Fernando Montenegro, a distinguished industry analyst in cybersecurity, articulates the pivotal best practices that analysts should adopt to navigate the complexities of the cybersecurity landscape effectively. Throughout our discourse, he elucidates the necessity for analysts to function as intermediaries among various stakeholders, including buyers, sellers, and investors, thus facilitating informed decision-making processes. Montenegro emphasizes the importance of clarity in communication, advocating for an open-minded approach during analyst interactions to maximize the value derived from these engagements. He further discusses the strategic implications of cybersecurity decisions, urging organizations to appreciate the multifaceted influences that shape their security postures. Ultimately, this episode serves as an invaluable resource for professionals seeking to enhance their analytical practices within the rapidly evolving cybersecurity domain.
In this episode, Fernando Montenegro shares his journey into the cybersecurity industry, insights on industry analysis, and the evolving trends shaping cybersecurity today. Discover how analysts bridge the gap between vendors, buyers, investors, and academia, and learn practical tips for engaging effectively with industry experts.
Key Takeaways
Sound Bites
"Understanding what's going on in the world"
"Good enough security can be effective"
"Workload AI versus workforce AI"
Chapters
00:00 Introduction to Security by Default Podcast
00:53 Fernando Montenegro's Origin Story
05:16 The Role of an Industry Analyst
08:55 Maximizing Value from Analyst Interactions
13:16 Understanding AI in Conversations
15:44 Choosing the Right Solutions
16:40 Decision-Making in Technology and Business
17:13 Trends in Cybersecurity and AI
18:26 Understanding Workload vs. Workforce AI
19:40 The Evolving Role of Security Professionals
21:43 The Strategic Importance of Cybersecurity
23:58 Incentives and Decision-Making in Security
25:53 The Shift Left Approach in Development
27:16 Budgeting for Cybersecurity Investments
30:47 Navigating Cybersecurity Budgets
32:26 Engaging with Analysts and Staying Informed
34:33 Curating Information in a Data-Driven World
36:55 Balancing Operational and Strategic Insights
37:51 Connecting with Analysts and Final Thoughts
Resources
LinkedIn Profile of Fernando Montenegro - https://www.linkedin.com/in/fsmontenegro/
Futurum Group - https://futurumgroup.com/
Obsidian Knowledge Management System - https://obsidian.md/
Book: Why Most Security Budgets Go to Waste by Ross Young - https://a.co/d/02BZPwdO
In this thought-provoking episode, Fernando Montenegro imparts his extensive expertise on the best practices for analysts within the cybersecurity industry. He begins by delineating the multifaceted role of an analyst, which encompasses serving as a conduit for communication between buyers, sellers, investors, and other relevant stakeholders. By elucidating the distinct motivations and concerns of each group, Fernando illustrates how analysts can effectively tailor their insights and recommendations, thereby enhancing the decision-making process for all parties involved. The dialogue further explores the significance of maintaining an open-minded approach during analyst interactions, as well as the necessity for analysts to remain well-informed about emerging trends and challenges in the cybersecurity landscape. Fernando identifies several pivotal trends, including the integration of artificial intelligence, the expansion of the attack surface, and the transition towards a more resilient approach to data protection. Each of these trends reflects the evolving priorities of organizations as they seek to mitigate risks and enhance their security postures. Through this episode, listeners are not only provided with actionable insights into the workings of an industry analyst but are also encouraged to consider the broader implications of their roles in shaping cybersecurity strategies. As Fernando articulates, the responsibility of analysts extends beyond mere data analysis; they must also facilitate meaningful dialogue among stakeholders to drive informed decisions that bolster organizational security in an increasingly complex digital landscape.
Hello, everyone.
Speaker A:Welcome back to another episode of the Security By Default podcast.
Speaker A:I'm the host of the show, Joe Carson, and it's a pleasure to be here with you all again.
Speaker A:And I'm always excited.
Speaker A:This is my favorite time of the.
Speaker B:Week, is to get to talk to.
Speaker A:Really amazing, awesome people.
Speaker A:And I'm really excited about today.
Speaker A:Somebody who I've known for quite a few years and somebody who has such a wealth of knowledge in this industry and is an amazing person.
Speaker A:And the whole purpose of this show is to really, you know, security by default is about bringing security for everyone, is making sure that everyone has the possibility of getting security.
Speaker A:It's really democratizing it.
Speaker A:And we live in a world of chaos all the time.
Speaker A:And it's also about bringing clarity to that chaos so that you can actually have a clear picture that will actually provide you knowledge and education and lessons learned from very experienced wisdom and knowledgeable people in the industry.
Speaker A:So welcome to the show, Fernando.
Speaker B:Thank you.
Speaker A:It's an honor and pleasure to have you on the show.
Speaker A:If you want to give the audience since your first time on the episode and podcast your origin story, you know, what's your background?
Speaker A:How did you get into the industry?
Speaker A:Did it choose you?
Speaker B:Did you choose?
Speaker C:So.
Speaker C:Oh, my God.
Speaker C:Yeah.
Speaker C:So background story.
Speaker C:Weird.
Speaker C:Starting.
Speaker C:Starting at the beginning.
Speaker C:I'm based out of just outside Toronto, Canada.
Speaker C:We've been here for 25 years.
Speaker C:I'm originally from Brazil.
Speaker C:Long story.
Speaker C:How we.
Speaker C:So we moved here as adults, right.
Speaker C:And before that I had lived abroad.
Speaker C:And that doesn't concern the audience as much.
Speaker C:And technology since the Atari.
Speaker A:Favorite games, consoles, the.
Speaker C:Back in the.
Speaker C:So we're talking.
Speaker C:I'm.
Speaker C:I'm in my mid-50s.
Speaker C:This was in the early, early, early-80s.
Speaker C:We were chatting.
Speaker C:My.
Speaker C:My first computer was a Brazilian clone of a Sinclair ZX80.
Speaker C:And I've been around.
Speaker C:So I've been around technology for the longest time.
Speaker C:As far as Origin story is concerned, my background is more traditional in the sense that I did computer science and then got into the industry.
Speaker C:But in my current role as an analyst, what I did was like I said, I did computer science.
Speaker C:I worked at the Brazilian startup that later became one of the first Brazilian Internet service providers.
Speaker C:So tons of experience there, moved to Canada in working with.
Speaker C:With larger vendors and smaller vendors as professional services, then sales, engineering.
Speaker C:And then eventually I was invited to come to work as an analyst.
Speaker C:And you, you, you ask about, okay, what happened with the like, Origin Story in the sense that did it choose me?
Speaker C:I don't know.
Speaker C:I honestly don't know.
Speaker C:The thing I will say is that somewhere along the lines I remember taking a personality test.
Speaker C:Not the Myers-Briggs, but I'm not sure if you remember StrengthsFinder, Gallup.
Speaker C:StrengthsFinder.
Speaker B:Yes, I do remember.
Speaker A:I remember we did like in the.
Speaker B:Workplace, we did this kind of like, you know, if you were introvert, extrovert, and you're kind of looking for your personality, what are your strengths?
Speaker B:In order to help you focus on your strengths rather than your weaknesses to become like enhance your skills.
Speaker C:Exactly.
Speaker C:So I leaned into what StrengthsFinder called out as my skills as my strengths.
Speaker C:So that's, that's one interpretation.
Speaker C:The other interpretation is that I've been heavily influenced by movies, right.
Speaker C:And the joke I make.
Speaker B:Haven't we all?
Speaker C:The joke I make here is, remember Highlander, the first one?
Speaker C:Of course, there was only one.
Speaker B:Yes, yes, yes.
Speaker C:Do you remember what the prize was in Highlander?
Speaker B:I can't.
Speaker B:I can't recall.
Speaker C:So after, after he vanquished all the other immortals, after he was the, the only one, right.
Speaker C:The prize was this idea that you could know everything, that you could understand what people were thinking so you could get them to talk to each other.
Speaker C:Right.
Speaker C:I think about that often because of course, nowhere near there, but that's what I think I like.
Speaker C:It's the idea of understanding what's going on in the world and then explaining it to people and hearing what they are saying and passing it on to others.
Speaker C:And the way I explain the analyst role is that you're an industry analyst, different than a cybersecurity analyst, just to be clear.
Speaker C:Right, but different.
Speaker C:The role of an industry analyst is to sit between four major groups.
Speaker C:You have buyers of something, whatever that is, you have sellers of something, you have investors, and then you have everybody else.
Speaker C:And everybody else can be media, can be academia, can be government, other stakeholders.
Speaker C:And then in between all of these four people, all these four groups, you put an analyst and the analyst, their job is much more, okay, let's observe what each one of these groups is doing and then tell the others in a way that makes sense to them.
Speaker C:Right.
Speaker C:So for example, we get buyers asking us, okay, what's going on with what options exist from the seller markets to do this?
Speaker C:We have investors asking us, okay, what do buyers currently want?
Speaker C:Because of course, the investors want to invest in the seller sellers that are doing the right things.
Speaker C:Right.
Speaker C:We have sellers asking us, what do buyers want?
Speaker C:Or what's the impact of particular regulation or Something like that.
Speaker C:So we sit in the middle and we answer these questions.
Speaker C:So I love the role.
Speaker C:It's the kind of thing that one can do from 6am in the morning until 11pm at night or whatever time you choose to go to sleep.
Speaker C:But yeah, so the origin story is a somewhat traditional path in terms of education, computer science and then.
Speaker C:But the job role was interesting because I was basically invited.
Speaker C:You're writing, you're blogging.
Speaker C:Why don't you want to do this as a role kind of thing?
Speaker C:And that's how I ended up here.
Speaker C:And I have my good friend Adrian Sanabria to thank for that.
Speaker C:So Adrian found me.
Speaker C:Right.
Speaker C:And then I worked under Scott Crawford over at 451 Research, S&P Global now.
Speaker B:With a lot of good friends of mine with Wendy and Garrett and all.
Speaker C:Yeah.
Speaker B:Such an amazing group of people.
Speaker C:Yes.
Speaker C:And now.
Speaker C:So I worked under Scott.
Speaker C:I worked then at Omdia under Maxine Holt.
Speaker C:She's awesome too.
Speaker C:I'm not sure if you've met her.
Speaker C:And then for about a year now, I've been with the Futurum Group, which is a new type of analyst firm.
Speaker C:We're doing things a little bit differently under Daniel Newman, who is the CEO.
Speaker C:And yeah, it's a blast.
Speaker C:It's just a matter of keeping up with what's going on in the world.
Speaker B:I'm sorry, I do like your comparison to the Highlander and an analyst.
Speaker C:Another comparison is that I'm like, his acting skills are probably better than mine and you know what people say about Christopher Lambert for the acting skills.
Speaker C:So I'm.
Speaker A:Yeah, but I really like the kind of metaphor of the wisdom side of.
Speaker B:Things and knowledge that sits in between those four pillars.
Speaker B:I think it's an amazing kind of like when you think about is that.
Speaker A:Ultimately you are the Rosetta Stone between.
Speaker B:Each of those, the translator, the knowledge, you know, to really kind of make sure that each is on par with each other and understands how to get the best.
Speaker A:How to make the best decisions.
Speaker B:Because ultimately that's what we want to do.
Speaker B:Analysts.
Speaker B:I always see analysts helping, you know, kind of me going through my process of really kind of decisioning and understanding about what's.
Speaker B:The prioritizations.
Speaker B:And sometimes I've got my kind of, let's say, signals and people that I communicate with, but I don't have it from a much more kind of, let's.
Speaker A:Say, a larger perspective.
Speaker A:And analysts cannot help.
Speaker B:They help keep me grounded in many ways in order to make sure that I'm not missing something.
Speaker A:And I'll even like, go ahead.
Speaker C:Yeah, I was going to say that you're spot on and I think that there's two, there's, there's a couple of areas where, where it works really well.
Speaker C:I'll tell you where it doesn't work.
Speaker C:Right.
Speaker C:And I'll be the first to say it.
Speaker C:Analysts are not the final word on anything.
Speaker C:We are a data point.
Speaker C:I loved how you framed it in terms of make decision.
Speaker C:We are providing decision support, not decision authority; that, that remains with whomever.
Speaker C:But come to us for the perspectives that you as a decision maker don't have time to make or don't have time to gather information around.
Speaker C:So as a seller you might come to us and say our customers really feeling this particular pain that we are seeing is this message.
Speaker C:Like I was, I was doing message testing for somebody the other day.
Speaker C:Does this message resonate?
Speaker C:And then for the buyers is okay, we know about vendors.
Speaker C:1, 2, 3, 4.
Speaker C:What are other vendors in this space that we should potentially consider for this or this kind of problem I'm having, I'm going down this particular path.
Speaker C:What do you think?
Speaker C:And we'll provide input.
Speaker C:Look based on what we've seen, based on what's going on.
Speaker C:So yes, you're absolutely right.
Speaker C:It's about decision support.
Speaker A:So, so all of the years experience.
Speaker B:You've had as an analyst, what's the, what's the best for each of those kind of different pillars to get the best value and the best interactions, how.
Speaker A:Frequent, you know, what's the format, how.
Speaker B:Much should they prepare, what should they prepare beforehand?
Speaker B:So what's some of the best ways to get the most value out of, you know, a session with an analyst.
Speaker C:So I think that over time the best, best interactions you have with an analyst is when you come, there's, there's two things that I think are essential.
Speaker C:One is understand what role the analyst is playing in that conversation.
Speaker C:Point number one, and prepare for that role.
Speaker C:And point number two is keep an open mind.
Speaker C:Right.
Speaker C:Those are the two things because the conversations will be different.
Speaker C:I'm going to pick on, I'm going to pick on.
Speaker C:I'll talk about investors, buyers and sellers.
Speaker C:When we're talking with, with investors, they want to understand what's going on in the world.
Speaker C:I have this wonderful company that, that I'm, that I'm considering investing in.
Speaker C:They're going to kill it, aren't they?
Speaker C:And then you look at it, look based on what we've seen, this kind of features.
Speaker C:Yes, this Is different.
Speaker C:This is not different.
Speaker C:But look, this kind of problem that, that, that they are, they are bringing to you.
Speaker C:Yes, it might be an important problem, but there are, there's 15 other things in front of an executive's shopping list before they get to you.
Speaker C:Being open to that kind of method.
Speaker C:Right?
Speaker C:For buyers, it's, it's more about come to us, not asking for the holy grail.
Speaker C:Give me the which product do I need to buy?
Speaker C:Do I buy?
Speaker C:I'm not going to name vendors, but do I, do I buy vendor A, vendor B or vendor C?
Speaker C:I'm not in a position to say that.
Speaker C:What I can tell you is based on our analysis, vendor A has these strengths.
Speaker C:Vendor B has these strengths.
Speaker C:Vendor C has these strengths as a, as a, as a, as an offering.
Speaker C:Funny, funny word is that as an analyst, I dislike using the word solution because to me solution implies endorsement and I'm not endorsing anybody.
Speaker C:So vendor A, offering is strong here, perhaps a little weaker here.
Speaker C:B, C and by.
Speaker C:And that's one level of analysis.
Speaker C:And the other is okay, Vendor A is doing really well in the market comparing with what we've talked about.
Speaker C:Vendor C is doing that's on the vendor side.
Speaker C:And then talking to vendors.
Speaker C:It's about I'm here, I tell vendors, talk to me as if I am two people, right?
Speaker C:Talk to me as if I am a managing director at the VC where you're doing your next funding raise.
Speaker C:So I need to understand you as a business, right?
Speaker C:Who's your ideal customer profile?
Speaker C:Which verticals are you going after?
Speaker C:What is your true differentiation both as a business and as a technology, right?
Speaker C:What's your go to market strategy, who are your key partners and blah, blah, blah, blah, blah, right?
Speaker C:That's one.
Speaker C:The other is talk to me as if I am the technical decision maker within your sweet spot type of account.
Speaker C:Imagine that I'm the one.
Speaker C:Perhaps I'm cosplaying as the CISO or I'm cosplaying as the CTO or as a, and you are pitching me your product and I am the one who is going to evaluate your product and I am the one who is going to have to defend your product inside my company, so I like to understand, okay, what exactly can you do and what can't you do?
Speaker C:What how do I like?
Speaker C:Who did I compare you with, right?
Speaker C:In terms of, in order.
Speaker C:Eventually I chose you.
Speaker C:Who else did was in the running, right?
Speaker C:The joke I like to make is it's like I'm getting a new puppy Right.
Speaker C:What kind of puppy am I getting?
Speaker C:Am I getting a lovely Shih Tzu or am I getting a Saint Bernard?
Speaker C:Right.
Speaker C:They are both lovely puppies in their own ways, but they're very different.
Speaker C:Right?
Speaker C:So help me understand what I'm getting.
Speaker C:I'll go back to this.
Speaker C:The best way to understand an analyst or to work with an analyst is understand what role we're playing and keep an open mind.
Speaker C:I was having a conversation just the other day where I had told someone, a vendor, in this case, that they had perhaps just a tad too much AI in their messaging.
Speaker C:Right?
Speaker C:Just a tad too.
Speaker C:Look, and they're like, oh, but don't people want to hear about AI?
Speaker C:Yes, they do, but to a point, right?
Speaker C:So it's funny, here we are halfway through the conversation, and it's the first time I brought up AI.
Speaker A:First time I brought up AI.
Speaker C:Yeah, funny story.
Speaker C:RSA Conference, ISAC Conference.
Speaker C:I actually kept an informal tracker of how soon in the meetings we were having would someone bring up AI, right?
Speaker C:And that was measured in the single digit minutes, right?
Speaker C:Like four minutes into the conversation, AI, there was a vendor who shall remain nameless and that they actually had a negative.
Speaker C:I called it the TTA, the time to AI.
Speaker C:And there even they had a negative TTA.
Speaker C:Sorry, I'm just joking.
Speaker C:Is that they would usually be.
Speaker C:My methodology was to.
Speaker C:Was to start thinking about the time.
Speaker C:The moment that we sit down, open a notebook and I start taking notes.
Speaker C:And then that's when my, my mental clock started.
Speaker C:This particular vendor greeted me at the door, like, shake my hand.
Speaker C:Before we sat down.
Speaker C:He said, we are here to talk about AI.
Speaker C:So it had a negative TTA.
Speaker C:Anyway, sorry, we're past that now.
Speaker C:I think that we're talking about AI all the time.
Speaker C:But.
Speaker B:I always say that every time the conversation about AI comes up, I always prefer to think about what's always missing is context.
Speaker B:Because then it's back to a tech, it's a technology capability and it's about, okay, what does that impact have to the business?
Speaker B:You brought up a couple of points in recent times.
Speaker B:I always have life memories that comes during these conversations.
Speaker B:I recently did a hackathon and one of the things, you know, you were bringing up is that during the hackathons you practice all those things, your pitches, your defending, your mentoring, your openness.
Speaker B:I think for organizations, you know, sometimes even doing those mini hackathon style, you know, and bringing somebody who you know.
Speaker A:Is professional at doing those into the.
Speaker B:Organization can definitely help you, you know, get a lot of the readiness in order to have the communication with an analyst and to train you and prepare you for those conversations as well.
Speaker A:And the other thing about was choosing.
Speaker B:A puppy because I went through that same experience about two years ago and I completely agree is one of the things is my daughter wanted a puppy.
Speaker A:And I was like, okay, okay, we.
Speaker B:Have to have a big conversation.
Speaker B:So think of me as the investor, my daughter, the company that actually is going to make the decision.
Speaker B:So it was me and the investor, I was like, okay, and let's go through all the requirements.
Speaker B:Okay, well we have allergies, so it should be a puppy that has the least amount of allergy impact.
Speaker B:Other thing is it should be small if we want to travel, has to fit under the seat on a plane, you know, easy to, to drive around because we travel quite a bit.
Speaker B:Must, must be minimal cost as well.
Speaker B:We don't want something that's like, you know, high pedigree type of, you know, like must be quiet, shouldn't bark much.
Speaker A:And we, so we, we thought, we.
Speaker B:Set the impossible challenge.
Speaker B:We thought no dog existed on this planet that met all of those requirements.
Speaker B:And that's to your point, is that sometimes there might not be one exists.
Speaker B:So you have to then prioritize what's your requirements into which ones that I want to get first.
Speaker B:We ended up with a miniature like a, it fit all those requirements.
Speaker B:And that's a lot of.
Speaker B:When I think about the decision making that we do in the daily lives, it's very similar to that what we do with software technologies and products.
Speaker B:They all have some type of impact.
Speaker B:You know, they make, make you happy, they, they reduce, you know, wasted time, they help you meet some type of governance compliance.
Speaker B:So you know, they help you do business, they help you move faster, they help make your employers more productive.
Speaker B:So a lot of the things you.
Speaker A:Have to beforehand, you have to think.
Speaker B:About all of those.
Speaker B:What's those requirements and how do you weight against each of those impacts that you have to the business.
Speaker C:And one of the things that, that you, you're spot on.
Speaker C:One of the things that I would try to have a conversation is that people will often ask, okay, what is the best product in category X?
Speaker C:And, and it's this conversation.
Speaker C:What do you mean by best product?
Speaker C:What do you need?
Speaker C:Right.
Speaker C:And so we talk about the trends that we follow and so on and so forth.
Speaker C:There are four major trends that.
Speaker C:There are five major trends I'm following as an analyst overall in Industry, okay, and, and we write about those all the time.
Speaker C:Trend number one of course is AI, right?
Speaker C:AI for security, security for AI.
Speaker C:And we also talk about security from AI.
Speaker B:Right.
Speaker C:Those are the three big ones.
Speaker C:I personally like to make a distinction as well between what I call workload AI versus workforce AI.
Speaker C:Workload AI is okay.
Speaker C:Our company is implementing AI within our application xyz.
Speaker C:We're going to deploy models, we're going to deploy this, we're going to deploy that and so on.
Speaker C:That's one thing.
Speaker C:Workforce AI is okay.
Speaker C:We are unleashing AI in the hands of our employees.
Speaker C:Perhaps they are using the copilots, perhaps they are using third party services.
Speaker C:Those are two distinct usages of AI and they require different controls and solutions.
Speaker C:Anyway, that's trend number one.
Speaker C:Trend number two is the explosion of the attack surface, which I mean.
Speaker C:By which we mean that maybe 10 years ago you could have a phenomenal career as a SOC analyst dealing with endpoint alerts.
Speaker C:Right?
Speaker C:You know what, that's my job.
Speaker C:And so on.
Speaker C:Now we've asked you to do more things, we asked you to handle more instances of things.
Speaker C:We're also asking you to handle different things.
Speaker C:The same SOC analyst now needs to be able to deal with identity topics, they need to be able to deal with data, they need to be able to deal with application, they need to be able to deal with blah blah blah blah blah.
Speaker C:So that's number two, trend number three, which is kind of what got me onto this.
Speaker C:If you express a preference for.
Speaker C:Our buyers typically express a preference for platforms over non platforms, but people usually frame it as platform versus best of breed.
Speaker C:And that's the wrong question.
Speaker C:I think.
Speaker C:It's not platform versus best of breed, it's platform versus point product, best of breed versus good enough.
Speaker C:And if you want to be really fancy about it, you could easily add a third dimension which is built by versus outsource.
Speaker B:Right?
Speaker C:So let's.
Speaker C:But what I want to bring up here is that there are parts of your security program where you just need good enough security given your threat model.
Speaker C:Sure, there are areas where you might need, okay, for this we need best of breed, blah blah, blah blah blah.
Speaker C:But there are areas where good enough is quote unquote good enough.
Speaker C:Now just the fourth trend is we're watching this change in how data protection type, backup recovery type of vendors, they have been much, much closer to, to what we call cyber resilience.
Speaker C:Right.
Speaker C:They are now doing a lot more around data security in terms of security posture and discovery and so on.
Speaker C:So forth.
Speaker C:So those are the four major trends we're watching.
Speaker C:Sorry, I got on a rant as.
Speaker A:As I listen to you talking.
Speaker A:So for me, I'm learning.
Speaker A:I'm learning.
Speaker A:Every second you're speaking, I'll add one more thing.
Speaker C:There's a fifth major trend, this, which sounds like here in North America people say motherhood and apple pie.
Speaker C:It's obvious, right?
Speaker C:Which is the notion that this is now that much more strategic right.
Speaker C:To organizations overall.
Speaker C:Marc Andreessen, I think it was.
Speaker C:And yes, technology is now essential.
Speaker C:Whether it's on healthcare, whether it's on the battlefield, whether it's on finances.
Speaker C:It's all over the place.
Speaker C:And because it has become that much more important, it changes the nature of how decisions.
Speaker C:We go back to decisions, how decisions are being made about cybersecurity.
Speaker C:What factors are influencing cybersecurity decisions?
Speaker C:Who is influencing cybersecurity decisions within an organization?
Speaker C:Right.
Speaker C:What skills do you need as a cybersecurity practitioner, as a cybersecurity executive in this more evolved world?
Speaker C:So it's a phenomenal topic.
Speaker C:I think that if there is I mentioned my background is.
Speaker C:Is computer science.
Speaker C:If I ever go back to school, why not it'll be for something like economics or organizational psychology or something along those lines because those are the areas that are affecting how security decisions get made.
Speaker A:It's the influence.
Speaker A:It's.
Speaker A:It's how.
Speaker A:How you, you know, come to the conclusions is how the mind works.
Speaker A:There's lots of great like books that I've read over the.
Speaker A:Of the recent times is The Battle for Your Brain was a great one into understanding the brain.
Speaker A:And then there's also one for Mecho.
Speaker A:I'm trying to remember that as well.
Speaker A:But it's, it's kind of how, how your, your mind comes to decisions and the influence and the impacts that you have and then the prioritization of things.
Speaker A:And I always find it, you know, it's, it's fascinating, you know, when I always sit and watch how decisions are made and what was the major influences as well.
Speaker A:And I'm always kind of trying to kind of understand and I completely agree is.
Speaker A:Is that anytime you go to is you have to think of it as not you're not just getting technology because today, you know, as you mentioned, it used to be a supporting part of a business, you know, you know, let's say its own silo.
Speaker A:It was always separate.
Speaker A:You know, it could be decisions could be Made without actually impacting the rest of the business.
Speaker A:Today, the business is dependent on technology.
Speaker A:You can do it today without actually having a technology at, you know, the kind of the core part of it.
Speaker A:So now it's becoming a kind of across the entire business stack.
Speaker A:So you now have to think of technology and security very differently.
Speaker A:What is your operational resiliency or what's your operational, you know, desire, how you want things to be in the perfect world and then looking at all the things that needs to support that and security.
Speaker A:You shouldn't be looking at it from a cost center anymore.
Speaker A:It should be as, how does it make it go?
Speaker A:Just like you're looking at AI.
Speaker A:How does it make it go faster?
Speaker A:I always compare AI to being like the mushroom in Super Mario Kart.
Speaker A:It makes you go faster, but without the right training, without the right resources, without the right technology to kind of sit on it, you then if you're driving like me in Mario Kart, when I get that.
Speaker A:Exactly.
Speaker A:So it's about making sure that all of the components that need to be working together are possible.
Speaker A:So it means that, yes, training is important.
Speaker A:It means that context, measurement, what's the interoperability between all the things that you have?
Speaker A:Where do you want to be in two, five years time?
Speaker A:You have to factor all of those, all those in.
Speaker A:So now a lot of decisions are not just left with one person, but it has to now be inclusive across many parts of the business.
Speaker C:Absolutely.
Speaker C:And I'll add one more.
Speaker C:Like, I love economics, I love behavior economics.
Speaker C:One of the things that not a week goes by where I don't quote Upton Sinclair.
Speaker C:He had a quote that said, it's difficult to get a man, sorry for the sex, but it's difficult to get a man to understand something when his salary depends on him not understanding it.
Speaker C:Understanding incentives within organizations is absolutely critical.
Speaker C:So, for example, I wholeheartedly support the idea of fixing security in development.
Speaker C:Yes, of course we're going to test at runtime, given we need to fix security in development.
Speaker C:How do we fix security in development?
Speaker C:Well, let's shift security left.
Speaker C:I completely agree with the message, but I think that we're aiming that message at the wrong people.
Speaker C:It's not that developers don't care.
Speaker C:They deeply care about the quality and yes, the security they want to do to do good work.
Speaker C:But look, security fixes represent X percent of my budget for this sprint.
Speaker C:Right, for.
Speaker C:So it's not about telling developers, please be more secure.
Speaker C:It's about telling development management, please make time and give your developers the right knowledge and tools so that they can make your code more secure.
Speaker C:And perhaps it's not development managers, perhaps it's develop, perhaps it's the executive, the CTOs.
Speaker C:Look, security is part of your, you own security for your product.
Speaker C:Right.
Speaker C:And security incidents are part of your product.
Speaker C:Right.
Speaker C:Perhaps it goes there and perhaps it goes even further up.
Speaker C:Perhaps it goes to the CEO and the board of the company saying look, our organizational success depends on us being secure.
Speaker C:And then the board and the CEO approve that kind of message that flows down.
Speaker C:We may think get developers to write more secure code, but that's not it.
Speaker C:Right.
Speaker C:There is a whole chain of events that need to happen and incentives that need to align.
Speaker A:Before that, there has to be the motivation.
Speaker A:I remember doing pen test years ago, parse station.
Speaker A:It was a very big realization for me because when me and the CISO kind of, we went to FUD, the scare tactics approach, and the CFO said you have to show me how you're making the employees' lives better and how you actually do return on investment.
Speaker A:And that was like it was always.
Speaker A:We were measuring things always wrong.
Speaker A:We were measuring the operations efficiency of technology but not actually the business outcome of how it impacts.
Speaker A:And you kind of brought up, you know, the whole shift left approach.
Speaker A:You're absolutely right.
Speaker A:It makes me think about one of the areas, just the shift left.
Speaker A:So one of the areas is that you know, if you're in even the insurance industry, that if you make a decision to go down, let's say you're in a ship and you can take a longer route to get to that destination, but it's safer or you can go through the storm, but that storm might impact, you know, the result of getting to your destination.
Speaker A:You're ultimately going to be, you know, your insurance premium is going to be way much lower to take the safer path.
Speaker A:And I think we really need to start thinking about, is that we have to show about the ROI of making secure code and secure solutions versus making unsecure, the maintenance overhead, the cost of fixing afterwards.
Speaker A:And that by highlighting those and bringing those to the surface will definitely mean that developers will, you know, if they're measured against it, it's going to change the path.
Speaker A:Because ultimately that's one thing is the incentives then becomes real.
Speaker C:Absolutely.
Speaker C:I think that we are observing over time an evolution of the cybersecurity industry and professions and so on.
Speaker C:And one of the things that we have to acknowledge is that these things cost money.
Speaker C:At some point we are moving to a scenario where some parts may be more expensive, and then we have to help customers understand what they are buying in terms of cybersecurity.
Speaker C:But that is an imperfect evolution.
Speaker C:I think that there's fundamental economics research about information asymmetry and how you evaluate the quality of what's being bought and sold.
Speaker C:There are principal agent problems, again from economics, that explain why someone acts in a, in a particular way or another.
Speaker C:So we are in this evolution of the, of the profession in the sense that I.
Speaker C:It's great for security teams to get this broader view of how the world works beyond technology.
Speaker C:Exactly.
Speaker C:As you said.
Speaker C:Right.
Speaker C:Just a funny story that you were mentioning, your experience with pen testing.
Speaker C:I remember experience with security assessments.
Speaker C:Right.
Speaker C:And I remember one time for a particular banking client, I spent hours going over with them the findings of the.
Speaker C:That we did and we were classifying those reports and the amount of time that people from the client were, were debating that they, they were pushing, they weren't pushing for us to eliminate the, the vulnerability.
Speaker C:Oh, no, yeah, no, this, they said, yeah, yeah, this is a problem.
Speaker C:We know this is a problem.
Speaker C:But you know what?
Speaker C:It's not a high, it's a medium.
Speaker C:No, no, no, no, this is pretty high.
Speaker C:No, no, no, no, it's a medium.
Speaker C:Right.
Speaker C:Why is that?
Speaker C:Because from their incentives, the only ones they had to report up to management were the highs.
Speaker A:Yep.
Speaker C:So if you, if you push down again, people respond to incentives.
Speaker B:Yes.
Speaker C:And this is the, this is the thing that if they want people to understand that cybersecurity becomes that much more important, how the world works.
Speaker C:Economics, psychology, political science, et cetera.
Speaker C:The humanities.
Speaker C:Right.
Speaker C:Become that much more important.
Speaker A:Absolutely.
Speaker A:It reminds me back, you know, in that same pen test, one of the things we, our budget was, was aligned to the technology costs.
Speaker A:That was our budget was about.
Speaker A:This is the software and this is the solutions and the training and everything it needs to be to implement those technologies.
Speaker A:So that's how we were viewing.
Speaker A:It was a technology cost.
Speaker A:And the CFO taught us a valuable lesson is that we shouldn't be looking at it from a technology cost.
Speaker A:We should be looking at our investments from how much we're reducing the risk to the business, and that's how should we be measuring it.
Speaker A:And he said, you know, for high risk, parts of the business are willing to spend up to 30% of the business revenue to protect it.
Speaker A:And it was interesting because then we realized when we actually were given the proper, you know, quantum measurements, we went back and we reassessed our budget request and we were actually able to request more because we looked at it from actually offsetting the risk to the business versus the cost of technology.
Speaker A:And it was a massive difference.
Speaker A:If you look at it from how much you're protecting and reducing risk to the business revenue and the impact of that service that the business is providing, you can sometimes actually find that you're actually able to do and get a lot more than just looking at it from a cost perspective.
Speaker A:And it does change a lot of.
Speaker A:A lot of the kind of, you know, the way that you actually communicate with the business as well.
Speaker A:You have to look at how you're helping that employee do their job better and align your metrics to those types of activities a hundred percent.
Speaker C:And since we're on the subject of budgets, I'm going to make a plug for a friend.
Speaker C:So Raf Young just wrote an interesting book.
Speaker C:I just started Cybersecurity's Dirty Secret: Why Most Security Budgets Go to Waste.
Speaker C:Right.
Speaker C:So I'm really curious about it because he has a good background as a CISO.
Speaker C:And how do we help navigate that budgeting conversation is essential.
Speaker C:Right.
Speaker C:So I just got started.
Speaker A:Oh, I'm going to add that to my list as well.
Speaker A:And I'm going to add it to.
Speaker B:The show notes as well.
Speaker A:Because for me, I think one of you know, I always love talking to Rick Ferguson.
Speaker A:We had a discussion years ago on this topic.
Speaker A:Yeah, we had the whole big discussion of technical debt is that we have a huge amount of technical debt software that we acquire and we just never have the resources and time because we get sometimes the balance wrong.
Speaker A:We don't think about how it's going to be implemented, how it's going to be maintained, who needs to operate it, all those things that need to be making it an integral part of the business.
Speaker A:Sometimes we look at just, just a license, but we don't look at, you know, how we make it operational.
Speaker A:And that's the total cost and that's what, you know, cost the technical debt.
Speaker A:And we need to find a way to reduce waste.
Speaker C:Yep.
Speaker C:And.
Speaker C:And we need to find a way to have more nuanced conversations about where is cybersecurity spending actually going?
Speaker C:Right.
Speaker C:Is the cost of fixing a particular vulnerability, does it fit with the product or does it fit with the security team?
Speaker C:So does it roll up to the CTO?
Speaker C:Does it roll up to the CISO?
Speaker C:Right.
Speaker C:Those are, those are interesting conversations to be had, for sure.
Speaker B:Absolutely.
Speaker A:So what's the frequency?
Speaker A:What do you recommend for people to.
Speaker A:How often should they be talking with analysts?
Speaker A:Is it like a monthly basis or is it like, you know, a couple of times a year?
Speaker A:What's the best kind of frequency in order for vendors?
Speaker C:So I'll say that for vendors, I think that when they brief analysts, they should be.
Speaker C:So first of all, let me be clear.
Speaker C:I wish I had time to take every briefing that comes to me.
Speaker C:Right.
Speaker C:And I'm sure other analysts are the same, right?
Speaker C:We don't.
Speaker C:We have to align briefings with availability and research and agenda and so on.
Speaker C:I would say that, that at quarterly, I mean keep.
Speaker C:Nowadays, and this is the thing we danced or we haven't really talked on is the information landscape has changed, right.
Speaker C:AI is doing a ton of things.
Speaker C:The information availability that we have now from mailing lists, podcasts, books, whatever.
Speaker C:Right.
Speaker C:And where.
Speaker C:So I'd say that keep analysts.
Speaker C:So for vendors, keep analysts informed whether it's a mailing list, whether that is, hey, we want to have a regular briefing with you, which again, we may or may not be able to accommodate.
Speaker C:For vendors, I would say at least quarterly, right?
Speaker C:No more than quarterly.
Speaker C:Somewhere between quarterly and six months, right.
Speaker C:For customers, I think that it boils down to when are you making decisions where you want analyst input.
Speaker C:You don't have to.
Speaker C:A good time is always before as you are doing the early planning of your budget for next year.
Speaker C:Hey, what do you think is happening next year?
Speaker C:Kind of stuff, right?
Speaker C:Or when you are, okay, we are now going to set aside, we have a budget for a particular tooling.
Speaker C:Let's get some budget.
Speaker C:Ballpark pricing.
Speaker C:Do you happen to know any ballpark pricing?
Speaker C:Sometimes we're not the best sources for pricing because you will work with your resellers and so on.
Speaker C:But so I would say for vendors, at least biannually or every six months for buyers, when you need a decision.
Speaker B:Right.
Speaker C:And similar for investors, right.
Speaker C:If you're, if you, if you're coming to us, okay, we have this now.
Speaker C:Investors have, they have a longer term cadence in terms of, okay, this is the phase where the fund that we're running, where we are taking pitches or we're not taking pitches.
Speaker C:So it varies.
Speaker C:But, but, so I'm sorry, it's your old consultant.
Speaker C:To me, the answer is it depends.
Speaker A:But it gives, it gives a good ballpark and way to at least kind of, you know, analyze you know, how much, how much you know or how often or when you're coming up to decisions.
Speaker A:It's a good kind of indicator.
Speaker A:So at least it gives the audience and those who need to make those decisions kind of analysis can really inform.
Speaker A:So what's some of the ways that you stay up to date?
Speaker A:How do you, how do you what you know, because you need to analyze, you need to be, you're probably getting a lot of information for vendors, a lot of information for the buyers, investors, all the time.
Speaker C:So every analyst is different.
Speaker C:And I encourage people to be, in a sense, think like analysts.
Speaker C:You need to curate.
Speaker C:The problem nowadays is not finding information, it's curating information.
Speaker C:What information is relevant?
Speaker C:Right.
Speaker C:I probably have over 100 mailing lists that come into my inboxes on a regular basis.
Speaker C:Podcasts.
Speaker C:I like to listen to yours, of course, and others when, when, when I'm driving and so on.
Speaker C:I, I, I like knowledge management as a topic itself.
Speaker C:So I'm always trying to stay.
Speaker C:Okay, where does this fit into my worldview?
Speaker C:I, and conversations at events.
Speaker C:Like, I love talking to people at events.
Speaker C:You go to an event not just to listen to lectures or not just to walk the show floor, but to talk to people.
Speaker C:And then this works at different stages of your career.
Speaker C:If you're early on, you're, you're exchanging information with people who may be early in their careers as well as you get more senior in your career, you, you're always exchanging information.
Speaker C:So the way that we keep up to date is this ongoing deluge of information.
Speaker C:I love short explainer videos or on YouTube, for example.
Speaker C:They're great.
Speaker C:Hey, let me take a look at this and see what's going on here.
Speaker C:Right?
Speaker C:This is a topic that I haven't covered before.
Speaker C:Let me take a look.
Speaker C:Right?
Speaker C:The conversations with buyers and sellers, like the questions that I get asked from buyers are themselves interesting, right?
Speaker C:Because these are the kinds of things that's an.
Speaker C:It's interesting that everyone is asking me about performance characteristics of vendor X.
Speaker C:Okay, let me go poke vendor X about performance characteristics, stuff like that.
Speaker C:And it feeds back to each other.
Speaker C:It doesn't end.
Speaker C:Right.
Speaker C:This is the thing I can do from 6am till 11pm if not more.
Speaker C:And, but yeah, it's, you have good conversations, you stay in touch with people.
Speaker A:That's fantastic.
Speaker A:How do you keep the balance?
Speaker A:How do you keep any, any, any things you do in the, and it's.
Speaker C:A balance like in my role, in my specific role, I am not as involved in the, in the operational aspects of breaches.
Speaker C:So for me, tracking IOCs is not as relevant.
Speaker C:So I don't need to worry about CVE X, Y, Z, V, whatever, right?
Speaker C:On the, on, on the flip side, I am interested in hearing what's going on with, with FIFA or within IFA or, or, or.
Speaker C:Okay.
Speaker C:Because these things again, goes back to how this is all strategic, how these things are influencing the, the, the strategic buying behaviors that are going to happen.
Speaker C:So it's a balance of ingestion curation tied to your interests.
Speaker C:Right, that's, that's the best way to describe it.
Speaker A:So if the audience does have any follow up questions, what's the best way for them to contact you or stay in touch or to reach out?
Speaker A:Anyone who's on, you know, the audience is interested in, you know, in getting involved and getting an analyst meeting.
Speaker C:So I'd say I'm, I'm, I'm pretty available on LinkedIn.
Speaker C:I try to, I try to be responsive there.
Speaker C:I apologize in advance sometimes, like analysts travel a lot.
Speaker C:So during travel season, which is, we're on right now, it's a little bit of a mess, but LinkedIn is probably the most, the most relevant one.
Speaker C:I'm, I'm also on Bluesky.
Speaker C:I'm also on Mastodon.
Speaker C:One of the places that I found some, I'm really enjoying right now of all places is Reddit.
Speaker C:Right.
Speaker A:Reddit's become a big, big, big this past couple of years now and it's.
Speaker C:Great because I can follow, follow the network security cybersecurity subreddit.
Speaker C:I can also follow like I'm, I mentioned, I'm big on knowledge management.
Speaker C:I use Obsidian as my, as my knowledge management.
Speaker C:Yeah.
Speaker C:So I follow the Obsidian side of things.
Speaker C:There's some local subreddits for the Toronto area.
Speaker C:Oh, it's awesome.
Speaker A:I'm doing the same in 3D printing as well on Reddit.
Speaker A:So I get all of the kind of solutions and ideas, which is great.
Speaker A:It's been fantastic.
Speaker A:I always enjoy speaking with you and it's fantastic having you on the show and it's, you know, definitely.
Speaker A:And we have to get, you know, at some point in time you have to give me a few more tips and lessons in Portuguese.
Speaker A:It's an area that I need to improve.
Speaker C:Oh, I know.
Speaker C:My suggestion is for you specifically find opportunities to travel to Brazil, often to Brazil.
Speaker C:And while you're being immersed in Portuguese, you can get some awesome, awesome food in Sao Paulo.
Speaker B:Fantastic.
Speaker C:I lived in Sao Paulo for many years.
Speaker C:I loved, I got the pizza in Sao Paulo.
Speaker C:Oh my God.
Speaker C:Yes.
Speaker A:I have not had pizza yet, but I've had lots of.
Speaker C:Yeah, yeah.
Speaker C:I'm from the south of Brazil where we started with the whole gaucho thing and whatnot.
Speaker C:Yeah, I love barbecue, but when you go to Sao Paulo next, pizza and Sushi.
Speaker C:Trust me.
Speaker A:Okay, two of my favorite things.
Speaker A:So Fernando, it's been fantastic having you on.
Speaker A:Many thanks for taking the opportunity and sharing your story and origin with the guests on the show.
Speaker A:So for everyone, this is the Security by Default podcast, bringing new knowledge, insights, lessons and hopefully making your world better and the world a safer place.
Speaker A:So for everyone, every two weeks, new episodes.
Speaker A:Stay tuned, subscribe, share with your friends and hopefully I'll see you on a future episode.
Speaker A:So thank you and take care everyone.