Always look at infrastructure changes to make easy predictions about the future. You could get very rich.

A decade ago I attended meetings around the world where the topic was “how can we, as a country, join the Internet revolution?”  Brazil and Columbia stick in my mind. Don’t even get me started on Australia and their wasteful endeavor to create a National Broadband Network(NBN). I never had the floor but I wanted to stand up and shout “deregulation!” That is what sparked the internet revolution in the United States. In 1993, here in Michigan, it cost 8 cents a minute for telephone calls that went outside your immediate area code. You could be a mile away from your ISP’s nearest POP (Point Of Presence) and see outrageous phone bills that ratcheted up quickly at $4.80 an hour. At RustNet we sold internet access for $19.50/month. If we wanted to get customers in a different area code we had to put stacks of dial-up modems in an office in that area code. Then we backhauled the traffic to our main office and sent the packets out to the internet through our upstream provider in Chicago. (Anyone remember Net99?).

The big break up of AT&T had occurred in 1982 and the regional telephone companies (Baby Bells) started to compete for business after the 1996 telecom deregulation. Per minute charges went away just in time to fuel the rapid growth of internet subscribers. By that time the telcos offered their own backhaul so you did not need to maintain huge stacks of modems in every POP. You just paid for a T1 to the telephone company’s Central Office (CO) and they delivered the calls to you.

In 1995 I published a business plan for How to Start an ISP. It gave me great visibility into the wave of deregulation that was sweeping the world. As each country figured out that per minute charges were holding them back they would deregulate, encourage competition, and I would see sales of the plan going to that country. South Africa and Mozambique used my plan as a starting point. The internet took off. By 2005 you could tell which countries still had per minute charges. They had Internet Cafes because people could not afford to dial-in.

Of course 4G spelled the end to all that. Now you can get internet on your phone and, if you can tether your phone to your computer, you use that for internet access. I can get 95 Mbs over Verizon 4G.

Well 5G is going to explode many things. And it is coming fast. Ericsson predicts there will be one billion 5G subscribers in six short years.

What is different about 5G? It is very, very, fast. Huawei has tested 5G connections at 70 gigabits per second. Gigabits. At that speed even immersive experiences like SecondLife will work. No wonder people are excited.

But what could this do for security?

5G introduces new networking paradigms. It is going to have dramatic effects on the Internet of Things (IoT) as very small, low power radios will be able to connect. That will pose an opportunity for data theft and continue the weekly news cycle of privacy violations that we have come to know and love.

But think about what these speeds will do to your typical enterprise (and SMB) networks. Why would anyone use the pokey internet connection at work when they get 5G at home and on their smart devices? Businesses have already moved the critical tools they need to the cloud, (email to Office365, document sharing to Microsoft hosted Sharepoint or Google Docs, or DropBox, HR systems, Salesforce, etc. They don’t need your network at all. And if you force them in through a VPN they are going to be tunneling through your pokey network to get access to those mission critical services.

One company, Zscaler, saw this coming and started addressing the issue of protecting mobile connections a decade ago. 5G opens up some new business models that will compete directly with Zscaler’s offering of hosted network policy enforcement and traffic scrubbing.

Ever see the scene in Gettysburg where General Buford rants about how clearly he can see what will happen in the morning?

The hardwired connection is dead for office use. Sure, every firewall vendor will add 5G radios to their UTM devices for remote offices and HQ, just as they have added 4G. But going through a gateway means dealing with the slow wifi in the office. It will be faster for users to jump on the 5G network themselves. So they will.

Goodbye cable triple play. We won’t need twisted pair, CAT5, or fiber to the home anymore. All home devices, including your TV, will connect directly to the internet via 5G.

New, very fast growing, businesses will start up to address these problems.

Here is what happens next.

Stage 1. A startup that is probably already out there will introduce a policy overlay to the carrier networks. An enterprise will just enroll all employ devices and manage what they can over the network. It will be like a virtual UTM. They will encrypt traffic, filter content, and apply firewall rules. Managed Service Providers will do that policy work for SMBs.

Stage 2. The carriers will recognize that they have created a monster as every enterprise starts cancelling their lease line subscription. Seeing the opportunity, they will start to develop their own service offerings for security.

Stage 3. One carrier, late to the game, will acquire the fastest growing 5G security management platform from Stage 1.

Stage 4. All the other carriers will cut off that 5G management platform for their own networks and make their own acquisitions.

Stage 5. All carriers will bundle security into their offerings. Network security will finally be part of the internet.

This whole time frame will play out by 2030.

Thank you technology.

This article was updated slightly from the original post on Forbes.com from December 6, 2017

The following excerpt is from UP and to the RIGHT: Strategy and Tactics of Analyst Influence, 2nd Edition.  (That’s right look for a 2nd edition to UP and to the RIGHT, coming late 2018.)

There is a cadence to every journey UP and to the RIGHT in the Magic Quadrant.  And that cadence is different for every vendor and the journey can take many diverse paths.
The team responsible for charting the course UP and to the RIGHT is under tremendous pressure to achieve results. No board or senior executive will be happy until the only dot in the Leaders Quadrant belongs to them, or at the very least, their dot is the highest and farthest to the RIGHT.
Before discussing the value of UP versus RIGHT it is important to reiterate the difference in perception of MQs between the participating vendors and the ultimate buyers on which the MQ exerts so much influence.
Vendors tend to completely stress out over relative positioning and changes from one year to the next. Buyers look at MQs only in terms of the most current version and spend very little time parsing the nuances of which vendor is positioned in what way compared to the others.
Buyers are not stupid. They look to the MQ to validate and support their choices for short listing. They may talk to every Leader and short list a few of them for trial or proof of concept. In specific regional or vertical niches they will also talk to Niche vendors. If they are a big IBM (or Oracle, or SAS, or CA, or HPE) shop they will choose a Challenger.
To a buyer a vendor’s position in the current MQ is immediate validation. Typically they are completely unaware of the history of the path a vendor has taken to get where they are. They look at the position, they read the description and the Cautions, and make their decision on which to talk to.
Meanwhile vendors spend inordinate amounts of time and effort sweating about the deltas from year to year. While I have articulated a strategy of planning that movement, because without a plan you have no MQ strategy, it is still important to recast that strategy every year as the die is cast and the dots are placed.

DISRUPTION

In every technology industry there is a cycle of disruption. The innovators disrupt the established order with a technology that gets the job done better. Their journey involves displacing the established order. By engaging and influencing Gartner they can accelerate disruption if they can convince the analysts that they are 1.  visionary, and 2. they have demonstrated momentum.
But the current day Gartner analyst is often as conservative as their own client base. Gartner has often admitted that their own client base consists of primarily late adapters. They don’t want to change. They want to make safe decisions. They are not risk takers. If an analyst is actually visionary, if he or she has that Ah Ha! moment: this is the way the entire industry has to go, they risk everything by declaring so. This leads them to couch everything in terms of gradual changes and hope that the disruptive technologies being introduced will conform to the old way of doing things with minor enhancements.
In this way Gartner has often gotten it wrong. From networking to desktop operating systems they have missed predicting the waves of the future.
Every vendor that sets out to disrupt an industry hungers for a visionary analyst that will “get it” and help change the world by jumping on board early. That rarely, if ever, happens. The analysts have to be led the whole way. This is the reality of dealing with industry analysts, a reality that must be incorporated in an analyst relations strategy.

VISION Versus Ability to Execute

Now we turn to a specific path that a disruptive vendor takes to market leadership. Early success for a disruptive technology, especially if it generates sufficient industry buzz, gets recognized by the Gartner analyst. The most important driver for this recognition is inquiries from the Gartner client base. Early adapters (there are a few) report success with the new technology: cost savings, effective deployments, better performance, even displacing the incumbents altogether.
When the exhaustive MQ questionnaire is submitted it turns out the innovator qualifies for inclusion! It may make its first appearance as a Niche vendor to watch or even as a Visionary.  That inclusion should be leveraged as much as possible. The sales and marketing team can use inclusion in the MQ to open doors and at least start conversations. If the written commentary is positive too, the MQ can open doors to trials and eventually sales.
The real opportunity for any disruptive vendor is when its dot on the MQ starts to move upwards. This indicates that subsequent results as reported through the NDA protected questionnaire demonstrates growth in revenue, customer acquisition, partnerships, and channel participants.
Never forget that the “vision” axis of the MQ represents the Gartner analyst’s vision, not the vendor’s vision. In other words a disruptive vendor, one that is actually changing the makeup of an industry will not always be properly identified as the most visionary. That slot is held for the vendor whose products most closely match where the industry analyst sees the industry going. And analysts get it wrong. A lot.
But ability to execute, the vertical MQ axis is somewhat more objective. It includes real reported revenue. (Keeping in mind that some vendors lie. One network security vendor reported revenue based on list prices for years; in other words what customers might have paid had there been no discounts. That presented a particular problem for the new CMO who had to bring their reported revenue in line with reality at some point.)  Ability to execute also takes into account geographic expansion, funding, marketing and sales team growth and investment in product development.

UP over RIGHT
The key to understanding the value of vertical placement versus horizontal placement is understanding the buyer’s perspective. A CIO or whoever must make the vendor choice does not look at the history of previous MQs. He or she looks at the current one. Almost by definition, this is a person who is relying on a two axis chart to make important buying decisions, and they are going to be conservative, late adapting, typical Gartner clients.
The first impact of placement on the MQ is whether or not a vendor has crossed the line into the upper right quadrant, the Leaders Quadrant.  Being there means a good shot of being short listed for at least a meeting–a chance to make a sale or at minimum progress to the bake-off or Proof of Concept phase.
The second impact is validation. A buyer is leaning towards a new vendor, one which can displace the old technology that is not working. Here Ability to Execute is everything, while Vision can be a detractor. A buyer, especially a late adapter,  is not looking for vision, whiz-bang, cutting-edge, or change everything technology. The buyer is looking for a viable solution that will be the least disruptive to their current organization.  The higher the vendor places in Ability to Execute the better the validation the MQ provides.
This is why a vendor should not strive to be the most visionary. Demonstrated ability to execute is a much stronger indicator to the buyer that they are making a good decision. Gartner backs them up. Leave the “most visionary” position to the startup that happens to match the Gartner analyst’s perception of where the industry is going. Push that dot up rather than over. Get into the Leaders Quadrant early. As soon as that happens the disrupting vendor is on the same footing as the industry dinosaurs and only has to deliver to succeed.

Cybersecurity firms make a lot of claims, but the reality is that most enterprises are not as protected as they think. Mariano Nunez, founder and CEO of Onapsis, is tackling this problem from a different angle. He said that his firm is able to analyze a company’s security risks/vulnerabilities and provide an “unbiased perspective on what that risk means” for the enterprise.

“Maybe we know that because of your specific configuration or specific context, only 10 of [the vulnerabilities] are actually very critical and are the low-hanging fruit,” said Nunez. “We know that 100% security is impossible. From that perspective we help people prioritize and really only apply patches that they need to apply.”

Nunez shared these and other details with Richard Stiennon at the 2016 RSA Conference in San Francisco.

“We are really specialized and focused on business applications because they are very complex,” he said. “You’re talking about proprietary protocols, complex architectures that are dated or started in the ‘80s, as well as newer platforms like SAP HANA, which was released only a few years ago.”

Onapsis tries to simplify the process of understanding the threat model associated with these protocols.

“You really need to put a lot of effort in understanding how this is implemented and customized and deployed in real customer implementations,” Nunez added. “Anyone can look at a system in a lab and try to understand the threats to that system. What’s challenging – and where we have a lot of expertise – is understanding how these systems are run in a real life environment and what are the critical threats in those environments.”

In comparing the patch cycles for SAP and Oracle, Nunez said that he thinks that SAP is doing a better job.

“SAP is really improving in a lot of ways,” he said. “They’re improving the security patches, they’re [offering] more secure software out of the gate, and also releasing patches. But the main problem lies in people being able to digest those patches. The patch comes out, there is a known vulnerability that’s been exploited, and we have customers that we know are never going to apply the security patch. There is really a big window of exposure to both known and unknown vulnerabilities because of that. It’s mission-critical; sometimes people have fear of disruption and won’t apply the patch.”

Hackers are no longer limited in what they can accomplish. The world has transformed from an in-office corporate structure to a flexible environment that allows individuals to work for companies that are thousands of miles away. This is great for enterprises and for employees, but it has opened the door to new vulnerabilities.

“This is really challenging the existing security model,” said Junaid Islam, founder and CTO of Vidder. “One of the downsides of this new business environment is more cyber attacks. It’s so easy for hackers to get to you because there are so many ways to do it. They could go right after an employee working at home, using a home PC. They could go after a contractor.”

Vidder wanted to create a new security architecture that addressed the problems brought on by the evolving business world.

“Traditionally, security really came in the form of boxes,” said Islam, who spoke to Richard Stiennon at the 2016 RSA Conference in San Francisco. “You used to buy a box that did some security function. That was great when all your computers were in a single place and you could use a box to protect them. But now your assets are everywhere. You might have, still, applications in your datacenter. But you might have something in a cloud, so we developed a security solution based on a new concept called a Software Defined Perimeter.”

Software Defined Perimeter (SDP) allows enterprises to protect their assets wherever they are: in a datacenter, in the cloud, etc.

“We allow you as a company to have a consistent level of security across all of your assets…by having a set of checks that are performed for everybody,” he said. “The key is we do it super fast. When you want to sign in as a user, the first thing we do is check your device and see if your device is known by us. If it’s known, then you go to the next step.”

Then Vidder asks the user to sign in to see if his or her credentials are correct.

“The next thing we do is figure out what you are supposed to do in the company,” Islam continued. “Are you an executive? Are you a contractor? And then the final step is we create access for you. We use the term ‘precision access.’ This very simple mechanism is actually quite powerful. Instead of hackers being able to pretend to be you and access everything, the worst-case scenario is the hacker can only see what you can see.”

As a result, Islam said that Vidder “really changes the threat landscape by many orders of magnitude.”

Few companies have the time to worry about things outside their core businesses. This presents a distinct challenge whenever new technologies are introduced, especially as they relate to security and the rising threat of malicious actors. CloudPassage, an agile security platform for data centers, private clouds and public clouds, strives to eliminate that hassle.

“We can demo very quickly,” said Amrit Williams, CTO of CloudPassage. “It’s very easy for us to deploy. We can have somebody up and running in the afternoon and they could get a sense of how the system is looking.”

CloudPassage seeks customers that have some type of cloud initiative in place, whether it’s a shift to the public cloud or previous experience in private cloud environments.

“Most organizations are trying to understand how they can adopt this dynamic compute in one form or another,” said Williams, interviewed by Richard Stiennon in the above video. “Most companies have some type of initiative that they can get involved in, so we can show them the level of visibility and control that we can give them as they adopt the cloud.”

Enterprises are Taking Notice

CloudPassage’s Halo product (which provides protection and compliance for critical business assets) has been battle-tested by a number of leading enterprises, including eBay, Salesforce, Adobe and Capital One. They’re not the only firms that have taken notice.

“I was quite surprised when I looked back at the new customers over the past year,” said Williams. “It was very much spread across every industry. We were seeing folks in healthcare, insurance and financial services.”

Those firms were really dedicated to investing in a secure and better-protected cloud environment.

Cloud Infrastructure vs. Public Cloud

Williams said that he thinks there is a difference between the cloud infrastructure itself and the public cloud that providers protect, along with the workloads that could be compromised.

“They all have a shared responsibility model, where security is a shared responsibility between the organization adopting the cloud and public cloud providers,” Williams explained. “It’s not that you’re seeing big breaches of Amazon or Google. What you do see is people that are able to exploit companies that do take advantage of the cloud if they’re not securing their own environments properly.”

One company had to completely shut down because its keys were compromised.

“They had to put out a note within a couple days of this happening, saying, ‘We can’t recover from this,’” said Williams, who has worked hard to ensure that doesn’t happen to other firms. “Since our founding in 2010, CloudPassage has been focused on purpose building a security platform to address dynamic compute environments. It auto-scales, it can be delivered on-demand and it can work with micro services and architectures.”