Digital Resilience | Ray Rathrock

 

About Ray Rothrock

Ray Rothrock joined RedSeal as CEO in February 2014. Prior to RedSeal he was a general partner at Venrock, one of RedSeal’s founding investors. At Venrock he invested in 53 companies including over a dozen in cybersecurity including Vontu, PGP, P-Cube, Imperva, Cloudflare, CTERA, and Shape Security. Ray is on the board of Check Point Software Technology, Ltd. an original Venrock investment, and Team8, both Tel Aviv–based companies.

A thought leader in cybersecurity and long time investor in the sector, Ray Rothrock was a participant in the White House CyberSecurity Summit held at Stanford University February 2015.

Ray holds a BS in Nuclear Engineering from Texas A & M University, a MS in Nuclear Engineering from the Massachusetts Institute of Technology and an MBA with Distinction from the Harvard Business School. Ray Rothrock is a member of the Massachusetts Institute of Technology Corporation board and his book, “Digital Resilience: Is Your Company Ready for the Next Cyber Threat?” launches in April, 2018.

 

Interview Transcript:

Alan
Welcome back. I’m busy here today with Ray Rothrock. Ray, welcome to the show.

Ray
Thank you. Oh, good to be here.

Alan
So Ray, you recently released a new book called Digital resilience. And I know that you’re, you’ve been serving for a period of years as the CEO of a cybersecurity company. Red Seal. Correct. So tell us a little bit about the inspiration for the book. And why you brought it out?

Ray
Sure. You know, it really goes sort of to the entrepreneurial venture capital background that I have. I was a VC for 25 years, I’ve done a lot of cyber deals. And I went to I retired from Venrock. And then I joined red cell as a CEO to help deal with some situations that company was having. And then this thing called Target happened, a massive attack. And a target is like a fortune 50 company, they had the best technology of engineers budget, what why did this happen? And then we had a few more, we had Sony, we had JP Morgan, Home Depot, Office of Personnel Management, the US government. Anyway, these things started happening. And all good VCs have good pattern recognition. And I saw a pattern that is people with budget, technology, and people are getting hacked, and getting hacked badly. So it made me pause and ask the question, what’s going on? And the conclusion was that the hackers were in there inside our networks, I don’t care how good your network is, I guarantee you it’s inside. So if it’s inside, how do you deal with that a better firewall won’t deal with that better intrusion detection won’t deal with that better, AV won’t deal with that. You need to have the capability to respond to that to that hack to that malware that’s in your network. And if you think about, and here’s the here’s a connection to resist the concept of resilience means the ability to respond to stop an impairment of an operation. If you look in the dictionary, that’s basically what it is. So red seals technology, I saw an opportunity to move that platform towards a resilience capability. That is giving people that operate red seal on their network, the ability to respond to the attack, because it is coming because a malware is already there.

Alan
When you when you put the book together, in clearly the industry has seen people who use it computers are aware of be careful what you click on that when you when you wrote this book. How did you how did you go about defining who your your readers will be in your audience?

Ray
Sure, you know, I have been on a lot of boards, about 70, private boards, eight public boards over my career. And one of the things that I found missing or not missing, but sort of the cyber had always been relegated to sort of the technical end of business, maybe there was a CIO or a CSO Chief Information Security Officer at a company, that person didn’t have a seat at the table in the boardroom. And honestly, cyber was dealt with quite effectively with firewalls and all that sort of stuff. But in this current era, and I call it sort of the Third Era of cyber, it’s now in and the board’s who are allocating resources, allocating engineers coming up with policies to deal with this, don’t have a vocabulary to talk about it. So this book is intended for management and boards that don’t have technical backgrounds. There’s one chapter in there that sort of talks about how all this stuff’s put together, it is layman Lee, words that I could come up with. But mostly it’s about how to think about how interconnected we are you as a manager, what is your responsibility? What does it mean to be cut? What does it mean for you to have an electronic connection? And how do I manage that, and then coming up with this concept of a score, one of the things is cyber did not have my whole career as a VC. Nobody ever gave me a number that said, all your cyber is an A or a B or a 95, or a 12, or whatever it is. So we created a score. And now there are two dozen companies with scores. Because in the boardroom, the language the board’s know is numbers, you know, the profits going up? Or the profits going down? am I investing $10 million? Am I not investing 10? What’s the ROI? What’s the what’s the quantitative element of resilience? So we’ve applied that thinking it’s all for the management and people who are making decisions, hiring the people and spending the money.

Alan
Using the term resilience, how does that differ from digital defense?

Ray
Yeah, security, well, resilience means being prepared for the unexpected. We’re in a very disruptive world, and you need to be able to respond to disruptive world defense means I know what my enemy looks like, I know how they’re gonna get me think about a castle and a moat, right? Those are built because people attacked with on horseback, right? We spent the United States has spent gobs of money on missile defense system because we think the inbound that’s gonna get us as a missile. But what if you don’t know what it is? How do you think about that? What do you do? That’s where resilience comes in. It’s being prepared for the unexpected. To do that you have to think about what could go wrong, what will go wrong. And then, if I missed it, how can I adjust quickly and that requires data and information so that people can make real time decisions.

Alan
Visiting here today with Ray Rothrock Ray, I need to take a break. And we’ll be right back after these messages.

Alan
Welcome back and busy here today with Ray Rothrock. In the first segment we we talked about your inspiration for the new book, digital resilience and then the difference between resilience and defense. I want to move into the common misconceptions and board members regarding cybersecurity.

Ray
That’s a that’s a very interesting topic because board members, they only know what they’re told, okay, for starters, and they’re not told much about cybersecurity, because it was never an issue. But now it’s an issue right when the asset when the intellectual assets of the company can leave the premise and not know about it is now a boardroom issue. And so a lot of misconceptions that they have is that well, we’ll just spend another $2 million, another 10 or another 100 million dollars and hire another bunch of engineers and we’ll just make the fortress 50 feet tall or something Janet Napolitano made the comment says if you build a 50 foot wall, someone will come up with a 51 foot ladder. That’s the way boards think they’ll just make it the moat deeper and wider and that wall taller. And that’s just flat wrong. Because digital is different, right? It’s it’s hidden it’s it’s it’s it gets in through all kinds of ways. And that is what it is. So the misconception is that we can just spend our way to solve this problem. I continue need to think your way through it. Because spending when you spend $1 on cyber defense or cybersecurity or cyber resilience in your company, you’re not spending on r&d for your products, or for your customers. And I think in time I call those tax there’s a cyberattacks going on in our economy. And that’s the misconception board they think they can spin cyber grows at 10 to 12% a year the budget IT budgets one to 3% How long can we spend 10 to 12% a year on cyber and not take a dent in company’s earnings.

Alan
What are some of the commonly overlooked areas of how, how the cyber sick you know that the hackers get inside systems?

Ray
So you know, in the old, how do they get it. So in the old days, they tried to get into the front door. A lot of them come in through web browsers, but the Verizon puts out a report every year. In fact, he’s just coming out now or it’s out this week. They show that most of 95% of the successful hacks start with a simple phishing attack and sometimes a spear phishing attack. The phishing is a very a phishing is all spycraft Benjamin Franklin employed phishing, that is to get you to do this make sends you a credible piece of information to get you to take an action on that information. And so if I send you an email, it’s coming right to the front door. It’s totally legitimate looks perfectly normal. You click on the on the attachment or whatever or hit a reply button. And all of a sudden, you’ve released the malware in your network. So how does it get in? It walks right through the front door looking like a perfectly legitimate thing. That’s how it gets it.

Alan
Is it I guess you’re stating the obvious? And over time the person learns their lesson not to click on?

Ray
Well, there you know, there was a time not too many years ago when people will train their employees against phishing. And if you the same people fail it test. And so finally now companies are putting policies in their employee manuals. If you fail three times in a row, you can be dismissed. That’s a new concept. Think about that. If you fail your cyber training, you can lose your job.

Alan
Wow. Wow. So what are some of the misconceptions about cybercrime?

Ray
Well, you know, this is an evolving subject. Cyber nearly days was truly high school guys sort of hacking around just to see if they Steve Jobs and Steve Wozniak are some of the most famous right making phone calls by whistling tones into a telephone. And but it’s gotten very sophisticated. I’ve seen numbers that say there are about 100,000 Cyber mafia criminals out there. Certainly it’s all about stealing information that Therefore you can then resell that information to other people creating in the black market to create credit cards and stuff. It’s about getting information. There was lately there’s been a few high powered wiring transaction things. Remember the I think it was Singapore or Malaysia lost $89 million on a very secure system, they wired money. So that’s not the common. The common thing is just simply taking your information, packaging it and reselling it. And that’s very common, the Equifax break in, you know, 147 million records. We’ll see the nation states. That’s that’s another whole conversation. We could have another show about if you want.

Alan
Very good. Yeah, it’s interesting, I guess that this whole area of cyber security and really spans across a vast horizon. Japan recently had a the Bitcoin was hundreds and hundreds of millions of dollars.

Ray
Yeah, no, anytime it’s cyber right? It means a human being created something it means the other another human being can crack it. And it is a risk. But, you know, back in the 30s, and 40s, in the United States, banks are getting robbed all the time. But I think Bonnie and Clyde right. We solve that problem, right? Do banks still get robbed today at gunpoint? They do indeed. But they don’t bring down the entire banking system like they did in the 30s and 40s. So we’ll figure this out, but it’s not going to get better before it gets worse.

Alan
I’m visiting here today with Ray Rothrock. He’s author of the book, digital resilience and Ray I need to take another break and we’ll be right back after these messages Thank you.

Alan
Welcome back, a busy here day three Rothrock. He’s authored the book, digital resilience in array. The first segment we talked about the inspiration for the book, and then we moved over to the, you know, the common entry points for hackers. This segment I want to focus in on the principles of resilience found in both natural and physical systems.

Ray
Sure, well, resilience is a pretty common thing in modern society. And I can let me step back in biology. People have studied biology, biological systems for a lot. In fact, there’s a whole category of investment area called biomimicry, where you try to mimic things that we know that work, for example, Velcro, is a mimic of a biologic of I forget the gecko or something like that. So that’s very common. And if you think about a human body, how resilient it is, we have a skin which is like a firewall, we have white blood cells, which are like intrusion detection systems, we have red blood cells, which are like data, leak preventers, things like, you know, clotting capability. So if we think about a system, an effective system that can can respond to an attack, whether it’s a disease or if I poke a nail in my hand, the body is pretty darn good. In the real world, we’ve done exactly the same thing. For example, the building we’re presently in has sprinkler systems, it probably has some heat detection systems, it has a burglar system, and has all these systems to to alert us if something goes wrong in this building. Do we expect this building to burn down? No, you walked in this morning I walked in while ago felt perfectly safe the elevator operator because we know it’s been built with resilience in mind. That’s a confidence building thing. So resilience can translate to confidence. And if you’re running a business, you need to know Look, look at a factory he burned a factory to the ground, you lose the ability to make your widget, you rebuild the factory. What if your digital factory burst the ground? What do you do? It’s a different question. So resilience is about that. Thinking about the system what mimicking real world physical systems and applying them in the digital universe.

Alan
You know that the rate of change in technology is so rapid it’s you know, you it’s like a river flowing you can’t stay put or you get run over it and so it’s it’s the markets are continually evolving. Throughout the questions, technology really making your life better?

Ray
Well, yes, I think it is by a lot. In there’s a ton of data on this, right? That’s a common question, by the way. And of course, while it’s making us better, it’s also threatening others right? I mean, you think about factories you think about 100 years ago, a factory, what it looked like and who worked there. And the conditions. Look, people are living longer, they have more capability in terms of what they can do with their lives, they can communicate around the world is shrunk. And remember, Friedman’s a flat earth, or the flat war, I forget what the book was. They were just fine. It was good. The World is Flat. Yeah, it was really good. So we are living higher quality lives, better lives. Even the low end of the population on the planet is living a better life. But there’s still a lot of poor people. So technology really is helping us be better, I believe.

Alan
So you the book goes through a number of case studies. You mentioned target for you on cybersecurity. What are some of the other case studies that you use in the book?

Ray
Well, the really classic one, the most recent one is the you know, John Podesta fell for the classic phishing story. And what did that lead to? So phishing? I mean, that’s such a high profile story. It just it just, you know, is it embarrassing for him is embarrassing for the Democratic, Democrat. DNC. And it just points out how bad it is. There’s, gosh, I’m trying to think of some dude, tell me what to focus on. How about public public Wi Fi and the risk with that? I’ve been in meetings where people come from a hotel, they show up, they open their computer, they’re on the local network here. And they brought with him the malware that the public Wi Fi gave them. That’s like my number one concern airplanes and public Wi Fi. Because if you’re not secure.

Alan
When people are in public places, and they get that message, is it okay to proceed? Because it’s in a public domain. Any advice? Whether they should say yes or no? And how do they protect themselves?

Ray
Well, the public want it’s very hard public Wi Fi. You know, it takes time just just because you say yes, doesn’t mean in the next second, you’re getting attacked. But if you took a raw a brand new PC and opened it up without turning on any of its security, usually they don’t come that way. But so it’s naked, we call it and you put it on a public Wi Fi, it will be attacked, within 3040 minutes, the computer will be rendered helpless. Wow. That’s, that’s just what happens. So when you go on, one of the things I do personally, is I VPN back to a known good place, VPN, virtual public, virtual private network. It’s simple. I’ve got software, I click a button, LinkedIn, and I know where I’m talking to is safe. And it’s behind firewalls. That’s one thing you do. The other thing is to use your phone. So the public telephone networks are really quite good. And these devices are especially good. So actually, rather than using whatever the public Wi Fi is, use your telephone as a hotspot and let it send your data. That’s another thing you can do.

Alan
Excellent. So when we look at companies, though, becoming more resilient, how do you recommend that they approach internet infrastructure?

Ray
You know, infrastructure is a broad word. But it starts with knowing what you have. networks have been built for 30 years by many people for many different reasons. And documentation is poor at best. Certainly, it’s dated. And so the first thing about infrastructure, you got to think about what is the point of a particular enclave? What is the purpose of that, that starts with a management decision, we’re going to build a factory, we’re going to build a a trading system, we’re going to build this or that. And you got to think about what that’s all about. And then you think about what can go wrong, you got to think about who has access and who doesn’t have access. So you can start there, unfortunately, we inherited all the systems and networks that we have. So they’re pretty raw and rough and messy. So the first thing you got to do is analyze it. And that’s one thing that my company does red seal, we analyze the total infrastructure, every pathway from every device in the network. And with that, you start there, you can begin to tease it apart and see where the problems are.

Alan
Let’s go a little bit deeper into red seal and dam. Sure. And when we look at their evaluation of the network resilience, and obviously they’re in this in this area of cybersecurity, there’s a lot of people vying for space. How do you differentiate your business model from the competition?

Ray
Oh, boy, that’s a good one. Yes, Red Seal, does what we call network modeling, we actually create a software model of every pathway in your network. Then we overlay any vulnerability assessments you’ve done from other products like rapid seven or tenable or any of those other guys. And so we take the model we overlay the vulnerability and we do a calculation that says if this asset this this endpoint asset is an important asset to you, I will tell you where that ranks and you’re vulnerable. Literally score. It’s a very complicated, dense calculation that can take hours for a large network. So we came up with this concept of digital resilience, and digital resilience comes in, and we didn’t, we didn’t make that cut, we didn’t make it up per se. There’s lots of standards bodies have said, these are the top 10 Things you need to do. And we went and glommed it all together, we said, there are three things you need to know, the, you need to know every pathway. Point one, you need to know all the vulnerabilities, point two, and you didn’t know the state of your equipment, because you have a router or an endpoint, is it at the latest patch, that you know, every vendor tells you if we put out a patch, if we put out a patch patch, get it done, because that improves your security. That’s generally true, some things can’t be improved. So you have to think about anyway, those three things. Vulnerability model, is the model. Good. I’ll tell you a side story. In every deal. We work on every company’s network we work on, we find assets that they didn’t know existed, we’ve actually found data centers that were walled off in a remodel, the the servers were hot, the lights were on and traffic was going back and forth, but they didn’t even know it. This happens all the time assets that are an offense. So how good is that model? All the imperfections, we discover all that and that’s what will get you a new seaso. The first question on the job is show me my network. It’s very hard to do.

Alan
So Ray, your your book will be available on Amazon/

Ray
Or in Barnes and Noble Amazon, first week of first or second week of April. And you know, in other places, it’s getting ready to start a roadshow tour next week.

Alan
I’m visiting here today with Ray Rothrock. He’s the author of the book digital resilience. And you can find his book out there on the web. Right. And I appreciate being on today’s show.

Ray
Thank you very much, Alan.

Alan
We’ll be right back after these messages.

Alan
Welcome back over the break, Ray and I were talking about, you know, the common insurance set that boards will often look at and in and I asked her if he could just hold over here and we can talk about should boards be considering insurance for the companies in the area of cybersecurity.

Ray
That’s a an important question and one that every board asked, in fact, when they read about their competition, or their buddy, and another company who had a cyber event, the first question they asked their board is, are we insured. So cyber insurance is a new area, it’s growing very rapidly. In fact, every week, there’s an announcement of a new startup. So a board has a choice, they can engineer the risk away, they can ignore the risk and just accept the consequences, or they can insure against it. As I said earlier, a factory burned to the ground, you rebuild the factory, but if your digital assets burned to the ground, I’m not sure you can recover the trust that goes on there. So it’s really a different story. cyber insurance is different than physical plant insurance or DNO insurance or those kinds of things. So, in your physical in your cyber world, there’s the inside of your network, which the infrastructure that you own and control and there’s the outside. Think about life insurance. When you go to get life insurance, they’ll send the nurse out to check your blood pressure, your blood type get take down your record of your diseases and all that sort of stuff. That’s your Inside Story. They’ll also look at what neighborhood you live in. What’s your zip code? What kind of car do you drive? What do your neighbors look like? We used to Venrock we used to always drive by the CEOs house to see what kind of neighborhood they lived in. It sort of said something about them. So there’s an outside in story. There are scores of companies giving you an outside in look at cyber. Who’s attacking your firewall. Where’s that IP coming from? Is it coming from an adversary? Is it coming from a competitor? Is it espionage? What is it? That’s a very big deal. wanna cry? You’re getting a wanna cry attack? Well, that’s interesting. But you know, I know that the flu is out there. I know the Colts out there. So what do I do about myself? Well, I drink more issues, take vitamins, whatever, I can do the same thing cyber wise. So there’s an inside out story and there’s an outside in story. I think the one that matters most is the Inside Out story. Am I healthy? Is my blood pressure good? You know, am I taking the right vitamins? That’s the analysis, the analytics that are necessary to do cyber insurance right. And there’s some great stories in American history The Hartford steam boilers, a good one where they insured steam boilers. You ever heard of the term boiler plate that came from Hartford steam boiler, they said, will insure your steam boiler and that ferry both in 1850, our 1860 however, you gotta let us engineer it and let us maintain it and let us management. I think that’s a future opportunity for cyber. Let someone else verify let someone else manage let someone you’re the company you worry about what you do best and let the cyber guys do what they do best.

Alan
Yeah, it’s interesting and then you get the outside perspective before a person puts their money exactly into the right.

Ray
Would you ever buy house without an inspection on the house. Of course you wouldn’t. You should. Likewise cyber is a whole adds a whole category of assets. You should have it inspected and checked before you buy something.

Alan
Thank you. Thank you. We visit here today with Ray Rothrock, the author of the book digital resilience, you can find it on Amazon, or any normal lines on Amazon. Right, right. And in the end, we appreciate you being with us today on American Dreams. Join us right here on this station next week. Have a good week.

 

We hope you enjoyed this interview; “Digital Resilience | Ray Rathrock”.

To receive our free newsletter, contact us here.

Subscribe our YouTube Channel for more updates.

This transcript was generated by software and may not accurately reflect exactly what was said.

Alan Olsen, is the Host of the American Dreams Show and the Managing Partner of GROCO.com.  GROCO is a premier family office and tax advisory firm located in the San Francisco Bay area serving clients all over the world.

Alan L. Olsen, CPA, Wikipedia Bio

 

 

GROCO.com is a proud sponsor of The American Dreams Show.

 

The American Dreams show was the brainchild of Alan Olsen, CPA, MBA. It was originally created to fill a specific need; often inexperienced entrepreneurs lacked basic information about raising capital and how to successfully start a business.

Alan sincerely wanted to respond to the many requests from aspiring entrepreneurs asking for the information and introductions they needed. But he had to find a way to help in which his venture capital clients and friends would not mind.

The American Dreams show became the solution, first as a radio show and now with YouTube videos as well. Always respectful of interview guest’s time, he’s able to give access to individuals information and inspiration previously inaccessible to the first-time entrepreneurs who need it most.

They can listen to venture capitalists and successful business people explain first-hand, how they got to where they are, how to start a company, how to overcome challenges, how they see the future evolving, opportunities, work-life balance and so much more.

MyPaths.com (Also sponsored by GROCO) provides free access to content and world-class entrepreneurs, influencers and thought leaders’ personal success stories. To help you find your path in life to true, sustainable success & happiness.  I’s mission statement:

In an increasingly complex and difficult world, we hope to help you find your personal path in life and build a strong foundation by learning how others found success and happiness. True and sustainable success and happiness are different for each one of us but possible, often despite significant challenges.

Our mission at MyPaths.com is to provide resources and firsthand accounts of how others found their paths in life, so you can do the same.