All right, Christine, welcome to unsupervised Learning.
Thank you for having me.
All right. We're going to, uh, we're going to jump into some stuff, uh, pretty quick here. Uh, start with the easy stuff. Um, I. So, uh, the cybersecurity industry has made a lot of, I guess, hubbub about AI and basically how big it's getting. And I'm wondering, just what are you hearing about? Like the contrast between is it is it hype? Is it really happening? Is it really, really happening? Like how much of it is like potential
energy versus kinetic energy. Like what are you seeing and hearing.
So that's a great question to start. Um, it you know, I guess I'll, I'll start with your first ask, which is is it real? Uh, absolutely. It's real. I think that when you look at the security industry as a whole, um, when you look at the the places that we have to focus most of our time and energy as leaders or, you know, budget or, you know, actually just doing pure security work, um, you know, you can't help but miss things like incident response, threat hunting, you know, looking at
indications of compromise, because that's kind of where it all starts. Uh, and I has a beautiful ability, um, in my opinion, to, you know, empower smarter decisions, um, quicker, more accurate assessments, especially when looking at indicators of compromise. Um, within your incident response team, which again, takes to, you know, tends to be one of the most critical functions in any security team, uh, and also one of the hardest to
staff and most costly. Um, so I think that there, you know, it's definitely real and there's lot of opportunity to take that and make it, um, much more intelligent. Uh, you know, it's a battlefield. So as we get smarter, our adversaries get smarter. So I think there's also a kind of a give and take of almost that you have to pay attention. Um, because if you're not paying attention, obviously your enemies are. Yeah.
Yeah, that makes sense. So you mentioned incident response. So what are some other areas that, um, seem pretty ripe for you?
Yeah. Well, I mean, the entire security program and it's in in its functions and roles are all right for automation. Um, and I think that companies that are really on the forefront of this technology are doing things like, you know, sandboxing their own data lakes and then using AI to really plug into that to make really great automated decisions. Uh, I mean, there's definitely a ton of power in that. Um, if you're a bigger company and have a lot of data,
you know, that's kind of the way to go. But I think it's really important to to look at the types of industries and companies that really need to be focusing on AI. And I think there's a difference between, you know, I use this example when I'm speaking to others in the industry, if you are a, you know, a company that, uh, is a, um, I don't know, a lumber distributor, you know, you're, you're building boards that
are going to go build somebody's houses. Your attack surface is absolutely not the same as a company developing security software, right? You know, the the company that is, you know, maybe not publicly traded also and doesn't really have that that risk from, um, customer information might be worried about protecting maybe their financial data, or maybe their even their company
trade secrets. But a secure software developer who has a product they're actually selling into, you know, the highly regulated environment, who inherits their attack surface and becomes part of their supply chain. You know, that's a more a different role for AI, right? So I think it's also imperative that we balance kind of the need for that. And and you know, where you're going to to invest, so to
speak for that. You know, that latter example of, you know, companies like ours that are selling, you know, security software into highly regulated environments. It's we, you know, it's table stakes. We have to understand that landscape, um, and automation and AI driven, you know, response really is the value. I mean, there's lots of value in AI, but that's definitely where I see the, the most value because you're, you know,
you're you're hitting in so many areas. Um, not only are you able to look at indicators of compromise and make quicker, faster decisions, but you can look at hypothesis driven decisions that have already been proven, which is, you know, really brings on to the intelligence. So, um, it's kind of like driving a car from 1986 and driving the space shuttle. You know, there's just so much more, um,
overwhelming capability. But, you know, of course, that also comes with, uh, responsibility. Um, but that's, you know, definitely an area I see, um, disrupting the industry for sure.
Yeah. And you're the VP of product security over there at BlackBerry. So how are you seeing it in your products?
Well, I think probably the biggest, um, impact we're seeing in our products is actually the services we're offering with the AI, you know, included in it. So, you know, our guard team has, uh, which is professional services that does, you know, incident response for these, these mid to smaller enterprise companies or any company for that matter. But where I really see the pain from this is coming from these you know many companies that just don't have the
ability to scale this fast enough. Um, you know, attackers are getting smarter and it takes time. Um, staffing challenges, all of that great stuff to really scale to that. And where we're really seeing, I think the most impact there is, you know, our services team who has the ability to scale for, you know, for the company that might not be able to, um, you know, they have a dashboard and they can literally hit, you know, a
help me button, so to speak. And then we have a team of people that can run these AI and automation driven decisions for them. So I think that that's really been one of the bigger things that we've seen. Uh, you know, we as a company, historically when we, um, purchased silence as a company, you know, brought AI into our company long before I was really even talked about. So we've we've definitely got the, the historical, um, expertise built into, um, to some of that decision making with AI.
Yeah, that makes sense. I mean, I guess can I step back? Um, really interesting. So you have all this stuff going on there at BlackBerry. You have. I've talked to multiple people over there, uh, through unsupervised learning, and it's like you've got a whole bunch of AI research going on. You've got your whole team there, you've got all these, uh, different service offerings like you mentioned, incident response, like, uh, like other players there. And it's like, how often do
you get the question of like, oh, BlackBerry. Oh, I didn't realize they were doing all these elite things. Is that pretty much a regular conversation with, uh, outsiders?
It is. It is because, you know, back from the days of the handset, um, you know, I think everybody knew and everybody knows that BlackBerry does amazing security things. You know, I don't think there's any question the brand has has done us well for that over the years. And, and, you know, the the unsaid thing is the highly regulated and people that really, really, really care. And, you know, again, in my example of the lumber manufacturer to a highly
regulated environment, it's not the same. And BlackBerry has played in that highly regulated environment, you know, for a very, very, very long time. And so we do understand, uh, the importance and the, the just the value of just doing pure security work. Um, and that's tough in the industry when you're a, a security software vendor because you're, you're, you're in security. You're doing security, you have products that do security. And then the outcome is security. So it's
kind of embedded into, you know, everything that you do. Um, but I think what's really been cool to see over the years has been to watch, um, sort of the, the, the things out of the handset that we were really
good at and to put that into a service. Um, again, you know, nowhere is that more applicable than what we're talking about today with our acquisition of silence and just running, you know, the managed endpoint detection with AI in it has been really cool to see us take our really intelligent, smart security thinking and sort of turn it and evolve into what is the most important thing today. Um, so you know that that's been really cool to watch. But yes,
I run into that. If I had a nickel for every time someone asked me if we were going to make phones again. Oh my gosh, if we ever, you know, we're I'm not saying we're making phones again. We're not. But, you know, if we ever were to.
Do that, you heard it here first.
If we ever were, if we ever did that again. Oh my gosh. Uh, I would have to then go change my narrative after changing my narrative after changing it one more time. So yes, it is, um, it is a complicated world and security, and we definitely play in lots of facets in it. So it is we make it complicated too.
So yeah. And now that I'm thinking about it, I'm thinking about all the places that the handset had sort of penetration. It was it was really big with the federal space in the US. And I imagine with governments all over the world. So if you have talent and you have tech and you get out of a particular market, you still have the that talent in tech and you still have the relationships. So that's that's seems to be why BlackBerry's security has survived and thrived.
Absolutely, 100%. Um, you know, the one thing over the years that I've learned is, is as these, uh, regulated markets, um, the wheel just keeps turning, the regulation just keeps getting harder. The attackers get smarter, it never stops to evolve. So if you think about, like, the crystal, I always talk
about my crystal ball. Like, you know, we had a crystal ball ten years ago, and we were looking at this like, you know, hey, these are the things that are going to be important coming up in the next, you know, ten years. And if you look back at that crystal ball, um, you know, we were really highly accurate on a lot of things, both in our team
and in the product teams. Um, and that trust that you have with the highly regulated market, whether it's banks or medical or, you know, us federal, um, or any of the agencies, it's it's really, really, um, important to them that they, they can trust their vendors because their
security is really only as good as their vendor security. Um, you know, we can look at, you know, go back to just outside of AI and malware, but going back to things like, um, you know, log for J, you know, just things where it really proved that the supply chain was really only as strong as its is its weakest link. Uh, and so I really think that, you know, vendors that have that trust built in that, you know, really focus on this. Um, have, have sort of proven their value over the years. Yeah.
This is actually what I'm most excited about with AI is, um, what what I call like the mini AIS or whatever it was stolen from open source. But if you look at how many, uh, contracts are coming through or like, vendors. Um, and then supply chain relationships. How complex and like web do they are. And then you have like this team of four people or whatever for most companies, or let's
say it's 14 people. Like if you're super lucky, you might be looking at tens of thousands of connections and then secondary connections on top of that for like all this different stuff. And then you're looking at billions of log events per day or whatever. And it kind of reminds me of, um, a lot of people don't know that when you're watching, uh, asteroids or meteors in the sky, it's actually not NASA. It's backyard people with telescopes. Right?
And there simply aren't enough eyes to watch everything that we have to watch for. And so I really love the fact that we can very soon we're going to have so many different eyes and they're going to start as like, you know, lower intern level or whatever. But people are already saying 2025, those very cheap eyes might be like PhD level, right? But imagine you have thousands of them or millions of them. It's just bottom line. It's more coverage. It's more coverage of things in security.
And there's many of them that don't have enough people looking at them.
Yeah, yeah. And you know, the truth of the matter is, um, you know, if, if in your example, which I love, that, uh, if, if we don't look at it, you know, apt 32 is right. So it doesn't, you know, we we you almost don't have a choice because as the evolution of technology, you know, goes forward, our attackers are going to look at that no matter what. Right? So you almost have to respond. It is. And it's a it's a game
of cat and mouse. I'm the first one to admit it. Um, but you know, it is your responsibility, at least from, you know, from my perspective, to make sure that my company knows that, that we don't have a choice what to look at that stuff because they will be. So if we're going to fight that fire with fire, you know, the then, you know, we we have to look at it which, which is always, um, at the purest form
of the security puzzle. Um, you know, that's always the fun thing is to sort of think about, you know, what are their next moves going to be and what are they going to use, and how do we get in front of that? And how do we think faster, smarter, you know, cheaper, better, more efficient? Um, but staffing is
absolutely hands down a challenge. Um, and again, what I see in the staffing challenge of this is as companies evolve, technically, it gets harder and harder to understand the technical landscape, let alone know who to hire, to look at the technical landscape. So I think you have a few challenges in, in that area that are making it tough for companies to scale 100%.
Yeah. Okay. Let's talk about that. Um, a lot a lot of hiring managers say they can't find people, and people say they can't find jobs. So what do you think the disconnect is?
Well, you know, I just read something somewhere. I believe it was a Gartner. Maybe it was a Gartner report that said something like, and I might butcher this, and I apologize if I do, but it was something like, you know, in the next year, 25% will change jobs, 25% of of of security staff will change jobs. That's crazy to me. Like, yeah, just start with that data point. That's that's insane. That's a quarter of the workforce. I haven't dug into that enough to know what where the
data came from. But if that's really true, that means a lot of things. So number one, you know, as a as a leader that hires and runs a team, you know, I think are my people. I hear about the burnout, I get it. I you know what? We're fighting a war. A virtual war is being fought every day with these teams. We all know that, right? But, you know, the burnout factor is real. And I and
I see that. But but also are you know, I think about things like do we do we understand that technical landscape enough to be hiring people for the right roles? Why are people burning out? Um, you know, is it is it this tug of war of people aren't happy because the jobs are so hard, and because they're evolving so fast that we we aren't keeping up or, you know, is it the tug of war of there's a greener
pasture somewhere else? And then people are finding out that it's really not I'm not really sure where the, the balance of of why those numbers are the way they are, but that was really over overwhelming to me. Um, yeah. You know, and I and I and there is some interesting research coming out that I just got a preview of. That kind of blew me away, too. And it was the where do you see your the question was, where
do you see your hiring challenges in security. And it was it wasn't necessarily the staff as it was the technical complication. Like it was almost like how the question was, was put out there was we don't understand or we're having problems scaling our environments technically, let alone hiring staff to to run that. So it was almost like an after effect of, you know, we we don't know what tools to use. We we aren't really sure how to
plug in the right efficiency models. And so because we can't grasp our technical environment, we're really struggling to hire people because we don't even know what to ask for. It was kind of that string of things, and so I wonder how much that weighs into that as well.
Yeah, I've been pretty skeptical of these things because, like you, I've been watching these things for, for years. And so one report comes out, it's like we're going to need whatever, 70 million new cyber jobs within the next few years. And I'm like, so whatever the number is, 2 million, 70 million. I'm like, first of all, every report comes out. The number is wildly different. Second of all, the numbers
just seem crazy. And then third, if you look on Hacker News, it's like, oh, here's all the cybersecurity people who just got laid off. And then you go on the Reddit boards and you see a bunch of hiring boards. So these are all the people trying to hire. I'm like, okay, which one is it? Do we need millions or more people? Or are we actually having all these layoffs in cyber? And like you said, let's say we trust that number of 25% is that people just trading up and they're
going to a better job. Like it's it's quite confusing. Um, yeah, it.
Is. And I just found it. So Gartner recently reported that by 2025, nearly half of all cybersecurity leaders will change jobs. Half and 25% will leave for entirely different roles. So, I mean, you know, I, I, I am so fortunate that, you know, working for a company that does security. It's not really I don't go into work every day and have to, you know, defend my position. We take it so seriously that it's in every meeting and every discussion. And, you know, I don't have to I don't have to
fight to get air time. It's like, you know, I just go in and security is important. It's just table stakes. Right. But but many companies, it's not. And and you're seeing more and more of the outsourcing too, right. Like you're seeing more of these companies just raise their hand and be like, you know, I'm tapping out. Just do it. I can't I can't scale it. I don't understand it. I can't hire the people fast enough. I can't get enough automation. I have a budget and I don't know
where to spend it. I don't know what to prioritize because again, you know, the the the evolution of security keeps rolling and attackers keep rolling. And so they're just constantly on the hamster wheel of spinning, trying to become more efficient with less money. And, you know, meanwhile we got a board that's, you know, absolutely doing their jobs and saying, you know, and this has changed a lot. And I feel like what we're not talking about as leaders is the role of the board. The role of
the board. Driving this down has really put a lot of pressure on many leaders to really scale with, with their budget. So, you know, I do feel like the leaders do take a lot. I mean, I know it's stressful. I feel it too. But, you know, leadership does take the brunt of like do the thing, do all the things with this, you know, and that and that bucket might be great or it might not be great depending on, on the company that you're at or you know, what
scope you're able to to do. But 25% leaving for entirely different roles says a lot.
Yeah, I really liked your earlier point about maybe people just not being able to articulate what they need. Because if you think like because the security security group is usually just responding to engineering and leadership and engineering and leadership are moving according to the market and according to whatever drama is happening at the company. So it's like security is always having to rehash their goals and everything.
So it's like, oh, I guess we're not hiring that team anymore because that's no longer our focus because we got a new CEO. So it's like the faster tech moves and the more chaotic a given company is, the harder it is to hire for anything really, because things aren't static.
100%. 100%. And as that technology gets smarter, the people will have to scale to be the people have to be smarter to scale. And where are we training all these amazing people? Is is security evolving and training as fast as technology is growing? I don't know. That's the reality. I don't know and I don't know in security, you know, we've always had this challenge. You kind of have to be in it and do.
It to learn.
It. Right. There's no right. You can't you can't. Even with the role of I attack. Scenarios need humans, you know, it's like I will always be great at being hypothesis driven and being able to crowdsource brains, but it won't tell you if it's raining on Thursday right now. You know it won't. It won't take into account your environmental stuff. It won't. It won't say, oh, the wind's blowing at 15 degrees. We better not land this plane over here where it's 70 degrees. I mean, it's never going to
be that that agile. It's always going to be a thinking brain. Right. So so in order to to really use that to its firepower, we have to have humans in front of it that know how to execute with it. And that to me is what I'm seeing is sort of like the big challenges. We're driving a space shuttle, right? It's not the 86 Camry. We're driving a space shuttle.
And in order to do that, you got to have really qualified people on the front end of those space shuttles to make sure that they get to the right places, or you know that all the functionality is used. You know that you're making those right decisions, and it's a split second in time that I will just always sort of have that, that it is like giving you a space shuttle. You still got to know how to drive it, right? You still got to know how to take off and
you still got to know how to land. And so I see that as a big challenge. You could peanut butter that story sort of across all of technology right now in security, it's only going to be as good as the people leading it. Mhm.
Yeah I do think AI is going to fill in some of those gaps. Most importantly the one that you mentioned, which is um adding context. I think that'll get easier. But ultimately you still, like you said, got to have
humans running the show at some level. Yeah. The other problem with the the talent thing, I think, is we don't really have what the military has, which is, um, you start at E-1 and you must do E-1 things before you become an E-2, and you have this pipeline, and the pipeline is a talent pipeline, and it's also a maturity pipeline. So and they watch very carefully how many e-1's do we have? How many e2's do we have enough e2's to keep the pipeline healthy for e-3s
and same for officers and whatever. So the thing that we don't have here and actually gets worse with AI if you start automating away tier one SoC analysts, okay, so the tier one goes away, how you're going to go from 0 to 2 or 0 to 3, that's going to be messed up.
Hundred percent agree with you. And this is again where silence guard. You know our our service that really is SOC as a service. This is an absolutely why the people that I talk to and you know I do I talk to our customers and I ask them questions. And I want to learn more about why they came to us for help. This is their reason. They can't. So you look at the big 70,000 person company. They've got that pipeline, they've got the e-1s sitting there getting
trained right. And they know their progression through the system. Yes. Mid to smaller enterprise companies don't have the staff to do that. They don't have the luxury to build that firepower. Right. And so they're constantly hamster wheel chasing the evolvement of this technology with being able to hire and keep the senior or senior enough people to be able to make good decisions. And how do you you know and and you know this as well as I do, how do
you take one person and scale all of that? When you're a small company? The answer is you don't. You can't. There's no way you're either going to have to hire somebody so senior that, you know, they they can do all of the things. And then does the senior person want to do that stuff anymore in their career? Right. This is why we we can't have nice things in security, right? We we have all these really amazingly intelligent people. But then the the work, the actual analyst level work that
needs to happen, you know, it's it's hard. It's it's a grind. Right. And this is again AI is going to come in and make smarter decisions. But you still got to have someone at the dashboard right. Yeah.
And yeah. And maybe that senior person comes in, finds out they have to do tier one, tier two and tier three, and they become part of your 25% who jumps jobs? Right, right. Yeah.
Or with half. It's actually that number was half.
That was half. It was.
Half. The leaders are leaving and then 25% are getting out of or completely doing different jobs. Didn't say they're out of getting out of I have to go back. I didn't say that they were getting out of security, but they're going to do completely different jobs, which is crazy. That just says they're entirely different roles is what is what the report says. So I mean, that just says that, you know, like, uh.
I think they weren't happy for some reason.
Right. And I think that the pressure cooker that the other side is facing that companies are facing is, you know, the evolvement of things like reporting, you know, reporting requirements, um, the evolvement of breaches that are happening, all of these things, and they're costing more money. And then you have all this regulation coming in on top of it, which is just creating so much more of a pressure cooker for companies to operate in. Um, you know, and they're worried
about reputational damage. So, you know, that's something that, you know, before what I don't know, maybe three, 4 or 5 years ago, we all knew, I mean, you know, our brand, of course, you know, we talk about it all the time, but but, you know, other companies really didn't I didn't have any peers in the industry where this was a huge concern for them. And now it's a concern for everybody, which is the reporting requirements, your air and your dirty
laundry no matter what. Right. So you're going to have to take into account with the board, you know, the damage that it could happen to your brand. So I think there is so much more of a, of a, of a willingness for so many more CISOs to sort of raise their hand and be like, you know, hey, I'm tapping out. I got to hire a service to do this. I have to go to a third party. I just can't it's not it's not helping me drive
my business forward. I have to just have other other companies and other other, you know, technologies help me with this. So it is a really interesting evolvement. Um, in, in the the pressure cooker of the Y, I guess I is so needed is is definitely interesting, especially over the last year. Yeah.
So here's, uh, something I didn't plan on saying in 2024, but, um, it seems like crypto is coming back. Um, or at least the interest is I, I haven't been tracking it closely, but it seems like the attacks are coming with it. Are you all seeing a lot more attacks inside of crypto?
Yeah, I mean, I think I think you're right. I think it is interesting how crypto and crypto mining specifically has sort of done this. I think it hit like this really. I think when crypto was kind of new, it hit like this. Wow, you can mine. And then I think it went kind of quiet for a while and I didn't hear a lot more about it. But again, you know, going back to something like apt 32 where, you know, that is like kind of their common theme
and they're really, really. So, I mean, right, as security professionals, we got to respect the fine art. The fine art might not be what we want to see every day, but we do have to respect the fine art of, you know, what they do, you know, and, and and what we see as far as in its simplest form, um, you know, of using a computer to do a lot of really hard math problems, you know, to make money. Great. Okay.
But when you have a group like apt 32, that is, you know, from writing their own custom spyware, um, you know, or Mac OS malware that's using, you know, double extension, uh, techniques written in Perl. That's crazy to me, all the way to going on Facebook and getting people to click phishing links, which in it's also simplest form is the
need to train employees. Right? So, you know, when you get in the leadership level of talking about this stuff, you know as well as I do, you know, the CEO is always want to know, okay, how do I how do I stop this. How do I how do I do how do I deal with things like, um, crypto mining and how do we protect ourselves from stuff like this? And it all comes back to kind of the same thing, right? It's all, you know, training your employees to not click on, you know, links in emails
or here or there. But again, AI is making that so hard to detect that that is becoming a, you know, kind of a huge arms race is who's going to be faster at that, you know, are we going to train our employees faster? Are we going to, um, you know, or are we going to let AI sort of take over that, that, uh, you know, that space and let it become even even more relevant to crypto mining and all things malware?
Yeah, that makes sense. And I guess these names here are cryptojacking. Is that really just stealing crypto? Yeah. And then, uh, crypto mining is just, uh, taking control of a resource, uh, someone else's resource and using that to mine, right?
Yeah, yeah. And with crypto mining, it's really interesting because, you know, again, back in the day when it was sort of up and coming, it was such a big surprise. I feel like we almost got to a point where
we got overloaded on it and became so common. But the thing with crypto mining is that most I would say I'll go on a limb and say most, most companies that aren't really looking for that sort of traffic don't really know that adversaries are using their systems to do crypto mining until they get the hide power bill, or they experience a lag, you know, a systems lag where, you know, hey, how come this, you know, application is taking so long to load or you know, or why
why is this system running so slow or it just took four minutes to download this one, you know, web page or whatever. You know, they're having some sort of indicator that they don't even really know as an indicator. Right? So I think that that is the beauty in its simplest form of a system being taken over to do those hard math problems as it takes resources to do
the math problems. Right. Um, you know, criminal scan machines for ones they can, you know, they can penetrate and get into and then they're in and they're in the compromised systems and victims just don't realize it. And they don't they don't know they're compromised until they see something. And then when they see something, they don't even know, that's what it is. Right? So I think that's the beauty of it is from an attacker perspective, is they
can be in there undetected forever. And then until you get this really high power bill and someone in procurements like something is wrong, I'm paying this bill. It's four times the size. We should go look at that.
Yeah, it reminds me of, uh, Cuckoo's Egg. If you remember that book, um, where, um, who was it? Cliff Stoll? Uh, I think he was at, um, Lawrence Livermore lab, and he was just checking logs and noticed, like, a weird spike of, like, someone buying something for, like, $0.02 or something and just starts digging and ends up uncovering, like, this massive, like, German and Russian, uh, spy operation and everything.
And as you were saying that I was thinking of like, I wonder if really, really smart crypto miners, they throttle their stuff to try to fly under the radar, you know, because if you just go crazy, you're more likely to get caught.
Yeah, that that is a really, really, really, really good good point and good question. And again you know I can't I can't just help but use my, my my my crystal ball. I mean there will be I that will help detect that stuff, right. Like like I'm a I'm a criminal. I need to figure out how to fly a detector on the radar. Give me all the paths, performance issues that have caused, you know, this to be detected. They're going to learn from that. Of course they are.
I gotta learn from that too. Right. So, you know, there is as I keeps, criminals are just going to get smarter and smarter and smarter.
Yeah, yeah. The I basically look at the, the legitimate load on the system. Although the question is like how does it know the difference between legitimate and not. But if you if you could look at like what the business is supposed to do and see like all the different processes running and then it sees, wait a minute, what's this weird process that's got, you know, spiked usage? Maybe that's worth looking into. Well, um.
I mean, I don't want to help exploit anything, but if this were me, okay, if this were me, I would want to know what normal is. Yes. Right. I'd want to. I'd want to be there silently looking at normal. I'd want to track normal for a very long time, and I'd want to set that as a baseline, and then I'd want to increase that by 4% and let it go. Right. Or whatever your, your throttle looks like. But you're absolutely right. I mean, sorry, that was probably
I want to be helpful to anybody. But that is what I absolutely I mean of course. And I can provide that.
Okay. So you mentioned the crystal ball. What is, uh, 2025 look like for you? What do you, uh, what are you anticipating or what might surprise you? What are you thinking?
Um, so, I mean, for the year in for 2025, even. What is it, July? So maybe not even the rest of the calendar year, but for 2025, I think I, you know, the one thing that I'm watching very closely is regulation. Um, what how we evolve as a security industry is really interesting from the from the very, very, very top perspective. What I see is companies being held
accountable more so than ever. Right. So you see a lot of very big companies publicly being held accountable in where it's hurting them the most, which is how they make money procurement. Right. You see lots of we see a lot of government regulation. We see a lot of industry regulation. We're seeing that across the board. And it's, you know, table stakes for companies like ours where that's where we're really selling into those environments a lot the
highly regulated environments. So we really do have to pay attention and understand that. So that's the first thing. I think that's where the pressure will come for, for all companies. I think the result of that will be you're going to see lots of kicking and screaming, lots of, you know, translation of things that what I always say internally is
it defies gravity. There are a lot of really well intentioned regulations and things that we have to pay attention to as companies or as, you know, as security practitioners that don't translate well into reality. Well, and I'll give you an example, you need to stop all vulnerabilities, right? Said who ever. There can be no vulnerabilities and you must respond to everything in four minutes. Well, that's great in theory, that's amazing. Right? But but you know as
well as I do that defies gravity. There's just, you know, nobody can do that. So no company it doesn't matter how big you are. As a matter of fact, it almost becomes more difficult for the bigger companies because their surface tends to be so much bigger, right? They have so much more to watch than maybe the lumber manufacturer, as you know this much. And the huge software producer
has a supply chain, um, in it. So I think that in 2025, we're really going to see a lot of pressure on supply chains knowing what's, you know, you're a producer, you're a seller, you're a consumer. You wear one of three hats. Are you wearing all three hats? Are you wearing two of those hats? Are you wearing one of those hats? And I think what we'll see is a lot of pressure on those roles to know where they are. We're going to see a lot more, um,
arms races and security. And what I mean by arms races is how fast can you scale the the technology evolvement and the AI machine. It's fighting AI with AI and it absolutely is a thing. And, and, you know, uh, I do talk to a lot of other CISOs about this that, you know, if you sleep on that one, you're going to end up getting outpaced faster than you can grow. So don't don't, you know, don't think for a second that you don't have to worry about it
because you do. That's you know, I rinse and repeat that all the time. Um, the other thing I think we're going to see in 25 is a lot more companies looking at the liability hot potato. So there's a hot potato in all of this. That's a liability right. To reporting to a board of directors, to procurement, to how we make money and to revenue and to what we report publicly. You will see a lot more CISOs realize that liability hot potato is something that they need
to start taking chunks out of that they own. So you're going to see a lot more managed services, right? You're going to see a lot more scalability with bigger vendors where, you know, I can go to a bigger vendor and they can provide me these services. I can then check that off my list and not necessarily have to worry about it.
And guarantees the bigger ones can provide guarantees.
Absolutely, absolutely. We just did our own right. We just did $1 million guarantee. And so you're going to see a lot more CISOs raise their hand and be like, are you going to reduce my liability? Not even just security, but but how are you going to take the pressure off my shoulders so that I can go worry about doing other stuff so my company can make money? You're going to see that in 2025, really take a much
more of a balancing act. So I do suspect that that companies that offer managed services or that can scale, offering more sort of chunks of availability for their their customers are really going to start to see, as companies wake up and sort of be like, oh, I don't have to do that. I can hire someone else to do it. Um, you know, and honestly, in my bottom line, that saves me 10% because of the staffing issue or the technology scalability issue. Um, I think we're going to
see a lot of that. And that will be a combination of regulation, putting pressure on companies to pay attention, causing liability. I mean, look at Executive Order 14028. You know, CEOs are signing personal attestment. When does that ever happen in history? Yeah.
Yeah. And what about insurance? Insurance probably be more popular because of that.
Well and cyber insurance rates. Right. They're going through the roof because there's so you know, if their rates go down by 10% and they're saving, you know, you know, maybe the managed service that they have costs, you know, 5% more. But in reality it would cost them 20% more than that to hire the people. And then their cyber insurance
rates drop by 10%. You're going to see a lot more evening of the scale of of how companies look at how to manage their, you know, their incident detection response, especially especially, um, I think that's just one area that's ripe for disruption.
So yeah, I, I love these three that you mentioned. I think you're spot on. Um, I've got a friend named, uh, Sasha Ziegler who is talking about basically this big evolution. Basically Enron, you had CFOs got woken up, um, right. And now, uh, this year and last year, basically, the SEC is causing CISOs to wake up. So he's talking about cyber CFO. So it's basically this bifurcation where you have technical CISOs potentially dropping down to like VP of security.
And like the the more business oriented move up into like head of risk.
Absolutely. 100%. It's a.
Business. Yeah, it's a business.
And it's a costly business to maintain this company, right? I mean, the budgets are huge or the, you know, the it's a forcing function of. I absolutely think you're right. And that person in that role has to balance out the ability to generate revenue of a company to the liability that that is on that curve of security, because you can't, you know, the the awakening of the CISO has been, oh, gosh, you know, security is really, really
important to my company. But if I don't do it, if we don't do it, you know, now with the evolution of regulation that's happening, the brand is going to be toast. So we won't have anything to sell in the first place. Right? So no one will trust us. So especially if you're in the supply chain, I think that role will be very popular if you're in the supply chain somewhere. Um, and you actually are selling a widget or a part of a widget to another company
that has to sell a widget, right? And so you're buried in there's a liability factor where, you know, the company may be selling the end widget is going to, because of regulation, are going to turn around and hold you accountable. So that is going to be the really and I mean, you know, as far as our IoT brand with with QNX in vehicles, things like that or satellites or anything where they're going to turn around and
start pointing fingers. You know, that's where that that role, I think, is really going to be critical is to understand the entire liability to a revenue chain and not just a CISO looking at risk to, you know, it's a different skill.
Yeah. Yeah, absolutely. Well, uh, I love these predictions. I think you're absolutely right. And perhaps we can revisit, uh, here shortly. But, uh, thank you so much for your time.
Yeah, absolutely. We'd love to.
All right. Where, um, where can we follow, uh, your work. Your team's work? BlackBerry's work.
Yeah, absolutely. Well, blackberry.com for our external, uh, website. Um, you follow me on LinkedIn. I'm Christine Gadsby on LinkedIn, and I'll connect. You know, just send me an invite. I'll connect and happy to chat. I have lots of amazing conversations with other CISOs and other VP of Product Security, or even on the network side, just chatting with other people around these future future predictions. And I wrote down the name that you just gave me. I'm going to
I'm going to reach out to Sasha to. That's a fun conversation. I love having it. Awesome.
All right. Well, I enjoyed it.
Awesome. Same. Thank you. Daniel.
All right. Take care.
You too. Cheers.