
A CISO's Take On the Gartner Magic Quadrant

Many security leaders refer to Gartner's Magic Quadrant to decide on which security tool to purchase and deploy to secure their environments. The question then is whether it's good enough to just look at the quadrant the tool is in to guide your decision. What other factors should you consider?

Tune in to this episode of Ask A CISO to hear:

  • What the Gartner Magic Quadrant is and what each of its quadrants represents.
  • How the Magic Quadrant helps CISOs decide on a security tool to purchase and deploy.
  • Other factors, besides the tool's position on the Quadrant, that a CISO or security leader should weigh when evaluating and choosing a security tool to purchase and deploy.
  • Whether the considerations differ when evaluating tools for established versus innovative threat mitigation technologies.
  • The single most important consideration you should have when evaluating tools listed on the Magic Quadrant.

About The Guest: Anthony Johnson

Anthony Johnson is a former CISO at multiple Fortune 100 Companies and is currently a Managing Partner at Delve Risk. He has led some of the largest global cybersecurity programs in Financial Services and is a passionate advocate for addressing the issues of diversity and inclusion within the IT domains.

Throughout his career, Anthony has led some of the largest cybersecurity programs in the world as Chief Information Security Officer, dealing with highly complex multi-national regulatory requirements and ever-evolving sophisticated threats. He has driven dramatic program transformations across hundreds of people, with budgets in the hundreds of millions of dollars, emphasizing the expansion of analytics, secure-from-the-start architecture, incident response, and cloud-first security approaches to shatter expectations of what is possible with "classic corporate teams". He leads with a people-first mentality and is a coach to existing CISOs around the world, helping to translate complicated technology issues into actionable strategic plans that align with corporate and Board objectives.

Anthony is a global speaker on the topic of cyber security and enterprise risk, an active technology evangelist/advisor to emerging and startup companies, and has multiple patents in progress related to both risk management and blockchain.

Prior to joining Delve Risk, he served as the Global CISO and Managing Director for multiple Fortune 100 companies, including Fannie Mae ($120bn) and the Corporate & Investment Bank (CIB) at J.P. Morgan Chase & Company ($35bn).

His other passions include advancing the discussion on diversity and inclusion in the workforce and creating channels for disadvantaged youth to enter the technology field. He lives in the Washington D.C. metropolitan area with his wife and daughter.

About The Host: Paul Hadjy

Paul Hadjy is co-founder and CEO of Horangi Cyber Security. 

Paul leads a team of cybersecurity specialists who create software to solve challenging cybersecurity problems. Horangi brings world-class solutions to provide clients in the Asian market with the right, actionable data to make critical cybersecurity decisions.

Prior to Horangi, Paul worked at Palantir Technologies, where he was instrumental in expanding Palantir’s footprint in the Asia Pacific. 

He worked across Singapore, Korea, and New Zealand to build Palantir's business in both the commercial and government space and grow its regional teams. 

He has over a decade of experience and expertise in Anti-Money Laundering, Insider Threats, Cyber Security, Government, and Commercial Banking. 

Transcript

Jeremy

All right. Have a wonderful day. Thank you very much for spending some time with us.

Welcome to today's episode of the Ask A CISO podcast. I'm Jeremy Snyder, filling in for your regularly scheduled host Paul Hadjy. I'm joining you from the U.S. today and I will be a semi-regular host going forward, so you will hear more speakers joining us that you have not heard on the podcast in the past.

And today I'm thrilled to be joined by Anthony Johnson from Delve Risk.

Anthony is a distinguished person in the InfoSec space. He's the former CISO at multiple Fortune 100 companies and is currently the managing partner at Delve Risk. We'll hear a little bit more about Delve Risk later on in today's episode, but Anthony has led some of the largest global cybersecurity programs in financial services and is a passionate advocate for addressing the issues of diversity and inclusion within the IT domains.

Anthony, I know that's actually only part of the story of you and your career, and we could take the whole episode just talking about some of the things you've done and some of the great teams and experiences that you've had over the course of your career. But in addition to kind of what I've laid out, what do you think are some of the most interesting or important things that you'd like to share with the listeners today?

Anthony

I think that probably the, besides being a bit of a cyber geek and really just, you know, loving, enjoying, just talking about the industry, I like talking about and emphasizing the people side, and that goes beyond just like talent and what skills you need, but actually like how companies work and you know, how promotions work, and there are so many of these tribal knowledge rules that we kind of live in and play in, or how purchases work, right?

Like how all of that kind of stuff comes together.

So those are all really big pieces for me and they've definitely influenced how I built Delve Risk and what we're doing there as well, so ...

Jeremy

Yeah, I think that's a fantastic point and I think it's often overlooked by those of us who are technologists by background. We think of cybersecurity as being a technical problem.

To a large extent, I think that is true. It's a technical problem.

It's a data science problem in a way and we tend to look for technical solutions to technical problems, but at the end of the day, as you said, it comes back largely to the people who are running this technology and how well you can get them to work together and understand the goals of the organization, right?

Anthony

Yeah, absolutely.

I mean, what really breaks down, it's ... I think if you look at like over the past 20, 30 years of how we've been trying to solve IT or solve cybersecurity issues, what really makes the difference between really successful organizations isn't whether they have enough money to buy the newest thing. It actually comes down to does the team trust each other and do they trust who they're working with?

Because when you have that type of trust, they solve all sorts of crazy problems and in really innovative ways and I think that great technology solutions enable them to kind of do, do things almost in spite of themselves as an organization, right? Like processes are too painful or whatever that is.

Jeremy

Yeah, absolutely. And I think you can find numerous examples of really high-performing teams that were seriously budget-constrained, but had great team culture, great team chemistry, and great trust as you say, and did wonderful things.

So, yeah, that's awesome.

Today's topic: One of the things I wanted to get in with you and you and I have had previous conversations on this topic a little bit, but I want to kind of break it down for the listeners today and that's really the Gartner Magic Quadrant.

This is kind of, let's say from a vendor perspective, and I come from the vendor world, you know, working at multiple software and technology companies, but from the vendor perspective, this is one of those things that we're always striving for.

We all want to be a part of that magic quadrant and for anybody who's not familiar, you know, it really is a four-quadrant layout that breaks down on an X-axis and a Y-axis, right?

And on the X-axis, if we look kind of left to right, we've got completeness of vision, and then on the Y-axis, we've got that ability to execute. And we'll share a standard image of this in the show notes for today's episode, or of course, you can just google Gartner Magic Quadrant. You'll see, you know, gazillions of examples of magic quadrants.

Gartner Magic Quadrant

Jeremy

But when we kind of put those two axes together and we overlay them, we break out into these four quadrants where we've got the bottom left, that's our niche players.

We've got the top left which is our challengers.

We've got the bottom right who are visionaries.

And then we've got the top right which is our leaders.

And of course, you know, every technology vendor, every provider wants to be in that top right quadrant, in the leaders' quadrant. But I guess to just kind of kick the conversation off, how would you say you and your past experience as a CISO ... I guess the first question is did you look at these regularly?

Anthony

Yeah, I have a love-hate relationship with Gartner.

I think there's a lot of, you know, security leaders and a lot of people in the industry who do, right? They do some really, really great things. The magic quadrant is one of those, I don't want to say necessary evils, because I think that it does add some good value, but I would actually look at this and look at where it's at in the magic quadrant to confirm an assumption of what I would be looking for and then to possibly utilize it to get additional buy-in, right?

When there are, there are times when you're looking at a technology solution where you are doing something and solving a very myopic or specific problem that it doesn't necessarily need to be, you know, the well-established market leader.

Jeremy

Okay.

Anthony

You want something where you can say, hey, it's, it's solving a unique problem. We can go with a niche player or we can go with, you know, one of the other quadrants here. But when you're looking for something that's truly a leader, you're trying to get a different level of confirmation.

When you're trying to get that confirmation from perhaps other C's, your CIO, who says, you know, Hey, where do they fit in the industry? You're like, oh, they're the, they're the top right magic quadrant, like, oh, okay, that kind of gives them, you know, that fuzzy warm blanket, because that assumes or implies certain things.

But what you'd find is that the magic quadrant is based off of, or, you know, a particular set of assumptions that Gartner's using to measure that, and that might not be your environment, right? That might not be the solution set in, in other tools, maturity training, whatever it is that kind of makes it your totality.

And a really, really great example might just be, you have a ton of resources that are already trained in something that's, you know, in the challenger (quadrant).

Jeremy

Okay.

Anthony

And they know how to do it really, really well. They know how to use that toolset. For whatever reason, they've, you know, maybe you hired them as a team at large. And in order to adopt something in the leader category, you have to retrain your team.

Jeremy

Right.

Anthony

Right. And that's a cost that the vendors won't actually mention as much, but you know, oh, it's the software, it's the hardware, it's the whatever. You're like, all right now, my team has to learn a totally new application. Yes, it works in the magic quadrant top leader, but it doesn't integrate into our other solutions in this challenger one which already has those integrations built-in.

So I think it's a good directional roadmap if you're looking for that confirmation or if you're just trying to, you know, you're really uneducated about that space, maybe figure out which players are where.

But it's, it is really important to still go out and have that deeper analysis and conversation of what you're looking for specifically.

Jeremy

So is it fair to say, though, if you have, let's say, let's say you have zero footprints in, I don't know, let's say the attack surface coverage that you're looking to solve for something like that? You've got no previous experience. You've got kind of no previous implementation in that space. Your team members don't have previous experience from past jobs or whatever.

In a case like that where you're really looking at something fresh, in that case, are you more inclined towards that top right? Or are you still very open when you don't have any kind of, let's say, background or history in an area?

Anthony

For me personally, I would still be very open. Here's why: sometimes companies buy a product because they need to, one, they need to solve a problem. Like, so just kind of put that aside, but sometimes they buy a product because a lot of their peers have also given that validation that, Hey, this is a good product that works well. I get the right responses.

Sometimes they buy a product though because they want to be able to influence the direction of that product.

Jeremy

Right.

Anthony

And so they might say, Hey, I could absolutely go with product A that's in the leader category, but I don't like the way product A does it, where they're going.

Jeremy

Roadmap, direction, strategy.

Anthony

Exactly right. So I might go with product B because my purchase gets me a bigger voice in that roadmap, direction, and strategy there, right? I might have a better relationship or it might look at that team and be like, wow, I know that leadership team or the tech team, they've done some amazing things in the past at another company or whatever,

And I'm actually investing in the team more so than the product, right?

Jeremy

Yeah.

Anthony

Yeah, go ahead.

Jeremy

Would you say in a case like that, so let's say we're not focused on that top right leaders' quadrant then though, would you be looking more towards, let's say, the top left challenger's quadrant where, you know, according to the Gartner axes, the completeness of vision is lower, but the ability to execute is high, and you're saying that you, as the customer might have a lot to contribute towards that vision, or would you be looking more towards the visionary where you're saying like, they've got a great idea, they've got the great, or let's say the great beginning of an idea, and we're going to invest in this company as a strategic customer because we know our investment is going to help them increase their ability to execute or is it not quite that cut and dry?

Anthony

I think, well, I think it actually is almost, it is a cut and dry, but it depends on the situation, right? Like, I'll give you an example.

So when I was at JP Morgan, and at Fannie Mae, I actually carved out a percentage of my budget for new, inventive and innovative tech, right?

Jeremy

Oh, that's interesting.

Anthony

I deliberately would not look for something at the top right quadrant.

Jeremy

OK.

Anthony

We would deliberately look at every other thing and then we would say, okay, we have this problem. Which team do we think that like, let's meet the tech teams, let's see where they're going.

What's the vision?

And sometimes that would actually also turn into an investment opportunity for our investment arm.

I'd say, Hey, you guys think this is great. We trust you as well. You're going to be able to help shape X, Y, or Z. Let's go ahead and make a big investment in the organization so the company would then participate in, you know, maybe the next round.

And I think it is an important piece of looking at both the tech, the organization. And so it's that combination.

Now if you're like the bottom left all the way to here, you know, the, in the bottom left corner, that's probably a different conversation. You know, hopefully, you kind of just came out, you know, just, you know, starting to kind of get that market awareness.

But one thing I would like to call out is that I personally would rarely look at the Gartner quadrants. I ... meaning the Gartner reports. I might look at the quadrant where they're at, you know, get that sense. But most of the time, if someone says, Hey, you know, I'm going to go look at the Gartner report, they're delegating that down to a direct report or somebody who has access, right?

I would say that probably very few security leaders themselves are logging in on a regular basis. That's, I guess, based off of my personal experience with peers. But, so I do think you have to strike that right balance there.

Jeremy

Got it.

So is it fair to say you don't want to be bottom left? So if you're, if you're going to land on the quadrant anywhere, better to land top left or bottom right than bottom left?

Anthony

I think so. I definitely think so.

And I would say it's probably even more important though to understand if you're in one of those other two quadrants to have a really clear picture of where you're going because early-stage companies, you know, with like Delve Risk or, you know, any product that you might buy, like your ... sometimes we think that we're buying a product or buying a thing because it meets that solution. It meets that itch but most of the time I think the security teams and leaders, they recognize like, hey, this product isn't going to solve everything, right?

They're not going to solve all the things they say they're going to solve, right?

But the question is, is like, do I trust that they're eventually going to get there?

Jeremy

Yeah.

Anthony

And 'cause there's going to be the hiccups. There's going to be the bumps. And so a lot of times security leaders are buying or investing in that team and vision.

So I would say wherever you're at, making sure you have a clear understanding of the vision of where you're going to, you know, talking about how your teams are doing at these new innovative things to kind of solve that challenge. I think that's almost even more important than your market position because you see some players just totally get disrupted and you're like, huh, I didn't see that one happening.

But all of a sudden, there's some new incumbents and they're, you know, they're hovering everywhere else on the quadrant too.

Jeremy

Yeah.

You've used a word a couple of times that I want to dive into for a second, that's really "innovative". The question that I, that it brings to mind for me is do you look more at these things when it is kind of a new area of technology versus let's say an established use case, like let's take endpoint protection as an example, right?

Whether it's EPP, whether you're more focused on kind of preventative endpoint protection platforms, or whether it's you know, EDR, Endpoint Detection, and Response. This is a category that's been around for 20-plus years, right? We've been dealing with antivirus, anti-malware, centralized logging, telemetry, blah, blah, blah, of the endpoint for a long time. That is a much more established category, but let's say we're talking about something like SaaS Security Posture Management, SSPM. Is something like a magic quadrant more impactful in these new use cases versus the long-term established ones, or it doesn't make any difference for you?

Anthony

For me, it would probably make less of a difference simply because the relative position of where they're at in the quadrant can shift so dramatically in the scope of a year, right?

Like when you're seeing some of the ... some truly innovative solutions, sometimes they come out with something and you're like, wow, like that's a game-changing feature or a way to think about it. And I would expect in next year, they're at a totally different position in the quadrant, right? And you, or sometimes you see people who are leaders fall off in a really dramatic way because they'd lost the credibility. They did something. Didn't respond to something fast enough or appropriately enough, so I think that the quadrant view, at least for me, and the number of the peers I've talked to, it's more directional.

Jeremy

Okay.

Anthony

Directionally, hey, I can get there, but again, if I'm pitching a solution and trying to get buy-in from a bunch of other executives, it's always easier to be like there in the top right perspective of the quadrant.

If they're in the top left or bottom right, then I'm having to, to talk up more of the, but you haven't seen the strategy like you, but they've got a killer team. They just did X, Y, or Z. And then you're selling more of the future state, I think there.

Jeremy

So there's a little bit of a parallel to the old adage that is, you know, no CIO ever got fired for buying IBM, Microsoft, Oracle, whatever, you know, over time. Okay, that's fair enough.

Anthony

And the reality is like, that's a factor here, right?

Like, you know, I have a friend at a pretty sizable organization. They have decided what their solutions should be. They're looking at, I won't say what space, but they're looking at a particular solution and they're like, Hey, it's the most cloud-focused, it's this, it's that, it's, you know, X, Y, or Z. And the rest of the leadership team above them is like, I don't know that name. And like, on the technical merit, you're like, Ooh, I think that that's the right solution, but we also have to realize that the OSI model isn't just seven layers.

There's the eighth layer, which is the political layer, and sometimes that political layer just trumps, but it's, but it is the most forward-leaning, it is this, and it's like, yeah, but I don't know that I want to be the first one through that gate. So there's that factor.

So I think that there's a lot of value in the Gartner quadrants on the ... helping with that too.

Jeremy

Yeah. So there's that kind of organizational perspective on it, which is tied into another adage that I like, and you've probably heard, culture eats strategy for breakfast.

You know, you can bring in a product that has the best strategy, has the best vision, the best roadmap, maybe even the best technical capabilities today, but if the culture of your organization is not one that is of a mindset to bring in innovative solutions or solutions that work very differently from what you're used to, you know, to me, I think one of the ones over the last 10 years or so that I've seen more organizations struggle with than any other is SOAR, you know, Security Orchestration and Automated Response, just because to me, automation is a cultural and an organizational constraint more than it is a technical constraint, right?

We can automate things and we've been able to automate processes for, you know, 10 plus years at this point but if your team's not comfortable with it, your organization's not comfortable with it, your auditors, your regulators, aren't comfortable with it.

You know, that's a real uphill battle to fight.

Anthony

It's super, it's super tough.

We actually have a large enterprise that we advise and they will not put, and this is the craziest thing, they won't even put Microsoft products, particular Microsoft products in, until Microsoft has been selling it for two to three years, right? Even though Microsoft ...

Jeremy

Yeah, it's like a blanket rule.

Anthony

It's just like, they are so averse to any sort of a technology risk, right? And so they were looking at a particular Microsoft product and they're like, yeah, but they've only been working on selling that for about a year and a half. And you know, what's funny is that the organization hired a bunch of really innovative, what we would classify as innovator technologists, to come in and change the tech stack and do these things. And then, so, you know, these cyber leaders and tech leaders come in and are like, oh, we're going to do this and this, and the rest of the corporate culture is like, yeah, but, you know, I don't know where we kind of think about that, Mike.

And they're like, well, it's a Microsoft product. It's a, it's this. Yeah, but we want to let it get some more time to bake.

Jeremy

Yeah.

Anthony

So you're right.

Jeremy

Yeah, and this is talking about Microsoft, not my stealth-mode startup.

Anthony

Exactly right.

Now there are other companies who you can kind of say, Hey, they're not even on the Gartner quadrant, but I've met the team, they're doing some amazing things. We're going to be able to get a great deal. And I think this is an interesting point.

For me, I love innovation. I love innovative solutions, but one thing I've talked about a lot is that I think integrated solutions are way more powerful. It would be fascinating if you took the Gartner quadrant and instead of just having these, you know, the most innovative, leading, but you actually say, Hey, which ones are the most integrated into the number of other solutions out there?

You would get different results, right?

Jeremy

Yeah.

Make a 3D magic quadrant here. A little bit like that chess game that we used to see them play in Star Trek, where you've got, you know, the different layers of the board.

Anthony

The layers, 3D chess, yeah!

Jeremy

Yeah, totally, I completely agree with you, by the way, on this point about integration.

I think, you know, if we look at, I come from the cloud security background, as you know, and in cloud security for a long time, it was a very binary game. There were very simple, you know, like, yes, no, we had problems or we didn't have problems.

And for a long time, that was the case but what we started to see about two, three years ago was a real evolutionary shift away from these kinds of accidental data breaches and accidental data exposures towards real attacks against cloud platforms and those, every single one of them that I've looked at or I've done root cause analysis on was a transversal of multiple kinds of OSI layers of the attack surface.

So to your point, this point about integration is so critical moving forward so fully agree with you there.

We've got just about two, three minutes to wrap up here so I wanted to give you an opportunity to maybe share with the audience, you know, kind of 30 seconds to a minute on what you guys are working on over there at Delve Risk. I'm obviously familiar, but for those who haven't heard, please.

Anthony

Yeah, I appreciate it.

Yeah, so over at Delve Risk what we do is, we've created a kind of a new way of doing market research. Most of our customers are sales and marketing teams that are trying to get a better sense of understanding the insights about, you know, large enterprises, you know, their preferences, how they function, the priorities, all the research that your sales and marketing teams would want to do. We've already done that for the majority of, you know, the large buyers there.

So, you know, we don't actually usually sell to the enterprises. And so even the references I mentioned, those are long friend relationships where like, Hey, we were in Vegas 10 years ago and normally a favor kind of things.

And we're like, but it's a long way of saying, I think it's relevant back to this conversation, that there's a tremendous amount of data that's publicly accessible, publicly available. Open-source feedback, thoughts, you know, on forums where you can see what buyers think about a particular solution, right? Because when you ask your vendor, you're like, Hey, tell me about your, let me get some reference calls. They're never going to give you the reference that they struggled with, right?

Jeremy

Yeah.

Anthony

So, you know, I think that using open-source information is really important as well as the Gartner quadrants and those types of things to make a more informed decision.

Jeremy

Yeah. That's fantastic.

Where can people find more information about that?

Anthony

Yeah. Just go to delverisk.com. And then, you know, we actually, you can sign up for a free account and you can reach out to us and we'd love to chat with you, particularly if you're in that space, so ...

Jeremy

Yeah, awesome. And I think it's a really great service.

I mean, I can speak as someone who's been in the industry for a while. I think, actually, the information that you guys present is actually really important when you think about engaging with potential customer organizations or just organizations in general, having a level of understanding about how these organizations work, who the people are, what their attitudes, what their tech stacks might be. A layer of customer empathy, I think it makes for a better conversation in a more, you know, more informed and more relevant conversation for both parties.

So I think that is super important.

Anthony, thank you so much for your time here today. It's been a pleasure and hopefully, we'll be able to have you back on a future episode and thanks again.

Anthony

Absolutely, would love to.

Jeremy

Awesome. And to all our listeners out there, we'll see you next time on Ask A CISO.

Jeremy Snyder

Jeremy serves on the Horangi advisory board. Jeremy Snyder has over 20 years of experience in IT and cybersecurity, with deep industry exposure in the M&A space. Some of his previous employers include Amazon Web Services, DivvyCloud and Rapid7. Jeremy has lived in 5 countries and speaks several languages. He is currently the Founder and CEO of FireTail.io, a leader in API security.
