Hello, everybody, and welcome to What's the Problem, the podcast that explores problems that buyers of Cyber Security products and services face in today's world. Today, we are lucky to have Andy Smith, the Chief Marketing Officer at Laminar, joining us on the show.
Mike Krass: Andy, thank you for coming on.
Andy Smith: It’s great to be here, Mike. Thanks for having me.
Mike Krass: Absolutely. So let's get right into it. Andy, why are you qualified to discuss the problems of cybersecurity product buyers?
Andy Smith: Yeah. I'm a veteran of 30 plus years in Silicon Valley, 20 plus years in cybersecurity, both identity management for many years, and broader cybersecurity solutions. I just joined this new startup, Laminar, so we're just out of stealth. But when we were going after product-market fit, we interviewed upwards of 250 CISOs just pitching and listening and asking questions, etc., to get to work on this problem statement and try to understand one of their biggest issues. So, it's the results of many conversations over many years, but the particularly focused effort in the last few months to understand the problem.
Mike Krass: That's exciting, Andy. Everybody who is listening is getting the benefit of over 200 conversations that you don't have. Good for you, everybody who is listening. Let's get him to the problem. Andy, I know there's more than one, but what is the problem of a security buyer today?
Andy Smith: Yeah, so we'll focus on the one problem we've been focused on, and it's really the convergence of what's happening right now in the market. So what we're seeing is cloud transformation, the increase of cloud adoption with the pandemic just threw that cloud adoption up even more. So this is really timely. On top of that is data democratization, and the result is I've got more data than ever before in the cloud, and as App Dev increases, you start changing to the cloud-native App Dev. What's happening is there's a shift in power for security professionals, whereas they used to be able to act as gatekeepers. Therefore, if a developer wanted to stand up a new data store, they would have to ask permission and say, "somebody brings me a server and set up a database." You know, some DBA involved, etc., they have to ask permission for all these things. And security could show up to those kinds of meetings and be able to say "What data you're going to put into that system? Is there any sensitive data? Is this how you need to protect it with the move to the cloud and to change the way that App Developers have way more power than ever before?" They can start spinning up and spinning down, moving around copying databases and data stores, and don't have to ask permission anymore. And there is now this gap between security professionals, data security professionals in particular, and their ability to be gatekeepers. And that's the problem: they often don't know, way more often than not when we're talking to these 200-plus CISOs, where their sensitive data is in the cloud.
Mike Krass: How does that expose them as data security professionals?
Andy Smith: What's interesting is what we're finding is we've coined this term shadow data. And because it's fairly common for them to be aware of the main data store that the application is running after. They have all these shadow data stores out there, so the developer makes a copy in a dev environment for a test and then forgets to remove it. There was an original lift and shift to the cloud and then eventually, we brought a data store over. And then eventually, re-focused that one on a cloud-native data store, something like that, and the old one is still sitting there. You know, there's just all these extra data stores sitting out there, an untethered backup, etc. Those are the ones that are often unmanaged, not following policy, not configured properly, not being monitored, and those are the ones the attackers go after. It's not often the common data store that everybody knows about. All these shadow data repositories are out there that are unmonitored, unprotected and, often, the attacker's dream.
Mike Krass: You mentioned you interviewed hundreds of CISOs; as you're working on this problem statement, does the buck stop with the CISOs, in terms of, you've got this untethered backup, or another example like the one that you gave, and it somehow becomes exposed, and some bad actors get in there? Is that kind of the CISO's nightmare in terms of I'm going to have to deal with this or I'm going to be relieved of my duty for not cleaning the house?
Andy Smith: Yeah, it was interesting! There was just one the other day that we were talking to, and we said, we're talking to a data protection, data protection professional, and his boss was the CISO. We said, "What gets your boss fired?" and he said, "Knowing that there were these extra data repositories out there and not doing anything about it." So maybe you get one breach, and you kind of get through it or whatever, and you clean up things afterward. But if you know you've got this problem, and you don't deal with it, that gets you fired.
Mike Krass: So same as any kind of criminal court here in the United States, ignorance is not an excuse or ignorance is an excuse once after that. You should know that's the next step. If you have more out there, you should know and find them.
Andy Smith: There's also another interesting dynamic. In addition to CISOs, we talked about Chief Data Officers, the CDOs, and obviously, large organizations tend to have. Organizations focus on having a lot of data, especially consumer and employee data, etc., and there's a shifting dynamic. They actually both feel some responsibility for this, ultimately, the breach CISOs. It really comes down to the CISOs protecting against that but what's happening in the market is we're seeing this shift from system-centric security. I'm worried about the systems, and I'm focused on the systems and the infrastructure, etc., to data-centric security. In the end, it's about securing your data, not necessarily securing the box that your data is sitting on or the VM that you're sitting. It's really about the data. It's just a shift in thinking, from system-centric to data-centric, and then what's interesting to watch hasn't shaken out yet but the role of the CISOs and the CDOs and how they interact together because they each bear a bit of this responsibility.
Mike Krass: Interesting. Well, Andy, I appreciate you dropping some knowledge on our listeners. We just talked about a few pretty intense topics, you know, breaches. You brought up the question of what gets you fired? That's pretty intense. So I figure we could end this on more of a light note. Andy, tell our listeners, the worst haircut you've ever had.
Andy Smith: Well, I grew up in Berkeley, California. So you could imagine that my parents are a bit of hippie. So I certainly had a bowl cut when I was younger, for sure. Literally, the bowl cut. But I was also thinking about the business aspect of a haircut. I've worked for many companies over the years, getting bought by private equity and having to do that business haircut of laying people off. That's probably the worst haircut I've had.
Mike Krass: I've yet to meet anybody who really enjoys that part of the business. That's always very unfun.
Andy Smith: Absolutely.
Mike Krass: Well, Andy, thank you for joining us and for all the listeners we have. We will have links to Andy's LinkedIn and Laminar’s website to learn a little more about them and some of the problem statements that Andy teased out but didn't go into too much detail on. Until next time, stay safe out there.
Andy Smith: Alright, thanks, Mike.
Mike Krass: Awesome. Thank you, Andy.
Andy Smith is the Chief Marketing Officer at Laminar