ITSPmagazine

Inside the Economics That Shape Modern Cybersecurity Innovations: How the Cybersecurity Startup Engine Really Works | A Conversation with Investor and Author, Ross Haleliuk | Redefining CyberSecurity with Sean Martin

Episode Summary

This episode explores how cybersecurity startups form, why the market produces so many tools, and how security buyers should evaluate both emerging and established vendors. Sean Martin and Ross Haleliuk break down the forces shaping today’s innovation engine and the business realities behind modern security solutions.

Episode Notes

Understanding the Startup Engine Behind Cybersecurity

This episode brings Sean Martin together with Ross Haleliuk, author, investor, product leader, and creator of Venture Insecurity, for a candid look at the forces shaping cybersecurity startups today. Ross shares how his decade of product leadership and long involvement in the security community give him a unique perspective on what drives founders, what creates market gaps, and why new companies keep entering a space already full of tools.

Why Security Produces So Many Products

Ross explains that the large number of security tools is not evidence of an industry losing control. Instead, it reflects a technology ecosystem where entrepreneurship has become easier and where attackers, not practitioners, define what defenders need. Because threats shift constantly, security leaders must always look for clues on what could fail next. That constant uncertainty fuels innovation.

What Motivates Founders

Despite outside assumptions, Ross observes that most founders are motivated by the problems they have lived themselves. Some come from enterprise teams. Others come from military backgrounds. Many find traction with early open source work. Few come into cybersecurity to chase quick wins, and most do not survive long enough to chase profits even if they wanted to.

Security as Business Enablement

Sean and Ross discuss the role of security as a business driver. In regulated sectors, companies invest because they must. In technology companies, strong security is a sales enabler that gives customers confidence to use their products. Outside of tech, the priority is more about resilience and operational continuity.

How Buyers Should Think About Startups

Ross outlines the tradeoffs. Startups deliver speed, responsiveness, fresh architecture, and modern user experience. Large vendors provide stability, predictability, and broad coverage. Neither is perfect. Security leaders should decide based on the importance of the capability, the level of influence they want, and the outcomes they need.

This conversation highlights the practical realities behind the security products organizations choose and the people who build them. Listeners will hear both the optimism and the honesty that define today’s cybersecurity innovation economy.

GUEST

Ross Haleliuk, Security product leader, author, advisor, board member and investor | On LinkedIn: https://www.linkedin.com/in/rosshaleliuk/

HOST

Sean Martin, Co-Founder at ITSPmagazine and Host of Redefining CyberSecurity Podcast | On LinkedIn: https://www.linkedin.com/in/imsmartin/ | Website: https://www.seanmartin.com

RESOURCES

Inspiring Blog: https://ventureinsecurity.net/p/not-every-security-leader-works-at

ADDITIONAL INFORMATION

✨ More Redefining CyberSecurity Podcast: 

🎧 https://www.seanmartin.com/redefining-cybersecurity-podcast

Redefining CyberSecurity Podcast on YouTube:

📺 https://www.youtube.com/playlist?list=PLnYu0psdcllS9aVGdiakVss9u7xgYDKYq

📝 The Future of Cybersecurity Newsletter: https://www.linkedin.com/newsletters/7108625890296614912/

Contact Sean Martin to request to be a guest on an episode of Redefining CyberSecurity: https://www.seanmartin.com/contact

KEYWORDS

sean martin, ross haleliuk, cybersecurity, startups, venture security, founders, innovation, risk, resilience, product strategy, redefining cybersecurity, cybersecurity podcast, redefining cybersecurity podcast

Episode Transcription

[00:00:36] Sean Martin: Hello everybody. You're very welcome to a new episode of Redefining Cybersecurity. I am Sean Martin, your host, where I get to talk about all kinds of cool things, cyber connected to the business, and, uh, of course, not just by myself, but with some really cool people who have some great experiences in the, in this, in this space. 

And, uh. I don't know much, which [00:01:00] is why I talk to people who know other things than me. And, uh, we're gonna spend some time today talking about the, the, the world of cybersecurity startups and kind of where, where things are headed there. And I'm thrilled to have, uh, Ross on with me. Ross, you're, you're an author, uh, an investor, a fellow podcaster.

Uh, I'm, I'm thrilled to have you on the show, uh, maybe a few words, uh, for folks about who you are and, and what you've been up to lately.  

[00:01:27] Ross Haleliuk: Yeah, super happy to be here. Thank you so much for the invite. Uh, yes. So I am many things, but first and foremost, I'm an operator. I'm a builder. I have been, uh, building, uh, products including cybersecurity products for, uh, well over a decade. 

And what I find, uh. Different about cybersecurity is just the passion that people bring to the table. Uh, I've worked across several different industries before. I've worked in retail, wholesale, financial technology for a number of years, and in no other space have I seen so much, so much energy and so many people dedicating their free time [00:02:00] to push the industry forward and to make things better. 

So I'm insanely passionate about cybersecurity. Several years ago I started a blog called Venture Insecurity. And the goal at the time was to cover the business side, like the, the market side, the startup side of the cybersecurity space. Uh, the blog took off and, uh, everything else that unfold, that was sort of a continuation of that work on a blog. 

I then ended up publishing a book and, and so on and so forth. But fundamentally, I'm a builder. Like career wise, I was a product manager, head of product for a number of years, and now I'm in the middle of, of launching my own thing, but still within cybersecurity and still focusing on building products. 

[00:02:39] Sean Martin: Yeah, super fun. And we, we can go all over the place with this conversation on building stuff. Um, quick, quickly, your book is, uh, interesting to me as well. Gimme, gimme an overview of what that is and uh, perhaps we have a separate conversation on, on that. But let's, let's a quick word on that.  

[00:02:55] Ross Haleliuk: The core thesis is that there are plenty of fantastic books about how to [00:03:00] do security, how to reduce risk, how to run security programs, be it vulnerability management, endpoint security, or, or or whatnot.

But, uh, the gap that I have realized existed was the gap around helping people. Understand what are some of the business aspects of building cybersecurity startups and also what are the different part, what are the different parts of the ecosystem? When we say cybersecurity, in my mind there are two ways of of defining cybersecurity. 

On one way, there is this cybersecurity as a practice. Where you have, we have a bunch of security practitioners and security leaders in their organizations doing their best in order for them to secure the environments of the companies they work for, or consumer space, like people trying to secure their own data. 

And then there is another way of looking at the security space, and it's saying that there is, I guess the other aspect is cybersecurity as an industry. Where we have an ecosystem of different players, right? We have startups, we have [00:04:00] established companies, we have resellers, distributors, SSPs, we have industry analysts, we have podcasts for the lack of better example. 

And like we have all of those, all of those bits and pieces. Uh, we have events such as RSA and, and, and Black Hat and, and others. And we have all of those. Uh, component sort of interacting, uh, and, and, and coexisting together complementing one another. That is also where a lot of the money is in is exchanged, right?

If you're a security practitioner, you are not thinking about the flows of capital. You are thinking about. Security. If you, however, are on the industry side, you are thinking about go to market, you're thinking about marketing, you're thinking about sales, you're thinking about fundraising, you're thinking about exits.

And so that was security as an industry was the area of focus for the blog. And then obviously it evolved into security as an industry and also building security, uh, products for the book. So the book is precisely about that. If you are a security [00:05:00] practitioner and you're. Interested in maybe launching a side project or, or maybe building something on the side or maybe starting your own company. 

That's, that's the, the, the, the, the, the right book to read. If you are somebody who is more interested in how to do security, that is not the right book to read, although it

[00:05:17] Sean Martin: is probably useful. Uh, there's always, so never, never a bad thing to learn different aspects of, uh, how all this stuff works. But, uh, great overview and, um.

Yeah, I, we'll, we'll see. I'd love to have you back and we can talk a little bit more about the book and, and, uh, what that looks like. But the, I think where I wanna start, I know we have a few points we wanna cover, but kind of this idea that, that you, I think you just touched on, which is, if you're a practitioner and you're thinking about a side project, it's probably because.

You're dealing with something in the world that you live in where there's a gap, right? And you, and you think perhaps [00:06:00] others are experiencing this, experiencing the same gap. And therefore, if I can close this gap, maybe it'll, it'll help more than just myself. Um, I, 'cause I know one of the things we talk about, wanna talk about is kind of the past present. 

Past the present of cybersecurity venture and startups. And I'll, I'll go back to, I'm, I'm a builder as well. I spent a lot of time here, but 30 years ago building products with Peter Norton Group as part of Symantec purpose built to solve a problem around viruses. Right. And then viruses morphed and we, we end up where we are today. 

But that the whole point is that that was a. A market problem that was defined and a product built for that, where what I just described in connection to what you said is a, an operational, perhaps an operational problem that needs to be solved in the cyberspace. Um, maybe better detection, but probably more, more likely. 

Uh. A gap [00:07:00] in how to get from detection to response faster, for response to recovery, faster recovery to um, uh, better protection, faster. So I don't, I guess I'm rambling here now, but your thoughts on. Startups. Another way to look at it is are they, are they products or are they features that get acquired and been built into other products? 

So I'll, I'll stop rambling, but your thoughts on kind of the state of, state of cybersecurity startups and, and how, how they're kind of driven, I guess is really, really what I'm after.  

[00:07:30] Ross Haleliuk: Uh, yeah. There, there are definitely a few aspects that I would mention. Uh, one is that obviously from the, from the startup perspective, cybersecurity is a quote unquote, a hot space. 

Everybody is, is trying to build something, trying to solve problems. And, and you know, quite often in, in an industry, uh, we get into this, this thought process of saying, oh my God, there are just too many tools, too many products and too many vendors and this and that. But I think fundamentally, if you, if, if [00:08:00] you. 

Don't look at the number of companies, but instead, like if you talk to the individual founders and people who are trying to pursue the solutions to those problems, you will find that the vast majority, like the overwhelming majority, are driven by the right things. They're driven by the desire to solve problem.

And some of them have experienced that problem when they were, uh, working as a security practitioner on a security team at a large enterprise. Others were maybe building something in the open source and they found that, hey, this, this problem actually resonates with other people and there is a way to achieve scale by trying to, you know, to, to get this solution touch as many potential customers as possible somebody else. 

Maybe have, have, have served in the military and they were on the cyber, cyber offense or cyber defense, uh, side. And they've seen what, uh. Types of distractions can be caused by, by, by the security incidents and using cybersecurity as a, you know, as one of the, [00:09:00] uh, types of warfare. And so people come at it from different angles, like somebody was maybe a CISO, but for the most part, with some exceptions, of course, they're always exceptions.

But for the most part, people come at it with, you know, with an open heart and a passion for solving a problem. And, uh, the reason I'm talking about this is because. There's often this assumption that you're making that, oh my God, like every founder is just, is just in there for money. Well, the reality is that the vast majority of cybersecurity startups fail right as every other startup. 

So if you are, if you are, if you are chasing money, they're probably much more certain ways of, you know, of, of getting paid, such as joining a large corporation and maybe, you know, getting, uh, to a certain rank. Now, the number of tools out there is a lot. That is just undeniable. That said, it's interesting to view it through the lenses of the technology space in general, not just for the lenses of [00:10:00] security, because you see, depending on, uh, which, which angle you take, like which angle or which vantage point you look at it from, your conclusion is going to be very different. 

If you were a security practitioner for the past 15 years. Or 20 years and you still remember the time when cybersecurity was really about having a firewall and an antivirus, then obviously having to deal with like 75 tools in your environment is a lot. And, and if you, if you've witnessed, if you've been a part of that evolution in the market, you're most definitely going to be upset about where we ended up as an industry. 

Now, I'll give you a different perspective. I've worked in the, in, in, in the financial technology space before, and when I was in FinTech we also complained about the number of vendors. But let me tell you, we had over 50 or 60,000 vendors. So that is how many FinTech tools are there? If you look at something like marketing tools, like the tools used by marketing teams, it's the exact same number, 50 to [00:11:00] 60,000 plus. 

If you look at HR tools like human resources, the exact same number. So yes, cybersecurity is certainly a crowded space, but it has nothing to do with security being a crowded space. It is more that we as the technology, uh, ecosystem have democratized access to entrepreneurship like 20 years ago. How many people could even start a company? 

How many people, people could raise capital? How many people could take a stab at solving different problems? The only way for you to solve problems was to start something in open source on the side. Keep your day job and then hope that maybe somebody else will find what you're doing useful today, starting companies.

Is, it's, it's, it's a profession on its own and that's why there are many companies out there.  

[00:11:42] Sean Martin: Yeah. Well, let's see. You touched on something that was in my head and, and since you mentioned, I wanna, I wanna spend a moment here, especially when, I mean you spoke to FinTech and how many, how many companies there are and tools there are and, and marketing, how many companies and tools there are [00:12:00] those, those are driven by business need and as the business. 

Accepts that and, and tries to grow the business and expand their market share and do cool things and serve the customers better, and they use all these tools to do that, guess what happens, right? More exposure, more risk, more attack surface, more attackers, more need for security tooling. So I think it's, it. 

Because I, I have a feeling that a lot of people think, to your point, people are trying to make money. People are trying to be clever and, and build new products and, and find a way in to solve a specific problem. But it's because the business drove this need to, well, it drove the risk exposure and, and therefore the need to shore things up.

So, I don't know. Um. Your experience with security founders kind of connecting to that in any way? Or, um, what do, what do you think?  

[00:12:59] Ross Haleliuk: I think [00:13:00] I, I mean at the end of the day, it always comes down to business, right? Uh, yes, there is, there is this like, altruistic way of looking at the cybersecurity space and saying that we are defending, you know, the society, but let's be honest, we are defending the kind of organizations that are paying our salaries. 

And sadly, it's often even not the kind of organizations that need support the most. Because as people, as individuals, we have to be pragmatic. We have to think about our families, we have to think about our personal goals and plans, and we have to balance that against our desire to do, to to do something for the greater good and maybe working for a utilities company. 

Is that the definition of that greater good? Or maybe helping a nonprofit to defend, you know, data of, of, uh, people who donate money to their cause, or maybe people who benefit from, from their cause is really the, the real definition of doing something for the greater good, but instead the kind of companies that [00:14:00] are. 

That care about security more than others are companies in, in insurance space because they're regulated or companies in the finance space. So there's a bit of that honesty that we need to have as an industry and just acknowledge that yes. Like we are trying to do the right things, but within the confines of, of, of, of what business has designed as security, as the security industry.

And so in a similar way, uh, what you were saying is, is absolutely spot on, right? Business operates a certain way. Business has certain goals, and those goals are typically growth and increase in shareholder, in shareholder value. And security is only important to the business as like in, in two ways. One, in, in way, in, in the way in which it enables the business to operate. 

So if, if you work in a higher, highly regulated industry and you don't have certain security program, you [00:15:00] can have trouble staying in business. Because the government will, will, will, will, will come after you, and the regulator will come after you. And that's like, that's why security is important. So it's purely the compliance aspect of it. 

And then on the other side, security is important as a way to protect the ability for the company to generate revenue. And, and, and, and keep, keep the profits. So you're not only like, and, and that's another aspect of it. So as you said, it, it always ties back to the business. And at the end of the day, security budget is the amount of money that the business believes. 

It should be allocating towards security while considering all the other priorities. Like if you think about it, like we often talk about security budget as, as a, as a fraction of the IT budget. But I think a more honest and a more realistic way of, of, of making that evaluation is to say, to look at the security budget as a percentage of revenue or as a percentage of profits. 

Because if you look at it from that perspective, you realize that when a company is deciding how much money to [00:16:00] invest into their cybersecurity program, they're not just saying, Hey. Are we going to invest into networking or are we going to invest into SaaS tools or security? No. Their decision is, Hey, are we going to pump more money into sales that can then generate more profit?

Or are we going to invest more into security? And that's where the math starts. Starts looking very differently. Right.  

[00:16:22] Sean Martin: Well, sales marketing. Then delivery. Right. And oftentimes that's where a lot of tooling comes into, into play as well, unless you're building a widget. But, um, in that case you're talking about manufacturing, which is delivery, which also needs to be secure. 

Yeah. Um, so from a, from a startup perspective then, um, how do you, how do you see them defining. What their objectives are. Um, 'cause I, I still, you mentioned the, the two that I think are still very prevalent, uh, which is compliance, right? Those are typical drivers for sales, for security products and risk [00:17:00] management, risk reduction exposure, uh, reduction.

Um, I, I very, very seldom personally hear revenue growth, right? As a cybersecurity benefit from startups. And I don't, I don't, have we reached a point yet where we can start talking about that?

[00:17:18] Ross Haleliuk: So I think, uh, I think the answer is yes, but it has less to do with the evolution or us getting to a certain point. 

And it has more to do with the fact that different companies, uh, operate under different business models and sell different things. So the way I would think about it is that. Uh, business comes down like the, the business objectives are always to either find way to generate as much revenue as possible, so focusing on the top line or, and, and avoid as many expenses as possible. 

So, focusing on the bottom line, and so. There are different types of organizations, right? There are companies for, there, there are [00:18:00] companies in highly regulated industries like look at finance, look at healthcare, uh, look at, uh, critical infrastructure in those kinds of industries. The number one driver for security is the business preservation, is the ability for those companies to stay in business, right? 

If they're not compliant, the regulator is going to be, is going to come after them. Now. That is a, it's it, interestingly enough, those companies are probably the biggest buyers of the cybersecurity tooling, but they're not the biggest percentage. If you look at the market, like the regulated industries is still a limited number of, of, of, uh, sectors and segments. 

Now, there is also a category of companies for whom compliance and security are sales enablement tools. And, and this mainly applies to tech companies, right? If I am going to, uh, let's just say I'm an enterprise and I'm considering using, uh, I don't know, Dropbox [00:19:00] or Box or some other data storage solution, for example, I very much want to make sure that the customers are going to be comfortable sharing their data with me or embedding my software into their organization.

In order for me to do it, I need to give them the peace of mind that I am going to be a secure, uh, solution. So I'm going to keep their data secure. I'm not going to cause a supply chain risk, unnecessary supply chain risks in their, in their environment. And so for cyber, for the technology vendors, cybersecurity is one of the core attributes of the product they're selling. 

And that's why when you go, like when you, when you look at Bay Area companies, when you look at. Like a lot of the, uh, really technology SaaS solutions, there is so much investment. Into, uh, security at, at least comparably to, uh, companies and other industries. And that's also depending which CISO is, is on a panel or which CISO is giving [00:20:00] a talk about security.

You may get a very different perspective, right, because if I am, if I am buying a sofa from a, from a, like a, a, a furniture manufacturer, I honestly couldn't care less what kind of data. Uh, you know, data loss prevention tools they have in place, or what's their security program like? I'm getting sofa, like I'm getting the end product and ironically, neither do their partners or customers, right? 

Like their suppliers are probably. Are, are used to getting their data lost, uh, left and right again. I'm not saying that that's the right way to, to approach it, but it's more like the reality of the space. Now, if I am buying milk, do I really care about, you know, whether or not a a, a milk, uh, facility has, has the right insider threat program? 

I mean, I hope it's gonna be a safe, the safe milk to drink, but I don't care about their security posture. Now, if I am using. Google's cloud storage for my personal data and my personal [00:21:00] documentation. I very much care about their security posture because that's the security of my data. And so I think that that's what different motivations for security really come down to, because if you are a manufacturing facility. 

What? What do you care about? You care about making sure that all of your machinery is going to be operational and working regardless what happens. So you care about things like ransomware. You care about things like, like just business continuity, but you don't really care as much about data loss prevention. 

If you are a tech technology company, you care about apai, most certainly, but you also care about. Especially if you are in the B2B space, you care about data protection for your, uh, for your customers. And your customers are actually going to ask you, Hey, what are you doing around security? And you will show them something like SOC 2 to at least, again, not an ideal answer, but it at least gives people an idea of what you could be doing, of what you say you're doing.

So I think. I think the answer isn't like, is coming full [00:22:00] circle. Back to your question, it's not that there are some companies that are more mature than others and that's why they treat security as sales enablement. It's more that if you are in the business where the, where the customer that's paying you money cares about your security posture, then security becomes sales enablement. 

That is realistically speaking really just the technology space. The moment you get outside of the technology space, if you're an oil. Production facility, people care about oil. They don't care about, you know what, it, it's up to you to make sure that you continue making money. So it then becomes about protecting the ability to make money, but it's not about protecting the data. 

[00:22:37] Sean Martin: And the one area I'll push back and I'll, I'll use, um, so I'll connect your milk example to eggs, uhhuh, and sadly, the, the, uh, the supply chain of eggs has been impacted by. A disease. Yes. It could very easily be impacted by a technological issue like feed supply or, or [00:23:00] movement of, of, uh, food or, I don't know. 

I'm, I'm, I'm stretching a little bit here, but I guess the whole point is at the end of the day, it, it's not, to your point that you made earlier as well, it's not just about data protection. Though that may have a role in what I'm about to say. It's really about resilience, right? The business needs to be resilient. 

If, and in the case of the eggs, maybe, maybe the producers, granted they don't wanna lose their, their, their chickens and not not sell as many eggs. Yes, they're gonna suffer. Ultimately it's the society that suffers if we don't, if we don't protect the ecosystem and the supply chain. That's, I guess, my point that I'm making. 

[00:23:40] Ross Haleliuk: Oh, I agree. You see, see, I am not necessarily, see, I'm not at all saying that, uh, you know, this way of approaching security is the right way. What I am, however, saying is that if you are a business, like, let's think about it from the business standpoint. If you're a business and you have a prospect, uh, doing a POC, and if the [00:24:00] POC closes.

You tend to make a million, 2 million, 3 million, $5 million. It doesn't matter. You name it, wherever. A, an impressive number it, it is for you. Now if that prospect comes to you and says, I'm willing to sign on the dotted line and we can start working together, but I need you to comply with the, with these like four requirements, that is a real motivator for the company to invest money into complying.

Now, if, however, I am a company that sits that, that is doing well and we are selling eggs, let's continue with your example. It's, it's much harder for me, like, let's just say I'm an executive sitting in a boardroom and people talk about how, uh, how we should allocate our investment for the next year. It's much harder for me to say that, you know what? 

We should probably invest into this new security capability over investing into market expansion. And, and, and it's not because that's objectively the better way of allocating [00:25:00] capital. It's more that we as humans are pretty bad at evaluating risk. We are good at evaluating opportunity. If there is $5 million in front of us and all we need is a SOC 2 report, we are gonna get that SOC 2.

But trying to predict like, Hey, what are the chances that something bad is going to happen to my business next year, and should I be preparing for it? And if so, how much should I be allocating to prepare for it? We are just bad at that, and that's why sales enablement has always been a stronger motivator than loss prevention.

[00:25:29] Sean Martin: Yeah. Yeah. Yep. Sad. I'm afraid it'll continue that way. I want to, um, so I, I partly brought up the egg thing, uh, just so we could add this exchange, but also to, to make a point that I think we have an opportunity to learn from the good things other industries have done. The, the lack of good things other industries have done. 

So I wanna go back to your, your FinTech example where you describe a world of. Countless tools and, and products and [00:26:00] services and financial companies seem to have found a way to deal with that. So I'm wondering if there's any, any, uh, enlightening moments from your experience working in that space to say, here's how. 

FinTech found its way into financial institutions successfully, that people aren't yelling and screaming and saying their, their hair's on fire all the time. Like I think we do kind of in security.  

[00:26:26] Ross Haleliuk: Yeah. Sadly. Sadly, I'm not going to have a good answer. Uh, and there is a very specific reason why that is the case. 

You see, uh, there is a di like security is a very unique industry in, in several aspects, but one of which it is unique is the fact that. Uh, in security, there isn't a pull for products. There is more a push for products. So let me explain. If I am, if I'm a a finance team, the number of problems I need to solve is finite, right?

I have a certain. [00:27:00] Certain types of work that I need to do, and some of it is probably manual, so I'm going to have a very specific solution I'm looking for, and I'll go to the market and I'm not going to be evaluating all the, all the tools. I'm just going to be evaluating the tools that I actually care about for my specific use case, knowing that the rest I'm consciously choosing to ignore because yeah, we could use it, but like we're probably good with what we've got now. 

Security is quite different in that I'm not just going to the market to choose the stuff I think I need, I'm also going to the market to learn what else can fail in my environment. Because in finance, you are solving a problem, and if you don't have a tool for something, you're still doing that something, just doing it manually, doing it differently, maybe spending more time, but it's up to you to decide. 

Now in security, it's the attacker that decides what you need. [00:28:00] It's not your behavior, it's the attacker behavior that actually decides what you need. And you don't know how attackers are going to behave today, three months from now, six months from now. 
 

So it's almost one of those areas where you will never know what you need. You will never know how much you need. And you are looking for clues, right? You are going and asking analyst firms like, Hey, what should I be looking at? You're going and asking your peers as security leaders, like, Hey, what are some of the areas that you are looking at? 
 

Like, what's important? You are reading the news. Oh, what are attackers doing? What should I be preparing my organization for? So you are almost always living in this partly fear, but partly fear of missing out, right? You are like, oh my God, if I don't have this new capability, is that gonna cause an issue seven months down the road, a year and a half down the road? 
 

You never know. In FinTech, it's [00:29:00] different. If you believe that this is not the problem you're going to solve, then you just don't solve that problem now. Over the long term, that may set you back compared to your peers. That may become a competitive disadvantage if you are not as efficient in some areas as, you know, your competitors. 
 

But at the end of the day, it's never like, Hey, on this day you are going to fail because your defenses have failed. It's a very different buying behavior. 
 

[00:29:27] Sean Martin: Yeah, I can totally see that and appreciate that. I'm glad you pointed that out. I'm also thinking one layer up, though. So regardless of how it enters, whether it's a pull in or a push in, are there similarities or differences, or maybe lessons we can learn, with respect to how that stuff is managed in terms of the infrastructure? 
 

Because in your scenario of the pull, it's many departments, [00:30:00] maybe even more complex, yet somehow they figure it out, right? Versus one coming in through security. You see, 
 

[00:30:07] Ross Haleliuk: I think as a security industry, we should be better, and I think we have been becoming better consistently over the past number of years at pushing vendors to integrate more with other solutions in the market. 
 

There was a time when you would come to a vendor and you would essentially not just buy into that vendor, but you would also buy into the ecosystem of other solutions that they work with. And if they didn't have an integration with this other tool that you've got in your environment, that was your problem. 
 

The vendor was not going to build it, right. I think now we have gotten to the point where there is a good understanding that capabilities should be more or less interchangeable. They should be interoperable, they should be integrated, and so if I am buying a certain solution, I should be able to connect it to all of the other tools in my environment so that it can all work as [00:31:00] a part of the cohesive fabric, as opposed to this standalone thing that I just can't connect to, and it's just sitting there and hopefully doing something to keep me more secure. 

So I think that as an industry, we've been fairly good at pushing vendors to evolve, and you can see the evolution. You can see that at this day and age, when new vendors, when new solutions are starting out, they're fairly open when it comes to their APIs. 
 

They're fairly open when it comes to the ability to add new integrations, and so on and so forth. I think that's important. It's also important to push vendors to offer a much more user-friendly experience for the buyers, right? In many industries... I was honestly shocked when I ended up in cybersecurity. I was shocked by how far behind the security vendors are when it comes to their user experience. 
 

It's [00:32:00] absolutely insane. You are in a world in which it takes me five minutes to get started with something like Asana, with something like, you know, even a tool for filing my personal taxes. Mm-hmm. Or a tool for doing taxes for my corporation. 
 

It takes me minutes to get started with that. It's easy, it's user-friendly. It can take me many months to get started with a security product, or even understand how it works. Again, buyers have to vote with their dollars. Mm-hmm. And choose products that are more user-friendly compared to others. 
 

So I think there is a lot of that process of just pushing the players in the market to transform and do better that needs to happen, and it is happening. 
 

[00:32:49] Sean Martin: You touched on another point that's been on my mind as we've been talking as well, which is security in... so, not security that plays well with, but perhaps security [00:33:00] in the ecosystem. 
 

And in the infrastructure. And I remember, I dunno, it's probably been at least 15, maybe 20 years ago now, there was a movement for banks to embed security into the browser that they would deliver to their customers, to protect their customers and ultimately the transactions they were doing on behalf of their customers. 
 

So it seemed very interesting to me that banks would deliver this browsing capability with security built in. Now, obviously it didn't take off, 'cause people wanna use their own browser, not the bank's one. So I guess my question to you is, from a startup perspective, are we looking enough at that, or are we still looking at... 
 

And maybe to your point, you just said it, right, we're still ages behind in terms of adoption and the ability and ease of use to get into this. But is there an [00:34:00] opportunity to do better at getting deeper into the infrastructure and become part of it, and not just something that security tacks on to the side when a business team says, we're deploying this new tech and now we need to secure it? 
 

[00:34:15] Ross Haleliuk: No, I do agree. I think there is the philosophical conversation and then there is the startup-related conversation, and they're going to be quite different, right? 'Cause philosophically the answer is most certainly yes. But the reason why it is not the same if you take the startup lens... 
 

Because as a startup, if you are five people in a garage... or I think the times to talk about garages are over; now there are certainly fewer of those teams working from a garage. But the part that matters is that if you're a startup, you don't really have the ability to change the way a certain ecosystem works. What you have is very little [00:35:00] resources, a lot of passion, and the ability to execute and move fast. So as a startup, you have to find an initial entry point, and that entry point has to be pretty scoped down. It has to be fairly specific. 
 

And that is why, when a lot of people complain about point solutions, what they miss is the understanding that every platform, every solution that you call a platform, started as a point solution. 'Cause you have to start somewhere, right? If you are going to build a house, you're not going to build 65 rooms at once. 
 

You have to start with some foundation. And if you want that house to be livable in three months, then you better just build one room. Then you expand into building other rooms. I know it's a very stupid example, but at the end of the day, as a startup, you have to find your initial wedge, and you have to find that initial use case to build around. 
 

And so now going back full circle, yes, we should be doing better as [00:36:00] the technology ecosystem, but the reality is that the power to do better is not in the hands of startups. It's in the hands of companies that are providing that infrastructure, right? If I'm a cloud provider, I most certainly have a better ability to secure the infrastructure that I'm providing than a startup that's trying to build some point solution on top of that infrastructure and take it on. 
 

If I am a mobile phone manufacturer and the OS manufacturer, I can most certainly provide better mobile phone security than a third party building an app for mobile security. Or if I am, you know, well, we say endpoint, but really, if I am building PCs and workstations, I can most certainly provide better security. In theory, I can most certainly provide better security than the third party. In practice, though, what ends up happening is that if [00:37:00] security is not your core area of focus, you obviously don't pay as much attention to it. And then there comes another vendor, and because that is their only area of focus, 
 

they have to be good at that. And so you end up with these very interesting dynamics. But I think the meta point is that we as an industry have been much better at improving. Something that I don't see being discussed often enough is that we have achieved a lot as an industry over the past three decades. 
 

The CISO role itself is only, what, 30 years old. That's how many years we've actually had CISOs. Steve Katz was the first CISO at Citicorp. Cybersecurity has become a board-level concern. We have evolved. We have retrofitted a lot of the insecure infrastructure with new, more secure versions and equivalents that are actually solving a lot of the [00:38:00] problems that were not solved 10, 20 years ago. 
 

There's just so much that we have been doing, and I think we have to give ourselves credit for that. 
 

[00:38:08] Sean Martin: Yeah, that's a great point. And there are so many things in my mind here as we're chatting. 'Cause I think there's a company, I won't mention their name because I'm not advertising for them, but they build specifically for the SAP environment. 
 

So they're all about assessing the risk and looking at the policies and looking at the configurations and looking at controls, such that SAP administrators get the value of security built into the environment they're familiar with. Kind of to your point. Now, maybe SAP is not a five-minute install, but my point is it's security built into the environment the user is already experienced with. 
 

[00:38:51] Ross Haleliuk: Yeah.  
 

[00:38:51] Sean Martin: And the security team's working with that team. So to me that's a really cool example of stuff being [00:39:00] built in. We have a few minutes left here. We've kind of looked at operations and business and security startups. I wanna speak to the audience directly here, the security practitioners and security leaders and business leaders trying to manage risk for their company. 
 

How should they look at this cybersecurity startup world? You said, put your money where your mouth is, choose the technologies and the companies that are gonna work best for you. How do they decipher what that is, what those things are for them? 
 

[00:39:41] Ross Haleliuk: Look, I think that at the end of the day, it doesn't matter what a security leader is choosing. What matters is that no matter what choice they make, it's going to come with trade-offs, and it's going to come with pros and cons, right? There are advantages and there are disadvantages of working with early-stage startups, and there are plenty of both, [00:40:00] right? On the advantages side, early-stage startups give people a much greater ability to actually influence the roadmap and co-create solutions that fit their needs and their environments much better than large established vendors. 
 

They are much more responsive. So when it comes to providing customer support, when it comes to resolving bugs, making changes to the product, they are going to be on top of it, and if a security leader makes a request for a new capability, they're most likely going to get it three days later, not 17 months later, not a year and a half, about three days. 
 

They're nimble, they're agile. They tend to have much more modern product experiences, modern infrastructure. They often are substantially cheaper than the incumbents because they are still trying to define the niche. And again, there are plenty of great ways and great reasons to work with startups. 
 

Now, that also comes at a [00:41:00] cost, right? Many startups lack consistency when it comes to their product roadmap and product focus. So it's not entirely unheard of for a startup to start in one area and then pivot or evolve into a completely different solution that is not at all in alignment with what that one initial customer had signed up for when they signed their contract. There is that risk, 100%. Not every startup has the ability to execute predictably. Things change. People tend to be overly optimistic about what they can deliver, and the roadmap can change much more frequently than they anticipate. 
 

And again, many priorities, limited resources. So obviously there are trade-offs, and in some places their solutions are not going to be great. They're trade-offs. But the same applies to working with incumbents, right? On one hand, yeah, you have, you know, a very stable, very [00:42:00] reliable, very mature product. 
 

They're much less likely to crash in the middle of some important workflow, I guess because the product has been around for a decade or two. The roadmaps are much more predictable. Their ability to execute is substantially higher. They're super slow, but they're predictable. On the other hand, products built by those large vendors don't change as often and as much, which can be a bad thing, but it's also a great thing because you don't have to retrain your employees on how to use this product every year and a half. Now at the same time, it comes with a bunch of downsides, right? Large companies are slow to innovate. There is a ton of needs that they just simply won't be able to address, because they don't have the talent, they don't have the ability to move fast. They often struggle to attract the best talent, because the coolest people oftentimes want to go and build something new, as opposed to building something that was there 25 years ago. 
 

Unless [00:43:00] the security leader is one of that large vendor's biggest customers, they will likely not be able to access quality support or get them to respond within three days instead of 16 weeks. And it can take many weeks for the vendor to resolve a bug, to address a gap in their product. 
 

And there's a lot of technical debt. So again, there are always trade-offs. The question is, what is the problem that you are trying to solve as a security leader, and what is the best solution given the trade-offs you are aware of? What is the best solution to those problems? And in my view, if you are tackling a new need, or if you have been using a well-established solution but you are seeing the gaps, and if there is a startup that is out there promising to solve those gaps, and not just promising but delivering on their promises and presenting something that looks compelling, that is a great case to work [00:44:00] with that startup, assuming that the security leader cares about this specific area. Because I think what that comes down to, at the very fundamental level, is that many security needs can be satisfied with good-enough solutions. 
 

Most large vendors offer fantastic good-enough solutions, right? If you're an established vendor and you offer, you know, a solution for X, Y, Z, and the CISO is like, yeah, you know, we just need some basics, because that space is commoditized, they all look the same anyway. Yeah, just go with whatever is a part of the bundle. 
 

But if you care about something a lot, and if you care about having a best-of-breed solution for that specific area, then there's often very little choice but to either work with a startup instead, or work with a startup on top of, and find a way to bring those two worlds together. Again, I don't think there are perfect answers, but what I do think is that as an industry, we have been doing a good job at both maintaining [00:45:00] focus on what the business needs and not going insane about just introducing 65 different startups per year to the security program, but at the same time supporting innovation and supporting founders building something new, and working with that. So if anything, I just think we need to do more of what we have already been doing, and this push on the security buyer side, this push for consolidation, is the right thing to do, while keeping in mind that not everything should be consolidated and making those decisions as they come up. 
 

[00:45:32] Sean Martin: Yeah, and I'll go back to, as we close here, the idea of resilience as well. So either you're gonna trust an entity to be resilient, or you're gonna have a couple in your back pocket. Yeah. That'll help support you, because security needs to be resilient as well as the rest of the work. 
 

Yeah. Well, I have a gazillion questions. We don't have time to get into all of [00:46:00] them, so maybe we can have another chat down the road and talk about some more things. But Ross, it's been great having you on this show, and I appreciate you sharing your insights here. 
 

[00:46:12] Ross Haleliuk: Likewise. Thank you so much for the invite. It was a fantastic conversation. Thank you, Sean.  
 

[00:46:16] Sean Martin: Super fun. Hopefully everybody enjoyed this chat as well, and of course I do ask that you share with your friends, subscribe if you like what you're hearing. And we'll see you on the next episode of Redefining Cybersecurity, as we aim to do just that. 
 

Thank you all. Thank you, Ross. Thank you.  
 
