISOs. Mm-hmm. Here's what they're actually seeing and, and dealing with in the trenches. Right. Right. Where you also had, you know, the Wall Street bankers and what they're looking at and, and their view of the perspective of the market.
Yes. And as you said, the start-up view of the world. Yes. And we've had some folks on here that were, were talking about start-ups in this last year. It was the early half of the year, so I don't think they were struggling at that point. Mm-hmm. But it's nice to have an event like that that sort of gave you a well-rounded view of what's happening. And I, I think I, I guess what I'm walking away from the, you know, your perspective of the event and, and what they were representing is that things are looking good for 23.
Overall, it definitely was the, the consistent theme that, you know, that they feel that things are looking good overall.
Again, the CISO, you know, representation that was there was looking at it from the business perspective. Right? It's, it's not that even to them it's like, you know, no longer is this kind of an open check and we can go and decide whatever technology we want, right?
Which is healthy. I mean, it's very healthy.
It's healthy to actually have somebody holding onto their pocketbook and before they just open it up. That's right. You know, willy-nilly and, and give anybody that has a, a, a, some kind of wild hair idea. Yeah. So, hey Rob, thanks for sharing that, your perspectives on the event. I think we'll continue to do this kind of thing in the future, where as we attend or participate in these events, we'll, we're sharing with our listeners.
Virginia Wright discusses the concept of cyber-informed engineering.