As the Digital World Expands Massively, We Have to Secure It!

Christopher Gannatti:
Welcome everybody to our discussion today. I'm particularly excited to be here as WisdomTree's Global Head of Research, because it feels to me like we're getting the band back together. Aaron, Gal, and I were traveling to five cities in five days in a row. It was a bit strenuous, so Aaron and I actually got COVID right afterwards, but in the end we had a great time back in September. And we're looking forward to essentially giving an updated view of the cybersecurity landscape today.
Before I allow Aaron and Gal to introduce themselves, I'll just give people a sense of our plan. We do have one. We're going to start, because definitely in the cyber space you see a lot of headlines, we were a year ago thinking about, okay, is Russia ultimately going to invade Ukraine? And we kind of know how that went. So a year ago we had those type of headlines, and we still see things on that topic. But you also see certain examples of things getting hacked and cyber insurance and whether or not companies are protected or have to pay out. And there's almost five or six new headlines per day depending on what publications you're focused on.
So it's always good to have Gal sort of go through the landscape, go through some of the things that he's seeing as a practitioner, an expert in the space. And then we're going to spend some time talking about themes. Frequently, in our discussions, if you basically ask us where does the rubber meet the road? The rubber meets the road with an actual investment. Why is WisdomTree here today? Well, we create innovative investment products and ultimately if people agree or if they're thinking, "Yes, that tool fits my objectives in my portfolio," there is a particular ETF that they can select.
And so if you were to say, because there are many cybersecurity ETFs, "What's unique about WisdomTree's? It really comes down to something we call these distinct themes. Last year there were seven, this year there are eight. So today's the first day that we're going to be talking about the eighth new, one of the themes is actually new, and never afford discussed on any format. But the themes are sort of how Team8, who's an expert in the cybersecurity space, helped to categorize the specific vocal points and business activities of companies.
Because you basically have to define, you can't just say, "Yeah, that company does cybersecurity." What does it mean to do cybersecurity? How do you define that? What are they seeking ultimately to protect? How is it that you can look forward and say, "Yes, that activity is going to be important to the future"? We're very future focused as well in our strategy. We're not trying to say, "Well, this worked in 2015, so we're going to keep doing it." We're saying, "what's going to protect you in 2024, 2025, and beyond?"
But with that, I probably talked enough, and I can allow Gal to do his introduction and then Aaron to do his.

Gal Hochberg:
Hello everyone, Gal Tal-Hochberg, group CTO at Team8. By the way, we're doing the intros one by one, then I do the macro or we do the macro right now. Okay, so-

Christopher Gannatti:
Intros.

Gal Hochberg:
Intros, very cool. A little bit about what I do and what I'm part of this. So I'm part of a group called Team8. We are a private venture fund. We both invest in companies and help build companies. We're an interesting venture fund, because our game isn't just to find the best teams and invest in them, but also we will find the best ideas and convince the best teams to build companies in the spaces we think are good. So we don't wait for people to come to us.
To be able to do that, we need to have very deep opinions on where it is interesting to build companies. And so a big chunk of what we do is to build thesises about what's going on in different markets. We focus on cybersecurity, but also on data and enterprise and FinTech and digital health. But in the context, today, a lot of my job is to think about thesises and where is cybersecurity today and where is it going. And I look forward to share with you some of our thoughts on how that's happening on this call. Aaron, to you.

Aaron Dubin:
Thank you very much, Gal. Hi everybody. Excited to be here. Thanks, Chris for having us. And real quick about me, I lead strategy and business research at Team8. What that means is that I'm working with the companies that we build and invest in, with the funds that we operate, and with the Team8 group as a whole to basically ideate and validate research and analyze new markets and opportunities. And to help build out the business plan and the roadmap to achieve those goals.
So I've been focusing for most of my career on cybersecurity investing. Started at a fund in Israel called Pitango Venture Capital. They're known as the oldest and largest fund in Israel. From there went to a fund called Innovation Endeavors, which is former Google CEO Eric Schmidt's VC Fund. And then from there to Goldman Sachs, where I led cyber investing for their strategic venture capital team in New York. And then I ended up at Team8 for the last three years or so. So excited to be here. Looking forward to the conversation.

Christopher Gannatti:
Excellent. And ultimately, I think everyone's in for a treat, because when we were on that five city in five day road show, Gal had the best stories. He's been involved in incident response, he's been involved in Israeli defense force. So in our opinion, Aaron and my opinion, there's no one better to basically give us a sense, what is happening in cybersecurity as we sit here today, Gal?

Gal Hochberg:
I think we're in a very interesting time in cybersecurity. I think we're going to hear in more detail about all our eight themes, which are what we think is driving the industry forward. But let's talk a little bit about from the attacker's perspective. So one of the thing nice things we do here at Team8 is that we have people like myself, we have a background coming from defense organizations which do cyber offensively. So use cyberattacks to collect information from enemy countries.
And so we have built the ability to think attackers think, which is relevant, very relevant in this space. And so today we live in a world where cyberattackers, cybercrime is a business. There's many organizations criminal organizations that are organized, they have HR meetings, maybe they have webinars like this, but at least they have yearly plans. And they go and attack all kinds of different customers or different organizations and they extort them for money.
And you have understand that for them this is a business and they act like one, they have customer success and they have chat rooms where they will help you buy the Bitcoin and they'll give you a discount and they'll price it in an intelligent way, so that you'll use them the right way. And they're a reputational based business, so I always like to say that, "Ransomware groups are kind of like banks, in that they're both a reputation-based business. And if you don't think your money is not going to be well-handled, give them your money."
There was this case recently where a ransomware group attacked a children's hospital in Canada, and then the ransomware group's operators, because it's a big business, there's like some frontline people, they said, "That's unacceptable to us. Here's the key back. We don't want to attack children's hospitals." So we live in a world with industrialized cybercrime, and it's getting worse, because if two years ago you could go to Putin and say, "Hey, there's a bunch of cybercrime come out of Russia, could you maybe do some enforcement?" That's no longer viable in today's world, Putin's not going to stop cybercrime coming from Russia to the West.
And so we're seeing more and more cybercrime. We're seeing ransomware as an all-time high. This is even getting, in a sense, worse because of the cloud. So I think it's an important point. I talk about attacker's perspective. The number one most interesting story in cyber defense is the movement to cloud. So organizations are are moving to the cloud. I want to say slowly, but I think on the scale of tech transformation is pretty fast. And once they move to the cloud, they become more efficient, they become more flexible, they also become more exposed, because the cloud tends to be on the internet.
And so with the increase in cybercrime being professional and having a better place to operate because of the geopolitical situation, it's always also easier to attack our things that are on the cloud. Now, I want to say cloud is amazing. It's good. It makes businesses more efficient. It lets you build a lot more apps. But part of the complexity of that is increasing cyberattacks. And so if I have to sum up, we're seeing cyber attackers do more attacks. Attack things that are critical infrastructure of various kinds, that could be colonial pipeline or recently the UK mail, which is something that you wouldn't think would be an interesting target for cyber attackers.
But if you think about it, if you can stop the mail of a country, the country will be very happy to pay you that ransom. And so we're seeing that happening. And we're seeing slowly movement of attackers to doing more cloud things and especially things are on identity, trying to trick people, trying to scam people.
There was a recent attack on Riot games, which are the developers of League of Legends, which is the big online game, where the entire attack was done through messages. So they tricked the organization to give them keys, and they didn't have to install a single attacker tool. They just used the same logins that an employee does to find all the data and export it. And so I think those are the biggest things that we're seeing in general, more attacks, more exposure because of cloud, more flexibility. And we'll hear more about that in detail as we go through the themes in a second.

Christopher Gannatti:
And on the trip, something, Aaron, that sort of struck my recollection is one of the things you would say is, "Many times people do that cloud migration and they don't realize that they actually have 15 pieces of software that need to all communicate clearly and properly to each other. And let's say, you set up 14 out of 15 correctly, but at 15th you just don't configure properly. And then frequently that's the avenue in that an attacker can create."
So I was curious if you could just speak a bit to this idea of not only migrating to the cloud but having that proper configuration and having that sometimes, to get to Gal's point, that the cloud is really the most important element here. Frequently the problems are almost self-inflicted in the sense that the hackers themselves barely need to do anything because the users aren't configuring the software properly.

Gal Hochberg:
So I think there's a interesting point. I want to say by the way, before I say that, I want to say I don't want to be an alarmist in saying, "Oh, it's just more cyber-attacks, et cetera, et cetera." Vendors always tend to say that, but I think we are seeing a situation where, because things are becoming much more complex, if you think about everybody on this call, how many apps you had 10 years ago, how many services you had 10 years ago that you used for work or for business, you know it's 10 times more today. And anything you add makes it a more complex environment that's more connected and there's more opportunities to attack.
Now you're not seeing 10 times the number of attacks. You're seeing three times the number of attacks, because defenders are doing a good job, but it's just the world has become harder. And to connect to your example, Chris, imagine you had this network of services working together. They were sitting in some data center somewhere, there was a big firewall in front of it, nobody but the engineers could get in and the users had to connect to some, let's say, Citrix VDI to even get access. You've moved that to the cloud. Now they're connected not only to each other but to other third service providers. The way they talk to one another is through the cloud infrastructure, which sometimes is not as separated from the rest of the world as other things are.
And so now one of these things, which wasn't born to be outside in the wild, is exposed to the internet and you forgot to enable some protection on top of it. And now the attacker gets in and starts hopping around. And so before they couldn't do that, because there was no way for them to even get there. Now things are more available and they're more connected.
And so they find one place that's weak, maybe it's your outsourced service tier one desk in a country, which isn't the western country. And maybe that tier one desk runs on low margins that didn't invest in the best security software, but they still have admin access to many of your customer account, like admin panels. And so maybe you get through there. Maybe one of your subsidiaries has some software in a country from a vendor that's not so secure. So it's really hard when everything's connected to protect in a way that you could before when things were not.

Aaron Dubin:
And I think maybe I would just add one thing to what Gal said really struck me. Lateral movement is the term that we typically use in the industry. And so it's not just about finding a vulnerability and exploiting it to the exact spot in the organization or the system that you want to get to. Often you can find some kind of hole or gap anywhere, and then stay in the system and move around, and eventually get to the place, or the crown jewels as we say, that you're trying to get to.
So sometimes getting in is just one kind of early part of the plan and they could stay in your system for weeks or months, either not doing anything, or slowly kind of moving around and trying to get to the place that they ultimately want to get to. So it doesn't have to always align to your end goal, it's just finding that way in and then going from there.

Christopher Gannatti:
Your comments guys made me think of the SolarWinds attack from a few years ago. This idea of the supply chain of software where you've got a bunch of organizations, they're all using the same or versions of the same software, the attacker gets into that software, so not even the underlying organization's, just the software and then the software itself is spreading their points of access around. And it may be the case that people still don't know exactly how many points of access they had on such a thing.
But I might be preempting one of our next topics, which is the themes discussion, because I know supply chain attacks are sort of encapsulated in at least one of eight themes there. So maybe it makes sense to lay them out, lay out the eight themes for our audience.

Aaron Dubin:
Thank you, Chris. We would be excited to do that. I think as long as we set the themes up correctly, then anything in theory that's happening right now or anything of interest should be reflected somewhere in the theme. So I think everything that we've kind of discussed up until now, we're going to touch on in one theme or another. And we hope that we can continue to add and adjust the themes in the future to reflect exactly what we see happening in the market, and where we think things are going.
So with that, happy to jump into the themes. Gal and I are going to do sort of a back and forth with the themes. At some point we'll even pull up a chart to show you, which is our latest infographic about the themes for 2023. But before we do that, maybe it's just worth saying a sentence or two of context of sort of what these themes are, how we came up with them.
So as part of Team8's cybersecurity research... So we're constantly going really deep into the cybersecurity domain for the purposes of building and investing in companies, in startup companies. But as part of this ongoing research that we do, we come up with this set of annual cybersecurity themes together with WisdomTree, our partner. And these themes are really meant to represent the areas that are driving the future growth of cyber each year.
And ultimately these themes are kind of used as the basis for the WisdomTree Team8 Cyber Index, which is designed to track high growth, publicly traded cyber companies. And the way that we come up with these themes is by a combination of leveraging public and private market research, looking at deep technology trends and regulatory trends. We incorporate the Team8 attacker's perspective. So I'm really happy that Go mentioned that earlier in the talk.
This is something that is pretty unique to Team8 that has sort of come from the years of experience in Team8 formerly from the Israeli defense forces and sort of elite intelligence units in the military. And then, finally, insights from real cyber experts like Gal and practitioners like CISOs from some of the biggest organizations in the world, whom we get to associate with and brainstorm together with as part of something we call our village.
And so the Team8 village is a community of several hundred CISOs and C-level executives from Fortune 500 and Global 2000 companies. And we, multiple times throughout the year, have the opportunity to bring them together, both virtually, like this, and-in person to brainstorm and to ideate a network with us. And think about what the biggest problems in the world are going to be in cyber or the things that they're facing on a day-to-day basis today.
We just recently brought more than a hundred CISOs to Israel for a five-day cyber bootcamp, if you will, where we took them around the country meeting with cybersecurity leaders from the commercial side, from the government and military side, from even the early stage startup side. And we just did the same thing in New York City. And this was actually the first time that we've done it in New York, where we had I think 120 CISOs, many of them new CISOs to our community in New York City.
So this is where we're getting a lot of the information that's driving the themes and we're happy to share them with you now. So with that Gal, maybe I'll pull up the chart that we talked about, and I don't know if you want to kick us off or happy to take it.

Gal Hochberg:
No, I'm happy to kick it off then you can do the...

Aaron Dubin:
Great.

Gal Hochberg:
So these are the eight themes. These are eight themes that represent what we think are the top themes driving cybersecurity. It's not every single thing that's happening in cybersecurity. Cybersecurity is a big field, but it is the top eight. So in general, they are cloud security, resilience and recovery, smarter security, security of things, perimeterless world, data security, shift left, and layer eight.
And I'm sure all of you are like, I don't know what that is and you're really excited to figure out and we're going to do that just right now. So I'll start with cloud security. As I said earlier, the number one driver of cybersecurity today from a growth perspective, so people are still buying firewalls and stuff like that. There are big existing businesses in cybersecurity, but the one that we're seeing the most growth in, the most movement in is cloud security, because organizations have moved to and are moving to the cloud. And that does three things.
Number one, they want all the same security controls that they had on-prem to also be available in the cloud. And so they need tools for that. Sometimes it's the same tools, but many times it's different tools. Number two, when things are in the cloud, they tend to be faster, they tend to be more flexible, they tend to be more dynamic, they tend to be more complex. And so there's some things you can do in the cloud you couldn't do previously, which creates new security problems. And so as people do that, they need to have more tools and new tools to do things they couldn't do before.
And finally, cloud prevents an opportunity for cybersecurity. A thing about cloud that people don't think about a lot is that given that cloud is virtualized and shared you always know where everything is. And so in a physical world, you can lose something. You can have an asset that nobody knows where it is. In a cloud environment, anything anybody does is logged. And therefore instead of having to look for things, what you are is drowning in data sometimes. And that's driving a lot of cybersecurity investment of saying, "What do we do with all this data?" If I can know every action everybody is taking, can I make places more secure? And the answer is yes, but that's driving people to think about how and to purchase. That's the first theme. Aaron over to you.

Aaron Dubin:
Thank you, Gal. So the second theme we call resilience and recovery. One of the biggest drivers of this theme is the ransomware epidemic that we've seen. And we think that this is only going to accelerate. We saw a statistic from 2022 saying that ransomware increased by nearly 13%, a number that represents the last five years of increases in ransomware combined. So we're seeing an acceleration in that.
A lot to do with what Gal mentioned earlier in the call, which is sort of the concept of the professionalization of ransomware gangs. And that this is just, at the end of the day, a really good business for them. So behind this theme, we're tracking a lot of solutions focused on data backup and disaster recovery. I think the conversation has moved from,
"How do we identify and protect ourselves from and detect these attacks?" To, "Inevitably something bad will happen at some point in time. And so when that does happen, we'll make sure that we'll be ready to basically recover as quickly as possible from that attack and get back to business."
And I think the other piece of the resilience and recovery theme is that this word resilience is becoming more and more important in the day-to-day business, and cybersecurity, which used to be on the periphery of the core of the business, is becoming really central to a company's ability to actually offer their products and services. And so we've been seeing the conversation shifting from cyber as just being a technical thing to protect your systems and your data and your tools to something that is sort of at the center of the business, and ultimately what enables the business to operate.
And so this will be a really interesting theme we think going forward. And the last thing I'll say about resilience and recovery is that we're also trying to track the changes in the themes from year to year. And although resilience and recovery was also a theme last year, so it remained on the list, it is the only theme on the list that actually moved up in ranking. So it was not in second place last year, now it is. So again, that's to reflect that sort of growth and acceleration that we feel we've been seeing. Over to you, Gal.
Gal Hochberg:
All right, so smarter security. Smarter security is interesting. Smarter security is one that's moved a little bit down, but it's still in the top three. As IT infrastructure has become more complicated, as we've moved to cloud, multi-cloud, et cetera, as we've moved to a world with IoT, which we'll hear about in a second, so things have become a 100 times more complex. But I don't know if you've noticed, we haven't hired a 100 times more security professionals or paid them a 100 times more, I'd be happy for that.
So the way that translates is that we need smarter security tooling. And so when buyers are buying security tools, they're asking their vendors, "Hey, does this have APIs? Can I automate this? Hey, does this have artificial intelligence in some level to recommend things for me? Hey, does this connect and integrate with all these 500 other tools that I've got from you or from other vendors, so that I don't have to run around just doing things by hand all day." And sometimes they say, "Hey, I've bought this tool but it's not smart enough. I'll buy another tool to put it on top of it, to orchestrate or to manage or to prioritize."
And so in general, people are asking themselves, "I want my security tools to be smarter because I'm just not keeping up." And that's something that's been driven strong across the entire field. Aaron, over to you.

Aaron Dubin:
Sorry, I was on mute. The next theme is called security of things. This theme we designed to represent anything that becomes connected to the internet. And so the way I think about it is sort of both old things and new things. Old things being desktop computers, laptops, servers, and new things being IoT devices like your smart refrigerator, your smart washing machine, your connected vehicle, things in the smart home. And then the third piece of the security of things is really, it's what we call OT, which is operational technology, which is really a lot of the heavy machinery, industrial control systems, things in factories, things in nuclear power plants, oil and gas, drilling.
Everything is coming online, so you have some things that were designed to be more secure and other things, like in the case of the factory, that were never built to be connected to the internet and have really slow kind of release cycles. And so they're hard to update, they're hard to secure.
And then the third, I think, driver here is just this massive explosion in devices themselves. So every sensor network is going to have hundreds or thousands of sensors. Every home might have 20 or 30 things connected to it. Every car might have 10 or 50 sensors in it. That all could be a breach point into the network or the organization.
And so the security of things, for us, means figuring out ways to protect all of these endpoints. And I think this is particularly relevant lately with the rise in targeted attacks focusing on critical infrastructure. Now, not all of these attacks are kind of targeting the endpoints, the things that are connected.
But a lot of times these things that are connected to the internet, if they were taken over, they could cause a lot of damage. Not just damage to the IT systems or to the data, but real life physical damage. If an attacker were able to take over a factory or the power grid or I don't need to scare you too much, but those things could be very serious. And so we're trying to think about how to protect them in the most serious way that we can.

Gal Hochberg:
All right, perimeterless worlds. So the old paradigm of doing cybersecurity is to have everything that's important surrounded by layers and layers of perimeters. So you would only be able to access your email with your company laptop and your organization has all its data sitting in a secure data center underground in some bunker somewhere.
That doesn't work today anymore. We access everything on our phones and some of us as bring your own devices. We have things running on the cloud, we have things running across organizations. Sometimes your vendors are running things for you. In the SaaS world, what does even a perimeter mean? And so this core concept, which has driven the creation of the firewall, which by the way was invented in the Army unit that I served in, which is an interesting tidbit.
So since that doesn't work anymore, it's not enough. And so what we're seeing is that organizations are asking themselves, "What is my new perimeter?" And the answer is even as network architecture becomes more and more complex, you still have people, you still have endpoints, you still have permissions. And so we're seeing identity become the new perimeter of the world. So if any of you have logged in, and it said, "Log in with your organizational ID to whatever SaaS service," that's an example of this.
And so what we're seeing is on one hand the reduction in importance of network security, in a sense. People still buy it's still a thing, because we don't want to run with nothing. But the increasing importance in identity, and actually I can say not on the public space, yet, but in the private space that we cover, we're seeing a lot of startup activity in that space as well. Aaron?

Aaron Dubin:
Thank you, Gal. So the next theme is data security. And we see sort of two sides to this theme. On the one hand, there's the data protection aspect. So how do we encrypt the data that we hold? How do we make sure that it's protected? At the end of the day, a lot of attacks are, at the end of the day, going after the data itself. That's one of the most valuable things to attackers, whether they're locking it up and extorting you for it, whether they're just kind of selling it on the dark web, or embarrassing you publicly by releasing the information that they took. Protecting the data is definitely first and foremost.
But the other side of this theme is data privacy. So it's not enough to just secure the data. We want to also make sure that the data is not being abused or misused. And so that could also come from inside or from outside of the organization. And this is maybe even more relevant lately due to the acceleration in data privacy regulations.
So it started in 2018 in Europe with GDPR, but the US has been in the process of figuring out how they can translate what they did in Europe to the US market. And so we haven't seen a federal privacy regulation yet in the US. A lot of people are hoping that they will figure it out, because at the moment, the solution has been for each individual state to release their own comprehensive privacy legislation and not all of those state's regulations match up to one another.
And so you can think of a world where we live in which there are 50 states with 50 different privacy regulations, and companies need to figure out how to comply with each of the state's regulations depending on which customers, not only where the customers are from but maybe where the customers are accessing the service at that moment. And so this creates a really complex situation and it's only going to get worse. Over to you, Gal.

Gal Hochberg:
All right, shift left. So I think I'm starting to see a theme in my themes, which is complexity. As we are developing more and more software, there's more services and even the way in... I'm not ,sure everybody on this call has developed software in their life, but over the past one, two decades, the way to develop software has become much more sophisticated. When I was younger, we'd opened a text editor and that was software development. Today you have IDE, you have CI/CD, you have artificial intelligence that completes your code for you.
It's much more complicated to write applications and code. It's faster, but there's more moving parts, and that creates complexity. And people are starting to ask themselves, "Can I secure things in a smarter way by looking at the design and then building securely from the beginning?" Now, it's not always possible, because the real life isn't like the theory. But when you think about it, when you build a bridge, you don't usually build the bridge, and then let's shake the ground, see where it breaks and then fix those parts. Usually, you make sure the bridge is built right from the beginning.
And so we're seeing this movement to what's called shift left, which is move security to be earlier and earlier in the software development lifecycle or the IQ development lifecycle, so that security becomes part of the design process. And that means scanning open source libraries before they ever hit production. It means scanning code before it hits production. It means scanning not the things that are running in the cloud, but the blueprints for what's going to run in the cloud. Make sure that's going to create a good cloud environment. This is a theme that's moving, it's slower, it's a deeper change, but it's one that's going to have significant impact, because the software industry is very, very large.

Aaron Dubin:
Great. So thanks for bearing with us. We're at the final theme here, the eighth theme, which we call layer eight, which is the newest theme that we've actually just introduced this year. And you will be the first audience that we will be publicly introducing it to live. So we're really excited about this theme. And layer eight deals with what we call the human layer, the human factor. So it's dealing with all of the security challenges and the security solutions and vendors that are focusing on this human element, this human risk in security.
And so I'll explain that for a moment. Basically, there's what they call the OSI model, which is like an IT model for the architecture of a system. And that deals with everything from the physical layer at the bottom to the network layer to the application layer. And there are seven layers in that model. Layer eight is what happens above the system and that's the human. And often, unfortunately, the human is the first entry point into the organization. It can be because of an error or a misconfiguration, a mistake that they make.
It can be because they clicked a bad link, they were phished. It can be because there was a social engineering campaign against them, they were actually tricked into providing their credentials. Or it could even be a malicious insider in the organization. So somebody who fell on hard times or was convinced by the right people at the right time to expose something in the organization, be it for financial gain or otherwise.
And so this theme is dealing with how do we understand all of the risks that are focused on the human? How do we actually train and empower the humans to learn and to do a better job of protecting themselves and their organizations? How do we monitor them for the situations in which we can't fully guarantee that they'll be able to handle it? And then at the end of the day, in certain cases, how do we actually completely remove them from the loop?
And so just to give you two data points here, according to Verizon's data breach investigations report for 2022, 82% of breaches that they saw involved this human element that we're referring to. And again, that can include anything from stolen credentials to phishing to misuse or human error. And then the other stat that I think is worth mentioning is that phishing specifically was the second most common cause of a breach and also the costliest. So that cost on average an organization close to $5 million in breach costs.
And so as I mentioned earlier in the conversation, we're always tracking some of these emerging themes. Layer eight was actually a theme that we had been tracking for several cycles, and every time we do a rebalance of the index, we're revisiting those themes and we're trying to debate among ourselves when the right time is to introduce a new theme based on signals from the market in terms of demand and supply. And so we felt that now was really perfect timing to introduce this a theme, and we're really excited to see how that will be reflected in the index and how that theme will evolve.

Christopher Gannatti:
All right, so we got through all eight themes. I had a question for Aaron and Gal sort of related to this, because essentially, the reason that we wanted to have the eight themes on the screen for as long as possible is if people walk away and they say, "I know there are five or six or seven different cybersecurity options out there in the ETF landscape, what's unique about what you're getting with WisdomTree and Team8?" Well, it's right on the page.
The other options, they don't have, to our knowledge, themes like this, they don't have these specific 8 themes. And I'll get into the portfolio a bit in a minute, but if you start to think, what is the result of focusing on these themes at least that you can see in terms of the list of roughly 25 underlying companies? Something that you tend to see by way of business model is the companies that focus on these themes, which Team8 is determining and looking at on a semi-annual basis, they tend to have a software as a service business model, more often than not.
So a lot of subscriptions, subscribers, that type of thing is sort of what you see. When the companies report earnings, they're reporting annual recurring revenue, they're reporting churn, they're reporting net retention ratio, in certain cases. So these are all sort of important metrics for companies in this business model.
And the other thing that those following cybersecurity might find interesting is certain strategies will take a view that consultants are important. And there might be consultants that are helping people set up a network or to configure the cloud properly. And what you find, I don't think Aaron and Gal and Team8 are necessarily against consultants, but they can correct me if I'm wrong there, but based on doing the analysis, rolling up the sleeves, looking at the nuts and bolts of these themes, you don't end up finding consultant oriented companies sort of meeting the criteria and making it into the portfolio. You might find those type of companies in other strategies.
And so Aaron and Gal, I was just curious if there was anything from sort of a business model, higher level evaluation that you think you're seeing that sort of favors in this approach, software as a service, and those type of newer companies, and tilts you away from say consulting companies that might have been really, really important years ago in cybersecurity.

Gal Hochberg:
I can say, I think consulting or non-consulting isn't the question. The question is can the organization drive security outcomes at scale at a high margin with something interesting going on? So I think right now many of the consulting companies in security, they're great, but what they're doing is they're selling heads. They're selling hours of people doing work. It's basically outsourcing work, which is great. And honestly they're doing interesting things, and there's a lot of need for that sort of stuff.
However, it doesn't tend to grow a lot and it's something that tools slowly are looking at to replace. I think we may see a new generation of companies, and there's a few even beginning of public ones, which are using consulting or external services in combination with products to be able to create something that's differentiated and interesting, because there is a need. So we are seeing a need with buyers to say, "Hey, don't just sell me a software product, sell me a software product with a service on top of it. Or find me someone who can do the service. I don't have enough people." Especially in current market conditions, where they want to move to non-salary opex.
However, in that sense, we would look at those companies and we would say, "Hey, if there's a company who's doing identity really well in a consulting capacity, in a differentiated way that's driving things forward, they may be in perimeter of this world." So it's less about whether the company does consulting or not, business models are business models, it's whether the way that they do it drives significant value for customers, has an avenue for growth, and is driving one of the things that we're interested in and not doing something that's undifferentiated or doing tier one support somewhere. Which is also an important thing, it just not driving how we see people think about it. Aaron, anything you want to add?

Christopher Gannatti:
What I will-

Aaron Dubin:
No, I mean think-

Christopher Gannatti:
Aaron?

Aaron Dubin:
... pretty much covered it. I think it's a really important point that Gal brought up, this idea of you can call... there are a few different I guess terms for it, but one of the terms that we use is a managed service, managed security service provider. And it's definitely an emerging trend in the market. I think we don't feel like it's represented enough in the market for it to become a formal theme, but it's something that we continue to track, and that we continue to see in the market.
And I think it really is driven as a result of all of the things that Gal mentioned, right? But it is very different than an ad hoc kind of services business, kind of a legacy consulting business in security. We see it as this kind of elegant blend of products and services that are sort of designed in a repeatable business way. So it doesn't scale as fast as just a pure software, but they are scaling in kind of becoming bigger and bigger businesses. So it's definitely something that's worth looking at. And we certainly will continue to track that in our partnership with WisdomTree.

Christopher Gannatti:
On an annual basis, we tend to look at the themes themselves. So when the strategy was being developed in 2020, we had seven themes. You saw eight on the list there. So this was the first time that we actually added a theme since the index was incepted. So it's possible we can add further themes in the future, but similarly, it's possible that certain themes might ultimately mature. And we're not necessarily close to that at the present time, but there's nothing that says eight themes that you see there can never be deleted or taken away in an ultimately maturing overall environment. So unless Gal or Aaron have any closing remarks, maybe we can call it.

Irene:
Yeah, it sounds like we're good to go. And thank you everyone for joining us today. And we look forward to seeing you on future Office Hours.

Christopher Gannatti:
Thanks everyone.