Unspoken Security
Unspoken Security is a raw and gritty podcast for security professionals who are looking to understand the most important issues related to making the world a safer place, including intelligence-driven security, risks and threats in the digital and physical world, and discussions related to corporate culture, leadership, and how world events impact all of us on and off our keyboards.
In each episode, host AJ Nash engages with a range of industry experts to dissect current trends, share practical insights, and address the blunt truths surrounding all aspects of the security industry.
Is it Pay to Play? Working with Industry Analysts
In this episode of Unspoken Security, host AJ Nash sits down with intelligence and security expert Brian Kime to explore the often misunderstood world of industry analysts. With years of experience at Forrester, Brian pulls back the curtain on how analysts conduct research, engage with vendors, and influence the cybersecurity landscape. Together, they address the widespread belief that vendor evaluations are purely “pay to play” and explain why this assumption misses the mark.
Brian shares insights into the rigorous methodologies analysts use, the importance of vendor neutrality, and how advisory services help enterprises make informed decisions. He highlights how analysts serve as a bridge between security leaders and vendors, often guiding product development and procurement strategies. The discussion also touches on the value of contributing to analyst research, even for smaller vendors, and how to effectively build relationships with analysts.
Whether you're a vendor aiming to get noticed or a CISO navigating technology decisions, this episode offers valuable takeaways on leveraging industry analysts for growth and strategic alignment.
Is it Pay to Play? Working with Industry Analysts
Brian Kime: [00:00:00] If you're a vendor, especially a small one, you know, go and reach out to them. Just. You know, like I said, you don't have to be a client to do a briefing, to show your company, introduce your company to a Forrester analyst, at least no, no charge to do that.
It's up to the analysts to decide if they have the time and if they, and some of that depends on their research calendar. So dovetail into that, if you're a vendor. You probably have data and you talk to customers too. You have some insights in the marketplace, try to contribute, try to help that analyst do research.
AJ Nash: [00:01:00] Hello and welcome to another episode of Unspoken Security. I'm your host, AJ Nash. I spent 19 years in the intelligence community, mostly at NSA, and I've been building and maturing intelligence programs in the private sector for, I don't know, almost nine years now, I suppose. I'm passionate about intelligence, security, uh, public speaking, mentoring, and teaching.
I also have a master's degree in organizational leadership from Gonzaga University, go Zags! And I continue to be deeply committed to servant leadership. This podcast brings all of these elements together with some incredible guests to have authentic unfiltered conversations on a wide range of challenging topics.
It's not your typical polished podcast. My dog makes occasional appearances. She [00:02:00] is in fact sleeping right next to me today. So if anybody comes to the door, you know, the wind blows funny, you might all get to meet her again. Uh, that's just how it works though. You know, so. The point here though, is that people argue, we debate, we even swear here.
I promise I will be doing some swearing and that's all okay. Think of this podcast as a conversation you'd overhear at a bar after a long day at one of the larger cybersecurity conferences. These are the conversations we usually have when nobody's listening. Now, admittedly, my dog doesn't go to those usually.
Today I'm joined by Brian Kime. Uh, he's an intelligence professional. Served 20 years combined active and reserve service in the U.S. Army. He's been in cyber threat intelligence for over a decade, uh, across many industries, including critical infrastructure, finance, manufacturing, uh, he's worked in multiple cybersecurity vendors.
Uh, you know, and the topic of this episode, uh, the reason we're going to tell you what it is in a second. But he was also an industry analyst at Forrester, uh, leading the research on threat intelligence, vulnerability management, and ICS OT security vendors and their best practices. Brian, is there anything about your [00:03:00] long and distinguished profile that I left out?
Brian: Well, it's right here on my hoodie. I'm a Ramblin' Wreck from Georgia Tech. Did my bachelor's there. I got a couple master's degrees too, but I don't have any hoodies from those schools. And I see you're repping your, your local, uh, big research university there too, so
AJ: That's right. And the University of Minnesota, Golden Gophers. Now, Brian didn't mention, uh, yeah, if you're going to say this, like Brian went to Georgia Tech, what he didn't mention is his degree is in architecture, which, uh, is pretty interesting. If you think about it, we just talked about the background here.
And I've worked with Brian, by the way, we work together. Uh, we've known each other prior to that, but we have worked together. I have yet to see Brian design any buildings. Um, uh, or, you know, maybe he's got some, he and he and some famous architects I'm unaware of, but to my knowledge, he doesn't design buildings, uh, but he's a damn damn smart guy.
Uh, maybe we'll talk about that. That's not part of today's discussion, but actually I should have thrown it in some place to talk about architecture. Actually, what today, what we're going to talk about the topic is, isn't it just pay, pay to play, you know, it's about working with industry analysts. And as, you know, as you mentioned, [00:04:00] you know, and as we talked about in the opening, Brian did spend time working at Forrester, it's actually where.
We originally crossed paths, um, you know, because I've been in the industry for a while, which means you run into everybody eventually. And so listen, let's jump right into this one, man. So when we talk about industry analysts, like first thing, like setting the stage for those who aren't familiar with the topic, who are we actually talking about?
Like what industry analysts, what organizations, you know, and a little bit about what they do.
Brian: Yeah. You're talking about companies like Forrester where I obviously worked and there's tons of other firms. There's the big biggest one, Gartner, which pretty much everyone is familiar with. There's smaller firms like IDC and, uh, Frost & Sullivan. There's a lot of firms that are, that focus on a particular technology area where the bigger folks like Gartner, Forrester
have research teams across many different, uh, personas. And so I was on the security and risk team at Forrester. And so obviously we served, uh, security and risk [00:05:00] professionals. So mostly CISOs, but your enterprise risk managers, uh, and so forth, anyone that was in that kind of security space.
AJ: Mhm. Okay. That makes sense. And I want to get into a little more detail on this one a little further down. But so, I mean, in the, in the high level, like I've seen some of these, right? Like Gartner has what the wave or something like that, right? And Forrester does, I don't know. What do you guys do?
A shiny pickle or a
Brian: it's actually Forrester does the wave
AJ: See, that's the issue. That's I
Brian: and Gartner has the Magic Quadrant,
AJ: magic quadrant, right? That's right.
Brian: And every one of the firms has their own type of, of, of vendor evaluation with a name. And typically the result is vendors want to be up and to the right. Um, but that's, that's the main goal really, uh, of vendors that, that are selected from one of those, uh, research reports, uh, but they don't just analyze and report on vendors.
We do, they do a lot of best practices. Uh, so at Forrester, the biggest [00:06:00] thing, at least from the security and risk team that folks would be familiar with is zero trust. Uh, about 2009, 2010, uh, predecessor of mine there, John Kindervag started talking about concept of zero trust, how networks should not be trusted regardless of where you
AJ: wait a minute, you're saying John Kindervag invented the term zero trust?
Brian: Uh, I, I believe he takes credit for it. There's, there's, I'm sure someone else out there would say like, no, no, it was so and so, or
AJ: Hmm. Well, there's always some of that. Yeah,
Brian: say it was, it was them themselves, but,
AJ: interesting.
Brian: um, That evolved obviously into various products and services amongst cybersecurity companies.
You now have, uh, the White House has a zero trust strategy. DoD now has a zero trust strategy, each military branch, uh, the Air Force where you were, uh, someone showed me the other day, the Air Force department, the Air Force's zero trust strategy. And I hear down in corporate. Uh, areas there. So my last employer, they were talking about [00:07:00] doing zero trust and, uh, Google even they've done zero trust.
If you've heard the term BeyondCorp, that's Google's implementation
AJ: Okay. All right.
Brian: strategies. Zero trust is a, uh, a big thing at Forrester. It still is to this day. They continue to do research on it. That's way more than just network. Obviously now. Uh, but that's one of the bigger things that they've done there.
AJ: Interesting. I'm as you're talking, I'm over here googling John. Really is like universally apparently accepted as having coined the term zero trust. So no, that's a feather in the cap of Forrester Research. Apparently. Um, do you want to just briefly for those who don't know, like, cause that's kind of a big deal.
So you talk about vendors and what they do. I mean, in this case, John's words under Forrester kind of changed the industry, right? What's zero trust. I know we're not gonna have that discussion today. It's not the big topic, but for those who are wondering, like, I mean, zero trust sounds like a good dating strategy, but like, what does it, I've just, just saying, uh, especially for some people I know, but, uh, what, I mean, so he, he [00:08:00] coined the phrase, I assume, cause he was working, was he working with others when he did this?
Or was this, is this something that these vendors do? They're not vendors. These analyst organizations do their own research and just come up with their own concepts as well. Was this separate from working with other orgs and, and like, what did he invent basically? Got
Brian: That was quite a long, uh, question there. So let's, let's break it down a little bit. Let's define Zero Trust real quick. Zero Trust basically is, On the network side, it's all networks are untrusted. So it doesn't matter. Internal network, the hotel, wifi, your Starbucks, your home network, whatever it is, when we were all like in offices, you used to just trust the enterprise network, you plugged in, boom, you're on.
Right. You know, if you've got physical access to the building, you plugged in and it's all good to go now. Now. We don't want to even trust the, the local network, right? Cause I can sniff packets. I can sniff PII and PHI coming over the, the, uh, network. And when I'm in the office, uh, VPNs [00:09:00] are great, but VPNs can be vulnerabilities themselves.
So, uh, one of the key points from the White House strategy actually is to authenticate to applications, not to networks. So it's flipping that a little bit where, where do we authenticate to and conditional like risk based authentication, uh, dovetails on that. So new devices, new locations, whatever you make it prompted for more multi factor authentication prompts.
MFA is absolutely part of a good zero trust strategy. Uh, you get into segmenting networks there. So traditionally you kind of just monitored the perimeter of your network. Now we encourage monitoring inside the perimeter, controlling what a lot of folks on the network side called East West traffic. So through your network, not necessarily.
To the internet and with that monitoring, you then start to segment. Your network. So an R and D lab kind of gets its own VLAN [00:10:00] or, or firewalled off from maybe production spaces. Accountants don't necessarily talk to ops or, or programmers or whatever. So you start to segment networks down, you segment identity.
So if you, if you're a cloud admin, you should have a specific identity to perform those admin actions. Anything on prem. Um, You know, unique credentials everywhere. So when one credential gets compromised, which it will eventually, it doesn't lead to a catastrophic takeover, you know, a catastrophic ransomware rights of your network.
Um, so it's a lot about micro segmenting identities, data networks, workloads, and everything. Uh, it's to help you build resilience, um, recover easier, limit the damage from a breach, uh, cause we're all going to get breached of course. And, you know, zero trust is a good way. To limit the damage, to recover quicker, uh, and keep yourself out of the news really, out of the breach news.
AJ: Yeah, so it sort of sounds like [00:11:00] I'm a dummy, so I'm gonna break it down in simple terms the before times, right? When we were all in the office space like that's sort of like to compare it to say international travel You get to the US border They check your passport then you're in then you can go anywhere you want the States you're trusted to be in the States Basically, right zero trust would be like if every state you went to they had to check your paperwork again or every city They like it's Like check and check and check.
Right. And so, you know, if they're, you know, checkpoints all the way through, but it's technical and digital and, you know, not as overt as, you know, somebody at the gate saying, may I see your papers, please? Um, I mean, that's, that's what it sounds like, right? That's the way you're describing it. By the way, for those listening or watching who are pedantic, uh, like me, frankly, uh, apparently John can, um, Uh, argue with, uh, Stephen Paul Marsh, apparently invented the term zero trust in 1994 as part of a doctoral thesis.
Yes, the internet's wonderful like that.
Brian: I knew there was someone out there that would argue that they
AJ: 1994, yes, Stephen Paul
Brian: breach. But
AJ: uh, but then it, uh, John Kindervag still is credited, um, with [00:12:00] putting it more in this context in 2010 and then, you know, now it's really taking off, taking off, you know,
Brian: I'll give you a better metaphor actually, that's a little more
AJ: Sure. Show me up. Give me a better metaphor, Brian.
Go for it.
Brian: You spent plenty of time at Fort Meade. I spent plenty of time at Fort Gordon, now known as Fort Eisenhower. And just to get through that main gate, think about like that main fence. You've got a couple of places to get in.
They check IDs, but there's not a whole lot of scrutiny there. You can, it's easy to get a guest pass, you know, get on post. Right. Uh, but then you get in there and then. Certain buildings, you know, have higher levels of security buildings that we used to work in, and you may have a different badge, a different ID to get in there.
AJ: a secret handshake at the agency for those who don't know.
Brian: little fist bump, you
AJ: Yeah. It was a little song. I was a little, a little Macarena kind of thing. You know, yeah, go on.
Brian: Right. Right. And even then, once you're in the buildings, then there's other segments, you know, this badge gets you into this door and it doesn't get you into that one, and then you've got to get different tickets, [00:13:00] uh, if you will, to get in different places and all.
And so everything's very segmented. Uh, so zero trust is a little bit, you know, like that.
AJ: Okay, that's cool. I was a little sidebar, but I thought it was interesting as you're going on the path because we talked about these vendors or these, I keep saying vendors because I'm a vendor guy. Normally the analysts, right? So, you know, this is part of what happens though. Like john went and did research on this and obviously again, build off the shoulders of somebody else a little bit.
Maybe I'm not trying to take away from john. That's awesome. But he's the one that coined the phrase in this context and really started talking about zero trust architectures. And I mean, that's a big contribution. Um, yeah, To the entire cybersecurity industry. So it's not just about, you know, waves and magic quadrants.
Um, and, you know, getting ratings and awards and, and that kind of a thing. I'm sure it's some of it, but there's legitimate contributions independent of that back to the cybersecurity community. So, I mean, I think that's important to note, frankly, because I don't I don't know that a lot of people know that it doesn't come up much.
I think a lot of people go, Oh,
Brian: wish I had a concept or a report that was as [00:14:00] influential as zero trust. Um, No,
AJ: man? Let's go ahead. Tell me what your version of zero trust is. What's the awesome thing you wrote for Forrester that changed the industry? No pressure, no pressure, man. Get on it. No,
Brian: I wish, but I'll, you know, one of my predecessors, Rick Holland, uh, was the
AJ: Oh,
Brian: one to start really evaluating the threat intelligence space. He was an enlisted Army intel guy back in like the nineties, and he also helped create the SANS Cyber Threat Intel Summit, which continues to go on today. He's still a co-chair of that along with Katie Nickels, and
AJ: These are people I need to get on the show.
Brian: Yeah. Yeah. Yeah. So, so Rick kind of started that over there. And that term kind of became the, the overall kind of industry term for what you and I've spent a lot of our private sector careers doing when I first got into what is it? Now, cyber threat intelligence. I was an IT security [00:15:00] intel analyst. Cyber wasn't even in there for one.
And then my second role at Secureworks, I was a, uh, cyber intelligence, senior advisor. Threat was not even in there yet. And it wasn't until, um, I was at Southern Company that. Threat and all the words got put together. Cyber threat intel analyst, uh, finally got put together on one business card. And, and Rick is definitely partially responsible for that.
Uh, but other things I wrote, uh, I, I, one, I, I did the first, um, full Forrester Wave on threat intelligence. There was a lightweight wave years before, but I did the full, um, the whole process with all the, uh, checks and editing and, and, and everything. Uh, I also wrote a report called how to operationalize threat intelligence in your, in your
AJ: Oh yeah, I read that one actually. I think that's how I first met you. I think that's what I came across of originally was that one,
Brian: I'm glad somebody wrote it, uh, read, read it
AJ: right? Yeah.
Brian: And, um, because a lot of the [00:16:00] research, uh, a lot of the vendors at that time and everything, you know, it was, it was IOC feeds and stuff. And, and you had some of the, the APT fuzzy, stony duck type reports and all of that, and the industry was still a little immature, but And I, I would like to think that, uh, it's matured a little bit, it's, it's more valuable to enterprises than it's ever been.
Uh, then I like to think that I played a small part in that and helping the field grow and professionalize.
AJ: Yeah. No, I think that's true. Like I, it's, yeah, I, it might have been that one or something. I don't remember exactly. I think it was that piece, but I think that's how we cross paths. I'd been someplace else and I was like, oh, this is really interesting. Um, and so I think that's important that people know, like I said, that, you know, there's contributions here.
I think a lot of people, not everybody, and we can get into in a minute, but, um. I think I've been in plenty of companies where it's like, all right, well, all right, Gartner's coming or Forrester's come. All right. You know, do we, are we going to pay them? Like, how are we going to get represented? Where are we going to be in their quadrant or their wave or, you know, their, their shiny pickle or whatever their, their, the report's going to be from this, this analyst group.
Um, and I think a lot of people I [00:17:00] work with. You know, think of them from that standpoint, uh, which is, you know, the evaluation portion and the, the, that piece matters, but I don't think everybody gathers that, Hey, these are also legitimate professionals who go out and do research and write new things and change stuff.
Um, you know, Rick Holland, uh, probably, I mean, Rick and I are friends, but probably don't love the fact that I've actually. Trying to reverse a lot of his shit. I don't believe cyber threat intelligence is the right term. And I've hammered that for years. Threat is a subset of Intel. It shouldn't be its own damn thing.
I don't, I've, I've pushed the other direction to cyber Intel and I've actually pushed further and down said, just call it Intel. It's all Intel. You know, just stop trying to segment it out. These are
Brian: Yeah. On that note, I didn't write a report about this, but I had vendors that came to me for advisory and they wanted help, like understanding. Intelligence, threat intelligence, cyber intelligence versus other things. So, and in the business world, what I discovered there's like business intelligence and consumer intelligence, market intelligence, competitive intelligence.
Location [00:18:00] intelligence. There are tons of different things in the business world that co opted that term intelligence. And for you and I and folks that came up through government and military intelligence, it's probably a little bit confusing. And we took that and we said, Oh, well, this cyber thing, that's, that's definitely intelligence and I think we're correct.
Uh, but what, uh, a lot of the other folks did is, is I think this is like a post-9/11 kind of thing where. Intelligence just became more, uh, accessible to the lay person that a lot of business people co opted that term and said, well, instead of just data analysis, now it's business intelligence, you know, and, and what I, what I told folks in the vendor space was all those things kind of at their core are doing some of the same things they're trying to improve decision making use the data to develop some insights.
Sometimes it's about consumers, sometimes about competitors. The difference between what you and I have done and what [00:19:00] we do for CISOs and other security leaders is there's risks and threats here, and I don't know about you, but my job description as an Army intel officer always started with reduced risk and uncertainty to the command, the unit, the team, the whatever.
And that's where the difference is. In cyber threat, intelligence, cyber intelligence, threat, intelligence, whatever term you want to use, we're there to help folks make better decisions so that we don't have breaches. Or if there is a breach that we identify it and contain it and eradicate that threat quicker than we would have otherwise.
AJ: Yeah, exactly. I mean, I say it, I know you've, you've said it too. You don't get the right people, the right context, the right time to make The right decision, or at least the most informed decision, like I can't guarantee they'll make the right decision, right? Is very subjective. Um, but yeah, I mean, that's how it works.
And, and in terms of that, you know, business intelligence, that is kind of their goal as well. A lot of times and competitive, competitive intelligence. I mean, some of their it's in there, I guess. [00:20:00] Right. And that's why I've been saying, listen, this is all Intel, but I'm with you. Like there was a point where it was so bastardized as a term.
I'm already getting frustrated about it. I used to. Yeah. You know, talk to people about all these things. I said, I, everything's intelligence, network intelligence, and this and that is, I'm pretty sure my dry cleaner is a dry cleaner intelligence analyst. Now, you know, it's, it's just everywhere, right? It just became a thing and it frustrated me when I first got in the private sector because like intelligence means something, but there's a real word to this.
There's, there's definition, there's a meaning it, and that's what led to an opportunity and how I started talking more about this stuff publicly and why, you know, I ended up gravitating towards people like you and others who come out of the industry and said, Hey, how do we help private sector understand?
If you're gonna use this term, let's get it right. It makes, you're gonna, you're gonna water it down. It's not gonna make any sense anymore. It's all gonna become just regurgitated news or information or whatever. And it's very hard to explain to people later why this, this is an intelligence and this is and all these structures, right?
Um, and so I don't, again, I don't think Rick's wrong. I don't think you guys are wrong with, you know, cyber intelligence, whatever, threat intelligence, whatever. I just said, Hey, that's all a subset, like threats, a subset, just you're complicating things too much. Let's, Get everybody understand what intelligence is, and then we'll just park everything [00:21:00] underneath it as pillars, but we don't even have anyone understanding intelligence first, and they're just going to willy nilly throw this everywhere.
I'm like, and that's how you end up with people who are intelligence analysts in our industry. And you're looking like, nope, you're a, an incident responder, a really, really good one, but you're, you're not an intelligence analyst. That's not what you do. Uh, you know, that's, that's just not it. And you go, God, it's hard to explain.
And then I could go on that tangent, but I won't because people are tired of that. So, all right. Okay. Moving on in some of the core topics of our discussion down on industry analysts, so we've, I think, hit pretty hard on, like, who are these people and what do they do? Right? And even a little more than we thought.
But in doing that, like, Yeah, the topic is about pay for play. So, you know, what value do the industry analysts bring to these organizations bring? And as the opening says, is it just all pay for play? I mean, we already talked a little bit. We hinted because some of the other stuff that's written, but in terms of interactions between these advisory groups.
These analysts and, you know, vendors or potential customers of vendors, et cetera, you know, what's the [00:22:00] value, uh, that these folks bring and, you know, how does that work?
Brian: So the value that I brought to clients at Forrester and those clients could be security vendors, all the big names you've heard of could be startups. And lots of large enterprises, Fortune 500 companies, manufacturing companies, finance, you name it, you name the vertical, they probably subscribe to one of these, uh, firms and our advice is research based.
It's neutral. I don't care, you know, really what industry you were in, uh, who they are individually. Whether they are private equity backed, uh, startup or venture backed, if they are publicly traded security company, you know, they're going to get the research backed advice, uh, from Forrester and for me personally, and I owned those 3 [00:23:00] topics.
Threat intelligence, vulnerability management, and ICS OT security. And so my view on, on the, uh, the industry and the vendors there, you know, that was, that was like the singular voice at Forrester for those things. So everyone got basically the same advice, you know, for threat intelligence. Yeah. You should, you should really have a threat intel team if you're like a Fortune 500 company, right?
Uh, if you want to stay out of the breach news, you know, it's one thing just to stick firewalls and EDR in there, but. You can't defend against every threat out there and not every threat cares, sees you the same as, as a different target. So Intel, you know, I, I said to people, it's to help you be efficient with your security spending with your staff.
Should you be writing detections for every state nexus threat actor out there? If you are an accounting firm, maybe not. Maybe, [00:24:00] maybe you have clients that are the targets of Of those state actors, and they're going to look to breach you to steal that information, that confidential financial information there.
So, uh, you know, helping clients prioritize spend efficiently, uh, if they're, they're tech budgets, tech budgets are not, you know, infinite, they have caps and especially for security teams. You know, most companies are incentivized to spend about as little on security as possible. So, uh, you know, we helped, uh, enterprise clients make their vendor selection.
You know, they might ask me, Brian, I've got, here's my tech stack and here's my staffing, you know, what Intel vendors should I go with to maximize the value of all those things, of all those controls. And, and we talked through it, you know, maybe they need to, maybe they're mature enough to use your APT fuzzy [00:25:00] snuggly duck type reporting and, and really design their security stack for a particular threat group that is known to target their industry.
Or maybe they just need an IOC feed. They plug into the firewall and the EDR and just call it a day. So we, uh, Forrester analysts and similar, you know, help folks make procurement decisions.
AJ: So it's a consulting role. I mean, at least part of it
Brian: It's, we called it advisory because there actually is a consulting practice at Forrester and all the consulting is based on Forrester research.
So unlike a, uh, a big four firm, and I'm not saying that their consulting has no research behind it, but all Forrester consulting. Whether it was a longer term project, implement zero trust for an enterprise client. Or it was some, um, lead generation type of project for a SaaS vendor was all backed by [00:26:00] research.
So I did, I supported a consulting engagement that was creating basically a cyber threat intel maturity model. And now years later, um, Nicole Beckwith and. Uh, Mike from Intel 471, Mike DeBolt and, and a bunch of other folks got together and they created another one. And I'm, I'm so happy to see that it's, that there is something out there now.
Um, but yeah, I helped create that, uh, back in the day at Forrester. It was a bespoke thing for one client and, and I don't believe it's even out there anymore. It was like one marketing campaign. And, and once it was over, it got shut down.
AJ: you were ahead of your time, basically, because it was
Brian: maybe, maybe.
AJ: to know what to do with it. Yeah, because I also had talked about usually when I was at Symantec and I talked about, Hey, we really should establish something. That's kind of the equivalent of CMMI coming out of the government space.
Defense contracting for me was familiar with that. CMMI Big deal. And it had a big push about 10 years ago. Like you couldn't bid on contracts unless you were CMMI two level certified or whatever. [00:27:00] And I said, we should try to do that in the private sector with Intel. You know, we had a whole discussion about it.
Nobody ever did the work, you know, myself included. Um, and so it sounds like you did the work, you're just ahead of schedule, which makes me feel better that I didn't burn my time doing the work, I guess. Cause I, I would have failed. Um, and I saw the same thing when this came out not long ago, brilliant people, good people, smart people, you know, we know most of them, I'm sure.
And I was like, this is great. I'm glad it's here. I'm not gonna lie. I had a twinge of jealousy, like, God damn it. I probably should have just done it years ago. Or how can you invite me to be part of the cool kids group? But it doesn't matter. Like it's, I'm glad it's out there. I'm with you. The having that model matters, you know, and should help us going forward.
Um, So, so I'm curious, these are some questions that you didn't know were coming 'cause I didn't know I was gonna ask 'em until now. Um, and did a little research, so this, if this throws you off, we'll edit shit out I guess. Um, but I'm looking through like, so Forrester and Gartner are just the two I chose to pick on.
And of course the big four firms are out there, but, so Gartner's annual revenues over $6 billion. Um, and Forrester's annual revenue is about a half a billion, 450 million, give or take. Um, so. So you got, you got [00:28:00] the research that's out there doing what's doing it. As you've said, this is independent, right?
And you've got consulting type stuff, advisory, as you said, and that clearly generates some revenue. And there's also, listen, there is a pay for play component somewhere in this. Is, is there not, or is that totally wrong? I mean, I get the feeling there is, cause I know, you know, people have discussions about, you know, paying to be in these quadrants, et cetera, but are they paying, is it?
How do I ask the question politely? Is it a rigged system where if you pay, you get where you want to be? Or is it just paying as part of the opportunity to work together? Whatever. Do these organizations, the Forresters and Gartners at all, do they really get to continue to stay independent regardless of, you know, their customers and their funding?
And, you know, are vendors able to put their thumb on the scale and say, Hey, how about if I slide you some money, it moved me up the chart a little bit.
Brian: So in short, no, it's not pay for play, right? Uh, SaaS vendors, technology vendors can be clients of any of these firms and what they [00:29:00] pay for and get is different than what a lot of enterprise customers get and ask for from a Forrester. I guess the, um, thought from folks that are uninformed is that that is the pay and that gets them into a vendor evaluation, a wave or a magic quadrant.
And that's just wrong. The, the research team has Robust methodologies, a very strict integrity policy. I couldn't own stock in a company that was part of research. I actually did sell some stock that I owned when I arrived at Forrester, because that vendor was likely to be in my research at some point.
And I practically went out and, and sold that, uh, gift policy, like. You can't accept a big screen TV or a trip to the Super Bowl from a vendor that's in your research. You can't [00:30:00] do that stuff. So there's, there's very strict integrity and research policies there that they all follow. And frankly, like the, the, the relation to the reputation of a Forrester or an individual analyst would go to crap.
If it was. Patently obvious that we're taking essentially bribes or some quid pro quo you know, to speak better of them and in research.
AJ: So pay for play is actually insulting. I mean, it's,
Brian: yeah,
AJ: really insulting your integrity when, when people suggest it.
Brian: is, you know, and, and I feel that I have high integrity and I was not going to compromise that at Forrester. And like I said, I sold some that, you know, could potentially have.
Been a conflict of interest and, and I, and I jettisoned that, you know, after I started there, it wasn't, it wasn't worth it. And, if you look at, at the end of every, at least Forrester report, Forrester wave report, you'll see the, the, um, uh, the, the qualities [00:31:00] that, that got vendors into there, the, um, inclusion criteria, and there's always like Forrester client mindshare.
So we'd look to the enterprise clients. What vendors are you interested in? We look at folks in the community. Uh, what are people talking about on social media when someone, you know, mentions you on Twitter, LinkedIn or whatever, and they say, Hey, you've got a, there's a new startup out there. You know, we, uh, you know, we take some interest in that, that, that some of our audience is interested in, in a particular vendor now going back to my earlier response that vendors can be clients, but a client relationship does not matter.
When anyone wants to brief a Forrester analyst, at least, and the same should apply to any of the companies in there that any vendor can go and brief the aligned [00:32:00] analyst on their company, on what they do, what the value they provide for their customers and clients that costs absolutely zero. Now it's up to the analyst to accept a vendor briefing.
Some have very busy schedules. They may not have time. I try to fit these in, uh, when possible. Some technology vendors have these big analyst relations teams that hound you often like, Oh, we've, you know, we're on version 17. 1 one now. Can we brief you on the updates in 17. 1 one? And you're like, no, that's, that's, that's not enough.
AJ: Tell me when you're on 18,
Brian: You know, like just send me a, uh, an email about it.
AJ: Right.
Brian: Um, and, and it's up to the analyst to, to accept that vendor briefing or not. And I mean, I loved hearing what like brand new startups, you know, with just a seed round we're doing, they're the ones that typically have the brand new ideas.
And, and I would keep my [00:33:00] pulse on, on the industry by accepting a lot of the startup interviews, startup briefings, uh, cause they, they were fascinating. And seeing what the, the, the new hotness may be out there. And sometimes like the ideas are just, you know, way off in left field. but never did, uh, did I even consider a client relationship, uh, to be a criteria for inclusion in any of the vendor reports,
AJ: Yeah. Well, that's good to hear. I mean, a couple of interesting things that stand out with it, I guess. Like, so a lot of the vendors, they want Gartner or Forrester or, you know, All these one right to recognize them, right? They want because, because, because there's an audience and it amplifies. So they're pitching you guys like, Hey, come listen to me, please.
Um, and you guys can choose to or not. Um, but I think that's really interesting. Also, you know, in mentioning the revenues, listen, uh, 450 million for Forrester, 6 billion for Gartner. Yeah, it actually, I think, lends credence to the idea, listen, it's probably not pay for play, because [00:34:00] how much can I really influence a company that's already got 6 billion in revenue?
Do they really care if I give them an extra 20 grand to be in the report? Probably not. I mean, on the macro scale, but you also notice for anybody who's ever looked at these Forrester, you know, the Forrester Wave or the Gartner Magic Quadrant. It doesn't have 612 vendors. It's not that big, right? So like, you'd have to be paying an awful lot, I guess, to influence companies with that kind of revenue.
So, and I, to be honest, had not thought about that until just now when I was looking at revenues that it does blow a bit of an argument. And now, I will ask you, and I won't ask you to name any names. Are there companies out there that look like these companies, but are just pay for play and just marketing and they run their own little thing.
And it looks the same, but basically you just pay to get in there. I can say for a fact, by the way, for anybody wondering, there are awards like that for sure. Like there's plenty of awards that you get pitchers. Like, you know, how would you like to win this amazing cybersecurity award? It's just 1,500.
You're like, well, that's not really an award. That is it.
Brian: there are those.
AJ: Is that the same thing for analysts?
Brian: You know, back at our former employer, [00:35:00] we saw those even on the enterprise side, cause they'll they'll have like. The hundred next CISOs and the last, my last job, the deputy CISO was on one of those lists of like future CISOs. And yeah, it's like, uh, you know, pay a few bucks and get your name on there.
There's basically no methodology. Uh, there's, there's, it's just a marketing thing, uh, purely and you know.
AJ: So you got to watch out for those that
Brian: Forrester, IDC and, and vendors like that. That's, that's not what, um, what Forrester does. Forrester runs global surveys that collect just oodles of data across tons of different tech spaces.
You know, so obviously there's a security one, there's marketing ones, there's, you know, general IT stuff. Um, healthcare, they have a ton of different research specialties and robust surveys, you know, with good [00:36:00] solid methodologies, uh, good tools for analyzing the data. Um, and if you, and then speaking about a wave or a vendor evaluation, you know, that's like a six month process. I can say that at Forrester, we interviewed and surveyed, uh, The vendors customers. So we spoke to them directly and, you know, we, we ask them deep questions and we probe and we poke and, you know, we, we try to find where the warts are in the product and, and, you know, where all the good stuff is. Uh, and, and.
And, you know, we don't just take the vendor word for it. Um, you know, we give them a questionnaire and they're going to say, yeah, we're at 10 on this thing or five out of five, whatever the scoring criteria is. But, you know, we validate as best we can. And with the resources we have, you know, all the PR and marketing stuff that those vendors come with there.
So we never take their [00:37:00] word. You know, for it, you know, we validate everything that we possibly can. And we call shenanigans on stuff and vendors will often complain and there's a dispute process and sometimes they will threaten to not be clients anymore. Okay. Pound sand.
AJ: right? Yeah. Yeah. Again, a half a billion dollars or 6 billion in revenue. I'm guessing
Brian: can say the Forrester wouldn't sacrifice their reputation just so that a vendor got, you know, slightly more up into the right.
Like it's not how it happens there. Like, unless the vendor could prove that I used bad methodology, that maybe, Maybe they, they could say that, um, you know, um, I didn't consider a particular feature of their product. If they could point to it and, you know, say that I missed it. And if I did, okay, cool. My bad.
We'll go and do it again. If I, if I didn't follow the methodology. Sure, but if they just didn't like where they ended up, [00:38:00] we never changed the score, didn't, it didn't matter what they said. Didn't matter if there were tears I had, I had vendor people actually cry. I mean, I think they thought they were going to get fired because they weren't a leader that they were like, uh, I don't know, a challenger or, uh, I've heard the other categories actually, it's been a couple of years, but. Um, no, I mean, tears, emotion, you know, you can yell at me all you want. It was not going to change your
AJ: Oh, that's true. I yell at Brian all the time. It's you should leave his wife. She yells at him a lot too. Um, it's all deserved by the way. She's she's brilliant. So, uh, uh, But, uh, yeah, Brian's gonna get yelled at. That's the truth. Um, well, it sounds like you have to sometimes, but I mean, this is actually really good information about the industry.
Right. So, um, I mean, these are, these are sort of the honest brokers of our business. Right. And, and yeah, they make enough revenue. It sounds like that you can't really influence. Um, and so if you're looking to understand the environment or do some comp intel, maybe you don't have your own comp intel and you're trying to figure out, I need a solution, but I don't know [00:39:00] which one, it sounds like there's a real value in working with, you know, some of these analyst organizations.
So. With that in mind, you've been on both sides, like you work, you know, we talked about Forrester, uh, you know, quite a bit. You worked there, you've worked in vendors, you've, you've been on customer side. Um, what recommendations do you have for building relationships with the analysts? I mean, whether it's a vendor who wants to get noticed, uh, clearly bribes aren't the way to go.
Uh, whether it's, uh, you know, whether it's somebody who's thinking about, you know, changing their structure, their infrastructure, their security posture, and they're looking to you. Work with some of these companies, like what's, uh, what kind of recommendations you have having been on both sides? What's, what's a good way to go about it?
Brian: So if you're a vendor, if you're a startup and you're entering, let's say the threat Intel space, right? Uh, you know, go find the. Analysts at the various firms that cover that area. It should be pretty easy to find. We're all. Public because the analysts are the product at the Gartners and Forresters and IDCs of the world.
So all, all the [00:40:00] Forrester folks have usually a pretty big profile on LinkedIn, Twitter, Bluesky, whatever social media they prefer. It's pretty easy to get in touch with them. They, they, they. Will preview research. They will talk about research on those forums. Often folks, uh, like when I was there, I would do press interviews.
I'd be quoted somewhere. And also it's pretty easy to find the analysts that are in your particular technology space. So if you're a vendor, especially a small one, you know, go and reach out to them. Just. You know, like I said, you don't have to be a client to do a briefing, to show your company, introduce your company to a Forrester analyst, at least no, no charge to do that.
It's up to the analysts to decide if they have the time and if they, and some of that depends on their research calendar. So dovetail into that, if you're a vendor. You probably have data and you talk to customers too. You have some insights in the marketplace, try [00:41:00] to contribute, try to help that analyst do research.
Right. A lot of the bigger firms are going to have analyst relations managers. And usually they would check in about once a quarter with me and ask me, what, what's my research schedule like? And what often help connect me to someone that may have some data or some insights. Into the problem that I'm trying to address, which the problem usually came from some other client, you know, or they said, Hey, I'm having trouble with whatever it might be. Um, could be OT security, right? You know, what do I do? What's what's my, what should be my strategy and OT security be right. And just to kind of go full circle back to zero trust is I didn't get to it, but I wanted to write a paper called zero trust for. Operational technology or ZT for OT, didn't, I ended up leaving, uh, to go work with AJ actually, and, and never got to that, but, um, that engagement, you know, it's free, you know, anyone can connect [00:42:00] with folks on LinkedIn, uh, and they'll announce, Research.
And if you've got a particular idea, go for it. If you're an individual contributor at some large enterprise and your leadership only listens to the Forresters, Gartners, and Deloittes and KPMGs and stuff of the world. And you're saying the same things, you know, go talk to those analysts and tell them what you're seeing.
As a, you know, a, a technician in these areas. If you're that programmer or that security operations, uh, person, that security architect, go and talk to these folks. I, I felt like I was a little bit of a, a proxy for some of my, my peers in the industry when I went to Forrester. Is I can take everything that they're seeing, everything they say to their leadership, and I can write it in research and then it goes back to that CISO and then they're like, Oh, wow.
Like. I should do [00:43:00] Intel that way. Cool. Like let's do it that way. And, you know, it came from the brand, you know, a Forrester or whoever. And, you know, but that those ideas, like they come from somewhere, you know, we, we, we talk, you know, and maybe informally, it may not be a formal interview, research interview.
I may not have a research assistant on the line taking notes, but you know, you talk on Twitter and Signal Slack, whatever it is with people. You know, you detect themes, people are complaining about maybe a particular feature or security control or usage of threat intelligence. And then we're pulling that out and we're looking through survey data and we're validating or where, you know, refuting. What, what, what folks are complaining about that? Like, eh, that's not really a problem or yours is an edge case or something. And, you know, we take inputs from a ton of different places, you know, to build these best practices reports to, uh, guide folks [00:44:00] on what's the next thing in security. What's the thing that comes after zero trust?
AJ: Right. Yeah. That's a good, we haven't gotten there yet, obviously,
Brian: Yeah. And then, and if you're in an enterprise too. Uh, if you're that individual contributor or a lower level manager, you probably only have a couple of contacts for some of the bigger firms, like a Forrester. Go and find out who that POC is, and then use that person to get some inquiry time. So an inquiry with at least a Forrester analyst is like a 30 to 45 minute conversation about existing research.
So I wrote a report, uh, for example, on how to hire your first director of threat intelligence. So maybe you're hiring, maybe you're the CISO hiring that director of threat intelligence, and you want to bounce a candidate, you know, a profile, like a resume off of someone like. Like me, when I was there, you could schedule an inquiry [00:45:00] about existing research and, and, and answer some questions and go deeper for all those best practices reports and waves and, and everything.
There's always research. There's always notes that were left on the editing room floor. Forrester writes really sharp, concise reports, really digestible, which means that we often do cut out a lot of insights. A lot of data that we discovered during the research process. So go and ask, you know, to go deeper and, and have those conversations with them.
There's always more inside. There's so much information inside, uh, some of these analysts brains. Um, most come from industry. They, they were sales engineers. They were, you know, threat Intel analysts like me, they were network architects. Uh, there were programmers, developers, they are most come in, haven't done a lot of the job that their clients.
Are doing and and they've been in their shoes. They feel they felt the pain. They have empathy and they, they have so much [00:46:00] knowledge. And sometimes it's like, based on their own experience that another, you know, the company before Forrester before a Gartner, um. So have that, find out who your contact is at your enterprise and see about scheduling inquiries.
A lot of, a lot of inquiry privileges just don't even get used. Uh, which is sad. Um, we want to talk, we want to have the conversations. We, that's why we. Join the company to do research and, and then to turn that into something that helps, you know, technology leaders be more efficient and effective. And then from the, um, uh, uh, you know, other vendor, um, uses there too, is, um, you know, find out if, if you've even got a product market fit.
Uh, you may have this crazy idea, right? And so use that briefing as an opportunity to get, you know, a response, you know, a briefing, it's, it's all about the vendor talking to the analyst, but you know, there's always questions and you can pick up on themes. And, you know, if, if, if I ask about a particular. Uh, feature or product, uh, quality or whatever.
And I, and I, I keep asking [00:47:00] about that one thing. That's probably an indicator of something like, like maybe I'm not buying what you're selling because I know my enterprise clients don't care about that. Right. You know, before getting really far into a, uh, a product life cycle, Before, you know, when you've just got a, you know, an alpha or a beta or something before you're getting really to an MVP, you know, brief, go brief an analyst and get the reaction.
Um, that can tell you a lot, you know, it's, it's almost free inquiry, you know, just a way, uh, someone like I would, would respond to a new product or service offering from a vendor.
AJ: Is there, is there a
Brian: tell you
AJ: sorry to interrupt on this one, but is there a trick? So, so on the one hand there's 850 million vendors out there, right? So I'm sure none of these analysts want the 12 people listen to this show to tell everybody to, to go ahead and flood them with things. [00:48:00] So like, is there a way to stand out if you're gonna reach out to, you know, somebody at Forrester or Gartner or whatever and say, Hey listen, I want to.
I want an opportunity to, to chat with you. I wanna brief you on, you know, what we're up to, et cetera. Like what is the right way, what is an effective way, how do you stand out? Um, you know, how do you make it so it's worth their time, right? As opposed to just being one of this horde that's like, please, please, please, you know, see my stuff.
So you can amplify me. Like, is there, is there a trick to it? Is there a better way to do it?
Brian: you know, just saying, Hey, we're a new threat intelligence vendor. It's not going to be enough, right? I've got a ton of time, or I don't have a ton of time. And that's not going to really interest me. But if you tell me that, Hey, we are extracting signals across the internet that detect malware, you know, earlier, uh, you know, before, uh, ransomware is deployed or something like that.
Now you've got some interest. Like. If you've got to be, you've got to be able to distill down the value that your product or service provides in like one bullet, [00:49:00] right? If you, if you can't do that, I don't think you were really that mature yet. And then the other thing is when, when I do get the, the vendor briefing, typically one of the questions in this, I learned this there at Forrester was, was to see how mature that vendor is, is ask them.
You know, when you win or lose a competitive deal, you know, why, why do you lose to competitors? Why do you beat your competitors? Like that shows that they are extracting some insights from their own customer and prospect base. And that's hugely, um, that's important. Like they should be able to, they should know that, right.
And then that also does help the analysts understand if there is like a product market fit and, and if this is a vendor that maybe should be in research someday. And, um, you know, fairly easy questions that should be easy questions to answer short questions, you know, that you can ask any, any vendor. And, you know, [00:50:00] we would typically ask that like to any new vendor out there, you know, to see if they understand.
Their, their, their customers and prospects.
AJ: So what I'm hearing is if I want to get the attention of somebody, if I've got a new product and service, what I need to do, because it's got to be quick and effective is just tell them that, you know, we're, we're cutting edge, uh, new wave technologies, you know, utilizing AI, uh, in unforeseen ways to secure all networks proactively for 100 percent protection, uh, using blockchain technology like that, that should be enough, right?
That would get me in the door and zero trust. I got to throw that in someplace. I don't know,
Brian: Yeah, yeah, yeah. Definitely a
AJ: a less than zero trust? Is there somebody out there writing that right now? The less than zero trust,
Brian: But I mean that
AJ: zero.
Brian: your example there, while, while hilarious, I mean, that's, that's like all marketing basically. Like don't tell me it's AI and it's blockchain, whatever they're, what's the actual value that it brings? What does it do?
That's better than [00:51:00] legacy products and services.
AJ: So if I just said, Hey, we've developed a new technology and capability that is faster, uh, more effective, less noise. You know, we can prove it to you with the data and statistics and it's, you know, faster, cheaper, better, that kind of thing. That's more likely to get a response than just throwing all the marketing
Brian: definitely. The marketing buzzwords don't work very well on, on folks like me.
AJ: Yeah. Well, that, I mean, that's probably good advice for folks out there. Cause a lot of these. Our type of the marketing organizations and no offense to marketing. Listen, we've, you know, I've talked a little about it. We have a show a few episodes back. That was, you know, it's all security marketing bullshit.
If you didn't see it, shame on you for not watching it. Everybody is a good friend of both of ours. Actually. Uh, Emily Phelps, that was the guest on
Brian: I introduced the two of them.
AJ: yes, you did. Yeah. And now she and I are really good friends. Brian and I talk occasionally. Uh, but anyway, no, but I think that's important, right? Is, Hey, listen, marketing is a lot of times the front end of this.
Okay. Make sure that you're working with practitioners or product people. If you're building something right to get the real answer, like the value piece, I think that's important and marketing those value to [00:52:00] write. So instead of using the buzzword, skip to, Hey, the value prop, that sounds like the better way to get noticed
Brian: additionally for, for B2B folks, like don't market to your own executives, right? You got to market to the buyers. Like your executives know if there's some AI or ML or whatever that's in the product, right? And the buyers don't really care as long as it provides value, as long as it solves the problem that they're having there.
So focus on the problem and the value and get rid of the buzzwords.
AJ: I think that's good advice. That's probably we buried the lead. That's probably the best part of the whole show, you know, is, Hey, how do we make this work for us? And the answer is, you know, skip the buzzwords and just focus on value, which makes sense. We all talk about that, right? People just want return on investment.
They want value, you know, yeah. Tell them to them, get the, uh, get the, uh, attention of these analysts and then prove it to them, you know, show it to them, give them a demo, et cetera, and if you can do that, you'll probably get a good write up and then you'll draw a business and you can be super rich and famous.
Uh, like, you know, I don't know, pick somebody. Um, so, all right, this is really cool, man. And listen, we're [00:53:00] coming up on time. We're, we're getting. You know, a little short here, but which is fine. This has been a good conversation. I think it's really interesting. Like it's not all pay for play. Um, in fact, these companies make enough money that you probably just can't bribe your way into their charts.
So we can actually probably have some reason to trust and believe it's nice to know that there's processes, uh, behind the scenes on this stuff and documented processes and the legitimate research processes like, uh, like you would expect from people, you know, who are professionals in our industry, whether Intel professionals or, you know, Academics are a bit of both.
I mean, again, Brian went to the prestigious Georgia Tech University. Um, and others went to, went to other
Brian: Man, you did a faux pas there, man.
AJ: you're not prestigious Georgia Tech University
Brian: We are, it's the Georgia Institute
AJ: or Georgia Institute of Technology, right? I forgot. It's not
Brian: You watch enough college football. You should know. It's always that trivia question. We're like the four schools that don't have university
AJ: And yet you don't go by GIT, though. Well, you don't go by GIT.
You just go by Georgia Tech. So, but I guess Caltech doesn't either, and they're probably the same way. So, um, anyway, no, it's a good point, right? So, [00:54:00] uh, go to universities, you know, good, legitimate research, not really bribable, not pay for play. There are some others out there that are actually going to watch for that.
Um, and the best way to really get engaged and get involved is to To go out there and do so, you know, if you're a vendor, you want to pitch, use your value prop, not your marketing shit. And if you're somebody looking for help figuring out how to navigate the industry and get better, um, these are people that actually are looking for those conversations.
So I think that's actually really good. You know, I think, I think this
Brian: and you know, a lot of folks will say that I'm in a particular Slack group, a signal group, a text group, email chain, whatever, with other CISOs or, um, different security leaders, IT leaders there. And I just asked them what they. Think about a particular vendor or what I think about zero trust. And, and that's good.
Keep doing that. I'm not saying don't do that, but a Forrester has just a bigger aperture, a global aperture. You know, the. Their survey goes globally to the point where you can get specific insights by region. So if you're a vendor and you're looking to [00:55:00] sell in APAC, you're going to have some different, uh, buyer attitudes over there than you might have in North America, you know, that's the global scale of like a Forrester that, that survey data is, is, is huge and you can.
Bisect it and break it all up and get some really neat insights by, uh, region and industry. And, you know, if you're a CISO, you're probably, you know, very similar CISOs and you don't necessarily know, you know, their experience is going to be very different than other folks elsewhere. And so, um, use it to complement, uh, each other there.
Oh, another thing, uh, that I wanted to, to mention is. With a Forrester wave, especially, and this probably is similar to the other vendor evaluations is the, the end research is not simply the graphic, right? That's what gets shared on social and whatever. It's not even just the full PDF, uh, that has some of the breakdowns and scores there.
But at Forrester. There's a tool [00:56:00] that clients get that is customizable. So I'll use threat Intel as an example. If you, uh, are great and, and technical tactical threat intelligence, maybe you don't need that. Maybe your gap is strategic. And so you can use that tool, change the weightings. Say drop technical tactical down to zero tune strategic up to a hundred and it replots all the vendors out there and you get a new set of leaders and then you can use that, like I said, to make, make better decisions on your technology, uh, procurement there.
Um, so it's not just that particular image, uh, there's way more to it. And of course, if you need help navigating that tool and that report and all, that's where the inquiry comes in with talking to the analyst. Um, You know, to go deeper than maybe what the WAVE report. You know, talked about
AJ: Yeah, that's actually really interesting. I didn't know that. Um, and so you can, you can customize it and tune it further. This is turning into a really good advertisement for Forrester. By the way, those, those guys should probably [00:57:00] be sponsoring the show. I'm going to reach out to them and tell them I'm not putting this thing out until they actually put some money on this thing.
Damn it. No, they don't, they don't care about me. And obviously I can't bully them because they make half a billion dollars a year. But, um, But it's good to know that I didn't know you could actually tune the tool. Cause that is a good point. Like it's a segmentation piece, right? You might say I'm good at this, uh, but not that.
And Intel's a perfect example in that you might have great strat and lousy tack, uh, and operational or vice versa. Um, and to be able to tune it and go, that's important because maybe I'm great at tactical. Well, the number one group, according to the wave, uh, you know, or magic quadrant or whatever, I shouldn't just.
Assume that's the one because maybe if I tune, I find out, well, they're great at tactical and then lousy at strategic. Well, why the hell would I buy more tactical? Now, the group that was actually down the wave, it turns out for strategic, though, they're great. Well, that's the group I should be looking at.
So that's actually a really good tip for those who are working with these organizations or thinking about it. That there's, there's more than what we see publicly, I guess. So listen, we're, we're, we're coming down to it. The name of the show, like you don't get a pass. Nobody ever has yet. Uh, don't be a coward.
Uh, the name of the show is Unspoken Security, right? So the closing question is always the same with [00:58:00] that in mind. You know, tell me something you've never told anyone, something unspoken.
Brian: I mean, I, I never take risks. I'm very conservative, you know, by the book, never pushed boundaries or anything. I mean, I've, I've got nothing really, uh, I don't have any skeletons in my closet, right?
AJ: Uh, do you want
Brian: I don't think I've ever said that, by the way, that's, that was, you know, but now, uh,
AJ: tell stories. I'll get on the phone right now. I'll get some stories.
Brian: Oh yeah. Yeah. Emily's got some stories.
Um, and one thing that she probably wouldn't even know. Um, I mentioned, you know, Fort Gordon, now Fort Eisenhower, uh, between reserve and active time, I pretty much commuted between Atlanta and Fort Gordon throughout 20 years of service. And anyone that's from this area knows Interstate 20 is pretty boring.
Lots of pine trees. Um, and I, I, I kind of got in the habit of testing my vehicle at the time. Uh, so a lot of [00:59:00] times I was driving like really early morning, so I can make PT at like six, seven, whatever it was a.m. And, um, so every car I owned during that 20 years, I, I, I, I validated that, the vehicle's top speed, including a Jeep Wrangler, which is like driving a billboard.
So I, I think I, I'm not even sure
AJ: That's good. 62.
Brian: hour there, but my current car, which I've had for 12 years now, um, I did validate the electronic governor does cut off at 155.
AJ: Ooh, jeez.
Brian: Yep. Are you getting some of these stretches there and you can see for miles and there's not a, there's no tail lights there and you know,
AJ: anybody from the Georgia state patrol that might be listening to this sounds like I 20 is a place to hang out and wait for Brian kind to come by. Uh, look up his vehicle and plate. I don't have that available to you. Um, but, uh, that's, you beat me. I've done 140 a couple of times. Uh, I haven't done 155 though.
That's I think one 40s. My top, and I don't recommend it for those who are asking. Um, I mean, it's fun. Don't get me wrong. I'm not saying I don't recommend it cause it wasn't fun. It's just, I, I'm not going to [01:00:00] be responsible for bad things happening to people. I'm actually going to share one. I don't, uh, I don't usually do this as the host anymore, but, uh, cause people know things, but I got a funny one cause it's about you.
So I'll get to do it. Um, So Brian mentioned that he, uh, when he left Forrester, he came to work with me, uh, which is, which is true. We worked together. We both were hired, uh, roughly almost the same time I was hired right before him. Basically, we both had interviewed around the same time we were hired together.
Um, and we had peer roles in the company and not long after we were hired, there was a holiday party, um, because that's just the time of the year. Right. And so we're all sitting nice, nice party and you know, it's a fancy get together and whatever. And I get to meet Brian's wonderful wife, who obviously has terrible taste in men.
And, uh, and, and we're around this table and it's, you know, it's, it's a really nice event. Right. And, uh, and Brian was very happy to have joined the company, um, and maybe had one or two drinks or more. Um, and so our CEO is standing up, uh, we're talking about the year in review and, and, and to be honest with you, it was a few people were kind of kissing the ring of the CEO.
That was kind of how the vibe was in the room. And, uh, and Brian stands up, uh, and, and kindly says, you know, I'm so thankful to be [01:01:00] here. I really appreciate you hiring me. And then spends the next two minutes or so raving about me. Uh, and, and just, it was very kind, but also very embarrassing. I'm like, Jesus Christ, dude, you're going to get me fired.
You're, you're showing up the boss. This is his moment. You're supposed to kiss his ring and suddenly it's me. And it was, listen, Brian's a really nice guy and it was genuine and he was very happy to be there and we were lucky to work together and we had some good times. Um, uh, but if, if Brian has one too many, I promise you, you will get all sorts of sweet honesty from him.
I'm just glad Brian likes me or it would have been just a terrible, terrible night for me because he had no problem saying what was on his mind. It was a lot of fun. It was very sweet. It was kind, it was a little embarrassing for me, but, um, but it's one of the funnier things I can actually remember in my career.
Cause I thought, sat there thinking, dude, I don't know this guy that well yet. Like you might've gotten new fired. You just showed up the CEO and I'm going to look like the jackass somehow.
Brian: You were there longer than me. So you're welcome. Uh,
AJ: no, it was good. And I appreciate it. And we had a good time working together.
And it's a shame it doesn't happen anymore. And maybe somewhere in the future we'll get another chance to do so. I think you should do the ZT for OT thing. You got some time on [01:02:00] around, I think you should sit down and write. I'm serious. You should sit down and write the paper. Like, publish it, you know, do it.
But, um, but listen, so you got to share your little story about, you know, driving a million miles an hour and I got to embarrass you, which is fun. Um, we're kind of under time, but the last thing, uh, you know, after that is just, you know, is there anything that you want to add as we come up on time? Any last thoughts, anything you want to plug, um, you know, anything, anything you want to say before I, you know, we call it a show and hop out of here.
Brian: You know, I'll, I'll make a plug for myself, really. I, I don't often do that. I, I, I like to, you know, say good things about people like AJ, right. But, um, you know, I'm on the job market too. So I'm looking for threat intelligence leadership positions, a vendor or enterprise. So if you know something in the Atlanta area or remote, um, you know, hit me up on, uh, the socials and, you know, let me know.
AJ: Yeah. And I, and listen, I, I think you should hire Brian. Like if you guys are listening and you have that, I've worked with him, he's a good guy and his resume is fucking amazing. Obviously you can read it and we talked about it and he went to the Georgia Institute of Technology, um, where he got his architecture degree, but, uh, but also the, you know, the military background, but the truth of the matter is the guy's a good guy to work with.
Like I trust him. He's reliable. He's a good [01:03:00] person. He's easy to work with. I'd work with you in a heartbeat, Brian. If I had the opportunity to do so, if I could hire you, uh, I would, but I have like 3 and a ham sandwich a week. If you're interested in that job. Otherwise, I recommend you hold out for something a little bit more.
Um, but no, I think it's good. Yeah, plugging yourself is the best way to go in this place. Uh, hopefully, hell, by the time this thing, by the time anybody other than the two of us sees this, you might already have a new gig. But if not, uh, yeah, I highly recommend, you know, Brian's a good guy to work with, to build teams, to build organizational structure, to do intel stuff.
Uh, he's a good one. So, all right. Listen, man, with that, thanks. Uh, thanks for being here. And thanks for, for the topic. This was 100 percent Brian's idea to talk about, you know, analysts. I think it's great because I wouldn't have thought of it. And we don't do enough of this stuff and hopefully it helped it.
Frankly, I learned a few things about it's not all pay for play and you know, there's value in this. And now we know how to, to work with these guys, uh, and maybe pilfer some good talent from them eventually. So thanks again for, for being on the show, man. I appreciate it. Uh, you know, have a, uh, you know, good luck with, with the search, et cetera.
We'll keep talking offline, obviously. Uh, and for everybody else listening and watching, thanks for spending some time with us today. Uh, if you like the show, I appreciate it. If you can [01:04:00] like it and recommend it to people, subscribe, all that stuff. If you don't like the show, shut the hell up. Um, no, that's not true.
If you don't like it, please do tell me, like, I'd prefer you don't tell the world, but please do reach out and let me know if you, if you've got ideas to improve it. If you know people you think should be on the show. Uh, you know, I, I'm open to ideas. Um, but again, thanks for, for taking the time to listen and watch today.
And, and until next time, uh, this has been another episode of Unspoken Security.