Cybersecurity complexity is growing, and organizations are struggling to manage dozens of security tools while keeping up with evolving threats. In this episode of Threat Vector, host David Moulton speaks with Mark Hughes, Global Managing Partner of Cybersecurity Services at IBM, and Karim Temsamani, President of Next Generation Security at Palo Alto Networks, about a groundbreaking study from IBM’s Institute for Business Value.
They discuss how security platformization is transforming enterprise security, reducing mean time to detect incidents by 72 days, and driving a 4x ROI on cybersecurity investments. Learn how AI-driven security, automation, and consolidation are key to improving operational efficiency and strengthening security resilience.
Download your copy of Capturing the cybersecurity dividend at https://www.paloaltonetworks.com/resources/research/ibm-study-platforms-deliver-value
Protect yourself from the evolving threat landscape - more episodes of Threat Vector are a click away
Transcript
[ Music ]
Mark Hughes: The industry has in the past wanted to always lead the CISOs and others in most organizations in to a world of more tooling, more complexity. And that's not over. The one thing it has to start with the way we have to be is now we have to tend towards a platformized approach where we can get to that world that Karim's been talking about, a single plane of glass where we can almost unleash the capability that we have in our people to be able to do as I often describe it real security as opposed to administrative tasks of having to knit together different bits of technology. [ Music ]
David Moulton: Welcome to "Threat Vector," the Palo Alto Network's podcast where we discuss pressing cybersecurity threats and resilience and uncover insights in to the latest industry trends. I'm your host David Moulton, director of thought leadership for Unit 42. [ Music ] Today I'm speaking with two exceptional leaders in the cybersecurity space, Mark Hughes, global managing partner of cybersecurity services at IBM, and Karim Temsamani, president of Next Generation Security at Palo Alto Networks. Our discussion today focuses on the findings from a groundbreaking study from IBM's Institute of Business Value in collaboration with Palo Alto Networks on cybersecurity complexity and the transformative potential of platformization for organizations. We'll explore how integrated platforms can enhance security, streamline operations, and deliver strategic business benefits. Here's our conversation. Mark and Karim, welcome to "Threat Vector." Really excited to have you today on the podcast.
Mark Hughes: Thank you very much indeed, David. It's wonderful to be here.
Karim Temsamani: Thanks David. Really lovely to see you again Mark and I look forward to a very, very strong discussion about how we together improve the security posture of our partners.
David Moulton: Mark just take a second and talk to me about why IBM decided to research the impact of cybersecurity complexity and what role security platformization can have on an organization's security posture.
Mark Hughes: So the reason why we commissioned this research, it really comes down to the fact that we have been seen working with many clients as we have in IBM across the globe that they have been struggling with the complexity that has been really introduced through many years of just building more technology solutions in case -- the case in point in the papers. Up to 29 on average in most organizations with 83 different actual solutions underneath it. Put all that together and the reason why we wanted to get in to this and talk about this today was because we feel that there is an urgent need to really change the approach in security through platformization.
David Moulton: Well today we're going to be talking about a new report from IBM called "Capturing the Cybersecurity Dividend: How Security Platforms Generate Business Value" with two incredible leaders in the industry. Mark you've had an illustrious career across organizations like DXC Technology, BT Global Services, and now you're leading IBM cybersecurity services. How has your journey shaped your views on tackling cybersecurity's complexity?
Mark Hughes: Well that's a really good question. Complexity is the name of the game and has been for quite a long time in cybersecurity. I've seen many organizations really struggling with just the plethora of security tools that have built up over the years as we've been trying to really get to grips with the types of threats that are out there. Now I've been a CISO myself and I myself have been in a situation where we've been having to respond to new types of emerging threats which new threat actors come out with ever ingenious TTTPs, and therefore often the solution has been to add in another product which is just added to the complexity. So I think you've got a number of things going on. Firstly just the changing threat landscape, the number of tools which are developed to respond to that changing threat landscape, but very, very importantly we must never forget that the security tools exist in an IT ecosystem which extends across every enterprise and right the way through their supply chain. And it's that amount of change that is happening and how organizations are rearchitecting and taking advantage of so many of those new services, especially things like AI now and how they introduce those in to their -- in to the way in which they do their business. That also is increasing complexity. Add all of those things together and where you end up is really a dire need to address that. And today I think marks a really significant milestone in how we are thinking combined with Palo Alto Networks about how we can bring together and think about creating a more simplified landscape in terms of security tooling.
David Moulton: Karim I'd like to take it over to you. Your transition leading global roles at companies like Google or Stripe to driving next gen security for Palo Alto Networks must offer you some really unique insights. How has your background in innovative tech industries influenced your approach to platformized security solutions?
Karim Temsamani: Thanks for the question, David. And great to be on this podcast with you and Mark. A great partner that we have at IBM. Very simply I've been very fortunate to see platformization in action whether it was directly driving it in the ads business with Google, in payment and financial tools with Stripe, or just from a user perspective with products from companies like Oracle and Sales Force. And all through this I've seen that the benefits for the customers of the companies or for the companies themselves of platformizations are really evident. And what I'm seeing today is that the cybersecurity industry is incredibly fragmented. And it's really at a tipping point from my perspective to be able to drive to platformization. What's different however in the cybersecurity industry when I see the opportunity versus the other type of industries I've mentioned before is that in security you can't really talk platform without being the best in class in every area of the ecosystem. Now in other industries you could get away with some of the products not being best because the platform wins overall, but in cybersecurity you have to be best in every single area of cybersecurity and then create a platform that brings all the benefits together. And what's really great about Palo Alto Networks is that we have a phenomenal platform story and products that are leading in each cybersecurity area.
David Moulton: Karim let's start with a question that I'm sure that you get all the time. Can you tell me what you mean when you say the word platformization?
Karim Temsamani: Sure. Let me first step back and give you a perspective on why platformization is required and then I can talk about what we mean exactly by platformization. We really started this journey really listening to our customers and trying to understand their pain point. And today every company deals every single day with an increasingly complex and evolving cybersecurity environment. The surface area of what you need to protect has dramatically expanded. Now think about, you know, in your daily usage at work the devices you use, the hosted apps you use, the IT devices that all have IP addresses. And of course not every company's moving to the cloud. All of this has brought tremendous complexity in the environment. Now think about the fact that the data that we used to use in our companies used to be within the company's four walls. And the networks that were running access to the data were all private and essentially run by the company. Now employees can run from anywhere and access information from everywhere. On top of that, and that's obviously a more recent factor, you now have AI adoption which is really further fueling the trend that we're seeing and also needs to be secure. And finally on the propriety side you have the fact that the attack severity really is intensifying. And just to give you a point of context here it used to take attackers nine weeks to exploit vulnerabilities three years ago. Today it takes a week and we project it will take less than 60 minutes in 2026. So, you know, when you sort of see the landscape here and you understand the pain points that customers are facing you step back and say, "How do we solve for this?" And essentially we see that platformization is a strategic approach to consolidating and integrating all security solutions. What you get is AI and automation. Much richer data so that you can understand the threat problems. Best in class products in each category. Better and faster integrations. And ultimately a single pane of glass for security operations. So the end outcome for this is no more tools from pain point solutions that don't talk to each other, but real time security with a single data platform powered by AI automation. And it means that our customers have transformed the security posture with time and money savings.
David Moulton: Mark the study reveals that organizations juggle an average of 83 different security solutions from 29 vendors. Can you set the stage for how that complexity and fragmentation is challenging organizations' security posture?
Mark Hughes: It's a great question, David. And it really is a huge challenge. I've never met a CISO or anyone in security operations who said, you know, "I really love the fact that I've got 29 different panes of glass from different vendors to be able to think across and having to really contextualize and bring those signals together and that telemetry together across all those different vendors" which they're running. And it's not just that. You said it in the question. It's 29 vendors, but 83 different security solutions as well which quite often in many organizations those solutions are not particularly integrated either. So, you know, the complexity just gets greater when you think about the permutation of 29 vendors and 83 security solutions. But there's a bit more that the study actually even talks about which I just want to just dwell on. It's that it also talks about the fact that when we asked the thousand, thousand people, which is a lot of clients about what they thought about it they said that basically half of them said that they're not really performing as well as they could be. And that their current way of operating isn't effective. And when we think about what Karim was just mentioning about how quickly we have to be off the mark to be able to thwart the threat actors today that complexity and that fragmentation immediately induces delay. And, you know, really the one thing in security that we need to buy ourselves whenever we can is time. The quicker we can detect means the quicker we can contain. And it's pretty straightforward. It's a principle that applies right across the spectrum of security, not just in cybersecurity. So add all that up and where you get to is the absolutely increased likelihood that an organization is going to not be able to get to that detection point and therefore containment point quickly enough which will absolutely render them more vulnerable to an incident. But more importantly the cost that it drives to slowing organizations down and really adopting the new types of technology which they need to remain competitive in their markets across all industries is really foundational. And that's why those organizations that we found in the study that really have adopted platformization really have seen some spectacular results. Much better return on investment from their security investment, but most importantly it just unleashes their organization to really transform and grow in a way in which those that haven't just really can't.
David Moulton: So Karim let me take it back over to you. Platformization or platformized organizations experience a 72 days shorter mean time to identify security incidents. Let me say that again. 72 days. That's several months' improvement. That's incredible. So how does this improved detection time translate to better overall security and potential cost savings?
Karim Temsamani: Every day at Palo Alto we see and block over 11 billion attacks. Over 20% of these attacks are new and unique events that weren't even there the day before. So you know the amount of problematic issues that companies are facing are not only increasing dramatically, but there's new threats and challenges every day. And on top of that the time from compromise to exfiltration is moving faster than ever because some of the trends that we just discussed. So it was 44 days in '22 which now happening in hours today. And, you know, it brings back to the point that if you really don't see all of these issues in a single platform you're not going to know how to react. And if you're not using AI to fight these attacks you're always going to be too late. So because we use AI we can really prevent these attacks 60 times faster than before without using AIs. And I think that the first point here is that when our customers are using a platforms they see a massive improvement in the security posture. That's you know before the sort of financial that's the most important point that the security posture is incredibly stronger. And essentially we see with that medium time to detection drop from weeks to hours or even minutes. And then you can think about the financial aspect of it and the consolidation of multiple tools provides a nearly 4X better ROI on the cybersecurity investment which is obviously an additional great benefit, but the more the core benefit that they get is that they've solved the security problems.
David Moulton: So it seems like the win win. You're able to go faster, get those results at the security level, and the cost is dramatically 4X better. Mark, the report indicates that organizations using platformization have an average ROI of 101% compared to 28% for non adopters. Talk to me about the factors that contribute to this significant difference in ROI.
Mark Hughes: Yeah. So I think the -- I think the first thing is just simply about having the ability to get a better security outcome as Karim was just saying in terms of being able to respond more quickly to what's actually going on. But to be able to do that I think we have to appreciate that all our clients start from different places. And here at IBM we work very closely with our clients, consult with them, to take them on that journey where quite a -- as the report suggests, many organizations aren't at the state where you can really get that return on investment that we're talking about. So understanding that there is almost a stepped approach, a modular approach. Sometimes the tools that they're running have been there for some time and transitioning away from those in to the more platformization -- platformized approach can take effort and has to be done carefully because it's security after all. And systematically. So I think the first step is always about thinking about the overall security strategy to really drive the return on investment. So there has to be that standardized approach and there really has to be that drive to say the outcome that we want to get to is that platformized approach, not, you know, we actually like a few of these things and we're going to continue with that but not this. The strategy has to start with the end in mind. That's really where the return comes from. So it has to be one of simplification. And as I often say to many of our clients that I talk to, if you actually look at the incidents and what actually is driving those incidents quite often that is not driven from the complexity of the type of threat that organizations are facing. It's more driven by the fact that they might have controls in place that are easily capable of dealing with those types of threats, but they just haven't been able to apply them comprehensively across that complex environment that they have. So simplification has to be the starting point to drive a standardized approach. And that means that there isn't then this piecemeal of something's been done fairly well and some things not and partial implementation here which is often the case. So simplification that also drives then simplification in the processes and the way in which they contextualize those alerts to be able to respond to them quickly. So all of that requires a lot of work and then I think just once the adoption of really once you've adopted the platform approach really being able to knit the processes, procedures, around that. And I think that one of the most exciting things about this is being able to -- being able to elevate the skills in the -- in those people who run these tools who before may have had, you know, work which is often having to be really forced the attempt to try and knit this stuff together whereas now almost it unleashes those individuals. But ultimately beyond that where you get to and the paper talks about you know a 5% saving overall for organizations the benefits drive even more broadly as I was alluding to earlier about the overall digital transformation for an organization being able to then really move at pace much more quickly in everything they do in IT because they can get that security in place in a much more effective way and much more quickly as well. [ Music ]
David Moulton: Karim in the paper we've got folks that have already gone through platformization. They see the benefits. They're experiencing the benefits. They're championing those benefits I hope. But in your role you're going in to a customer that maybe hasn't gone on this journey yet. How do you guide a customer to see the benefits, to see the value of the returns of platformization?
Karim Temsamani: Well very simply we talk again about a lot of the issues and pain points that they see. And, you know, interestingly often when we have discussion with customers we essentially start those conversations by listening to the voice of the customer and listening to their pain points. And every single time I've been in this presentation they talk about their pain points and then we show our slides with regards to what we hear from, you know, other customers. And they're the same pain points. And a good point here is that once we understand these pain points security is solvable. With the right combination of real time analytics, AI driven insights, and a cohesive platform you can really make the company safer and much easier to deal with. The other thing that really excites me is that this interaction, this understanding, doesn't just solve security. It really elevates it. It really creates an opportunity to unlock potential and enable growth for a company. Like platformization AI are just more than a technique or shift in our mind. They really are a business strategy. And if you really think about it and, you know, think about what you can achieve with proper cybersecurity, the shift has the potential to elevate threat intelligence, drive real time responses, and show regulatory compliances and all of that while reducing costs. And we really think that as we continue to make changes and we expect in the coming years to see the convergence of code to cloud to SOC in a unified infrastructure to enable AI powered analytics from every point around the attack surface. Now from the start of code vulnerabilities during the development of real time monitoring of your client environment down to the SOC and managing center's responses you are going to essentially drive better outcomes for the companies and better ideas and investment from all the companies.
David Moulton: Karim, according to the study 7 out of 10 highly platformized organizations say their cybersecurity investments positively impacted operational efficiencies. How does platformization drive these business benefits?
Karim Temsamani: Let me go back again to what we're hearing from customers. I think it's really important here. Leaders of various organizations told us that they estimate that fragmentation and complexity cost the organization an average of 5% of their annual revenue. 5% of their annual revenue. That's just a massive cost of doing business. We also hear that fragmentation leads to higher procurement costs and massive pressure to reduce the cost of security. And I think Mark talked to some of it. His discussions with procurement leaders in various companies. There is definitely a ton of pressure there. So it's not a surprise. If you have a massive sprawl of tools your IT needs to know how to run all the tools individually. Then they need to know how to get all these tools to work together when they actually were never designed to work together. And they need to higher a lot more people to cope with the alerts and the problems and the CISOs will tell you that finding and retaining the right cybersecurity talent is a real problem in the industry because there are far more jobs than there are experts to fill them. So with a platform approach we really can show the benefits of a simpler unified architecture and a much much better user experience and benefits across all of these issues I've just highlighted.
David Moulton: Mark, let me take it to you. Do you see a similar pattern in operational efficiencies when implementing platformization at IBM's client organizations?
Mark Hughes: Yes. Certainly. So I absolutely -- we absolutely do. And firstly we really have to understand the unique issues that each client has because they are always going to be very specific to that particular client. So being able to have that insight which we have through the work that we do and the consulting work that we do with our clients here at IBM really allows us to be able to capture that and then say well Karim was just referring to what is that architecture. What is that way now of shifting from that hitherto inefficient non resilient approach to the platformized way that we are that we've said drives so many benefits. So it's about understanding those challenges that those clients have and then really mapping out that approach often very specific to that industry that they are operating in. We know that different industry sectors have clearly different challenges when it comes to security, often are regulated in very different ways as well. So I think those are very important in terms of driving the operational efficiency because ultimately what we see in many clients is the current security posture is often very heavily over invested in and I always think that there is a paradox in many organizations when they often talk about the fact that they don't have enough to invest in security. And the general theme is one of more investment. And quite often with many clients that I see and the insight that we have here at IBM is that actually that's not the case. The reality is there's not necessarily a requirement to invest, you know, more. It's about investing smarter. And in a way in which it's going to drive much better outcomes to allow the organization -- it's a journey.
David Moulton: The study mentions that 95% of the executives who's adopted platformization see security as a source of value compared to just 8% who didn't. I'm actually curious what they were thinking when they think security provides no value, but we'll let that -- we'll let that slide. What shift in perspective does this represent? And how does this impact security investments?
Karim Temsamani: Yeah. So I think we're seeing a major shift at the very top of organizations. I was a CO of a public company before I joined Palo Alto Networks and I can tell you that cybersecurity was at that company a board level discussion and I know in most companies and certainly a lot of the companies that Mark and IBM are working with it's a top board discussion every single quarter with updates that are more frequent because it's really becoming part of the strategy for the company. An important part of the strategy. And the great thing is that it's bringing the IT team to be a very strategic team for the company. And we really have gotten there because of the speed, scale, and sophistication of the attacks we're discussing, and those attacks are only increasing every year. And the leadership therefore needs to think about all of the potential impacts a company could face from a bad security posture or even worse a security incident. Can really damage your brand reputation which is for most companies incredibly valuable. It can hurt your customers' trust in your company and makes it harder to sell to customers or retain customers. It can result in conversations you hope you never have with the SCC. It can be something that leads to loss of company secrets, intellectual property, or confidential information that can be exfiltrated. I know we've seen this year that the impact can, you know, essentially be in the millions if not billions of dollars. So it's a real problem for companies if they don't think about it from a strategy perspective with the board being involved with the executive teams really understanding where they're at. And the reality is that no company is immune. So, you know, we're seeing this shift and I think this shift is only going to accelerate and that's why we're, you know, so you know driven to be engaged in this platformization story because it can really lead to much better outcomes in solving some of these problems.
David Moulton: Mark I saw you nodding along when Karim was talking about the shift to this being a board level conversation. I'd be interested in getting your take on, you know, why this perception shift has occurred and what does it mean for security leaders.
Mark Hughes: In the board room we're having that discussion. What I have seen having done many of these discussions and been involved in them in various board rooms is that this complexity that has really grown up in security actually really hampers that discussion because quite often the ability for the individuals who are responsible for security find it very hard to articulate the real risk posture that exists within the organization. It's quite a difficult but not impossible thing to do. There are many adjacent areas where measuring risk of this type, the nature of the risk to decide a risk, is quite feasible to do. But when assessing what the risk to the organization is that can be done in a multitude of ways looking at, you know, other organizations that may have been impacted. But then understanding what the efficacy of the controls and therefore what the actual residual risk is for an organization this very complicated landscape in a non platformized world is it's actually very hard to get to the point where you can articulate quite clearly to say, "Actually how effective is this security investment that we've made? Are these controls really running in a way that actually help us manage the risk in a proportionate way and treat it in a way in which we need to that's right for our business?" And so the board room conversation is, you know, one number of reasons why it's absolutely in the board room, but also why that board room conversation has been I think really inadequate for many years. I mean I've been in the middle of many of these conversations. It's very hard for boards to really pin down really what risk. What is the residual risk that we're facing as an organization?
David Moulton: You know, Mark, I've heard you talk about this idea of procurement needing language. Now boards needing language. I think one of the things that's coming out as a theme in our conversation, maybe in the research, is the language to articulate what we do want, what we don't want, and how to talk about it in a way that's actual communication. I don't know that the theme of the paper was to get people the language they need, but it certainly strikes me that that's one of the benefits that's starting to show up here.
Mark Hughes: I certainly I really do think so. And there is just a lot of complexity that has been introduced in to this environment for one reason or another I think over as I say many years. And it has been foundationally and fundamentally unhelpful in a way in which organizations are quite good at managing and coping with an assessing risk in areas which are complicated as well. Right? Security doesn't have an automatic right to be the only complicated space in an organization, not a bit of it. You know. And it always, you know, it's always I've always been curious as about why it is that we've landed in the situation we are. But we are where we are as they all say and now is the time to move in to a world where we can put that behind us and align the security activity across an organization very much the way in which organizations understand and run and manage risk day to day operationally to make their businesses thrive.
David Moulton: Mark, Karim, thanks for a great conversation today. I really appreciate you sharing your insights on the research and why platformization is such a game changer in security.
Mark Hughes: Thank you very much indeed, David. It's been great to be here.
Karim Temsamani: Great to be with you and Mark. Thank you.
Mark Hughes: Thanks, Karim. [ Music ]
David Moulton: That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple podcasts of Spotify. Your reviews and feedback really do help us understand what you want to hear about. If you want to reach out to me directly about the show, email me at threatvector @paloaltonetworks.com. I want to thank our executive producer Michael Heller, our content and production teams which include Kenne Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then stay secure. Stay vigilant. Goodbye for now.
