The Cyber Analyst in the Mirror

When I was back in high school, if some movie got two thumbs down from Siskel and Ebert, then you knew to spend your money elsewhere – maybe on an Orange Julius at the mall or something. I just loved how those two guys took their jobs so seriously, usually with dead-on accuracy. (Although, Ebert took Zoolander way too seriously, connecting it to child labor and 9/11 terrorism. I mean – c’mon, dude. That movie was genius.)

Anyway, I believe that all industries should have their unbiased commentators. Such observers should be highly experienced, and should never kowtow to the barons of their sector. Craig Moffett, for example, is the resident curmudgeon of telecommunications in the US. I suspect that his Valentine’s Day in-box is empty of any love poems post-stamped from Basking Ridge or Dallas. And that is how it should be with analysts.

In cyber security, we’ve not had much impartial analysis from unbiased experts. Gartner and Forrester publish their waves, of course, but these are long-viewed as pay-for-play by most practitioners. Other commentary comes from nice people with media backgrounds who do decent work, but who’ve never actually strapped on the helmet. (And yes, Siskel and Ebert were a couple of couch potatoes, but cyber security is sooo much more complicated.)

During a recent layover in Palm Springs, I caught up with Ed Amoroso, CEO of Manhattan-based TAG Cyber. This was no accident, because he – of course – is me. I noticed myself staring back at me from the mirror in the outdoor airport bar, so I requested an interview. I wanted to know how TAG Cyber offers expert, unbiased commentary on the cyber security industry. He agreed to share (over a drink) his insights with me (him) and you (uh, you):

EA: You’ve been critical of existing cyber security analysts. Why is that?

EA: First, thanks for speaking with me. You are an awesome interviewer, and I respect your creative skills. Now, uh, regarding your question, the problem is not with security analysts, but rather with the rigged model governing how most analysts cover our industry. If your objective is to maximize revenue, then you will exaggerate your emphasis toward the technology and offerings from your biggest paying customers. This is Business 101 – and it is not evil. But everyone should recognize that the large research companies peddling cyber security industry analysis are biased toward the interests of their shareholders.

EA: Despite the bias, should CISO teams pay attention to reports from large analysts such as Gartner and Forrester?

EA: CISO teams should be careful assigning weight to these sources, especially for quadrants and waves. A poorly-kept secret is that the path to the top right of any analyst’s graph is by paying money. And I know that this has been challenged in court, and who knows whether the issue was properly addressed. But my advice is that if you see that a vendor in top right of a quadrant, and you are using this for source selection, then ask the analyst or vendor about their financial arrangements. You can make up your own mind based on their response (or non-response). At TAG Cyber, we never rate vendors; instead, we do everything we can to educate buyers about technology, products, and services available from the 1600 or so vendors that we review, as well as the 400 or so that we research more carefully.

EA: What type of content and services are available from TAG Cyber?

EA: We produce content intended to democratize cyber security industry analysis. And I know others provide free content on our industry, and I am generally supportive of such efforts. But our work is based 100% on experience, expertise, and insights developed through decades of intense focus on the industry. By the way, we monetize our work through vendor-funded research, commissioned technical writing, and sponsorship grants for our annual volumes. You might also have seen our original Charlie Ciso cartoons developed with our lead illustrator, Rich Powell. We have a growing base of enterprise customers who use these cartoons for security awareness programs. And yes, we also provide consulting and managed services for select customers.

EA: I see that you do quite a bit of video as well. How is that going?

EA: In one sense, it’s going great, because we bring cyber security experts in from around the world and interview them in our awesome studio built in our offices on Fulton Street. But this trend toward video is also a bit depressing to me, because I sometimes wonder if people in our industry actually read anymore. For an author and stuffy college professor like me, having people reading less is bad for your academic resume.

EA: I’ve heard that you also do CISO coaching. How does that work?

EA: Thanks for asking, Ed. And yes, I do provide personalized coaching for a small number of CISOs – although TAG Cyber is expanding this service with experienced, former CISOs and security executives who will serve as our coaches. I think it’s crazy for CISOs to not have an excellent coach they can confide in and get some help from when things get sticky. I had a coach when I was starting out as a CISO and it helped me immensely.

EA: Any trends you are seeing from an analysis perspective?

EA: We see advanced analytics, public cloud usage, and increased dependence on automation as three technology trends driving much of what’s going on in the cyber security industry today. We also expect to see continued consolidation of the enormous number of start-ups into a more reasonable and workable community of security vendors offering world-class cyber security solutions to government, enterprise, and citizens.

EA: Will you stop back for another interview sometime soon?

EA: Let’s see what sort of comments this weird recursive interview generates on LinkedIn. If we get lots of enthusiastic thumbs up, then we’ll do this sort of thing regularly. But if we get mostly thumbs down, then I (you) can just take this article down and make believe the whole things never happened.