Session Video
Session Transcript
Dinis Cruz:
Hi. Welcome to this open security summit session in April 2023. We’re going to be talking about security vendors operating model and hopefully set up the beginning of a nice, again, community infrastructure for us to have a much more productive relationship with a lot of the vendors and really ratchet up right where the states or where we currently are. So I’m Denis. I’m the chief scientist of Glasswall. I run a lot of stuff in the Summit. I’m also the CEO of Holland and Barrett, so also been CISO for quite a long time. Nick, quick introduction from you. Yeah.
Nick Harris:
Nick Harris, deputy CISO and Head of Cybersecurity here at Holland and Barrett. So work very closely with Dennis.
Dinis Cruz:
Yeah, me and Nick work really close together. There’s a number of stuff that we kind of have done in the past, and I just want to very quickly walk through it because I feel that sets the stage. There’s a really cool presentation that Dan Cutbird has been done recently, I think, with Black Hat Europe, where he was really talking about the state of the vendors and the state of the especially security vendors and how we’re really not in a good place. And I kind of agree with him. Right. I also agree that we probably need a bit more regulation in our industry, but I feel at the moment, like the quality and the service and basically what we get from a lot of our vendors is not where we need to be. Given the fact that with the new GPT and the Chat GPT and the evolution of that into the products, a lot of the vendors we really need to ratchet up.
Dinis Cruz:
In terms of the quality, what they provide, the service they do, I really feel that the time is right for the best vendors to actually really come on top and we’re creating an economic model that really rewards them. There’s a couple of two parts in here. One of the elements is that what we really need to see a lot more. This is now a call for a lot of other CSVs, a lot of other companies that we need to be working together much closely. Me and Ants did a bunch of sessions in the last Summit. This is actually started in 2008, right? Incredibly. Right. So we did a session in 2022. We actually talked about the CDC, and I actually got the slides here. Right. This idea is about creating these collective defense clusters that initially started in 17 and 2018 in one of the first Summits.
Dinis Cruz:
Incredibly tom flies. Right. We did this session in there and we did a follow up, and again, there was some good stuff. Ironically, again, sometimes if you don’t put energy, things don’t really happen. Right. Me and him actually created some really nice documents about basically thinking and how would we set this up. The original idea of the defense cluster was almost the article is it article nine or whatever that article is article five of NATO, which is actually this day quite relevant, right? Also that was the idea of creating relationships within companies that for example, if one gets really attacked, all the other companies will go to the defense. It’s almost like try to pull the resources that exist across multiple companies and really help each other out. This works really well when you have companies of reasonable size of maturity. It doesn’t work if you have a Microsoft GitHub type of security team with a much smaller company.
Dinis Cruz:
What works is when you have security teams of certain level of maturity, it basically band together and really leverage that. We put a bit of thinking of this and there’s almost like this agreement that we can do. The importance again of doing this stuff like this is that you need to make some of these formal agreements within companies. And it was about improving sharing. We talk about some of the confidential data that we share, some of the resources, the pool, the trade intelligence. One of the things we actually end up doing a bit is also vendor knowledge because this already happens unofficially, right? A lot of the systems, a lot of security professionals would talk to their friends, their colleagues, their mentors and I think we need to really formalize this a lot better, right? We could even have some share funds, share research, share sharing resources.
Dinis Cruz:
That was kind of the idea, right, that we could play and there’s already some good stuff out there, right? So there’s already some good forums. This was kind of the creation of these semi structured groups of companies that then come together and band together to really leverage this. If you then apply this, for example, to the not just to the response, but for the vendor and make sure that we get the best of the products that we have, one of the things that we’re kind of thinking is, and this is something I shared with some of the vendors that we have, is that basically what you really want is have this model where we are one team, right? A lot of vendors sell a product and then almost like they don’t care until they care. You can really see a big difference between the moment of the sale and the moment of the reset of the renewal.
Dinis Cruz"
In the middle it’s they go, well here’s the product, you make the mode out of it, right? So I think that is very wrong. The other one is that you really want a massive degrees of openness within the system, right? I still don’t feel that we have the right level of openness and sharing of information. Right? The other one is, again, we want to be a partner, not a client, right? That means that we want to give a lot more to the vendors, right? We want to give them much more feedback. We want to have shared communication platforms. It’s amazing how many vendors still don’t have an easy place to file bugs, file issues. Even something as big simple as to collaborate is not there, right? The other one is that we invest in our vendors. We spend the time, we really invest. We really spend the time to make the most out of it and collaborate in the error.
Dinis Cruz:
Again, there needs to be a two way street. It’s super critical that every vendor at any moment in time really shows the value, right, that we need internally, but also that we can use a lot more of the products. This is the thing I really like. At any moment in time, we should be either buying more or reducing the spend on a product until we reach a state of balance. This should not be a one year or whatever contract. We should be adjusting the spend according to what we use. We can go up, but also we can go down because that’s a healthy relationship, right? Which kind of takes us to the model that, again, companies like AWS already do. I think a lot of the industry needs to move again too, which is we should be paying by usage, not block of licenses. We really should be doing this again, if you’re in here in the right side of history, if you’re not, you might still have clients and people who pay you money, right?
Dinis Cruz:
Definitely your customers are not really going to like a lot of the stuff that’s happening, right? We really need for me, it’s almost like the key area, right? Again, automation and scale creating graphs focus on the value proposition. To be honest, I would actually now add here, make sure that tools like Chat GPT or GPT, like technology can consume you because that’s literally the next evolution. Again, people’s personal technology help us to make the most out of it. And a worldly map, right? The thing that also I found funny, right? Nick here got a nice taste of worldly maps when he was joining, right? He created really great worldly maps which actually have a session in the Summit. It’s like every vendor should give us a worldly map to say, where do you add value? Like, what are you commoditizing, what are the things that you’re enabling?
Dinis Cruz:
What are you moving the needs? Even if it’s like, oh, we got this custom build that we’re making, it almost as a product. Are we improving this today or there? Right? They really should be giving that across the board. So Nick, some comments on this, right? I just drop a whole bunch of stuff in there, right? Where do you want to start on your views on this.
Nick Harris:
Yeah, I think it’s about disrupting the model. I think there’s a momentum growing that vendors have possibly got quite comfortable that we go through this onboarding, we give them security assessments, we go through POVs, we scorecard them, we choose the rest one, the CSM that works with you and you have monthly calls and it’s all going well, and then you come back for renewal. Well, I think does that work? Really? We’re spending all this money, we’re putting all the hard work in. They provided good products, definitely. There’s a lot of R and D that’s gone into the back end. Are they truly working with us as partners to make best use of it? Some vendors better than others, but a lot will be first on your back if you’ve gone over the license count. There’ll be chew ups and true ups, which is fine, that’s the business model.
Nick Harris:
But where’s the true down? If we pay for 2000 licenses and we’re only consuming 1000 because the adoption hasn’t gone well and we need more time with a partner to drive that adoption, where’s the true down to say, well, we paid for that, but we’re not getting any use from this? I think there’s a massive shift that needs to happen in partners getting beyond this customer Success Manager, the Customer Relationship Manager, whatever they call themselves, and properly partnering that they don’t just give you the product at the front door and go over to you tell me how it’s going. They actually drive the adoption and facilitate that. It’s not about professional services and kind of extra stuff. It’s just that it’s about really getting the best out of the whole platform. Product, service, whatever they’re providing, the partnership really needs to link up. Less transactional, more collaborative.
Dinis Cruz:
I agree. Right. I think one of the areas to facilitate that is, I think for a lot of companies to start to collaborate because it’s easy to do sometimes those moves when you’re dealing with one company. If you’re now dealing with a band of companies, or a group, or a cluster, or a sector, or a government right. Or a set of regulations that defines how you interact with industries, then that’s a much stronger proposition.
Nick Harris:
Yeah. There are a couple of bits in there. The first one is probably a real stretch, but how amazing would this be? Under your CDC concept, it’s not the mobile phone provider I have, but there are mobile phone providers which, if you as the brother, don’t use your full contracts, your sister can use it. Why can’t if we’ve paid for 2000 licenses to use 1000, another company that we’re partnered with can consume the rest and we can then negotiate around that and they can send some others our way where we’ve missed. About kind of spreading in an exchange way, some of that licensing and really therefore kind of evening out. Maybe they’ve overused in one underneath the other. Actually we could benefit with some of that. How can we bitcoin anyway, or transact and pass those licenses around where they’re just not being used?
Dinis Cruz:
Yeah. No, I like that. Right. Because that’s having that value added of a cluster of companies, right, that some negotiate well. You could even think like when you have for example, groups of companies, you can have the same structure. If you have even investor groups that they all are on this or certain companies who are aligned on specific objectives where they all care about a particular thing, where we once get hit, everybody else suffers. It makes sense to be leveraging this, right, even cross company arrangements. Like you said, you can have a case where you do an agreement that actually addresses multiple companies and then people can use licenses right, in the most effective way.
Nick Harris:
Yeah, definitely. That once it is a very good point as well. We talked haven’t we, about, I guess peacetime activity, how vendors can work with us. Peacetime non article five. We’re in NATO and we’re kind of getting the best of the tool and driving the right adoption and adoption just beyond the security adoption to the business, whether it’s in the Accept Team or DevOps or in HR, whatever it might be. What about when it gets to wartime? I think we’ve talked about this previously, where are the vendors when the incident happens? They need to be pulled in part of the incident response team. It’s not just that we are using that platform to do some investigation, whatever it might be. Where are they saying, did you could use your platform for this? I’m going to bring my engineer in from the vendor and be part of your sponsoring to get the best out of the platform and really drive in on that incident to help us out.
Nick Harris:
If we need to sort the professional services out or whatever it is after the event, then we’ll do that. But when it’s proper crisis, the vendors.
Dinis Cruz:
Need to be in the room and then have that experience, right, have the experience of how to bring them on board, how to create the communication channels. At the moment, if you think about it, every company needs to set that up. Some companies might have done it better than others, right? Every company needs to set up the environment, the relationships, the connections. And again, we don’t leverage that. It’s almost like you just need somebody in that group to have that relationship. Somebody it’s almost like in a weird way, again, within a group, we can even have certain parts of the group saying well, we are really good at this because for whatever reason in our world, we have to be really good at this response where maybe another group is really good at DLP, right? Another group is really good at managing cloud assets. Another group is really good at this.
Dinis Cruz:
Again, think about being able to leverage that and then being able to bring the vendors in and bring the partners in on peace, but also on incident wartime, right, where you get the best out of the shared intelligence and the shared knowledge within those clusters.
Nick Harris:
That exact example can work for the vendor because if the vendors, the DLP vendor, let’s take that example, working really well with that company and they’re part of the border community, well, that message is going to translate. The other parts of the community are going to use the same vendor. They’re going to take the recommendation they’ve probably already been part of some demonstrations or actually sitting with the analysts doing some collaboration and saying, actually just show me how this tool works. And that’s going to drive their business. By putting the time and effort in to make their product really work. The business will follow off the back of that.
Dinis Cruz:
Absolutely. There’s a business incentive for them to do that. Right. The other element is that we now also start to need the security vendors to be secure. Right? Which sounds ironic, but come on, let’s be clear. Some of the security vendors, some of them can be the worst ones in security practices. As the market is evolving and we now need S bombs for everything, we need really good understanding and really good mappings. This is also a nice way to ratchet up the quality of the vendors. I already know stories of some big players who are already putting financial penalties on companies who don’t provide good information about their security, don’t do good due diligence, don’t really in a way provide that good service or that quality product and then really drive independence down. My comment, I had a panel yesterday, but my comment is like, we need to make a lot of those things public and there needs to be a lot more openness industry.
Dinis Cruz:
I think what we can be thinking here is we need to start working on that model. This is like the worldly maps, right? We know that in the next couple of years the openness will commoditize and it’s either going to be by regulation, by incidents, or by force or by market momentum. There’s going to be a move from where we are with the crew relationship with the products and the isolation that you have per client to a lot more openness and cluster driven negotiations. We can already operate at that level and start thinking about the logistics of making that happen.
Nick Harris:
No, you’re right. Everyone harps back to Solar Winds being a prime example of where a close vendor has caused big problems. I think in the same manner that with shared intelligence, so to speak, but with sharing happening across the companies about what vendors can work really well, that you see them invest their time and their effort making things work. The sharing of the Glitches and the negative side is also going to be more prolific and get around. If the company that you collaborate with, part of the CDC over there has a glitch with a vendor, whether it be their own breach, their own security issue that will come round. Instead of it being closed, shop and the vendor thinking, well, maybe I’ll lag it until it goes public. Actually, the threat of that knowledge being much more readily shared, much more public, should drive their own practices in the first place.
Dinis Cruz:
Yeah. And we know that works, right? Because there’s already real data that shows that. Cool. Look, I think this is a first step on this, right? I feel that let’s plan more sessions at the next summits. Let’s start bringing people together. Let’s try to make some of these work right, collaborate a bit more, use this video, right, to generate some more energy. Right? I think the momentum now is starting to be with, let’s create some groups, let’s create some clusters. Let’s kind of collaborate, and let’s find the vendors that are working well, the good ones. Right? Because they should be rewarded. Right? The ones who don’t have either good products stop, innovating, are not providing a great service. They need to steal the market economics. Right? It’s that simple. We want to create an economic model that rewards investment in good security practice, in good engineering, good customer services, great relationships, and then they should get the financial reward and the business out of it.
Dinis Cruz:
Right?
Nick Harris:
I’m sure if for those that we have that relationship with, we could bring them along to this thing. Equally, people that watch this, if they got great vendors that really partner in the way that we talked, bring them along and generate that kind of that interest and show how well it can work.
Dinis Cruz:
Yeah. Cool. There you go. There’s the challenge. So, unless in any final comments, I don’t know if Billy want to throw a couple ideas to the table or Nick final comments. Cool. I think all right, then I see you in the next one.
Nick Harris:
Thank you, everybody. Bye.