SecOps and the keys to a successful cybersecurity startup

[00:00:00] CM: Today on Cyber Work, I talk with Raju Chekuri of NetEnrich about netops, secops and cloudops, his work with new tech and security startups and why clinging to a five-year plan can be a recipe for disaster. That's all today on Cyber Work.

Also, I want to tell you about a new hands-on training series called Cyber Work Applied. Every week expert infosec instructors and industry practitioners teach you a new cybersecurity skill and show you how that skill applies to real world scenarios. You'll learn how to carry out different cyber attacks, practice using common cybersecurity tools, follow along with walkthroughs of how major breaches occurred and more. Best of all, it's free. Go to infosecinstitute.com/learn or check out the link in the description and get started with hands-on training in a fun environment. It's a new way to learn crucial cybersecurity skills and keep the skills you have relevant. That's infosecinstitute.com/slash learn.

And now, let's begin the show.

[00:01:01] CM: Welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of infosec professionals while offering tips for breaking in or moving up the ladder in the cybersecurity industry. Raju Chekuri founded NetEnrich in 2004 after a successful IT career as an entrepreneur, visionary and business leader for the Silicon Valley. He has led the company's growth as SaaS, software as a service, for digital operations while innovating for AI ops and cybersecurity solutions. Raju is currently the chairman of the board at OpsRamp, a spin-off from NetEnrich. Previously, he founded Velio Communications Inc. and led to its acquisitions by LSI Logic and Rambus in 2003.

Raju earned an MBA at St. Mary's College of California and a bachelor of technology at Kakatiya University. So we're going to talk about the whole ITops constellation today, netops, secops, cyberops and more, as well as Reju’s legacy as a startup creator, entrepreneur and humanitarian and whatever else strikes our fancy at the moment.

Raju, thank you for joining me today on Cyber Work.

[00:02:08] RC: Absolutely, Chris. Thank you for having me and my pleasure.

[00:02:12] CM: Pleasure is all mine. So have a long and storied legacy here. So I want to sort of find out where you got interested in cybersecurity first, because it seems like you started out in an initial education in electronics and then finance and then worked on system designs for semiconductors. So how did that transition to an interest in computers and security?

[00:02:31] RC: Yeah. I mean it's a pretty broad question here. Yeah, I think cybersecurity has been seen as something very new kind of a thing about a couple of decades ago, right? But as we moved into this whole operations, we pride ourselves in innovating technology and solutions to do the day-to-run operations. That's our forte, whether that’d be cloud or network, and security now.

So the more we deal with our customers, which are mid-market enterprise class customers, larger customers, SMBs, a lot of partners, as we talk to them I’ve seen – for the last decade, we're kind of looking into last five years kind of intensified and the rest is history now is mainstream. If you have a network, you have a problem – potential problem.. If you're using compute, be that being a data center that you think is very private and protected or using cloud, it doesn't really matter. You have an exposure. You use software from the best companies in the world or you use IBM or it doesn't really matter. Tried and tested in enterprise class software. You have a problem in cybersecurity. You build your own application, you have holes in there.

So I think it's getting very, very prevalent for the masses now. It's not for the elite fortune 100 that we used to think. So it's kind of a mainstream and we're putting a lot of energy and effort to kind of crack the code and really help our clients. Just kind of demand out there is huge, big problem to solve here.

[00:04:22] CM: Yeah. So I want to sort of talk about that, because this is one of the few – Cybersecurity is one of the few industries where we can really sort of still see the origin of it. Like if you think about like the auto industry or certainly finance or whatever, like it just spans decades or hundreds of years or whatever, but like there's like a start point more or less for cybersecurity. I mean there're sort of proto variations of it that probably go back to the 70s or whatever. But it seems like you were there kind of from the beginning. So can you talk about how the cyber security landscape has changed since you first got into this business and what the demands were at the time versus, as you said, now, if you have a network, you've got a problem. I think it's a great sort of tent pole to hang this on. But what was it like when you got started and how has it sort of changed and transmogrified since then?

[00:05:07] RC: Yeah. Yeah. So if you look at late 80s, you had the transceivers and ethernet and you're creating a little local LAM using some UltraSPARC or whatever you had up there. And client servers were kind of coming up that time. So it was kind of more for productivity within the organizations. And then and then you of course you saw ARPANET putting the first phase of internet and then the browsers came and made this internet accessible to the world, the open world, www came up. So they kind of opened a new connectivity increase. And then when it was kind of isolated that way, it is palatable and easy to kind of control who comes, gets out. You can just throw some devices to kind of checkpoint, right? Who comes in, who goes out, you can manage all that.

And then the evolution went from being a gatekeeper to ideas IPS and looking at the data inline and more network-centric things happened, right? Now as you evolve that, where all of us are walking with – That's the main frame computer-wise.

[00:06:22] CM: Right. Right. Yeah.

[00:06:24] RC: It's good. 100x more applications than mainframe used to have. You're accessing data, it's not someone coming in, going out, right? Everybody's observing your privacy, where you are, who's watching you. you don't know what's going on. Who's coming into –

[00:06:45] CM: There's so many attack services.

[00:06:47] RC: Yeah. Who's sitting in there? Attack surface, multitude, 100x, or 1000x, right? And then the youngsters, they don't really care. You ask them – they’re paid through any payment systems.

[00:07:04] CM: Yeah, it's just a tool.

[00:07:06] RC: There's a tool for them. And maybe that's the right thing to do to evolve as part of the evolution there. But as IT professionals, as “experts” to keep all this sane and manageable, we have to step up with this transformation. Keep up with how you run this stuff and make sure – And you can't be just kind of control freak. You can be risk and compliance and protecting the job. Well, no one's going to get fired. It has to come genuinely by design, by a plan that, “Hey, you know what? This is a big issue. How do we resolve it? Let's resolve –” Even if it’s a small piece. Get going. Don't try to boil the ocean, because it would look like as if you're boiling the ocean. You look at the tools, right? Most of the tools are for fortune 500, 1000. You look at a million dollars here, million dollars here. I don't want to do that. I'm going to use some open source tool, blah-blah-blah, or our source.

But I think the security has to become mainstream of operations. It's not working in silos, right? So that's the evolution that we have gotten into and it's getting complex and you don't have the skills to make all this work, the budgets and revenues to put so much energy into it. But you've got to get someone as a solvent, right?

[00:08:16] CM: To that end, obviously just the sort of exponential size of the sort of available places to protect as you said has grown a hundred fold. So is there is there something different in terms of – Obviously, the complexity is larger, but are we sort of having to use different solutions now than we did back when there were less places to protect? Has it changed the sort of – I don't know if the ideology is right, but sort of like the methodology. Has that changed or is it mostly the scope of it?

[00:08:49] RC: Yeah. I think there're three pieces to this from my perspective, right? And I'm not the world's big cyber security expert, but more from living in the operations world. Seeing thousands of customers out there.

[00:09:01] CM: Sure. We'll jump to that too. Yeah.

[00:09:04] RC: Yeah, I've met a lot of CIs. I feel like one is a philosophical approach. Do you want to address this problem? Do you want to contain this problem? Do you want to get it going, number one. Number two, basic hygiene in terms of what you do on a daily basis to stay secure, right? The kinds of code you're writing and spinning it off in the cloud and the quality checks you do, the security checks you do to just by design thinking in cyber security. That's more of a process and philosophy.

Then of course how do you prevent issues when things are happening? How do you look at attack circles that you may be attacked on? Or how do resolve issues when things happen? That's the tooling and people and processes and how much deep you want to go? It all depends on where your digital assets are and what you're trying to do. So all three has to be kind of worked on and get a grip around that.

[00:10:03] CM: Okay. So I want to pivot from that a little bit to your company, NetEnrich. So the biggest part of your cybersecurity career obviously is the 17 years that you've spent as president and CEO of this company, which provides services for netops, secops, cloudops and more. So considering that your company is nearly two decades old and a lot of the conversation around these concepts is maybe newer than that, I'd like to know a little bit about how the goals and services of the company have evolved over the years. Like what sorts of problems were you providing solutions to in 2003 and how if at all does that differ from the solutions and services that you handle now?

[00:10:42] RC: So over the last 16 plus years, we had I would say about three evolutions. The first chunk of thing was we wanted to kind of build a company around a run piece of it, operations piece of it. Not necessarily capX, more of an opX piece, because those days twenty percent of your IT budget was mostly capX. 80% was operations. Kind of running, you buy some bunch of compute and software and try to make it work. You had a bunch of people to – Run piece is a big piece of it. So we will kind of automate and kind of make that all done remotely. And just like if you can imagine a cloud of people outside solving your operations than having your own people sitting in a building and creating your own knock and solving problems. That was the whole idea. So we built it and applying for remote access and a gateway to kind of really – And then we satisfied all the – That was kind of really operationalized more efficiently and bring 20, 30, 40, 50 productivity and more secure way of doing it. But that was the first four, five, six years. And then luck would have it that instead of platforming, where you got to raise hundreds of millions of dollars to kind of get out and brand yourself and scale. No. We decided to go the other, which is more harder way to kind of bootstrap our way. So we were kind of in some sense driven into driving operational outcomes and we were lucky to have this platform to bring to bear and do it a little transformatively a little different than most people would do.

We spent another few years, five, six years on kind of really honing our expertise, our shared services, our remote stuff, our automation so we can bring 20%, 30%, 40% efficiency sort of enterprise and mid- market enterprise clients and some SME partners are involved. So the third piece is where we are – We evolved is to kind of more outcomes, more data-driven stuff.

So we build a digital – I would call it big data platform, Elastic within just data and at wire speed and contextualizes it. And then around network content, around cloud content, Azure data center around security movement acquisition that we funded about three years ago. A fantastic team. A company called Threat landscape. They had a massive data platform. So we kind of built that together. So we're in the convergence of all this data coming in and we want to kind of contextualize all that and eke out inside so we can resolve issues.

And our view is no matter what you do in IT, you can give all tag lines. End of the day, you have to resolve it. Resolve issues. You have a peace time environment, or you're going to resolve issues in a wartime environment. You’re resolving issues, right? So we want to be sitting and we want to be known as the number one resolution company. Someone who's going to put out this message out there, drive that agenda.

So data-driven resolution is where we are now. That's the evolution. We're kind of going through – So as part of this evolution, as we were very centered around networking and in cloud, it made a lot of sense to look at cyber security about four, five years ago. Then we made an investment. We acquired. We merged them together. So cyber security completes our story. You want to run cybersecurity in the context of network. You want to run cyber security in the context of cloud. You can't run cyber security in isolation, right? So that's where we are now.

[00:14:31] CM: Okay. So I want to uh sort of repeat a quote back to you. In our pre-show briefings, the information I got, you said, “When it comes to ensuring security, most organizations focus on governance instead of doing it right.” Can you explain that to me further? There're a lot of case studies and plenty of mountains of anecdotal stories about organizations that that this or that set of rules. The letter of the law without actually sort of improving their security in the process. So tell me a little bit about what you mean by going beyond governance and into doing it right.

[00:15:00] RC: Yeah. I think it comes from some of the genesis and the evolution stuff where if you remember when we were running networks and systems and all, cyber security was someone with some PHD or someone who was a risk and compliance person to look at intrusion. There's always an offhand risk compliance kind of a thing so that the CEO doesn't get fired and the CFO doesn't get fired. It was kind of separated from – You had to see a CSO, right? A cybersecurity officer and it was different from the CIO. And it was more of governance model. Are you guys doing the right thing? Did you deploy this tool? What's a risk profile? What are some of the types of – Okay? So looking outside in kind of an environment in many cases.

[00:15:48] CM: Right. And also kind of a checklist basically. You're just like just check the things off and –Yeah.

[00:15:51] RC: Yeah. The scary part is don't tell me how bad I am, because if I know it, I better fix it. Otherwise it's a liability issue.

[00:15:58] CM: Yeah. Yes. Exactly. I don't want to know. Yeah, head in the sand.

[00:16:00] RC: Yeah. That mindset still continues in many cases, and I don't blame them, but that's how habits are hard to break, right? And that's the world we used to live in. And that's what we run into many places. Wow! Outsource it. I give it to someone. No, I have this tool. I'm fine.

[00:16:20] CM: Yeah. Don’t really know what they’re doing. Yeah.

[00:16:21] RC: They're got it. I know more than you do. Not invented these syndromes. Some of those things, because they're kind of worried, right? It's a big liability issue for them and they want to control the situation, which is fine. You got to do it. But I feel like I think that whole industry has kind of opened up and get ahead of the game and not behind the eight ball. Compliance is necessary sometimes after the fact. What are you doing on a daily basis? What you saw with SolarWinds, right? Thousands of people out there government offices and all, they all thought they were compliant. They all thought the risk of error –

[00:16:58] CM: Yeah. We filled out the form. Yeah.

[00:17:01] RC: And there's an enterprise software. People are saying, “No. No. No. I can’t go to cloud because it’s not secure. I want to be enterprise. I want to be controlling all data center.” Look at what happened, right? So you never know what hits you. So I think if you're more open-minded and more design-centric and by design solving cyber security in the context of networking security, compute and applications are known, I think as an industry we'll protect ourselves a lot better. That's my view.

[00:17:28] CM: Yeah. So that leads perfectly to my next question here. You were saying that in certain cases the CSO or the C-suite will say, “I don't want to know how insecure I am. Don't tell me about it. Just take care of the problem or whatever.” But there're so many processes around that are aimed at improving safety or efficiency or even business growth within digital IT ops. It sounds appealing to the C-suite as something to adopt or step up to but often falls into a gap where it's implemented by half-measures or haphazardly because it might require retrofitting your entire security department at the very least or even your way of doing business. So what types of strategies have you found work best in stepping up your IT app strategy without falling behind on your business schedule?

[00:18:17] RC: Yeah. I think one of the things that we do in our own business is very apt for some teams to deploy, and maybe they're doing it, right? Like I'm not the judge here, they're doing it or not. But I think what would really help is the whole agility and scrumming to solve this cybersecurity. What I mean by that is you're going to have small teams of cyber security experts and the network guys and the risk guys, the governance guys and the leadership to kind of come together and then start looking at solving these problems on a daily basis and then be more agile in a more inclusive way. Not more isolated in a siloed way, right?

So what happens is in doing so, you're getting my network guy to be more cyber security sensitive. My application guy was deploying applications as a DevOps guy or something. He's more cyber security sensitive. So you're creating the IQ. You're raising the IQ a cybersecurity IQ for the entire organization on a daily basis and everyone's learning. You're better off doing by design. If you isolate, wait, make sure that your network is all controlled and go for some IPs, IPs devices. Put some firewalls. And it's not one event. It’s not like a balance sheet. It's like an income statement it has to be looking on a daily basis, right? You're going to improvise on a daily basis.

And I feel that if it runs scrum together to make this work, I think people are smart. Engineers and a lot of the IT guys are unbelievably smart. The leadership is smart. But I think there's a process. The past that comes and haunts the present or doesn't allow you to go to the future. So the more agility, more scrum, the desire to embrace change and get it going sooner than later and not try to boil the ocean. It does really work.

[00:20:16] CM: Yeah, that's an interesting thing, because I think – I mean do you see a lot of that sort of siloing? Because I get that sense that to collaborate means to have to learn a new thing. And for a lot of people, it's like it's hard enough just to keep up with whatever they're doing now without having to sort of up their security game and stuff like that. Have you seen that as a problem and do you have any thoughts on sort of not just changing the process but changing the minds of the people who need to sort of like adopt this this wider view?

[00:20:45] RC: Yeah. I think it was so easy, everyone will be doing it, right?

[00:20:51] CM: I keep asking and no one ever quite has the definitive answer. So we'll just keep asking it.

[00:20:55] RC: It's more deeply rooted in your traditional brick and mortar corporate America partly because they're under the water. There are a lot of things going on. They're competing the new age of everything on the web. There are no resources. It's a business issue too. They get measured differently. That there were days where it was norm, we walked into a CIO and asking, “What is your budget for IT?” Based on the industry they say, “Gartner said we should be two percent of my revenue.” Someone said, “Gartner said three percent of my revenues,” right? But those days are gone.

Now people are spending eight, nine, ten, twelve percent because IT is your business, right? And then there's the haves and have nots. The digital have nots are your classic brick and mortar enterprises, because they’re constrained. If you're not generating earnings per share, I'm not going to give you value. In other places you lose more money, you become a unicorn.

So the two ways of judging who's doing well. So there're some resource constraints. There're money constraints. So by the same time, corporate America has to go compete with all these guys. And IT has to be a big investment or at least an efficient investment. So once that gets sorted out, it's a mindset game. I think you can kind of step up, because people are smart. Putting them together, they can do it. I don't think it's the skill learning ability and at least in the US that our most our customers are real phenomenal people here, phenomenal engineers, right? I mean the smartest of the world is here, right?

[00:22:38] CM: It's about changing the sort of enthusiasm.

[00:22:40] RC: The mindset, the priority. Where you put – How do you engage him, right? That's the thing. I think we're the best in the world and I feel like we can get it done. It's just kind of mindset.

[00:22:51] CM: Yeah. I mean have you seen any sort of successful cases of places where there was a lot of resistance and then you were able to sort of get that sort of sea change within the company?

[00:23:00] RC: Yeah. Yeah. I think we have a couple of customers. Yeah, I remember. I hope I'm not getting into trouble here by naming them. But we’ve been fortunate enough to work with a company called Car Auction Services almost for a decade. And we've seen the evolution. Oh my God! They're as good as it gets, right? Yeah. I mean these guys were classic brick and mortar enterprise company through acquisitions out of Indiana. Great group of people. We are fortunate enough to kind of get involved with those guys. Almost eight nine, years ago, we're doing their network management. Brought a lot of efficiencies, first to know and things of the sort, but then you can see the whole company transform from that 300 locations, acquiring a bunch of companies, running car auctions and things sort of start growing fast. They're getting great valuation to morphing to a digital company now. Their leadership has done a phenomenal job. The CIO, to strategy folks, to the guys who run their applications. These are the guys with the mindset, they have this agility and scrum software development mindset. They see themselves as digital company, right?

So we've seen that. We've seen a few other customers like that. So we've been fortunate working with them for a long time um. So we're very excited to see more, hopefully. But that's probably one percent of corporate America. There's a lot more than for many people. Get the right people, you'll get it done. We partner with them. We do the best we can to help them out get there. But I’ve seen some good changes out there. A lot of examples like that.

[00:24:54] CM: I love it. So I want to talk to you sort of about another aspect of your life. You describe yourself as someone who “accelerates successful startups into market leading companies”. Can you tell me about your process of this? What are some of the most common things that startups are lacking that you can provide?

[00:25:11] RC: Yeah. It's, again, a very, very broad question and there's no one way of skinning the cat. There are many ways and many, many, many of them, a lot more successful than what I have done so far. But from my vantage point, there are a couple of things. One is the team. Is the early team you put together is really important. You got to be aligned. You got to be resilient. You will be resilient from your learning ability to change. Every six months, a year, there's a technology debt. No matter what you do, right?

[00:25:47] CM: Yeah, for sure.

[00:25:47] RC: I think they're changing so fast. You’re resilient against competition. How you do? You're staying power to stay. So you're going to be very conservative in the beginning to get the first minimum viable product done right, right? You constantly look at product market fit, early stages. If you don't get the product market fit, rest fall apart. If the right team to get the product market fit and being resilient about and scrumming the heck out of it in a daily and incremental progress is probably the single most thing, and you can do that with least amount of money. You can pay yourself two, three hundred thousand dollars so you don't get paid and make that stupid thing work and get your customers as quickly as you can. Most of the people are worried about printing of the presentations, working five-year plan. It's all bullshit. Every five-year plan never works.

[00:26:45] CM: Yeah. Yeah. It's going to go up in flames in a year anyway, right?

[00:26:49] RC: Yeah. And then it's end thing. You read up an article. I want to go to Sequoia. I'm going to Threatpoint. I'm going to IVP. I want to go to Benchmark. I'm going to go to this guy, that guy. But if you don't get the market product fit done right first with the resiliency and staying power month 2, 3, 4, 5, 6, and sacrificing, your priorities becoming different because now you're trying to pity up a presentation or tell some story into a fire plan, which you don't even know who's going to buy first. You're busy raising money and you're looking for some connection, some introduction.

[00:27:22] CM: Yeah. You're looking too many steps ahead, I imagine, right?

[00:27:25] RC: Absolutely. Yeah. And it becomes very difficult. It doesn't really matter. People think, “Oh, I want to go get an angel money, quarter million to half a million from someone like me,” or they want to go get eight, nine, ten million dollars. A million to two was the early stage fund in 80s and 90s, right? Now they don't talk to you. They want to put 10, 20 million dollars to work because they got big funds. But then doesn't mean that an angel guy is going to give you some funding if there's no product market fit? You can't say you're my buddy, give me some money, right? Maybe some might do that. But most of the guys, you and I don't have the chance, right? You need to be related to someone big. You are connected to someone big. But you got to get that thing done right, or two or three teams, very aligned and it gets difficult. Because in the beginning, it's like the map – When you look at the map, it’s totally different than when you put your foot on the terrain.

[00:28:15] CM: Yeah. Oh yeah.

[00:28:18] RC: Same thing as a startup. You and I and a few other guys can come together, “Let's go do this. Let’s go fund. We've been buddies. We're in the same school.” Whatever the stuff. We’re like, “I'm a Ph.D. of this. I'm putting something together.” But then when rubber meets the road, the terrain is different. You have to very careful on that. That's one big piece, product market fit.

And then also you want to pursue, at least from my standpoint, pursue something that could be big, because your risk goes down. And of course execution becomes a difficult thing too. But within a big environment, you can pick pieces off. For example, when I did the previous company, we had phenomenal guys. We had a professor from Stanford, Bill Dally, who’s NVIDIA’s chief scientist now.

We had like 16 pages from Sstanford to MITs, to Cal-techs of the world. We raised a bunch of money from Sequoia. We were trying to do something massive in terms of communication protocols in terms of moving bandwidth, but very niche. For us to succeed, I had to get the damn thing working. Then I had to get an OEM. Let's just go working. There, I get an AT&T, some telecom guy working. So you need to have a staying power.

We got the chip done, but the venture guys get tired after four or five years. And as you raise more money, the first guy who came in gets tired because he wants to see some results. He doesn't want to stay. Yeah. So structuring the right company is very, very, very important. Who you get your money from and how long does that money last? If you don't plan that right, raising 10 million dollars first round, you open a champ and you celebrate, high five, which I did 20 years ago, 25 years ago. It's good and bad. So you got to get the product market fit and structure it right from the right. Once you get that, it becomes easy. And there are a lot of great VCs, phenomenal people. Now more so now than used to be before. Now you get so much money out there. A lot of talent out there that can help you, but you got to get the product market fit first or getting close to it. Get some feedback, one or two customers looking at it. They can buy. Why they buy? And how is it going to change their life? And then you're going to finance it properly. If you don't finance, it's going to come and bite you. No matter, the great ideas are evaporated and there's some dumb ideas done well because they organize it well.

[00:30:42] CM: Right. Okay. That's a good point. Now, you've partially answered this already, I think. But to be more specific about it, like if someone comes to you looking for assistance and they show you their business plan or whatever, what are some things that you want to see in that business plan that makes you feel like obviously anything's possible. What do you what do you need to see in there to say, “Oh, they have their head in the right place. They seem like they're serious about this,” and they're not just, like you said, chasing a bunch of angel money.

[00:31:10] RC: Yeah. So my primary way is, number one, is the team. Who's done what? And who's building this? And why are they building this? What is the inspiration behind it? That's the first kind of thing, number one. And see what progress they've made or what progress they're going to make and everything. And the numbers are all assumptions, a spreadsheet. Are you looking at unit economics? Did you close a deal or two? What are they saying? When they closed it?

The basic numbers, you can look at that. And I don't look at five-year plan. Don't tell me I'm going to a billion dollar company. I don't really care. Let's talk about how do you get a million dollars’ worth of stuff. That's the biggest thing. The other thing then there's chances of getting a billion is kind of much higher. So people focus on, “Hey, I got this math. I'm going to get the thousands of this widgets. I've done in my cost of good sources this much. My operating model looks like this.” I get all that stuff, right? So don't compare yourselves to a mature operating company where you guys are various ratios and operating models. I would rather look at let's get rooted now. What do you have? Who's wanting it? Why? What value it solves? Can they test it? It doesn't have to be working in some cases. If I solved this problem for you, what value do you going to get from this and how much are you willing to pay? Or do you have alternate ways of solving this problem? If it is, why are you not solving, right? And I can do it a little better.

If that's m, I would say 80%, the rest the rest we can help them out. There are so many smart people to help you out. Let's get that first, right? So that's my view of looking at investing. That's how we did with the threat landscape company, right? They have something. They build a data platform. Great data science guys, good team of 10 folks. We said, “You know what? Let's go look at it. Talk to me a little bit about what you're trying to do. Why are you doing this? How are you going to put data to this?” There are a lot of people out there.

So once we got in, we gave them seed funding. We help them out. A million or two later, it made sense for us to come together and we built. So we look out for data science folks, cloud folks, who really want to get the product market fit. There's a passion behind it. They want to build something big. So when you meet people, you can see through the head. It's a people game. End of the days ,it’s a people game. You can say all AI and ML and NLP and bots and this and that. These are people. You can't implement all the crap.

[00:33:42] CM: Yeah. Now, obviously, apart from your actual – You’re a CEO, your position, your company. Like I get the sense from you obviously based on the fact that you're helping out these startup companies and stuff that it's very refreshing. Sometimes it's easy enough to just do your job and move. But I want to talk to you about sort of the role of veteran cyber security or tech professionals and what role they might be able to take in helping aspiring new security professionals or startups enter the industry. We hear a lot about the cyber security skills gap that there's more positions to be filled and there are people to do them and there're so many villains or solutions coming from HR, from security departments, from the tech sector. Do you have any advice to security veterans for providing direct action or by example that could tamp down the talent shortage?

[00:34:37] RC: Yeah. I think the only advice I would have if I have one is no matter what you do in cyber security because of your passion, you're learning. You're putting energy to kind of grasp new concepts and things like that, but I feel that you know it's always good to contextualize yourself to either a given domain, a vertical domain. If you’re a healthcare, see what you want to do there. Kind of thing, the rules and regulations and things are there. Start to live in that world. But more importantly, from a technology standpoint, contextualize yourself from a network side. Because if you plug network off, there's no cyber security, isn't it? Right? So if you don't get the network concepts and context understood well, you won't be the greatest practitioner. So that's number one.

Now, you can make an assumption that I don't really need to do. I want to be more of the application side. So you need to really contextualize yourself to all the cloud technologies, right? And then where can security happen? So I think adding that breadth to yourself from a cybersecurity standpoint. You would become a better practitioner and more valuable to yourself and others around you who want your skills to be used, right?

So that's probably the only advice for practitioner in my stand. But contextualize yourself beyond cyber security, right? Magic happens when two things come together. A lot of the innovations come that a physicist worked on, some biochemistry, biochemistries have worked on something else. When you have that two things coming together, there's a lot could be done. So visualizing is important.

[00:36:26] CM: So you also describe yourself in your bio as an entrepreneur and humanitarian. Can you tell me about some of your activities in this area?

[00:36:34] RC: There’s two pieces. I wouldn't call it humanitarian. I’ve done much on that other than kind of via the company kind of support roughly 200 young kids, 7 to 14 and a few orphanages. We've been doing it since the beginning. We had a rule that every employee had to kind of really donate on a yearly basis and I would match and we've been doing it for almost 15, 16 years now. Some great impact there, but nothing big to write home about or talk about much. That's one piece.

But more importantly, I'm on a pretty big high where I am today now in terms of culture. And as an entrepreneur, when you're young, I call it Silicon Valley cowboy culture, right? Your initiatives, your testosterone, your hormones.

[00:37:37] CM: Right. Conquer the world. Yeah.

[00:37:40] RC: Yeah. Got two term sheet at the end of the day, and got the best guys and the buzz goes. And when you do that, it's great, right? It's great confidence and you can attract talent. But the sad part is if things go wrong, you're not able to handle that. And things will always go wrong given a ton, right Everyone, right? So the resiliency doesn't seep-in in the early stages of life, right? So I think we're driving a lot around culture. Culture of doing things by design, like culture of keeping people accountable. Culture of getting people to kind of give experience. So if I give you the best experience with a big smile, your energy towards me is a little different than others being just different. Yes and no answers, right?

So the belief system, if I give a good experience you give me and your beliefs changes that, “Hey, this guy's a decent guy to talk to,” and I'm going to have fun doing this interview, right? When the belief system happens, magic happens, because you take the right actions. Because I'm not yes-no-yes on something, right? So the accountability, the experience that grants belief system that drives actions that produces result, the big thing for us. So we want to kind of groom. And the basic concept is everyone in our company is a leader. There's no manager. There's no NBOs, right? We do some OKRs and our own version of OKRs and things of that sort.

So that whole culture becomes significant. I wish I knew this stuff early in the carrier, right? I work with the best in the world at Sequoia and other places and I thought I knew from an operating standpoint as a CEO what I could do and founder and I had a lot of energy and passion to do what needs to be done. Build a great team. But I wish I had exposure to culture in terms of – I thought innovation was only culture. But innovation – Is sustainable innovation, resiliency and having fun and enjoying the journey as much as the destiny. Otherwise you keep probably billing our company and you keep talking about it. You're drinking your own Kool-Aid and do all things. And I did that. I did all – I learned a lot from that and I did that. So I think culture becomes a big issue, and I think I'm pretty high on that. And we're working hard. We're not there yet. Hopefully we get there. Hopefully everyone else does the same.

[00:40:13] CM: That's great. As we wrap up today, let’s talk a bit about your company. You talked at the beginning of the show, but tell us more about what NetEnrich does and specifically some projects or products that you're working on right now that you're really excited about.

[00:40:28] RC: Yeah. So three, four buckets here. One is what we do for living is we are essentially very focused on the run piece of your operations, because that's the biggest chunk of your problems, the user experience, things not working, things are not being done right. The biggest piece of spend. And particularly corporate America. I'm not talking about helping Googles of the world and LinkedIns and Facebooks of the world. They do their world. But corporate America is our focus. Mid-market to anywhere from 100, 200 million dollar, having four, five, six billion dollars is our target market across North America and some in Europe.

We want to walk in there and, really, as they are digitally transforming, as digital transformers becomes digital mandate, what can they do or what should they be doing in terms of digital operations transformation? So they're not running the race with shackles on. We want to free them up from a digital operations transformation. So that's our forte, our high, our investments, our know-how, scars on the back, experiences and customer base.

So we bring a big data platform integrations, AI, ML stuff into it. People expertise, all combined together in a unique way, man machine, interface coming together, contextualizing for your environment and making sure we run that in the most efficient way bring 30, 40, 50, 60 percent savings depending on where you are in your journey, right?

Some are really advanced. Some are very naive about it. Depending on where you are, we can bring substantial savings. That's what we do. So you can free up the resources, free up the spend you have and kind of really focus on growth and innovate, right? You've got three buckets, right? You have your run piece, which if you take up 80% of your span, you're hardly anything for growing. And if you put the remaining 20, you're not innovating anything. So you want to kind of shrink the run piece to 30% of what you need to do from an IT standpoint. Leave 70%.

If you look at SaaS companies and digital-first companies, the run will be 23% of it. They're spending 70% growth and their innovation is completely tilted upside down, right? So we want to bring that change. The cloud mindset, the devops mindset, the cyber security mindset, ASI mindset. All that to your classic mid-market enterprises. How to compete in this, I guess, digital mandate world. So that's what we do. And we have hundreds of engineers building platform, automation, integrations and all. We have hundreds of guys in the operations running 24/7/365. Run, bring them together. We believe it's more of a – You federating functional sourcing and you're getting it done remotely.

So we kind of sit between do-it-yourself world. And I don't want to do it. It's not efficient. Someone told me to outsource. The board wants me to cut the costs. The PE guys want to cut the costs. I'm going to give it to some guy. He's going to give me some cheap labor, and that's outsourcing. You want to be more closer to do it yourself because you want to be in control, otherwise you won't in no way. We don't know what you know. So we want to be there and help them innovate and make it digital-first and be more efficient like an outsourcing cost standpoint. But more innovative and resilient in terms of scale samples. So we are functional sourcing kind of a thing with a lot of point of views, a lot of technology. A lot of ready to go. We can onboard people in a week or two and start seeing the results in a month, not six months transition a year later and a five-year deal. We want to be more SaaS way of running operations or consuming SaaS solution from us. So that's where we’re in the operation space, in networks, cybersecurity and cloud. Doing the runtime operations in a remote way in a shared services for a customer base.

[00:44:47] CM: Okay. One last question. If our listeners want to learn more about Raju Chekuri or NetEnrich, where can they go online?

[00:44:54] RC: Yeah. It’s on www.netenrich.com, N-E-T-E-N-R-I-C-H.com. And there's a lot of good content there. We're going to keep working on it. And I think for cyber security practitioners, which is, Chris, your forte. We have something called know.com, K-N-O-W.com. If you come to our website, you can go. It's free. We spend a lot of money through our technology to aggregate some 25, 30 feet around the world to show you what the heck is going on in the cyber security world. Look at it, learn from it. Give us some feedback. So as a whole, that's our contribution. The best we could to kind of bring awareness to anyone for free. And it also helps us kind of interact with some great practitioners out there so we can learn from them as well.

And then one thing leads to another one. Hopefully we end up doing some business down the road. But that's for free um. Come to our website, www.netenrich.com and check out Know. A bunch of stuff there, and enjoy and give us some feedback. And I'm sure we're not perfect, but we're getting there. We're working hard towards that.

[00:46:09] CM: It sounds like you're doing everything right here. So Raju, thank you so much for being my guest today.

[00:46:14] RC: Sure. Thanks, Chris, for having me. And I enjoyed our conversation. I appreciate it.

[00:46:18] CM: My pleasure. Thank you all as ever for listening and watching. For those of you who are with us today, new episodes of the Cyber Work podcast are available every Monday at 1 PM Central both on video at our YouTube page and on audio wherever fine podcasts are downloaded. You can also find them at infosecinstitute.com/podcast. Also, don't forget to check out our hands-on training series, Cyber Work Applied. Each week in expert infosec instructors teach you a new cybersecurity skill and show you how that skill applies to real world scenarios, and it's free. Go to infosecinstitute.com/learn to stay up to date on all things Cyber Work.

Thank you once again to Raju Chekuri and NetEnrich and thank you all again for watching and listening. We'll speak to you next week.