Danny Allan is the CTO at Veeam Software and shares updates and news that we will see happening at VeeamON in Las Vegas May 16-19. On top of that, we cover why system-level protection is a fundamental need, plus some great discussion on why data protection for containerized apps is the new normal.

Check out VeeamON here: https://www.veeam.com/veeamon (includes virtual registration for free!) Grab all the latest news on Veeam products here: https://vee.am/DiscoPosse

Transcript powered by Happy Scribe

Oh, yeah, that’s right. Welcome to the DiscoPosse podcast. Thank you for listening. And hey, thank you for watching. If you’re heading on over to youtube.com/discoposse, make sure you go give it a like and subscribe to the channel, because we’re spinning things up in a big way over on the visual side as well. And this is a great chance for you to see the one and only, someone who is fantastic, love having him on the show. This is Danny Allan. Danny is the CTO at Veeam Software. Also got to give a shout-out, of course, because Veeam are some of the supporters of the podcast. So this is cool because I get to talk shop with Danny. We talk about the ransomware challenge because, hey, ransomware is a disaster. And I mean literally, if you’re not ready and thinking business continuity and disaster, we talk about methodologies and real stuff that I remember from the field. So this is a good exploration. Plus, of course, they have VeeamON, their annual conference, which is going on in Vegas right now. It’s super cool to see that they’re back in person and doing some really neat stuff. So big thanks to Danny, of course, for coming on.

And of course, like I said, if you want to check out more about Veeam, you can go to vee.am/discoposse and you can get all that you need for your data protection needs, because they’ve got you covered in all sorts of ways. Actually, it was just a bonus. I had Danny on just because I wanted to talk to Danny. It just so happens that he’s from Veeam. And speaking of great supporters, of course, I’ve got to give a shout-out to JR and the team over at the Shift Group. Because if you are running a company and you need to bring on a sales team that’s going to make the difference, Shift Group is turning athletes into sales pros. So if you’re looking to hire driven, competitive former athletes, or even thinking how do you build a go-to-market that can actually scale both efficiently and effectively? Shift Group is not only offering a huge pool of really awesome, diverse sales candidates, from entry-level to leadership, but they’re also helping you to develop your overall hiring strategy, interview process, and truly building a culture of success and talent. What you need in those early stages. So get on in, head on over to shiftgroup.io and you can find out more about that. And while you’re at it, of course, one last little shout-out. Do you like coffee? So do I. Go to diabolicalcoffee.com. It’s super good! It’s tasty, it’s devilishly good, diabolically awesome. And hey, we support a bunch of podcasts. Oh, by the way, it’s me. Full disclosure, it’s my coffee company. So check it out. All right, this is Danny Allan from Veeam.

My name is Danny Allan. I’m the CTO at Veeam Software. Very excited to be with you. And you are listening to the DiscoPosse podcast.

Another all-Canadian episode. It’s a rare treat when I get to have fellow Canadians on. We actually had a fun one. There was a team of folks that do a podcast called The Produce Stand. It’s actually for a very Canadian show called Letterkenny. And the amount of Canadianness that came out in that episode was laughable. It’s so funny how we all kind of, especially if you talk about something that’s really based in Northern Ontario but has sort of Eastern Canada roots, we all very much adopted good, strong Canadian accents by the end of the hour.

I’ve watched all the Letterkenny episodes. They’re awesome.

Nice. So, Danny, thanks very much. This is great to have you back because we’ve been apart for a while as humans, as a society and as technologists. We’ve seen things move towards virtual for a couple of years for very obvious reasons. And we saw a real fundamental shift in kind of how we engage with people. And I was lucky; the podcast has been greatly successful because people are tapping into this type of learning and exploring these conversations. But at the same time, good golly, it feels good to know that, as you were talking before we started to record here, we’ve got plane tickets booked, we’ve got VeeamON, which is live in Las Vegas. So you’ve got a real in-person event coming up. So maybe if you want to, first of all, give a quick intro for folks that are brand new to you, and then let’s talk about VeeamON and kind of the excitement around that right away.

Sure. So my name is Danny Allen and the CTO at Veeam Software. We’ve been in business now for almost 15 years doing data protection. Which I point out is not just backup, but also recovery, recovery at scale, doing it instantly and doing all the things around the management of that data over its life cycle. Along the way, over the past decade or so, we have created and been privileged to have behind us a green army that loves the Veeam software. And one of the things that we’ve done since 2015 is an industry conference. And so coming up next week, it begins May 16th. We are having an in-person event in Vegas for the first time in three years. But I want to highlight for people, we are going back to the in-person event, but it will be hybrid. There will also be a virtual experience. And one of the things that we’re very focused on is making sure we have an equitable experience for those who can be there in person and we can shake hands and have fellowship together. We plan to do that. But also we want to make sure that the information and the content we’re providing is equally available for those who are attending virtually. So we’re very excited to have this event coming up.

It also brings up, as excited as many of the folks in the industry are to get back together, there’s still a lot of trepidation around travel and personal risks like this. Everybody’s got their own sort of comfort level with getting back, especially in big crowds. So I do like that you’re taking the hybrid approach. And it’s a tricky balance, like to have information be broadly shareable, but then have an experience that, like you described, makes it an equitable experience so that people in the remote situation have almost their own show that we can add other elements to. Because it’s been a real challenge, I think, as an industry, for us to have meaningful engagement through conference experiences because we’ve often turned them into 7-hour webinars. Which is tough, like good golly, a 1-hour webinar is enough to put anybody into nap mode. So it’s been tough to maintain meaningful engagement and meaningful collaboration as well. So that will be one thing. Danny, I’d love to get your experience, like looking back over the last little while, how have you and the team stayed really collaborative with both customers and just general industry peers?

Well, one of the things that we have certainly gone deep on is online meetings, virtual meetings. Starting out, I told everyone I want your video cameras on because I want it to be like we’re in the office together and seeing one another. And what you learn over time is, you mentioned something very important. Everyone is different. Some people like being together. Some people don’t like being together. That’s true not just across the industry, but within a company and within teams. We have people who are more comfortable than others being together. And you need to, or I would argue you need to. Some people say you want to. I say you need to accommodate for that. That’s why the hybrid is so important. But to share with you one of the learnings that I learned, we switched to video meetings all day long. I sat in front of this webcam, and this is what we did for 8 hours a day, or I did for 8 hours a day. But even that, I learned over the past two years, sometimes that is exhausting for people. And so I actually changed the model. If I do one-on-one meetings, for example, I still have the camera on. But if I’m doing one-to-many meetings, I don’t require cameras to be on.

And what you find is everyone is different. Everyone adapts a little bit differently. And the important thing is to seek to understand the person on the other side of 100 milliseconds of latency and help them to be the most productive that they can possibly be. And so whether it be meetings within Veeam or industry conferences, I do believe that this is the shift, the 2020 shift that happened. And as we go forward over the next decade and decades, I think the norm will be this hybrid experience that does its best to accommodate individuals where they are.

And it speaks to the power of empathy. Right. We’ve kind of over-injected that phrase into, you know, it’s like customer-centric. People say it a lot. And it looks great on a brochure or, you know, a header on a web page. But it’s activity and action that prove empathy in real life. And actually seeing it in motion the way you just talked about it is important, because we’re now seeing the return-to-work and return-to-office wave, and you can see that it’s having a pretty significant impact on people’s sense of what the current culture and future culture they want out of their organizations is. Both as the organization leaders as well as the broad base of employees. I don’t want to say rank and file, but especially you think if you’ve got a thousand people that are normally coming to an office, and then out of those pretty significant numbers are going to say that, yeah, we’re good back here. I’m just going to be at home. You call me when you need me. But it’s a real shift, which is, I mean, it’s exciting to see us navigate it, and I think we’ll get to something unique and new, but I think it’ll become as normal as normal can be described these days.

Yeah. If you think about the generations that have come out of college in the last two years, this is all they’ve ever known. They have learned to be productive in this world. And so if we don’t seek to accommodate that and empathize with that, then we won’t have a bridge or a place to start. One of the interesting things that has occurred for me in the last little bit as we started to go back to in-person meetings, they don’t tend to be in an office. It tends to be at a coffee shop or at a restaurant. And even when I have team meetings now, I don’t look to sit around a table and hammer out our strategy for the next year. Typically my team meetings are let’s get together and have a meal and establish that relationship. But we don’t focus on the tactical things. So it really has changed every organization is my belief.

And let’s just hope we all take the good lessons and the tough lessons and merge those together into new ways of doing great things together. Because it’s a very empowering thing when you can now enable remote workforce and embrace it because look, we remember how many companies have I worked for and talked to over the years that just said straight up like no, we can’t support a remote experience for our employees. It would impact the business too much. Now we didn’t have a choice and, good golly, we’d have all in the world traded the reason for the result. But now that we’ve had to live through it because of lack of choice. Now all of a sudden when choice is brought upon us, we’re like, oh wait, we do have choice and we can tackle it a different way.

Yeah, and I would push back on the “it hasn’t been successful,” because, well, if you take when the pandemic first hit and people started working from home, we had over 30 releases of products within the first year. I would argue that our research and development at Veeam, and I know this isn’t just Veeam, but we were even more productive when employees were working at home. The cadence of the product releases that were coming out was incredible. And I do think the key to all of this is data, which ironically, of course, is what Veeam protects, because organizations will be able to go back and look at that data and examine how people operated and what made them the most productive. And so I think we’re going to find those nuggets of information within the data that we’re creating or have created over the last two years that will help all of us within the industry to evolve and increase our productivity.

I think it brings up a good, I’ll say a parallel topic on the new way of doing business. And I see you’ve got a Kasten logo on, and looking at the evolution of application architectures, the evolution of the way that we run businesses and build IT services and applications now. Obviously now it’s been a while since Kasten has been integrated through acquisition, so congratulations again on that continued success and seeing the growth there. But early on, we got a lot of, I’ll say “we” as an industry, there was a lot of pushback that data protection doesn’t belong in containerized microservices architectures because the thrust behind the architecture is that it’s completely immutable. But it was really like saying security doesn’t belong because you could just destroy it and rebuild it again and it would be secure when you rebuilt it. You’re like, no, that’s not how it works actually. And we have data persistence, we have legacy. So Danny, I’d love to hear about now, especially that you’re further in, what is the impact of new application architectures, and now seeing where data protection is being recognized as a critical function.

Yeah. Well, two things I would point out. I’m a big believer in containers as the future of architecture and we see this just from results. I mean, we had 900% growth with our Kasten K10 products last year and that’s because containers are taking off. No question about it. There’s not a lot of migrations, I’ll say, from traditional applications to the new container-based application, but all the greenfield opportunities, every organization that I’m talking to is building on containers and they’re doing that for all of the benefits that container based architectures give, which is elasticity and portability and it’s more modern, it’s more resilient. All of those benefits come into play. So all the greenfield opportunities are going in that direction. But the other interesting thing that I’ve seen, and this connects with the data. When containers first came out, everyone said I’ll put all my stateless workloads in there and I’ll connect it up to some stateful location. Stipulate for a moment that that is true, you still need to protect the container architecture because the configuration at any given point matters when it’s talking to that data warehouse or data repository, whatever that happens to be.

And we’ve seen multiple kinds of repositories. We see structured data, we see a lot of unstructured data, we see message queues, we see object storage, lots of stateful data that is offline, I’ll say, from the containers. But the most fascinating part of this journey to me is in the last 12 months to 18 months, we’re actually beginning to see more stateful data pools end up in the containers themselves. People are saying I’m not going to run RDS over here on the side, I’m going to take PostgreSQL and put it inside the containers. And I expect that to continue as well. So to people who say it’s a stateless environment and doesn’t need protection, I’d say wrong in both cases: you still need to protect it if it’s stateless. But we’re seeing more stateful environments too.

Yeah. This is the intellectual view of it: that persistent data, and especially distributed data architectures, inside a container is an anti-pattern, and we’ve long held on to this. So the researchers in the industry have said that the architecture is not designed for it because in fact it’s designed against it. However, in practice, we know it’s going on, and then if it works in practice, at some point you have to say, it’s like the old picture of UI versus UX, this 90-degree sidewalk and then the dog path that goes 45 degrees across it on the grass. If eventually enough people are doing the thing that’s the anti-pattern, it’s no longer the anti-pattern. Right. If every hipster wears a monocle and rides a unicycle, then they’re no longer unique.

Right. Do you write code, Eric?

Enough to consider myself happy. I don’t do it full time, yeah.

So the reason I ask is because I write code. I try not to, I’ll be honest, but sometimes I just can’t help myself. There’s a problem I need to solve, and I often will put my structured database in containers. And the reason I do that, it’s so simple. I have a container infrastructure. I don’t have to call up a DBA and say, hey, can you carve me out a piece that needs to look like this and perform like this? I just spin up the database inside the container because it takes me 2 seconds to do and it’s completely ephemeral. I use it, I might destroy it afterwards. I might not. But the simplicity drives me as a developer to want to do it and like you say, I think that anti-pattern is becoming the pattern for the norm within the industry now.

There’s that interesting thing that is, we see adoption and adaptation, and those are two very important distinctions. Just like when we saw, I often talk about private cloud. Like, here we are. I’ve been a private cloud advocate since I was on the customer side of the world building private cloud architectures, doing bizarre things like getting OpenStack fronting a VMware environment when they weren’t really meant to play together at the time. And I successfully deployed a private cloud architecture for self-service for my development team. Well, here we are. Now it’s ten years later, twelve years later, and we’re finally arriving at private cloud democratization. And it’s really neat to see. And same thing as what was told to me at that time was like, well, why would you put a different front-end on a legacy back-end? Well, that’s because it’s solution-oriented, right. My solution was I needed a developer self-service front-end, and I wasn’t going to re-architect my applications and my virtual machines to run on OpenStack and with a different hypervisor. So I made something work that some people think wasn’t really a slick idea. But here we are, same thing. It’s like many years later. Well, what do you think that all these products are? It is the merging of traditional architectures with fresh, new, available technologies to solve an actual bloody problem. Which is really what we’re here for, right?

Yeah. It is definitely about solving the problem. We tend to think of it, or at least, and I’ll criticize myself in this, we tend to think of it from an IT perspective of I’m here to protect the data or I’m here to make sure that the data is secure. That’s not the motivation at all. The motivation is that the company makes money and we deliver a service that makes people more productive. And recognizing that and fitting in within that pattern is far more important than saying “thou shalt not put state in containers or thou shalt not do this.” And if we facilitate the business, because it is about the business, then we will ultimately be successful. My only hope is, as we go forward, we don’t forget the lessons that we’ve learned. And we often do that over and over. You know, we learned about the secure development lifecycle. We learned about the essential need to protect traditional physical systems. When we went to the virtual world, we forgot about it for a period of time. Then we brought it in a broken way. And as we go forward to not just containers, but serverless and Lambda-based architectures, we can’t afford to lose the learnings that we’ve learned over the last 50 years.

Yeah. And I often find, especially if you get into very developer-centric technologies, that they have their own sense of understanding of protection and mitigation. And we’ve talked about, you know, as an industry, DevOps was meant to sort of release the reins of the BOFH, right? The old-school operator that’s just getting in the way of innovation. But it didn’t take away the need for the practices that still happen on the ops side. It just meant that the deployments and the life cycles moved into this more fluid cross-team method. And I was using things like GitOps and using ways in which we could have lifecycle management, version control. But version control is not data protection. It’s point-in-time state capturing. But what’s protecting that? Every once in a while you meet somebody, you grab them by the collar and say, well, what’s protecting your version control? And they’re like, oh, yeah, I never thought about that. And like, well, I’m sure someone has got it on their laptop. That’s not data protection. That’s luck.

We can’t depend on luck, clearly as a strategy. But you find people that say, just use the infrastructure as a model of data protection. Snapshots are backup. And same thing. You see that in Kubernetes, too. People say, well, just take a snapshot of the data at any given point and you have data protection. But unless you think of it, backup is more than that. Thinking about the system in the context of that application or service, which is far more complex than a single VM or a single database or a single snapshot on a storage array. What are all the components that have to come together to recreate the environment at any given time? Because that’s really what the business needs when it’s going to recover. And we see this more than ever now, these massive ransomware attacks that are hitting us, they’re not just hitting a single database or a single component. It’s the whole thing that goes down. And all of a sudden you need to bring up something that is not just multiple terabytes. I mean, approaching petabytes. Sometimes these systems that have to come back online at scale quickly to what it looked like at a given point in time, that’s never just a single system. It’s a very complex array of environment that you have to bring back.

Yeah, this is the challenge. I did disaster recovery and business continuity for a long time, and it taught me this idea of system level thinking in that protecting the data was only as good as the matching protection of the application code, because I’m protecting my application code every 48 hours or every 24 hours, but my data is being snapshotted every seven days. Or maybe it’s completely other side where it’s like I’m getting data protection every 2 hours or every 15 minutes really, like near real time stuff. But none of the other adjacent protected systems align with those schedules. Well, how do you recover the whole system? And it’s this complex symphony of scheduling. And that’s why system-level protection now is finally sort of hitting us. That as much as we like the idea of decentralized IT. The applications are system central and it’s a very tough mindset for people to adapt. They kind of think of it as like, oh yeah, we’re a distributed team, so all we have to worry about is our stuff. You’re like, well, there’s somebody out there who has to know all of the stuff and protect all the stuff and be able to actively recover all the stuff. And I think that backing it up is one thing, but actually recovering it in practice is where the rubber hits the road.

Yeah. There are two folks on my team who are far smarter than I will ever be, who always say ransomware is a disaster. Melissa Palmer and Jason Buffington, they both repeat that all the time. If you’re looking for the silver lining in ransomware and some of the cyber threats that we’re facing now, it’s causing people to think more in terms of the system than in terms of a VM gets deleted or an array goes down or a computing server goes down, because you do need to think of it in terms of the holistic system to bring it back. So if you’re looking for a silver lining in ransomware, people are thinking more about business continuity and environments where, we mentioned Kubernetes earlier, you can have a multi-cluster environment that spreads not only across multiple clouds, but you can have clusters that are on premises, too, on Tanzu or Rancher or OpenShift. In these complex environments, you want to bring it back to the point that it was at when it was targeted by a malicious attack or whatever happened.

Yeah. It’s exciting to see the work being able to be done now in these, like, they’re multi-disciplinary Ops teams now. And we’ve gone away from, like, yeah, VMware was the sort of Ops-centric and Ops-focused community for a long time. And we used to sort of poke fun at Hyper-V, but now there’s pretty broad adoption of public cloud. And what’s happened now is that same 12-year VMware vExpert is now AWS certified and learning Kubernetes because we have to. The industry is shifting on our behalf whether we want it to or not. And with that, they have to adopt new practices, bring over the lessons of the previous generation, but also not just try and shove those on top of new technologies. So how have you found the sort of human understanding of adopting protection practices across shifting infrastructure patterns?

I guess one of the things that I’ve seen to be very successful, and you see this in verticals more than anything else. Financial services certainly come into play here. Technology comes into play. Those who take the approach of: my development teams are going to focus on the creativity side of it. So it’s true that they shift left and there’s DevOps and they’re going to agile and new models of development. Even within Veeam, for example, the Kasten K10 team, they drop code every two weeks; we have a new release of our product. So you want to allow the freedom of that creativity to shift left, move faster, deliver code, be more responsive in the service delivery. But the companies that have truly been successful have not told that team, hey, you’re now responsible for performance and backup and security and all the things, monitoring and all of that. What they’ve done is they’ve created a team, I suppose the evolution of the IT team, but Platform Ops is what I call it. There’s a team that enables them to turn those capabilities on for the creativity teams while they’re going through their process and not be a burden. Don’t slow them down, don’t go back to the old waterfall way of doing it. So the most successful companies are companies that still have two different teams: the DevOps people shifting left and being faster, but they still have a team that thinks about the architecture and resiliency and building in the properties that we’ve learned over the last few decades.

Yeah. And I guess it’s the thing, if you look at standing up an RDS database, it does not relieve the need for a DBA. It just changes the way in which they apply their practice. So the act of getting access to the resources is significantly faster. But the requirement for true design still exists. And so that’s another example of that sort of merger. And it’s funny, but we’re also sticky humans, right? We really kind of resist change, but I think once change is around us long enough, we get better at it. I’ve definitely seen even my own adoption of new things. My habit was always like, okay, stand up a VM, run a local instance, build my Ruby on Rails app, deploy my SQL. And also I’m like, let me learn PostgreSQL. So I learned Postgres. It’s better performance, easier to get at. And then also like, okay, let me containerize my application, and like, pushing away the crutch of, like, I’ve already got a template that I can spin up really fast with Vagrant, and I could be up and running in no time. Like, no, no, I’m going to take a week and I’m going to do it in a new way. And then at that point, I’m like, okay, I want to do it again, but faster. But it’s hard for me to necessitate it for myself. I think that’s on the human interaction side, Danny, how have you found the love of learning these new technologies? Because people have finally accepted, like, that’s it, I have no choice now, but they are enjoying the transition.

Yeah, I am by nature, myself personally, just a very curious person. How can I do things easier, faster? I mean, I remember the transition you spoke of, standing up databases and then making that easier and easier. I remember going to the LAMP appliances because of how easy it was to deliver a LAMP appliance and turn things on, and now it’s a Helm command to do the same thing. And so I’m always looking for those opportunities to make it easier for myself. Selfishly. But then to communicate that with other people. That’s why I think containers present such an interesting opportunity, because we can make it easier for the industry. And so it’s not about the technology for the technology’s sake, is my own thought on this. It’s how can I make the life of people around me easier? And this is true of everything. I mean, we used to grow all our food in the backyard. Actually, there might be a little bit of going back to that, but now we go to a grocery store, right? We used to generate our own energy. We don’t do that anymore. And so on a personal level, I just find it exciting to learn about what the future is bringing and then share it with customers and partners and everyone, because that’s what gets me out of bed in the morning. So it makes me excited.

Yeah. I always say, like I love organic food, or as my grandparents used to call it, food. Never had to go out of your way to certify it as organic. There was just no choice. That’s just how it came.

Yes. But on a personal note, as you denoted, I am by nature a curious person. And then the extension of that is I’m an excitable person because I see the benefits in the new ways of doing that. And frankly, that’s a big role of what my job is here at Veeam is to communicate externally where the industry is going and making things easier for everyone. Making it easier for that DBA who had to spend half of his day doing pointless, repetitive tasks that really provided no value. Can we eliminate those things and let him focus on the things that makes him great at his job?

Yeah. And I think, to me really, that’s where, maybe it’s just because I’m at this point in my career, I’m far more excited by that outcome. Like watching somebody’s life get better because of a new process they take on, and especially bringing in new generations, people who’ve been exposed to technology so early in their life, but then bringing use cases to it where they can make a career out of it. That’s what makes me tick now, because I realize, like, I could learn it and I enjoy the process of learning. But there’s nothing more beautiful to me than empowering somebody else to find their journey and helping them along it. It’s just something that, maybe it’s because I’m an older fellow now. That’s the thing that makes me smile a lot more than just me learning Kubernetes.

No, it’s the same for myself as well. I have six children and thankfully a number of them, I shouldn’t say thankfully. Thankfully, they all follow their passions, but some of them are very computer centric. But I don’t take them back to what I learned in COBOL, and mainframes, and Banyan VINES network. I mean, I want them to focus on the now and the possible of the future. And so, languages for example, my son started learning programming languages. I didn’t start them back on Basic. I said, no, you should start with Go and modern languages and figuring out how to use existing frameworks, don’t go back to assembly. And so I am excited that a lot of the things that we had to figure out are just inherent properties now of the platforms that the future will use.

Yes. It is amazing when you can unlock that with your kids, where you can give them that option now that we didn’t have. Like, I remember when I was a kid, my dad brought home, he bought Sinclair ZX-1000s. And these were like little tiny black things, and they actually had an integrated keyboard. So it was like pressing on a calculator button kind of thing. And it was a 16K expander in the back. Clearly dating myself here when I came up in technology. But I have a picture of me as a kid, just sitting there with this little tiny tube TV plugged into my ZX-81 and my ZX-1000, my sister and I mucking around with BASIC because that was all that was there at the time. And then now to be able to have kids use Scratch as a programming language or use very visual programming languages and no-code stuff. And they’re learning process thinking and system thinking so much earlier, I think, or the opportunities are there more so, which is exciting. So that when they get to the point where they take it on as a career, they’ve had much more exposure versus, like, we had to grind it out and just say you could do stuff that you didn’t necessarily know you could do and just hope you could pull it off. And now they’ve got opportunity there.

Yeah. And the no-code, low-code, Scratch type models. The benefit, of course, is that the line of business can focus on delivering what they’re trying to deliver. Because really, do you want your value to be on writing if-then-else statements? Probably not. You want to focus on what it is you’re actually bringing out to market. Now there’s going to be some people that need to focus on the core fundamentals. The challenge that I see, of course, is that the stack is getting so much more complex. It used to be that you could get a full stack developer who understood everything from the top to the bottom. These days, in modern infrastructure, there’s not many people, and I confess I’m not one of them, that can fully understand everything from the top to the bottom the way there used to be 20 years ago.

The sort of mythic full stack developer, because I’d say the phrase came because it meant you could write PHP and do MySQL queries; like, that was pretty full stack. And now it’s like the work that goes on in Visual and just JavaScript frameworks, you can’t sneeze without hitting a JavaScript framework and eleven of its neighbors. But every single one I want to learn, I kind of get overwhelmed, because I look and say, oh, I should learn Angular, and so, perfect, let me stand up something in Angular, and then it says, oh, you also need React and then this framework and then you need a package manager. And then I’m eleven products deep and I still don’t know what Angular is, versus, like, I just do Ruby on Rails. It’s one of my favorite frameworks. It’s just a beautiful DSL. I know enough Ruby to be dangerous. Stand it up really quick, set up the back end. Understand enough about choosing my JavaScript front end. You know, use something simple like Tailwind or whatever. And that’s enough of my full stack. But true, like, end-to-end full stack engineers, it’s a tough thing to find. They’re very unicorn-like.

That is true. And even more so with modern platforms that exist today. And truly, can you have a full stack developer if you’re writing using Lambda functions where you don’t even see or know what is running on the back end? Probably not. You’re only getting a stub to an API that does something for you. But that’s not to say it’s a bad thing. I go back to the exciting thing about the industry right now is, data is driving all the value within organizations. That’s even more true, I would argue, after the last two years, because we couldn’t be together in person, we didn’t have physical value to drive in the same way. And so data became even more valuable, if that was possible. And so protecting that, enabling that, facilitating that, managing the life cycle of that. It’s just what makes things so exciting for where we are right now in history.

And as we move to ephemeral and immutable being standardized as patterns of infrastructure and application deployment, I’m glad to see that protection, at least at some layers. We hear about the shift left idea of introducing security and protection. Well, like I said, ransomware is a disaster. If we think about disaster recovery and business continuity, ransomware, security, these are vulnerabilities. These are risk components to an organization. I’m in the risk business. I love mitigating risk. It’s probably one of the weirdest things to say you’re in love with, but understanding where the edges are and then mitigating for the edges and then finding that edge. It’s effectively theory of constraints in the risk world. So as you see, chief risk officers and chief data officers, they’re introduced in security and data protection in their mandates now for the organization. Right. So what are you seeing as an evolution on the executive team’s understanding of the impact of protection?

Well, we’re certainly seeing the emergence of chief data officers and risk officers, because there is a balance there and an anti-pattern between two things that you just mentioned, ephemeral and immutable. Both things are needed. Sometimes you want to keep things for a little bit of time, sometimes you want them for a lot of time. We just did a study on ransomware, we’re actually releasing it at VeeamON around ransomware specifically, and 94% of attacks now are going after backup repositories because it is the last line of defense; they want to delete that, right. And so immutability becomes really critical. But I think what we’re seeing is kind of two things at a board level. One is how do we balance things being ephemeral, that we use them only for when we need them, and keep the things that we actually need to keep. And then for the things that we need to keep, how do we manage the privacy of that? We focused on security now for 20, 30, 40 years. Privacy is coming to the forefront of executive senior leadership teams or board teams. In fact, there was a recent framework just released between Europe and the US around privacy and exchanging of data.

And I’m excited for that because, frankly, there’s been a hodgepodge of different regulations. There’s GDPR and CCPA, and we’re going to see more of those. And that fragmentation kills organizations. So two things that I would say we’re seeing within the enterprises. One is the policies that enable the balancing between ephemeral and immutable. And secondly is, okay, now that we have the data that is immutable, that we do need to keep for whatever period of time that is, how do we delegate down access to users, if they own the data, so that they can control it, and they have some say in the data that we’re collecting about them?

I think we’re probably on the verge, if not already happening, of what we saw with Sarbanes-Oxley. Right. So when SOX compliance came in, and I remember being in the financial services and the insurance organization, and we talked about the implementation, and it’s a fairly loose framework. It’s loose and tight at the same time. Very specific, but also general in its specificity, like typical lawyer speak.

Yes.

But what was important about the actual implementation was it meant the executive team and the board actually signed a declaration that they hold personal responsibility for maintaining compliance. So you are very personally vested in the success of a program wrapped around compliance in that. And I think we’re going to see that in the data privacy arena soon. I mean, we already are to a degree, but I think we will see a much more formal standard where you will have officers signing a declaration and saying that we hold this to be true, and I’m to be held responsible if it’s not true.

And that’s a good thing for the industry, of course, because as the saying goes, if you’re not paying for the product, you are the product, which means that organizations are collecting more and more data. And we want to give people the ability to control what is held about them by organizations. So I am grateful and thankful for the elevation of the criticality of this topic. And while SOX was both loose and tight – Sarbanes-Oxley, I believe that same model would be very appropriate for data retention as well. Because I have six children. Do I want an organization that I am not paying money to start collecting data about them, their birthdays and their health information and shopping habits and whatever it is that they do? No. I want some degree of control over what is permissible and what is not permissible.

When it comes to then designing protection systems, now, this is interesting when you think about the right to be forgotten, and this is why I’d love to hear your view on approaching it systematically across the whole environment now. Because the right to be forgotten and the right to be protected are now system wide. The interlinking and using sort of centralized platforms is much more critical now. Right. It’s no longer I’m going to protect my VMware with this, I’m going to protect my containerized stuff with this, I’m going to protect my cloud with this. The system-level understanding for data awareness and traceability now is critical because you have to be able to get rid of it systematically on demand, but also be able to recall it systematically on demand. It’s a really complex challenge.

It is. And it’s one that Veeam has been very focused on from the very beginning. If you go back a decade, people don’t realize this often about us. But if you take security, for example, before we get to privacy, we were leading the industry in a lot of the capabilities now that people just take for granted. Immutability, for example, or tagging data. The first step of the NIST cybersecurity framework is identify your data. Right. And that capability we have carried forward from security to privacy. So with GDPR, we would tag data that this data belongs in Germany, can’t leave Germany. This data is in the US, it can’t be recovered elsewhere. And so those concepts of securing the data, identifying, classifying the data, knowing who can have access to it, where it’s allowed to be spun up, is something that we’ve built into the platform from the very beginning. We’ve been very thoughtful and intentional about it. Now, I know the latest hot topics are zero trust this and whatever the buzzwords are around those things. But we’ve been building this into our platform for the last decade, and it’s why we have such a large customer base and so many passionate customers coming to our conferences.

I always tell people that I’m a firm believer in zero trust security and that I have zero trust in your security. The thing that I had to learn through business continuity was both the systematic level of managing business continuity and data protection and application protection, as well as the human element. Because this was an interesting thing that we saw play out, because I was active in a huge multi-million dollar program. And I covered, distributed, my 1200 servers that I had to do protection for. And this is everything, every organic service, everything that was oxygen from the bottom up, like DNS and Active Directory, like the order of recovery. I had to have this all done at a systematic layer. Like, can I recover it as much as possible without human touch. But also then, understand the availability of humans for it. And we’d often, like, I feel bad in hindsight, right? You get a little bit of gallows humor, but say, okay, so imagine the data center blows up. So it’s just a big smoking hole, right? You start to create these images and then somebody from human resources says, can we please not say that? That’s really not appropriate.

I’m like, oh, yeah, sorry. But imagine we lose access to the building. So we had to understand the availability of human elements, because if, let’s just say, we lose access to the entire environment or a major attack occurs or a power outage, you also have to weigh out availability of human resources, like actual people. And so when we, again, are thinking system approach, how have you seen the change in automating recovery and adoption of more automation in these protection systems?

It’s exploded in the last few years, Eric. And the reason I say this, we have a product, Orchestrator, that does exactly this, that stands out in the industry because it orchestrates complex environments. What I mean by that is anyone can spin up a few VMs, or any good backup vendor, of course, that does backup can recover a few VMs. But what they can’t necessarily do is, I need to spin up 46 VMs in this specific order, create some VLANs. I need you to move this from here to there. I need you to change DNS. That is a very complex, orchestrated workflow that I argue organizations will need to do, whether it be for natural disasters, whether it be cyber events, because you’re going to have to prove to your cyber insurance company or to your board of directors that you can actually recover. And the events of the last four months have highlighted this more than anything. We had a development team in Ukraine, for example. So you can imagine the types of things that we had to think about at a people level, because your systems can go offline. But what happens if your people are no longer available to work on a project? So automation, not just of the technology stacks but of the people involved, becomes absolutely critical.

Yeah, this is it, and it’s automation by people. So we’re taking people processes and automating them. Not eliminating the need for them, but ultimately freeing them from those extreme situations where you need it. Because that’s exactly it. Right. These are complex, multi-tiered, multi-faceted systems. And it’s just not feasible that you would have somebody who’s got anecdotal tribal knowledge to do recovery. Not at any decent scale. It’s tough. And that’s why I’ve always liked that your approach through Veeam has always been, like, the core out, versus a lot of folks that focus purely on disaster recovery. But then they had to build data protection and then try to build continuous data protection. But it was never their focus. It’s much easier to go this sort of spider diagram outwards, like, if this is your core and you always go back to the core while adding containerized complex recovery in a second environment. We already have all the images, we have all the data. We’ve got a second cloud. It speaks Kubernetes, do it. Right. If you didn’t have the core nailed down, you’re writing the whole system top down, which is a horrifying way to build a company.

Yeah, you’re speaking my language now, because the core of what Veeam has always focused on is – protect the data and recover it as fast as humanly possible. Right. That is the essential core of what Veeam does. And we’ve done that for virtual systems. But over time, we expanded that into physical and into cloud and into SaaS and into containers and all of these different models to protect and recover that data. But you don’t stop at protecting and recovering the data. You want to orchestrate complex workflows and migration and copies of data for other people. And what really gets me excited, and I think that Veeam is positioned better than anyone else in the industry. Of course, I’m biased. I work for Veeam, but we own all of the data. You know, an interesting thing, Eric, people come to us and say, I want you to tell me where I have malware in my environment, where I’ve got ransomware. And I think, why would you do that on a secondary system? Like, why don’t you do that out at the edge in your IDS or your IPS or your firewall? Why? If you’re discovering it in the backup, it means you’re already too late.

But here’s the interesting thing. It’s because we have every piece of data that they have in their entire estate, whether it’s in the cloud, on premises, I shouldn’t say “or”, it’s “and”, right? In the cloud and on premises and in SaaS, we have the best data warehouse lake pool that is possible to have. And from that, you can of course protect it and recover it. But you can also begin to use that data for new and interesting things. And that’s what’s really interesting. If you own all of the data that you generated in the last two years during COVID, where are you going to go to find out, how do I make my company more productive? What are employees actually doing? You’re going to go to the person who houses all of that information, which is Veeam, you’re going to spin up copies, and you’re going to begin applying TensorFlow and machine learning techniques and artificial intelligence to make the business smarter about all of the data that it already has.

Yeah, it’s an interesting thing. Right. Like you said, there’s ingress and egress. Right. So that’s where IPS and IDS systems come into play. But any true sort of CISO worth their salt will tell you, assume you’ve been compromised. And how do you do that? Right. Well, it’s going to be data at rest or data in flight during processing, internal processing. So assuming that it’s already in here, and it could have come in by a USB stick or by a laptop that accidentally plugged into a Starbucks and connected to a WiFi Pineapple instead of an actual WiFi. Right. Then it goes in and it bypasses IDS, IPS, and it gets backed up. And that data now is in some beautiful static immutable repository. You can do all sorts of exciting intelligence on it at that point. But again, to the core story, being first, do that fantastically. So, you know, that’s what you can do things on top of, versus go figure out how to build a machine learning company to go through data. But like, what data are you going to go through? There’s all sorts of assumptions, where you’ve eliminated the assumptions because we own the data.

The edge should be informed by the core, right? You don’t want your Tesla, self-driving Tesla, going down the road figuring out what a stop sign is. That’s already been figured out in the cloud, and instructions have been given to your self-driving vehicle. This is when you stop. This is when you go. And so it’s not that IDS and IPS and data loss prevention systems and all of these security tools are going to go away. It simply means that they’re going to be informed and configured by the core where you have all of your data. And so if you know what all of your data looks like, you know what’s in there, what’s normal. You can begin to do the heuristics and anomaly detection that actually does the configuration, because you don’t want humans doing that if you can avoid it. You don’t want a human programming the Tesla on what a stop sign is. The core is telling the edge how to configure itself. And so in my mind, all of those platforms become more critical, but they’re configured by the central repository of your data, which Veeam is all of that.

Yeah. And again, it’s that thing that assume you’ve been compromised has to be the default state of any offset system security person. Because even if you’ve got incredible endpoint protection and DLP, all it takes is for you to be one signature late. And I’ve seen this in practice where you start to get weird errors. Like, you know what? We’re getting a weird error. The signatures aren’t updating. Tell you what, just hit OK on the error message. It’s all good. 4 hours later, found out that we’ve been ravaged by a system which was ultimately trying to become a botnet. And then seeing all this stuff, which is doing all this phone-home stuff. So all of those edge systems are coming into play. So what do you do? Well, we shut down the edge, we literally closed the door. Well, now what do you do? How do you find where the data lives? How do you go back to the most recent immutable backups and ultimately find the origin, build the heuristic and enable the endpoint? It’s an orchestration of all these incredibly complex systems. But again, if you don’t have a safe origin, an immutable source, everything is a variable and you cannot, it’s the traveling salesman machine learning problem. It’s impossible to solve, but yet we get stuck on, like, oh yeah, just put up better firewalls.

Yeah, it’s owning the data, managing the data, tiering that data. In my mind, it’s what gets me out of bed in the morning. And frankly, a lot of that comes from our customer base too. It’s not just Veeam engineering in isolation. We’re constantly talking to partners and analysts and our customer base. And we have an unfair advantage because of the size of who we are, perhaps. But I think the best is still out in front of us.

Unearned advantage, I would call it. Because it’s proof in staying on a core mission, delivering a product and a method by which people can adopt it so that it’d be successful. Right. The stuff doesn’t happen by accident, for sure. And we know we’ve all, every company will. There are things you never want to be in the news for, and certainly a victim of ransomware. It’s like my only goal in life is to never be referred to as embattled. I don’t even know what it actually means, but it seems like when you get that tag, it’s a problem. And these affect shareholder value when somebody gets affected by ransomware. So we have a vested interest in succeeding in adapting the ways in which we can do it, because the systems are changing.

And the mindset there should be, we should just assume that we are going to be compromised by ransomware. Then what? Now, clearly we don’t want to be. In that study that we just did recently, 76% of organizations had at least one ransomware event in the last year. And I would argue that probably the other 24% may not be aware that they had a ransomware event in the last year. But you should start from that as the starting point. Okay, what is our plan if we get hit by ransomware? Do we start at the firewalls, at the edge, at the core? And I’m not here to dictate to you, do this or do that, but you should start with the plan of managing your data and operations and business continuity from the expectation of we’ve been compromised. Now what?

Yeah, as a track cyclist, we have a famous saying: there are two kinds of track cyclists, those who’ve crashed and those who are about to. And that’s exactly it. Right. 76% say they acknowledge they’ve been hit by it and the other 24% are just closing their eyes and hoping that it’s not true. So that’s it – “assume compromise, now what?” And build systems to be prepared for it. And it’s good. So I’m excited. I’m going to be watching a lot of the content for VeeamON. What are the big ticket items that people can be watching for as far as, like, cool sessions and stuff that’s happening on the ground at the event?

So the core is, as many organizations right now are, very much highlighting security and our security capabilities that we’ve been developing over the last weekend. So you’ll see, in the technology sessions, we go deep on security and hybrid cloud and multi-cloud and containers. But if you’re really interested in the sessions, everyone loves our flagship product, Veeam Backup & Replication. We’re going to be giving a sneak peek at version twelve of that.

It’s been that long already, it’s amazing to see the growth in the product. And then the version numbers are indicating how long we’ve been at this.

A very significant footprint. I mean, we have over a million installations, real installations out in the wild now, of the flagship product. But then everyone is really interested to hear and see what we’re doing on our cloud products. We have a cloud-native product for AWS, Azure, and GCP, and we have new releases of all of those coming this quarter. So as you might imagine, there’s some really good sessions on that. And then you started by asking how we were doing during the pandemic. We’re communicating via Teams. Everyone is. So our Veeam Backup for Microsoft 365 product. Very excited about that. We’re going to be demonstrating that on main stage and what we’ve done to reduce costs and make it more self-sufficient for users to go in and recover their own data. And the one that I am personally most passionate about, probably, is our Orchestrator product. We talked earlier about a systems mentality. We’re going to be talking about recovering from ransomware. So taking that security concept and applying it from an orchestration point of view to bring organizations back in line. So we’re going to be breaking news on coming features within products, but also focusing heavily on security and hybrid cloud in coming products.

Amazing. Yeah. As a long-time person trying to hack together systems to do what orchestrators are able to do, it’s amazing to see, every time I would think of, like, you know, what I would have needed to do, and see it show up in there. And the fact that it’s being created as a framework, more so than a pure core product that people are sort of writing SDKs against. I like that it’s flexible in the capabilities. And then we’re going to see, thank goodness for bi-directional API access to so many things now, that it’s very easy to trigger really clean workflows and you don’t have to depend on you building it as a Veeam core function. But now I have the ability to adapt my own systems, add my own ChatOps, add my own external integrations. Super cool. So framework for the win, as far as I’m concerned.

Well, it’s easier for those people who haven’t registered and are listening to this. You’re going to see on main stage and the technology keynote using APIs to do something really interesting. So, via an API, we discovered some ransomware. What can we do? So that’s a teaser for people. But yes, APIs for the win. We have a very modular framework, of course, that connects together so that you can start with whatever component you need, but you can expand beyond that across your organization to do all the things that your organization needs to do.

I like that. And I can’t remember if I told you this before, Dave McJanet, also a fellow Canadian, CEO of HashiCorp. And I talked with Dave at one point about, you’ve got this beautiful, sort of, multilayered set of frameworks that can tie together beautifully, and it truly is a platform. And he’s like, if you squint hard enough, it’s a platform. But we truly treat it as a framework more than a platform, because platform indicates that you require interdependencies, and that’s actually not the case. They’re frameworks with layers. So happens they sell you a thing at each layer, but you don’t need to be using that thing at that layer. So that’s why the flexibility of this framework approach, where the Veeam core platform still exists, but then having framework extensions, that is a fantastic approach. As a consumer, it means that I’ve got flexibility. And flexibility is something I’m willing to pay for, for sure.

Yeah. My single controversial statement would be, I don’t like platforms. Single glass of pane. Single pane is a single glass of pane. Because the release of that is painful. Right. If you can create a framework with small modular components that are right-sized for the environment and there’s a framework for communication, that’s a far more effective solution, I would argue, for every organization, from the smallest all the way up to the largest. And it’s actually why we have the same product. I installed the product in my basement. I have six U of compute. I know most people may not have racks in their basement, but I do. But that is the same software that actually protects our largest service providers with hundreds of thousands of machines, or the largest financial institutions with hundreds of thousands of machines and petabytes of data. Same software, because it’s a modular framework.

Yeah, I can say that truly. People often ask, like, you know, you talk a lot about Veeam. And obviously, I’ve known you and the team for a long time, and they actually do support the podcast and my blog as well and have been fantastic partners on that side. But I legitimately use it. I actually took a Synology that I loaded up with all of my podcast episodes. So this is the trust. And I just, like, unplugged all the drives one by one. And I was like, oh, boy, how this works. Go to the second Synology and, all right, start the restore process. And as if by bloody magic, there was all my data. And so the proof is in the pudding at that level, to use it and succeed so easily. And then knowing at the enterprise layer. Yeah. The scale of that MSP stuff that you’re targeting is incredible.

Yeah, it really is. People don’t realize what a significant part of the business that is for Veeam. We’re the largest backup as a service provider in the world. I think I can say that based on data, because if you look at the counts of VMs and users protected from Microsoft 365, we’re in the millions. We’re not small. We’re going to be sharing more numbers on this at VeeamON. But we have a massive business. We drive, definitively, if you do the mathematical analysis on this, Veeam drives over a billion dollars of revenue in the as a service space. Forget about the direct to customer sales. These are now cloud service providers delivering services out to market. We drive over a billion dollars of sales in that.

And it’s amazing. They said, well, people may look, and it’s so funny, too, because, you know, the logo, and we sort of have, like, oh, yeah, I remember. It’s like, even when I remember doing disaster recovery, my favorite thing is I built the first VMware environment in one organization and then we did disaster recovery on it. And people were like, this is fantastic, right? And so we were using Veeam, a very early adopter of Veeam. And it was funny because then all of a sudden it was, like, five years later. And people just said, like, oh, how long will it take us to recover? How many servers do we have? What, about 30? I’m like, we have 480 servers now. The last time you counted, apparently, was the first time I showed you at work. But to see that growth and the platform adopted and the company grow. And, like I said, Kasten doing some huge growth numbers. So, yeah, I’ll be watching for sure from afar. Unfortunately, I can’t make it to Vegas, but I look forward to it. Good luck. Have a great trip. Enjoy the event. And for folks that want to connect with you, Danny, and find out more about what you and the team are doing, what’s the best way they can do that?

Well, Veeam.com is always the best place for information on Veeam. I’m happy to connect with anyone on LinkedIn or Twitter. On LinkedIn, I’m Danny Allan. @dannyallan and then on Twitter, @dannyallan5 is my handle. I’m semi-active. Not as active probably as you, Eric, but I always enjoy meeting new people so please reach out.

And I imagine you’ll not be watching Twitter for the next week, except for seeing your notifications light up and grow, because people will be announcing lots of stuff and live-tweeting everything, so it’s going to be a great event. There you go, folks. Go check it out. Links down below, of course. What’s happening and, yeah, excited. So we’ll catch up after. I would love to hear. I’m going to pore over the announcements and watch sort of the analyst view of it, and I’m excited on your behalf for what’s coming up.

Excellent. Well, thank you, Eric. I appreciate this time to chat about it and look forward to everyone being able to join us either in person or virtually.

All right. Get it done. Yeah.


Craig Goodwin is the Co-Founder and Chief Platform and Strategy Officer at Cyvatar, a technology-enabled cybersecurity as a service (CSaaS) provider.

He has over 15 years of experience leading security across both the public and private sectors, building holistic security functions that combine the range of security disciplines under a single effective function.

We talk about the method of delivering Cybersecurity-as-a-Service, the reason it’s more critical than ever, and also the approach of building leave-behind process and platforms to deliver the best customer experience.

Check out Cyvatar.ai here: https://cyvatar.ai

Transcript powered by Happy Scribe

Welcome, everybody. It’s Wednesday. Or at least it is if you’re catching this when it comes out fresh because this is the DiscoPosse podcast, your weekly leading technology startup podcast, and you’re about to get exposed to a fantastic conversation with Craig Goodwin, who’s with Cyvatar.ai. Now Craig is really fantastic. He’s co-founder and he’s somebody who I really enjoyed because as a chief platform and chief strategy officer, he had this beautiful mix of having lived the life of doing the things around security and now brings them to how to deliver these as a platform, as a true cybersecurity-as-a-service.

Really great stuff. His methods, approach, just a very enjoyable discussion as well. Somebody I would love to spend a bunch of time chatting with. And speaking of spending a bunch of time chatting with, I’ve got to tell you that the reason I get to spend a lot of time chatting with these amazing people is because of the amazing folks that actually make this podcast happen and support it. So I want to implore you to please do me a favor. Number one, go check it out because everything you need for your data protection needs you can get from our good friends at Veeam Software.

I’m a longtime friend, fan, and they are really cool in that they’re supporting the podcast and making sure that as they look to bring their own message to the market, I’m pretty pleased that I’ve been able to be a part of that, featuring some of the great folks at Veeam as well. So go to vee.am/DiscoPosse. They just came off of AWS re:Invent. They got a really cool campaign. It’s a comic book download, so really cool. So go there. It’s actually the landing page. If you go to vee.am/DiscoPosse, you can get your very own AWS superhero comic book.

Please do that. Very cool. I absolutely recommend it. And also, of course, speaking of protecting, the one thing you want to make sure is not just protecting your data wherever it is, but protecting it in flight. Protecting your network, protecting your identity. You can do this by using ExpressVPN. I’m a longtime user of ExpressVPN because I travel a bunch and as part of it, I want to make sure that I’ve got consistency of experience and safety while I’m traveling around and using other WiFi and other networks.

So please do try that. Go to tryexpressvpn.com/DiscoPosse. It really is just that easy. Oh, that’s right. And also, I have a coffee company. I hope that you enjoy it. I do. And if you want to go check it out, it’s diabolicalcoffee.com. Not much more to say about that. Really, really good coffee. Go check it out.

Hi. My name is Craig Goodwin. I’m the co-founder of Cyvatar, and you’re listening to the DiscoPosse podcast.

So thank you, Craig, for joining. I’m definitely in excited mode in what we have a chance to talk about, because when I saw Cyvatar come up on the list. You’re actually on my companies to watch. And it’s a rare treat when we can dive into, I’ll say it’s funny. It’s like this burgeoning area around cybersecurity and offering it as a service and injecting ourselves earlier in the development and operational workflow. It’s new to the world, which is terrifying because it shouldn’t be. But this is why the opportunity is huge.

So I think the best thing we can do for folks that are new to you. Craig, if you want to give a quick bio and we’ll talk about Cyvatar and the challenges that you’re solving.

Absolutely. Pleasure to be here, Eric. And thanks for adding Cyvatar to that list. I’m sure it’s a long one given what you do, but I’m privileged to be a part of that. Sure. My name is Craig Goodwin. My background. I’ve been on the end user side of cybersecurity for about 18 years. Before that, I was in the intelligence services with the UK government and fell out of that when chief security officer was just becoming a thing, really. And then spent 18 years building, operating, running large scale cybersecurity businesses as an end user.

So companies like Monster Worldwide, Ferguson plc, CDK Global, which is a big automotive tech firm out in Chicago and then Fujitsu before finally co-founding Cyvatar with my co-founder, Corey White, who is based in Orange County in California. He’s also got a long history in cybersecurity, but from the other side of the house. So he’s been building and running cybersecurity vendors for 25 years, and I come from the end user side. So the first pitch of Cyvatar is always that we’ve got both ends of the spectrum.

We’ve been there and done it from an end user perspective and also a vendor’s perspective. So we know what’s broken and we know what we need to fix to deliver better outcomes for customers and businesses globally.

I think this is really why I loved your sort of mix in the founding team. It’s a fundamental problem that we have in so many startups is that we attack it purely from the intellectual like this is sort of the scientific method, and we come at things and there are points when you have to have a very opinionated resolution to things. It’s often how we succeed, is you can’t just sort of do incremental change. You have to come in and say, this is the way that it’s going to work.

We have to remap some of the processes. But because you’ve come from the experiential side, the buying side. I used to do the customer deal as well for a couple of decades, and it allows me to approach technology in a way that I know well in a pure intellectual approach. Fantastic. But will this actually get adopted and used in the way that we would hope. Really, the thing that I want to focus on, Craig, is this idea that you’ve seen it in flight. You’ve seen it in play.

You’ve actually implemented solutions, and you know that it’s much more a human problem sometimes than a technology problem, especially in the area of security and cybersecurity. So how did that two sided approach influence your choice to start the company?

Yeah. When I met Corey a couple of years ago, at the kind of founding of Cyvatar, I was in that place where the industry is going crazy right now, particularly from the VC point of view, there are, I don’t know. It changes every day, four and a half thousand plus products out there or something crazy. So I was having a lot of VC friends. A lot of founder friends say to me, you should found a business. You should do something now that you’ll be able to get the funding.

You should take that knowledge that you’ve got as an end user and create something. And I’ve been thinking about it for 6, 12, 18 months, but I wanted to find the right, and it sounds like a bit of a cliché, right? But I wanted to find the right thing, the thing that actually solves the problem as an end user. I’d fought with it for 18 years, and the kind of problems that I found were that I bought pretty much every product that existed. You could say the Noah’s Ark of Cybersecurity, but two of everything.

And that was true. You’d go out and you’d convince yourself as a CSO that your number one objective was to convince the executive team or the board to give you more budget, and you do that. And I do that really well. And then with that budget, I go and buy some more products, but still wouldn’t get to secure. I still wouldn’t get to the actual outcome that I wanted as a chief security officer. No matter how many products I bought, I still found that I needed large internal teams or my own platforms that I built myself internally to actually do the hard part.

And the hard part was actually the fixing. Actually getting into the outcome of secure. And I found that 90% of the products on the market would point out my problems for me, but simply add to that list of things I had to do. Add to the problems that I had to fix and not actually fix or solve any of those problems. When me and Corey met, he told me about his idea for Cyvatar and as a service solution, I said, Well, look, I’ve done that internally, three or four times over.

I’ve built the platform that we need to build to allow that to be successful. I’ve been the end user side consuming that. So let’s join forces. Let’s bring those two components together. He’s been running services businesses for 18 to 25 years, so he knew that one-off services just didn’t cut it anymore. I’ve been running the end user side and knew that products didn’t do it. So then things combined just led to what Cyvatar has ultimately become, which is the ability to pull to your point people, process, and technology altogether into easy to consume subscriptions that mean you’re getting to an actual outcome rather than just finding more and more problems.

Well, I remember, the thing was ADT security or something. It was like something like a physical home security company that had a great set of commercials. And it was the whole thing of there’s monitoring. And then there’s us, right? And this whole thing of like a guy, a bank is getting robbed. And someone just looks at the guard says, “Aren’t you going to do something?” And he says, “hey, he’s robbing the bank”. This is monitoring. Obviously the first layer is always discovery doing that monitoring that observability, which is sort of the new catchphrase in the industry.

But then from that point, being able to action on it is the gap, rather than just basically saying, hey, there’s something going on. And now it’s your fault. You’re just handing it off to an operator or developer. And this is a complex ecosystem in the organization. The CSO doesn’t have effective control over IT in the same way, because they generally report up, like directly to the CEO. They report up, if anything, possibly adjacent to a CIO, possibly through legal and procurement. More so than just operational IT.

And there’s really a lot of stuff that falls under that bucket. So while they could say, there’s my aspiration to achieve a secure workplace, a secure environment, this now has to cross into seven different divisions of IT and many, many other things.

Yeah, 100%. And I could talk about that for days. I think to unpick that a little bit. You’re absolutely right. I think the trend and it’s going to continue to be a trend is decentralization of the security function. I used to joke or half joke as I was building security functions, that my ultimate goal should be to not need a budget as a chief security officer, right? Because I shouldn’t need to protect the organization. It should be so ingrained into everything we do as a business to your point, the different departments that actually, they understand it.

And I build such a strong culture of security that they pay for out of their own budget. Craig doesn’t need a separate security budget. I’ve tried to do that at the businesses that I’ve always been at, which is to put the power in the hands of the developers, for example, right? Where they have the tools, the power to be secure by design as they build their products, as opposed to what doesn’t work, which is Craig’s team coming along and acting like the police, right?

Which is a definite cliché in the industry. But it’s hurt us for many, many years as that kind of outsider type approach to security. And then the other thing you touched on, which is just incredibly important and a lot of people forget, is the politics associated with it. Like, how do you drive behavioral change? That first day shouldn’t be about looking at technology. It should be about going to buy a Starbucks card, so you can take all the executives that you’ve got to influence out for coffee and build those relationships. Right?

Because that is 100% the most important thing. And one of the things that we’ve done from Cyvatar is enable that. The platform that we’re building or the platform that we’ve built really enables that decentralization. It enables those workflows to be created across organizational bounds and put the power in the hands of the people that actually need to fix it, as opposed to just firing a load of vulnerabilities and alerts at the security team and expecting them to do the hard work in chasing up and getting things fixed and influencing people.

It becomes the challenge. I was at an organization, and this was in the 90s through the 2000s and the CSO didn’t exist. That function wasn’t there. It was at least rare in sort of the Canadian world, particularly, we’re such a friendly bunch. We didn’t need one. Right. And all of a sudden, we see a CSO show up. And this is right around the time that Sarbanes-Oxley also was implemented. So you had, first of all, a functional change in the organization that they were separating out this role of information security officer, and also everybody that had the CXO title was signing their name on a contract that put them personally liable for the outcomes of their organization.

And it really changed things. So immediately, the first thing that happened, as we do with security organizations, is they hired a bunch of VPs of security, and then they hired a bunch of directors, which are basically sort of their very high titled interns. And they began crafting policy, crafting policy. Quick. We must craft policies. And it was almost like a Monty Python-esque level of, quick, a proclamation. And they would come and they would post it on the board, and they would email it out and send. And immediately you’d say, “Well, we can’t do this”.

And they’re like, oh, no worries. Then file for an exception. And then they built a system to file for exceptions. And they had created the sort of process spaghetti. And I was torn, right? Because with what’s going on, I recognize what you needed to do is we need to actually look as an organization. How are we going to attack this problem? How do we recognize the problem within a medium, this is like putting a government into a functional organization and where they don’t see the outcome, they don’t see the negative side effects.

They just simply have to come in and say, policy checkbox. And then as it made it further on the organization, we would just find ways to get through the audit safely. And that was the first phase. But then from there like we’ve seen it in action. We’ve seen real. No one wants their company name to show up in the news. And it’s like when somebody has their name show up in the news and the word embattled is in front of it, there’s certain things you never want to have.

And I’ve got good friends who are at SolarWinds, and that was a tough one to watch them go through, where the reputation attached to being exposed to a vulnerability carries for a long time and has a real commercial effect on them, just as an example, right?

That was one thing where they’re in the news. So at first it was like, in 2009, it was probably happening all over the place, but it wasn’t in the news. Now there’s a really significant risk that it’s prevalent that this is active in the industry, like DarkSide did it. They created ransomware as a service. This is fantastic. But how do we attack the problem and make sure that we don’t end up in the news? But most importantly, that we aren’t vulnerable. That’s the real thing. Obviously, the news is bad, but let’s actually fix the problem.

So if there’s ransomware as a service, then what do we do to counteract that?

Yeah. And I think you hit the nail on the head and we could talk for hours about the compliance versus security debate. But I think actually, in a number of cases, compliance has damaged what we would call real security. Because if you think about, you mentioned the top down approach. One of the things that all those compliance standards first say is, go and get the board approval, like, get your executive buy-in, all that stuff, which makes it that very policy focused, like top down approach where we create mandates and then we try and force it into the organization, and actually back to that decentralization conversation.

The most effective way I build security is from the ground up. That doesn’t mean negating the executive buy-in, and you need the budget. You need people to understand what your objectives are, but being very clear with your sponsorship, your leadership, about what is the objective. Do we actually want to be secure, or are we just ticking a box for compliance purposes? If your answer is we actually want to be secure, that’s a very different journey than creating a ton of policies. And that’s one of the fundamental principles when we started Cyvatar, was that there’s a ton of really quick and easy ways to go and get SOC 2 compliance, for example, like, I say, 27001 compliance, and will help with the operational aspects of that.

But what the majority of the small to medium sized businesses and other companies that we’re serving want is to be actually protected from ransomware, is to be actually secure. And to your point, like SolarWinds, prevent their name from being in the media because they’ve lost data or been hacked or been interrupted or whatever it might be. They actually want to be secure, and that then differentiates them from their competitors because they’re more secure. So what we’ve done with Cyvatar is build real security in and security that actually gets you secure, which is a big step change from a policy, creating something and telling everyone that they’ve got to do it.

This is real world. How do I prevent that from actually happening and moving to that prevention? Moving to that remediation is the key step that the majority of vendors in the market just don’t appreciate or don’t help customers to achieve right now.

When it comes to differentiation, it’s funny, I lead them. I’m not going to compare you to anybody. I’m going to compare you against the industry at large, in that you’ve chosen to price by human rather than object. And this is interesting because quite often when we think about security services, developer services, all of these services, they’re effectively marked per application per object per cloud target, per whatever. There’s always some technical target. So let’s talk about that, Craig. The idea that you’re basically working at the human layer with technology and thus you price, I’ll say differently than most folks would expect.

Yeah. 100%. And that’s another indication of number one, kind of that really customer centric approach, making the experience for the customer a lot more streamlined. One of the things me and Corey are constantly looking at the industry or taking our experience and changing the way that things should be done and making it simpler when we thought about the customer consuming it for anyone that’s ever commissioned a penetration test, for example, that horrible booklet of, like, 20 pages you get from the provider that says, and it used to take me even with a security team, four weeks to fill in the technical data to have to gather this technical data, to even get the scoping document back for a penetration test. Right?

And that just can’t be the way it is. So what we wanted to do is number one, make it customer centric, number two, make it really easy to consume. So therefore, what we do is we use the number of employees in the organization as an indicative factor for the size and scale of the organization itself. Right. And that then allows us to build those subscriptions, build those solutions based on the size of the business and scale it effectively. For example, we’ve got customers who have 500.

They’re in the entertainment industry. They have 500 employees that never touch a computer, for example. Right? And we’ll work with our customers to figure out how that subscription works and how best to address it and make it more palatable for that customer themselves. We have other customers where some of their employees have got three or four different laptops. And in the old model, that means four or five different licenses, right? We want to deliver security, true security for the customer. So we’ve built all that complexity in.

And we just say, let’s base it on head count. Let’s base it on head count of the organization. As you grow, we grow, and we’ll partner with you to deliver security, whatever that means for the size and scale of your organization.

When it comes to the mapping to importance of the business, it really is a human tally, right? Because the scale of the workforce is effectively a marker of the network effect of risk, because the more people you have, like you said, they’re specific. Some employees, they’ve got seven devices hanging off them. They’re much more active, their field work, so they may be sort of more exposed than others. But then back office folks, they log into the computer only to get their morning email. And then the rest of the stuff they’re doing is they’re scanning paper into systems.

It actually makes complete sense. And you start to think like, ‘Why hasn’t someone done this before?’

That’s my favorite thing. Like, my head gets a little bit bigger because I love it when we sit down with customers. And hopefully that’s an indicator of a good idea, because we sit down with a ton of customers and customers go, doesn’t that exist already? And they’re like, actually, no, no one’s done it like this before. No one’s done it the way that we’re doing now. The reason that we built what we built is because the business model exists elsewhere. The likes of Netflix in the B2C space, the likes of TriNet and others within the B2B space for HR.

Why would you not have that model for security? And that’s what we’ve built with Cyvatar. We always use the example of why would I bother building an HR function at this point and even our revolution? I wouldn’t. I’ll go and outsource it to TriNet because they’re better at it. It makes sense. It works for the scale of business and how we operate. I don’t want to be an HR professional, just like a lot of these businesses don’t want to be security professionals, right? They want someone who can do it for them and actually get to the outcomes of secure.

So that’s why we built the business model that we did for sure.

When you looked at, obviously, the first thing we have is we have team, the three T’s. Right? Team, TAM, technology, as they call it. Right? You’ve got your co-founder. You have to address on the technology side, you both come at it from each angle and see if you got a good sense of where you in the technology stack will be able to attack a problem. When assigning TAM, this is really about choosing your first market. What is the ideal customer that you wanted to begin with? Because it literally could be anywhere from SMB up to global enterprise.

There’s a lot of potential. And if you’re a VC, of course, there are like trillions of TAMs. They want this Gartner-esque type of up and to the right quadrants everywhere. They want to see a lot of that stuff. But you, as a founder, you have to be pragmatic about your first market.

Yeah, 100%. And you’re right. There’s a ton of opportunity in terms of even larger enterprise organizations. I’ll talk about that in a second. But if you think about the absolute target market, it’s those Greenfield organizations that haven’t built a security function yet. And what that normally means is probably 500 employees or less in the technology space where the ROI, the return on investment, associated with the model that we’ve created is quite frankly, a no brainer. When you talk to customers and you spell out what it takes to build a security program these days, with the cost of talent, with the complexity of tools, with just everything that’s out there.

And back to that original point about the CTO, and the startup really wants to be focused on making their products great, not doing the cybersecurity stuff. You come in and you take that pain away. And the model from a Greenfield perspective, just makes absolute perfect sense. And even a lot of our customers have got a single contributor, the first CSO hired, like you mentioned before, or the first security person hired into the organization. Even then, what they’re not going to be able to do on day one is justify another ten resources.

And that’s relatively lucky, right? So to have a solution that enables them to be successful and deliver those outcomes as well in a cost effective way, that’s number one target. Right. And also to your point, from the vendor perspective, it’s just a massively underserved market. We talk to a lot of our partners who say anyone under two and a half thousand employees. Our VCs are telling us not to touch because the economics don’t make sense when you get to a certain scale and we throw the term democratization around.

But it’s true. We’re taking these best-of-breed technologies that perhaps wouldn’t be accessible to that smaller end of the market and making them accessible, making them consumable because you don’t need those internal resources or expertise to get them in and operational quickly, which is what we’re able to do.

Yeah. It’s kind of funny. Like I’m in the tech space and I meet with large organizations all the time, and they have more developers at most North American banks than the vendors they buy from. So it’s really difficult to go in there and sort of say, all right, we’re going to do a ground up development of this service approach because they’re just like, well, we’re going to use you for six months, and then we’re going to take a team and make them shadow you and then build the thing you do.

So it’s actually often a dangerous thing, especially for a start up to go in with a great fundamental challenge solver because they’re just going to go in. Tech companies are the same way. Right? Large social networks are famous for this one, right? Where they’ll buy a company, buy a product for a year and then not renew. And you’re, like some people on the sales teams are like, I don’t understand, why didn’t they renew? Because they are filled with amazing technologists. And they just watched what you did for a year. That’s all they needed, they needed to be close enough.

I think one of the real differentiators that we’ve got is that we started as a platform player. Right?

So we’re not a product led company. We are true platform. And you see it, we all see it. There are many businesses out there that claim to be platform based organizations. The problem that you’ve got is particularly with the larger businesses. They’re tied to their own products as well. So if you’ve got a shitty antivirus product and then you go and build a platform, well, guess what, which antivirus products are going to be the one you use in that platform. Right? And that’s the problem. What you’ve started from is a very blank canvas that we’ve started from a point where we’re building the platform first.

And therefore, if you want to integrate with us, we will be picking the best-of-breed technologies. We’ll have a selection. We’ve got three or four different partners in each of our solution areas, and our member services team is constantly assessing what’s the best out there, what’s going to get the best value for our customers? What’s the best solution? And the customers are subscribing to a flexible subscription, which means if one day AV number one is the best one on the market, we’ll install that. If next day AV number two completely outdoes them and gets to a better state of prevention than number one, we’ll change it out for them.

And that’s all part of that subscription. So it’s focused on the subscription outcome as opposed to the particular product or technology that you’re driving.

Yeah. One of my favorite platform stories. And like, I’m in product marketing, I know, it’s always like, you’re not a tool. You’re a platform. It seems like better marketing. But Dave McJannet, who’s the CEO of HashiCorp, and I said, I described to him and I said, it’s great because you effectively got all these layers and it ultimately makes a platform. And he goes, well, we describe it as, if you squint hard enough, it’s a platform. But it really is a separated set of tools that integrate very easily.

And it was funny that even he was unwilling to use the word platform for fear that it would have this connotation of something that is easy. It’ll be automatic, you have to buy one thing, and then you have to buy the other four things. Their goal was ultimately interoperability, which is, again, this is why I wanted to pick on this point with you, Craig, by being able to know that you’re looking for the best of capabilities, the best-of-breed. And you are handling the integration since the interchange.

It means that I don’t, as a customer, have to get locked into going to antivirus A and looking for the best deal, because, effectively, they’re going to tell me why I need them, and then they’re going to suddenly become the one that wants everybody else to integrate with them. I want to have a platform approach where that I can think of it as a framework that I fit things into. And then it gives me the comfort that I can negotiate with those vendors now, because before, especially an antivirus vendor, it’s the easiest thing in the world.

We have 3000 endpoints. How exactly do you think you’re going to change that over? It’s one step away from, it would be a real shame if something were to happen to your car, now, wouldn’t it? Like that’s almost a Mafia-esque type of way. But I’ve worked in organizations where we’re like, I actually had 22,000 endpoints and yeah, we got it done because we threw humans at it. But it was a huge expense. It was a huge lift. It was a huge risk. So if I can offload that risk and that assessment of the right current set of platforms to you, that’s a huge win in my eyes of why I would say Cyvatar is like, all right, this is a true platform play.

Yeah. And you got two things, I think. Number one, you’re absolutely right. A lot of those businesses, like I said before, four and a half thousand products out there, like, what startup wants to come wade through all of that.

The periodic table of things.

All Eric’s product marketing. Who wants to go wade through that to find the one problem. Sorry, the one tool that’s actually going to fix your problem, right? No one can. No one does. Right? So, yeah, that’s number one. My own member services team are experts in the field, have been doing it for 100 plus years, whatever the combined number is, and they will pick the best-of-breed, right? Agnostically and build them into the partner framework, build them into the platform. And like I say, we’re not afraid, right?

When partners aren’t performing or it’s not the best tool anymore, we have the capability and the wherewithal to change that out. Because we’re so customer focused, we want it to be about the customer and delivering the right outcome for the customer. The other big deal here, I think, is really important. We went on this evolution, I think you mentioned it earlier, in security from technology, and then we’re definitely focusing on the people right now. But the process bit for me is probably even more important than the people, right?

Because you can have the best cybersecurity experts in the world. You can have the best tools in the world. If you haven’t got the process that makes those things successful, you’re still ultimately going to fail. And what we’ve built with the platform that we call the operating system for cybersecurity is the process of security, what we call, we’ve got a proprietary methodology that we call ICARM, which is installation, configuration, assessment, remediation and maintenance. So you go all the way from installation of the tools to maintaining a full security program.

But essentially all it means is the process of security. Like, how do you get from a point where you have nothing or a very immature security function to the point where you’ve got something that’s functional, operational, and you’re maintaining the organization in a clean, maintained state, and the tools can be interchangeable. The people can be interchangeable. But that process remains constant. And that’s what we built in the platform. And that’s why I think we are so successful in such a short space of time in terms of getting those outcomes for our customers.

We’ve got that experience, we’ve got that knowledge. We built those processes into the fabric of what we do. And that’s why we’re driving this speed and easiness of security that just amazes people to the point where they don’t believe us sometimes, to the point where people go, how do you do that? And it’s because you’re taking that fundamental approach and you’re building the processes right.

And I don’t want to talk about people leaving the platform, but the subscription model opens the door to a sense of freedom in that they’re not locked in to you, which is a strong thing, right? It’s sort of illegal, and functional lock-in is difficult, and people don’t want to take on a new thing because there’s sort of a risk there. What’s the thing that, what they say to you, “Okay, Craig, I like what you’re doing, but let’s just say for whatever reason, we have to change gears in six months, and I stopped my subscription.

What does that mean for my organization?”

Yeah. So we built ‘cancel anytime’ into all of our solutions, just like any other subscription, but don’t like using it so much. But back to the Netflix example. For as long as you’re getting value out of Netflix, you’ll continue to pay your subscription. And me and Corey, and the whole of Cyvatar, are not afraid of that model. We truly believe that with those process components, with the people components, with the way that we’re driving value for our customers, it challenges us to continue to continuously drive value across that lifecycle and that lifetime value of that customer.

And we’re not afraid of that challenge, right? We haven’t had anyone cancel yet, and I’m hoping we’re not going to in the future because we are driving that consistent value. We all know my favorite quote ever. I don’t know who said it, so I might just claim it as my own. Security is a condition to be managed. It’s not a problem to be fixed. And that is absolutely true. It’s not a one-off engagement. This is about growing with the customer, partnering with the customer, and being that continuous source of security for the business.

So the short answer is, Eric, as long as we continue to deliver value and the customers see value from it, we’re not scared of it, but we’ve built in ‘cancel anytime’ so that customers, if they really don’t see the value, can make that break.

And I love this idea that you talk about something to be continuously managed. This is not like a juice cleanse to suddenly make you healthy. Security is something you just sort of throw a tool at it, and then by magic, it’s fixed. It really and truly is an operation, because even if the choice is right today, it’s not to say that that particular product or some process that you’ve got won’t be suddenly vulnerable just because of a change in the ecosystem or change in process in a month or two months or six months.

So that’s why it does need to be the subscription, and the service model really makes sense to me, because this is something that I want to make sure is maintained. And we think about maintenance as SNS on a contract, right? Like, oh, I can phone 1-800. I’ve got a problem with something, but that’s really not what maintenance is about. Maintenance is about maintaining the health of the ecosystem, right?

Yeah. I love the hygiene and health analogies. I think they’re really helpful when you’re thinking about cyber hygiene and cyber security. It’s that continuous process. Corey always gives the example of, I don’t know whether this is true or not, but always gives the example of doing the dishes, right? Doing the washing up, you leave it for three or four days and you’ve got a massive pile and it’s a hell of a workload to get through. Whereas if you do little bits on a daily basis and you could do the same analogy a million times over, whether it’s automotive maintenance or whatever, it might be doing those little things and keeping up with it means that actually over time you’re continuously maintaining that state of hygiene.

You’re continuously maintaining that in a clean state, which makes your job much easier over time, means it doesn’t cost you as much. We talk about, another good example is always the developers building code. And if you wait until a vulnerability or whatever is out in the wild, it costs you 50, 60x the cost that it would be to fix it while it’s in the development lifecycle. The same is true for general security across the board. Fix it while it’s happening, build it in, make it a maintenance. Again, back to process.

Make the process continuous, and you’re in that position where you’re getting much more value out of your security program. Pentest is another great example of that. How many organizations just do a one-off pen test every year? How many times have I done a one-off pen test next year? They come back the year after and say, why is it the same as it was last year? Yeah, of course it is. And that pentest somehow makes you secure. But no one does anything about it. It shouldn’t be one-off, it should be continuous.

And in our threat and vulnerability management program, that’s what we’ve done. Yes, you get a pen test every year, but also you’re continuously scanned all year round because you might do your pentest on the coming Monday. But who’s to say six months before that, you didn’t have a vulnerability that’s been hanging around for the last six months. So, yeah, I can’t say enough about the ability to be continuous in that program. And that’s what subscription brings.

This is the funny thing, right? Like you said, compliance and security, while seeming to go in the same. There’s an ampersand between them, like it’s attached to most people’s resume in that way. But it truly is separated functions because compliance is the annual or the quarterly checkbox to make sure that you’ve passed a test. Security is an ongoing operational process to make sure that that’s happening. You said pentest is one that’s interesting because as we develop more active testing, it teaches us to make antifragile systems as well, much more than defensive.

But truly, I’m going to build a system so that it can withstand continuous penetration testing. Actually, at this one place I was at, we used a product and they would do, like, regular scans. So every night, it would go and scan all this stuff and it would wipe out half of our homegrown applications because it would just basically batter them like a denial of service. And then you’d have to restart all these services. And I was like, they said, well, can you stop scanning the system?

I’m like, no, can we start developing to be prepared for it? Like, it was funny that integrating, the tooling changed the practice of development.

Yeah, one of the things that I always liked. And I was talking to someone about it the other day. I used to just talk about, security is another facet of quality, right? Developers, a lot of development organizations understand the concept of quality. They’re constantly scanning the code for quality. They want to create quality products and quality code. But security is somehow some kind of outlier from that. And when we started to take, and one of the tips I always gave to kind of CSOs as they were going into large product-based or application-based organizations was borrow from what’s already there.

Like take the quality scoring mechanisms and just add security in as a facet of that, because they’re building quality code. They wouldn’t, for the life of them, send out bad quality code. So security is just another facet of that. You can’t build a quality application or product if it’s not also secure. So borrow from that language of the existing business instead of trying to be a special snowflake on the side.

Yeah. Now let’s talk about the Forbes Technology Council. So this is a rare opportunity to be invited in to be a part of this. You’re involved, which is a testament to, obviously, your history and your skills and your involvement in affecting the industry, not just purely from your product perspective. What do you feel is a real strong opportunity with something like what the Forbes Technology Council is able to do?

Well, like you said, the name Forbes is one of those things you grow up with, I think, isn’t it? You go through school and you think about Forbes and who do I want to talk to and what’s the goals for me? So, yes, incredibly privileged. I think it’s a great group of people. There’s a great online platform where we share ideas. And to your point, Cyvatar has always been for me, about fundamentally changing the way the industry operates, not just about creating a product, not just about solving a spot problem.

Like a lot of the current solutions do. It’s about fundamentally changing the way we consume. So I think both ways, number one, giving to the Forbes Technology Council, sharing my 18 years’ worth of CSO experience with other members, helping them to understand how you build security programs, how you do security effectively, what you should be focusing your investment on, but then backwards as well. We get a ton of feedback from those council members about what they want to see, because ultimately, one of the things that we built with Cyvatar is we wanted it to be a business tool as much as a technical security tool, right?

Our audience in startups, particularly, is CFOs sometimes, it’s CEOs, it’s cofounders, who are not necessarily the most technically savvy people. They want a business outcome, not a technical outcome. So taking feedback, and you see a lot of security vendors will take feedback from the technical security communities, which is great and valid. And we do that as well. But also, there’s a massive advantage to taking feedback from senior technology leaders, senior business people who can say, you know what, Craig? I don’t want to see a cross-site scripting vulnerability in an application.

Quite frankly, I couldn’t care less. Tell me how and when it’s going to be fixed. Tell me what it really means to buy business. Tell me how much it’s going to cost me to sort it out. Tell me how I can solve it in the future. Those kind of things, those ROI business based conversations is what we want to solve as a business. And therefore, hearing that feedback, having the opportunity to share that with Forbes Technology Council. Senior technology leaders really benefits Cyvatar and really benefits the way we’re building the platform and the business.

So, yeah, it’s a fantastic opportunity. And I’m proud to be a part of it.

When you’re a certified CSO, which is quite often, the CSO, sadly, is a role that they’re like, it’s like the CIO, which at one point when I was in first getting into tech, CIO used to stand for career is over, right? It was just somebody from the business unit. They were just like, you’re the CIO now. And they’ve served their two years to ride off into the sunset as they headed to retirement. Now it’s an active function and then CSO sort of fell into the same thing, like somebody has to be a CSO.

You, you’re the CSO, right? Make sure no one picks up USB sticks and pushes them into their laptop. And there was a sudden, you’ve heard a wide-eyed thing of like, how do I be an effective CSO? And it’s because it’s a burgeoning role. Certification is something that I think had been vastly missed. So what is the path to certification and what are ways that professionals can look at working towards that?

Yeah. Well, I think that particular qualification is interesting. I think more widely the question around kind of experience as a CSO, to your point being thrust into a role where you’re told to stop USBs being put in computers, for example, I think ultimately comes back to it. And a lot of the responsibility falls on the individual. I did a talk a number of years ago about challenging CSOs as to whether they really are CSOs or not. And what does it really mean to be a CSO? And quite frankly, I don’t have the answer.

I don’t think anyone does. The answer no one likes is it depends. But what that means is when you start that job, you need to fundamentally understand why the role was created and what the executive and the business expects you to do and make sure that’s compatible with what your skill set is. And that’s what needs to happen more in the industry. It’s the same with, I always say, a ton of CSOs will join a role and won’t have had a budget conversation for the first twelve months.

They just plow on, on the understanding they’re going to be allowed unlimited products and tools, right? Getting those things upfront, what is my role, to our conversation about compliance versus security? All right, you’re hiring me as a CSO, but does that mean you just want us to get top two compliance? If it does, and you’re happy to take that, you approach that in a very different way than a role that says, actually, I want you to be the technical know-how, I want you to work with the development teams to embed security into the development lifecycle.

Or I want you to be the strategic leader that is the figurehead for security across our business and drive sales cycles by being better at cybersecurity. All those roles are roles of the CSO, but in different organizations of different maturities and different expectations, and you’re ultimately setting yourself up for failure if you don’t have that conversation up front with the executive team, with the business. It’s a long way of saying it depends. But as long as you’re clear up front what your role actually means, that’s the only way you’re going to be successful.

Yeah. And I think that’s the ideal thing, even like the CISSP, if you look at the foundations that it tests, it’s a very wide range. And it’s everything from physical security to low-level programming, understanding all the way up to much more high through technical cloud and networking. It shows you what it takes to really be a security leader in an organization or CSO. It is much more than just one aspect of it. And quite often it’s counter to what we’d expect if we make things more difficult.

If we make things technically challenging, that’s not always securing the environment, it could influence poor practices, because if you make everything super complex, people are just going to write it down, they’re going to write down their passwords. They’re going to do things that will then move against the policy setting, and it becomes, you’re effectively working against yourself by coming with this top-down, you-will-not-pass approach.

Well, the advice I’ve always given to anyone kind of early in their career or moving through their career that wants to ultimately become a CSO in the end, is wider rather than deeper. It’s becoming more and more a business role. It’s becoming more and more about strategic leadership, about business leadership. There’s been a trend in many large organizations where CSOs aren’t coming from technical backgrounds anymore. You’ve seen people come from the risk function or the project management function or the program management function into CSO roles. And for me personally, I think that’s a really positive thing, bringing people in with that wider business experience.

That wider kind of programmatic experience and strategic leadership, I think, is really important because you get that separated agnostic view like boys and their toys tend to get excited about security technology and AI and all that kind of stuff, whereas someone that takes a business centric approach and says, what’s most important for the business, what is it we’re trying to protect? What is my job here? Like, all of those things contribute to being much more successful than diving in and going, oh, I need to buy this product.

So I think that’s really important. Back to SIT phase, it’s incredibly wise. I think it’s a great certification that you have, out of all the ones that exist to get you that kind of width in terms of understanding when you’re ready to do that. But I think as your career progresses, you want to know a little about a lot of different things. I’m no technical expert. I have technical people who do that for me. You can’t do everything. And it’s about having a little of a lot. I think as you grow up as a CSO.

In the world of tech, especially community is incredibly important, and the ability for people to find a peer group. We’ve talked about the Forbes Tech Council, which I primarily is savant at the C-suite. There’s a lot of folks that are there that they can really look at the leadership level. There’s others that go further down in New York. But then you’ve got the bottom up, sort of the SANS and even the BSides and those types of conference opportunities. What is if you’re saying, as a Cyvatar founder, what’s your community of practice that you feel is effective in helping your team both empower as well as to stay close to what’s really going on out in the world?

Yeah. I think it massively differs depending on the team. Right. So for me and Corey as co-founders, it’s entrepreneurial organizations. It’s learning from other founders, people that have been there and done it. And actually, one of the things that I’m really passionate about is not in cybersecurity. I’ve got some great friends who are founders in cybersecurity, which is fantastic. But you’ll see from the way that we’ve built the business, we haven’t learned from cyber, we’ve learned from other business models, and we brought that into the immature space that is cybersecurity.

So therefore, when we’re learning from other businesses, subscription-based businesses like ourselves or SaaS businesses or whatever. So me and Corey have been very conscious to take those learnings from other areas. And the other thing to remember is we read a lot of books. We listen to a lot of audiobooks, get ideas from those things, but don’t prescribe to one single thing. There’s millions of different ideas from different theories and different books that all come together to create a strong business model. So I would say, for me and Corey, that’s important.

But then, obviously, like our member services team, they’re heavily embedded in the ethical world of security. It’s their job to know what the best products are on behalf of our customers. So they’re absolutely interacting in the Black Hats of the world, the cybersecurity conferences of the world, where they can have their ear to the ground so that ultimately our customers don’t need to do that themselves. And we’re taking that burden away from them. And then we encourage everyone. One of the things that we have all done in the business is go through a course called Scaling Up, which is a methodology for building businesses.

And we’ve been really open with the whole team from the beginning. It would be easy just to have me and Corey do that because we’re building the business. But actually, we wanted everyone to understand that methodology. The Rockefeller methodology for building a business. We wanted everyone to know what that meant, how it operated, so that as we grow, we can be completely transparent with the whole team. And everyone understands that they play a part in it. Everyone understands that they’re a part of the growth of the business. We do KPI stand up calls every day where everyone sees what the business is doing.

Are we failing in certain areas? How do we change that? And we have those open conversations with the team where everyone shares the learning and we build the business together. And me and Corey think that that visibility is incredibly key. So to your point, there’s definitely external communities, but there’s also internal communities where we bring all of that together and we grow as one team.

And I think this is also a testament to your approach in that when I choose a vendor, why we say the three T’s begins with team, I have to depend that the company that I’m buying from has viability, and it’s really difficult, right? If you’re like, they look around and know that, I’ve got twelve series A technology companies that look exciting and you know that they are close enough in their messaging and in the end, in four years or six years, there will be three series D companies. But I have to lay that bet.

And your approach is beautiful, right? It’s differentiated because this means that trust that you will grow with me as an organization, as a customer versus like, yeah, we got a widget problem, I get to solve your widget problem. That’s fantastic. There are pure specific problems to solve, but being consultative and not just looking at like, all right, I’m just looking to get the CRC and get bought by Accenture like, whatever the thing is, not that that couldn’t happen, but you’re looking at growth. You’re looking at building a foundation on which you can grow with customers.

And again, like I said, the weird thing is I called on the pricing and the subscription model early because it’s such a rare treat that, you know, that the sense of freedom gives you the ability to be free to adopt. It’s such a funny thing, but it’s a welcome change, especially in the world right now, where we have to be able to adapt. We don’t know what four months from now is going to look like, and just that sense that you could buy as you need grow in a consultative approach, learn from experts who are, their economy of scale is knowledge scale.

I can’t possibly, with an 800 person organization or 4000 person organization, trust that I can hire 25 people that I’m going to send to conferences every week and make sure they’re on top of things and that they’re doing their bloody job. That’s why I love the approach.

100%. And I think that’s why it’s so important for us. If you look at me and Corey, you look at many VC-funded businesses, ostensibly, you have a very technical founding team. You have a team that is focused on product, building the widget, whatever it is. And that is what the team is really highly focused on. They’re very good at doing that. And then you get a ton of salespeople who go out and push that with you and push that product, right? Our business is fundamentally built on the experience of the customer, where we add value is in that people and process space, it’s not necessarily what we’ve got some solid technology in the platform.

It’s not product led, and therefore it’s really important to us that the customer and the customer’s experience is at the heart of everything that we do. And that means that we approach it slightly differently. That means that all of our team members are highly skilled in what they do, highly skilled in making the customer experience incredible. And second to none, not necessarily highly experienced in selling a widget. Right?

Which is not what we’ve built the business to do. And to your point about cancel anytime, we fail, we fail as a business, if the customers aren’t seeing the value and the fundamental value proposition that we deliver, so that’s where our heart is at. That’s where we focus. The business is all about that experience.

Yeah, because there’s nothing worse when you buy a product and you just look concerned. It’s always the matrix is the same and look like I said, I’m in product marketing. I know the dance we do. You’re going to have a three column thing and most people will land in the middle. You want to edge them towards the far right. You want to put them in the enterprise plus, or we call it platinum or unobtainium. We call it some exciting new thing, and it’s always like basic bronze, iron, cobalt, whatever. We try and make it like no one buys that thing.

But the fact that you’ve got a freemium entry point all the way up through effectively scaling on consultative additions to what you’re doing. You’re using a human based counter on the engagement level. Like I said, it’s a refreshing change. And I was excited by the approach, and I’ll be excited to have you on when we announced your series D as well. So mark your calendars, kids. You’ve got a lot of really good stuff coming ahead. I’m sure.

Yeah, we’re super excited as well. Thanks for having me on, Eric. Yeah, I think you mentioned it there. We want to take that consultative approach. We’re not afraid to say customers, don’t buy this. It’s too advanced for you right now. Don’t go buy APT protection against AI threats when you’ve got, you haven’t done your basics of building a threat and vulnerability management program yet. You don’t know what assets you’ve got. So we take customers through that journey. We don’t sell them something they don’t need, and we really help them to build a program that’s strong enough for where they are in their maturity in their growth phase.

But then, from a Cyvatar perspective, we grant super quick. Really excited to be on this journey. I say to the whole team, we want to enjoy the ride as much as the destination, if not more. So we’re having a great time doing it. Team is incredible. Customers are incredible. And yeah, looking forward to updating you on series B, C, and D, hopefully.

Definitely a lot of good stuff. And as far as the building approach, too, this is something we can actually, I’d love to have you back on, and we can dive into the founding team relationship of a technical founder and a nontechnical, is always such a, it sounds almost like a pejorative, but in that you’re not purely technical as a founder. It’s such an interesting mix and finding that match, it’s kind of hilarious. I’m sure when we look back on it, it’s always like chapter one of every book where you’re like, here is Craig.

And then he was sitting in a coffee shop in San Francisco.

It was a pub in San Francisco instead. I said, it super fast. The story of Cyvatar is just, the founding story is an incredible one because there were so many factors that might not have led to it happening. I lost my father a month before RSA in San Francisco. I nearly didn’t go. I was very tired at the end of a long week, and I nearly didn’t grab a beer with Corey. All those things just capitulated. And I eventually did. And the rest is history. Corey would say it was the universe.

I’m English, so I’d say it was luck, but whichever one it was worked out in the end, and like I say, the rest is history. But yeah, there’s a good story for a book there one day.

Yeah. And it’s hilarious that when you look back on it, you realize how many of those opportune moments that really, truly, like I said, it’s luck of occurrence and somebody else as well. I literally just went into an Apple event and I happened to be sitting next to somebody. And next thing, they were backing my startup that I had never thought I was going to build four months later. It’s like just by the happenstance of sitting in a seat, you never know what can occur. But it’s much more than the luck of the moments.

It’s the gumption and the choice of the team to put the time and work into it. So it’s pretty amazing to see it come together. Good stuff. So, Craig, if people want to reach out to you and get connected, what’s the best way to do that?

I love the social media. I’m all over it, Eric. So hit me up on LinkedIn. I’m on Twitter or obviously Cyvatar.ai for Cyvatar stuff, but I’m pretty easy to find online, so feel free to reach out.

Excellent. Well, thank you very much, Craig. It’s been a real pleasure. And there you go, folks. The links will be down in the show notes and such. And yeah, this was great. And sure enough, just like I said, history always tells you that if I say I’m going to have technical problems, we had technical problems. But we got through it. And this was a really great conversation. Thank you very much.