In this episode, Lucas Nelson welcomes back Mike Privette, founder of Return On Security. Together, they discuss Mike’s role as a fractional CISO and his unique blend of consulting, research, and insights into cybersecurity funding and market trends. The conversation covers highlights from major conferences like Black Hat and DEF CON, the evolution of AI in cybersecurity, and the importance of staying ahead of emerging threats. We’re excited to make discussions with Mike a regular segment.
Welcome to the Cyber Thoughts podcast, where we explore the world of cybersecurity through the eyes of practitioners and leaders in the field. In each episode, we invite a guest from the world of Infosec to share their insights and expertise on the latest trends and developments in the cybersecurity market.
Whether you're a seasoned Infosec professional or just starting in the field, this podcast is for you; our guests will provide valuable insights and perspectives on the challenges and opportunities facing the Infosec market.
Join us as we delve into the world of Cybersecurity and learn from the experts on the Cyber Thoughts podcast.
PODCAST TRANSCRIPT
Lucas Nelson:
Hi, and welcome to the Cyber Thoughts podcast. We explore the areas of cybersecurity through leaders in the field. Today it's my great pleasure to introduce my good friend, Mike Privette from Return On Security. Hey Mike.
Mike Privette:
Hey, Lucas, hey, thanks for having me back.
Lucas Nelson:
Thanks for joining us. So for those who haven't seen the first episode, give us a quick overview of what you do and then I'll talk quickly about what I do and then we're going to launch into a discussion.
Mike Privette:
Yeah, yeah, so my full-time day job now is I run Return on Security. It's one-part data and kind of researching business and one-part fractional CISO consulting. So I use the CISO consulting to meet with a bunch of different companies in different stages and help them through, like, setting up security programs, most often as their first security hire.
And then I use Return on Security to just kind of scratch my itch on anything around the cybersecurity funding market, the M&A industry, economics broadly and how cybersecurity impacts investors and founders and practitioners, all kind of in this, like, three-legged stool thing I like to call it. And so then they just kind of riff off of each other and I have this interesting conglomeration of interests that I do every day.
Lucas Nelson:
And so for those who don't know, I'm with Lytical Ventures. We're an early stage fund focused on cybersecurity and AI. And today, Mike and I are just going to have a talk about kind of what we do in the market, as opposed to more of an interview style, which is what I often do. So I thought we could do a review of August. And one of the big things that happened is we all went to hacker summer camp at DEF CON and Black Hat. And so I thought I'd start out with, you know, what did you think of Black Hat this year as kind of the big industry con...
Mike Privette:
us.
Lucas Nelson:
one of the biggest conferences.
Mike Privette:
Yeah, I thought it was pretty good. I'm gonna say this and it may make some people cringe a bit, but it's getting a bit more like RSA, but like in the good ways, I think. It was like more representative of just purely hacker in a hoodie kind of style. So I think a lot more people were there. I think this might've been the year they had the largest attendance. But it's not so overly commercial and overly done the way some conferences can be.
And so I think everyone seemed to have a really good energy, everybody was really excited about it. And so I think it was a good year.
Lucas Nelson:
Yeah, so I get to be on the steering committee for some of the stuff and some of the talks. And so I got to hear kind of the recap from the firm itself, from Informa. And yeah, they were really happy with it, attendance was up. They launched a few new events, so a few new summits. So there's always been, like, the CISO Summit, but this year they added the Innovator Summit and an AI Summit. And those seemed to be really well attended. And I'll use this to launch back into you.
Mike Privette:
Yeah.
Lucas Nelson:
You got to do a panel at the Innovator Summit. How'd that go? What'd you talk about on your panel?
Mike Privette:
Yeah, no, the panel was great. You know, I wasn't exactly sure, you know, what the kind of mix of the day would be like. But it was a really good mix overall of just founders and investors and builders in general. And there's people who are kind of interested in that side of the cybersecurity market. But I thought the micro conference was really nice. I definitely want to go again. Hope you guys run it again.
But the talk was good. At least the feedback I got was good. I felt like it was okay. The panel I was on, I tried to make it, knowing that we were the last panel before everybody went to go get drinks, was tricky. So I'm like, all right, I've got to manage that carefully and not go over time. But I also wanted to make it, it was more or less like industry trends. Like, what's coming around the corner? What, you know, now that we're, you know,
Lucas Nelson:
What was your subject matter?
Mike Privette:
two quarters through the year, plus a little extra. What are we seeing? What trends are emerging? And then what's coming next was kind of the focus of that panel. You can't do that without talking about AI. So that was a big piece of it too. But then I tried to make it also interactive too with not only the panelists, but a little bit of the audience as well. But it's...
I thought it was a good representation across all three panelists. We had Katie from 1011 Ventures, we had Jon Sakoda from Decibel, and then Ross Haleliuk. So we had a good mixture of people who have kind of been in and around all those sides. And I think it went well.
Lucas Nelson:
Anything that surprised you from it or was there any one or two takeaways that you think we should share with the group?
Mike Privette:
You know, I think it was interesting to hear, like, obviously, AI is such a top of mind, but it's interesting to hear people, you know, try to, like, not go past that. Like, yes, that's, like, yes, we expect there to be, like, continued iteration here, but it was interesting to see, like, well, you know, this is just one set of tools that can help us with our job, but, you know, so I kind of thought there'd be a bit more, you know, leading edge kind of, like, thought on that.
But I know it's hard when there's such, you know, AI overload, like information overload.
Lucas Nelson:
I mean, yeah, there was a whole different AI Summit, right? And my, yeah, no, my understanding was the AI Summit sold out almost immediately. Like it was just one of those, like, which is unsurprising, I guess, given the zeitgeist, but it's still pretty funny that, like, yeah, people can't get enough of it.
Mike Privette:
Yeah, which is great because it needs to happen.
Yeah.
Yeah.
Yeah, you can't ignore it. And there's so many different variations and flavors of it today. And, like, you've got some really cool advanced research coming out. I think, you know, to be fair, most of it flies, like, right over my head, but it's interesting to see just how much energy there is, like, going into it. And into this, like, little, like it's not little, but this, like, part of the industry. And then, you know, it was awesome to see George Kurtz in the morning. You know, everybody wanted to know, like, at the CrowdStrike outage, like,
How you doing, man? That was pretty bad.
Lucas Nelson:
Hahaha
I gave him credit for showing up on stage because it's not a time when you wanted to. But with that said, I don't think he gave anything other than the pre-written, bad things happen to all of us and aw shucks. Again, I give him credit for showing up on stage, but it was a pretty friendly set of questioning on that.
Mike Privette:
Yeah.
No.
Yeah, I think so too. I agree that they've done probably as best a job as they can responding to this, like knowing just how bad it was and knowing that everything they say or don't say or write or don't write will be combed over with a very fine legal comb. And so I think there's still probably a lot of fallout to happen from that if it goes to Congress and whatnot.
But I think, you know, it was good to see people kind of, like, support them, as opposed to, like, you know, some of the competitors who were trying to, like, you know, kick them while they were down. They're like, well, you know, our architecture would never do that kind of thing. Yeah, exactly. So which, you know, the community sees that, they're like, all right, we know, you know, we know a snake oil salesperson when we see one with that kind of stuff. So, like, people don't forget that kind of stuff.
Lucas Nelson:
Right, yeah, our code's perfect.
Mike Privette:
But no, it was good overall and I think a lot of people wished that there was, like, double the attendance, honestly, for that conference just because more people wanted to be in on it.
Lucas Nelson:
Yep. Yeah. So let's, I'm going to use this as a chance to switch over and talk about the trends, right? You're clearly an expert on it. You write about it every week. For those who don't know, Return on Security is a must read. It's awesome. You've got great data. And then when you do your deep dives and insights, that's awesome as well. But also some weekly just, you know, here's what happened. So let's do, like, let's do August. What did August look like? Was it, you know, up, was it down? And then how does it compare to, you know, summers past, I guess.
Mike Privette:
Yeah, so August this year was a pretty good month still, to be honest. We jumped back up over a billion again in funding, which over the course of the year, more months have hit over a billion dollars in funding in cybersecurity than not, which sounds like a no-brainer, but if you remember in 2023, that didn't happen.
But then if you remember even further back, 2022 and 2021, like it was normal to have $2 to $3 billion months. So, like, there was, you know, that big cliff that everybody fell off of and interest rates skyrocketed and,
you know, everyone felt the economic crunch that really slowed a bunch of investing down, not just cyber, but, like, you know, worldwide across all industries. So there's definitely been, like, pockets of rebounds this year in cyber on the funding. There's a lot more late stage funding than in years past, which is, like, kind of, like, I always view that as, like, a healthy sign. 'Cause when, like, the later stage companies are still, you know, raising money and still making
acquisitions, like, you can tell that those later stage companies are still finding customers and they're still finding creative ways to make sales and that kind of just helps, like, replicate, you know, or it helps, like, perpetuate more people entering into the field, trying to upstage them, trying to, helps create innovation, like, where it doesn't exist today and so...
It's like a healthy kind of churning of the industry. And when you don't see that happening, like we saw last year as much, that's when you're like, man, how many of these companies are gonna shut their doors? Or how many of them are actually gonna make it to 2025 or things like that without a lifeline from private equity or something like that? But it's been good.
Like overall, even if it's trending down slightly, like the year itself is still trending less than last year right now on a couple fronts, but it's still been a strong year.
I think August is, there's typically some, it's kind of like the calm before the storm. There's a bunch that ramps up early in the year, especially as, and I know a lot of this is just news timing, but people kind of wait for RSA and for Black Hat to make big announcements and big splashes, because they can ride the wave of the news cycles then.
And so you see a lot of, like, kind of a concentration there, but, and, you know, then it tapers off a bit in September, everybody goes to Burning Man and, you know, but then, like, they come back off, they come back in VC summer and they come, you know, and then things start ramping up again, but, it's, you know, it's no surprise that AI is still really hot. I think we just, you know, just last week there was the third AI security acquisition this year, which is, like, incredibly fast, given how quickly that this...
Lucas Nelson:
Ha
Mike Privette:
category or like set of categories has evolved. So it's definitely really fast moving and I think it's a positive sign, yeah.
Lucas Nelson:
So any notable mergers and acquisitions that you want to talk about? And there's at least one I want to put on, which is Lacework. I think I've got to talk about that one. Yeah, what have we seen? And then let's talk about Lacework.
Mike Privette:
Yeah.
Yeah, I mean, so there's been obviously, like, you know, services based businesses are still predominantly most of what acquisitions are in the industry. I know people really look at, like, large companies buying other large companies or, like, large companies like Darktrace getting taken, you know, private by private equity. Yeah, those are, like, big and they're exciting and they have a lot of giant price tags on them, which is cool. Or at least makes for good news. But
That's not even half of what makes up the industry in terms of acquisitions. It's usually one services business buying another services business. which is, the VCs don't like services business because, you know, revenue is lumpy and unpredictable and doesn't have good multiples and all that. But if you want to make money, you should start a service business. Like get a fire and another service business. So it all depends on like what kind of, you know, return you're looking for.
Lucas Nelson:
Yeah.
Mike Privette:
And so that's just been an interesting clip. Ross and I did a post about the last couple of years to date on acquisitions, and it's like 60 to 70% are services businesses. But then outside of the services, there's always really interesting ones. Data security posture management is always still really interesting.
and still just, like, it's one of those things that, like, there will always be point solutions getting bought by much bigger ones. Trying to, everybody's trying to build a platform basically. At least a lot of these later stage companies are. But you gotta talk about, like, you know, Lacework, obviously that was a big one. Like, I'd love to hear your take on that one.
Lucas Nelson:
So, you know, Lacework is or was a unicorn that got bought for, I forget the number, 250 million, maybe a little north of that, maybe a little south of that, I forget the exact number. And, you know, they just took in a billion dollars of financing earlier in the year. So my first take was a bunch of it was giving money back to their investors, right? Like, hey, we'll give you 800 million of the billion we took in.
Mike Privette:
Yeah.
Mm
Lucas Nelson:
and then we'll sell it for $200 million. And so maybe you get your money back on that round. But yeah, that's waving a pretty big white flag when you've got money in the bank and you're still going to sell for a fraction of your last valuation.
Mike Privette:
Yeah.
Yeah. I mean, like, I think at some of the lowest points, it was like a 98% haircut, which is, like, there's just no way that, like, you can't make that sound good in any way. And it was, like, also from an unlikely source, I think. It got, like, a lot of people scratching their heads saying, why, why did they do that? Why did Fortinet do that? 'Cause it just didn't seem to fit with any of the rest of the portfolio, which may be the reason why, but also,
It's not like people were like, well, all of a sudden now I think of them and that when there's the gorilla of Wiz that's still there. So I think, you know, I think that that was an interesting one. Like, overall this year, there's been fewer acquisitions, like, by, like,
I don't know, 25% or 30% fewer acquisitions year to date than last year. But the ones that have happened have been, like, higher profile, like that. They've either been high profile good or higher profile, not growth. And so I think that's kind of a, what you're seeing is, like, that lull period where there wasn't a lot of money or there wasn't a lot of growth happening in the industry is now coming, like, okay, now I've got
my feet under me again as a business, now I think I can make some strategic bets and moves and, like, you know, acquire some talent, acquire some tech or acquire some industries that I'm not, like, in fully now.
Lucas Nelson:
So yeah, that barbell effect to me feels like awesome and excellent businesses always, you know, like, you know, the top 10%, you know, you can do whatever you want, good markets, bad markets. And then the bottom, I don't know, let's say 20% where, nope, there's just no answer, right? Like you have to sell. If you have a choice, you try to ride out a period like this one, it sounds like. Is that what it feels like there?
Mike Privette:
Yeah.
Yeah, for sure. Exactly. Like, those who could just sat back and waited for, like, the right time, whether for them to get acquired or for them to make some acquisitions. And then others are, like, you just kind of, you run to the closest, you know, open arms or you close your doors. You don't really hear a ton of that, 'cause I think you can really, like, kind of bleed that out really slowly over several years, which is not a good thing, but it does happen.
Lucas Nelson:
Yeah, no, we're just starting to see the rationalization, right? Lacework is a big example of that, but there's a bunch of smaller examples. So you also wrote an in-depth piece on, let me see if I get this right, AI and the shared responsibility model. And so I was hoping you'd explain it to me because while I read it, I've got ideas and questions.
Mike Privette:
Yeah.
Yeah, no, it's honestly, I've been trying to study AI for a long time now, because it's like, we're like anybody else in the security industry, you got to stay somewhat close to it to even understand what people are talking about now. All the research is coming out about it. What struck me about this, about what I've seen so far, is, like, I think we're on two separate, like, the people will talk about AI security in two separate and, like, very distinct constructs. And, like, you can see this
by the types of startups that have emerged. By going one end, you have, oh my gosh, you have to block ChatGPT and block Claude and all these things. Like, we can't let people put sensitive data in there, put IP data or put source code in there because then all of a sudden our data will be out there in the training models and in the wild and could be exposed and we'll lose our competitive edge. And so a lot of startups started here and say, well, let's just block ChatGPT or,
hey, let's redirect the sanitize checks before you get there. Or let's make sure that you put a DLP in front of it, a better DLP in front of it. And I don't think any of those are wrong, but it was, like, kind of a knee jerk reaction. It was, like, it was a legal and compliance CYA reaction. Like, oh my gosh, like, we might lose, like, all this, like, you know, private data. So they had to, something had to emerge here to fix this and calm down legal and calm down the board, calm down the CEO, you know,
all that, all these people. And then at the very opposite end of the spectrum you have here are super crazy and very Mission Impossible sounding Red Team AI models attacking other AI models to make them cough up their secrets. And we can do that and or we can prevent your model from being like coughing up their secrets when you run your own model.
which sounds really awesome and I think it's needed, but like the number of companies that need this one are pretty big, but the number of companies that need this one is like five, like total.
Lucas Nelson:
So the red teaming piece is a much smaller market than the compliance piece is what you're saying.
Mike Privette:
It's small in the compliance, but it's way deeper. like OpenAI, Claude or Anthropic will pay everything for that. Whereas these companies that are there in will not pay that much for it. And so there's not much in between. And most of the research that come out is really about like attacking foundational models or attacking like...
or like securing like model deployment pipelines and like model data pipelines and super advanced use cases that most companies don't have that problem. Like most companies are not, do not have the level of funding people or time to roll all of this themselves. And so it's strange to me that there was such a disconnect between like this end and like the very, very small end.
And it just, after going through, like talking to many people and I read in a bunch of different publications and research pieces and then going to different like kind of like trainings around, like nobody could, nobody was actually like consistent in how they explain how the AI models work. Like how are you using AI matters wildly differently on like what you have to do to secure it.
Like if I'm just using ChatGPT versus if I'm running, building my own neural networks and running my own training platforms and all these things, it's wildly different. And then I just thought there was no consistent way to do it. So I'm like, I should probably make something simple that will help me explain to somebody else which model they're using. And then you can turn the dials up or down based on where you're at.
And that's kind of how the model was born in like least version one of it anyway.
Lucas Nelson:
So yeah, I'm going to use the word model and use framework only because we're talking about AI models to make it easier on our listeners. So what's the framework you're suggesting and kind of how you think people should implement it?
Mike Privette:
Yep.
So I think you should think about it a bit like the cloud security shared responsibility model in terms of breaking it down into platform as a service, infrastructure as a service, or SaaS, on-prem. But then I actually broke it out a bit more into there's public SaaS AI, meaning like ChatGPT.com.
But then there's the private SaaS version of ChatGPT if you get the Microsoft Enterprise edition. So you have, there's a difference between those. They still use some of the underlying foundational models from OpenAI, but there's governance on the Enterprise one. I can tune what comes in and out. I can tune what leaves, I can tune who has access to it. I can't do that on the individual level. So, like, there's already an inherent risk reduction in using the Enterprise version of that.
But it was just, like, kind of helping people understand, like, figure out which deployment use case or framework you're using today. And then you can apply the security controls and set up, jumping all the way to the end of, like, do I need to red team my models that I don't actually have or run? And so, like, that's what I kind of borrowed heavily from the cloud security model and, like, broke it up into, like, different components of, like,
you know, application security, model security itself, obviously, like, kind of traditional access controls, data privacy, data loss prevention, like, compliance, monitoring, logging, all those kinds of things. And of course, incident response. But then, you know, overlaying, like, you know, some of the new things about securing the models themselves or securing the data pipelines themselves.
or like what sort of like ethical usage standards go into these things. Like some of it's soft, some of it's like tangible, but then some of it's like you have to like put forth like company guidance or like in like stances of how you will use these things. Cause it's kind of one of the few technologies that spans it's like, you know,
ethical implications. Like nobody says, is it ethical to use the cloud? Like you just use it. You just launch it on AWS or Google and like there it is. But people do question because of like the unknown power of AI, known and unknown. And so you have to put some of these more like human effects on top of it, if that makes sense.
Lucas Nelson:
Nice. Yeah, totally.
Mike Privette:
It was fun to make. I got a lot of good feedback. I hope we can just keep building on it and iterating on
Lucas Nelson:
For people who want to find it, where does that live right now?
Mike Privette:
It's on ReturnOnSecurity.com and it's actually the number one featured post. So it's, like, the very first one if you scroll down on the left. Yeah.
Lucas Nelson:
All right. All right. So kind of one last broad topic and then we'll talk about startups a little bit and then we'll let everyone get out of here. I wanted to talk about what I'm calling free speech fall, in that in the last week or so there's been a number of things in the free speech category. So I'll run them down really quickly. Love to hear your thoughts and we can just chat about them for a minute or three. So first you've got the, let's call it kerfuffle with X or Twitter being blocked in Brazil.
And so for those who don't know, a Brazilian judge is blocking X in Brazil because they wouldn't take down certain data. And then you've got the arrest of Pavel Durov, who's the founder of Telegram. So he landed his plane in France. He's Russian, I believe, and he landed his plane in France and they picked him up. And that's an interesting, you know,
interesting case. I think he's got 12, is it 12 counts? Anyway, they, you know, and then, last but not least, in the US, the Senate has just passed two privacy bills. Let me read these. The Kids Online Safety Act, which is KOSA, and the Children and Teens Online Privacy Protection Act, which is COPPA 2. And so these are again, basically limits on free speech
Mike Privette:
Yeah.
Lucas Nelson:
for people under the age of 18. So the teens one moves COPPA, which used to be 13 and under, up to 17 and makes a duty of care. And the Kids Online Safety Act is for kids, obviously. So, you know, I think this is an interesting thing that's happening. So, like, what's your view on free speech versus safety and privacy? Pick any one out of three, go from there.
Mike Privette:
Yeah, man, this is a tricky topic too. And there's been so much that's happened all at once like this. And then there was also a lot of stuff in the UK about there were riots in the northern part of the UK that was propagated through online misinformation. And people were misreporting it and it caused a bunch of violence and a bunch of destruction as well. It's a...
It's really tricky, I think, because like, where does the line start and stop on privacy? And where does the line start and stop on free speech?
Yeah, honestly, I think this is a really tricky topic because it's hard to know where is the line when free speech is, like, too free and when, when's enough data privacy or when is too much data privacy. And it's really fickle because if you let one thing slide, then a lot of people jump to assume, like, you'll either let many other things slide or you'll, and then the opposite of that, like, if you say, you can't say this thing on social media in this country.
I think it's good that they push back on that. I think that's tricky, but of course, not everybody around the world has free speech. I think that's a, it's something easy to forget, but it's not as, it's a Western concept. It's not a global concept in all cases. I think it should be a global concept, but that doesn't mean I can just make it so. But it's an...
Lucas Nelson:
So I love it as a concept, but I'll also point out that free speech is government repression, right? So we'll take Zuck. Zuck doesn't want to talk about, you know, have Nazis on Facebook. Completely his free speech right, because he owns the platform, right? So there's two different pieces there, because people often conflate free speech with, well, this is the internet's, you know,
Mike Privette:
Yeah.
Lucas Nelson:
it. The internet's a central meeting place and therefore, you know, they have to let everything through, which is what 4chan does.
Mike Privette:
Yeah. Yeah. And I don't, and I think that's tricky too, because there's some stuff that clearly causes violence and clearly causes, like, hate and racism. Like, I don't think that has a place anywhere. And that's, you know, the old adage is, like, you know, freedom of speech does not mean freedom from consequences, you know, and a lot of this stuff. I think that's, you're seeing some of that play out. And then, you know, even with Pavel's, is, you know, or Telegram, it's very tricky because, like,
his platform facilitated lots of these things in the end. The argument was that you didn't help the policing agencies thwart any of that. You didn't help at all in any way, like, combat any of the known terrorism, the known illicit drugs and content and other kinds of, like, payments that were happening on the platform, or activity. That one's...
trickier because it's like truly hands off and no censorship whatsoever. But I think it's hard to, you everyone's lines would be personally different on that one, which is the hard part.
Lucas Nelson:
So I invested in a secure messaging platform. We invested in Wickr and it got bought by Amazon. But the beginning of every board meeting, which was fascinating to me, we started out with, here's the lawsuits against us right now. Here's the number of requests we've got from the government and so on and so forth. Because if you've got an end-to-end encrypted platform, you're going to have bad actors using it for drugs, pornography, all those things. And so we had to have it very well.
Mike Privette:
What?
you
Yeah.
Lucas Nelson:
If we get a court order for this, we're going to turn it over to the... And so in Telegram's case, he just wasn't playing that game. Okay, you're a Russian citizen. Technically, you don't have to follow the laws of France when you're not in France, but he landed in France. And so, same thing with Elon, right? Yeah, you know what? You don't have to listen to the Brazilian government, but if you don't, they're within their right to take down your service.
Mike Privette:
Yeah.
Lucas Nelson:
much like we're talking about getting rid of TikTok in the United States, right? Like if we feel it's propaganda, yeah, hit it up.
Mike Privette:
Yeah.
Yeah, exactly. It's true. Like, governments are not always, like, they don't act as rational people. Like, they can do different things. They can say, we'll just seize your stuff. Like, we can just take this from you. Like, we can seize your assets. We can seize your money. And they can tie it up long enough that, like, a regular individual can't do that. And so it's, you know, it's always tricky, you know, finding that line between, like,
what is enough versus too much. Because especially, and it's hard to talk about this stuff without dipping into politics, but like, you may be okay with it if you align with the politics on the side of that today. You may be wholly against it tomorrow if the politics flip, and now it's against you as the one who used to be for that. So I think it's like kind of wise not to take like super hard stances on those, because like you can flip against you at any moment.
Lucas Nelson:
I forgot who it was, but somebody tweeted or wrote, it's really tough being an independent free speech advocate, because you lose half your team, each election cycle. Right? like, you know, people are like, well, now I'm fine with it, right? Like, my guy who wants to curb it, must be a good idea.
Mike Privette:
Yeah.
Yeah.
Yeah, that's right. Yeah. I'm with this side now. Yeah.
Lucas Nelson:
Yeah, exactly. All right, so last one, let's do it quickly. Any areas you're particularly interested in? Did you see any companies at summer camp that you thought, you know, that's a standout? And listen, you know, this is also your chance if there's anything AI related you want to say that you haven't said in you know, AI, you have to talk about AI, right? So.
Mike Privette:
You have to talk about AI. I'm excited for this next wave of AI security companies that are, not focused on securing AI, but in fact, AI for security. So the ones that are... And I'm ready for the next wave of getting past the AI SOC agent or the autonomous SOC analyst who's like correlating events for you. I think those are good. That's a good, like, kind of needed iteration of things. You know, I think there's probably like 20 or 30 companies all doing something very similar in that space now. So it's definitely in like a micro bubble there. It's not necessarily a bad thing, but it's like, it's time to go to like the next wave. Like, all right, what's gonna actually make a difference in, like, what's gonna give context?
I think it's got a lot of power. AI in general has a lot of power to help provide super effective decision making if you can give it the right sets of context and data at the right time, or at least allow the humans to make a lot better decisions. I'm excited for that. I've talked to a few companies who are kind of dancing in and around that space at Black Hat.
You know, and I think there's a, AppSec, people keep trying, that's like kind of the quickest path to that, where like AI is also shining as well, because it's just text. And so there's ways you can like really evaluate that. You know, I'm hoping, I'm really hoping that we can kind of elevate third party risk management as well. Like it doesn't sound very exciting, but these point in time, one off questionnaires with stale questions and stale answers, this game is really about legal CYA. I think it's pointless outside of contracts. But if you really want to manage your third parties and, I think, monitor their health and performance over time to really monitor your supply chain and have a good idea, I think there's huge opportunity for that space. And so I think there are people trying to solve it, but I don't know how close anyone is yet. What about you?
Lucas Nelson:
So I had an answer just two seconds ago and then you asked. What I'm most interested in right now is building on the high ground. So I've got this thesis that we keep building our castles in the middle of the swamp. The first one sank in the swamp, and then we built a second one and it fell over and sank in the swamp. So we keep building on the low ground. Why is every port open by default? And that's king.
Mike Privette:
Mm.
Yeah.
Lucas Nelson:
But like that's the easiest example, is like when we used to attach to the internet, you're like, I'm available to everybody and every port's open. And so we've gotten slightly better at that. But still, if you put up a website, the entire world can come to your door. And let's be honest, I don't know, there's probably 6 billion people that you really actually are never going to serve. And so why can they access it at all? Right? Like, no, only people in the United States get to buy from my website because I'm a small business owner in Detroit. Right. Like, done. Just, you know,
Mike Privette:
Great.
Hmm.
Lucas Nelson:
And so the idea that we can do better. So I gave pedantic examples, but some good examples, like, hey, let's build everything in Rust, right? Like we can get rid of an entire class of error, of buffer overflow. Let's just get rid of those. But that's really hard to do, right? Like, no, we've got 30, 40, 50 years of legacy stuff. And so how do you convert that? So I think that's really interesting. And people are different, having different ways of attacking it, but the idea of, let's build the high ground. Let's stop
Mike Privette:
Yeah, yeah.
Lucas Nelson:
doing what we've done for 30 years now, let's try something different and new, because what we're doing is clearly just not working. So that's what I'm most focused on, but I can't point to like a simple space because it's not, no, you need that in networking. You need that in code review. You need it everywhere. Yeah. So that's my thesis. Yeah, go ahead.
Mike Privette:
Yeah. Yeah, everywhere. Yeah. No, like that.
'Cause I think we've kind of just, as an industry, always focused on the exact opposite end, where it's like, we just need better detection and response. We just need better. In fact, like, everybody's agentless, and like, actually it'd be better if we had an agent and agentless. So then we have another set of, like, the industry has just kind of evolved over the years. It'd be just like, here's, here's a view of like some loosely coupled things, and like, but let's put another view on top of that to make a better view of the bad data below. And then like, it just keeps, you know, extrapolating upward and upward, which I think is like, some of that's needed, but it's definitely not like, you can't keep doing that. It's not gonna work. You have to change, like, foundational things.
Lucas Nelson:
Yep. Cool, man. Let's remind everyone where people can find you.
Mike Privette:
Returnonsecurity.com is the main place where I do all my writing and my weekly newsletter. I'm always on LinkedIn, it's Mike Privette, or Twitter, Mike P. Security. I made that name like a long time ago and it just stuck. But yeah.
Lucas Nelson:
Love it. Well, thank you for joining me. And obviously, people can find us here. So have a great weekend. It was wonderful talking to you. Be good. All right. Cheers.
Mike Privette:
Yes.
Yeah, likewise. Thanks for having me on. Cheers.