
THE PRODUCT SH3PHERD
Herding Products Since 1999
You Can't Solve Cybersecurity. You Can Only Manage It.
Cybersecurity Has a Vendor Problem

My first security conference was Black Hat 2014. This was around the time when all the major US defense contractors were getting into the business of building commercial security products. I happened to be working for one of them, managing one of their flagship “defense-grade” security products. Finding your perfect cybersecurity tech stack isn’t easy, but it is necessary if you want to manage enterprise security threats.
The Evolution of Cybersecurity: From Defense Grade to Mainstream Solutions
You might think that a defense contractor focusing on protecting national security would be able to build and market some amazing security products. And you would be right… and also wrong. “Defense grade” security products come with a “defense-grade” price tag and a “defense-grade” footprint that wasn’t particularly palatable to most organizations outside the Fortune 50 (yes, “50” without the extra “0” – a pretty narrow TAM, though one with deep pockets).
In 2014, security vendors were milking the 2013 Target data breach for all it was worth, but most people weren’t quite panicked enough yet to shell out 6, 7, or 8 figures for cybersecurity, and certainly not that much every year.
Enter: 2015. By Black Hat 2015, we got the gifts that were the Anthem breach (Feb 2015) and then the illustrious US OPM breach (June 2015). Suddenly, cybersecurity was becoming a “thing” for everyone and not just us paranoid weirdos screaming that the sky was falling. It was at this point that panic began to set in, and companies and organizations big and small were scurrying to protect their data. If you’re familiar with Crossing the Chasm by Geoffrey A. Moore, this was the catalyst for the late majority to start scrambling on board the cybersecurity train, and then regulations like GDPR brought on most of the laggards.
Suddenly the potential losses incurred by a major data breach or security incident far outweighed the high costs associated with focusing on cybersecurity throughout an organization.
The Flood of New Players in the Cybersecurity Market
As expected, this new demand triggered a flood of new players in the security solution market, flush with new VC. Successful new players got acquired, got big, merged with other players, or some combination of all three. Unsuccessful new players faded into obscurity. Legacy security solutions also went through acquisitions, mergers, and sell-offs. Business halls at major security conferences got bigger. Marketing teams started making up terms and acronyms that sounded innovative and important. Everyone had some amazing new way to protect your data and your enterprise. Solutions in markets that had become commoditized, like encryption, firewalls, and AV, tried to reinvent themselves by expanding their capabilities and claiming to be “next-gen.” It might sound like I’m talking about a long, multi-decade saga, but we’re talking about all of this occurring in 5-10 years.
The Impact of Data Breaches on the Cybersecurity Market – One Platform to Rule Them All… Or Not
The kicker to this new security renaissance is that even after the flood of cash and innovation and even after the big players gobbled up little ones, there’s still no one security solution, platform, or vendor that can meet all enterprise security needs (even if we leave off stuff like DevSecOps and code security).
There are a few large vendors out there who may have most of the pieces, but nobody has been all that successful at putting them together into a cohesive platform. Many of these same vendors will argue with me over this, but I stand by this claim.
Everything I’ve seen has been smoke and mirrors, mostly by updating UX look and feel to make something look like an integrated platform, but…nope. Talk to any large security vendor and ask them if “single pane of glass” was on their roadmap 5 years ago (probably yes). Then ask if it’s still on their roadmap (also probably yes). Believe me. I was one of those vendors. Ask these questions again in 5 years, and I’d bet cash money that you’d get the same answers.
The problem is that start-ups, even with huge buckets of cash, are still going to focus on point solutions, and rightly so. Nobody can boil the ocean. Conversely, large enterprise tech companies are usually too large and bureaucratic to be innovative, so they rely on M&A to “buy” innovation, but then everything in security changes so fast that they don’t have the time to really integrate those new solutions into their portfolio well.
To add insult to injury, M&A teams that vet security solutions and negotiate their acquisition may not always be all that good at the vetting part, so often that cool, innovative startup ends up becoming an albatross that requires a lot of work before it can be brought into the fold.
The result is a large company with a bunch of point solutions that may or may not look similar that don’t talk to each other well, if at all. If you can get SSO between their products, consider this a bonus. Each product also probably has a different sales and marketing team and a different product team that may or may not talk to other teams, assuming they’ve even met.
Categorizing ALL THE (Cybersecurity) THINGS!
Navigating the Crowded Security Solutions Market
Regardless, the cybersecurity market landscape is vast, sprawling, and confusing. Solution categories differ depending on who you ask, and sometimes even when multiple sources have a few similar categories, the solutions in them are not the same. And then you end up wondering why one source doesn’t put IoT, mobile, and cloud security together or why DLP and insider threat aren’t together and with the SOC solutions. But the truth is that it’s really hard to categorize security solutions, and it’s hard to determine where one solution category ends, and another begins because often there is a whole lotta overlap.
Why is it so hard to categorize security solutions? My theory is it’s because nothing internet-related was initially designed with security in mind, so all security had to be shoehorned in after the fact. Email, websites, databases, applications, wifi protocols, cellular protocols… virtually everything internet-related created or invented before about 2004 (and lots of stuff created after) is inherently insecure. HTTPS, while introduced around 1994, didn’t become the de facto protocol for internet traffic until 2018, so even though certain security measures were developed early(ish), the adoption timeline was abysmal. “If it ain’t broke, don’t fix it” seems to be our mantra, and it’s likely the main contributor to all of our problems.
These days, even the savviest security professionals who have a good understanding of their organization’s attack surface, and what vulnerabilities they need addressed, find it difficult to identify all the solutions they need, let alone from which specific vendors, especially as new solutions with new, made-up solution types come to market, seemingly daily, proclaiming to be new and different and better. And don’t get confused between solution types and solution categories. A solution category would be something like “data security,” whereas a solution type within that category would be DLP, and that’s an easy one to define.
Security Vendor Fatigue
To be helpful, security vendors are eager to reach out all day, every day with unsolicited advice on why you need their solution and man, oh man they are a tenacious bunch. Now that I’m on the buying side of security solutions rather than the selling side, I believe I have the advantage of seeing both sides with more clarity. On the buying side, I am knee-deep in security vendor fatigue right now. I recently got called every day for 2 weeks by a particular, very established and respected vendor, so it’s not just startups. Every time I show the slightest bit of interest in a security solution, I’m engulfed in a whirlwind of emails, phone calls, and LinkedIn requests.
I get the eagerness of security vendors. I really do. I know most of them truly believe they can solve all of my security problems. I believed the same thing about my products and I was pretty darn convincing. Never underestimate the power of an earnest product manager. But you must resist. Don’t fall for it. Sitting on the buyer side, I realize now that until I understand my specific security needs, there’s no way to know who can meet them and certainly no one else can claim they have what I need if I don’t know what it is yet.
Cybersecurity Market Analysts – Who Really Benefits?
Behind the ‘Magic’ Curtain
Many security and IT leaders rely on market analysts like Gartner and ESG, but those same analysts are paid by vendors. In the case of ESG, their focus is identifying customer needs and customer buying trends for vendors, and as a vendor who had a relationship with ESG, I can vouch for their insight and services. But while their information can be valuable to buyers, their focus is really on providing value to vendors. Note here that they do provide consulting services that include vendor assessments for buyers, but they don’t make these vendor assessments public because one vendor may be awesome for someone else, but not for you. Keep this thought in mind as you read on to the next paragraph.
While Gartner does provide market analysis for buyers with its Magic Quadrant™ and other services, the greater value is still mainly for the vendor. Being in the Magic Quadrant™ is great marketing for a company, and they will freely and gleefully hand out copies of Gartner’s report, generate press releases, plaster it all over their website, and spam anyone and everyone who will listen.
I will also add here as a side note that ESG’s analysis is much more focused on helping vendors with product roadmap and strategy, whereas Gartner’s analysis is much more focused on helping vendors with product positioning and marketing. While vendors absolutely benefit from both of these things, this is a subtle but important difference. (Note that both do both things, but each focuses more on one than the other.)
But regarding that magical square (rectangle?) of awesomeness, coming from the vendor side, I’ll let you in on a little secret: getting into that elusive quadrant has a lot to do with how much time and money you are willing to spend on having an analyst come and evaluate your solution. After several years of having said analyst come and peruse your wares, you learn quickly how to position your solution to put it in the best possible light. You’ll also learn how to subtly Jedi mind trick the analyst into skewing their market definition to fit your solution. It’s possible that I have first-hand experience in working for a company that had a product that was less than stellar (not mine; obviously all my products have been spectacular) that made it to the top right bit of that chart, so maybe it really is magic. Unfortunately, magic can’t create the perfect cybersecurity tech stack.
Making Sense of Cybersecurity Market Messaging
Even industry leaders have a difficult time figuring out the security solution puzzle. At Black Hat 2022 (almost a decade after my first) I was wandering around the business hall with a friend who also happens to be a branch chief at CISA, and she was musing that it seemed like everyone’s messaging was the same and it was incredibly hard to figure out what anyone actually did anymore.
“Zero Trust” Cybersecurity
“Zero trust” was the buzz-phrase in 2022, likely stemming from the new norm of remote work ushered in by COVID. Literally every single solution, regardless of which security category it fit in, claimed it could help facilitate zero trust within your organization. But what is zero trust? (This is where I throw in the disclaimer that my last security product gig was at a company knee-deep in doling out the zero-trust Kool-Aid. To be fair, they are a pretty awesome data protection company and can probably stake one of the biggest claims on the zero trust “market.” I just think the term itself is stupid.) “Zero trust” really means “least privilege,” meaning you provide everyone who has access to your organization the least amount of privilege that they need to do their job. Great concept. Stupid term. (Sorry John Kindervag, I know research analysts like to come up with catchy terms, and it is definitely catchier than “least privilege,” so I’ll give you that. 😬)
Regardless, zero trust isn’t a solution space. It’s a framework requiring a major overhaul to an organization’s data access controls. NIST has a great guide (SP 800-162, its attribute-based access control guide) about why moving from role-based access controls (RBAC) to attribute-based access controls (ABAC) can set the foundation for building out your zero-trust framework. It’s a super informative document with helpful little diagrams.

However, while it is great at explaining what you need to do and why, it’s not so great at telling you how, and really the impetus for this document was originally super secret squirrel air-gapped networks where only people who need to know know and those who don’t don’t (literally, the “trust no one” crowd… and now that I think about it that way, “Zero Trust” may be growing on me… hmmm… nope, still hate it). Regardless, if you have the time and money to overhaul your entire access control system, then it’s legitimately something to consider putting in place. I’m a firm believer in encrypting everything you can and providing access only on a need-to-know basis. It would solve a lot of security problems today (potentially almost all of them, but don’t quote me on that and don’t flame me with hate mail).
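To make the RBAC-versus-ABAC point concrete, here is an added example (not code from the original post, and not NIST’s): the same three access requests decided first by a coarse role check and then by an attribute check. The roles, attributes (clearance scale, a device-posture flag, network location) and the payroll record are all constructed sample data; the rule set is one illustrative need-to-know policy, not a standard.

```python
"""Added example (not from the original post or from NIST): the same three
access requests decided by a coarse role-based check and by an
attribute-based check. All roles, attributes and records are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    role: str             # RBAC looks at this and nothing else
    department: str
    clearance: int        # assumed ordinal scale: 1 = internal ... 3 = restricted
    device_managed: bool  # assumed posture attribute (e.g. reported by an MDM agent)


@dataclass(frozen=True)
class Resource:
    name: str
    owner_department: str
    sensitivity: int      # same scale as Subject.clearance


@dataclass(frozen=True)
class Context:
    action: str
    on_corporate_network: bool


# RBAC: a role maps to a fixed permission set, whatever the data is.
ROLE_PERMISSIONS = {
    "analyst": {"read"},
    "admin": {"read", "write", "delete"},
}


def rbac_allows(subject: Subject, resource: Resource, ctx: Context) -> bool:
    return ctx.action in ROLE_PERMISSIONS.get(subject.role, set())


# ABAC: every decision compares subject, resource and environment attributes.
# Default is deny; each rule grants only what need-to-know requires.
def abac_allows(subject: Subject, resource: Resource, ctx: Context) -> bool:
    same_department = subject.department == resource.owner_department
    cleared = subject.clearance >= resource.sensitivity
    if ctx.action == "read":
        return same_department and cleared and subject.device_managed
    if ctx.action in ("write", "delete"):
        return (subject.role == "admin" and same_department and cleared
                and subject.device_managed and ctx.on_corporate_network)
    return False


def decide(subject: Subject, resource: Resource, ctx: Context) -> dict:
    """Return both decisions so the difference is visible side by side."""
    return {"rbac": rbac_allows(subject, resource, ctx),
            "abac": abac_allows(subject, resource, ctx)}


# Constructed sample data.
PAYROLL = Resource("hr/payroll-2024.xlsx", owner_department="hr", sensitivity=3)

FINANCE_ANALYST = Subject("alice", "analyst", "finance", clearance=3, device_managed=True)
HR_ADMIN_REMOTE = Subject("bob", "admin", "hr", clearance=3, device_managed=False)
HR_ADMIN_ONSITE = Subject("carol", "admin", "hr", clearance=3, device_managed=True)

REQUESTS = [
    # Analyst outside HR reading payroll: RBAC yes (analysts may read),
    # ABAC no (wrong department, so no need to know).
    (FINANCE_ANALYST, PAYROLL, Context("read", on_corporate_network=True)),
    # HR admin deleting payroll from an unmanaged device off-network:
    # RBAC yes (admins may delete), ABAC no (device posture and location fail).
    (HR_ADMIN_REMOTE, PAYROLL, Context("delete", on_corporate_network=False)),
    # HR admin writing payroll from a managed device on the corporate network:
    # both allow.
    (HR_ADMIN_ONSITE, PAYROLL, Context("write", on_corporate_network=True)),
]


def run_samples() -> list:
    return [decide(s, r, c) for s, r, c in REQUESTS]


if __name__ == "__main__":
    for (s, r, c), result in zip(REQUESTS, run_samples()):
        print(f"{s.user:6} {c.action:6} {r.name}: rbac={result['rbac']} abac={result['abac']}")
```

The first two requests are the compartmentalization point: a role that is correct for the job still grants reads across departments and lets a compromised admin account act from anywhere, whereas the attribute rules limit the blast radius of any single account to its own department, its own clearance, and a managed device on the expected network.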
But why would, say… a SIEM solution advertise that they help you with zero trust? I mean, every security solution can probably claim it helps but if you don’t have the framework in place, then it probably doesn’t.
XDR: The Second Coming of EDR
Even as zero trust was having its heyday as the bestest way to 'secure' your enterprise, Extended Detection and Response (XDR) was also having its moment. Note here that zero trust is trying to 'secure' your enterprise, while XDR is assuming your enterprise isn't secure so you need something to identify and mitigate security breaches quickly. So, which do you really need? Well, you need both. They actually go hand-in-hand. Lock down all access on a need-to-know basis so that when (not if) you have a data breach, the damage is minimized, that is unless the bad actor (I have opinions on this term, but let's not go down that rabbit hole) happens to be able to compromise someone with a shitton of access, though if you really do zero trust correctly, you can compartmentalize access in ways that prevent this. But nobody does zero trust correctly.
XDR evolved from EDR (Endpoint Detection and Response), which is one of the OGs of security, where security is focused on all the endpoints (think: antivirus on steroids). XDR extends this concept to also include network traffic and log data (NDR/SIEM), email security, and cloud security. Though in reality, Incident Detection and Response (IDR) was already a thing and has been a thing for a very long time. There just weren't single solutions that did this. XDR is really just a single solution that does IDR. In theory. Remember that 'single pane of glass' I mentioned earlier? This is that... or rather an attempt at that.
MDR: the NEW MSSP
While Zero Trust and XDR were making the buzzword rounds, we also saw a rise in Managed Detection and Response (MDR) vendors - vendors who manage your XDR/SOC ops for you. Arguably, Mandiant created the MDR space way back in the day (pre-FireEye) when legacy Managed Security Service Providers (MSSPs) only did the detection part and not the response part. Once they detected a problem, they called up their customers and told them about it, and then it was the customer's responsibility to figure out what to do about it. Mandiant added the "R" to the mix. Gartner coined the term in 2016 (because of course they did), but Mandiant/FireEye had been doing it for more than 10 years by then.
With the advent of XDR attempting to be that 'single pane of glass' where you could manage your entire security ecosystem from one place, MDR gained a second wind with the realization that a lot of companies didn't have the bandwidth to implement and manage XDR internally, especially SMBs, so now we're seeing a lot of MDR startups entering the market, presumably to focus on SMBs.
And with these new MDR players cropping up in recent years, we now see the MDR market touting itself as 'AI-powered' or 'AI-native' because everyone needs to climb into the AI bubble to milk as much as they can out of it before it bursts. Plus the security industry ain't going away, so as long as they don't put all their eggs in the AI basket, they'll survive the crash.
GENAI = AI, But AI <> GenAI
You can't swing a dead cat these days without hitting a tech tool or solution touting its AI-ness. However, during the first couple of years after ChatGPT launched in 2022, the discussion in the security space centered around the security risks of (generative) AI, and security vendors weren't as quick to jump on the bandwagon as other tech vendors. Agentic AI has a particularly insidious security risk, because in order for it to work, it has to have access to ALL the data, which is in direct conflict with everything zero trust stands for.
The irony here is that security solutions have been using AI for years, just not generative AI. In fact, I built a security product at Raytheon that used machine learning to detect potential security badness. But now, "powered by AI" takes on a whole different meaning that isn't necessarily a selling point to security product buyers.
Still CEOs and CMOs couldn't let the AI train pass them by and so we've started to see GenAI leveraged in other security tools, but sparingly. Even in MDR we're really only seeing GenAI used during the response and reporting phase (and during the investigation phase - to finally provide that elusive "single pane of glass"). We aren't seeing GenAI agents crawling through network and endpoint data to do the detection bit, though... and rightly so. That's not what GenAI was created for and this would be a ginormous security risk.
Another bit of irony is that security customers haven't bought into all the AI hype. The industry was quick to point out all the security risks when GenAI burst onto the scene, so it's hard to reconcile that with the new 'AI-powered' messaging security vendors are touting. It would probably behoove these vendors to differentiate themselves from *just* GenAI. If I were a CMO (and I am most definitely not), I'd pick a campaign like 'AI-native before AI was cool.' AI is suffering from the same affliction inflicted on encryption when cryptocurrency became all the rage. Crypto <> Cryptocurrency, much like AI <> GenAI.
Regardless, there are other valid use cases for GenAI in security, especially in AppSec and DevSecOps to enforce secure coding practices and identify code vulnerabilities before getting released into the wild.
So What's the Point?
If you've gotten this far, you may be wondering what the point is to all of this, so here it is: the point is that researching security solutions and miring through all their market messaging fluff and jargon to determine your security needs is kind of backwards, when you think about it. You need to identify your security needs and THEN find solutions that can meet them. Seems easy enough, right? Well, it does until you realize that all vendors will tell you they do the same thing: secure your enterprise! But their solution is the bestest! They do it in the most super-est, awesomest way! They will not just secure your enterprise. They’ll super SUPER secure it! Yayyyyyyyyy!
The Enterprise Security Elephant in the Room: Nothing is Unhackable
OK, now that I’ve gotten that out of my system, we need to pivot here and address the elephant in the room:
There is no such thing as “more” secure.
When you secure something, you are making it immovable or impenetrable or… unhackable. You can’t make something more immovable or more impenetrable or more unhackable. Something is only secure until it isn’t, and then it’s not. And to be quite frank, even when nobody is attempting to gain unauthorized access to your organization, your organization isn’t really secure. There are still ways to get in. I know I’m being pedantic, but the security solution industry knows this. They wouldn’t have moved focus from “protection” to “detection and response” if they didn’t know this. They wouldn’t be tracking dwell time (how long an intruder is inside before being found) as one of their most important metrics unless they expected intrusions. The term “security gap” is an oxymoron when you really think about it. If your front door is locked, but you have a window 2 feet away that is cracked open, you don’t say your house has a security gap. It’s either secure or it isn’t. Your front door might be secure, but your house is not.
Security solutions aren’t really securing your organization. They’re just mitigating threats and minimizing risk, but saying “we’ll mitigate threats to your network” or “we’ll minimize your risk of a data breach” doesn’t sound as sexy as “we’ll secure your enterprise.” Keeping on the house analogy, your house will never be secure. A determined criminal could probably break into any house, but if you had an alarm system or a very large dog, then those things could mitigate threats and minimize the risk of property loss. Almost all vendors have shifted overall focus to fast detection and mitigation through swift response and remediation, and that’s why we’ve moved beyond firewalls, IDS/IPS, and secure gateways to incident detection and response, network segmentation, granular access controls, and easier, faster encryption. And that's why zero trust and XDR are the current darlings of the security world (and API security, but we can digress on this some other time).
So then do you really need these 'security' solutions? Yes! Absolutely you do! But the key is to focus on your needs and not on the solutions. Until you've identified your specific problems (where are your biggest security risks and what's your risk tolerance?) you won't even know if a solution meets your needs. Don't let vendors tell you what you need. Tell vendors what you need and then ask them if and how they can meet them. Don't succumb to the hype. Walk the floor, get the swag, go to the parties, and then go home and block their numbers and emails until you're ready to talk.