The discussion presented in this episode revolves around the intricate dynamics of the cybersecurity industry, emphasizing the multifaceted roles within it. Our esteemed guest, Zaira Pirzada, the managing partner and owner of Infinitus Management Consulting, elucidates her journey into cybersecurity, highlighting the importance of understanding various market strategies for startups. She articulates a profound perspective on the necessity of aligning marketing strategies with genuine product value, thereby ensuring that organizations effectively communicate their unique selling propositions. Additionally, Zaira draws attention to the critical nature of fostering trust and transparency in client relations, particularly within the context of evolving technological landscapes. As we delve deeper into these themes, listeners will gain invaluable insights into navigating the complexities of cybersecurity practices and the imperative of continuous learning and adaptation in this ever-changing field.
Takeaways
The discourse presented in this podcast episode is a profound examination of the multifaceted nature of cybersecurity, featuring an engaging dialogue between the host, Joe Carson, and his esteemed guest, Zaira Pirzada, the managing partner of Infinitus Management Consulting. The conversation commences with an exploration of Zaira's unconventional journey into the cybersecurity domain, which was catalyzed by her academic pursuits in security policy and civil affairs. This formative background has endowed her with a unique perspective on the intersection of military and civilian dynamics in cybersecurity, particularly as it pertains to the emerging threats posed by asymmetric warfare in the digital realm. Zaira elaborates on her transition from studying militant non-state actors to delving into the intricacies of governance, risk, and compliance (GRC), a field she notes serves as a pivotal entry point for many aspiring cybersecurity professionals. As the dialogue progresses, the hosts delve into the critical role of effective communication within the cybersecurity landscape, emphasizing the imperative for professionals to cultivate a shared understanding across diverse roles. This theme is further elaborated upon through the discussion of the evolving nature of cyber threats and the necessity for holistic security practices that transcend traditional silos. The conversation also touches upon the challenges associated with keeping pace with rapid technological advancements and the implications for organizational security posture. The episode culminates in a reflection on the significance of mentorship and knowledge sharing within the cybersecurity community, highlighting the collective responsibility of seasoned professionals to educate and empower the next generation of experts.
Throughout the discussion, Zaira's insights resonate with the audience, underscoring the importance of adaptability, collaboration, and continuous learning in navigating the complex cybersecurity landscape.
Speaker A:Hi everyone.
Speaker A:Welcome back to another episode of the Security by Default podcast.
Speaker A:I'm the host of the show, Joe Carson.
Speaker A:It's a pleasure to be here and always excited to bring new guests and new conversations and new knowledge to all of the audience out there.
Speaker A:And I'm really excited about today's episode.
Speaker A:I am joined with an amazing guest.
Speaker A:Zaira.
Speaker A:Do you want to give the audience a bit of a background about yourself, how you got into the industry and what you do?
Speaker B:Sure, absolutely.
Speaker B:I want to remember exactly how we met.
Speaker B:This is something that's on my mind, but let's listen.
Speaker A:We did a podcast together a long time ago.
Speaker B:Yeah, we did, we did.
Speaker A:It was maybe about two or three years ago, maybe even more.
Speaker B:Well, yours was an incredible episode.
Speaker B:We can touch on that.
Speaker B:That was very similar to an experience that you've had in the past.
Speaker B:So, Zaira Pirzada.
Speaker B:I am the managing partner and owner of Infinitus Management Consulting.
Speaker B:It's a consulting firm that helps cybersecurity startups from seed to Series C grow by combining a very sharp go-to-market strategy with sleeves-rolled-up execution.
Speaker B:Beyond just that, I am an avid poetry writer, I play sitar and I love to keep fit.
Speaker B:A former powerlifter and continuous strength trainer is what I would say getting into my older age, besides that, getting into cyber security, much like anyone else who is in their 30s and above has gotten in there by stumbling into there somehow.
Speaker B:And so mine was a stumbling in kind of journey.
Speaker A:So what did you start off, what was your educational background and kind of what did you start off with?
Speaker A:Was it poetry?
Speaker A:Was it what you educated to be for writing or what was that journey like?
Speaker B:It was unintentional.
Speaker B:It was so unintentional and it slowly became intentional.
Speaker B:So I went to graduate school for security policy.
Speaker B:I was studying civil affairs, civilian military affairs.
Speaker B:And I was more, at that time, I would say, nearly obsessed with the idea of how civilian bodies could keep an equal balance with military in such a way that one wouldn't assume the other.
Speaker B:And it's a very unique balance that humans have to keep within nation states.
Speaker B:And then started to study militant non state actors.
Speaker B:And with studying militant non state actors, I grew an affinity towards their understanding of alternate forms of warfare or asymmetrical forms of warfare wherein cybersecurity fear fit in as a discipline not by way of just security as I understood it then, but this proverbial cyber warfare in quotation marks, which is something we can't attest to have fully, but more by way of, let's say state to state tiffs.
Speaker B:So I was studying that, right.
Speaker B:I was studying that for, for a bit and did some internships there and then started to grow into what I felt was the easy way in.
Speaker B:Interestingly enough, I talked to a lot of kids today who feel like GRC's an interesting way in or an easy way in.
Speaker B:Governance, risk and compliance.
Speaker A:That's interesting.
Speaker A:So big, it's a big area though.
Speaker A:It's a massive.
Speaker A:I mean there's many different parts of governance side of things.
Speaker A:Whether you've got the regulatory side of things, you've got compliance, you've got insurance and those two very different viewpoints.
Speaker A:There's the ones who kind of do the audits themselves and then there's those who have to make sure that they're actually compliant with the audit.
Speaker A:So it's a massive area and a massive field and also sometimes very complex.
Speaker A:It's interesting that that's an entry point for a lot of people.
Speaker A:That's, that's a.
Speaker A:Because it's a great way to get into the industry because it will definitely give you a lot of knowledge very quickly.
Speaker B:It will.
Speaker B:There's a slight misconception that happens which is that security engineers and security architects have to be that much more engineering savvy than GRC people.
Speaker B:I'd hope that everybody is just as much right.
Speaker A:We all do have to be able to, I mean we have to be able to translate and understand interpretation, shared knowledge and a shared viewpoint that we're all on the same page.
Speaker A:The technical skills, you know, it's more about the execution side of things and that's a different kind of, kind of mindset or different approach.
Speaker A:We definitely do have to have the understanding about, you know, what, what's the impact, what's the risks, what do you need to do, how do you reduce them?
Speaker A:And we all need to be.
Speaker A:Whether you're a very kind of dev technical coding person or whether you're just somebody who's looking at making sure that the right rules are in place.
Speaker A:We definitely all have to be aligned.
Speaker B:I think so.
Speaker B:And there's so much more to say, say about this hypothetical and ideal state of security must be practiced to be understood.
Speaker B:How not ideal and how, how sometimes, how impractical sometimes configurations are.
Speaker B:Our development is for the sake of moving, be it faster or just moving in general.
Speaker B:So there's a lot to say.
Speaker B:But what, what I was trying to say initially was in fact I got in through open source intelligence, OSINT world and I did because there were a lot of jobs and due diligence in D.C. where I was living at that time.
Speaker B:I was in the DMV area.
Speaker B:So I know people who live at DC and are from DC, but where did you live?
Speaker B:And then I'll say Virginia.
Speaker B:So let me say I was living in Virginia and in the DMV.
Speaker B:Jobs that were available to people with my, you know, knowledge and degree at that time, in my early 20s, were in due diligence or an investigation, things like that that require you to be more or less a researcher.
Speaker B: ng on the Splunk of the early:
Speaker B:So that was a pain, with all due respect.
Speaker B:And then realized what it was to be in the discipline, that it wasn't just investigations, diligence and research where I was.
Speaker B:But there was a practical idea about security in an enterprise.
Speaker B:And everyone had a role to play.
Speaker B:And not every role was beautiful.
Speaker B:Not every role was easy, not every role was ideal.
Speaker B:But it was all necessary.
Speaker B:As I was growing in my career and then left, that ended up on television in an interesting way for the OSINT work that I would do.
Speaker B:And there was a reality TV show that CBS wanted to create called Hunted, where they wanted to give you just the name, birth date and last known location in a confined area in the East Coast.
Speaker A:That's one of my favorite things to do.
Speaker A:It's one of my favorite things to do every year.
Speaker A:So actually it's coming.
Speaker A:It's coming up for the audience.
Speaker A:What we have is in Estonia we do, and I've been doing it now for over 10 years, is.
Speaker A:It's called in Estonian, the translation Suveseiklus, which means summer adventure.
Speaker A:And what it is is basically a massive geocaching 4x4 in the nature looking for things that you have very little information to go by at the beginning.
Speaker A:And it's a four day event.
Speaker A:It is so much fun.
Speaker A:And it's all about the.
Speaker A:Yeah, the three days are split in so.
Speaker A:So we end up having.
Speaker A:So literally from an OSINT perspective, I'm coming in with all my gadgets and technology, drones and everything.
Speaker A:I'm like literally, fully, fully kitted for this thing.
Speaker A:And what happens is on the first day, on the Wednesday night, you get what's.
Speaker A:You get a map, a legend, and it's literally the counties where you're meant to be for the next three days after that.
Speaker B:That's insane.
Speaker A:And what you get is about 70 to 80 questions, which basically are questions that will tell you where you need to be to answer the question that you get the next morning.
Speaker A:So you had to create the legend and it's riddles, it's things like tiny pieces of information of history and you had to try and find.
Speaker A:Actually we just got the massive, what's called as the, the nut, which is the big.
Speaker A:It's the big one that gives you the most points over the three days.
Speaker A:And it's a riddle.
Speaker A:Sometimes it's in binary, sometimes it's in like code or riddles or words.
Speaker A:And then you have to try and find it through open source intelligence.
Speaker A:Very difficult to do it in Estonian for me because then language becomes a bit of an issue.
Speaker A:But that's, that's one of my favorite things to do.
Speaker A:So that TV show sounds like a lot of fun.
Speaker B:It was absolutely fun.
Speaker B:But that sounds, that sounds like.
Speaker A:I will share with the, for the audience what I'm going to do.
Speaker A:I'm going to share some pictures on social media.
Speaker A:It is literally one and you've got 150 teams competing.
Speaker A:You've got about 50 different vehicles and jeeps and everyone goes by and it's the middle of nowhere.
Speaker A:Sometimes it's so frustrating because you might be like 2, 3 o'clock in the morning, you're in the middle of nowhere in the dark and you've got your phone and you're trying to answer a question that says you're too far from the answer because to answer the question you have to be within 5 meters because the off the location, because it has to be at the right location.
Speaker A:And it's so much like, it's so intense because it's so competitive that everyone's competing.
Speaker B:This is awesome.
Speaker A:And it, and it goes from you, from 7:00 o'clock in the morning, you get the first set of questions and then you have to go to all the places in the legend that you hope that you got the right locations from the night before.
Speaker A:And you literally spend 24 hours answering all of those questions.
Speaker A:So, yeah, it's like, it's like one of the biggest nature cyber hunts that you can do every year.
Speaker A:So it's coming up end of, end of July.
Speaker A:I'm so excited.
Speaker B:I want to learn more about it as well because I think it's possible in New York.
Speaker B:I'm working more in my backyard these days, finding cyber startups here to work with and trying to evangelize this as a career in my own backyard, which is an ocean of a career.
Speaker B:But at least getting people more acclimated to the fun of the discipline, which it can be.
Speaker B:This is so fun.
Speaker B:This is so fun.
Speaker B:I got in through.
Speaker B:I loved Michael Bazzell's work on IntelTechniques.
Speaker B:If you remember inteltechniques.com or even just now I was reading his work the well, open source intel techniques and then there was the Bible and then the extreme privacy book that he had and then I got into.
Speaker A:They're sitting on my shelf over there.
Speaker B:Yeah, okay, great.
Speaker B:All right.
Speaker B:Do you have Nico Dekens' like work as well?
Speaker B:I'd follow Rae Baker's or Justin Seitz.
Speaker B:A lot of different great SANS authors that I would follow like Micah Hoffman.
Speaker B:So all of, all of this work I started to dig deep in and really fell in love with it and that was my way in.
Speaker B:But short lived because then I, I went to Gartner and I went.
Speaker A:It's, it's a, it's a great place to get surrounded by amazing people and great knowledge.
Speaker A:It's definitely, it's a great place to really accelerate careers.
Speaker B:It is, it is.
Speaker B:I am grateful until the end of days for Gartner, for all of the incredible analysts who I've met and for all of the work that they've done.
Speaker B:It's beyond Quadrant guide hype cycle.
Speaker B:It's beyond that.
Speaker B:The notes that GTP technical professional analysts are writing, TSP is writing on the markets or IT leaders.
Speaker B:There's all these different groups at Gartner.
Speaker B:It goes beyond just the proverbial analyst and more into a Here are these multifaceted intelligent human beings with just as diverse careers as we would assume.
Speaker B:Anyone in cyber from I would say our time, which is to say we didn't have disciplines in college.
Speaker B:Right.
Speaker A:In cyber security, for me it was just when I started off, it was back in the early 90s.
Speaker A:It was just generic.
Speaker B:That was just joy.
Speaker B:That was starting.
Speaker B:It was just starting.
Speaker B:And when I was there, there was no such thing either.
Speaker B:This was a we start, we created as an enterprise function.
Speaker B: d behold, you have your early:
Speaker B:And how could it even end up as a discipline in college?
Speaker B:I'm so shocked.
Speaker B:These days when I'm mentoring kids, they're like, oh, I'm taking this course, I'm taking that course in cyber.
Speaker B:And I just thought I met somebody who was great at what they did.
Speaker B:It wasn't everything in cybersecurity, but it was something.
Speaker B:And then they met.
Speaker B:They introduced me to someone else who did another something and another something.
Speaker B:It was never a.
Speaker A:It's pretty impressive how focused some of the courses getting get into is.
Speaker A:You know, for me it was.
Speaker A:I mean, I was doing basically assembly language when I started off in college and machine code.
Speaker A:I was writing machine code so in binary and everything else.
Speaker A:And it was like.
Speaker A:It was all.
Speaker A:Because then it was all about modems and you know, manual and digital communications.
Speaker A:So you were basically translating everything.
Speaker A:It was, it was pretty down to the fundamentals, which was a great start because then you learned basically the foundation of how everything's built on.
Speaker A:But now the disciplines become so narrow, so focused into very to forensics or to mal reverse engineering or looking at strategic decisions and commitment.
Speaker A:Then it was just you did everything, but you did a little bit of.
Speaker B:Everything that it's beautiful to see a discipline grow.
Speaker B:What feels like almost exponential considering the limited amount of time and the depth at which something, even just one section to say you're looking at setting identity security, even spend a life on identity security and still surface by every year something new and just by sake of innovation.
Speaker B:This is the absolute beauty of technology and also the human mind.
Speaker B:So it is beautiful to see that something is.
Speaker B:But you being an og, have such a privileged.
Speaker B:Which is a beautiful thing, which is such a privileged, privileged place to be.
Speaker B:Because it's hard in many disciplines for anyone to say what staple can you say that is an OG of cybersecurity?
Speaker B:You can be an actual OG and be here and be able to say this is where the inception, this is the starting point.
Speaker B:Now we don't have to go all the way back to our understanding of intelligence in the 60s and 70s to say that that's the inception point.
Speaker B:You know, we can.
Speaker B:But for you, at least as an enterprise function, you can, you can say, I know day one, I know day zero.
Speaker A:I remember, I remember when I started my first in university, we had, what was called was.
Speaker A:We had these kind of, you know, intern years where you go and work for a company for the year in between your course.
Speaker A:And for me it was.
Speaker A:I did it in two places.
Speaker A:The first place I did it was in medical records in the hospital.
Speaker A:And it was exactly the time of the hospital was digitalization of medical records.
Speaker A:They were taking them from old paper, so we had to take them from all the shelves and the paper like these massive folders on like.
Speaker A:Like a massive library, everyone's health information.
Speaker A:And we were moving it to basically mainframes at the time.
Speaker A:And that was basically, you're using dumb terminals, McDonnell Douglas dumb terminals.
Speaker A:And you're taking all of that information and making it available to a doctor.
Speaker A:Where previously it would have taken 30 days to get that medical record off the shelf and in the doctor's basically desk where we were then changing that, that it was actually instant.
Speaker A:Now the doctor had your medical record sitting in front of them at a dumb terminal.
Speaker A:So from an Excel, you know, efficiency side, you saw, we saw firsthand about the changes and improvements from going, it was very manual, very mundane, very resource intense to literally where the doctor could sit.
Speaker A:And then you improve accuracy as well, because then different doctors are looking at the data, are looking at people's handwriting, going, what did that person write?
Speaker A:And they misdiagnosed and misinterpreted things.
Speaker A:So the, even the integrity improved significantly.
Speaker A:But even I started seeing.
Speaker A:One of the other areas that I did the intern side of things in my early career was in the general practice practitioners.
Speaker A:These are the GPs who were sitting at different branches around different health, health centers.
Speaker A:And I did the initial trans digital, the digital transformation which was going from typewriters to computers.
Speaker A:So, and that was for me, that was hilarious.
Speaker A:It was a hilarious time.
Speaker A:Every, every time I think back to a moment, what I never, I laughed so much, was that time when you were like, you know, you're getting, getting support calls and you would go, somebody saying, you know, something's not.
Speaker A:My.
Speaker A:My foot pedal's not working.
Speaker A:I.
Speaker A:Foot pedal?
Speaker A:What foot pedal?
Speaker A:I didn't install a foot pedal.
Speaker A:So you go around and basically see where the person, you know, previously had a typewriter and they had a foot pedal, which was a Dictaphone for recording.
Speaker A:And they had the mouse from the basically computer on the floor and they're stamping their foot on the mouse.
Speaker A:You're going, no, that's not, that's not a foot pedal.
Speaker A:I mean, other times I go around, I see people with their cans of drinks stuck in the CD trays because they thought it was for holding drinks, a drinks holder.
Speaker A:So you see the CD tray popped out and the actual drinks can sitting in it.
Speaker B:Those times when I think that's just.
Speaker A:You can still do it today if you can find it.
Speaker A:But the memories of those times going.
Speaker A:And I laughed.
Speaker A:I mean, when I was watching some of the things that people were doing on computers at that time, from that early change from typewriters to proper, you know, desktop computers, I think it was at the time it was even.
Speaker A:It was Windows 3.1 plug and play, and then it was just at the verge of Windows 95.
Speaker A:And they were probably some of the most funnest times I had doing support calls, so.
Speaker A:Absolutely.
Speaker A:I mean, I've been around for a long time, but my early part of my career was at that fundamental moment where people were going from not having a computer to actually having a computer sitting in front of them and really starting their career in.
Speaker A:And the digitalization side of things we all talk about the Net boom and stuff was mostly around the web boom of web applications.
Speaker A:But even before that, when the hardware digital transformation happened, that was a fun time.
Speaker B:That's beautiful that you've seen that.
Speaker B:I think.
Speaker B:Yeah, you're right.
Speaker B:People often talk about the commercial Internet and cybersecurity from the commercial Internet perspective or the transformation of technology, at least from there.
Speaker B:I think before that, things are such a distant memory to people who feel like they're not inundated with those problems anymore because they've replaced them with a million other problems.
Speaker A:Lots of microservices.
Speaker A:One big, massive, mundane system is now, you know, thousands and tens of thousands of microservices that.
Speaker A:That.
Speaker A:That fundamentally replaced it.
Speaker B:Incredible.
Speaker B:Incredible.
Speaker B:And with that, of course, a lot more vulnerability.
Speaker A:Absolutely, absolutely.
Speaker B:Yeah.
Speaker B:You can't.
Speaker B:When the crown.
Speaker B:The shoulder has to manage the weight of the crown.
Speaker B:So.
Speaker A:Absolutely.
Speaker B:The more advanced.
Speaker A:So tell me about what you mean.
Speaker A:You spent a number of years as an analyst at Gartner.
Speaker A:How was that in your career?
Speaker A:And, you know, what did you learn from that process?
Speaker A:And then how did that shape your next change in career when you moved on from Gartner?
Speaker B:The biggest lesson I've learned at Gartner is quite funny.
Speaker B:I say this to everyone to keep my ears big and my mouth shut.
Speaker A:I think that's not just at Gartner.
Speaker A:I think that's in our entire industry.
Speaker A:We have to do better at that.
Speaker A:We have to do better at, you know, when we're talking to users and people, we definitely have to understand and listen more, you know, because sometimes we think more about what our job is there to do, but we have to understand about what is their job and how do we.
Speaker A:How do we help them.
Speaker A:That is definitely a lesson, I think, for everybody and a very important one.
Speaker B:Yeah, it's the best one.
Speaker B:It's the best one.
Speaker B:I've become more verbose as time has gone on, for sure.
Speaker B:But I think that comes with the confidence.
Speaker B:Having heard so much, listened to so much, and continuously practicing that ear and understanding what I'm willing to take a Risk on, especially if I espouse it.
Speaker B:So if I say something and I decide something or if I do something now, it not every risk is, is going to yield absolute success.
Speaker B:So another big lesson I've.
Speaker B:I've learned as well at Gartner is that you learn more from quote unquote failing, which I think is just falling down, than you do from succeeding.
Speaker B:And those two things.
Speaker B:Gartner analysts continuously teach me as well that the smartest person in the room is not the richest, which is one thing.
Speaker B:Having a gut, Being clever and knowing people and understanding people, moreover and acclimating to their room is going to be one of the greatest strengths.
Speaker B:All of these things are going to be our greatest strengths.
Speaker B:Because being smart is not good enough.
Speaker B:Being smart can also be a vice.
Speaker B:Being so smart can also be a vice.
Speaker B:And I think career wise.
Speaker B:I continue to learn that we have to have a balance, especially when we're oriented towards research and fact based knowledge.
Speaker B:That we have to continue to understand that the world does not work like that.
Speaker B:For as much as we believe by our compendium of knowledge.
Speaker B:What is the right or the direct way is not the way that humans act.
Speaker B:And that's why laws claim that the rational man or mens rea, the ideal human, acts this way.
Speaker B:Because there are so many non ideal irrational beings in this world and we too are liable to be that every so often.
Speaker B:So I've learned that there's a unique balance everywhere that you go to how to tap into that is art more than it is smart.
Speaker A:Absolutely.
Speaker A:I completely agree.
Speaker A:This is something for me.
Speaker A:A lesson I've always learned is definitely that the smart people in the room and the ones I've worked with over the years are always the most humble as well.
Speaker A:They tend to be the ones that are always opening, always willing to share their knowledge, sometimes in exchange, just for coffee, which is, you know, it's, it's very kind of enlightening as well.
Speaker B:Yeah, I love, I love the people.
Speaker B:You know why I love our discipline so much?
Speaker B:It's because I've met more people here that lack the hubris in the great way, in a great way that I've seen in many other disciplines, which is there is a barrier of entry.
Speaker B:To my knowledge.
Speaker B:Yes, the career may have this barrier of entry, considering many different useless blockers in the real world.
Speaker B:It must have sort of certification this age, et cetera, et cetera, et cetera, while they're being hacked by young children.
Speaker B:I think there's something dumb about that.
Speaker B:But I know that people who have actually practiced in cybersecurity have been incredible mentors and incredible in helping you grow because they have a shared mission with you.
Speaker A:Yep.
Speaker A:Yeah, everyone.
Speaker A:A lot of the people I've had as guests over the years on the podcast that I've been hosting is that they have this shared.
Speaker A:Kind of want to be educators and teachers.
Speaker A:They want to take the knowledge that they've been forced off because when they were very young getting into this industry, they also had mentors and people who helped them shape their career and help them move forward and learn new things.
Speaker A:And in turn, it's almost like they've, they've become the mentors themselves and also have now dedicated to sharing and, and passing on that knowledge.
Speaker A:And I think it's a great, it kind of circle of life in this industry that we all have this kind of passion to teach.
Speaker A:You know, it's, we do the hard research, we spend hours and weeks and, you know, time looking and trying to understand how something works and how to really get into the fine details.
Speaker A:And then once you finally get it, once you finally get that success and you see it working, you want to share it.
Speaker A:And again, that's what, you know, the community comes in together to listen to this person sharing their knowledge as well.
Speaker A:So I think it's a great, a great industry and a great community.
Speaker A:Yeah.
Speaker A:That really definitely defines knowledge sharing in such a way where it, it definitely takes on a life of its own in many cases.
Speaker B:Yeah.
Speaker B:Yeah.
Speaker B:Hope it always stays that way.
Speaker A:I hope so too.
Speaker A:So tell me, tell me a little bit more.
Speaker A:In the recent, you've been recently a CMO as well?
Speaker B:Yeah.
Speaker A:And after, you know, after doing open source intelligence, which I think that's, that's such a great place to start because it allows you to really fundamentally, you know, really help you find the data that you need to find.
Speaker A:And then an analyst is then really interesting because then it's, it's understanding and shaping the data to make it actually explainable and make it actually, you know, something that has value and has meaning and then to becoming a CMO, which is then how do you use that data in order to build trust and build what's the expectations and build explainability.
Speaker A:So for me, your journey's been very fascinating because all of those really kind of build on each other to much greater knowledge.
Speaker A:So in the recent years, how has been a CMO in this industry, how has that been different from your previous experiences in the past?
Speaker B:It's being a chief sacrificial officer.
Speaker A:Okay.
Speaker B:And it's funny, CISOs and CMOs can sit in the same room and complain about the same things in different terms.
Speaker B:And I've realized it's possible CMOs can sit there and say nobody listens and we look like a spend function and we look like a risk function and CSOs will sit there and say same.
Speaker A:Yep, it's the cost department.
Speaker B:And while CMOs give the perception of brand integrity and understanding, so we're perception functions, we're not like CFOs and CROs backed by hard dollar amounts accrued by the actual tangible efforts of our team.
Speaker B:Now, CMOs are obviously in great CMOs, let alone great marketing teams.
Speaker B:The CMO is a great title and I believe there are so many people well suited to have it and continuously, over and over because they have that resilience to understand that as much as a CISO who is revolving continuously as a CISO has that resilience to understand that this isn't going to be easy every single time and every dollar counts and we can't promise from every dollar that we'll be secure, let alone we can't promise from every dollar that we'll get a return.
Speaker B:So we see each other eye to eye and we're sailing in different boats on the same ocean of an enterprise.
Speaker B:So I have to say it's very much like that.
Speaker B:Now, more specifically, I'd say this because I didn't classically come from a marketing background, but I had all of the absolute chops to be a fantastic product marketer.
Speaker B:I came in as fractional to companies and advisory, which I am doing again now to startups to help them say, well, very much similar to what Gartner would do, but being more an interpreter of the markets.
Speaker B:Now this is where you would fit in and this is where you'll succeed and you have a high probability of success.
Speaker B:This is where you may not succeed and this is where the probabilities are less.
Speaker B:And it's not just because of perception, brand value and the acronym name game that you're playing, but more now because of my CMO position and what I've been able to understand, what the cost of your tool is, what people are willing to pay for it, what are investors willing to trust out of your company to continue funding it?
Speaker B:And if you don't have investors, what do you need to prove?
Speaker B:And furthermore, what do you have to do from a solutions engineering and architect position to a sales position and sales motion and then marry that to bring to market?
Speaker B:None of that is intimately understood as a Gartner analyst.
Speaker B:None of that is intimately understood as a practitioner.
Speaker B:You're there buying the tool and judging the efficacy of the tool.
Speaker B:But the entire engine it takes to run a company and that to find your place in a startup, it has been a very rewarding experience.
Speaker B:I realized from that, well, you know what I can do?
Speaker B:I can.
Speaker B:I'm going to go back to Infinitus and now build my own company.
Speaker B:Put time into building your own self.
Speaker B:Why?
Speaker B:Because I feel like I've accrued so many individuals in my life, experts in what they do, be it in lead and demand generation, brand in graphic, SEO, sales in general, or architecture engineering, customer success.
Speaker B:I've learned from all of them and said, well, I found a way to package and service this for the companies I care about, which are seed to series C, but more specifically seed to series B because the failure rate is so high and it doesn't deserve to be when you know there's great product, but it's just the engine isn't running.
Speaker B:And I love great products.
Speaker B:Winning, not great.
Speaker A:I totally agree.
Speaker B:Because of the game.
Speaker A:Yes.
Speaker A:It's, it's, it's.
Speaker A:I completely agree.
Speaker A:I've been fortunate enough for me to be in across numerous startups that have succeeded really, really well.
Speaker A:And I've seen other startups where they have, you know, sometimes it's just the timing, sometimes it's their strategy to go to market, sometimes it's their pricing, sometimes it's their message.
Speaker A:And it's really important that startups are going through those early.
Speaker A:Yep.
Speaker A:When they're going through that process is they really need to make sure about who they're selling to and what their appetite is, you know, what they're willing to pay money in order to solve those problems, but also to make sure that they don't.
Speaker A:I was talking with a friend earlier this week and we were talking about RSA and everyone in RSA had the same message.
Speaker A:And it really became that for me, that if you're a buyer, and now it's hard to, you know, distinguish the unique value, each of those vendors, that if they're all having the same message, then all of a sudden you've got, you know, not just a few vendors that's, you know, trying to solve that problem.
Speaker A:You got hundreds of vendors and thousands of vendors, and now it's about what's the unique value.
Speaker A:And that just overcomplicates the market by everyone saying the same thing.
Speaker A:And it's really about kind of focusing on what you're really good at, focus on your core value that you really the problem that you're really solving and make it very clear.
Speaker A:Everyone's jumped on the AI bandwagon, the zero trust bandwagon, the security by design bandwagon.
Speaker A:And it's kind of like, you know, now applying buzzword bingo at a conference is actually frustrating because it's too easy.
Speaker A:It should be.
Speaker A:Buzzword bingo should be hard in order to meet all those buzzwords.
Speaker A:So for me, what do you think is, you know, taking all those lessons you've learned, you know, what, what makes good marketing?
Speaker A:What, what should the marketing, if it has been seen as a cost center and simply is seen as just, you know, a brand message for the organization, what things should it be focusing on and what should be trying to change in order to make it successful?
Speaker A:Especially for the startups?
Speaker B:I have to admit, it's far more complicated than just standing out at a conference or on a data sheet or in a demo.
Speaker B:It's far more complicated than that.
Speaker B:We do play buzzword bingo here, but we play it because we're stuck in it.
Speaker B:We're stuck in this maze.
Speaker B:It's the way that the markets are understood and evangelized by way of this, by people who have or vendors who have more money and more time to do it.
Speaker B:And then that becomes the ask on an RFI or RFP and then that becomes a part of the brand.
Speaker B:So even when you have the best product marketers in the room, even when you have fantastic relationship from marketing to product to product to sales and just something that works among them, you'll realize a few things.
Speaker B:One is that you can find your USP or your unique selling proposition and you can find your differentiated narrative.
Speaker B:But you have to know who to send out to deliver that message.
Speaker B:And there is an engine that goes behind this.
Speaker B:Are you going to use development reps, business or sales development reps?
Speaker B:Are you going to go on the ground because Zoom meeting fatigue or Teams or whatever you want, whatever platform fatigue is too much, you might just get to the first meeting, or second meeting, the demo might flop.
Speaker B:So what, what is working these days?
Speaker B:And I think great marketing is looking at this after we have tailored the suit and we have tailored it on the person who is meant to go to the party, can that person talk?
Speaker B:And that is big and are they at the right party to talk?
Speaker B:Are they at the right thing?
Speaker B:And is it costing us more than we need them to do?
Speaker B:And this is marketing becomes more of a game of not just SEO and advertisement and bringing in inbound.
Speaker B:But a, do I have the right performers out there on the field to sell this product, to get the deal through?
Speaker B:Because sales cycles are super long now.
Speaker B:And even if you have the same message across three other vendors, people buy from people, people don't buy product.
Speaker B:And so do I have the team to make it happen?
Speaker B:That's one lesson I'll share.
Speaker B:Just another one that I've realized.
Speaker B:You want everyone in the company to understand what makes them different.
Speaker B:If it's even just one niche thing across the entire swath of same in this industry, what is that one thing that makes them different?
Speaker B:They don't have to all share the same elevator pitch, but they have to share the same mission.
Speaker B:And the only people that can make this happen are dedicated founders and dedicated C suite teams.
Speaker B:If I've learned this and I've seen this over and over again, if you have founders who are just money hungry, they aren't founding a product or a team for the mission.
Speaker B:If they cannot tell you their elevator pitch, they cannot tell you why they love the product.
Speaker B:They cannot tell you what they're willing to do and what they're willing to give up in life.
Speaker B:Because you have to give up so much when you own your own company.
Speaker B:So freaking much.
Speaker B:So some people lose their marriages over this.
Speaker B:They have to have some people lose life with their children.
Speaker B:If you're willing to lose all of it, you must know what you're willing to lose it for.
Speaker B:And if I meet founders who don't know what they're willing to risk it all for and they just want to sell and move it fast, make it clear to the market, make it clear to partners, resellers.
Speaker B:Don't put all your money in an engine to make it move.
Speaker B:And to be big, you don't have to have the most unique message at that point.
Speaker B:You just have to have the best message to someone who's going to buy you.
Speaker A:Yep.
Speaker A:And something that's very clear in context.
Speaker A:You know, it's straight, straight to the point, you know, get rid of all the fluff.
Speaker A:The fluff just is to satisfy the kind of the competitive or the market differentiators.
Speaker A:It's everyone's kind of pushing people to do something or to say something just because other people's doing it.
Speaker A:I always say keep to your core and keep to what I always find that works the best is when you're educating about what you do.
Speaker A:If your education and knowledge becomes kind of fueling, which results in people then learning more about your products, it's the best way to go to market, you're giving value already by adding educational knowledge out there rather than just a product pitch, which is you're going straight to selling.
Speaker A:Then you have to have a product that really solves a big problem.
Speaker A:Mostly I hate.
Speaker A:I've been in the industry for a long time and I get so many sales pitches.
Speaker A:Do you have 30 minutes for demo?
Speaker A:What problem are you solving first?
Speaker A:Why do you want 30 minutes of my time before you, before you even tell me what problem you're solving?
Speaker A:Some of the pitches and sales kind of methods are just, I will say the most valuable thing that we all have in this world is time.
Speaker B:Yes.
Speaker A:And the moment that anyone starts asking for my time is that you got to have something of value immediately.
Speaker A:That is clear to me.
Speaker A:That doesn't take a 30 minute conversation.
Speaker A:In order for me to understand it, you have to do it in the first sentence of your email, the first sentence of your message, or the first kind of, you know, phrase that comes across.
Speaker A:It has to be simple and has to be straight to the point.
Speaker B:So true.
Speaker B:That is so true.
Speaker B:There's a lot of room in the cybersecurity vendor market for vendors to first and foremost make sure that they're offering a real product.
Speaker B:So there's a lot of room for that, number one.
Speaker B:The number two, understanding what problem they're solving.
Speaker B:I just, there's not a lot of room for those two things.
Speaker B:Make sure you're really actually offering product, number one.
Speaker B:And number two, make sure that that product is something people need and then make sure that that need is, is, you know, something you can sell in everyone's body.
Speaker A:Yes, everyone, Everyone, you know, that is, is, is kind of, you know, has similar, similar problems.
Speaker A:That's one of, it's also one of the things, you know, usually when I'm presenting at conferences, the first thing, the first, you know, pretty much slide is for me to make that connection with the audience that we all have that same fundamental problem.
Speaker A:We all have the pain of, you know, certain things in the organizations that we're struggling with and we don't have the visibility or we don't have the ability to control it or to report or to meet regulatory compliance from the GRC perspective.
Speaker A:And we all have different pain points and it's about making that connection with the audience about, do we all, we all agree that this is a pain that everybody has?
Speaker A:Not everyone, it's not 100%, not everyone's going to have it.
Speaker A:Some people solved it in their own way or own methods but you definitely want to make sure it's the majority of the people.
Speaker A:And that's one of the things for me when I'm doing buzzword bingos at the conference, one thing as I always go and it's like, you know, take, you know, three minutes, they have to explain their product and for me to really cut through is what they're advertising really what they're doing.
Speaker A:And I can tell you in most cases it's not.
Speaker A:When I see AI at a lot of the booths and I go basically and try to get them explain it to me.
Speaker A:I'm going, what?
Speaker A:Just because you've done an integration with another GPT engine doesn't make your product AI.
Speaker A:It doesn't, it doesn't change the value.
Speaker A:So it's really important to make sure that to cut through the FUD and really get down to what organizations are doing.
Speaker A:And I think one thing I really enjoyed what you were doing the last couple of years was the report that you were creating every year which the report that was being generated, reading it showed for me as consuming that information.
Speaker A:One is that you're educating me.
Speaker A:Coming back to my fundamentals of, you know, I want to be educated.
Speaker A:Two is that a lot of effort went into creating it.
Speaker A:You can see the amount of effort that and knowledge and time that went into creating the report.
Speaker A:So that gives me kind of, that kind of, kind of assumption of expertise within the company.
Speaker A:And then in turn that creates a trust.
Speaker A:It's, there's that, okay, you're coming to it with the report, you're educating me.
Speaker A:There's a lot of time and knowledge and expertise went into creating it.
Speaker A:And that builds a trust in, in the brand and community.
Speaker A:So for me that was one thing I always actually seen and I, I think more companies should take that approach.
Speaker B:Yes.
Speaker A:Because it's a very, you can see it's approach that does work and it is something that you know then teaches me also what the organization does as well.
Speaker B:I, I thank you for that.
Speaker B:I believe companies like, you know, regardless of what people's understanding is ethic, they want to keep this out.
Speaker B:Just for sake of the example.
Speaker B:Tesla is a successful company not because it sells cars, but because of its data.
Speaker B:It's a data company.
Speaker A:It's worth because it's because of its user license agreement.
Speaker A:The user license agreement is what determines because in the user license agreement as you sit in that car and you accept that license agreement, what you're stepped in to do is all the data that that car is generating is owned by Tesla.
Speaker A:And that's ultimately what makes the money.
Speaker B:Yes, yes.
Speaker B:You'll find I personally will invest in companies when I see their IP moat being their data.
Speaker B:And this is the same perspective I take to cybersecurity because I've seen it as a transferable lesson from other industries.
Speaker B:When you have the best data, then you need the best analysts and then the best storytellers and then the people who can make it pretty and go run with it on the streets and sell it.
Speaker B:But it must start from that IP moat.
Speaker B:And that's something I look for all the time.
Speaker B:Doesn't mean I'll always go to, you know, threat intelligence platform or I'll go to a TDIR threat detection incident response company or something.
Speaker B:I won't, I won't choose them based on them saying all we do is threat intel.
Speaker B:What I like to look at are companies that will create a strong defensible IP based on how rich their data is first and foremost and how unique it is.
Speaker B:And then where can you drive it?
Speaker B:And thank you for pointing out that report because it's about showing proof and proof of value in marketing is also here is everything that we are collecting or maybe a sliver of the pie.
Speaker B:And I want to show you how rich that is and how much more it could be if you like.
Speaker A:Absolutely.
Speaker A:For me that's one of the biggest, biggest advantages that companies can do is show the knowledge that they have and the data that they've got because it does two things.
Speaker A:It either helps educate the world and I could use that intelligence in order to do so much more with a lot of the products or a lot of the services and solutions that you're investing in already.
Speaker A:And then the second part is that how much time am I wasting doing it manually today?
Speaker A:So to my two points is the two biggest values that we get is one is that is the data something of high value that allows me to do much more automation and ultimately return reduce wasted time.
Speaker A:So does that data help provide me qualitative and quantifiable kind of intelligence that can then be used in order to either help me accelerate things much faster that would take a lot of time to do, or reduce wasted time that I'm doing trying to create it in a manual way?
Speaker A:I believe absolutely.
Speaker A:Reducing waste of time?
Speaker B:Yes.
Speaker B:And fatigue Analysis.
Speaker B:Fatigue analysis fatigue is so serious because think of how many poor decisions are made in stressful times.
Speaker B:And if we're to create trust and reliability on a fact basis, we can use that have lower cortisol response and at least channel a more direct, emotionally balanced, less stimulated response.
Speaker B:And that means we can be more centered with understanding our environment and the interplay among humans.
Speaker B:Because overall our entire discipline is human v human, initiated by process and technology.
Speaker B:That's it.
Speaker B:It's human v human.
Speaker A:It's the process and technology are facilitators for us to make human based decisions and actions or kinetic results Right.
Speaker B:Against other humans.
Speaker A:It's to serve us, to empower us.
Speaker B:Right.
Speaker B:Defense is not done well under stress.
Speaker B:Defense is done well under not only courage, but calm, trust and confidence.
Speaker B:Defense is done very well that way.
Speaker A:It's because you simulate and you practice.
Speaker A:So that becomes, it becomes habit.
Speaker B:Yeah.
Speaker B:And data's a very big part of this.
Speaker B:It is.
Speaker B:I don't know if you started reading the book that I was releasing at all.
Speaker B:Inside the Mind of Threat Exposure.
Speaker A:No, not yet, no.
Speaker B:Okay.
Speaker B:I'm releasing a 10 part series that will go into the human idea of threat exposure.
Speaker B:So this is how do we respond to security functions?
Speaker B:What happens to us chemically?
Speaker B:What happens to us like neurobiologically?
Speaker B:What is, are the societal dynamics we're playing in, us v attackers, general attackers.
Speaker B:And then slowly moving into the political, economic and then into the technology facilitation.
Speaker B:And the entire series.
Speaker B:I'm releasing it on LinkedIn.
Speaker B:You'll see that two parts have been released.
Speaker B:Another two parts are on their way just now.
Speaker B:But it, it has received some good response.
Speaker B:And this is my big research journey today.
Speaker A:Okay, fantastic.
Speaker A:Well, it's, it's interesting.
Speaker A:A lot of, you know, last year was interesting.
Speaker A:Some of the incident response cases I worked on beforehand, the first half of last year I was still, you know, you're still interacting and communicating with the attackers directly either through, you know, Telegram chats or you know, burner emails and stuff.
Speaker A:Interesting.
Speaker A:The second half of last year, the incident communication was then with AI chatbots.
Speaker A:So the attack then basically had taken out the middle people.
Speaker A:Even cybercriminals were losing their jobs to AI chatbots.
Speaker A:And it was interesting because then to your point, when you're dealing with those types of communications now it's a chatbot, there is no human empathy.
Speaker A:There's no kind of ethics and response.
Speaker A:They just have a task and if I'm not satisfying the task, I'm not meeting their goals.
Speaker A:So it's quite interesting that the more of those processes we move humans out, of which then questions the integrity and the empathy that is it there to serve humans.
Speaker B:I'm more than certain that even these systems negotiation support are going to totally create an economy in support of negotiation at a bottom dollar, a bottom line which will.
Speaker B:Maybe this will be controversial to say, but looking at the perspective you just offered, give us a more adequate and true value or range value for our own data.
Speaker B:Because right now negotiations will not give us a median value for where our data is, how it's priced, what it is and what price it ranges from.
Speaker B:But if you were to then create a logic supporting that and say this is the median or this is the, you know, nadir value, the lowest value, I'll pay for this.
Speaker B:Now we've finally found for insurance providers this range that is reliable to negotiate within, which means we are supporting that economy more or less.
Speaker B:Right, versus just saying I will not negotiate.
Speaker B:So something will come out of it by way of economy.
Speaker A:Absolutely.
Speaker A:It reminds me back of a couple of the negotiation cases that used to be years ago.
Speaker A:It was about how many terabytes the attacker stolen.
Speaker A:That was it.
Speaker A:It was a per terabyte or per gigabyte ransom or per device.
Speaker A:Now it's about the quality and the type of data.
Speaker B:And that's so subjective.
Speaker B:And it also depends on mood, it depends on the confidence of the group, it depends on how they want to project themselves into their own environment.
Speaker A:Absolutely, yeah.
Speaker A:So a question for yourself.
Speaker A:So what?
Speaker A:I'm definitely going to get the link to your 10 part series, the threat intelligence piece.
Speaker A:So we'll make sure.
Speaker A:We will.
Speaker A:I'll add them to the show notes and make it easier for the audience to gain access to it.
Speaker A:So.
Speaker A:And what, so what do you do to keep up to date?
Speaker A:How do you stay?
Speaker A:What's your source of intelligence and knowledge?
Speaker A:Where do you go to everything?
Speaker B:I hate to say it, but everything.
Speaker B:So I'll.
Speaker B:I'll look.
Speaker B:I carry different subscriptions on Medium.
Speaker B:I have behanced subscriptions as well to several, I think movers and shakers there.
Speaker B:I do the same thing on LinkedIn.
Speaker B:Of course I'll also have a Google feed going.
Speaker B:I will follow several vendors and evangelists that are present there.
Speaker B:I have your classic, like clearly I have your classics.
Speaker B:Yeah, they're good in general.
Speaker B:Right.
Speaker B:What else?
Speaker B:My mind is escaping me.
Speaker B:My problem is that this sort of obsession has to be.
Speaker B:You're never gonna get everything and you're often going to get what you need to execute on the role that you're doing on a daily basis.
Speaker B:And considering that I'm running a business, much of my knowledge then becomes very centered on what it is that I'm doing.
Speaker B:For my clients and I'm in this world specific.
Speaker B:So if I right now I have an AI agent security, I have another vendor I'm working with that's doing autonomous red teaming.
Speaker B:I have another vendor as well that's doing the typical doctor so they're looking at three different market spaces wherein I have to keep up.
Speaker B:How much time that takes leaves this much time.
Speaker B:So for every source I gather from I have to admit to you no matter how many sources I gather from, it's not as though I get to read everything.
Speaker B:So I'm keeping something on all the time I'm watching and I'm keeping abreast when it ever comes to policy these days and regulation these days because it's so erratic as well as funding in the United States that I'm kept most busy by how economy is moving here to support the vendors I work with.
Speaker A:Yep.
Speaker A:That's I think is a global.
Speaker A:It's a global scenario.
Speaker A:We're saying that's the kind of the stability and kind of where different organizations of vendors come to from a global perspective is very unpredictable at the moment.
Speaker B:Interesting times.
Speaker A:It is interesting times.
Speaker B:Interesting products make crunch.
Speaker A:It does indeed.
Speaker A:So it does indeed.
Speaker B:I'm just keeping up.
Speaker B:I have to admit to you I wish I could take everything in with the multiple pursuits I have.
Speaker B:I take as much as I can take in to be successful, as much as I can take in to be happy and then as much as I can take in to stay curious.
Speaker A:That's the important part is make sure you always spend time on yourself to do the things you enjoy and motivations and stay happy.
Speaker A:So keep, keep up with all of your sports activities for sure.
Speaker A:What's.
Speaker A:What's the best way for the audience to if they want to reach out, if they're interested in coming to you and learning more about your advisory side roles and the knowledge and services or what's the best way if they have follow up questions to contact you.
Speaker A:How.
Speaker A:How is the best way for the audience to get in touch?
Speaker B:Absolute best way is LinkedIn.
Speaker B:It's LinkedIn, Zaira Pirzada, P I R Z A D A, and then otherwise my first name Zaira, Z A I R A, infinitusmc.com.
Speaker A:Fantastic. I'll make sure that we add those to the show notes as well so it'll be easy for people to find you.
Speaker A:Many thanks for being on the show.
Speaker A:It's been awesome.
Speaker A:I always enjoy talking to you and hopefully we'll get to catch up at a conference or somewhere in the near future, grab a coffee, chat more about sports.
Speaker B:Yeah, likewise.
Speaker B:We owe it to each other.
Speaker B:We owe it to each other.
Speaker B:I feel like we're always passing each other somehow at conferences we are attending.
Speaker B:So I absolutely owe it to you too.
Speaker B:Once, once my recovery is through from sport related injuries, we will have.
Speaker A:For the audience, we're both having the same recovery process from similar injuries.
Speaker A:So we'll see.
Speaker A:See, I think yours is going to take a little bit longer than mine, though, because I'm already on the recovery side.
Speaker B:Well, by the time I get out there again, you'll be first on the list.
Speaker A:Fantastic.
Speaker A:Okay, thank you very much, everyone.
Speaker A:Stay safe, take care and tune in to the Security by Default podcast every two weeks for future updates, future guests and great conversations.
Speaker A:Take care and all the best.
Speaker A:Bye.