May 23, 2024

Episode 3 | Ryan Cooke on CSPM, DSPM and Data Security in the Cloud

Learn about the importance of data security posture management (DSPM) and its role in protecting sensitive data in cloud environments.

Summary

In this episode, the hosts and guest discuss the importance of data security posture management (DSPM) and its role in protecting sensitive data. They explore the evolution of the cybersecurity and data security market over the years, highlighting the challenges and advancements in securing data in cloud environments. The conversation also touches on the vendor landscape, the complexity of selecting security tools, and the need for organizations to invest in data security. The key takeaways include the overwhelming number of security tools available, the importance of aligning security goals with business risks, and the impact of regulations on data security.

Key Takeaways

  • The cybersecurity and data security market has evolved over the years, with increasing challenges and advancements in securing data in cloud environments.
  • There is an overwhelming number of security tools available, making the selection process complex for organizations.
  • Aligning security goals with business risks is crucial in convincing leadership to invest in data security.
  • Regulations and government scrutiny are driving organizations to prioritize data security to avoid penalties and reputational damage.

Resources

Transcript

Louis-Victor Jadavji: [00:00:00] Welcome to the Tech Decision Podcast, where we take the soul-sucking work of researching enterprise technology trends and make it accessible, engaging, and insightful. Each episode dives into the vast world of tech solutions, breaking down complex choices into manageable insights to help you make informed, strategic decisions.

Louis-Victor Jadavji: Whether you're a seasoned IT professional or a curious newcomer, Tech Decision is your go-to resource. Tech Decision is sponsored and hosted by the team at Taloflow, the leading technology selection platform to evaluate vendors for your exact use case. I'd like to introduce my co-host, Abhishek Singh.

Louis-Victor Jadavji: Abhishek is the Manager of Enterprise Systems Integration at Toast. Prior to this, he was a principal analyst at Gartner in the application architecture, infrastructure, and integration group. I am your co-host, Louis-Victor Jadavji. I am a co-founder at Taloflow and its CEO. And finally, our guest, Ryan Cooke.

Louis-Victor Jadavji: Ryan is the founder and CEO of Jumpwire, [00:01:00] a YC-backed data security company that helps clients handle data more securely and maintain a compliance posture aligned with SOC 2, PCI, and more. Before Jumpwire, Ryan was the CTO of Orum.io, a payments network, and also head of U.S. technology at N26. Gents, so Ryan, how did you end up founding Jumpwire? And what's your work like today?

Ryan Cooke: Thanks for having me. I'm really glad to be able to talk about this topic. We started Jumpwire to solve some of the problems that we've faced in prior companies, mostly startups, but also large technology companies, grappling with how to manage data.

Ryan Cooke: And increasingly a big part of that is managing the data securely and doing it in ways that comply either with regulations and laws or internal policies that organizations have created for their own information security programs. There's a typical data stack in a lot [00:02:00] of software and applications that you use today.

Ryan Cooke: They tend to use commodity databases called relational databases. These are really fantastic at storing large amounts of data, making it easy to query large amounts of data. But they tend to handle data in a very kind of uniform and generic way. And when it comes to applying security to data, there needs to be additional information about how sensitive this data is.

Ryan Cooke: And based on how sensitive that data is, there may be additional rules around how that data is handled. Usually around who can access it, but also what programs can process it and then what third parties it can be shared with. And so we felt like there was a gap in your typical web application architecture, where you have a very dumb storage layer and you have an application layer that has your business logic, but nothing in between that's understanding the pieces of data that are moving around different layers of that architecture and then making decisions [00:03:00] on how that data should be handled. So I got a chance to join a good friend of mine as a co-founder, and we decided to tackle this problem with technology.

Louis-Victor Jadavji: Wonderful. And this falls into the space of DSPM or data security posture management, right?

Ryan Cooke: Yep. That's right. Abhishek, I'm guessing you're the one responsible for Gartner kind of creating all these acronyms, but DSPM is a new quadrant within the Gartner kind of analysis space and it's been adopted by the industry. It stands for data security posture management. And it's really around a kind of a suite of tools and pieces of technology that can help companies, one, inform themselves about how they are tracking towards their own policies and guidelines.

Ryan Cooke: And then also use that to make it visible to their third parties, their customers, their auditors and regulatory bodies that they are following all the necessary compliance and regulatory requirements. [00:04:00]

Louis-Victor Jadavji: So Ryan, it looks like you have about two decades of experience in this space, and you mentioned the acronyms popping up left and center.

Louis-Victor Jadavji: So how has the state of cybersecurity, and specifically the data security market, evolved over that period? And where do you see it going as well?

Ryan Cooke: Yeah, it's funny. Like, I grew up with the internet becoming ubiquitous in the 90s. And I recall at that time a big scandal for a software company would be they'd lose all their customers' passwords.

Ryan Cooke: And that was because they would store their passwords just in a database, in plaintext, and if a hacker got access to that database, they could just read all the passwords. There were no additional protections. And so it was a big overhaul in that everybody needed to start to learn that we needed to encrypt our passwords before we store them in the database.

Ryan Cooke: And then similarly, as Wi-Fi became more ubiquitous, network encryption, right? TLS. I remember first accessing Facebook over an unencrypted network, HTTP Facebook. And people [00:05:00] would sit in coffee shops and sniff traffic off the network and grab your Facebook profile just from the packets that were flying through the air.

Ryan Cooke: I actually had a senior project where we were setting our Wi-Fi adapters in promiscuous mode and just grabbing whatever we could out of the air. And so I think some of these, like, basic data things have then slowly been adopted. And now we see that as the status quo. Certainly every website is running under HTTPS and encrypted.

Ryan Cooke: And then I think that the next big revolution from a security perspective was SaaS, adoption of SaaS tools. The typical thing for large enterprises was to own all their own infrastructure, buy software and install it in their own data center. And now you have SaaS tools that are being delivered to the browser.

Ryan Cooke: The consequence of that is now you're giving a third party some of your data, or they're hosting it for you. And so that really changed the security model of how do we protect our assets and how do we protect our data when we don't own the infrastructure and we're not managing it. And then lastly, I think the most recent one was cloud, and adoption of the cloud has [00:06:00] really upended the traditional security models where, again, it's my software that I'm coding running in the cloud, but I don't own the infrastructure and there's a shared responsibility model between myself and a cloud provider.

Ryan Cooke: But, again, a consequence is that my data might be sitting in an S3 bucket. This S3 bucket is actually connected to the Internet, whereas the disks in my data center would be behind a firewall. And so if I misconfigure the security settings on my S3 bucket, all of my data may be exposed to anyone on the internet.

Ryan Cooke: And that's been a kind of a big change in kind of data loss protection and how the traditional controls that we put in place for security just don't translate; there isn't a real, like, technical equivalent, even though there may be a philosophical equivalent. And I think that we continue to see the consequences of these radical kind of transformations at the infrastructure level, and the impacts on security where, if you follow data breaches, they are increasing in occurrence. The consequences and scale and cost of those data [00:07:00] breaches are consistently increasing year over year. And I don't think we've seen yet just, like, a real silver bullet to keeping data safe and how practitioners and people who build software can ensure that they're following the best practice around data security.

Louis-Victor Jadavji: Understood. And you also, I guess that CSPM or the cloud paradigm shift has led to a couple of huge companies popping up on the scene, like Orca and Wiz, right? Is that where they tend to focus mostly?

Ryan Cooke: Yeah. So they've been really great at looking at everything in an AWS account and then highlighting things that are obviously weak. They really started with, oh, you have this S3 bucket publicly exposed, or, oh, this IP address for your database is open to the internet. But they've gotten even smarter now, where they can understand both your cloud architecture and the identity and access rights that you have set up and find [00:08:00] chains of potential vulnerabilities. So maybe there's a vulnerability in a system that doesn't have sensitive data.

Ryan Cooke: Yeah, but it has rights to access sensitive data somewhere else in your cloud that is not exposed to the Internet. And so you can start to trace these vulnerabilities through them, and they can do it fairly quickly. I think one of the real strong appeals for Orca and Wiz is they can connect directly to your public cloud, so you don't need to install anything.

Ryan Cooke: They can just look at configuration and logs, so they don't need access to anything. And then they can produce a report, within hours or even minutes. And that's a very powerful tool for quickly getting visibility. Got it.

Louis-Victor Jadavji: And it's funny, I see them pop up all the time because, I forget who it is, Pramod Ghassavi or something like that on LinkedIn, who talks a lot about consolidation in the space. And seems to be championing Wiz and Orca and so on. Like, why is this space so prone to consolidation?

Louis-Victor Jadavji: [00:09:00] Lately, is there just too much splintering and not enough customers, or are we just oversaturated? What's happening there?

Ryan Cooke: Yeah, that's my opinion. My opinion is that it's really about the buyer and how the buyer likes to acquire security software infrastructure. If you're a midsize business, you typically lack the in-house personnel to acquire security.

Ryan Cooke: And so they'll go through service providers. And so a lot of these larger players have set up platforms and tools for their partners and service providers to effectively secure, resell and deploy their solutions. And that's really hard for smaller companies like security startups to build initially.

Ryan Cooke: And so you tend to just gravitate towards larger players serving this MSSP, the managed security service provider, market. And then the second is large enterprises. Even if they do have internal teams, they tend to like to buy platforms. There are tens of thousands of security products in the market, and trying to understand [00:10:00] what is the best security product across two dozen different categories, all of which I need to fulfill to implement security in my organization, that's really challenging for them. Like a vendor selection, you probably know how hard it is to pick just one solution, and so do that 20 times. And I think that's why enterprise buyers tend to gravitate towards platforms. They do like that: hey, we can solve all your security problems because we've rolled up all these solutions. Sometimes they're still disparate products underneath, right? You're still implementing them individually, but from a brand and acquisition perspective, you can get it from a platform. So the big platforms, the Palo Altos and others, there's maybe three or four of those. They love to acquire and roll things up and continue to expand their reach. They're less likely to build a DSPM tool and more likely to just acquire it when they need to fill that category.

Ryan Cooke: And so that's, I think, driving a lot of the consolidation that we see in the past couple of years. And with that context, which, of course, is going to [00:11:00] impact innovation and what kind of startups enter the fray, so where do you see this industry being, let's say, 3 to 5 years from now?

Ryan Cooke: Yeah, I think one of the unfortunate drawbacks of the kind of posture management tools is they're less able to actually remediate problems. They're very good at finding problems and alerting you to them. But when it comes to actually solving that, fixing a vulnerability, there's typically implementation that still has to be done by the engineers in the organization or by adopting a new control.

Ryan Cooke: They're not necessarily going to fill all those gaps. And so when it comes to building those types of controls, those are opportunities for startups to innovate in. We've seen in the data space acquisitions very recently, Flow Security. There have been three or four just this year bought by some of the larger platforms, [00:12:00] specifically around controlling data, controlling access to data.

Ryan Cooke: And I think that's the next level of scrutiny that the industry is going to start to demand, because knowing about a problem is only half the battle. Maybe it's the majority of the battle in a lot of cases, but there's still work to be done. And then the second, I think, is enterprises are getting more and more reluctant to share their data.

Ryan Cooke: I started an enterprise SaaS company 10 years ago, and at the time we were able to plug directly into people's SharePoint instances and pull confidential information out without a lot of scrutiny. I don't think you can do that anymore. And then with the kind of explosion of AI, one of the biggest narratives around OpenAI and the security space is, what is my data being used for in those models?

Ryan Cooke: And there's still a lot of uncertainty and gaps around, can I use OpenAI with my private data and feel like that data is secure? And so I think I continue to see industries like hospitals increasingly requiring vendors to come [00:13:00] on-premise instead of letting the data leave their network, and I think that is going to continue to become a more and more common position that companies are taking. Yeah, it makes sense to us. So I have a question around the direction of the data protection market. So what is the thing that has surprised you most about the data protection market, or the newer term, which is data

Louis-Victor Jadavji: security,

Abhishek Singh: yeah, data security posture market.

Abhishek Singh: So newer acronym to the similar thing, or I may be wrong on this

Louis-Victor Jadavji: every time.

Ryan Cooke: I always look them up before this meeting; I had to remind myself what CNAPP meant. But yeah, I think I'm pretty surprised around just the visibility aspect. And a lot of DSPM has initially focused on: let's go find all your data and then tell you where the sensitive data is and who has access to it. And maybe it's because I've always worked in smaller organizations and startups, but that does seem to have a lot of value for enterprises, and the reflection of that [00:14:00] is that these companies just don't even know what data they have.

Ryan Cooke: They don't know where it is. They don't know, is it something that needs protection or not? And that's, I think, a little bit shocking. I think I've seen where access controls have been over-provisioned. Certainly people have too much access to data. I think that's pretty common.

Ryan Cooke: But not realizing that you have entire repositories or databases of data that just IT or the security team isn't aware of, hasn't been classified, and there's no control around, is pretty surprising. But that's a perfect problem for DSPM tools to solve, because they can fill that out very quickly.

Ryan Cooke: And then I think that the second piece is, what do you do? It's still really challenging to process large volumes of data, and moving bytes off of disks across networks, that still can take a long time. And so if you're sitting on petabyte-scale, terabyte-scale semi-structured data and you want to apply a novel encryption to it.

Ryan Cooke: How can you do that from a technical [00:15:00] perspective? It's still very hard. And a lot of the, I think, innovation in the big data stack around data warehouses, ETL, ELT, data lakes, different ways to just dump and process data, those technologies haven't really translated into the security space yet.

Ryan Cooke: And we're just now starting to see talk about data fabrics and applying some of these either federated search processes or ETL processes that I think a lot of data teams have had in their tool belt for a while, now coming into the security space, which is exciting.

Abhishek Singh: That's very interesting. And so I have a follow-up question to this. Does the over-provisioning of data rules slow down the amount of, uh, things that need to be done from the individuals? So let's say, for example, we don't provide access to individuals who need the data access for specific things in the project.

Abhishek Singh: So [00:16:00] provisioning those data accesses to individuals at a slower rate, does that hinder projects in different companies? What has your experience been? Absolutely.

Ryan Cooke: And this is the trade-off that engineering leaders or security leaders have to take, which is, do I try to kick everyone out of my database, data warehouse?

Ryan Cooke: Because I know that I can't distinguish between what kind of data they can access through that, and then they can't do their job. And there are tons of operational roles and kind of analytical roles that need pretty broad access to large data sets for them to do their daily job.

Ryan Cooke: Or do I try to limit what they can see, but still give them some kind of access? Incredibly difficult to manage, especially when you multiply that by the number of kind of SaaS tools and the number of data repositories that most companies are using. Every repository and tool has its own slightly different authorization scheme.

Ryan Cooke: And so creating the matrices of this role should have this kind of access [00:17:00] inside this tool, provisioning that, deprovisioning that, that's a really big challenge. And then classifying data. Typically, I've fallen into this trap too in startups, where I just say, you know what, everything in production is confidential, because I can't really take the time right now to distinguish between what's marketing data and what's my customer PII.

Ryan Cooke: So I just say it's all super, super controlled, but that doesn't scale either. And so some of the solutions, privilege management, which I would say falls outside but certainly intersects with DSPM, are innovating there, where they're giving people temporary access. Maybe I don't need all the access all the time.

Ryan Cooke: I just need it for the next day to do my job. And then on the DSPM side, automatically classifying data. Okay, I don't need to tell you what first name, last name means to me. You can just know, okay, that's PII. This is a social security number. This is a phone number. This is an address. And very quickly create a classification scheme for large data repositories.

Ryan Cooke: And then on top of that, once I have that kind of classification scheme, [00:18:00] then it becomes a little easier for me to start to do privileged access in a way that is tailored towards people's roles and taking advantage of some of the granular authorizations.

Abhishek Singh: That makes sense. I just wanted to understand the difference between DSPM and CSPM, which is Cloud Security Posture Management.

Abhishek Singh: How are these two areas, these two technologies different? Yeah,

Ryan Cooke: I would say I would probably roll DSPM in as a subset. Although I know you'll find things that are distinct solutions, that are distinct between them. But CSPM is really just looking at your entire cloud.

Ryan Cooke: So I have an AWS account. Do I have it configured correctly, the security of all of my services in AWS? And of course, AWS has hundreds of different types of services. And so understanding how I should be configuring my Lambda functions to be secure versus my EC2 instances to be secure is all different kinds of best practices you apply between those.

Ryan Cooke: And so CSPM understands those and can apply that criteria to your [00:19:00] account and tell you very quickly. DSPM is really just focused on data, and it's like, where does that data live? How sensitive or confidential is that data? And then who has access to it? And does it seem like too many people have access to really confidential data when I'm expecting only specific roles or a specific kind of leadership to have access to types of data?

Ryan Cooke: And that's where DSPM carves out its niche from just the broader cloud, which can include things like compute and other digital resources.

Abhishek Singh: So what I get is CSPM is mostly focusing on data security as well as security misconfigurations that you need to manage across hybrid cloud and multi-cloud environments, and DSPM is emerging out of the CSPM umbrella.

Ryan Cooke: Yeah, that's good. Yeah, that makes sense. Most of the viewers of this podcast would understand why we need data security, but for people like me who barely understand security, I just wanted to ask this question: why is it important for organizations to go [00:20:00] ahead and invest in data security tools?

Abhishek Singh: And at what stage is it relevant for them to invest in data security?

Ryan Cooke: Yeah, I think security is an interesting industry to work in, because some of the motivations look really different depending on the type of customer or industry that you're trying to serve.

Ryan Cooke: Certainly there are some companies that need security. Security is their main value proposition. Maybe they're selling to government. They're selling to hospitals, healthcare. People are making buying decisions based on that security. But for a lot of companies, interestingly enough, security is considered a cost and not an investment.

Ryan Cooke: And that's really because the nature of their business is such where it would be unfortunate if there was a security incident, but not fatal. Or maybe their customers just don't care about security. I was just a few months ago talking to a company, a consumer business. They digitize people's old photographs and VHS [00:21:00] videotapes. And the thing that they are most worried about is not, am I leaking someone's old family photos? It's, am I losing someone's old family photos? They can't lose data, because if they lose data, they'll lose their customers. Their customers rely on them to keep these assets safe forever.

Ryan Cooke: And so that's just a type of business where they're not deliberately trying to be insecure, but it's just not a top priority for them. But when it comes to public companies, I think the most interesting thing happening both in the U.S. and around the world is the legislation and the government scrutiny that's coming towards security and the consequences of incidents. You've probably seen where chief information security officers are being held personally liable if there's a security incident and they don't respond in the way that the government regulators expect. The SEC is bringing orders and charges against folks.

Ryan Cooke: And then there's a big cost. You have some of the largest hacks, the Equifax hack, the Okta [00:22:00] hacks. Those can cost tens or hundreds of millions of dollars to the organization. And those companies are not out of business, but it's taken time for them to reestablish trust in the brand.

Ryan Cooke: And they have to spend a lot of money around that. And so those, I think, are some of the biggest motivators for companies to invest in security.

Abhishek Singh: So you've touched upon the point that investment in security initiatives is mostly a cost to the organizations, and there are motivators beyond that as well.

Abhishek Singh: So how does an individual security analyst or security people in the organization convince the leadership to invest in the discipline and the set of technologies that would help the company secure the data? And how do they go ahead and measure the efficiencies and return on investment in these security technologies?

Ryan Cooke: Yeah. So I think the most effective strategy is to align the security goals with the risks of the business. And if you can express that this weakness or vulnerability is contributing to something that's [00:23:00] a considerable risk to the greater business, it's going to get the attention of leadership and ideally the prioritization.

Ryan Cooke: I think the downside is, as engineers specifically, we like to talk about the problems from a technical perspective, and we often try to adopt this idealized state of, this is insecure, and so we should fix it. And the larger business just cannot orient itself around that.

Ryan Cooke: And like I've mentioned, different businesses' risk profiles look different. Reputation is sometimes important, sometimes critical. And so certainly a lot of the risk of a security breach comes with the risk of reputational loss. And that can be one big motivation.

Ryan Cooke: Another is the regulatory side. And is there a monetary penalty here? Is there a kind of a liability that could be held to the company? And this is true both for security incidents, but also a lot around privacy. You see a lot of different countries around the world [00:24:00] adopting new standards for how to manage privacy with customer information and customer consent.

Ryan Cooke: And those have the same kind of implementations into your technology control stack as does breach protection.

Ryan Cooke: Fascinating. The regulatory environment must be such a big driver for this business right now.

Ryan Cooke: It really is.

Louis-Victor Jadavji: Yeah.

Ryan Cooke: I've worked in situations where just tracking customers' consent, so this is not their data, it's that they've consented for you to use their data, it's not an easy thing to just drop into your piece of software.

Ryan Cooke: There's quite a bit of engineering work that has to go into that.

Louis-Victor Jadavji: Exactly. And a very low threshold for compliance as well. You don't need to be a big business to need to adhere to it. Fair enough. So what are some shining examples then, let's say, case studies of data security done well?

Ryan Cooke: Yeah, I think it's interesting. A lot of the challenge in security is [00:25:00] proving a negative. The examples that stand out in my mind are where there was a breach, there was an incident. I think, when you're building software, bugs are inevitable. There's always going to be problems.

Ryan Cooke: And so you don't see that as a mistake; it's part of the business. I think CircleCI had an incident last year which was fairly severe, where someone was able to session-hijack from an engineer's laptop credentials that allowed them to provision resources that would read encryption keys.

Ryan Cooke: And then, by getting access to encryption keys, they were able to get access to all the secrets and all the customer secrets. CircleCI is a platform for building and deploying software, and so a lot of it is managing secrets like API keys that the software needs to run, and that resulted in them needing all of their customers to change all of their API keys. So if you used OpenAI, you've probably grabbed their API key and put it somewhere in your environment so that your Python application can use it. And imagine having to do that dozens of times [00:26:00] across hundreds of customers. They were very transparent about it.

Ryan Cooke: They responded very quickly. They made it public very quickly, I think within a couple of days of the incident. And so to me, those are really good practices. Obviously, you never want to see that happen, but it's likely to happen, and the way you respond to it matters. And then you contrast that with something like LastPass, where I think they continue to be fairly obscure about what has happened and the level of impacts. Again, they're managing passwords. They're also managing secrets. And it seems likely that not only did they lose everyone's encrypted passwords, but they probably lost some of the keys that can decrypt those. And they were very slow kind of to announce it, months after the fact.

Ryan Cooke: They announced it in stages where they tried to make it seem like it wasn't a big incident and then later admitted it was a bigger incident. And those are the types of cases where I will never use that product. I just can't trust that not only are they trying to keep my data safe, but in the event that's [00:27:00] not the case, that they're responding to it in a reasonable way.

Louis-Victor Jadavji: Yeah, the LastPass incident hits home. I prefer Bitwarden ever since, but it's one of those things where it's deeply embarrassing. Where a company with ties to security suffers such a serious breach, or a series of them, it is deeply embarrassing. Yeah.

Abhishek Singh: So you've touched upon the different security tools available in the markets.

Abhishek Singh: And there are many options available for enterprise leaders or security leaders to invest in different technologies. So what does the vendor landscape look like? Are there too many tools to confuse the security leaders? Or too few to pick from?

Ryan Cooke: Way too many tools. I've seen numbers like startups in the security space.

Ryan Cooke: That's all security, obviously, not data security. But even within data security you have hundreds of vendors. Differentiating them is very challenging as well. A lot of the terminology and acronyms are used, even [00:28:00] though the implementation and the actual control look very different.

Ryan Cooke: And so I think decision makers that are not familiar kind of with some of the technology definitions or how security gets implemented would be very challenged to find that. And I think the other is that a lot of the go-to-market motions for security tools tend to be sales-led, enterprise-led.

Ryan Cooke: And so that adds another level of indirection about what am I actually buying? And what am I actually solving for? I think tools like Taloflow help that, because you can take a structured approach to evaluating vendors and you can get the analysts' input on what is differentiating different vendors.

Ryan Cooke: But I tend to think of data security as, first, management, which is really visibility. It's, I may not be aware of all the infrastructure in my enterprise, which is too big, too [00:29:00] disparate of a company; I didn't build it all. So give me a picture of where my data is and how it's being used.

Ryan Cooke: I think that's. Very interesting. And, but they're doing it through a scanning technique where they're just looking at configurations. They're not necessarily deeply inspecting all of my data. Then we have things around encryption typically data security and encryption tend to get combined because encryption is a great way to make sure that someone I don't want looking at data can't look at it because they don't have encryption keys and it's a technology that's been around for.

Ryan Cooke: 5,000 years. It's very old and it's still effective. But you'll have vendors that are selling encryption technology specifically. And there's new encryption techniques, new algorithms that are being introduced. And so there's always kind of new tooling as a result of updates and advancements in the encryption space.

Ryan Cooke: And then, you have kind of things that control where data moves. You're starting to see this with the kind of sassy where I need to. [00:30:00] Both control my network, because that's how data moves, it moves across the network and control the tools that are in applications that are sitting on top of that network.

Ryan Cooke: And so that's a very nice combination where I can have a lot of confidence that if I'm putting a rule in place, no one's introducing an application that's actually moving data in a way I don't anticipate, because I'm also putting that control into the network layer. And that's, I think, when you go into a cloud, especially important, because you don't control what is exposed, to the Internet necessarily, and you can't control the actual machines where things are being stored.

Ryan Cooke: And so that's a kind of a new class of technology that's addressing that from a bottoms up approach in a new way. And then I think the last one is some of the data platforms and we see. Very commodity platforms, like customer data platforms, like segment. They actually allow you to designate where your data is is stored and custodied.

Ryan Cooke: This again, allow, really lets you, makes it [00:31:00] easy for you to stay within privacy regulations. Whereas if you're in the EU and serving EU customers, their data is not leaving EU data centers the physical location of that. And these are just, ways that you can set up your customer data platforms and analytical platforms.

Ryan Cooke: And so I think that's again, that's not a security product, but clearly the data security regulations and privacy regulations are driving product innovation in the vendors that are storing sensitive information for you, and they're giving you the tools to maintain the controls of those.

Louis-Victor Jadavji: Makes sense.

Louis-Victor Jadavji: So in each of those buckets, can you mention maybe two or three vendors that are leading the space that could fit each? On CDP, you mentioned Twilio Segment. There's a bunch of others like RudderStack, I'm sure. But what about the others you mentioned prior?

Ryan Cooke: Yeah, I think BigID is one of the larger DSPMs. They started in just the privacy space but have moved into the larger DSPM space, and again, like [00:32:00] privacy, one of the ways to be compliant in privacy is know where my data is, know who it belongs to and know who can access that.

Ryan Cooke: Lacework is another pretty big DSPM vendor. I've gotten a chance to see some of their demos at conferences and they have a really great suite for being able to give you a full map of where all your data is and who has access to it. And then of course, Palo Alto,

Ryan Cooke: CrowdStrike, all of those big vendors. They'll have a DSPM solution as well. And I would say the CSPMs are also getting into it, the Wiz and Orcas. They'll have a DSPM component. In my experience, they're a little bit limited because they actually can't inspect the data inside, like, databases.

Ryan Cooke: Because they're just looking at configuration and logs, and not actually going and inspecting the data where it rests, they can't necessarily classify everything correctly. So they still require you to put a little bit of input in there. But they can find anything just in kind of cloud [00:33:00] native data repositories pretty nicely.

Louis-Victor Jadavji: And are you seeing the consolidation in DSPM that you are seeing in the broader security industry? Or is it still a lot of point solutions thriving despite that?

Ryan Cooke: I think it's still a lot of point solutions. And I see folks that are doing interesting things specifically for clouds.

Ryan Cooke: Just because in cloud environments, I think data just gravitates to getting distributed everywhere. And so building things native for different cloud systems, you can have a little bit more innovation.

Louis-Victor Jadavji: Got it. All right. This is great. So I think this is a good time to do our usual summary and see what we learned today and what the three or four main takeaways would be.

Louis-Victor Jadavji: So either of you, feel free to interject, but I have a bit of a list. So I'd say first, there's clearly an overwhelming level of complexity in selection for security tools. There are thousands of vendors, like you mentioned, something around 10 to 12,000 startups across two dozen or so [00:34:00] categories that are germane to security.

Louis-Victor Jadavji: It's a very sales-led process. So maybe the broad saturation and the sales-led process have the effect of enterprises wanting to buy these as platforms. Even if it means they still have to do individual implementations, they have the single relationship to work from, and maybe this is also related to this broader wave of consolidation that we're seeing, where Palo Alto Networks keeps buying things up and so on.

Louis-Victor Jadavji: And second, I was thinking, so we talked about the difference between DSPM and CSPM, with DSPM being a bit of a subset of CSPM, really focused on confidential information and data. And let's not forget what the acronym means: it's data security posture management. Whereas CSPM can focus on a broader set of things under that umbrella, including compute and other digital assets.

Louis-Victor Jadavji: And then thirdly, I think another takeaway would be that security is not always a top priority. We talk about [00:35:00] it as such a lot, but it's often perceived as a cost, like you said, and not necessarily an investment. It really depends on the relationship between the customers and the businesses

Louis-Victor Jadavji: investing in security, and of course on the broader regulatory environment, which has become very stringent, where you mentioned that even CSOs are now being held personally liable for breaches and so on. And there's maybe more emphasis now on the reputational damage that brands like Equifax and Okta have suffered in recent years.

Louis-Victor Jadavji: And there's of course not just the direct penalties that they have to pay out; the investment in rebuilding that trust and that brand over time is significant. And that's a big driving force behind the broader security market. Any other takeaways, Abhishek or Ryan, you think the audience should take?

Abhishek Singh: So I have one, which is picking tools. It's really difficult. So go ahead and invest your time in Taloflow. Yeah, a good plug.

Ryan Cooke: Really hard, and I [00:36:00] think we're starting to see engineers get a little more involved. I'm very excited when an engineer gets to influence the decisions. I think that data teams and data engineering have become a fairly well-established discipline.

Ryan Cooke: And so if you're dealing with moving data around and munging it and reforming it, it seems natural that you take on some responsibility for securing it. But I think also just organizations getting better at knowing what kind of data they have and taking a measured approach to securing it; not all data needs to be protected, certainly.

Ryan Cooke: But being able to understand what is sensitive and what is not is an exercise, and it's not necessarily something that comes naturally, I think, to most enterprises.

Louis-Victor Jadavji: Absolutely. Yeah. Well said, Ryan. Thank you so much, both of you. Thank you Abhishek, my amazing co-host, and our amazing guest, Ryan. And as Abhishek said, if you want help making technology decisions, it seems like the security space is ripe for a tool like ours to help make [00:37:00] the decisions easier.

Louis-Victor Jadavji: You can use Taloflow to advance your vendor research much faster. All right, thank you.