DAVID LEDGERWOOD: Tom, it’s great to have you. Thanks for joining me today.
TOM YOUNG: Absolutely, Ledge. Thanks for having us.
LEDGE: So if you don’t mind, maybe give a quick background story of yourself and your work, and let the audience get to know you a little bit.
TOM: Sure. That’s great. Thanks. I’m currently responsible for worldwide sales and marketing for a security software company called Syncurity. Think synchronize your security. I’m actually an old programmer.
I sort of joke that I've lost credibility over the years as I went from programming, to managing programmers, to then selling programming projects, then became a sales engineer. Like all sales engineers I thought, “Wow. The sales people are making all the money and I’m doing all the work.” Ended up in sales and after a few startups, a couple of IPOs, two founders that sued each other into oblivion, here I am working at Syncurity and loving every minute of it.
LEDGE: Good. Good. Well, it’s nice that there’s a happy ending to those stories.
I resonate with the sales and sales engineering seat. Certainly after years of being a coder and going to the business dark side, would love to still fire up the IDE once in a while but do not get to do that as often as I would like these days.
Obviously, security is a huge topic and, off-mike before we started, you and I were saying it’s completely overwhelming. I mean, there are so many stories and use cases and signal noise, tools. As a consumer of this stuff, enterprise or not, everybody is just engulfed in this sort of tech pop culture of cyber security now.
Maybe, help just make a little bit of sense of where you guys fit in the world and that conversation.
TOM: That’s great. I often joke with people that there’s two buckets of security products. One which helps detect and find things – and that’s probably about 95% of all the products and vendors that people know and love. Then there’s a small subset of the market that actually tries to make sense of all that noise, and that’s the bucket that we’re in. The latter.
If people think about all these great tools, and there is definitely some incredible innovation going on in the detection world. How do I find the true signal from the noise when it comes to things like network traffic, or endpoint, or user behavior?
Generally, what people do is they track those signals and they try to rationalize them through some type of consolidating mechanism. Sometimes it’s a technology called SIEM, Security Information and Event Management, or an ELK Stack, or Splunk. Try to get some sort of curated list of, hey, these are some of the things that might be bad that we need to figure out what to do.
That’s really where our story begins. The market we play in is referred to by Gartner as Security Orchestration, Automation and Response. Where we typically pick up is where somebody’s got a couple of different threads of this type of signal information from a or maybe they hire a third party to monitor part of their network. Most people have trained all their users to be very suspicious of phishing messages and so they tell them to right-click on their email client to send those emails in. That creates another stream of input for the security team to try to analyze.
Then there’s situations where somebody calls the IT help desk about something wrong with their computer, and then after a little bit of triage they think, wow, this might be a security event. Let me escalate this and throw it over the wall at the security team.
So these security teams are being inundated with these un-normalized streams, if you will, of signal. They have to quickly figure out which ones are real? Which ones represent potentially the most risk to the business. How do we validate them quickly and, of the ones that prove to be real, how do we contain and remediate them?
There’s a process that people have to go through. It’s a very non-linear process in the case of these sophisticated attacks. I was saying earlier when we were talking, in a criminal environment you don’t just plug in the data and find the perp, right? The cops have to get a clue, leads them to another clue and so forth.
So, we guide people through that investigation, and we also automate the analysis. Where, if we can find out that some signal came in, a bunch of failed logins from different places outside the country or outside the normal business hours for a user, we can quickly correlate that with other information – badge swipes or other login data from other applications – to verify whether that’s legitimate or not.
We can use automation to help get rid of some of the low value, high volume commodity noise, if you will. Still document they were looked at and defend the decision not to pursue them further, but really save the 4.5 inches between the analyst’s ears for those things that really represent a sticky wicket to the business. Does that make sense?
LEDGE: Yeah, absolutely. The first thing I think, as you’re talking about automation, I haven’t read a brief for anything in cyber security lately, especially in the startup realm, that doesn’t involve machine learning and AI; we’re going to pump all this data into machine learning and AI algorithms and it’s going to do magical security things.
If in fact that’s true, tell us how. If that’s the fact maybe a little bit of the hype bubble, it would be totally cool to unpack that because it’s an overwhelming amount of information right now just on the tooling front.
TOM: It’s funny, I give the old consulting answer that it depends, but the truth is it’s a little of both. When you think about it, machine learning/AI they perform best when they have really large sets of data. When you think about raw logs that are coming in from these devices like a firewall, every time there’s a connection accept or deny, generating these logs. For a large enterprise or a service provider managing networks, or even a cloud provider, somebody that’s providing cloud services, they’re just generating billions of these logs.
There’s no doubt that some type of advanced analytics and processing using either methods of machine learning or forms of artificial intelligence can help rationalize or find the pattern or find the indicator that matters out of all that noise. The problem is that that type of analysis is a little bit harder when you’re talking about the investigation process.
Candidly, most enterprises, while they might get billions of logs that create maybe thousands of discrete alerts that might have to be investigated, very few of them, maybe in the dozens at most, result in something that gets investigated. Even then, very few of them turn into incidents.
When you think about it, if I only have a couple of investigations a week in my enterprise that result in me having to take action, corrective action to prevent or contain the spread of some type of penetration or exfiltration of data, that takes a long time and a lot of observations before you have a dataset that can really be adapted with machine learning and artificial intelligence.
What you have is, you have the ability on the frontend to use those types of technologies to better find the initial signal, the detection if you will. Then you need some combination of automation that can talk to other systems and verify, with context, whether or not that might be an issue. Then in the case where it turns out that this might be suspicious, you need some type of environment where the analysts can help guide their investigation. Pivot from tool to tool, using APIs to get context and validate information to help them scope the size of the problem and, more importantly if it needs to be contained or remediated, direct the actions that need to be taken.
Hopefully that helped to clear some of that confusion up.
LEDGE: Absolutely. I think, broadly speaking now, it’s a hot topic to be able to say that they’re using those techniques, but you’re right. It seems to be, in the conversations that I have with tech leaders in every industry, hey, this is great, we’re able to process a lot of data. We can learn from that data.
That does not mean we know exactly what next thing to do, nor is that next thing even close to being automated and removing the human analyst from the equation, which you can go on for hours and hours about. How do you remove the human resources, constraints and expertise around that and the whole thing.
Ultimately, 90% or more of the users don’t care. You need to be able to abstract that…
TOM: There’s definitely that hype cycle. You have VCs that go to these startups and say, “Are you using machine learning or AI?” I used to joke in the early days, I’ll show my age with this comment but it’s like, “Can you spell XML? Oh, then you’re an expert.”
People have got to understand, oh, well this is telling me the probability of what to do next. Well, I’m no statistician, but you don’t need machine learning or artificial intelligence to statistically compute probability from a dataset. I think everybody needs to take their hype blinders off and think critically about the problem that they’re trying to solve. How, given the size of the dataset available, what techniques are going to yield the objective they’re after.
In our environment, there’s a combination of things that machine learning and AI can help with. Certainly across customers, as we get observations across customers and we get a dataset of critical mass, you can start learning from that and inferring using this type of technique. That’s certainly what we’re doing now. But I do caution people, like you said, to be leery of the hype.
LEDGE: Absolutely. So you’ve got, like you said, a storied career rising out of technology into sales engineering and sales, and you do sell to enterprises.
I think that’s a thing that most people in business, especially in the technology business, as you scale and as you grow you’re going to move upmarket. You’re going to sell into the enterprises. It’s just a materially different experience than it is when you’re small and you grow up to that stage.
Having worn that sales and sales engineering hat for that level of customer, can you draw on some of your experiences and say what works when you have to grow your company to the stage where you’re selling to the very biggest dogs.
TOM: I think there’s an important distinction too. Is that, if you are selling some form of services, increasingly you’re selling both to enterprises and then to other service providers who provide services to those enterprises.
If you just think about the adoption of cloud for applications, for example, virtually nobody runs an internal payroll system anymore. Virtually everybody uses some type of service, from ADT or something like that. Increasingly, enterprises are turning for IT services to these different service providers.
So, whatever you’re selling, you have to be prepared to sell both directly to enterprises – the large one like the ones you were referring to, but also if you really want to succeed you have to be prepared to also sell to service providers. Which have some of the same requirements, but have some additional complexities around scale, segregation of data, multi-tenancy and other things depending on the application.
The key thing is that, what I've observed in my career is that the same trends that are megatrends that people talk about that are driving and changing the IT landscape, are changing the way you sell into enterprises. Everything from the emergence of the social network, the plethora of online resources, and just the nature of how organizations make decisions in a very matrixed fashion.
I think there was a study that came out recently that said that there are 72 different people that weigh in on an enterprise purchase over $100,000. Think about that for a second. Somewhere along the line, all these people touch this in some way, shape or form – either weigh in as an influencer, or they have something to do with the processing of that purchase. That’s a staggering statistic, when you think about it.
What I find is, much like you do in your personal life, you have to really adapt. You have to make yourself visible to people when they’re searching. The other stat is, I think, 67% of the research buyers do in the enterprise space, they do online or through matrixed peer resources before they ever reach out and connect with a potential supplier. That means, you can call all you want all day long and you’ll never reach anybody because nobody answers the phone anymore.
But you could also invest a lot of time and money in making sure that the services you’re providing, the benefits and the value of that, are available online and found when people that want that service are searching and looking for that. Doing their research, so to speak. Does that make sense?
LEDGE: Absolutely. Discoverability is really the biggest issue now. It’s not that different than the type of discoverability you run into and say, “Well, I've got an app store and if I’m a consumer thing this is great because now I can just expose to a billion users.” Except that it’s not because everybody else thinks the same thing, right?
So now I can’t discover your solution when I need it, and that area of research is tiny and the sales cycle is long.
TOM: In every market there’s external influencers that help augment that search. Think about it in the enterprise technology space. Any of the folks that have either done time or done work for any of the large ISVs, Independent Software Vendors, or other solution providers know that Gartner is a pretty heavily weighted influencer for a lot of enterprise decisions.
So, as you look to make yourself available online you also have to have that social network construct I was referring to earlier. It’s no different. It’s increasingly important.
It’s not selling online. It’s just being a meaningful contributor to communities of like-minded and interested people. If you've never heard of Peerlyst, they’re a sort of micro network of really passionate security professionals – cyber security professionals. A LinkedIn for cyber, in a sense.
If you’re contributing meaningful content, you’re providing value in a way as part of a network or a group of people, that helps augment that into your problem you were talking earlier about, the visibility factor.
The other is to try to cultivate relationships with those influencers in your respective market. It’s painful in some ways. In the Gartner world it is a pay-to-play franchise but it’s certainly, in my opinion, worth every penny of it. It’s invaluable to have those influencers, whoever they may be in your market, be aware of you and know of you so if a prospective customer calls up and says, “Give me a sampling of some of the providers in this market and some of their strengths and weaknesses,” you want to be in that conversation. That will absolutely help improve your demand generation, so to speak. Does that make sense?
LEDGE: Sure. Obviously, that’s a daunting task for anyone that is growing up their company and just trying to go, “Hey, man. I just want the phone to ring.” I would totally resonate with that in various roles that I've had and the phone doesn’t ring.
You have a multichannel environment now that is just increasing. The kind of attack surface, if you will, it used to just be well, we had advertising and we have PR and we have a little bit of this, a little bit of that and we should reach who we need to reach. What has happened is the field has broadened so much that becoming a meaningful voice that stands out from the crowd is a huge undertaking, and companies need to be thinking about investing there.
We’ll typically see people out of the gate spend way too much money on product and not enough on promotion in marketing and what becomes sales.
TOM: It’s definitely a science. It depends on what type of business you are. If you're a one-person shop and you’re freelancing your way through contracts, that’s different than if you're 10 people at a startup and you're trying to grow to 100. There’s obviously a different trajectory, a different business model and everything about how you promote yourself there.
But I think the stage of the enterprise also dictates, you do have to create some type of unique IP. Even if you’re a service provider or you’re a freelancer, somebody that’s hired out as a hired gun, you’ve got to be able to at least identify what it is you do and what’s differentiated about what you do. Spend the time thinking critically about that and then, to your point, promote it.
There’s an old adage in marketing that people have to hear something seven times from seven different modes of communication before it sticks. That’s, hey, I need to be out participating in some of these social networks of like-minded peers. I might need to be present in some of the venues where like-minded people, everything from BSides to other organizations where the type of people that you guys are working with congregate and socialize. I need to be able to try to influence the influencers, to some degree.
It’s a little bit of placing bets. The old thing on a roulette wheel. Put a coin on the intersection of four numbers, it doesn’t pay out as much on each number but you spread your bet. I think it’s the same thing in these enterprises, small or medium size or even large, that are trying to make that differentiated voice heard is to spread the wealth. Use multiple channels.
You can’t underestimate the value of in-person. I always joke with people that it’s really important to meet in the carbon form. So, sometimes you may have to make some investment. Getting out of your office wherever you do your work – a beach chair in Maui or wherever – and socialize with the people that either help define your market or help influence it or are your potential customers. Does that make sense?
LEDGE: Absolutely. I wish that I was on a beach chair in Maui, but you know, we got to take what we can get, right?
Well, Tom, appreciate the time. You guys are tackling really important issues out there, and I don’t think that the chatter around cyber is going to go anywhere soon. So at least you’re on the front side of the hype cycle, doing the right stuff.
Thank you for the insights.
TOM: Yeah. Absolutely. Now we’re just encouraging anybody in the community of yours that’s listening, look, if you have a client that might be interested or might be thinking about how do they better leverage the limited resources they have on the security operations side, look us up at syncurity.net. Or you can always reach me on LinkedIn or Twitter. It’s tom_young22.
We really appreciate the time, and we’re looking forward to continuing this dialog with you and the whole Gun.io team.
LEDGE: Thanks so much.