21 yrs in Cybersecurity: Challenges THEN & NOW

View Show Notes and Transcript

Episode Description

What We Discuss with Andy Ellis:

Questions asked during the Interview

  • 00:00 Intro
  • 03:12 Andy’s journey to CISO role?
  • 07:07 Securing a Site a Military Perspective vs CyberSecurity Perspective
  • 13:04 What Security things did you have to convince people off that are now standards?
  • 15:05 Is CyberSecurity Enabling business?
  • 16:59 What is Zero Trust?
  • 19:29 Is ability for a Staff to login from any Company Device wrong?
  • 21:00 CISO Challenges in a Security Company?
  • 21:52 How Akamai became a Security Company?
  • 25:22 Building a Security Product in your non-Security company?
  • 26:55 Challenges for CISO’s role in a Pandemic World
  • 30:01 Qualities of a Successful CISO
  • 31:31 Challenge of implementing 2FA in a company?
  • 32:45 What is an Operating Partner in a VC Firm?
  • 36:23 Are the Israeli startups you advice Security companies?
  • 38:02 Challenges as a CISO Advisor for Startup
  • 40:35 Patterns that Israeli Startups are doing wrong?
  • 43:38 Two Fav Startups currently in the YL Partner Portfolio
  • 45:54 What skillset should one have to get into a CISO Advisory Role?
  • 47:26 Sales element to the CISO Advisory Role?
  • 49:11 Fun Section

THANKS, Andy Ellis!

If you enjoyed this session with Andy Ellis, let him know by clicking on the link below and sending her a quick shout out at Twitter:

Click here to thank Andy Ellis at Twitter!

Click here to let Ashish know about your number one takeaway from this episode!

And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.

Resources from This Episode:

  • Tools & services, discussed during the Interview
  • NA

[00:00:00] Ashish Rajan: First of all, congratulations on being the CSO hall of fame winner for 2021. Great. What an honor.

I think I’ve been connected with, you have a couple of conversations on clubhouse as well. And it was really interesting that once I started digging into well online, stalking you, for lack of better word, I’m realized that wow, you have such an interesting background and you probably want to shed some light on that as well as we go through this 21 years in Akamai.

And before we get into any of that and how you’ve kind of saw cyber security change, I would love to get the audience to know a bit about yourself. So if you can tell us a bit about Andy Ellis and I guess, how did he reach the whole CSOs spot?

Andy Ellis: Yeah, so I guess it’s one of those really long and strange journeys and conveniently, I have it documented here.

So I actually used to work at Disneyland a long time ago. Wow. That’s actually the spirit of Disneyland award that I was a costume issue, like gave people their clothing. And I remember at the time, one of the things we were doing was moving from a paper based system where you’d like wrote [00:01:00] down what people had to a mainframe system.

And I hacked the system in the good term of hacking. There were these function keys. And like, there were these places where we kept typing in the same things over and over again. And so I found a little macro programmer where you could grab the function keys to like type in anything else. And so I literally went to every computer and did this cause I’m like, I’m tired of waiting for the screens and I did it.

And then one day somebody saw me pushing the button and they’re like, what is that? So like, I had to document it and then a supervisor finds out that I’ve done this and they couldn’t decide whether to reprimand me or award me something. But yeah, something like that. You could almost say that might’ve been, you know, the, the early start of it a little later, I actually worked in the hospitality industry.

My family owned an Inn in Vermont and actually this is the award of excellence from the wine spectator for the wine cellar that I managed. So normally we would be doing wine here, but I am a little jet lag. So that’s why I went with something a little bit different today. And that’s [00:02:00] again, you know, that’s, .

An art being a bartender or wine stored where it’s all about learning someone’s story and telling them a story and fitting into what they want. You know, if somebody walks in and says, you know, can you recommend a wine? You have to figure out how much money they’re willing to spend. Yep. Right, because you can’t just say, Oh, pick this wine.

And if it’s an expensive wine, they’re going to look at you like, Oh, you’re just trying to rip me off. But on the other hand, if they’re coming in, planning on spending a couple of hundred dollars on a bottle of wine, you probably don’t want to recommend it. $34 dollar bottle, because then they’re going to be like, come on.

What are you doing to me? No, I went after I graduated from MIT, I went into the air force. I have my air force commendation medal it’s over on that side. That’s actually where it really got into serious operational security. I did information warfare for central command. I’m responsible for mostly defensive operations.

Although our unit did work both sides of the house there. And when I got out, I came to Akamai where I spent 21 years. That’s my 20 year plan. I got it just before I left doing every job insecurity from security [00:03:00] engineering, security architecture, compliance management, sales support. Product development, product marketing you name it.

I’ve probably done the job in information security and in physical security too. I actually once was a security guard at a condo complex and I literally walked a beat, making sure people left their head, locked their doors when they, it was a vacation place. So like on Monday, you’d go make sure all the doors were locked.

Ashish Rajan: Interesting. So, wow. That’s such a very, so from Disneyland to bartending, to working in Akamai. Really interesting. And you went to a different roles in cyber security as well. Thing you start, well, you make me jealous. You started like way, way, way earlier. And I, I almost feel like that’s really interesting how some of the experiences you may have seen from being a security engineer to all the way to the CSO and by the way, thank you for your service as well.

For the air force. I was also gonna say, I remember. The air force conversation reminded me of your conversation about the relationship between [00:04:00] safety and secure the site, do a lame person versus the military. Can you share some light on that?

Andy Ellis: Well, yeah, so I always love words like secure and safe because they have no.

Common meaning. And there was this anecdote that Caspar Weinberger used to tell who was the secretary of defense in the U S and he said, he was asked like, what was the hardest part of his job? And it was like finding the right tool to solve a problem. He said, look, I can give orders. And the military will go execute my orders.

But if I tell somebody to go secure a building, If I tell the army to secure the building, they’re going to put up concertina wire and you know, sandbags and they’ll have password of the day to show up. And, you know, maybe the HUBZones of conflating fire. So if you try to rush the building, they’ll kill you.

The Marines there’s going to get right to the point. They’ll kill everybody inside the building and probably blow it up for good measure. If you asked the Navy to secure the building, they’re going to turn off all the lights close and latch all the windows and lock the door on the way out. And the building’s been secured and the air force will give me a three-year lease with an option to buy.

And that’s really always stuck with me because people will say [00:05:00] things like I’m building this system. Is it safe? And I’m like, what does safe mean. Because it means so many different things to different people. And I actually knew that security is a subdiscipline of safety and it’s the sub-discipline that most safety experts pretend doesn’t exist, which is often problematic.

So it gets excluded from safety conversations. Safety is just making sure that your system does not enter into a state where it will have an unacceptable loss. Based on triggering some hazard in the system. And so your goal is minimize hazards, protect against triggers and security is the exact same thing, except it’s when an adversary triggers it.

Right. Think about like, imagine like a big red button to shut down a system and that big red button, like, you’d say, Oh, look, when I put it in our knock, we’re going to protect it with like a little flip cover. So you can’t accidentally hit it. Those were all these safety controls. But if you put that button on the outside of the knock with no security around it, where anybody could walk up and push the button, you still have a safety problem.

Like the system could turn off when you really don’t want [00:06:00] it to, but it’s an adversarial one. So now it’s a security problem.

I love the, I loved it. I definitely want to do, to share that with my audience as well. Cause I think the gastric report guts audience definitely appreciate this. And considering it starts to get your podcasts as well.

One question that we ask every guest is like, w what does security mean for you?

It’s like five different disciplines. I’ll probably lose track as I go through. So my apologies that if you’re trying to figure out which, which five I listed, that’s one piece of it is how use secure inside an infrastructure as a service environment.

Right. And that’s a really interesting question because when you think about normal it security, pre-cloud what often happens is somebody else provided security outside your device for you? Like you said, Oh, I need a web server. And it provided you a server that they were hardening and they were patching and they did install the backup server and 17 agents on it.

It made your web server slow, but at least it was relatively secure and maybe they stuck a laugh at a load balancer and they did all of these things for you. [00:07:00] And now you go and you say, Oh, I need a web server. Hey, I go to Amazon. I’m like, yeah, give me a web server. Well, nobody’s doing all that for you.

Like Amazon provides a lot of the capabilities to do it, but they don’t do it for you. Right. And so a piece of cloud security is literally how do you just do it? Security off premises. Where your, it is not the intermediary to make sure you set it up. So that’s one aspect of cloud security, another aspect, which is really the business I was in with Akamai is how do you deliver security capabilities through a cloud-based system?

You know, we did DDoSs defense where we were doing the DDoSs away from your network. Like that’s where we were going to eat it. Because if we let the DDoSs get onto your premises, you were already in trouble. You know, same thing. How do you deliver whack out at the edge? That’s sort of another way to think about cloud security then of course there’s how are you doing security for how you use the cloud, which isn’t just infrastructure as a service.

That’s also software as a service. So do you know even what software is a service platforms you have set up. Yeah. Are those [00:08:00] integrated into your standard controls? And then that has sort of sub split outs that you would look at, like what data is in your clouds environments, and how do you know that your SAS players aren’t sharing it with one another in a way that you really didn’t want them to.

So I guess I only went through four there there’s probably a fifth one I’ll remember later. Well,

Ashish Rajan: that’s actually a really interesting way to put it because it’s your point. I love the one where you called out. It’s. Doing IT security. Off-premise . And this is kind of where a lot of people throw the whole shared responsibility model as well, and we’ll be going into this, but I love how you kind of went through different layers as well of Hey, I may need of WAF I mean, from the sales channel makes me question.

Like, because clearly you’ve been I guess with the CSO hall of fame and the 21 years that you’ve done already. Offline, we were talking about the whole SSO conversation. So you may have seen quite a few changes which a lot of us take as given, like, I obviously use the SSO example. Like right now, if you talk to anyone, they talk about, Hey, we should single sign on this.

I don’t know why we were trying to keep [00:09:00] remembering credentials and I could not imagine a time when it was, this is like requiring convincing to people. So keen, to knows from you for many started to now, what are some of the things that you use to convince people on, Hey, we should do this.

I’m sure. Multi- factor authentication still there as well, but. What are some of the things that coming up to your mind on that one,

Andy Ellis: obviously single sign on was a huge one. I remember when we installed pub cookie was how we did single sign on like that’s a package. I don’t know if it even exists anymore, if anybody uses it.

So I think we were one of the last enterprises it’s still used it and it was a fight cause people were like, why do I, why do I want to integrate my web server with some other web server? Like I can just do active directory or LDAP based authentication right here. So that was a big challenge. Just getting people to think about doing, you know, building from an already hardened image.

It used to be that when you built systems, you would just like take stock off the shelf, you know, possibly didn’t Slack where, you know, something, you know, and you’d install it and then you would go and say, [00:10:00] okay, how do I harden it? You know, go take bus steel or something else, and I’d run it here. And like, now that just seems so foolish.

Like why would you do that to an operating system? Yeah, right. We have the stripped down version and then we install and only add the packages that we want. So those are probably two really big ones that stand out to me, but some of it is just, it happens so gradually, you know, the conversations about network segmentation, sorry, we’re supposed to zero trust these days.

I mean, that’s now the new thing. So in 10 years, everyone’s going to take for granted that, of course you do. Know, micro segmentation and you do app based authentication for everything, but that wasn’t even on anybody’s radar 20 years ago. Like if you tried to talk about doing that, we didn’t have any devices that would support network segmentation at line rate.

Ashish Rajan: Lot of people talk about, Hey, security is not enabling business, but clearly single sign on is a clear sign that it was enabling business as an individual. Who’s probably working in a company with over 300 applications. I don’t have to remember 300 passwords because one of the security policies should have unique [00:11:00] password everywhere. Totally enabling business.

Andy Ellis: Now I actually think 90% of security is enabling business, but it’s. Only enabling business. If you don’t tack it on so much of the time we’re playing this catch up game, if somebody has already deployed something and they’ve deployed the leanest fastest thing they can do. And so of course, you’re going to get in the way of the business now to make that more secure.

But if you didn’t just have to tack on the minimal security, you say, well, what do we build? So let’s take single sign on, for instance, you know, we were deploying that at and it was fantastic. You know, we’d moved over and we’re, we, we put our cloud in front of everything. So we said, rather than even making your app integrate backwards to single sign-on, we’re just going to have a front end to do it for you.

And so if you don’t need any authorization other than is this an AKA, my employee, don’t worry about it because the only thing that can talk to you is our cloud service. And it has already validated that it’s an online play like, boom, instantly we could take any website. It didn’t have to have TLS and we could bump it up to a TLS front-end that was doing authentication.

[00:12:00] And people love that. But then we’re, we’re working on this. We said, you know, we were doing X five Oh nine surplus password, and we decided we were going to add push based off using duo. And, and we were really worried about rolling that out. And then all of a sudden we said, our goal is two factor authentication, and we’re about to add three factors.

So why don’t we get rid of passwords? So what most of you in we’re in, passwordless like there’s a cert on your laptop and it’s a, and it’s going to push to your phone to make sure it’s you, you had to type a password into each one of those. Why do I need a third password?

Ashish Rajan: Wait, wait. So we’re definitely going to zero trust territory and network segmentation.

So I know you did some implementation of this and I’m keen to know how do you explain zero trust to people when, like, I know obviously keeping the buzzword aside, like, how do you explain to your trust?

Andy Ellis: Zero trust is a principle. For a set of principles. You know, we used to call it least privilege in some senses.

What it really says is don’t assume anything that you have that you don’t have to. So just because somebody is on your network, doesn’t mean they’re legitimate. Just because [00:13:00] you’ve talked to this person before, doesn’t mean you’re still allowed to talk to them. Those are two principles you might think about.

So it’s make sure that every request is authenticated. And so that means usually doing requests up at the application layer. It’s minimize network conductivity. So in the old world, like a user was connecting to the HTTP Porter, HTTPS port on a web server. They could probably also probably connect to SSH, but why there’s no reason it’s just a user.

So how do you even segment at the protocol? So it’s not just about IP segmentation, it’s also protocol segmentation. So I look at it that way, say how do I make sure that every time a user does the thing that we’ve authenticated as simply as possible that user and the, I think the biggest change that we did, my, my philosophy difference is there are no more people on the internet.

There are cyborgs and this sounds kind of wacky and weird, but here’s the difference? The keyboard isn’t the perimeter anymore. People think about, you know, how does the user authenticate to the computer? Forget about that. If you’re out in the network somewhere, that’s not the point of authentication you care about to [00:14:00] you.

The computer is part of the person.

Peter that’s my device. Like that’s my boundary. So you just need to authenticate at the BA at the edge of my boundary. And you just want authenticate two places and say, let’s check two devices that you have control of. But look, if somebody is here with a gun to my head and I’ve had to unlock both of my devices, yes.

That person gets to emulate who I am. There’s nothing we can do at this point to then sort of protect against that model. But that’s the model that some people like, Oh my goodness, we have to always test when they’re logging into this laptop. But if you do that, you create so many vulnerabilities on that laptop.

If this laptop trusts somebody outside of me to log in and run anything, this laptop is no longer trustworthy to anyone.

Ashish Rajan: Love it. I love it. Because that challenges the norm again, that we have kind of gotten used to that, Andy is able to log into my laptop. I’m able to log into my laptop. Anyone can log into anyone’s laptop.

Andy Ellis: It’s awful, like, especially given what computers cost these days, like laptops are tied to human beings in 99% of enterprises. [00:15:00] Anyway. So just part of the system make the laptop part of the user’s environment and like cut out as much administrative access as you can.

In fact, I would actually advocate that Apple does a better job of securing my computer than almost any other enterprise camp. And so we should Apple’s updates and say, Hey, , here’s some software that might improve it. But if I have an agent running here that somebody else can log into, that’s how ransomware propagates just takes over the agents.

Ashish Rajan: I do want her to get into some of the challenges that you have faced across your 20 years of history as well.

As a CSO, if you can share some of the good, bad and ugly of being a, CSO for a security company, because I imagine that’s a different kind of challenge in itself.

Andy Ellis: So it definitely is especially company that wasn’t security when I started, but we made it into a security company.

Ashish Rajan: Wait, it wasn’t

Andy Ellis: Akamai was a, CDN. We did delivery of objects. Our very first product literally was if you went to a website, All of the images on it had had their URLs rewritten.

So the image [00:16:00] bags, instead of being, you know, you know, your site.com, we said, you know, a 17 dot G dot dot net slash had like three things and then slash you know, your site.com and wherever the original thing was literally, we just did on demand caching of objects. That was our very first product. And the whole idea was like you had a website.

If you had a flash crowd, all you had to deliver, there was the HTML and we would deliver the objects. That was our first product.

Ashish Rajan: So what made that shift to your security company?

Andy Ellis: So we move to the next product after that, which was called edge suite. And that was the one where you see named the domain to us.

And we would deliver the HTML. Like we just did that just to deliver the HTML. And then we looked at it and we said, you know, There are these events that keep happening that look a lot, like DDoSs attacks, they’re called flash crowds. Like whether it’s, you know, somebody has a hot sale or a big news event, like we were protecting websites by offloading all of this traffic.

We said, what if there’s a security service there? Could we just do DDoSs [00:17:00] mitigation. And so we launched that product. That was actually the, the de facto product manager for it. Cause we didn’t have that. So the head of sales looked at me, you know, that they assigned me a junior product manager at the time to work on it.

And you know, we’re going to launch this at our sales kickoff and the. The day before, like it’s going to be a senior product manager is launching every other product and he comes up, he says, Andy, you’re the one getting up on stage. And I’m like, put you have a product manager and he’s looking at me and he’s like, he’s not going to cut it.

This is your job. So I had to get up on stage and like introduce the product and launch the product with our Salesforce. And then along the way, it’s like, Oh, you know, we needed to build a secure product, not a security product, just to be able to do financial transactions. And then we’re doing compliance and we start developing these features and we build tokenization.

So, if you were doing credit card tokenization, rather than the credit card entering into your enterprise to get tokenized, we would just abducted it basically, you know, so it would post a credit card. We would take the credit card number, use the tokenization [00:18:00] API of whoever you’re using for tokenizing.

Get the token back and only send you the token. So credit card never entered your infrastructure, took you entirely out of PCI scope. That was a fun product for a while. And then people decided they would do their own tokenization. They didn’t really want to rely on third-party tokenizes so it didn’t really help that we would pull it off for them.

But so we just kept adding these features and at some points, okay. We added a WAF during operation payback, you know, operation Ababil. We built out more DDoSs defense capabilities and our security revenue just kept growing faster and faster because we had this one thing we could do, I could walk in.

And what’s the hardest part about selling a security pro technology in the non-cloud world is that it slows everything down. Right.

Ashish Rajan: Yup. I remember the annual update as well.

Andy Ellis: You put in a WAF in the last mixer website break because when vendors don’t understand websites, we have websites. So we would walk in and say, we have a cloud-based web that will speed up your website.

And people just didn’t believe it. They’re like, how does that work? And I’m like, I’m built it on top of this amazing performance [00:19:00] service. And it sold like hotcakes. And now when people think about, well, how many people think about buying a box? Cloud is the default, but we were the first people to really be selling that commercially with any success.

Ashish Rajan: This is probably one of those examples where a lot of CSOs or security leaders listening to this may be considering, Hey my company is primarily, I don’t know, in retail or something else completely. And changing that into like, Hey, you could actually have a security product.

Like you could become a product manager in your own company, come up with the product for whatever the company may be, whatever industry they may be in. They could be a security product angle there.

Andy Ellis: Yeah. And that’s the way I looked at my job is that every day my job was to get rid of whatever I was doing.

That if I was doing over and over again. How do I get rid of that work? How do I hire somebody to do it? Because once I know how to do it, I can teach somebody else to do it. That my value was doing things nobody else had ever done.

Ashish Rajan: The conversation that people have about security, not contributing to revenue, it’d being, it, being an expense it’s only true if we allow it to be true, I guess we can definitely look at options like [00:20:00] that.

Andy Ellis: So there are times where you’re literally just spending money just to be clear, like there isn’t some silver bullet that says, like, go find this thing and then, you know, you’ll have no budget woes.

I still had budget woes. But budget was in a growing company where we were growing and the fastest growing find a business was one that I’d innovated.

Ashish Rajan: Perfect. And I love the answer because that makes me beg the question in a pandemic world and CISO’s role, is more and more and more zero trust

what do you think are some of the changes that you’ve seen in the industry that have been bought because of COVID I guess, which maybe CSOs are facing as challenges and you may have seen them as well.

Andy Ellis: Yeah, so I think it really varies where people were you know, for me COVID really was a non event. I mean, personally, it was a huge event just to be very clear.

We had designed our system to support remote and distributed work. The biggest challenge was around the norms of having meetings and conversations and what would we do? But we had built our system for remote work, but I’ve talked to CSOs that they had [00:21:00] never let one employee work from home. Ever, like they didn’t have laptops.

They had desktops because they were cheaper. Nobody could work from home and all of a sudden it’s like, wow, you have to support employees working from home. I knew people who basically were furloughed for three months. While their company argued about whether they would support them in working from home.

You know, other people who had to buy legacy equipment cause they’re like I got a VPN and, but it was only designed for 10% of the company. And now it’s a hundred percent. So I have to go buy every one of these outdated systems. And I talked to one who that basically he was one of the first people to figure that out.

And so he found every single one on the market and he bought them all. Anyway, green businessman. I’m not going to be able to get them anywhere else. And then he, he didn’t, I think he didn’t use any of them. And he might’ve made some friends by, you know, hooking them up and selling them on the side. I don’t know if it was a business line.

But it does remind me of like for a while, it was American airlines that innovated the buying oil futures. For a long time, American airlines made its entire profit was on reselling jet [00:22:00] fuel to other airlines. And then all the airlines now do that. So if you actually look at many of the airlines, a lot of their money is in come on.

They don’t want to be subject to like a spike in jet fuel prices today. So they’re going to buy it out in advance. And now, I don’t know, it feels of it, but like, those are the, that’s the sort of example of somebody thinking outside the box and saying we’re not just an airline, we’re an integrated supply chain.

Ashish Rajan: And to your point, it kind of goes back to the, having a security product as like, if that’s the way that’s where your expertise is, you could look at that opportunity that they might be a security opportunity, even in midst of COVID as well somewhere. How do we do the remote work, but not just do it for ourselves, but make it a service that we make available to other people as well.

Andy Ellis: Yeah. So think about like how many people are podcasting more maybe than they were before, or have, you know, amazing equipment. Like literally I did not have a sound room like this a year and a half ago. Like this was built during COVID so that I could do conferences and meet with customers and has like this, you know, better audio quality.

Ashish Rajan: The role [00:23:00] of a CSO, has that changed? What kind of qualities does someone need to be a successful CSO.

Andy Ellis: So it’s really, again, going to depend on the environment.

I don’t know. I’ve said that like seven times, but I don’t think I can say it too many times. So that’s one piece of it, but you have to recognize that as a CSO, you are not a technician. It’s okay to have technical expertise. I have some amazing technical expertise. Although I have some people who will tell you it’s merely mediocre that’s okay.

Because it doesn’t matter how deep it is what’s limit you is do you understand how processes work? Can you design them? Can you understand how to work with people? We talk often about hard skills and soft skills. I hate those phrases. I’ve just used them as touchstones there’s technical skills, which is how you change the world through your own willpower.

There’s people skills, which is how you convince other people to change the world for you. And there’s process skills, which is the hardest, which is how do you convince people that you’re never going to meet to continue to change the world on your behalf. And those are powerful skills that you really need to understand.

You’re going to roll out [00:24:00] some new initiative and you have to understand how is everybody in the company going to react to this new program? And how many of them are going to sabotage it because it’s a disaster that doesn’t understand them.

Ashish Rajan: Yep. I imagine rolling. 2FA to everyone for the first time , in a company that’s never done the 2FA before, cause that doesn’t require a technical skill.

Cause the technical part of it super easy,

Andy Ellis: easy part. Like now it’s the process of you. You got to roll it out. But what we found is that because we rolled it out in a way that made it easier for our users. It was our users that would actually force the rollout for us when somebody would roll, like stand up a new web service, like, and they just connected active directory to it.

I would get an email probably within two or three days from one of our other architects, because he’d have to log into it. He’d be like, Andy, why did you let this system get stood up? I’m sitting here going, I didn’t know this system existed, but now I can go chase that down. Right. And I’d go look, and I just reach out to a VP and I’d say, Hey, I don’t know what your folks are doing, but here’s the way to do it.

Right. And they’d be like, okay, great. I’ll go take care of it. There you go. [00:25:00] And that’s because I understood the people in the process, the technical was the easy part.

Ashish Rajan: I’m glad called out the people process technology part as well. And. I’m gonna switch gears a bit as well, because outside of just being a CSO for Akamai, now you’re just trying to change roles as well. And you’ve kind of switched into the whole operating partner for a VC fund. Can you just tell us about a bit about that as well?

Andy Ellis: Sure. So I love my job. I’m basically an executive without portfolio inside a portfolio of companies. So my job is to make them successful. Once we’ve been invested money in one, in a company and we have 10 or 11 companies under in our portfolios right now, my job has helped them be successful, whatever that looks like.

I was just in Israel, you know, meeting with the head of HR for one of them. That was the only reason I was there, there, but sitting down just to walk through, how do you build a strong US presence? How do we build culture? Because it’s a small, tight knit Israeli group, and then everybody in the U S is working in a different city.

And it’s fantastic. They can hire people wherever they need to, but there isn’t a [00:26:00] US office and they’re very worried about culture. So it’s, I’m sitting in is a HR consultant because that’s helpful there. I would meet with product managers and talk about, you know, what should be the next feature on their roadmap.

And, you know, they’d walk through the roadmap and then grill me. I sit down and I get the sales pitch. Every one of our companies gives me their sales pitch and I am brutal. I am probably the hardest person they’re going to give the sales pitch too. Cause I’m going to critique everything about the pitch.

How did I make it better? So at the next CSO who walks in, won’t be like, Oh, I don’t like that, but I’m not going to tell them. Right. I don’t want to have that moment. So I would rather, and literally I’ve done things like you have the same image on two slides and there are pixel apart. And I noticed you clicked forward in the image.

Just moved a little bit. You got to fix that. And they’re like, how did you notice that? And I’m like, because I noticed that sort of a thing, that sort of thing, anything. From, you know, engineering. I mean, I’m not writing code for anybody because nobody needs me to write code anymore, but I love this job.

And you know, we don’t have that many companies under our [00:27:00] portfolio. We’re a seed round venture capital firm. So for those who don’t understand how sort of venture capital works basically give people money across the course of their growth. So seed is the first round, and then they’re basically labeled a through whatever you, hopefully you don’t get into like And so what happens is, you know, you sell part of your company in exchange for money.

And so people, you know, some amount of money, we get ownership of part of the company. We then our job is to make them grow. It was a seed round venture capital firm. We’re not investing in companies, we’re investing in people so they can build companies. And so our job is to help them build the company.

And so we provide marketing support, business development, you know, researchers. So if they say, Hey, we’re, we’re interested in that addressable market. You know, we have some amazing researchers in Israel who will go, you know, research the market, figure out who all the competitors are, go talk to CSOs to figure out, you know, what do they really care about in that market?

And write them a research report. No, that’s just because they’re, they’re part of our portfolio. That’s not [00:28:00] like an added service. That’s just value add for how we’re going to get them to be a leader in their market.

Ashish Rajan: Worthwhile calling out why, you’ve been specifically calling out Israel.

Cause I think so the company focuses on Israel. Right?

Andy Ellis: Yep. That’s our focus is Israeli cyber security firms

Ashish Rajan: Because as we have a huge community Israel as well, so I’m sure they’re listening in some of them, or most of them may have already got a startup as well.

Are these companies like security companies or are they like the ones that you’re advising to or are they non-security.

Andy Ellis: Yeah. They’re so the ones I’m working with are generally all security. I think we have one non-security active company in our portfolio, which is RideVision, which actually I think is sort of a safety company.

It’s about providing vision assistance for motorcycle operators to tell them what’s in their blind spot and has fascinating user experience issues. It’s not like you can give them a computer screen because you need while they’re there bike riding. So I love ride vision. They’re fun, but almost everybody else is in the security space.

Because that’s where we have the expertise, you know, going to introduce them [00:29:00] to, you know, our advisors. We have a hundred CSOs who are advisors to the fund. So the part of the thing is there we’ll, we’ll say, Oh, Hey, we think this is interesting and get, and, you know, help them with that.

Ashish Rajan: If your cybersecurity companies and CSOs advise those that are being given out what I wanted to call out over here is cause a lot of CSOs, when you kind of look at trajectory for a lot of CSOs, for a certain industry, you go on to become CISO of another industry.

That’s usually the trajectory for a lot of CISOs in terms of What do I become next after a CISO? So this is probably not. That heard of, so what made you go into this? And what’s exciting , you already mentioned the being an executive without a portfolio, but what are some of the challenges in here that you see, which are probably not the same from a, that kind of enterprise?

Andy Ellis: Very different, because I’m not actually responsible for anybody’s security, sort of, other than my own, although it doesn’t stop me from providing advice and guidance. But it’s, I work with, you know, the security teams or whoever’s responsible for security, you know, I’ll talk with them, [00:30:00] but that’s not my principal role.

My principal role is how do I model what a CSO wants. So right. When we, when we bring in companies and I’ll often meet with companies before we invest, I’m going to, I do help vet them a number of our advisors. Also do that. And I look and say, is this something anybody’s going to buy? Because if nobody’s going to buy this from you, like, we don’t want to put money in it.

A lot of our time and energy in something that isn’t going to change the world, which is ultimately what my mission is, is how do I make the world better? And I think that’s the place where I can have an outsized impact, frankly, even more than the impact I had securing planetary scale CDN. Which I’ve already done.

So it’s not like, yeah, I have to start over too though.

Ashish Rajan: In this new role where obviously the challenges are slightly different, but starting a cybersecurity company . Security is already on top of the list, I’m assuming you’ve seen through a few already, what are some of the patterns that are standing out for you? Because I imagine the community who’s listening to this and especially from the Israeli cyber security space, they might be going are there obvious patterns that you may have seen that people are doing [00:31:00] wrong?

And just because clearly my problem is the best problem to solve.

Andy Ellis: Yeah. A lot of people have that, you know, we’ll, I’ll sometimes see people who you know, they have this great idea, but it’s first space they’ve never worked in. And like, sometimes they think there’s an easy solution because they’re on the outside and sometimes they’re right.

But a lot of times they’re really wrong, but. I think of security features as being like bricks that you’re in, like build a city wall with much. I hate the city metaphor because the cloud looks nothing like a city, but let’s just pretend and say, if you’re going to build a wall, there’s really sort of four dimensions you care about.

Right. There’s the linear length of the wall. Like, are you covering everything? And often I see people who don’t think about that. They’re like, Oh, I have this brick. I’m like, sure. But if I have to put this brick on every piece of the wall all around, like, think about like, Axonius right. That’s literally, that’s what they do is they find your entire wall for you.

But if I have to argue with somebody every time I’m going to lay down a new brick, that’s hard, but that’s going to security program. If it’s not easy to integrate it scale. Right. So that’s one [00:32:00] area, second area, I think of sort of vertical things about sort of how comprehensive is your security. Like, if you’re just telling me one brick, I got a security feature.

Even if you could drop it on everything, like how much work do I have to do to add one brick in height? If I got 20 bricks instead, like that’s more powerful than one brick. So things that have more comprehensive security coverage rather than just one thing. And then of course, like depth. Think about the context what’s behind the wall.

Like, I don’t want to build a thousand foot wall in front of like my daisies. I got a ton of daisies. Like I don’t need to protect them from you. But where my treasury is, maybe I do want a really tall wall. So what’s behind any piece of the wall so that if the wall is thin, I know that that matters and I should do something about it.

And then of course, across time, you want to think about, you know, how has continuity happening? Is this Walter King? Is it growing better? Like, what am I going to have to do a lot of security products that I’ve run into in my career lasted for two years. And then you had to rip it out and buy a new one.

It’s like, wow, I kid you not some of the threat intelligence things. [00:33:00] We’re like, Oh yeah, put this in. And it’ll identify, but it brings out a hard coded list of botnets. No bot net lasts that long you work fooled. Right. You bought it. And then two years later they’re like, Oh, you should buy our upgraded service.

And I’m like, I’m not falling for that one a second time.

Ashish Rajan: This kind of makes me think if people are trying to solve problems that they may not have had themselves, it kind of makes me also question are there one or two cloud security companies that are maybe in may in your portfolio that you may be excited


Andy Ellis: So I’m excited about all of them. There’s one of those dangerous questions it’s like, do you have a favorite child? I’m going to go for I’ll name two of them right now that I really enjoy. One of them people probably heard about and one they might not have. So I’ll go with, when you probably heard about, which is Orca.

So Orca security is basically taking the problem how do you secure in the cloud? So whether an AWS Azure, GCP, like you don’t want to deploy an agent on everything. So they came up with a model that does side scanning, you know, connecting your admin interface, look at all the snapshots and give you that context to tell you .

Which vulnerabilities matter, like [00:34:00] you haven’t updated 75 machines, but one of them has a database behind it that has PII in it. So maybe you should go update that one first because you have an imminent compromise. So that’s one of my favorite ones, just because it’s so easy to integrate and see value, but it’s not this cost to get lateral coverage.

Another one, which a lot of folks haven’t heard about it’s MetaGate their in their clinical zero trust network. Approach that basically, you know, the big challenge, if you’re in healthcare is in the clinical environment, you have PCs and you have medical devices that you can’t update. He was just trying to understand like how you do your rules to do Netflix.

Segmentation is almost impossible. And so their model is basically they drop a virtual device or. We are hardware into those networks. They map the whole network for you, and then they can tell things, do things like, tell your vulnerability scanner, please don’t scan those five machines. Cause you really don’t want, you have that pacemaker to like reboot because you’d port scanned it.

And so it’s a really fantastic models of very perfect for that to healthcare [00:35:00] clinical settings.

Ashish Rajan: I’m definitely gonna check on both of them, but I think I love the one where you’re talking about ease of integration is the key in both scenarios. It sounds like. Yeah. Maybe the specs, the question that a lot of CSOs may be listening to this and going actually hard was how does someone get into the space that you are in?

Like what their special skill sets that you had to, obviously you were doing a CISO role for some time already, but are there like specific skills good or just being a CISO is good enough to start applying for these kinds of roles.

Andy Ellis: So I think this is the sort of thing that if you said, Hey, I wanted to do this role.

I would recommend that you start about five years before. To build her same thing for anything. Like if you said today that you, you wanted to go to be a sports reporter, you wouldn’t quit your job and go apply to be a sports reporter, right? You’d say, Oh, I should start studying whatever sports I’m going to go.

Do. I should be doing these things. Same thing, wanting to move to the VC world. Then you start working in the VC world, doing something a little gentler. So, like I mentioned that we have like a hundred advisors. [00:36:00] I used to be one of the, those advisors I’ve been doing it for four years. And so I sort of was always done that I could provide value here because I could meet with these companies and they would say, Oh man, this is great value.

And Hey, we want Andy to be a direct advisor to this company. So I’m an advisor directly to a number of the portfolio companies, even before I became an operating partner. So that’s sort of is what you need to do because in this space, you know, people here there are very fast moving. They really want to know that you’re going to bring value that this isn’t really a retirement gig.

Even if it might look like one. You know, but it’s, it’s a fun job. I love it.

Ashish Rajan: Wait. So are there sales elements to this as well then? Or is more, you’re still doing the same thing that say If I’m a CISO. So I’m doing the same thing as I was doing, but now I’m just zoning in on. What this ever has solved my problem in the years that I’ve worked in CSO, is that how

Andy Ellis: do that?

And then, you know, if I’m having a conversation with somebody and they’re like, yeah, you know, we’re in cloud and I’m really worried about it. I’m like, Oh, Hey, you know, maybe, you know, interested in hearing about Orca. And if they’re like, no, [00:37:00] look great. I’m done. If they’re like, what is that? I’m like, I keep these one paragraphs in my, in a Google doc.

And so I can just, here’s the one paragraph description of this company. So they can say, Oh yeah, I’m interested in them. Can you introduce me? And maybe they’re on a vulnerability management care and I’m like, Oh, let me tell you about Vulcan. Or you’re, they’re a, an IOT manufacturer worrying about supply chain and their bill of materials.

I can say, Oh, let me tell you about caramba. And so there’s this little piece of it. I’m not on a quota. So if somebody says, no, I’m not hurt. Ah, yeah, look, I know these companies and if you’re interested, I’ll make an introduction. If you’re not, it’s fine. It’s sort of the flip of as a CSO. What I hated was people wouldn’t take them though.

Like most sales conversations ended in a no. And so you just, like I said, if the goal is to get to a no, then get to a no as fast as you possibly can. And if you don’t get to get to the, no, that means there’s probably yes, there, the problem is people who are good at the opposite. They’re trying to get to a yes, but they can’t get there and they don’t recognize that means that there’s really a no under the covers.

Ashish Rajan: That was the last question as well. So I’m sure people would be in [00:38:00] touch with you and get to know a bit more about yourself and how maybe some Israeli companies can have conversations with you or maybe even non Israeli companies and get your insight on them as well. Where can people find you online?

Andy Ellis: Probably the easiest place is Twitter. I’m CSO andy on Twitter also is my website is csoandy.com.

I’m more active on LinkedIn now than I used to be. So you can sometimes find me there as well.

Ashish Rajan: Perfect. I’ll leave those links in the show notes as well, but thank you so much for coming on board and while sharing all the experiences that you’ve had over the years and what you’re doing now as well.

Andy Ellis: Thanks for having me. I really appreciate it. That it was a great time.

Ashish Rajan: Thank you.