Andrew Plato, Author at Zenaciti (https://zenaciti.com/author/andrew-plato/). Zenaciti generates actionable intelligence for leaders and investors on sales, go-to-market strategy, and cybersecurity.

Fundamentals of Startup Sales (https://zenaciti.com/fundamentals-of-startup-sales/), Wed, 15 Apr 2026. Startup sales are rough. These fundamental sales concepts can help you take control and start closing more deals.

I gained my sales education the hard way: I lost deals. I lost a lot of deals. This was usually because I talked too much and sounded desperate. After years of losing, I knew something needed to change. Then I had an insightful conversation with a fellow founder. He had recently exited his startup with a big payout. He said something that stuck with me: “The best sales meetings I ever had were the ones where I said nothing. Sales is about people, not products.”

With that insight in mind, I made some changes. Rather than talking, I listened. Rather than hoping for the sale, I planned for it. Rather than playing a game with the odds against me, I started changing the game, so the odds were at least even. In time, I was winning more deals than I was losing. Along the way, I accumulated a set of concepts and best practices for startup sales. Let’s walk through this list, with my favorite one at the end.

NOTE: This blog is an excerpt from The Founder’s User Manual: Practical Strategies for the Startup Leader

You Sell Pain Relief

You may think you sell products and services, but that is not what people buy. They buy pain relief. All your sales messaging must focus on this simple idea. Talk about the problems (pain points) your customers experience and how you resolve them. (I talk a lot about this in my upcoming book, Credibility Sales.)

Something Free Has No Value

Avoid giving away your company’s expertise, products, or time. Bundling free items into a paid package of products is okay. You can also do free trials. However, all of these must end with the customer paying for your products.

Furthermore, customers who demand free items do not value you. Anybody who tells you they will provide you with “exposure” in exchange for products or services is trying to cheat you.

The goal of sales is to bring in revenue. Giving away stuff is the opposite of sales.

Desperation is Repulsive

Desperation repulses good prospects and attracts bad ones. Suppress all signs of desperation, even if you really are desperate. Effective salespeople remain positive and enthusiastic during the darkest of times.

Never Waste a Loss

Salespeople are experts at inventing excuses for why a deal was lost. Avoid speculation and get the facts. Ask prospects why they chose a different product. Most people will tell you.

Understanding why you failed is more important to success than success itself.

Measure Results, Not Activity

In sales, results are all that matter. If a salesperson calls a thousand people, but sells nothing, that effort is meaningless. Monitor activity, but only measure results.

You want to track activity for analysis purposes to determine what level of effort is necessary to achieve the results you want. However, a salesperson’s incentives should never be based exclusively on activity (effort). Incentivize results.

Salespeople will constantly try to convince you that their activity is valiant and worthy of praise. Do not praise or reward people who are unable to deliver results. Instead, have them reflect on their efforts and find ways to change and improve. Activity (effort) that does not lead to results is meaningless busywork.

Salespeople who do not produce results are not merely useless, they also drag down the company. Sales is not a job for timid people. Do not retain salespeople who are not producing results.

You Cannot Sell in the Dark

No part of sales should be hidden, secret, or known only to a few people. Your processes, practices, metrics, and results must all be open, transparent, and public. Never allow your sales team to function “behind closed doors.”

Specifically, all sales goals and accomplishments must be made public. This creates pressure to perform. Weak salespeople will often complain that making sales attainment metrics public is “demotivating.” Low sales numbers should motivate salespeople to work harder. If it demotivates them, then maybe sales is not the ideal profession for them.

Hope is for the Holidays

In sales, hope is dangerous.

Salespeople would routinely tell me how they “hoped to hear from the prospect,” or similar excuses. You cannot run a business on hope. When a person is hoping, they are delegating success to fate. This allows them to dodge responsibility. Require people to have plans, not hopes. Do not even allow people to use the word hope.

No Badmouthing

Nothing telegraphs to the world your desperation, immaturity as a leader, and lack of strategy more clearly than allowing anybody in your company to badmouth competitors. As my CEO coach once said to me, “Are you in the ‘anti-them business’ or the ‘pro-you business?’”

Always be in the pro-you business.

Get to “No” Quickly

Dragging out a sales cycle for months wastes time and resources. Stress-test your prospects early in the sales process to ensure they have the budget and the authority to make a purchase.

Call the Bluff

One way you can get to “no” quickly is to do the opposite of what your prospect expects and call their bluff. I used this technique regularly. It is counterintuitive but astonishingly effective.

When a prospect raises an objection about your product, rather than countering their objection, agree with them. Tell them they are right and that maybe it is not a good fit. This will either cause the prospect to back down from their objection, which is good, or end the discussion.

For example:

Prospect: We require a vendor that is open 24 hours a day.

Seller: Okay. Our company is not there yet. I guess we are not a good fit for you.

Prospect: Well, that is not a deal breaker. Can you provide a dedicated support person?

Seller: Yes.

Calling the bluff (also called the Negative Reverse Selling technique) forces the prospect to reconsider their position. If they want to work with you, they will back down from their objection. This makes the prospect convince themselves you are a good vendor.

Moreover, it encourages the prospect to negotiate and discuss other options with you. This gives you deeper insight into what the prospect really wants.

Calling someone’s bluff is difficult to do. You must resist the desire to counter objections. Moreover, you must be willing to walk away if the prospect agrees.

Calling the Bluff has multiple applications. You can also use it with a prospect who keeps putting you off or rescheduling meetings. Tell them it is obvious they are not ready for a meeting and to contact you when they are ready. This changes the dynamic and gives control to the prospect.

The Early Bird Gets the Sale

Once you have a possible prospect, get a proposal (price quote, etc.) in front of them quickly (within 24-48 hours). Without a proposal, you have nothing to sell. Moreover, invest in proposal designs and layouts that are concise and attractive.

Moving quickly shows a prospect that they are important, and you are reliable.

The Time is Now

Do not wait to contact a prospect. Do not wait to send out a quote. Do not wait. Do it now, so you can move on to the next task. Momentum begets results. Keep moving and do it now.

If It is Not in Salesforce, It Did Not Happen

Regardless of which CRM tool you use, require salespeople to enter their contacts and sales notes. I had salespeople constantly try to convince me of the important meetings or conversations they had. I would check Salesforce (the CRM we used) and they had not entered anything. I would say, “sorry, it did not happen.” Naturally, this infuriated them. I would remind them that, without documenting their engagements, I had no way to determine that they were real.

This underscores the importance of the next item on this list.

No Verbal Agreements

Never allow your employees, customers, or partners to use your own memory against you. Talk is cheap. Documentation is forever. Require all agreements, regardless of size or complexity, to be in writing.

Do Not Negotiate Against Yourself

When a customer pushes back on some aspect of a deal, resist the urge to immediately engage and negotiate. Ask the prospect for a counterproposal. Otherwise, you are negotiating against yourself.

Also, do not be afraid to walk away. This may compel the prospect to re-engage and become more agreeable to your proposal.

Ask for the Sale

Ask for payment as well. Salespeople should never feel awkward about asking a prospect to buy and pay. Closing the deal and getting paid is the entire point of sales. Salespeople who are uncomfortable asking for money should not be in the sales profession.

No Signature, No Deal

I had prospects swear up and down they were going to buy, but they could not sign a quote. I fell for this a few times and got screwed each time when the customer would not pay.

Get them to sign on the dotted line. Otherwise, walk away. Without a signature, you have nothing.

Sell the Brighter Future

Focus on how your products and services will help the customer. Everybody wants to buy a brighter future.

Sell Your Way Out

When money is tight and things look bad, there is only one way out of the hole: sell your way out. Stop whining, blaming, and avoiding reality. Get out there and book meetings, do demos, and push for sales. I once turned my company from being $1M in the hole to $750K cash positive in about 90 days. It absolutely sucked and I had to work 15-hour days, but what choice did I have? There is a limit to what you can cut, but no limit to how much you can sell.

Change the Conditions of the Test

As a startup, the odds are against you in almost every way. Your competitors have every advantage: money, time, talent, brand recognition, etc. If you look and sound exactly like your competitors, buyers have no reason to select you. They are better off sticking with an established brand. Moreover, you cannot claim to be an innovative, disruptive startup when you look like everybody else.

The only way you can start winning this game is to Change the Conditions of the Test and even up the odds. That means intentionally sounding, looking, and feeling different from your competitors. Different is good. Different closes deals. Different is your only way to stop playing your competitor’s game and make them play your game.

However, a word of warning: many of the people around you, especially investors, board members, and employees, will fight you on this. Prove them wrong.

Conclusion

You know what it takes to do startup sales? It is not made of brass. It is intelligence, discipline, and resolve. Follow these fundamentals to get your sales team on target.

Always be closing.


Need help with sales? How about a sales comp plan? Zenaciti does that. Contact us today to discuss how we can help. Also, did I miss anything in this blog? Your feedback and insights are valuable. 

2026 Cybersecurity Predictions (https://zenaciti.com/2026-cybersecurity-predictions/), Sun, 14 Dec 2025. Cybersecurity in 2026 will be easier thanks to cloud and AI advancements, but persistent executive apathy and new AI-specific threats may derail that.

In 2022, I released the 2023 Cybersecurity Anti-Predictions. They were a response to the litany of cybersecurity “thought leaders” who roll out annual predictions, which are extremely predictable.

However, since then, things have changed. Let’s revisit those predictions and make some new ones.

1. The Threat Landscape is Changing

2023: Not really.
2026: AI has entered the chat. 

For 2023 I wrote, “Everybody will experience the same quality and quantity of attacks that we did in 2022. The technologies, personnel, and practices may change, causing us to perceive security differently. However, the actual threats we face will remain mostly the same.”

For the most part, this prediction remains the same. The threat landscape in 2026 will be about the same as 2025, 2024, 2023, and so on. Malware is still a threat. Credential theft remains the primary focus of attackers. And hackers still have the upper hand in every way.

However, when we look at AI systems, there are tremendous changes in the threat landscape. Perhaps the most interesting of these threats are data poisoning attacks. These specifically target AI systems and large language models (LLMs) to produce flawed or misleading output. In 2024, NIST released an advisory about this kind of attack based on a study they conducted titled Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations. This study is an interesting read. It is extremely thorough and even identifies some lingering cybersecurity challenges such as the dilemma of open versus closed systems.

The mitigating factor with this kind of threat is that it targets the AI platforms, not the end users of those platforms. This limits the scope of the threat to a handful of AI platform providers, such as OpenAI, Google, Microsoft, etc. Furthermore, I could not locate any confirmed instance of a data poisoning attack; however, that does not mean it has not happened.

A larger issue is employees sending company data into AI platforms with no regard for the sensitivity of that data. This poses a complex challenge for organizations that want to enjoy the benefits of AI but need to protect sensitive data. It also poses a massive challenge for regulated systems under standards such as FedRAMP, CMMC, etc.

Fortunately, the industry is responding to this with ample technologies to manage, monitor, and control AI access as well as model context protocol (MCP) servers. Some examples of AI security providers in this space include Obsidian, Zenity, and Cyberhaven.

2. Executives Will Start Taking Security Seriously

2023: Probably not.
2026: No, and you can turn in your badge with security. 

For 2023, I wrote, “Information security is an esoteric threat to executives. They know it exists, but they cannot quantify it with clear consequences. They know it is serious, but they do not know how to diminish the threat. They know harm is possible, but it is easy to dismiss it as somebody else’s problem.”

Around 2016 or so, I noticed that many executives would tune out the moment cybersecurity was mentioned. I once had a CEO tell me he was sick of security slowing down his company. Here we are a decade later and this attitude has only become more prevalent. A recent example of this attitude happened in early 2025 when the Trump administration wiped out the entire Department of Homeland Security’s Cyber Safety Review Board. The message was unambiguous: security is unimportant.

Executive indifference to security is a massive barrier for security startups. Leaders only care about security when it becomes a catastrophe. And all they really want is to find somebody to blame.

3. Companies will Commit to Stronger Security Defenses

2023: No, they will stick with “good enough” security.
2026: Good enough is pretty good.

What I wrote for 2023 remains relevant. “It is not that executives do not care at all about security. They care up until the exact point they are on par with everybody else. This is the “good enough” approach to cybersecurity. Companies focus on doing what is an “industry standard” rather than doing what is necessary.”

Fortunately, “good enough” security is getting pretty good. One example of this was AWS’s recent announcement of their security agent product. This is a cool new AI technology that can scan an environment, locate vulnerabilities, and suggest improvements. While no AI agent will ever be as good as a skilled human penetration tester, for most organizations this agent is all they really need.

Another good example of how “good enough” has improved is Azure Sentinel. What used to be a mediocre SIEM and endpoint product has evolved into a respectable security platform. Azure environments have Sentinel built in, so Azure customers can access and use it easily.

4. We Will See a Megabreach that Cannot be Ignored

2023: We are already ignoring them.
2026: Megabreaches, what’s that?

I cannot even think of a megabreach from 2025 that had any significant impact. Apparently, Verizon had a massive leak in August, which they denied. Whatever. This is a classic “boy who cried wolf” problem.

5. Security Staffing will See Improvements

2023: Not likely.
2026: Define “improvements.”  

For 2023 I said, “Cybersecurity does not have a staffing problem; it has a staffing crappy jobs problem. There are ample people out there who want to pontificate about all their grand theories of security. What nobody wants to do is actually run anything.”

The most significant change for 2026 is that AI is changing who companies are hiring. AI can do what a lot of security analysts and engineers once did. It can even write NGINX config scripts, which is something nobody can successfully do. (Yes, that’s a nerdy joke.)

AI can also do a lot of the grunt work industry analysts do, as Richard Stiennon has proved with his IT Harvest platform.

None of this is good news for job seekers. While the cratering US economy accounts for a lot of the downsizing, AI is only making it worse. AI will never entirely replace humans, but organizations are testing the limits of that. Teams are being shrunk, and the remaining staff is expected to fill the gaps with AI tools.

This adds up to a bleak outlook for security staffing in 2026.

6. Cloud Eats Security

However, the ultimate prediction for 2026 is that security is everywhere, integrated into everything. In 2021, I identified a growing cybersecurity trend: Cloud Eats Security (also called “platformization”). Cloud providers like AWS, Azure, and GCP, and SaaS providers like Salesforce or ServiceNow, were (and are) slowly consuming many of the traditional security capabilities (firewall, intrusion detection, vulnerability management, web-application firewalls, etc.).

The impact of this trend is that security is now integrated into the platforms companies use. Companies do not need to purchase individual point-solutions which demand complex and expensive integration efforts. However, even the point solutions are getting on board with this trend, making their products much simpler to roll out and fully integrated into cloud and SaaS offerings.

This was one of the reasons why Google paid $32B for Wiz in 2025. Wiz is a powerful platform that simplifies a lot of cloud security functions. Cloud security providers, like Cloudflare, are also rolling out new capabilities practically every day. And some of those are free, such as Cloudflare Tunnels, which allow anybody to securely host anything on the Internet.

To help monitor all these integrated systems, there are emerging AI-powered security operations products from companies such as AI Strike, Torq, and Dropzone AI.

If all this AI stuff seems unstoppable, and wildly insecure, well, it is. However, there are promising emerging technologies such as Automated Moving Target Defense.

And the final piece of this trend is the rise of automated, integrated managed security providers who can keep an eye on everything. In early 2025, I worked on an MSSP analysis project. I was stunned at how many MSSPs had fully embraced automation, AI, and the cloud in their offerings. Unless your organization is gigantic or a government agency, there is no reason to do security internally. Hire an MSSP. There are a lot of great ones out there that can further simplify security.

Conclusion

For 2026, I predict cybersecurity will continue down the path of more integration, more platformization, and more simplicity. This will not stop attackers, but it does swing the odds of success toward the defenders.

Image: cats playing pickleball. Caption: AI is hard at work defending your assets.

As for the attackers, like the rest of us, they are going to use AI to do their dirty work. And like the rest of us, they are going to generate a lot of pictures of cats playing pickleball. Which means defenders do not need some whiz-bang quantum oscillating over-thruster to stop them. They merely need to make the most of the security tools they already have.

NOTE: The companies mentioned in this blog are for examples only. I received no compensation for mentioning them nor do I endorse them or their technologies. 

How to Write an Effective Sales Compensation Plan (https://zenaciti.com/sales-comp-plan/), Fri, 19 Sep 2025. Sales compensation plans (comp plans) are more than a formula for commissions. They are an integral element of your sales team’s success.

Sales compensation plans (comp plans) are more than a formula for commissions. They are an integral element of your sales team’s success. An effective comp plan will drive success and revenue. A bad plan will drive everybody crazy.

I spent over 25 years analyzing, writing, and optimizing comp plans. Along the way, I picked up a lot of best practices. Let’s explore these and how you can write an effective sales comp plan. 

NOTE: this blog uses the word incentive to refer generically to both commissions and/or bonuses.

Comp Plan Types

There are many different kinds of sales jobs and therefore different incentive structures. The most common comp plans include:  

  • Salary + Commission: salesperson is paid a base salary and earns commissions on each deal. Most account executives have this kind of plan.
  • Commission-only: salesperson is paid only commissions, no salary. These may include a draw on future commissions.
  • Salary + Bonus: salesperson is paid a base salary and earns bonuses on meeting specific sales goals. Sales engineers and customer success roles often have this kind of plan.
  • Territory / Team Volume: salesperson is paid a base salary plus commissions based on the performance of an entire team or territory. Most sales managers have this kind of plan.

While these plans may have different ways to compute incentives, they share a common set of components. Let’s take a look at those elements and how they build a reliable incentive structure.  

Comp Plan Elements

There are five critical elements to a comp plan:

  1. Opportunity Types
  2. Incentive Basis
  3. Incentive Rate
  4. Accelerators
  5. Payout Process

Let’s examine each of these and why they are important. 

1. Opportunity Types

Not all customers are the same. Some deals are more difficult to close, and some customers are more desirable. Opportunity Types provide a way to differentiate, categorize, and scale incentives appropriately to the desirability and complexity of each customer type.

For example, let’s say your company wants to break into the healthcare industry. Using opportunity types, you can create a category named “Target Accounts.” Then provide each salesperson with a list of healthcare companies. Any deal a salesperson closes with an account on the list receives an increased incentive payment. This encourages the sales team to focus their efforts on these target accounts, thus driving the business you want.

Ideally, your plan should have three to five opportunity types. Too many types and your plan will become convoluted and difficult to enforce.

Here is a suggested structure:

Type       Incentive   Description
Standard   5%          An opportunity that was given to the salesperson. This includes in-bound leads, existing customers, renewals, and referrals from partners.
Organic    10%         An opportunity the salesperson generated independently without help from marketing, partners, or other employees.
Target     15%         An opportunity closed from a customer listed on the salesperson’s Target List.

The definition of each type is important. If there is confusion about what constitutes each type, this may lead to arguments and disillusioned salespeople.

2. Incentive Basis

This is the starting value to compute an incentive payment. For many companies, this is the gross profit (GP) on a deal. For example, a salesperson closes a deal classified as organic for $50,000 and it has $15,000 in costs. The incentive basis (GP) would be $35,000.  Based on the opportunity types listed in the previous section, the commission would be 10% of $35,000 or $3,500.

The key to incentive basis is an ultra-clear definition. A good comp plan never creates ambiguous incentive calculations. Therefore, when you write your plan, make sure to precisely explain how you compute incentive basis. If direct costs are included, but not indirect ones, then you need to describe what constitutes a direct cost. Always provide examples, to ensure there are no misunderstandings.

3. Incentive Rate

This is how much the salesperson earns on a sale. Typically, this is expressed as a percentage of the incentive basis value and scaled to each opportunity type. Percentages are always preferable as they scale up and down based on the size of the deal. Fixed commission payments are only effective when you want to reward specific, non-income-generating accomplishments, such as setting up meetings.

Be careful with incentive rates. They need to be high enough to motivate results, but not so high they hurt your overall profitability.  Moreover, you may need to alter the rates based on margin. Low margin sales will naturally create smaller incentives. This may discourage salespeople from selling low-margin items.

4. Accelerators

Accelerators reward salespeople with additional compensation when they exceed quota. For example, if a salesperson hits 125% of quota for a quarter, their incentive rate could go up 1%, increasing all their incentive payments.

Here is a suggested quarterly accelerator schedule:

Quota Attainment   Accelerator
125-149%           +1%
150-200%           +2%
201-300%           +2.5%
301%+              +3%

Accelerators can have a huge impact on a salesperson’s income and motivation. However, if the accelerators are too aggressive, they might hurt profitability.

Work with your finance manager or bookkeeper to run financial models on different accelerator structures based on historical values. You may need to implement flat-rate accelerators or limit the total amount that can be paid.

5. Payout Process

For sales incentives to work effectively, salespeople must be able to quickly and reliably compute their incentive payments. Documenting the exact process the company follows to pay incentives reassures salespeople they will get paid.

Documenting the process also creates consistency and a check-and-balance process. Here are suggested steps for a payout process:

  1. Sales manager submits an incentive payout request to the Controller (bookkeeper, CFO, finance team member, etc.). This request details each deal closed as well as the expected incentive payment.
  2. Controller reviews and validates that the requests are correct and eligible to be paid. Controller works with the sales manager to make any corrections or adjustments.
  3. Controller obtains approval to pay incentives from the CEO (COO, etc.).
  4. Controller returns the payout request to the Sales Manager indicating which incentives are approved to be paid in the next payroll cycle.
  5. Sales Manager communicates this approval to the appropriate salesperson.
  6. Controller processes incentive payments in payroll.

Additional Guidelines

Ultra Precise Language

Among all the challenges of developing a comp plan, the most insidious is the words themselves. The language of a comp plan must be simultaneously extremely precise and easy to read. One confusing word or ambiguous definition could land you in court with an angry employee demanding more compensation than you intended.

Consider these two examples:

BAD: Account executives (AE) earn 10% commission on gross profit for all consulting sales.

BETTER: Account executives are eligible to earn 10% incentive based on the gross profit of deals the AE was assigned and closed.

The first item is too vague and lacks key qualifiers. An employee could interpret this as meaning they earn 10% on all sales, regardless of whether they closed the deal or not.

The second item uses some important qualifiers. For example, rather than “earning” a commission, the salesperson is merely “eligible.” This gives you more room to control what is or is not a legitimate commission. Moreover, the word “commission” is replaced with “incentive.” Commission is a loaded word with a specific, legal meaning. Incentive is more generic, giving you more freedom to define what an incentive is (or is not).

If you are not familiar with writing a comp plan, hire an expert (like me) or use a well-vetted template. Furthermore, have your legal counsel review the plan to ensure it is defensible in court or arbitration.

Different Plans for Different Roles

One comp plan does not fit all. Depending on the sales roles you have, you will likely need as many as five different plans. For example, the most common roles are:

  1. Business Development Representatives (BDR): work on in-bound leads, set appointments, and so forth.
  2. Hunters / Account Executives: actively work to drive new business.
  3. Farmers / Account Managers: manage existing customers.
  4. Subject Matter Experts / Sales Engineers: provide subject matter expertise to close deals.
  5. Managers: oversee the team, set quotas, etc.

Each of these jobs is different and likewise must be compensated differently. For example, closing new business is more difficult than managing existing customers. Use the same plan template, but alter the Opportunity Types, Basis, and Rates to match the relevant effort for each role.

Reward Results, Not Effort

I spent countless sales meetings listening to struggling salespeople complaining about the effort they were pouring into sales. While I empathized with their struggle, effort without results is meaningless.

Comp plans must focus on rewarding the results of hard work, not the work itself. Moreover, do not reward “almost” results. Accelerators or bonuses should only kick in when quota is exceeded.

Everything Must Be Public

Finally, the entire sales process, comp plan, and quota attainment must be open and public to the entire company. This ensures that everybody in the company can trust the sales process and see overall performance. This also ensures the sales team is accountable to their quota.

Final Thoughts

An effective comp plan can supercharge your sales efforts and attract top talent. Most importantly, it rewards both the company and the salespeople. This is an important part of being a salesperson – the ability to make a lot of money when you are successful. 

Skilled salespeople, armed with a good product, effective sales tools, and a generous, well-defined comp plan, add up to a successful company.

Always be closing!

Need help with your comp plan? Zenaciti offers comp plan analysis, development, and optimization services. Contact us to set up an introductory discussion.

Overcome Buyer Skepticism with a Smart Go-to-Market Strategy (https://zenaciti.com/overcome-buyer-skepticism-with-a-smart-go-to-market-strategy/), Thu, 06 Feb 2025. Startups face massive barriers when bringing new products to market. A creative GTM plan can overcome buyer skepticism.

The Power of Curiosity

Way back in 2011, I was wandering through a trade show, numb from the identical sales pitches.  Then I saw a booth advertising the “Next Generation Firewall.”  What the heck was that? As a cybersecurity geek, I had to find out more.

I trotted over to the booth, which was hopping with excitement and activity.  I listened to a passionate and absorbing presentation from the company’s founder.  This was the coolest thing to come along in cybersecurity in years.  The company was a startup, named Palo Alto Networks (PAN).  PAN is one of the largest cybersecurity companies in the world today.

While PAN’s technologies did not live up to the hype, their messaging was spectacular.  The concept of a “next generation” security technology was catnip to buyers desperate for something that could stop attacks.  This messaging was so effective, buyers were rushing to buy their products, infuriating PAN’s larger, more established competitors.

The Wall of Buyer Skepticism

When companies (especially startups) bring a new product (or service) to market, they face an imposing set of disadvantages. A lack of people, money, reputation, and customers all conspire to keep paying customers away.  However, the most insidious obstacle is Buyer Skepticism.  As a startup, you are nobody.  Prospective buyers have no reason to trust you.  Why take a chance on a startup when there are larger, more established providers?

Consequently, any startup GTM strategy must address how the company will overcome buyer skepticism.  This was exactly the conundrum PAN faced in their early days.  Their solution was to sneak right past the wall, exploiting one of the most potent human weaknesses: curiosity.

Evaluating a Product

When buyers evaluate a company and its products, they will consider a wide variety of factors.  However, we can simplify these factors into four categories (which conveniently begin with the letter “c”):

  • Credibility: Is the company trustworthy? Does it have references?  Do the people at the company sound and look like they know what they are doing?
  • Capability: Do the company’s products work? Do they integrate with other technologies?  Do they relieve pain?  Can the company prove that?
  • Capacity: Is the company able to deliver what they say? Do they have the people, relationships, and network to function?
  • Cost: Are the prices and terms reasonable? Does the company have the financial resources to deliver capability and capacity?

When a company succeeds in all four areas, they usually make the sale.

Most startups and founders focus their energy on building capability and capacity, which makes sense.  Without a product or service, everything else is moot.

However, once the product is working and the company is ready to sign up customers, it is critical to start building credibility.

Established competitors already have credibility.  This is why buyers feel more comfortable buying a mediocre product from a trusted brand versus an innovative product from an untrusted company.  Credibility allows a company to pass over the Wall of Skepticism.

Using Curiosity to Build Credibility

Building credibility is exceptionally difficult, unless a startup can overcome Buyer Skepticism.  This is where curiosity becomes your superweapon.

Define a vision that creates curiosity, follow up with credibility, then close the deal.

  1. Define a strong vision for your products and services
  2. Pique curiosity with enticing words and ideas
  3. Reassure the prospect with expertise and empathy
  4. Close the deal

Let’s step through this strategy.

Define a Vision

Why?  This is the ultimate question all startups must answer about themselves and their products.

  • Why you?
  • Why your product?
  • Why are you better than what is already out there?
  • Why not your better funded, more established competitors?
  • Why now?
  • Why are you doing this?

As the marketing guru Simon Sinek says, “people don’t buy what you do, they buy why you do it.”  To make buyers curious, you must know why you are interesting.

Consider Disney’s vision statement: “to make people happy.”  That is a simple, strong answer to why: “Why does Disney exist? To make people happy.”  Although, considering the last Star Wars movie, their success in meeting that vision is debatable.

Exploring these why questions helps a startup understand why they are unique.

Action Plan for Building Vision

  1. Get your key team members or advisors together
  2. Find compelling, concise answers to those questions asked earlier
  3. Document those answers
  4. Ensure everybody in the company can repeat those answers with conviction

Be careful with your answers.  Keep them concise and focused on customers, not yourself or your investors.

Pique Curiosity

Modern buyers are overloaded with options, sales pitches, and marketing content.  After a while, all the marketing content sounds the same.

Curiosity is both a strength and a weakness.  While curiosity can make people seek out answers to vexing problems, it can also make them lower their defenses.  This is why hackers use enticing emails to convince people to click on malware.  Curiosity makes people click.

Startups can exploit curiosity to sneak into a buyer’s mind and past the Wall of Skepticism.  The buyer must see or hear a word, phrase, artwork, or design that instantly makes them think, “What is that?” or “I want to know more about that!”

To accomplish this, a startup must sound intentionally different and unique.  PAN used the phrase “next-generation,” Nike invented the phrase “Just Do It,” and Apple was “Think Different.”  All of these were unique phrases that made people want to know more about the brand.  You do not want to reveal your entire vision, merely tease it.

Action Plan to Create Curiosity

  1. What is a word, phrase, or idea you can use that makes people curious?
  2. Do those words reflect the company’s vision?
  3. How can you deliver those concepts effectively?

Be careful that your words do not create confusion.  Using obscure, obscene, or outlandish phrases may seem funny, but they may repel buyers.

Demonstrate Credibility

Once a curious buyer approaches, you must quickly demonstrate credibility.  This means rapidly accomplishing two things:

  • Show you understand the customer’s pain
  • Show that you can alleviate that pain

Only a person with extensive domain expertise can do this.  Consequently, startups must place intelligent, experienced people “upfront” to engage with potential buyers early in the sales process.  These “pre-sales” experts must be able to start and maintain engaging conversations with prospective buyers.  Mostly, they must be able to reassure the customer they are capable and credible.

Pre-sales experts are the single most important component of any go-to-market strategy.  It is a perfect role for a founder, which is exactly what PAN did back in 2011.  They deployed their founder Nir Zuk into the booth to talk directly with prospective buyers.  Zuk is a brilliant and passionate engineer, who can instantly create credibility.  Zuk continues to play a key role in evangelizing PAN’s products to this day.

Curiosity followed with credibility supercharges your GTM efforts.

Action Plan for Intelligence Upfront

  1. Ensure the first meeting with all potential customers includes a subject matter expert
  2. Ensure these experts:
    1. Communicate the company’s messaging and vision
    2. Show the customer they understand their pain
    3. Demonstrate their ability to alleviate that pain

For more information about building rapport with customers, see How to Get Sales Prospects to Discuss Pain.

Close the Deal

Once the Wall of Skepticism is down and credibility is established, it is all downhill from there.  The final stage is to pivot to a product pitch, reassure the buyer you can solve their problems, and close the deal.

In this final phase, be careful not to destroy the credibility you built.  You want to sound confident, not desperate.  Desperation is repulsive to buyers.  Allow the buyer to drive the product demonstration.  Let them explore the capabilities.  Show confidence in your products, even if they are not perfect.

Once this stage is complete, you should be sending a quote or proposal to the customer, ready to close the deal.

Conclusion

Buyer skepticism is a massive impediment for startups entering the market.  Spending millions on far-reaching marketing campaigns to reach potential buyers may feel like the right thing to do, but it rarely works.  Most buyers are not going to take a small startup seriously, regardless of how many emails you send them.

Conversely, unique, targeted messaging is relatively inexpensive to produce and disseminate and, if done correctly, can be significantly more effective.  This will attract curious buyers, which is exactly what a startup wants.  Curious buyers are open to hearing an innovative, disruptive new approach.  Skeptical buyers are not.

Palo Alto Networks was not the first company to use these GTM strategies.  Many successful companies have employed these techniques.  Curiosity is potent.  If you can make prospective buyers curious and then build credibility, you may see the same explosive growth.

What do you think?  Share your feedback: andrew.plato@zenaciti.com.  If you are looking to develop a creative GTM strategy, let’s chat.  Zenaciti can help.

Is Microsoft About to Kick Security Vendors Out of the Kernel? https://zenaciti.com/is-microsoft-about-to-kick-security-vendors-out-of-the-kernel/ Tue, 10 Sep 2024 01:00:36 +0000 https://zenaciti.com/?p=28872 An upcoming conference at Microsoft addresses the challenges with security technologies having direct access to the Windows OS kernel.

The Windows Endpoint Security Ecosystem Summit on September 10th is expected to sow the seeds of major industry change. The Stack interviewed Zenaciti CEO Andrew Plato regarding this upcoming event and the issues around security products having direct access to the Windows kernel.

Check out the full story at the Stack.

What New Yorkers Should Do After the Recent Social Security Number Data Breach https://zenaciti.com/what-new-yorkers-should-do-after-the-recent-social-security-number-data-breach/ Thu, 22 Aug 2024 01:00:42 +0000 https://zenaciti.com/?p=28875 Zenaciti CEO Andrew Plato comments on the 2.9 billion records hackers stole from background check company National Public Data

Back in April, a group of hackers reportedly stole over 2.9 billion records from a background check company called National Public Data.

“The information that was suspected of being breached contained name, email address, phone number, Social Security number, and mailing address(es),” NPD said. “We cooperated with law enforcement and governmental investigators and conducted a review of the potentially affected records and will try to notify you if there are further significant developments applicable to you.” (The NPD site is now closed, due to this incident.)

CBS New York interviewed Zenaciti CEO Andrew Plato on what consumers should do. Check out the full story at CBS News.

The Software Monoculture Is Here to Stay https://zenaciti.com/software-monoculture/ Sat, 27 Jul 2024 21:45:40 +0000 https://zenaciti.com/?p=28642 The recent CrowdStrike debacle has reignited an old argument among IT and security people: what can be done about the software monoculture?

The recent CrowdStrike debacle has reignited an old argument among computer and security practitioners: should organizations do away with their software monoculture?

NOTE: I was recently quoted in a story for NPR’s Marketplace regarding this issue.

For clarity, a software monoculture is when an organization uses a small, standardized set of software, service providers, and/or hardware. The most obvious example is the dominance of Microsoft Windows on desktop and laptop computers. Software monocultures extend to security technologies as well, which is why the CrowdStrike outage was so widespread.

Like it or not, the software monoculture is here to stay. Standardized compute environments are preferred as they are easier to monitor, manage, and secure. The recent uproar over monoculture due to the CrowdStrike incident is a distraction. It avoids the real problem that organizations are unprepared for systemic outages and looking to blame somebody else for their problems.

Marge vs. the Monoculture*

In the early 2000s, my company was conducting a penetration test on a client. One of our scans crashed the customer’s network. After a tense 30 minutes, we got them back online. However, the CIO was enraged and demanded to know why we did this. When I explained that the firewall had a bug that made it crash when scanned, he persisted with his complaints. I reminded the CIO that discovering this kind of flaw is why you conduct penetration tests.

This incident was an opportunity to build resilience into the organization. However, this immature CIO was more interested in who he could blame for the outage rather than how to recover from it. Similarly, every time there is a large outage, social media fills with “thought-leaders” whining about how evil Microsoft is and that we need the government to intervene. The recent CrowdStrike debacle is no different.

Microsoft is not evil. CrowdStrike is not incompetent. Bugs like this are not indicative of some systemic failure. Mistakes happen. The mistake is not as important as how we react to it. Either you view an outage as an opportunity to improve or as an opportunity to blame.

Blaming others for the outage does nothing of value. It merely allows people to feel better about the situation. An outage should be seen as a chance to review response, recovery, and contingency plans. Organizations that had reliable plans breezed through the latest outage. Those that did not struggled to come back online.

More is Worse

Ultimately, monocultures are a net positive. A standardized, uniform, consistent environment is immensely easier to manage, monitor, and secure. This is not a new idea. Standardization has been a driving force in technology since the dawn of civilization. The entire Internet is built on standards. The benefits of a monoculture far outweigh the negatives.

This reminds me of another immature CIO I encountered. The CIO’s security team was struggling to operate their next-generation firewall (NGFW), resulting in numerous outages and security incidents. Consequently, the CIO wanted to purchase a competitive NGFW and run them both, believing that one could monitor the other. In a moment of brutal honesty, I replied: “You cannot effectively run one firewall; why do you think running two will be better?”

This CIO believed that the firewall (or monoculture) was the problem. He also believed that adding more technologies to the environment would compensate for this perceived weakness. Of course, the problem was him (and his team). They were blaming the technology for their own inexperience and ignorance. Unsurprisingly, the new firewall they installed caused additional problems and more outages.

Single Point of Fail

This CIO was consumed with preventing a “single point of failure.” The single point of failure issue is often applied to Microsoft Windows since a single flaw in Windows can lead to systemic outages. There is truth to this. However, it is not a justification for adding complexity to the environment. Making an environment more complex with a diverse set of technologies merely to avoid a possible single point of failure only creates lots of points of failure. At least with a single point of failure you can identify, remediate, and recover more quickly.

When redundancy is necessary, it must extend to all dimensions of the environment. This is why containerization and cloud technologies are ideal for resilience. They have redundancy integrated into the platforms.

It does not make sense to spend millions building redundancy into a cloud architecture only to entrust its successful operation to a single overworked IT person or single piece of security software (like CrowdStrike). For redundancy to truly work, it must extend to all dimensions of the environment. This becomes an immensely expensive proposition, which makes it unreasonable for all but the largest organizations.

Every organization has single points of failure. They are unavoidable. It is useful to know where they are, but it is not always useful to mitigate them. Rather than implement complex redundant systems, have a robust set of contingency plans to rapidly recover in the event of an outage.

Overcoming Monoculture Anxiety

The CrowdStrike incident added a lot of stress and anxiety to already overworked IT teams.  It is natural to seek out ways to prevent the next incident.  However, the answer is not (necessarily) to deploy more technology.  CrowdStrike is an effective security control.  It is effective far more often than it crashes.

A more reasoned response to this (or any other outage) would be:

  • Review your system backup and recovery processes. You should be able to restore any system, anywhere in your network, to a previous state on a moment’s notice.
  • Consider technologies that provide rapid recovery. Microsoft has many of these embedded into the operating system.  There are plenty of third-party tools as well.
  • Have a contingency plan for affected workers. One suggestion is to quickly spin up cloud workstations in AWS or Azure that employees can use to continue working.
  • Have a communications plan. When systems are offline, employees, customers, and partners need to know what is going on.  Have a way to contact everybody with a unified message.  This message should come from senior leadership (like the CEO).
  • Perform annual “table top” exercises with your teams on how they would respond to an outage. This prepares people to handle the situation.
  • For mission-critical systems, migrate them to containerized platforms that can automatically reset to a known good state. For security, consider moving target defense technologies.

Conclusion

Outages are inevitable. No amount of technology, people, or processes can overcome this. Rather than complain about Microsoft’s dominance, work on ensuring that when those Microsoft systems go down, they can be recovered and reset quickly. Microsoft already has integrated functions in Windows to support this. Moreover, numerous third-party companies provide rapid recovery software.

This most recent outage demonstrated clearly which organizations had dependable contingency plans. Those that did were up and running in a few hours. Those that did not spent time blaming others rather than fixing their problems.

The monoculture is here to stay. How we react to it can change.

* This is a reference to the Simpson’s episode, Marge vs. the Monorail.

When Businesses Run Standardized Software, Small Problems Can Quickly Grow https://zenaciti.com/when-businesses-run-standardized-software-small-problems-can-quickly-grow/ Tue, 23 Jul 2024 01:00:21 +0000 https://zenaciti.com/?p=28867 NPR Marketplace explores the problems with the software monoculture.

Zenaciti’s Andrew Plato was interviewed on the role of the software monoculture in the recent CrowdStrike debacle.  Check out the interview at Marketplace on NPR.

What Is a Managed Security Service Provider (MSSP) https://zenaciti.com/what-is-a-mssp/ Tue, 07 May 2024 05:32:03 +0000 https://zenaciti.com/?p=3480 Managed Security Providers (MSSP) are extremely popular and an important part of the cybersecurity ecosystem. Let's take a look at what makes them work and succeed.

Years ago, I completed a large industry analysis project that covered the managed security business (MSSP).  At the time, MSSPs were rapidly gaining traction.  Fast forward seven years, and I am starting a new MSSP research project. What has changed?

Surprisingly, not that much.

The most notable changes are the influence of cloud and AI technologies on MSSPs.  However, these factors have not altered the constituent parts of an MSSP.  

Gartner Speaks

To understand what makes an MSSP, consider Gartner’s definition:

A managed security service provider (MSSP) provides outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning and anti-viral services. MSSPs use high-availability security operation centers (either from their own facilities or from other data center providers) to provide 24/7 services designed to reduce the number of operational security personnel an enterprise needs to hire, train and retain to maintain an acceptable security posture.

There is nothing wrong with this definition, but it describes what an MSSP does, not what they are.  There is a big difference between those two things.  If you are looking to hire (or build) an MSSP, you must evaluate not only what an MSSP can do, but what they are made of as well.

Managed Security Service Provider Definition  

Based on my research, an MSSP consists of four primary components:

  • Platform
  • People
  • Process
  • Scale

Let’s explore each of these components and how they contribute to an MSSP.  

Platform

This is the collection of technologies, tools, and products the MSSP uses to deliver their services.  Platform technologies may be developed in-house or sourced from third party vendors.  Many MSSPs use repurposed open-source products as their proprietary platforms.

An MSSP’s platform is important, but not as important as you may think.  Buyers do not, necessarily, select an MSSP because it offers an ultra-sophisticated platform (nor should they).  Rather, an MSSP’s platform is a “ticket to ride.”  When buyers evaluate MSSPs, they look at the platform first.  If it appears capable, then they move on to evaluate the other components.

The key components of an MSSP Platform include:

Platform Technologies
  Description: The component technologies of the platform.
  Commentary: This can be a wide range of proprietary and third-party products.

Infrastructure
  Description: The architecture, hosting, and supportive components of the platform.
  Commentary: This not only includes where the platform is hosted, but also infrastructure components such as authentication, connectivity, and redundancy.

Automation
  Description: How the platform responds to incidents, implements remediations, and manages configurations.
  Commentary: Automation allows an MSSP to react more quickly and consistently to incidents.  Highly automated platforms are fundamentally more effective at protecting an environment.  Automation capabilities may include some AI functions. However, be careful when evaluating any AI usage, since many MSSPs claim to have AI integrated into their platform, when in reality their analysts are merely using AI to perform management functions.

Service Capability
  Description: These are the services the platform delivers.
  Commentary: Typical services include:
    • Firewall / NGFW
    • Endpoint security, XDR, MDR
    • Vulnerability scanning, penetration testing
    • Configuration / change management
    • Security information and event management (SIEM)
    • Incident handling
    • Compliance reporting
    • Threat intelligence and scoring
    • Email security
    • Security orchestration, automation, and remediation (SOAR)

Data Provenance
  Description: This refers to where and how the platform stores its data.
  Commentary: How a platform stores customer data is critical, especially if there are any compliance requirements.  Many compliance frameworks (such as FedRAMP) do not allow any co-mingling of data with non-compliant environments.  MSSPs that co-mingle customer data are typically unable to meet compliance requirements.  Some MSSPs have taken to storing only metadata, while leaving the raw log data within the customer environment.  This is preferable from a security perspective, but will still run afoul of some compliance regimens.
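The metadata-only arrangement just described, with each customer’s records kept in a separate partition on the MSSP side, as an added illustration (this is not code from the article or from any MSSP platform). The raw line stays in the customer’s own store; the MSSP receives only a small record and a hash reference back to the raw line, and refuses records that carry anything else. The log line format, the class names (CustomerStore, MsspStore), the field names and the sample logs are all assumptions made for the example.

```python
"""Metadata-only log export with per-customer partitioning.

Added example for this article; not code from the article or any MSSP.
The raw log line stays in the customer's own store. Only a small metadata
record (customer id, timestamp, host, event type, severity, and a SHA-256
reference to the raw line) goes to the MSSP store, which keeps each
customer's records in a separate partition. The log format, class and
field names below are assumptions made for the example.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed line format: "<iso-timestamp> <host> <EVENT> severity=<level> [detail...]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>[A-Z_]+) severity=(?P<sev>\w+)(?: (?P<detail>.*))?$"
)

# Fields the MSSP partition may hold; anything else is treated as raw content.
ALLOWED_FIELDS = {"customer_id", "ts", "host", "event", "severity", "ref"}


def fingerprint(line: str) -> str:
    """Stable reference to a raw line that does not reveal its contents."""
    return hashlib.sha256(line.encode("utf-8")).hexdigest()


@dataclass
class CustomerStore:
    """Raw logs retained inside the customer's own environment."""

    customer_id: str
    raw: dict[str, str] = field(default_factory=dict)  # ref -> raw line

    def ingest(self, line: str) -> dict:
        """Keep the raw line locally and return the metadata record to export."""
        m = LOG_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        ref = fingerprint(line)
        self.raw[ref] = line
        # The free-text detail (IPs, paths, user names) is deliberately not exported.
        return {
            "customer_id": self.customer_id,
            "ts": m["ts"],
            "host": m["host"],
            "event": m["event"],
            "severity": m["sev"],
            "ref": ref,
        }

    def resolve(self, ref: str) -> str:
        """Look up the raw line by reference; lives only in the customer environment."""
        return self.raw[ref]


class MsspStore:
    """Metadata store on the MSSP side, partitioned by customer."""

    def __init__(self) -> None:
        self._partitions: dict[str, list[dict]] = {}

    def accept(self, record: dict) -> None:
        """Store a metadata record; refuse anything that could carry raw content."""
        extra = set(record) - ALLOWED_FIELDS
        if extra:
            raise ValueError(f"refusing fields that may carry raw content: {sorted(extra)}")
        self._partitions.setdefault(record["customer_id"], []).append(record)

    def query(self, customer_id: str, severity: Optional[str] = None) -> list[dict]:
        """Queries are always scoped to one customer; there is no cross-partition read."""
        rows = self._partitions.get(customer_id, [])
        return [r for r in rows if severity is None or r["severity"] == severity]

    def partitions(self) -> list[str]:
        return sorted(self._partitions)


# Constructed sample logs for two fictional customers (not real data).
SAMPLE_LOGS = {
    "acme": [
        "2024-05-07T05:32:03Z fw01 DENY severity=high src=10.0.0.5 dst=203.0.113.9 dport=445",
        "2024-05-07T05:32:10Z fw01 ALLOW severity=low src=10.0.0.7 dst=203.0.113.20 dport=443",
    ],
    "globex": [
        "2024-05-07T06:00:00Z edr-7 MALWARE_QUARANTINED severity=high file=C:\\Users\\j\\invoice.exe",
        "2024-05-07T06:01:00Z edr-7 LOGIN_FAILED severity=medium user=jdoe",
    ],
}


def build_demo() -> tuple[dict[str, CustomerStore], MsspStore]:
    """Ingest the samples: raw lines stay per customer, metadata goes to the MSSP."""
    customers = {cid: CustomerStore(cid) for cid in SAMPLE_LOGS}
    mssp = MsspStore()
    for cid, lines in SAMPLE_LOGS.items():
        for line in lines:
            mssp.accept(customers[cid].ingest(line))
    return customers, mssp


if __name__ == "__main__":
    customers, mssp = build_demo()
    for cid in mssp.partitions():
        for rec in mssp.query(cid, severity="high"):
            # Resolving the reference only works from inside that customer's store.
            print(cid, rec["event"], "->", customers[cid].resolve(rec["ref"]))
```

The design choice worth noting is that the MSSP side has no API that reads across partitions, and the allow-list on `accept` is what keeps a careless exporter from leaking the detail field; whether this arrangement satisfies a given compliance regime still depends on where the MSSP store itself is hosted, as the article points out.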

People

Even with automation and AI, MSSPs are completely dependent upon people to run everything and support customers.  The team that runs, manages, and monitors the platform are what makes an MSSP function.  Without them, there is no MSSP.

MSSP teams usually include analysts, support staff, engineers, and developers.

Analysts are the primary service delivery people. They operate the platform, perform security scans, respond to incidents, and deliver reports.  Some MSSPs also employ analysts to perform adjacent professional services such as penetration testing or virtual CISO services.  Analysts form the backbone of an MSSP.

Support staff handle the logistics and customer management functions.  This team may include project managers, customer success representatives, and other non-technical people.  Effective MSSPs use the support team as a “buffer” to allow the analysts and engineers to focus on service delivery.

Engineers operate the infrastructure for the platform. They may also serve as second-tier support for analysts. Engineers typically operate in the background, and only interact with customers for more complex or bespoke needs, such as assisting with incident response.

Developers design, build, and deploy the platform and relevant infrastructure components.  Some MSSPs do not differentiate between engineers and developers, and unite them into a common platform group.  Developers often have their own supporting staff of project managers and testing engineers.

For buyers, it is difficult to assess the skillset of an MSSP’s people.  You are not going to be able to meet many of the analysts and engineers working on your account.  However, you can assess the team that engages you in the sales process.  Savvy MSSPs place technical resources early in the sales process.  This ensures the MSSP is building credibility with prospective customers, rather than merely explaining their capability.

Process

Process is the assortment of procedures, practices, policies, and internal culture that operates an MSSP.  Process makes an MSSP sparkle.  Good MSSPs have well defined, well documented, well-maintained processes.  Moreover, they are constantly revising, adapting, and updating them to suit the perpetually shifting threat landscape.

In contrast, bad MSSPs have … nothing.  It is not uncommon for companies to charge into the MSSP business, believing that as long as they have the correct technologies and people to staff the SOC, they are good.  An MSSP is largely useless without effective processes.

Moreover, Process is what gives an MSSP its value.  MSSPs get acquired for their processes, not for their platform or people.  If you are evaluating an MSSP, you want to look closely at the processes they use to conduct their services.

Scale

For an MSSP to be successful, it must be able to put its platform, people, and processes in motion and deliver results. This means designing those components to be agile and adaptable.  It also means having the organizational maturity to accommodate a growing customer base. Scale is therefore a facet of an MSSP’s strategic and tactical execution.

Scale kills weak MSSPs while it fuels smart MSSPs.  Once they begin to acquire customers, the MSSP reaches a critical point where the platform, processes, and people must rapidly change.  This stresses those components, particularly the people.  If the organization lacks effective leadership or empowers people who are uncomfortable with change, the MSSP will begin to struggle.  The company will become unable to handle increased customer load, which will cause customers to become dissatisfied.

Change is discomfort, and savvy MSSPs embrace this discomfort.  They have internal DevOps-style practices that integrate change, growth, and adaptability into everything.

Customers evaluating an MSSP should consider how the MSSP has adapted to the changing threat landscape.  As a customer, constant change can be frustrating. However, if an MSSP can manage this change effectively, it demonstrates organizational strength and maturity, which is something you want as a customer.

Factors Influencing MSSPs

As I mentioned in the introduction of this article, there are a number of influential factors on MSSPs at this time.  In this section, I will address some of the more prevalent influences and how they have changed the MSSP landscape in the past few years.

Cloud

Ten years ago, MSSP was an “on-premise” business.  In other words, their products were concentrated on managing and monitoring traditional, on-premise technologies (firewalls, IDS, endpoint, etc.).  Today, nearly all MSSPs are cloud-based.  Their platform resides in the cloud and even the management of on-premise equipment, such as firewalls, is handled through cloud products.

AI

Likewise, ten years ago AI was nothing.  Now it dominates every discussion about anything.  Currently, the use of AI in MSSPs is inconsistent.  Much of the AI messaging among MSSPs feels like marketing hype, and not substantive, technical improvement.  Where AI tends to land first is inside the third-party products that use some kind of AI detection method for malware.

Slowly, AI is making it into SIEM platforms. However, AI use for threat hunting remains nascent.  Most MSSPs lack the internal expertise to fully integrate AI into their platforms.  Moreover, training an AI to analyze log data is difficult.  Without a sizable set of “positive” (or wanted) events, it is difficult for an AI to identify what constitutes “negative” (or unwanted) events.  Since most SIEM platforms do not store “non-events,” this blinds the AI.

Where AI is making a difference is with analysts.  Use of AI for generating scripts, tools, and automations can dramatically accelerate an analyst’s efforts.  What used to require hours of painstaking coding, testing, and revising of automation scripts can be done in seconds with a prompt to ChatGPT.

However, buyers of MSSP services need to be mindful of this difference.  Merely because an MSSP says they use AI, does not mean it is integrated into the platform (or accessible to the customer).  Analysts using AI to develop scripts or automation is a good thing. However, that does not make the MSSP “AI enabled.”  This is where marketing fluff and process reality can diverge.

Co-Management

Another perpetual challenge with MSSPs is the co-management conundrum.  On the one hand, customers often demand access to the controls the MSSP manages.  On the other hand, giving a customer control creates a race condition where the customer and MSSP can conflict on management styles or discipline.  Co-management is not necessarily good for customers or MSSPs.  Customers should be prepared to pay more for co-managed platforms vs. fully managed ones.

Platform Images

This MSSP platform strategy is special to me, as it was a strategy I played a hand inventing.  In 2017 when I began my research, most MSSPs used a single, monolithic platform where they co-mingled all customer data.  This presented several challenges for using MSSP services in highly regulated environments, where data co-mingling is not permitted per compliance requirements.

My innovation was to use the automation capabilities of cloud environments to deploy an MSSP platform into each customer's own cloud account. This functioned much in the same way as using a Linux or Windows image from a repository. The image is instantiated independently in each customer's environment. Once deployed, it is then customized to suit the customer's unique needs. This deployment strategy eliminates all co-mingling issues and supports restrictive compliance requirements.

In 2018, when I built this platform, it was a novel concept. Today, it is everywhere. Many MSSPs have fully embraced this deployment strategy, as it unlocks lucrative compliance-funded opportunities. These types of environments are also more adaptable to customer needs.

Buyer’s Guide

If you are considering hiring an MSSP, here are some questions you can use to evaluate each component of a potential vendor:

Platform Questions

  • Describe the architecture of your platform.
  • How is the platform deployed (automation, images, hardware, etc.)?
  • What services (capabilities) does it offer?
  • What software (agents, etc.) must we install in our environment?
  • How does this software communicate with the platform?
  • What access do we have to the platform and its components?
  • What third-party products does your platform use?
  • How do you update the platform?
  • How is the platform licensed?
  • Where is the data stored? Is the data co-mingled?
  • What reports and data analysis are provided?
  • If AI is used, describe how and where.

People Questions

  • How is your SOC organized?
  • What teams do you have?
  • Describe how you onboard analysts.
  • What kinds of training, education, or career development does the team receive?
  • Who responds to my tickets or phone calls?
  • Who manages my account?
  • How often can I expect to hear from an analyst?
  • Are there any regular meetings, check-ins, or reviews?
  • If there is an emergency, who do I call?
  • How will I be contacted in the event of an incident?

Process Questions

  • Describe how my company will be onboarded to the platform.
  • Define the data flow within your environment.
  • How are access rights assigned, managed, and monitored?
  • Describe how your team manages an incident.
  • Does your company perform “post-mortems” on incidents?
  • If vulnerabilities are detected (if this is part of the service), how will I be notified?
  • What role does your company have in remediating vulnerabilities?

Scale Questions

  • What kinds of performance metrics do you have for your platform?
  • How do you measure success among your teams?
  • How often do you revise internal processes?
  • How is your platform updated, revised, or adapted to changing conditions?
  • How does the organization manage change?
  • What is the experience and background of the leadership?
  • Does the leadership have information security expertise?
  • What is the roadmap for the MSSP?

A savvy MSSP can answer these questions (and more). An immature one may struggle, or resort to marketing fluff.

Conclusion

MSSPs are an integral part of the information security landscape. In the past decade they have transformed from simple firewall management to full-service outlets that can accommodate a diverse set of security services.

There are numerous benefits to engaging an MSSP. The most significant is that an MSSP can focus on security. Unless your company intends to build a robust, in-house information security practice, it makes sense to outsource some (if not all) security functions to an MSSP.

For marketing and sales teams, your go-to-market efforts should focus on explaining the benefits of your four components. Why is your platform unique? How is your team effective? What practices or processes make your MSSP special? And how do you adapt, change, and grow with the volatile security landscape?

While the MSSP market has evolved in the past few years, it has not fundamentally changed. AI and automation are helping MSSPs scale, but they are not altering what makes an MSSP function. If you are looking to hire or build an MSSP, then it is important to evaluate the four primary components of an MSSP.

The post What Is a Managed Security Service Provider (MSSP) appeared first on Zenaciti.

Platform of Platforms
https://zenaciti.com/platform-of-platforms/ | Wed, 28 Feb 2024 02:14:58 +0000

Palo Alto Networks and Microsoft have the right idea about security platforms, but the wrong execution. What security really needs is a Platform of Platforms.
Recently, Palo Alto Networks (PAN) released a platform strategy that was widely panned in the security industry. The prevailing view (which I share) is that no sane CISO would rip out their existing best-of-breed security products to go all in on PAN's platform.

PAN is not the first to try this strategy. Cisco, Symantec, and McAfee all tried, and all failed, at building a platform of security products. Microsoft (MS) is well on its way toward a single security platform as well.

PAN’s strategy may be flawed, but the idea is not.

PAN correctly identifies that companies can benefit from a single, unified interface for security monitoring and management. However, their execution is the problem. PAN and MS are both building a Platform for Products. The PAN platform only manages other PAN products, and likewise for Microsoft. This makes these platforms limited and constrained.

What the security industry really needs is a Platform of Platforms (PoP).

What is a Platform of Platforms?

In an ideal world, cybersecurity teams would have a single portal where they could go to interact with their entire information security environment. This is a Platform of Platforms. A PoP would not necessarily manage every aspect of all those disparate products, but rather provide a simplified way to see their status, access key data, and perform routine functions. A PoP unites the entire security infrastructure into a single portal.

With a PoP, security teams could integrate any security product, whether it is PAN, Cisco, Wiz, MS, CrowdStrike, etc., into the platform. Those products would then publish a set of capabilities to the platform.

For example, the PoP would not manage an endpoint security product like SentinelOne. Yet it could show a list of unsecured endpoints along with other useful reports, such as malware blocked. It might also perform some common management functions, like kicking off a network-wide scan or searching for a specific file hash.

The PoP is a window into endpoint security, but it does not replace SentinelOne's native management tools.

Now, before you dismiss this idea, have you looked at ServiceNow or Salesforce lately? They are essentially PoPs.

PoP Drop

Naturally, you are shaking your head, saying this is impossible. Ten years ago, the management portals companies built for their products were completely closed. Now everybody uses an API, and those APIs are published (some publicly). APIs are insanely powerful. They open up a product's possibilities in ways most vendors cannot even imagine.

PoPs could use these APIs to interact with each product, to obtain data and execute functions. SIEM and XDR platforms have been building huge databases of functionality to accommodate a vast library of third-party tools. Building a PoP would be only slightly more complex than those efforts. Moreover, this is exactly the kind of problem AI could help solve.
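To make the "products publish a set of capabilities" idea and the endpoint-security example above concrete, here is an added Python sketch of a PoP core. It is not code from any vendor or from the original post; the product adapters, hostnames, hash values and counts are all constructed stand-ins. Each adapter declares only the capabilities its product exposes, the PoP builds an index of who answers what, fans a request out to every product that supports it, and refuses (rather than guesses) when a product does not publish a capability. Native consoles are untouched; the PoP is a window, not a replacement.

```python
"""Toy Platform of Platforms (PoP). Added illustration, not any vendor's code.
All products, hostnames, hashes and counts below are constructed."""
from __future__ import annotations

from abc import ABC, abstractmethod
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    protected: bool


class ProductAdapter(ABC):
    """One adapter per product. Each publishes the capabilities it supports;
    the PoP only calls what is declared, never the product's full native API."""
    name: str

    @abstractmethod
    def capabilities(self) -> frozenset[str]: ...

    def call(self, capability: str, **kwargs):
        # Unpublished capability: fail loudly instead of faking a result.
        if capability not in self.capabilities():
            raise NotImplementedError(f"{self.name} does not publish {capability}")
        return getattr(self, "cap_" + capability)(**kwargs)


class FakeEndpointProduct(ProductAdapter):
    """Constructed stand-in for an endpoint security product (hypothetical)."""
    name = "fake-edr"

    def __init__(self, endpoints, blocked, hash_hits):
        self._endpoints = list(endpoints)
        self._blocked = blocked                 # malware blocked counter
        self._hash_hits = dict(hash_hits)       # sha256 -> hosts where seen

    def capabilities(self):
        return frozenset({"unsecured_endpoints", "malware_blocked", "search_hash"})

    def cap_unsecured_endpoints(self):
        return sorted(e.hostname for e in self._endpoints if not e.protected)

    def cap_malware_blocked(self):
        return self._blocked

    def cap_search_hash(self, sha256):
        return sorted(self._hash_hits.get(sha256.lower(), []))


class FakeCloudPostureProduct(ProductAdapter):
    """Constructed stand-in for a cloud posture product (hypothetical). It
    publishes only a findings count, so hash search is reported as unsupported."""
    name = "fake-cspm"

    def __init__(self, open_findings):
        self._open = open_findings

    def capabilities(self):
        return frozenset({"open_findings"})

    def cap_open_findings(self):
        return self._open


class PlatformOfPlatforms:
    def __init__(self):
        self._adapters: dict[str, ProductAdapter] = {}

    def register(self, adapter):
        self._adapters[adapter.name] = adapter

    def capability_index(self):
        """Which products answer which capability: the PoP's menu."""
        index = {}
        for a in self._adapters.values():
            for cap in a.capabilities():
                index.setdefault(cap, []).append(a.name)
        return {k: sorted(v) for k, v in sorted(index.items())}

    def fan_out(self, capability, **kwargs):
        """Run one capability across every product that publishes it."""
        return {n: a.call(capability, **kwargs)
                for n, a in self._adapters.items() if capability in a.capabilities()}

    def dashboard(self):
        """Cross-product summary for leadership; no native console involved."""
        unsecured = self.fan_out("unsecured_endpoints")
        return {
            "unsecured_endpoint_count": sum(len(v) for v in unsecured.values()),
            "malware_blocked_total": sum(self.fan_out("malware_blocked").values()),
            "open_cloud_findings": sum(self.fan_out("open_findings").values()),
        }


def build_demo_pop():
    """Wire up the constructed products into one PoP."""
    edr = FakeEndpointProduct(
        endpoints=[Endpoint("ws-01", True), Endpoint("ws-02", False),
                   Endpoint("srv-db", False)],
        blocked=42,
        hash_hits={"a" * 64: ["ws-02"]},        # constructed hash value
    )
    pop = PlatformOfPlatforms()
    pop.register(edr)
    pop.register(FakeCloudPostureProduct(open_findings=7))
    return pop


if __name__ == "__main__":
    pop = build_demo_pop()
    print(pop.capability_index())
    print(pop.dashboard())
    print(pop.fan_out("search_hash", sha256="A" * 64))
```

The capability index is the part that matters for a real PoP: it is derived from what each product declares, so adding a vendor means writing one adapter, and a report or action that a product cannot support simply does not appear for it. Authentication, rate limits and the actual HTTP calls behind each `cap_*` method are where the real work lives and are left out here.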

Sounds like a SIEM

SIEMs are the closest relative to a PoP. The challenge with SIEMs is that they are focused exclusively on managing data from products. A PoP would go a step further and actually interact with a product's native API. However, a SIEM would make a logical starting point for building a PoP. Some of the larger SIEM products are rapidly approaching PoP-like functionality.

Who Runs PoP Town?

Naturally, the question is who owns or runs this PoP. No single security vendor could do this. Building a PoP would require a company with vast resources and a reasonably neutral position toward the vast set of security products on the market.

This is why PAN’s platform is unlikely to succeed. It demands you buy completely into the Cult of Palo Alto Networks. PAN has made it clear they are not going to sell a platform that manages non-PAN products.

The obvious answer to who could do this is the cloud service providers: AWS, Microsoft, and GCP. They have the resources and are reasonably neutral to security products. AWS is already partially there with their Security Hub product. Azure has a security console now, but it is a clunky mess. And GCP has not been acquiring security companies for fun. They obviously have big ideas as well.

A PoP was part of my own vision for a product years ago. I envisioned a platform that could not only build itself but configure a disparate set of tools and provide a single management interface. My vision was too big for my funding, so I downgraded it into a compliance product.

PoP Benefits

The single greatest challenge in cybersecurity is and always has been complexity. The more complex a system is, the more difficult it is to protect it. Modern enterprise environments are insanely complex and insanely complex to secure.

The ultimate purpose of a PoP is to create a simpler, more streamlined way to interact with the security architecture: a single place where a diverse group of people, from leadership down to operations, can access and interact with the security environment.

A PoP would not replace existing management consoles. Those would still have a place in a PoP environment. There are plenty of use-cases where administrators would need to drop down into a native console to perform administrative functions.

I fully admit that a PoP is a bit of a pipe dream at this point. The effort necessary to build a viable, working PoP is extreme. However, this is yet another way that cloud providers could continue their consumption of the security industry (see Cloud Eats Security).

NOTE: Since writing this blog in February of 2024, I have started seeing actual products making a run at this concept. Google's acquisition of Wiz and Zscaler's acquisition of Red Canary are two prominent examples of consolidation in pursuit of an “all in one” style platform.
