Navigating Cybersecurity Challenges: A Conversation with Ted Gutierrez on Bridging OT and IT

Episode 5 February 27, 2024 00:51:34
Navigating Cybersecurity Challenges: A Conversation with Ted Gutierrez on Bridging OT and IT
PrOTect It All
Navigating Cybersecurity Challenges: A Conversation with Ted Gutierrez on Bridging OT and IT

Feb 27 2024 | 00:51:34

/

Hosted By

Aaron Crow

Show Notes

In this conversation, Ted Gutierrez, the leader of Security Gate, discusses the challenges and strategies in implementing cybersecurity solutions in the critical infrastructure sector. He emphasizes the importance of common language and frameworks to bridge the gap between IT and OT. Ted also highlights the need for asset owners to start slow and focus on key controls, rather than aiming for maturity level 5 in all control frameworks. He discusses the challenges of scaling OT compared to IT and the need for consolidation in the market. Ted concludes by emphasizing the power of saying no and focusing on specific goals. In this conversation, Ted Gutierrez discusses his concerns and excitement for the future of cybersecurity. He expresses concern about the global state of conflict and its impact on cybersecurity. He also discusses the balance between order and freedom in the cyber industry. On the positive side, Gutierrez is excited about the increasing focus on the business side of cybersecurity and the growing understanding of cyber as a business problem. He emphasizes the importance of non-technical leaders understanding cybersecurity. Overall, Gutierrez is confident in the people working to protect the globe.

About Ted Gutierrez

Ted Gutierrez is the CEO and Co-Founder of SecurityGate, the provider of the leading SaaS Platform for OT cyber improvement. He is dedicated to protecting what matters across operational sectors and aligning industrial cyber teams on their cyber improvement journey. With an extensive background as a compliance and risk auditor for critical infrastructure, he understands the pain associated with effectively maturing organizational resilience in a decentralized ecosystem. A United States Military Academy graduate at West Point and a veteran of the US Army as a reconnaissance and surveillance expert. 

Takeaways

 

Hosted by: Aaron Crow

Guest: Ted Gutierrez

 

Connect with Ted Gutierrez:

Connect with Aaron Crow:

Learn more about PrOTect IT All:

To be a guest, or suggest a guest/episode please email us at [email protected]

Show notes by NMP.

Audio production by NMP. We hear you loud and clear.

View Full Transcript

Episode Transcript

[00:00:00] Speaker A: You're listening to protect it all, where Aaron Crow expands the conversation beyond just ot delving into the interconnected worlds of it and OT cybersecurity. Get ready for essential strategies and insights. Here's your host, Aaron Crow. Ted. Sir, thank you for taking the time for me. We've had to reschedule this a few times, but that's what happens. Holidays and business and things come up customers first, obviously. So I appreciate you being flexible and coming back to me, getting on the podcast. So why don't you introduce yourself, tell us who you are and what it is that you guys do. [00:00:38] Speaker B: Yeah, my pleasure. Thanks so much. I think I've got to actually thank you for the leniency and the patience, because I remember, I think an asset owner, sizzle, called me right when we were in the middle of the podcast. You were more than gracious with your time, so thank you. Yeah. Thank you for the opportunity to be on the show. My name is Ted. I'm a Houstonian. I am the leader of a company called Security Gate, which I founded the better part of a decade ago, and on the premise that cyber risk assessments, cyber control gaps assessments, threat assessments, they were going to be a very important component of implementing products and solutions in the critical infrastructure sector. So have a great team based out of Houston as well as Milan, and really excited to talk about a couple of the things that I think maybe haven't been chosen to talk about on your podcast. Thanks for the opportunity. [00:01:25] Speaker A: Yeah, man. So really high level. What is it that you guys do in these asset, man? How do you help people with doing assessments and really diving into where they are and understanding where they are? Where do I need to go from a third party perspective? [00:01:40] Speaker B: Yeah. So I think it's important to understand kind of what my purpose for founding the company, along with my co founder, Sharice Barza. So I used to be an auditor at Shell, and I actually started in the quality risk management. Quality management that moved into risk management, and eventually she was an asset owner, OT budget owner. She did that for a pipeline company. Then she did it for an offshore driller. And so we came together because she had to certify the world's first rigs at Shell to a known cybersecurity standard. She said, hey, how did it work when you were at Shell? And so we just put our heads together. We recognized that asset owners have a lot on their plate, and when they decide that they want to make an improvement in their overall cybersecurity risk posture, maybe it's a compliance effort, maybe it's a visibility effort. They're generally going to start asking some questions about known controls. And we knew that that was a very manual, archaic, breaking open seashells with rocks kind of exercise with Excel. And so we just built a multi tenant software that can pull all of these OT directors, it directors, vendors, you know, think of us as some people call us a GRC for OT. It's unique. Over the course of the last decade, we've had this awesome opportunity to work with companies that are in kind of what I call a baselining stage. They don't really know what they have. Maybe they're doing a lot of M A. And they just need to figure out, what do those facilities have from a controls perspective. And then there's other customers that have been accelerating drastically their digitization and the decentralization of the overall risk management process. And so we help in both. And so I always tell people that our business model is, we are a licensed software as a service that we sell to enterprises, right. In an revenue capacity. That's like the investor answer. But if I was going to tell the average person that doesn't really understand that, I would say we are in the business of marriage counseling for OT. And it. Because right now, and this is a huge topic that I don't think, I think some people talk about, it will never converge. And we must converge. There's so many sides of the story. The truth is an extremely diverse asset owner base. And what I try to do on a regular basis, 80% of my time, is just talking to sizzos about their kind of plan and what they're trying to leave behind. And what I find is that sizzos that are really, I think, fulfilled in their work sizzles that I think are given accolades by their fellow teammates for their leadership are those that are focused on leaving a legacy. [00:04:19] Speaker A: Right. [00:04:20] Speaker B: And so when I go to work every day, I'm like, how can I visualize something to help them leave that legacy? So I hope that answers your question without being too product centric. I don't want to plug the company, but I'm in the business, on the business side of cybersecurity personally. [00:04:37] Speaker A: It's so important. And you hit on something that's not really a product conversation, but there's something there, right? So I have an IT background. I have an OT background. I spent a lot of time as an asset owner. I've worked at the big four. I've been in a lot of different seats at that table, right? So I've seen that perspective of coming in as the IT guy, coming in as the OTs at owner, as a consultant from a third party, coming in and advising. And I've seen all of those different use cases, the different problems, the different concerns. And I think that's helped me, obviously, to be able to communicate and be able to drive that conversation differently than sometimes those individuals are. Some of the problem that a lot of these folks are in is a they don't know where they are, they don't know how to communicate, these really complex problems, both directions. So ot has problems, they have their risks, they have, how are they going to secure these things? What is the operationals, all of those types of things. And it's really hard to translate, even though they have the same tech, very similar tech stack in OT. And it, especially nowadays, it's a conversation problem. And a lot of times in my experience, it and OT are talking past each other. They're on the same team, they have similar goals, but they talk past each other because they don't understand. So having tools that can help them communicate is super powerful. That's why frameworks, that's why NIST, CSF, that's why all of these things exist to help you have a standard language so understanding that helps asset owners and IT people and cISOs to understand where they are and be able to communicate to the board, to the OT guy, to the IT guy. Where am I at and where do I need to get to? Where are my risks? Where are the places that we need to focus based on where we are and where we want to go? [00:06:29] Speaker B: Yeah, I tend to agree. I think that the challenge is some people say for some companies, it's on the budget side. Right? So the asset owners, the operational players, all the automation players are really the ones driving the budget. And maybe they have an experience in cybersecurity. What I see a lot is budgets are already the budget approval process, the procurement process, the vendor selection process, the general budgets around cybersecurity have always kind of fell under it. So I see that is people are trying in my estimate to get Ot to kind of follow it's lead. And that usually means rolling up to a CISO or a CIO on what are we going to do next. And so there's a very healthy amount of the market, especially your middle market people that are not your blue chip asset owners that have had budgets forever. A lot of these, what I call new entrants to the market, not only do they not know where to start in, let's say, just in general, protecting some of these facilities that have always been running, and now they're concerned about it. They don't actually know how they're going to go about evaluating vendors and even knowing what is next. So I do think that there's a very healthy amount of what do I do next? How do I figure that out? But what also complicates that same story is there's so many different frameworks. There's so many different of these frameworks regionally. So like what I spend, I say me, it's not me, it's far smarter people on my team. There's a healthy amount of time on the roadmap. Just making sure that we stay up to the most updated version of CMMC or C, two, M two or NIST, all of them. Okay. And I think that's a challenge for asset owners too. You brought up this whole concept of language. We only talked about budget. Right. When you think about the controls, somebody says asset inventory, somebody says vulnerability management, somebody says, I saw it yesterday, business continuity planning. And somebody else says incident response planning. [00:08:37] Speaker A: Right, right. [00:08:37] Speaker B: So there are these finite differences in language that to the untrained cyber risk manager, to the younger cyber risk manager will create confusion. [00:08:49] Speaker A: Right. [00:08:49] Speaker B: And then you have the vendors coming and say, no, we call it incident response. And so I think that we're going through the motions right now where syntax matters. When I start talking to relatively kind of baselining organizations that maybe haven't done tons of assessment, maybe they don't know what their top five controls are across the company. It's all about syntax. Like you have to settle in on some level of language. And I do agree for OT and for it, I think that if you can select the right framework or the right frameworks, plural, then do so with the idea that you're trying to find common ground on the controls. And I think that's where a lot of people are going to save time, money, energy, they're going to actually get better and a lot of people don't do it. What I find with a minority today is, well, that's the OT group. They have their own budgets and they have their own program, and I'm not really a part of those meetings. So we're only going to focus on this. And if they are saying that, they're also saying at the same time we're trying to change that. So we have now a combined meeting. So time will tell. But I mean, for those, that's why I think consultants are in such a. There's a supply demand issue on the consultant side, because some people need the handholding and they want that advisory, right? [00:10:17] Speaker A: Yeah. And it's huge because I've been part of these things. This is nothing we've talked about before, but I've been part of these as an advisory role and in a lot of different capacities where a lot of these folks start out with choosing a product. They're choosing vendor a, they're choosing product B. They're choosing all this stuff. They don't have a plan, they don't have a program, they don't have a roadmap. They haven't gone through controls. They haven't done any of these things. But they're saying, hey, I need product a because that's what everybody is using in OT, or that's what everybody's using in power utilities. Without dropping names. Everybody can think of what those vendors are. And I'm not saying those vendors are bad or good. That's not the point. It's like, that's not necessarily solving your problem. It's like going to Home Depot and you want to do some work at your house, but you don't know what work you're going to do, and then you just start buying tools. Well, I'm probably going to need a drill. I'm going to need an impact wrench and all this kind of stuff. But you're going to pour concrete. Do you actually need the impact? Are you buying the tools that are going to fix the problem that you're trying to solve when you don't even know what the problem that you're trying to solve is yet, but you're already buying toolkits, which some of them may work, some of them may not, but maybe they're not the right tools because you haven't gotten clear on what you need to do and what problems, what risks that you have in your environment. [00:11:39] Speaker B: So I'm the coach of my son, great example. And as a guy who loves to play with tools and cars and stuff, I totally agree. Right? I'm the coach of a bunch of nine year olds in basketball. These kids can barely dribble. Okay. We are not the Harlem Globetrotters. Okay? [00:11:59] Speaker A: Right. [00:12:00] Speaker B: I'm the assistant coach. Okay? The coach is using one of those NCAA whiteboards with the little pegs, and he's like, okay, we got to run this play. And then he comes to the practices with this folder of all these things that we're going to work on. And honestly, they're tactics. Right? They're tactics of how do we throw the bullet? Totally important. Is it the right time to get that level of capabilities focused on that? I think the easier answer would be, let's just let these kids scrimmage for the next hour, because what they have to learn to do is move the ball. What they have to learn to do is understand, okay, now we're going this way. Now we're going this way. How do we play defense? If you translate that to a cyber risk management program, make it tough because you got global teams. Make it even tougher that those global teams speak different languages. Make it even tougher that the automation equipment at different facilities that have been acquired over the course of 30 years are all on different stacks. And everything from an infrastructure perspective may not be perfect. You've got vendors telling you they can literally fix all of it if you just come on board with them. And I kind of think, like the coach, the CISO, in some cases, it might be the board, it might be the president. If you go and run to try to solutionize your way out of cybersecurity, I think you're going to spend a lot more resources. I think that if you're like that coach that says, hey, let's pick two controls, let's focus on them and execute them brilliantly. Let's get a risk registry of all these other controls, and then maybe let's compensate those controls with our processes, maybe insurance, different things like that. Then the next year you come back and you add more controls. The same way that for a small basketball team, maybe we don't do inbound plays at age nine. [00:13:49] Speaker A: Right. [00:13:52] Speaker B: Man, I could talk about this all day long because this is what I'm going to have a very break glass topic at s four this year about investors and analysts and kind of what I think they're doing to the OT market. Bottom line is that this challenge that you and I are talking about is exacerbated with the amount of capital that has been deployed in the last three to four years. [00:14:15] Speaker A: Right. [00:14:15] Speaker B: So I think it's almost like white noise in a lot of ways to these cisos. And I feel for them, because if you really sat cisos and leaders down who were passionate about solving cybersecurity issues, don't you agree, Aaron, that most of them would be like, yeah, if I could cut my roadmap in half, if I could cut all that noise in half and just focus on this, I'll get to the next one next year? I think they do that, but I think there's so many external pressures, including kind of how they're rated at their job. They got to just go with the flow. [00:14:49] Speaker A: Yeah. And their fear of, obviously, we see all these things in the news now where ot environments are being hacked and there's malware and all of this stuff that's happening. So their fear of doing nothing, and in their mind, or at least not doing nothing, doing enough. They're trying to push that ball forward faster than maybe they are. Like they're the nine year olds and they think they have to compete with the Dallas Mavericks or the Houston Rockets. Right. They're just not in the same league. They're not there yet. It's better to crawl before you walk, before you run. I ruck every day, and when I started out, this, I started out with a jansport backpack and ten pounds in my rucks. Do you really? Like 3 miles a day? But when I started, it was ten pounds. Right. And now I do 60 pounds. But I didn't just pick up 60 pounds and start going because it would have been hard. I probably wouldn't have been successful. I probably still wouldn't be doing it. I might hurt myself a lot of the things, but it's just like with anything, you have to crawl before you run, right? You have to start where you are and when. I've done a lot of these assessments, manual on spreadsheets for the past 15 plus years, most of the time when I go in and talk to these people, they think that success, if you use the NIST framework and the maturity level, zero to five or whatever, right. They all think that five is the goal, and I have to coach them and say, look, five is not the goal. You can't be a five in all categories in the NIST framework. Like, you cannot be a five. Maturity in all control frameworks. [00:16:22] Speaker B: Right. [00:16:23] Speaker A: It's not reasonable. You don't have an unlimited amount of budget unless you have an open check and just can continue to write money. It doesn't make sense. That's not the goal. Success can be a two, success could be a one. I'm going to mitigate that control with this, this and this. Five is not the answer. But most people are scared to not have five as a goal, thinking that they're going to be judged. Well, that should be my goal, and that's what I'm going to be judged against. But that's not what success looks like. [00:16:51] Speaker B: Yeah, I talk a lot about this. I have for the past two years in Europe, at a conference in September, talked about this, and the NIST implementation tiers are pretty cool because the way that I like to look at it. Is most people coming from the investor world don't recognize that just because you have a facility out there doesn't mean that it's ultra critical to the business. So you never hear in the Wall Street Journal or, and I'm not picking one news source. Sure, it's just the first that came to mind. But when you see cyberattack happening somewhere. Okay, so out of all the facilities, or out of all of the different infrastructure, what was it? What actually happened? A lot of these people are taking assets offline just to be ultra protected. I always ask the following question, have you tiered your facilities? And maybe you used a business impact analysis to do that? Because you're right. Not everybody can and should try to reach that high level. Whether from an auditor perspective. Do you have a cyber risk management system that is in a state of constant evolution without management input? That's where everybody really wants to get, is that you've decentralized your cyber risk management program where somebody says, hey, that guy's not supposed to be in this facility, or, this looks odd, right? When you go back to a one, it's like cyber what? I don't know. So some facilities, maybe they're storage facilities, maybe they just don't have any critical processes. That's where they should be, a one or maybe a two. But the money makers or the ones that involve some sort of risk to life or ultra downtime that is going to cost the company on its PNL, that's where the majority of the resources are going to be. Take it from me, as a product CEO who really lives by the land and expand methodology, you go into one facility or one part of the organization, you add value, they talk to their brothers and their sisters, and then you start growing. Right. The problem that I think the OT market has, and I'm going to dive into this over the course of the next couple of months, is that somebody didn't tell investors about how OT doesn't scale like it fundamentally. Part of it has to do with criticality. Part of it has to do with maintenance cycles. Part of it has to do with the lifecycle of automation equipment. But I think that's one of the reasons that the product and the service market is going through. I think it's going through a lot of m a right now. I think it's going through consolidation right now. I think there's a bunch of layoffs right now. You tie that with the same frustration and turnover at the employee base of the asset owners. And what you have is, I think we're missing the opportunity to mature as an ecosystem of 10,000 people, 50,000 people. We're trying to do too much too fast. [00:19:58] Speaker A: Yeah. And you see that with, there's been a lot of purchases, splunk and Cisco and Rockwell buying products, and the commoditization of these products in this space has drove in price down, but it's pushing it out. So you see other products that are out there. Again, I don't want to name products necessarily, but you see them out there and like, well, if you're a power utility, you have to have this. Okay, but do I need that to your point, do I need that at all of my assets? Because I have this asset that only comes online once a year. It only comes during peak time. I only have it there for a backup unit. It doesn't make money except one or two days out of the year. And if I add another 50k, hell, if I had $10,000 of O and M on top of what's already there, I'm not making money on it. So does it really make sense for me to put all of this thing, should I do the same cyber foundational stuff at every facility? And again, I 100% agree with you. This is exactly what I did as an asset owner. We basically classified all of our assets first, which is the most important to the business, and then we started looking at the systems at those assets, and then we had a response when we went through controls. We were selecting this control based on the importance of the facility to the business, a business risk, like to the bottom line, et cetera, before we ever started assigning technical controls to it. Right. I wasn't going to spend $100,000 a year on this facility. That didn't make that much. I'm just going into debt for no reason. I can do controls in a different way, whereas my diamonds in my fleet, obviously, I spend more money there because if they go down, it hurts my bottom line a lot more than the others. [00:21:50] Speaker B: Well, tell salespeople in this market that are selling products and services, we need these folks. Okay. But cost of acquisition is extremely high. I am a dog guy. Dog, cat. Got any pets? [00:22:07] Speaker A: Two dogs. And you got two. Bearded dragon. [00:22:11] Speaker B: Yeah, I had two bearded dragons with my eight year old, and then one. [00:22:14] Speaker A: Of them ate the other one. [00:22:15] Speaker B: It was pretty. [00:22:15] Speaker A: Oh, nice. We only have one, so I got it for my nine year old for ChrISTmas this year. [00:22:20] Speaker B: So check this out. While you were talking, I had this visualization of when we think about how many products there are in the market and how much noise there is. Of course everybody thinks they're better than the next guy. Let's not force each other, which is fair. That's called capitalism and I love it. [00:22:36] Speaker A: Yes. [00:22:37] Speaker B: How much dog food are we honestly going to buy? When we walk through that grocery store line and there is 100 types of dog food, it doesn't really matter that there's 100 different new vendors. It doesn't really matter that there's 17 types of bones because our capacity to buy from that industry is that we got two dogs apiece, probably going to buy one bag a month. The calculation that I think is really interesting to dive into are the proposed and assumed acvs. Acv in the startup world is average contract value. Some people call it annual contract value. Same thing. I think that people think that the average asset owner is able to deploy this much capital for that product. And where I think we're having a lot of pressure in the market is that this is getting pulled down below expectations and that's where layoffs happen. Let me ask you a question. You have few folks on the show all the time. How many people do you think right now, percentage wise, have deployed highly technical guardian solutions? We can even say it on it and ot okay, in the past five years they've deployed these without really thinking about how much work it was going to take to maintain it or even configure it effectively. And then who's the bad guy? [00:23:53] Speaker A: The product company. Right. [00:23:54] Speaker B: Does that happen often in your viewpoint? [00:23:57] Speaker A: Happens a lot. One of the larger programs I did not too far in the past, that was one of the big pieces. Like there was this huge capital budget to deploy technology. But then luckily I had the foresight to really push this. But we had this whole conversation around transfer to ownership. Who is going to take this baton after I install it? And why did I have that foresight? It's not because I'm brilliant, it's because I'd seen it firsthand when I was an asset owner. I deployed a whole bunch of technology and nobody was there to take it and make the value out of it. So they weren't getting the benefit that they were expecting because they weren't focused on it. I had my entire team focused on deploying at these new power plants and deploying this technology at these power plants and substations, but nobody was behind me getting the value out of the products that I just did. Right. I tuned it up the first time, but nobody was maintaining the maintenance of the vehicle after the fact. [00:24:57] Speaker B: It's funny because, and this is not a knock to the incredible innovation that the industry has had in the past decade. I mean, hats off to some real great stories about asset owners being protected, whether that's with great service or whether that is with great products in the market. But I'm a car guy, and in cars and racing, you want to get around the racetrack as fast as you can. One thing I know, because I'm generally a novice moving into amateur, sometimes too much speed or too big of an engine or too big of a car almost always lowers your lap times. If you can't handle that car, right? So you got to start with a slower car. You got to start with a slower. You can actually gain more speed in a car that doesn't have as much momentum, that doesn't have as much horsepower. This same applies for any sort of program. I don't care if it's a basketball team or if it's a cyber risk management. Now, where I think it's really interesting, I would not say the same about safety. I would not say the same about quality, because there's a certain standard, and if you don't meet it, then you can't do business. Right. Do you think cyber has that same standard, or do you think that's the sizzo? I'm just kind of riffing now. [00:26:23] Speaker A: I don't think that. Right. I think, unfortunately, that people are wanting the higher horsepower because they think that makes them better. Right. They think that the best technology is going to solve the problem. And whether it's. Again, to your point, I think there's amazing technology out there. I've worked as a vendor. I've implemented pretty much every ot product in the marketplace, or at least a high percentage of them. And they're all great. They all have use cases and benefits. But again, I use this analogy all the time, right. I can have all the best woodworking tools in the world in my garage, but it is not going to build any furniture for me. I have to take those tools and get the wood and build a design and take it and use those tools to do the thing that they do really well, but I still have to wield them. And if nobody is wielding those tools, they're going to sit there and do nothing, and it's not going to provide any value. [00:27:19] Speaker B: Yeah. What's interesting is, so I have a unique vantage point of the market, which is a lot of people that I talk to, I talk to because they're at some point of a transition in their maturity program in the way that they're thinking about cyber. And so they want to get started and jump start something, or they want to digitize it, they want to accelerate it. They often, in some way, shape or form, are running assessments, and there's probably 20 different, I don't mean frameworks, there's 20 different types of assessments you can do, and then there's 50 plus frameworks you can use to do those. [00:27:52] Speaker A: Right? [00:27:54] Speaker B: Where was I going with this before I got off the assessment? Majority of them, the majority of them, when they're in that transitional period, I would be lying if I said 50% or more had previously implemented a really expensive solution. For whatever reason, it didn't match their expectations that they were either promised or they promised themselves, and now they don't know what to do. So the majority of people that are in some sort of transition, okay, and this is a totally different topic that I'm not going to say sours their perspective on the market, but it does incorporate one constant. Everybody wants to drive efficiency to that next layer of implementation or product purchase. So if somebody's been spending, let's say 200,000 a year on this given set of controls, if they're not ultra pleased, they're going to want to spend 160 the next year, and they're going to change vendors or they're going to change strategies. So I see that a lot. And the reason is because I'm at a juncture where people are trying to digitize or trying to change. If everybody that is trying to change is also trying to save more money, then I ask the market, is that because top line budgets are lowering, or is it because they're trying to use the same amount of budget across more controls? Or are they actually just trying to save money left and right by getting rid of things? These are the questions that I propose to market leaders, the investors in the market, the product leaders, the VPs, sales, the CTOs, the CPOs, the idea that the more that we build as a collective audience or a collective worker bees of innovation, I don't think there's a one for one ROI on everything that we build. It's almost as if we got to pace ourselves in this market. We have to stop thinking about what's my roadmap for the next twelve months, and we need to start thinking about what do I want to be true in ten years? And I think that asset owners respect that perspective. At least the ones that are going to be most successful are. I think we've run really fast as a group of people, including asset owners, and I think right now, we're all just kind of like taking our breath. We're on that ruck march with you. We've got 60 pounds in our back where you're like pacing along, you're fine. The rest of the industry is winded. And I think we're seeing that. We're seeing it with layoffs, we're seeing it with stock prices, we're seeing it with m and a. Just a couple of my perspectives, I don't know. [00:30:42] Speaker A: So how much of that do you see? And I have a perspective. I want to get your perspective on it. How much of that do you see that the asset owner or the CISO really looks that year after they've implemented two years or whatever that junction is, they're looking at that and they see it as a failure, but they blame the product or the implementation or the vendor versus. My point around this is I think you can take an inferior product if you spend the most time with it and actually devote the effort to it, you would get just as much use, or maybe more than trying to switch it out for the newest, latest, greatest bells and whistles, et cetera. In my experience, it's usually not the functionality that's the problem. It's poor implementation, or at least poor use. Again, it's not the tools in my garage building the wood that's the problem, it's me not using them correctly. [00:31:36] Speaker B: Workforce management automation digitization I think there's a lot of product finger pointing. That solution just doesn't really digitize and automate the way that I had thought it would. I'll be the first to raise my hand and say that some cyber risk assessment programs are so intricately developed manually by ultra smart people, you can't have one solution that connects to everything. And if you did, you wouldn't want it to. And that's on the it side. Right. So I think that in a lot of ways, if you're trying to automate, digitize, scale, like all of this, a lot of it is in software and a lot of it is services. Truthfully, I think that the asset owners are seeing that as a miss in the market. I know that because that's where I dove into about four years ago, this idea of configurability for my own team. And it's working because whoever can configure the best recognizes that asset owners all do things differently. If I could tell you the number of NIST CSF or ISAIEc 624-4332 or maybe ISO, that they took the standard or the framework and then they changed it. I think that the digital solution world, from a lot of our market incumbents, they just can't keep up, especially not in this space. That's where I live. So I will say from a product perspective, I think that there's a lot of finger pointed says that solution didn't do what it can't keep up with us in our OT methodology. [00:33:18] Speaker A: Right. [00:33:19] Speaker B: From a guardian solution perspective, I don't think there's a lot of product issues. I don't have probably enough data to put it on a screen. But it's a great thing to start asking folks. I mean, sometimes folks just say, I have heard in the last three months with some really big market players, yeah, we rolled that solution out. It didn't do what they promised. Not pointing any fingers, but that happens. [00:33:49] Speaker A: Sure. [00:33:50] Speaker B: What I hear more is the previous CISO had deployed this solution and that was under this sort of risk management methodology. And we're not doing that. We're doing this. So I think it's harder to judge whether or not the guardian solutions are fulfilling the tasks that they promised. What I can say without doubt is that the price points are not achievable anymore. [00:34:16] Speaker A: Right. [00:34:17] Speaker B: And that's a different conversation on why we think prices continue to increase. It's the same challenge that I think they have with scale. Right. I think that your general question is like, why are people shifting gears, going to different product types, maybe changing strategies. I think that the underlying challenge is qualified personnel within the industry. I don't know. Somebody said this. It said, before you self diagnose yourself depressed, make sure you're not surrounded by jerks. Those are not my words. And it's not jerks. Actually, something else the same thing could be applied to. Before we self diagnose that the last two years of our cyber risk journey were a failure. Let's take a look at the team that we had. Let's take a look at the strategy that we had. Right before we say that we're not a carpenter. Did we have a plan when we built that dog house or did we just start hammering? So I don't know. The one thing I can confirm, Aaron, is that there is a shift right now and it's twofold. There are, let's say, more mature asset owners that have been buying some of these new solutions since 2020. And they are battle scarred. They are hardened. They are not going to deploy resources infinitely because they're told to. Okay. [00:35:42] Speaker A: Right. [00:35:43] Speaker B: But then there's this whole other group of the market segment that really, really screws up the math, and that is new entrants to the market that are a little bit lower on the revenue side. They're smaller cap companies, but they have the same risks and they're starting to buy these. So, man, some of the data that I'm going to show at s four, let's just say that asset owners aren't buying more per unit. The number of asset owners buying is increasing and it's skewing the belief system of how valuable some of these products. [00:36:20] Speaker A: Are and how big the market is. [00:36:23] Speaker B: I don't think we have an addressable market size problem. I think we're trying to attack as much of the market as fast as humanly possible because that's what venture capital does. And when you don't really kind of hit the mark financially, what happens? Who really gets hit? When asset owners don't respond to your marketing and your sales as much? It's employees, it's team members. So now we have a cycling problem with really qualified people in the market. Part of that is capitalism, but part of that is also, I think, a little economics and assumptions that we're a little rich. We'll see. [00:37:15] Speaker A: You've seen it hugely, especially in the last 18 months. Twelve months, whatever. You see these very large organizations from Google, Facebook, the big four consulting firms, all these things, this huge expectation of how big this ot cyber market is and the lack of personnel. And I don't think they're wrong in that. I think there's a lack of skills in this space yet. We see massive layoffs. We see big four firms laying off thousands, tens of thousands of people. You see smaller vendors laying people off left and right, and it just happens. And again, some of that is because the market is slower than they expected. They thought that they were going to be able to make a bigger impact in the market that they were. Maybe they're trying to get into a new market that they're not currently in, and it's not going fast enough. There's a lot of factors that can cause that. But to your point, a lot of this is being built up because of inflated expectations, inflated cost points, inflated the amount of buyers, how much they're willing to spend, how fast they're willing to spend it, and the scope that they're willing to test it out in, they expect them to just deploy it everywhere. When a lot of these, in my experience, especially in the past two years, more and more folks are saying, I want to do this slowly. I want to do this at one or two facilities. I want to start it out small and grow this thing smarter way to. Some of that's maturity. [00:38:41] Speaker B: Yeah. I think we're all learning, right? I mean, as a product CEO myself, ask me if my assumptions have been right in my financial modeling. Right. I think we're all learning, right. And I think sometimes you get sunburned, and I think sometimes you get a bruise depending on where you place your bets. I think it's a natural evolution. I think a lot of products come into the market. Gartner has. I don't remember what it's called, but a lot of products come into the market. Everybody's super excited about it. And then I can't remember what it's called, but it's this downward swing in supply based on a downward swing in demand, because people just kind of get over that. And so where we are with various product types, I think there's some really good analysis out there, and I think a lot of it has been generally accurate. I think we've got to level out. And I think that's what's happening with the M A. You see a lot of companies that if they raised more capital, they're going to do so at a new valuation. And then to give back the ROI for those investors, they got to chase an even bigger valuation long term. And I think a lot of companies are saying, okay, we're going to cash out now because maybe we're not positioned for that. I think the consolidation of the market is the number one thing that can happen right now to save us. [00:40:06] Speaker A: All right. [00:40:08] Speaker B: And that'll keep happening. It's super interesting. I think that if you're a marketing company part, if your job is to market the value of a solution and your job is to sell the value of a solution, everything's going to be a nail if you're a hammer. Right? [00:40:28] Speaker A: Right. [00:40:28] Speaker B: So for asset inventory, it's like, you have no idea what's out there for vulnerability, folks. It's like, look at the threats, right? If you're a service company, you're like, did you know that there's a $1.8 million open jobs? It's like, who the hell comes up with these numbers? Right, right. I'm bullish on small niche players that really understand their ideal customer profile. And I'm bearish on monster companies, specifically kind of major marketing comments that have had so much market share that they feel like they can just kind of overwhelm the market and put more people in place. Advisory services I would calculate as extremely as important. Okay. But I would say implementation players players that really understand how to get a solution off the ground, those are more niche solution players. And I'm bullish on those guys because there's not that many of them. They work regionally, they work sectors. They really understand. I think that one of the core tenets that I take to work every day is if you don't really truly understand the exact customer that you're trying to serve, then you're going to try to serve too many and you're not going to win. Same goes for a sizzle. If you don't know who's the actual customer is the customer, the board is the customer. Compliance is the customer. The asset owners, nonproductive time and safety, really good risk management programs, really good product and service companies. I think they answer that question like that and it permeates across the organization. I don't see it every day. I don't see it on the vendor side and I don't see it on the asset owner side. And it's one of the top questions that I think helps illuminate whether a company in this market dynamics, where there's tons of dog food on the aisles, right. Whether they're going to make it or not. [00:42:32] Speaker A: Yeah. Well, and it's so ironic, right? It's the same thing as it is. And you can break this problem statement down to something very simple. It's like the dog food. Like, what do I need? What does my dog need? And getting clarity on what I'm looking for. Right? And it's that same thing. If I need to lose weight, I can't just say, hey, I'm going to start working out what is my goal and how am I going to get there. If I want to buy a new car, what kind of cars am I looking for? I don't want a minivan. I'm looking for a truck. Well, I shouldn't be going to the Audi dealership and looking at the s five s because that's not going to check the box for the things that I need. They're sexy, they're fun, they're amazing to drive. But it's not going to meet the criteria of what I really need. And unless I get really clear, I'm going to spend a whole bunch of time and there's a lot of good products out there, but they may or may not fit the bill for what I'm looking for. Spending time just focusing on who is my customer, what are my primary risk, what are the things that I want to focus on and drive this thing towards is hugely impactful in deciding what are the right products and people, and people, process and technology, all those things can fill in those voids. But you've got to start with, where do I want to go and where am I at today? [00:43:42] Speaker B: Yeah, I think it can apply to anything. I think there is a positive correlation with success in anything that you do and how specific you can kind of plan out what that looks like. Because if you get a really good plan, I've always said, and I didn't learn this till probably the last couple of years, but going through the really tough job of planning requires the leader of an organization to actually say no to a lot, a lot, a lot of things. Because when you actually choose the path you're going to go down, knowing and having the confidence that that's the right path is preceded by thinking about all the other paths you could take and actually saying no. So I think that the power of the critical sector, cybersecurity leaders, and it is illuminating right now, is their power of no. Yeah, maybe I title that presentation that because that's what it's about. And when assets owners start saying no to things, the product and service company is like, what do you mean? Especially these big marketing companies, like, what do you mean? And I think that's the power that we must project as asset owners because there's too much dog food in the aisle and you only have one dog. Yeah, it makes sense. [00:45:10] Speaker A: I think it makes sense 100%. So all this said, all we talked through next five to ten years, what is the one thing or a couple of things that you're looking at that maybe is concerning coming up over the horizon? Hey, we better do something, or there's some concern, and maybe what's something that you're excited about that you see that's beneficial, that you're excited to see coming. [00:45:30] Speaker B: Up on this cyberspace, professionally in the cyberspace. Sure. I spent a lot of time over the holiday as a previous soldier walking on roads that I didn't know there were ieds left and right, regardless of where geographically we look, I'm concerned about where we are as a globe. Okay. And where is that going to take us? A lot of people would say that conflict is a good thing for cyber. Okay. But is it good for humanity? Okay. I think we're balancing right now between. I wrote this in a LinkedIn post, and I can't remember what I had said, but I think we're balancing right now as a globe between order and freedom. Fundamentally, I think some countries want to be free to think, act do what they want to do. And others are saying there needs to be more order. That balance, I think, is going to play with the cyber industry a lot. I think that there's no doubt that the addressable market will continue to increase. It will be interesting to see how supply and demand curves feed off that. We had a lot of global conflict in early 23 and markets were not moving. So I don't think there's a positive correlation just because there's global chaos or global conflict, that everybody's going to buy more cyber? I don't think so. So that's one of the things that I think is concerning. The thing that is encouraging to me is I see the market coming. I see it coming to an area that I like, and I like talking about the business side of cybersecurity. I'm not a guy that has bought plcs off of Amazon and set up workstations and critical infrastructure and automation in my living room. It's just not a skill that, not really, that's not my passion. But how I serve the industry is trying to ask, okay, what are we trying to accomplish here? What are the resources that we have to do it? And so where the Industry is moving today, man, it's in my wheelhouse. So I'm really looking forward to more sizzos talking about the business side of cybersecurity and my core belief system. And I say this in the business of cyber series, is there aren't enough resources out there across time, across your team, across budgets. But the threats, the risks, the business impacts of those risks, they still exist, and I think they're growing. So at some point, leaders who deploy resources should be thinking about the business side of their job, and they are. And so I think that's a positive. And I think over the course of the next decade, we'll see more nontechnical leaders understanding cyber. I don't think we're going to stop hearing about the threats and all the markets, which is fine. But I do think that we're moving as an industry towards a more sustainable state of cybersecurity, similar to what we've seen in the safety industry, similar to what we've seen in the legal industry, similar to what we've seen in the privacy industries that support these big companies. So cyber is a business problem now? It wasn't, let's say, in every boardroom ten years ago. So I think that's a positive. So I'm concerned about where the globe is going, but I'm also confident in the people that are charged with protecting it. [00:49:23] Speaker A: Yeah, that's good. That's a good place to be. I agree with you on both of those fronts. I've been very fortunate to meet some amazing people in this space and work with many of them as well, mentors and mentees and all that. I'm extremely encouraged at the people that I meet in podcasts that I get to sit across from at conferences and having a drink and a coffee or a beer or whatever that may look like, and the conversations and the grit that they're willing to do and put in and go above and beyond, it's empowering to see, and I love it. So how do people find you? Get a hold of you if they want to engage with you guys, give us your call to action. [00:50:06] Speaker B: Call to action. My name is Ted, last name is Gutierrez. That's with a G. You can find me on LinkedIn. I've got a podcast that I call the Business of Cyber series. It's every Tuesday at 10:00 a.m. Central time, and we talk about the business side of cyber. So I love LinkedIn. I love what we're doing as a community on LinkedIn. The most awesome thing you can do is connect with me, follow me like a piece of content, because what it does, it helps me understand what does the market really want. That's my job. I'm a servant of those people. And putting out content like you are, Aaron, it's important to get feedback, so that's how you can find me. I appreciate the opportunity. Aaron, let's go build great companies and help asset owners and just keep working. [00:50:54] Speaker A: Absolutely. I appreciate it, man. Thanks for coming, and I'm glad we're able to get the schedule figured out and knock this one out. So thanks a lot, and I'll put all the details and stuff in the show notes. So thanks again, man. [00:51:08] Speaker B: My pleasure. [00:51:09] Speaker A: Thanks for joining us on protect it all, where we explore the crossroads of it and OT cybersecurity. Remember to subscribe wherever you get your podcasts to stay ahead in this ever evolving field. Until next time you.

Other Episodes

Episode 10

June 03, 2024 00:56:07
Episode Cover

Tools and Techniques for Better Network Visibility and Vulnerability Management with Kylie McClanahan

In Episode 10 of Protect It All, titled "Tools and Techniques for Better Network Visibility and Vulnerability Management with Kylie McClanahan," host Aaron Crow...

Listen

Episode 32

November 18, 2024 00:57:11
Episode Cover

Enhancing OT Cybersecurity: From Legacy Systems to Cloud Solutions with Paul Shaver

In this episode, Aaron is joined by Paul Shaver, an experienced OT security consultant from Mandiant, part of Google Cloud. Together, they navigate the...

Listen

Episode 8

April 04, 2024 01:07:45
Episode Cover

Securing Our Future: The Cyber Challenge in Aging Infrastructure

Summary The conversation covers the challenges and risks associated with aging infrastructure, particularly in critical sectors such as power generation and water treatment. The...

Listen