Cyber-entrepreneurship in the age of CyberAI. [CSO Perspectives] - CyberWire Daily

Summary5 min read

Podcast Summary: CyberWire Daily – "Cyber-entrepreneurship in the Age of CyberAI [CSO Perspectives]"

Podcast Information:

Title: CyberWire Daily
Host/Author: N2K Networks
Description: The daily cybersecurity news and analysis that industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations worldwide.
Episode: Cyber-entrepreneurship in the Age of CyberAI [CSO Perspectives]
Release Date: November 18, 2024

1. Introduction

The "Cyber-entrepreneurship in the Age of CyberAI" episode of CyberWire Daily delves into the evolving landscape of cybersecurity entrepreneurship amidst the rapid advancements in Artificial Intelligence (AI). Hosted by Rick Howard and featuring insights from Kevin McGee, the episode explores the intersection of innovation, AI, and cybersecurity, highlighting the challenges and opportunities that lie ahead for cyber entrepreneurs.

2. Guest Introduction

Kevin McGee, the Global Director of Cybersecurity Startups at Microsoft, is introduced as a seasoned professional with a rich background in both entrepreneurship and cybersecurity leadership. With experience at prominent organizations such as Citrix, SPLUNK, Palo Alto Networks, and Microsoft Canada, Kevin brings a comprehensive perspective to the discussion. His role involves collaborating with academics and researchers to commercialize innovative cybersecurity ideas, assisting startups in achieving product-market fit, and guiding organizations in quantifying risk and ROI for effective governance controls.

3. Main Discussion

A. The Mission and Role of Cybersecurity Entrepreneurs

Kevin emphasizes the profound sense of mission that drives individuals in the cybersecurity community. He highlights that while traditional defenders may focus on triaging alerts, cyber entrepreneurs contribute by exploring innovations and building new products that advance the field. He states:

"If you are a cybersecurity entrepreneur out there listening right now, please know I have the greatest respect for the work you do and believe we need you now more than ever."
— Kevin McGee [04:55]

B. The Impact of AI on Cybersecurity

Kevin reflects on the transformative power of AI, referencing the rapid proliferation of tools like ChatGPT since its public release on November 30, 2022. He observes that AI has not only revolutionized various industries but has also introduced unprecedented challenges and opportunities within cybersecurity at an unmatched velocity.

"AI transformation of everything... demands much quicker, even more resilient responses."
— Kevin McGee [09:28]

C. Investment Thesis: Automation, Remediation, Governance

Kevin outlines his investment thesis for cybersecurity innovation over the next three years, focusing on three core areas:

Automation:
- Objective: Enhance the efficiency and resilience of security teams through AI-driven automation.
- Insight: Automation can eliminate tedious tasks, allowing defenders to focus on strategic initiatives rather than repetitive actions.
- Quote:
  
  "Real innovation will lie not in making current tools, techniques, and procedures faster, but in reimagining how AI can transform our approach entirely."
  — Kevin McGee [12:15]
Remediation:
- Objective: Develop AI-driven solutions to automate the remediation process, addressing the scarcity of skilled cybersecurity professionals.
- Insight: Automating remediation can bridge the talent gap and ensure organizations can recover swiftly from cyber incidents.
- Quote:
  
  "Remediation holds the greatest promise for delivering substantial returns on investment for both entrepreneurs and their customers."
  — Kevin McGee [15:40]
Governance, Risk, and Compliance (GRC):
- Objective: Innovate governance frameworks to keep pace with AI advancements and ensure ethical, accountable decision-making.
- Insight: As organizations become more technology-driven, innovative governance solutions are essential to manage new vulnerabilities.
- Quote:
  
  "How can we develop compliance frameworks that go beyond static point-in-time assessments to keep pace with an environment of exponential change?"
  — Kevin McGee [17:05]

D. Historical Context and Personal Journey

Kevin shares his personal journey from a history degree to becoming a cybersecurity entrepreneur, illustrating how early exposure to technology ignited his passion for innovation. He recounts his first encounter with a computer at nine years old and how this fascination led him to start multiple companies in the 1990s.

"I became a bridge between the two. I became a bridge between the two [entrepreneurship and cybersecurity]."
— Kevin McGee [08:45]

E. The Future of Cybersecurity in the Age of AI

Kevin expresses optimism about the future, believing that the cybersecurity industry is on the cusp of an epic narrative where defenders can leverage AI to outpace and outinnovate attackers. He underscores the necessity for agility and bold action to navigate the rapidly evolving threat landscape.

"We defenders, the heroes of the story, of course, will need to act boldly, innovate quickly, and stay ahead of the attackers."
— Kevin McGee [17:50]

4. Notable Quotes

Kevin McGee [04:55]: "If you are a cybersecurity entrepreneur out there listening right now, please know I have the greatest respect for the work you do and believe we need you now more than ever."
Kevin McGee [09:28]: "AI transformation of everything... demands much quicker, even more resilient responses."
Kevin McGee [12:15]: "Real innovation will lie not in making current tools, techniques, and procedures faster, but in reimagining how AI can transform our approach entirely."
Kevin McGee [15:40]: "Remediation holds the greatest promise for delivering substantial returns on investment for both entrepreneurs and their customers."
Kevin McGee [17:05]: "How can we develop compliance frameworks that go beyond static point-in-time assessments to keep pace with an environment of exponential change?"
Kevin McGee [17:50]: "We defenders, the heroes of the story, of course, will need to act boldly, innovate quickly, and stay ahead of the attackers."

5. Conclusion

The episode "Cyber-entrepreneurship in the Age of CyberAI" offers a comprehensive exploration of how AI is reshaping cybersecurity entrepreneurship. Kevin McGee's insights provide a roadmap for innovators aiming to leverage AI to enhance automation, remediation, and governance within the cybersecurity domain. As the industry stands at the intersection of rapid technological advancement and evolving threat landscapes, the collaboration between thought leaders and entrepreneurs becomes paramount in driving meaningful and sustainable progress.

6. Additional Insights

Throughout the discussion, Kevin touches upon the historical evolution of technology and its societal impacts, drawing parallels between past innovations and the current AI-driven transformation. He highlights the importance of visionary thinking and the courage to innovate beyond conventional demands, using historical figures like Nir Zuck as exemplars of transformative leadership.

"Nir Zuck, a cyber entrepreneur and founder of Palo Alto Networks, ignored all of the requests to build a faster stateful inspection firewall, and this enabled him to envision and build the next generation firewall."
— Kevin McGee [13:30]

This narrative reinforces the episode's central theme: the critical role of forward-thinking entrepreneurs in steering the cybersecurity industry towards a resilient and innovative future.

End of Summary

Loading summary

Transcript16 lines

[00:02]
Rick Howard
You're listening to the Cyberwire network, powered by N2K.
[00:14]
Dave
Hey everybody, Dave here. I want to talk about our sponsor, LegalZoom. You know, I started my first business back in the early 90s and oh what I would have done to have been able to have the services of an organization like LegalZoom back then. Just getting all of those business ducks in a row. All of that technical stuff, the legal stuff, the registrations of the business, the taxes, all of those things that you need to go through when you're starting a business, the hard stuff, the stuff that sucks up your time when you just want to get that business launched and out there. Well, LegalZoom has everything you need to launch, run and protect your business all in one place. And they save you from wasting hours making sense of all that legal stuff. Launch, run and protect your business. To make it Official today@legalzoom.com you can use promo code CYBER10 to get 10% off any LegalZoom business information product, excluding subscriptions and renewals that expires at the end of this year. Get everything you need from set up to success@legalzoom.com and use promo code CYBER10. That's legalzoom.com and promo code CYBER10. Legalzoom provides access to independent attorneys and self service tools. Legalzoom is not a law firm and does not provide legal advice except where authorized through its subsidiary law firm, LZ Legal Services LLC.
[01:50]
Kevin McGee
Hey everybody. Welcome back to season 15 of the CSO Perspectives podcast. This is episode eight where we turn the microphone over to some of our regulars who visit us here at the N2K cyber wire # table. You all know that I have a stable of friends and colleagues who graciously come on the show to provide us some clarity about the issues we are trying to understand. At least that's the official reason we have them on the show. In truth though, I bring them on to hip. Check me back into reality when I go on some of my more crazier rants. We've been doing it that way for almost four years now and it occurred to me that these regular visitors to the hash table were some of the smartest and well respected thought leaders in the business. And in a podcast called CSO Perspectives, wouldn't it be interesting and thought provoking to turn the mic over to them for an entire show to see what's on their mind? We might call the show Other CSO Perspectives. So that's what we did over the break. The interns have been helping these hash table contributors get their thoughts together for an entire episode of this podcast. So hold on to your butts, hold on to your buts, but this should be interesting My name is Rick Howard and I'm broadcasting from the N2K CyberWire's Secret Sanctum Sanctorum Studios, located underwater somewhere along the Patapsco river near Baltimore Harbor, Maryland in the good old U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. Kevin McGee is the global Director of Cybersecurity Startups at Microsoft, and I've known him forever. He and I worked together at Palo Alto Networks back in the day, and that's where I learned that he is a voracious reader of cybersecurity books. Every time we get together, we get to argue about one or more of them, and I love and cherish that time. Basically, he's a bigger book nerd than I am. He was also around when I started tinkering with the Cybersecurity First Principles concept over 10 years ago now, and he has given me invaluable feedback of those ideas over the years. Right around the time I joined the cyberwire, he went to work for Microsoft as their CSO for Canada. So naturally, when I was looking for experts to come to the Cyberwire hash table, he was one of the first that I invited. He's been doing the startup role for just a few months now, so I asked him to come on to give his first impressions of cybersecurity entrepreneurship in the age of Cyber AI. Here's Kevin now.
[04:56]
Rick Howard
There are plenty of articles by financial journalists or reports by venture capital firms that you can read to find out about the latest hot cybersecurity startup that raised a huge round of funding or what blockbuster mergers and acquisitions happened this week. But that's not what I do. I work at the ground level of innovation in cybersecurity, helping academics and researchers commercialize their ideas. I collaborate with entrepreneurs and founders to achieve product market fit and support startups in finding new markets and customers. I engage directly with security teams and leaders in the field to accelerate innovation adoption, and I consult with business leaders and boards to guide them in quantifying risk and ROI to implement effective governance controls that ensure secure digital transformations for their organizations. My name is Kevin McGee. I'm a former startup founder and former Chief Security Officer at Microsoft Canada. I've been an entrepreneur, a cso, and an early employee at many tech and cybersecurity startups like Citrix SPLUNK and Palo Alto Networks, where I met Rick and now I can add CSO Perspective Podcast Intern to my list of accomplishments. This storied and interesting career has given me a unique perspective on the intersection of entrepreneurship and cybersecurity, which I get to use in practice every day in my current role as Global Director of Cybersecurity Startups for Microsoft. I want to thank Rick Howard and the CyberWire team for this opportunity to share my perspective on the state of CyberSecurity startups in 2024. I'm calling this essay Cyber Entrepreneurship in the Age of Cyber AI. Now this will come as no surprise to listeners to the podcast, and I'm sure that many of you will feel the same way. What first drew me to cybersecurity and what keeps me here is the sense of mission, the unique common bond of our community. At our core, we're all defenders working together to support one another, even if we happen to work for competing companies. While not typical defenders, the entrepreneurs in our industry really do play a unique role in advancing our mission. They may not take a shift in the sock triaging alerts daily, but their work exploring innovations and building new products is invaluable. They make their contribution by exploring new innovations, investing their time, money, energy, and often parts of their soul into building mere ideas into tools, tools into products, products into platforms and platforms in a company. They are hackers too, but in the original sense of the word. The homebrew computer club sense of the word. Just a different sort of hackers. So if you are a cybersecurity entrepreneur out there listening right now, please know I have the greatest respect for the work you do and believe we need you now more than ever. Like many in the industry, my career path to cybersecurity has been unconventional at best and began with a history degree. And I have been lucky enough to have these two great passions intersect on many occasions. All of which began with my first encounter with a real new technology innovation that ended up creating infinite business opportunities and other societal opportunities, but also ushered in the age of the stereotype black hoodie wearing malicious hacker while also launching our hitherto beforehand small and relatively obscure industry into the mainstream, the PC. Now I was only nine years old when I saw my first real computer, a TRS 80 Model 3, through the window of a Radio Shack at a shopping mall that no longer exists. The TRS 80 Model 3, on sale for 799 only at RadioShack and Radio Shack Computer Centers. The Computer Experts I will ask you to pause for A second. Because there really is a lot to unpack about the historical impact of the PC in that last short sentence. I didn't know it then, but I was glimpsing the future. A future that included a PC on every desk and in every house. History was being made literally right before my eyes. And I saw it manifest itself right there in that Radio Shack shop window, in all its 16 kilobytes of RAM, dual five and a quarter inch floppy drives, low resolution glory. And it was glorious. It was this first real chance encounter where I caught the computer bug that would stick for life. I saved enough money mowing lawns and shoveling snow. I should note I'm Canadian, so this is a lucrative business model for a kid on a mission to buy a computer of my very own. My prized and life changing Commodore 64, which is actually sitting beside me on the shelf right now.
[09:22]
Dave
My friends are knocking down my door.
[09:25]
Rick Howard
To get into my Commodore 64.
[09:27]
Dave
It's mind boggling.
[09:28]
Kevin McGee
Commodore 64 lets you play hundreds more.
[09:30]
Rick Howard
And of course the first thing I did was to take it apart and see how it worked. And so I became a hacker. Later, as an undergraduate history student, I logged into what would become the Internet from the windowless Unix lab under the stairs at Brock University. This time, however, I had a little better sense of the historical importance of what I was seeing. As I sent my first emails filled with ASCII art to my friends at other schools, I began to marvel at the possibilities. My fascination with this new technology, or whatever it was, led me to start three companies in the 1990s. Two successful and one. Well. I really don't like to talk about it, but in retrospect I recognize it was a valuable learning experience. And so I didn't follow the traditional hacker to cybersecurity professional path of my generation. I became an entrepreneur. And yet I never felt I left one community for the other. I became a bridge between the two. Years later, I began to see employees bringing their own devices to work. Laptops and mobile phones that they had paid for themselves. They did this because they wanted to use the latest and most innovative technologies that they were already using in their personal lives lives to do their work and to do it better, rather than use the dated Spec limited and lockdown devices provided by the company. As a result, I had the good sense to seek out startups that were positioning themselves for this new BYOD revolution which landed in Silicon Valley to ride the wave of innovation that would found our modern cybersecurity industry. From this experience, I learned firsthand how to hyperscale a startup, but also the unique challenges of bringing something new to market and overcoming the ubiquitous risk aversion that is a unique aspect of our cybersecurity industry, and this often keeps us from maximizing our potentials as defenders. And yet, having lived through all of these incredible technological revolutions and careers, as many of you have as well, I think what we are experiencing right now with the emergence of AI might be the greatest story of our industry yet untold. Seeing Chat GDP for the first time, it was clear that our industry would need to reimagine and reinvent itself. Instead of running out and starting a new venture of my own, I decided to leverage my experience to support the cyber entrepreneur community and drive innovation without the sleepless nights of coding and subsiding on family packs of Ramen noodles from Costco that I remember from my startup days. My first and likely totally obvious observation is that things are moving fast. Since ChatGPT's public release on November 30, 2022, we've entered a new era. AI has rapidly transformed industries from education and healthcare to customer service and everyday life. Even my mom, who has never heard of CNAPP or SASE, knows what ChatGPT is demonstrating just how fast it is spread throughout general society, all in just over 700 days. My next totally obvious observation is that AI transformation of everything, the sequel to Digital Transformation of Everything, has already created both unprecedented challenges and opportunities in cybersecurity, but at a velocity we have never seen before. While we've adapted to technologies like the Internet, mobile devices, the cloud over years, AI demands much quicker, even more resilient responses. Now, the pandemic gave us but a glimpse of this speed of change. However, the age of cyber AI will require a new level of agility. This will require all of us security teams, procurement departments, senior business leaders, boards of directors, policymakers, educators and individuals managing our own careers to think and work beyond traditional linear limits and natural risk aversions to embracing innovation. Because you can be certain that threat actors will not be held back by these constraints to anywhere near the extent we are. What has me optimistic and most excited about all of this tremendous change the speed at which it's happening and the uncertainty it's creating. Well, as an industry, I believe we have an epic and historic news story to write. We defenders, the heroes of the story, of course, will need to act boldly, innovate quickly, and stay ahead of the attackers. And for the first time, I am convinced we have the right technologies in place to out, innovate the attackers, and tip the scales in our favor. This is where the cyber entrepreneurs come in. The question then is what will happen next? And what will the era of cyber AI bring? It's really way too early to tell. I think we're still writing the prologue, not even the first chapter of the story. But don't worry, I've skipped ahead, and here are some of my best guesses and the things I will be watching for as the story unfolds. If I were to sum up my investment thesis for cybersecurity innovation over the next three years in just three words, they would be automation, remediation, and governance. That's where I'll be placing my big bets, and here's why. As an industry, we've made remarkable strides forward in creating tools centered on detection, zero trust and other defensive measures. Yet the future will unfold in an AI versus AI landscape where the ability to automate and deploy AI solutions will be essential not only to tackle complex challenges, but also to empower our limited teams of defenders, enhancing their effectiveness, efficiency and resilience against burnout. This is where the innovative perspective of cyber entrepreneurs becomes a true force multiplier in two ways. The simplest is through automation, eliminating tedious, repetitive tasks which, while valuable, risks merely paving go trails instead of building new highways. Real innovation will lie not in making current tools, techniques and procedures faster, but in reimagining how AI can transform our approach entirely, delivering exponential efficiencies. This is truly our Henry Ford moment, captured in his famous reflection if I had asked people what they wanted, they would have said faster horses. Nir Zuck, a cyber entrepreneur and founder of Palo Alto Networks, ignored all of the requests to build a faster stateful inspection firewall, and this enabled him to envision and build the next generation firewall, creating a leap forward in defensive technology. In both of these examples, the technology and the idea came into existence together in the right place at the right time and were championed by someone willing to choose innovation. Today, my greatest fear is that cyber entrepreneurs will ask us what we want and we will simply respond with phishing alert, triage automation, missing all sorts of opportunities to realize the full potential of AI. Another area ripe for innovation is remediation. Even with all the impressive tools available for detection and defense, organizations continue to experience material impacts due to cyber events. While some progress has been made in automating remediation, it largely remains a labor intensive process handled by a limited pool of highly skilled and experienced cybersecurity professionals. This is a resource that is increasingly scarce in our industry relative to the growing problem. The reality is that we cannot recruit, train or retain enough talent to meet this demand. To address this gap, we must evolve our business operations and culture from merely focusing on security to that of true resilience. This includes comprehensive strategies for remediation, recovery and business continuity. This domain is ideally suited for AI driven efficiencies and invites cyber entrepreneurs to create innovative business specific solutions that are designed to deal with unique challenges that happen right of bang and help organizations survive and recover from the impacts of material cyber events. Among all the potential investment areas, I believe remediation holds the greatest promise for delivering substantial returns on investment for both entrepreneurs and their customers. The third area I'm focused on is governance risk and compliance or grc. Now I believe we are in the opening stages of a new kind of organization and society, one operating with the precision of code. While this brings inherent advantages, it also introduces new potential vulnerabilities that threat actors can exploit. This transformation calls for innovative approaches to governance, oversight and compliance, ensuring that we make sound and ethical business decisions while also maintaining accountability. How can we provide board level oversight for technologies that didn't exist yesterday? How does a CISO assess the risks associated with IAI models that we don't fully understand or can explain how and why they work? And how can we develop compliance frameworks that go beyond static point in time assessments to keep pace with an environment of exponential change? These are monumental challenges, but also incredible opportunities for cyber entrepreneurs to do what they do best, solve unique problems and create something the world has never seen before. Those were my best guesses and some insight into where I'm placing my bets. Now let's talk about some indicators, trends if you will, that will tell me if my bets are on track. Market trend 1 business decision based digital transformation has gone parabolic. Human ability to comprehend and adapt has not. In a quote that seems particularly relevant today, E.O. wilson, the American biologist, naturalist and ecologist known for developing the field of sociobiological biology, said, the real problem of humanity is that we have a Paleolithic emotions, medieval institutions and God like technologies.
[18:48]
Kevin McGee
Modern humanity is distinguished by Paleolithic emotions and medieval institutions like banks and religions and God like technology. We're a mixed up and in many ways archaic. Still archaic species in transition.
[19:13]
Rick Howard
Wilson was born in 1929 and died in 2021. So he had the opportunity to witness firsthand not only the leaps and bounds that human ingenuity would apply to the acceleration of technological advances, but also the ever widening gap between these advances and our very human capabilities and human created institutions capacities to keep pace. The traditional approaches of cybersecurity focus on the technology side of things such as security endpoints and networks. Now don't get me wrong, these tools are and continue to be absolutely necessary, but they are no longer sufficient in an era where AI, cloud computing and the Internet of things devices are exponentially increasing the complexity of security challenges while infinitely increasing.
[19:58]
Kevin McGee
And that's our show. Well, you know, part of it. There's actually a whole lot more and it's all pretty great if I do say so myself. So here's the deal. We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head on over to the cyberwire.com pro and sign up for an account that's the cyberwire all1word.com pro. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus you get a whole bunch of other great stuff like ad free podcasts, my favorite exclusive content, newsletters and personal level up resources like practice tests with Intuit Pro. You get to help me and our team put food on the table for our families. And you also get to be smarter and more informed than any of your friends. I'd say that's a win win. So head on over to TheCyberWire.com PRO and sign up today for less than a dollar a day. Now if that's more than you can muster, that is totally fine. We're all not tech billionaires with lots of money to throw around. So if that's your case, shoot an email to pro2k.com and we'll figure something out. I would love to see you over here at Intuk Pro. One last thing. Here in Intu K, we have a wonderful team of talented people doing insanely great things to make me and this show sound good. And I think it's only appropriate you know who they are.
[21:31]
Rick Howard
I'm Liz Stokes. I'm N2K's CyberWire's Associate Producer. I'm Trey Hester, Audio editor and Sound engineer. I'm Elliot Peltzman, Executive Director of Sound and Vision. I'm Jennifer Iban, Executive Producer. I'm Brandon Karf, Executive editor. I'm Simone Petrella, the president of N2K.
[21:51]
Kevin McGee
I'm Peter Kilpie, the CEO and publisher at N2K. And I'm Rick Howard. Thanks for your support everybody. Thanks for listening.
[21:59]
Rick Howard
Listen.
[22:28]
Dave
The IT world used to be simpler. You only had to secure and manage environments that you controlled. Then came new technologies and new ways to work. Now employees, apps and networks are everywhere. This means poor visibility, security gaps and added risk. That's why Cloudflare created the first ever connectivity cloud. Visit cloudflare.com to protect your business everywhere you do business.