Speaker 1:

Welcome to the Cyber Matters podcast. This podcast is brought to you by The Cyber Guild. Our mission is to bring diversity to all levels of cybersecurity in the Greater Washington Area, by unifying allies across the private and public sector, ensuring opportunities are as universal as talent, and continually transforming the industry.

Jamil Evans:

Hello and welcome to Cyber Matters podcast powered by The Cyber Guild. I’m Jamil Evans and I serve as a Cyber Guild board member, as well as co-founder and CEO of Evans and Chambers Technology. The theme for this inaugural episode of Cyber Matters is, Preparing to Launch.

Jamil Evans:

I’m excited for our guests to share their keys to success for startup founders looking to launch new cyber products, services, or initiatives. And now, I’m thrilled to welcome my two guests. They each have a unique combination of distinguished performance in both government, service, and private sector. My guests are Bill Crowell, Former Deputy Director of the NSA, and current partner at venture capital firm Alsop Louie. And Brian Hibbeln, Venture Partner at SineWave Ventures. Welcome guys, and thanks for joining us today.

Bill Crowell:

Thank you. Thanks for inviting us.

Brian Hibbeln:

Thank you, Jamil. I look forward to the discussion.

Jamil Evans:

Thank you. Thank you. So Bill, I guess we’ll start with you. You have a very impressive background. Before being CEO and board member of many firms that have achieved successful exits, you worked your way up to be Deputy Director of the NSA, which I just find extremely impressive. Where did you get that drive? Honestly, was it from how you were raised to make that rise in your career?

Bill Crowell:

It’s an interesting question, and I think you’ll find the answer rather interesting as well. At age 16, I actually got elected to be the president of Key Club International, an organization of 65,000 young people at the time. And my first trip was the trip to Europe behind the Iron Curtain with a lot of very prominent people, including the mayors of cities and the heads of magazine and so on.

Bill Crowell:

So I got a rather rocket start on my career. And it prepared me for going into industry and going into government I think in a very different way. I was hobnobbing with four-star generals when I was only 16 years old. That was fun. But then when I went to NSA right out of college, NSA is very unique in that it offers you an opportunity to do just about any job and you can move from job to job throughout your career. You don’t have to stay in one place and do one thing.

Jamil Evans:

Awesome. Well, thanks for that. And Brian, you’ve had a distinguished career yourself. I’m curious to hear more about that. But in preparing for this podcast, I ran across the book, Riding the Monster. And I understand you’re featured in the first chapter of that. What a great title for a book. But I have to ask the question, how did you get identified to be in this book? And what kind of monsters have you written?

Brian Hibbeln:

Yes, the monster in this case in the book refers to any large bureaucracy. I’ve had 30 years of government experience, which I just ended last December, but it can be any large bureaucracy such as a corporate situation. And I guess my drive have also started in my youth. I had two great parents, a school teacher and an engineer, and they just fostered my thirst for knowledge and learning.

Brian Hibbeln:

And when I went to the Air Force Academy, I just was constantly challenged and I really started to learn and understand that focus on the mission. And that focus on the mission really has guided me throughout life. And I found that if you stay focused on that mission, all of the other little things, the personnel matters and funding and finances, they all fall into place.

Jamil Evans:

Oh, that’s impressive. If you could just share one takeaway from the book in terms of, let’s say am a startup founder and I’m looking to do some business with a large organization, what would you say would be one of the keys to success?

Brian Hibbeln:

That’s an easy one because the point of my chapter is give the monster the credit. If you try to fight for the credit, you’re never going to succeed, but if you give the monster the credit, let the monster be the best idea he ever had, then you’ll always be successful.

Jamil Evans:

That sounds like a hard thing to do, but it sounds like a very wise advice for sure, definitely. All right. Now, you both are currently partners at Venture Capital firms. And so you can provide a lot of insight to our listeners that are preparing for their launches and whatever they’re looking to do.

Companies working in their garage, whether they’re going after their series A, they’re looking to launch their IPO, I think they can all benefit from the advice that you guys can lend. But so when you’re evaluating startups, specifically in the cyberspace, what are some common traits you’re looking for when you’re deciding whether to invest or not? I guess I’ll start with Bill.

Bill Crowell:

Okay. Well, since there are about 3,000 cybersecurity startups today, it goes without saying, you have to offer a unique solution to a real problem. And that’s hard to do when they’re 3,000 folks out there yelling at the top of their lungs that they have the best solution.

Bill Crowell:

So marketing is a very big challenge in the cybersecurity industry because it’s a very noisy industry. Uniqueness is a very difficult problem because there are very few new cybersecurity problems. There are new twists on them. Like ransomware is a twist in the way you use encryption against somebody instead of for somebody. Phishing is a unique way of gaining entry because you can’t train people really effectively. You can train people to avoid really sophisticated phishing attacks, particularly spear phishing attacks and so on.

Bill Crowell:

And so what you’re looking for is a unique way of treating a problem, something that is easy to integrate into your networks and these days into your cloud operations, and something that integrates with all of your other solutions so that you have a more complete picture of what’s going on in the cybersecurity world that you live in.

Brian Hibbeln:

And Jamil, I think that flows right into my thoughts quite well is, many times we meet a company and they’re really just giving us a feature, a very single purpose, single use capability, and I will tell them, “Well, this is a feature. This is not a company.” A company needs a robust end-to-end solution. And as SineWave really does focus just on enterprise IT, it really needs to be scalable too. If it’s something that’s not scalable and not a complete solution while there’s so many other of those 3,000 companies that Bill mentions in the market, that they’re probably not going to succeed.

Bill Crowell:

And you’ll recall, Brian, that I have this favorite quip where I refer to the cybersecurity industry as a 1,000 points of light and no illumination?

Brian Hibbeln:

Yeah.

Bill Crowell:

[inaudible 00:07:36]. That’s the thing they have to avoid. They have to have more than a point solution.

That makes sense. And I find it striking that both of you guys have had careers in government and in large bureaucracies that have lots of needs and make lots of purchases each year. How has that background working for the large government industry, how’s that helped you in your role now as you look at firms to decide who to invest in?

Bill Crowell:

I’ll let Brian go first this time.

Brian Hibbeln:

I think the companies we choose to invest in are the ones that have more than just a feature. They have a collection of capabilities. They’re very scalable. And as I started off this talk, they’re really focused on a mission. They have one mission in mind and stay they focused on that mission. And we’ll talk a little bit more later about how that mission can lose focus when you switch between government and commercial customers.

Bill Crowell:

Well, and I would add to that that while I agree they have to have more than one feature, the thing that turns me off very quickly in any pitch is someone who says they solve every single problem in cybersecurity. That’s virtually impossible. Quite frankly, most of the large corporations and of course, government, which is quite large, have hundreds of solutions that they’ve bought that are sitting on shelves because either they don’t work, that’s one possibility, but another big possibility is, they don’t have the people who really know how to operate those particular products or they can’t keep the people that know how to operate those products.

Bill Crowell:

I was on the board of ArcSight in the early days of ArcSight’s rocket growth, and one of the things that kept interfering with its growth was the fact that it was a complicated product and people had a hard time hiring the kind of people they needed to operate that particular product.

Jamil Evans:

So I recently had a conversation with an executive at a venture-backed startup management company, sorry, data management company. And I really think that their product will be good for the public sector given my own experiences in serving government customers with their data challenges. But it turns out that their leadership has determined that they are under no circumstances to do business with the government.

Jamil Evans:

I think from their perspective, it’s a little bit of a distraction from their focus on Fortune 500 companies, but also there’s some things about the government that just don’t move it quite as fast as they do on the commercial side. So given that you guys have experience on both sides and probably have helped drive innovation within government, what are your suggestions for companies struggling with this question of whether to do business with the government or not start? I’ll start with you, Brian.

Brian Hibbeln:

Yeah, I think the most important thing is to realize what those limitations and challenges are. And then really you need a dual strategy to work with both the government and commercial partners. Some of the challenges in working with the government, it can be very long to actually close a deal. There’s a lot of people that can say no, but not many people that can say yes. The contracting process is slow and laborious. And the budget process for our country can also get in the way, things like continuing resolution or not getting the authorization or the appropriations that you need.

Brian Hibbeln:

And that’s why I think you really need to understand each of those steps in the process and where the delays and problems can come in and any one of those can kill a small startup. So my recommendation usually to small companies, especially if they have a commercially viable product, is to build your product there first. Go to the commercial market. Then when you got a shrink wrap product that’s ready to go, then you’re ready for government sales. And when you get those lulls between budgets or lulls between program managers, you can fall back on those commercial sales and marketing.

Bill Crowell:

Well, and to add something rather different to that, one of the important lessons that most startups learn very quickly is that government is not all alike. Every agency has different kinds of people, different kinds of missions, and different kinds of systems. And so not only is it time-consuming unless you happen to be lucky enough to connect with Brian when he was there, but it’s time consuming, but it’s also challenging because you’re trying to take your product, which is hopefully shrink-wrapped and tune it to the needs of particular agency and their mission. And I guarantee you, the DoD is very different from the intelligence community. And the intelligence community is very, very different than commerce department or state department or any of the other civil parts of government.

Bill Crowell:

Important lessons along the away though, you need a champion or actually you need more than one champion in the government to be successful. You need a technical champion, you need an operational champion, and you need a fiscal or budget champion. And if you try to make it with just a technical champion, I guarantee you, you he’ll get reassigned right in the middle of your procurement and you won’t succeed.

Bill Crowell:

So climb the ladder and be willing to spend the time to make it work. One thing that is said very often about connecting with the government in particular with cyber work is, once you’re in, you are in unless you discontinue your ability to perform. They will keep you as a product as long as it performs their mission.

Brian Hibbeln:

And on the defense side, I would call those champions as Bill referred to them as the Renaissance soldiers. They got to be willing to fight the fight, do their job they’re doing today, but take on those additional duties to bring in new capabilities, foster a capability or a cyber company through all of those hoops and wickets to actually make something happen. And that really does take a special person and they can be sometimes difficult to find.

Well, and in this one last small point, and this won’t be a popular thing for me to say, but the pathway in in most cases is not through a system integrator, but unfortunately they are the ones that have most of the contracts. If your product is going to make an agency more efficient, more effective and reduce the number of people they need, that’s not very popular with system integrators who get paid by the full- time equivalent personnel that they furnished to government.

Jamil Evans:

Makes sense. On a slightly different topic, The Cyber Guild, which is the sponsor for this podcast, we have a national coverage, but initially we’re going to be focusing in and we are focusing in on building and strengthening the cyber workforce in the DC Metro area. So including Maryland and Virginia. So as DC area residents yourselves, what is your perspective on the shortage of local cyber talent and what are some ways we can maybe improve our standing? Bill, would you like to go first?

Bill Crowell:

Yeah, I think I will. First of all, there was a time when there was not a shortage of cyber talent in the Washington area. It still is in my mind the largest cadre of cybersecurity trained people in the country, but we are facing severe shortages in cybersecurity professionals. The Commerce Department and the Department of Labor got together and did an assessment. And their latest assessment is that we have about 400,000 jobs in the United States in cybersecurity that are unfilled and provide that number is a million and a half or more.

Bill Crowell:

The shortage is real. One of the things we need to do is quit thinking that there is a set model for how you find and train cybersecurity specialists. We have 12 year olds who are attacking our systems. And so I think there’s a very large cadre of people who are capable of learning cybersecurity and using the tools that we have today in cybersecurity, but we have to be more flexible in training them, and we have to have more ways of getting them into the training. I was pleased to see Cyber Command established because that’s a new way to train a lot of cybersecurity professionals and then move them on into the civil workforce over time.

Brian Hibbeln:

And I think one of those nontraditional ways in which they could do it and the government is always a little reticent, but really through public private partnerships, through outreaches to the local universities, through outreaches to industry. The Defense Department in particular has made some efforts in this area. They’ve established DIU. They have offices around the country. They have NSIN one of the units tied to DIU in the local DC area. There’s AFWERX, there’s SOFWERX. We’re seeing more and more of these opportunities for outreach.

Brian Hibbeln:

And I think as the DC area is really developing this potential here, there’s a great opportunity to leverage not only the local governments through something like Cyber Guild, but also the national government and the agencies there. And I think it’s really going to take effort on both sides. Both the government’s going to have to outreach and propose these forums, but then we need folks like that from The Cyber Guild to then to reach back and help create those public private partnerships because it’s everything from at the beginning in the education to training, to opportunities, to advancement in their careers.

One of the things that’s happened in the last 10 years that’s very important is the establishment of CISA, the part of DHS that deals with cybersecurity and infrastructure protection. In the beginning, it was a hard schlog for them. I think they’ve come an extraordinary lead long way. The leadership of CISA, particularly Chris Krebs, former leader in the Trump administration and Jen Easterly, the current head of CISA, are people who really understood cybersecurity.

Bill Crowell:

Jen’s not only a West Point grad, but a former Cyber Comm Senior Officer. And the fact that they come from that world means that they also are working very well with the intelligence organizations in particular NSA who is or DoD and the Intel community, the cyber leader. So we have a chance through those partnerships to actually affect the public private partnership. When it was just NSA, there was no hope of that happening because of the Intel nature of what they do. But it now there’s a way of moving information from classified to sensitive, to unclassified and be able to share information with the private sector.

Jamil Evans:

So both of you are investors and you both focused on some cyber products. So you see a lot of innovative ideas and innovative concepts. Now, please, would you share just a couple, one or two of the startups or ideas that you’ve come across and maybe why you selected them for investment?

Brian Hibbeln:

Sure. I’ll jump in there. Sentinel-1 was one of the earlier investments from SineWave out of our fund one and they did amazingly well. Another company that we have just as high hopes for is called Rescale.

What Rescale does is, they allow you to do high performance computing as a service. In the days of old, the company would have to buy the super computing capability or rent it from a national labs, but now with the advent of all of the web-based applications and capabilities to do processing in the cloud, they’ve turned that model around and made high performance computing as a service.

Brian Hibbeln:

And in a lot of the growing defense areas such as hypersonics and conjugation of satellite calculations, a lot of those new technologies require this high performance computing capability. And rather than a company having to acquire it organically and build up and maintain a system such as this, it can now be performed as a service. And that’s what Rescale does is, it turns that model around and provides high performance computing as a service. I’ve been really impressed with them. I see very aggressive growth for them in the coming years. And I encourage everybody to take a look at them.

Jamil Evans:

Thank you. Bill?

Bill Crowell:

One of the companies in our portfolio that I think fits this bill is a company called RunSafe. It’s a very young company. It’s already got an established footprint in DoD. They are beginning now to expand that product set to do more than one thing, which is very important.

The original product was essentially something that hardened the code of binary or source code products. Particularly for DoD, those things that were still running in old operating systems. That was an important way of getting a really big boost in security very quickly with minimum disruption in terms of software rebuilt, which is very often quite difficult.

Bill Crowell:

Now they have expanded that product where it gives people the opportunity to build their software with open source modules that are already prehardened to then build additional hardening around their entire development operations, their DevOps, and put also alarms in the system that tell the person when the system is either crashing or it’s being attacked. And that means that there’s an opportunity for people to have early warning about soft for vulnerabilities, and in particular, that works well in cloud environments with containers and all of the new ways in which we do computing.

Bill Crowell:

In my own portfolio, I have a company called Cybertron. It’s focused on threat analysis that is trying to get the latest information on threats and how they plan to attack systems. The really amazing thing is that they’ve built this completely in a artificial intelligence and machine learning environment. So for example, they go to the dark web. They collect information from the dark web, from cyber criminals and all kinds of cyber operators, including nation states. They automatically translate that material using translation tools, and then they compile and use AI and machine learning to predict which of the common vulnerability exposures are going to be used in the next set of attacks. And they’ve been very, very good at predicting, in one case, 24 out of the 25 that NSA published months ahead of when NSA published them. So real promise. And we have another company called LookingGlass that is in the thread area and it’s also very awesome in terms of its capabilities to serve the government’s interest in particular they are the prime contractor for threat information for DHS.

Jamil Evans:

Excellent. Thank you for that. Okay. So from my last question for you both today as we wrap up, what is your hope for the cybersecurity field industry for 2022? What are you looking to get done next year?

And what do you hope for the entire sector?

Brian Hibbeln:

I’m very optimistic. I see next year as being a growth year for us, both in the public sector and the commercial sector. I think ransomware is on the rise and people really now better understand the need for cybersecurity, everything from businesses to medium, to large businesses. I think the recognition is now there. And I expect the funds to follow.

Brian Hibbeln:

Another company that I work with and on the board of is Whitehawk Security. And they exemplify that in terms of trying to find those cyber solutions for the small and medium sized business, which many times get lost in that shuffle. And they want to do it in a very simple, easy approach, such as a TurboTax model. You answer a couple questions, you say what’s important, and then they can help you prioritize those needs and select the right products.

The thing I would add to Brian’s comments is that there really are three vectors that are growing and they’re getting worse and we need solutions to them. And they are one that he mentioned ransomware, which is horrible. It not only is a source of income for cyber criminals and some nation states I might add, but it also is quite destructive. It could be used by nation state to destroy industries just like the Colonial Pipeline thing was very destructive for the United States.

Bill Crowell:

Phishing is another of the big problems because it’s an enabler. It enables you to collect credentials. And so zero trust is the way that we’ll probably work our way out of that. And then the final thing is the APTs. And we are developing a lot of AI and machine learning approaches to doing malware detection and remediation, which is extremely important.

Bill Crowell:

So I see the industry continuing to expand with new technical solutions. One of the things I don’t expect to see is, I don’t expect see a lot of consolidation. There will be some. There will be some really remarkable M&A events, but there won’t be a huge reduction in the 3,000 startups that we have today.

Jamil Evans:

Excellent. Well, thank you both for joining me today on Cyber Matters.

Speaker 1:

Thank you for joining us for another episode of Cyber Matters brought to you by The Cyber Guild. You can find us at www.thecyberguild.org. If you like this episode, please download and subscribe to this podcast. And check back for more episodes featuring employers, economic development agencies, policy makers, leaders, and professionals in the cybersecurity industry.