Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an Analyst and Advisor with KuppingerCole Analysts. My guest today is Alexei Balaganski. He is a Lead Analyst with KuppingerCole and he is our CTO. Hi Alexei, good to have you back.
Hello, Matthias, thanks for having me again. And I guess I have to apologize in advance: I am suffering from a terrible cold today, so if I sound weird, just let me know, please.
Our technology will fix that. We have an AI filter also for audio, so that won't be an issue. But we want to have a quick discussion, a bit more philosophical discussion around the nature of cybersecurity in general and how we as analysts and maybe you as the audience, as users, as end users, as vendors should have a maybe slightly different look at the landscape of cybersecurity. You've been traveling a lot recently, you've been visiting other events apart from the important ones, EIC and cyberevolution, of course, and you had a new updated look at what happens in technology, in cybersecurity, in the way we are doing IT in general. And that made you reach out to me and talk to me and to the audience about what's happening right now. What was your starting point to say, okay, we need to... maybe a bit reconsider cybersecurity and IT in general.
Right, right. Well, obviously, the billion-dollar question is, we spend so much more money, we, I mean, collectively, the humankind, the entire industry, so much money on cybersecurity tools and solutions, and yet the situation doesn't seem to be improving. I mean, the breaches are only increasing, and they happen more often, and they cost a lot more nowadays. So why are we not getting the results we are looking for? Maybe, just maybe we are doing something wrong and by we I mean again kind of collectively the entirety of all the IT and cybersecurity specialists around the world including of course analysts like us. And yes you are right, for me this big aha moment was at one of those conferences I have attended earlier this year specifically it was the KubeCon in Paris back in March and it got me thinking. I mean, usually our job as KuppingerCole Analysts, for example, would be something like, that something we would take pride in is that knowing every relevant vendor in the cybersecurity industry, right? And people would come to us just because we know every relevant vendor. And I think it's actually a pretty limited approach towards the entire cybersecurity as a philosophical concept, if you will, because if we only know the tools, if we only can help our customers to find the best fitting tool to solve a specific issue, we are always at least one step behind the hackers. We are always reacting, we are always responding to an existing risk using an existing tool, and we are not looking too far into the future. And... again, what made me think that way, because most of the things I've seen at KubeCon and some other similar events around the world, at least those companies, those scientists, they never had security in mind. What they are doing, they are basically designing the future of the entire IT industry for the next two years and more. And of course, this includes AI, generative AI tools, the cloud native tools, the multi-cloud and hybrid architectures and containers and Kubernetes and next generation networking and whatnot. None of those technologies are specifically marketed or even described as having anything to do with security. And yet they are. I mean, they do have everything to do with security of our collective future. So maybe just maybe we are looking at this whole thing from a slightly incorrect perspective.
Does that mean that the issue is on our side or should that also... We have been talking about this security by design, security by default an aspect for quite some time when somewhere as to presented at these events that you just mentioned, new technology is developed, introduced, presented, implemented. Shouldn't we assume that security by default, by design should be implemented there. Of course, we need to have a look at that. We need to be prepared for that, not only retrospectively acting towards what has happened already, but shouldn't that be a joint effort from those who do the technology development and us doing the cybersecurity development?
And again, Matthias, you are, of course, absolutely correct in that assumption, but you are looking at it from the wrong end, if you will. I mean, in real life, this whole development happened for one reason only. There are businesses out there which demand new capabilities, new solutions for their new business issues. The company wants to run more applications on the infrastructure and they, for example, would go out and look what's there in the academic world of the cloud technology and they would find something like, for example, I've seen a really curious and interesting solution which we could describe as a serverless Kubernetes workloads running on the WebAssembly language. We probably don't have to dive deeply into the technical intricacies of this, but the point is someone has invented the way to run many more applications on the same server infrastructure than traditional Kubernetes and containers. A company would even say they can run like 50 times more apps, meaning that in theory you can save up to 50 times more in your infrastructure cost. Awesome. Every business would jump immediately onto this opportunity. Have they ever considered security issues of those new technologies? Never. They don't care. They only want to save money. And the guys who have developed this technology, they probably care about security a little bit more because they know about it a little bit more. But for them, it's also not a priority because they engineers busy on fixing bugs and improving performance and making it a sellable product. The question is who is going to be this force, this pressure, making all those stakeholders involved in this new technology stop, sit down and discuss security and consider the implications and new risks and maybe just imagine what would happen if 50 of your obligations would be compromised with the same vulnerability instead of one. It would also cost 50 times more in non-compliance fees, for example. The question is, who is responsible for that? Is it me, an analyst? Is it you, a consultant, an advisor? Is it the vendor? Is it the customer, a journalist, a government official regulating us all? I don't have an answer for that. Probably everyone. The question is like what can we do on our end to raise this awareness to connect those people to involve the real security guys who actually do care about security and know about it and can anticipate some of those issues in advance to sit down together with those innovative vendors and talk about their issues. That's a million dollar question.
Right, but when we look again, that might be the wrong angle. If we look at what we are doing when it comes to projects, when it comes to looking at commercial environments where these solutions are actually in use right now, if we look at that, we come across lots of regulations. So having cybersecurity governance compliance and proper mitigating measures for all types of risks, be they cybersecurity or compliance, making that properly, achieving that properly is one of the key issues. And I think many organizations just want to avoid what you just said. So going for the actual benefit, having more applications around scaling up quickly, saving money when that actually means falling in compliant, when it comes to falling for high fees, when it comes to being in the press or losing data in a situation where they did not expect that. So... I know this is the analyst preaching and I know that this is this retrospective or more regulation fee discussion, but in the end, this still holds true. So why aren't these technology vendors thinking of cybersecurity at the same moment as they are describing new scalable, new sexy technologies?
Well, I guess if we knew the answer to this question, we would be the benevolent leaders of the entire world. Unfortunately, we are not. And yes, well, I guess the underlying core problem is that the majority of the businesses around the world's security is just nuisance. They do not want to think about it. They do not want to invest into it. And the only reason they would gradually even spend some money on cybersecurity because the compliance auditors tell them, right? So security sucks, security costs money, it doesn't bring any return on investment, at least that's how most people think. So yes, selling security is extremely difficult, but we have to understand, even though people do not care about security, or at least they do not care about cybersecurity, they do care a lot about being secure and safe. I guess it's just a fundamental misunderstanding and us analysts and them vendors and the customers are there speaking different languages because of course nobody wants to be hacked. Of course nobody wants to be caught in a non-compliance lawsuit or whatever hit by a regulation. They... But again, they want to earn more money because this is something which every business understands. This is tangible. Wow, this thing, I buy it today and I can save 50 times more money in comparison to an existing technology. Awesome. Give me two of those, maybe even 20. And understanding that this can actually cause some security issues in the future only comes too late usually. The question is who has to tell them? Who has to explain to them that there are those issues? And those issues are actually solvable, they are addressable. Either through an improvement directly in the product, or maybe through some compensating controls, or maybe even a boring security tool, or maybe just a change in the policy. Because again, for example, we are talking a lot about Zero Trust. And again, we are talking a lot that Zero Trust is not a tool. It's not a product, it's just a different mindset. And it's actually very easy to implement if you are ready to do it consistently. I guess the same has to be somehow invented for all these new cloud-native technologies, for example, or for AI technologies coming further in the future. Someone has to come up with this great short list of rules, how to do... again, not how to do cybersecurity for AI or cybersecurity for multi-cloud, but how to do AI securely and how to do multi-clouds securely. And this is a minor change in semantics, but it's a huge difference in the ability to actually explain and sell it to end users, I guess.
But if we look at that from that angle, could that mean that this is not necessarily an issue for the technology developing community, but it's an issue of the architects that combine all these Lego blocks of architectural building blocks for multi-cloud, for whatever you've mentioned right now, and even those technologies that we've used before or still are using right now, retrospectively looking at this as an analyst. Combining all of this into actual tangible real-life architectures. Shouldn't that then be the issue of the architect to combine existing and new security technologies together with these new shiny sexy technologies that come with the promise of more performance, greener, more ecological, leveraging of resources, et cetera, et cetera? Is this an architecture problem?
You are hitting the point, right there, Matthias. Of course it's an architecture problem. The question is who is supposed to design such an architecture and who can design such an architecture? Can you? Can a CISO of a bank do it? Does every CISO of every bank... are they supposed to do that separately? Never talking to each other and never asking an expert like us or a vendor directly to help them? Probably not. It's a lot of reinventing the wheel over and over again. So I guess the biggest thing that's lacking is basically communication and awareness, again and again. Someone has to bring it up. Someone has to bring all the right people to the same table for a discussion. And someone has to invent best practices and someone has to test those best practices maybe with their own mistakes and share those findings from their own mistakes and step by step it will come to a common blueprint for such an architecture. The question is, well, who and when and where? And I imagine that one of the better places to do this kind of discussions is again, attending the right event, the right kind of conference. You mentioned our own EIC briefly, but that's exactly the place where you probably should go to meet the right people if you are specifically looking for best practices and new architectures for, obviously, identity and cloud, because that's right in the name. Or perhaps we are not yet ready to offer you like a 100 % AI-focused conference, but we will be talking about AI and securing AIs. as well. So yes, absolutely. We welcome everyone to participate in such a discussion. We can serve as moderators and as neutral and still highly opinionated people to basically say, yes, your idea looks great and no, your idea lacks in a specific area. And hopefully in the end, someone will come up with such an architecture.
Right, and I think what you said I think is absolutely true. While we are talking, people are inventing technologies for the next 10 years and they are already there. They are in tests, they are in production. They need to be integrated into an overall architecture that claims to be secure and is secure and is designed to be secure. And as you said, we need to foster that communication between the experts of different areas. It's great that these people invent these new technologies because they will be the foundation for next years, for in two years, the infrastructures that we will be using and leverage that with this explosion of new services that we expect to happen. But the communication part is really of importance. EIC, cyberevolution, of course, are important building blocks, but just making people talk to each other, be these forums, be these industry associations where you can talk to each other. We will see at EIC that eIDAS 2.0 will take shape and form and will really take a vital role in real life. This is an example of where this happens just right now. But the next step should be and is expected to be that we as analysts, but everybody in their individual roles, vendors, end users, architects, technology providers really work together in making that not only shiny, performant, ecologically interesting, but also safe and secure.
Right. Well, you know, as Lewis Carroll said over 100 years ago, now here you see it takes all the running you can do to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that. And nowhere it applies more than in the IT industry today, because if you just want to stay relevant, you have to run as fast as you can. And if you want to actually achieve something, like better security for your business or a more sophisticated and optimized architecture blueprint or just a better product, you have to constantly continue your own education. And you cannot do it alone. You have to do it in groups, in communities, in the right venues and forums and, as you just said, conferences. So absolutely, this should be the top priority of every IT expert, regardless whether they consider themselves being involved in cybersecurity or not. So leave your ivory tower, go out for work, meet new people, learn about new technologies, even if they sound completely futuristic today, like quantum and next generation large language models and whatever, serverless WebAssembly Kubernetes workloads. Those things do already exist and they already do work. So there are probably people out there buying those tools, completely oblivious to the new risks and threats of the... Because yeah, the hackers are also out there buying the same tools and they know much better how to abuse those tools. So you have to be running all the time just to keep up with them. And well, join us in this marathon, I guess. You are very welcome.
Absolutely. Thank you very much Alexei for highlighting this and for actually doing that already great summary. So really we need to do this. And as a side note, this really enables us to have a look at all these new technologies, which are really fascinating. So there are lots of interesting technologies around that are really worth having a look beyond what we've been talking about the last four years. So there's more to come. We need to make this right. We need to make this properly. And we need to make that secure. But in the end, we are also exposed to really nice new technologies. Meeting at EIC, of course, is an important part. EIC will be from the 4th to the 7th of June this year in Berlin at Berlin Alexanderplatz at the conference center. And I'm really looking forward to meeting all these interesting people there, also these people that come with these new technologies. And let's hope that we as analysts, that we as advisors can play our role, our part in making these new technologies also more secure and not only looking back at technologies that have been around for 10, 12, 15 years already. Thanks Alexei for being my guest today. Any final words that you would like to highlight when it comes to these new technologies?
Again, never stop learning. Absolutely come visit us at our events, but also consider going to completely new ones which you have not visited before, be it a security event like RSA or a cloud conference like KubeCon or something else entirely. If it's even remotely relevant for your current and future business plans, absolutely go there and educate, educate, educate yourself as much as you can.
Thanks Alexei for being my guest today. Looking forward to having you as a guest in this podcast again. And really looking forward to learning more from your perspective when it comes to this in-depth cybersecurity knowledge that you have. Looking forward to having you again. Thanks Alexei.
Thank you, Matthias, and thanks everyone.
Bye bye.