A Zero Trust Leadership Podcast

Why Doing the Basics in Cyber Is So Hard—and So Necessary | Ross Haleliuk
Season Four · Episode 1

In this episode of The Segment, Raghu sits down with Ross Haleliuk to unpack why most security failures aren’t caused by a lack of tools, but by a failure to execute the fundamentals.

Transcript

Raghu Nandakumara 00:12

So, for this episode of The Segment, it gives me great pleasure and a massive honor to welcome to our listeners, Ross Haleliuk. Ross, welcome to The Segment!

Ross Haleliuk 00:26

Super happy to be here. Thank you so much for the invite.

Raghu Nandakumara 00:29

The pleasure is all ours. And for anyone who's even remotely familiar with the world of cyber and cyber startups, Ross will be a household name. But a quick bio about him. He's the co-founder and CEO of a stealth-mode cybersecurity startup, and someone whose thinking has consistently cut through the noise in the cybersecurity industry. He hosts Inside the Network, a podcast that takes listeners inside cybersecurity entrepreneurship by talking to founders, operators, and investors building the future and the present of the industry. He's also the author of Cyber for Builders, an Amazon bestseller and a go-to read for early-stage security founders. And he's also the publisher of the incredible Venture in Security Substack. So, lots of different ways to go and consume Ross's thoughts. I urge you all to go and do that.

Well, today we're going to be talking to Ross on a variety of cybersecurity-related topics, some stuff about the fundamentals, about incentives, and what it takes to build security technology that actually sticks. So, with all of that, Ross, again, thanks for being on The Segment. I guess before we kind of get into all that, I'd love to hear your background, because yours isn't the conventional cybersecurity background, is it?

Ross Haleliuk 01:52

You know, if you would have asked me this question about two or three years ago, I would have agreed with you. I think today, my personal conclusion is that my background is the most conventional background in cybersecurity. And I'm saying this because I barely meet any people these days who started in cyber, like, whose first job was cybersecurity. Usually, people come from all sorts of backgrounds and all walks of life. I know I've met some teachers who became cybersecurity engineers. I've met a history major who became a fantastic security professional. I meet people from all walks of life, and I'll tell you that's what security is known for. In fact, even if you started your career two or three decades ago, which I haven't, you would have still probably ended up in cybersecurity coming out of IT, or some other discipline. So no, no, I disagree. My background is very, very conventional. I started my career in product management. I worked across several different industries, e-commerce, retail, wholesale, and financial technology, for a number of years, and then became super passionate about security, and you know, now, years later, I enjoy it as much as I did when I just started.

Raghu Nandakumara 03:07

So, I'd say maybe then I'm the unconventional one, because my first job as a graduate was actually in cyber. So, what got you so excited about cyber? Because when I read your content, your posts, etc., I find myself a lot of the time thinking I absolutely align with that way of thought, right, with that idea, with what's being proposed there. So what gave you the tools to understand the security market in that way?

Ross Haleliuk 03:39

Yeah, I think the story is really a pretty simple one. When I ended up in cybersecurity, I was fortunate to join a startup as a head of product. And I knew there was a lot I needed to learn. I knew there was a lot I needed to do for myself to get up to speed quickly. And so, what I started doing was consuming a lot of content and reading a lot of books. I literally, you know, I bought probably 30 or 40 books about different aspects of security and went super deep on some technical, some non-technical areas, and I would attend every single event I could go to, all the mainstream ones, but also some small, almost underground conferences and meet-ups. I would speak to everybody in the industry who would be willing to talk to me. Doing that over the course of about half a year gave me exposure to different parts of the industry and gave me a perspective. And one of the things that I realized very, very quickly was that although cybersecurity has a ton of amazing technical talent, and a lot of people who truly know the ins and outs of the technical fundamentals of security, the industry is lacking, and at the time was lacking even more, a business-level perspective: a perspective focused more around the why of security, focused more around the business aspects of things, the operational aspects of things, the startup aspect of things, the venture aspect of things. And I found it really fascinating, because I would look at the market, I would talk to people, and I would ask questions, and over time, I ended up with, you know, hundreds and hundreds of pages in Google Docs scattered all over, sort of explaining for myself how different parts of the ecosystem function. And eventually, it took me nearly a year to piece all of it together, and I was like, maybe somebody else is going to benefit from some of these things as well. And so, I wrote the blog post, and I saw a fantastic response.
And then I wrote another one, and more people reached out, saying, "Hey, this was actually super useful." And then I just said, like, look, I guess there is a need for a different perspective, a perspective that's not grounded in a lot of that technical depth, but a perspective that offers people a way into the business of cyber, and that's how I slowly started sharing some of my thoughts. And over time, it's kind of snowballed and grown into something much bigger than I originally anticipated.

Raghu Nandakumara 06:18

Well, in preparation for this conversation, I think I've got about a dozen tabs of your blog open, various things that I've been consuming. So, you said that you essentially went out and pretty much bought and consumed every cybersecurity book out there. Other than, of course, Cyber for Builders, which is your own book. What is the one book that you recommend for anyone who wants to get into cyber to understand this industry?

Ross Haleliuk 06:44

Yeah, like, look, I don't know if I would even recommend my own book for somebody who is looking to understand the industry while getting into cyber. I think that fundamentally, the answer is going to depend on the path you're taking and what it is that you're planning to do in the industry. Right? If you are getting into security engineering, you should probably read a book that I've never read, and I don't even know what that book is going to be, but it's going to be something very, very different than if you're looking to get into compliance, into GRC, which, again, I don't think I have a great recommendation for. I think as far as building startups goes, I would argue, obviously, Cyber for Builders; you know, selfishly, I do think that it is helpful, at least it's a perspective. But I honestly think that for people looking to build a cybersecurity company or startup, the most helpful thing is to read books that have nothing to do with cybersecurity. There are plenty of great books for CEOs, for startup founders, you know, The Lean Startup. And what do I have on my bookshelf? Make It Punchy, The Founder's Dilemmas. There are so many, so many, so many different books. The one cyber-focused book that I personally found super helpful to structure my thinking about the industry is Sounil's The Cyber Defense Matrix. It's not, you know, it's not 700 pages. It's very, very digestible. And it gave me the framework to understand how to sort of categorize and bucket different products into where they belong. Because there is this habit that security vendors have, where they pitch that they can do 75 different things, and it's really hard to understand, okay, this vendor, who are they? What problem are they trying to solve, and in what bucket do they fit? And Sounil's book gave me that framework, for lack of a better word.
Then there is a book, Lessons from Frontlines, by Assaf Keren, talking about the leadership aspects of security, and talking about his career and what he's learned and what mistakes he has made as a leader, as a security professional, as a CISO. Incredibly helpful. I'm about 80% in, and I would definitely recommend it. There are many great books about security, but the industry is so diverse, and the problem space is so broad and so vast, that I don't think anybody can recommend a book or two; you need to read a lot more.

Raghu Nandakumara 09:18

Yeah, absolutely. So before we move on from the book recommendation section, I'd say you mentioned someone who wants to get into security engineering. So I'll recommend a book which is actually titled very simply, Security Engineering, by Ross Anderson, the late great Ross Anderson, who I was fortunate enough to be lectured by at university. So yeah, that's another recommendation for our listeners. So there was something I was looking through, I think your most recent blog post, which is titled "Going into 2026: what founders and security leaders need to know," and there's a particular point that I want to pick up on. And to quote you, you say, "companies continue to get breached because they are not doing the basics well, not because they haven't bought some next gen, whatever." But I also see that a lot of the time, on LinkedIn and at conferences, etc., people say, "Oh, stop saying that we're not doing the basics well." Right? "Stop saying that we need to do the fundamentals." So I think the point you make is absolutely valid, and I would agree with it, but if we know this is a problem we need to fix and address to actually fundamentally shift our ability to limit the impact of cyber-attacks, why are we not putting enough focus on it?

Ross Haleliuk 10:33

Yeah, I mean, look, first of all, I don't know what LinkedIn says. I have my perspective, and I stand by it. Most breaches are not caused by some novel, groundbreaking technology chain, whatever it is; they're not. They're also not a result of some mysterious, never-before-seen zero days. The vast majority of security problems are not really security problems. They're problems that originate in other parts of the organization and happen to introduce security risk. Or, to put it differently, the vast majority of companies get breached because of some boring problems, right? Somebody set a default password. Oh, somebody added this exception to, you know, be it an identity solution or a network security solution or some other, you know, engineering-focused solution. Somebody added an exception. A year later, nobody remembers why it's there. And guess what? Two years later, the company gets popped. So it's the boring, very simple, I guess, very common problems. Oh, there was this asset within it. Now it exists. There was this unpatched server that we didn't patch because we didn't have it mapped; it wasn't in our system. So, it's really the fundamentals. And I can answer the question of why that is the case and why we don't want to pay attention by really drawing a very simple parallel, or using a very simple analogy. You know, it's January, February, the beginning of the year. Everybody starts the year by making New Year's resolutions. And everybody starts, and everybody buys a gym membership, right? And this is the time of the year when the gyms are overflowing because of the overjoyed people who are looking to get in shape. And that lasts until about, like, mid-February, early March.
That's when you start, you know, seeing the traffic go back to normal, and suddenly, like 95% of the people who made all of those New Year's resolutions to become super fit in 2026 are going to be back home on their couches eating chips and watching TV shows. And so why am I talking about this? Well, because when you're thinking about the process of getting fit, it's also all about fundamentals, right? If you are trying to get fit, there are really very few simple things that you need to do, right? You need to watch what you eat. Again, super boring, super boring, but fundamental. You need to make sure you get enough sleep. Super boring, but fundamental. And then you need to exercise. And when we are talking about exercising, we don't mean just doing it. We don't mean showing up at the gym once per week or once every month. You need to do it consistently. And if you do all of those things for a month, you're still probably not going to see any result. If you do it for three months, then in May, yes, slowly, you will start seeing some early signs that it is hopefully working. But it's only after you've done it for six months or a year that you will start seeing that, "hey, you know, there is a reason to keep doing this," but even then, it is just the beginning. You have to do this for a year, two years, three years, for you to truly get into good shape. But even then, the work doesn't really stop. You have to truly make a commitment to keep doing this until the day you die, because that is really what a healthy lifestyle is. That parallel works really, really well in security, because if you think about the fundamentals, why are they so hard? Because they require commitment. They require consistency. And they require you to keep doing them every single day for as long as the company is in existence, right? You cannot just inventory all of your assets once per year and just call it a day.
You have to make sure that anything new that gets spun up will end up in the same system. You cannot, you know, you cannot govern your policies, you cannot govern your configurations, once every three years and expect all of that to be in good shape. You have to be able to do it daily. And it's hard. It is legitimately hard. So, it's not that people don't care; it's that doing the fundamentals at scale is insanely complex. There are some tools that help with different aspects, but even then, it still requires a commitment. It requires consistency. It requires the company to keep doing those things, even at times where it's not clear how exactly it is going to protect them, because it never is. The hope is that you will do the right thing. You know, you will eat well, and you will exercise, and that is going to make you healthier and will lead to some longevity. Now, the reality is you may still get cancer five years down the road; you can be super healthy, and you know, drink juices and smoothies and all of this cool stuff with supplements, and still end up getting sick. But the idea is that if you do the right things, you will more likely than not stay healthy. And it's hard in real life, and if it were easy, then everybody around would be walking around fit. And it's hard in security for all the same reasons.

Raghu Nandakumara 15:58

So, and I agree, right? And I think your analogy of fitness and health is a great one. But what I would say is that, and I think this is where the parallel potentially doesn't extend, is that with health and fitness, depending on what your goals are, measuring the success of those goals is relatively straightforward, right? So let's say, in my case, my objective this year is to lose a few pounds, or kilograms if you're in the metric system, right? And I've got a very easy measure, right? I weigh myself today, and I weigh myself in, I don't know, a month's time, and track that. I think, in cyber, the challenge that we've got is that what we're measuring to indicate an improvement in state is not far less accurate, but doesn't tell us whether we have become more secure, right? Whether we've averted, let's say, an attack on us, a threat. Do you think that's a fundamental problem from an incentive perspective, to motivate organizations to, as you said, be in it for the long haul, right? Is that a challenge, the lack of good ways to measure success?

Ross Haleliuk 17:16

So I will talk about the challenge, but I do want to challenge you on the analogy, because I actually think it works pretty well. You see, you can set a goal for yourself, saying, I'm going to lose this many pounds. The question is, does it make you healthier? Nobody can tell that they are truly healthy; maybe somebody who is in great shape is going to have a cardiac arrest two years down the road. You don't know. All you know is that, hopefully, the fact that you weigh less is going to make you healthier. I think, in the same way, you know, if you have a goal to make sure that, let's just say, all of your identity configurations get reviewed every two months, if you have that goal, the hope would be that doing that is going to make you more secure. But is it going to prevent a breach two years later? You don't know. In the same way as you don't know if you're going to have a cardiac arrest. Now, I do think that in security, if you put the healthcare problems aside, because there is definitely a lot of them, if you look at security, I think there is a fantastic article called The Market for Silver Bullets, which I recommend to every single security practitioner to read, because it is just so simple and yet so profound. And that article, written, by the way, about two decades ago, by an academic, or two academics, talks about the fact that there are four types of markets, and I'm not going to get into the explanation of all four types. But what matters is that it is often said that security is a market for lemons, because the buyer doesn't know what it is that they're buying, but the seller or the vendor most definitely knows what it is that they're selling. The reality is that this article specifically argues that this is not true, because in security, neither the buyer nor the seller truly knows what they're buying or selling.
The vendor is going to try their very best to make sure that the product is as robust as possible, and it offers the broadest and deepest possible coverage. But the reality is that no vendor can ever guarantee that their product is going to be able to protect the customer against all kinds of attacks, in particular, against the attacks that are not even in the wild today. They may happen tomorrow; we don't know what that's going to look like, and so subsequently, the buyer has no idea and no way of knowing if the product they're buying actually adds as much value as the vendor says it will. And if you extend this analogy, and if you keep going down that rabbit hole, this article, The Market for Silver Bullets, has an interesting anecdote where the authors say you buy a box, the job of which is to light up if you walk into a room that has a unicorn in it. So you buy this box, you carry it into a room, and the box doesn't light up. Yeah, the question is: why is it? Is it that the box is broken, or there is no unicorn in the room? You have no way of knowing; you have no way of validating. And that's what's so fascinating about security, is that we are talking about efficacy. We are talking about, like, some of those things. But really, do we have an objective way of measuring it? I don't think we do. Now that said, obviously, it would have been great if we did, but I also don't know if it truly matters. Because look at healthcare as an analogy: nobody can tell you 100% that you are healthy. People can do all kinds of diagnostics, all kinds of tests.
But at the end of the day, what matters is that there are some core aspects of health that we know we need to take care of, and by just focusing on those, we can most definitely solve, potentially, 80% of the problems: if you eat well, if you get the right nutrients, if you sleep well, if you exercise a certain amount of time, if you spend time with, you know, your relatives, if you're active socially. There's, like, a set of things that we know need to happen. But also, you can go deeper, and you can get the blood work done, and it's going to tell you that you're lacking some element. And then you go, and you deal with those elements. On one hand, it's an infinite number of possibilities of what can go wrong. But on the other hand, there are really just a few problems that matter more than anything else. And there are statistics on what those problems are. Right? If you look at the statistics, and you see that, hey, the majority of men die because of heart attacks, you should probably take care of your heart. The point is, we can pontificate all we want about how complex security is, and it is complex, but at the end of the day, I think instead of talking about all of that big game, all we really need to do is to just pick an area of focus and get the fundamentals right. It's that simple.

Raghu Nandakumara 22:30

I agree. I agree. I agree completely. And I think by doing that, I think what you'll see, and again, this is kind of where it becomes harder to measure, but you'll see that the impact of future cyberattacks is significantly less compared to if you hadn't addressed those fundamentals. Because, as you so rightly said, ultimately attackers are doing the same things again and again and again, because they're not having to go and suddenly be creative and think of something novel, right? There's enough attack surface there that they can rinse and repeat. So I kind of want to follow up on what you said to just very quickly talk about that, given what we've just discussed here, when the question is, what is the ROI on this investment? Like, what is the ROI on this particular technology, right? How should that be looked at and answered? So let's look at this from two lenses. If you're a vendor being asked, okay, well, what is the ROI on your product? How would you best frame that response?

Ross Haleliuk 23:34

Look, you're not asking easy questions. You promised me it was going to be an easier conversation. And now look where we ended up.

Raghu Nandakumara 23:42

You let me go freeform. So this is what happens.

Ross Haleliuk 23:46

Look, I don't think there are any easy answers. I genuinely don't. I think at the end of the day, the ROI is going to be largely dependent on the business context, and I'm not going to leave it there. Let's go deeper and discuss what that actually means. So if you are the type of company, if you are the type of business for whom customer trust matters a lot, and for whom customer trust defines the priorities that the company is going to focus on, then, to me, the question is a no-brainer. You need to invest in security in order for you to be able to sell; security then becomes a sales enablement discipline. Look at the vast majority of tech companies, especially B2B tech: if your customer is a bank, and if that bank is going to come to you and ask you, "Hey, we would like to do an audit, or show us the proof that you're doing X," you need to be able to let them do an audit or show them the proof that you're doing X. It's really that simple. So, the ROI in that case is tied to the revenue. If you want to keep getting paid by this bank or by this other institution, you need to do what that institution needs from you to see the evidence that you're doing security right. That case, to me, is kind of super straightforward. The ROI is plain and simple. Now it gets much more complicated if you are in the kind of business that is not expected by either the customer or the regulators to provide evidence of security controls. In that case, you have to look at the potential losses, and you have to try and understand what's at stake, and that's oftentimes really hard, because everything is so interconnected these days, right? It used to be very simple: oh, this system is isolated; if it gets breached, nothing else is going to be affected. Now, everything is interconnected, not just within the company, but across different companies, across different industries.
Then you have your own third-party risk problems, and you have all kinds of other problems. In that case, look, I think the conversation still has to be centered around business and around money, and it's probably going to sound like this: "Hey, how much do we stand to lose if we're not operational for a week? What happens if we're not operational for a day? What happens if we're not operational for an hour?" And at what point do we think that risk is acceptable? Oftentimes, the answer is going to be, you know what? That's okay; maybe our factory works in such a way that if we were to shut down for four hours, it's not a big deal, in which case, yeah, sure, make your own decisions. But if the company is at the point where shutting down for a day or two would lead to massive loss of business and reputational damage and so on and so forth, then the ROI becomes much more tangible. Now, is it easy to predict what is going to happen? Is it easy to know? Those are all, again, things we can try. You know, there is this whole discipline of cyber quantification and risk quantification. We can do all kinds of esoteric math, but at the end of the day, somebody still needs to take a guess based on what they're comfortable with. And the good news is that there is a lot of statistics out there. I think if you were working in manufacturing, you can very much look at your peers. You can talk to your friends in the industry, and you can figure out, if a company of our size or in our industry was to get breached, how long does it take to recover, for example, or what are the typical damages? The good, bad news is that we have enough of those stories, and again, every company is different, but in the end, they're much more similar and alike than we want to admit. So I think it's again, it's the same.
Analogies can be used about just about everything else, like, hey, is spending three, four, or five hours per week exercising ultimately helpful? I don't know; if I'm a busy founder, maybe I don't think that that's important. Maybe not in the next two years or three years, but if I look at my life from the perspective of the next 20, 30, 40, 50 years, I should probably be making different decisions. That comes down to risk tolerance. I think ultimately, the way attackers work, and the way statistics work, is that companies end up being held accountable for the decisions they make or don't make. It truly is sad when you see companies getting breached that do everything right. They do invest in establishing the right security measures. They do invest in that operational discipline. They do invest in their security measures, in their prevention, detection, recovery, response, and still suffer. Then it's not great, in the same way as it is not great when somebody gets cancer who is 35 and who has been around there for their entire life.

Raghu Nandakumara 29:03

I think on that last point, and I agree, that when you have an organization that does all that, that truly is bought into "I need to invest in this program, because it is good for my cyber health, for my own safety," beyond security, it's good for my own safety, and yet they're the victims of an attack, that is truly disappointing. But also, is the learning from that the fact that they did all these things ensured that the damage they suffered was less than it could have been? Is that the sort of positive message to take from it, which I don't think is ever reported, but we don't talk about that? But is that a way to look at it? Because I kind of want to understand and ask you about sort of incentivizing, right? Because we've spoken about it being a good thing to invest in your health, right? But often we need stronger incentives than it being a good thing to make things happen. Do you think in cyber we have the right incentives to get things done and to make progress?

Ross Haleliuk 30:10

I think the answer is going to be more no than yes. And so, okay, let's first address the question about the outcomes of security investments. Yes, I do agree with you that at the end of the day, a company that does invest in their security posture, that does do the right thing, even if that company gets breached, it typically, at least, again, I have not done any kind of calculations myself, but subjectively and logically, I think they do typically see lower cost of breaches, for two reasons. One, obviously, if they have compensating controls in different places, if they segment their networks, if they have their identity in check, then the lateral movement typically doesn't look the same and can be contained. But also, importantly, when the breach becomes public, the security community and the industry as a whole tend to respond to it much more rationally. And we've seen several examples of this happening. I'm not going to call out any company in particular, but over the past year, I think many of us have read the same news and watched the same videos where the CEO would go on the record to say, "Look, we've done our very best. Unfortunately, some of the controls were not able to contain the attack, and we are now dealing with the remediation. And here is our plan, here is what we are going to do, and here is how we are going to address this." And you see, it never turns into a shit show in the industry. Security practitioners understand it. Markets respond in their own ways. But if a company is private, then it doesn't have that much of an impact, and then customers also get it, for the most part. So I think, definitely, financial and reputational damages can be contained if the right security measures are in place.
Now talking about the incentives, I think it shifts the conversation into an entirely different direction, and it does because, at the very fundamental level, security practitioners like to talk about security, like to talk about the importance of defending companies from attacks, but at the very fundamental level, businesses exist to make money. And so when we talk about incentives, we have to look at it through that lens. And we have to look at the KPIs that different departments and different people in the organization are being held accountable for meeting. The reason it is important is that, without being realistic about what the KPIs are, and without knowing what they are, we truly cannot implement successful security measures. Think about software engineers. What are engineers incentivized to do? They're incentivized to ship code, and do so quickly, and do so frequently. Security is the responsibility of the security team. It is not necessarily a responsibility of the engineering team. If something gets breached, whose head is going to be on the chopping block? Not the software engineering team; the security team. In the same way, and again, I'm not saying it's a bad thing, I'm just saying that is how it works, if you look at IT, its job, for the most part, lives in ticketing systems. They have a request coming in. Somebody is asking for something. Everything is urgent. Everything in IT is always urgent. Every single employee that needs access to an application needs it urgently. Every single person that's having an issue accessing something or maybe using something, everything is urgent. Everybody has their managers asking what's going on. And so from the IT perspective, the best they can do is to make sure that they deliver on their own KPIs, which typically track how quickly they're closing tickets, how quickly they're resolving issues.
So obviously, you can complain all you want as a security professional that IT should spend more time analyzing if something makes sense. But ultimately, that is not their job. It would be nice if they had time to do so, but they're overworked. They're just trying to do their job. Well, it's the same when it comes to salespeople. Yeah, you can say that, "Oh, this salesperson just shared a sensitive document that they shouldn't have shared." And yes, that is obviously a security issue. But guess what? Salespeople are incentivized to do anything possible and impossible to close the deal and to generate revenue. And if the salesperson makes their judgment, thinking, "Hey, if I share this document, the prospect is going to be excited, or maybe they get an answer to the questions they had, and they will close this deal, and the deal will close sooner," they're going to do it. And so I think that understanding incentives, and understanding where security comes in, is super important. And the reason I say understanding where security comes in is because there's only one team at an average enterprise that is incentivized to think about security. And that is, surprise, the security team, yeah. And that's kind of how it works. You see, we like to say that security is everyone's job. So is company culture, and so is recruitment. But at the end of the day, security is the job of the security team. It is incredible when the leadership at the company decides to embrace the idea of being very mature on the security side. It is incredible when the security team gets the say. It is incredible when some of those incentives do sort of permeate into different parts of the company, and you start seeing executives from different functions being asked, "What do you do about security?" But that is still an exception in most companies, rather than the rule.

Raghu Nandakumara 36:00

I think the way you explain that is brilliant because I think what we often think about, the way we simplify this conversation, is really around, okay, how does security leadership need to talk to executive leadership, slash the board, right? And there, it's often a simple conversation. And I think, as you laid out earlier in our conversation, they're aligned to one of two things. By doing this or by not doing this, how do I impact revenue and/or productivity? One of those two. But I think what you described here just now is actually, once you get one level down, two levels down, you start going into the individual business units, and the incentives at that level are different for each team or each individual. And that's when it becomes complicated for the security team to then get buy-in from all of their stakeholders, because they're having to essentially navigate a bunch of different incentives.

Ross Haleliuk 37:01

And I think you see, I started my career in product management. And there is one thing that I don't think is being discussed enough, and it is that cybersecurity and product management have some very interesting parallels. In that, a product manager at the company has to lead without authority, right? Like, if I am a PM on a software team, none of the developers are going to be reporting to me. Yeah. They have their own leadership. They have their own incentives, and yet, it is my job to make sure that the work that is being done is going to focus on delivering the highest value work for the company, not just what is within my team. Then, in order for me to be able to achieve this work, I have to work with legal. I have to work with finance. I have to work with, you know, with operations. I have to work with literally every other department who, by the way, has no business in dealing with me whatsoever. They have their own jobs. They are not there to babysit product managers. It is my job to make sure that the analytics team is going to be happy regardless of what the product does, and that whatever we need the analytics team to do, they will do. They don't report to me, but it is my job to do it. Now, it's been some time since I've been a product manager at a company, but I do think that a lot of the skills and a lot of the same mindset translate. That is why they say that the product manager has to be a servant leader, because you don't really have the ability to fire anybody. You don't really have the ability to enforce anything you like. The best you can hope for is that you will build the relationships with every single person at the company that you need something from, and you build the relationships in such a way that you work together and people like you enough to actually prioritize what you're asking them to do or what somebody else is asking them to do. Security is the exact same thing.
The difference is that in security, I think security has been spoiled thinking that you can enforce stuff by the virtue of pushing the policy down. And that, I think, is the difference. Because at the very fundamental level, if the security team wants to achieve something, wants to achieve a lasting change, they have to do the exact same thing that the product team needs to do. They have to build relationships, become evangelists for their cause. That's how you do it, not by pushing the policy and saying, “Sign off,” because people don't follow policies. And an easy way to check it is to ask security teams, how often or how many times do they follow HR policies? You know, the security team is not the only team that sends their policies. Human resources teams love to do it as well. Now everybody signs those policies. How many people read them? How many people go through the mandatory workplace, like, harassment prevention trainings? Now, people may go through it. How many people care about those? Not many. And so if people don't care about harassment prevention, why do they treat security any differently? To me, I think we just have to be realistic, and security teams, to be very fair, security teams have no choice but to go and become evangelists for their cause. Yeah. The downside is that in many companies, people don't want to listen, because that is not the, you know, that is not a part of the culture. And the same, by the way, is true for human resources. Those two functions are also kind of similar, yeah, in that the only, you know, every great HR leader I've met always thinks about building the right culture at the company, making sure that people are empowered, making sure that people have room to grow. But the majority, probably like 90% of what they end up doing is just sending policies, because all of this other liberal arts stuff is not interesting to the business. The business does not want to invest into it. And so security is kind of similar.
Security teams want to go out and build the right culture, make sure that the company is actually resilient and it can withstand breaches. The business doesn't care. The business just cares about the fundamentals.

Raghu Nandakumara 41:21

I think that's a fantastic analogy. And I think the other thing there is that if all you're trying to do is push down policy, well, there's always an exception to every policy, and all you end up doing is managing exceptions.

Ross Haleliuk 41:34

And look, the reality is that policies are needed, but they're not like 100%, I think. Like every enterprise at scale has to rely on policies as the way to implement security, but that cannot be the only way. Yeah, there is so much that has to come around it, and I think the industry is in a very interesting spot. Because I do, I do see more and more companies starting to understand the importance of security, not because they want to. I mean, if they could, they would just not care, but because they read the news. The executives read the news, and they see, oh, this company, like, this buddy of mine, really, I know, like, you know, we drink together, we go out, we meet at conferences together. They just got breached. Can we get breached? Like they were just down for a week and a half. Can we be down? So it's, it's starting to feel a bit more real. But again, it all comes down to the ROI and companies that understand ROI, companies that, for example, decide not to invest in some security measures because they think that, you know, addressing the breach post factum is a better idea. I think those companies are making decisions, and they should be willing to live with those decisions. The unfortunate part, however, is that security people at those companies aren't the ones making those decisions, and so the company decides, you know what, it's okay, we are not going to invest in this set of security controls. And then when the breach inevitably happens, the security team is expected to work 24/7 to remediate it. It's like, those people have already been trying to do their very best, like, leave them alone. I don't think, like, if people are looking for fairness, security is probably not the place to find it.

Raghu Nandakumara 43:20

It's so true. So I didn't realize you were going to take the incentive conversation in this angle, but I'm glad you did, because I think it's great, because we've spoken very much about incentives within an organization. So very briefly, I'd love to get your thoughts on external incentives. And by this, what I mean is, do you think that, whether it's industry regulators or government organizations, I see that there are a lot of sort of sticks, and we see this as, if you don't achieve this compliance, you'll get this fine, or you won't be able to do this business, etc. But do you think there are enough in the way of positive incentives, carrots, for organizations to truly improve their security posture, focus on the basics? Because something came out in the UK last week. The UK government announced, like, I think it was a two, £10 million sort of funding for the public sector, for improving security in the public sector. And initially, I had two thoughts. I said, “Well, that's great, but it's a drop in the ocean.” Like, what are your thoughts about those external incentives to encourage or force organizations to improve their security posture?

Ross Haleliuk 44:28

Yeah. I mean, look, we know, we know for sure that compliance regulations and the government checking in on companies to see if they, if they implement certain types of controls, most definitely do work. They work up to a degree. But unlike some people who like to talk about compliance as being something bad, I actually think compliance is a great thing for the industry, because it sets that foundational set of controls and it forces companies to invest at least some and think about their security. So it's not that they will never go beyond it, like compliance, like, by no means does the compliance say, “Oh, you should only do the bare minimum.” It says you should at least do the bare minimum. So from that perspective, it is great. As far as the carrots are concerned, look, it's hard to know, because the carrots, the carrots come down to money, right? And insofar as a company can make more money by investing more in its security controls, we will see the carrots working. So, for example, a company in an industry where it needs to prove to their customers that it handles their data with care will most definitely want to invest into security. A company in a market where they might find a way to differentiate against the competitor by being more secure and having a more robust security posture will most definitely find a way to differentiate and make these investments. But that's like, that's a small percentage of the market. The majority of the market, I don't know what kind of carrots we can, can we think about? Like, we can, we can just hope that the carrot of not getting breached is enough of a carrot, whether it's a stick or a carrot. You can view it, you know, through your own lenses. But I think, I think as an industry, look, I'm very optimistic. I talk to different companies, I talk to different founders, I talk to different security leaders, and it's apparent to me that things are evolving.
People are trying to do their best, and in more cases than not, they're actually succeeding. Like, yes, we do see a growing number of breaches, but at the same time, the infrastructure has been getting more and more complex year after year, and there are more and more companies out there that are being built, like, digital first. So the attack surface is expanding. At the same time, I think there is an opportunity for us to do even better, but I do think that as an industry, we have to learn to celebrate the small wins and be happy about the state we are at and continuously use that as a foundation and use that as a baseline and continue to improve. I think there is a lot of doom and gloom in the industry, and I think we can do better.

Raghu Nandakumara 47:21

Yeah, I like that sort of message of hope. I think it is important and correct and positive, because a lot of work, good work, is absolutely being done. And I think that, to sort of reinforce some things that you've said, it is often the gaps that get highlighted, but those who are actually investing the time and the effort and the skill to improve security posture aren't celebrated nearly often enough. Before we wrap, because I realize that we're sort of close to time, I'd just love to get, as someone who has ears and eyes to the ground of the cybersecurity, sort of, vendor ecosystem, like as you've watched this space over the last couple of years, and sort of every vendor presentation, every conference has just turned into a sort of AI word cloud: how have you been navigating through the fog and being able to extract, sort of identify, where vendors are really putting AI to productive and genuine use?

Ross Haleliuk 48:31

Look, I'm going to say something controversial and probably something that I will regret saying publicly and on the record: I just don't think it matters. I generally don't think it matters. I think to me, with AI or without AI, the conversation is really, really simple. When a security buyer approaches a vendor and the vendor pitches their AI as something, there are really two steps they can take to get the answers they need. One is try removing AI from the pitch and see if the pitch still makes sense, because it should, right? If people think that they're using AI to do X, like, try to remove AI and say, do you still care about that X? Because if you do, it may still be a good conversation to have. And if you don't, it doesn't matter if there is AI, yeah, just move on. And then the second bit that's a bit deeper is just ask what problem they're trying to solve. Because it's one thing to say that, “Hey, we are using AI and we are solving the problem XYZ,” and it's another thing to just say we're using AI, like too many companies say, we are AI-powered, you know, three-letter acronym, and that's nice. But what problem are you trying to solve? A different problem than this other tool that the company already has, or are you solving it better? So I think, look, it shouldn't be a security leader's job to try and understand how the company uses AI, like that's really not what security leaders are there for. It should be a security team's job to try and understand that the questions they should be trying to answer are, hey, does this solve my problem? Does it do it better, cheaper, and more efficiently than this tool that I already have? And if the answer is yes, who cares how they use AI? Obviously, make sure that you know how the data is being used and not shared, and so obviously go through all the right security checks. But as far as the functionality is concerned, focus on capabilities, focus on the outcomes. And if vendors cannot do it, at least the buyers can.

Raghu Nandakumara 50:43

Yeah, absolutely. Last 30 seconds. Ross, what gives you hope in 2026 when you look at the site, when you look at cyber?

Ross Haleliuk 50:50

Look, I think it's the fact that, as you've said, a lot of the industry has been starting to refocus a lot on fundamentals. Like we are seeing, like, the companies that have been getting acquired are the companies focused on fundamentals, the companies who have been getting great exits, if they're focused on fundamentals. Security leaders that have done well have been focused on fundamentals. So to me, that is really the biggest message. But aside from it, look, I think the industry in general has matured incredibly well. It's been only 30 years since the first security leader, the first CISO, was hired by a US bank. 30 years is not a long time. Fast forward to today, and we are at the point where we have the number of security leaders getting a seat at the leadership table, the number of security leaders being able to talk to the board and raise their concerns and talk towards holistic risk management. Like it's, I think it's a great time to be in security. I absolutely don't subscribe to the whole, to this whole, like, doom and gloom. We've achieved a lot in the industry. We've, you know, we've been able to address a lot of the very basic problems that have been plaguing, plaguing this industry for a while. We've been able to replace a lot of insecure protocols with more secure protocols. We've been able to replace a lot of insecure defaults with secure defaults. There is so much that we have done, and I think we should be proud of that work, and we should continue building on top of it.

Raghu Nandakumara 52:21

Ross, it's been such a pleasure. Thank you for being so generous with your time. Just had a great conversation. Really appreciate it. Thank you.

Ross Haleliuk 52:31

It's a pleasure. Thank you so much.

Raghu Nandakumara 52:33

Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter at Illumio. And if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.