Craig Goodwin is the Co-Founder and Chief Platform and Strategy Officer at Cyvatar, a technology-enabled cybersecurity as a service (CSaaS) provider.
He has over 15 years of experience leading security across both the public and private sectors, building holistic security functions that combine the range of security disciplines under a single effective function.
We talk about the method of delivering Cybersecurity-as-a-Service, the reason it’s more critical than ever, and also the approach of building leave-behind process and platforms to deliver the best customer experience.
Check out Cyvatar.ai here: https://cyvatar.ai
Transcript powered by Happy Scribe
Welcome, everybody. It’s Wednesday. Or at least it is if you’re catching this when it comes out fresh, because this is the DiscoPosse podcast, your weekly leading technology startup podcast, and you’re about to get exposed to a fantastic conversation with Craig Goodwin, who’s with Cyvatar.ai. Now Craig is really fantastic. He’s co-founder, and he’s somebody who I really enjoyed because, as a chief platform and chief strategy officer, he had this beautiful mix of having lived the life of doing the things around security and now brings them to how to deliver these as a platform, as a true cybersecurity-as-a-service.
Really great stuff. His methods, approach, just a very enjoyable discussion as well. Somebody I would love to spend a bunch of time chatting with. And speaking of spending a bunch of time chatting with, I got to tell you that the reason I get to spend a lot of time chatting with these amazing people is because of the amazing folks that actually make this podcast happen and support it. So I want to implore you to please do me a favor. Number one, go check it out, because everything you need for your data protection needs you can get from our good friends at Veeam Software.
I’m a longtime friend and fan, and it’s really cool that they’re supporting the podcast and making sure that, as they look to bring their own message to the market, I’m pretty pleased that I’ve been able to be a part of that, featuring some of the great folks at Veeam as well. So go to vee.am/DiscoPosse. They just came off of AWS re:Invent. They’ve got a really cool campaign. It’s a comic book download, so really cool. So go there. It’s actually the landing page. If you go to vee.am/DiscoPosse, you can get your very own AWS superhero comic book.
Please do that. Very cool. I absolutely recommend it. And also, of course, speaking of protecting, the one thing you want to make sure of is not just protecting your data wherever it is, but protecting it in flight. Protecting your network, protecting your identity. You can do this by using ExpressVPN. I’m a longtime user of ExpressVPN because I travel a bunch, and as part of it, I want to make sure that I’ve got consistency of experience and safety while I’m traveling around and using other WiFi and other networks.
So please do try that. Go to tryexpressvpn.com/DiscoPosse. It really is just that easy. Oh, that’s right. And also, I have a coffee company. I hope that you enjoy it. I do. And if you want to go check it out, it’s diabolicalcoffee.com. Not much more to say about that. Really, really good coffee. Go check it out.
Hi. My name is Craig Goodwin. I’m the co-founder of Cyvatar, and you’re listening to the DiscoPosse podcast.
So thank you, Craig, for joining. I’m definitely in excited mode about what we have a chance to talk about, because when I saw Cyvatar come up on the list, you’re actually on my companies-to-watch list. And it’s a rare treat when we can dive into, I’ll say it’s funny, it’s like this burgeoning area around cybersecurity and offering it as a service and injecting ourselves earlier in the development and operational workflow. It’s new to the world, which is terrifying, because it shouldn’t be. But this is why the opportunity is huge.
So I think the best thing we can do for folks that are new to you. Craig, if you want to give a quick bio and we’ll talk about Cyvatar and the challenges that you’re solving.
Absolutely. Pleasure to be here, Eric. And thanks for adding Cyvatar to that list. I’m sure it’s a long one given what you do, but I’m privileged to be a part of that. Sure. My name is Craig Goodwin. My background: I’ve been on the end user side of cybersecurity for about 18 years. Before that, I was in the intelligence services with the UK government and fell out of that when chief security officer was just becoming a thing, really. And then spent 18 years building, operating, running large scale cybersecurity businesses as an end user.
So companies like Monster Worldwide, Ferguson plc, CDK Global, which is a big automotive tech firm out in Chicago, and then Fujitsu before finally co-founding Cyvatar with my co-founder, Corey White, who is based in Orange County in California. He’s also got a long history in cybersecurity, but from the other side of the house. So he’s been building and running cybersecurity vendors for 25 years, and I come from the end user side. So the first pitch of Cyvatar is always that we’ve got both ends of the spectrum.
We’ve been there and done it from an end user perspective and also a vendor’s perspective. So we know what’s broken, and we know what we need to fix to deliver better outcomes for customers and businesses globally.
I think this is really why I loved your sort of mix in the founding team. It’s a fundamental problem that we have in so many startups, that we attack it purely from the intellectual, like this is sort of the scientific method, and we come at things, and there are points when you have to have a very opinionated resolution to things. It’s often how we succeed: you can’t just sort of do incremental change. You have to come in and say, this is the way that it’s going to work.
We have to remap some of the processes. But because you’ve come from the experiential side, the buying side. I used to do the customer deal as well for a couple of decades, and it allows me to approach technology in a way that I know well. In a pure intellectual approach, fantastic. But will this actually get adopted and used in the way that we would hope? Really, the thing that I want to focus on, Craig, is this idea that you’ve seen it in flight. You’ve seen it in play.
You’ve actually implemented solutions, and you know that it’s much more a human problem sometimes than a technology problem, especially in the area of security and cybersecurity. So how did that two-sided approach influence your choice to start the company?
Yeah. When I met Corey a couple of years ago, at the kind of founding of Cyvatar, I was in that place where the industry is going crazy right now, particularly from the VC point of view. There are, I don’t know, it changes every day, four and a half thousand plus products out there or something crazy. So I had a lot of VC friends, a lot of founder friends, say to me, you should found a business. You should do something now that you’ll be able to get the funding.
You should take that knowledge that you’ve got as an end user and create something. And I’d been thinking about it for 6, 12, 18 months, but I wanted to find the right, and it sounds like a bit of a cliché, right? But I wanted to find the right thing, the thing that actually solves the problem as an end user. I’d fought with it for 18 years, and the kind of problems that I found were that I bought pretty much every product that existed. You could say the Noah’s Ark of cybersecurity, two of everything.
And that was true. You’d go out and you’d convince yourself as a CSO that your number one objective was to convince the executive team or the board to give you more budget, and you do that. And I did that really well. And then with that budget, I’d go and buy some more products, but still wouldn’t get to secure. I still wouldn’t get to the actual outcome that I wanted as a chief security officer. No matter how many products I bought, I still found that I needed large internal teams or my own platforms that I built myself internally to actually do the hard part.
And the hard part was actually the fixing. Actually getting to the outcome of secure. And I found that 90% of the products on the market would point out my problems for me, but simply add to that list of things I had to do. Add to the problems that I had to fix and not actually fix or solve any of those problems. When me and Corey met, he told me about his idea for Cyvatar and an as-a-service solution, and I said, well, look, I’ve done that internally, three or four times over.
I’ve built the platform that we need to build to allow that to be successful. I’ve been the end user side consuming that. So let’s join forces. Let’s bring those two components together. He’s been running services businesses for 18 to 25 years, so he knew that one-off services just didn’t cut it anymore. I’ve been running the end user side and knew that products didn’t do it. So those things combined just led to what Cyvatar has ultimately become, which is the ability to pull, to your point, people, process, and technology all together into easy to consume subscriptions that mean you’re getting to an actual outcome rather than just finding more and more problems.
Well, I remember, the thing was ADT security or something. It was something like a physical home security company that had a great set of commercials. And it was the whole thing of, there’s monitoring, and then there’s us, right? And this whole thing of, like, a guy, a bank is getting robbed. And someone just looks at the guard and says, “Aren’t you going to do something?” And he says, “Hey, he’s robbing the bank.” This is monitoring. Obviously the first layer is always discovery, doing that monitoring, that observability, which is sort of the new catchphrase in the industry.
But then from that point, being able to action on it is the gap, rather than just basically saying, hey, there’s something going on, and now it’s your fault. You’re just handing it off to an operator or developer. And this is a complex ecosystem in the organization. The CSO doesn’t have effective control over IT in the same way, because they generally report up, like, directly to the CEO. They report up, if anything, possibly adjacent to a CIO, possibly through legal and procurement. More so than just operational IT.
And there’s really a lot of stuff that falls under that bucket. So while they could say, there’s my aspiration to achieve a secure workplace, a secure environment, this now has to cross into seven different divisions of IT and many, many other things.
Yeah, 100%. And I could talk about that for days. I think, to unpick that a little bit, you’re absolutely right. I think the trend, and it’s going to continue to be a trend, is decentralization of the security function. I used to joke or half joke, as I was building security functions, that my ultimate goal should be to not need a budget as a chief security officer, right? Because I shouldn’t need to protect the organization. It should be so ingrained into everything we do as a business, to your point, the different departments, that actually they understand it.
And I build such a strong culture of security that they pay for it out of their own budget. Craig doesn’t need a separate security budget. I’ve tried to do that at the businesses that I’ve always been at, which is to put the power in the hands of the developers, for example, right? Where they have the tools, the power to be secure by design as they build their products, as opposed to what doesn’t work, which is Craig’s team coming along and acting like the police, right?
Which is a definite cliché in the industry. But it’s hurt us for many, many years, that kind of outsider type approach to security. And then the other thing you touched on, which is just incredibly important and a lot of people forget, is the politics associated with it. Like, how do you drive behavioral change? That first day shouldn’t be about looking at technology. It should be about going to buy a Starbucks card, so you can take all the executives that you’ve got to influence out for coffee and build those relationships. Right?
Because that is 100% the most important thing. And one of the things that we’ve done from Cyvatar is enable that. The platform that we’re building, or the platform that we’ve built, really enables that decentralization. It enables those workflows to be created across organizational bounds and puts the power in the hands of the people that actually need to fix it, as opposed to just firing a load of vulnerabilities and alerts at the security team and expecting them to do the hard work in chasing up and getting things fixed and influencing people.
It becomes the challenge. I was at an organization, and this was in the 90s through the 2000s, and the CSO didn’t exist. That function wasn’t there. It was at least rare in sort of the Canadian world, particularly. We’re such a friendly bunch. We didn’t need one. Right. And all of a sudden, we see a CSO show up. And this is right around the time that Sarbanes-Oxley also was implemented. So you had, first of all, a functional change in the organization, that they were separating out this role of information security officer, and also everybody that had the CXO title was signing their name on a contract that put them personally liable for the outcomes of their organization.
And it really changed things. So immediately, the first thing that happened, as we do with security organizations, is they hired a bunch of VPs of security, and then they hired a bunch of directors, which are basically sort of their very high titled interns. And they began crafting policy, crafting policy. Quick. We must craft policies. And it was almost like a Monty Python-esque level of, quick, a proclamation. And they would come and they would post it on the board, and they would email it out and send. And immediately you’d say, “Well, we can’t do this.”
And they’re like, oh, no worries. Then file for an exception. And then they built a system to file for exceptions. And they had created this sort of process spaghetti. And I was torn, right? Because with what’s going on, I recognize what you needed to do is, we need to actually look as an organization: how are we going to attack this problem? How do we recognize the problem within a medium? This is like putting a government into a functional organization, where they don’t see the outcome, they don’t see the negative side effects.
They just simply have to come in and say, policy checkbox. And then as it made it further on in the organization, we would just find ways to get through the audit safely. And that was the first phase. But then from there, like, we’ve seen it in action. We’ve seen real. No one wants their company name to show up in the news. And it’s like when somebody has their name show up in the news and the word embattled is in front of it, there’s certain things you never want to have.
And I’ve got good friends who are at SolarWinds, and that was a tough one to watch them go through, where the reputation attached to being exposed to a vulnerability carries for a long time and has a real commercial effect on them, just as an example, right?
That was one thing where they’re in the news. So at first it was like, in 2009, it was probably happening all over the place, but it wasn’t in the news. Now there’s a really significant risk that it’s prevalent, that this is active in the industry, like DarkSide did it. They created ransomware as a service. This is fantastic. But how do we attack the problem and make sure that we don’t end up in the news? But most importantly, that we aren’t vulnerable. That’s the real thing. Obviously, the news is bad, but let’s actually fix the problem.
So if there’s ransomware as a service, then what do we do to counteract that?
Yeah. And I think you hit the nail on the head, and we could talk for hours about the compliance versus security debate. But I think actually, in a number of cases, compliance has damaged what we would call real security. Because if you think about, you mentioned the top down approach. One of the things that all those compliance standards first say is, go and get the board approval, like, get your executive buy-in, all that stuff, which makes it that very policy focused, like, top down approach where we create mandates and then we try and force it into the organization. And actually, back to that decentralization conversation.
The most effective way I build security is from the ground up. That doesn’t mean negating the executive buy-in, and you need the budget. You need people to understand what your objectives are, but being very clear with your sponsorship, your leadership, about what is the objective. Do we actually want to be secure, or are we just ticking a box for compliance purposes? If your answer is we actually want to be secure, that’s a very different journey than creating a ton of policies. And that’s one of the fundamental principles when we started Cyvatar, was that there’s a ton of really quick and easy ways to go and get SOC 2 compliance, for example, like, I say, 27001 compliance, and we’ll help with the operational aspects of that.
But what the majority of the small to medium sized businesses and other companies that we’re serving want is to be actually protected from ransomware, is to be actually secure. And to your point, like SolarWinds, prevent their name from being in the media because they’ve lost data or been hacked or been interrupted or whatever it might be. They actually want to be secure, and that then differentiates them from their competitors because they’re more secure. So what we’ve done with Cyvatar is build real security in, and security that actually gets you secure, which is a big step change from a policy, creating something and telling everyone that they’ve got to do it.
This is real world. How do I prevent that from actually happening? Moving to that prevention, moving to that remediation, is the key step that the majority of vendors in the market just don’t appreciate or don’t help customers to achieve right now.
When it comes to differentiation, it’s funny, I lead them. I’m not going to compare you to anybody. I’m going to compare you against the industry at large, in that you’ve chosen to price by human rather than object. And this is interesting because quite often when we think about security services, developer services, all of these services, they’re effectively marked per application, per object, per cloud target, per whatever. There’s always some technical target. So let’s talk about that, Craig. The idea that you’re basically working at the human layer with technology and thus you price, I’ll say, differently than most folks would expect.
Yeah. 100%. And that’s another indication of, number one, kind of that really customer centric approach, making the experience for the customer a lot more streamlined. One of the things me and Corey are constantly doing is looking at the industry, or taking our experience and changing the way that things should be done and making it simpler when we thought about the customer consuming it. For anyone that’s ever commissioned a penetration test, for example, that horrible booklet of, like, 20 pages you get from the provider that says, and it used to take me, even with a security team, four weeks to fill in the technical data, to have to gather this technical data, to even get the scoping document back for a penetration test. Right?
And that just can’t be the way it is. So what we wanted to do is, number one, make it customer centric, number two, make it really easy to consume. So therefore, what we do is we use the number of employees in the organization as an indicative factor for the size and scale of the organization itself. Right. And that then allows us to build those subscriptions, build those solutions based on the size of the business and scale it effectively. For example, we’ve got customers who have 500.
They’re in the entertainment industry. They have 500 employees that never touch a computer, for example. Right? And we’ll work with our customers to figure out how that subscription works and how best to address it and make it more palatable for that customer themselves. We have other customers where some of their employees have got three or four different laptops. And in the old model, that means four or five different licenses, right? We want to deliver security, true security, for the customer. So we’ve built all that complexity.
And we just say, let’s base it on head count. Let’s base it on head count of the organization. As you grow, we grow, and we’ll partner with you to deliver security, whatever that means for the size and scale of your organization.
When it comes to the mapping to importance of the business, it really is a human tally, right? Because the scale of the workforce is effectively a marker of the network effect of risk, because the more people you have, like you said, they’re specific. Some employees, they’ve got seven devices hanging off them. They’re much more active, they do field work, so they may be sort of more exposed than others. But then back office folks, they log into the computer only to get their morning email. And then the rest of the stuff they’re doing is they’re scanning paper into systems.
It actually makes complete sense. And you start to think like, ‘Why hasn’t someone done this before?’
That’s my favorite thing. Like, my head gets a little bit bigger because I love it when we sit down with customers. And hopefully that’s an indicator of a good idea, because we sit down with a ton of customers, and customers go, doesn’t that exist already? And they’re like, actually, no, no one’s done it like this before. No one’s done it the way that we’re doing it now. The reason that we built what we built is because the business model exists elsewhere. The likes of Netflix in the B2C space, the likes of TriNet and others within the B2B space for HR.
Why would you not have that model for security? And that’s what we’ve built with Cyvatar. We always use the example of, why would I bother building an HR function at this point and even our revolution? I wouldn’t. I’ll go and outsource it to TriNet because they’re better at it. It makes sense. It works for the scale of business and how we operate. I don’t want to be an HR professional, just like a lot of these businesses don’t want to be security professionals, right? They want someone who can do it for them and actually get to the outcomes of secure.
So that’s why we built the business model that we did, for sure.
When you looked at, obviously, the first thing we have is we have team, the three T’s. Right? Team, TAM, technology, as they call it. Right? You’ve got your co-founder. You have to address the technology side, you both come at it from each angle and see if you’ve got a good sense of where you in the technology stack will be able to attack a problem. When assigning TAM, this is really about choosing your first market. What is the ideal customer that you wanted to begin with? Because it literally could be anywhere from SMB up to global enterprise.
There’s a lot of potential. And if you’re a VC, of course, there are like trillions of TAMs. They want this Gartner-esque type of up and to the right quadrants everywhere. They want to see a lot of that stuff. But you, as a founder, you have to be pragmatic about your first market.
Yeah, 100%. And you’re right. There’s a ton of opportunity in terms of even larger enterprise organizations. I’ll talk about that in a second. But if you think about the absolute target market, it’s those greenfield organizations that haven’t built a security function yet. And what that normally means is probably 500 employees or less in the technology space, where the ROI, the return on investment, associated with the model that we’ve created is, quite frankly, a no-brainer. When you talk to customers and you spell out what it takes to build a security program these days, with the cost of talent, with the complexity of tools, with just everything that’s out there.
And back to that original point about the CTO, and the startup really wants to be focused on making their products great, not doing the cybersecurity stuff. You come in and you take that pain away. And the model, from a greenfield perspective, just makes absolute perfect sense. And even a lot of our customers have got a single contributor, the first CSO hired, like you mentioned before, or the first security person hired into the organization. Even then, what they’re not going to be able to do on day one is justify another ten resources.
And that’s relatively lucky, right? So to have a solution that enables them to be successful and deliver those outcomes as well in a cost effective way, that’s the number one target. Right. And also, to your point, from the vendor perspective, it’s just a massively underserved market. We talk to a lot of our partners who say anyone under two and a half thousand employees, our VCs are telling us not to touch, because the economics don’t make sense when you get to a certain scale. And we throw the term democratization around.
But it’s true. We’re taking these best-of-breed technologies that perhaps wouldn’t be accessible to that smaller end of the market and making them accessible, making them consumable, because you don’t need those internal resources or expertise to get them in and operational quickly, which is what we’re able to do.
Yeah. It’s kind of funny. Like, I’m in the tech space and I meet with large organizations all the time, and they have more developers at most North American banks than the vendors they buy from. So it’s really difficult to go in there and sort of say, all right, we’re going to do a ground-up development of this service approach, because they’re just like, well, we’re going to use you for six months, and then we’re going to take a team and make them shadow you and then build the thing you do.
So it’s actually often a dangerous thing, especially for a startup, to go in with a great fundamental challenge solver, because they’re just going to go in. Tech companies are the same way. Right? Large social networks are famous for this one, right? Where they’ll buy a company, buy a product for a year and then not renew. And some people on the sales teams are like, I don’t understand, why didn’t they renew? Because they are filled with amazing technologists. And they just watched what you did for a year. That’s all they needed; they needed to be close enough.
I think one of the real differentiators that we’ve got is that we started as a platform player. Right?
So we’re not a product led company. We are a true platform. And you see it, we all see it. There are many businesses out there that claim to be platform based organizations. The problem that you’ve got, particularly with the larger businesses, is they’re tied to their own products as well. So if you’ve got a shitty antivirus product and then you go and build a platform, well, guess what, which antivirus product is going to be the one you use in that platform? Right? And that’s the problem. What we’ve started from is a very blank canvas. We’ve started from a point where we’re building the platform first.
And therefore, if you want to integrate with us, we will be picking the best-of-breed technologies. We’ll have a selection. We’ve got three or four different partners in each of our solution areas, and our member services team is constantly assessing what’s the best out there, what’s going to get the best value for our customers? What’s the best solution? And the customers are subscribing to a flexible subscription, which means if one day AV number one is the best one on the market, we’ll install that. If the next day AV number two completely outdoes them and gets to a better state of prevention than number one, we’ll change it out for them.
And that’s all part of that subscription. So it’s focused on the subscription outcome as opposed to the particular product or technology that you’re driving.
Yeah. One of my favorite platform stories. And like, I’m in product marketing, I know, it’s always like, you’re not a tool, you’re a platform. It seems like better marketing. But Dave McJannet, who’s the CEO of HashiCorp, I described it to him and I said, it’s great because you effectively got all these layers, and it ultimately makes a platform. And he goes, well, we describe it as, if you squint hard enough, it’s a platform. But it really is a separated set of tools that integrate very easily.
And it was funny that even he was unwilling to use the word platform for fear that it would have this connotation of something that is easy. It’ll be automatic, you have to buy one thing, and then you have to buy the other four things. Their goal was ultimately interoperability, which is, again, why I wanted to pick on this point with you, Craig, by being able to know that you’re looking for the best of capabilities, the best-of-breed. And you are handling the integration and the interchange.
It means that I don’t, as a customer, have to get locked into going to antivirus A and looking for the best deal, because, effectively, they’re going to tell me why I need them, and then they’re going to suddenly become the one that wants everybody else to integrate with them. I want to have a platform approach where I can think of it as a framework that I fit things into. And then it gives me the comfort that I can negotiate with those vendors now, because before, especially for an antivirus vendor, it’s the easiest thing in the world.
We have 3000 endpoints. How exactly do you think you’re going to change that over? It’s one step away from, it would be a real shame if something were to happen to your car, now, wouldn’t it? Like, that’s almost a Mafia-esque type of way. But I’ve worked in organizations where we’re like, I actually had 22,000 endpoints, and yeah, we got it done because we threw humans at it. But it was a huge expense. It was a huge lift. It was a huge risk. So if I can offload that risk and that assessment of the right current set of platforms to you, that’s a huge win in my eyes of why I would say Cyvatar is like, all right, this is a true platform play.
Yeah. And you’ve got two things, I think. Number one, you’re absolutely right. A lot of those businesses, like I said before, four and a half thousand products out there, like, what startup wants to come wade through all of that?
The periodic table of things.
All Eric’s product marketing. Who wants to go wade through that to find the one problem. Sorry, the one tool that’s actually going to fix your problem, right? No one can. No one does. Right? So, yeah, that’s number one. My own member services team are experts in the field, have been doing it for 100 plus years, whatever the combined number is, and they will pick the best-of breed, right? Agnostically and build them into the partner framework, build them into the platform. And like I say, we’re not afraid, right?
When partners aren’t performing or it’s not the best tool anymore. We have the capability and the wherewithal to change that out. Because we’re so customer focused, we want it to be about the customer and delivering the right outcome for the customer. The other big deal here, I think, is really important. We went on this evolution, I think you mentioned it earlier, for in security from technology, and then we’re definitely focusing on the people right now. But the process bit for me, is probably even more important than the people, right?
Because you can have the best cybersecurity experts in the world. You can have the best tools in the world. If you haven’t got the process that makes those things successful, you’re still ultimately going to fail. And what we’ve built with the platform that we call the operating system for cybersecurity is the process of security, what we call, we’ve got proprietary methodology that we call ICARM, which is installation, configuration, assessment, remediation and maintenance. So you go from all the way from installation of the tools, all the way from maintaining a full security program.
But essentially all it means is the process of security. Like, how do you get from a point where you have nothing or a very immature security function to the point where you’ve got something that’s functional operational and you’re maintaining the organization in a clean maintained state and the tools can be interchangeable. The people can be interchangeable. But that process remains constant. And that’s what we built in the platform. And that’s why I think we are so successful in such a short space of time in terms of getting those outcomes for our customers.
We’ve got that experience, we’ve got that knowledge. We built those processes into the fabric of what we do. And that’s why we’re driving this speed and easiness of security that just amazes people to the point where they don’t believe us sometimes, to the point where people go, how do you do that? And it’s because you’re taking that fundamental approach and you’re building the processes right.
And I don’t want to talk about people leaving the platform, but the subscription model opens the door to a sense of freedom in that they’re not locked in to you, which is a strong thing, right? It’s sort of illegal and functional lock in is difficult, and people don’t want to take on a new thing because there’s sort of a risk there. What’s the thing that, what they say to you, Okay, Craig, I like what you’re doing, but let’s just say for whatever reason, we have to change gears in six months, and I stopped my subscription.
What does that mean for my organization?
Yeah. So we built ‘cancel anytime’ into all of our solutions, just like any other subscription but don’t like using it so much. But back to the Netflix example. For as long as you’re getting value out of Netflix, you’ll continue to pay your subscription. And me and Corey, and the whole of Cyvatar, is not afraid of that model. We truly believe that with those process components, with the people components, with the way that we’re driving value for our customers, it challenges us to continue to continuously drive value across that lifecycle and that lifetime value of that customer.
And we’re not afraid of that challenge, right? We haven’t had anyone canceled yet, and I’m hoping we’re not going to in the future because we are driving that consistent value. We all know my favorite quote ever. I don’t know who said it, so I might just claim it as my own. Security is a condition to be managed. It’s not a problem to be fixed. And that is absolutely true. It’s not a one-off engagement. This is about growing with the customer, partnering with the customer, and being that continuous source of security for the business.
So the short answer is, Eric, as long as we continue to deliver value and the customers see value from it, we’re not scared of it, but we’ve built in ‘cancel anytime’ so that customers, if they really don’t see the value, can make that break.
And I love this idea that you talk about something to be continuously managed. This is not like a juice cleanse to suddenly make you healthy. Security is something you just sort of throw a tool at it, and then by magic, it’s fixed. It really and truly is an operation, because even if the choice is right today, it’s not to say that that particular product or some process that you’ve got won’t be suddenly vulnerable just because of a change in the ecosystem or change in process in a month or two months or six months.
So that’s why it does need to be the subscription and the service model really makes sense to me, because this is something that I want to make sure is maintained. And we think about maintenance as SNS on a contract, right? Like, oh, I can phone 1800. I’ve got a problem with something, but that’s really not what maintenance is about. Maintenance is about maintaining the health of the ecosystem, right?
Yeah. I love the hygiene and health analogies. I think they’re really helpful when you’re thinking about cyber hygiene and cyber security. It’s that continuous process. Corey always gives the example of, I don’t know whether this is true or not, but always gives the example of doing the dishes, right? Doing the washing up, you leave it for three or four days and you’ve got a massive pile and it’s a hell of a workload to get through. Whereas if you do little bits on a daily basis and you could do the same analogy a million times over, whether it’s automotive maintenance or whatever, it might be doing those little things and keeping up with it means that actually over time you’re continuously maintaining that state of hygiene.
You’re continuously maintaining that in a clean state, which makes your job much easier over time, means it doesn’t cost you as much. We talk about another good example is always the developers building code. And if you wait until a vulnerability or whatever is out in the wild, it costs you 50, 60 X, the cost that it would be to fix it while it’s in the development lifecycle. The same is true for general security across the board. Fix it while it’s being happened, build it in, make it a maintenance. Again, back to process.
Make the process continuous, and you’re in that position where you’re getting much more value out of your security program. Pentest is another great example of that. How many organizations just do a one-off pen test every year? How many times have I done a one-off pen test next year? They come back the year after and say, why is it the same as it was last year? Yeah, of course it is. And that pentest somehow makes you secure. But no one does anything about it. It shouldn’t be one-off, it should be continuous.
And in our threat and vulnerability management program, that’s what we’ve done. Yes, you get a pen test every year, but also you’re continuously scanned all year round because you might do your pentest on the coming Monday. But who’s to say six months before that, you didn’t have a vulnerability that’s been hanging around for the last six months. So, yeah, I can’t say enough about the ability to be continuous in that program. And that’s what subscription brings.
This is the funny thing, right? Like you said, compliance and security, while seeming to go in the same. There’s an ampersand between them, like it’s attached to most people’s resume in that way. But it truly is separated functions because compliance is the annual or the quarterly checkbox to make sure that you’ve passed a test. Security is an ongoing operational process to make sure that that’s happening. You said pentest is one that’s interesting because as we develop more active testing, it teaches us to make antifragile systems as well, much more than defensive.
But truly, I’m going to build a system so that it can withstand continuous penetration testing. Actually, at this one place I was at, we used a product and they would do, like, regular scans. So every night, it would go and scan all this stuff and it would wipe out half of our homegrown applications because it would just basically batter them like a denial of service. And then you’d have to restart all these services. And I was like, they said, well, can you stop scanning the system?
I’m like, no, can we start developing to be prepared for it? Like, it was funny that integrating, the tooling changed the practice of development.
Yeah, one of the things that I always liked. And I was talking to someone about it the other day. I was used to just talk about, security is another facet of quality, right? Developers, a lot of development organizations understand the concept of quality. They’re constantly scanning the code for quality. They want to create quality products and quality code. But security is somehow some kind of outlier from that. And when we started to take, and one of the tips I always gave to kind of CSO as they were going into large product based or application based organizations was borrow from what’s already there.
Like take the quality scoring mechanisms and just add security in as a facet of that, because they’re building quality code. They wouldn’t, for the life of them, send out bad quality code. So security is just another facet of that. You can’t build a quality application or product if it’s not also secure. So borrow from that language of the existing business instead of trying to be a special snowflake on the side.
Yeah. Now let’s talk about the Forbes Technology Council. So this is a rare opportunity to be invited in to be a part of this. You’re involved, which it’s a testament to, obviously, your history and your skills and your involvement in affecting the industry, not just purely from your product perspective. What do you feel is a real strong opportunity with something like what the Forbes Technology Council is able to do?
Well, like you said, the name Forbes is one of those things you grow up with, I think, isn’t it? You go through school and you think about Forbes and who do I want to talk to and what’s the goals for me? So, yes, incredibly privileged. I think it’s a great group of people. There’s a great online platform where we share ideas. And to your point, Cyvatar has always been for me, about fundamentally changing the way the industry operates, not just about creating a product, not just about solving a spot problem.
Like a lot of the current solutions do. It’s about fundamentally changing the way we consume. So I think both ways, number one, giving to the Forbes Technology Council, sharing my 18 years worth of CSO experience with other members, helping them to understand how you build security programs, how you do security effectively, what you should be focusing your investment on, but then backwards as well. We get a ton of feedback from those council members about what they want to see, because ultimately, one of the things that we built with Cyvatar is we wanted it to be a business tool as much as a technical security tool, right?
Our audience in startups, particularly is CFO sometimes, it’s CEOs, it’s co-founders, who are not necessarily the most technically savvy people. They want a business outcome, not a technical outcome. So taking feedback and you see a lot of security vendors will take feedback from the technical security communities, which is great and valid. And we do that as well. But also, there’s a massive advantage to taking feedback from senior technology leaders, senior business people who can say, you know what, Craig? I don’t want to see a cross-site scripting vulnerability in an application.
Quite frankly, I couldn’t care less. Tell me how and when it’s going to be fixed. Tell me what it really means to buy business. Tell me how much it’s going to cost me to sort it out. Tell me how I can solve it in the future. Those kind of things, those ROI business based conversations is what we want to solve as a business. And therefore, hearing that feedback, having the opportunity to share that with Forbes Technology Council. Senior technology leaders really benefits Cyvatar and really benefits the way we’re building the platform and the business.
So, yeah, it’s a fantastic opportunity. And I’m proud to be a part of it.
When you’re a certified CSO, which is quite often, the CSO, sadly, is a role that they’re like, it’s like the CIO, which at one point when I was in first getting into tech, CIO used to stand for career is over, right? It was just somebody from the business unit. They were just like, you’re the CIO now. And they’ve served their two years to ride off into the sunset as they headed to retirement. Now it’s an active function and then CSO sort of fell into the same thing, like somebody has to be a CSO.
You, you’re the CSO, right? Make sure no one picks up USB sticks and push them in their laptop. And there was a sudden, you’ve heard a wide eyed thing of like, how do I be an effective CSO? And it’s because it’s a burgeoning role. Certification is something that I think had been vastly missed. So what is the path to certification and what are ways that professionals can look at working towards that?
Yeah. Well, I think that particular qualification is interesting. I think more widely the question around kind of experience as a CSO, to your point being thrust into a role where you’re told to stop USBs being put in computers, for example, I think ultimately comes back to it. And a lot of the responsibility falls on the individual. I did a talk a number of years ago about challenging CSOs as to whether they really are CSOs or not. And what does it really mean to be a CSO? And quite frankly, I don’t have the answer.
I don’t think anyone does. The answer no one likes is it depends. But what that means is when you start that job, you need to fundamentally understand why the role was created and what the executive and the business expects you to do and make sure that’s compatible with what your skill set is. And that’s what needs to happen more in the industry. It’s the same with, I always say, ton of CSOs will join a role and won’t have had a budget conversation for the first twelve months.
They just plow on, on the understanding they’re going to be allowed unlimited products and tools, right? Getting those things upfront, what is my role to our conversation about compliance versus security? All right, you’re hiring me as a CSO, but does that mean you just want us to get top two compliance if it does. And you’re happy to take that you approach that in a very different way than a role that says, actually, I want you to be the technical knowhow, I want you to work with the development teams to embed security into the development lifecycle.
Or I want you to be the strategic leader that is the figurehead for security across our business and drive sales cycles by being better at cybersecurity. All those roles are roles of the CSO, but in different organizations of different maturities and different expectations, and you’re ultimately setting yourself up for failure. If you don’t have that conversation up front with the executive team, with the business. It’s a long way of saying it depends. But as long as you’re clear up front what your role actually means, that’s the only way you’re going to be successful.
Yeah. And I think that’s the ideal thing, even like the CISSP, if you look at the foundations that it tests, it’s very wide range. And it’s everything from physical security to low level programming, understanding all the way up to much more high through technical cloud and networking. It shows you what it takes to really be a security leader in an organization or CSO. It is much more than just one aspect of it. And quite often it’s counter to what we’d expect if we make things more difficult.
If we make things technically challenging, that’s not always securing the environment, it could influence poor practices, because if you make everything super complex and people are just going to write it down, they’re going to write down their passwords. They’re going to do things that will then move against the policy setting, and it becomes, you’re effectively working against yourself by coming with this top down of you will not pass approach.
Well, the advice I’ve always given to anyone kind of early in their career or moving through their career that wants to ultimately become CSO in the end, is wider rather than deeper. It’s becoming more and more a business role. It’s becoming more and more about strategic leadership, about business leadership. There’s been a trend in many large organizations where CSOs aren’t coming from technical backgrounds anymore. You’ve seen people come from the risk function or the project management function or the program management function into CSO roles. And for me personally, I think that’s a really positive thing, bringing people in with that wider business experience.
That wider kind of programmatic experience and strategic leadership, I think, is really important because you get that separated agnostic view like boys and their toys tend to get excited about security technology and AI and all that kind of stuff, whereas someone that takes a business centric approach and says, what’s most important for the business, what is it we’re trying to protect? What is my job here? Like, all of those things contribute to being much more successful than diving in and going, oh, I need to buy this product.
So I think that’s really important. Back to SIT phase, it’s incredibly wise. I think it’s a great certification that you have, out of all the ones that exist to get you that kind of width in terms of understanding when you’re ready to do that. But I think as your career progresses, you want to know a little about a lot of different things. I’m no technical expert. I have technical people who do that for me. You can’t do everything. And it’s about having a little of a lot. I think as you grow up as a CSO.
In the world of tech, especially community is incredibly important, and the ability for people to find a peer group. We’ve talked about the Forbes Tech Council, which I primarily is savant at the C-suite. There’s a lot of folks that are there that they can really look at the leadership level. There’s others that go further down in New York. But then you’ve got the bottom up, sort of the SANS and even the BSides and those types of conference opportunities. What is if you’re saying, as a Cyvatar founder, what’s your community of practice that you feel is effective in helping your team both empower as well as to stay close to what’s really going on out in the world?
Yeah. I think it massively differs depending on the team. Right. So for me and Corey as co-founders, it’s entrepreneurial organizations. It’s learning from other founders, people that have been there and done it. And actually, one of the things that I’m really passionate about is not in cybersecurity. I’ve got some great friends who are founders in cybersecurity, which is fantastic. But you’ll see from the way that we’ve built the business, we haven’t learned from cyber, we’ve learned from other business models, and we brought that into the immature space that is cybersecurity.
So therefore, when we’re learning from other businesses, subscription based businesses like ourselves or SaaS businesses or whatever. So me and Corey have been very conscious to take those learnings from other areas. And the other thing to remember is we read a lot of books. We listen to a lot of audiobooks, get ideas from those things, but don’t prescribe to one single thing. There’s millions of different ideas from different theories and different books all come together to create a strong business model. So I would say, for me and Corey, that’s important.
But then, obviously, like our member services team, they’re heavily embedded in the ethical world of security. It’s their job to know what the best products are on behalf of our customers. So they’re absolutely interacting in the black hats of the world, the cybersecurity conferences of the world where they can hear have their ear to the ground so that ultimately our customers don’t need to do that themselves. And we’re taking that burden away from them. And then we encourage everyone. One of the things that we have all done in the business is go through a course called Scaling Up, which is a methodology for building businesses.
And we’ve been really open with the whole team from the beginning. It would be easy just to have me and Corey do that because we’re building the business. But actually, we wanted everyone to understand that methodology. The Rockefeller methodology for building a business. We wanted everyone to know what that meant, how it operated, so that as we grow, we can be completely transparent with the whole team. And everyone understands that they play a part in it. Everyone understands that they’re a part of the growth of the business. We do KPI stand up calls every day where everyone sees what the business is doing.
Are we failing in certain areas? How do we change that? And we have those open conversations with the team where everyone shares the learning and we build the business together. And me and Corey think that that visibility is incredibly key. So to your point, there’s definitely external communities, but there’s also internal communities where we bring all of that together and we grow as one team.
And I think this is also a testament to your approach in that when I choose a vendor, why we say the three T’s begins with team, I have to depend that the company that I’m buying from has viability, and it’s really difficult, right? If you’re like, they look around and know that, I’ve got twelve series A technology companies that look exciting and you know that they are close enough in their messaging and in the end, in four years or six years, there will be three series D company. But I have to lay that bet.
And your approach is beautiful, right? It’s differentiated because this means that trust that you will grow with me as an organization, as a customer versus like, yeah, we got a widget problem, I get to solve your widget problem. That’s fantastic. There are pure specific problems to solve, but being consultative and not just looking at like, all right, I’m just looking to get the CRC and get bought by Accenture like, whatever the thing is, not that that couldn’t happen, but you’re looking at growth. You’re looking at building a foundation on which you can grow with customers.
And again, like I said, the weird thing is I called on the pricing and the subscription model early because it’s such a rare treat that, you know, that the sense of freedom gives you the ability to be free to adopt. It’s such a funny thing, but it’s a welcome change, especially in the world right now, where we have to be able to adapt. We don’t know what four months from now is going to look like, and just that sense that you could buy as you need grow in a consultative approach, learn from experts who are, their economy of scale is knowledge scale.
I can’t possibly, with an 800-person organization or 4000-person organization, trust that I can hire 25 people that I’m going to send to conferences every week and make sure they’re on top of things and that they’re doing their bloody job. That’s why I love the approach.
100%. And I think that’s why it’s so important for us. If you look at me and Corey, you look at many VC funded businesses, ostensibly, you have a very technical founding team. You have a team that is focused on product building the widget, whatever it is. And that is what the team is really highly focused on. They’re very good at doing that. And then you get a ton of sales people who go out and push that with you and push that product, right? Our business is fundamentally built on the experience of the customer, where we add value is in that people and process space, it’s not necessarily what we’ve got some solid technology in the platform.
It’s not product led, and therefore it’s really important to us that the customer and the customer’s experience is at the heart of everything that we do. And that means that we approach it slightly differently. That means that all of our team members are highly skilled in what they do, highly skilled in making the customer experience incredible. And second to none, not necessarily highly experienced in selling a widget. Right?
Which is not what we’ve built the business to do. And to your point about cancel anytime we fail, we fail as a business. If the customers aren’t seeing the value and the fundamental value proposition that we deliver, so that’s where our heart is at. That’s where we focus. The business is all about that experience.
Yeah, because there’s nothing worse when you buy a product and you just look concerned. It’s always the matrix is the same and look like I said, I’m in product marketing. I know the dance we do. You’re going to have a three column thing and most people will land in the middle. You want to edge them towards the far right. You want to put them in the enterprise plus, or we call it platinum or unobtainium. We call it some exciting new thing, and it’s always like basic bronze, iron, cobalt, whatever. We try and make it like no one buys that thing.
But the fact that you’ve got a freemium entry point all the way up through effectively scaling on consultative additions to what you’re doing. You’re using a human based counter on the engagement level. Like I said, it’s a refreshing change. And I was excited by the approach, and I’ll be excited to have you on when we announce your series D as well. So mark your calendars, kids. You’ve got a lot of really good stuff coming ahead. I’m sure.
Yeah, we’re super excited as well. Thanks for having me on, Eric. Yeah, I think you mentioned it there. We want to take that consultative approach. We’re not afraid to say customers, don’t buy this. It’s too advanced for you right now. Don’t go buy APT protection against AI threats when you’ve got, you haven’t done your basics of building a threat and vulnerability management program yet. You don’t know what assets you’ve got. So we take customers through that journey. We don’t sell them something they don’t need, and we really help them to build a program that’s strong enough for where they are in their maturity in their growth phase.
But then, from a Cyvatar perspective, we grant super quick. Really excited to be on this journey. I say to the whole team, we want to enjoy the ride as much as the destination, if not more. So we’re having a great time doing it. Team is incredible. Customers are incredible. And yeah, looking forward to updating you on series B, C, and D, hopefully.
Definitely a lot of good stuff. And as far as the building approach, too, this is something we can actually, I’d love to have you back on, and we can dive into the founding team relationship of a technical founder and a nontechnical, is always such a, it sounds almost like a pejorative, but in that you’re not purely technical as a founder. It’s such an interesting mix and finding that match, it’s kind of hilarious. I’m sure when we look back on it, it’s always like chapter one of every book where you’re like, here is Craig.
And then he was sitting in a coffee shop in San Francisco.
It was a pub in San Francisco instead. I said, it super fast. The story of Cyvatar is just, the founding story is an incredible one because there were so many factors that might not have led to it happening. I lost my father a month before RSA in San Francisco. I nearly didn’t go. I was very tired at the end of a long week, and I nearly didn’t grab a beer with Corey. All those things just capitulated. And I eventually did. And the rest is history. Corey would say it was the universe.
I’m English, so I’d say it was luck, but whichever one it was worked out in the end, and like I say, the rest is history. But yeah, there’s a good story for a book there one day.
Yeah. And it’s hilarious that when you look back on it, you realize how many of those opportune moments that really, truly like I said, it’s luck of occurrence and somebody else as well. I literally just went into an Apple event and I happened to be sitting next to somebody. And next thing, they were backing my start up that I had never thought I was going to build four months later. It’s like just by the happenstance of sitting in a seat, never know what can occur. But it’s much more than the luck of the moments.
It’s the gumption and the choice of the team to put the time and work into it. So it’s pretty amazing to see it come together. Good stuff. So, Craig, if people want to reach out to you and get connected, what’s the best way to do that?
I love the social media. I’m all over it, Eric. So hit me up on LinkedIn. I’m on Twitter or obviously Cyvatar.ai for Cyvatar stuff, but I’m pretty easy to find online, so feel free to reach out.
Excellent. Well, thank you very much, Craig. It’s been a real pleasure. And there you go, folks. The links will be down in the show notes and such. And yeah, this was great. And sure enough, just like I said, history always tells you that if I say I’m going to have technical problems, we had technical problems. But we got through it. And this was a really great conversation. Thank you very much.