Regulation, Revenue, and Reluctance: Selling to OEMs in Cyber
The Cybersecurity Go-To-Market Podcast, June 05, 2025, 00:19:55, 13.73 MB

Are you struggling to identify the most lucrative customer segments for your cybersecurity solution? Wondering how new regulations are shaping buying behavior among OEMs and enterprises? Curious about how innovative technologies and partnerships can accelerate your go-to-market and revenue growth? This episode is packed with insights tailored for sales and marketing leaders at cybersecurity companies who are eager to drive faster and smarter sales outcomes.

In this conversation we discuss:
👉 Evolving the Ideal Customer Profile (ICP) for NetRise and adapting to changing buyer motivations
👉 The growing impact of global regulations and software supply chain transparency on the cybersecurity sales landscape
👉 How ecosystem and technology partnerships unlock new growth channels, especially through innovative data integrations

About our guest:
Robbie Robbins is the VP of Business Development and Partners at NetRise. With a rich background in cybersecurity sales, BD, and partnerships, Robbie brings firsthand insight into scaling go-to-market efforts in one of the industry’s most dynamic segments.

Summary:
Tune in as Robbie Robbins shares how NetRise is adapting its GTM strategy, leveraging partnerships, and responding to regulatory headwinds to build awareness and accelerate sales. You'll hear actionable advice and real-world examples that can inform your own sales and marketing initiatives in the cybersecurity sector. Don’t miss this opportunity to learn what’s working from industry practitioners—listen now!


[00:00:00] Hey, it's Andrew here. Just quickly before we start the episode, I want to tell you about one of my favorite newsletters. It's called Strategy of Security. If you want to understand the companies, ideas, and trends shaping cybersecurity and its sub-markets, you should take a look. Cole Gromos runs the newsletter and he has spent the last 20 years in cybersecurity, including stints at PwC and Momentum Cyber, the investment bank dedicated to cybersecurity. Recent articles I'd like include,

[00:00:30] how could platformization work in cybersecurity where he talks about there being lots of single-vendor platforms, but not a multi-estate platform. And also one called Demystifying Cybersecurity's Public Companies, where he explores the pure-play ones and also hybrid companies which are in cyber. He lists all of them and then breaks down the numbers in all sorts of different ways. Now, this is not a paid promotion. I just simply enjoy what Cole is publishing. Check it out at Strategy of Security.

[00:01:00] Now, on with this episode. Welcome to a special episode of the Cybersecurity Go-To-Market Podcast. We're recording this at the 2025 RSA Conference in San Francisco. And right now we're with Robbie Robbins, the VP Business Development and Partners at NetRise. Robbie, welcome to the podcast.

[00:01:32] Thank you, Andrew. I'm glad to be here. Now, you had come a long way for this conference, right? Yeah, I had a tough commute over the Bay Bridge this morning, which was a little bit longer than it normally is because of all the enthusiasm around RSA today. The bridges were packed? Is that what you're telling me? Even more than usual? Well, I'm kind of jealous because I'm not someone that sleeps well in other beds except my one at home. So the fact that you get to go home at night and have that experience, I'm very jealous. Yeah, if only it was a little longer sleep.

[00:02:02] Yeah. Well, this is the second time someone from NetRise has been on the podcast. I interviewed Tom, your CEO, two years ago, actually, this month, April 2023. And that was early on in the growth of NetRise. So I was interested in getting his perspective then. And I'm kind of interested in how things have changed. I remember talking to Tom at the time, and he was thinking about the plan, the ICP.

[00:02:30] We talked about whether it was going to be in the enterprise, enterprise buyers, whether it was going to be OEMs buying. And I'm sure you've learned a lot along the way. Now, you're in the company a whole month now, so we're going to challenge you to be a product expert and all the rest of it and know the ins and outs of it. But we'll see how the conversation goes. I'll do my best. So let's talk about where the company's focusing them for 2025. Where is the ICP that you're thinking is where the rich vein is for NetRise? Yeah, kind of taking a broad stroke, right?

[00:03:00] So we kind of look at our market in kind of three areas. One is the equipment manufacturers, the people who are creating products. Enterprises, people that are consuming or using the products. And then there's kind of a horizontal layer of service providers, folks that are providing services to both the device makers or equipment makers and the enterprises. And when I talked to Tom, the product was primarily a firmware discovery assessment product. How has that evolved?

[00:03:30] That's right. That's kind of where we've come from. Our roots were around a binary composition analysis of looking at a firmware, reverse engineering it and finding vulnerabilities. Since 2023, we've actually expanded our capabilities quite a bit. So instead of just firmware, we're now looking at compiled code, operating systems, containers, VMs. It's a very broad solution offering as far as the types of files that we will analyze and evaluate.

[00:04:00] And on the OEM side makes sense, right? We want to go to the OEMs who actually have their firmware, which we're looking at and other things as well. What's their appetite for really tackling this? Like, is it kind of like they're interested, but not sort of motivated? Are they all in going, no, we need to know this stuff so we can go fix it? That's a great question, right? They're very reluctant to actually fix the problems unless there's a monetary penalty, so to speak, or a customer driving them to do it.

[00:04:26] So from the equipment manufacturers, often they're very reactive, you know, only fixing something once there is a product security incident that's been released, or somebody goes public with a disclosure about a problem in their equipment. And I seem to remember that we were talking with Tom that we understood the motivations, right? At the end of the day, they're manufacturers of software or hardware. That's right. They're not security companies, so they have a very different lens they look through. But it's interesting, the pressure.

[00:04:55] I'm wondering, what about legislation? What's changed in the last couple of years, three years about that that's maybe driving a little bit different behavior? Yeah, that's actually a great point, right? There's a couple inflection points, and one of them is the regulations that are really kind of driving enterprises, government agencies to really look at kind of what's inside, what they're fielding in their enterprises, right? So Executive Order 14028 that required a software bill of materials for anything running in the federal government, for example.

[00:05:24] You know, there's the Cyber Resilience Act in Europe, which requires some level of transparency of software and equipment that's being fielded. So there's a number of these global regulations that are really kind of raising the bar as far as equipment that's being deployed in critical infrastructure. Is there teeth behind the legislation? Absolutely. So what happens?

[00:05:45] You know, there's a fair amount of pressure from enterprises that they push back to the manufacturers to actually fix the problems before they fix it. So most of what happens is, you know, kind of it's not financially punitive. It's rather kind of reputation or brand damage that the equipment manufacturers will face as far as, you know, procurement officers, you know, kind of holding purchase orders or potential purchases hostage until they actually fix some of the problems.

[00:06:15] There isn't like the GDPR 4% of worldwide revenue fines if you don't do things like that, is there? I haven't seen that yet. But there's certainly in the executive order a fair amount of kind of punitive requirements to before you can field something in the federal government, you actually have to have a software bill of materials. Right. So just that requirement is pretty significant as far as the equipment manufacturers producing a manifest of what's inside. So that's where NetRise is right now. Now, you just joined a month ago. That's right.

[00:06:45] We're heading up BD and Partners. Why did you join NetRise? Yeah, I mean, that's, you know, kind of one of the topics you mentioned was really around the timing. Right. I found that the timing is right to actually surface and solve this problem. Another big reason why I joined is kind of the technology. Right. I mentioned the multiple parts of the attack surface that NetRise will approach or solve. And kind of the third component is really around the team. Right.

[00:07:13] We've got a group of former cyber operators that kind of understand this from an offensive security point of view. So the timing, the technology and the team are kind of the things that really compelled me to sign on and help lead the BD and partner effort. And what are you looking to achieve in that role in 2025? Yeah. So it's something that, you know, we're trying to build a brand and brand awareness around something that people aren't really thinking about and looking for. Right. So we've got a couple of key things that we're focused on.

[00:07:41] And one of them is really building that awareness through kind of an inbound sales motion of trying to drive people through our inbound motions. Kind of the second is our outbound of our team really looking to find buyers and people that are concerned about this problem. And the third is really around how do we build an ecosystem and a partner, a community that can help us with that brand awareness initiative. Yeah. You mentioned partners earlier on. And who is a partner then? Who's an ideal partner?

[00:08:10] So we've got a couple kind of categories of partners, right? There's the typical value added resellers, distributors, which is a big part of our go to motion market. Go to market motion, excuse me. Kind of another is around kind of managed service providers, people that are taking our technology, wrapping their services around it and offering it as a managed service.

[00:08:28] And kind of the third bucket, if you will, is around our technology ecosystem partners, people that are looking to extend their value by using our capabilities to solve more of the problem than just SBOM, for example. Where's the biggest opportunity of those three?

[00:08:42] In my opinion, it's with the technology ecosystem partners that really allow us to get a broader audience and people that could leverage the NetRise dataset, which we're looking at basically the compiled code, deconstructing it, finding all the components inside the code and the subcomponents and the dependencies. So it's a very rich dataset that I think will be very valuable for the technology partners in our targets. Who's an example of a technology partner?

[00:09:12] Well, you think about kind of risk scoring or people that are doing like a SecurityScorecard or a BitSight that are providing value to the C-level executives or kind of their risk posture. So wouldn't it be useful to understand what kind of the equipment in my enterprise and what the risk to the enterprise is of maybe fielding something that has bad code or implants or something along the lines of insecure software?

[00:09:39] And are they looking at NetRise as a revenue stream that they have an add-on to their product or is it going to be built in and they're looking to compete better? The former. It'll probably be a, you know, depends on, you know, each one's going to potentially be a unique snowflake, but I expect it to be kind of, we help them accelerate revenue and look at another revenue stream with the NetRise datasets. Now, just recently, you guys announced the round of funding, so congrats on that.

[00:10:04] You also announced something called ZeroLens, which I looked at and my technical chops didn't stand up very well trying to understand it all. So for a layman, I'm a simple guy from Scotland, right? So you have to kind of break it down for me a little bit simply. What is ZeroLens all about? So you think about the data that we have, right? We're basically deconstructing what's on a device.

[00:10:28] ZeroLens basically allows the penetration tester, the offensive security operator to really find weaknesses in the code and potentially find what is exploitable. So if you put your penetration test or offensive security hat on, that information is very valuable. So you can kind of whittle down what you want to focus on to what is, quote, exploitable or reachable in the environment. We allow the offensive operator to do that quicker and faster and cheaper than they had done kind of the manual way.

[00:10:58] And is that a big impact for them or is this a marginal just to do your job a little bit better? We believe it's going to be a very big impact, right? So you think about the number of CVEs or vulnerabilities that a typical device would have, maybe 10,000, 12,000. If you could whittle that down and only focus on the 200 that matter, that's really what ZeroLens is going to allow you to do. Those vulnerabilities that are CWEs or kind of categories of CVEs,

[00:11:27] that's where the offensive operator focuses their precious time on trying to understand what's exploitable and vulnerable. And when I think about lens and a name, it's probably a visibility thing. What happens on the remediation side with net? That's a great question. So we don't actually do the remediation. We simply inform a remediation process.

[00:11:47] So GraphQL API from both the ingest and the exfil have taken our data and put it into incident response workflow, for example. So you think a JIRA or ServiceNow that kind of manages the change management and remediation efforts, we're simply providing data to those workflows. Okay. You said something before about awareness, using the partners for awareness. Where is the market right now on awareness?

[00:12:16] Are you doing a lot of evangelizing? Yeah. I mean, so Andrew, I've been kind of focused on this problem for a fair number of years since 2018. And in the early days, we were doing a lot of evangelizing and events like this where we were trying to get the urgency risen. So we're still doing a fair amount of awareness and kind of evangelizing. However, it's significantly different than it was in 2018. You know, the regulations that are driving the requirements.

[00:12:44] So I would say we're still trying to build a brand, a NetRise brand to the partner ecosystem and the broader community. So our evangelizing is less about the problem, but more about the partners that we want to sign on and bring along in the journey. Are there any examples of good awareness things you've done or you've heard about happen with Tom that go, oh, yeah, we need to do more of that sort of thing? Yeah. So events like this, right? So kind of one to many opportunities is where we've spent a fair amount of time.

[00:13:14] And Tom's done a great job of kind of building the brand and building the community. I would say we need to do more of this. We did a live cast on LinkedIn Live earlier today from the RSA show floor. So the more we can get kind of awareness and kind of one to many evangelizing opportunities, that's where we'll spend a fair amount of time. Now, you're heading up BD and Partners. What about the rest of the go-to-market sales team? What does that team look like, types of roles that you have?

[00:13:42] Yeah, we have kind of direct sellers, folks that are kind of this indirect team that I mentioned. We also have kind of the inbound motions that we're fielding kind of inbound requests. So typically they're kind of the same team. They're just different hats that different members of the team play.

[00:14:00] And the kind of partner focus is really kind of, you know, kind of my charter of how do I build relationships with partners that have kind of an understanding of our solution and how we can solve their customers' problems. Is it direct selling team? Are they, do you call them specialists in this area or they're just good salespeople who you've trained into working in the area? Our team, you know, that's part of the attraction for me, quite honestly, was the team, our experts, right? They kind of understand this problem area.

[00:14:28] We have a couple of kind of key engineers from this binary composition analysis background that really makes them kind of experts in the field. So you don't necessarily have to be an expert in the subject to be able to sell this and represent it. But our team is very much knowledgeable and I would consider them experts. Change of pace. AI in sales.

[00:14:53] A lot of buzz right now, what it could do, what it doesn't do now, tomorrow, next week. What are you most excited about where AI might help with your partners and BD efforts this year? I think for me personally, I'm still a little skeptical on AI, right? I'm not writing my proposals with AI and generating all my LinkedIn posts and stuff. I see really the value for me with artificial intelligence is really how do I automate some of my outbound work that I'm doing.

[00:15:21] So I do a fair amount of automating my LinkedIn outreaches using AI that's helped me really scale my effort, right? And to touch more partners and people in the community. Seems like that's a natural place for me to start, right? It's safe, right? Right. And it's a little bit easier to audit than it would be just having, you know, Gemini write my proposals. That hallucinates 30% of the time. Or hallucinates a 30% discount. That too. Yeah. Sorry, Tom. It's a smaller deal size.

[00:15:51] It was AI that dropped our price for us. No, I think there's a lot of opportunity there, right? To really change how we go to market with some of the new tools out there. Well, Robbie, great to have you on the podcast. We appreciate you joining in a busy week for you all. Well, thank you very much, Andrew, for the opportunity and look forward to doing this again, maybe. Here we are again for Visionary or Smoking Crack. Why don't you introduce yourself? You got Jake Olasco, Valence Security, Global Channels.

[00:16:20] Jake, I'm going to throw out some bold predictions at you right now about sales and cybersecurity sales. You tell me, am I a deep thinking, insightful visionary? Or did I inhale a little bit deeply walking through the Tenderloin this morning on the way to this meeting? You ready to go? I'm ready. First one.

[00:16:38] By 2030, so just in five years' time, 80% of cybersecurity purchases under $100K will happen without a human seller or a human buyer, just AI agents doing their thing. Is that visionary or is it Smoking Crack? Scarily, it could be visionary. Ooh. What gives you hope that it might be? Or what gives you fear that it might be? I think hope that it won't be is job security.

[00:17:06] But I think, you know, just with all of the stuff that's kind of like coming up on the AI side, there's a really real, you know, between marketplaces, AI and coming together. There's a real there's a real chance that happens. All right. Number two, in five years' time, more CISOs will report to the CFO than those that report to the CIO or CEO. And sales will be a finance-first, security-second motion. Is that visionary or is it Smoking Crack?

[00:17:35] Ooh, hard hitters today, Andrew. That could be a little visionary, too. I think we are seeing a trend of some of that security organization going into the finance org. And we've certainly seen in some larger prospects and customers. So I think probably go again visionary. More visionary than Smoking Crack, but maybe a little unsure. But could be a bit of a mix of both. All right. Third one.

[00:17:59] In 10 years' time, both the RSA Conference and Black Hat will be dead, completely gone. Is that visionary or Smoking Crack? Smoking Crack. I think they're here to stay. Why do you say that? You know, there's 50,000 plus people at these events, right? I think it's such an important part of the industry and how we do things. I would never want to see it go away. So maybe it's wishfully Smoking Crack. All right.

[00:18:27] Recently, Google announced they were acquiring Wiz. And some people in the industry called it G-Wiz. So prediction for you. Within 12 months, the OT security company called Insane Cyber will buy another OT security company that's called Sanctuary. And the combined company name will be changed to Insane Asylum. Is that visionary or Smoking Crack? It's visionary. Just do it. Just do it. It makes so much sense. It's fantastic. All right.

[00:18:56] Well, Jake, thanks for joining us. Thanks for having me. It would mean a lot to me and to the continued growth of the show if you'd help get the word out. So how do you do that easily? There are two ways. Firstly, just simply send a link to a friend. Send a link to the show, to this episode.

[00:19:25] You can email it, text it, Slack it, whatever works for you and it's easy for you. The second way is to leave a super quick rating. And sometimes that can seem complicated. So I've made it as easy for you as I can. You simply have to go to ratethispodcast.com slash cyber. That's ratethispodcast.com slash cyber and explains exactly how to do it. Either of these ways will take you less than 30 seconds to do and it will mean the world to me. So thank you. Thank you.