welcome to the KuppingerCole analyst chat. I'm your host. My name is Mathias Reinwarth. I'm an analyst and advisor at KuppingerCole analysts. My guest today is Alexei Balaganski. He's a lead analyst with KuppingerCole focusing on cybersecurity and much more. Hi Alex. Hello Matthias. I am so glad to be back in our podcast this year.
Yeah. Great to have you again. And, uh, as we have seen already, lots of things have happened in the meantime, since we had our last podcast episode together, I have been talking with John Tolbert, our colleague as the first episode of this year, 2021. And we talked about the solar winds. So Lori gate incident, and I think we should start with that and to catch up with that at what happened in the meantime, since John and I have been talking about that, what is the main takeaway that you now that we are six to eight weeks into this incident? What are your key takeaways? When you think about this incident? What can we learn from that?
Well, first of all, our prospects are really amazing kind of the incident on its own. The in isolation isn't really that unique. I mean, the worst things have happened earlier. What kind of repercussions of this whole incident are really kind of still can be Steven herds weeks, months after the event in very different areas for the analysts or the forensic experts like antivirus, textbook case, great opportunity to learn new stuff, new technologies, to kind of train the research teams for software vendors, especially like security company. So it's a great marketing opportunity. Everybody is now selling you on their products or applications that will product X or service. Y you would have been absolutely protected from those hackers, right? The politicians are talking about cyber war conflicts and stuff like that. I'd really rather not touch that topic at all, but for the general public, if you will, and for us analysts, I think the most important things to consider, like what are the long-term implications of this? So yeah, absolutely. We go see marketing campaigns and advertising. We will probably see a sharp rise in interest in this whole software competition security or whatever questions like, is that enough? Is it all I would argue? No, we have to think even further in the future, we have to think about the bigger picture for the lack of better word, holistic view on this whole problem. And to me, this all starts with how do we make our software more secure?
So it's really actively protecting ourselves from events like that, preventing this from happening, which would be the strategies to achieve that too, to make sure that this, even if it happens to others, it does not happen to us.
Well, I guess the biggest problem that's kind of making a secure software was never a profitable business. I mean, there was a really rare exceptions like banks, which are highly regulated by governments or like space flight, where the margin of error is extremely narrow and people die because of a software bar in every other industry, making software secure. It just doesn't pay. If you bring your software to the market as fast as possible, even if it's suddenly half working, a minimum value product, a beta version, alpha version, or the excess, that's the way how it, how it worked for at least several decades. And only now we start to understand that this approach is actually pretty dangerous in the longterm. And now somehow we have to reorient the whole software development industry if you will, into a different direction. So yeah, absolutely. It starts with some technical measures and technologies as well, but not only with them, governments have to be involved or I don't know, public pressure called grassroots campaigns. If you will, as analysts, uh, vendors themselves, everyone has to rethink like, why are we doing software this way and not the other way,
But that's also something that we will look at a different area. If you look at, for example, AI, where, um, our machine learning to be more precise, where, um, regulators step in and say, okay, we need to make sure that we understand what's going on within a, a model. What is going on within the machine learning processes to make it explainable, to understand what is happening in there. So there is an impetus to, to move towards more secure, more understandable approaches. Um, so maybe also regulators could play a role when it comes to making software more secure. So having an external force pressuring the software windows, but also all end user organization towards more security, would that be in approach?
Well, one great advantage. I believe the AI field has against the good of software development in general. It's really you, it involves a lot of really bright academic people and it draws a lot of attention from the press from the public and of course from the regulators. So yeah, with AI, we have a particularly understanding that if something goes wrong with AI, we will end up with Skynet like the terminators. So even people who have absolutely no idea how AI works, they at least feel the potential risks, right? With quote, unquote, more traditional software. People just don't feel it. They don't see like the worst thing which would happen if my game precious or my word document doesn't save properly. Right? If this is the only risks people are thinking about, they are not inclined to invest more into security. And that's exactly the biggest problem with that because the challenge and one great thing that happened finally after the solar intentions intelligence that people at least start to think about things like bomb. It's not just hackers and threats. It's like risks. I am a businessman. I do not understand hackers, but I understand risks and understand mitigations. So they are now thinking about this in the same terms, we have two similar terms they used to think about in more physical growth scenarios. Like every business has to have measures against physical risk. Like what if power goes out? What if a natural catastrophe happens? So what if an epidemic happens or, and a software supply chain risk management is just as important as we have just recently learned,
Right? When, when organizations are focusing on what they are really good at what, where they Excel, they rely for everything else on services provided by third parties. And that is exactly what happened here as well. The many organizations who aren't relying on the functionality on the surfaces that solar winds provided to them, um, without applying proper risk management that would lead to organizations being in the situation that risks can occur from everything else that they actually do not control themselves unless they are applying proper risk management here. And that is what you're aiming at really looking at controlling, understanding, mitigating the risks that come from everything else that we do not do ourselves and embed combined to our own products. How could that look like?
Well, again, first of all, we really have to learn from the businesses themselves because companies, I don't know, automotive manufacturers, construction companies, retail banks, they all have dealt with supply chain risks for decades, for centuries, maybe, I mean, power transportation or farmers that deliver products to your supermarket. This is all supply chain risks, right? And in reality, it's not that very much different from a cyber supply chain risks year. Of course, we are dealing with, uh, immaterial goods here. Like we are dealing with software, but, or the controls, which have to be in place are at least similar. And the processes are similar in terms of the implications for those risks. If we finally understand now are also similar or at least comparable in potential losses, or it's just an additional field of risk management to incorporate into your business processes and planning. And of course it has to be translated into some specific technology and real controls in place, but unless a business is start to understand that, yes, it is just another area of supply chain, risk management, nothing will happen,
Right? So we have talked about awareness about the willingness to understand that there is a risk as the starting point to, to calculate that into the equation of creating solutions apart from market success, apart from, uh, delivering quick and fast and agile solutions to also have the risk approach in mind as a starting point. The second you mentioned is the cyber supply chain risk management, as a result of that, being aware to make that efficient and to really apply that to the processes, when we take the next step, what would be then the technical outcome, the actual technical measures to mitigate these risks when it comes to creating your own software. And when it comes to judging, um, software services, infrastructure services that you're consuming from somebody else, what would be the areas to look at?
Well, it's actually very good that you just mentioned creating your own software because many companies believe that if they aren't actually in software development business and they do not create their own software, in fact, they do it just their own kind of software. Because even if your like finance department is using Excel spreadsheets to manage your finances, it's still kind of quote unquote, your software you're relying on. And if there is a bark in your Excel, macro, which handles your bank payments or whatever tax calculations, that's again, it's your software problem in the end, right? So I would say that again, environments that software security starts with security, your own software, and that starts with designing your software development around secure processes is the key. It's like the opener to all of the technologies, which you can employ afterwards. And of course, designing secure software starts with our DevOps.
People like, like the stoma shifting left, right? Don't the earlier you include your security controls into your software development. The better, ideally you should have some thinking about security even before you start writing your code. So when we are talking about developing your own software, you should really remember that software can be really, really different. Some companies would focus on like highly skilled and large internal departments, even designing mission, critical business software. Those have totally different requirements. They would probably have to invest a lot into specialized tools like software code analysis for finding potential barks in your code. Before that code even goes into compiling and then production, there are of course, absolutely need to invest in software competition security, basically understanding that every third party component open source or not, you include in your, in your application is a potential security hole. So you have to understand which risks come with those, uh, third-party libraries and there's the case and software, but even companies which only employ like non-developers and all those quote unquote, Streeters and developers, they already have to start thinking about software security, because even if Jeff mentioned that Excel spreadsheet is a potentially extremely insecure piece of software.
And if you are thinking about investing into a proper low-code slash no-code percussion development platform, those come, I mean their own sets of risks as well. And unfortunately, or as long as many companies, three, those no quarter trumps as Excel replacements, software security is absolutely not on their priority list, right? And this is extremely wrong. And there are very few, uh, no code to local vendors actually placing security on top of their priority list. And this is something that has to change. Okay.
So maybe that is also a call to action for software vendors to start investing in that.
Absolutely. Again, so this whole citizen development as a movement is now extremely popular and growing, which means that companies will adopt those solutions more and more, and they will start teaching their users to create their own programs, to deal with some small problems on their workplace problem. With that, if they start teaching them the same way they taught developers 50 years ago, not will change if you are adopting a low code application paradigm, but you were only 300,000 replacement for your Excel spreadsheet, nothing will change. And this is exactly what we have to avoid,
Right? So we have talked today about three very important aspects, uh, closely connected to what we've seen in the SolarWinds incident, but also beyond that to make own application secure, to apply proper risk management, also a software infrastructure to software development processes. I think they're at least three or four more episodes for this podcast could, um, come as a result of our discussion today. Um, I would like to recommend to our audience to, to check our website as usual because cyber supply chain risk management, but also awareness applying proper risk management in general, but also secure software development. As you've mentioned are aspects where you can find much more information on our website, in our research documents, in our webinars recordings, but also in our blog posts. Thank you very much, Alex, for giving that insight, we will continue that discussion. I think it's really important to, to also raise more awareness for these important topics, be they sexy or not. Uh, so it's really important to continue at that point. Any final remarks from mute before we close?
Yes. Ma'am I would really like to start again. Yes. As an endurance house, we offer a lot of research which covers all of technical implementation details. If you will, that will be published or the research on API security, for example, database security. And they will do much more with regards to source code security as well. But again, those are tools and unless your company finally understand that we are not talking about magic, or we're not talking about sophisticated hackers or any political things, we are talking about basic risk management hygiene, which any sensible business have to have in place all the time. So again, before, uh, investing those tools, you have to start with your strategies and your business policies and your risk management, uh, extended to cyber security and it, and, uh, cyber supply chain, because tools tend to give you the feeling that are just buying those tools solves the problem. Unfortunately, it doesn't, you have to start with a strategy and then follow up as tools.
Two, two thoughts come to my mind first, um, this rude saying that fool with a tool still as a fool. And, um, on the other hand, your early blog post about the cargo cult of cybersecurity that we have already covered in this podcast already. But I think that is something that we can pick up in an upcoming episode as well, because I think that fits neatly in here for today. Thank you very much, Alex, for being my guest today and for talking about these interesting and really challenging topics. Thank you, Alex. Say, thank you, Mathias and talk to you soon. Bye bye. Bye .
