How to get a cybersecurity startup off the ground

Chris Sienko: Cyber Work with Infosec has recently celebrated its 100th episode. Thank you to all of you that watch and listened and subscribed to both the audio Podcast and our YouTube channel. We're so grateful to hear from all of you and we look forward to speaking with you more about all aspects of the cyber security industry. To celebrate this milestone we have a very special offer for listeners of the Podcast. We're giving 30 days of free training through our Infosec skills platform. Go to infosecinstitute.com/skills and sign up for an account or just click the link in the description below. While you're there, enter the coupon code cyberwork one word all lowercase, c-y-b-e-r-w-o-r-k, when signing up and you will get your free access. You'll get 30 days of unlimited projects to over 500 cyber security courses featuring Cloud hosted Cyber Ranges, hands on projects, customizable certification, practice exams, skills assessments and more. Again, check out the link in the description below. And use the code cyberwork, c-y-b-e-r-w-o-r-k, to get your free month cyber security training today. And thank you once again for listening and watching. Now, let's get to the episode.

Welcome to this week's episode of the Cyber Work with Infosec Podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cyber security trends, how those trends are affecting the work of Infosec professionals while offering tips for those trying to break in or move up the ladder in the cybersecurity industry. Today's guest Kevin O'Brien is the CEO and co-founder of GreatHorn, a high growth venture-based email security company based in Boston, Massachusetts that's focused on solving phishing, credential theft, malware, ransomware, and business email compromised for cloud email platforms and was named a Gartner Cool Vendor RSA Innovation Sandbox finalist and Infosec Awards Cutting Edge winner. For those of you who are well on your way up to the cybersecurity career ladder, you might think that the position of startup would be the next step. So, Kevin is going to tell us about his career to this point and some of the highlights and pitfalls of such a massive endeavor.

Currently CEO and co-founder of email security company GreatHorn, Kevin O’Brien is a frequent speaker, commentator and author that advises customers and the public on data security and privacy issues. With 20 years of deep cybersecurity expertise, most notably with CloudLock (Cisco), Conjur (CyberArk) and @stake (Symantec), Kevin also serves as co-chair for the Mass Technology Leadership Council’s cybersecurity group. Outside of security, Kevin is a lifelong martial artist, avid skier and amateur sailor.

Kevin: Pleasure, Chris. Thanks for having me.

Chris: So, we always like to hear origin stories. And in this case, we definitely want to. So, tell us how and when you got interested in computers and tech and also when did security become part of that?

Kevin: Yeah, sure. So, I entered the security space in probably 1999. And I did so as part of @stake and you mentioned that in the introduction which Semantic acquired back in 2004. And what's unique about the @stake story was that it was a group of hackers in Boston, the L0pht who testified in front of the US Senate in the late 1990s about their capabilities and that they could take the internet offline in about a half hour. And they were testifying because they were saying we shouldn't put critical infrastructure on the internet because it was so fundamentally insecure. I think everyone knows that was basically ignored as a message. And so, consequently, you've got a space that created a tremendous amount of economic opportunity for guys on my side of the table, on the vendor side, but really not great for society at large. But I was there early.

And I was part of the initial team and was doing reverse engineering and pen testing work and probably the last time I was technically useful for anybody, but working in assembler and bringing things down to figure out where there's actual potential to smash the stack and do something with the code exploit. And I fell in love with cybersecurity but I also fell in love with startups. And so, from there, a small deviation for first time in school have done startups. This is number six, GreatHorn. But I've been fortunate and that the other five that I've worked at have all been successfully exited. And so, I've had this opportunity to really have a bunch of different roles and we'll talk more about that. But my origin story is that. It's working alongside a bunch of grey hat hackers who are tremendous folks, I'm still friends with a number of them and they've gone on to found big companies like Veracode or Carbon Black, whatever.

So, there's just this great group of folks that I got to know in the Boston CyberSecurity community right as I was starting my career. And it probably changed the course of my life because, otherwise, I would have pursued that degree which was in philosophy and I was eventually doing PhD work before I realized that there's just too much money in philosophy and it would ruin me so I don't want to sellout.

Chris: All my philosophy friends all waving their wads in front of my face here.

Kevin: That's right.

Chris: So, yeah. I guess, how'd you say you got, you fell in with this group?

Kevin: So, actually was fortunate. I met one of the principals and met them socially. And we got to talking. And I had always been a technologist, I guess, not necessarily a good one but I was always interested in it. And so, if you roll the clock back, I was sitting in my family's basement in the 1980s with the Commodore 64 128 with copies of Byte magazine and learning to program in basic, right? And in those days, every one of those magazines would come with a story and it usually involved the Russians to some degree, everything well it's new again. And the stories were incomplete and you had to like finish the program and then you'd get the answer to the puzzle and then whatever. And so, I really thought, "How cool is that?" And maybe because it was coming out of this cold war era timeline that the technology and computers weren't just the thing that if you were 10 years earlier, we're like ham radio aficionados working on things that you would play around with this tech.

But it was actually starting to have this connection to national security and what the world looked like. And of course, late 1980s, you also have this infusion of the punk scene and do it yourself culture and all of that came together. So, I mean, that's the coolest thing. And by then, I met these folks who are real like old school hackers and I had been on IRC and in the '90s, the early '90s and hanging out with some of these folks and chatting with some of them.

Funny side story, it turns out my wife, who I met much later in life and is a family nurse practitioner and a very sweet woman from Texas was hanging out on IRC channels in the '90s because she was dating someone who was part of the Legion of Doom which was another hacking collective. She is not a computer technologist but we ended up knowing a bunch of the same people from those days. And then so, it's a fun overlap.

Chris: Were these hacking group, were these people noticed way older than you like 10 years older or were they peers?

Kevin: They were a little bit older than I was. So, I was 17, 18 years old when I started hanging out with the L0pht crew and the @stake crew. And I think I was just old enough to be a legal employee. So, I was very young, in a lot of ways. And-

Chris: How did they feel about hanging out with someone 10 years younger than them?

Kevin: I mean, they're very nice to me. And so, we were in the Boston area and I was going to Red Sox games with some of them. And we were launching product and we had the RSA crew, Circa 2000. We did a private showing of might have been Swordfish, I have to go back and look one of those terrible early late 90s, early 2000s movies. And so, we were doing things sponsored by the company. And so, they were very courteous and nice. I'm sure that in hindsight they probably were like, "Who is this kid who has no skills?" But it was my start.

Chris: Yeah, it's exciting. So, I guess you've got a nice long trail here. So, how has the cybersecurity landscape procedurally or directionally changed since you first got involved?

Kevin: Great question. I think that we want, we see that cyber security remains a top line issue. And in some ways, it has become a more serious issue. Remember, 1999 when I got started, I had a 56k modem and I had a computer in my bedroom growing up and maybe had a phone line if you were like me that was dedicated to it. But you didn't have a cell phone. And if you were really cutting edge, maybe you have like a cell phone in a bag that was pretty large. But for the most part, the world is different and it was more offline. And the @steak t-shirt that I still have somewhere says hacker on the front and on the back, it says securing the digital economy which was our official tagline, our unofficial tagline was putting a dent in the universe.

But that concept the digital economy, can you imagine saying that today? But that is the economy, the only economy is the digital economy. But the world has changed in that. We now are in some ways more technological. And probably in some ways worse off because everything that you are, everything about you if you live in a Western civilization. And increasingly anywhere on the planet, culture and civilization area, you're going to have accounts that are sold that contain data about you. And we can figure out where you drive, when you drive there or what your house looks like, how much money you make, what your marital says, everything all of that's there. And this wasn't the case 25 years ago. And so-

Chris: It was pretty optional still at that point.

Kevin: I mean, it wasn't optional because the companies that would eventually emerge to own this stuff-

Chris: Well, in the sense that-

Kevin: ... weren't in existence.

Chris: ... not everyone was using it. It was optional. And that there were the people who are surging ahead and those who are still clinging to the idea that it was going to be necessary.

Kevin: Yeah. I mean, I've still got a low digit /.number somewhere and most of your listeners probably don't have any idea what I'm talking about. And that's how old I feel. But look, the thing about that is, we were the technologists, but we were the counterculture. And now, it is to not be a technologist that would make you counterculture.

So, there's been an inversion of society. And I think that's the biggest change. And all the cyber security stuff that trickles down from that. The fact that I can compromise an organization, I can send an email to somebody and get them to give me their credentials. And now, I am that person. I can get all of this data and I can sell it and there's a dark web and I mean know that that stuff was real back then and given us fantasy rather than near reality.

Chris: Yeah. I guess what I meant by optional was... and this also dates me. But and maybe this was just where I grew up. But I felt like for some years there was this feeling that not everyone was going to eventually be on the internet, I always thought it was going to be boutique in the sense that some people would be interested and get on and some people never would. I just never had the sense that every man, woman, child is going to have an email account or has interest or wants to comment or whatever. So, I guess that's what-

Kevin: I think you're right. And so, and my point was only that it was when I say it wasn't optional. What I mean is the commoditization and the consolidation of every facet of your life wasn't something that even the future looking technologists really taking seriously. I mean, we called it cyberspace as though or this other thing. And now, it is everything. And so, it's good if you're in security, because what is the biggest challenge? Well, okay. The biggest challenge is probably climate change. The second largest challenge I think most of us face is probably this idea that all of this personally identifiable information and privacy information is in the hands of companies and maybe not companies that are protecting that data as well as they should.

Chris: Yeah. So, let's start by talking a little bit about GreatHorn. What does the company do that you are the co-founder over the startup and what are its primary products? And what its statement or purpose?

Kevin: Yeah. So, we are a cloud native email security company and we help Global 2000 organizations protect themselves when they're using Office 365 or G Suite from Google from advanced email threats, phishing, business email compromised, advanced malware, impersonations, account takeovers. And the reason that that matters is because email, which is a very old system, right? So, email is interesting. Email is 50-ish years old, it cannot own by anybody. And so, it's not a proprietary platform is venerable but it's vulnerable. And %90-ish plus of all data breaches that actually occur involve email in the early stages, because it is the simplest way to get to almost anyone in the working world.

And in today's hyper connected environments, corporate environments, your email account is probably your identity. And if I can compromise you in some fashion, I can either get you to do something that you shouldn't. And so, there's social engineering tactics or I can directly become you and I can get access to things that you have access to that I want to steal or I can use your identity to then move east, west and escalate my privileges and do other things. And that ranges from one of our customers had an individual get stopped at a convenience store because they were about to spend two or $3,000 in a, small bit embarrassing attack worked on gift cards all the way to another customer of ours nearly wired $34 million to an international agency based on billing, which they would never have gotten back. And we stopped those things from happening, we help prevent the email portion of that attack. A market that's been around for 20-ish years, companies that existed when I started an email security space but we're very much stagnant companies.

They were perimeter security appliance tools and they were not well adapted to the cloud ecosystem that now exists. So, we said, we're going to do this in a different way. And we're going to change the narrative from perimeter blocking security to a continuous risk model. And what's nice about that, and that sounds like corporate speak, but what I mean is that now we can identify before during and after an attack an arm an information security professional and team with the tooling they need to minimize the aperture of exposure, the amount of time in which they're at risk based on one of these attacks being executed against their company.

Chris: Okay. So, you mentioned that you're a serial startup guru. You've done a number of them over the years here. So, let's get granular about the types of skills and jobs and experiences that you had that were crucial in co-founding of GreatHorn and of the places before. How does the opportunity to create a company present itself and what are you doing at the time when that comes up?

Kevin: Sure. Well, first, guru is the wrong term, I have a problem. And the problem is that I'm not employable. So, and it's only a joke, somebody who starts a company, I often will tell people look, if you can work for somebody else go do it because you can get to the same rough degree of economic success and be just as satisfied but you get a lot more sleep and it's a lot easier. And if you're an entrepreneur, it's often because you cannot be. And I think that is something that I can look all the way back to being a kid, running lemonade stands and whatever instead of just getting a paper out. Like It's harder to do but there's something about it that's in your DNA.

Chris: Yeah, do you dig the rush of insecurity in the sense that some people are just absolutely hate routine. And once they know how to do a thing they move on. Is that what you're like, or?

Kevin: I don't have that itch where I have to do something that is brand new but I do like novelty. I mean, I think everyone does and we could wax philosophically about why novelty is an interesting thing. But look, I do things the hard way and that's not necessarily good. My hobbies involve being armbar to joked and learning to say and putting my life at risk on the ocean and crashing through the waves. Like why? And that's just there's nature nurtured, et cetera. But there's a lot going on there and starting the company and having that environment can be incredibly rewarding and it is true, startups are the highest of highs professionally, but they're also the lowest of lows. And crescendo and fall and that's hard but the skills that you asked about. So, I spent the vast majority of the 20-ish years in cyber security that I've been working as a sales engineer in a bunch of different companies. And so, that's a really intriguing place because you're technical but you're translating problems to the business to non-technical people.

You're working hand in hand with sales people. And so, you're going on the road, you're meeting customers, you're hearing problems firsthand, but your job isn't sell, sell, sell, it's figure out what's really going on, pay attention to how people are receiving a message, shift the message on the fly. And I think those things are really well aligned towards being good at launching products because what are startups with the creation of new products and offerings in highly volatile and competitive situations. And so, all of the skills about listening and learning how to launch products and learning how to do those things phase in. After 15-ish years as especially a bit less, something like 12 years of sales engineer. I spent a number of years as a product marketer and then a VP of Marketing and eventually a Chief Operating Officer. But being in the marketing side, especially the product marketing side is also very useful because what you get is exposure to how products get launched and how you do qualification. And how you take things and get people excited about them and really get people enamored with doing something that is new and risky. And so, I think those skills dovetail well. It's not the only path but if you're a non-technical person and I can code but I'm terrible at it. And I have a technical co-founder that I've known for 20 odd years, he's brilliant, who can make up for those deficiencies. But if you're non-technical but understand how to talk to technology, people and how to talk to business people and you confuse those, I think we'll see that's a pretty good place to be as a founder.

Chris: Now, it sounds like especially with the first step. I met a guy, he introduced me to some folks, we did this thing. If you're minded towards these types of things but there isn't a guy to me in your area like how do you like get yourself into situations like this where you can because obviously no one's going to do the thing all by themselves. So, you're going to want to find a group like what are some tips or advice do you have if you think you're the person to turn to find your tribe?

Kevin: Yeah. Look, we are in probably the best time to start a technology startup industry. You can go online and you can read everything Paul Graham has ever written. I'm not a Y Combinator guy. But Paul is great and then he's written all of this stuff. And you can go and start to understand this. You can go and read in the startup hacks that Alex Iskold formerly of Techstars, he's now at a venture firm called 2048. Alex writes tons and tons of articles about all of the dynamics of starting a company and finding a co-founder and figuring out founder market fit before you get to product market fit.

You can get books guys like David Cohen have written books about and Brad Feld have written books about how to structure a venture deal. And if you're going to go get funding, what's that look like? We didn't have any of that 20 years ago. And so, our venture deals were worse and our outcomes were smaller. So, the starting place is to educate yourself on the structural components of building a company, which means I got to get a product, it's got to be a minimum viable product most likely. I've got to get it out to some people, I got to get some feedback. And I got to get that feedback going where someone's asking me for something and I build it. They ask me for something and I build it. And then you can start to think about is this viable? And the questions that you need to answer and not for the venture guys.

They're going to ask these questions but you need to understand for yourself how big is this market? And you have to be ruthlessly honest because you have a great business in a small market but it's probably not a venture business, it's probably a lifestyle business and that's okay. Or you can have a product that works in the huge market and it might be a venture scale business and whatever that looks like you then start to have a strategy. Okay, I'm going to build this thing that people need, I think people need it. So, I build a first version of it and I get some feedback, iterate on it, I might pivot, I might abandon it and do something else. And then I educate myself about the structure of what I'm doing. And so, if I'm in technology, I figure out what I need to do from a capital requirements perspective. And then you can start to look at. If you don't have any connections, one of the great ways of getting into the venture market the side of it to get funded, there are accelerator programs. And I took this company for Techstars, I'm a big fan of them. And there are tons of tech stars affiliates. There's Y Combinator on the west coast. There are smaller accelerator programs everywhere. And if you've never done it that will be one path. The other is to go work for a startup and say, look, I'm going to spend three years but I'm going to maybe get myself to an area with some economic activity it looks and I'm going to start to understand how this works. I'm slower than most people I guess, it took me 20 years to get to that place where I felt like I know some guys on the venture side, on the tech side and I'm going to make a go and I bet it a bunch of companies. But you can also shorten that loop by getting into those areas sooner and essentially getting yourself to a point where the venture market. There's a finance route to which I don't know anything about, but there are guys who go and get great careers and work at Blackstone and then find their way into venture deals. But I only know the technology hard way because I like it dong things the hard way.

Chris: Yeah. That's what the other parts of the team and for. So, and we've had episodes of what's it like to be a cyber security analyst or an incident responder, other things. So, this is the top here. Walk me through, your average day is a CEO of a cyber security startup, what are some of the job responsibilities that are part of your daily basis?

Kevin: Yeah. Look, there's an answer that's different at each stage of the business. In the earliest days of GreatHorn when I started it, I went to an office and we intentionally rented a very small office early on and I built sales materials and decks and tried to draw a business and wrote blog posts and did viral marketing and that's the inception. At the same time, my co-founder was writing product and we were working on design and whiteboarding and that's the hardest. I think that phase of birthing something from nothing is in some ways the most difficult. The next phase of the business where you start to get some customer traction, if you're the CEO, you damn well better be in front of those customers and learning what's working and what's not. And it is on you to figure that out and qualify that and spend time there. And then a little later, you're starting to manage a team and your initial team may not be your ultimate team. You might not be able to afford the people that you really want to bring in or you might be able to.

You're able to convince them but you're going to start having a people management side of that. And now, today we're 20 plus million in venture and been around for five years and multiple millions of dollars, et cetera. My day is, it's very but I am up early and I am doing email for the first hour. So, my day I got a couple hundred emails a day. So, I prioritize and delegate when I need to. Once I'm in the office, I'm usually spending most of my days split between talking to my staff and I've got a great leadership team, my direct employees, customers.  I might be interviewing people because we're growing very rapidly and hiring across the board right now. There are a handful of operational and structural things need to happen. I've got a great CFO and a great team but looking at the financials of the business and planning for the future. I think the best way to describe it is that the further down the path you are, the fewer decisions you should make directly and the more impactful those decisions should be. Which means that you will spend a lot of time listening and a lot of time taking in information.

And I may make a decision about over the course of a month, what are we going to be doing this launch of this new product? What features does it need to have? And how does it how's it going to shake out? I'm not going to do that in a vacuum. I'm going to be talking to people and collecting that data. And I think that the jobs of a founder don't run out of money. So, and sometimes you're a fundraiser. And so, job number one, keep the doors open. Two, set the strategic vision for the company. And that means getting everybody on board. It's not done with a gavel. It's done with conversation and consensus. Sometimes you have to use the heavy hand in the office. But for the most part, you're trying to listen because you're probably wrong. You just don't know how yet. So, hire smart people and get them to tell you what you need to hear. And then culture. The third thing you do is hiring, firing and managing culture and not doing it with lip service paid, the culture but doing it in the right way where the people that you spend a lot of time working with and bringing into the organization and who represent your organization externally are doing it in a way that's consistent with the values of the organization. And ultimately, those values are your values if you're the founder so be damn sure you know who those are and make sure that you're managing those correctly so that the culture represents the company you want to work for. Good work done well as Jerry Colonna sometimes says is, I think the best part of culture.

Chris: So, let's rank some of these obligations and tasks and stuff. What are the best most interesting parts of the job as a CEO? And what are the most difficult or repetitive things, things you don't like to do?

Kevin: Yeah. The best part is getting to work with customers. Listening to people who have actually spent real significant money on a product that at one point in time, if you roll the clock way back to like 2014 for us was an idea on the back of a piece of printer paper that Ray, my co-founder, and I sat down and sketched out. And now, it's this big multimillion-dollar international business and we have people who are putting their careers on the line as security professionals to use our software. So, making certain that we're delivering on what we say we're going to do and that we are ahead of the curve with respect to what people need and that we're driving a market that isn't a market segment we created.

There were no cloud email security companies before GreatHorn and now there's a bunch but we created that market, we have an obligation I think to set the vision for it and innovate within it. That's the best part. And that happens in the product management world there's an acronym NIHITO, Nothing Important Happens In The Office. And to a degree, I think that's true, right? So that's the stuff that I love the most, getting out in front of prospects and customers. Second best is working with my team. And I've got an amazingly sharp group of people and I'm fortunate to work with them. I believe that you build the company you want to work for. So, if you're in that seat and you're making those decisions, you are certainly getting value from the people whom you hire but you need to deliver it to. You need to inspire and lead and listen and grow people and give them opportunity to do the things you hired them to do which means trusting them and empowering them. There's operational stuff that just has to happen, right? Like your designer and you're the guy who will make sure or the woman who makes sure that everything runs and doing that. And that's probably my least favorite part. I don't mind doing it at all. And I'm process oriented. But it's not exciting just to be delivering x report to somebody and that's fine but that's probably the least exciting part of the day-to-day.

Chris: I mentioned that. I had an old roommate who wanted to be a film director and I just had the sense that he thought that being a director was the person that says action. And I was like, "You're going to be up at 2:00 a.m. looking at fabric swatches," right? And I think when people think CEO, they're just, I get to walk around and talk to my coworkers. And so, yeah, I like to hear things like for instance, what are the parts of the job that you stress out over on Sunday before your work week? Do you have things you're, "Oh, I don't want to deal with this?" Or is it just the process stuff?

Kevin: I don't mind the process stuff. I've recently been looking at fabrics batches, swatches in particular because we have a new office we're opening. And we're opening a couple HQ and it's 17,000 plus square feet. And like every piece of furniture and every stitch of fabric at some point crossed my desk, have a great team. So, what crossed my desk for good things to start with? But yeah, you do that on. Sunday, that's cute. Sunday afternoon, I'm still working. I wake up about once a week between three and four in the morning, sometimes it's two or three times a week. And I don't have interesting nightmares anymore. I have nightmares that I missed something in a spreadsheet or a big customer canceled. And once that happens, that gets in your head. And inevitably, what then happens is I get up and I said, "Look, I'm not going to sleep anymore tonight."

So, I'm just going to go and try to write down what we can do or to think about this problem or whatever. And I actually perversely like it. So, this is why I say, if you cannot be a CEO or founder don't. And if it's in your DNA, then you have to do it. And you're going to find that those things are in some ways interesting. I mean, I'm tired a lot. But that is the recurring stuff. And ultimately, what I care about most more than anything else is are we delivering on the promise we make for our customers. Customers believe in us, we're not the safe option. We haven't been around for 25 years. They're betting on our ability to outperform a legacy market. And we do and we do it consistently and we do it really, really well. But you get to see. So, an international business, you're spending seven figures under technology which happens, you damn well better show up and work. And so, that's what matters to me. And that's what keeps me going.

Chris: Oh, I guess you're answering this for me. But what people tend to excel in CEO positions? What are the key traits that you think?

Kevin: I can't answer that. I think that all of us who sit in roles like this or any role really have tremendous imposter syndrome. I have worked for people a heck of a lot longer than I've worked as CEO. And so, I can't tell you, I don't have any wisdom. Ask me when I'm 60 or 70 and they don't have an answer for you. Look, the folks that I look up to who are brilliant and have written books and have reached the apex of their careers talk about listening and talk about leading with authenticity and talk about being customer obsessed and talk about humility. I think those are the characteristics that I aspire towards. But 37 years old, Chris, I can't tell you what makes a great CEO. And hopefully, I will get there and some will ask me that question I'll have a sharp answer, but it's not today.

Chris: Okay. So, what do you feel the role of freshman certifications play in the enhancement of a security career? Do you think there are certain certifications that are more important for security aspirants in 2020?

Kevin: Depends on what you want to do. If you are in the trenches security analyst and you're struggling to find work and I know that happens and I follow a lot of folks on Twitter who are aspirants and they go get a CISSP or they will get some other certification, I think it can be helpful. I don't carry any security certifications today and wouldn't make sense for me to. Most of the CSOs I know might have one might have a CISSP. Ultimately, your ability to do the job and your ability to operate within your organization are far more important than the letters after your name. But breaking in to the industry, I think some of those sorts can be helpful. And if you don't know anything, what they say is I have a survey of security that I had gone through. And if I'm a CISSP or something like that, I know a little bit about a lot and I can come in and then double down onto the area that I'd be focused on. But that answer is going to be really different for someone who's in the weeds doing security response at a Fortune 500 in the sock versus someone who's at a startup as the director of Infosec and spending most of their time on compliance for GPR. And those certifications are just very different.

Chris: Okay. So, let's turn now to some specific aspects of GreatHorn. GreatHorn, obviously, we talked about a little bit email security company focused on solving phishing credential theft, malware, ransomware and business email compromised for cloud email platforms. And you talked a little bit about some of the strategies you have. But what mechanisms or systems does your platform use to solve these types of problems?

Kevin: If this was a drinking game you'd take a drink because I'm about to say data science and machine learning and AI. But the thing is-

Chris: I'm familiar-

Kevin: So, look, what's that really mean? When you start dealing with threat, I was just having this conversation with a peer and former colleague, you can be deterministic in your risk management security strategy. You can be prescriptive or you can be heuristic. And you can't be 100% deterministic because if you're 100% deterministic and you know everything, you'd be all set, right? We're going to say, these are all the threats and we just solved for them. But there's no such thing. And we can do that for some degrees, right? So, we can TTPs and we can take IOCs, indicator of compromise, tactics, techniques and procedures, things that are published consume them and block them.

If I could tell you, every bad packet you're ever going to get is going to come from these 100 IP addresses, that's deterministic, great block those, done, check. You need some of that. Prescriptive is we can in real time start to understand some of those threat factors and we can address them and great one does that. And so, we have threat intelligence sources and we have things we look for using various components of our architecture and our data science platform. And that's great because prescriptive can be informed more quickly than descriptive and you can actually start to apply that framework to threats that are coming in. So, over email, I can tell you this is a known malicious sender. This looks like this could be a threat here or there, we're going to do something with it. And then heuristic. Look, if you don't have a prescriptive or a descriptive model, then you need the data and you need to parse that data, you need to come up with a heuristic on a spectrum between good and bad, somewhere in there is where this thing sits. And you can't do everything in your sixth sense because you spend all your time analyzing data. But data science and machine learning help you cut that time down and can make decisions or help you make decisions. Because I don't think AI is real, that will make a better chance or give you a better chance of stopping something or reducing what I said earlier the aperture of exposure, how long you're at risk.

The old days, the CrowdStrike guys used to talk about the 1-10-90, right? So, you'd have one minute to detect, 10 minutes to analyze, 90 minutes to do response. Well, that idea is what this multi-tiered defense in depth model or risk management model gets to, we do a little bit of all of that. So, I can take a website, you click on a link in your email. I can run it through convolutional neural net which is a fancy way of saying, I can compare what that looks like to a train bottle a bunch of other things and say, that looks like a Dropbox login page. And this is on some compromised WordPress site, so that's a credential theft attack and then I can prescriptively block it. So, there's some heuristic and some prescriptive. So, having those different techniques are what underpin a lot of the system. And we do this for every stitch of data that you can get over this point. We look at billions of emails on a monthly basis.And using all of that, we can help organizations articulate an enterprise security strategy that minimizes their risk. And then if they need to, they can use GreatHorn to very quickly do response. So, we talked about driving down two things, time to detection, how long does it take me, can I get to that one minute or less time frame to see something is wrong? And time response, how quickly can I go and respond, deal with this.

Chris: I had another question. But you stopped me in my tracks. What do you mean by AI doesn't exist?

Kevin: Oh. So, look, I'm maybe overstating this a little bit. But when I-

Chris: Intrigued.

Kevin: ... think about it, yeah, sure. What do we mean by Artificial Intelligence? And so, there is a concept of artificial intelligence that artificial intelligence is this thing that I can feed data to and it's going to go and actually consume that data and think like a human would, right, which is philosophically probably not possible. And we could go on at length about why many, not just I, I think that's not possible. I think a best read and augmented intelligence level where we can say, look, we can take that information, feed it into something that maybe I can't even really tell you why it's making the decisions it's making, instantly, that's the categorical definition of a neural net.: And yet, the outcomes are pretty well aligned to what a human would do, but that's not artificial intelligence. And there's an argument there. A lot of companies are saying, "Man, it doesn't sound cool that we have an AI thing." There are companies in our space who even named their AI and the AI engine like it's supposed to do something and they use some Greek name.

And it's just an eye roll. I mean, look, if you're at CSA you know that's not what's happening. And you know it's still human in the loop. And that's okay. But maybe as vendors, we can stop spewing this nonsense at very intelligent, sophisticated buyers and just tell the truth about what it is that we're doing. And it's still valuable and helpful even if it's not as sexy from a marketing perspective.

Chris: Okay. So, what in your opinion should be done to curb dangerous activity like ransomware, BEC, but currently isn't? Obviously, everyone should have GreatHorn products on their network. But what combination of tech and security awareness education do you think needs to happen to make a significant dent in the problem?

Kevin: Well, let's clarify that security awareness education is a compliance exercise, not a security exercise. Over a billion dollars is spent on security awareness training in 2019. The net change between 2018, 2019 according to a number of studies, 2%. So, a billion bucks for a 2% reduction in efficacy of phishing. It's great, well spent, well done. You can't train the problem away. And so, what you can do is alert someone to the problem. And I'll draw it up by analogy. If you've gone to elementary or primary school in the United States, then you know that at some point they brought in someone from the fire department who told you as a young child that if there's a fire in your house, you should not crawl into your bed or hide your closet because that's a really bad strategy. And you should go outside because that's a better strategy for surviving a fire. If your house burns the ground and you're not in it, hey, that's better than being under the bed, that's training. And yeah, sure, we should do that. We should tell people what they should do.

But everybody has a smoke detector too, right? And so, the difference here is can I provide contextual information not, hey, theoretically, Chris, you could get a business email compromise email and it might look like someone you know and ask you to do something and you should do it. That's great, wonderful, thank you. But better is if you now have an integrated way of saying this email, the one you're looking at right now on your phone in the airport running onto that plane, it says, I need you to send me your phone number. I need you to go do this thing for this customer, this is fake. And if I can tell you that you can drive down your risk significantly. And that's a big deal. That's what we really want someone to have. And if you can do that, you can really materially drop the risk of being a victim of BEC.

Chris: And do you see any cutting edge, types of deception going on right now? Are we still just seeing the same send me an invoice, send me this, send me that or are you seeing more pernicious types of BEC or phishing coming on the horizon?

Kevin: Oh, we're definitely seeing more pernicious types and these things move all the time, right? And this is why it's not a descriptive protection model and it's not even a prescriptive protection model, you have to have some heuristics in there. We have seen the rise of sophisticated impersonations of business services. We have customers who are running best of breed incredibly expensive, securing gateway products that they'll send up at GreatHorn in instance and we'll see 30,000, 40,000, 50,000 threats get around those gateways because they just weren't threats when they were delivered. I send you something with the URL, they detect to attack or weaponize that you were on that website. An hour after deliver this, I sent it to 10,000 people, someone clicks on it. After it's been delivered, after I've weaponized it got through, that's a huge issue.

We see out-of-band account takeovers, where the attacker then has legitimate credentials into your email environment. How do we stop that? Stay tuned at RSA. We have some ideas about that, it comes up in two weeks. So, there's a ton of stuff that can happen there. We see events, the voicemail session, everybody gets voicemail emails these days. And so, they're ShoreTel is a company that does voice services and what services. And we see Shore wave or other permutations of that. And it looks just like the real thing, its users. And if you go click on it, it could be a virus or could be a credential theft attack. We see folks standing up service accounts that are using services for email delivery for marketing. So, I go when I look on security trails I see that your company were built with, I see your company uses, I don't know, SendGrid, let's say. Taking about SendGrid great company but you're using it for transactional marketing. I'm the attacker, I warm up an IP, I set something up that looks like your domain, I use SendGrid. I send it to someone inside, it gets passed, because I'm passing for the same SPF address, the same IP address as your legitimate service, so it gets delivered.

All that is suspense. You were saying it looks real. And yeah, everything I'm doing is an attack. And so, there are all of these different techniques and they shift, right? They shift every couple of weeks. And that is why this problem is so intractable and why companies like mine exist.

Chris: So, that's pretty scary. But so, where do you see these issues being in five- or 10-years' time? I feel like we get spam still, but like spam has been solved. We have spam filters we have this and that. Is this something that you think can you envision a time where these sorts of things become more like background noise, the way you just look in your filter and deal with stuff?

Kevin: Yeah. That's a great question. Look, I think that email is a system that with the right controls and probably not controls that are part of email but rather stick orthogonal to email. We can make email a trustworthy system. And we can do it without going down the Silicon Valley startup path of saying that we're going to replace email with something else. The beauty of email is that nobody owns it, right? The beauty of email is that it's an RFC somewhere. It's SMTP IMAP mail exchange models that we can set up our own server and go use. But It is vulnerable because it's so flexible, because it's so open. And there are companies that are trying to replace email. I think that's a fool's errand. And I think that we shouldn't do that to begin with because it is so good at being a communication platform. But if you go and look at things like how the German mathematician girl talks about incompleteness in mathematics, betraying my philosophy a little bit.

But if you go look at this, you can see that there are various theorems that in a very reductive form state, you can't prove a given system within that system. Well, email I don't think can be made safe within the confines of email, because if it's in an email header, I can spoof it. But if you have external systems and these externalities are able to observe and look at all of this, you can do it at a high enough scale, we could start to create a confidence model. Phil Zimmerman got this right in the 1990s with pretty good privacy. And this idea of a web of trust was ahead of its time perhaps, but the idea of it, if you have a PKI infrastructure, a private key infrastructure and two people could sign something, and I can trust those people because I'm in this web of trust, we could start to solve for encryption in that case, but also digital signing.

That didn't work because it's really hard to build that web of trust. But those concepts could still work. The idea of an external trusted system that observes things and provides a layer of authentication and trust over a system like email is nothing fundamentally right. So yeah, we'll get there. It's going to take a while and it's not going to be universal but it won't be done by somebody replacing email with some new system and it won't be done exclusively within email, it'll be something external to it.

Chris: Alright. So, to wrap up today, if our listeners want to know more about Kevin O'Brien or GreatHorn, where can they go online?

Kevin: So www.greathorn G-R-E-A-T-H-O-R-N.com is the website of the company. We have a lot of information out there. We'll also be at the RSA Conference in a couple of weeks. So, if you're listening and you're using security, dropped by. We've got a big booth. And we'd love to chat and hear what you think. And beyond that, you can also follow us on Twitter @greathorn. And we're also on LinkedIn and all the other major social channels.

Chris: Kevin, thank you so much for your time today. Really, this was fascinating.

Kevin: Thanks, Chris. Appreciate it. A lot of fun.

Chris: All right. And thank you all for listening and watching. If you enjoyed today's video, you can find many more on our YouTube page, just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews, and past webinars. If you'd rather have us in your ears during your work day, all our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your favorite podcast catcher of choice. And for a free month of our Infosec skills platform which you heard a little bit about in a promo at the start of today's show. Just go to infosecinstitute.com/skills and sign up for an account. And while you're there in the coupon code, type in cyberwork, all one word, all small letters, no spaces for your free month. Thank you once again to Kevin O'Brien and thank you all for watching and listening. We'll speak to you next week.