Wolverine and Cyber Happiness with John DiLullo
Joining the podcast this week is John DiLullo, Chief Revenue Officer for Forcepoint and former CEO at LastLine Security, acquired by VMWare in 2020. He's spent decades in the security world working on cyber happiness. John has traveled the globe this year after things opened up visiting every continent but Antarctica. He shares insights from his many meetings with customers, partners, and security companies around the world.
He also shares perspective on this year's RSA conference, the future of security trade shows, and the future of the security industry—particularly as the economy stares down the barrel of an impending bear market. But it's not all doom and gloom, John shares a recent epiphany after seeing the "Wolverine" actor on Broadway and it paints a very positive picture for the cyber path ahead!
[01:35] A Big Proponent For Cyber Happiness
Eric: Let's get to our guest, who we just learned is a first-time guest. He's very close to us, an expert in the space, and has never even listened to the podcast.
Rachael: Let's welcome John DiLullo, the chief revenue officer for Forcepoint.
John: Thank you very much, team. Very glad to be here today.
Rachael: I know you're a big proponent, as things are opening, of the importance of in-person connections and going out to meet people. In doing so this year, you've pretty much been to every continent except for Antarctica. As you're traveling around regions and talking to so many different people, customers and partners, are you seeing any trends or interesting or disparate security perspectives and how geos are attacking their cyber challenge?
John: Well, that's interesting. Getting back out into the field, and talking with our customers in different countries, in different regions, is so vitally important to understand the unique challenges that everybody faces. I would share with you that it is not exactly as you would expect when you live in the US, as I do. I've been trapped in the US for the last two and a half years. You tend to think that everybody is attacking you.
When you get out into the world and you talk to the people that are dealing with security issues, you realize that in reality, everyone is attacking everyone. The symmetry is amazing. Just like we've seen trade walls and barriers that have been erected during the pandemic, similarly, I think we've seen exactly the same thing when it comes to data privacy.
Data Losses Behind Physical Borders
John: Countries are really freaked out about data leakage on a worldwide basis. They're very concerned about data losses behind their physical borders. This feels new. People seem to, in the past, be a little bit more experimental in this area. Today, it seems to me that everybody is worried about, "Where is my data? How do I make sure that it doesn't fall into the hands of the wrong people?" You also asked about thought leaders. Who's leading the charge here?
I'm going to have to give four gold stars to the Europeans, I think because they were really the first ones out with the GDPR policies. That is the anchor that a lot of other countries are now leveraging to amplify, or I should say, to complete their data privacy, their data residency concerns that they're dealing with in the commercial environment.
Eric: It's interesting you say that because they have led with GDPR. I don't want to use the word Balkanizing, but there are a lot of countries that are creating their own castle wall, moat, whatever you want to call it, scenario, where they want to keep data local. But when I look at the tech giants in the world, Facebook, or Meta, Alphabet, not Google, sorry, and Apple and everybody else. The big guys who are out there. Even Twitter might be in that. They're all American companies.
I think America's laws and innovation and freedom to go out allow for that. Do you see these European countries, I was going to say artificially, but constraining themselves because they're trying to protect data and they're trying to protect themselves more? Constraining innovation and things like that.
Incredible Innovations That Brought Cyber Happiness
John: First of all, I think you need to recognize that there is an incredible innovation that happens in the US. But in many areas, the US is not necessarily a technology innovation leader. If you look at some of the incredible innovations that are coming out elsewhere in the world, I'm talking about things, companies like Weibo and Alibaba, you really need to put things into perspective, in some cases. But some of the commercial cases have certainly been the Googles and the Facebooks of the world. Whereas I think that what the governments are doing, rightfully so, is not necessarily constraining innovation, but rather directing it.
I do think that customers require innovative approaches to managing their information assets. That's one of the things that we do as a company. We're trying to rise to that challenge that the governments are giving us. I think that rising to the challenge of what governments are asking technology providers to do is actually providing an opportunity. These are not wanton, frivolous requests. As more and more of the economy is digitized, maintaining provenance over those digital assets is incredibly important. I'm glad to see the response that Forcepoint and so many other companies are doing to try to meet these needs.
Eric: It's interesting. As you talk about it, I'm thinking about these countries. Let's pick on Europe for a second. It's almost like, they understand the risk and value their data. They value what they have from an IT perspective, more than let's say the US or other countries do because they are taking a lead in these areas, in many of these areas.
The European Economic Zone
John: I think some of this might be cultural. The US and the way that we've treated data in the US for many years now is much more promiscuous than the way they do in Europe. I think we have some maturing to do perhaps in the US. I like looking at the example that the Europeans are setting. I'll remind you that the European economic zone is certainly bigger. It's the second-largest economy in the world, bigger than the US, in fact. They're doing so with an air of credibility that I think we should learn from.
Eric: We were talking earlier about crime and cybercrime. What were your comments there about individuals? It's the crime where we have to take care of ourselves. The police forces of our nations aren't necessarily protecting us.
John: I think the ironies in cybercrime are just almost innumerable. When you compare the numbers, the average hacker can make $70,000 to $100,000 USD per year. The average burglar is lucky to clear $2,500 in a heist. And yet there are 7 million burglars in prison in the US alone compared to the number of hackers, I don't know, that are in prison right now, probably numbers in the dozens.
The take last year was certainly north of a half a trillion dollars. I really don't even know how to compare this. This is something that didn't take us one year to get here if you look at the expansion that's happened. In 2005, the whole world spent $3 billion on cybersecurity solutions. 10 years later, in 2015, we spent 300 billion.
Cyber Happiness Constitutes a Consequence-Free Crime
John: There's a market that's growing a hundredfold or thousandfold over that period, and yet, you have nobody actually serving time for these breaches. It's almost a consequence-free crime today and it's going to require a lot of vigilance on our part.
Rachael: It's a great point, there are not a lot of crimes happening, although I will suggest people start watching Web of Reality on Netflix. It's looking at various cyber crimes and some people go to prison, but I think it’s an anomaly. What it took to get that person to prison is crazy. But when these cybercrime syndicates are operating as global enterprises, with HR departments, and with impunity, they know they're good to go. How do you fight that? You've been in security quite a long time. Are we going to get ahead of this thing?
John: We certainly are. We're not going to lose the battle. We're not going to unring the bell that is the digitization of the economy. That is not going to happen. There are far too many benefits that have come to humankind through all these innovations. We are just going to start to embrace better solutions. Those better solutions, I think some of them we've seen spawned in the last five years in the environment of zero trust.
It's probably the most profound where you finally have at least an approach to ensure that there's not quite so much implicit trust in the way that we handle the assets of the people of our nation. You also see that in the move from cybersecurity being just a commercial problem, to also be a problem that the entire population faces.
[10:53] Victims of Cybercrime
John: You see surveys where eight out of 10 or nine out of 10 companies are now saying that in the prior 12 months, they were the victim of a cybercrime. It's ubiquitous. As a result, you're going to see a constant progression of security postures and improvement in the science that helps us to be successful. Now, I would say that one of the challenges I think we have right now is that there are so many vendors.
There are so many errors of commission and so many surface areas that have been increased in part by the number of vendors that are participating in this space. But also just because of the changing topography of the workplace, especially during the pandemic. These changes have dramatically made the job tougher, but I don't think it gets much tougher from here. I do think the science of security starts to catch up with what's been the science of this kleptocracy around the misappropriation of information assets.
Eric: We've seen over time since the first virus. Let's go back to the 70s. We've seen people spend more money, we've seen the adversary make more money or steal more data, whatever their treasure is. Why do you see it changing now? We've got thousands and thousands of vendors. You and Rachael just came off the show at RSA last week. As we're recording this, what do you see to make you feel like we are going to get ahead? I know you mentioned zero trust in architecture.
John: I think architectural approaches, more disciplined approaches. I actually think the breaking with the past. There is no castle wall, no drawbridge, no secret handshake, and no moat.
Changing People’s View on Cyber Happiness
John: I think understanding that the network and the information, the surface area, is very porous will actually change people's view away from the historical wall building model. So, changing that approach is going to put application access and sensitive information access into a completely different security posture. You see some of those technologies emerging right now, you hear Zero Trust deployments of things like SAS. CDR is another great one, Content Disarm and Reconstruction.
You see things such as private application access, and all of these technologies. Now they're much harder to take advantage of. It's much more difficult to secure a toehold. But I would go further to say that there's also, I believe, and I saw this at RSA first hand, an acknowledgment that the battle, if it's not in its final hours, is getting close. The 4001st security vendor is not going to be met with open arms; that the markets want, that customers want a simplification; that customers cannot handle any longer having 75 or 100 vendors in their environment.
They cannot handle 10,000 alerts per day in their environment any longer. The new technologies that I mentioned, the Zero Trust technologies that we're deploying, and others are deploying, finally, start to chip away at that. I do believe we're going to make the computing environment much safer.
Eric: I think, if the global economy recesses or we have some challenges here, that may be one of the driving factors, also. You don't go from 4,000 to 5,000 or 6,000 cybersecurity companies. We see some consolidation which may help, but you bring up RSA. Both you and Rachael, as I mentioned, were at RSA. I wasn't able to go.
A Two-Year Hiatus
Eric: I'd love to hear from the two of you. What did you hear from customers, from partners, what trends, and what observations? It was a two-year hiatus, a little more than two years, I believe, from the last one. What did you guys hear on the floor and as you were meeting with people?
John: Most of my meetings were with customers, of course. But I'm going to paint the RSA show maybe in a different light than others would. It seemed to me that more than anything, people just wanted to talk and were excited to be out. For probably 50% of the people that I met, it was their first time out. I don't think I remember more socializing at an event, and maybe in that regard, less business talk. But I'm sure as RSA closes, they'll say this was the vendor of the year. This was the hot topic of the year.
But I think the real hot topic was just people getting back out into the whole swing of things, understanding what's happening, embracing best practices, and learning from their peers in the industry. I would say that's what the real benefit of the show was this past week.
Eric: I caught a lot of that on Twitter and with people I talked to. They were either complaining about it being a COVID massive event.
Rachael: COVID is swag.
Eric: A super spreader event.
Rachael: That's what I was hearing on Twitter.
Eric: You saw a ton of that, or you saw people talking about how great it was to get together after over two years, as an industry with people they knew they haven't seen. RSA brings people together. It's the biggest show out there.
Both Perspectives on Cyber Happiness
Eric: You saw both perspectives. Those were the two I heard from afar. Rachael, what did you see? You run a massive event there. We did a podcast two years ago on what it's like to do it. What's the difference?
Rachael: We did one last week with Miko, too, and it was good. It's interesting but it felt like a very different event, though. I think John was talking a little bit about this. You get the sense that maybe there's that traditional trade show fatigue. As people are starting to come back, they have different perspectives and different needs, and things that they want to get out of personal engagements. It made me start wondering. Are we starting to see these big, massive shows, are they going to jump the shark? We've seen Comdex go away. You see it every decade.
Eric: Every industry.
Rachael: Are we starting to come on that precipice where things like an RSA, maybe even Black Hat, start kind of tapering down. Then you see things like DEF CON, where there are no sponsorships and they're doing lots of cool stuff. Is that going to become the model forward? I think it's an interesting thing. John, I'd be interested in your thoughts, as well.
John: I'd probably propose the third op. First of all, I love the DEF CON show and what the teams do there. All the "capture the flag" events and you have the real live white hats there. Everybody is trying to crack people's code. I wouldn't use public wifi at Black Hat or DEF CON. I think that's a pretty dangerous proposition.
A Cloud Show
John: But I would argue that I had the opportunity a few weeks ago, maybe it was two months ago now in the United Kingdom, to visit a Cloud show. I was refreshed compared to all of these shows. When you go to every booth at RSA, pretty much everyone tells you that they can stop breaches. That they're going to secure your perimeter or your PC or your sensitive data. But it all becomes a giant blur when you're walking through the trade show.
That's not what I see at some of the other big trade shows like GITEX, Mobile World Congress, and this Cloud show that I just visited a few weeks ago. That Cloud show depended on where you were, but I saw interesting things, such as wiring solutions or cooling solutions and fire prevention. How to rack and stack more tightly, or different ways to set up the cores in your shared computing resources. Everything was different and helped attack what is this giant problem of delivering a comprehensive Cloud solution by offering the piece parts.
Whereas a lot of what I feel is the flaw that security providers have today is that they just say, here's another feature that helps you be a little bit more secure. I believe that's not what customers are looking for moving forward. These trade shows, I think they're going to be, in security, smaller in the future, but much more focused on the embracing of things like Zero Trust, philosophical security approaches, and then consolidation of all of these vendors.
It's a shocking statistic. By some estimates, there are 4,000 security vendors, and yet not a single security vendor has more than a 3% revenue share of the entire market. That is not a sustainable situation.
[20:58] People are Rewarded with Cyber Happiness
Eric: We've sustained it for decades now.
Rachael: That's what's so bizarre. In every other industry, you've got your top four, top three, and stuff. Here we are.
John: I think if you want to swallow the shark or jump the shark or whatever you want to call it a moment, I think this is the jump. This is the Happy Days, Fonzie, jump the shark moment. We will start to see the people that are rewarded with the best real estate at shows like RSA are going to be the ones that are figuring out how to simplify security, how to streamline security, how to consolidate vendors, how to reduce spend. That's what it's going to become. How much should you spend on security?
Today, that number is every dollar you can. That is just not a reasonable proposition moving forward. I do believe the pandemic and events like this year's illuminated that for a lot of people.
Eric: Again, I think any economic contraction, taking some of that crazy speculative investment out of the market, will also limit the number of companies who are coming up with crazy ideas or the next new thing and allow for some consolidation there. There are big companies with money still. But John, I'm with you. I was at the SOFIC show, the Special Operations Forces Industry Conference.
It was all about something new or how you can do more. They had really cool toys and stuff, and it was very energizing compared to a typical cybersecurity show. Where it's all about, "Look at my artificial intelligence widget," or look at this, and it's going to save everything. You know it's not going to do that. I think Eric's spot on there.
What Will Force People to Come Together
Rachael: What is it going to take to get better consolidation? Is it one of those things that just naturally is going to happen, even though it hasn't happened in 40, or 50 years? How are we going to get there?
John: Well, touch wood. This economy that Eric brought up a couple of times is going to help us out here. People are not going to be able to get more funding in a lot of cases. Most of the companies in those three halls there in San Francisco were losing money. Even some of the big public ones.
When the funds dry up, when you can't indefinitely carry losses, which I think has already happened, all the checkbooks on Sand Hill Road have closed for these types of speculative investments. So, I think that is going to force people to come together, merge, simplify, streamline, to shed businesses that are not thriving. Ultimately, that'll be something that's very good for the security technology consumer.
Eric: I agree. It may slow down some innovation, but the innovation we're seeing, in my opinion, in the space is at a huge cost. People are doing some crazy stuff but they're not making money. We're talking hundreds and hundreds, maybe thousands of companies.
So, they're innovating. But if you can't productize it, if you can't monetize it, the best you can hope for is somebody, I guess you monetize it if they buy your idea and stuff. But if these companies disappear, if we see some consolidation, I think the innovative personnel will work for companies in the industry. They will just be larger companies.
We Need Good People to Ensure Cyber Happiness
Eric: Hopefully, they have more resources to do that and they're not constrained by those companies where they can focus, and get the resources they need to innovate. But they're not doing crazy stuff that'll never see the light of day. We'll see. That's my theory on this one.
Rachael: It would be helpful to consolidate for the simple fact of the cyber talent shortage, too. We need good people and focus. Right now, we're spreading peanut butter quite a bit.
Eric: If you have a million dollars and you want to invest it and concentrate on something, you can do a lot with that. If you have a million dollars and you give a dollar to a million different people, it's so diversified. The effectiveness is zero or near zero. I think consolidation and focus. There are some things that have proven themselves out in not just IT, but industries across the board. Consolidation and focus is a good thing. Hopefully, we do get there.
We're seeing a lot of commentary from CISA out there saying shields up. We are seeing a lot of noise coming from the government. Protect yourselves. Just this week, the deputy national cyber director, Neal Higgins, said, "There's an enhanced risk of the Russians getting more aggressive in cyber operations." American companies and global companies are being told to be more prepared, do more, and focus on this. Are you seeing it?
John: I think that the entire community of practitioners for security is running at about 110% right now. While I do think it's an accurate assessment, some of these reports that you're quoting, I don't know that there's really much capacity to do anything about it.
Cyber Happiness Is Stretching Thin
John: By some estimates, there are as many as 3 million open jobs in cyber right now. I can share with you that my customers are completely consumed with doing everything that they can to keep their companies, their countries, and their principalities, as safe as humanly possible.
So, I think this is good to know and certainly helpful. I just don't know what more a lot of our companies could be doing. What I think the call to action should be to vendors like Forcepoint and others is that we need to do a better job of inter-operating, making our products easier to use, consolidating, making the deployment simpler and more secure.
We're redoubling our efforts there. I'm hoping that that ultimately gives a little bit of relief to our customers. I think they are stretched thin to the point that these public advisories probably just stress them out more.
There was a study that I glanced at just a few weeks ago that talked about burnout in cybersecurity. It's true. You've got CISOs, for instance. It's very rare that a CISO lasts even two years in an assignment. That's not all that dissimilar from other people in the organizations.
There's just no way to run a security practice inside a company. I think it's noted that the threats are getting more real, but we need to stay the course and just continue to simplify what our customers and companies are doing to be successful.
Eric: We have a new concept coming up in the US Federal space called a virtual CISO. It's a real thing that's happening in the US government.
Rachael: Is it like an AI CISO, that's just standing by like, "Hey, Alexa," but it's like, "Hey, virtual CISO."
Eric: You're so advanced. It's actually a consultancy CISO. Companies and the government are putting consulting contracts out for CISOs who come in for six months or 12 months. You don't even own a C-level personality or person in your organization. It's being contracted out. Craziness. It's growing into something big.
John: If one of our children came home and said, "Mom, Dad, I want to grow up to be a CISO," I think you'd say, "Listen, I know a lot of them. They look pretty stressed out right now. Maybe you might want to consider something different."
Rachael: Lots of cynicism creeps up over time.
Eric: There's some good advice, but I see the same thing. It's almost like you're in customer service. Everything is going wrong. You've got to deal with it. You don't get a lot of credit; you don't get ahead of the problems. Every day, you just get more problems. It is a high-stress environment for cyber defenders, InfoSec personnel, and CISOs.
John: If that isn't enough, you can't even do it in anonymity anymore. The board wants to talk to you every 90 days and see how you're doing.
Eric: So, call out to all CISOs out there or aspiring ones, let us know if you want to come on the show. If you're happy and know it, and everything's going perfectly in your environment, we'd like to talk to you and figure out what the secret sauce is.
John: There won't be an answer to that call. It's sad, but if you look out on LinkedIn, even a lot of CISOs have now removed their identity from it. They just don't want to be a target in any way. They're certainly not going to come on a show like this and say how happy they are.
Eric: We can do the masked CISO. We'll be okay there.
Rachael: The masked CISO, like they're in witness protection. We modulate the voice. You'll never know who they are. I think we got something going there. We invite everyone, whether you're a criminal or a legitimate CISO, to come on the show as a masked CISO and we will protect your identity. I’d like to end on a positive note. I think about the great resignation.
You follow InfoSec, and Twitter and people are feeling really beat down and not finding a lot of joy in their work. John, you were sharing this really great story, this epiphany moment you had, while you were watching a Broadway show. I was hoping you could share that with our listeners.
John: It was The Music Man, which was starring Hugh Jackman, who my wife has an endless amount of time for. It's one of those things where I just was fortunate enough to get a ticket. It was an eye-opener for me. And it reminded me of something pretty important, that is how much better we do our jobs when we're having fun.
I think that extends to the practitioners in the security space that we work with, too. But I'll tell you, Hugh Jackman, he's a very wealthy guy. He is probably best known for the Wolverine, but he was also Jean Valjean. He's got a very big career. He owns a plane. He's very wealthy, he's got a lovely family.
[32:54] Cyber Happiness Is What Everybody Wants
John: He is what everybody wants to be and yet he gave up the big stage and decided to do eight shows a week, with all his bones at high velocity, and very kinetic dancing and singing routines. You can see him perspire; you can see this is very physical, hard work for somebody that has really made it already. But you could also see, he's probably not the best singer.
He's probably not the best dancer, he's not the best, you know? You saw him make a couple of mistakes even during the presentation. But what you also saw was this guy had not a Pan Am smile but a real, sincere ear-to-ear smile for the two hours that he was performing.
He loved what he was doing. As a result, you saw him really inspire the rest of the cast to love what they were doing. Everybody enjoyed watching his perhaps imperfect performance, but they were really motivated and inspired by it, including yours truly. What I would say is that we have to get back into that space, into security, into the practitioner of all technology.
It's got to be fun, exciting, something that we enjoy every day, not dread every day. I guess a message out to all of our customers, to all of our partners, it's going to get better. We're trying here at Forcepoint, and I know a lot of other companies are, too, to put the fun back into the digital revolution that everybody's experiencing here.
We Are About to Get Cyber Happiness
John: Ultimately, if we're successful, if our peers in the industry are successful, that's why I'm so positive. I think that the next 10 years of this space, of this segment, of this gigantic market that we're working in, are about to get a lot more fun, as some of the stress and some of the nuances and some of the approaches that really didn't pan out start to fade away.
So, I'm upbeat. I'm positive. I thank Wolverine for opening my eyes, in that one case. The most important thing is to have fun at work. If you're not having fun, that doesn't necessarily mean that you have to change the way you're doing things. It means you need to focus on how to have fun. If Hugh Jackman can do it, we all can do it, and I think we can make the industry better in the process.
Eric: Now, that is great advice. For all our millennial and younger listeners, Pan Am smile, I believe, refers to Pan-American World Airways.
John: Yes. That may not, but it is a thing called a Pan Am smile. The other thing is the Duchenne smile. In the Duchenne smile, you actually see it with the eyes. You can see it even if someone is wearing a mask. But a Pan Am smile, you can't tell if they're smiling or not when they're wearing a mask.
Eric: If they really mean it.
John: Yes, so I always try to do Duchenne smiles.
Eric: Pan Am went out of business over 30 years ago. Most of our listeners have no idea who they are. I appreciate the explanation because really what you're saying is, make it a real smile, not a fake smile. Find a way to enjoy what you're doing.
John: Pan Am was the largest international carrier. I guess it was 30 years ago, but it seems like yesterday. They trained the flight attendants and pilots. Everybody had to have this painted-on smile. It didn't mean that it was any better place to work. I want to see our people with real smiles, proper Duchenne smiles. That's what we strive to do every day here at Forcepoint. I'd say it's a motivator. It’s been a consistent objective of mine throughout my career.
Rachael: It's infectious like the pandemic when you smile, for sure.
Eric: John, we're going to update your references here. Pan Am came into the business in 1927, and went out of business in 1991. So we're going to modernize that one, but we get what you're saying.
Rachael: John DiLullo, thank you so much for joining us today. This has been a really awesome conversation. I hope you listen to this episode that you're on.
John: I'll play it back at 1.35, but I will listen to it.
Rachael: That's all we could ask for. To all our listeners out there, again, don't forget to smash the subscription button. You get John's episode right to your email inbox every single Tuesday and so much more. We really appreciate all our listeners out there. Please give us feedback, good, bad, and different. Again, any cyber criminals out there, DM me on LinkedIn or hit me up on Twitter. Love to hear from you because we'd love to do the masked CISO. Until next time everybody, be safe.
About Our Guest
John DiLullo is Chief Revenue Officer (CRO) at Forcepoint. He has nearly 30 years' experience in enterprise security, networking, cloud, and AI, plus go-to-market expertise spanning sales, marketing, customer success, technical support, and operations. Throughout the course of his career, DiLullo's special devotion has always been to improving the customer experience and embracing specialized routes to market for transformational business solutions.
DiLullo’s professional experience includes extensive time domestically and abroad with market leaders such as Cisco Systems, Avaya, SonicWall, and Aruba Networks/Hewlett-Packard Enterprise serving customers large and small through traditional and emerging channels.
Prior to Forcepoint, he was Senior Operating Partner at Francisco Partners Consulting, a leading global investment firm that specializes in partnering with technology and technology-enabled businesses. He has also served as CEO of Lastline Security, a fast-growing Network Threat Detection company acquired by VMware in 2020.