May 15, 2019 | 2 min read

Conversation with Rich Stiennon

Podcast #58: Exploring Secure Cloud Transformation

Richard Stiennon is a long-time industry analyst and author of Secure Cloud Transformation: The CIO's Journey. In the book, Stiennon explores the journey of sixteen leading enterprises around the world, including Schneider, GE, Fannie Mae, Siemens, Google, Microsoft and Amazon. One of the key points of the book is that businesses are currently in the midst of transitioning to Office 365 for email and Office tools. Our discussion explores how the adoption of SaaS applications becomes a starting point for technological transformation, and how Office 365 has had the most dramatic impact on enterprise IT infrastructure in decades. We also look at how networks are impacted by this transition, and most importantly how the paradigm of security itself is changing, and actually improving.


Secure Cloud Transformation: The CIO's Journey by Richard Stiennon

There Will Be Cyberwar: How The Move To Network-Centric War Fighting Has Set The Stage For Cyberwar by Richard Stiennon

UP and to the RIGHT: Strategy and Tactics of Analyst Influence: A Complete Guide to Analyst Influence by Richard Stiennon




Good day everyone, and welcome to another episode of the Momenta Edge podcast, and with us today is an old friend and a very special guest, Rich Stiennon, who’s an industry analyst and author of a new book, ‘Secure Cloud Transformation’. Now, a little bit of context, I’ve known Rich for many years throughout his experience working for different technology companies, being an outspoken and really insightful industry analyst for one of the largest industry firms, he’s very well-known in the information security space, and quite coincidentally he has just published a book, ‘Secure Cloud Transformation’, at the time that we’ve been focusing a lot on digital transformation, and I thought this is the perfect opportunity to bring him on, and have him share some of the insights from the book.

Richard, it's great to have you on the podcast.

Great to talk to you again Ed.

Well first, let’s start with a bit of context, if you could share for our listeners a bit of your background, and what’s brought you to where you are, and what ended up being the impetus for your decision to write this book?

I’ve been in IT security since 1995, that was with the start-up in the managed security service space, eventually ended up being the basis of IBM’s managed security today. Then I did a gig as an ethical hacker I guess we call them at PricewaterhouseCoopers, that was where I had my introduction to large enterprise because I did big railroads and banks around the US. But then I got recruited by Gartner as an industry analyst back in the early days, as the second industry analyst covering security at Gartner, and obviously the entire space grew dramatically in the four years I was there. Then I think you and I met when I’d joined a little company called Webroot Software in 2005 and lasted maybe two years there before I had the itch to get back on the podium, and have more people listen to what I had to say, so I started my own firm. So, I’ve pretty much been an independent industry analyst since then, with a few time-outs to take roles, companies like Fortinet and most recently a company called Blancco Technology Group that does secure data erasure.

As I came out of Blancco two years ago, I was looking at the changes that were happening in the industry, and I learned about new technologies through their security implications, I don’t pay much attention to drones or robots until they start having attacks against them, and then I started digging into it, and I start following the companies led by usually very smart people who recognize a problem and come up with the solutions. So, I follow technology through its adaption and visibility in the security spectrum. Two or three years ago there were dozens of cloud security solutions, and most of them were point products that tried to replicate what we had in our data centers and headquarters etc., they would rebuild them in virtual instances, and then figure out the layering and the reporting, so they’re valuable additions to your suite of security products.

When I started talking to CIOs and CPOs there was a much-much bigger picture, the cloud is transformative to their businesses, and the security there on top of it is going to be transformative to the entire enterprise security stack, and it’s going to have some implications for the legacy members, they’re my friends I’ve been following for decades! It’s really-really hard to make that transition from being a big iron in the plant center with the fastest firewall, the most throughput, the most connections per second etc., to trying to do all that, and the cloud can’t do it with just virtualizing this stuff.

So, I interviewed 18 CIOs, CTOs, 16 of them made it into the book, and their stories to me were fascinating, and they were a whole value to the book, I would say it coached the book and put it inside a story arc that takes us from the transition, to applications in the cloud, to the networks transformation that has to occur for that to work properly, to learning and security on top of that. So, that’s the story arc, but then the 16 contributors had their own stories, at Siemens, or Schneider Electric, or Fannie Mae, how and when they recognized that the cloud was transformative, was something they had to do, and then how they either edged into it or a couple of them just stopped everything and said, ‘We are a cloud first company’. So, that was the origin of the book and the completion of the book.

Your perspective provides a great complement to a lot of the conversations that we’ve been having with some other folks on this podcast where we’ve been exploring the business impact of transformation. I’d like to go to some of the areas you’ve highlighted and drill in a bit, in the book you’ve really framed nicely the… we’ll call them the mega trends, and I think what’s really helpful to put the security needs in perspective obviously, is to start with the bigger trend. One big point that you highlight is the importance and the implications of cloud application adoption, I think a lot of people know that when you move from on-premise to cloud, there are different implications for the financial model, and of course the mode of delivery is different, but how is adoption of cloud applications different, and why is it important?

It brings me back to something I’ve observed over my 30 years in IT, in that the IT department which when I started was called the MIS department, which literally was a bunch of offices down the hallway with a sign that said MIS; they would resist all new technology, and they didn’t know what to do when you wanted to bring a PC in and put it on your desk, write your own memos and not use their DEC ALL-IN-1 solution! I saw them resist the introduction of email, I saw them resist the introduction of Internet connectivity, they resisted Wi-Fi, and it was always driven by people on the inside. And the same thing of course repeated itself with cloud with so-called shadow IT, but even the IT department would eventually sanction getting rid of internal CRM and using Salesforce for instance. We’re now getting rid of heavy-duty HR platforms, moving to an online version from Workday, or maybe financials using NetSuite for the smaller enterprises.

They saw the costs were lower, there’s no engineering anymore, what you see is what you get, and the providers of those platforms enhance them; almost every week you’re getting new features and capabilities, they listen to their big customers and they improve the program as they go, so it evolves, and you usually pay per user timeframe budget so you can quickly figure out if its lower cost, and invariably it is. So, during the timeframe the Salesforce to the monster company it is today, we got over the idea that our critical data was going to reside somewhere else, outside our datacenter, we had to build in more sophisticated authentication means, so only  our sales people can get access through their CRM, and the same with the HR people who are the ones who have access to the health maintenance records, or benefits records etc.

So, they’d figured out all these aspects already, done the heavy lifting, we’d got over the fear of the cloud, enough companies have evaluated Salesforce’s security that they’re comfortable, that it meets all their requirements for whatever regulations in whatever industry they’re in. But now we start looking at the fact that you can start deciding for every application that you used to maintain, you can find an alternative that’s already delivered as a service, so software as a service was the first step that organizations are taking.

As you look at the processes around application transformation there are a number of decisions that need to be made up-front, and that’s one of the topics and the themes that comes up again and again in the book, is that do you lift and shift, or do you partly refactor the applications, or do you completely refactor the applications? There are a lot of dimensions that are involved with that, both businesses, operational, and organizational. Could you compare and contrast some of the experiences that you’ve seen when you have traditional organizations that are taking that inventory of their applications, and then some of the criteria that needs to come into place to successfully make the decision of what path to take?

In general they all went through the phase where everyone was enthused about moving to the cloud, but then either made mistakes, they made them pullback, or wiser heads prevailed and they said, ‘No, you’ve got to be methodical about this’, so the recommendations out of several of the people I interviewed was, step back, look at your applications, make that decision upfront about which ones are easy to lift and shift, so in other words are already an internal web application, so it doesn’t matter if you move it from the datacenter out to the cloud, and host it on Azure, Amazon, or Google, but also prioritize them on not only the total cost of maintaining and developing, and shifting it, but the security. So, it’s do you need another layer of security if you’re going to host it hosted by a third party, in essence?

Then as you’re doing that review of your applications of which there could be thousands in some of these organizations, some of them are used internally by just a small handful of people, and they haven’t had to touch it for a while, and the original software engineers are long gone, so you wouldn’t even know where to start, maybe put a lower priority on those. Then the really big investments you’ve made in a Siebel or SAP, there might be a really long time-frame before you decide to move those through cloud hosted architectures.

That sounds pretty wise, one organization I talked to just made the decision that they were going to move everything to the cloud and shutdown their datacenter, they did that at a weekend and everything broke, nothing worked and they had to revert to the datacenter, take a step back and come up with a two-year plan to make that transition. So, I think it’s valuable that I get those lessons down, because you don’t want to make this hyped, it just happens to be the way that it’s going, and there’s long-term benefits for doing it.

You’ve highlighted that Office 365 in itself has created an enormous amount of pressure on traditional IT organizations, and I thought this was a really interesting point to highlight, just a single application, and when I think about the move to ERP systems in business process transformation, or business process refactoring or re-engineering in the nineties, that was pretty significant, but why is Office 365 so different from other software as service applications, what’s unique about that, and how has that informed some of the lessons that have come out in the book?

My experience with Office 365 over the years was first, as a security person I did everything in my power 10-years ago to get off of Windows as much as I could, so I switched to a Linux laptop and used early versions of WebMail, and if you use the early Microsoft WebMail solutions you’d say this is not enterprise ready, it’s slow and cumbersome. I guess Microsoft did a lift n’ shift, they just created plugins to the network in order to make that work, and then they had this transition period where they would do hosted exchange. Hosted exchange was one of the most difficult things for an IT department to do, maintain your own server, and oh man I had brothers in a small law firm, and they had to hire somebody on a contract to come in every week, and maintain their exchange server for them. So, moving to 365 was a no-brainer when it became available.

Three years ago I attended a conference for the Information Governance Institute, there were about 60 people there, all CIGOs, Chief Information Governance Officers who are a combination of CIO and a privacy officer, every single person who got on stage said their big IT project for the year (this is three years ago) was the move to Office 365, there was not one that wasn’t making that move. That really got my attention because if that was relevant to, or carried over to the rest of the industry, this was the biggest move in IT in our history, everybody doing it at once. Microsoft does report the number of subscribers they have, and they’re getting up to huge numbers for Office 365.

So, talking about Microsoft and groups like Kelly Services who is a staff augmentation company, they started to make that move, because Office 365 was where their desktop productivity tools were going to reside, plus everything else, SharePoint, Yammer, and Teams, Office Dynamics, all of this was given to you for a single price per user per year. So, you watch them do that, people do it really quickly, get it up and running, and then immediately discover all the problems with Office 365 from a networking standpoint. I’d like to say email’s killer app, Office 365 is killer app that is going to kill your network just because of the way it evolved over time, to what it is. At Salesforce you have to have persistence with email because you want to receive an email as soon as it comes in, so those connections have to stay up all the time; so everybody is logged on as all these different TCP/IP protocols running at once, and if Microsoft makes a change in the IP addresses of where those servers are, or the routes to them, it can cause havoc for all your operations, because we all know without email everybody just shuts down and goes to the watercooler.

So, one organization like Kelly Services, including Office 365, up to 70 percent of their bandwidth was directed to the Internet, so they eventually ended up throttling Office 365 traffic so that it would max out at 50 percent of all their traffic. The reason is, if somebody comes in from a long distance trip and plugs a computer into the corporate network, all of a sudden it's going to try and backup everything to the shared drives, and if several people are doing that it can really augment your network down, and then that impacts on the responsiveness of your emails, so you can’t have that happening! So, that’s when they start looking at, ‘Well, how do we change our network infrastructure to accommodate all this traffic that’s already going to the internet?’ because the traditional network models since the time I’ve been in the networking space, when I started on IST was as you have your remote offices get online, or connect back to corporate headquarters, you would lease these expensive MPLS lines from your carrier. In my day they gave you a T1, or 1.54 Megabytes of connectivity at the cost of thousands of dollars a month for desktops. And now those lines are up to 10 to 20 megs each, they just go over the regular internet backbones anyway, but they’ve got SLAs associated with them, so you get pretty reliable throughput.

If you’re a headquarters in New York City and you’ve got an office in San Francisco, why are you hauling everybody’s traffic back to New York City, before sending them back to the datacenters in San Francisco where Salesforce resides? That was when this local internet breakout became a thing, and local network breakout is very tied to so-called software defined networking, because you decide on each connection whether it goes back to headquarters or goes out to the internet. You do that with software-defined devices, they’re essentially routers, they just have a little more control without over added PGP etc. to make it happen. So, we’re finally seeing this shift that has been a long-time coming to using the internet which has become fairly reliable with broadband Internet, it's cheaper to get two different systems to go to the internet in each office location, than it is to backhaul all the traffic.

One of the things you highlight, or one of the aspects of transformation that you highlight also that’s quite important, is this concept of moving away from a hub and spoke topology, to a hybrid topology or hybrid networks, and looking at the increase in bidirectional or multilateral traffic, because of a system like Office 365, I can see that’s clearly a catalyst but how has this dynamic changed how businesses need to think about their networking topology? Because that’s not necessarily something I would think a lot of people have thought about much for a couple of decades, since we were first building local area networks, and then wider area networks, and then virtual networks. Once you have your infrastructure people have stuck with it for a while, and what you’re identifying here is a much more profound shift that has strategic implications as well.

Completely, so in the simplest terms if you think about it, the application transformation to the cloud, you can say your corporate datacenter is now the cloud, or in the near future it will be. And the same side for network architectures whose corporate network is being replaced by the internet. So, if you ever create a large enterprise from scratch today, you wouldn’t build a single datacenter, you wouldn’t host a single server, and you wouldn’t lease a single line, you would just use the internet and host everything on the cloud. At a small scale that’s what I do for my little business, I’m sitting out in my writing shed in the garage, and if I’ve got something I need feedback on, on an invoice or something, I don’t go over any network other than the Internet to send it to my wife, who is in the house right now.  It does make a couple of trips out to the cloud and back to get it to her, but there’s no maintenance, I don’t have to do any work at all on my IP infrastructure. In the future of where the enterprise is going, that’s where I see it going.

Of course, there’s steps along the way, and right now most of the organizations I talk to are in a hybrid network mode, so all traffic destined for the Internet goes over by connections to the internet, and stuff that’s going to a corporate data center is going over the corporate network, but organizations like cloud services were able to significantly reduce their bandwidth charges for those MPLS circuits and use the savings for the refactoring their application.

Which is a healthy dynamic at least, in terms of cost.

Yes, it’s the first time I’ve heard people say, ‘We’re saving money, we’re more secure’, and end-users are happy with the performance, and that never happens!

Yes, it does run counter, or it’s oxymoronic I guess one would say, if one thinks about it; the technology laws of growing complexity and cost. This brings us to the meat of the question and your expertise, which is how the transformation of applications, or the shift of applications to the cloud, and the evolution of the network topology of course has now changed the surface area of potential attack factors for security, and how this transformation needs to be thought about and addressed, from the standpoint of a chief security officer, and a company that wants to ensure availability whilst observing all the appropriate laws and governance.

As usual, if IT is the last to jump on a transformation shift, because it’s generally driven by users and business dynamics, the CISO and the security team are the last to be brought in, so it's usually, ‘Hey, we just did this, can you look at it and make sure we did it securely?’ So, there’s an opportunity at least this time around, most organizations now do have a chief information security officer to get her involved at the start and look at the architectures required. There’re two halves to cloud security as I see it in this model…

The first half is, how do we replace the controls we used to put on every end-user about which website they could go to? This goes all the way back to CacheFlow, The Hub was the original company that did this, now Blue Coat, and of course WebCenter did this, and our friends at Webroot eventually got into that, and just got sold because of their capabilities there. For the longest time the solution was, we’re going to put in a really expensive server that’s going to keep track of all the good URLs, and block all the bad URLs, we’ll log everything and make sure you weren’t wasting time, but we’re going to block access to sporting sites, pornography sites, and hate sites. That became a critical function for all enterprises, and most enterprises had something like that in their datacenters, so unfortunately it twaddles user access a little bit, and was difficult to maintain, because there were some groups that needed access to some of those more nefarious sites.

So, it was a constant battle. The UTM vendors figured out what to do with the distributed enterprise, we were a retail operation, we’ve got a thousand stores, how do we provide that capability without backhauling everybody’s traffic, all the way to corporate to be filtered? So, the UTM vendors just added that, one feature to a firewall and started selling it. Now we see parallel to networks, and Fortinet and SonicWALL have capitalized on that for the last decade. But what do you do about the mobile user? So, the solution for mobile users was, first under VPN back to corporate, and then build through the traffic on the way out, and that obviously helps scale and makes the burden for the administrator even harder, so a cloud security solution should be doing that filtering in the cloud, and while we’re at it let’s make sure we download something that we can even- make sure it’s not malicious, all the anti-virus checks on it, we can do data leak prevention checks, and outward bound, make sure people weren’t loading back into their social security number; do all that in a distributed cloud service, something that’s almost like a reverse proxy, and its checking all the data as it goes to any user, any device, any location. So, that’s half the battle.

But the other question, we’ve got all these applications of ours out there, how do we allow our users, our customers, the partners to get access to these applications? For example, the other side of the equation. In the old days that was through DMZ inside your datacenter, you had PPM connectors, you had load balancers for the application, so they have to be multiple servers, do that and the cloud as well. You don’t have to do much over security things, the most important thing is authentication and authorization, and that ties back to how you’re doing an active directory. If you’re still hosting it internally, you’re going to ask everybody in the work to first find a way to your directory server, and that’s why I’m seeing such a shift to Azure AD, because people are hosting emails on a server where people are authenticating every day.

A lot of security functions historically used to be performed by on-premise security solutions, or on-premise software, and of course as you’ve seen more and more of software as a service now, a more of a virtual network infrastructure, there’s a growing interest certainly in hosted security as a service, I’d love to get your take on the evolution of the market; as you go back to the days of the MSSPs, the argument that you would have these intellectual economies of scale where you’d have expertise that could be levered out, but benefitting from seeing a lot of traffic, to the flip side of this which is that historically antispam, antivirus or certain types of security would be outsourced, but there’d be other types of security whether it be access management or even data management, which would be historically much more of an on-premise preference. How have you seen the industry evolving to more of I would say a virtual model in security, and are there some notable lessons or changes that you’ve observed along the way?

I’d like to say it's an evolution, I’m afraid it's going to be a disruption, in other words legacy players are going to fall behind. In my mind and I’m kind of economy class when it comes to MSSPs, because they evolve out of this requirement to log alerts. If you go through the ISO certification process you can’t just log it, we’ve got to look at them, do something with the alerts. But you get hundreds of thousands of alerts a day, and even the best security information event management system will winnow all that down to 2,000 alerts, but nobody’s got a staff big enough to go through and do the forensics and figure out what happened with 2,000 alerts. So, what people tended to do was, okay there’s a regulatory requirement, or a compliance requirement to keep these logs and look at them. So, they just outsourced that.

So, it made it easy for the SecureWorks of the world to say, ‘Okay, how many devices do you have? Okay we’re going to monitor all your firewalls, all your IDS, maybe your email exchange server. We’re going to grab all the alerts, and we’ll tell you if you’ve got a problem’, which is great, but it was very expensive on top of that. As we enter this world of threat hunting and breach detection, they didn’t have enough information from their logs to actually tell you what was going on, and they didn’t have the technology or a sophisticated analyst to do that.

So what’s exciting about the new world is, you know what I’m going to outsource all my filtering, everything I did in the data center with that stack of products, outsource it to one vendor, handle everything the same way, they can still send my logs to wherever I want, they can keep them in regions for various country privacy regulations, and I’m going to rely on them to do all the heavy lifting. It saves you a lot of money because now you don’t get hit by WannaCry or NotPetya, because those just don’t get through these systems, and you start having lower demand from your internal people, so you can start repurposing what they’re doing too. Everybody knows how to build a reliable SOC, and an ability to track down these breaches as they’re occurring, so it gives you an opportunity to refactor your team as well, you’ll have less desktop support people there aren’t as many issues as viruses and worms, you’ll have less email support people because Microsoft is doing all that for you, and maybe alert in a Proofpoint for an additional layer of security on top of it, so what are those people going to do?

So, there’s great opportunities, send them back to school, or get them trained up and let them work on more exciting things than just the day-to-day break fix that they’re doing.

Absolutely. I wanted to highlight, you’ve interviewed some of the leading executives from a broad range of companies, everything from traditional industrials to truly hi-tech companies, and of course having an endorsement from Satya Nadella of Microsoft is about as good a validation as you’re going to get anywhere, but from your perspective and in experience, could you compare and contrast some of the lessons and insights that you got from say… I don’t want to take for example but, you interviewed GE, you interviewed Schneider and Siemens, companies like that which you think of as traditional, where the business is industrial capital equipment, and then some companies that are much more say digital native. What are some of the challenges that may be faced by the traditional industrial companies, and are there lessons that they have learned which are relevant for smaller companies, or also companies that are in other businesses that maybe consider themselves more advanced in terms of technology?

Yes. It’s really diverse, everybody had different ways on their journey to the cloud. I liked that they all had things to share on how to get the team on board. One company said, ‘There wasn’t an issue with upper management to get them on board, it was an issue with my staff. The guys who are running the servers didn’t want to move them into the cloud, as the new skillset they have to pick up, or the network guys who man these MPLS networks’. So, there’s more resistance from below than from above, quite often they would just be handed the responsibility, it was, ‘Hey, you’ve been talking about doing all this stuff better, it's up to you to figure out a way to do it better now’, and off they’d go.

There are some interesting lessons learned from a company you may never have heard of, National Oilwell Varco, in my mind they’re a smaller Schlumberger, so they make oil well equipment. Their success of the industry is tied directly to the price of oil, and in 2008 when we saw oil prices crash, the industry basically became unprofitable, and people weren’t drilling wells, so NOV, National Oilwell Varco had to go through a major cost-cut, so they’re laying people off, and the CIO was told, ‘You’ve got to cut cost’, so he cut cost by moving to the cloud, Office 365 being one of them. An interesting reaction from his end-users, the Scuttle Buttin said the company on IT was spending like mad, because everybody had all these new features of capabilities they never had before, and yet it was a cost-cutting measure that got them to where they were.

Then the other cool one was from Tony Ferguson over at MAN Energy Solutions, MAN Diesel, as I talked to him I realized that he was talking about industrial equipment, this was an IoT solution that they’re coming across. They have I think over 3000 diesel engines, big cargo ships that are at sea all the time. In the old days when they needed to check the sensors and flows, temperatures and all that, one of the diesel engines because they’re providing maintenance for it, they would call a ship on a sat phone, as the person plugged the sat phone into the network on the ship, and download all the data they needed, that was only one way they could do it securely. But when they figured out that the cloud gave them an ability to do essentially what’s called zero trust networking, so they could leave the systems on the ship connected to the internet all the time, but those systems would only be known to this cloud broker, this proxy. When someone wanted to go on again, they’d put in the address xx of the ship, the cloud proxy would make that connection, so you could be a Russian hacker scanning the IP address range for these ships, they’re completely stealth from the rest of the world.

Very similar to what people used to do with modems and these kinds of devices on oil-rigs, they would have a call home feature, so you’d dial the phone numbers and hit that particular modem on a particular control device, hang up and call back home, so it would only be able to make connections initiated by the remote site back to the home office. That’s exactly what we’re seeing replicated with zero trust networking on the cloud.

A final area that I want to explore is the growing role of the CIO, and you’ve got some interesting examples about this, we’ve seen how it’s really become a critical strategic role within the company, to think not just about the technology but also the value of data, and also the business model. Could you share some of which you learned about the transformation in what we’ve considered traditional roles in the CIO, or the CTO, and any relevant lessons you found that really stuck with you.

I think the role is changing into one of a visionary business leader, as opposed to, ‘Here’s 150 projects that have got to get done, and here’s your budget for it’. That to me is the most dramatic change, because there’s this overarching umbrella of the direction we’re taking in technology, which was moving into the cloud, and then the things that cascade out of that with cost-savings that users are going to have enhanced capabilities that they never had before. A couple of CIOs I talked to recognize they were just in the dark ages, and a major insurance company in Canada and the US realized they need younger customers ultimately for their insurance policies, and those younger customers expected a lot more digitally from somebody that provided them with a service. So, they’re used to leading edge bank applications, and so we realized we had to get there somehow, and so incorporated that move to a more customer-facing technology than they used to have, through cloud transformations.

Looking forward as you assess the lessons that you’ve learned, are there any emerging threats or considerations that are top of mind for you I would say, just having come back recently from RSA. What are you most optimistic about after doing this kind of deep survey of all these thought leaders?

Two things, as an industry analyst I always want to think of what’s the impact on the industry, the security industry in particular, and to me that means maybe a third of the IT security industry is devoted to firewall appliances, and even though I’m not going to be the one that says the firewall is dead, I think the traditional appliance market has seen the end. The end is nigh.

Some of them, Juniper, Cisco, Fortinet, are well-positioned to pivot into being a software-defined networking company, you still need equipment to connect to the network, so they could provide that function, but some of them that are just hardware are going to be challenged quite a bit. If you look at the numbers, I’m sure you still do Ed, if you look at the results from these players, they’re all doing extremely well, growing 24 to 34 percent year over year. So, it obviously isn’t hitting their top line yet, but I’m just looking for signs of that.

And the optimistic side, I am so optimistic that we’ve got this licked now, we’ve lived through 25 years of the vulnerabilities introduced to our operations by a protocol that was never intended to be secure, that’s TCP/IP. We’ve had a digital transformation for the entire economy, as well hooked up to the Internet, and then we had the growth of the security industries, tried to patch all the holes with all the different product and 80 different categories, and probably 2400 different vendors, each one had multiple products. But now with the zero trust networking that’s coming in, we’re going to raise the cost for the attackers dramatically, it will start with the loss of revenue for the cyber criminals, the activists that want to deface websites, and jobs that’s going to get more and more technical, and we basically won’t be able to afford to do it anymore.

So, it will be down just to Nation-State hackers, and that’ll keep us going through the threat factors for quite a while, because the Nation-State hackers have relatively infinite resources available to them. But I think today we’re finally seeing solutions out there that could protect a large organization from even the Nation-State hacker.

That’s a big change from where we were even just a few years ago. You and I talk periodically about the changing nature of threats from digital graffiti artists, to organized crime, to the rise of IP theft in nation states. There’s certainly there’s obviously plenty of threats to keep the industry in a healthy state, but as a dynamic it’s absolutely essential that we manage the risks if we’re going to drive value out of the rest of the economy, through adoption of digital technologies.

Yes, just looking at the growth curves, we know the digital economy is going to sky-rocket, and this time 2-years from now it will be twice as big, the amount of data will be twice as much, and the amount of bandwidth usage will be twice as much, and we think we’ve got the infrastructure resources to handle that. Can we protect it without doubling the size of the security industry is the question?

Well the last question I have for you Rich is some quick observations, you’ve just had a very successful book launch at RSA, could you share any insights or observations that have come from initial feedback on the book, and also you’ve written three prior books as well, highlight if any of those others that you’d like us to recommend as well in the podcast notes.

Yes, so, I’ve written two books on cyberwarfare, one was a history of attacks, and I’m in the process of writing the second edition of what’s called, ‘Surviving Cyberwar’, that will be out later this year. Then I’ve gone back to school to learn more about warfare, if I was going to write about it! So, I took my master’s dissertation at King’s College, and turned it into my last book before this one which was, ‘There Will Be Cyberwar’, and that’s all from a military perspective, and a better title might have been ‘The Internet of Military Things’. And then in between I wrote a book on how IT technology vendors can deal with Gartner, because I’ve got experience on both sides of that equation.

But this book at RSA this year, I was so elated because the reaction was so positive, I hit the timing just right, there was no other book that covers cloud transformation from this perspective, and there’s certainly no other book that interviews so many pioneers in the space. So, I did three book signings, the book was sold out of RSA bookstore, at the book signings we gave away 360 copies, and people were coming up, we’d announced on the first day at the Cloud Security Alliance Congress that I’d be handing these books out at book signing. People were coming up and asking for two, one for themselves, and one for their CIO, and that was the best thing that came out of that show, knowing that people got the message right away, and this was a book that they handed to their CIO and get them to understand what was happening on the cloud.

That’s terrific, and it’s so encouraging and good to see that all the work and experience that you bring to the fore and pour into your work is being recognized. And with that again, Rich Stiennon has been our guest, he is the author of ‘Secure Cloud Transformation – The CIO’s Journey, Strategies and Best Practices for Building the Future’, and he’s also an experienced entrepreneur and industry analyst as well.

Rich, thank you so much for joining us.

Thank you, Ed, I enjoyed it.