Transcript
Opening
Mike Krass: Hello, everybody and welcome to What's the Problem, the podcast where we dive deep into pressing issues facing cyber and data security leaders today. In each episode, we are joined by guest experts who share their insights and their experience in the world of cyber and data security. So whether you're a seasoned veteran or a new leader in the field, this podcast provides some valuable info, some strategies, and some takeaways to get your organization to the next level. So join us as we explore the changing landscape of cyber and data security, and discover new ways to tackle problems or issues in the field. This is What's the Problem. I am your host, Mike Krass. Let's get started.
Conversation
Mike Krass: Today we are joined by Andres Andreu. Andres, say hello to our listeners.
Andres Andreu: Hello, everyone. Thanks for having me.
Mike Krass: Absolutely. We appreciate you taking the time to talk with us. Now Andres, tell our listeners, who don't know you like I do, why you are qualified to talk about security.
Andres Andreu: So I've been in this space since 1992. I have worked in federal law enforcement here in the US. I've worked globally in the private sector. I’ve consulted. Relative to this conversation, I think the interesting part is I left the corporate world in 2012. And I was employee number three at a startup where we invented three cybersecurity products, and took that all the way to an acquisition by a larger company. And so I've lived and currently live on the corporate side or the purchasing side in respect to cybersecurity products. But I also lived on the product side, which I think gives me an interesting perspective.
Mike Krass: Yeah, so let's dive into that perspective. The topic that you and I kept talking about, Andres, is as you speak with cybersecurity founders, there seems to be… In your words. I’m paraphrasing you. There seems to be this hard time dealing with the fact that no matter how strong their product might be, it's not a case of build the best product and everyone will come to you. They'll just divest from their current investments in other cybersecurity vendors and come to you. There's a couple things that I wanted to talk to you about. So what are those challenges that they most often don't see? Could you give a couple examples of those that you are able to share from experience?
Andres Andreu: There's a reality to the purchasing lifecycle of products on the corporate side, for instance. You could have the greatest product on the planet, but if I already have one that covers the functional areas that you're coming to the table with and I'm on a five year depreciation cycle or something of that sort, it is not easy to uproot an existing product. Not from a finance perspective, not from a legal perspective, not from a privacy perspective. And so I think if founders understand the complexity of our (the purchaser’s) side of things, it may give them an interesting perspective in terms of the path that they try to pave towards selling us a product. If you really step back and think about it, a seamless integration is probably Nirvana of selling a cybersecurity product. But seamless integrations today, given the saturation of the market with so many vendors, it's kind of hard to find.
Mike Krass: We see in our work, if you're trying to introduce a point solution. You just talked about the integrations. That seems to be a challenge too. We've got the strongest point solution for this exact thing. And it seems like the question that a lot of buyers come back with is, “That's great. How is this going to integrate with everything else I've invested in and stood up?” Is that something that you see in your work day-to-day?
Andres Andreu: Oh, absolutely. The last thing I need as a 15th dashboard to go look at. Irrespective of how great your product is. You touched upon a keyword, in my opinion. If you think in terms of solutions. Not point solutions, but solutions. It's a different mindset. For instance, rolling up data points from n point solutions up to one dashboard that someone like me can look at before I go talk to a board or to the C suite, that's very useful. But I find very few products actually come to the table with that mode of operation in mind. They just kind of come with their little enclave, their little silo. They say here's this great product. And you say I'm trying to simplify my ecosystem. The last thing I need is a new product. I'm trying to get rid of products.
Mike Krass: You've touched on something there as well. This story of a vendor coming to somebody like you, Andres. They've got this outside-in story. Like, here's what we're doing here. What I just heard you say indirectly is, well, actually, I'm looking from the inside-out. I've got to look that way. Can you tell us a little bit more about that from a Chief Information Security Officer standpoint?
Andres Andreu: Yeah. One of the toughest things when you start in a new role is taking an objective and an honest look at the products that have been deployed and whether you're, one, using them properly and, two, whether you really need them or not. Just because the product’s been here for three years, for instance, are we using it properly? Do we really need this? I can tell you from conversations with them, a lot of my peers and myself look at the ecosystem in terms of “What can I get rid of to simplify my world?” I don't need five products telling me the same thing. I really don't. And the funny thing is, if you point the five products at the same problem, you get five different sets of results. So you're gonna have to just pick one and say this is what I'm gonna live with. You know, that's a challenge. And I think it's a tough one because it's easier to come into an environment and say I don't want to rock the boat. I'll just leave everything that's there now. Just leave it in place. And our job is to ask the tough questions or face the tough situations. And so cleaning up an environment from a product perspective is just part of the job.
Mike Krass: So you've got five products that you’re trying to simplify. I might have to just pick one and go. As you're evaluating, how important is it for you to see with your own eyes their product roadmap for the future? Is that something that you often ask for? You say to pull up your screen right now. You better bring someone to this meeting who can show me the product roadmap. Don't tell me that they're not available. You book me when they're available.
Andres Andreu: I don't do it often. I do it 100% of the time. I'm a very difficult customer to sell to. Because I know all the corners these companies cut, I lived it. When it comes to the product roadmap, either you have it or you don't. Don't tell me you're gonna go get it and come back to me in a week. Because that means you don't have it. You're gonna go make it up and come back to me with something in a week. I've been around too long. I know better than that. If you come to sell me something, you better have that roadmap ready to share on your screen right now. And if you tell me something verbally, that is not matched by what's on that roadmap, we're done. Because trust and honesty in this industry is of paramount importance. I value that. I value my relationships with good salespeople more than I value the products they bring to the table.
Mike Krass: A couple words there: trust and honesty. It reminds me of, I forget who was originally attributed with this quote. It goes something like “Character can't be learned. You either have it or you don't.” And character, having integrity…
Andres Andreu: I said that.
Mike Krass: Oh, there we go. So I just gave you a little plug. That was a leading question, Andres.
Andres Andreu: You're testing me to see if I remember what I say. I like it.
Mike Krass: Yeah, this is a memory check. We're gonna see how you're doing over there. But it comes back to telling the truth and being honest and direct at all times. I can do this. Here, I'm going to show you what this is going to look like. And when it's going to happen, at least on the roadmap. I'm sure that you probably give a little bit of leeway on the roadmap for timing. Is that correct?
Andres Andreu: Of course
Mike Krass: They said it's gonna happen in May and it's June, you're not going to grill him on dates.
Andres Andreu: Of course. It's more of a temperature check for that honesty factor. And I would much rather you sit there and give me a negative answer. Meaning no, we don't do that. And no, it's not on my roadmap. But I can take it back to my people and discuss putting it on the roadmap. That's entirely fine. You just gave me an honest answer to a challenge that I posed to you. There's nothing wrong with that. But the worst is when you try to give me some non truthful information to make me feel better about considering your product. That is death in terms of the relationship.
Mike Krass: As you mentioned your experience earlier in this episode, you skipped over the fact that you have actually written a book and gone on a global book tour after publishing that book. Can you tell our listeners a little bit more about that book? What was the subject matter? What was that experience like touring on that book tour?
Andres Andreu: So my book was on pentesting for web applications. But let me qualify that. That book was written at a time when not everyone and their grandmother was a pen tester. There were only a few of us in the industry that were actually doing pen testing as an actual function. Funny story from when I wrote the book. The editor calls me and says let's discuss the title. It should say “pentesting.” And I was like, what is that? She said that’s what you do. Because to us, it was just security testing. I came from the government world where you security tested everything. And so the concept of penetration testing to us by name was a physical penetration of a facility. So I never thought in terms of applying that title, pen testing.
Mike Krass: That’s your law enforcement background right there.
Andres Andreu: Yeah. And so I never put one and one together. But the industry had adopted the term. And so when she brought that to my attention, I kind of chuckled and I was like, okay. That's cool. And so, I was legitimately pentesting applications before it was a thing. A lot of developers that I worked with back in the mid 2000s, when I would bring my findings to them. The reactions were funny because they would look at me and go, “Who's gonna do that?” And you're like, a bad guy, a nefarious entity. Are you kidding? But developers don't think like that. That mindset, still to this day, is not prevalent within the software engineering mindset. Hence, a lot of the security problems we have.
Mike Krass: I think this is a pretty good last question to end on. I'd like to revisit that outside-in vs inside-out conversation we just had a moment ago. As a cybersecurity founder, how can you tell a stronger inside-out story? What do you need to know? What do you need to be equipped with to tell that story accurately?
Andres Andreu: I think the first thing is understanding the challenges that we're up against on the corporate side or on the purchasing side. For instance, the uprooting of existing products is probably the biggest one. The integration within a larger ecosystem or a larger solution is an absolute must. The third point, going back to the saturation of the market, is understanding that the modern day sales cycle is way longer than what it used to be. When there was one vendor on the market, the sales cycle was pretty short. You didn't really have to go compare, do a product comparison or anything of the sort.
Mike Krass: How long was it when there was one vendor? Do you remember, roughly?
Andres Andreu: We would do two week POCs. If everything worked, the purchase was done. I remember those days. Now, you end up in a 30 day POC with three products. And then you have to do an analysis of all three to see which one checks off all the boxes that you're interested in. Which is the best value? There's a reality to that. And another thing that I think a lot of modern day founders should be aware of is that certain things are now frowned upon. For example, 7-10 years ago, you could sell a product and say this product will require that your people come to a week of training. That was acceptable back then. That is no longer acceptable. If you require my folks to get trained on your product, I'm looking for something easier to use. I don't have enough staff to lose a whole week getting trained on a product. Understanding our realities, I think, would go a long way.
Mike Krass: Just kind of summarizing, tell me if I got this right for the listeners as kind of a takeaway. To tell this inside-out story accurately, you're talking about longer sales cycles driven by longer POC cycles with multiple vendors. Those cycles are followed by an analysis of which ones actually check the boxes. Which one is the best for our organization? So it's no longer two weeks, and as long as the rack didn't catch on fire, it's like, yeah, we'll go with you. That sounds great. It’s 30 days and then a review period after that, followed by... Basically, it's the same decision, but it's the second time. This is who we're actually gonna go with in the long run. And in terms of onboarding and bringing this into your company, I'm not sending people to your Scottsdale, Arizona office to do an afternoon of golf and four days of intensive training. If it takes four days of intensive training on site, that’s not a product that I can literally afford to purchase. With the team that I have today, I can't afford to just send them away to do this one thing. That was kind of the thing you didn't finish with, but that's what I heard you say. To do this one thing, I can't afford that. I'm sorry. That's out of the question.
Andres Andreu: Yeah. So that's one of the elements that we actually implement in our analysis, our product comparison, rather, so that we can analyze that as part of the overall equation in terms of making a decision.
Mike Krass: And I guess the obvious question… My journalism background would slap me for not asking this one first. Have you recently been asked to send your staff on site for training? Or are you speaking like this happened in the past?
Andres Andreu: No, no, no, this literally happened last week. We were down to two products in an analysis. And one of the differentiating factors…because feature by feature, they were almost identical. One of the differentiating factors was ease of use. And the product that ended up on the lower end of things, it's a very robust product, but it required people to get trained. Their competitor did not. There's just a reality to that.
Mike Krass: Well, Andres, this has been a real pleasure to have you on the show.
Outro
Mike Krass: And, for our listeners, that is a wrap for this episode of What's the Problem. We hope you found our conversation with Andres to be insightful, to be informative. We hope that there's some key takeaways for you there to bring back to your organization. Remember to tune in next time for more discussions on cyber and data security. And I also want to give a quick shout out to our host MKG Marketing. MKG is focused on helping cybersecurity companies get found, drive leads, and close deals. So if your cybersecurity firm is struggling to generate leads or close deals, let us help you. You can learn more on our website mkgmarketinginc.com. Thank you for listening. Don't forget to subscribe and leave a rating for the podcast. I've heard that Andres only likes five stars. So don't let him down, people. We appreciate your support. And until next time, our friends. We'll see you later. Andres, say goodbye to everybody.
Andres Andreu: Thank you. This was great. Appreciate it.
Andres Andreu
We are joined by Andres Andreu, a cybersecurity industry veteran with 30 years of experience, to delve into what truly matters to CISOs during the purchasing cycle.