AlienVault and TAG Cyber Interview: The State of the Cyber Security Industry
In this video interview, Founder and CEO of TAG Cyber LLC, Ed Amoroso and AlienVault CTO, Roger Thornton discuss the current state of the cyber security industry and share thoughts on how security companies will evolve into the future.
MATT: Hi. I’m Matt Amoroso from TAG Cyber. I’m here with my friend, Roger Thornton, who is the CTO of AlienVault. Roger, how are you doing?
ROGER: Good morning, everybody. Good morning. I’m doing great!
MATT: That’s great to see. You and I talk a lot. It’s nice to sit and chat in front of a camera.
ROGER: And it’s always great to get back to New York and see old friends.
MATT: That’s great.
ROGER: It’s great to be spending the morning with you.
MATT: Hey, let’s talk industry. You know as much about this industry as anybody. You're the CTO of a very cool security tech company, you’re on a lot of boards, and you’re intertwined. What are some of your thoughts? We’re sitting here in the latter portion of 2017—what do you think about the cyber security industry right now?
ROGER: A good story that I think captures the essence of what’s going on… I was delayed for about three hours because of thunderstorms, and I was sitting on the tarmac, made a bunch of phone calls. One of my calls was to a friend that runs a sales team for a great company (a start-up company)—great product, great team, they’ve got good momentum—and his Q3 was just a disaster. They probably only transacted one deal in Q3. We were talking, and I was worries that, well, maybe there’s a change in the market, or some big competitor. He was walking me through all his deals, and he said this thing.
He said, “Roger, do you know what is really going on? There’s this sense of buyer’s fatigue out there.”
And he went through his various customers, and he didn’t lose any of them. They were just having trouble getting all the products through the evaluation cycle that they were interested in. There are just too many—too many vendors, too many products—and it’s kind of slowing things down.
MATT: Do you think point-and-click provisioning, like lighter, simpler means for buying, almost like the Amazon.com effect for buying cyber security… Do you think that will make it a little easier, so you don’t have to go through a long life cycle to select a product?
ROGER: That model may be good for really big, super expensive, complicated things, but I think more products have to go through a flow, where the customer can learn on their own time and speed, evaluate on their own time and speed, and ideally, even use the product to a certain extent for free, self-provisioned, before the vendor and the customer really start to do a dance.
MATT: With so many companies, do the expectations for exit change, instead of exiting with a 10x-multiple purchase and everybody driving off rich? Is it a little dampened? Is it more about doing things you maybe really enjoy and sliding into a situation that allows you to perpetuate your work but maybe dampens the exit expectation for the founders?
ROGER: In my personal experience, meeting with entrepreneurs, they are certain of success and looking for that 10x outcome, and they’re going to change the world until the writing is so crazily on the wall that it’s not going to work out. They’re kind of in binary mode: “Everything is going to be great,” or “Oh my God, the company is gone.” I think that’s the nature of the activity. A person that doesn’t have unbelievable optimism (or maybe the ability for self-delusion at times) is never going to make it through the process. So, unfortunately, they all feel pretty sure of themselves.
But when you look… Endpoint is a great space. A lot of the vendors in that space have a ton of respect for some really great products. Frankly, that’s one of those spaces that I kind of fall in love with all of them. I’m glad I’m not a customer having to buy one. But one thing to be sure, there are several of those vendors that have a scale and a reach and a marketing budget and the sales team that the next five, ten, twenty little guys, even if the products are better, there’s a moat that you’ve got to be able to get across.
MATT: Symantec comes to mind.
ROGER: Symantec… And over the last couple of months, I probably spoke with right around ten start-up endpoint companies—great technology.
MATT: They are all good.
ROGER: Yeah, and there’s none that I could look at and say, “Well, it’s terrible. It’s bad.” In fact, some of them I look at just blow my mind. But when I look at the chasm they’ve got to cross because of the crowdedness in the market and the momentum of those guys ahead, it’s very daunting.
MATT: It’s a challenge. Now, a lot of them are doing machine learning, AI, that kind of thing. You and I chat about that occasionally. What do you think? On one end of the spectrum, it solves everything. On the other end of the spectrum, it’s hype. Most people are in the middle somewhere. What are you thinking?
ROGER: Yeah. I remember the first talk I ever went to at AI. I was a young engineer at Apple Computer, and a talk was entitled “How to Wreck a Nice Beach.” You think of a beautiful beach with beer cans and realize that’s also how to recognize speech from a computer’s point of view. Telling those two apart, to this day, is still really, really difficult.
With that temperament… With anybody of a certain generation, you’ve seen this hype and then the abject failure of delivering on that. We saw that before. You come forward and a couple of big milestones. A computer really can beat a Grand Master at chess. It’s a fixed, computational exercise. Amazingly complicated, but the fact that the computational machine couldn’t be the human for so long (had a closed, fixed, mathematical, computational game) is amazing, not the fact that the computer eventually…
MATT: Parallelism has gotten better. The algorithms have gotten better.
MATT: The ability to deal with big data sets has gotten better.
ROGER: Gotten better.
MATT: All good algorithms.
ROGER: And then the next piece that comes along (and this is where I sort of flip to positive), there’s a lot of that’s purported, under the umbrella of AI, that from my days in college, it’s statistical analysis on large data sets. If we want to call that AI, that’s great because the output of those calculations can have profound impact on businesses, on life, on the betterment of mankind.
I don’t think it’s fair to hold those developments up and say, “Look! Computers are thinking, they’re capable of inference, and they have this creative expression that humans do.” But it does fall under the umbrella of AI today, and it’s very, very, very important.
MATT: I think we’re going to see a sorting out in cyber security, where there are companies that, I think, sort of get it and understand that it’s mathematics and computer science—duh!—and then there are the ones who think they’re building some humanoid kind of capability, which is kind of ridiculous, in my opinion.
MATT: I know Elon Musk and other people disagree with that and think that it is something. My answer to the Elon Musk thing is that Newton spent about half of his career on alchemy, so you can easily be seduced into areas of science, of scientific discipline [inaudible 08:08].[JM1]
ROGER: Here’s a great circular reference to that. A great scientist and thinker like Newton spent his time on silly pursuits. Those silly pursuits are what stimulate the creativity and the mind to actually be able to make the…
MATT: Make calculus, right?
ROGER: Make calculus.
MATT: Just in his spare time. “I think I’ll do physics and then do calculus in the middle of my potions.” Crazy.
ROGER: Yeah. There’s one point I want to make sure to make. We were talking about the AI umbrella, and that’s one that I think gets overlooked too much. I wish I could cite the paper that I read. It might have been an article somewhere. I was a young engineer, and it was about Boeing and the time, and they were talking about their design imperative. Their design angle was, instead of trying to replace the pilot, to try to make the pilot a thousand times more efficient.
ROGER: And in this body of work that I read (because it wasn’t really just one article; I became interested in it and learned everything I could), any operation where you pull a human being out has areas that are really easy to do, and then you [inaudible 09:31] [JM2] hit this very hard challenge at some point. And their hypothesis was if you can put those two capabilities together in a really good way, you can perform magical stuff.
MATT: Are you enjoying what you're doing?
ROGER: I love it, yeah.
MATT: You always look like you do enjoy what you're doing.
MATT: Always smiling, always doing something interesting.
ROGER: Thanks. Well, we were talking before we went on camera. One of the things I love most about what we do at AlienVault… When you and I were working together in the past with my previous company, Fortify, we really helped the top companies, who were pretty sophisticated and smart about security, get a little bit better. At AlienVault, we focus on the average, everyday company that may have a lot of employees, but it doesn’t have enough people on the security staff, and it’s not going to be able to.
So, trying to figure out how to lessen that security fatigue (reduce the number of products, make it easier, host everything in the cloud) lets you focus on doing security and less work integrating products. It makes you feel good, especially me.
MATT: It’s satisfying work.
ROGER: It is.
MATT: Well, you're the right guy to do it. I hope you keep doing it. We all benefit from what you do.
ROGER: Thank you.
MATT: I appreciate you stopping by and chatting.
ROGER: I appreciate it.
MATT: Awesome, man. Thanks for coming by.
ROGER: Thanks so much.
MATT: We’ll see you again next time.