Are New Gartner-Created Categories/Acronyms Helping or Hurting the Cybersecurity Industry?

It seems like cybersecurity is content to suffer death by a thousand Gartner quadrants. Why do we insist on complicating an industry that’s begging for simplification?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Geoff Belknap (@geoffbelknap). Joining us is Alex Hutton, CISO, Atlantic Union Bank.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, ThreatLocker

ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com.

Full Transcript

[David Spark] It seems like cybersecurity is content to suffer death by a thousand Gartner quadrants. Why do we insist on complicating an industry that’s begging for simplification? 

[Voiceover] You’re listening to Defense in Depth. 

[David Spark] Welcome to Defense in Depth. My name is David Spark, I’m the producer of the CISO Series, and joining me as my co-host, it’s Geoff Belknap. Geoff, say hello to the nice audience.

[Geoff Belknap] Hello, nice audience and the rest of you also. You’re welcome. 

[David Spark] Oh, you think there’s somebody who’s not nice audience that’s listening to us?

[Geoff Belknap] I mean, statistically, there’s got to be at least one. 

[David Spark] Mmm. Do you want to name them by name? 

[Geoff Belknap] Well, I think it’s our guest, but I mean, we’ll see. 

[David Spark] [Laughter] Our sponsor for today’s episode is ThreatLocker, Zero Trust Endpoint Protection Platform. ThreatLocker, absolutely spectacular sponsor of the CISO Series. We love their support. Thank you so much, ThreatLocker. And very soon we will be talking about their Zero Trust solution. CSPM, DSPM, FSIN, CIPM. That’s a lot of acronyms, Geoff. And as an industry, we seem to be awash in them, but as Caleb Cima of WhiteRabbit asked on LinkedIn, does defining a thousand vendor product niches actually help us with the job of cybersecurity or just make it actually easier for vendors to sell a new product category? What do you think, Geoff? 

[Geoff Belknap] Nope, but let me elaborate. 

[David Spark] No, leave it at that. Let’s wrap up the show. [Laughter] 

[Geoff Belknap] Show over. Thanks, everybody. Good job, sponsor. You really got a good one today. I get what we’re trying to do, and certainly, I can appreciate Gartner’s challenge here of trying to help corral every individual product that’s out there into something that buyers can understand quickly. And that certainly started out with a really positive intent, and I understand where we’re coming from. Where we are today, though, is pretty far from where we started. And now, it seems like everybody is just trying to get Gartner to invent a new category that’s just got them in it to make the differentiation easier. Or worse, people are just making up whether they fit into a category or not, and they don’t have those features at all. It really has gotten to the point where it’s pretty confusing for security leaders to understand what they’re buying by just acronyms only.

[David Spark] It can be tough. You bring up a very good point that it’s kind of difficult on all levels, but we’re going to kind of parse this out in today’s discussion. And I am truly thrilled that we have our guest today. This is someone I’ve known for a very long time, and roles that he had before have sort of prevented him from coming on the show, but I am thrilled that he is joining us now. Someone I’ve interviewed many times in the past, and I’m thrilled that this is his first time ever being on a CISO Series show.

[Geoff Belknap] Wow. No pressure here. 

[David Spark] Yes. Well, thrilled. Yes, he is going to be fantastic. No pressure. He is the CISO over at Atlantic Union Bank. None other than Alex Hutton. Alex, thank you so much for joining us. 

[Alex Hutton] David, thank you for having me. Geoff, thank you for having me. 

Who benefits? 

3:15.368

[David Spark] Ron Reiter of Sentra said, “Startups are trying to differentiate themselves between existing security vendors and between the other incumbents. As a startup guy, seeing so much competition around makes you understand that if you don’t have an edge in your storytelling above your direct competitors, CISOs will not even give you a chance because you’re yet another startup. And then the second issue is they’re trying to simplify budgeting for security tools, so large companies would understand why more money needs to be spent on top of existing security tools. For example, a company with a CSPM still needs to secure their data, which is why it’s easier to pitch a DSPM rather than a tool that automatically detects all of the sensitive data in the cloud, understands if it’s currently at risk, and what to do to mitigate that risk, which is not what a CSPM does or is supposed to do.”

And Marty Bakal of MITRE said, “As a vendor, I don’t even think it helps us. It means we have more things to prove we support when we could just say we support security in certain ways and move on. I acknowledge individual vendors request specific ones, so they are differentiated, but it doesn’t help us as a whole. Too much confusion means we have to research and explain more all for the same thing.” Look, there is value to what Gartner is doing. It’s taking complication, putting a label on it, so we all sort of universally can say, “All right, this is that thing.” Now, yes, there could be someone who does DSPM differently than somebody else. That’s where differentiation comes in. But we do need to have a collective understanding of something. Yes, Geoff? 

[Geoff Belknap] Yeah, absolutely. I think they hit the nail on the head here when we talk about the duality of the problem. Yes, as a buyer of security products, you’re generally going to budget based on a product category or a grouping. And when you’re out there looking, you’re like, “Great, I put aside N dollars for a CSPM or a DSPM or EDR or an XDR or whatever it might be.” And the vendors competing for your attention want to be in the space that they think you’ve budgeted for. They want to be able to talk to you if they know you’re out there in that product space. But the reality is, a lot of times, you’re not looking for a CSPM, a DSPM, a whatever. You’re looking to solve a problem that your organization has. And it becomes really difficult to differentiate who can solve that problem if you’re only looking at category names, and I think Marty points this out really well. A lot of the people in the different categories are highly differentiated. They solve the problem in different ways. They solve it to different degrees of completeness. Some are platforms, some are sort of niche solutions. It is helpful to a point, but beyond that point, it really can just exacerbate the confusion. 

[David Spark] This is, to me, Alex, like when you’re pitching a movie: you have to reference other movies. So, someone just said, “Oh, this is what I’m buying right now.” But yeah, I mean, it would make your buying process tantamount to difficult if all these products didn’t have labels on them, wouldn’t it?

[Alex Hutton] It would. So, Geoff brings up a good point, which is having a label makes it easier to categorize something and sell it internally, right? What if my CIO comes to me and says, “Alex, what are we doing about CSPM?” Because he read about it or heard about it on a podcast like this. And I say, “What’s a CSPM?” That doesn’t look good. That’s not going to be something useful.

[David Spark] [Laughter] 

[Alex Hutton] On the other hand, I could say, “Hey, I was listening to the CISO Series Podcast, and I heard about CSPM. It’s a cloud security password management tool. You should go listen to that because I think there’s some value there and we should think about buying that.” I get all that. I have a very interesting background in this in that I have been a startup founder twice. I have actually had funds to invest, or have been the security technical person that helped drive investments for large funds. And now, as CISO and as a former security executive at another large bank, I’m somebody who actually goes out and buys these things. I understand that it’s not going to be quite as sexy to say, “Well, I take these permissions from here. I run them through a graph database. I do some machine learning and then I make it pretty in HTML5.” That would actually sell me 9 times out of 10, but it isn’t exactly going to be a great lead for your website.

[Geoff Belknap] Doesn’t fit on a bumper sticker. 

[Alex Hutton] It’s not going to resonate with your investment. 

[David Spark] So, let me ask you, since you’ve actually brought up a good point being that you’ve literally been on every side of this equation at one time or another. Is there one thing that’s frustrating continuously across all sides or does it change depending on which side you’re on? 

[Alex Hutton] Wow. It’s a great question. I think the frustrating element that would be on all sides would have to be the fact that you are constantly trying to sort through marketing speak to figure out exactly what the value is. As an entrepreneur, you have to think about less is more, because if I come out and I just say, “I’m some ephemeral security gobbledygook,” to someone, and a bunch of buzzwords collected, that gets me nothing. So, I have to pare that back and actually express a value out of that. If I am a potential investor, right, I also need to know exactly what you’re doing. I have to figure out, are you a company or are you a feature? And how is that going to sell? And if I’m a CISO, I have to say, “Okay, is this actually worth my money and my time, which is sometimes much more valuable, to actually invest in this? Is it going to make my life better?” The one thing that I think all three share is catchphrases, buzz phrases, and not getting to the point of what your value statement is. It’s endemic in our industry, I’m afraid.

What do most people think it is and what’s the reality? 

9:08.932

[David Spark] Neal Hartsell of Gradient Cyber said, “The fact that there are prior market constructs – acronyms, as you say – suggests that there will always be new constructs.” I think that’s a very good point, by the way, Neal makes. “To say otherwise means that one somehow adheres strictly to the prior set, which is a function of what we knew about data ingest analysis and output representation at the time. It’s merely evolution. Don’t blame marketers for trying to participate. Gartner simply listens to the loudest signal at the moment and then attempts to profit by developing the new market quadrant. Don’t blame them either. They are clearly good at it.” 

And Landon Winklevoss of Nisos said, “Right, wrong, or indifferent, the Gartner quadrants are often viewed as the pinnacle of reaching that differentiation, as often informed from the buyers – cybersecurity practitioners and defenders – and vendors. If only there were a better way.” So, Geoff, I’m throwing this to you. We’re fooling ourselves into believing that it could all stay static. I mean, we’ve all been in this industry for many years. What you’re protecting today is not the same way you were doing it 5, 10 years ago. So, of course, there are new categories of solutions, right? I mean, it’s like what Neal said, it’s evolution.

[Geoff Belknap] Yeah, I think that’s exactly right. The evolution, though, is sort of indicated by the shift across quadrants, across product categories. And I think some of the problem here is born of where Gartner really started in the industry maybe 15, 20 years ago: there just wasn’t an easy way to get information. There wasn’t a lot of product, or not nearly as much product out there, and you needed somebody to sort of sort through that for you. Today, there are tons more products, but there are a lot more ways to understand it, and the products are evolving much faster than they used to. So, I think while the categories and the quadrants are great, a lot of times they don’t update very quickly, and the markets shift very quickly.

I mean, one of the things with AI is you are seeing the threat landscape shift at light speed compared to how it used to shift. You’re seeing threat actors pivot sort of their techniques, their tactics, their targets rapidly and sort of locking into waiting for some analyst, whether it be Gartner or anybody else, to give you a strong signal or a quadrant or a cube or a timeline or a time crystal, whatever it might be, that might not be the way we have to go anymore. And I think this is also one of those areas where you’ve got to do the hard work. There are no free lunches and there are no easy answers. And at the end of the day, you’re going to have to go out there and work for it to figure out what product fits your need. 

[David Spark] I mean, also, this is also just a classic case of market fit. The market needs a Gartner to make Magic Quadrants to hyper-simplify something unbelievably complicated. Yes, Alex? 

[Alex Hutton] Yes, I’m not as cynical as most about the space. I’ll say this, there’s a missing piece to this equation, and I don’t know if the listeners or either of you are familiar with Wardley Maps. A guy named Simon Wardley came out with this device when he was at Ubuntu, and what it does is basically give you a way to figure out, okay, what’s kind of the lifespan of a specific technology? What is its end point destination? Where will it end up? And so, it’s great for Gartner to have Magic Quadrants and leaders and followers and all that stuff. As Geoff said, however, it shifts. If, as a CISO, I don’t also understand lifecycle, if I can’t prognosticate and create a model that says, “Eventually this will be commoditized. And therefore, my investment window is probably three to five years. That’s what this investment means,” then I’m just taking whatever is spoon fed to me. I’m not doing my part of that job. That piece is missing from a lot of the equation. And I think that’s a source of a lot of frustration for people: they don’t have a device with which to kind of parse the information Gartner gives them.

Sponsor – ThreatLocker 

13:17.009

[David Spark] Before I go on any further, let me tell you about ThreatLocker, the spectacular sponsor of the CISO Series. I’ll ask you a question. Do zero-day exploits and supply chain attacks keep you up at night? Well, you don’t really have to worry anymore. You can actually harden your security with ThreatLocker. Imagine taking a proactive deny-by-default approach. This is key right there. The deny-by-default approach to cybersecurity blocks every action, process, and user unless specifically authorized by your team. ThreatLocker helps you do this and provides a full audit of every action, allowed or blocked, for risk management and compliance. Onboarding and operation are fully supported by their US-based support team.

So, stop the exploitation of trusted applications within your organization to keep you running efficiently and secure, protected from ransomware. Worldwide, companies like JetBlue trust ThreatLocker to secure their data and keep their business operations flying high. Now, to learn more about how ThreatLocker can mitigate unknown threats and ensure compliance for your organization, go to their website, visit ThreatLocker.com. And that’s key, by the way, is that this deny-by-default approach allows for you to be protected from unknown threats. Remember, ThreatLocker.com. 

Is anyone happy with this solution? 

14:32.779

[David Spark] Joshua Saleh of ITM.CX said, “Simplifying rather complex challenges isn’t as easy as it sounds, especially with the rate in which technology changes. The tech industry as a whole is constantly evolving. So, keeping current is a never-ending mission. Not staying current can lead to gaps that bad actors are on the prowl to exploit. This is why it’s often crucial to pull in the experts that have the time to keep up. One-stop shop vendors are often able to simplify management, create time-saving automations, and reduce silos, while frameworks such as zero trust are easier concepts to grasp and implement than NIST, CIS, etc.” 

David Lamb of Charles Schwab said, “What if there was some kind of framework that listed out controls that translated into domains of security capabilities that somehow all security practitioners could have access to and have a common language and understanding that could be used for these security products to communicate what they do for the technology security posture for business enablement.” I read this and I was thinking about Sounil Yu’s Cyber Defense Matrix. You’re familiar with that, yes, Alex? 

[Alex Hutton] Sounil Yu is fantastic. We’re huge Sounil Yu fans. 

[David Spark] As am I.

[Alex Hutton] Both as a person and the work. 

[David Spark] And he used to work at Bank of America, by the way. 

[Alex Hutton] Sounil Yu is one of the reasons why I wanted to work there, and he’s been to my parents’ house, and we’ve sat out on the porch and just chatted about things like CDM. 

[David Spark] And we’ve had him on the show many times and we’ve had him on video. He’s great too. 

[Alex Hutton] I do think that Joshua has kind of a point, which is if you’re going to be a vendor, make it relevant to the buyer. I would argue that NIST and CIS are something that you can do. And I think you can use the CDM to also map, and we do this in my shop, to map and say, “Aha, here’s a product; the product serves a fit through the CDM. I also know what my requirements are for NIST CSF by using the CDM as well, and I can do a one-to-one mapping and connect all the dots. And therefore, this makes sense.” That allows me to go to my risk management committees and whomever and say, “I need to address, with this product, these requirements of our organization, and this is a good one to do it with.”

[David Spark] All right. I’m taking this one to you, Geoff. The ability to organize what you physically have. I mean, isn’t this kind of like a core part of the CISO, just to understand what tools I have in my environment and basically understanding that?

[Geoff Belknap] Yeah. And I think this is where breaking it into segments that are defined is really valuable. Part of the CSO’s job or any security leader is to understand their portfolio of capabilities and understand the capacity of those capabilities. If your problems fit neatly into those categories, you can very easily put your portfolio together and understand where your gaps are. The downside of that is most people’s problems are not the same as everybody else’s. And you can’t literally just go, “I will take one of each thing and then I’m done.” You have to sort of understand what’s different for you. You know, when you’re buying a car, you need to know if that car fits your needs. Just knowing if you’re buying the best car in that category doesn’t mean that it’s the best car for you. And I think it’s the same for security products. You really have to do the work to understand, great, you’re looking for something in that category. What are the specific challenges that you’ve got in that category that’ll figure out whether it fits for you? 

[David Spark] And that’s a really good point, because as an industry, we’re very obsessed with that Magic Quadrant. I mean, being in that upper right box, especially far in the upper right box, is that magic zone. But like you said, not everybody needs an SUV, not everybody needs a pickup. They’re all cars, but what fits right for you and your environment? And also, talking about environment: someone who lives in an area that has a lot of dirt roads is going to want a pickup truck, and vice versa, someone in the city wants a small car so they can park it. So, understanding your environment is key.

What’s the optimal approach? 

18:44.709

[David Spark] Ajish George of State Street said, “It would be great if the acronyms were at least used consistently. Some of these are applied to various tools and projects more as wishful thinking and the need to populate a sparse quadrant or wayboard rather than as any sort of meaningful taxonomy of the vendor ecosystem. CAASM, CCM, CSPM, XDR, LMAO – there is no LMAO, but I like that, throw that one out – are all as labile as shifting sands and used to bolt together non-existent categories with a marketing flyer.” All right. Well, I think Ajish is not as sort of pro wanting all these acronyms, but he kind of points out that there was a time, Alex, I would be embarrassed to ask someone, “I’m sorry, what is CSPM?” And now it’s like don’t be embarrassed. Totally okay. No one’s going to judge you as being stupid. Let me ask, did you ever have that shift yourself, Alex, of, “I used to be embarrassed to ask what it is, but now I don’t”? 

[Alex Hutton] I have gone to the other side of that. In fact, if you come to me with an LMAO acronym, you might just get an eye roll. 

[David Spark] [Laughter] 

[Alex Hutton] There are a couple of things that drive me nuts as I’m approached with this. One is your first three slides telling me all about the threat landscape and how I really need to take security seriously. You’re talking to a CISO. 

[David Spark] By the way, yeah, can I pause you on that one? 

[Alex Hutton] Yeah.

[David Spark] Pitching to CISOs that they have to take security seriously is like telling a doctor they have to take their patient’s health seriously. It’s beyond insulting. Go on. [Laughter] 

[Alex Hutton] No, you want to go, “Wait, what? Ransomware, what is this thing?” 

[David Spark] [Laughter] 

[Geoff Belknap] “I knew I was supposed to be doing something.” 

[Alex Hutton] No, in all seriousness though, right, somebody comes to me, the second thing is get to the point. Sometimes that might be we take permissions from here, we put them in a graph database, we use some K-means distance-based machine learning, and here’s the output, and here’s how it’s going to make your analysts’ lives better. The amount of time it takes a sales pitch or a category or something to tell me, “Here’s how I’m going to make your analyst awesome,” is absurd in this industry. I empathize with Ajish. I think he and I could have adult beverages and many laughs together because we’re probably both suffering from that “just get to the point.”

[David Spark] Yes, I think the “get to the point” thing is something that we all want in this industry. I’m sure you’ve heard it, Geoff. You’ll sit in a pitch and it’s 10 minutes and you still don’t know what the company does? [Laughter] 

[Geoff Belknap] No, that’s never happened because I refuse to do pitches now. Well, I’ll just say on that, I have learned to be pretty upfront and say like, “Look, if we’re going to meet together, bring one, maybe three slides, and they should probably just be like basic architecture slides so I can understand how this thing integrates into my environment or how it works. But I do not need a discussion about what the quadrant is and what else is in the segment. If we’re having the discussion, assume that I already know all that.” And frankly, most people get that. 

I think just getting to the comment here, it is very challenging, but here’s my recommendation for everybody. My practical advice, you get it once per episode. Limit the use of acronyms down to the collection of things that you want to evaluate. If you know you’re looking for a CSPM or an XDR, go, “Okay, here’s five of them. Let’s talk to these five vendors. Let’s see if those things, when we talk to them, seem like they have decent features or they sort of address our specific threat or risk needs,” and then decide who you want to pilot. And then that’s where the fun starts. How fast can that person deliver value in your environment? How challenging is it to pilot? How effective is it or easy is it to use in your environment? How quickly is it giving you value? And I think that’s where you can start to really take off, and that’s where it’s like the acronyms start to matter once you really start to engage with the product, and then you can really get to it. The acronym is great for getting the people in the door, and they know it, but you have to just stop believing in it after that and make your own choices. 

Closing 

22:53.523

[David Spark] Well, that brings us to the portion of the show, Alex, where I’m going to ask you, which quote was your favorite and why. So, please take a look at the quotes and tell me which quote was your favorite. 

[Alex Hutton] Can I pick something Geoff just said? 

[David Spark] Sure, why not? 

[Alex Hutton] I really enjoyed what Geoff said, and it’s because it really is a two-way street. We have to understand what our needs are, and what we need from our vendors is a good trust relationship. I’ll take an inferior technology over a superior delivery and a superior partnership probably 9 times out of 10. Your reputation matters. And if you’re using a bunch of acronyms, if you’re obfuscating your value because you think it’s expected of you as a marketer, you’ve already violated that initial trust impression on me. So, the faster you can get to that value, kind of drop the acronyms or scale back trying to be creative with new acronyms, the more trust you’re going to get from me and the more we’ll get to a point where you can share your value. 

[David Spark] Very good. All right. So, he picked you as being the most brilliant here. Now, you do not have to reflexively say something Alex said was brilliant. You may pick a quote from one of our listeners here. 

[Geoff Belknap] I’ll just pick my quote. My quote was clearly the best. 

[David Spark] [Laughter] Nobody picks my quotes! 

[Geoff Belknap] Well, David, we all pick your quotes. It’s just assumed you’re the best. 

[David Spark] Go ahead. Your favorite quote and why, Geoff. 

[Geoff Belknap] All right. I’m going to go with Marty Bakal from MITRE, who said, “As a vendor, I don’t even think it helps us. It means we have more things to prove we support than when we could just say we support security in certain ways and move on.” And I think I feel for Marty, having been on a couple different sides of this, and you really, especially if you’re somebody helping build that product, you really want to just talk to people. You want to grab them and shake them and be like, “We just do this thing, and we do it really well.” And I get that. 

What I can tell you is, sitting on this side as a buyer of solutions, I cannot search on the internet for, “I just need things that do this set of things well.” Although we seem to be getting really close with LLMs and agentic AI, for now it is really hard to describe things in that broad term; marketing’s not designed that way. And these things, they have a use. Now, are they overused? Do people maybe sort of abuse them? Yes. But that’s true of everything. I mean, come on, security people. We’re in this industry. Everybody abuses everything we build, and that’s why we have jobs. So, yes, is it a pain in the butt? Sure. But you know, buying things in general is a pain in the butt. But we need the vendors. We need the partnership. We can’t do this without each other. And this is just one more area that we need to get better at together.

[David Spark] Very, very good. And very succinctly put together. Thank you very much, Geoff. Thank you very much, Alex. I want to thank our sponsor as well. That would be ThreatLocker, Zero Trust Endpoint Protection Platform. Remember, learn more about that, deny-by-default, threatlocker.com. Go check them out. Very impressive stuff they’re doing there. We greatly thank them for their support of this show. And I want to thank our audience. As always, we greatly appreciate your contributions and listening to Defense in Depth. 

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.