[00:00:00] Speaker A: All the trends are overshadowed by the impact of AI security. Two main branches, it's security for AI, so all the ways to protect your company from people leaking data to AI. All the ways for, you know, to protect the models so people don't try and inject through prompts to pervert them in some way. That's one half of it. The other half is AI for security.
How do we use AI to improve our security processes? That's, to me, the most exciting part because the one is, okay, new technology, new attack surface area, new methodologies, yeah, we got to protect that new thing. But the other is, oh, my God, this is changing everything.
[00:00:49] Speaker B: This is KVC as a primary target for ransomware campaigns, security and testing and
[00:00:56] Speaker A: performance
[00:00:58] Speaker C: actually automatically take that data and use it.
Joining me back on the show is Richard Stearnan, chief research analyst at IT Harvest. And today we're discussing why AI security will define the future of digital defense. So, Richard, thanks for joining and welcome back.
[00:01:17] Speaker A: Oh, thank you so much, Karisa.
[00:01:19] Speaker C: Okay, so it's been a little bit of time since I've had you on the show again, and I think we discussed this just before we started the recording.
You've got an interesting background. I really enjoy talking to you because every time I talk to you, you just, it really like my head always nods and like you get the space. So perhaps I really want to start with your view as of today.
Give us a little bit of a lay of the land and maybe talk through at a high level what you do so people can connect the dots. But I'm curious to see how you see the landscape today.
[00:01:49] Speaker A: Okay, good. Yeah. So it's easy to think of me as a industry analyst, right? I'm former gartner and then it. Arbus is a firm I founded over 20 years ago.
But unlike any other analyst firm, I want to cover the entire space that I'm responsible for. In this case, cybersecurity. There are over 4,000 vendors in the space, and big analyst firms tend to just look at the big vendors because their big customers only buy from big vendors. But to me, the interesting things go on at the startup level. So I try and identify companies as soon as they launch, as soon as they have a webpage, as soon as they have a LinkedIn page, they're in our database. And then I'm tracking them. They start with two employees based on LinkedIn data, and they grow to 50 in the same year. These guys are doing something.
They either got funding that they haven't told us about or they've got a product that people really want to buy. So that's how I identify trends in the space.
And the trend today is just overshadowed. All the trends are overshadowed by the impact of AI Security. And AI Security is two main branches. It's security for AI, so all the ways to protect your company from people leaking data to AI, all the ways for, you know, to protect the models so people don't try and inject through prompts to pervert them in some way. That's one half of it. The other half is AI for security. How do we use AI to improve our security processes? And that's to me the most exciting part because the one is, okay, new technology, new attack service area, new methodologies, yeah, we got to protect that new thing. But the other is, oh my God, this is changing everything.
So since I started covering AI security as a separate category, there are now 354 vendors that fit into those two major branches that I just told you about. I've only been tracking the space for just over a year last year when sometime in April, it was the first time I said, wait a minute, if AI is really growing as fast as it is, which it is, right. AI did double the foundational models, double in capability every two and a half months.
That's what the 10x every year translates to.
So no matter what, if you think AI is horrible today, it can't do anything and hallucinates whatever, two and a half months from now, it's going to be twice as good at it.
So half the number of hallucinations if you prompt it properly. And we're just not used to thinking at scales like that of things doubling every two and a half months. And that's why I started looking really, really closely at this space because it's going to be really exciting.
[00:04:44] Speaker C: So a couple of things that I'm curious to understand.
4,000 vendors, I mean, there's maybe slightly more, maybe slightly, maybe not less, but there could be more. But do you think that's a lot? And I asked this because given what you just said around the whole AI piece, there's more. And I know we're going to get into some of the numbers around how many more you've seen in recent times. But is that a lot?
[00:05:08] Speaker A: I don't think so. You know, when I dig into may seem like a lot, right? There's over 200 SIM products on the market from like 130 vendors. It may seem like that's too many. You know, we need Splunk and a couple competitors. Why do we have so many? Well, there's regional differences in buying patterns.
People in Germany don't necessarily want to buy us technology ever since Edward Snowden or, you know, there's just different needs for all. The GRC is the biggest category of products out there and that's because there are different needs in different regions for, you know, governance and compliance.
So no, I don't think it's too many. And, and I welcome the. Typically, traditionally there's about 220 startups launching every single year.
[00:05:58] Speaker C: Yeah, that's interesting because I was thinking strokes of different folks, right? Like a smaller company doesn't need a full blown spunk capability, it's just overkill. So why are people out there saying, oh, it's crowded space, Richard, oh, I can't get a deal over line and there's 50,000 vendors trying to go in after this size. I mean, you hear a lot of that. So how does that sentiment sort of sit with you then?
[00:06:17] Speaker A: Yeah, on the CISO side, when the CISOs complaints, I just see it as whining, frankly. They complain because there is a well established way to make sense of any market and that's to turn to industry analysts whose full time job and passion is understanding the market. So they, you know, there's no way you are going as a CISO who's presumably super busy going to meetings discussing security and policies and risk registers and all the rest of the things CISOs have to do. There's no way that you can be an expert in the cybersecurity industry. You have to seek outside guidance and you'd be well served going to Gartner, you should be well served going to Forrester for that guidance and, or you know, advertising myself, or come to a niche industry analyst that can help you. And our data of course is just a stab at that. Right. It's like so simple. You want access to our data, then you can start to understand the whole space. Cause you see the whole space and you can slice and dice and, and sort it and create your own research.
[00:07:23] Speaker C: So one of the things you said before, seek out guidance. Now I'm just going to speak anecdotally because obviously I speak to a lot of people in the US market, Australia, uk, et cetera. People nowadays are probably wanting to either do a, their own reconnaissance on a tool or a product or service, for example, and you know this.
I've also seen a bit of a decline in perhaps an affinity to the larger research houses.
What are your thoughts then towards how people are approaching getting guidance in the market today, yeah, it's changing.
[00:07:58] Speaker A: I hear from mostly people who are not, you know, seed holders at the Gartners of the world who find a lot of value in just querying ChatGPT or Claude or Gemini or Perplexity, any other favorite AIs.
And you get extremely good results when you say, hey, you know, we've got Sentinel One, but we want to seek alternatives because we're not happy with this feature.
And ChatGPT will give you great answers, you know, really great guidance to explore. It won't give you the personal experience of an industry analyst who's been there, done that, or has talked to clients that have been there, done that. So qualitative difference between the two. But for speed, responsiveness, immediate, which is how we all work today, we want the answers now. We don't want to schedule a call with an analyst for three weeks from now. I think that's right. Now, the challenge that the Gartners face is that people are finding that they can get good enough answers from ChatGPT.
[00:09:06] Speaker C: Okay, I want to go into this a little bit more because this is where it gets interesting and this is the shift that I'm seeing.
So my first question would be with Gartner and friends, with the speed you mentioned before and the responsiveness, some of these reports can take like a quarter or even longer. Right. So where. How does that. Because things change, like day to day, minute to minute. I know some in media, like one minute, like every day. Why I like the space is every day something's going on, something's changing. So how, when a report is distributed in the market, how is that then relevant to when you read it?
Sort of. Even if it's a month later, how does that sort of sit then?
[00:09:42] Speaker A: Yeah, if you follow super large vendors, the report's pretty accurate six months later. Because super large vendors, I'm talking CrowdStrike, Palo Alto, Cisco, they don't change. Right. They're the same thing today as they were last year.
The thing that's changing is that they're acquiring companies, but they're acquiring companies that don't have magic quadrants about them. Right. So from the perspective of the analyst who's creating the quadrant or the wave, it doesn't change anything for their upcoming report. So it can stay pretty consistent that way.
Maybe that's one of the reasons that they don't cover what they term dismissively emerging technology.
Because it changed so quickly. A report that takes six months to generate would be out of date when it was published. And yeah, case in point. So I'm writing the biggest market research report ever created in cybersecurity and it's a complete report on all.
What's the number? Which we just updated 354AI security vendors.
So a couple paragraphs on each vendor and then my analysis. On top of that, it's going to be published in book form.
It's so difficult to do because we add two new vendors a day. When do I stop to publish the book? Luckily, acquisitions don't happen quite that fast yet. But at some point I'm going to stop and then there'll be a chapter in the back for vendors added after the designer got their hands on the manuscript. To get this book out the door, no matter what, the book has to be available at RSA conference in March.
But that's case in point. This is the fastest moving. Not only is it the fastest growing segment in security ever, it's the fastest moving. Right. So things are changing and AI governance vendors are discovering that, you know, there's demand for guardrails and the guardrails. People realize that they've got to be able to do the discovery of where people are using AI, which puts them in the governance. So those guys are already merging or converging in capabilities.
[00:11:49] Speaker C: So our next question would be going back to someone type something in. I mean this is an arbitrary basic example, top seams in the space, right? And then it's obviously gonna pop up. Bunch of responses. One of the things that we're noticing even in media is a shift and forgetting about perhaps website traffic and more about dwell time. So what I mean by that is if you do content placement as a vendor across media sites like mine and other places, means that you're gonna be feeding the LLMBs. Now journalists in the space hate this. However, it's going back to the behavior of how the consumers are wanting to understand information. Like I said before, speed, responsiveness. They just want to get a high level picture and then perhaps go and do further reconnaissance whether it's through a platform or elsewhere.
So do you think that vendors perhaps need to change their view on how they're going about marketing? Yes, is a broad, sweeping sort of term. But how they're getting is what we call reference media references, whether it's on your side or Gartner or and to some degree ours. And we're changing this to feed that even more because we want our site to show up when it's asking about top seams, for example. Not in the same way an analyst firm like you would go into it, but it's about getting that high level awareness, at least that's feeding the LM. So then you're showing up potentially as the top 10.
[00:13:12] Speaker A: Yeah, yeah. Okay. So things are changing really fast. We track the number of website visitors to every security vendor month to month and in the last several months every single one of them has had significant drops in web traffic. That's because people are going to LLMs first and relying it. So LLM is a single source that's giving them what they need.
So it's your. All the investment in SEO over the years is falling by the wayside because as one really smart marketer explained it to me, LLMs are not interested in keywords like Google is, they are interested in ideas.
So very important to be promulgating all of your marketing material in such a way that you're one. Yes, you're providing data, not the keyword stuff because the LLM knows what it's looking for, but the ideas that go around the data and the interpretation of the data and then you've got some hope of being discovered by the LLMs in reference.
[00:14:15] Speaker C: And then I think I was speaking to a marketing person the other day about this and they were like, oh my gosh, had no idea. Then going back to one thing I think to pay attention is, would be dwelt on. Dwelt on meaning how long someone's on your site for. Because again you chatgpt, they found out top 10 seams site comes up, then they're going to do a little bit more research. Then maybe they hit up, you know, your sort of platform and do a little bit more. Is that the way do you envision moving forward at a high level?
You see people in the market perhaps across the world, finding new products, understanding a little bit more about new products. Is this the way that you believe people are going to do the recon?
[00:14:53] Speaker A: I do the.
You know. And if you're monitoring it, when a LLM comes to your website, the dwell time is fractions of a second. Right. It just gets the data and it's done. And it might click through a bunch of links too, but it's still in seconds. I was doing some. Oh yeah. I have to officially identify myself to the UK government because I'm a director of a company there. I asked ChatGPT to help me debug an issue with the UK government's app that does NFC scanning of my passport and it found whatever resource somewhere, but it must have hit that page for an eighth of a second before it gave Me guidance on using an iPhone instead of a Samsung, that kind of stuff.
That's what's going to be going on. So dwell time is going to be meaningless.
It's the connections, page views those matter still because the LLMs are doing it. LLMs and their extension agents. Right, because they're using agents to do that as well. Everybody who's getting things done, it's going to be a completely new world.
We're used to asking Siri questions about time of day instead of stopwatch. Stuff like that's going to extend to all of our research and product decision support practices.
[00:16:14] Speaker C: So going back to Your comment, around 354 AI security startups, I believe, is that correct?
[00:16:22] Speaker A: That's correct.
[00:16:23] Speaker C: So tell us what's going on with them. Is there something that comes to mind straight away? Anything you can sort of see from an analytical perspective that you can share?
[00:16:31] Speaker A: Yeah, you know, I first wrote about them on my substack in April and it was the substack was Inspired by this AI 2027 report that came out of a group in California and it was way over the top. It's like, you know, it took a second to grasp what they're aiming at, but it's scenario planning. And the scenario is, you know, what happens when AI agents are used to do AI research and that, you know, so they did that planning and they recognized that most of the foundation model companies, OpenAI, Anthropic, Google, were starting to use AI agents to, you know, come up with new algorithms and do new testing of learning models.
In other words, artificial intelligence was getting in the loop of creating the next layer or level of artificial intelligence. They predict that by the end of 2026 this year, there'll be all that work will be 100% done by AI agents.
There'll be millions of them working at these AI companies to do that. And that will generate AI that we don't even understand anymore, but will get to, you know, that magic singularity where they truly are intelligent, or we're now using the term superintelligence. So it's going to be different. So it won't be a human that they create. It'll be something that's better than a human at a certain function.
I read that and I said, okay, let's assume that their scenario plays out. What does that mean for security?
And that's when I said, oh my God, all these people are telling me that they can automate triage in a soc. Agents are going to get tremendous traction. And I predicted by the end of 2025, the first sales will be made. And throughout this year of 2026, we'll see adaption. Well, I started to get calls from the founders of those companies. They said, Richard, we launched in January of 2025. We're already at a million ARR. This is only four months later. And then by the end of the year they're telling you they're at 3 million ARR.
And you know, those are, there's a bunch of them bricklayer mind presecurity. I'm sure that 7ai is already there. They're one of the biggest torque. These companies are growing massively and they will have trouble keeping up with demand. Right. And you know, whatever pricing they have set will be supported because of that inability to scale fast enough to meet the demand. Because once a CISO says, well I better try this out and so we'll have a little proof of concept or proof of value.
And they go, oh my God.
This task over here that we assigned it, it did 100% completely every day, no slowing down over the weekends with humans or during the shift change, et cetera. Just looks at every single alert, determines the root cause of the alert, decides if it's malicious, if it is, creates a case, does the research to determine what's going on, and talks to all the tools like soar for how do we mitigate it? In other words, you're no longer being asked by a machine to take action to add a firewall rule or shun a particular network connection that's going on. It's doing that for you. And all you're doing is reading the result of all the attacks that are coming against you that have been thwarted, that once you realize that works, then you're going to completely swap out your SOC for automated agents. It's not saying you're not going to fire those people. Those are still super valuable people. They're going to, you know, somebody's got to train the agents, somebody's got to look for better ways. Somebody's got to still do threat intelligence and attacker intelligence.
So plenty of work for everybody in the sac.
[00:20:29] Speaker C: I'm known for being direct. Let's be honest, nobody gets into technology leadership for the compliance paperwork headache. But if you're building or scaling a tech company, security frameworks like ISO 27001, SOC2 Essential 8, CPS 234 or GDPR aren't just tick box exercises. They are business critical. That's where Vanta comes in. Vanta automates up to 90% of the work for security and compliance, helping you get audit ready in weeks, not months. It integrates seamlessly with your tech stack so you can spend less time chasing documentation and more time leading innovation. If you're a cto, CISO or head of security, it's worth taking a closer look. Visit vanta.com kbcast V-A-N t a.com forward/kbcast to learn more.
Okay, so I'm curious then to ask, just say hypothetically, company spends a million bucks a year with some vendor out there. Now, what you're saying, do you think that because things can be automated, there's less like human in the mix, perhaps because there's agents, et cetera. Everything you sort of did mention, do you envision that a spend will drop, just for example, go down to 800k a year because it's like, well, we've sort of saved you 200 because we don't need, you know, an extra Richard in there doing this thing. So therefore the spend per year will drop or do you think it'll stay the same, but then just the capability will improve?
[00:22:02] Speaker A: Yeah, the latter, because of course nobody gives up budget. That would be insane. You are going to repurpose existing budget and get a lot more efficiency out of your budget and be a lot more secure. That's what I'm so excited about, is that this holds out the promise. Because I'm not a big fan of detection response, it seems compared to protection, which includes firewalls, right? You put in a firewall rule and you're no longer seeing alerts about somebody trying to hack into your telnet server.
[00:22:36] Speaker C: Right?
[00:22:36] Speaker A: Because the firewall blocked all access to that protocol and it's just not happening. So you don't have to worry about it and don't have to do anything. If you're into the detection and response, then you're monitoring for telnet attempts and it creates an alert and you have to do something about it and something that the SOC analysts could be better spending their time on something else.
So protection is in my book, always better than detection. If only endpoints weren't so vulnerable, right, that they constantly have a barrage of attacks against them. But pipe dream to wish that people would use secure operating systems and secure applications.
We still need detection response. The attackers are coming up with new methodologies for attack all the time.
And the question is, can we increase the cost for the attackers? So they too have to use AI, which is, you know, they're going to right now it's cheap for them to use it because it's not very sophisticated. But if they had to become, they would have to use AI to get around an AI defended company.
And they're. I don't think they're ready for that.
[00:23:45] Speaker C: So I get no one to give up the budget. But probably what I poorly asked you was, do you think clients will start to scrutinize the vendor to be like, well, hang on a second, you're automating all these things. Why are we still being charged the same? Then I guess their position will be, yeah, but we're doing all these other things, so it'll just level out. Yes. Spend or say, say the same. But you're also. Yes, we're probably not doing as much human stuff, but we're doing all these other things on top of it, where therefore it equals out.
[00:24:10] Speaker A: Well, there will be a challenge for legacy vendors, right? Because they don't have all the efficiencies of AI.
So, you know, you know, and I. Let's just pick on Splunk. Right? Right. The legacy of all legacy vendors. They don't have AI, right. So they can't like argue that you should pay them more for anything because you don't really need to have a specialized database for logs and alerts. Right. You just throw them in a big data lake and let AI figure it out. Right. It's perfectly capable. That's what it's like. That's what it's so good at is interpreting and deduping and converting everything into the same format. It is perfect for that. I use it every day for my data reduction for that. So yeah, so you don't need specialized things and specialized language query languages to do the research. Oh, it's just gone. So what do you need Splunk for? So there's a couple of companies that pay over $100 million a year to Splunk. They can save that money really, really fast. They're still going to have storage costs, they're still going to have transport costs in and out of the cloud, but they don't need all those Splunk charges. Whereas the one of these 400 plus vendors, you know, they don't have that. They can log into, they can grab Splunk Data or Elastic Data, et cetera, but you don't need to have it there. They're perfectly happy if you just dump it into S3 buckets and use it there. So I think there will be significant cost savings with legacy stuff.
[00:25:38] Speaker C: Do you think, and I mean, I'm speaking just as a outsider, do you think that their positioning Is, yes. But Cisco acquired Splunk and they're view of value perhaps is around the interoperability and now we've got full visibility because we're doing all the network stuff and we're managing everything. Do you think maybe that's more their play? I mean, I'm just giving an example, maybe I'm wrong, but I'm just curious. That's what I've been hearing about.
[00:26:03] Speaker A: Yeah. You know, Cisco's been doing acquisitions for 20 years.
They will do an acquisition for financial reasons. Right? Hey, these guys are doing well and we've got customers we could sell their stuff to, so let's just buy them. They've done that since, you know, Ironport days. Going back for email security now, mind you. Where's Ironport today? Do you use Cisco email security in your organization? I doubt it.
So, yeah, so icues Cisco architecture. So their product lineup, the way it all fits together only exists in their marketing slides, nowhere else. They do not actually integrate their products. They. They don't get the advantages from having those. Right now Cisco's got the advantage of Splunk's entire customer database. That's great. Cisco can sell routers to them, I guess, or whatever else they sell, and vice versa. They can take people who weren't Splunk customers and some Splunk stuff. It's got nothing to do with efficiencies or more security at all.
[00:27:03] Speaker C: So I'm curious to understand, who else would you put in the bucket of more of a legacy vendor?
[00:27:08] Speaker A: Oh gosh, easily. Fortinet, Watchguard, Sophos on Labs, Oracle, which believe it or not, is a big identity product. Microsoft for sure. Right. Microsoft's the lowest common denominator for security and yet claims to be one of the biggest, if not the biggest seller of security.
All legacy, nothing cutting edge, not the new stuff.
[00:27:32] Speaker C: Don't you think every vendor's saying, oh, we're leading this, we're doing that. Like I think they all sort of say it at some point though as well.
[00:27:39] Speaker A: Yeah, they lead as far as market share goes, but they're not thought leaders. They're not driving the industry.
That's why they spend tens of billions of dollars on other companies, because they have to buy that innovation and thought leadership.
[00:27:55] Speaker C: So the other thing I'm curious to get your thoughts on is now they're based in the US I've been doing a lot more conferences. One of the things I've started to notice is vendor does X. But then there's obviously creep into potentially what other vendors do, which perhaps are just more point solution style vendors.
But then I'm starting to get a little bit confused because it's like, well, they're all starting to overlap. And I know there's always been that, but there just seems to be like there's more of it.
So what do you think's going on here? And then is that just going to be what we expect? And then are we going to see more acquisitions? Because it's like, well, this company does, you know, 10% of what we do, we might as well just buy them. And that's all that they do in terms of specialization. But are you seeing this as well?
[00:28:36] Speaker A: Yeah. And it's frustrating because it's a lack of studying history of our industry. Now mind you, I've written the only history of our industry.
So if the executives at Palo Alto and CrowdStrike would read my books, they'd realize that, you know, from an industry analyst perspective, buying centers matter a lot.
So if you are a network firewall appliance vendor, as Palo Alto is, you're going to have completely different buyers than the people who buy antivirus or endpoint detection and response. So the idea that you could also sell that so you buy an EDR solution and then sell it to your existing customers is false. Right. You would need an entire new sales team that knows the endpoint people at your customers and takes them to dinner and has established trust relationships with them. And it's always been the case.
Most often it's the endpoint vendors.
If you read history, there used to be companies called Symantec and MacFee and CA that had endpoint security solutions. They all invested heavily in acquisitions to get into the security space and failed. It didn't work. Not only did they fail to make it work, the companies themselves failed and were chopped up by private equity. And they're just shells of what they used to be.
So my warning to those that are convinced that it's platform is that is a false trail to hunt that the buyers, when it comes down to it, still want best of breed. Because we're talking security, we're not talking human resource management where you make some compromises to get a better price or you listen to your purchasing department because they really want one less folder of information on a supplier. That's their whole compensation is based on reducing the number of suppliers. They want to buy everything from one company. That's why they use distributors and resellers.
Chasing that game is a losing game. Always has been, always will be. And you know, yeah, it Works to some extent. If you're, you know, a really good network firewall security vendor and you buy a technology and bundle it into what you have and charge extra, you can do that. You definitely can do that and increase your revenue and make the stock market happy. But you're taking your biting off more than you can chew if you're a network security vendor that wants to get into identity and buys the definition of legacy technology from cyberark.
[00:31:18] Speaker C: Okay, hang on, this is really interesting. So let's, let's go back through history. So let's go 20, 30 years ago, everyone went to like IBM bought everything from them. We obviously seen the rise of point solutions. Everyone went to that. Now again, platformization, I'm hearing it a lot from internal CISOs saying, oh well, we only want to deal with X amount because we've got too many tools, there's lack of interoperability, blah, blah, blah, blah, blah. So you're saying to your words, that's a false trail to hunt again now like, people should not be doing this.
[00:31:46] Speaker A: Those CISOs are, I don't know, they're listening to the CFO, they're listening to the purchasing organization. They're totally wrong. You do not get fewer dashboards by buying from Palo Alto. You will get an additional dashboard for every single product that you buy from them.
It's not integrated. You don't get fewer products and you'll be totally locked in, right? You'll have to buy the next product from them because just like Microsoft, right, once they had a monopoly on the enterprise for desktop and servers, everything had to be bought from them. That's why they own identity space, they own endpoint detection response through Windows Defender because they got a monopoly and they got everybody to buy into this. I remember the days, late 90s, when CIOs were lauded for their courageous decision to standardize on Windows for everything.
Biggest mistake ever. Maybe I should be thankful for it because that created the cybersecurity industry, right? Because now we had the exact same vulnerable ecosystem on everything. So it became a big deal to provide security for that. And you know, here we are today, your biggest spend is on Microsoft and it shouldn't be that way, right? Luckily, the saving grace is Microsoft never won in the cloud space.
So that even on Azure you use flavors of Linux for your servers or
[00:33:14] Speaker C: you should be okay. So does this mean this whole platformization approach from moving to platform platforms and all of that sort of stuff, we're consolidating all of the stuff you would have heard so you're saying that people are now going to go back to just doing point, solution, style of stuff and perhaps reduce if Palo Alto's got 10. I've heard about all of these sort of vendors. It's like you think you're getting the one, but then you got to log into another system that's just being bolted on at the 11th hour.
So you're saying that we will go back to. You're going to have your big players, but then you're going to still have your vendors that are perhaps, you know, specificity in a specific area. There will still be a need for these players.
[00:33:54] Speaker A: More than that, I'm saying that nothing's changed, that I'm just saying that platformization is not a trend, despite what you hear from everybody. It's not a trend. It's not how it works. There's 4,000 vendors out there and you know, there's no platform that can do it all and there never will be. And you wouldn't want there to be, right? Because then there's one vulnerability in your platform means an attacker can take down your entire organization and own you.
You do get additional security from having multiple vendors, right? Because you have to. You can't trust a single vendor to be perfect.
So people that are fans of buying from Fortinet discover that practically every week because there's new vulnerability that's remotely executable in a Fortinet Gateway or Fortinet anything.
It's because Fortinet is super integrated. And as a matter of fact, if you're really into platforms, you should only be talking to Fortinet. They're the only ones that don't buy other companies and patch them together. They are the best engineering company in the business and they create all their own products and they all work together, they all share code, have the same developers, and that leads to the crappy security that comes with Fortinet products. And you'd get that if you went with any platform. Luckily you don't, right? You use Duo security for strong authentication.
Boom. That's Cisco, right? You use Palo Alto for your Gateway firewalls. Use Crowdstrike for your endpoint. That is just the way it is and that you're not going to buy all three of those from one company.
[00:35:31] Speaker C: So are you a fan or not a fan of when companies buy these other smaller players and try to absorb them, bolt them on? I know it's sort of a. It's a bit of a hard question because it depends on all those things.
[00:35:40] Speaker A: But generally speaking, that is how the Industry works. So I'm a fan of it. I think it's great.
That's so the way that a large company is going to innovate and stay alive and grow over time is by paying for innovation. They pay quite a premium for it. Right. Look at CrowdStrike just paid 700 million for a signal, an identity company.
They pay for that because it's more efficient. Right. You can see it working and see it working at hundreds of customers. So you know it's a good product and you know that you can sell through to your thousands of customers. So easy decision to make and that's the way of the world. It's always been that way and I think it always will be that way. So yeah, that's just how it should be.
[00:36:22] Speaker C: So I'm curious to get your thoughts then on vendors, how they're going to market, how they're marketing, media, pr.
Given everything we've discussed today, what are your thoughts? Because I'm speaking to a lot of people in this marketing world, PR world. Oh, it's harder than ever to do these things. It's hard to get journalists.
What would be your sort of insights for those folks?
[00:36:46] Speaker A: Well, I certainly agree. I mean tech journalism is practically gone, right? It's not what it was before the financial crisis which seemed to kill and the network worlds and computer worlds off.
So yeah, so there's no tech journalism anymore, right. So the few people you call are just maybe the regurgitating press releases because they got to have some content today. And it's very sad in the, you know, the good tech journalists are way, way underpaid. It's a crime how they have to scratch and struggle to stay alive.
So yeah, forget all that. You got to create your own content.
You've got to make it valuable. Follow the lead of Verizon DVR and creating these really useful content with your own research.
Get it out there, get it in front of people.
PR work, you kind of have to replace the fact that people don't have hard copies of Network World sitting in their lobby anymore. There's no place to put your message. Obviously television is not going to work. Maybe TikTok and Instagram is.
[00:37:53] Speaker C: And what about. Do you think in person events are coming full circle again? Because it's like people seem a little bit fatigued by like stuff online after a while and the whole proverbial doom scrolling.
[00:38:04] Speaker A: Yeah, I think we all thirst for in person events because yeah, you just gotta get away from our computers and our desks and our home offices.
So I think in person, events are fantastic. I think there's a little bit of fatigue.
You know, there's only so many fancy steak dinners you can eat. Right. But the draw to those events is you're interacting with your peers. This is where you will hear a message and you'll be judged. You know, if. If a vendor sponsored it, the vendor is going to be judged in that dinner meeting. And they may all come away and be talking on the sidewalk while they wait for their Ubers, saying, yeah, I'm.
These guys, I don't. I don't trust them. Or what? Or these guys look great. I'm going to give them a try, which is the hope for outcome.
[00:38:54] Speaker C: So then for 2026, and I mean, I could probably have this list in my mind based on what you said, but I'm curious to see, like, what do you think's in fashion for 2026? What do you think's out? Curious to get bit of a high level. Maybe three and three.
[00:39:07] Speaker A: Ooh. It's funny how they. There'll be new things in fashion that. But they don't push things out. Right? Yeah. I look to AI to help us with the soc Automation Vulnerability Automation and pen testing, Red Teaming Automation. Those are the three. There are many others. I'm excited by AI being applied to email security because every day I ask the question, why are there 107 email security vendors? Everybody uses the same email provider, Microsoft, for their business.
How come Microsoft can't protect that email? You know, they got the infrastructure. They claim they've got trillions of alerts and they've seen every email. They'll see the first email that uses a new method. They don't. So those three in the AI side, I'm pretty sure that the fad around post quantum cryptography is flattening out a little bit. Yeah, it's just like, you know, this is the security world. Right. We don't invest in a single thing until after the threat arrives. Right. It'd be great if we thought five years down the road and the Chinese are collecting information right now, they're going to be able to decrypt it in a second as soon as they finish turning these qubits that are currently about a meter high and have to be kept cool to the lowest temperature in the universe in order to get them to switch a bit between several states.
Someday the Chinese are going to turn that into supercomputers that can decrypt advanced algorithms. Okay, great. Tell me when that happens and then I'll invest in swapping out our encryption algorithms because we can do that pretty fast.
So I put that on the out of fashion space right now. Anything to do with bitcoins. Right. It's just got to disappear and go away forever. Insecurity. Obviously, if you had bitcoins, it'd be nice to cash them in. Yeah. So every time I see somebody goes, we gotta use the blockchain in order to do, you know, things that PKI successfully did 25 years ago.
[00:41:18] Speaker C: The Quantum piece is interesting because I've heard a lot more people in my sort of circles raising it. So you think that's flattening out. So you think it's gonna. Do you think it's gonna be sort of like the whole web3 thing? Remember when around Covid time everyone was going nuts about that and then I haven't heard anything from it since.
[00:41:34] Speaker A: Yeah. Web3 is another one that's just laughing stock.
Just if somebody says web3 of their LinkedIn profile, I won't let them connect. It's like, no, I don't want to hear from you at all. I think Quantum is just like that. It's like, it's like the segue. When I was at Gartner, the segue came out and a bunch of analysts at Gartner and Futurists said the segue was going to change the makeup of cities because it was going to change how we move.
It was a really good experience to see people that otherwise were smart make those predictions.
[00:42:10] Speaker C: And so I know things are changing day to day and new vendors are emerging. Anything you can sort of leave us in terms of your hypothesis for the year? Perhaps.
I know you're not Nostradamus. You don't have all the answers, but you do have a lot of insight.
[00:42:23] Speaker A: Yeah, the standalone AI security industry is going to have a very, very short half life. I predict that by the end of 2026 you won't be able to say that There is an AI security industry because all of security will have AI embedded in it.
[00:42:44] Speaker B: This is KBCast, the voice of C Cyber.
[00:42:48] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
[00:42:57] Speaker B: This episode is brought to you by Mercset. Your smarter route to security talent. Mercse Executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out
[email protected] today.
