Cloud Security Podcast

Cybersecurity Isn’t Crowded: Security Engineering and the 5,000 Vendor Problem

In this episode our host Ashish Rajan sat down with Ross Haleliuk, author of Cybersecurity for Builders and creator of the Venture in Security blog, to explore the current state and future of the cybersecurity industry. From understanding the challenges of building a cybersecurity startup to the dynamics of security engineering and market trends for 2025. Ross and Ashish explore why the cybersecurity industry isn’t as crowded as it seems and the divide between companies that build in-house security and those that rely on vendors.

Ross also unpacks why sales and marketing aren’t “dirty words” in cybersecurity, why security engineering is “the present,” and how practitioners can balance business needs with technical aspirations.

Guest Socials: ⁠⁠Ross's Linkedin

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Podcast- Youtube⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠

- ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security Newsletter ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠

- ⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠⁠Cloud Security BootCamp

If you are interested in AI Cybersecurity, you can check out our sister podcast - AI Cybersecurity Podcast

Questions asked:

(00:00) Introduction

(05:33) How Venture in Security started?

(09:33) Security Engineering in Cybersecurity

(18:18) Cybersecurity markets that will be top of mind in 2025

(24:15) GTM for Defender Tools

(30:09) Vulnerabilities vs Misconfiguration Tools

(37:56) How should product companies think about GTM?

(44:27) How to decide between different security tools?

(56:36) Cybersecurity for Builders book

(01:05:00) The Fun Section

Resources shared during the episode:

Venture in Security Blog

Cyber for Builders Book

Challenges in Security Engineering Programs - Rami McCarthy

Cybersecurity is not a market for lemons. It is a market for silver bullets

The Market for Silver Bullets

Duration:: 1h 10m
Broadcast on:: 10 Jan 2025
Audio Format:: other

But I worked in Fintech, there were 50,000 vendors in cybersecurity. There is about 5,000, so that is 10 times fewer. If we say that cybersecurity is everybody's problem, then 5,000 vendors is probably not that many. Ramy McCartney contributed a blog post to venture in security talking about the fact that security engineering is not the future. It is the present. It is just not equally distributed. I tend to agree with that thought. The vast majority of the market are companies that don't actually have incentives to invest in security, but they're the ones that need security the most. If attackers are successful using the methods and techniques and the attack vectors that they have been using for quite some time, why would they change? If you're building something that targets software engineers, you're probably going to have a very hard time. Is this something that is unique to my organization? Is there a real need for me to build in the world where bridges happen every single day, the fact that somebody gets popped is no longer a reason for you to not use their product. If you have been in the cybersecurity industry for some time, like me, chances are you have either worked with a cybersecurity vendor or considered being a cybersecurity vendor yourself. Perhaps you wanted a startup startup because you just hear about all these amazing cybersecurity challenges being solved. And you being an engineer or a builder, you're curious as to what's involved in building a cybersecurity startup. So in this conversation, I had Ross, who is behind the venture security blog, as well as written a book called cybersecurity for builders, where we spoke about some of the different challenges and how us as practitioners, we walk in with a bias when we're trying to build a product. Now, this is a very different topic to what we normally cover in cloud security podcast. I wanted to use this as a starting point for what it could look like if you were trying to build a cloud security product yourself, or what it could look like if you're trying to build a cybersecurity startup in 2025, what that could look like. So Ross has been involved in this conversation for the past three plus years, working in the nuts and bolts of how cybersecurity works. Coming from a non cybersecurity background, he has a very interesting perspective. I hope you enjoy this episode. Again, it's not for everyone, but if you are someone who's interested in starting a company or want to understand the zoomed out picture of what cybersecurity industry is about, which perhaps is a good idea to see how the cog wheels of IT work, this is definitely a great episode. I hope you enjoy this episode and I will talk to you in the next one. Like another episode of cloud security podcast. This is a bit of a difference. We're looking into 2025 for what is cybersecurity looking like in 2025. And I'm quite Ross here. Hey, man, welcome to the show. We've known it till the first time and we're talking about your book and so many things you're working on as well. So maybe just start off with, could you give a bit of introduction about what's your journey been so far? You don't call it a cybersecurity. You still work as cybersecurity products. You do cybersecurity things. What is inspiring you these days and what's a bit of a bit about yourself? Thank you so much, Ashish. It's a pleasure. Super happy to finally make it on your podcast. I've been a long time listener, not a very active one, but a loyal one. I appreciate that. Yeah, I'll take that. How about that? Yes. On my end, what am I? I'm first and foremost an operator. I'm a product guy. I have been in product management and focused on product building products go to market for the past decade or so, started in e-commerce retail, whole cell, moved into financial technology, spent some time in FinTech. And then at a certain point, fell in love with cybersecurity, moved into cyber security and have never looked back since. I am a big fan of the industry, super passionate about the space and the difference this space is making in people's lives and in companies' lives as well. Could you double click on that a bit? Because I think it's funny, someone who's always penned his time in cybersecurity. How do you see the cybersecurity industry? Why do you feel attracted to it? First and foremost, I see it differently than many people. Cyber security is a fairly small industry. One factor that illustrated just how small it is when we had this crowd strike debacle several months ago, there were some news media writing articles about cloud strike, like a small cybersecurity startup called cloud strike, which eventually ended up getting corrected. But my point being, uh, we in the industry, when we look at the largest security players outside of security, most of the companies we are looking up to are not even known, right? Like when you think about large players, you think about Amazon, you think about Google, you think about meta, cybersecurity companies are, are nowhere near that, uh, having worked in financial technology, I know that cybersecurity is much less crowded than people think, but I worked in FinTech. There were 50,000 vendors in cybersecurity. There was about 5,000. So that is 10 times fewer. If you say that cybersecurity is everybody's problem, then 5,000 vendors is probably not that many. Is there more vendors than the market can handle in many of the individual categories? Absolutely. But is it really much less crowded than marketing tech, much less crowded than FinTech, much less crowded than HR tech? I find it fascinating how getting outside of the security space, the main industry you spend most of your time in and just seeing have other industries function, it will give you a different perspective. I love it also because a lot of people don't get to see the perspective from outside in. We're always looked at from a, hey, I know the top vendors, the dinosaurs of the cybersecurity world, you see them everywhere. They're like the biggest players. And a lot of people don't zoom out a bit and go broadly, we're still tech. We're just a subcategory within tech and just basically facilitating that. What I would like to take this to is the mentioned security blog that you've been writing and I've been following for some time as well. What is it? Because I will peel off a few more layers of what you've covered in some of those topics over the time you've been doing it and maybe give that a more futuristic perspective. So what is venture and security? About three and a half years ago, I joined Lima, Charlie as a head of product. And I was fairly new to the security space. My goal was to understand how the industry functions to be effective as a product leader. I started reaching out to people going to different events, conferences. And very quickly, what I came to realize was that there is plenty of brilliant minds in cybersecurity who have a fantastic understanding of the technical side of the industry, but there are very few people that have a good understanding of the business side. And my questions were to certain degree technical and those questions I was able to successfully answer by going to some great blogs, buying books, attending B sites, events, blackhead, other conferences, but I also had plenty of questions around what does the go-to market look like or the different players in the space that I need to be aware of have to incentives of different players and their agendas influence the trends in the cybersecurity space. What does it take to build an open source project in this space? How many successful companies started an open source? What does it look like to get your product into the hands of security practitioners and get them to actually try it? So all of the kind of questions that are fairly far from what the majority of the technical blogs and technical writers cover. And so as I was going through that process, I spent a lot of time aggregating my own knowledge, talking to people, asking dumb questions. Over time, I ended up with a Google dog that had between 100 and 200 pages with all kinds of notes, charts, graphs, pictures, and me trying to summarize some of the learnings some morning in January of 2021. I looked at all of those notes and I said, you know what, if it's taken me such a long time to piece all of it together, maybe somebody else will benefit if I share a bit, if I publish an article and a bunch of people reached out to me saying, Hey, this was actually super useful. I said, thank you. And then I published another one. And very quickly, I got 500 subscribers and a thousand and two and three and four and five and 10. And at a certain point, it just got out of hand. And I ended up in a spot where I have a blog. It is a weekly or a bi-weekly blog. And people expect that I'm going to be talking about something. I've benefited tremendously by just being able to share what I see and get continuous feedback. Somebody will reach out and say, Hey, this thing that you've said works this way, actually, here is something you haven't mentioned and here is why it's important that way I was able to accelerate my own learning. So it's been a fantastic experience. I definitely recommend to anybody who is interested in learning and accelerating their own learning to share more, to speak more, and to give away as much as they can because they will get back much more. Oh, wow. It hits home because as well, some of the foundation for Clark Kelly podcast was as well. A lot of people who watch our content. They're cloud security people, cybersecurity people. CISOs and all that as well. A lot of them are what I was before I started the podcast. We all look at from what you said, our technical perspective, I have a problem. I want to solve it. I buy a product or I build it myself or my team builds it. Or you access a service or you access service or MSP as of the day. That's a good for us. The other half of it, like what goes behind building a product, then we're getting it in front of a CISO or the decision-making, buying the whole thing. That's where the GTM comes in, just where people like the work you and I are doing in front of people of how can you make better decisions? Or why did someone go down the path of having a free product with a paid product at the back end of it? There's so much goes into that. And I know for sure, talking to a lot of people in the audience, a lot of them are off that ethos. They want to build a cybersecurity product one day, taking that perspective. I have a few buckets. I've gone through your blogs and got a few buckets. That was always interesting. One was the security engineering one. How do you see security engineering on both sides where either security engineering you borrow from someone else because of service or you build yourself because you can't buy a product or you buy a product. You don't want security engineering. What are you towards in the whole security engineering space and cybersecurity? The moment I think it's a small space, shrinking space. It's a small space. I think it's a small space. Right. For the longest time, I had this idea that cybersecurity industry is maturing. And as the industry is maturing, we will see more and more companies hiring security engineers, hiring security architects, developing some security capabilities in house. I don't believe that anymore. I still believe that the cyber security industry is maturing. But the process of maturation does not necessarily bring more security in house on the contrary, it's pushing more security to be done by third parties. So when we were talking about security engineering, I think that there is plenty of examples of cybersecurity startups that are being built to cater towards the most like cloud native venture backed tech forward companies. And there is absolutely nothing wrong with that. That is certainly one of the ways to enter the market. The reality, however, is that the vast majority of the market is anything but cloud native, anything but tech forward. And the reason it matters is because if you look at the stats where the GDP of the United States or European countries or like literally pick your country, if you look at that country and where the GDP is coming from, like what are the main contributing industries to the gross domestic product, you will find that technology is actually very, very small slice of that. Instead, you have areas like services, oil and gas mining, health care, the list goes on somewhere around there is the space. But then you double click on the IT space and you realize that even within the information technology space, the vast majority of the companies that actually matter in terms of their financial performance, they're anything but cloud native, right? They are going to be tech forward. The reason all of those things matter is because over and over when security engineers are looking to start companies, they go back in their memory to all the companies they've worked at and the problems they've experienced and say, I'm going to solve that problem. Ramen McCarthy contributed a blog post to venture and security talking about the fact that security engineering is not the future. It is the present. It is just not equally distributed. I tend to agree with that thought. There is a big divide between the types of companies that are able to afford and have reasons to hire technical security talents, such as security engineers, security architect, and the kind of companies that just don't have the reason to do it. I don't think that divide is going to disappear. If anything is going to get even bigger, meaning I would not expect that over the next decade, we will start seeing a huge demand for security engineers at the types of companies that are currently not hiring them. Oh, fair. Yeah. So if an oil and gas never started with engineering, they're not going to start managing it tomorrow as well. Yeah, fair, fair point. And that ties in well with what you said about the GDP of any market, the listeners or watchers may be on. They may be in a market which is heavily on oil and gas or mining. I'm going to give the example of Australia because I was my previous market. They were banks, but oil and oil and gas mining was a big thing. It's still is a big thing. I think the number one thing in Australia is still mining. They also don't necessarily have the incentives to buy security. That's right. Yeah. Because if you're a SaaS company, security is very much a part of what your customers expect you offer. If you say that, hey, my value proposition is that I store your data and I do something with your data, one of the questions a customer is going to ask, is my data going to be secure if I share it with you? If you, however, are talking about retail, there is less of that incentive, right? Whenever I go and buy to buy a chair, be it to IKEA or to any of the other places, how much do I care about my purchase data being lost? I do care about my credit card details not being shared and that's where PCI comes in. But apart from that, I don't care all that much. There is this mismatch where the vast majority of the market are companies don't have incentives to invest in security, but they're the ones that need security the most. The difference you can make as a security practitioner by helping a company go zero to one is much more impactful than helping an already mature enterprise get just a tiny bit more mature. So to summarize, secure engineering and data code, it's the present, what would it become in the future? Is it going to be still replaced by your services or replaced by, and I'm still talking 25, but if you want to go next five years, more than happy. Generally, I don't know if that's going to change all that much. I think the vast majority of companies are going to continue accessing security expertise through comprehensive solutions they buy from Evander. Whether Evander is 60% product and 40% services or 90% product and 10% services or 90% services and 10% product, I don't think that should matter to an end user, to an end customer. It shouldn't. And so what I think we will continue seeing more and more is that security vendors or providers of security solutions will continue accumulating that security expertise while the rest of the market will be accessing security expertise through those vendors. And then the top one or two percent of the enterprises will continue doing what they're doing today, where they have an in-house security team. Oh, actually, that's a good point as well, because what I'm calling out to what you said about the GDP or different countries, the market itself is quite spread out. It's not that everyone's an enterprise. It's not that everyone's SMB. That could change. I think we get a lot of questions sometimes. So we started something called a cloud security bootcamp to educate more people on cloud security because there was no good knowledge on it because there was a training gap, whatever. As we went through that over the past one, you know, so we also realized that problems that were being faced by a engineer and an enterprise were very much for lack of better word siloed. They're the ones who are like, when you hear a vendor talk about, hey, get the engineering on board, get these people on board, and the SMB, engineer is a security person. Engineer is your deaf side cost person. Engineer is the one doing zero trust. And at the same time looking at performance, optimization, cost, all of that, they have to do a lot more than just be a cloud security person or a cyber security person. One of the ways in which cybersecurity is not necessarily unique but different than plenty of other industries is that in many tech markets or sub segments, you can build a solution that you can sell to a mid market or to SMBs. After you establish yourself in that market, you can move up market and start selling to the enterprise. For example, if you're talking about a task management tool, I can be an individual that uses a task management solution for myself. I can bring it into my 45 people company. I can get it adopted there. Once that solution has gained enough credibility, they can start moving into the mid market enterprises. Then they add a bunch of security capabilities, which realistically speaking, sadly, would be SSO and old that log support. Or ISO compliance, whatever. And like, better are back. And then they become an enterprise solution. So they can start selling to enterprise. In security, the problems that the mid market is experiencing and the way they are looking to solve it are often very different than the problems that large enterprises are experiencing and the way they're looking to solve it. Security solutions targeting mid market or targeting SMBs in particular, they're really like this Swiss knife products. You have all kinds of different offerings bundled in one place. Large enterprise, on the other hand, is much more inclined to get the best of breed that focuses on this one problem. And then another best of breed product that focuses very specifically on this other problem. It's better if they're all offered by the same vendor, by the platform providers and so on and so forth. But the mindset is still very different. Yeah. And I guess to your point, the takeaway for people who are watching a listening to this would be, if you are someone who leans more on the technical engineering side, you're passionate about it. Then if you are looking for a new job, perhaps in 2025, you're probably looking at what are some of the companies that will continue to do engineering. Now, in terms of the other aspects, I also wanted to talk about, there is a cloud security space, there's a data security space, there's so many spaces in, I'll just do a quote you earlier, hashtag Jenny, I evolved, I feel living in as well. What are some of the markets that are top of mind for you at the moment that you see, you be top of mind for 2025. I'm a big believer that trends are temporary in order for you to succeed in life or insecurity or in anything else, like you can be as specific or as generic as you want, you have to stick to fundamentals. And I think that is very much true in cyber security, where if I were to think like, what were some of the problem areas that people paid attention to three years ago, I would probably say email security, endpoint security, identity. I think there was more attention paid to network security at the time. Card security is still there. If I'm looking at 2024, what are we paying attention to? Identity, cloud, email security, endpoint security, email security, cloud security, identity, endpoint security, there is also vulnerability management, patching, those are the fundamentals. The problem areas have not changed dramatically, in my view, because realistically speaking, if attackers are successful using the methods and techniques they have been using for quite some time, why would they change? This is where the difference is between the attacker mindset and the defenders mindset. Attackers care about results in their case are very easy to measure. Did I achieve the goal? I was setting myself to achieve or did I not? On the defense side, investors fund a certain market category. Startups in that category, after getting money from VCs, now have marketing budgets. So they're starting to actively educate customers or prospects about the problem space they're tackling. Is that the right thing to do? Absolutely. That is how I believe the industry learns. And this is where I disagree with a lot of the security leaders and people in the cybersecurity space who say, "Oh, there is too much marketing. There is too much this and too much that." Look, there are inventors, there are security practitioners who come up with better ways of solving security problems. I don't know who came up with MFA. I genuinely don't. But in order for the MFA to get adopted, RSA first had to build RSA tokens, then do a security, had to build their own very intuitive MFA experience, then you be key and similar hardware key providers had to manufacture those and supply them. All of those vendors had to go to the market and educate the market that, "Hey, MFA is important and here is why." I am not making a statement that cybersecurity vendors are solving all the problems. My statement here is that whoever comes up with new ideas is not centralized. Researchers at universities come up with great ideas, open-source software developers, launching projects on the side, on top of their full-time jobs, come up with fantastic ideas. At the end of the day, somebody has to take this idea, turn it into a product, sell that product and educate the market about it. Sales is not a dirty word. Sales is how we solve problems. Going full circle to the question, the problem areas and what people are paying attention to, those are the same problem areas. It's just that we will never be able to come up as a perfect solution. But maybe some of the tools that we have today could equip us to build a better solution than the one we had before. But the problem areas are still the same. Still identity, still cloud, it's still endpoint. As long as attackers are going to be using the very same methods that they have been using, for as long as ransomware is going to continue being a problem, the way we solve those problems is also probably not going to change all that much. Yeah, and maybe a lot of the data security in there as well as 100 percent. Yeah, because I think the only reason I say data security to be called out separately is because I think a lot of security people had data policies and stuff that they thought they were doing for data security. Gen AI kind of exposed that to the point that we have a policy but no one implemented it. And I think it's like the other side of being a practitioner is that you may have the best of intent, you may have the best of cyber security products. But if you can't align it to what the business wants to do, it fits Gen AI. It is Gen AI to be enabling them in a way that is at least balancing the risk to a comfortable point. So the number of cyber security vendors we have in this space in the moment, they're all focusing on both sides, the defender side, the attacker side, heavy to threat intelligence. We find out the threat before you even find it. We are on top of CV for you. And then the other side is like implementing cyber security products for bugs and everything as we found. We spoke with this earlier before we started recording about the general IT world. If you are looking into how cyber security fits into it, there is the people who are creating the product. And then there are other people who are supporting in the background to what you said, I may be an oil and gas energy, health, whatever. My main business is looking after Ashish when he's sick. It's not to build the best technology that I can put on his trap or a wristband that he walks around telling him how many steps he did because he walked from point A to point B or whatever. We're primarily just supporting a existing business. If no one spoke about, hey, there's a better way to get from point A to point B, you don't have to go on a horse ride. You can just get a car. If no one spoke about it, people never find out. So I think the reason I bring that up is because on the defender side, how do you see that cyber security landscape in terms of you had a blog about open source as well, then there was a whole blog about engineering. Obviously, I feel like that's the next natural step after security engineering. We're like, am I building? Am I buying? Which every decision maker has to do it with? So as a person who looks at the market, how do you see that done wrong? From a GTM perspective, what are your thoughts on how people should approach the building, accepting that there would be people who would always build? Where do you see that go? Specifically for vendors who are probably building today, what is the right way to approach GTM for that? Again, it comes down to the market and the problem you're trying to solve. And I think that the answer is going to be true for basically just anything around go to market and around product management. If you're building something that you believe could be solving an existing problem better, then it better be 10x better, not just incremental better, because you will have a hard time to get it adopted. If you're building something that targets software engineers, you're probably going to have a very hard time because software engineers don't have incentives to think about security on their day-to-day. If you're inside an organization, if you're a buyer of solutions and you're thinking about build versus buy, then first of all, you're probably a software company or you're probably representative of that 1% like that top one or 2% because the best measure of the company is don't have an option to build. Interesting. What do you build? If you are a factory that manufactures some asbestos products, you need to ensure that all of your machines on the manufacturing floor are going to be available and are not going to be ransom. There's plenty of security needs that you will have, but you have no talent to build anything. If you are indeed like the kind of organization that has the luxury to be able to afford the talent that can even build, then I think the question you have to ask yourself is this unique to my organization? Is there a real need for me to build? Because in most cases, the reality is that there isn't. And so I think when AWS started, it had this concept of undifferentiated heavy lifting. And I think that most security solutions built in-house are precisely that. They're undifferentiated heavy lifting, meaning they do not help the company to build anything proprietary that would help them generate more revenue. They don't help the company ship better products. They are simply solutions built by engineers. The engineers are passionate about specific problems and they want to get promoted. And there's all kinds of incentives that are at play. But in most cases, the number one driver is not that there is not a good enough solution on the market. Now, there are plenty of emerging problems when there isn't the right solution in the market, in which case you have to build. The usual way those tech forward, cloud, native venture-backed companies adopt security solutions is that if they run into a challenge that isn't yet being addressed by any of the existing vendors, and they have the right resources, they can prioritize building it, they will build it. But the moment there is a vendor on the market, even if it's a small startup that reaches out to them and says, "Hey, we are building this thing that you probably have built in-house." It is usually smarter to abandon the internal development effort and become a design partner for that company. Because over the long term, it's going to be cheaper and better if you can, instead of building everything in-house, if you can just help shape the direction of a startup so that they ultimately end up building probably like 80% of what you need. Because in most cases, 80% is good enough. There are however cases when the problems you're experiencing are the kind of problems that just nobody else is experiencing. In each case, of course, you have to build. There is no doubt there. But I think what happens much more often in practice is that decisions are being made about building that are prioritizing the individual aspirations of people interested in building over the business needs. But you cannot charge people for doing it from the individual standpoint. It makes sense, right? Because if you work in cybersecurity, the work you're doing is fairly mundane. You have to focus on business priorities. And a lot of those business priorities, they're basic, right? They're not easy to achieve. But they're also not the most exciting. You're building some automation script, you're doing all of that stuff. So whenever a security engineer finally gets to build something they're excited about, it just makes sense. It's funny because a lot of products these days try and cybersecurity vendors specifically. They will try and talk about developer-friendly environments. But most environments aren't developmentally because they are creating to what you said, revenue building features, revenue building products. They are the main source. We are there to support them. So we're not there to be blockers. Hey, how can I enable this in a way that we don't get hacked tomorrow? I definitely find the cybersecurity market at the moment is divided into two where vulnerabilities, when people think about that, they think about CVs, third detection, hey, this is a detection response. I have a new CV that comes out. There's a vulnerability. I'm on top of it. Zero day, whatever. Throw another acronym if you want. And the other one, which is a misconfiguration where we have many C acronyms now and there's a long list and they keep maturing all SPMs as well. Do you feel they're different markets? Honestly, I don't think it matters. Maybe, see, I'm not a deeply technical security practitioner. Neither am I a good philosopher. I'm a prime matter. Yeah. Right. So for me, it doesn't matter if it's a vulnerability. The question is, does it impact your business? Does it impact your ability to stay operational and generate revenue? If the answer is no, then it doesn't matter. Even the question of data loss. And I'm sure this, like what I'm about to say is not going to age well. I'm probably not setting myself up for success. But I still will say it is that the reality is that when you talk to security leaders from different organizations outside of SaaS specifically make this statement outside of SaaS, and you ask them like, what is your biggest concern? It's not data breach. It never is. It absolutely never is. It is, how do I stay operational? How do I make sure that my business keeps running? Now, there are types of companies that actually care about data breaches and they're not publicly traded organizations. They're not your oil and gas, your mining. The only type of companies that actually care about data breaches and data loss are SaaS providers. Because when you're a SaaS provider, you're selling trust. You need people to trust you. When you're not a SaaS provider, it doesn't matter. It very much matters for us as a society. It matters for individuals whose data get lost. It matters a lot. But we have become so numb to the idea that there is a data breach. I remember I was a speaker at a security conference about a year and a half ago. Somebody on the stage was saying the talk had something to do with data breaches and how we should be mindful and all kinds of different things. The whole premise was that data breaches are incredibly bad because they impact the perception that people have above the business. They impact customer trust. I asked people in the audience who were all security practitioners, how many of them have stopped using their favorite ride sharing app when it got breached? Not a single hand went up. That to me is the point is that in the world where breaches happen every single day, the fact that somebody gets popped is no longer a reason for you to not use their product. Now, you may argue that there are examples when a security company gets breached several times, in which case there may very well be a loss of trust. But even then, if they're so deeply embedded in the company infrastructure, how many companies are going to say that the number one priority for the business this year is not revenue generation, ensuring efficiency, enabling employees to achieve efficiency, leverage new technology, become more productive. And instead, it is going to rip out this tool that really otherwise works fine. I'm not saying that's the right approach, but pragmatically, that's how I'm thinking about it. So going back the sort of full circle to your question, honestly, I don't know if configuration mistakes are vulnerabilities, are they not? I don't think it matters. What matters is ultimately, does it lead to the kind of outcome that you're trying to avoid? If the answer is yes, how probable is that? How likely is it? I think that is where a lot of what we think about insecurity doesn't translate well into business outcomes. Yes, there is this vulnerability we've identified, there is this 10,000 CVEs, which of them should we fix? Just because they can be exploited doesn't mean that they're being exploited. So how do you prioritize? I do think that as an industry, cybersecurity is dealing with the kind of problems that, sadly, most organizations are not really incentivized to solve at the core, even though security is number one priority, security is a stated priority, depending on your compliance regime. I believe that there are only two reasons why companies invest in security. One is sales enablement. So what do we need to either remain in business, if we do not satisfy some compliance requirement, and the government comes after us, they can shut down the company. So we have to make sure that we can remain in business. Second bit, part of the same sales enablement, we have to make sure that we can continue selling. Why are Sock two automation tools so popular? Because they come into startups and they tell them, hey, startups, do you want to sell to this large enterprise? Guess what? For you to sell to this enterprise, you have to get Sock to compliant. That's a good argument. So the other argument is fear. And if people are afraid of something right now, what are people are afraid of? Ransomware and Genai. So if you're building something that prevents ransomware or helps companies deal with Genai, potential mistakes that they're afraid about, that is going to sell. That does it mean those are the only problems that have to be solved. In fact, there are plenty of problems. There is a problem with cloud configuration and point security, email security, phishing, and all of that. But at the very fundamental level, what people are going to be drawn to, and what people are going to be looking to purchase, are first and foremost, cells enable what enables the company to generate revenue. And then second, what am I really afraid of? And I guess to your point, the word that you use from an Amazon perspective, it was, what was it, the undifferential heavy lifting? And I guess this is one of those where it would be a heavy lifting that's probably not needed. But if you can automate that piece, it's already enabling you to go faster into the market, use hills, and granted with talking specifically about startups versus enterprise. Even in the enterprise context or a large meaning size, sales is still the reason why security exists, because you're building trust in the brand that, hey, I want to buy a shoe from Nike because I trust the brand. It doesn't have to do anything with the fact that I'm passing my credit cards from which I would never buy a new version of shoe or whatever. I trust the brand Nike, but the day I find out that, hey, they've been selling my day to the background, I would stop buying. Even when there was a bank breach, how many people actually change the bank account? I know people who have never changed the bank account for 20, 30 years. But that's an interesting thing. I think banks are a very interesting example of something that is so fundamental. And yet we don't talk about this often enough. What happens, your credit card is compromised. And somebody uses it to buy stuff that you don't want. So what happens? Usually the fraud department picks it up and they funny the money and issue a new card. Then let me ask you this, like 100%, like it happened to be like one sort of vice. Oh, I think twice. What is the incentive for the individual that became a victim of fraud, of credit card fraud, to change their behavior? Nothing like the bank abstracts the way the complexity of dealing with like fraud and so on and so forth. And just let's the individual continually living their life the way they've lived it before. There is also a sentiment in cyber security need to start caring about security. My question is why? What is it there? They should compel like an average person to start caring about their security. Now, I'm not saying this as somebody who does not believe that they should. Like I do, I will come down to incentive design, right? And people's fears. And at the very basic level to them knowing somebody who has suffered a cert from identity test, for example, there are plenty of those cases and they're very sad. Like they're truly unfortunate. But I don't actually think the vast majority of the people feel like it relates to them. That said, the number of security incidents is at its highest, right? Like the number of cybersecurity breaches continues to climb. Now, if you are an average person watching TV at home, you're not going to hear anything about security breaches, because it's boring. People don't understand cyber. Instead, you're going to hear that, oh, there was this shooting and this stabbing and this and that. And so because people have a lot of exposure to data about the crime, they believe that the crime rate is going up. It feels more real. Yeah. Yeah. Yeah. There are all those factors that just don't necessarily compel an average person to start caring about their security. But that's why a lot of the conversations that security practitioners have is like, people need to start caring. But why? What is the impact? Is my social security number floating somewhere on dark web? Probably. Can it have impact on my life? Absolutely. Yep. Is there anything I can do to prevent it? No, because when I'm signing up for some service and it asks me to provide social security number, I have no choice. And I want to use the service. So I'll have to provide them my SSN. Will it get breached? Probably. Yeah. So we have, as a society, become numb to this, sadly. And obviously, it may change over time. But also, right now, I don't think it is changing. Switching gears from security engineering and messaging for security. Are you seeing, in terms of, if I were to put the five things that you called out, email security, endpoint security, cloud security, data security, all of that, in this market, do you see people who are applying or thinking of building a startup in this email, network, endpoint, whatever, just pick any category? What should their approach be for GTM? You're asking me to solve a fundamental challenge of the industry. No, I ask you because I feel like you have one of those perspectives, which is a non-cyber, because all of us come with a bias in cyber security. I think probably two years ago, I would agree with you. At this point, I have as many biases as everybody else does. I am so deeply entrenched in the way we insecure the thing about stuff that I time to time, I ping my friends who work in other spaces. And I'm like, hey, this thing I am seeing, is this real or is this just me being completely out of touch with reality? And by the way, I do think that there is also application security, which we are not calling out. And that's also fairly fair. If you are thinking about go to market, like if you're thinking about sales, if you're thinking about product, you have to go back to first principles. What is the problem you are trying to solve and who has that problem? And if you do it, then you will quickly realize that there are different buyers for different security solutions. And there are different patterns that different types of markets follow or not follow. For example, if you're selling a security tool for application security, then you're really talking to security engineers. You're talking to heads of AppSec or ProdSec. You're talking to Sysus. You're not talking to CTOs. You're not talking to software developers. They're not going to be buyers. In fact, the more you can build a product for a single buyer, the more likely it is that you're going to be successful. Because as soon as the buying decision involves more than one department, you're screwed. You have a product that needs to be approved by software engineering and security team. It's a much harder sell than if you have a product that only needs to be approved by the security team. And the friction of adoption also matters. You can have two cloud security solution, one agentless, one with agent, which one is easier to adopt. Oh, well, agentless. And each one is likely to get successful, agentless. Yeah. And that is where a lot of the security purists struggle, right? Because if you care about the depth of security, then having an agent gives you more depth. But from the customer perspective, it's the ease of use. Now, if you're looking, for example, at identity, most identity solutions are actually not bought by security. Identity is an IT problem. Corporate idea. A bright idea. And if you were thinking about solving a problem in identity, and you only talk to scissors or security engineers, you will miss the point and you will build a product that isn't solving the problem for people who are actually going to be evaluating a buying. And like, the same applies to basically any other part of the market. You have to start by understanding what is the problem space? Who has that problem? Who cares about that problem? Different types of people will care about different aspects of the same problem. The thing about, not just security, but anything else, is that we like to think that ideas we have are new, and that in order for you to be successful, you have to come up with some new ground breaking approach. The reality is that most of the markets that exist today have existed for a very long time. And if the market has a track record, several successful, large-scale privately-owned companies, it's a big market. If that is not the case, you may be betting on something new. But you better have a good answer as to why that newness is going to translate into something big. But when you think about the fact that the vast majority of companies do not have real incentive to spend money on security, that means they will only be doing the minimum that is mandated by compliance by their customer expectations. And the budgets are finite. So if the budgets are finite, then a lot of the products categories that are seen as optional are not going to get as much attention. It doesn't mean, however, that those are not the right problems to solve. What it does mean is that you have to be very realistic about the type of company you're planning to build. It's an interesting one because a lot of people want to build start up. They hear big evaluations. They hear big raises. Someone's going to be bored by someone else, or someone has already been bored by someone else. I think maybe you and I were talking about this. That is the 1%. It is not the majority. My question is, do you agree? If we are only seeing the exception, nor to the majority. And when people aim for that kind of big evaluation, if someone is walking into, hey, I want to try and find a problem in cybersecurity, how do I value this as is this a next billion dollar idea? Or to what you said, you're going to be profitable, but you're not going to be the next 100 million dollar company. I think that's a wrong lenses to look at the industry from as an industry. We have a plenty of problems to solve. We should focus on solving those problems and doing it well. The company valuation is secondary. At the end of the day, if you're solving a real problem, you're going to find customers. If there is enough companies that experience that problem, have a budget, there are many of those parameters. But the thing about security is that it is such a diverse space. You talk to 60 companies of similar size, maybe similar industry, and you will get 55 different perspectives. You will ask people like, hey, what are you prioritizing over the next quarter? And you will get 48 different perspectives. And so at the end of the day, I believe that the fundamental problems remain. You had so many different attempts to ensure data security, but the problem is just so big that it's not going to get solved over the next year and a half. There's still going to be room for somebody to do it better, to maybe specialize on a specific type of customers, industries like maybe choose to go through MSPs instead of going direct, or maybe choose to go through partners and resellers. I think those are all hard problems. And frankly, listen, it's not that I'm not struggling with finding answers to all of those questions. Everybody is, the market is overwhelmed with the number of solutions. Yeah, I agree. There's a large number of companies competing. There's a large number of companies trying to survive. And there's a large number of companies that are probably not going to make it. And not for the lack of trying. The company is built by incredibly brilliant founders and solving real problems. It's hard. But I do believe that there is more than one way to succeed and getting to a billion or however many wherever numbers you've used getting to that valuation is not the only one. Interesting. I'm glad you called out this because the way I've seen the product space and how it goes back to the GTM as well. A lot of people would look at that as hey, that's why and it's nothing wrong in having a big game. I think people should have big games in their lives. They can go broader than cyber security and find out, oh, there's a much bigger market there. I can probably find a lot more customers if that's what the goal is. I think what I find interesting in what you just said as well about it's a complex market at this point in time. I also feel the market is going to a point where it's hard for me to differentiate. From one product to another, you could look at the biggest player and you could look at the medium plus highest player apart from the number of features that I can count on. It's really hard for me as a practitioner to decide outside of budget requirements. Should I go for the Ferrari or should I just go for the Toyota Camry? Realistically speaking, how do you even test what different products offer? I find that question fascinating. One of the articles on venture in security is about the fact that cyber security is a market for silver bullets. Again, I did not come up with that term, but I find it absolutely fascinating. The reason that this is the case is because there is this assumption several years ago, probably about 20 years ago, there was an academic article written on this exact topic on the fact that many people believe that security is a market for lemons. I don't know if you're familiar with the definition, but the idea being that many people believe that when you look at the security market, the buyer doesn't really know what they're buying, but the seller knows very well what they're selling. When you look at the security vendor, many people assume that, "Oh, they really know what they're doing," but through their complicated marketing, they make it hard for us to figure out. What that article about security being a market for silver bullets, what that article discussed is the fact that neither the buyer nor the seller actually know what is being sold or what is being bought. I generally recommend reading the original article to understand what it is about. If you're not interested in like an academic paper, you can read a venture in security article, but what I'm getting at is that when you're buying and pick your favorite category, it doesn't matter. When you're buying an endpoint security solution, how do you know that vendor A is going to offer you a better coverage than vendor B? Are you truly going to simulate all known types of attacks to understand their coverage? More importantly, how do you deal with the fact that depending on your environment, and depending on what's happening in your environment, the way some of them may get detected is going to be different? How do you deal with the fact that you can only simulate every single attack possible? You can only do it with the known attacks as of today. Tomorrow, something new is going to come up. How do you know which of those two solutions is going to be better positioned to address the threat landscape of tomorrow? The reality is, you don't. Because it's a time constraint as well. You only get four weeks to test it out. Correct. In a large enterprise, you can't even deploy one application in six months, but it's supposed to test a product is going to be there on a two-year contract within your organization based on your research or analysis of four weeks. It's probably going to be longer than four weeks, given that the cell cycle these days you can take for two years. But I guess the meta point here is that if you're buying an accounting tool, you have a much better chances of identifying the capabilities you need that tool to provide and of being able to test the capabilities. Most security products are black boxes. You're buying a thing, deploying it in your environment, clicking this big red button, activate shield, and now you're secure. Now, how secure are you? It's really hard to answer, but it's also impossible to compete on efficacy. It's impossible to say that, hey, this product offers like 97.2% coverage. We do 90 input for nobody cares. At that level, you don't really have the ability to assess what the greatest claims are real. That is why marketing and differentiation are so hard, because you're just building a better mouse trap. How do you prove that it's a better mouse trap? It's funny, this article about security being a market for silver bullets had a quote that made me laugh. And I'm going to butcher it, but it goes something like this. You bought box that is supposed to light up if you spot a unicorn in a room. You walk with this box to a room, and it doesn't light up. Why? Is the box not working? Or is there no unicorn? And that is how we're thinking about security tools, right? This tool did not detect anything today. Does it mean that there were no attacks? Or does it mean that bad guys are already on our network? Yep. But we didn't see a detection. And so that is the state of security today. And I'll probably add another layer from a practitioner lens as someone who has had teams. I think, in fact, when I did evaluation, we normally go with the defaults that are there by the provider in that four week or six feet or whatever that long the duration is. The cloud is a good example, because initially the problem statement is a lot about visibility. Because people were told that, hey, you don't have enough visibility. How many resources are there? Look at the large footprint you have for cloud blah, blah. And you get the agentless version, you get the point that, hey, you know, what time to value blah, blah, you get there quickly. But what people failed to miss was they would create detection for products that are the most popular or more common across a wide majority of, they can't build for every three or quite about single person out there. Now, you may be in an oil and gas industry, and you've bought whatever the popular cloud security part is, and you've done the default check. Oh my God, 10,000 alerts. This is exactly what I needed. Let me just sign the check right now. There's service you use, which you don't color would love to talk about what I could look like. My assumption. And I would think that people on the other hand would do their due diligence and go, these are the common services we use across the board, because we have done our analysis. The person on the buying end thinks that they have done their due diligence. So the defaults are pretty much what I need to care about. The person on the other end assumes that the practitioners done their due diligence, they clearly know what the use cases are, because clearly they're passing my demo or whatever the testing period is. So we're all in the end happy. And then one year passes by, contracting will come soon. Suddenly, actually, we still had a lot of alerts, we had to create custom things for any like, yeah, but you guys passed the test. Yeah, I find it fascinating that the rate with which security tools get replaced in an organization is incredible. But you also understand that the reason why that is happening is because you already know what the gaps are. Let's just say two years ago, you got a new tool and it doesn't matter in which category that tool exists. You got a new tool and you've implemented it at the time, you thought it's going to solve all of your problems. And it solved some. It didn't solve the others. So now two years later, the time comes to renew the contract and you look at that tool and you're like, well, so here is the list of 40 things that it does not do well. Let me go and see if there is another tool that does 40 things better. You go to the market and look at that. And indeed, there is a great tool. You take your 40 items checklist and compare this new tool against it. And you're like, Oh, yeah, that's fantastic. Yeah, you know what? We're not going to renew this other tool. You're going to buy a new tool and you buy a new tool. But what you miss is that the 40 items you had on your list were items that this other tool was not good. And so the new tool that you bought is going to cover for maybe not 40, but like 20 32 out of 40 gaps of the other tool. But it will have its own gaps. You did not test for because you didn't know what to look for. You didn't experience it. Now two years later, you have another list of another 40 or 60 or gaps that this second tool has. And you're going through this game of musical chairs, hoping that there is going to be this magic tool. And there isn't one. No, everything comes with straight ups. Most of the times that either I have replaced products or my other see so fantatively placed products, I've lost the budget and I didn't have the money for it. So I had to go for a cheaper product. Sometimes that's a call that's a fair call as well. It's a business. Sometimes the call has been that I was on a two-year contract, but it's really hard to implement. I'm talking about the dinosaurs of the world and some of them in the identity space, some of them in the other space as well. And you realize that they are the biggest player. Some of them are really hard to implement. Like you bring in a partner, consulting person, it's like you're building a spaceship inside your little tiny silo of security. But there are reasons why that is the case. Like identity, I think it's a great example. Every organization requires custom configuration for identity, for example. Then you need to build a product that is generic enough to fit all of those custom expectations. And once you have that Swiss knife, you need to have somebody that would configure it. And so every product starts simple over time it grows in complexity, because the complexity required to serve large enterprises is just high. Like look at some of the CRM platforms, look at Salesforce, for example. You look at it today and you're like, "Oh my god, I need to hire a team of consultants and to configure it." But when it started, it wasn't that way, right? The bigger and more successful something becomes, the more, bells and whistles it needs to get it for a bigger market, more from the false. Some others just think about it in very practical terms. Like this large customer comes to submit a feature request saying, "Hey, if we need a button in this UI, because we need this button to do XYZ because that is a requirement for our environment." Okay. You can push back as much as you want, but eventually you will have to agree to something. Once you agree to something, once you add it, you are not going to add that as one feature for one customer. It goes for everyone. And now everybody has this capability somewhere in their UI that they can find, they can select, but only one customer out of 10,000 users, or maybe five, or maybe 10. And that increases complexity. And so that's why you have this process of bundling and unbundling. It's always cyclical, right? You have a product. It starts simple. It's very user-friendly. It is user-friendly by the measures and criteria of its time, because the definition of being user-friendly has changed. Like 25 years ago, or like 30 years ago, being user-friendly meant you have a manual. You had the 60-page manual that describes every single feature. That's what user-friendly. Now a day, if trying the product takes longer than installing Uber app on your phone, you will get frustrated. Yeah. That's a good point, because Apple does this really well, because everything you buy, there's a manual, most people just throw it away. There's a zoom, it should be easy to do. And Apple, I'm a bit of an Apple fanboy, but I think I realized the first time I bought a MacBook and iMac or whatever, it was just the easiest thing. I just had to open the damn shit, and it just basically works, right? And walked me through the entire thing. On the other end, when I was much younger, I started to have my computer myself. There are so many questions I had to answer. What operating system, what hard disk, what RAM is enough? Am I going to be playing games? Am I going to be just watching internet? What am I doing? To bring it back to what you're saying, it is definitely a lot more complex as you grow in size. Sometimes that is a different share as an opportunity for the startup to come in and go, "Hey, I do those 20 things very well. I just focus on those 20 to begin with to be a differentiator so I can become the complex thing tomorrow." And that's exactly how all of it works, right? Yeah. My head off for a color. Every single platform has started as a point solution. What differentiates the platforms versus companies that remain, manufacturers do. One of those factors is that a point solution started in a big market, where the founders were able to execute well, like, turns it to a platform. Sir, and to your point, it may be the complexity that leads towards demise later on in terms of losing a customer, but isn't that ultimately what you want? You want to keep growing the business? I love this. I do. I'm just conscious of time as well. So last question is around your book. What's it called? Why self-publish versus going for... There are two aspects that I want to cover. One was the cybersecurity vendor space, which we have done. The other one is the book writing authors, like a lot of people writing books. Why go down the path of, "Hey, what made you think of a book? Why self-publish it? Why not go for one of the other popular publishers?" What made me think about the books? There are several factors. The number one being that one day I woke up and realized that I have a 25% of the book already written. I have been writing a blog for several years. And the topics I have been discussing are the very same topics I wanted to expand on, and I wanted to combine it into a cohesive experience. And I was like, "You know what? I'm not staring at a blank page. There is already some material and learnings accumulated. So I'm not starting with zero." And what I'm doing is that the moment I sat down to write it, I had literally probably 20-25% of materials already sitting there that I could build upon. There are plenty of reasons why I wrote the book. One of them is deeply psychological. I write a blog every single week, and I've been really consistent about it. There are many learnings that I would like to share. I realized that I myself don't have time to read blogs. I don't like it. Man, I've read so little. I don't have enough time for podcasts for reading blogs. I have more time to read a book than I have to read a blog. Every time I get a blog post in my inbox, I'm like, "What is this thing I'm gonna be about?" I click, I look at the subject. Am I really interested? If it's not a yes, it's a no. So it goes to archive. It goes to delete. I have one folder and my email that is to read, and I will stuff interesting stuff in there, and I will never, ever get back to it. I'll never read it. I do it without fail. I don't know why. It's like a ritual at this point. In order for me to read a blog post, I need to find time during the week. I need to be in the space where I have the time. I have to open my email. I'm like, "Oh, yeah, there is this blog post. I have to then allocate, like, you know, 20 minutes of my time." What I came to realize is that the time budget that people allocate to a book comes from a different spot. The book does not compete with your email. If you're reading a book, that means you have a book somewhere on the side, and you will keep getting back to it. Now you're not competing with every single email, like every single describe. If you made a decision to read a book, you will have already pre-committed several hours of your time to this book. If it's not shit, you're going to read. I came to realize that I have so much stuff that I wrote over the course of the years, and any new subscriber will start at the blog post that is the latest blog post at the time when they start reading, two years. So I wanted to find a way to summarize just to bring together a lot of the knowledge, experiences, perspectives, learnings, and things that I've accumulated over the course of the years, and make it easy. Just something that people can read on their own time without having to compete for the same time budget that every single social media post. By self-published, again, first principles. What is the problem I'm trying to solve? I'm trying to get in front of people interested in the business side of security. Who are those people? Security practitioners interested in the business side of security. Not a huge segment, but there are plenty of people who are interested in startups maybe thinking that one day I may start something on my own, or maybe they're open source maintainers and they're like, "Hey, I'm interested in understanding more how the industry works so that I can make my project more popular or get in front of investors, for example, and convert it into a startup." There are startup founders. There are people working at security startups, right? Like on the market inside, on the product side, on the sell side, on the engineering side, on the partnership side, BD. So there is their venture capital, investors, angel investors. They're all of those people. Once I know who they are, where do I find them? And at that point, I came to realize that the answer is not in a bookstore. Where do you learn about new books or new articles and something? You go to your peers, you may go online, you may stumble upon something. You probably don't go out to what works my technology. But I came to realize this, "Look, working with a publisher means several things, good and bad. On the good side, it means that there is an entity that you delegate all the boring part about publishing the book, meaning you're just giving them the manuscript and they're going to handle copy editing, forward, layout, design, cover, design, marketing, sales, distribution, like all of that stuff. And that's fantastic, right? You don't have to spend your own money. The other advantage is that you get paid. If you submit a manuscript, somebody will give you a cash advance. That will depend on the amount of money. You know, it could be like a few thousand, it could be tens of thousands if you are experienced writer or like a high profile individual. And you get that money before you even know that a single copy of your book is going to get sold. That's a good deal. Right? So you haven't spent any of your money to publish the book. But I think the reality is that many of those advantages have a flip side and many of those advantages are not as strong people think. For example, marketing. If you think that a publisher is going to do the marketing for your book, you're mistaken. They will have some packaged offer. They may do some book signing here and there. But fundamentally, if you want your book to sell, you still have to go and sell it. You still have to go to conferences, go to book signings, presentations. You still have to do that. Like you're not exactly outsourcing responsibility for it. You will get support, but you still have to do that. That's great. But then once the book starts selling, you won't get any more money until you return the money that the publisher has paid. Right? And most books will never do that, meaning let's just say the publisher paid you 10K. And the deal is that you will get two dollars per copy. So that means you need to sell 5,000 copies. First, what's important is that the amount of money you will get per copy from a publisher is going to be fairly low, or at least lower than you would if you were to self publish it, because it just makes sense, right? They paid for editing, market, all of that stuff. Obviously, they're going to get the majority of the revenue and you're going to get a little. But at the very fundamental level, the book I wrote is not going to be bought in a bookstore. It is going to be bought on Amazon anyway. So if it's going to get bought on Amazon, I rather just find a way to sell it on Amazon. I had the benefit of having built a solid readership over the years. So when I published a book, I send an email to over 10,000 people saying, Hey, there is this book. And here is what it is about. And it became an instant best seller over the course of the day and a half. So I cheated because I had developed over the years that the following the people who were, if not necessarily sharing my opinions, at least found some of those perspectives useful and useful enough to pay 25 bucks. So it was too large degree about, Hey, this guy has been doing something semi valuable. So why don't I give him 25 bucks? That's really it. There wasn't a law on complicated process. But okay, there is one more factor, two more factors. One is I wanted to do things on my terms. Fair. If you work with a publisher, like you have a timeline and it's taking forever to actually do something. It can take you a year to get the book out. It took me much less. And I controlled my time. I hired a person to do copy editing. Like we've scoped out the project. I paid the amount of money, much less by the way, then then what some people would assume like it doesn't cost astronomical amount of money to publish a book. And then I got the result like it's somebody I hired is somebody who works for me. I had friends help out with different aspects of publishing. Like I had miscreants. Sure. Yeah. Amazing guy, amazing team. Do the book cover. There are a lot of people involved. But ultimately, it wasn't a new experience. And I owned the copyright. Because if tomorrow, I decide to change something. Yeah. I just upload a new updated PDF to Amazon. And all because they're the other ones who physically printing it. I just upload an updated file to Amazon and that's it. Every new copy printed from that one onward will be an updated copy. If I want to give away the book for free. Yeah. As a PDF, I just do it. Like my book, I decide by no means am I saying that working as a publisher is a bad idea. On the contrary, if your goal is to get a stamp of approval from a trusted institution, that's the way to go. If you are self publishing, you're really just another book. And in the ocean of books published on any platform, Amazon being one of them, it's much harder to get word out. But if you have that base, if you have people supporting you, it can also be easier. It depends on the resources you have access to. But for me, given my case, it just made sense to go that way. Fair. Awesome. Thank you for sharing that. I've got three fun questions that I normally end my interviews with. I'm not a fun person, so it's going to be very good. I mean, it's fun questions are fun. I just have questions of fun. Okay. First one being where you spend most time when you're not working on your blog or the products that you're exploring. So when I'm not working, I try to spend time with the loud ones and go out for a walk and go to the gym. But nothing extraordinary. When people ask me, what are your hobbies? I generally say blog is this one. I like watching a movie here and there, but yeah. Second question, what is something that you're proud of that is not on your social media? I immigrated to Canada 10 years ago, and I then moved to the United States, based in San Francisco. When I first moved, I was in my early 20s, and I did not speak a single word of English. I learned the language then. It was hard. It was a very interesting journey. So my life story is not a life story of somebody who just studied computer science and ended up in tech. I studied history. Oh, you're very studying history in college. So well, historian by train now, I did also the masters in business and all kinds of different things. My starting point in life has absolutely nothing to do with where I am now or what I'm doing. There is no connection between anything I was supposed to do a decade and a half ago and anything I'm doing today. The reason I'm mentioning that is because when you're an immigrant, when you're a two times immigrant, in my case, there are many things that are hard. Like you have to rebuild your life all over again. You have to do it in a different society of starting, if not from zero, then where? It was from zero when I moved to Canada. It was not from zero at all when I moved to the US. There are many things that are hard. You speak with an accent and some people don't understand once in a while, you get frustrated with the fact that it's not always easy to convey what you're thinking. You may have some deep thoughts inside, but you're saying some basic shit. That's hard. So when I published the book, that to me felt like an accomplishment. Not because the book itself is an accomplishment, but it's the journey that I've been through over the past decade from when I came to Canada to learn the basics of the language to when I wrote the book in English, and it became an Amazon bestseller. There are hundreds of people messaging me saying, thank you for doing it. That made me feel proud. That's great. I'm happy for you, man. Thank you for sharing that as well. I do have the book as well. So I think I was one of those people who were hanging on the roof. Thank you. You made me and Jeff richer. More than happy to support your journey, man. Final question. If you're stuck in an island, what is that one meal you would like to have? That's if you can only have one meal. Can I get a container of canned tuna? If I'm stuck on an island, I don't know how long am I going to be stuck there. So then it becomes a survival exercise. It's not going to survive on an apple strudel. You need some energy, right? If I'm stuck on an island, I need a lot of highly nutritious food. What's your favorite cuisine or restaurant that you don't need? I like Korean food. I like Korean food. I like Japanese food. I like balanced food, if that makes any sense. It does. Again, as I told you, very boring, very practical. It's all good food. A piece of protein, some carbs, some greens, that's the food of choice. Fair. I don't know if the reason why I like Korean very much is because you can get the lettuce, you can get some rice, you can get some beef, or some pork. It's a balanced meal. They can be able to find you on the internet. They want to follow your blog, newsletter. So venture insecurity.net is the blog. Check it out. Cyber for builders is the name of the book. You can find it on Amazon on all the Amazon sites, I think. And I'm fairly active on LinkedIn. That is the only social media I'm actually active on. I also have a half-dead Twitter or X page. And I have never had, I think I deleted my Facebook like about over a decade ago, never had the Instagram. So I'm super active on LinkedIn, but that is the place to play. Fair. Okay. I'll put those things in there. But thank you so much for coming on the show. I really appreciate this. Thank you so much for listening and watching this episode of cloud security podcast. If you've been enjoying content like this, you can find more episodes like these on www. cloud security podcast or TV. We're also publishing these episodes on social media as well. So you can definitely find these episodes there. Oh, by the way, just in case there was an interest in learning about AI cyber security. We also have a sister podcast called AI cyber security podcast, which may be of interest as well. I'll leave the links in description for you, check them out. And also for our weekly newsletter, where we do in-depth analysis of different topics within cloud security, ranging from identity endpoint, all the way up to what is the CNAF or or whatever the new acronym that comes out tomorrow. Thank you so much for supporting, listening and watching.