Security Voices show

Summary: There are great stories in the security industry that aren’t being told. Fascinating people who fly below the radar and aren’t being heard. We know because we encounter them in hallways, hotel lobbies and just about everywhere imaginable across the globe. Every time, we think “I wish I had recorded that conversation so that everyone could hear it…” Our goal with Security Voices is to provide a place for clear-headed dialogue with great people that’s unencumbered by the hyperbole and shouting that’s far too common in security circles. We don’t have anything against sponsors or sales pitches, but they run counter to our goal of cutting through the noise, so we don’t have either. We’re aiming for 100% clear signal.

Podcasts:

 Valley Legend Reversed: Staying in School & Building a Business with Soul (Marcin Kleczynski) | File Type: audio/mpeg | Duration: 3763

The Silicon Valley legend is the college dropout who made billions… but what if instead they stayed in the dorm room? This is the intriguing story of Marcin Kleczynski and MalwareBytes, told in a candid ~1-hour interview where he explains how his company was built in vivid detail. Marcin takes us through his formative moments as a Polish immigrant in Illinois helping his family’s cleaning business to his choice to remain in school at his mother’s insistence while MalwareBytes was making millions. Dave and Marcin discuss key product questions such as how much is too much product functionality to give away, how to work with the channel, whether or not you can effectively serve both consumer and enterprise markets and the future of endpoint protection. He also explains why it still makes sense to build a great office when the world feels like it’s shifting quickly to a remote workforce. We also find out why you should never send deep dish pizza to people in California...

 Cigars, Women's Soccer & Everything in Between with Splunk CISO, Joel Fulton PhD | File Type: audio/mpeg | Duration: 4761

Joel Fulton’s journey began in Alaska as a free-range kid with dreams of becoming a fireman and ultimately led him to one of the most prestigious CISO roles in cyber security at Splunk. Our conversation twists through his time as a computer auditor, MMA fighter, an author, a salesman, a PhD student and a few other positions in between. Our dialogue with Joel showcases the breadth of his interests as well as his gift for taking seemingly unrelated concepts and connecting them to illustrate a point, from choke holds to The Philosopher’s Toolkit all the way to systematic dismemberment. Joel’s interview offers plenty of practical examples for aspiring and longtime CISOs, breaking down how he thinks about discovery, orchestration and security training. Even at 80 minutes, this episode feels far too short.

 Investor Series Wrap-up | Bootstrapping Bonus Episode w/ Tozny | File Type: audio/mpeg | Duration: 3144

Since this Spring, Security Voices has been “following the money trail” to explore all angles of how security companies are funded and run. In our final 2 episodes of the series, we’re shining a light on lesser known companies and individuals who have avoided traditional funding and taken a more unique approach to starting their businesses. This episode showcases Tozny, an encryption company with its longstanding roots in government contracts. Isaac, the founder and CEO, explains how he’s built a stable, steady growth business in Portland by harnessing one large customer after another… using entirely publicly available information and an open submission process. His conservative “staying alive” approach stands in stark contrast to the glitzy, go-for-broke mainstream security market.

 Zack Schuler's Solo Mission to Reinvent Security Awareness, Hollywood-Style | File Type: audio/mpeg | Duration: 2651

Seemingly every day a security company announces that it has raised a new, big round of funding. As we close out our investor series, Jack and I wanted to highlight the bootstrappers— those brave people who kickstart their businesses using solely their own resources. Our interview with Zack Schuler of Ninjio illustrates the experience of a company with a big mission to reinvent security awareness that began with no funding but a loan from his bank account. While Zack had the benefit of a previous exit (he bootstrapped his 1st company at the age of 21), his mentality and practices are that of someone who hustles for every deal, obsesses over each hire and makes painstaking decisions about how he uses his time and money. Zack explains his special formula of hustle, Hollywood and a little bit of luck to build a winning company with no investors looking over his shoulder.

 Sunshine Episode: Reasons to feel good about the future of cyber security | File Type: audio/mpeg | Duration: 933

Dark clouds seem to hang over the security industry, especially after Black Hat and DEF CON. Playing constant defense can be disheartening, especially after hearing about every new type of possible attack in Las Vegas. We felt everyone could use a little post-conference pick-me-up so we pulled together this short (~15 min) episode which focuses on all the positive things that are happening in the industry from past interviews. We’ve often reflected on how interesting and encouraging it is that every guest we’ve interviewed has always had something they thought was much improved from the past— and how every one of these industry luminaries called out something different than the others.

 Robocalls Exposed with Phone Hacker TProphet | File Type: audio/mpeg | Duration: 3670

Robocalls have plagued our phones in recent years, prompting many of us to no longer answer calls if we don’t immediately recognize the number. Ballpark estimates put the number of calls in 2018 at 48 Billion-- a 50% increase from the previous year. Ever wondered who was behind the flood of phone spam? How much they make? Where they’re from? How they got your number? We dig deep into the robocall epidemic with telecom expert TProphet, answering all of these questions and more before breaking down what telcos and legislators are doing to try and improve the situation. After comparing the North American robocall problem to the one in China, we take a look ahead at what the future holds for phone spam.

 Defeating Rhino Poachers, 5G Security & IoT Catastrophes w/ Shaun Cooley | File Type: audio/mpeg | Duration: 4691

Few topics capture our imagination like the Internet of Things (IoT); our concerns swing from how much Alexa is really listening to us all the way to doomsday scenarios orchestrated by a violent robot takeover. Our conversation with Shaun Cooley lays the foundation for a rational understanding of IoT risks, starting with its role in stopping rhino poaching in an African game preserve. After explaining the full IoT landscape, we explore how it is fundamentally different from “normal” IT security and how the coming IT/OT convergence could result in an epic clash of cultures-- not to mention a few breaches. No IoT conversation is complete without covering 5G and satellite internet, nor do we spare you the musings on how it could all go quite wrong...

 Building Your Own Cyber VC w/ Dr. Chenxi Wang | File Type: audio/mpeg | Duration: 3725

What happens when you take a longtime security pro and turn her into a venture capitalist? We find out in the 4th installment of our investor series when we interview Dr. Chenxi Wang, fresh off her 1 year anniversary starting Rain Capital. The beginning of our interview showcases the grasp of our market that makes Chenxi such a sought-after partner-- we go deep into the transformation of app sec, poking at fuzzing vs. static analysis, package vs. code level analysis and how the network-centric roots of security may be impeding our progress. We do a brief retrospective on Kubecon before diving into her reflections on being a full-time investor, starting with what separates an angel from a true venture capitalist. Chenxi explains what sucks about being a VC (spoiler alert: it’s fund-raising) and how she’s using Rain to chip away at the longstanding diversity problem in the security industry. Before hitting our usual hype-o-meter and speed round questions, we discuss exactly how she ended up on the board of directors for a logistics company based out of North Dakota.

 Trench Tales: Gaming Security, Cloud & Battling Zero Days with Mike Reavey | File Type: audio/mpeg | Duration: 3636

Mike Reavey has quietly left his fingerprints on some of the biggest moments in security. He began as a Captain in the Air Force, locking down networks from attack by adversaries back when APT was still shorthand for “apartment”. Mike recounts his time spent battling the most destructive malware the industry has ever seen (Blaster, Slammer, Code Red, etc.) while leading Microsoft Security Response and how he later kept Azure out of the headlines while heading up cloud security in Redmond. He recently made a hard turn into gaming security at Electronic Arts where he’s been learning the many nuances of protecting a fast-moving entertainment company where creativity and speed are king. Mike, who regularly competes in body-building competitions, explains why you can’t outrun a pizza and how anyone can get a little more fit while balancing a hectic schedule packed with family, work and fitness. Mike’s stories are as pragmatic as they are colorful-- this interview is a recipe for anyone who wants to know exactly what it takes to succeed in a big, high pressure cyber job.

 Security from the Outside In: Dialogue with Kara Nortman | File Type: audio/mpeg | Duration: 3186

Part 3 of our investor series offers a unique perspective on the security market as Jack and I interview Kara Nortman, partner at Los Angeles-based Upfront Ventures who balances investments in enterprise and consumer companies without an explicit focus on cyber.  Kara traces her roots back to a long ago meeting with the @Stake team when she was with Battery Ventures and we chart how security moved from an arcane art to a topic relevant to every startup no matter the industry. Our conversation covers a number of big questions: Will Silicon Valley continue as the heart of tech in the future? Is it better to have a killer insight or to know how to build a product? How exactly do VCs work in 5 minutes or less? Kara also reveals her “full family” approach to helping her portfolio companies, explaining why the key to unlocking product marketing success might actually be a curious 8 year old.

 The Modern CISO: Justin Dolly | File Type: audio/mpeg | Duration: 3839

In a world not-so-long-ago, CISOs fought for people to understand what they did and why it mattered. Fast forward to today, and the modern CISO faces a dizzying variety of challenges everywhere from the boardroom, where they explain 3rd party risk management, to product design sessions where they might be debating anything from data anonymization to SOC2 compliance. Our guest in this episode, Justin Dolly, stands apart as a no-nonsense CISO who has covered a truly broad spectrum of problems such as negotiating consumer privacy trade-offs for fitness wearables while at Jawbone or diving headlong into the ransomware problem at MalwareBytes. During this episode, Justin weighs in on the future of identity, the death of passwords and whether moving to a ZeroTrust model is more aspirational than practical. This episode has something for everyone with the notable exception of people who love VPNs. Justin’s fiercely pragmatic approach and gift for storytelling make this one of our favorite episodes so far.

 Cyber’s Quiet Investor - Noah Carr of Point72 | File Type: audio/mpeg | Duration: 3851

A goal of our podcast is to highlight people who don’t highlight themselves— but are every bit as deserving of the spotlight as those on the big stage. Noah fits this profile perfectly- he’s the smart guy you sat next to at an industry dinner whose perspectives on network forensics and GDPR were as interesting as his weeklong isolated "vacation" on the tundra of Baffin Island. An understated yet up and coming security investor currently at Point72, Noah’s take on the security market is insightful and raw: he explains why there are too many security companies and why it matters. He details why the mid-market is underserved by security vendors. We cover how investors mistakenly overcapitalize security vendors and when is the right time to bootstrap vs. taking any funding at all.

 Straight Talk w/ Veteran Silicon Valley CISO Justin Somaini | File Type: audio/mpeg | Duration: 3574

Our latest episode features a 1 hour interview with iconic Silicon Valley CISO Justin Somaini. He explains common mistakes made by investors and vendors, what it feels like to be a global CSO of a 90,000 person company, who the CISO should report to and how the CISO can win in the boardroom (often by staying out of it!) Sales people, this one is for you: Justin explains how you can avoid stepping on CISOs' toes and what you can do to stand out from the crowd. For aspiring or young security leaders, Justin shares generously from his playbook including what should be your focus in the critical first weeks of a new job.

 Interview w/ Ping Li (Accel), Veteran Security Investor | File Type: audio/mpeg | Duration: 3920

We kick off our investor series with Ping Li of Accel who was recently named the #2 investor in Silicon Valley and is one of the most prominent investors in the security industry. We cover the biggest mistakes security companies make, how to successfully pitch your company to a veteran investor like Ping and we play an inaugural game of buzzword bingo to see if there's truly a market for that AI-powered blockchain idea you've been kicking around.

 A conversation with software security pioneer Gary McGraw | File Type: audio/mpeg | Duration: 3691

Recently "retired" software security legend Gary McGraw joins us for an unfiltered conversation with Jack at his farmhouse in rural Virginia. Gary walks us through the history of software security with his characteristic sharp humor and insights, sparing no "poser or pretender" along the path to today (including the term "app sec" itself). Beyond his impressive career in security, any conversation with Gary uncovers his diverse interests from his life as a musician to his travels, from reading fiction to writing books. Jack's interview of Gary is no exception-- it paints a portrait as colorful as the man himself. This is the 4th and final episode in our app sec (er.... software) security series.
