In this episode our host Ashish Rajan sat down with Ross Haleliuk, author of Cybersecurity for Builders and creator of the Venture in Security blog, to explore the current state and future of the cybersecurity industry, from the challenges of building a cybersecurity startup to the dynamics of security engineering and market trends for 2025. Ross and Ashish discuss why the cybersecurity industry isn't as crowded as it seems and the divide between companies that build security in-house and those that rely on vendors. Ross also unpacks why sales and marketing aren't "dirty words" in cybersecurity, why security engineering is "the present," and how practitioners can balance business needs with technical aspirations.
Questions asked:
00:00 Introduction
05:33 How Venture in Security started?
09:33 Security Engineering in Cybersecurity
18:18 Cybersecurity markets that will be top of mind in 2025
24:15 GTM for Defender Tools
30:09 Vulnerabilities vs Misconfiguration Tools
37:56 How should product companies think about GTM?
44:27 How to decide between different security tools?
56:36 Cybersecurity for Builders book
01:05:00 The Fun Section
Resources from the episode
Venture in Security Blog
Challenges in Security Engineering Programs - Rami McCarthy
Cybersecurity is not a market for lemons. It is a market for silver bullets
Ross Haleliuk: [00:00:00] When I worked in fintech, there were 50,000 vendors. In cybersecurity, there are about 5,000. So that is 10 times fewer. If you say that cybersecurity is everybody's problem, then 5,000 vendors is probably not that many. Rami McCarthy contributed a blog post to Venture in Security talking about the fact that security engineering is not the future, it is the present.
It is just not equally distributed. I tend to agree with that thought. The vast majority of the market are companies that don't actually have incentives to invest in security, but they're the ones that need security the most. If attackers are successful using the methods and techniques and the attack vectors that they have been using for quite some time, why would they change?
If you're building something that targets software engineers, you're probably going to have a very hard time. Is this something that is unique to my organization? Is there a real need for me to build? In the world where breaches happen every single day, the fact that somebody gets popped [00:01:00] is no longer a reason for you to not use their product.
Ashish Rajan: If you have been in the cybersecurity industry for some time, like me, chances are you have either worked with a cybersecurity vendor or considered being a cybersecurity vendor yourself. Perhaps you wanted to start a startup because you just hear about all these amazing cybersecurity challenges being solved.
And you, being an engineer or a builder, are curious as to what's involved in building a cybersecurity startup. So in this conversation, I had Ross, who is behind the Venture in Security blog, as well as having written a book called Cybersecurity for Builders, where we spoke about some of the different challenges and how we as practitioners walk in with a bias when we're trying to build a product.
Now, this is a very different topic to what we normally cover on Cloud Security Podcast. I wanted to use this as a starting point for what it could look like if you were trying to build a cloud security product yourself, or if you're trying to build a cybersecurity startup in 2025. So Ross has been involved in this conversation for the past three plus years, working in the nuts and bolts of how [00:02:00] cybersecurity works. Coming from a non-cybersecurity background, he has a very interesting perspective. I hope you enjoy this episode.
Again, it's not for everyone, but if you are someone who's interested in starting a company or wants to understand the zoomed-out picture of what the cybersecurity industry is about, which perhaps is a good idea to see how the cogwheels of IT work, this is definitely a great episode. I hope you enjoy this episode and I will talk to you in the next one.
Welcome to another episode of Cloud Security Podcast. This is a bit of a difference. We're looking into 2025, for what cybersecurity is looking like in 2025. And I've got Ross here. Hey man, welcome to the show. We've known each other for some time, and we were talking about your book, and so many things you're working on as well.
So maybe to start off with, could you give a bit of an introduction about what your journey has been so far? You don't call yourself cybersecurity, but you still work on cybersecurity products, you do cybersecurity things. What is inspiring you these days? And what's a bit about yourself?
Ross Haleliuk: Thank you so much, Ashish.
It's a pleasure. Super happy to be here, to finally make it on your podcast. I've been a long time listener, not a very active one, but a loyal one. I [00:03:00] appreciate that. Yeah, I'll take that. How about that? Yes. On my end, what am I? I'm first and foremost an operator.
I'm a product guy. I have been in product management and focused on product, building products, go to market for the past decade or so. I started in e-commerce, retail, wholesale, moved into financial technology, spent some time in fintech, and then at a certain point fell in love with cybersecurity, moved into cybersecurity, and have never looked back since.
I am a big fan of the industry, super passionate about the space and the difference this space is making in people's lives and in companies' lives as well.
Ashish Rajan: Could you double click on that a bit? Because I think it's funny, as someone who's always spent his time in cybersecurity.
How do you see, the cybersecurity industry? Why do you feel attracted to it?
Ross Haleliuk: First and foremost, I see it differently than many people.
Cybersecurity is a fairly small industry. One thing that illustrated just how small it is was when we had this CrowdStrike debacle several months ago: there were some news media writing articles [00:04:00] about CloudStrike, like a small cybersecurity startup called CloudStrike, which eventually ended up getting corrected.
But my point being, we in the industry, when we look at the largest security players, outside of security, most of the companies we are looking up to are not even known, right? Like when you think about large players, you think about Amazon, you think about Google, you think about Meta. Cybersecurity companies are nowhere near that. Having worked in financial technology, I know that cybersecurity is much less crowded than people think. When I worked in FinTech, there were 50,000 vendors; in cybersecurity, there are about 5,000.
So that is 10 times fewer. If we say that cybersecurity is everybody's problem, then 5,000 vendors is probably not that many. Are there more vendors than the market can handle in many of the individual categories? Absolutely. But is it really much less crowded than marketing tech, much less crowded than [00:05:00] FinTech, much less crowded than HR tech?
I find it fascinating how getting outside of the security space, the main industry you spend most of your time in and just seeing how other industries function, it will give you a different perspective.
Ashish Rajan: I love it also because a lot of people don't get to see the perspective from outside in. We always look at it from a, hey, I know the top vendors, the dinosaurs of the cybersecurity world. You see them everywhere. They're like the biggest players, and a lot of people don't zoom out a bit and go, oh, broadly, we are still tech, which is just a subcategory within tech and just basically facilitating that. What I would like to take this to is the Venture in Security blog that you've been writing and I've been following for some time as well.
What is it? 'Cause I want to peel off a few more layers of what you've covered in some of those topics over the time you've been doing it and maybe give that a more futuristic perspective. So what is Venture in Security?
Ross Haleliuk: About three and a half years ago, I joined Lima Charlie as the head of product, and I was fairly new to the security space. My goal was to understand how the industry functions, to be [00:06:00] effective as a product leader, so I started reaching out to people, going to different events, conferences, and very quickly what I came to realize was that there are plenty of brilliant minds in cybersecurity who have a fantastic understanding of the technical side of the industry, but there are very few people that have a good understanding of the business side.
My questions were to a certain degree technical, and those questions I was able to successfully answer by going to some great blogs, buying books, attending BSides events, Black Hat, other conferences. But I also had plenty of questions around what does the go to market look like?
Who are the different players in the space that I need to be aware of? How do the incentives of different players and their agendas influence the trends in the cybersecurity space? What does it take to build an open source project in this space? How many successful companies started in open source?
What does it look like to get your product [00:07:00] into the hands of security practitioners and get them to actually try it? So all of the kind of questions that are fairly far from what the majority of the technical blogs and technical writers cover. And so as I was going through that process, I spent a lot of time, aggregating my own knowledge, talking to people, asking dumb questions.
Over time, I ended up with a Google doc that had between a hundred and two hundred pages. It was all kinds of notes, charts, graphs, pictures and me trying to summarize some of the learnings.
Some morning in January of 2021, I looked at all of those notes and said, you know what? If it's taken me such a long time to piece all of it together, maybe somebody else will benefit if I share a bit. I published an article and a bunch of people reached out to me saying, hey, this was actually super useful.
I said thank you. And then I published another one. And very quickly, I got 500 subscribers and then 1,000 and then 2, 3, 4, 5 and 10, and at a certain [00:08:00] point, it just got out of hand. And I ended up in a spot where I have a blog. It is a weekly or a bi-weekly blog and people expect that I'm going to be talking about something.
I've benefited tremendously by just being able to share what I see and get continuous feedback. Somebody will reach out and say, hey, this thing that you've said works this way; actually, here is something you haven't mentioned, and here is why it's important. That way I was able to accelerate my own learning.
So it's been a fantastic experience. I definitely recommend to anybody who is interested in learning and accelerating their own learning to share more, to speak more. And to give away as much as they can because they will get back much more.
Ashish Rajan: Oh, wow. It hits home because that's what some of the foundation of Cloud Security podcast was as well.
A lot of people who watch our content, they're cloud security people, cybersecurity people, CISOs and all that as well. A lot of them are what I was before I started the podcast. We all look at it from a, to what you said, a technical perspective. I have a problem, I want to solve it. I buy a product or I build it myself or my team builds it.[00:09:00]
Ross Haleliuk: Or you access a service.
Ashish Rajan: Or you access a service. Or MSSP as well. There you go. For us, the other half of it, like what goes behind building a product, then getting it in front of a CISO or a decision maker and buying the whole thing. That's where the GTM comes in.
Just where people like the work you and I are doing informs people of how can you make better decisions or why did someone go down the path of having a free product with a paid product at the back end of it, there's so much goes into that. And I know for sure, talking to a lot of people in the audience a lot of them are of that ethos, they want to build a cybersecurity product one day.
Taking that perspective, I have a few buckets. I've gone through your blogs and got a few buckets that I thought were interesting. One was the security engineering one. How do you see security engineering? On both sides, where either you borrow security engineering from someone else because of a service, or you build yourself because you can't buy a product, or you buy a product because you don't want security engineering. What are your thoughts on the whole security engineering space in cybersecurity at the moment?
Ross Haleliuk: I think it's a small space.
Ashish Rajan: Shrinking [00:10:00] space?
Ross Haleliuk: It's a small space. I think it's a small space.
Ashish Rajan: Right.
Ross Haleliuk: For the longest time I had this idea that the cybersecurity industry is maturing.
And as the industry is maturing, we will see more and more companies hiring security engineers, hiring security architects, developing some security capabilities in house. I don't believe that anymore. I still believe the cybersecurity industry is maturing.
But the process of maturation does not necessarily bring more security in house. On the contrary, it's pushing more security to be done by third parties. So when we were talking about security engineering, I think that there are plenty of examples of cybersecurity startups that are being built to cater towards the most cloud native, venture backed, tech forward companies.
And there is absolutely nothing wrong with that. That is certainly one of the ways to enter the market. The reality, however, is that the vast majority of the market is [00:11:00] anything but cloud native, anything but tech forward. And the reason it matters is because if you look at the stats on where the GDP of the United States or European countries or literally pick your country is coming from, like what are the main contributing industries to the gross domestic product, you will find that technology is actually a very small slice of that.
Instead, you have areas like services, oil and gas, mining, healthcare. The list goes on. Somewhere around there is the IT space, but then you double click on the IT space and you realize that even within the information technology space, the vast majority of the companies that actually matter in terms of their financial performance, they're anything but cloud native, right? They are going to be tech forward.
The reason all of those things matter is because over and over when security engineers are looking to start companies, they go back in their memory to [00:12:00] all the companies they've worked at and the problems they've experienced and say, I'm going to solve that problem.
Rami McCarthy contributed a blog post to Venture in Security talking about the fact that security engineering is not the future. It is the present. It is just not equally distributed. I tend to agree with that thought. There is a big divide between the types of companies that are able to afford and have reasons to hire technical security talent, such as security engineers, security architects, and the kind of companies that just don't have the reason to do it.
I don't think that divide is going to disappear. If anything, it is going to get even bigger, meaning I would not expect that over the next decade we will start seeing a huge demand for security engineers at the types of companies that are currently not hiring them.
Ashish Rajan: Oh, fair.
Yeah. So if an oil and gas company never started with engineering, they're not going to start engineering tomorrow either. Yeah, it's a fair point. That ties in well with what you said about the GDP of any market. [00:13:00] The listeners or watchers may be in a market which is heavily on oil and gas or mining.
I'm going to give the example of Australia because that was my previous market. There were banks but oil and gas, mining was a big thing. It still is a big thing. I think the number one thing in Australia is still mining.
Ross Haleliuk: They also don't necessarily have the incentives to buy security tools. That's right. Yeah. Yeah. Because if you are a SaaS company, security is very much a part of what your customers expect you to offer.
If you say that, hey, my value proposition is that I store your data and I do something with your data. One of the questions a customer is going to ask is my data going to be secure if I share it with you? If you, however, are talking about retail, there is less of that incentive, right?
Whenever I go to buy a chair, be it at Ikea or at any of the other places, how much do I care about my purchase data being lost? I do care about my credit card details not being shared. And that's where PCI comes in. But apart from that, I don't care all that [00:14:00] much.
There is this mismatch where the vast majority of the market are companies that don't have incentives to invest in security, but they're the ones that need security the most. The difference you can make as a security practitioner by helping a company go from zero to one is much more impactful than helping an already mature enterprise get just a tiny bit more mature.
Ashish Rajan: So to summarize, security engineering, to quote Rami, is the present. What would it become in the future? Where are we? Is it going to be replaced by services or replaced by... and I'm still talking 2025, but if you want to go the next five years, more than happy to.
Ross Haleliuk: I genuinely don't know if that's going to change all that much.
I think the vast majority of companies are going to continue accessing security expertise through comprehensive solutions they buy from a vendor. Whether a vendor is 60 percent product and 40 percent services, or 90 percent product and 10 percent services, or 90 percent services and 10 percent [00:15:00] product.
I don't think that should matter to an end user, to an end customer. It shouldn't.
And so what I think we will continue seeing more and more is that security vendors or providers of security solutions will continue accumulating that security expertise, while the rest of the market will be accessing security expertise through those vendors, and then the top one or two percent of the enterprises will continue doing what they're doing today, where they have an in house security team.
Ashish Rajan: Oh, actually, that's a good point as well, because it's worthwhile calling out, to what you said about the GDP of different countries, that the market itself is quite spread out. It's not that everyone's an enterprise. It's not that everyone has to be; that could change. I think we get a lot of questions sometimes.
So we started something called Cloud Security Bootcamp to educate more people on cloud security because there's not good knowledge on it, because there's a training gap or whatever. As we went through that over the past one year or so, we also realized that the problems that were being faced by an engineer in an enterprise were very much, for lack of a better [00:16:00] word, siloed.
They're the ones who, when you hear a vendor talk about, hey, get the engineering on board, get these people on board. In an SMB, the engineer is the security person, the engineer is your DevSecOps person, the engineer is the one doing zero trust, and at the same time looking at performance, optimization, cost, all of that. They have to do a lot more than just be a cloud security person or a cybersecurity person.
Ross Haleliuk: One of the ways in which cyber security is not necessarily unique, but different than plenty of other industries is that in many tech markets or sub segments, you can build a solution that you can sell to a mid market or to SMBs.
After you establish yourself in that market, you can move up market and start selling to the enterprise. For example, if you're talking about a task management tool, I can be an individual that uses a task management solution for myself. I can bring it into my 45-person company.
I can get it adopted there. Once [00:17:00] that solution has gained enough credibility, they can start moving into the mid market enterprises. Then they add a bunch of security capabilities, which realistically speaking, sadly, would be SSO and audit log support or ISO
Ashish Rajan: Compliance or whatever.
Ross Haleliuk: And, like better, RBAC. And then they become an enterprise solution so they can start selling to enterprise. In security, the problems that the mid market is experiencing and the way they are looking to solve it are often very different than the problems that large enterprises are experiencing and the way they're looking to solve it.
Security solutions targeting mid market or targeting SMBs in particular, they're really like the Swiss knife products, right? You have all kinds of different offerings bundled in one place. Large enterprise, on the other hand, is much more inclined to get the best of breed that focuses on this one problem and then another best of breed product that focuses very specifically on this other problem.
It's better if they're all offered by the same vendor, by the platform [00:18:00] providers and so on and so forth. But the mindset is still very different.
Ashish Rajan: I guess to your point, the takeaway for people who are watching and listening to this would be if you are someone who leans more on the technical engineering side, you're passionate about it, then if you are looking for a new job, perhaps in 2025, you're probably looking at, what are some of the companies that will continue to do engineering?
Now in terms of, the other aspects I also wanted to talk about, there is a cloud security space. There's the data security space. There's so many spaces in, I'll just quote you earlier, hashtag Gen AI world that we are living in as well.
What are some of the markets that are top of mind for you at the moment, that you see being top of mind for 2025?
Ross Haleliuk: I'm a big believer that trends are temporary. In order for you to succeed in life or in security or in anything else, like you can be as specific or as generic as you want, you have to stick to fundamentals.
And I think that is very much true in cybersecurity, where if I were to think about what were some of the problem areas that people paid attention to three years ago, I would probably say email [00:19:00] security, endpoint security, identity. I think there was more attention paid to network security at the time.
Ashish Rajan: Cloud security was still there. Cloud security, yeah, cloud security.
Ross Haleliuk: That's your top five.
Ashish Rajan: The big ones yeah.
Ross Haleliuk: If I am looking at 2024, what are we paying attention to? Identity, cloud, email security, endpoint security, email security, cloud security, identity, endpoint security; there is also vulnerability management, patching, all that. Those are the fundamentals, right?
The problem areas have not changed dramatically in my view, because realistically speaking, if attackers are successful using the methods and techniques they have been using for quite some time, why would they change? This is where the difference is between the attacker mindset and the defender's mindset.
Attackers care about results, which in their case are very easy to measure. Did I achieve the goal I was setting myself to achieve, or did I not? On the defense side?
Investors fund a [00:20:00] certain market category; startups in that category, after getting money from VCs, now have marketing budgets. So they're starting to actively educate customers or prospects about the problem space they're tackling.
Is that the right thing to do? Absolutely. That is how I believe the industry learns. And this is where I disagree with a lot of the security leaders and people in the cyber security space who say Oh, there is too much marketing. There's too much this and too much that. Look, there are inventors.
There are security practitioners who come up with better ways of solving security problems. I don't know who came up with MFA. I genuinely don't. But in order for the MFA to get adopted, RSA first had to build RSA tokens. Then Duo Security had to build their own very intuitive MFA experience, then YubiKey and similar hardware key providers had to manufacture those and supply them, [00:21:00] all of those vendors had to go to the market and educate the market that, hey, MFA is important and here is why.
I am not making a statement that cybersecurity vendors are solving all the problems. My statement here is that whoever comes up with new ideas is not centralized: researchers at universities come up with great ideas, open source software developers launching projects on the side on top of their full time jobs come up with fantastic ideas.
At the end of the day, somebody has to take this idea, turn it into a product, sell that product and educate the market about it. Sales is not a dirty word. Sales is how we solve problems. Going full circle to the question about the problem areas and what people are paying attention to, those are the same problem areas.
It's just that we will never be able to come up with a perfect solution, but maybe some of the tools that we have today could equip us to build a better solution than the one we had before. But the problem areas are still the same. Still identity, still cloud, still endpoint, like for as long as attackers are going to be using the very same methods that they have been using, for as long as ransomware is going [00:22:00] to continue being a problem, the way we solve those problems is also probably not going to change all that much.
Ashish Rajan: Yeah, and maybe I'll add data security in there as well. 100%. Yeah, I think the only reason I say data security to be called out separately is because I think a lot of security people had data policies and stuff that they thought they were doing for data security. Gen AI kind of exposed that to the point that we have a policy but no one implemented it.
And I think this is like the other side of being a practitioner: you may have the best of intent, you may have the best cybersecurity products, but if you can't align it to what the business wants to do, and if it's Gen AI, it is Gen AI, you need to be enabling them in a way that is at least balancing the risk to a comfortable point.
So the number of cybersecurity vendors we have in this space at the moment, they're all focusing on both sides, the defender side, the attacker side. Hey, we do threat intelligence. We find out the threat before you even find it. We are on top of CVEs for you. And then the other side is like implementing cybersecurity products for bugs and everything else we found.[00:23:00]
We spoke about this earlier before we started recording about the general IT world, if you were to look at it, how cybersecurity fits into it. There is the people who are creating the product and then there are the people who are supporting in the background to what you said, I may be an oil and gas, energy, health, whatever.
My main business is looking after Ashish when he's sick. It's not to build the best technology that I can put on his strap or a wristband that he walks around with telling him how many steps he did because he walked from point A to point B or whatever. We are primarily just supporting an existing business.
If no one spoke about, Hey, there's a better way to get from point A to point B, you don't have to go on a horse ride. You can just get a car. If no one spoke about it, we would never find out. So I think the reason I bring that up is because on the defender side, how do you see that cybersecurity landscape in terms of, you had a blog about open source as well.
Then there's a whole blog about engineering. Obviously that's I feel like this, that's the next natural step after security engineering. We're like, am I building? Am I buying? Which every decision maker has to do it with. So as a person who [00:24:00] looks at the market, how do you see that done wrong from a GTM perspective?
What are your thoughts on how people should approach the build? Accepting that there would be people who would always build. Where do you see that go specifically for vendors who are probably building today?
What is the right way to approach GTM for that?
Ross Haleliuk: Again, it comes down to the market and the problem you're trying to solve. And I think that the answer is going to be true for basically just anything around go to market and around product management. If you're building something that you believe could be solving an existing problem better, then it better be 10x better, not just incrementally better, because you will have a hard time getting it adopted.
If you're building something that targets software engineers, you're probably going to have a very hard time because software engineers don't have incentives to think about security on their day to day. If you are inside an organization, if you're a buyer of solutions and you're thinking [00:25:00] about build versus buy, then first of all, you're probably a software company or you're probably like the representative of that 1%, like that top one or two, top 2 percent, because the vast majority of the companies don't have an option to build.
What do you build? Yeah, if you are a factory that manufactures some asbestos products, you need to ensure that all of your machines on the manufacturing floor are going to be available and are not going to be ransomed. There's plenty of security needs that you will have, but you have no talent to build anything.
If you are indeed like the kind of organization that has the luxury to be able to afford the talent that can even build, then I think the question you have to ask yourself is this unique to my organization? Is there a real need for me to build? Because in most cases, the reality is that there isn't.
And so I think when AWS started, it had this concept of undifferentiated heavy lifting. And I think that most [00:26:00] security solutions built in house are precisely that: they're undifferentiated heavy lifting, meaning they do not help the company to build anything proprietary that would help them generate more revenue.
They don't help the company ship better products. They are simply solutions built by engineers. Engineers are passionate about specific problems and they want to get promoted and there's all kinds of incentives that are at play. But in most cases the number one driver is not that there is not a good enough solution on the market.
Now, there are plenty of emerging problems when there isn't the right solution in the market, in which case you have to build. The usual way those tech forward cloud native venture backed companies adopt security solutions is that if they run into a challenge that isn't yet being addressed by any of the existing vendors and they have the right resources, they can prioritize building it, they will build it.
But [00:27:00] the moment there is a vendor on the market, even if it's a small startup, that reaches out to them and says, hey, we are building this thing that you probably have built in house, it is usually smarter to abandon the internal development effort and become a design partner for that company, because over the long term it's going to be cheaper and better if, instead of building everything in house, you can just help shape the direction of a startup so that they ultimately end up building probably like 80 percent of what you need, because in most cases, 80 percent is good enough.
There are, however, cases when the problems you're experiencing are the kind of problems that just nobody else is experiencing, in which case of course you have to build.
There is no doubt there. But I think what happens much more often in practice is that decisions are being made about building that are prioritizing the individual aspirations of people interested in building over the business needs.
But you cannot judge [00:28:00] people for doing it. From the individual standpoint, it makes sense, right? Because if you work in cybersecurity, a lot of the work you're doing is fairly mundane; you have to focus on business priorities.
And a lot of those business priorities, they're basic, right? They're not easy to achieve, but they're also not the most exciting: you're building some automation script, doing all of that stuff. So whenever a security engineer finally gets to build something they're excited about, it just makes sense.
Ashish Rajan: Actually, it's funny, because a lot of products these days, and cybersecurity vendors specifically, will try and talk about developer-friendly environments. But most environments aren't developer friendly because they are creating, to what you said, revenue-building features, revenue-building products.
They are the main source. We are there to support them. Correct. Yeah, so we're not there to be blockers. Hey, how can I enable this in a way that we don't get hacked tomorrow?
I definitely find the cybersecurity market at the moment is divided into two. On the vulnerabilities side, when people think about that, they're thinking about CVEs, threat detection, hey, this detection [00:29:00] response, I have a new CVE that comes out, there's a vulnerability, I'm on top of it, zero day, whatever, throw another acronym at it if you want. And the other one is misconfiguration, where we have many C acronyms now and there's a long list and they keep maturing.
Ross Haleliuk: All SPMs.
Ashish Rajan: All SPMs as well. Do you feel there are different markets?
Ross Haleliuk: Honestly, I don't think it matters. Like maybe, see, I'm not a deeply technical security practitioner, nor am I a good philosopher. I'm a pragmatist, right? So for me, does it matter if it's a vulnerability? The question is, does it impact your business?
Does it impact your ability to stay operational and generate revenue? If the answer is no, then it doesn't matter. Even the question of data loss, and I'm sure what I'm about to say is not going to age well, I'm probably not setting myself up for success, but I still will say it: the reality is that when you talk to security leaders from different organizations outside of SaaS,
I'll specifically make this statement outside of SaaS, and you ask them, what is your biggest concern? It's not data [00:30:00] breach. It never is. Okay. It absolutely never is. It is, how do I stay operational? How do I make sure that my business keeps running? Now, there are types of companies that actually care about data breaches.
And they're not publicly traded organizations. They're not your oil and gas, your mining. The only type of companies that actually care about data breaches and data loss are SaaS providers. Because when you're a SaaS provider, you're selling trust.
You need people to trust you. Yeah. When you're not a SaaS provider, it doesn't matter. It very much matters for us as a society. It matters for individuals whose data gets lost. It matters a lot. But we have become so numb to the idea that there is a data breach. I remember I was a speaker at a security conference about a year and a half ago.
Somebody on the stage was saying, the talk had something to do with data breaches and how we should be mindful and like all kinds of different things. And the whole premise was that data breaches are incredibly bad because they impact the perception that people have about the business.
They impact customer [00:31:00] trust. I asked people in the audience, who were all security practitioners, how many of them had stopped using their favorite ride sharing app when it got breached. Not a single hand went up.
And that, to me, is the point: in a world where breaches happen every single day, the fact that somebody gets popped is no longer a reason for you to not use their product. Now, you may argue that there are examples when a security company gets breached several times, in which case there may very well be a loss of trust. But even then, if they're so deeply embedded in the company infrastructure, how many companies are going to say that the number one priority for the business this year is not revenue generation, ensuring efficiency, enabling employees to achieve efficiency, leverage new technology, become more productive, and instead it is going to be ripping out this tool that otherwise works fine?
I'm not saying that's the right approach, but [00:32:00] pragmatically, that's how I'm thinking about it. So going back full circle to your question, honestly, I don't know if configuration mistakes are vulnerabilities or not. I don't think it matters. What matters is ultimately, does it lead to the kind of outcome that we are trying to avoid?
If the answer is yes, how probable is that? How likely is it? I think that is where a lot of what we think about in security doesn't translate well into business outcomes. Yes, there is this vulnerability we've identified. There are these 10,000 CVEs; which of them should we fix?
Just because they can be exploited doesn't mean that they're being exploited, right? So how do you prioritize? I do think that as an industry, cybersecurity is dealing with the kind of problems that sadly most organizations are not really incentivized to solve at the core.
Ashish Rajan: Even though security is the number one priority?
Ross Haleliuk: Security is a stated priority, depending on your compliance regime. I believe that there are only two reasons why companies invest in security. One is sales enablement. [00:33:00] So, what do we need to remain in business? If we do not satisfy some compliance requirement and the government comes after us, they can shut down the company. Yeah. So you have to make sure that we can remain in business. The second bit, part of the same sales enablement: we have to make sure that we can continue selling.
Why are SOC 2 automation tools so popular? Because they come into startups and they tell them, Hey, startups, do you want to sell to those large enterprises? Guess what? For you to sell to those enterprises, you have to get SOC 2 compliant.
That's a good argument. The other argument is fear. And if people are afraid of something right now, what are people afraid of? Ransomware and Gen AI. So if you're building something that prevents ransomware or helps companies deal with the potential AI mistakes that they're afraid of, that is going to sell.
That doesn't mean those are the only problems that have to be solved. In fact, there are plenty of problems: there is a problem with cloud configuration, endpoint security, email security, phishing, and all of that.
But at the very [00:34:00] fundamental level, what people are going to be drawn to and what people are going to be looking to purchase is, first and foremost, sales enablement: what enables the company to generate revenue. And then second is, what am I really afraid of?
Ashish Rajan: And I guess, to your point, the word that he used from an Amazon perspective, what was it?
The undifferentiated heavy lifting. And I guess this is one of those where it would be a heavy lifting that's probably not needed, but if you can automate that piece, it's already enabling you to go faster into the market, do sales.
And granted, we're talking specifically about startups versus enterprise. Even in the enterprise context, or a large or medium-size one, sales is still the reason why security exists, because you're building trust in the brand. Hey, I want to buy a shoe from Nike because I trust the brand.
It doesn't have anything to do with the fact that I'm passing my credit card information every time I buy a new version of a shoe or whatever; I trust the brand Nike. But the day I find [00:35:00] out that, hey, they've been selling my data in the background, I would stop buying. Even when there was a bank breach, how many people actually changed their bank account?
I know people who have never changed their bank account for 20, 30 years.
Ross Haleliuk: But that's an interesting thing. I think banks are a very interesting example of something that is so fundamental, and yet we don't talk about this often enough. What happens when your credit card is compromised and somebody uses it to buy stuff that you don't want?
So what happens?
Ashish Rajan: Usually the fraud department picks it up, and they refund you the money, and they issue you a new card.
Ross Haleliuk: Then let me ask you this, like 100%, like it happened to me once or twice. Oh, I think twice. What is the incentive for the individual that became a victim of fraud, of credit card fraud, to change their behavior? Nothing. Like the bank abstracts away the complexity of dealing with fraud and so on and so forth, and just lets the individual continue living their life the way they've lived it before. There is also a sentiment in cybersecurity that people need to start [00:36:00] caring about security. My question is why? What is it there that should compel an average person to start caring about their security? Now, I'm not saying this as somebody who does not believe that they should; I do. It will come down to incentive design, right? And people's fears. And at the very basic level, to them, knowing somebody who has suffered from identity theft, for example, there are plenty of those cases and they're very sad, truly unfortunate, but I don't actually think the vast majority of people feel like it relates to them.
That said, the number of security incidents is at its highest, right? Like the number of cybersecurity breaches continues to climb. Now, if you are an average person watching TV at home, you're not going to hear anything about security breaches because it's boring. People don't understand cyber.
Instead, you're going to hear that, Oh, there was this shooting and this stabbing and this and that. [00:37:00] And so because people have a lot of exposure to data about crime, they believe that the crime rate is going up.
Ashish Rajan: It feels more real. Yeah, it does. Yeah.
Ross Haleliuk: Yeah. There are all of those factors that just don't necessarily compel an average person to start caring about their security.
That's why a lot of the conversations that security practitioners have is, Oh, people need to start caring. But why? What is the impact? Is my social security number floating somewhere on the dark web? Probably. Can it have an impact on my life? Absolutely. Yep. Is there anything I can do to prevent it?
No, because when I'm signing up for some service and it asks me to provide a social security number, I have no choice. I want to use the service, so I'll have to provide them my SSN. Will it get breached?
Probably. So we have as a society become numb. Yeah. Sadly. And obviously it may change over time, but also for right now, I don't think it is changing.
Ashish Rajan: Switching gears from security engineering and the messaging for [00:38:00] security. If I were to put the five things that you called out, email security, endpoint security, cloud security, data security, all of that, in this market, do you see people who are applying or thinking of building a startup in email, network, endpoint, whatever, just pick any category?
What should their approach be for GTM?
Ross Haleliuk: You're asking me to solve a fundamental challenge of the industry.
Ashish Rajan: No, the reason I ask you is because I feel like you have one of those perspectives which is a non-cybersecurity one, because a lot of us come with a bias in cybersecurity.
Ross Haleliuk: I think probably two years ago I would have agreed with you. At this point, I have as many biases as everybody else does. I'm so deeply entrenched in the way we in security think about stuff that, from time to time, I ping my friends who work in other spaces, and I'm like, this thing I am seeing, is this real or is this just me being completely out of touch with reality? And by the way, I do think that there is also application security, which we are not calling out. It's also fairly fair: if you were thinking about go to market, if you're thinking about sales, [00:39:00] if you're thinking about product, you have to go back to first principles.
What is the problem you're trying to solve and who has that problem? And if you do it, then you will quickly realize that there are different buyers for different security solutions. And there are different patterns that different types of markets follow or don't follow. For example, if you're selling a security tool for application security, then you're really talking to security engineers. You're talking to heads of AppSec or ProdSec. You're talking to CISOs. You're not talking to CTOs. You're not talking to software developers. They're not going to be buyers. In fact, the more you can build a product for a single buyer, the more likely it is that you're going to be successful, because as soon as the buying decision involves more than one department, you're screwed.
If you have a product that needs to be approved by software engineering and the security team, it's a much harder sell than if you have a product that only needs to be approved by the security team. And the friction of adoption also matters, right? You can have two cloud security solutions, [00:40:00] one agentless, one with an agent. Which one is easier to adopt and which one is likely to get successful?
Ashish Rajan: Agentless.
Ross Haleliuk: And that is where a lot of the security purists struggle, right? Because if you care about the depth of security, then having an agent gives you more depth. But from the customer perspective, it's the ease of use. Now, if you're looking, for example, at identity:
most identity solutions are actually not bought by security. Identity is an IT problem. Corporate idea. Enterprise idea. And if you're thinking about solving a problem in identity, and you only talk to CISOs or security engineers, you will miss the point, and you will build a product that isn't solving the problem for people who are actually going to be evaluating and buying. And the same applies to basically any other part of the market. You have to start by understanding what the problem space is, who has that problem, who cares about that problem. Different types of people will care about different aspects of the same problem.
The [00:41:00] thing about not just security, but anything else is that we like to think that ideas we have are new and that in order for you to be successful, you have to come up with some new groundbreaking approach.
The reality is that most of the markets that exist today have existed for a very long time. And if the market has a track record, several successful large-scale privately owned companies, it's a big market. If that is not the case, you may be betting on something new, but you'd better have a good answer as to why that newness is going to translate into something big.
But when you think about the fact that the vast majority of companies do not have real incentive to spend money on security, that means they will only be doing the minimum that is mandated by compliance, by their customer expectations.
And the budgets are finite. So if the budgets are finite, then a lot of the product categories that are seen as optional are not going to get as much attention. It doesn't mean, however, that [00:42:00] those are not the right problems to solve. What it does mean is that you have to be very realistic about the type of company you are planning to build.
Ashish Rajan: It's an interesting one, because a lot of people want to build startups. They hear valuations, they hear big raises, someone's going to be bought by someone else, or someone has already been bought by someone else.
I think maybe you and I were talking about this: that is the one percent. It is not the majority. My question is, do you agree that we are only seeing the exceptions, not the majority, when people aim for that kind of big valuation?
If someone is walking in with, Hey, I want to try and find a problem in cybersecurity, how do I value this? Is this the next billion dollar idea? Or, to what you said, you're going to be profitable, but you're not going to be the next 100 billion dollar company?
Ross Haleliuk: I think that's the wrong lens to look at the industry through. As an industry, we have plenty of problems to solve. We should focus on solving those problems and doing it well. The company valuation is secondary.
At the end of the day, if you're solving a real problem, you're going to find customers, if there are enough companies that [00:43:00] experience that problem, have a budget, and so on. There are many of those parameters. But the thing about security is that it is such a diverse space.
You talk to 60 companies of similar size, maybe similar industry, and you will get 55 different perspectives. You will ask people, Hey, what are you prioritizing over the next quarter? You will get 48 different perspectives. And so at the end of the day, I believe that the fundamental problems remain. You had so many different attempts to ensure data security. The problem is just so big that it's not going to get solved over the next year and a half. There's still going to be room for somebody to do it better, to maybe specialize on a specific type of customers, industries, maybe choose to go through MSPs instead of going direct, or maybe choose to go through partners and resellers.
I think those are all hard problems. And frankly, listen, it's not that I'm not struggling with finding answers to all of those questions. I think everybody is. The market is [00:44:00] overwhelmed with the number of solutions. Yeah, I would agree. There's a large number of companies competing. There is a large number of companies trying to survive.
And there's a large number of companies that are probably not going to make it. And not for the lack of trying. Like companies built by incredibly brilliant founders, solving real problems. It's hard, but I do believe that there is more than one way to succeed and getting to a billion or however many, whatever numbers you've used, getting to that valuation is not the only one.
Ashish Rajan: Interesting. I'm glad you called this out, because the way I've seen the product space, and how it goes back to the GTM as well, a lot of people would look at that and say, that's my aim. And there's nothing wrong in having a big aim. I think people should have big aims in their lives.
So they can go broader than cybersecurity and find out, oh, there's a much bigger market there. I can probably find a lot more customers if that's what the goal is. I think what I find interesting is what you just said as well, that it's a complex market at this point in time.
I also feel the market is getting to a point where it's hard for me to differentiate from one product to another, [00:45:00] you could look at the biggest player, and you could look at the medium sized player. Apart from the number of features that I can count on, it's really hard for me as a practitioner or a CISO to decide outside of budget requirements, hey, should I go for the Ferrari or should I just go for the Toyota Camry?
Ross Haleliuk: Yeah, and realistically speaking, how do you even test what different products offer? I find that question fascinating. One of the articles on Venture in Security is about the fact that cyber security is a market for silver bullets. Again, I did not come up with that term, but I find it absolutely fascinating.
And the reason that is the case is because there is this assumption. Several years ago, probably about 20 years ago, there was an academic article written on this exact topic, on the fact that many people believe that security is a market for lemons. I don't know if you're familiar with the definition, but the idea being that many people believe that when you look at the security market, the buyer doesn't really know what they're buying, but the seller knows very well what they're selling. So when you [00:46:00] look at the security vendor, many people assume that, Oh, they really know what they're doing, but through their complicated marketing, they make it hard for us to figure out.
What that article about security being a market for silver bullets discussed is the fact that neither the buyer nor the seller actually knows what is being sold or what is being bought. I generally recommend reading the original article to understand what it is about.
If you're not interested in an academic paper, you can read the Venture in Security article. But what I'm getting at is that when you're buying, and pick your favorite category, it doesn't matter, when you're buying an endpoint security solution, how do you know that vendor A is going to offer you better coverage than vendor B?
Are you truly going to simulate all known types of attacks to understand their coverage? More importantly how do you deal with the [00:47:00] fact that depending on your environment and depending on what's happening in your environment, the way some of them may get detected is going to be different.
How do you deal with the fact that, even if you simulate every single attack possible, you can only do it with the known attacks as of today? Tomorrow, something new is going to come up. How do you know which of those two solutions is going to be better positioned to address the threat landscape of tomorrow?
The reality is, you don't.
Ashish Rajan: Because it's a time constraint as well, you only get four weeks to test it out. Correct. In a large enterprise. Correct. You can't even deploy one application in six months, but you're supposed to test a product that's going to be there on a two year contract, within your organization based on your research or analysis of four weeks.
Ross Haleliuk: It's probably going to be longer than four weeks, given that the sales cycle these days can take a year or two years. But I guess the meta point here is that if you're buying an accounting tool, you have a much better chance of identifying the [00:48:00] capabilities you need that tool to provide and of being able to test those capabilities.
Most security products are black boxes: you're buying a thing, deploying it in your environment, clicking this big red button, activate shield, and now you're secure. Now, how secure are you? It's really hard to answer. It's also impossible to compete on efficacy. It's impossible to say, Hey, this product offers 97.2 percent coverage, we do 98.4. Nobody cares. At that level, you don't really have the ability to assess whether the greatest claims are real. That is why marketing and differentiation are so hard, because you're just building a better mousetrap. How do you prove that it's a better mousetrap?
It's funny. This article about security being a market for silver bullets had a quote that made me laugh. And I'm going to butcher it, but it goes something like this, you bought a box that is supposed to light up if you spot a unicorn in a room, you walk with this box [00:49:00] into a room and it doesn't light up.
Why? Is the box not working, or is there no unicorn? And that is how we are thinking about security tools, right? This tool did not detect anything today. Does it mean that there were no attacks? Or does it mean that the bad guys are already on our network? Yep. But we didn't see a detection. And so that is the state of security today.
Ashish Rajan: And I'll probably add another layer from a practitioner lens, as someone who's had teams. In fact, when I did evaluations, we normally went with the defaults that are there from the provider, in that four-week or six-week or however long the duration is. The cloud is a good example, because initially the problem statement was a lot about visibility, because people were told that, hey, you don't have enough visibility.
How many resources are there? Look at the large footprint you have for cloud, blah, blah. And you get the agentless version. You get the point that, hey, you know what, time to value, blah, blah. You get there quickly. But what people failed to miss was that they would create detections for [00:50:00] products that are the most popular or more common across a wide majority; they can't build for every single person out there.
Now you may be in the oil and gas industry and you've bought whatever the popular cloud security product is, and you've done the default check. Oh my god, 10,000 alerts. This is exactly what I needed. Let me just sign the check right now. There's a service you use which we don't cover; we'd love to talk about what that could look like.
That's my assumption. And I would think that people on the other end would do their due diligence and go, these are the common services we use across the board because we have done an analysis. The person on the buying end thinks that they have done their due diligence, so the defaults are pretty much what I need to care about. The person on the other end assumes that the practitioner has done their due diligence. They clearly know what the use cases are, because clearly they're passing my demo or whatever the testing period is.
So we're all in the end happy. And then one year passes by, contract renewal comes in. Suddenly actually we still have a lot of alerts we had to create custom things for, and you're like, yeah, but you guys passed the test.
Ross Haleliuk: [00:51:00] Yeah, I find it fascinating that the rate with which security tools get replaced in an organization is incredible.
But you also understand that the reason why that is happening is because you already know what the gaps are. Let's just say two years ago you got a new tool and it doesn't matter in which category that tool exists. You got a new tool and you've implemented it.
At the time you thought it's gonna solve all of your problems, and it solves some, yeah. It didn't solve the others. So now, two years later, the time comes to renew the contract. And you look at that tool and you're like, wow. So here is the list of 40 things that it does not do well. Let me go and see if there is another tool that does those 40 things better.
You go to the market and look at that. And indeed, there is a great tool. You take your 40-item checklist and compare this new tool against it, and you're like, oh yeah, this checks, fantastic. You know what, we're not going to renew this other tool, we're going to buy a new tool.
And you buy a new tool, but what you miss is that the 40 items you had on your list were [00:52:00] items that this other tool was not good at. The new tool that you bought is going to cover for maybe not 40, but like 20, 32 out of 40 gaps of the other tool, but it will have its own gaps.
That you did not test for, because you didn't know what to look for. You didn't experience it. Now, two years later, you have another list of another 40 or 60 gaps that the second tool has. And you're going through this game of musical chairs, hoping that there's going to be this magic tool.
And there isn't one.
Ashish Rajan: No.
Ross Haleliuk: Everything comes with trade offs.
Ashish Rajan: Most of the times that either I have replaced products or my other CISO friends have replaced products, I'd lost the budget and didn't have the money for it. So I had to go for a cheaper product. Sometimes that's the call.
That's a fair call as well. It's a business. Sometimes the call has been that I was on a two year contract, which is really hard to implement. I'm talking about the dinosaurs of the world and some of them in the identity space. Some of them in the other space as well. And you realize that they are the biggest player.
Some of them are really [00:53:00] hard to implement, like you need to bring in a partner, consulting person, it's like you're building a spaceship inside your little tiny silo of security.
Ross Haleliuk: But there are reasons why that is the case. Like identity, I think it's a great example.
Every organization requires custom configuration for identity, for example, so then you need to build a product that is generic enough to fit all of those custom permutations.
And once you have that Swiss knife, you need to have somebody that would configure it. And so every product starts simple; over time it grows in complexity, because the complexity required to serve large enterprises is just high. Look at some of the CRM platforms, look at Salesforce, for example. You look at it today and you're like, Oh my God, I need to hire a team of consultants to configure it.
But when it started, it wasn't that way, right? The bigger and more successful something becomes, the more bells and whistles it
Ashish Rajan: You need to get it for a bigger market, more problems to solve.
Ross Haleliuk: Some others, just think about it in [00:54:00] very practical terms.
Like this large customer comes to you, submits a feature request saying, Hey, we need the button on this UI, and we need this button to do X, Y, Z, because that is a requirement for our environment. Okay. You can push back as much as you want, but eventually you will have to agree to something.
Once you agree to something, once you add it, you are not going to add that as one feature for one customer.
Ashish Rajan: For everyone.
Ross Haleliuk: It goes for everyone. And now everybody has this capability somewhere in their UI that they can find, they can select, but only one customer out of 10,000 uses it, or maybe five or maybe 10.
And that increases complexity. Yeah. And so that's why you have this process of bundling and unbundling. It's always cyclical, right? You have a product. It starts simple. It's very user friendly. It is user friendly by the measures and criteria of its time, because the definition of being user friendly has changed. Like 25 years ago, or 30 years ago, being user friendly meant you had a [00:55:00] manual, a 60-page manual that described every single feature; that was user friendly.
Nowadays, if trying the product takes longer than installing the Uber app on your phone, you will get frustrated.
Ashish Rajan: Yeah, that's a good point because Apple does this really well because everything you buy, there's a manual, most people just throw it away.
They just assume it should be easy to do. And Apple, I guess I'm a bit of an Apple fanboy, but I think I realized the first time I bought a MacBook, an iMac or whatever it was, it was just the easiest thing. I just had to open the damn shit and it just basically works, right, and walked me through the entire thing. On the other hand, when I was much younger, I was trying to assemble a computer myself. There were so many questions I had to answer: what operating system, what hard disk, what RAM is enough, am I going to be playing games, am I going to be just watching the internet, what am I doing? To bring it back to what you're saying, it is definitely a lot more complex as you grow in size.
Sometimes that is a differentiator as an opportunity for a startup to come in and go, Hey, I do those 20 things very well. I just [00:56:00] focus on those 20 to begin with, to be a differentiator so I can become the complex thing tomorrow.
Ross Haleliuk: And that's exactly how all of it works. Every single platform has started as a point solution. What differentiates the platforms versus companies that remain? Many factors do.
One of those factors is that a point solution that started in a big market, where the founders were able to execute well, turns into a platform.
Ashish Rajan: Fair. And to your point, it may be the complexity that leads to its demise later on in terms of losing a customer, but isn't that ultimately what you want?
You want to keep growing the business, yeah. And yeah, I love this. I do. I'm just conscious of time as well. So the last question is around your book. What's it called? Why self-publish versus going for it? There are two aspects that I wanted to cover.
One was the cybersecurity vendor space, which we've done. The other one is the book-writing author; like a lot of people writing books, why go down the path of, A, what made you think of a book? Why self-publish it? Why not go for one of the other popular publishers?
Ross Haleliuk: What [00:57:00] made me think about the book? There are several factors. The number one being that one day I woke up and realized that I have 25 percent of the book already written. I have been writing a blog for several years. And the topics I have been discussing are the very same topics I wanted to expand on, and I wanted to combine it into a cohesive experience.
And I was like, you know what? I'm not staring at a blank page, there is already some material and learnings accumulated. So I'm not starting with zero. And what ended up happening is that the moment I sat down to write it, I had literally probably 20, of materials already sitting there that I could build upon.
There are plenty of reasons why I wrote the book. One of them is deeply psychological. I write a blog every single week and I've been really consistent about it. There are many learnings that I would like to share.
I realized that I myself don't have time to read blogs. I don't like, man, I've read so little. I don't have enough time for podcasts, for reading [00:58:00] blogs. I have more time to read a book than I have to read a blog. Every time I get a blog post in my inbox, I'm like, Oh, what is this thing going to be about?
I click, I look at the subject. Am I really interested? If it's not a yes, it's a no. So it goes to archive, it goes to delete. I have one folder in my email that is to read and I will stuff interesting stuff in there and I will never ever get back to it. I'll never read it.
I do it without fail. I don't know why, it's like a ritual at this point. In order for me to read a blog post, I need to find time during the week. I need to be in the space where I have the time, I have to open my email. I'm like, Oh yeah, there is this blog post. I have to then allocate like enough 20 minutes of my time.
What I came to realize is that the time budget that people allocate to a book comes from a different spot. The book does not compete with your email. If you're reading a book, that means you have a book somewhere on the side and you will keep getting back to it. Now you're not competing with every [00:59:00] single email, like every single distraction, if you made a decision to read a book. You have already pre committed several hours of your time to this book. If it's not shit, you're going to read. I came to realize that I have so much stuff that I wrote over the course of the years, and any new subscriber, will start at the blog post that is the latest blog post at the time when they start reading.
Two years that, that, so I wanted to find a way to summarize, just bring together a lot of the knowledge, experiences, perspectives, learnings, and things that I've accumulated over the course of the years and make it easy. Just something that people can read on their own time, without having to compete for the same time budget that every single social media post. Why self publish? It's, again, first principles. What is the problem I'm trying to solve? I'm trying to get in front of people interested in the business side of security. Who are those people? Security practitioners interested in the business [01:00:00] side of security. Not a huge segment, but there are plenty of people who are interested in startups, maybe thinking that one day I may start something on my own.
Or like maybe they're open source maintainers and they're like, Hey, I'm interested in understanding more how the industry works so that I can make my project more popular or get in front of investors, for example, and convert it into a startup. There are startup founders. There are people working at security startups, right?
Like on the marketing side, on the product side, on the sales side, on the engineering side, on the partnership side, BD. So there are venture capital investors, angel investors. There are all of those people. Once I know who they are, where do I find them? And at that point, I came to realize that the answer is not in a bookstore.
Where do you learn about new books or new articles, new something? You go to your peers, you may go online, you may stumble upon something. You probably don't go to a bookstore.
Ashish Rajan: what's my technology
Ross Haleliuk: What I came to realize is, look, working with a publisher means [01:01:00] several things, good and bad. On the good side, it means that there is an entity that you delegate all the boring part about publishing the book to, meaning you're just, you're giving them the manuscript.
And they're going to handle copy editing, forewords, layout design, cover design, marketing, sales, distribution, like all of that stuff. And that's fantastic, right?
You don't have to spend your own money. The other advantage is that you get paid. If you submit a manuscript, somebody will give you a cash advance. That will depend on the amount of money that you've negotiated. It could be a few thousand, it could be tens of thousands if you are an experienced writer or like a high profile individual.
And you get that money before you even know that a single copy of your book is going to get sold. That's a good deal. So you haven't spent any of your money to publish the book. But I think the reality is that many of those advantages have a flip side and many of those advantages are not as strong as people think.
For example, marketing: if [01:02:00] you think that the publisher is going to do the marketing for your book, you're mistaken. They will have some packaged offer, they may do some book signing here and there. But fundamentally, if you want your book to sell, you still have to go and sell it.
You still have to go to conferences, go to book signings, presentations. You still have to do that. Like it, you're not exactly outsourcing responsibility for it. You will get support. But you still have to do that.
That's great. But then once the book starts selling, you won't get any more money until you return the money that the publisher has paid, right? And most books will never do that. Meaning let's just say the publisher paid you 10k and the deal is that you will get $2 per copy.
So that means you need to sell 5,000 copies first. What's important is that the amount of money you will get per copy from a publisher is going to be fairly low. Or at least lower than you would if you were to self publish it. Because it just makes sense, right?
They paid for editing, marketing, all of that stuff. [01:03:00] Obviously they're going to get the majority of the revenue and you're going to get a little. But at the very fundamental level, the book I wrote is not going to be bought in a bookstore.
It is going to be bought on Amazon anyway. So if it's going to get bought on Amazon, I'd rather just find a way to sell it on Amazon. I had the benefit of having built a solid readership over the years. So when I published the book, I sent an email to over 10,000 people saying, Hey, there is this book and here is what it is about.
And it became an instant bestseller over the course of a day and a half. I cheated because I had developed over the years that, the following, the people who were, if not necessarily sharing my opinions, at least found some of those perspectives useful. I wanted to support you as well.
Or useful enough to pay 25 bucks. So it was, to a large degree, about hey, this guy has been doing something semi valuable. So why don't I give him 25 bucks? That's really it. There wasn't a long, complicated process. But, okay, there is one more factor.
[01:04:00] Two more factors. One is, I wanted to do things on my terms.
Ashish Rajan: Fair.
Ross Haleliuk: If you work with a publisher, like you have a timeline and it's taking forever to actually do something. It can take you a year to get the book out. It took me much less, and I control my time. I hired a person to do copy editing, like we've scoped out the project, I paid an amount of money, much less, by the way, than what some people would assume, like it doesn't cost an astronomical amount of money to publish a book.
And then I got the result, like it's somebody I hired, it's somebody who works for me. I had friends help out with different aspects of publishing, like I had Miscreants, Sean, amazing guy, amazing team, do the book cover.
There were a lot of people involved, but ultimately it was a new experience. I own the copyright. Because if tomorrow I decide to change something, I just upload a new updated PDF to Amazon.
Ashish Rajan: Oh, 'cause they're the ones who are physically printing it.
Ross Haleliuk: I just upload an updated file to Amazon [01:05:00] and that's it. Every new copy printed from that point onward will be an updated copy. If I want to give away the book for free as a PDF, I just do it. My book, I decide. By no means am I saying that working with a publisher is a bad idea. On the contrary, if your goal is to get a stamp of approval from a trusted institution, that's the way to go.
That's the way to go. When you're self publishing you're really just another book in the ocean of books published on any platform, Amazon being one of them. It's much harder to get word out. But if you have that base, if you have people supporting you, it can also be easier.
It depends on the resources you have access to. But for me, given my case, it just made sense to go that path.
Ashish Rajan: Awesome. Thank you for sharing that. I've got three fun questions that I normally end my interviews with.
Ross Haleliuk: I'm not a fun person, so it's going to be very quick.
Ashish Rajan: Questions are fun. Let's just say questions are fun. First one being, what do you spend most time on when you're not working on your blog or the products that you're exploring?
Ross Haleliuk: So [01:06:00] when I'm not working, I try to spend time with the loved ones and go out for a walk and go to the gym, but nothing extraordinary.
When people ask me what are your hobbies? I generally say a blog. It's fun. I like watching a movie here and there, but yeah.
Ashish Rajan: Second question, what is something that you're proud of that is not on your social media?
Ross Haleliuk: I immigrated to Canada 10 years ago, and then moved to the United States, based in San Francisco.
When I first moved, I was in my early 20s, and I did not speak a single word of English. I learned the language then. It was hard. It was a very interesting journey. So my life story is not a life story of somebody who just, studied computer science and ended up in tech.
I studied history. Oh, you were studying history in college? I'm a historian by trade. Now, I did also the master's in business and all kinds of different things. My starting point in life has absolutely nothing to do with where I am now or what I'm doing. There is no connection between anything I was [01:07:00] supposed to do a decade and a half ago and anything I'm doing today.
The reason I'm mentioning that is because when you're an immigrant, when you're a two times immigrant, in my case, there are many things that are hard. Like you have to rebuild your life all over again. You have to do it in a different society starting if not from zero, then where it was from zero.
When I moved to Canada, it was not from zero at all. When I moved to the U.S., there are many things that are hard. You speak with an accent and some people don't understand. Once in a while, you get frustrated with the fact that it's not always easy to convey what you're thinking.
Like you may have some deep thoughts inside but you're saying some basic shit. And like that's hard. So when I published the book, that was, that to me felt like an accomplishment. Not because the book itself is an accomplishment, but it's the journey that I've been through over the past decade, from when I came to Canada to learn the basics of the language, to when I wrote the book in English and it became an Amazon bestseller. There are hundreds of people messaging me saying thank you for doing it.
That made me feel proud.
Ashish Rajan: That's great. I'm [01:08:00] happy for you, man. And thank you for sharing that as well. By the way, I do have the book as well. So I think I was one of those people who were hanging on the roof.
Ross Haleliuk: Me, you made me and Jeff richer.
Ashish Rajan: More than happy to support your journey, man.
Final question. If you're stuck on an island, what is that one meal you would like to have? That's if you can only have one meal.
Ross Haleliuk: Can I get a container of canned tuna? If I'm stuck on an island, I don't know how long I'm going to be stuck there.
So it becomes a survival exercise.
Ashish Rajan: Can survive.
Ross Haleliuk: Not going to survive on an apple strudel, you need some energy, right? If I'm stuck on an island, I need a lot of highly nutritious food.
Fair.
What's your favorite cuisine or restaurant that you normally recommend? I like Korean food.
Ashish Rajan: Okay, nice.
Ross Haleliuk: I like Korean food. I like Japanese food. I like balanced foods, if that makes any sense.
It does. It does. Again, as I told you, very boring, very practical. It's all good food. A piece of protein, some carbs, some greens, that's the food of choice. Fair. One of the reasons why I like Korean very much is because you can get the lettuce, you can get some [01:09:00] rice. Yeah. You can get some beef or some pork.
And that's, it's a balance.
Ashish Rajan: Where can people find you on the internet? They want to follow your blog, newsletter?
Ross Haleliuk: So ventureinsecurity.net is the blog. Check it out. Cyber for Builders is the name of the book. You can find it on Amazon, on all the Amazon sites, I think.
And I'm fairly active on LinkedIn. That is the only social media I'm actually active on. I also have a half dead Twitter or X page, and I have never had I think I deleted my Facebook like about over a decade ago, but I've never had the Instagram, so I'm super active on LinkedIn, but that is the place to
Ashish Rajan: I'll put those links in there, but thank you so much for coming on the show.
Man, I really appreciate this.
Thank you so much for listening and watching this episode of Cloud Security Podcast. If you've been enjoying content like this, you can find more episodes like these on www.cloudsecuritypodcast.tv. We are also publishing these episodes on social media as well, so you can definitely find these episodes there.
Oh, by the way, just in case there was interest in learning about AI cybersecurity, we also have a sister podcast called AI Cybersecurity Podcast, which may be of interest as well. I'll leave the links in the description for you to check them out. And [01:10:00] also for our weekly newsletter, where we do an in depth analysis of different topics within cloud security, ranging from identity, endpoint, all the way up to privacy, to what is CNAPP or whatever new acronym comes out tomorrow. Thank you so much for supporting, listening and watching. I'll see you next time.