Episode Transcript
0:00
It seems like cyber security
0:02
is content to suffer
0:04
deaths by a thousand
0:06
Gartner quadrants. Why do
0:08
we insist on complicating
0:10
an industry that's begging
0:13
for simplification? You're
0:15
listening to Defense in
0:17
Depth. Welcome to Defense in
0:19
Depth. My name is David
0:21
Spark. I'm the producer of the
0:23
CISO Series, and joining me
0:26
as my co-host, it's Jeff Belknap.
0:28
Jeff, say hello to the nice
0:30
audience. Hello, nice audience, and
0:32
the rest of you also. You're
0:35
welcome. Oh, you think there's somebody
0:37
who's not nice audience that's listening
0:39
to us? I mean, statistically, there's
0:42
got to be at least one. Do you want
0:44
to name them by name? Well, I think
0:46
it's our guest, but I mean, we'll see.
0:48
Our sponsor for today's episode
0:50
is ThreatLocker, Zero Trust Endpoint
0:52
Protection Platform. ThreatLocker, absolutely
0:55
spectacular sponsor of the CISO
0:57
series. We love their support.
0:59
Thank you so much, ThreatLocker.
1:02
And very soon we will
1:04
be talking about their Zero
1:07
Trust solution. CSPM, DSPM, F-S-I-N-C-I-P-M. That's
1:09
a lot of acronyms, Jeff. And
1:11
as an industry, we seem to
1:13
be awash in them. But as
1:16
Caleb Sima of White Rabbit
1:18
asked on LinkedIn, does defining
1:20
a thousand vendor product niches actually
1:23
help us with the job of
1:25
cyber security or just
1:27
make it actually easier for vendors
1:29
to sell a new product category?
1:32
What do you think Jeff? Nope,
1:34
but let me elaborate. No, leave
1:36
it at that. Let's wrap up
1:38
the show. Show over. Thanks everybody.
1:41
Good job sponsor. You really got
1:43
a good one today. I get
1:46
what we're trying to do. And
1:48
certainly I can appreciate Gartner's challenge
1:50
here of trying to help corral
1:53
every individual product that's out there
1:55
into something that buyers can understand
1:58
quickly. And you know, that's out
2:00
with a really positive intent and I
2:03
understand we were coming from where we
2:05
are today though pretty far from where
2:07
we started and now it seems like
2:10
everybody is just trying to get Gartner
2:12
to invent the new categories it's just
2:14
got them in it to make the
2:16
differentiation easier or worse. People are just
2:19
making up whether they fit into category
2:21
or not and they don't, you know,
2:23
they don't have those features at all.
2:26
It really has gotten to the point
2:28
where it's pretty confusing for security leaders
2:30
to understand what they're buying by just
2:32
acronyms only. It can be tough. You
2:35
bring up a very good point that
2:37
it's kind of difficult on all levels,
2:39
but we're going to kind of parse
2:41
this out on today's discussion. And I
2:44
am truly thrilled that we have our
2:46
guests today. This is someone I've known
2:48
for a very long time. And because
2:51
of roles that he had before has
2:53
sort of prevented us from coming on
2:55
the show, but I am thrilled that
2:57
he is joining us now. Someone I've
3:00
interviewed many times in the past and
3:02
thrilled that this is his first time
3:04
ever being on a CISO Series show.
3:06
So, wow, no pressure here. Yes, well,
3:09
yes, he is going to be fantastic.
3:11
No pressure. He is the CISO over
3:13
at Atlantic Union Bank, none other than
3:16
Alex Hutton. Thank you so much for
3:18
joining us. David, thank you for having
3:20
me. Jeff, thank you for having me.
3:23
Ron Reiter of Sentra said, quote, startups
3:26
are trying to differentiate themselves between existing
3:28
security vendors and between the other incumbents.
3:30
As a startup guy, seeing so much
3:32
competition around makes you understand that if
3:35
you don't have an edge in your
3:37
storytelling above your direct competitors, CISOs will
3:39
not even give you a chance because
3:42
you're yet another startup. And then the
3:44
second issue is they're trying to simplify
3:46
budgeting for security tools, so large companies
3:48
would understand why more money is needed
3:51
to be spent on top of existing
3:53
security tools. For example, a company with
3:55
the CSPM still needs to secure their
3:58
data, which is why it's easier to
4:00
pitch a DSPM rather than a tool
4:02
that automatically detects all of the sensitive
4:04
data in the cloud, understands if
4:07
it's currently at risk, and what to
4:09
do to mitigate that risk, which is
4:11
not what a CSPM does or is
4:14
supposed to do. And Marty Bacal of
4:16
MITRE said, quote, as a vendor, I don't
4:18
even think it helps us. It means
4:20
we have more things to prove we
4:23
support when we could just say we
4:25
support security in certain ways to move
4:27
on. I acknowledge individual vendors request specific
4:30
ones, so they are differentiated, but it
4:32
doesn't help us as a whole. Too
4:34
much confusion means we have to research
4:36
and explain more all for the same
4:39
thing. Look, there is value to what
4:41
Gartner's doing. It's taking complication, putting a
4:43
label on it, so we all sort
4:45
of universally can say, all right. This
4:48
is that. Now, yes, there could be
4:50
someone who does DSPM differently than somebody
4:52
else. That's where differentiation comes in. But
4:55
we do need to have a collective
4:57
understanding of something. Yes, Jeff? Yeah, absolutely.
4:59
I think, you know, they hit the
5:01
nail on the head here when we
5:04
talk about the duality of the problem.
5:06
Yes, as a buyer of security products,
5:08
you're generally going to budget based on
5:11
a product category or grouping. And when
5:13
you're out there looking, you're like, great,
5:15
I put aside n dollars for a
5:17
CSPM or a DSPM or EDR or
5:20
an XDR or whatever it might be.
5:22
And the vendors competing for your attention
5:24
want to be in the space that
5:27
they think you've budgeted for. They want
5:29
to be able to talk to you
5:31
if they know you're out there in
5:33
that product space. But the reality is,
5:36
a lot of times you're not looking
5:38
for a CSPM, a DSPM, or whatever,
5:40
you're looking to solve a problem that
5:43
your organization has. And it becomes really
5:45
difficult to differentiate who can solve that
5:47
problem if you're only looking at category
5:49
names. And I think Marty points this
5:52
out really well. A lot of the
5:54
people in the different categories are highly
5:56
differentiated. They solve the problem in different
5:59
ways. They solve it to different degrees
6:01
of completeness. Some are platforms, some are
6:03
sort of, you know, niche solutions. It
6:05
is helpful to a point, but beyond
6:08
that point, it really can just exacerbate
6:10
the confusion. This is, to me, Alex,
6:12
this is like when you're pitching a
6:15
movie, you have to reference other movies.
6:17
So someone understood, oh, this is what
6:19
I'm buying right now. But yeah, I
6:21
mean, it would make your buying process
6:24
tantamount difficult if all these products didn't
6:26
have labels on it, wouldn't it? Jeff
6:28
brings up a good point, which is
6:31
having a label makes it easier to
6:33
categorize something and sell it internally, right?
6:35
What if my CIO comes to me
6:37
and says, Alex, what are we doing
6:40
about CSPM? Because he read about it
6:42
or heard about it on a podcast
6:44
like this, and I say, what's the
6:47
CSPM? That doesn't look good. That's not
6:49
going to be something useful. On the
6:51
other hand, I could say, hey, I
6:53
was listening to the CISO Series podcast
6:56
and I heard about CSPM. It's a
6:58
cloud security posture management tool. You should
7:00
go listen to that because I think
7:03
there's some value there and we should
7:05
think about buying that. I get all
7:07
that. I have a very interesting background
7:09
in this and that. I have been
7:12
a startup founder twice. I have actually
7:14
had funds to invest or have been
7:16
the security technical person that helped drive
7:19
investments for large funds. And now as
7:21
CISO and as former security executive at
7:23
another large bank, somebody who actually goes
7:25
out and buys these things. I understand
7:28
that it's not going to be quite
7:30
as sexy to say, well, I take
7:32
these permissions from here, I run them
7:35
through a graph database, I do some
7:37
machine learning, and then I make it
7:39
pretty in HTML5. That would actually sell
7:41
me nine times out of 10, but
7:44
it isn't exactly going to be a
7:46
great lead for your website. It doesn't
7:48
fit on a bumper sticker. It's not
7:51
going to resonate with your investment. So
7:53
let me ask you, since you've actually
7:55
grown up a good point being that
7:57
you've literally been on every side of
8:00
this equation at one time or another,
8:02
is there one thing that's frustrating continuously
8:04
across all sides or does it change
8:07
depending on which side you're on? Wow,
8:09
it's a great question. I think the
8:11
frustrating element that would be on all
8:13
sides would have to be the fact
8:16
that you are constantly trying to sort
8:18
through marketing speak to figure out exactly
8:20
what the value is. As an entrepreneur,
8:23
you have to think about less is
8:25
more. Because if I come out and
8:27
I just say I'm some ephemeral security
8:29
gobbledygook to someone and a bunch of
8:32
buzzwords collected, that gets me nothing, right?
8:34
So I have to pare that back
8:36
and actually express a value out of
8:38
that. If I am a potential investor,
8:41
right, I also need to know exactly
8:43
what you're doing. I have to figure
8:45
out, are you a company or are
8:48
you a feature? And how is that
8:50
going to sell? And if I'm a
8:52
CISO, I have to say, okay, is
8:54
this actually worth my money and my
8:57
time, which is sometimes much more valuable,
8:59
to actually invest in this, is it
9:01
going to make my life better? That's
9:04
the one thing that I think all
9:06
three share is catchphrases, buzz phrases,
9:08
and not getting to a point of
9:10
what your value statement is. It's endemic
9:13
in our industry, I'm afraid. Neil Hardsell
9:15
of Gradient Cyber said, quote, the fact
9:17
that there are prior market constructs, acronyms
9:20
as you say, suggests that there will
9:22
always be new constructs. I think that's
9:24
a very good point, by the way,
9:26
Neil makes. To say otherwise means that
9:29
one somehow adheres strictly to the prior
9:31
set, which is a function of what
9:33
we knew about data ingest analysis and
9:36
output representation at the time, it's merely
9:38
evolution. Don't blame marketers for trying to
9:40
participate. Gartner simply listens to the loudest
9:42
signal at the moment and then attempts
9:45
to profit by developing the new market
9:47
quadrant. Don't blame them either. They are
9:49
clearly good at it. And landed, Winklevos
9:52
of Neso said, right, wrong or indifferent,
9:54
the Gartner quadrant. are often views. It's
9:56
the pinnacle of reaching that differentiation as
9:58
often informed from the buyers, cyber security
10:01
practitioners and offenders and vendors. If only
10:03
there were a better way. So Jeff,
10:05
I'm throwing this to you. We're fooling
10:08
ourselves into believing that it could all
10:10
stay static. I mean... We've all been
10:12
in this industry for many years. What
10:14
you're protecting today is not the same
10:17
way you were doing it five, ten
10:19
years ago. So of course there is
10:21
new categories of solutions, right? I mean,
10:24
it's like what Neil said, it's evolution.
10:26
Yeah, I think that's exactly right. The
10:28
evolution, though, is, you know, sort of
10:30
indicated by the shift across quadrants, across
10:33
product categories. And, you know, I think
10:35
some of the problem here is born
10:37
of where Gartner really started in the
10:40
industry maybe 15-20 years ago was there
10:42
just wasn't an easy way to get
10:44
information, there wasn't a lot of product
10:46
or not nearly as much product out
10:49
there, and you needed somebody to sort
10:51
through that for you. Today, there are
10:53
tons more products, but there are a
10:56
lot more ways to understand it, and
10:58
the products are evolving much faster than
11:00
they used to. So I think while
11:02
the categories in the quadrants are great,
11:05
I think a lot of times they
11:07
don't update very quickly, and the markets
11:09
shift very quickly. I mean, one of
11:12
the things with AIs, you know, you
11:14
are seeing the threat landscape shift at
11:16
light speed compared to how it used
11:18
to shift. You're seeing threat actors pivot,
11:21
you know, sort of their techniques, their
11:23
tactics, their targets rapidly, and sort of
11:25
locking into waiting for some analyst, whether
11:28
it be Gartner or anybody else, to
11:30
give you or a quadrant or a
11:32
cube or a... timeline or, you know,
11:34
a time crystal or whatever it might
11:37
be, that might not be the way
11:39
we have to go anymore. And I
11:41
think this is also one of those
11:44
areas where, you know, we've got to
11:46
do the hard work. There are no
11:48
free lunches and there are no easy
11:50
answers. And at the end of the
11:53
day, you're going to have to go
11:55
out there and work for it to
11:57
figure out what product fits your need.
12:00
a Gartner to make magic
12:02
quadrant to hyper simplify something
12:04
unbelievably complicated. Yes, Alex? Yes,
12:06
I'm not as cynical as
12:08
most about the space. I'll
12:10
say this, there's a missing
12:13
piece of this equation. And
12:15
I don't know if the listeners or
12:17
either of you are familiar with Wardley
12:19
Maps. But Wardley Maps, guy named Simon
12:21
Wardley, came out with this device. And
12:23
what it does is it basically is
12:25
a way when he was at
12:27
Ubuntu to figure out, okay, what's
12:30
kind of the lifespan of a specific
12:32
technology? What is its end point destination?
12:34
Where will it end up? And so
12:36
it's great for Gartner to have magic
12:38
quadrants and leaders and all that stuff.
12:40
As Jeff said, however, however, it shifts.
12:42
If as a CISO I don't
12:45
also understand life cycle, if I can't
12:47
prognosticate and create a model that
12:49
says eventually this will be commoditized
12:51
and therefore my investment window is
12:53
probably three to five years, that's
12:55
what this investment means, then I'm
12:57
just taking whatever is spoon fed
12:59
to me. I'm not doing my
13:01
part of that job. That piece
13:03
is missing from a lot of
13:05
equation. And I think that's a
13:07
source of a lot of frustration
13:09
for people as they don't have
13:11
a device in which to kind
13:13
of parse the information Gartner gives
13:15
them. Before I go on any further, let
13:17
me tell you about ThreatLocker, the spectacular
13:20
sponsor of the CISO series. I'll ask
13:22
you a question. Do zero-day exploits
13:24
in supply chain attacks keep you up
13:26
at night? You don't really have to
13:28
worry anymore. You can actually harden your
13:30
security with ThreatLocker. Imagine taking
13:32
a proactive, deny-by-default approach. This
13:35
is key, right there, the
13:37
deny-by-default approach to cybersecurity blocking
13:39
every action process and user
13:42
unless specifically authorized by your
13:44
team. ThreatLocker helps you do
13:46
this and provides a full audit
13:48
of every action, allowed or blocked,
13:51
for risk management and compliance. On-boarding
13:53
and operation is fully supported by
13:55
their U.S.-based support team. So stop
13:58
the exploitation of trusted applications within
14:00
your organization to keep you
14:02
running efficiently and secure protected
14:04
from ransomware. Worldwide companies like
14:06
JetBlue trust ThreatLocker to secure
14:08
their data and keep their
14:10
business operations flying high. And
14:12
to learn more about how
14:14
ThreatLocker can mitigate unknown threats
14:16
and ensure compliance for your
14:19
organization, go to their website.
14:21
Visit ThreatLocker.com. And that's
14:23
key, by the way, is
14:25
that this deny by default
14:27
approach allows for you to
14:29
be protected from unknown threats.
14:31
Remember ThreatLocker.com. Is
14:35
anyone happy with this solution?
14:41
Joshua Sela of ITMCX said, quote,
14:43
simplifying rather complex challenges isn't
14:45
as easy as it sounds, especially
14:47
with the rate in which
14:49
technology changes. The tech industry as
14:51
a whole is constantly evolving.
14:53
So keeping current is a never
14:55
ending mission. Not staying current
14:57
can lead to gaps that bad
14:59
actors are on the prowl
15:01
to exploit. This is why it's
15:03
often crucial to pull in
15:05
the experts that have the time
15:07
to keep up. One-stop shop
15:10
vendors are often able to
15:12
simplify management, create time saving automations
15:14
and reduce silos while frameworks
15:16
such as Zero Trust are easier
15:18
concepts to grasp and implement
15:20
than NIST, CIS, etc. David Lamb
15:22
of Charles Schwab said, quote,
15:24
What if there was some kind
15:26
of framework that listed out
15:28
controls that translated into domains of
15:30
security capabilities that somehow all
15:32
security practitioners could have access to
15:34
and have a common language
15:37
and understanding that could be used
15:39
for these security products to
15:41
communicate what they do for the
15:43
technology security posture for business
15:45
enablement. I read this and I
15:47
was thinking about Sounil Yu's
15:49
Cyber Defense Matrix. You're familiar with
15:51
that? Yes, Alex. Sounil Yu
15:53
is fantastic. We're huge Sounil Yu
15:55
fans. As am I. Both
15:57
as a person in the work.
15:59
And he used to work
16:01
at Bank of America, by the way. Sounil Yu
16:03
is one of the reasons why I wanted to work there.
16:06
And he's been to my parents' house, and we've sat out
16:08
on the porch and just chatted about things like CDM. And
16:10
we've had him on the show many times, and we've had
16:12
him on video. He's great, too. I do think that Joshua
16:14
is kind of a point, which is
16:16
if you're going to be a vendor,
16:18
make it relevant to the buyer, I
16:20
would argue that NIST and CIS is
16:22
something that you can do, and I
16:24
think you can use the CDM to
16:27
also map, and we do this in
16:29
my shop, to map and say, aha,
16:31
here's a product. product serves a
16:33
fit through the CDM. I also know
16:35
what my requirements are for NIST CSF
16:37
by using the CDM as well, and
16:39
I can do a one-to-one mapping and
16:42
connect all the dots, and therefore, this
16:44
makes sense. That allows me to go
16:46
to, you know, my risk management committees
16:48
and whomever and say, I need to
16:50
address, you know, with this product, these
16:53
requirements of our organization, and this is
16:55
a good one to do it with.
16:57
All right. I'm taking this one to
16:59
you, Jeff. the ability to organize what
17:01
you physically have. I mean, in this
17:03
kind of like a core part of the
17:06
CISO, just to understand what tools I have
17:08
in my environment and basically understanding that?
17:10
Yeah, and I think this is where,
17:13
you know, breaking it into segments that
17:15
are defined is really valuable. You
17:17
know, part of the CISO's job
17:19
or any security leader is to
17:21
understand their portfolio of capabilities and
17:23
understand the capacity of those capabilities.
17:26
If your problems fit neatly into
17:28
those categories, you can very easily
17:30
put your portfolio together and understand
17:32
where your gaps are. The downside
17:34
of that is most people's problems
17:37
are not the same as everybody
17:39
else's. And you can't literally just
17:41
go, I will take one of
17:43
each thing, and then I'm done. You have to
17:45
sort of understand what's different for you. You know,
17:47
when you're buying a car, you need to know
17:49
if that car fits your needs. Just knowing if
17:51
you're buying the best car in that category doesn't
17:53
mean that it's the best car for you. And
17:55
I think it's the same for security products.
17:58
You really have to do the work done. understand.
18:00
Great. You're looking for some of that category.
18:02
What are the specific challenges that you've
18:04
got in that category that'll figure out whether
18:06
it fits for you? That's a
18:08
really good point because as an
18:10
industry, you're very obsessed with that
18:13
magic quadrant. Being in
18:15
that upper right box, especially
18:17
far in the upper right box,
18:19
is that magic zone. But
18:21
like you said, not everybody needs
18:23
an SUV. Not everybody needs
18:25
a pickup. They're all cars, but
18:28
what fits right for you
18:30
in your environment? And also talk about environment. Someone
18:32
who lives in an area that has a
18:34
lot of dirt roads is going to want to
18:36
pick up truck. Vice versa. Then someone
18:38
in the city wants a small car so they can
18:40
park it. So understanding your
18:42
environment is key. What's
18:47
the optimal approach? Ajish
18:53
George of State Street said, quote,
18:55
it would be great if the
18:57
acronyms were at least used consistently.
18:59
Some of these are applied to
19:01
various tools and projects, more as
19:03
wishful thinking and the need to
19:05
populate a sparse quadrant or way
19:07
board rather than as any sort
19:09
of meaningful taxonomy of the vendor
19:11
ecosystem. C-A-A-S-M-C-C-M-C
19:13
-S-P-M-X-E-R-L-M-A-O. There
19:15
is no L-M-A-O, but
19:17
I like that you throw that
19:19
one out. Are all as
19:21
label as shifting sands in used
19:23
to bolt together non-existing categories with
19:25
a marketing flyer? All right. Well, I
19:27
think Ajish is not as sort
19:30
of pro wanting all these
19:32
acronyms, but he kind of points
19:34
out that there was a time, Alex,
19:36
I would be embarrassed to ask
19:39
someone, I'm sorry, what
19:41
is CSPM? And now it's
19:43
like, don't be embarrassed, totally
19:45
okay. No one's going to judge you as
19:47
being stupid. Let me ask you, did
19:49
you ever have that shift yourself,
19:51
Alex, of I used to be embarrassed to
19:53
ask what it is, but now I
19:55
don't? I have gone to the other
19:57
side of that. In fact, if you
19:59
come to me with an - Ameo
20:02
acronym. You might just get an eye
20:04
roll. There are a couple of things
20:06
that drive me nuts as I'm approached
20:08
with this. One is your first three
20:10
slides telling me all about the threat
20:12
landscape and how I really need to
20:14
take security seriously. You're talking to a
20:16
CISO. Can I pause you on that
20:19
one? Yeah. Pitching to CISOs that they
20:21
have to take security seriously is like
20:23
telling a doctor they have to take
20:25
their patients health seriously. It's beyond insulting.
20:27
Go on. You want to go wait.
20:29
What? What is this thing? I
20:32
knew I was supposed to be doing something. No,
20:34
in all seriousness though, right? As somebody
20:37
comes to me, I really want the
20:39
second thing is get to the point.
20:41
And sometimes that might be we take
20:43
permissions from here. We put them in
20:45
a graph database. We use some
20:47
K-means distance-based machine learning. And here's the
20:49
output. And here's how it's going to
20:51
make your analysts' lives better. The amount
20:53
of time it takes a sales pitch
20:55
or a category or something to tell
20:57
me, here's how I'm going to make
20:59
your analyst awesome is absurd in
21:01
this industry. And I empathize
21:04
with this. I think he
21:06
and I could have adult
21:08
beverages and many laughs together
21:10
because probably suffering from that just get
21:12
to the point. Yes. I think the get
21:14
to the point thing is something that
21:16
we all want in this industry. I'm sure
21:18
you've heard it, Jeff. You'll sit in
21:21
a pitch and it's 10 minutes and you
21:23
still don't know what the company does.
21:25
No, that's never happened because I refuse to
21:27
do pitches now. Well, I'll just say
21:29
on that, I have learned to be pretty
21:31
upfront and say, look, if we're going
21:33
to meet together, bring one, maybe three slides.
21:36
And they should probably just be like
21:38
basic architecture slides so I can understand how
21:40
this thing integrates into my environment or
21:42
how it works. But I do not
21:44
need a discussion about what the quadrant
21:46
is and what else is in the
21:48
segment. If we're having the discussion, assume
21:50
that I already know all that. And
21:52
frankly, most people get that. I think
21:54
just getting to the comment here, it
21:56
is very challenging. But here's my recommendation
21:58
for everybody, my practice. school advice. You get
22:01
it once per episode. Limit the use of
22:03
acronyms down to the collection of things that
22:05
you want to evaluate. If you know you're
22:07
looking for a CSPM or an XDR, go,
22:10
okay, here's five of them, let's talk to
22:12
these five vendors, let's see if those things
22:14
when we talk to them seem like they
22:16
have decent features or they sort of address
22:19
our specific threat or risk needs, and then
22:21
decide who you want to pilot. And then
22:23
that's where the fun starts. How fast can
22:25
that person deliver value in
22:28
your environment? How challenging is
22:30
it to pilot? How effective is it
22:32
or easy is it to use in
22:34
your environment? How quickly is it giving
22:36
you value? And I think that's where
22:38
you can start to really take off
22:41
and that's where it's like... The acronyms
22:43
start to matter once you really start
22:45
to engage with the product and then
22:47
you can really get to it. The
22:49
acronym is great for getting the people
22:51
in the door and they know it,
22:53
but you have to just stop believing
22:55
in it after that and make your
22:58
own choices. Well that brings us to
23:00
the portion of the show, Alex, where I'm
23:02
going to ask you which quote was
23:04
your favorite and why. So please take
23:06
a look at the quote and tell
23:08
me which quote was your favorite. And
23:10
I picked something Jeff just said. Sure,
23:12
why not? I really enjoyed what Jeff
23:15
said, and it's because it really is
23:17
a two-way street. We have to understand
23:19
what our needs are, and what we
23:21
need from our vendors is a good
23:23
trust relationship. I'll take an inferior technology
23:25
over a superior delivery and a superior
23:27
partnership, probably nine times out of 10.
23:30
Your reputation matters. And if you're using
23:32
a bunch of acronyms, if you're obfuscating
23:34
your value because you think it's expected
23:36
of you as a marketer, you've already
23:38
violated that initial trust impression on me.
23:40
So the faster you can get to
23:43
that value, kind of drop the acronyms
23:45
or scale back trying to be creative
23:47
with new acronyms, the more trust you're
23:49
going to get from me and the
23:51
more we'll get to a point where
23:54
you can share your value. Very good.
23:56
All right. So he picked you as
23:58
being the most brilliant here. You do
24:00
not have to reflexively say something Alex said
24:02
was brilliant. You may pick a quote
24:04
from one of our listeners here. I'll just
24:06
pick my quote. My quote was clearly
24:08
the best. Nobody picks my quotes. Well, David,
24:10
we all pick your quotes. It's just
24:13
assumed you're the best. Go ahead. Your favorite
24:15
quote of mine, Jeff. All right, I'm
24:17
going to go with Marty Bacall from MITRE,
24:19
who said, as a vendor, I don't
24:21
even think it helps us. It means we
24:23
have more things to prove we support
24:25
than when we could just say we support
24:27
security in certain ways and move on. And
24:30
I think I feel for Marty, having
24:32
been on a couple different sides of this,
24:34
and you really, especially if you're somebody
24:36
helping build that product, you really want to
24:38
just talk people. You want to grab
24:40
them and shake them and be like, we
24:43
just do this thing. We do it
24:45
really well. And I get that. What I
24:47
can tell you is sitting on this
24:49
side as a buyer of solutions, I cannot
24:51
search on the internet for I just
24:53
need things that do these set of things
24:55
well. Although we seem to be getting
24:57
really close with LLMs and agentic AI. But
24:59
for now, it is really hard to
25:01
describe things in that broad term. Marketing
25:03
is not designed that way. And these
25:06
things, they have a use. Now, are
25:08
they overused? Do people maybe sort of
25:10
abuse them? Yes, but that's true of
25:12
everything. I mean, come on, security people,
25:14
we're in this industry. Everybody abuses everything
25:16
we build, and that's why we have
25:18
jobs. So yes, is it a pain
25:20
in the butt? Sure, but like buying
25:22
things in general is a pain in
25:24
the butt, but we need the vendors.
25:26
We need the partnership. We can't do
25:28
this without each other. And this is
25:30
just one more area that we need
25:33
to get better at together. Very, very
25:35
good. And very succinctly put together. Thank
25:37
you very much, Jeff. Thank you very
25:39
much, Alex. I want to thank our
25:41
sponsor as well. That would be ThreatLocker,
25:43
zero trust endpoint protection platform. Remember, learn
25:45
more about that. Deny by default,
25:47
ThreatLocker.com. Go check them out. Very impressive
25:49
stuff they're doing there. We greatly thank
25:51
them for their support of this show.
25:54
And I want to thank our audience.
25:56
As always, we greatly appreciate your contributions
25:58
and listening to Defense In. We've
26:00
reached the end of Defense in Depth. Make
26:02
sure to subscribe, so you
26:04
don't miss yet another hot
26:06
topic in cyber security. This
26:08
show thrives on your contributions.
26:10
Please write a review. Leave
26:12
a comment on LinkedIn or
26:14
on our site, CISOseries.com, where
26:17
you'll also see plenty of
26:19
ways to participate, including recording
26:21
a question or a comment
26:23
for the show. If you're
26:25
interested in sponsoring the podcast,
26:27
contact David Spark directly at
26:29
David@CISOseries.com. Thank
26:31
you for listening to Defense
26:33
in Depth.