CyberWire Daily - Cyber-entrepreneurship in the age of CyberAI. [CSO Perspectives]
Episode Date: November 18, 2024Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, turns over hosting duties to Kevin Magee, the Global Director of Cybersecurity Startups at Microsoft to discuss Cyber-entrepreneurship i...n the age of CyberAI. For a complete reading list and even more information, check out Rick’s more detailed essay on the topic. References: Andrew McCarty, Emma Eschweiler, Natalie Fratto, Andrew Pardo, Jake Ledbetter, 2024. The Rise of CyberAI [Analysis]. Silicon Valley Bank. Camille Périssère, 2024. 2024 cybersecurity market trends [Analysis]. AXA Venture Partners. Jeffrey Grabow, 2024. AI continues to drive venture capital activity [Analysis]. EY. Kaloyan Andonov, 2024. Energy companies increase investment in cybersecurity startups [Analysis]. Global Corporate Venturing. Staff, 2024. Cybersecurity Market Size, Share, Analysis Analysis]. Fortune Business Insights. Staff, 2024. RBC FinSec Incubator [Analysis]. Rogers Cybersecure Catalyst. Staff, 2024. Microsoft Digital Defense Report 2024 [White Paper]. Microsoft. Steve Morgan, 2022. Cybercrime To Cost The World 8 Trillion Annually In 2023 [Analysis]. Cybercrime Magazine. Learn more about your ad choices. Visit megaphone.fm/adchoices
Transcript
Discussion (0)
You're listening to the Cyber Wire Network, powered by N2K. of you i was concerned about my data being sold by data brokers so i decided to try delete me i have
to say delete me is a game changer within days of signing up they started removing my personal
information from hundreds of data brokers i finally have peace of mind knowing my data privacy
is protected delete me's team does all the work for you with detailed reports so you know exactly Thank you. JoinDeleteMe.com slash N2K and use promo code N2K at checkout.
The only way to get 20% off is to go to JoinDeleteMe.com slash N2K and enter code N2K at checkout.
That's JoinDeleteMe.com slash N2K, code N2K.
Hey, everybody.
Welcome back to season 15 of the CSO Perspectives podcast.
This is Episode 8, where we turn the microphone over to some of our regulars
who visit us here at the N2K CyberWire hash table.
You all know that I have a stable of friends and colleagues who graciously come on the show
to provide us some clarity about the issues we are trying to understand. At least that's the official reason we have them on the show to provide us some clarity about the issues we were trying to understand.
At least that's the official reason we have them on the show.
In truth, though, I bring them on to hip-check me back into reality
when I go on some of my more crazier rants.
We've been doing it that way for almost four years now.
And it occurred to me that these regular visitors to the hash table
were some of the smartest and well-respected thought leaders in the business. And in a podcast called CSO Perspectives, wouldn't it be interesting and
thought-provoking to turn the mic over to them for an entire show to see what's on their mind?
We might call the show Other CSO Perspectives. So that's what we did. Over the break, the interns
have been helping these hash table contributors get their thoughts together for an entire episode of this podcast.
So hold on to your butts.
Hold on to your butts.
This should be interesting. My name is Rick Howard, and I'm broadcasting from the N2K CyberWire's secret Sanctum Sanctorum studios,
located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A. And you're listening to CSO
Perspectives, my podcast about the ideas, strategies, and technologies that senior
security executives wrestle with on a daily basis. Kevin McGee is the Global Director of Cybersecurity Startups at Microsoft,
and I've known him forever.
He and I worked together at Palo Alto Networks back in the day,
and that's where I learned that he is a voracious reader of cybersecurity books.
Every time we get together, we get to argue about one or more of them,
and I love and cherish that time.
Basically, he's a bigger book
nerd than I am. He was also around when I started tinkering with the cybersecurity first principles
concept over 10 years ago now, and he has given me invaluable feedback of those ideas over the years.
Right around the time I joined the Cyber Wire, he went to work for Microsoft as their CSO for
Canada. So naturally, when I was looking for experts to come to the Cyber Wire, he went to work for Microsoft as their CSO for Canada. So naturally,
when I was looking for experts to come to the Cyber Wire hash table, he was one of the first
that I invited. He's been doing the startup role for just a few months now. So I asked him to come
on to give his first impressions of cybersecurity entrepreneurship in the age of cyber AI.
in the age of cyber AI.
Here's Kevin.
Now, there are plenty of articles by financial journalists or reports by venture capital firms
that you can read to find out
about the latest hot cybersecurity startup
that raised a huge round of funding
or what blockbuster mergers and acquisitions
happened this week.
But that's not what I do.
I work at the ground level of innovation in cybersecurity, helping academics and researchers commercialize their ideas. I
collaborate with entrepreneurs and founders to achieve product market fit and support startups
in finding new markets and customers. I engage directly with security teams and leaders in the
field to accelerate innovation adoption, and I consult with business leaders and boards to guide
them in quantifying
risk and ROI to implement effective governance controls that ensure secure digital transformations
for their organizations. My name is Kevin McGee. I'm a former startup founder and former chief
security officer at Microsoft Canada. I've been an entrepreneur, a CSO, and an early employee at
many tech and cybersecurity startups like Citrix, Splunk, and Palo Alto Networks,
where I met Rick.
And now I can add CSO Perspective podcast intern
to my list of accomplishments.
This storied and interesting career
has given me a unique perspective
on the intersection of entrepreneurship and cybersecurity,
which I get to use in practice every day
in my current role as Global Director
of Cybersecurity Startups for Microsoft.
I want to thank Rick Howard and the CyberWire team for this opportunity to share my perspective on the
state of cybersecurity startups in 2024. I'm calling this essay, Cyber Entrepreneurship in
the Age of Cyber AI. Now, this will come as no surprise to listeners to the podcast, and I'm sure
that many of you will feel the same way. What first drew me to cybersecurity and what keeps me here is the sense of mission, the unique common bond of our community.
At our core, we're all defenders working together to support one another, even if we happen to work
for competing companies. While not typical defenders, the entrepreneurs in our industry
really do play a unique role in advancing our mission. They may not take a shift in the SOC
triaging alerts daily, but their work exploring innovations and building new products is
invaluable. They make their contribution by exploring new innovations, investing their time,
money, energy, and often parts of their soul into building mere ideas into tools,
tools into products, products into platforms, and platforms into company. They are hackers too,
but in the original sense of the word,
the homebrew computer club sense of the word.
Just a different sort of hackers.
So if you are a cybersecurity entrepreneur out there listening right now,
please know I have the greatest respect for the work you do
and believe we need you now more than ever. Like many in the industry, my career path to cybersecurity has been unconventional at best and began with a history degree.
And I have been lucky enough to have these two great passions intersect on many occasions,
all of which began with my first encounter
with a real new technology innovation
that ended up creating infinite business opportunities
and other societal opportunities,
but also ushered in the age of the stereotype
black hoodie-wearing malicious hacker,
while also launching our hitherto beforehand
small and relatively obscure industry
into the mainstream, the PC.
Now,
I was only nine years old when I saw my first real computer, a TRS-80 Model 3, through the window of a Radio Shack at a shopping mall that no longer exists. The TRS-80 Model 3, on sale for $7.99,
only at Radio Shack and Radio Shack Computer Centers, the computer experts. I will ask you to pause for a second,
because there really is a lot to unpack
about the historical impact of the PC
in that last short sentence.
I didn't know it then, but I was glimpsing the future.
A future that included a PC on every desk
and in every house.
History was being made literally right before my eyes,
and I saw it manifest itself
right there in that Radio Shack shop window
in all its 16 kilobytes of RAM, dual 5.25-inch floppy drives,
low-resolution glory, and it was glorious.
It was this first real chance encounter where I caught the computer bug
that would stick for life.
I saved enough money mowing lawns in Chevrolet in snow.
I should note I'm Canadian, so this is a lucrative business model for a kid on a mission. To buy a computer of my
very own, my prized and life-changing Commodore 64, which is actually sitting beside me on the
shelf right now. And of course, the first thing I did was to take it apart and see how it worked.
And so I became a hacker.
Later, as an undergraduate history student, I logged into what would become the Internet
from the windowless Unix lab under the stairs at Brock University.
This time, however, I had a little better sense of the historical importance of what I was seeing.
As I sent my first emails filled with
ASCII art to my friends at other schools, I began to marvel at the possibilities.
My fascination with this new technology, or whatever it was, led me to start three companies
in the 1990s. Two successful and one, well, I really don't like to talk about it. But in retrospect,
I recognized it was a valuable learning experience. And so I didn't follow the traditional hacker to cybersecurity professional path of my generation. I became
an entrepreneur. And yet I never felt I left one community for the other. I became a bridge between
the two. Years later, I began to see employees bringing their own devices to work, laptops and
mobile phones that they had paid for themselves. They did this because they wanted to use the latest
and most innovative technologies that they were already using in their personal lives to do their
work and to do it better, rather than use the dated spec-limited and locked-down devices provided
by the company. As a result, I had the good sense to seek out startups that were positioning
themselves for this new BYOD revolution, which landed in Silicon Valley, to ride the wave of
innovation that would found our modern cybersecurity industry.
From this experience, I learned firsthand how to hyperscale a startup, but also the
unique challenges of bringing something new to market and overcoming the ubiquitous risk
aversion that is a unique aspect of our cybersecurity industry.
And this often keeps us from maximizing our potentials as defenders.
And this often keeps us from maximizing our potentials as defenders.
And yet, having lived through all of these incredible technological revolutions and careers, as many of you have as well, I think what we are experiencing right now with the emergence of AI might be the greatest story of our industry, yet untold.
Seeing chat GDP for the first time, it was clear that our industry would need to reimagine and reinvent itself. Instead of running out and starting a new venture of my own, I decided to leverage my experience to support the cyber entrepreneur community and drive innovation without the
sleepless nights of coding and subsiding on family packs of ramen noodles from Costco that I remember
from my startup days. My first and likely totally obvious observation is that things are moving fast.
Since ChatGDP's public release on November 30, 2022, we've entered a new era.
AI has rapidly transformed industries from education and healthcare to customer service
and everyday life.
Even my mom, who has never heard of CNAP or SASE, knows what ChatGDP is, demonstrating
just how fast it is spread throughout
general society, all in just over 700 days. My next totally obvious observation is that AI
transformation of everything, the sequel to digital transformation of everything, has already created
both unprecedented challenges and opportunities in cybersecurity, but at a velocity we have never
seen before. While we've adapted to
technologies like the internet, mobile devices, the cloud, over years, AI demands much quicker,
even more resilient responses. Now, the pandemic gave us but a glimpse of this speed of change.
However, the age of cyber AI will require a new level of agility. This will require all of us,
security teams, procurement departments,
senior business leaders, boards of directors,
policymakers, educators,
and individuals managing our own careers
to think and work beyond traditional linear limits
and natural risk aversions to embracing innovation.
Because you can be certain that threat actors
will not be held back by these constraints
to anywhere near the extent we are. What has me optimistic and most excited about all of this tremendous change, the speed at
which it's happening, and the uncertainty it's creating? Well, as an industry, I believe we have
an epic and historic new story to write. We defenders, the heroes of the story of course,
will need to act boldly, innovate quickly, and stay ahead of the attackers. And for the first time, I am convinced we have the right technologies in place to out
innovate the attackers and tip the scales in our favor. This is where the cyber entrepreneurs come The question then is, what will happen next?
And what will the era of cyber AI bring?
It's really way too early to tell.
I think we're still writing the prologue, not even the first chapter of the story.
But don't worry, I've skipped ahead.
And here are some of my best guesses and the things I will be watching for as the story unfolds. If I were to sum up my
investment thesis for cybersecurity innovation over the next three years in just three words,
they would be automation, remediation, and governance. That's where I'll be placing my
big bets, and here's why. As an industry, we've made remarkable strides forward in creating tools
centered on detection, zero trust, and other defensive measures. Yet, the future will unfold in an AI versus AI landscape
where the ability to automate and deploy AI solutions will be essential, not only to tackle
complex challenges, but also to empower our limited teams of defenders, enhancing their
effectiveness, efficiency, and resilience against burnout. This is where the innovative perspective
of cyber entrepreneurs
becomes a true force multiplier in two ways.
The simplest is through automation,
eliminating tedious, repetitive tasks,
which, while valuable,
risks merely paving go-trails
instead of building new highways.
Real innovation will lie
not in making current tools,
techniques, and procedures faster,
but in reimagining how AI can transform our approach entirely, delivering exponential efficiencies.
This is truly our Henry Ford moment, captured in his famous reflection,
if I had asked people what they wanted, they would have said faster horses.
Nir Zuck, a cyber entrepreneur and founder of Palo Alto Networks,
ignored all of the requests to build a faster, stateful inspection firewall, and this enabled him to envision and build the next generation firewall, creating a leap forward in defensive technology.
In both of these examples, the technology and the idea came into existence together in the right place at the right time and were championed by someone willing to choose innovation.
time and were championed by someone willing to choose innovation. Today, my greatest fear is that cyber entrepreneurs will ask us what we want and we will simply respond with phishing alert triage
automation, missing all sorts of opportunities to realize the full potential of AI. Another area
ripe for innovation is remediation. Even with all the impressive tools available for detection and
defense, organizations continue to experience material impacts due to cyber events.
While some progress has been made in automating remediation, it largely remains a labor-intensive process, handled by a limited pool of highly skilled and experienced cybersecurity professionals.
This is a resource that is increasingly scarce in our industry relative to the growing problem.
The reality is that we cannot recruit, train, or retain enough talent to meet this demand. To address this gap, we must evolve our business
operations and culture from merely focusing on security to that of true resilience. This includes
comprehensive strategies for remediation, recovery, and business continuity. This domain is ideally
suited for AI-driven efficiencies and invites cyber entrepreneurs to create innovative business-specific solutions that are designed to deal with unique challenges that happen right off the bat and help organizations survive and recover from the impacts of material cyber events.
Among all the potential investment areas, I believe remediation holds the greatest promise for delivering substantial returns on investment for both entrepreneurs and their customers.
the greatest promise for delivering substantial returns on investment for both entrepreneurs and their customers. The third area I'm focused on is governance, risk, and compliance, or GRC.
Now, I believe we are in the opening stages of a new kind of organization and society,
one operating with the precision of code. While this brings inherited advantages,
it also introduces new potential vulnerabilities that threat actors can exploit.
This transformation calls for innovative approaches to governance, oversight, and compliance,
ensuring that we make sound and ethical business decisions while also maintaining accountability.
How can we provide board-level oversight for technologies that didn't exist yesterday?
How does a CISO assess the risks associated with IAI models that we don't fully understand
or can explain
how and why they work? And how can we develop compliance frameworks that go beyond static
point-in-time assessments to keep pace with an environment of exponential change?
These are monumental challenges, but also incredible opportunities for cyber entrepreneurs
to do what they do best, solve unique problems and create something the world has never seen before.
Those were my best guesses and some insight into where I'm placing my bets.
Now let's talk about some indicators, trends if you will, that will tell me if my bets are on track.
Market trend number one, business decision-based digital transformation has gone parabolic.
Human ability to comprehend and adapt has not. In a quote that seems particularly relevant today,
E.O. Wilson, the American biologist, naturalist, and ecologist
known for developing the field of sociobiology said,
the real problem of humanity is that we have
apaleolithic emotions, medieval institutions,
and godlike technologies.
Modern humanity is distinguished by paleolithic emotions
and
medieval
institutions like
banks and religions
and godlike
technology. We're a
mixed up and
in many ways
still archaic species
in transition.
Wilson was born in 1929 and died in 2021,
so he had the opportunity to witness firsthand
not only the leaps and bounds that human ingenuity
would apply to the acceleration of technological advances,
but also the ever-widening gap between these advances
and our very human capabilities
and human-created institutions' capacities to keep pace.
The traditional approaches of cybersecurity
focus on the technology side of things,
such as securing endpoints and networks.
Now, don't get me wrong.
These tools are and continue to be absolutely necessary,
but they are no longer sufficient in an era
where AI, cloud computing, and the Internet of Things devices
are exponentially increasing the complexity of security challenges.
And that's our show.
Well, you know, part of it.
There's actually a whole lot more,
and it's all pretty great if I do say so myself.
So here's the deal.
We need your help so we can keep producing the insights
that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity.
If you want the full show, head on over to the cyberwire.com slash pro and sign up for an account.
That's the cyberwire, all one word, dot com slash pro.
For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing.
Plus, you get a whole bunch of other great stuff like ad-free podcasts, my favorite, exclusive content, newsletters, and personal level-up resources like practice tests.
With N2K Pro, you get to help me and our team put food on the table for our families, and you also get to be smarter and more informed than any of your friends.
I'd say that's a win-win.
So head on over to thecyberwire.com slash pro
and sign up today for less than a dollar a day.
Now, if that's more than you can muster, that is totally fine.
We're all not tech billionaires with lots of money to throw around.
So if that's your case, shoot an email to pro at n2k.com and we'll figure something out.
I would love to see you over here at n2k Pro.
One last thing, here at n2k, we have a wonderful team of talented people doing insanely great things to make me and this show sound good.
And I think it's only appropriate you know who they are.
I'm Liz Stokes. I'm N2K's
CyberWire's Associate Producer. I'm Trey Hester, Audio Editor and Sound Engineer. I'm Elliot
Peltzman, Executive Director of Sound and Vision. I'm Jennifer Iben, Executive Producer. I'm Brandon
Karf, Executive Editor. I'm Simone Petrella, the President of N2K. I'm Peter Kilby, the CEO and publisher at N2K.
And I'm Rick Howard. Thanks for your support, everybody.
And thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable.
That's where Domo's AI and data products platform comes in.
With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Secure AI agents connect, prepare, and automate your data workflows,
helping you gain insights, receive alerts, and act with ease through guided apps
tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.