CISO Talk: The Winners and Losers of the New Normal - Security Boulevard

As we adapt to the new normal of remote work, we have started to adopt new technologies, strategies and practices. Since the pandemic started, we have seen a rapid acceleration of digital transformation, which has definitely made cloud providers big winners in the COVID-19 era. So, who are the potential losers in this scenario? And who else is a potential winner?

In this episode of CISO Talk, Mat Newfield, Mitchell Ashley and Alan Shimel are joined by Chenxi Wang and Richard Stiennon for a great discussion on which cybersecurity technologies are winners and losers in the new COVID-19 environment.

The video of the conversation is below, followed by the transcript. Enjoy!

Transcript

Alan Shimel: Hey, everyone. Thanks for joining us. This is another episode of CISO Talk. I’m your host, Alan Shimel; editor-in-chief of Security Boulevard, founder and CEO of MediaOps. And I want to introduce you to our guest today. First of all, my co-host is Mat Newfield. Mat is the CISO at Unisys. Mat, welcome. Thanks for joining and co-hosting.

Mathew Newfield: It’s a pleasure, Alan. It’s always good to speak with you.

Shimel: All right. And then also, kind of regular here on CISO Talk the partner of mine in Accelerated Strategies Group. He’s the founder and president, CEO Mitchell Ashley. Mitch, welcome. Welcome back.

Mitchell Ashley: Great to be here. And exciting panel. I love all of these folks, so it’s good to be with you.

Shimel: It’s going to be a good one. And then, our two guest stars; son of Joe Collins and, you know, special guest star. I’m old. I remember that. Anyway. [Laughs] Let me introduce, first of all, my good friend Chenxi Wang. Chenxi, you know what? You tell them about who’s Chenxi.

Chenxi Wang: [Laughs] Thank you, Mat – I mean, Alan. I’m Chenxi Wang. I’m a former Forrester analyst. Right now, I run a cyber-focused venture fund investing early-stage Venture – early-stage cybersecurity companies. It’s always good to be here, Alan. 

Shimel: Pleasure. And the fund is called Rain Capital. Correct?

Wang: Yep. That’s right. Rain Capital. Thank you.

Shimel: No problem. And then last but certainly not least, the dean of security analysts just about… we only know of one doing it longer than him – which he’ll remain nameless for today, maybe. But none other than our friend Richard Stiennon of IT-Harvest. Hey, Richard. You want to give your quick background?

Richard Stiennon: Yeah. Sure. Former Gartner analyst and moved on to join the vendor, which is about the only exit from being a Gartner analyst there is. But that didn’t last, and I loved being an analyst. So I started my own firm; written a bunch of books about our industry and several warfare. And that’s what I do, is I write. 

Shimel: Excellent. And of course, your latest book is called “Curmudgeon: How to Become an Industry Analyst.” But really, it’s the book you wrote before. You held up the book. Okay? Mat. Mat? You won the prize. [Laughs] And that, Richard – of course, the book before “Curmudgeon,” though, is one that I think is really relevant to maybe today’s discussion. And that is your security yearbook for 2020. Came out around ours, say.

And it really is sort of a comprehensive guide to the present players in the security field and sort of their DNA and pedigrees and the whole kind of history, if you will, of the cyber industry from a tools vendor, service vendor perspective, and great book. Great reference for any CISOs out there. Or doesn’t have to be a CISO, for anyone who’s interested in the security industry. So with that being said, folks, I’ve invited you on – Mat and I invited you on today because, you know, we are halfway through August; more than halfway through August. We’re almost six months into this COVID everyday-calamity kind of thing. And though we’ve settled into patterns and things we do… we Zoom a lot. Right? We don’t go out a lot – most of us. We wear masks. But there’s been really, you know – it’s sort of a new normal. And this new normal has resulted in – especially in the cyber world – new patterns; new tools, new ways of doing things. There’s been winners, and there’s been losers. And I think we – it’s not too early to start recognizing now what some of these winners and losers may be. So I wanted to talk about that with us for a minute or for the next 40 minutes or so. Mat, you’re the co-host. So I’m going to give you the chance to kick it off. And what do you see as winners and losers? And we’ll run with it from there.

Newfield: So I’m very excited to have this conversation with everybody. And I thought we could start with an easy one that will move us along. And it’s a winner and a loser depending on your perspective and depending on the platform you chose and your viewpoint. It’s actually what we’re doing right now. Videoconferencing and the ability to have mobile videoconferencing really is a winner right now. There was a lot of push for in-person over the last few years.

We saw it really coming in that 2015 time frame. You heard CIOs around the world starting to make statements. “People must be in offices again. We have this real estate. You got to come in.” And there wasn’t a lot of need for video teleconferencing like this. We spent money on making our conference rooms – through very expensive technology – video-capable and video-ready for a conference room to conference room. But this kind of interaction didn’t really happen.

So it’s become a winner as people sign up, but I think it’s also become a loser. And I’m looking for, you know the conversation because it’s also exposed a lot of risks and a lot of weaknesses. And, again, as stated we’re not going to slam any particular platform or vendor. But quite a few of the monarchs have been in the news over the past few months because of their ability to be exploited, misconfigurations, weaknesses in cryptography, weaknesses in the utilization of passwords. So for me, the first one I talk about is videoconferencing. I’d love to get everybody’s opinion on that.

Shimel: Great. Anybody with thoughts on that?

Ashley: I’ve got a lot of-

Wang: Yeah.

Ashley: Go ahead, Chen. I know you would jump in. [Laughs] I knew one of you would.

Wang: The force of Gartner battle.

Ashley: That’s right.

Shimel: Manifesting itself. Go ahead, Chen.

Wang: Totally agree. I mean, certainly we – everybody uses videoconferencing; which I have a platform that you’re comfortable with every day. Right? So I’m on like three different platforms on the given day. Yes. Two days ago, I was on – yesterday and the day before was an all-day board meeting. Used to be that I would fly out to the Midwest for a board meeting, and the whole trip will take four days. And now, the board meeting is two solid days in front of my computer.

And I could – at the end of the day, I could spend time with my family. I’d really, really enjoy it to be honest. But I read some analysis, to a point, Mat. I forgot the outfit that did this analysis. They said, “This was pre-COVID days.” The ROI of flying somebody to meet together in person is 10 times of having videoconferencing. Because the interpersonal communication, the bandwidth of discussion, is so much better for business. So that was a pre-COVID analysis. I don’t know if post-COVID world will see things differently. But that was the reason that – and humans social and also be… we crave that attraction. But given the state of things today, obviously videoconferencing is the method of interaction for us; both for business and for personal.

But I think, Mat, you talked about some of these tools were in the spotlight because the lack of security or maybe the – not quite as robust security. But I think it’s a good thing because all the products go through that journey. Right? When you are a little product on the corner of the industry nobody pays attention to, you also don’t pay attention to your security. And then when you become a target, everybody’s looking at you, and you’ve been exploited. And you’re like, “Okay. We need to invest in security.” So I think it’s a good thing that these products now are strengthening security and getting expert advisor panels to help them. And overall, it’s a good thing for the industry.

Newfield: Yeah. And, Richard, before I hand it off, I couldn’t agree with you more. And what’s also very interesting – a lot of these companies are still growing. They’re trying to create a product that is easy to use for the masses. And that’s a fine line to walk when you get with people like us and security folks; that sometimes, we swing too hard one way or the other and can make things more difficult. And even something as simple as requiring a password for every call that you’re on, every videocall… a year ago would’ve probably been frowned on as compared to now. So, Richard, I know you wanted to jump in.

Shimel: Yeah. Totally agree on the security side. I am not concerned with the security vulnerabilities, the ads that some nation state is going to harness all of your conferences. Because, you know, first of all, who cares? If you’re going to have private conversations, you’re going to be using Signal anyways. So don’t hold the videoconferencing tools to the same standard that you hold Signal and WhatsApp. Those are – and Telegram and all the rest of those. But the remarkable capability of Zoom to pivot and add security in the fast manner they have blows me away.

And then, the other thing I’ve never seen before is the rapid copying of Zoom’s interface. Right? So all the other platforms – which, frankly, everybody hates. Right? They’re horrible. They’ve always been horrible. And I’m not going to call out by name. We all know who they are. And there’s one in particular that wants to load software every single time you use it. So you got to get into the meeting 20 minutes before, the conflict, and it screws up your audio so you can’t hear. You got to reboot your computer. Zoom got rid of all of that. And everybody else is copying the interface.

So once you’re used to Zoom, you can use the other platforms, too. And I think back to Cisco – and I always… I’m going to – this will be a little bit of vendor-bashing, but it’s sold. Nobody’s there anymore that remembers this. But at one point, Cisco – when I was at Gartner’s, Cisco was claiming to be the leader in security, blah-blah. “Buy everything from us,” as they still try and do. But then, John Chambers – who’s one of the smartest people on the planet – decided that the future was in videoconferencing. And he pivoted the entire company. And remember the six-page ads in the Wall Street Journal for videoconferencing.

And he was wrong. He blew it. It wasn’t the driver for network bandwidth, which is what Cisco relies on. ‘Cause they actually sell switches and routers. And he just totally missed it. So they were out of the security space ’cause he can’t market two different messages at the same time. They were out of it for five or six years until he started doing acquisitions again. So Zoom came along. Zoom won this battle, you know, for – and all the power to them and thankful to them for creating this tool that we can all use. 

Wang: Can I add one more thing? That Zoom’s interface… yes, everybody’s copying. I actually don’t like. It’s a single channel communication. Right? Doesn’t matter you have two people or you have 100 people. Only one person can speak at one time. It’s just not conducive to all forms of conversation. 

Shimel: Yeah.

Wang: So I’m actually looking at new platforms that will allow you very seamlessly have multiple groups of conversation happening at the same time. And you don’t have to interfere with each other. There’s one particular platform called Toucan T. It’s fantastic. And it’s done by-

Shimel: What was the name, Chenxi?

Wang: It’s Toucan T. Yeah. It’s like the bird, toucan.

Shimel: Toucan. Yep.

Wang: Toucan. And it’s done by Toucan For Students. And they’re fantastic. If you have a chance, check it out.

Shimel: How secure is it? Or is it-

Wang: Oh, that I don’t know. [Laughs] 

Ashley: If I can jump in, too…yeah. The user interface. I think what Zoom got right is instant on.

Wang: Yes.

Ashley: It’s easy to get there. The other things, you know… and the thing they got right was responding to, you know, Zoom-bombing and security issues that pop… as well were-

Stiennon: You know, they were extremely responsive. You got to get-

Wang: Yeah. Very much so.

Ashley: You know what? What I would – the thing I would mention, though… I think the other winner in it is not videoconferencing. It’s the fast decision-making that happened in IT organizations to get on a collaboration tool, get on a Zoom or whatever we’re going to use. Those decisions were in the debate cycle for probably years if not months.

Wang: Yep.

Ashley: And in a week, it’s decided. We had to. So– [laughs]

Wang: It’s by necessity, right?

Ashley: By necessity-

Shimel: But isn’t that-

Ashley: -Those decisions got made.

Shimel: Right. But that’s just not video. You know, as I was talking to – I was talking to some VCs last week, you know, in the space. And their take is that we’ve seen six years of cloud transformation in six months.

Ashley: Yep. I believe it. 

Wang: Yeah. Yeah. I was going to say. Cloud providers and cloud application providers is a big category winner right now. Because if your organization is cloud-heavy, using cloud, using SaaS, moving to work from home, working from home is not a big deal. But if you are enterprise infrastructure, enterprise application-heavy, boy; that’s a huge lift to putting enough of the VPN infrastructure to have enough capacity for everybody. It’s just a really difficult thing to do.

Ashley: Yeah. I know the buster that’s the winner, too, is remote work. There’s all that stigma around, “It’s not productive.” It’s whatever, whatever. You know what? It’s working fine; working great.

Stiennon: Yes.

Ashley: In many offices in many cases.

Newfield: And some jobs in some industries in which I absolutely agree. But there are others that has really come to light that either you need better training, you need better experiential services for those individuals. And one of the things that I think is a winner and a loser – the loser’s side of everything we’re seeing is, in those IT organizations we’ve moved everything really quickly to home. And we’re an example of that. And under a week, we went to 95% work from home.

We were averaging 14% before we did it. And I like to say we did it securely. But, you know, you talk to a lot of CIOs out there, and moving someone home and saying, “I give you a laptop. I give you a desktop, and now you’re working for home” – I think that’s a loser kind of concept. Because not everybody in the world has good power, good internet, nor the space to do what… let’s be honest, the five of us were doing right. If you were in a much smaller space with bad power, bad internet, no air conditioning, doing this can be very, very difficult.

And I think one of the other potential losers here – and I really want to get your opinion on this. It’s not technology, but it’s some of the people who are entering the market. So newer in their role. They’re brand-new. Maybe they just graduated from a university or even a high school a couple of years ago. And now, instead of being able to go into a space and work with people like you – the experts – and get that learning experience, they’re stuck at home. And there’s an expectation that they understand the difference between working and going to play some video games or going for, you know… doing things in their personal space they’re trying to work. I think there’s a bit of potential loser there over the next couple of years.

Stiennon: Yep. Yep.

Wang: Yeah.

Ashley: I think another set of losers that I’m looking for signs of… so we all talk, “Oh, my gosh. This is great. We can all work from home” – especially tech workers, right? Programmers, developers. And they’re all saying, “Oh, this is great. I can move out of San Francisco to somewhere else. It’s nicer, quieter, more space and cleaner. And I have the same job hopefully at the same salary.” But the companies are going to think, “You know what? Now we don’t need to hire these expensive people, and we can go to Saint Louis – just picking that – or Detroit, and we hire people for half the salaries who are perfectly happy to work from home remotely. And/or go outside the country.”

Shimel: You know, Richard, I’ve had this conversation with Sid Sijbrandij, the CEO of GitLab. Right? So GitLab has 1,200-plus people and 1,200-plus offices – not since COVID; from day one.

Wang: Right. Right.

Shimel: And, you know, onto that point, Richard, Sid has sort of a mirror image opinion to you on it; in that “the reason I had to pay those high salaries is because that’s where the concentration of workers with that skill level, that talent resided. And so, I had to hire people there. I had to open my office there because that was the only place I could get those people. And as a result, I had to pay them a lot more money, and I had to pay a lot of money for offices.” Where – and that may be okay if you’re Unisys or IBM or a large, you know, Fortune 500 company who’s going to have offices in all the usual suspects. Right?

You’re going to have a Boston, New York or San Francisco kind of office and a London and an Amsterdam and maybe a Shanghai or something. But for startups, which is – you know, in smaller companies it didn’t make a lot of sense. Because either you had to commit to spending a ton of money to, let’s say, be in the valley… right? To be in Silicon Valley and play with that, you know, cost of living and the economics of Silicon Valley. Or you do what Sid did at GitLab. Which is, “You know what? I’m going to hire talent wherever the talent is. I’m not going to worry about concentrating in Boston or New York or San Francisco or Austin or Boulder. And I’m just going to – I’m going to be totally distributed.” And so, they’re in 30 or 40 countries; have been. And he thinks that’s the wave of the future. 

Ashley: I agree it is. But the people that have been pulled into the vortex of Silicon Valley are going to be short-changed ’cause now somebody’s going to say, “Aha. Guy’s got two years of experience. He wants $250,000 a year. And there’s this guy with 10 years’ experience in Finland who will work for $90,000.”

Shimel: There’s only one of us here who lives in Silicon Valley. Why don’t we ask her? [laughs]

Ashley: Yeah.

Shimel: Chenxi, what do you think? What does it mean?

Wang: I don’t know. The opinions on this are split. Right? So they are – I certainly have heard a lot about people moving out of San Francisco; high-rent areas going into more spacious geo’s. And with this working from home, sure. Why not? I’ve also heard that the – so where I live, I’m in the middle of Silicon Valley outside of San Francisco but in the middle of Silicon Valley on the peninsula. The housing price is not going down because of the lack of inventory. And there’s still a lot of optimism that it’s going to come back, and everything is going to go back to normal. I don’t know which one. I think that the future is probably somewhere in the middle where we probably are still going to see certain levels of concentration in Metropolitan geo’s like San Francisco and New York and Washington DC and others.

But there will be a larger percentage of workers that will be satellite workers. The thing that GitLab does… I mean, they’ve been doing this from day one, as you said. Like, that they have a culture internally to do that; to manage it and I think sort of instilled that culture from day one. Now, if you don’t have that culture and you have to accommodate this working from home, it is difficult. So my friends who are managers in large companies who used to have their teams local, now they tell me they work a lot harder; a lot harder doing a lot more one-on-one meetings to keep people motivated, to build this sense of community. So they are tired, to be honest. So I don’t know whether the future will be completely work from home. I think not. So that’s my view. 

Newfield: Yep.

Ashley: Yeah. I need to jump in and speak up for – I can’t speak for, but speak up for the Gen Z Millennials. I have a little bit of a different take, Mat, on what you were saying. And that is that folks that I’ve worked with coming right out of college right now, I’ve been just struck by how fearless they are about technology. They don’t care. It is not an intimidator to them at all. They are so used to remote communication. Maybe that’s the [laughs] – they’ve already been practicing social distancing because they’re looking at their phones all the time or whatever.

To be honest with you, I think they’re the best-equipped to work this. ‘Cause they don’t need to sit by next to sort of the apprentice model. “Let me sit next to the experienced person and learn from them physically.” You know? There are trades, that’s true. But in some ways, it may be kind of the middle generation who – to your point around pricing of cost of people – that might have a tougher time. I’m not sure where that-

Shimel: So Gen X gets screwed again?

Ashley: Younger folks are very well-equipped for this.

Newfield: Depends on the role. And just to throw what Chenxi was saying, I agree. We’re not going to see one or the other. I don’t think we’re ever going to go back to that 90-plus-percent in an office or even large corporations like the one I work for. You know, you’re going to see that middle split. Because there’s something to be said for a lot of the functions to having a campus, to having people in offices, to having those kinds of roles; even from just the sense of community. And there’s still a lot of people who suffer – all ages.

Because, you know, if you’ve got a family, if you’ve got things around you, you don’t potentially need to go somewhere for that social experience. And if you by yourself all the time, this is not social enough for a lot of people. So you’re going to get that split. And to your point, Chenxi, I’ve heard anywhere from it’s going to be 25% to 60%. And, you know, it’s somewhere in that 40s most likely is going to be the norm for a period of time. Right? There was a large period of time where we were pushing for work from home in the early 2000s, and it knee-jerked into offices. And it is just the way of society.

Ashley: The pendulum.

Shimel: Yeah.

Stiennon: Yep.

Newfield: I agree with Mitch on the capability of new grads, et cetera. I was interviewing the CISO for Great-West Life. And, you know, old stodgy Canadian insurance company. And he said they recognized that their customers were dying. [Laughs] Which is expensive. So they needed a bunch of young customers to pay premiums and all that. And they needed to hire young people. And they both needed the same thing. And that’s what pushed some into the digital transformation that they’re going through. Right? To modernize, do work from home when needed, supply laptops to employees and all of that stuff that, like, we began with got accelerated dramatically.

Wang: Yeah. My son, who’s a – sorry.

Shimel: No. No. You go, Chen.

Wang: My son, who’s 11, you know – well, he’s starting his school next week. All virtual. And for the last semester, a large part of last semester was home as well. And he manages his Google calendar perfectly. He runs Netflix parties with his friends. And they send each other URLs and look at things. And, you know, it’s like he lives his life and his Google infrastructure [laughs] – the design Google Classroom and Google Docs… and speaking of – so Richard and I are trying to have a – we have a weekly writing session going on right now. And my son, who started writing his own novel – and he writes Google Doc with two of his friends. You know? It’s like they just pick that up really easy.

Newfield: They’re natives. They’re natives.

Wang: Yeah.

Newfield: They’re natives. We’re not. They are.

Stiennon: Now that you’re saying that, it brings back to me – and you’re right. I could’ve even change the core of that statement I made. ‘Cause I remember a couple years ago – I have three sons. And my oldest who was a little younger, was not going out on the weekends for this period of time. And I went to his room one day. I’m like, “Son, you’ve got to go out. I know that we live in the middle of nowhere, but you need to go hang with people. Go play with friends.” And he sort of looked at me as like, “I am?” [Laughter] Like, I came around, and he was in a chat with all of his friends, and they were playing some games together. It was like, “Oh.”

Shimel: It’s a different – there’s a whole thing to that, though, that we can talk about social interactions versus online social. But let me bring this back to some security winners and losers in technologies. Someone mentioned – I think it was Chen. Chenxi mentioned VPNs. Right? So-

Newfield: Short – I say short-term. Very short-term.

Shimel: Short-term winner, right? For companies that really transform. And, you know, they had to buy some more concentrators, maybe more licenses. But long-term, they’re done. I mean, that’s a loser. You know-

Newfield: Oh, I vote for a short-term winner? Because a lot of the license for the companies I talk to that needed to expand their licenses got them for free.

Stiennon: Yeah. But they needed the concentrators… can’t handle the-

Shimel: Right. They had to buy the razors for the razor blades. But here’s the thing. Conversely, the winner there, though – I forgot what company I spoke to. Was it Zettaset or… something with a Z. They call it SaaS ops.

Newfield: Yeah.

Shimel: Right? So instead of doing VPN, back in, out, all that, you are setting up or securing your remote workers who live on SaaS-based ops. Right? So they’re going direct to cloud. But they still – they got to be – it’s got to be done, you hope, with some security. Right? With some process and control in place. So SaaS ops, which is – you know, and there’s a cyber element to it – I think is going to be a long-term winner here.

Wang: There’s a bunch of people – a bunch of companies in that area that is doing, you know, largely… you can call that zero-trust networking. Right? So your endpoint is connecting directly to application in the cloud, and you typically have something on your endpoint that is doing the context and vetting of the device, and then you got a shim in the cloud right in front of the application that is filtering the access. And I think that is the future. I mean, if it’s not here already, I think it’s largely – for a lot of companies – here already.

Ashley: Yep.

Wang: One thing that’s interesting, you mentioned VPN is, I think there’s a portion of the hackers in these days. ‘Cause they are picking on this particular mode of communication. So I was chatting with Unit 221B guys, and they were telling me they’ve been tracking a ton of criminal groups right now… is doing specifically VPN phishing. Right? So the way they do it is, they will look up – they will do reconnaissance of who your IT guys are. Their support, their number, their names and their co-op workers they – “I’m from the IT department.” Right? “So our VPN is down,” because it does go down all the time. And we set up this new VPN infrastructure. “And let me send you a portal. You know, to use the URL, you go to that portal. You log in there instead.” You know? How many companies have successful phishing? A lot of them.

Newfield: Yeah.

Ashley: The thing is – I mean, then that would be another winner/loser, is adversaries in phishing campaigns.

Newfield: Right. It’s 600% up.

Ashley: 600%

Wang: 600%. Wow.

Newfield: Yeah. What’s interesting, you say VPNs… and it’s our potential losers. But it is also – that ties into corporate infrastructure. We talked a little earlier. I think that lower as well. And companies move into the cloud, they move into SaaS… they’re just not in need anymore.

Wang: Yeah.

Ashley: Yep. Yep. You don’t need _____ because you got the internet. You don’t need a corporate network. You don’t need a data center ’cause you got the cloud. So you just need that security shim that Chenxi called it.

Newfield: And what would be the potential winner and loser as well – and I don’t mean to sit right in the middle. But it is always great going to these SaaS platforms. But if you don’t have control as a CISO, to be able to – you know, the behavioral context, the location context, you’re-

Ashley: Access control.

Stiennon: Yep.

Newfield: Access controls. You’re going to be a loser even though you may feel like a winner today.

Ashley: Yep.

Wang: Yeah. Absolutely. So the ones that are doing really well – like, Google moved to 100% working from home without skipping a beat ’cause they have all that infrastructure. They will go best infrastructure built already. And a lot of other companies that I have seen really have to scramble. They have to, you know, build up capacity, VPN. And I asked a few CISOs. I said, “Can’t you just take this opportunity to move away from VPN?” They were like – they looked at me like I was crazy.

Newfield: Yep. Well, ’cause they look at you and go, “There’s something else?” [Laughter] This is not the only thing to be doing. And you also have, you know – again, security can be losers. I talked to a lot of CISOs who have made these moves. And they’ve shoved everybody home. They’ve done the bare minimums, and they go, “I haven’t heard any noise. So I think I’m good.” And you’re like, “You’re not.”

Wang: Yeah. No.

Ashley: I wonder about the end user side of this. What about the whole pan password managers credentials management. You know, we’re using so many more services. Is it getting worse, or is – you could say the same thing for data. You know, data loss.

Newfield: But the solution providers are the winners. Right? So all of these – the other side of network access with Zero Trust is also named Zero Trust. But it’s really just application – user access to applications. And it’s single sign-on, again. But there’s a central repository. It ties into your actual directory; authenticates first and then connects you to the app. And that is so simple. You can have completely granular controls. But most of the companies that have provided that are startups. Right? So they’re winners. They’re going like gangbusters right now rolling up-

Shimel: And it’s relatively simple. I mean, we do one with a company called strongDM. I’ve done a bunch of interviews with a bunch of the archive stories. It’s a proxy. Right? It’s a proxy.

Ashley: It’s a proxy. You start it up on this side, comes into their proxy and they hook you up on the back end with everything.

Ashley: Uh-huh.

Newfield: Yep.

Shimel: You know, really simple stuff. Mitchell, we will probably do – and just in-house it’s still secure 20 years ago. Right? But maybe not as out to the cloud. But, you know, that idea of that proxy and adding firewalls and so forth. But it’s interesting. I want to throw another kind of loser thing out and get you guys’ opinion on – guys’ and gals’ opinion on this. And that is, the security professional, the security admin. It’s great to be in the spotlight. It’s great to get a little love. It’s great to get a little more budget to, you know… whether I’m spending it on VPNs or Zero Trust-

Wang: Are they getting more budget? I don’t think they’re getting more budget. I don’t think so.

Shimel: No? You don’t think so?

Wang: No.

Ashley: Let me take a look at my budget really quick.

Shimel: They never get budget. [Laughs] They never admit to getting budget.

Newfield: Not from having… right.

Stiennon: Yeah.

Shimel: Right.

Wang: No. I disagree. I think a few years ago, they are getting more budget. Right now, the budget’s shrinking for security.

Shimel: Yeah?

Newfield: So budgets generally are – in general are shrinking. Let’s be honest. Across the board. And we’re in no different boat. Companies are seeing a reduction in revenues and a reduction of collectibles when they are looking at their accounts receivables, everybody is going to be hit by that, including-

Shimel: You’re right.

Newfield: Especially the joke of, “Nothing has happened.” It’s hard for a lot of CISOs who don’t have a business context to defend their spends.

Shimel: In that same vein, though, the security people are working harder and harder defending a new territory, a new terrain. And, you know, you can do that for a month or two or even three. But now, we’re in six, and it’s not letting up. Right? Does there come a point of burnout of security? You know, and working from home, a lot of people don’t have the kind of self-control to say, “I’m off. I’m off. It’s five o’clock. I’m done. It’s six o’clock. I’m done.” Right? They’re on all the time. And, you know, burnout’s always been an issue in our industry. Has this exasperated that?

Newfield: So I like to pull just from personal experience. For some cyber professionals, let’s be honest. This is Superbowl time or whatever, you know – World Cup time. It’s when cyber professionals can actually – if you have the right mindset, you work for the right CISO, you work for the right company, this is a time to really shine and show who you really are and what you can do. And for a lot of the cyber professionals I talk to on a day-to-day basis, while they’re tired they’re still excited.

Because they’re getting recognition. They’re not the hoodie person sitting in the basement. They’re not the – now the business disabler. They’re seen as enablers. They’re seen correctly. And in some capacity – so there’s some excitement. But that can be short-lived and can burn out. I’ve seen the opposite where they’re just getting just beat on a daily basis, and they’re tired. And they’re ready to move on. And, you know, I’ve talked to some CISOs who are – you know, they may have been at that 8 to 12% turnover rate are seeing 20 or 30% now or, “Anything is better than here,” mindset.

Shimel: Anybody else on that?

Wang: But isn’t it – Mat. But isn’t right now a difficult time to be leaving a job, to look for a new one? Even, you know with all this reduction budget? No?

Newfield: In the cyber world, a lot – what I have seen is, a lot of companies who never invested in the past in cyber all of a sudden are investing. And they are looking to hire. They’re looking to bring experts in. Or they’re looking to what they call “upskill their staff.” And they realize trying to upskill people they may already have that have been there for 5, 10, 15, 20 years is not going to work. And they’re trying to bring fresh blood in. And the market’s pretty hot. My staff get regularly recruited. And, you know, I talk to a lot of recruiter space, and the market’s pretty hot.

Ashley: The issue is speed too, right? They can’t get there fast enough with the current staff.

Wang: Yeah. That’s true.

Ashley: They’re probably… but, yeah, you need them now.

Newfield: The one thing I don’t see yet is companies as large as Unisys, for example, investing and training new hires out of school. Which to me is just a, you know – there’s a potential goldmine there. Right? You hire 50 people… this is what we used to do with GM. We’d hire 50 engineers, and we built them out. At the end of the day, 10 of them would go on to be chief engineers. And even – I talked to Bank of America. And they hire 200 security people a year. But they hire them at all experience levels up to director. Right? And that none of them have training programs to bring people on board and get them up to speed. And I spent seven months researching that and could not find a single company that had big pools of incoming people.

Stiennon: And it’s difficult to do. I mean, I’ve worked at much larger companies that really struggled with that concept. And I have two – I have one more loser I’d like to put in. And that’s internships. And I’d love to get your thoughts on internships. Because most companies I talked to killed them this summer. And for the remainder of the year, they’ve either significantly reduced their intern programs or they’ve completely wiped them. And for the interest of time, I would love to throw biometric – and I don’t mean CDC biometrics but corporate biometrics – and get your thoughts. Because that is a potential big loser as well. Or if you’re into Zero Trust authentication, could be a big winner. So let’s start with internship. Thoughts on that? What do you all think?

Wang: Yeah. I think internship is tough. Personal experience. My friend’s daughter and sons were either signed up for internship and got cancelled or worse. This one daughter of a friend of mine just got a job offer from one of the big five, right? A consulting firm – and was happy to look forward to starting the job, and they got all deferred.

Shimel: Yes.

Newfield: Yeah.

Wang: Yeah.

Shimel: So it’s worked for us. One gal we’ve got working for us now who’s dynamite and turning our organization upside-down… was deferred out of EY from – she was supposed to start like in May. Now she’s starting maybe in January. So we went from – yeah. And can I… Mitchell knows. And it’s a shout-out if she’s watching, Inaara Padani on our team. Inaara has just – their loss was our gain. [Laughs] Right? I mean, so, you know… and I’m constantly torn. “Do I try to convince her, ‘To heck with EY and just stay with us,’ though EY’s a better career path for her?”

Ashley: No, it isn’t. No. I’d keep working on her.

Shimel: Yeah. Mitchell, we all work on her because she’s great. She’s great. She’s a recent graduate of Emory University, and she just does great stuff. And she’s great to have on the team. Yeah. We want – but yeah. For every winner, sometimes there’s a loser there, Chenxi. And-

Newfield: Well, that’s [laughs]

Shimel: We don’t tell them.

Ashley: Her name is spelled ZZYX.

Shimel: Yeah. Exactly. [Laughs] Yeah. Exactly. But anyway. But for every winner, there is a loser. Folks, we are getting near the end of our time. I want to give everyone a chance to kind of have some final thoughts. So, Richard, I think you went last on the introduction. So I’m going to ask if you’d like to go first on final thoughts.

Ashley: Yeah. One more thought on losers, and I think that’s teachers. My daughter’s a teacher, and she’s just entering the field. So she’s great doing online stuff, but older teachers just can’t do the mind shift to teaching online. And a lot of them here in Michigan are just taking early retirement.

Shimel: Here too.

Ashley: Yeah. And I’m upset about that. Right? I wish there were some way to create that. And then, students. You know? Grade school and high school students are not going to get the rich environment that they would get in school. I think I’m a digital person from start to finish, and I think you could have a much better education digitally than you could in a school. But nobody’s making plans or demonstrating the innovation to get there.

Shimel: Agreed. Agreed. My sister’s a teacher as well; early 50’s and diabetic. And so, going back to school for her to teach is-

Stiennon: Dangerous.

Shimel: Really taking her life in her hands. And she’s also contemplating early retirement or leave of absence. Which she has to figure out how to support, and she’ll lose her benefits. But it is. And then as a result – young teachers are great. But it’s a lot of those teachers that have 15, 20 years’ experience that really impart wisdom to your children. And our children will lose from not having that generation of teachers there.

Ashley: And the other teachers, right? Having seasoned veterans being able to collaborate with the newer teachers in those kinds of safer environments at a school, from the teachers I know, was a great opportunity.

Wang: Yeah.

Ashley: Now they don’t get that.

Shimel: Yep.

Wang: I think I want to say that we haven’t touched on is education startup; new education, remote education, startup. So I think they’re getting great response and attention. Alt school, for instance. Their enrollment number’s been up tremendously. A lot of the – because a lot of parents are looking for alternative sources of educational environment for their kids. ‘Cause school’s not given that, as you said, rich environment. And so, I think that’s going to impact the long-term model of doing education. I think that’s interesting thing to watch.

Shimel: You know, I was – you brought up education, which I think is great. I think there’s a resurge of mentoring. And not people just looking help to find a job. People, I mean, have had – so many people reach out and say, “Hey, reconnecting,” or whatever. But also asking for some type of mentoring. And I think you have kind of adopted this – had this mantra of connect with someone I haven’t talked to for over a year, every day; one person a day. And now, it’s, “Help someone every day in some small way.” You know? In maybe a big way. But I think the security field especially because it’s so easy to get wrapped up in the technology and all the business of it to the point of phishing for VPNs. Right? It’s always the lowest common – easiest way to get in. Which is through people usually.

Ashley: Mm-hmm.

Shimel: So the process is broken. So I think mentoring is a big winner right now.

Newfield: I agree. And you know what’s interesting? We can go ahead and just be normal now. ‘Cause with them off, I don’t think we’re recording.

Shimel: Oh, okay. No. It’s still recording. It’s in the cloud. You know, I see it. It’s turned on.

Newfield: Okay. Good. Oh, I see the recording button as well.

Shimel: It’s up to you if you want to pause and wait for him.

Newfield: We can pause. Yeah. It would be good at some point. I do want to talk about biometrics at some point because I have to tell you. Depending on who I talk to, depending on startups that I talk to on Silicon Valley, if I’m talking to the large companies that have gone very public with their biometric thoughts, it is just a really interestingly split field right now. And there are a lot of companies. Ours as well, we’re implementing more and more biometrics as an authentication mechanism – especially facial recognition. Because you can’t phish my face. 

Wang: Yeah. Also – yeah. Also, it’s probably not a good idea to have any kind of a, you know…like a fingerprint thing that’s shared. [Laughs] Nobody wants to do that. So the facial recognition is more hands-off.

Newfield: Let’s be honest. Well before COVID, if I went to a data center and they’re like, “Put your hand there,” I’m like, “No.” Or put your eye up against something. You’re like, “Seriously, I’m not leaving this place with pink eye. It is just not happening. You can look at me, or I can talk into something if you want.” But yeah. The fingerprint thing on a public environment is just – can be very, very strange. At least you can’t break into them with gummy bears anymore. That would be a fun thing to do back in the day.

Shimel: And we’re coming up on the top of the hour. I’m not sure if we’ll jump back in. Mat, you want to just close this out as…?

Newfield: So I want to thank you all very much for joining us today. Richard, look forward to reading your book. As always, it’s a pleasure to speak with you. Chenxi, really it’s a pleasure having you on today. Thank you so much for everything you’re doing. 

Wang: Thank you.

Newfield: Mitch, as always it’s good to have you as a regular. We appreciate it. We look forward to the next CISO Talk. Have a good day.

Shimel: All right. Thank you, everybody.

Wang: Thank you. Bye.

Newfield: Bye.

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.
