Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth. I am an analyst and advisor with KuppingerCole Analysts. My guest today is Martin Kuppinger. He's the Principal Analyst and one of the founders of KuppingerCole. Hi, Martin.
Hi Matthias, pleasure to be here.
Again is a good word in that context and a pleasure to have you for that. And as you might have seen, this is episode 200. So we are looking back on a list of 200 episodes because in May 2021, you, Martin and I started with the pilot episode. So episode number zero of this podcast, way back then just audio. But that was the starting point for this podcast and it's still alive. So if you look back on that topic and we wanted to look at cybersecurity, yep.
So we don't need to celebrate because it's 201 now, isn't
That's true, it's episode 201, but from the official calculation, of course, it's 200, because episode 0, the pilot, doesn't count. So it's like when you print a magazine, the number 0 is just a test drive, and we together did that test drive. Of course, when we started, that was the beginning of the pandemic.
OK.
Many organizations wanted to find new ways of communicating with their customers being locked in, locked down into their offices or their home offices. But we chose that and we really wanted to make sure that we use this as a challenge and as a chance to find new ways of communicating with our customers. Of course, many people did that. There are lots of podcasts coming out of that, but we are still there. If we look at the cybersecurity landscape way back then, Martin, have things dramatically changed since then? Working from home, cybersecurity being really challenged through many people dialing in through VPNs. Now we are three years later, things have changed.
Yeah, people are dialing in via VPNs now. No, just kidding a bit. But I think the point is that we still have a ton of things to do, we are still not yet there. And on the other hand, I think also, things have changed in a sense, some things have improved, but it's a long journey. It's probably an everlasting journey, cybersecurity. Probably the most prominent thing which happened since then was that... With the pandemic, Zero Trust experienced a hype in attention. Right now, it's like in a typical hype cycle, it's probably a bit more in, I would say, behind dissolution, but in really becoming more reality as a paradigm on how to do cybersecurity. On the other hand, I think it's still a lot of things are, as they have been, too many tools, too little integration between tools, things like that. We see some change here, like with XDR, so extended detection response where a lot of technologies come together. So we see progress, but we are definitely not at the end of the cybersecurity journey. Not at
Absolutely, and we were a bit lucky because we started as KuppingerCole very early being a cloud-only, a cloud-first company, so there is no such thing as an on-premises scenario that we at KuppingerCole can use. So we were happy to actually not having to switch from on-prem and VPN to something more modern - define modern in that context - but we could just continue working because we were in the cloud already. Many organizations had to learn that the hard way. But this is the way that many organizations went. But still, many organizations still, especially the regulated ones, are still focusing on having a secure on-prem environment still available while moving towards more cloud over time.
And not only the regulated ones, every organization that is producing something, that is manufacturing, always will have a certain part of its IT on-premises, because at least the OT part and the link to the OT part always will be there. So, and yes, the longer you're out, the more legacy you have, the longer it takes to change things. And yes, we have seen, but even ahead of the pandemic, we have seen, or someone yesterday said to me, BC - before Corona, we have seen a lot of shifts to the cloud. So really things moving, being sometimes lifted, shifted, sometimes really being changed. But yes, I think for every one of us, using Teams or Zoom has become the new normal. We spend way more time using that type of communication. And I think we have learned a bit about how to do it in a somewhat secure manner, but also that still is a learning curve we are
Right. And I think the audience or you as the audience have already realized, of course we want to leverage this episode 200 as a means to look back on 200 episodes and three years of that podcast. There's another important anniversary that we will be celebrating a bit later this year because it's 20 years of KuppingerCole but that will be a separate event and we are planning to have that in a very special episode as well. So we are now looking back on these 200 episodes and three years of being online, being on YouTube, which is also something you need to get used to. But Martin, if you look at this course of these 200 episodes and three years, how do you think this podcast has contributed to cybersecurity? And were there events that you realized, yes, we are more visible than before? There are people that... really watch this podcast and get back to us and talk to us. It's a niche, we know, but do you have any, did you have any experiences where that really played out and people asked you for that?
Yeah, so you're asking me things, I thought for episode 200, I don't need to prepare, because you will just list the 200 topics we have covered. Seems not to be the case here. So, okay. Yes, I had quite a number of people coming to me and saying, hey, this was a great episode. People sharing it on LinkedIn, coming back and saying, hey, do you also want to be part of my podcast? So it's really something which happens to me quite frequently, I have to say, even beyond that part which is sharing information on LinkedIn. So it's something where I feel that a lot of people are looking or listening to this podcast. At the beginning, it was only listening, right now, you can listen only or you can also watch us if you want to. I remember my colleague Alexei a bit earlier before we started this saying to me when I discussed, shouldn't we do some things more in a videocast style or so, where he said you know who wants to see Martin on video? So you still can go to the audio version if you want but we have it, we can use it, you can listen to us and I believe we covered really a ton of topics over these 200 episodes so I think there's not that much which remains untouched in identity and
Absolutely. And then this is actually one of my questions that I really have when it comes to this podcast: what were the memorable moments and key insights that we learned through this? If I start, the most important part that I learned is that you're fact-checked, that people are listening to that and really not in a critical way, but they want to make sure that everything that we say is correct. And that sometimes leads to the fact that even something that is said by, especially by our British colleagues, is meant tongue-in-cheek, so not really earnest, that these things are sometimes taken very seriously and that you sometimes need to make sure that, hey, this was a joke. I remember Paul mentioning in one podcast that people are currently working on a new version of ISO 27001. And he said, okay, that might be then 27002. And that was a storm of complaints, of course, because 27002 is already there, something different. It's accompanying. So I had to make sure that the waves go down a bit, but that was meant tongue-in-cheek. Any other memorable moments, key insights that you learned, or maybe feedback from vendors, from end users, from all of our peers in... all around the cybersecurity world that comes to your mind?
Yeah, so where I get most concrete feedback is really around Identity Fabric. So this is when we talk about the Identity Fabric, this seems to be something which really a lot of people listen to, a lot of people look at. And I also just had something, I think just a couple of episodes ago, we started talking about AIdentity. And I just yesterday have been asked, what this is about, what do you have in mind when you use the term AIdentity? So it's really also people are listening to it. People are picking up things we are talking about. And yes, they are listening thoroughly and giving us feedback, which is good. And we only can learn from that. And yes, I think some of our British colleagues tend to be, yeah, making their jokes sometimes in there. But I think this is also part of a podcast, otherwise it would be horribly
Exactly. And also the communication with the audience, with you out there that are listening to that or watching us, I always ask for that and it's working. We are getting feedback and that is really of importance because this is nothing that we just, we don't just sit here and talk into a camera for, because we're bored. We want to get in touch with people and that feedback is coming back just as it is at our events, at our webinars. So the feedback also is important. And I can always only highlight that, please do that. Let us know how you like an episode, if you like the topic, if this is of your interest or not. This is also of importance to say, okay, maybe this is a topic that has been touched upon many times so we can skip that. I think KuppingerCole has a broad range of topics to cover so that we can talk about many, many topics. Talking about topics that are interesting, yeah.
Or the other way around, send us your request. What do you want to hear us about? Because I think we can talk to a lot of things. And I dare to say we can provide valuable and meaningful information about everything in cybersecurity and identity. So if there's something you'd like to hear our perspective on, just reach out to Matthias, fill his inbox, so that he has more topics we can cover.
Exactly. Yeah. Usually I complain when my inbox is full, but this is the feedback that I would love to have. And if you want to do that, go to your mail client and go to mr@kuppingercole.com. So this is really meant by heart and this is really meant earnestly, just let me know. One final thought regarding three years and 200 episodes. Thinking about the changing cybersecurity infrastructure, cybersecurity world, also cybersecurity challenges that we have, what comes to your mind? What do we have right now, which was just not the case three years ago? What has changed dramatically since then while we are talking?
Generative AI came in. It also augments us in doing things in cybersecurity and identity better. But if you also need to get a grip on AI, that truly is one of the bigger events well beyond cybersecurity, but it impacts cybersecurity. I think also the learning of the world will remain hybrid for most organizations is a very important one, which became much more clear over these three years. And I would say the understanding that cybersecurity starts with identity is another one. It all starts with me or someone else, or even something authenticating to something that's about identity and access and all that stuff. And so we have this term which is way more frequently used around identity security and... Yes, there are a lot of things in cybersecurity which are not about identity. There are things in identity which are not about cybersecurity. But there's a big area where these things are very closely connected or where identity impacts cybersecurity. This is essential for cybersecurity. So if you ask me for some of the, I would say, bigger changes, we also saw a lot of sort of new types of technology emerging, like I've mentioned XDR. We had... talk about the SASE, we have the term ZTNA, Zero Trust Network Access becoming very relevant. To my opinion, a bit of this is a bit too network centric. So I think network security, yes, is important. Transport security is very important. End to end security is very important, but I think we need to also get better, much better on data security, data governance, and the entire identity piece as part of cybersecurity. So it's bigger. Maybe also what we saw is, and this is part of XDR, it's part of ITDR, identity threat detection response, that is, AI can really help us greatly in dealing with these huge numbers of signals we have to spot anomalies, to spot
You've already mentioned that. AI or machine learning, to be more precise, is one of the key challenges that we have and also the key enablers that we have. If we look at the risks and the benefits of these technologies, for both the attacker and the defender, if we look now, if we go back, if we don't look back at the history of 200 episodes, but we may take the next 200 episodes starting now, and by the way, we will come back to a weekly schedule starting with that episode. So there will be more info again. So this two-week cadence is about to end. So when we look at the new technologies, the new challenges, where do you see the main changes also resulting from AI? When we look into the next, say six months, nine months, where do you expect the most dramatic changes where AI and ML will play a significant role?
Yeah, so I'd like to bring up two and there surely are more. One is, so to speak, only positive. And one is first negative and hopefully then will turn into positive. The positive side is, I mentioned gen AI, generative AI. And we've seen some great things around assistants, co-pilots, et cetera, which really augment users. I think this is the way we should think about AI as augmenting intelligence. It augments humans in doing their jobs better. It helps us in dealing with the skills gap. It guides us through complex tasks, helps us doing things better. And we see great progress here. And this helps us in cybersecurity, where we have complex tasks, where we always have skills gap. Cool stuff. And I really like what I see here. The other thing which is very prominently discussed, also in the public these days, this is deepfakes. And... So the main perception is, AI enables deepfakes. And this is problematic. And yes, deepfakes are problematic. I think what is a bit underestimated in this context is, AI is the best weapon against deepfakes. And I think this is the really cool thing here. So when we look at cybersecurity, we have this saying about an attacker only needs one working attack vector. We need to defend against all. So it's a very uneven thing. And yes, that is true. It's way more difficult to successfully defend against attacks than it is to run an attack. It's really an unfair situation in that sense. But for deepfakes, what we must not underestimate is, if we, so to speak, throw AI on that, then the defending AI only needs to spot one error, one mistake in the deepfake to say oh this is potentially a malicious thing, while creating a deepfake must then be perfect, which is specifically if you do it for live interactions, virtually impossible if you have a good AI defending it. So AI can become and already is becoming in many areas, a strong weapon in cybersecurity, including defending against AI based attacks.
So the good thing is in our outlook on 2024 and beyond, we have already managed to find the elephant in the room, which is of course AI and machine learning in cybersecurity both on the defender and on the attacker side. So we can skip that and take that off of our list. If we think of other cybersecurity areas that are important and are often... overshadowed by AI and ML as being the most significant first to be mentioned item. We just came across quite some larger recent breaches and many of those are still not yet fully clear. So cybersecurity supply chain risk management, I think, is one of the key topics that is not yet fully understood in many organizations. Many organizations are still working on, but they need to because they have to do this based on the requirements by regulations. So what is your position towards cybersecurity supply chain risk management when it comes to providers of critical infrastructure for us using that, for example, using mail, using cloud spaces, using everything that we are just using to make this podcast?
I'd like to bring in a second element here, which is cyber hygiene. And I think these are to a certain extent also related. Also, when we look at large and very, very drastic attacks, with dramatic consequences potentially, I think the challenge we have is that we see a lot of attacks not directly coming in through our organization, but some organizations hit and then mails go out that are malicious to other organizations. And that happens permanently. And usually the weak links are spotted, the small organizations, et cetera. And then they try to make their way to larger organizations. The other side of it is software supply chains, where we have seen a couple of these incidents in the past years, where the vulnerabilities come in via code that is distributed. So you attack a software vendor, you place your malware in their code. With the next update, it goes out to potentially thousands or tens of thousands of customers. And we have seen multiple, multiple scenarios here. So we need to get better in managing the entire software cycle and understanding which software we use. And there are more things right now also obliged by regulations like the software bill of materials. We see a lot of evolution here. Things are happening, things are changing and I think this is a good thing. On the other side, it is a lot of these things just happen because we are not good in cyber hygiene, because we do fundamental things like running anti-malware, like having the fundamental tools in place, like user awareness training, repeated training, phishing attack simulation, all the basic things not very well. And I think this is the other part of it that we really always need to keep in mind. Okay, there's this cool AI stuff, but we also need to solve the
Right, and if I would want to make sure, why do we do this podcast? I think one of the main things why we do that is really to get in touch with people, to convey messages that we think are important. So if you, Martin, if you wouldn't have the chance to give some advice to cybersecurity professionals around the world, be they CISOs within an organization, be they freelancers, be they system integrators working with other vendors, vendors and their teams, what would be recommendations that you would like to give to cybersecurity professionals to be prepared and to be ready to deal with these upcoming challenges, whether we know of them or not, what would be your key message for them?
If it's the key message, then... It's not just about tools. This is the key message. You need way more than tools. And if you think about it, then you should, as first action, you should do one thing, which is, and we have it in our advisory, we have services to do that. This is sort of understanding the slew of tools and cleaning it up, focusing on what is it what you really need. This is the one part. And the other side of it is, what is it what you need to do? You need to have an incident response management in place, you need to do a business impact analysis, you need to think about organization, policies, processes implemented, have the governance frameworks, all that stuff which is around. This is super, super important, because that helps you also to understand where are your biggest risks, where to focus on with cybersecurity, where to spend your money. And only then you can select the right tools. And if something goes wrong, still take the time to think about what is what you need to do. Yes, you need to be prepared, not only with a backup, you need to know how to restore and you need to know how to recover quickly to get your business operations up and running again. But also then when something goes wrong, don't just say, oh, we need a new tool. Try to understand what you have, and why you may need something in addition, and what the right tool is. I've seen so many, so many organizations wasting money by acting in panic mode or headless chicken mode. This is wrong. You need really an organization and a clear thinking. Keep a clear head. Calm and then
Absolutely, I fully agree. The good thing is about moderating a podcast is that you also can choose to answer the question yourself. So I would like to add another aspect to that. Another aspect because one major advice that I would like to give is: you are not alone. You can talk to people. Of course you can talk to us, but that's not what I mean. Talk to peers, talk to others who are in similar or the same situation that you are in. Learn from each other, really create communities, work with each other and really help each other to create an infrastructure, but also a mindset that is prepared for dealing with cybersecurity in a more modern way. And I think talking to people, learning from people, having peers in other organizations, even from your competitors, don't care. And just on a speed dial on your phone or on your mobile phone or on Teams or whatever you use, I think that is most important. We are happy to communicate with you and it's not about selling products and services at the core. It's really about making things more secure. And that's why we are doing this podcast. That's why we are doing events like the EIC or cyberevolution, bringing people together. And the best part is when they talk to each other face to face, peer to peer. And that is really something that I would really like to encourage, because this is really adding value to what you're doing in cybersecurity and in IAM, which we are both stemming from. Any final thoughts regarding advice for cybersecurity professionals?
Read our research, talk to the analysts, ask the analysts, you can reach out to us, ask us, ask your peers, as Matthias said, go to the right events, be at EIC, which is European Identity and Cloud Conference, but identity is so super important for cybersecurity. Go to cyberevolution 24, by the end of this year again in Frankfurt. So really talk with others, talk with us, reach out to us. And yeah, because it's... A lot of these things have been seen, have been done by others and it helps to look at it. But also, I always step back and think about what is a common practice versus what is really a good or best practice. Not every common practice is a good practice. So, but again, this is something where you can ask us because we might be a bit more neutral on that than some
Neutral is one of our key brand promises and I think that is where we also deliver. We're closing down that episode. So this is the end of episode 200, or 201 as you said rightfully. Thank you Martin for being my guest today, for being my guest in episode number zero, the pilot, and for many times in between. And we are looking forward to continuing that journey, to continuing that podcast. It's good to see that the podcast lasts longer than Corona putting us in lockdown. And so we are happy to do that and we are happy to receive your feedback. Again, if you have any topics to share with us, please let us know. If you have any questions regarding this podcast, please let us know. If there are any topics that you would like us to focus on, to dive deeper into, let us know, and any other ideas regarding that podcast. We want to improve on that. We want to make sure that we bring this community, this audience closer. Please let us know. Thank you again, Martin, for being my guest today and looking forward to having you soon.
You're welcome.
Thank you.