Security Market Watch

Security Market and Vendor Health Analysis with Richard Stiennon, Founder of IT-Harvest

October 02, 2023 Josh Bruyning Season 1 Episode 13

Get ready for an enlightening exchange with seasoned industry expert, Richard Stiennon, as he uncovers the secrets behind his successful journey in the security ecosystem. Richard, the mastermind behind IT-Harvest, offers exclusive insights into the creation and operations of a data-driven analyst product that stands in contrast to Gartner as a beacon in the crowded security market. With a deep dive into his Security Yearbook 2023 and the exciting transition to Wiley for the 2024 edition, there’s much to learn from Richard's experiences.

The conversation heats up as we tackle the impressive task of categorizing and collecting data points for over 3582 vendors! Richard unveils the mystery behind vendor health scores and web traffic analysis, shedding light on the giants of the industry and debunking common misconceptions. We delve into the intriguing case of Microsoft, its revenue claims, and the introduction of Windows. Don't miss Richard’s expert commentary on the hurdles vendors face in database inclusion and the ambitious project of encompassing all global security consulting firms. 

We then set our sights on the role of artificial intelligence in security, with Richard arguing for a proactive approach towards security integration before adopting ChatGPT. He shares his views on risk identification and the importance of a threat-based security approach over a risk-centric one. We wrap up with exciting news about the launch of Richard's new book, and how to maximize the user experience on the website. Brace yourselves for a rollercoaster ride into the intense world of security market insights with Richard Stiennon!

Speaker 1:

Welcome to this episode of Security Market Watch, the show that goes straight to the source for market insights, and today we are with the man, the myth, the legend, Richard Stiennon. Richard, thank you for being on the show. Oh, it's my pleasure, Josh, thank you very much. Well, this isn't our first rodeo. We've done this before and we were on Cyber Chomps, and I encourage anybody to go, dig through the archives, wade through the internet and look for Cyber Chomps, and you'll find a conversation that we had just after you had published Security Yearbook 2022. Right, yeah, and I keep checking on Amazon for Security Yearbook 2023. Number one, it's not on Amazon, but I keep forgetting it's on your website. So I'd go to Amazon, I'd look for it and then I'm like, no, it's on the website.

Speaker 2:

And right here, yes.

Speaker 1:

And right there, you've got the entire.

Speaker 2:

So I noticed that as soon as we popped up.

Speaker 1:

Yes, yes, and so that's? Is that all 2023, or do you have some 2022, 2021, 2020?

Speaker 2:

Mixed. Then it's all 2023 there, the 2022s are on the floor over there, and then boxes again at the warehouse. The warehouse is where they're all stored, but I have to clear all of them out because I basically sold the rights to next year's edition to Wiley. Not sold, I just turned it over to them, and as part of that I have to agree to stop selling all the previous editions. So by April 30th you won't be able to get the historical editions.

Speaker 1:

Well, I've got a copy and I think it's. Did you sign it? You sent it to me. I don't think you signed it, but I need to get it signed.

Speaker 2:

Yeah, yeah, definitely. Next time I'm in Minneapolis, right.

Speaker 1:

Yes, well, let me know, because I would like my signed copy. It'll be worth millions in the future.

Speaker 2:

That's for sure.

Speaker 1:

Very few of them signed. Yeah. Well, you've been really busy with IT-Harvest, not just Security Yearbook 2023, which I really want to dig into, but let's, let's get an update. I see you on LinkedIn, but I don't think that we've thoroughly caught up. So, can you catch me up, can you catch our audience up? What's going on with IT-Harvest? First of all, what is IT-Harvest? Where are you now?

Speaker 2:

Sure, IT-Harvest is an independent industry analyst firm. I created it back in 2005, after I discovered that I shouldn't have left Gartner, because I really enjoy being an industry analyst, and it turns out, after several attempts at being an executive at security companies, that that's really all I'm cut out for, right. I'm not a good employee, but I'm good at being an industry analyst. So I created IT-Harvest to allow me to research companies and do public speaking and writing, all the things I like to do, and I've been doing that for 17 years. Next year, after publishing the third edition of Security Yearbook, I realized the data was in good enough shape that we could publish it online and make it available as a subscription, and that kind of was the beginning of this concept of a data-driven analyst firm. And what IT-Harvest is, but it's growing into it too, is an analyst firm much like a Gartner, where you can get advisory services from an industry analyst, but there's only one of us, there's me, instead of the 54 that Gartner has, or 12 or so at Omdia and Forrester and the rest. But I've got more experience than all the other industry analysts. I've been doing it longer as an industry analyst, and instead of just research reports, which of course, you know, I can produce them, but I can't produce that much content, instead of the research reports, I give you a tool to do your own research. And I think this is, I'm hoping this is the future of industry analysis: give people the tools, apply, you know, modern technology, AI and all the rest, to derive those insights for you, so that you can get your own insights.

Speaker 2:

You don't have to rely on, you know, the, well, I won't use the term ivory tower industry analysts, because Marcus Ranum used to call me that. It's not true, right, as industry analysts have a lot of great insights, but they can only have so many insights. And you take all the data in one place and you flip it around and look at it from a different view, you get different insights. So with a platform, you could have unique insights, not ones that are shared with all the other subscribers to a Gartner.

Speaker 1:

Sure, and you know, for this show, you are perfect. You are the perfect guest for this show, because what we do here at Security Market Watch is try to help people cut through the noise. There's so many, so many vendors, and I really want to get into that. You know, there's a question here that I posted on LinkedIn: is the cybersecurity market too fragmented? And most people, granted only five people replied, but five people voted, but four out of five, I can say, in a recent poll, four out of five people said that the security market is too fragmented. And so the approach that you've taken with IT-Harvest is brilliant because it's near and dear to something, you know, it is something near and dear to my heart, and so having you on this show is sort of, I'm going to call it an endorsement, even though you haven't explicitly endorsed it, because what we're trying to do is... Yeah, yeah, yeah.

Speaker 2:

Well, I'll easily endorse it. Come on, that's, you know, you have great guests, great content.

Speaker 1:

Thank you. Because what we try to do is sort of what you're also trying to do with technology, we're trying to do with media, but instead of going for tons and tons of data, which you have, just, I mean, your database is probably the most comprehensive database on the planet of security vendors, and so, you know, what we try to do, we don't have that much data, but what we can do is have really good conversations with vendors, with CEOs, with CISOs, and help security leaders basically cut through the noise, which is essentially what an analyst does. Yeah, yeah, totally.

Speaker 2:

Yeah, I see the, I think for the end user space, you know, CISOs and on down there's frustration because it feels like there are an infinite number of vendors and it's too confusing to understand them all. And I totally get that. I mean, I agree it's confusing. It's my full time job to not be confused, but yet I'm still confused.

Speaker 2:

The vendors, in their chase to be heard, tend to pile on new concepts like, hey, if everybody's really interested in this new shiny thing like zero trust, then that's what we are. Yeah, they end up all sounding the same, even though they've got completely different tools, and, you know, they can apply. It's like, what does that even mean? Why don't they just say, right on their website, we use digital certificates embedded, you know, in your device for authentication, you know, and so we're passwordless. What does that mean? Right, and even that, you're not passwordless, you've got a digital certificate. That's a really, really long password. It is, you know, it's based on the device you're on and you and all sorts of data, but it's still a long password. Oh, it could still be stolen.

Speaker 1:

Yeah, yeah, and you know, I think everybody's trying to differentiate themselves so much, and that's probably why the market's so fragmented, because with technology, you can take a patent and tweak it and you can say, well, we deal with passwords this way, you know, and then somebody else deals with it a slightly different way, and then they can. So is that, is that the problem? Are we, are we just creating fractals based on minute changes to patents?

Speaker 2:

Yet no, so we are the. What's causing this problem is real things, that is, the threat actors, right. So we, if everything held still, then we could see consolidation ultimately and we'd have a set of solutions and the winner would take all. But there's other things at play, and one is digital mercantilism, where all the countries are fighting for their own technology specializations they want to have. You know, security is now super important. So France and Germany and the UK all want to have their own security ecosystem. So they're encouraging investment. People do tend to buy local, right. It's.

Speaker 2:

There's a distrust. Ever since, you know, Edward Snowden revealed that the NSA is basically listening to everything from everybody, there's a distrust of all US technology, and the odd attempt by the US government to sow distrust of Chinese companies for the very same reasons, there's blowback, right? It's, oh, if we shouldn't trust other companies, then why should we trust Cisco for our telecom gear? Why should we trust Microsoft for our desktop operating systems? Why should we trust Google and AWS for our cloud infrastructure? No, let's build our own. So there will constantly be this effort to build companies, and I see it going on in Germany now. It's like Germany is coming up on having more security companies than Israel, and France is really... Yeah, they weren't even on my radar.

Speaker 1:

I always thought of, you know, when I think cybersecurity, I think Israel, Ukraine, Russia, North Korea, China.

Speaker 2:

Yeah, yeah.

Speaker 1:

But Germany's, and for companies.

Speaker 2:

You know, Ukraine has only got a handful, and it's basically Israel and the United States, right. Israel's got just under, just over a tenth of what the United States has. But you still won't hear of German companies, right, because German companies tend to serve German customers, or the DACH customers. So Germany, Switzerland, Austria. So that's that fragmentation that's there, and you know, so that's fine. You need somebody to sort that out for you. If you're in the US, you probably don't need to buy German technology, but they might have something that you need to look at. Mm-hmm.

Speaker 1:

Yeah, but even locally you need somebody who's gonna help you sort through that right, all that mess. Yeah, when.

Speaker 2:

It's like, this is what industry analysts are for: call them up. Yeah, I'll just ask them. Right, you know, they might not charge for the first call.

Speaker 1:

Yeah, yeah. Well, I hope that people would listen to this show and walk away going, okay, I know a little bit more about Ninja. I know a little bit more about Netlify. I know a little bit more about, you know, you can go back and go through all the episodes, and maybe when you walk onto that floor at RSA, you don't just, like, have a heart attack. Maybe, you know, you walk in already knowing, okay, I heard a podcast for about, you know, a half hour. I know a little bit about these guys. I'm gonna go check them out. Yeah, yeah.

Speaker 1:

At the end of the day we're trying to be hard to do that with 3582 vendors?

Speaker 2:

No, it's. Yes, yeah.

Speaker 1:

Yes, I was gonna ask you how many there were and I was gonna ask for a ballpark, but you gave the precise number.

Speaker 2:

Yeah, that's, that's the number we have in our database today. Okay, but we've got about 45 in our workflow too. I still have to categorize them. So that's, okay, my main job is to categorize them better, you know, category and subcategory.

Speaker 2:

We have 660 subcategories, and then the team, you know, fills out all the data. We're just, we're adding to the data points we collect every week. It's amazing. Now we have, you know, website visitors to the vendor's website, so you can track, you know, the kind of, their, how's their brand doing and basically, how's their marketing team doing.

Speaker 2:

We can watch some of this, add it to a health score, so you just kind of get a feel for, you know, if it feels like there's a buzz about an Okta or a Wiz, you know, you look at their web traffic, and sure enough, you know, it's up 10% month over month, so that would reinforce that for you.

Speaker 1:

Well, Wiz is killing it, and they really are. They're doing so well. Yep.

Speaker 2:

Yep, they really are. It's, yeah. Somebody just sent me an interview with Nir Zuk at Palo Alto, and I'm sure he's looking at Wiz going, man, you know, we got to watch out for these guys. So he's, yeah, he pretends that the industry is consolidating and there's only gonna be five big players at the end of the day, and I've heard that for 25 years and it's never happened. Right, we went from, there were 20 vendors when I got into it, and now there's 3500.

Speaker 1:

Well, all the big players. If you were to put all the big players today, how much do they, how much of the market do they account for, percentage-wise? Yeah. So like the Microsofts, you know, it makes sense.

Speaker 2:

Microsoft's a good player? Really? No. Who's the biggest player? Well, the biggest standalone player is Palo Alto, no question, in revenue. Accenture is slightly bigger in revenue and yet you never hear about them, because that's the consulting services, right.

Speaker 1:

Yeah, they're more services, yep.

Speaker 2:

Yeah. So, you know, let's address Microsoft, right? So Microsoft's claims, and I think they're up to claiming they're at 20 billion in revenue, that's just not the case, right? Microsoft never comes knocking on anybody's door and says, would you like to buy, you know, some security? Right, they certainly have a big business in Active Directory, which is, you know, the core of identity and access management. They do own that space and they do charge for it. All the rest, Windows Defender, that's just free, and you can't say, because it's part of our contracts for endpoints, that that share, you know, it's just funny money to say that part of that is security business.

Speaker 2:

So yeah, not a security company. What about their enterprise? Mmm, it would be unjust for the company who caused the security issue to all of a sudden see it as a major profit center. This is crazy.

Speaker 1:

Yeah, we've got holes in our OS, but we've got Defender to protect you from the bad guys coming through the holes. That's right. That's right. What about their enterprise wing? You know, don't, don't they sell a lot to businesses?

Speaker 2:

Yeah, they sell a lot to businesses, but not in what we think of as enterprise, right. It's, you know, you have to have Microsoft, right, so they set the terms, and maybe if you're a big enough company, you get to negotiate those terms, but otherwise you just, it's just like going to Salesforce. You're just signing up on their website.

Speaker 2:

You know, we need another license for Windows, and, you know, which of the licenses are we gonna buy. And that's it. They get to leave it. That's, you know. That's right. It's always funny when, you know, Microsoft, Google, Apple talk about getting into enterprise sales, and they don't know the first thing about it, right, they never have. They've always been consumer first and they work their way into the enterprise through the consumer door, and totally ruining our IT infrastructure forever, and part of Microsoft's right. But then we used to have this great diverse computing world, right, there were mainframes. There were, you know, a dozen Linux, Unix-based workstations and servers, and Microsoft came along, just undersold all of them with Windows NT, and displacing all these great, you know, multi-tasking, multi-user operating systems for an operating system that can only do one thing.

Speaker 2:

So you need to buy multiple copies of the operating system and run it in VMs in order to get the same capacity as the traditional Unix machine had.

Speaker 1:

Yeah so. So going back to the fragmented market, actually, before that, I have a question that's been buzzing around my head and that I just want to get out of the way, because it's just it's, it's a, it's a busy bee in my head. So when there's a new company, there's a new organization, a new vendor, how long does it take from that company being a thing, an entity, to being in the IT Harvest database?

Speaker 2:

Well, once we discover them, it takes four days, and that's just the process that we have. To be discovered, they have to, you know, they can reach out to me. That's the easiest way. Or if any of the 33,000 people I follow on Twitter do a startup, then I know about that because I see it. Not Twitter, LinkedIn. They quite often reach out to me on Twitter first because I've got the following, so I've got all that. We'll find them as soon as they go to a conference anywhere in the world, because we're checking all the conference websites and sucking down the vendor participants, checking the ones we don't have. But there are many, you know. Once a week I find a vendor that's been around for three or four years I never heard of. Oh really.

Speaker 2:

Yeah, so generally they pivoted into security, right. All the data discovery companies and backup and recovery companies are all under the radar, yeah. Or they'd say, oh, we're anti-ransomware because we do backup, so I would have covered them before. But once they start messaging around it, then I do.

Speaker 1:

So do companies generally want to be a part of the database, or have you faced any resistance?

Speaker 2:

Oh, yeah, they do. They really want to be in the book, right, because the database generates the book and it's nice to have your name recorded for all history in a history book.

Speaker 2:

So yeah, there's no resistance. The only resistance is when I categorize them somewhere that they don't think they are. So far, the database is totally made up out of open source data. The vendors have not contributed anything to it, so I don't have to deal with vendors lying to me, as you do if you're a Gartner or something like that. You've got to filter all the stuff they tell you in these big spreadsheets to make sure that you understand when they're lying and when they're not. I don't have to do any of that.

Speaker 1:

Oh, I've never thought of that. That's a whole... Man, that must take hours.

Speaker 2:

Hours, and you have to be kind of savvy. You know, smell it, and then remember what they told you the last time you talked to them and asked them the same question.

Speaker 1:

What kind of things do they lie about? What do they, you know, they come to you and you think that they're going to be.

Speaker 2:

Yeah, I can give you an old example. So we were doing the Gartner Magic Quadrant for managed security services in North America, and we thought the biggest one was ISS, which was what eventually turned into IBM's managed services. So my question for each of them was how many, you know, back then it was managing firewalls and IDS devices, so sensors, right. So I would always ask them, how many devices under management do you have?

Speaker 2:

First time I asked ISS that, the PR person I used to work with at the company that ISS bought, so, you know, I had a good relationship. So I just asked him. He said 1500 devices, and wow, okay. And then he left, moved on somewhere, and a year later they had a new PR person, and I asked that person and he said 1100. And then the CTO quit and went to work for a competitor MSSP. So I went up to see them in Boston and I asked, I told him that ISS was claiming 1100. He says, oh, that's crazy, we never had more than 500. So, oh, wow, yeah, this is, this is a small community and you can't get away with crap like that, right. Eventually that kind of thing is going to come to bite you.

Speaker 1:

Right. So are those all billable hours? When you're just going from this person to that person, trying to gather the truth? I feel like that's... No, it's, no, not at all.

Speaker 2:

It's just part of an analyst's job to do that Right.

Speaker 1:

Okay, so they're not getting paid based on how many hours they bill? No, not at all.

Speaker 2:

Okay, yeah.

Speaker 1:

So that's a great thing about the analyst firms.

Speaker 2:

You know, industry analysts give you advice, like a consultant does, but they don't. You know they don't. You just ask them. If you're a subscriber, right, so you've already paid up front for the service and you just ask them. You know, should we do this, should we do that?

Speaker 1:

Well, the founder of Trend Micro.

Speaker 2:

Once, back in 2001, every single vendor was creating their own firewall, and he's in a meeting with his new marketing team out west, and he came into the room for five minutes and he just said, I just want to know, should we have a firewall? And I said, hell no. And he said, look at everybody in the room. He said, I told you so, and then he left. And then, you know, whereas ISS had a firewall, and everybody created their own firewall eventually, yeah, everybody in the market.

Speaker 1:

It's like Oprah, you get a firewall, you get a firewall, everybody gets a firewall. Exactly. Oh man, well, it's kind of.

Speaker 2:

It's kind of interesting, because you're now a vendor yourself, so is IT-Harvest, yeah, is IT-Harvest in the book or in the database? Do you keep tabs on yourself? No, because so far I don't create, I don't have a technology that I'm selling, right, so, so I'm not a security solution. If you, if you pay me a bunch of money, I couldn't make you more secure, right, with my technology, which is, you know, a database. So we're more like a Dun & Bradstreet or Standard & Poor's or PitchBook for cybersecurity data.

Speaker 1:

Yes, I could see that, great, yeah. So even if you, you know you are a vendor, but even if you wanted to, you couldn't include yourself in the book of life. So that's right.

Speaker 2:

So maybe I could, because we have a new subscriber who is very, very interested in services. So over the years I've, I've always said, it's just too big, I can't handle all the consulting firms out there, right, and the only reason I've got the PwCs and Capgeminis is they have MSSP businesses, so we do cover those. But we agreed to kick off a project to capture all the security consulting companies in the world and track them in the same way as we track all the vendors. So that's interesting. It's going to be really a demonstration of whether or not we can expand. You know, now we've got our processes in place. I mean, it took me, you know, four or five years to get to the point where we know how many vendors are in the space and we've got all this data on them, over 120 data points on each one. It's taken us that long, but now we'll see if I can add a whole new category in three months. So, sure.

Speaker 1:

So that would entail going from being a sort of database to. Would you be comfortable calling it a consulting firm at that point, if you're adding services onto it?

Speaker 2:

No, so what I meant was we are going to track the data on all of the services companies, so it doesn't change our model at all.

Speaker 1:

Just expands it Okay.

Speaker 2:

Okay, yep.

Speaker 1:

Thanks for clarifying. Yeah, I was thinking that you were, that you were offering services, not tracking.

Speaker 2:

Yeah, we're not going to not going to offer services.

Speaker 1:

Okay.

Speaker 2:

Good.

Speaker 1:

Good, good. So how many, how many companies were added to 2023? From 2022.

Speaker 2:

The net was up by 400. Oh wow, 2800. So is that kind of a?

Speaker 1:

hockey stick sort of growth. Do you think this will be exponential or is there going to be?

Speaker 2:

Yeah, it's going to flatten out, it has to right, because they're not being created at the rate of 400 a year, I think, if you know more closer to about 100 or 120 startups that are created every year. But it still takes, you know, can take up to two years to discover them after they've launched. So even if they have a website and a LinkedIn page, I may not find them. Sure, once they get the first funding, then well, everybody knows about them. If they show up at a conference, then we've got them.

Speaker 1:

Well, 400 ain't bad. I feel like it's going to hit critical mass at some point. If there is this huge collapse, or chunk, a chunk collapse or what is the word, let's just call it a collapse, a crunch, a big crunch, you know, sort of like the submarine. Too soon, maybe too soon. Yeah, very too soon. Yeah, maybe too soon.

Speaker 2:

Well, if you think about it, the opportunity for that leveling off was when the Silicon Valley Bank collapsed and all of the venture backers started to withhold funds, right, and were, you know, at the very least, you know, wanting everybody to stretch out their runways, stop spending, stop hiring, start firing people. There are quite a few that couldn't get any funding and ran out of money.

Speaker 1:

We'll start.

Speaker 2:

We'll have a better feel for that coming up here. But there's just one company I was tracking today and I had mentioned it. It came up in one of the searches I was demoing and somebody said I think that company's out of business. Sure enough, you know, they had 80 employees and they just shut the doors. That's pretty drastic. We hear that story a lot more in coming months.

Speaker 1:

Really so. Do you think that that may support the crunch if there is a consolidation, if there's a point when all the companies, the big companies, just gobble up everybody?

Speaker 2:

No, not going to happen, because big companies will suffer too. As a matter of fact, big companies fail very, very often. Look at Symantec, McAfee, CA, it just goes on and on. Those guys owned the space. 20 years ago they were the big ones. They were consolidating the industry. They just totally failed to execute on that. Now, mind you, the investors made money, the private equity made money, all the banks made money, but a lot of people got left with less than they had.

Speaker 1:

Right, right, all right. So in the little bit of time that we have left, let's talk market trends. This is Security Market Watch and you're Richard Stiennon. So I have to ask, it's on everybody's mind, it's just eating us up. What is the new buzzword? What's the new thing? You mentioned zero trust. I think zero trust was the last one, or maybe even risk is getting thrown around, but I feel like it's when you have a lot of hype and you can't live up to it, and risk is having that experience. I think these days, everybody's talking about risk, trying to quantify risk. The insurance companies are talking about risk, and it's a very slippery thing. You can't nail it down. So, if not risk, what is the new buzzword? What is the new thing that you think is way overhyped?

Speaker 2:

Way overhyped. Certainly, artificial intelligence is way overhyped, no question, as applied to security. As applied to the broader world and the things it's going to do, not hyped enough. Right, it's game changing. Our lives are going to change forever thanks to artificial intelligence, just what we've seen so far, not the promise for what could happen. But I think the security concerns, or the concept that you have to start building security in before you can let your employees use ChatGPT, that's ridiculous, just stupid, doesn't work that way. You share information with Google today. You don't tell your employees not to Google the technology they're using or the help questions they have.

Speaker 2:

Google knows everything about you already. So, yeah, OpenAI is an unknown element, but they just launched an enterprise license. It's going to have a contract that specifically says they will not use your data to train their models, if you're afraid of them using your data to train their models, as I am, completely, right. We use AI. We use ChatGPT. We pass off all the companies to ChatGPT and ask it to extract information from the company's websites. It takes three or four different tools we've got to put together.

Speaker 2:

There's no way that I want OpenAI to know the 3,500 cybersecurity companies and their categorizations, which I've done myself. I'm the only one who could do that. If we said, hey, here's all the companies and their categorizations, then ChatGPT could eventually incorporate that in GPT-5. So we obfuscate the data. We say, company MD5 hash here, give us all this information about it, and it comes back and gives us information. We replace the MD5 hash with the real name and we've got the data. Anybody can do that. It's the simplest thing in the world when you're using GPT. There are some tools.

Speaker 1:

Is this scraping the internet or is it? Sorry, I didn't mean to cut you off, but I did.

Speaker 2:

It does not, but there are tools that are scraping the entire internet.

Speaker 1:

Okay.

Speaker 2:

Okay.

Speaker 1:

Because I was wondering, if you're using ChatGPT with the limitation, it only goes back to 2021?

Speaker 2:

Is there a version that it goes up to?

Speaker 1:

2021. Goes up to 2021, sorry, so are you looking for companies or information on companies up until then and then beyond 2021, are using a?

Speaker 2:

different technique. Yeah, so we don't ask ChatGPT to discover data for us. We've got another tool that does scrape the entire internet, and we ask them to give us the entire content of the websites of 3000 vendors in JSON. So it structures all the content of all the websites. Now we've got JSON blobs which we pass to ChatGPT, and we say, for each company named for the net, extract all of its locations, partners, key executives, products, product descriptions and product features. So that is, we're using GPT for what it's good for, which is understanding language.

Speaker 1:

Okay, so how much time do we have? Do we have five minutes? Absolutely yeah this is fun.

Speaker 1:

Okay, all right, I know, I just, like, okay, I'm going to totally nerd out here, but you're like my hero because I'm an industry junkie. We talked once and I asked you how do you become an industry analyst? And you said, well, first you said, read my book. So Up and to the Right, I read Up and to the Right and I read Curmudgeon, and I've been trying to, like, I have my own way of doing it, but I'm an industry junkie. I wouldn't call myself an industry analyst, and you know I don't want to dilute the profession, but you know I look up to you. So, anyways, I just had to nerd out there for a second.

Speaker 1:

So we talked about the trend of AI. So AI is maybe not as hyped as it's purported to be, but that's probably, it's probably a giant. So you know, it kind of eats itself in that way. Anything else? Let's talk, maybe, about risk a little bit. Is risk truly one of those areas where we're going to see sort of a peel back, where organizations are not going to seek to quantify cybersecurity risk as much as they've been doing? Where's the market going there?

Speaker 2:

Wow, interesting question. I haven't seen any signs at all of the market backing off of risk. I've been trying to get it to do that for 20 years. I think risk is immeasurable, unquantifiable and meaningless, so you shouldn't do it. You shouldn't just, you know, if anything relies on risk for your calculations, what you're doing is, you shouldn't be spending money on it. You should be spending money on stopping threats. Right, you should identify threats, the closer you can, you know, the more in advance you can identify them, the better. Some people say, well, that's risk, isn't it? Well, no, you know, it's a threat when, everybody, if you're a casino operator in Vegas today, right, you always had the threat of ransomware and people attacking you and all the rest. But today you've got, the threat is much more real, right, as the threat actors are going to move from MGM to Caesars to, you know, everybody, because it's paying off for them, and that's, I call it, a threat-based approach to security. You know, just, it's, sure, and that's not the same as risk.

Speaker 2:

It's not the same as risk at all.

Speaker 2:

So my best model is, look at the President of the United States, who usually has a daily briefing from the national security community, led by the National Security Council, and when they get in a room with them, they do not talk to them about risks. They don't come in and say, well, you know, we've done a complete scan of all of our bases, 256 military bases around the world plus the 270 embassies, and we found, you know, 14 embassies that had backdoors without cameras and a whole bunch of military bases where the trees had overgrown the fence line so people could climb over.

Speaker 2:

That's risk management. Right, that would be, you know, hey, we've got this many vulnerabilities and these are riskier than the other ones, so we've got to do something about it. No, what the briefing starts with is, hey, al-Qaeda in, you know, in the Middle East is doing this, and this threat actor group is doing that, and they're chatting about possibly doing this in the future. That's the threat-based briefing and actions that the President makes decisions based on. That's what we should be doing for our own IT systems.

Speaker 1:

So you're saying the next buzzword is threat. Yeah, well, it may not. Well, I wouldn't call it a buzzword, because I think you're absolutely right in that it is probably the best way to look at problems from a security standpoint.

Speaker 2:

Yeah.

Speaker 1:

Yeah, yeah.

Speaker 2:

It's just like, well, it's hard to get away from military metaphors, right? And

Speaker 2:

that's, you know, we talked about cyber warfare, and we like to think that people in our SOC are like a, you know, platoon battling against adversaries, and maybe it is a little bit like that. And once again, that's, you know, when you're on the battlefield, nobody's sitting there calculating risks, right? It's, yeah, when you make a difficult decision, the decision maker is balancing their intuition with the knowledge that they have and all the rest. But better to have the spy agency tell you what the adversary's intent is, based on data, than it is to flip a coin.

Speaker 1:

So if we were to go with, I'm going to play devil's advocate here a little bit, because I feel like risk is just this, I mean, cybersecurity is already nebulous and philosophical, and risk takes it to another level. And so, to make sense of it, is it safe to quantify, to define risk as the likelihood and the probability, and probably how much you're going to lose if it's realized, the likelihood of it happening, the probability of it happening and how much it will cost you if this risk were realized? Is that fair?

Speaker 2:

That's fair, that's fair.

Speaker 2:

And the trouble is, you, nobody, with all those models? If you look at FAIR models, et cetera, and then you look at some of the biggest cyberattacks in history, the costs far outweighed anything that was ever estimated. Right, the cost for a lot of cyberattacks is the entire value of the organization. Right, the market cap, because the stock goes to zero, the salaries of all the employees, because the company could go out of business.

Speaker 2:

Those are the existential risks, and you can't, you know, those are not scorable, because they're quantum states of, you know, nothing's going bad or everything went bad at once. It's, you know, I'm influenced by Nassim Taleb's books on risk, because he takes the same approach I do towards markets, and he criticizes the concept of risk management in stock trading. Right, and it's, you know, and he uses the metaphor of the turkey. Right, if you went on what happened for the last six weeks, every single day the turkey wakes up and he gets fed and wanders around and he goes to sleep, and that's great. But the day before Thanksgiving is different than that, and the turkey could not have predicted it from what went before.

Speaker 1:

Right? Oh yeah, that's, yeah. So the turkey can, you know, if the turkey was looking at risk the way we were, I'm going to get off on a tangent on this turkey thing because it's great. The turkey doesn't know that. The likelihood is 100%, I guess. The probability is, well, so it'll happen. One day out of the year you're going to die, so the impact is severe. Right, exactly.

Speaker 2:

Yeah.

Speaker 1:

Yeah, interesting. Yeah, so turkeys don't do risk management? If they did, maybe they'd know that. But certain things don't change. You know, I'm, car accidents, you know roughly when people die, those things are very, car accidents do change, right?

Speaker 2:

During COVID they dropped dramatically because we stopped commuting to work.

Speaker 1:

Yeah, and I guess nobody.

Speaker 2:

Mm-hmm, we showed the real cost of commuting and working in the office is, you know, right, I haven't seen the numbers play, so I haven't seen the numbers yet, but yeah. Wow, yeah, just going to work, just getting up and getting in your car and going to work is a huge risk.

Speaker 1:

I guess your insurance does calculate. They do ask, you know, how many days a week do you commute, so they know that. Right.

Speaker 2:

They take that into account, yeah.

Speaker 1:

Right.

Speaker 2:

And you can do that with things that respond to statistics. You know, so weather and accidents, and, you know, trees falling over, those are, you know, if you have enough instances, then it can be statistically analyzed. It's a little harder to statistically analyze threat actors, because that's more of an economic thing. Exactly, it's more of a market, right, because, like a stock market, you've got very, very, very smart people trying to figure out how to steal their next million dollars and innovating and developing on it, and that's, you know, Wall Street has yet to figure out how to predict that.

Speaker 1:

Yeah, that's a crazy model if you think about it. I mean, I have friends who trade stocks and futures and, you know, forex and all that, and they can swear up and down. They're like, I'm not gambling, like I know how to predict the risk, I know what I'm getting. I'm like, dude, you're delusional. So that's the same thing we're doing in cyber.

Speaker 2:

When you gamble, you can limit your risk by limiting your exposure, right? I always think, hey, look, I can calculate probabilities at the craps table. That's my game.

Speaker 1:

Mm-hmm.

Speaker 2:

And then, you know, so, at any one time, if a seven rolls after the game's been going for a while, I mean, I'm at risk of losing all the money I've got out on the table, except the money on the come line, which I get back. It's easy to quantify, and that's, I mean, that's risk, and you can't do anything like that with, you know, when humans are involved in making decisions about whether they attack you or somebody else. Right, there's this tool called It's Safe that a buddy of mine invented.

Speaker 1:

I don't think it's even on your radar yet.

Speaker 2:

I think so.

Speaker 1:

It's Safe. Yeah, their approach to risk reduction is very interesting. The philosophy is, if you reduce the company's footprint on the internet, then you reduce the risk of an attack, so it's primarily a threat mitigation tool. Yep, you know, it's a proactive threat mitigation tool. So an attack surface management kind of thing.

Speaker 1:

Nope, so it's not chasm, it's not any kind of attack surface anything. So the closest that it would come to is probably an IPS, with the exception that it mitigates any kind of threats that it detects. So if you've got malware in the system that is tied to an IP address that's anomalous, it will block it. Oh right, so that way, what they do is they basically reduce, you know, the footprint of the company on the internet, because it detects basically where it's not supposed to be, where it's not supposed to ping, and it closes that circle to something more manageable. Therefore, it's just like taking a big chunk out of any risks that would apply to intrusion or detection.

Speaker 1:

Really cool stuff, really cool tech. Very cool, yeah, and you know, maybe that's the future of risk, maybe that's the future of, if you can't quantify it, and it's really fuzzy and it bounces everywhere, just limit your risk or limit your internet footprint. Yeah, yeah, limit, how, yeah, anyways, all right, well, Richard, I appreciate your time, and you're always gracious enough to spend some time with me and let me, you know, sort of just shoot the breeze on this industry stuff. But I'm always happy when you stop by. Fantastic.

Speaker 2:

Thank you so much, Josh. Thank you, and everybody,

Speaker 1:

thank you for watching this episode of Security Market Watch. And, Richard, where can people find you?

Speaker 2:

Yeah, look me up on LinkedIn. My website is it-harvest.com, and that's where you get the book and get access to the dashboard as well.

Speaker 1:

So, everybody, if you want to cut through the noise of cybersecurity, if you're trying to buy cybersecurity solutions, first watch Security Market Watch and get IT-Harvest, and by all means pick up Richard's book, Security Yearbook 2003. It's going to be out. What's the launch date? What's the official?

Speaker 2:

2023 was launched right before Black Hat, so the actual launch was at Black Hat. So it's out. I'm confused.

Speaker 1:

I went to your website and it said I can pre-order it.

Speaker 2:

No, that's my fault, my fault.

Speaker 1:

Oh, okay, so anybody, if the website says that you can pre-order, you don't have to listen to the website. You can just order it, and you should.

Speaker 2:

All right, thanks everybody.

The Fragmentation of the Security Market
Vendor Database and Market Analysis
Tracking and Growth of Cybersecurity Vendors
Artificial Intelligence and Risk in Security
Confusion Over Product Launch and Pre-Orders