Richard Stiennon joins the CISO Sandbox and talks cyberwar and the cybersecurity industry: watch the video!

Lengendary analyst, founder of IT-Harvest, and author of Security Yearbook 2022 and There Will Be Cyberwar joined the CISO sandbox to shed some light on the scary topic of cyber war and give insights into its effect on the 2850 vendors comprising the $26 billion security industry that Richard mapped out in his Analyst Dashboard, available at IT-Harvest.com.

Post hero image

Table of contents

Video and transcript of Richard Stiennon's visit with Eliot Baker in the CISO Sandbox webinar.

0:03

okay good morning good afternoon good evening wherever you are welcome to the cso sandbox webinar i am Eliot Baker and our guest today is the legendary analyst Richard Stiennon welcome Richard

0:17

Hey how's it going Eliot

0:22

It's going good it's going good just enjoying the sunshine out here in Finland.

Nice to be in Finland

0:27

Yeah, yeah, not so bad, not so bad. Well i'll go ahead and introduce you to the audience a bit here. I know that some if not most are are familiar with you but some may not be and i encourage our audience to ask questions as this is a Q and A and this is a truly great opportunity to get answers from one of cyber security's leading if not its foremost subject matter expert

0:53

so Richard Stiennon is chief research analyst for IT-Harvest the firm he founded in 2005 to cover the roughly 2 900 vendors that make up the IT security industry we'll go over the precise numbers as the webinar progresses here he's widely recognized as i said as one of the top if not the foremost cyber security industry analyst he has presented on cyber security in 29 countries on six continents he is a lecturer at charles stewart university Richard has a truly unusual background he has a bachelor's in aerospace engineering and a masters in war in the modern world from king's college in london he is the author of surviving cyber war and there will be cyber war as well as the security yearbook series talk about talking to the right expert at the right time few are better equipped to speak on the emerging cyber war and its impact on us and on the cyber security industry as a whole which is what we will do today Richard held leadership roles at blanco technology group fortinet webroot software and gartner and as we begin here I want to talk about the legend of Richard Stiennon uh because the legend uh Richard Stiennon as is told today often begins with his ids is dead piece written when he was essentially the top ranking analyst for the cyber security industry as i think i got this right vp of Gartner cyber security research his what i would maybe call emperor hath no clothes smackdown of this fatally flawed security category foretold the shocking death within a year which only he seemed willing or able to vocalize he has a talent for seeing around corners

2:35

Richard is in the final stages of publishing security yearbook 2022 which is a really unusual book in that it doesn't just cover the most recent developments of the cybersecurity landscape but it also chronicles its history in a very engaging way he has also released a unique analyst dashboard categorizing and covering the financial activity of that roughly 2 900 security vendors making up the security uh cybersecurity space so uh Richard if you don't mind before we start talking about the cyberwar and cyber security industry and your book and your analyst dashboard uh could we begin with talking a bit about your background as an analyst because i think it's relevant here seeing as the story involves you telling hard truths that few wanted to hear to powerful people in the military brass i'm fascinated by you calling out the entire ids category which you might have to define for a few people here in the audience and you did this in the 2000s and it just reveals so much about the fascinating dynamic between analysts and industry so could you take us through that experience in its aftermath

Sure and to set the record straight i never said ids is dead i said it was a a failed uh market effort and the products were useless and you shouldn't spend any money on them much different yeah much different that was Gartner's pr team that said ibs is dead yeah you know i'd been at gartner for two years i was one of only two industry analysts that covered network security and i would hear from the intrusion detection software vendors who all had sensors that would tap into network traffic and then they'd do signature matching against the traffic and they would send an alert when they saw something that matched a signature and of course uh if you know if you know about snort the open source ids solution which is practically the only thing anybody uses anymore so it's you know it's free it's not a product so there is no market for ids anymore um it was still the only other thing that you could do on the network back then we're talking 2002. you had a firewall and that was it you could do ids and on the endpoint you had antivirus that was pretty much the entire security industry back then other than encryption um and i just for two years i went around and i asked not only gartner clients but i would talk to the uh security teams at some of the big vendors that sold ids like cisco and they'd say so tell me about your ideas and they'd always tell me how many alerts they generated a day you know millions or whatever and then i'd say so how many staff do you have oh well at cisco which at the time was one of the biggest it companies in the world had four people in the ids team and i said gosh that must be long hours covering weekends and holidays and they go oh you know we just work nine to five and well well what's the point you know what are you reacting to and it turned out nobody was taking action on the alerts they were just logging them because logging is a requirement of any security framework so it you know it was a hard thing to realize that wow everybody's talking about this product and how important it is and yet nobody's actually using it so that's why i finally had my presentation at a gartner security symposium the cio of the pentagon was there and he buttonholed me in the hallway and he said you've got to come into the pentagon because shortly after you know the airplane crashed into the pentagon they're rebuilding all their i.t infrastructure and they're going to spend 120 million dollars on ids so as walked down the hallway of the pentagon and walked into a conference room at which we're sitting all of the founders of all the ids companies and and then up against me the industry analysts and i'm horrible at debate right i get emotional they get flustered and hot under the collar literally and it you know so it was a long debate i set the ground rules i said we're going to talk about ids without using metaphors so nobody can bring up security cameras and you know bars on the windows which are firewalls and the security cameras of course are ideas um we're just going to talk about you know what it does and what its value is if it has any and why i don't think it has any value at the end of the two hours the assistant cio the regular cio couldn't make it declared that it was a draw but the pentagon changed all their requests for proposals to be worded intrusion prevention system instead of intrusion detection system which was the next level of what the technology was going to do so my only claim to fame is i got the letter changed in an acronym

8:22

It's an amazing story and maybe you could explain to the audience a little bit about how the role of the analyst is and that dynamic between the analysts and the industry and why this was such a big shock to so many people because occasionally you see something the wall street journal where a big time ceo willget really angry at a wall street journal reporter for calling out something uh you don't see it as widely reported when it happens between industry and analysts but you do see it i saw something fairly recently where that happened so what's going on there

8:39

yeah so you know an industry analyst has to be an advocate for the industry as a whole um you know they can't hate the industry they're in and they have to use their experience and the fact that it's their full-time job to know the industry they have to use that to call out uh characters that are making false claims for their products or set the world straight when they start you know moving towards a new buzzword um and and helping people understand what the news buzzword is supposed to mean you know a classic example right now is zero trust i had my team in india survey 2850 vendors to see how many of them said zero trust first thing on their website and there there were 188 right so zero trust is a fairly new strategy for approaching security and vendors that align perfectly with it didn't exist until fairly recently but you'll see vendors that are 20 years old saying hey that's us we're zero trust whereas two years ago they were we're machine learning and artificial intelligence right so uh all vendors want to be relevant and you know cutting edge and the next big thing so they tend to jump on buzzwords created by quite often industry analysts so the zero trust work you know phrase was created by forester analysts um uh you know the all the cloud security stuff that gartner's putting a lot of effort into you know they're creating they've created over 25 new acronyms just for various things you do in cloud security but that's you know kind of the dynamic the industry analyst you know speaks to end users all the time it speaks to vendors all the time when i was at gartner i probably took i don't know 10 to 15 vendor briefings a week and i was on the road 50 days out of 250. it was just they're super super busy you know CISOs like to think they've got the pulse of the industry because the vendors come to them and brief and ask them for briefings and all that all they see are emails from marketers at vendors saying you gotta talk to us and learn about our cool product but there's no way that a cso is gonna talk to as many vendors as an industry analyst does and and to start categorizing them all without that vested interest right i'll look at any vendor you know ceso will say well no you're too small you're or you're in finland and you can't support us here in south america we're not going to talk to you i talk to all vendors so i can understand you know what's happening in the space and you know new technology comes out of any country in the world at any time

11:44

Right. it's such a fascinating dynamic to me i suppose it's a little similar a to certain roles of journalism but it's different you're being looked to as someone who can effectively make or break a vendor whether it's you know emerging or established but at the same time you have to be true right you have to be direct you have to get it right to maintain credibility of your analyst firm and you also have to somehow be a cheerleader for the industry itself it's it's a tricky it's a tricky path to walk i imagine

12:09

yeah yeah and it you know it changes too and you're an independent analyst like me right so at Gartner um i had olive gartner behind me and a vendor would be less likely to sue gartner even though that's happened many times in the past but as an independent you know if i came out and totally slammed the company as i've done several times thankfully they don't feel compelled to sue me because that would just draw more attention to what's going on but they blackball me immediately there are a couple huge vendors directly in the space that i'm a specialist in the firewall space that never briefed me and never talked to me and it's okay you know it's even though you know at least one of them has proved me wrong by their success when they criticize their ipo you know they they could have won that battle if only they had taken it to the mat right so i think that also drives home the fact that while the legend of Richard Stiennon might have begun with something a bit of a creative destruction uh at the same time Richard is far more than a uh destroyer of worlds definitely a creative person author of many books you're also a tech founder going way back and you started your own analyst firm so i think you also have a sensitivity towards uh what people are going through when they are running their own companies when they're trying to get through there absolutely yeah yeah yep yes i've lived it i've actually started 24 companies practically all of them complete failures um and so yeah i understand how that how that works

13:57

did you say 24 companies?

14:04

Yeah when i was young i just i had a new idea every six months oh i'm gonna do this and never raised funding for any of them because i'm in michigan right since michigan does have a vibrant vc world 14:29

14:35

ah okay that is amazing uh yeah it's an amazing wide-ranging career you've had so far. So i do encourage the audience so we're 15 minutes in please do ask some questions here this is a really special opportunity to talk to Richard and ask them a question it's on your mind uh and as far as why you would ask risker toquestion i think that we need to get into now a little bit about security yearbook and the and the analyst dashboard because tell us a little bit about what that book is and why you wrote it

14:46

sure yeah what i actually when i joined gartner i thought i would have access to something gartner had acquired called data quest which i assumed was this huge data collection uh capability so you'd have all the data at your fingertips there was nothing at gartner that i could use in a new space like cyber security so when i launched it harvest way back in 2005 the name harvest was associated incorporated because i wanted to harvest all the data and i continued to do that over the years but then about three years ago i started publishing the data which was in good enough shape to put in a directory format in a printed book this is the only drm i could think of that would keep people from stealing my data and you know either monetizing it themselves or putting it online for free and destroying the value and so after three years of that it's getting pretty clean right we've looked at these companies over and over every quarter we have to go through and clean up the ones that have failed and of course there's startups coming out of stealth every quarter and adding them but an annual book it doesn't have a time granularity that somebody might need if they really wanted to understand the industry so i took all my data and put it in a database and brought it intern on it was just brilliant and we built using no code the application so that you can now subscribe and get access to all the same data i do and sort it by you knowfastest growing you know either the previous year or the last quarter sorted by the most investment received recently over the last year sort by category read all my reports in it so basically a supportive app for the access you get to the analyst and then it's bundled so it's much like you know if you went to gartner or forester they sell you seats that give you the right to schedule calls with the analysts same thing with IT-Harvest now but you also get the data you may never want to talk to the analyst um but you always can if you want to understand why i categorize things a certain way or you know why i don't have a a cloud security category right now i've got you can search on cloud security because i'm tagging all the vendors that um think of themselves as cloud security but it's not a standalone market it's like iot right there's i do have a standalone iot market but that's because the buying centers are different cloud security the kubernetes security are is the same as endpoint and the you know vpc might be the same as the network security etc [Music]

17:40

If i'm not mistaken you have those 16 categories and just just from the teeny bit i'd be able to see on your website would you be able to place those three or place those categories into a couple of tiers like a distinct upper class middle class and lower class in terms of activity and investment? Or is there many? Is that too simplified if you were to look at it that way

18:07

That's not too simplified because i think of security in a you know a very engineering-like way right with multiple layers and there are five major buckets network endpoint identity um data and governance risk and compliance right those have the most standard all have you know over 200 most have over 300 vendors in each of those categories and then the the rest of them are kind of the faster moving things that i want to segment out just so i can watch them so operational security security analytics threat intelligence email security just because there's so many vendors that do email security and and it's hard to say well that's just network security sometimes it is endpoint and application security so yes that's why i look at it and then when i've got those 16 categories for the first time ever last year i looked at the growth in each category that was very revealing so i'm starting finally got the data to the point where i could start having insights based on the data for instance uh security operations you know vendors that sell into the sock grew the fastest out of all the categories last year 25 growth year over year it's still relatively small but that's where all the xgr goes and things that support threat hunting etc and i'm elated by that because that means that the buyers that are spending all this money are finally you know mature enough that they're building socks and supporting socks and you know starting to bump into the problem of it's hard to hire people in our sock so we need tools to help make them more efficient and that's a great sign because they're you know for years and years all we talked about in security was better vulnerability management better patch management better configuration management um you know it was all just just hygiene stuff and hygiene stuff does you no good at all against a targeted attacker right they're busy meeting your employees at bars and bribing them to install you know uh back doors and their phones so that they can get access to the system uh you've got to focus on targeted attacks

20:27

Let's talk about these attackers now uh we have come through exponential growth and attacks in the threat landscape it looks like over the last couple of years for probably obvious reasons to many to everyone between the uh you know rapid move to the cloud the uh distributed nature of work nowadays now now we're facing what is being frighteningly called cyber war and you're an expert in this as well and i'd love to hear you talk about are we in a cyber war have we been in have we already been in a cyber war are we is it going to come later what is a cyber war what is that going to look like and how is that going to affect us

21:07

yeah so luckily it all comes down to definitions and thanks to going back to school and having to you know just be aware that thomas ridd is out there who's a professor at johns hopkins and he comes from he's not a technologist at all got into cyber after i started at king's college um and he came from a historian's perspective right and an historian of warfare and law of armed conflict um takes a very clausewitzing approach to warfare right warfare is this in anything else is not warfare so there's no such thing as a trade war or a war of words those are all just you know linguistics so warfare is the use of force you know to project a uh a country's um you know desires and accomplish their goals and therefore cyber war there is no cyber war be according to the thomas ridge of the world because there's no force involved nobody dies right even though there have been a few cases of people dying because their health clinics were not operating um but nobody's targeted for death and very little destruction other than stuxnet you know which did cause things to blow up um so you know they've said so thomas Rid was able to write an entire book taking all of the same instances that i used to depict cyber war and say nope that's not warfare therefore it's not cyber war so stop talking about that so when i wrote my master's thesis which turned into there will be cyber war the definition is you know cyber cyber network attack and exploitation in support of a military so in other words if ships in the south china sea are engaged in a battle and one side or both sides use cyber attacks to get the upper hand in that battle that is most assuredly cyber war so then you take that to and the expectation was as we built up to the invasion of ukraine by russia um the expectation was that they would thought that russia would follow very very traditional uh military progression just almost you know an extension of what we used to do and both sides did world war one right so you everybody's lined up on either side of a no man's land and before you send your infantry in you you know launch a barrage of shelling in order to try and kill the people in the trenches ahead of you and then you'd let up the barrage so that your people could pass forward the idea was in that what should have been the traditional way of thinking is before you invade ukraine you completely debilitate their communications in their power grid uh you know shut down their gas pumps so they can't fill up their vehicles all the rest of that stuff right it just see makes so much sense to everybody and yet russia didn't do that at all right they engaged in some minor wiper attacks against ukrainian um systems where they used you know a worm-like attack to wipe a lot of disks similar to not petya but certainly not as extensive they deface websites just like russia did in georgia and estonia in 2007 and 2008. um it didn't feel like cyber war and then after the actual war started um you know you had anonymous declaring war on russia cyber war on russia and is defacing websites and leaking data from the ministry of defense warfare no um that's information operations at its best um so you know from a purely academic standpoint we're not at cyber war with russia and even ukraine's not at cyber with russia they're literally at war with russia no question about that um so i think we're we're still to see two nations with sophisticated uh cyber attack capabilities actually engaging in warfare and that it's not going to happen until it's china versus russia or china versus the u.s or russia versus the u.s and some nato countries so that's where we stand today i think

26:06

boy i wish i would not have spoken so much at the beginning and we could have just launched right into this because i have so many questions uh you know in the time we have left here in our first half hour uh whatever is called cyber war or some kind of a spillover from the i think the terms kinetic war um is there anything that you you anticipate seeing impact the industry impact the way that the industry behaves the way that the investments pouring into the industry

26:31

yeah you know the a whole bunch of things are impacting the industry the first of all the number one driver for the industry is threat

26:36

actors and that's why this industry is different from all the rest of technology

26:42

which is driven by you know faster and cheaper and lighter etc

26:49

in security you've got a outside actor who is pushing the envelope all the time

26:54

so you throw up some good defense they come up with a new way to get around it and just goes on and on and on therefore

27:00

the industry is not going to consolidate there will always be more security vendors

27:06

and you know there'll always be a need for doing things more securely

27:12

the but what does happen every time there's a major successful attack even though

27:18

you know uh here in the u.s you know a pipeline company

27:23

suffered ransomware right it was all that indicates is both companies especially in the us are horribly

27:30

prepared to to do anything when it comes to backup and recovery and and update their

27:36

antivirus system and all the rest right it's just all it's saying is well nobody's been listening to me for 25

27:43

years um and but the government

27:49

start to get involved and they start to message around it and so when you have the president biden

27:57

issue an executive order that basically is very prescriptive for government agencies

28:03

that they will use uh multi-factor authentication hey finally you know it's

28:08

literally 25 years since since Richard clark first said that when he was in the government

28:14

um and you you will use zero trust uh strategies or approaches uh you will

28:21

encrypt data you know all the stuff which is security 101 but for the government to tell

28:28

for the executive office to tell you know the biggest employer

28:34

outside of china the military and the federal agencies to

28:39

do something about it is a big deal that means more spending they're going to spend more money you know all their

28:45

money goes to backfee and semantic and ibm and you know big companies but that

28:51

means that you know there'll be other companies who'll get some of the windfall from that spending as well

29:00

and it means regulations will follow afterwards too to help enforce some of

29:06

this and regulations are the other big driver for a lot of spending because a lot of companies don't care that they're

29:13

you know they're not secure and attackers can steal their stuff they really don't care but they do care when

29:18

the lawyers come back and demonstrate that they weren't following best practices so then they'll

29:24

spend money yeah boy when you when you map out an

29:29

industry in the cash flows within the industry the way that you have i'm sure that you were able to and you when you

29:34

can start to see kind of the big disruption drivers on the horizon be it you know pestilence plague famine war

29:40

whatever is going on here or just a better breakthrough innovation uh i can only imagine that you might

29:47

have a couple things that you think oh that that's something that people should really keep an eye on as a real

29:52

opportunity to invest in is there anything that you think is there a category or a company or anything you're

29:57

seeing that is under invested given all these different levers that are out there yeah for uh yeah i think i

30:03

think for sure right now api security is the one that stands out the most to me

30:10

you know because it whenever there's a new technology that gets widely deployed before people come back and start

30:16

thinking about the security of it that's an opportunity because you have to move fast to

30:23

and so the industry will spend a lot of money patching and fixing the way they've deployed apis there are

30:30

22 standalone vendors and four or five vendors that have already made

30:35

acquisitions of api security technology um so i'm watching that closely

30:41

fast growing space there are two vendors that have taken huge funding amounts um they're growing you know because

30:48

they're spending all that money and hiring people so they're growing quickly as well um there's numbers that say 80 percent

30:55

of internet traffic is actually api traffic which kind of makes sense when you think that all the

31:02

all the traffic between your google maps and your phone and google servers is api

31:07

traffic for the most part uh kind of makes sense that that's all out there

31:12

so that's what i'm looking at i'm also the one area that i haven't seen yet

31:19

is so it's now a year and a half since the solar winds breach that involved you know

31:27

russian spy agencies infiltrating a u.s

31:33

software company and modifying their code and getting it

31:39

you know properly encapsulated in their update servers and then shipped out to their 18 000 customers

31:46

giving a backdoor access to all those including many government agencies what a

31:52

horrendous first of all that's a sophisticated attack no question but it means so so much for everybody

32:00

because you know we security people for years have said update you know patch as

32:05

soon as there's the updates available um and you know i stopped doing that years

32:11

ago with i'm a macbook user and itunes used to try and update every six days or so and i you know i'm

32:19

going why should i update piece of software that does just what i want um and i bet you anything those updates are

32:27

trying to monetize more information about me right there a lot of these updates are ooh somebody

32:34

had a bright idea on how to you know sell more tunes or movies by tracking

32:40

more of what you do with with their product so

32:45

but you know if if there's a security patch every patch tuesday for windows

32:51

you're supposed to update really quickly a lot of organizations update automatically

32:56

but what if you can't trust the updates and that's going to just it targets our

33:03

trust of the software update ecosystem and i'm waiting for somebody to go hey we've

33:09

got a solution we know how to solve this problem and so far all i hear is

33:15

from companies that want to would sell to the solar winds of the world

33:20

to help them do a better job of protecting their developers and their cicd process

33:27

fine but that is never going to solve a problem you can never go to the source and tell

33:33

them to change their behavior and hope the problem goes away because you're just never going to get 100 penetration

33:39

there'll always be somebody that that is vulnerable and it could be

33:44

a two-person team creating the next really cool game that everybody uses right

33:50

so so what do you do on the end um the end users point how can you well

33:57

you cannot update right that's just don't update and or wait

34:02

six weeks to update and then you'll know because everybody else who updated faster will get hit by

34:08

whatever the attacks are and then you wouldn't have been exposed to it well that's great except that solar winds

34:14

took nine months to trigger so you would have had to wait nine months not getting all the new features

34:20

that solarwinds had embedded and that's really hard you could

34:26

at least sandbox updates put them in a you know beautiful environment that

34:31

looks just like your production environment and launch and test the update as you're supposed to anyways but

34:37

most people don't but that won't detect the one that's triggered later

34:44

and you can reverse engineer the software right you look for changes from the last image

34:50

and then try and figure out what they did but every single software license i've ever seen says you will not reverse

34:56

engineer or code right so the vendors will have you to makes change something on their code and

35:03

they'll do that because customers will require it so have to let you do something to look

35:09

at that code to make sure it's not doing that um i'm still at a loss still waiting for it

35:15

to happen but that'll when that happens that'll be a great thing to invest in

35:21

wow both intriguing and scary all in one uh all-in-one story there that's my life

35:28

well you mentioned the word ransomware we have a question from ashley chachman uh about uh ransomware and that is do

35:36

you think that the regulations that cesa is suggesting around ransomware payments will provide more insight into these

35:43

threat actors than we currently have

35:50

if the regulations actually get people to comply and reveal stuff

35:56

and if cesa shares what they learn then 18 months to two years from now

36:02

we will learn what more about what ransomware people are doing today and of course they will have completely

36:09

moved on they'll be all new actors all new technology and all new methodologies

36:14

two years from now so i guess shorter answer is no i don't and i'm not a big fan of the

36:22

government's constant brain about um we need we need

36:28

you to tell us your information right the command the nsa is monitoring all

36:34

network traffic between all people outside the us and in the us they know

36:40

exactly what's going on so just go ask them what's going on and start doing

36:45

something with that data don't don't go putting these regulatory burdens on

36:52

companies that don't even have a security team how are they going to do that

36:59

right and because i've heard you talk before about the actual sophistication of the nsa as a security apparatus and

37:06

just for those of you who aren't familiar maybe just a quick brief uh mention about how surprised you were maybe when you

37:12

first learned just how capable and how sophisticated they are and how much they actually do know

37:18

yeah i was aghast and accused by everybody who is in the know of being

37:23

very naive and i was just you know back then i thought nsa

37:30

fbi same thing right because you know i worked with a lot of fbi agents would

37:35

never owned a computer you know and we're talking all the way up to

37:41

2015 right they were not chosen for their computer abilities obviously

37:46

that's changed dramatically so i assume the nsa was kind of in the

37:51

same boat and then we discovered no there's a tailored axis operations group

37:56

that has published internally a now now leaked catalog the ant catalog

38:03

of the super sophisticated things they've done the testing involved in

38:09

uh developing and releasing stuxnet was astounding and talk about

38:15

sophisticated burn five zero days and uh create something that targets a

38:21

specific um uh you know rotator controller and a

38:27

centrifuge just astounding and obviously that was way

38:32

back in 20 that was in 2008 we learned more about what they could do

38:38

by 2013 thanks to edward snowden you know so that's 12 what's that seven

38:45

nine years ago and just imagine what they've done since then

38:51

right uh we have another question here from yari pierronen uh who's asking

38:59

a couple of years ago your yearbook listed nine finnish companies i wonder what's the latest number of

39:05

finnish companies you have included ooh i'd have to look it up but oh folks a live demo here how fast

39:12

can it happen it's going to happen fast this is going to be like the new the new

39:18

search engine ask Richard yeah luckily i've just recently been searching on south korea's everything's still

39:25

sorted that way 22. that was fast 22 a couple years ago was

39:30

nine yep yep now mind you you know the you know

39:36

every time i publish my numbers people tell me about oh you've got you know our country wrong and i just

39:43

published if you go to my linkedin i had published a list of a number of vendors

39:48

in each country and people in ireland were pushing back and

39:53

they so they sent me their lists which i have to go through and i actually added 20 vendors so ireland popped up to

40:02

number two in the world um for vendors per million of population

40:08

and of course israel is first with 25 vendors per million of population

40:13

and uh ireland ireland and singapore came in at eight vendors so it doesn't won't

40:19

doesn't take very many more in a small country to get that number up

40:26

well if we had more time that is one entire webinar right there is looking at the

40:32

idea of kind of the central locations for innovation in

40:37

cyber security because when i saw that i didn't know that about ireland that's news to me that's kind of amazing i'm not sure what the reason

40:43

behind that is but israel is somewhat i wouldn't say self-explanatory but it's not like shocking it's a little shocking

40:50

just how much ahead they are i mean when you look at that bar graph it really is kind of shocking just how in

40:56

i think that these are also what i understand really high quality uh technologies that are coming out of

41:01

there too yeah so yeah and you know israel i explained you know of course we know the mythology

41:08

about their military you know they have universal subscriptions as subscriptions that we see um drafts

41:15

conscription conscription and uh and they cherry pick the brightest

41:20

math students to put them into unit 802 so they're filtering right and uh turning out people who when they come

41:28

out can get funded very quickly for their startups because israel has a venture capital

41:34

community ecosystem that grew up after checkpoint went public in 1993.

41:40

so people made millions of millions of dollars in that founder's case billions

41:46

and nothing you know pulls in more money like people making money

41:51

so you know so that's always it of course that happens in silicon valley as well

41:56

and there's little spots right ann arbor michigan sold dual security to cisco for 2.1 billion dollars so now

42:04

there's startups in ann arbor uh at one point in atlanta georgia iss sold ibm for uh

42:12

1.8 billion dollars so georgia became kind of the hot spot

42:18

source fire sold to cisco and now dc is a hot spot so that's always that's going to be the

42:24

case unfortunately in spain france

42:30

yes finland um there aren't you know if you think of finland right the big

42:37

thing is um uh shoot what's the

42:42

no well nokia had spinoffs from nokia but also

42:47

um well stone soft was was finland and they got acquired

42:52

and but the um shoot the microsoft acquired um

42:58

chat platform so that was that was just a giant shot in the arm to

43:04

both estonia and in finland because you know the founders were from both

43:09

countries 660 million dollars to a little startup um

43:15

and and i think so when you have technology centers like finland you've got all the elements

43:23

right but you don't have the investment coming in and that's the one element that you need to add into it

43:28

and certainly you know the some of the best security people i know are in finland and

43:35

some of the best companies start up in finland but if they want to take over the world they have to leave finland in

43:42

order to attract the investment dollars and scale besides

43:48

you know finland's winters are not that fun

43:54

it was just snowing today so winter's not over winter is coming winter is always coming in finland yeah yeah i'll

44:00

tell you what though keep an eye on that scrappy startup hawks hunt you know they're i hear good things about them

44:05

yep and yeah uh i had i spent a wonderful week in yoensu when i worked at uh blanco oh

44:13

yeah which was founded in finland and just wow it's a beautiful beautiful country

44:20

and i would move there in a minute yeah well i've been here for over 10 years now and i love it i'll tell you

44:26

what come here any time we'll uh we'll show you around Richard it would be great to have you here that'd be awesome hey yeah

44:33

it would be awesome awesome happy hey thank you so much for giving your time here everyone please check out security

44:38

yearbook 2022 is coming out i believe on may 24th or 25th go to

The #1 Source For Domain Names | HugeDomains  make sure you check

44:45

out the industry dashboard not only are they really amazing tools and amazing pieces of reading uh the value you get for

44:53

these things is pretty amazing i've been at companies where we've spent tens of thousands for uh for industry overviews uh that is

45:00

uh out there so Richard's really kind of doing this almost like a volunteer service is how it feels for my from

45:06

where i'm sitting here so financially it feels like that too

45:11

right well hey we appreciate it okay uh thanks Richard you you take care and hopefully

45:17

we'll be in touch all right thanks so much elliot okay have a good one bye

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this