A CISO Helping CISOs: Blazing the Trail with Dr. Ed Amoroso
Ed is a true pioneer as one of the first to officially hold the title of Chief Information Security Officer (CISO). His thirty plus years of service in the industry gives him insight into the ever-evolving meaning of a CISO in a world of constant digital transformation. A veteran in the business, Ed is now intently focused on what he believes will be core to its future: AI.
Episode 1
September 23, 2023
“I think cybersecurity plus AI could be the great leveler… If companies get this right we can create amazing defenses using A.I.”
Dr. Ed Amoroso CEO, TAG Cyber
About Dr. Ed Amoroso
Dr. Ed Amoroso is CEO of TAG Infosphere, a global research and advisory company focused on cybersecurity, climate tech and AI. Ed started TAG Cyber (now TAG Infosphere) in 2016 to democratize research and advisory services, support enterprise security teams and commercial security vendors, and unleash his inner entrepreneur. Business Insider tapped him as one of the country’s 50 leaders “who helped lead the cyber security industry.” He is an experienced CEO, Chief Security Officer, and Chief Information Security Officer (the second person in history to hold the position), Security Consultant, Keynote Speaker, Researcher, and Author of six books on cybersecurity as well as dozens of research and technical papers in major peer-reviewed publications. Ed’s 30+ year career in the telecommunications industry began in UNIX security R&D at Bell Labs and culminated in his roles as SVP/CSO/CISO at AT&T from 2004 to 2016. He has directly served four Presidential Administrations in cybersecurity, and now serves as a Member of the NSA Advisory Board (NSAAB), a Member of the M&T Bank Board of Directors, Senior Advisor for the Applied Physics Lab at Johns Hopkins University, a Research Professor at the Tandon School of Engineering at NYU, and an Adjunct Professor of Computer Science at the Stevens Institute of Technology, where he has taught for the past thirty years. Ed holds a B.S. degree in physics from Dickinson College, M.S./Ph.D. degrees in computer science from the Stevens Institute of Technology, and is also a graduate of Columbia Business School.
Episode Highlights
Transcript
0:24 Introduction
Alberto Yépez [AY]
Hello and welcome to the Forgecast, my name is Alberto Yépez – co-founder and managing director of Forgepoint Capital. I’m delighted to have Dr. Ed Amoroso with us today. Ed is a trailblazer in our industry and we’re honored to have him as a member on our advisory council. Ed has played numerous leadership roles in our industry. He was the very first Chief Information Seccurity Officer of AT&T where he served for many years and helped shaped the strategy and the global infrastructure for AT&T to be one of the leaders in the space. In addition, Ed is now the co-founder and CEO of TAG Cyber, a research institution that helps many organizations and individuals with both cyber security, and climate change issues. In addition, Ed is a professor at NYU giving cyber security classes and was an advisor working with our national security agency – the Department of Homeland Security. We’re delighted to have him here and hear his story and I want to welcome you, Ed. Thank you for being here.
Ed Amoroso [EA]
Alberto, thank you for inviting me.
AY
Let’s get close and personal. The first thing that I want to ask, and many people in the audience will be wondering,aa is who’s Ed Amoroso? What’s your story? Where did you grow up? Tell us the your story from the beginning.
EA
I could probably talk for days about this, but my dad was a computer scientist at The University of Pennsylvania, working on what now would be referred to as artificial intelligence. He was doing this cellular automata work, and it was quite early, kind of machine instructions, little smart machines that would do different things.
I studied physics at an undergrad, but I guess I felt the pull of computing. I really enjoyed that. My dad afterwards said, “Hey, go to Bell Labs.” I went there, joined the Bell Labs, got into a doctoral program, but my dad said, “You want to get into computer security? That’s going to be big.” This was in 1983.
So I joined the Bell Labs UNIX security group. It was like people go, “Gee, how lucky.” And I think it kind of was lucky. My dad had the insight. I got to work with some of the most amazing people in the early Unix days, died and went to heaven, worked in the lab, worked on my Ph.D., started teaching, started doing research – it was great.
The first half of my career was, you literally died, went to heaven. And then one day Frank Diana, who was running the AT&T network, came and said, “You know, we’ve been talking. We’re wondering if some of this security stuff you’re doing,” because I was doing some work with NSA at the time, “could we do something like that to protect AT&T and our network?”
1:45 How Ed Became a CISO
EA
I remember saying, “What would that be?” It wasn’t anything like that, in terms of protecting the network from security threats. I said, “gee, that’s a that’s an interesting idea. I wonder how…” So I did some nosing around. I found Steve Katz at Citigroup and he was doing something. He had a card that said Chief Information Security Officer. And I said, “Steve, what is that?” He goes, “That’s my title. I’m the CISO.” And I took it back to work and said, “Could I do this?” And my boss said, “Put whatever you want on the card” So I had a card printed that said, Ed Amoroso, Chief Information Security Officer. It’d be like the early nineties.
So I think that I might have been the second person. Maybe there were ten others, but Steve Katz was the first and he showed me, I copied him, and that became my work. And so for the last 30 years that’s been my research, that’s been my obsession, that’s been everything I do. It’s centered on trying to make the Chief Information Security Officer more productive. I provide good resources and assistance, and it’s really been my my passion for so long. That’s how you and I became friends since you work on so many of them. That’s my story. That brings me more or less to where I am now.
AY
I was afraid to call you when you were an AT&T CISO. I thought, “He’s so busy. Everybody’s calling him.” But I remember you were so warm and always open to finding more about innovation and finding ways in which we could all benefit from the interaction and weren’t always selling something. But he [Ed] was trying to understand a problem and see how do we solve that solution?
5:30 The CISO Evolution
AY
But given that you’ve gone through so many cycles and faces of the information security industry all the way from research at Bell Labs and becoming the first CISO about AT&T and now looking at the role of the CISO, how has your perspective changed over time – over how the different roles a technologist in a CISO, in an educator, and in an advisor has changed?
EA
It’s a great question. This used to be a nerd thing, be a tech nerd thing – let’s face it. The only reason anybody came to me, is because I knew how to do network security, not because I – Alberto I could barely manage my way out of a paper bag. But it was tech nerds and they sent me to Columbia Business School.
I didn’t know what an income statement was, honestly, it just wasn’t something that was part of my life. So in the early days, the people who did this – were nerds. And there’s still a lot of that.
I think you and I both agree that the position has become more business focused. We would say that when you’re doing it right, you understand the business you’re protecting. You have a sense of risk, you have a sense of balance in terms of what you’re spending, what you’re not spending. These are management issues so you know how to manage people. So that’s the biggest change – it was always this completely nerdy thing to now, it’s more of an executive role.
There’s still a big tech component. It’s still complicated to stop cyber threats but I think that it’s changed. There are a lot of [people] that you and I are friends with – they’re really good. There’s a lot of them that are wonderful balance of business, compliance, technology, and management. I’m so envious of those skills because I never had any of those skills. I just had to kind of figure out how to do it. But that that’s changed for the better.
AY
I think it’s a matter of perspective because we always started with the defender of you. I need to protect the business. I need to build the moats and make sure that my information doesn’t get compromised but cyber security over time has become an enabler. And to your point, what are you enabling? Well, what business am I in and what does the business need? And I need to be able to use my knowledge to enable these capabilities – everybody’s going through digital transformation and more.
So I think you’re right. You started with always the most technical person will get promoted, not necessarily the most business – then perhaps that person didn’t want to be promoted because they didn’t want to deal with all the management issues and all the financial stuff. But the enabling capability, that it has changed the role of the CISO, will continue to be right? I think that’s a very good point.
8:38 The Reality of a CISO
EA
I coach a lot of deputy CISOs and younger folks under CISOs and they always say, “oh, I aspire to the position.” And I usually say, “hey, look, sit down a cup of coffee will sit. We’ll talk for an hour.” I’ll take them through the day in the life and say, “are you sure you want that?”
Some of them do, but others say, “Oh, I didn’t realize there was all that.” It’s not just sitting in, hacking iPhones all day. A lot of other things that are technical, a person might find challenging.
For me, managing people turned out to be a real revelation. You take that for granted in a tech lab, when a bunch of developers are in a lab, it’s a meritocracy – where everyone refers to the smartest people.
But managing human beings in a work environment where you have to take advantage and leverage the unique skills that everyone has and make them all march to a common mission, that is really hard and it has nothing to do with whether you can write code.
In fact, I would almost argue that some of the best people I’ve seen, don’t know the first thing about tech. There’s some wonderful natural managers. You’re an example. You’re a person that all of us, you have this magnetic personality. You could probably talk me into anything Alberto. That’s a skill that some people have and you and I both could list 20 people who don’t have that skill. Put em in a lab, they’re the greatest, but they would not be the greatest people to be managing people. We all know folks like that. So it’s it’s been interesting to see how our profession has morphed into requiring both types.
AY
Appreciate the kind words and I’ll remember that. *laughs*
EA
I never say no to you. *laughs* You’re an easy person to say nice things about.
AY
Following that thread and now that you’re advising so many different CISOs, or aspiring CISOs, and organizations in their security program, what inspired you to do that? This touches on the different facets of Ed Amoroso, the entrepreneur, and says, “Hey, I need to start these.” I remember it was your business and it was your family, your son.
I remember going to the events they used do in New York, it was the family business. So what inspired you to do it? Now maybe tell us a little bit more: Where is it and where’s it going to be? It’s no longer cybersecurity or dealing with climate tech and etc. Tell us more about what you’re trying to accomplish at TAG Cyber – the broader TAG since Cyber’s only one sect.
10:40 Building Security at AT&T
EA
No, absolutely. The idea of being in business, selling, and stuff, despite the fact that I didn’t know what an income statement was in a large business, I’ve been a salesperson my whole life. Like you and I have joked that I may be one of the last living Fuller Brush salespersons. I used to go knock on doors, and then I had a painting business in high school, and my wife and I ran a retail store for many years.
At AT&T, I ran a number of businesses as I was doing the CISO position. What happened was the CISO position was elevated, but the group was still small. You’re gonna laugh, you have a thousand people and you go, “Oh my god, what a giant group.” But in say, Bell Labs or AT&T Labs, my peers had much bigger groups. I’d be sitting next to people of 15,000. I have smaller group. There were businesses that were sometimes orphaned that I’d raised my hand and say I wanted to do it. Like the intellectual property group, Pat and I grabbed that group. I loved it. I ran it, but that was an income statement. You’re selling patents as a business. I found that I had this latent passion for building business, selling, and convincing people to write a check.
You wouldn’t expect that because there’s nothing in my background that would have ever suggested that, considering my mom and dad are both in academics, I’d be the kind of person who tends to business. So I mentioned I went to Columbia Business School, I ate that up. I loved it. When I went there, I said, “Wow, this is great.”
Right around the time I needed to retire from AT&T, here’s what I mean by need to retire. And I think you know what I mean. You know that moment when you’re sitting around the team and you’re doing a staff meeting and you say, “So we need to make sure when they go-” “Oh yeah, we did that.” And you go and say, “and we also need to make sure-” And they go, “No Ed. We did that last week,” and you go, “ohh okay.” And you look and you realize this person’s been with me 17 years, 15 years, 12 years and you realize they’re staring at you thinking, “When are you leaving?” You know? They know that I teach, they knew I wanted to consult and sort of give back.
13:55 Changing Careers, Founding TAG and Redefining
I’d been there 31 years so I said, “All right, time to go.” I sat with my wife and I said, “Now it’s time to have some fun.” I’ve spent a lifetime – now I’m going to say a couple of things that I think everyone knows, but a little tough. Like in telecom, it hasn’t been an easy go the last 20 years.
I don’t care where you are in telecom, that’s a tough industry and you can almost think of it as an industry where you’re being beat up a lot. That’s just the nature of that industry. It’s not that anybody’s doing anything right or wrong. It’s just been a tough industry. I said, “I want to get into a situation where I’m kind of going after somebody instead of them going after me.” Like that’d be fun.
I knew that there were a few businesses that looked like they might be ripe for a little disruption. I’ve told you a couple of times that I have utmost respect for Gartner, but they’ve been around a long time and they make a lot of money, and I thought they would be just the kind of company that would be fun to try to disrupt a little bit.
I doubt that any of them sit up worrying about me very much but that became my passion. For the last few years we’ve grown considerably – double the company just about every year – and we add on customers. We’ve got 20% of the Fortune 500 now as research and advisory customers in cyber. It’s a thin slice but we’ve now expanded.
We have an artificial intelligence research and advisory practice. Where do you think I get the scientists there, Bell Labs. They’re all my friends. We also do work in clean energy and climate. We talk to quite a few startups in that area since it’s so exciting. I just got off the phone with a very interesting company doing solar. We’re expanding out the research, advisory and trying to build something a little different than what the existing analyst groups do.
18:09 The Importance of Purpose, Reason, and a Mission
For me, it’s a rebirth because I’ve been able to focus the company on one thing and that’s to work for purpose. Now, I learned a lot of that from you and Don. I think the only venture capital team I’ve ever met, that I really do think work, not just for the money, but because they have a heart in this whole thing, is you guys.
Again, there’s nothing wrong with a finance team working for money – that’s the point There’s a lot of VCs around, but it’s pretty black and white. We make the investments, we take the money. That’s it. But I’ve always been inspired by you guys because you’re able to combine good business savvy with also working for purpose.
That’s what we try to do because we joke with our whole analyst team, that most of us are retired CISOs. We’ve one time, calculated how much money in salaries we’ve stepped away from to make next to nothing. *laughs*
The government that does that too. If you go to work at DHS or something, you’re making nothing.
AY
*laughs* Yup.
EA
You could go to work at a big bank and make 20 times what you make, but you do it for a reason.
We feel a little bit like we do that and there’s a lot of little startups that we work with where we charge them almost nothing and we give them everything we know and we put our heart into it and we moonlight – try to help, there’s so many of those. Then we make up for it when we sell research to a gigantic bank, we’re happy to charge them a lot of money.
We have a soft spot, as I know you do. Are people on that seed to series? I just have a soft spot there. They’re working so hard and if you can say a couple of things that inspire them, they remember that. I’ve had people come back and say, “You know what? We had a meeting once and I was having a bad week and you told us X, Y, Z, and that got us through a tough period. I appreciate that and I thank you for making my week.”
*laughs* Thats the greatest thing and that’s what you do at this point in your career, you look for – you crave, those times when somebody could use some help. You do it and then it helps them out and you think, that that’s why we do that. That’s the reason. If I wanted to make money, I’d go take another CISO job. This is better.
AY
You’re off to a great start. We’ve been seeing you from the sidelines and you’ve succeeded beyond our expectations in terms of the way you got started. You’re hitting on a couple of core things that also we believe at Forgepoint. It’s all about purpose. It’s all about mission. It’ll take a village to actually get to rally the community to defend against our nation and our businesses and our respected privacy issues.
So we always say the mission continues. Sometimes, that’s only related to military people. You guys are saying the same thing. We’ve been CISO but the mission continues, right? It’s protecting our digital future, which is not technical, but world transforming. Our lives are becoming increasingly digital and therefore, we need to figure out how we can contribute towards those objectives. Right?
EA
I’m going to pay you a compliment here. I would say that from time to time we need companies that maybe you haven’t introduced us to and we’ll have a conversation afterwards. The conversation is often, “I’ll bet you the company’s funded by Don and Alberto,” and that’s a compliment as we usually see something in them, the way they handle themselves, the way they are able to describe the reason they do what they do – it usually links back to the guidance that you guys offer.
A lot of times we see ones where we know it’s not you guys. The ones – you know what a boy band is when something is manufactured and we see those, we see right through it. Where someone decided, “Wow, we can make money at whatever cloud security posture management.” You grab this person from here and these two people from the Israeli military in this market and you do a website, give them money, and boom. Then we say, “why are you in business?” And it’s crickets. They really know what the answer is – it’s to make money and get.
You think that’s not the reason you do this? You’re protecting children’s hospitals, military, and the society. That’s the reason you do that. If you happen to make out, nicely in terms of the economics, then that’s wonderful. That’s why we live in America. Wow man, the reason we do this is to protect things. That’s what the reason needs to be.
We always see that uniformly with the companies that come through your program; they always have their heads on straight. So keep doing what you’re doing. The ones that come through your program are good. They’re good for our industry, and there’s others that I think are very fine VCs, a lot of your friends, that some not so good.
AY
Yeah all of them want to want to meet you that one of the first things they said, “Oh can I be part of Ed?” You can just call him. We don’t need to ask him. We appreciate the guidance and the straightforward nature of your advice.
21:12 SEC Updated Regulations/ Risk Management
Let’s talk a little bit about current issues in our industry. The SEC is about to publish and require new regulations about how the board of directors should behave. Everybody talks about more subject matter, expertise, and more DNA in a place where they’re directing. Their goal is to protect an entity, provide the governance, and protect the shareholders.
In essence, so how do you see the modern enterprise when it comes to a board of directors role or the role of the board in helping drive these transformation that we’re going through, especially as it relates to not only CISOs? To your point, CISOs are salesmen. They need to sell to the board – THE board doesn’t understand.
Elaborate a little bit about how you think that is going to drive some of our industry. Also, what does it mean to the practitioners?
EA
Let me go up for a little bit of a subtlety that I share with the SEC and others. I’ve sat on the board over at M&T Bank. I love that.
AY
I remember that.
EA
[It was] very wonderful and I enjoyed it. I like being in a Fortune 500 bank since I learned a lot. But here’s my observation that makes sense to you. A lot of observers may not know the difference between a formal board of directors and a senior leadership team reporting to a CEO. These are two very different entities and they have different purpose.
A board of directors does governance and is there to evaluate management – to chime in on big decisions and they’re there to provide high level judgment where it’s appropriate, not to do is manage the business. They’re not. That’s enterprise, if you and I were sitting on the board of a little startup, different story.
I’m talking about a corporate – a Fortune 500 board, which is really what the SEC is aiming their guidance at. My opinion is, there’s certainly no harm in asking boards to be more proactive in their learning and understanding. I always have. If they ask for guidance, I’m always happy to help, writing things, that’s fine.
But I think the place where it gets done is the senior leadership team and that’s where the decisions are made or the budgets set. That’s where positions are put in place. Doing the org chart, they’re the ones setting the priorities, making a three year plan, deciding whether I fund this or that, It’s not the audit committee. It’s the CFO and it’s the CTO and CEO. Of course people say a board should be more engaged. You and I would always say, of course, that’s what we did. I’m not going to say no to that.
But I think the real responsibility is with the leadership team, they’re the ones that need the help. That’s where the resources, time, and attention should go. For example, I think CEOs should have a risk executive reporting to them. It may not have to be a CISO, because the risk could be financial, geopolitical, climate, it could be pandemic related risks.
Cyber is a big part of that, obviously you and I would say probably the biggest one of all. You could make the argument that in some industries there could – AI could be a gigantic risk, artificial intelligence. For me, the most urgent thing that could happen would be CEOs need to be getting better advice on risks. And I don’t think that they always do.
In banking, we always had CROs, but the CRO was a finance position. CRO was looking at investment, looking at the balance sheet and that necessary function. But a bank CRO, if you and I were having a cup of coffee with a bank CRO and said, “what do you think about A.I.?” for cyber defense, they wouldn’t know what to say.
I think if our government wants to make some difference, they should be encouraging leadership teams to have better representation than the boards, because again, I was the head turning person. Cyber thing comes up, everybody’s head turns me. “Ed, what do you think?” Alberto, I don’t think that’s the way a board is supposed to work where you just have this one person who says,” Yeah, that’s unreasonable,” that that’s not how every other issues work.
So that would be my thought. If you’re going to make a difference, you make the difference with that senior most management team, they drive a company, you show me that group and I’ll tell you whether the company is going to be successful. You show me the board and I might be able to tell you something about the CEO, but I probably can’t say much about the prospects of the company.
AY
Right. That makes total sense. It also provides a roadmap for CISOs. They really want to get into the business and become more business risk executive and they’re probably the best prepared. Right? The best prepared.
29:00 AI: The Top Priority for Enterprise Defense
EA
When people go, “should CEO report to the CEO?” I always say I like the idea, but I think it’s a broader role than just cyber. I think it should be a chief risk executive and that provides some growth that would demand that someone expand their skillset. To learn a little bit about finance, we mentioned AI. I think that that’s a pretty big topic and some pretty maybe even existential risks for some businesses, right?
I’m not going to name names or anything, but we could probably come up with five or six companies where we’d go, “Oh, I hope they’re looking at AI hope you know, I hope they have a plan.” Having good guidance at that level, a direct report who’s obsessing on that – knows the business, peer to the other executives, working plans, working out the ecosystem, talking to people like you, getting a sense of what’s going on in the innovation community.
To me…I don’t know how you require that. I’m not a big fan of the government. When the the people at SEC say you have to do something, “Yeah, whatever.” Right? But I think businesses should want to do these things because its – try to force a pill down anybody’s throat. This is supposed to be good, right? It’s supposed to help you. Not the reverse.
That senior leadership team is where it happens. That’s where our business, the cockpit, is. You get that right, you’re going to be in good shape. If you get it wrong, then God help you.
AY
I like the analogy of the cockpit. You have a lot of responsibility behind you. *laughs*
EA
There are all of us are all careers hoping the CEO gets it right. It’s not the board, we don’t sit in – the person in the cubicle is not sitting, “Gee, I hope the board makes a good decision.” No, they say, “I hope, the CEO knows what we’re doing, where we’re going and where we’re marching because the CEO is the most important position in any company.”
AY
Yeah. I should talk about AI, instead of asking you the generic questions while you think about it. So where are you focusing on your AI advisory in your launching? I’ll be interested to learn more about it and you’re constantly evolving and adding topics that are of relevance. Tell us a little bit about what you’re trying to accomplish and it’s amazing that you’ve been able to attract top talent from, you know, places.
EA
When they retire, I grab them. *laughs*
AY
*laughs* So I know where to call now.
EA
That’s right. But yes, our joint friends, Stu McClure came to see me in 2012 and he showed me Cylance. We were sitting in New York and he shows me what’s he what he wanted to do, AI for cyber defense. And I thought it was great and I bought it immediately. I became a pilot customer and then one of my partners and guys I work with in our team, Dave Neumann was Rackspace at the time, bought the thing lock, stock and barrel. We all loved it.
I think since then, my observation is because we didn’t have great computing: we didn’t have GPUs and we didn’t have good big data analytics. There was weak algorithms, we’ve seen them better. Now, Geoffrey Hinton and others were just beautiful algorithms driven by the way the human brain works like a neural network fires in much the same way as neurons in the brain, plus the ability to make money.
It’s become so exciting. What I focus my time on now, is on bigger issues because I think cybersecurity plus AI could be really good. It could be the great leveler. I think cyber defenses against AI, like offensive AI, have to be AI defenses like automation [vs] automation. So it’s possible if companies can get this right, if a community you and I are part of, we can create amazing defenses using A.I..
It’ll be sort of like, “Is it analogy?” Let’s say you worked at Goldman Sachs and you have access to Microsoft. 365 Word PowerPoint Excel. You go, “Oh my God, the great tools that I have access to.” Well, you could quit Goldman Sachs, become a two person company. You have access to the same Microsoft tools. There’s no advantage to being in a big company.
“Oh, my gosh. I’ve PowerPoint. Well, you have it yourself, too?” I think cybersecurity can be that. It could be that a big company is using the same, really smart automation to stop attacks and a little less SMB could be using the same thing. I think that’s something you and I have never seen. We’ve never seen the big guys and little guys have access to the same thing.
They don’t have the budget, they don’t have the people. They don’t have the wherewithal. That’s why the SMB market, which I know you serve, is hard to create after market. They say I don’t have the budget and the money, but if they have the equivalent of, say, M365 for cyber security, think about how awesome that is.
That starts to protect children’s hospitals, the same as a big investment bank. And that’s why we do what we do. That’s why I’ve gotten so interested in AI. I think maybe this is the key – excuse the pun, to really go into the next level where we’re not getting hacked every 2 minutes.
It would be good. Good for the startup community because we still have to provide the tech but it would be good for everybody because then all the mid-level and down companies, they’re the ones the most exposed. They would have access. So I spend about a third of my day now on really talking to companies, doing AI try to understand the analytics, trying to apply it to cyber, trying to advise government, particularly DHS, on strategies for building defense.
We’ve been talking a lot about, maybe this is because Oppenheimer’s in the movie theaters these days. I took my wife, I loved it. If you haven’t seen it, it’s great. I think we need like a Manhattan Project to protect our country using artificial intelligence where we need to be training on common data sets, coordinating on how we build protocols for different AIs, or sharing insight, and then protecting critical infrastructure, using the best available, most intelligent infrastructure.
Then you’ll be up against offensive AI. If you don’t do the defense AI, you’re sunk because people can’t – just like you and I – can’t beat a computer at chess. You’re not going to beat a computer, a smart piece of AI at cyber. So this is a time to be not walking, not running, but sprinting toward the most automated, most continuous, most intelligent solutions for cyber.
That is number one issue. If we don’t do that, then we might be seeing some pretty scary offenses we can’t deal with. So I feel like I’m busier now than ever because I’m consumed with that idea that the companies you fund and the companies that we all buy from and coach and so on might be a little bit behind on that.
I think they’re a little behind. You listen to a zillion proposals, the degree to which artificial intelligence is being used properly in cybersecurity is still a three out of ten. I would say.
AY
Yeah. Properly is the right word.
EA
Everybody use it. Really having it to where any human decision making is either complemented by or a gulp, gulp, gulp replaced by a piece of AI. If AI is finding your weaknesses and going after you, then you need to do two things. One is you need to use AI to find them before they do.
And two, you need that artificial intelligence to react quickly with the best possible solution. Where there might be a trillion possibilities. But the AI picks the one that best, you know, when you’re driving to visit your cousin, and then you go, “Hey, Google, what do I do?” I did this with my wife, I’ll follow Google. She go, “This is the dumbest thing.”
I say, “No, Google’s picking the best route. We’re going to get there 3 minutes sooner!” AI has to do the same thing. It’s going to have to pick the best defense and we have to trust it. The industry doesn’t do that at all. I don’t know of anybody sort of working on that, and that should be next few years.
As you guys should think about companies, the ones that sort of get that, I think that’s where your next CrowdStrike is going to come from. It’s not going to come from people doing the same thing better. That’s incremental improvement and that’s always welcome. But where we get stepwise the kind of really big change that you look for all the time that’s going to come, that’s going to be artificial intelligence. It’s going to be in the middle of that.
I’m sure that will be the power, that will be the fuel behind the next big massive growth highrail, accelerated growth companies. That’s my view. And I know that’s not controversial. Most people in our orbit would agree with that.
AY
Yeah, I agree with you. You said we should be sprinting towards those solutions rather than saying, “hey, put all the objections,” because the world has changed and the infrastructure is ready because we’re able to consume massive amounts of data, use predictive analytics. We have GPUs, we can do it now. It’s not like before – we even if you said, “Hey, let’s do that four years ago,” and the bad guys are already using it, they’re already – that’s the other part, right? And we were kind of sitting…
EA
That’s right. I don’t think we’ve seen the full fury of what we could see. I’m just speculating but what the heck? That’s why we get on these calls, we can speculate all we want. I’m speculating that the bad guys aren’t using, but are testing. The verb I would use would be testing it.
If you get that moment where you think, “Wow, my adversaries testing the scary thing,” if that prompts you to action, then you’re thinking about it properly. You’re supposed to prompt action. So entrepreneur is doing cyber – what a great time. Again, you don’t want to be driven by fear, That’s not reasonable. The adrenaline of we to do this to protect, that’s what should be driving an entrepreneur.
The job for you, job for me, is to be funding, advising, supporting, helping them. But it’s the job of the innovator, the developers, the people who are creating these companies to recognize where the problems are and frankly, where the problems aren’t. I think there’s some things that we’ve solved in our industry that probably don’t need another MFA solution. I think we’re good there. You know. *laughs*
38:45 Ed’s Advice for a Satisfying Career
AY
*laughs* Exactly.
We can continue for the rest of the day and called it quits and this has been an amazing ride. I’m sure we can talk about a lot of things but what advice do you have for people early in their careers? I get that question all the time, but I want to get Ed’s perspective.
What should you focus on – and it doesn’t have to be just cyber? What advice would you give, especially to incline to the science? In this whole transformation of business and everything else, and they’re more digital native than we’ve ever been.
EA
When I coach, particularly graduate students, because usually they’re just starting out, I always talk about purpose and I bet you did too. It’s way more important to work for purpose, work for something you believe in than anything else in the world. If you get up every day and you feel like what you’re doing is making the world better, I hope your purpose is making the world worse for all you evil, horrible people listening to us, don’t listen to my advice so you go do whatever. But the nice people, working for purpose is awesome because your career goes by quickly. You and I both know that it goes fast. Before you know it, you look up and your kids are grown and you got grandchildren and you look back on your career. Here’s the thing, a little exercise I would recommend you leave with everybody listening.
Let’s take a moment and think about your best day at work ever. What was it? What was the best day you ever had at work? And usually that causes someone to stop dead in their tracks because it’s amazing how many people can’t think of one. And that’s tragic. You say, What was the best day of work ever? You’ve been working for 30 years.
What was the best day? And they go, “…didn’t have one. I don’t know,” and you think, “Wow, that’s not good.” You know, I could give you a bunch of them for me. And it was always some achievement, something we thought couldn’t get done. We got it done. Then we looked at it and you want to burst into tears that you made it work and you go with a team. You worked really hard and you say, “Oh my God, we got that.” That’s working for a purpose, that’s not working for money. If you go through 30 years and you can’t think of your best day at work then at the beginning of your career, ponder that for a moment and make sure you have all kinds of great days.
It’s better if you’re doing something nice for somebody than for yourself or accomplishing. As engineers, it’s always a good engineer will list five, and it’s always this thing they did, this accomplishment, this hard thing as a group you worked on and you made something useful. Oh my gosh, died, went to heaven – and that’s why we do engineering.
That would be my purpose. Also make sure you don’t go through a career without really having those moments of service where you would achieve something that’s meaningful to you.
41:45 Closing Statements