Ron Gula, President and Co-Founder of Gula Tech Adventures, has a very specific goal: To defend the country in cyberspace by investing in companies and nonprofits that help close the gap in technology and the workforce.
He also knows that in order to successfully achieve this goal, organizations must understand the basics of data protection.
Today, Ron joins the show to talk about the mindset shift that can start in the information security disciplines through communication.
Join us as we also discuss:
- The importance of asking the right questions of business owners
- Building a trusted ecosystem within the information security disciplines
- Creating a measure of security to determine the safety of your company’s data
- The small business IT shops defining corporate America
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
Listening on a desktop & can’t see the links? Just search for The Virtual CISO Podcast in your favorite podcast player
Speaker 1 (00:06):
You’re listening to The Virtual CISO podcast, a frank discussion, providing the best information security advice and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions or simply want to stay informed and proactive, welcome to the show.
John Verry (00:26):
Hey there and welcome to yet another episode of The Virtual CISO podcast. With you is always, John Verry your host and with me today, Ron Gula. Hey Ron, how are you today?
Ron Gula (00:35):
Hey, John. How’s it going?
John Verry (00:37):
It is going well, sir. It’s a Friday afternoon, looking forward to the weekend. Always like to start simple. Tell us a little bit about who you are and what is it that you’re doing every day.
Ron Gula (00:47):
I’m Ron Gula. I have been in cyber for about 25 years. I’m the president of Gula Tech Adventures. We do investing in philanthropy, focused on cybersecurity to protect the nation’s cyberspace.
John Verry (01:01):
And if anyone doesn’t recognize Ron’s name, Ron was the, I guess founder would be the right word, Ron of Nessus, which ultimately became Tenable Security.
Ron Gula (01:10):
Actually I was the co-founder of Tenable Network Security and Renaud Deraison is the founder of Nessus. He joined Tenable with Jack Huffard and I and we ran that for 16 years or so.
John Verry (01:25):
If you think about it, going back in those days, the longevity, you guys are sort of like the Simpsons of information security. It’s amazing. You think back in time to the products of that timeframe, it’s amazing, and not only is it has it perpetuated but it’s still the best product on the market doing what it does as it was then, it is now, which is a pretty amazing accomplishment, honestly.
Ron Gula (01:50):
Well, I appreciate the kind words. There’s been a lot of changes in how people do compliance security, asset discovery over the last 20 years. But the big secret to what Tenable did is we were always one or two generations of technology ahead of what was mainstream. We were working on virtualization auditing before VMware was everywhere. We worked on mobile auditing before everybody figured out they had to have an MDM for their network. And we were always answering ways in the enterprise to solve a question with a lot of different ways. And maybe we could answer, is it vulnerable by sniffing the traffic, by talking to a patch management tool, by doing a scan, by doing a credentialed scan, the list goes on and on. I’m very proud of the team there and they kept up great work ever since I left.
John Verry (02:36):
I agree completely. Before we get down to business, we usually ask, what’s your drink of choice?
Ron Gula (02:42):
I like bourbons. Usually bourbons that go good with a cigar.
John Verry (02:46):
I’m a bourbon fanatic as well but the cigars, not so much. I would like to have them but with my history of cardiovascular disease in my family, they’re on the off. Any particular bourbons you’re aficionado of?
Ron Gula (02:57):
I like a lot of times we’ll do cigar and bourbon parties and whatnot. I tend to get access to a lot of different types. I really like Angel’s Envy right now. Of course, being from Maryland, I like Sagamore Rye Whiskey. I’ve got a lot of friends who are really into the scotch, different types of scotch out there. I’ll order Angel’s Envy if I’m out for having a drink. It’s all good. Variety is the spice of life.
John Verry (03:23):
I hear you. I hear you. I don’t know if you can see the shelf but there’s definitely a bunch of bourbon bottles on the shelf behind me and an equally nice collection at home. I thought, and why I reached out to you was I thought it would be interesting, so one of the challenges that we see in information security is that increasingly much like the medical profession, it’s not one discipline. People think of information security as being a discipline. It’s really more, a loosely correlated set of independent disciplines, information security disciplines. And so unless you are in a Fortune Global 1000 type firm, you’re really not going to have all of the skillsets that you need in house. You’ve got to build this, what I always call it, refer to it as a trusted ecosystem. Think of that as being the right people and the right products to appropriately protect the company.
And obviously if you get it right, that’s great. If you get it wrong, that’s pretty bad. But I think that makes it a massive challenge because there are literally thousands of companies and thousands of products that could be part of your trusted ecosystem. The Lord giveth, the Lord taketh away. We’ve got this great diversity but it’s equally hard to kind of know which ones we should be picking. As someone who has a portfolio of companies, I would assume that you see this problem both from your potential client’s perspective but also from the companies in your portfolio’s perspective.
Ron Gula (04:40):
That’s well said. There’s really two aspects of that. One is the people and the other one is the products or technology. From a people point of view because we talk about cybersecurity like you have to be a brain surgeon, we kind of turning off a lot of people, minorities. Everybody’s great, we want to invite more people into this but we’re really not doing a good job of appealing to them. And we’re certainly not doing a good job to appealing to people who want to go join public boards or private boards who can then make the right risk decisions for their companies.
And then on the technology side, we’ve not done a good job of defining what does it mean to be secure? And what does it mean from a society point of view? What does it mean from have I done do care for a large public company? And because of that, you have this amazing array of products that are out there that solve all sorts of different things. Some of them are solving problems you didn’t know you have, some of them are solving problems cheaper than the products you have and some of them are maybe just somewhere in the middle, 5% better, that sort of thing. And because of that, you have this amazing diverse tapestry of lack of knowledge, over concentration of knowledge, lack of product investment and maybe over invested in some cases. And we have no real common way of talking about these issues.
John Verry (06:01):
And I always say that you can tell a rookie CISO when you ask them about their information security strategy and you get a product strategy. We agree that you can’t take a product centric approach, we have to take a risk centric approach that leverages products. Do you see a solution? Most of our client base is what I’m going to call SME, 100 through 15,000 people, so they don’t have robust security teams in house. Is there a solution for them to be able to kind of, I don’t know what the right way is, shortlist this trusted ecosystem, cut through the noise and get to what they need to get to?
Ron Gula (06:39):
I think there’s a couple different things. One, to get more people involved in just understanding the basics. I think we got to talk about cyber in different way. And we talk about this in terms of data care. If you say to a board, “Are you secure? Or you’ve done everything with cyber hygiene?” You’re going to get charts and stuff like that. But if you said, “Have you protected our data? Have you protected the data of our customers, the data of our employees?” you might get a little bit different answer. And the same thing goes with small businesses and small churches and small stuff. A lot of people just kind of brush off cybersecurity and IT risk issues. But when you ask them, “Do we care about this stuff?” It kind of changes that. And it makes it a lot easier to kind of get people into this business as well.
But then on the product side, how do we answer, are we secure? And when I was the CEO at Tenable, I could answer that 50 different ways. We could measure it by NIST cybersecurity framework. Are you compliant? Are you patching things? Is one organization better than the other? Are you making improvements? And you could even start, if you go back 10 years ago or so, there started to be this, how do I compare to my neighbor? Am I better than they are? Well, I wouldn’t want that. If I’m flying on Southwest, my pilot has five times of an error rate than the next best pilot is that good or bad? I don’t know.
But I think what’s emerging now is people realize that there’s so many attackers attacking companies these days, you have to simulate malware, you have to simulate the nation state stuff and we have to do this internally. It used to be, we just hire a red team and did vulnerability scanning and here’s a report. But now it’s literally the red team is putting implants in the network, in the cloud, on the home computers and we’re seeing how long the blue team can take to find it. And that metric of can you find that? Is another measure of security. And it cuts through all that ecosystem stuff because if you get into this EDR is better than that EDR or this SIM is better, this threat feeds better. You know what? Put some freaking implants out there, see if I can exfiltrate data and see if anybody notices. And if you can notice it, then you’re probably much more secure than other people.
John Verry (08:57):
What you’re saying is, if we can create a measure of security, then we can use that measure of security to determine whether or not the products that we have and the people that we have are effective. And if they’re not effective, then we have a more focused guidance that we need to go about and solve that problem by finding the right people and the right product?
Ron Gula (09:22):
Absolutely. If you think about it from a compliance framework point of view, NIST cybersecurity framework, it spells it out. You have to know what you’re defending, defend it, assume the defending is going to fail, detect the compromises, Recover, then respond and then recover. But when you say that to a small business, they don’t readily understand that that could mean that all their Dropbox stuff in the cloud for backups is gone because somebody phished the admin account and the admin account wasn’t really locked down and whatnot or they don’t really understand that maybe that’s too much of a metric. If you read the NIST cybersecurity framework, it’s hundreds and hundreds of things. Maybe the better metric is something like what they say at CrowdStrike where any compromise you have to detect in a minute, verify it in 10 and get rid of it 60. And if you’re not going to maintain those kind of KPIs, what are you going to maintain?
And so you start having conversations like that and then you start getting into the fact that, well, maybe my network is pretty gosh darn important and I want to measure it from an operational point of view, a lot of different ways. When the airplane takes off, there’s a lot of ways to detect altitude, speed, velocity, all that sort of stuff. We need the same thing with these complex networks because they’re constantly being attacked so they should be constantly probed to see if we’re indeed protecting them.
John Verry (10:45):
It’s an interesting idea would be to, but even then defining which measures are appropriate measures of being secure is going to require a fair degree of knowledge for different types of organizations, with different types of architectures, different products.
Ron Gula (11:02):
And different types of maturity.
John Verry (11:04):
Ron Gula (11:06):
A small business, what’s your list of assets? You might actually have to do an education that, BYOD laptops maybe in some cases, customer free wifi is something you’re momentarily responsible for, all the way up to if you go to a large Fortune 200 or Fortune 20, what’s an asset? Is maybe a process where you actually have processes of how do you buy things? How do you deploy things? How do you retire things? And people do more of an enterprise lifecycle, a technology approach. The problem is, is we’re constantly improving as a small business gets better about IT, they can start getting into things like ITIL and COVID management theory and that sort of thing.
And that’s not something that’s taught a lot these days to cybersecurity folks but that’s the issue. It’s almost like we need a different way of taking people on these journeys so they understand that there’s more and more risk because they’re eventually going to understand look, they are the front line. The government’s only doing indirect prevention of attacks. If packets are on your way right now, there’s no government program that stops them. And people need to realize that they are the front line of this and the government’s do it all they can but they really have a responsibility to protect their data.
John Verry (12:20):
It sounds like we are like-minded in our approach because we talk about having this trusted ecosystem and it starts with actually using trusted frameworks because unless you really have that overarching recipe, that overarching strategy for what we’re trying to do and multiple times in our conversation, you’ve gone back to this idea of leveraging a trusted framework. Now, you mentioned NIST cybersecurity framework, which is a great one. What I like about all the good trusted frameworks and it doesn’t matter if it’s ISO 27001 series, it doesn’t matter if it’s NIST, HIPAA, any framework starts with that understand context, understand risk, understand control maturity and then drive closure based on that context. It sounds to me like you’re a trusted frameworks kind of guy.
Ron Gula (13:03):
I think that from a Tenable point of view, we took a lot of the things that we could audit against and we tried to machine it, Tried to make it so anyone could do it.
John Verry (13:13):
CIS benchmarks, you guys did a great job with the CIS benchmarks.
Ron Gula (13:17):
And a lot of the times, we get feedback from the field that says, “This stuff’s really, really hard to do and more expensive.” A lot of times take something like the DISA stake, the way you harden computers to make resistant to hacking, well, they might be resistant to rebooting if you get it wrong. If you want to lockdown, how the disc is written to and stuff like that. I’ve actually heard horror stories about doing things that are impactful but even 15 years ago, 10 years ago, applying a patch was kind of considered a risky thing. Whereas today, the patching quality has gotten so good you very rarely hear about a patch that goes down. I like to think in terms of, what are the major things that can go wrong? And frameworks are great, especially if you’re beholden to a compliance regime or however you want to look at, you have to demonstrate compliance. There’s no other layer around it.
But I like to think of a higher kind of function. How can I be attacked? If I’m going to move all my servers to the cloud and I’m going to go all in on the cloud, that’s great. Well, how do I monitor the cloud? How can I be attacked by the cloud? How can I do these functions I need to do? And a lot of times people don’t sit down and think about how are all the ways things can go wrong here? And then how am I going to go looking for those things? And some of those things could be, maybe you buy a product. Maybe it’s an education thing and you’re willing to risk it. Or maybe you can simply turn it off. For example, if you have an OT network and you’re in a place, some sort of network monitoring on it, whether you’re monitoring it for uptime or monitoring it for intrusions and you’re connecting that to the internet, that is now an attack path.
Maybe it’s better to do an optical isolation or not even connected at all or move your monitoring into that trusted ecosystem. And more often than not, I don’t see people thinking about these bigger picture decisions that are making the smaller tactical, am I secure and how do I secure it? question a lot, lot harder.
John Verry (15:15):
To me, that’s a function of I always smile, unfortunately, when I think this but if you look at any information security framework, information security is fundamentally is risk management, information related risk management, which is why all good frameworks have the concept of comprehensive risk assessment as being an upfront component of understanding context. And I think what you’re talking to is the fact that we suck as an industry when it comes to risk assessment because if we didn’t, then this idea of how is this going to happen? How am I going to be negatively impacted? That’s what a risk assessment should be telling us.
Ron Gula (15:51):
You start making a list of all those things for just web browsing and you have this random sort of configuration of what people’s appetite is. And we all know that even everything I just expressed is bypassable. You have the right combination of zero days and time and effort so you have to then do that. But then multiply that times email, times corporate chat, communications. Am I going all in with CRM types of applications? It gets really complex really, really fast and frankly, a lot of these frameworks, they kind of do fall down when you look at the modern, modern ecosystem of work from home, cloud first, a lot of data centers, little BYOD, a lot of this. It’s very interesting to try to secure all that.
John Verry (17:17):
Because effectively you want to have something which is generic enough to apply in a lot of places and that’s a valuable construct within a framework but unfortunately if it’s too generic, then it doesn’t account for all of these complexities and idiosyncrasies that you referred to.
Ron Gula (17:33):
I’ll give you a good example. We can do a lot of assessment of endpoint against DISA stake, PCI, NIST cybersecurity framework, all that kind, even the SANS CIS controls, all that kind of stuff but what’s more secure, a 1,000 Chromebooks working on Google Cloud at the business level or a 1,000 hardened Windows computers working on Office 365? That is something it’s almost a political answer and not a scientific, measurable framework answer. Yet the cyber doesn’t talk about that. When you literally go all in on a monoculture like that, yes, you are making yourself an easier target to one thing but the amount of IT overhead and complexity that you just took off the table, resources you could be putting towards monitoring and maybe making sure things work really well for your employees, we don’t really talk about that a whole lot and that’s something I think we need to be thinking about as we keep increasing the complexity of what we’re defending.
John Verry (18:31):
It’s always that challenge of effectiveness and efficiency of operation versus information security implementation. There’s always got to be that balance. I would agree with you that if you have an immutable device, that’s going to win every time in terms of longterm security. The question is, will it negatively impact your ability to be a competitive entity? If the answer is no, I couldn’t agree with you more, go with the simpler solution.
Ron Gula (18:55):
And it’s weird because the public and some folks in Congress, every now and then they’re doing things that you’re just kind of looking at that. You’re like, I can’t believe we’re kind of going in that direction. A lot of times when you want to break encryption, for example, it’s I get it. We want to break encryption for the intelligence community, law enforcement but you end up breaking encryption for everybody when you do that. Or when you look at monopolies and you look at Apple and Google and you look at their app stores and you’re saying, “You got to let other app stores onto your phone.” Well, that’s okay. Now guess what? You’re probably going to let another app store that’s not as secure as the work that Google and Apple’s putting into these things. It’s really interesting that when those things happen.
John Verry (19:38):
Quick question for you, on your website, you had a phrase, something like that Gula Tech Adventures, but that you guys are protecting our nation or a line similar to that. And now a second ago you mentioned government guidance. I’m curious about two things. First off, when you said protecting our nation, were you kind of saying that more in some level of specialization around protecting the government component to that or critical infrastructure as defined by the Critical Infrastructure Systems Agency? And then and or, how much of a proponent are you of we’re getting a ton of what I think is pretty good guidance coming out of the government, presidential executive order pointed out, I love the idea of S bombs. I love the idea of the SSDF. I love the idea of IoT device labeling. Zero trust is a big push out of CISA. Talk a little bit about like what you guys are doing from that side and what your thought process is about the guidance that we are getting.
Ron Gula (20:35):
When we started Gula Tech Adventures, the Trump administration was still going strong and you saw some progress there with basically enabling the Cyber Command to go defend forward, which means hack the bad guys before they hack us. Which is good. We saw the banning and Huawei, banning of DJI drones, that sort of thing. But when we started Gula Tech, we said, “Most of the things in the government, what are the levers the government can do?” FBI, DOJ, NSA Cyber Command, DISA, DHS, what about state, local government? What about state police? I live in Maryland and anytime I get a chance to talk to any of the governors or anything like that I’m always like, “Look, you guys could be doing a lot more. Where’s the cyber fire department? Where’s those things?”
Because if you think about what the government’s doing, it’s so high level and indirect. Yes, we get some standards out of them. Yes, they probably stop a lot of attacks that we don’t know about and probably recover keys with methods that we don’t want to talk about. But for the most part, my mom and dad are on their own. If they get malware on their computer, who do they call? It’s a random answer depending on who you talk to. A lot of what we’re trying to do at Gula Tech Adventures is really three things. We’re trying to bring more products that are security engineering. Secure by default, things that people can use that aren’t going to get hacked or they’re going to prevent hacks on a massive scale. Secondly, what we’re doing is we’re trying to make the typical hunting and hygiene investments easier for anybody.
And cyber companies can be acquired tomorrow, we can invest in new companies tomorrow but a good example of this is Huntress Labs. Huntress is an EDR client really, really focused on SMB. And when I say really, really focused on SMB, small business MSPs, I’m saying that when they started this business, nobody wanted to invest in them because they weren’t focused on enterprise. It’s the kind of thing that industry can solve and we’re trying to create companies that are going to be going along those lines. Now, as far as what the administration’s doing, yes, standards are great. S bomb’s great. But if you look at some of the, sometimes we’re over correcting, some of the guidance that the Biden administration gave to the oil and gas industry, they didn’t really want to follow because they claim they couldn’t pump gas.
I don’t know, I’m not an expert in that area. I don’t have access to all the attacks and whatnot but there’s definitely a lot of things going on. But what I would tell you this, most of corporate America is defended by small business IT shops, they’re not defended by the name brand cyber things that we know. And frankly, if Russia or China came at us, those are the people who are going to have to do the defending and don’t get me wrong. The banks are going to have their resources, the telco’s going to have their resources and there’s a lot of cool technology and people in those things. But if you think about the 99% of America who needs to pump gas at the gas station and what that can do, it’s really small business that’s making up that supply chain and I want to see more technology and people focused on that. And that’s really the basis of what we’re doing at Gula Tech.
John Verry (23:35):
Gotcha. Question for you, so if we take this idea of this trusted ecosystem and through you, you were talking about the complexities of some of this stuff, you can see what the value proposition of you need to piece together the right companies, the right products, the right people. How does that influence your portfolio construction of companies? You have a ton of companies there. Is there any consciousness of that concept as you’re building out your portfolio?
Ron Gula (24:02):
I’ve got a short list of stuff I don’t like to talk about that are some big problems I’d love to see solved because it ends up pointing fingers at some of the big tech out there and whatnot. And I don’t want to go down those roads just yet but every company we get pitched at, we’re like, look, is this a fundamental problem about how something can be fixed? And could it be applied at a great scale? For example, we’re in a company called Halcyon. Halcyon has a AI trained agent that stops ransomware. It doesn’t do all malware. Doesn’t do all APT. It just focuses on ransomware and that’s a very niche problem but that’s the kind of problem that scaring the bejesus out of boards and CISOs and that kind of stuff. That’s a kind of good example.
Or other companies like ThreatBlockr. ThreatBlockr, if you think of the traditional CISO where they buy dozens if not a 100 threat feeds and then they kind of wait to get hit and then the hunting team finds a hash or a DNS name or an IP addresses, oh my God, it was FIN7 or these people from Russia or a new malware group, who knows? Well, why couldn’t we have done block those things at the endpoints or even on the edge of the network? ThreatBlockr is a network device that can do this in the cloud and on-prem and block those things. But you see, at least these two or three things I’ve talked about so far, they’re all sort of these basic fundamental problems that it’s a technology that can do it.
We’ve done similar investments for prevention, authentication. One of the things we like to do is the SOC analyst. Typical SOC analyst is a burdensome, long, they’re overworked. We’re interested in tools that can help them. One of them is Polarity. Polarity just makes their job of chasing down IOCs and threat information and what do we know about this stuff? Almost an instantaneous type of activity because it’s a visual overlay on their desktop. I always kind of hesitate a little bit because I’m not about pitching all the portfolio and whatnot but almost everything we invest in, we really, really have some conviction that this is solving some sort of problem that I think is critical for a variety of reasons.
John Verry (26:11):
Gotcha. Quick question for you, just generally, you mentioned Huntress and then being a SMB SME focused product, do you have a preference when you’re investing? Like you said, a lot of organizations only want invest in companies that sell to the enterprise, which leaves way too many companies that are critical to our economy and our national defense not well protected. Do you have a particular target range of your investments?
Ron Gula (26:36):
I really don’t. We’ve got a great team of people working here and we can really look at a pitch and then kind of go, look, maybe it’s a great team and maybe it’s even a great deal financially but do we want to be the 10th vendor or venture capital investing in this space? I’d rather be the first person in an industry that doesn’t take off and we maybe lose a little money than be the second or third and maximize our return or something like that. Almost everything we’re doing is trying to move the needle in a direction that people should be doing things.
John Verry (27:14):
One thing we haven’t touched base on yet, so you’ve got Gula Tech Adventures but you also have Gula Tech Foundation, which looks like you’re doing some really cool stuff there as well. Could you give us a little idea what they’re doing and specifically, I thought the grant program idea that you guys have there is really interesting.
Ron Gula (27:29):
When we first started, my wife, Cindy, she worked at Tenable as well. And so when we left, we kind of branded as Gula Tech Adventures and we were writing checks, trying to get to know some of the nonprofit in cyber kind of area. When I say nonprofits in cyber, I’m not talking about cybersecurity for churches and schools. I’m talking about actual organizations that have a mission to do something in cybersecurity, such as bring more minorities, women, African Americans try to be more awareness of cyber. And we just, we met the Hewlett Foundation, talked to the Craig Newmark Organization. We talked to a lot of different folks out there. And what we found was that the need for philanthropy in those kind of programs was almost identical to venture cyber, where if you gave a small investment, they could get to that next level.
And maybe that next level, they need a bigger investment. And maybe as a venture capital, you reach a point where you’re not going to write a $100 million check but there are organizations out there who will write those kind of checks. It’s the same thing in cyber for nonprofits. We saw, maybe we wrote a check for $50,000, that kind of thing. And maybe that got them in the attention of DHS. DHS writes them a check for half a million dollars, that sort of thing. What we wanted to do is that, most of our energy is focused into investing in commercial companies but we really feel that cybersecurity nonprofits are very important and we thought was a really interesting way to kind of motivate people and raise awareness.
We started doing grant competitions. We are on our fourth grant right now. We do a million dollar grant that are topic based. We have the community come to us, we kind of ask the questions of what problems they’re solving, what are they going to do with the money? How do they measure success? That sort of thing. And we actually try to publicize all this. We publicize our finalists. We publicize the winners. We’ve actually got a, I’ll say a partnership, if you will with the RSA conference where we’ve done previous grant with award ceremony with them and we’re going to do it again in June coming up. If you’re at RSA, you’ll be able to see our fourth Gula Tech Foundation grant ceremony and the grant, this time’s focused on increasing basically cyber expertise in more governance. What sounds like a mouthful but it really means teaching people who are on boards about IT and the technology risks associated with that.
John Verry (29:53):
I think that’s a huge issue. Maybe you know this, didn’t what is it? NACD, didn’t they come out with some guidance a couple years ago or a year ago that they had that each board had to be able to demonstrate that they had sufficient cybersecurity expertise on the board?
Ron Gula (30:08):
It’s a recommendation. The National Association of Corporate Directors. This shows how much cybersecurity people live in a bubble. Typically when I say NACD they’re like, “The C’s for cybersecurity.” I’m like, “No, it’s corporate directors.” And if you haven’t been on a board, if you haven’t been working at a company that does hundreds of million dollars of revenue, you have CFOs, chief financial accountants, you’ve got lawyers, you’ve got a lot of different people responsible for how are people paid? What kind of risk are we going to take? And so on. What NACD said is that, “We want to have some cyber risk.” And a lot of times these boards don’t even talk about cyber, they talk about tech risk. Maybe your tech risk is the supply of your chips and stuff like that. Another good group out there is the Digital Director’s Network. They offer a certification called qualified technical executive, QTE.
John Verry (31:02):
That was the digital, what was the name of that?
Ron Gula (31:05):
Digital Director’s Network. And so we’ve actually blogged about a lot of these things. We’ve interviewed him at the Gula Tech website. And since we’re talking about that, everybody says, “Why shouldn’t the Securities and Exchange Commissions simply just point at all the public companies and say you need a cyber expert on the board?” And I’m going to say, look, if you can put a cyber expert on the board, that’s great but it doesn’t mean they’re going to make the right decisions. It’s kind of like pointing your finger at Microsoft and say, “Just offer services and products that don’t have vulnerabilities.” It’s easy to say that from the outside, can we all find those experts? A lot of CISOs like to go into the boards and present. I don’t know that they want to go on the board and take the risk of accepting those, especially for public companies.
And look what happened at Target. Imagine we had a technology risk executive at Target, public company, and they signed off on this or look at what happened after SolarWinds. Now that they got renamed to enable kind of is what happened there, they brought a lot of cyber folks onto that board. Some people are up for that, some people aren’t but that’s probably what’s needed, not just in public companies but every organization out there. Nonprofits, private businesses, schools, we need to have more cybersecurity people doing that. My wife is on the board of the hospital where we live. She’s the only cyber IT person on it. And it’s astounding some of the conversations that you would imagine, mostly doctors. And if you just kind of extrapolate that to maybe you’re in a farming thing or you’re an airline type of board, you’re probably going to have farmers and airlines in there and as you should but this is sort of like saying we’re so dependent upon this technology, we need to have technologists at the boardroom level.
John Verry (32:59):
I couldn’t agree with you more. And then I also think, and I think maybe this is what that Digital Director’s Network does or maybe what you’ll also do but I also think we need to educate the CXO suite for those organizations that don’t have robust boards. The vast majority of American companies don’t have a board but yet they’re critical to what we do every day. Ensuring that the guy that’s the COO or the CEO or the owner of an organization knows enough to ask the right questions. And I think what we just really need to do is get us. One of the things that we try to do is get our technical and information security folks to speak more in business language and get that comfort level so we’re talking about risk with the same impact criteria.
If you’re a CISO and you walk into the CXO suite and you’re explaining risk in terms of confidential, integrity and availability, you’re talking about an impact of malware propagating through a network or something of that nature, I think that’s, we’re not talking the same impact criteria that they think. If we could talk about that in terms of lost man hours, in terms of financial costs, whether legal and reputational costs, things of that nature, I think that would solve some of the problem.
Ron Gula (34:07):
It may. That’s also a little bit of fear because of this, if you buy this, you’re going to have less of an impact. And we’ve seen those kind of tactics kind of come and go but I still kind of believe we need awareness and fear is a type of awareness, so is just sound IT design, so is understanding all the different risks that are out there and asking the board members and the chief leaders, What responsibility are you willing to take here?
John Verry (34:37):
I hope you didn’t misinterpret anything I said is I’m not a FUD guy. I don’t believe in it at all. I was just trying to get to the point that I think that the average business guy lives his life from a risk based approach. He’s making decisions every day in terms of financial investments and markets you’re moving into, using risk based metrics. If we can get information security risk to be talked about with the same metrics, the same impact criteria as they’re using for other decisions, I think we’re putting them in a more advantageous situation to help govern cybersecurity.
Ron Gula (35:04):
I definitely agree. And FUD definitely works. And even if you’re not subjecting yourself to FUD and you’re a CISO, chances are the odd call you’re going to get from your CEO or a board member during the middle of the night is going to be FUD that they saw on some news organization or some news story or some hack of the week. And a lot of CISOs now are probably getting asked, could we with withstand an attack from the Russians if they came at us? What if the Russians tried to shut down air travel or sea travel because they didn’t want us to resupply Ukraine? Think of all the supply lines that are involved in just keeping that stuff up. That’s an easy to conceive type of situation but somebody who’s just pumping gas for a 1,000 customers and doesn’t realize that three of them are commercial flights that are going that way. I’m kind of giving it for example here but it’s hard for people to empathize that what they do in their world is impactful. And it is.
John Verry (36:05):
One of the companies you didn’t mention that when I was researching you, I thought was fascinating, was a company’s Second Front. If I understood Second Front right, so if I want to become FedRAMP ATO or perhaps StateRAMP ATO now and if I decide to put stuff into AWS or into Azure, I get to inherit a certain percentage of my controls, the physical security controls, as an example. It sounded as if what Second Front was doing was delving further down into that stack of inheritable controls and really the whole dev sec ops portion of that, which is incredibly complex for most small to medium size organizations to actually implement, that they’re implementing that in a way which I can inherit in my ATO?
Ron Gula (36:57):
The short answer is yes but I’m going to say two things. One, we’re trying to bring really good apps to the war fighter and we’re going to try to make that easy to bring the really good apps to the war fighter in a secure manner. But at the same time, since it is for the DOD, I don’t want to go into it a whole lot or talk about some of the issues that they’re trying to solve there.
John Verry (37:20):
Oh, is that only DOD? That’s not for federal agencies outside of the DOD?
Ron Gula (37:24):
I’m going to kind of leave it at that. But the focus is mostly DOD but there’s similar programs in IC, in civilian gov but a fundamental problem here is let’s say you and I go start a company and I don’t know, maybe it’s a quantum encryption communication message system. And we’re killing it. We go out, we raise a million bucks, we’re going on our first million dollars of revenue and the Air Force calls and says, “Hey guys, can you come over here and give us a demo?” Well, it’s just you and me. There’s not a lot of incentive to go do that. And even with the government, you were talking before about things that this administration, previous administrative has done, there’s been a proliferation of organizations like AffWorks and DreamPort.
My point is even with those, it’s still not an incentive enough for somebody who’s doing an app for commercial to, oh, let me stop what I’m doing and go get certified so I can then do business with the DOD. At the core, that’s what Second Front’s trying to solve. They’re trying to make it not only really easy for startups to do that but there’s basically a backlog of stuff that the DOD wants to use that they can’t use. And so that’s kind of what’s going on there.
John Verry (38:41):
That sounds win win because on the government side, they get access to something valuable sooner and on the service provider side, going to a FedRAMP moderate A2 even, not even necessarily a high is a half a million dollar plus investment, it’s 18 months or 12 months for most people’s time. Really what you’re doing is kind of win win on both sides, it sounds like.
Ron Gula (39:04):
Let’s just say they’re attacking that problem.
John Verry (39:06):
That’s cool. That’s cool as hell. Any other? You have 30-ish companies in your portfolio, any others that you’re excited about and wanted to briefly chat about?
Ron Gula (39:16):
I was happy to talk about the ones that we spoke about. One that I’m going to mention and I really feel bad for the whole portfolio because they’re all like, which one is he going to mention next? But one that’s kind of interesting and this is something I think we’ve all been there when they’ve had a parent, a grandparent get phished. One of our companies we invest in called PIXM. It’s P-I-X-M is the name of the name of the company. And what they do is they have a browser plug in that before you click on log in, they use computer vision, they look at the thing that you’re about to log into. If it looks like Amazon, Google, Facebook, eBay, that sort of thing but it’s not coming from a known domain for that, they’re like, “Look, don’t click on that.”
And this is actually a very, very simple problem. And first of all, it’s free for end users. You can give it out to people who you think might be high risk or just keep it going there. But they have an enterprise version that allows people to collect what did Larry or Sally see at the time of phishing? And that’s actually something that not a lot of phishing solutions do because most people are trying to stop it upstream, try to open up in a Sandbox, opening it up, doing some threat intel on it, that kind of stuff. But what PIXM is doing, is because they’re doing it at the time of phish and it’s independent of all that threat intel stuff, they actually get a very unique signal when it comes to what’s out there. Since there’s a free download out there, I figured that might be worth people to look.
John Verry (40:45):
That’s a really cool idea. Basically what they’re doing is that the HTML rendered becomes an image to them and they say, “This looks a lot like an Amazon page but that’s not coming from amazon.com I’m going to.”
Ron Gula (41:01):
You’re basically white listing things that look like login pages that I’m about to log into. It’s pretty slick. The corollary to this, if you’re a SOC operator and somebody in accounting got phished and they’re like, “Oh, I clicked on this link and I saw PayPal,” or, “I saw my bank’s wiring portal,” but you and I go to it now because we’re trying to investigate it. That’s gone. C2 infrastructure, the phishing infrastructure, it’s very quick. And not only that, not only is it gone but maybe I can’t even collect intelligence on it anymore. Maybe nobody else in the industry saw it because who knows what percentage of phishing infrastructure we’re actually tracking. Having that image from that endpoint is really, really interesting. And I had another CISO point this out to me, it’s also a worldwide issue.
What my employees resolve in South America might be different than in Europe, might be different than in Asia, might be different in different parts of the US based on DNS and based on who’s doing, are they routing? Are they going over their home network? That kind of stuff. Anyway, check out PIXM, I appreciate the chance to pitch any of the companies we’re working with. But obviously that one, the strategic implication with them is email phishing alone is not going to work if I’m going to get attacked over Slack, which is what happened with the Lapsus$ group. They were able to hack into somebody’s Slack channel, post some messages and if you started clicking on those trusted people giving you bad links, this would’ve been a really good defense against that.
John Verry (42:35):
That’s interesting. It’ll actually work within, and now just out of curiosity, if you were running a, and I think Slack has a dedicated Slack client in addition to working in the browser, is that just the HTML anyway and it would’ve done the same thing, even if you’re working in the dedicated client?
Ron Gula (42:49):
The plugins are inside the browsers. And so if you’ve got a URL previewer thing, like Slack is, I don’t think it would’ve picked up on that. That’s interesting but if you’re clicking on it and firing it up in Chrome, that’s what you’re eventually going to have to do before you do that, it would’ve detected it.
John Verry (43:08):
That’s cool as hell. Well, we beat things up pretty good. Anything we missed? Anything else you want to chat about before we say goodbye?
Ron Gula (43:17):
I’m always happy to join other people’s podcasts and talk about this. If this stuff’s interesting to people, we’ve got a variety of articles, short videos and blogs and podcasts on our website at gula.tech as well.
John Verry (43:28):
You’ve got a good podcast. I’ve watched a number of them. Well, this was fantastic. Wait, I forgot one. And I did a bad job and didn’t give you much warning. Did you you see that last question?
Ron Gula (43:38):
Go for it.
John Verry (43:39):
All right, good. Give me a fictional character or real world person you think would make an amazing or horrible CISO and why?
Ron Gula (43:46):
I’m going to go for Kirk, so Captain Kirk.
John Verry (43:51):
Which era of Captain Kirk, we have to specify.
Ron Gula (43:55):
Well, I’m go, so it’s the second Kirk is kind of a Shakespearean interpretation of the first Kirk but what Starship captain, who else hacked into another ship? He hacked into the Reliant. And if he understands that kind of stuff. I always think that in Star Trek, there’s always plot flaws with technology and maybe plot devices with technology and whatnot. But Kirk generally has a sense for what’s right and what’s wrong and what they should do in most of these situations. And I really view cyber as a crisis situation. Where either it’s under invested or we’re right in the moment, you need a lot of people who are making decisions and not hiding when they should hide and not over investing when they shouldn’t overinvest. And I kind of think it’s more about leaders.
John Verry (44:45):
I’m amazed that this is probably closing on podcast episode 90 or a 100 that being that so many of us are Trekkies that that’s the first time Kirk came up as the answer. My wife is going to love it. Awesome stuff, man. If somebody wants to get in touch with you, what’s the easiest way to do that?
Ron Gula (45:02):
LinkedIn, I’m Ron Gula, R-O-N G-U-L-A on LinkedIn. I generally connect with people if they have questions and try to be helpful. Sometimes I’m hard to reach, I’m on a lot of boards and I’m doing podcasts like this quite often. Happy to connect with people and help out though.
John Verry (45:17):
Ron, this has been fun, man. I appreciate it.
Ron Gula (45:19):
Thank you very much.
Speaker 1 (45:22):
You’ve been listening to The Virtual CISO podcast. As you’ve probably figured out, we really enjoy information security so if there’s a question we haven’t yet answered or you need some help, you can reach us at [email protected] And to ensure you never miss an episode, subscribe to the show in your favorite podcast player. Until next time, let’s be careful out there.