Staying Clear and Focused on the Mission with Billy Gouveia

Andrew McClure [AM]

Welcome to the Forgecast. I’m your host Andrew McClure and I’m pleased to have with me today my good friend Billy Gouveia, the CEO and founder of Surefire Cyber. Billy!

Billy Gouveia [BG]

Hi Andrew, thanks so much for having me. Great to be here.

AM

Welcome and thank you for joining us today. Why don’t we start with your background and story? Tell us a little bit about yourself.

BG

After college, I joined the Army. I served as an intelligence officer for a number of years and following that spent about five years in the national security community. I kept running into problems that demanded public-private sector solutions. I realized that after 10 years in the national security space, I didn’t understand the private sector. I moved from the Washington, D.C. area up to the New York City area and began working with large, complex corporate organizations- primarily federal services companies- on their enterprise risks. I noticed that the one dot on the enterprise risk map that kept going up and to the right, getting bigger, was cyber.

About 15 years ago, I declared a major, if you will, on cybersecurity. I invested a portion of my career in learning those concepts and helping to translate the impact of cyber risk to a complex set of executives across a range of organizations. That was a great background for me to develop not only an understanding of some of the baseline fundamentals but also of how different organizations thought about the risks to their data.

AM

Billy, if we start with your time in the Army as an intelligence officer, what inspired you to join the service and how did your experiences there inform your leadership and communication style today?

BG

Thanks for the question. Serving our great country was the great honor of my life. There are several things that I draw from or try to draw from every single day, and I certainly hope to bring them to my leadership here at Surefire. One is just staying very mission focused. The work that we do helping organizations through cyber incidents is very purposeful, very easy to put one’s heart into, and the mission is clear. We show up when oftentimes they’re at their worst. We have the honor of helping them manage through that incident and hopefully emerge stronger as a result. The second dimension is just learning how to lead teams and learning how to take care of people working under exceptionally demanding circumstances. I think about how hard our work is- how hard our team needs to work in order to support our clients, how we need to be there for them when they need us. I want to make sure we stay very centered on that and recognize the very human dimension to what we do. I often think of the way we need to show up as similar to the way an emergency room doctor needs to provide care. It’s not just providing very specialized care with the right patient outcomes, but also creating the right experience so that as they’re going through this they have as little stress as possible, and they have confidence that you’re going to manage through this with them. When they look back on it, they think “Boy, that was a terrible event but I’m glad I had that help.” That’s what we strive to do here. I think a lot of that balance of taking care of the mission and taking care of the people- I had the experience of being formed in that type of thinking when I joined the Army at 17.

AM

No doubt what you’ve learned in the service has translated to the culture at Surefire and no doubt, too, the other experience you’ve had across industry has also lent itself to the progress you’ve seen at Surefire Cyber.

AM

Can you just walk us through the rest of the journey before founding Surefire Cyber and what you learned along the way?

BG

As I mentioned, after about 10 years in the national security space I began doing corporate consulting work, a lot of risk management work and then increasingly cyber-focused work for large organizations. I learned very quickly about the complexity of enterprise management and saw firsthand how important data is to all organizations today. Whether you’re a public school district, a dental clinic, or a large bank, data is what underpins your operations now. Working with large organizations as they sought to protect their data and make difficult tradeoffs around how to do so was an important part of the journey for me.

I also had prior experience in a startup. I was chief operating officer of a small managed services company. I spun out a product-focused cybersecurity company from that. I learned just how difficult entrepreneurship is and how getting the right support is so very difficult. It’s not enough to have a great idea and a great team, you really need the right market vision and the right support to help you put that into place. Over the last 10 years, I’ve been really focused on incident response specifically. Over the course of working with many clients, it’s been underscored to me just how difficult it is to make good decisions in times of stress. I try to make sure I never forget that when we show up to help a client through an event, sometimes they’re going through their worst professional day- sometimes they’re at their worst. It’s our goal to give them the confidence that we’re here for them, that we’re going to carry them through this event, and that we’re going to provide them with our best guidance and our best expertise. I’m proud of the work we’ve done over hundreds of cases to deliver outcomes that get them through those events.

AM

Billy, I want to get into what you’re doing at Surefire but before we do that, I want to reflect a little bit more on what you’ve learned throughout your career leading up to the founding of Surefire. You’ve had an extensive career leading specialized teams to navigate sensitive situations with stakeholders of organizations large and small ranging from highly regulated environments like global financial institutions to those across the national security space. Can you walk us through what you have learned in working with clients across your career?

BG

One thing I’ve learned is how complicated cyber response is. Data is the DNA of our organizations. It doesn’t matter what type of organization you have- data is what underpins everything from corporate America to government organizations. Data is the new oil. When we think about the different threats to that data, the different risks to that data, the complexity in securing it is so multifaceted and multi-dimensional. There’s a set of technology issues, a set of cybersecurity-specific issues, and in the work that we do, there’s a set of insurance issues related to risk transfer. One of the things I’ve developed a deep appreciation of working with executive and technical clients is just how complex the equities they have to weigh in cybersecurity are and also how difficult their decisions can be. That’s again why I think it’s an honor for us to have the opportunity to share our experience and guide them through these business decisions.

AM

Billy, that’s a great segue because in 2021 we had the pleasure of working with you here at Forgepoint as an entrepreneur in residence. At that time, taking those lessons learned, what did you aim to accomplish as an EIR with Forgepoint? What unmet need did you see in cybersecurity and incident response that led you to found Surefire Cyber?

BG

That was a tremendous opportunity and one where I have a lot to be grateful for. I learned a number of things including how you look at the market and how investors evaluate different companies. I also learned how you support the companies in your portfolio. That’s something that I’ve drawn from in our regular interactions, Andrew.

Going a bit deeper into IR specifically, that time allowed me to step out of the day-to-day of market phase-facing roles leading teams and driving client engagements. I really reflected deeply on what those unmet needs were. The reality is incident response is a well-served market. There are a lot of very good firms in our space. I did not found Surefire because the world needed another IR firm. I think there are a number of structural problems with the way organizations suffering through cybercrime get help now, and I’m happy to unpack those, but that time as an EIR allowed me to build out that thesis and really focus on a few of the particular things that would be important in designing Surefire. I think that’s led to some of the humble success we’ve enjoyed so far.

AM

Billy, by taking a step back and reflecting on not only the lessons you’ve learned but also your realization of what the industry could do better, how did you realize that the approach in incident response could be different? More specifically, what problems were you aiming to solve by founding Surefire?

BG

I mentioned structural problems. There’s a lot of high-quality talent in the market. I certainly don’t think that anyone is being inefficient, yet the reality is when you build a business on a time and materials basis and you’re conditioned to make money by the hour with a leverage model that supports that in the services space, you’re disincentivized from taking advantage of efficiencies in technology. In the last five years there have been massive leaps in the sophistication of the tools that we use in incident response and forensics, more specifically. One of the things that we believed we could do was automate a large part of the workflow and also better leverage new technologies to deliver response outcomes and forensic outcomes. So far at Surefire, we’ve automated about 80% of the work process. It has allowed us to reframe the role of our experts. Instead of putting a puzzle together piece by piece, we allow automation to create the puzzle. We use our experience to orient our clients to the picture the puzzle creates, guiding them through a set of difficult business decisions. Automation allows us to deliver more predictable and faster outcomes. It was during my time as an EIR that I was able to architect that and think it through. I had a number of conversations with those across the market and the partners we have today around what they were looking for in a response force and how we could provide a better set of outcomes.

AM

Billy, I recall that several years ago when we had talked about this vision Forgepoint came away thinking that it was exactly the playbook we wanted to support because it’s a playbook we’ve executed across other areas like consulting services for pen testing, identity entitlement, and remediation. This idea of technology enabling what was formerly a professional services business- can you tell us how you implement a broad vision like that with the team you build and the people you choose to hire?

BG

I want to be very clear that we’re not automating the incident response process in full. This is a talent business. Our role is humans helping humans make decisions through a crisis. What we wanted to do was change the framing of that role, as I talked about. By doing that, it allows us to hire very high caliber talent who can focus on showing up in an empathetic way, taking as much stress out of the equation as possible. We empower them with a set of tools that create faster and better outcomes. When I began meeting with our first set of hires and digging into how to build an all-star team, it was tech enablement that drove that vision. It was the ability to do what we were doing in a better way and be part of something that’s different. When I think back to my experiences, I did try to be an entrepreneur before. I tried to bootstrap a few companies and I noticed it was immensely difficult. The reality is, Forgepoint’s support allowed us at Surefire to assemble an A team right away and build the automation before we got started. That’s so important in response because the work we do is such an honor to do and is so important and meaningful for the organizations that we help- I didn’t want to accept any risk on quality. By starting with the support from Forgepoint, it allowed us to build the right team right off the bat and to invest in designing the right tooling which propelled us into the market.

AM

Billy- quality, an A team, and incredible service are all things that you focus on at Surefire. They have been contributors to your success to date. Can you walk us through Surefire Cyber’s growth and success in the market today? Here we are nearly two years later. How would you describe where the company is today?

BG

I’m definitely grateful for a good start. It’s important to stay aware that we’re in the early innings. We might be in the third inning of things in this current approach and while things have gone well, we have a lot of work ahead of us to fully change the game as we’re hoping. To break that down a little bit, we started almost exactly two years ago. It’s been fun in team meetings this week and last week- we had our two-year anniversary, which is cool. Those first number of months in the beginning were about designing our processes, implementing our services, and thinking through what capabilities we would need to assemble to stand shoulder to shoulder with our clients all the way through a response event. We were thinking about our capabilities to negotiate ransoms and were documenting our approaches and field-testing with our partners. Similarly with our restoration services, we were thinking about who was the best at it, how we could learn from what they were doing, how we could design each of the things we do in an integrated way, and how we could document that with rigor to be systematic in our implementation and bring the best of our collective thinking to bear in every single client opportunity.

One of the things- as a brief aside- that I think has been a challenge with firms in our stage is how to maintain even quality. One thing that we’re very wary about is making sure we’re not the kind of company that’s good to certain people and not to others. We want to invest in a very thoughtful way to make sure that we’re bringing the best approach that we can to every single client.

Over those first months, we assembled a team that I have great confidence in and am honored to work with every day. We worked out our tooling and our plays. Then, we began taking this to partners that in some cases we’ve known for years and in other cases were newer relationships. We began laying out our ask: “We’re starting a new firm in this space. We want to get your input on that and really understand your problem.” It’s important to point out that our go-to market motion is not selling direct to CISOs for the most part. It is partnering with cyber insurance carriers to be their approved response vendor on their panel of approved vendors and then working with law firms under legal privilege to support the clients that activate cyber insurance claims. It’s a bit of a different go-to market motion from most companies in your portfolio and most companies in our space, but it’s one that allowed us to think very carefully about what challenges insurance carriers and law firms and how can we be a great partner to them. My EIR time and the first number of months at Surefire before we entered the market were really important in us thinking that through and working out all those details. We launched formally into the market June of 2022 and did a little more than 150 cases that year. Last year, 2023, we did over 450 cases. The team has been pretty busy. It’s been a lot of fun, I’m very grateful for that.

AM
Billy, 600 cases later, looking back is there one incident or achievement that you’re most proud of and or that the team is most proud of that’s validated or reinforced why you set out in founding Surefire Cyber?

BG

I can’t point to one, but there are definitely a few that come to mind that I draw from. The reality is our work is really difficult. It’s something we talk a lot about as a team. We did 18 intakes last week- 11 or 12 of them were on Friday. That means it’s very difficult to manage a weekend schedule. That’s a matter of routine for us. There are definitely some cases that really resonate and validate our mission, but I want to be quite clear that we’re grateful for each of the cases we’ve had the opportunity to work on. We’re really focused on doing the best we possibly can with everyone.

Maybe I can tell a couple of stories about this because it’s really fun for me to do so. One is a cancer clinic that was hit on a Friday and had patient treatment scheduled on Monday. Our team, without being asked or directed in any way, took it upon themselves to work nonstop throughout the weekend. Monday morning, patients walked in and had no understanding that there was a network outage or any impacts. If Surefire does nothing further, I’ll have said it was worth founding the company to create that outcome.

I think of all kinds of situations where cybercrime has really impacted people’s lives. There was a great bit of research by the Royal Uniform Services Institute (RUSI), published a month or two ago called The Scourge of Ransomware. Often times when we discuss cyber incidents, we focus on the financial impact to organizations. That’s important but that’s not what drives us alone. There’s the non-financial impact to organizations- the fact that cyber incidents can lead to lower morale, more turnover, and all kinds of challenges that don’t show up in the balance sheet but lead to lower quality after the event. There’s the impact to the people involved in these organizations. Think about the stress involved in having to work night after night, weekend after weekend on a very difficult, complex restoration for weeks or sometimes months. Think about the guilt or shame that happens if you were the one that clicked on a link that brought your organization down. There are also the health impacts ransomware can have, and not just directly on those dealing with it. It’s a very easy assertion to make that if an organization is providing critical care and there’s a ransomware event that leads to an outage, there are going to be some very serious implications. Then, at a societal level when the scourge of ransomware is normalizing cybercrime, it’s giving an edge to our adversaries. When I talk about mission focused, I come back to some of the things we talked about in our first conversation. There’s a cyber war being fought and most of it is being fought in the private sector. That’s what we talk about at Surefire.

AM

Billy, that’s just incredible. The amount of care and empathy that you approach each of your clients with I’m sure is no different than the amount of care and empathy with which they treat their own patients, in the case of that cancer treatment facility. It’s a testament to the team and ethos that you’ve built at the company. When you think about cases like that and you look forward, what do you see as Surefire Cyber’s top priorities to help reduce overall cyber severity?

BG

Our biggest priority is growing with quality and sustaining our quality as we grow. You know this from our board meetings and from the regular interactions you and I have. We’re trying to be very measured and thoughtful in our approach to growth, making sure that we don’t out scale quality, that we don’t let up the rigor in our hiring process, and that we don’t over-automate or under-automate and dilute our value proposition. We’re making sure we’re staying focused on our mission, taking what we learn and sharing it with our clients to the greatest extent possible.

I talked earlier about trying to make sure that we bring the best Surefire thinking to every single client engagement. We also learn a great deal about attack typologies and response behaviors that we want to share with our clients as well. There are a few things to touch on around this. We have a robust cyber advisory group that advises our enterprise clients and a number of retainer clients on best response practices. The group helps them develop their plans, work through their playbooks, and exercise them in a really focused way. These are not check-the-box exercises- these are very demanding, complex things that mirror the demanding, complex environment that we see in response every day. There are also readiness assessments to see how resilient they are to the types of attacks we’re seeing.

Our goal is not to walk out after an event with the investigation done and the claims settled without sharing our knowledge. We do something we refer to as “they get stronger motion.” It’s a workshop at no cost to the organization that doesn’t look backward at the details of the event. We focus on the insights that we’ve learned and the trust that we’ve built to share some things they should consider along with roadmap to be more secure going forward. It’s been tremendous to talk with our cyber insurance carriers about this and say, “We’re investing in making your insurance a better risk for you and making sure that we don’t have any repeat customers.”

AM

Billy, that’s a great story- rolling up your sleeves and working with your clients through their most vulnerable periods. The amount of trust you accrue and advice you have, given your experience over hundreds of thousands of cases historically, allows you to provide a level of knowledge and experience that I’m sure is well-reputed. How has your understanding of the threat landscape changed or developed since you founded Surefire?

BG

One of the things that makes this such a fascinating discipline to work in is how dynamic it is. You and I talk about this a fair bit, we talk about what we’re seeing and things like that. The reality is our timing was interesting in that we were founded a month before Russia’s invasion of Ukraine. There was an immediate drop off in ransomware activity, thank goodness, and the very predictable dragons that we were used to contending with in the space dissolved, for lack of a better word. It took several months for activity to begin to pick back up. By this past summer, those dragons that dissolved had become a bunch of unpredictable snakes who were exhibiting very difficult to predict behavior and negotiations, along with very poor decryptors. Since then, they recoalesced into a new set of dragons and activity is now back to an all-time high, which is most unfortunate. I was thrilled to see yesterday the take down of LockBit. I encourage and applaud the efforts of our law enforcement partners and our policy partners to do all that they can to deter groups for many of our clients.

In short, we’re looking at cyber intelligence every day. We’re living with our clients through the challenges that continue to emerge. We’re always at the front of our feet trying to anticipate what’s happening, but it is ever-dynamic and ever-challenging.

AM

Billy, that’s an incredible amount of progress that we’ve seen with the ability of the company to support organizations through troubling times. No doubt those in the audience, whether they’re very familiar with this ecosystem or very new to incident response, can certainly appreciate that not a week goes by without major ransomware episodes- they’re seeing it on the news or reading in the newspaper. It’s shutting down pipelines in major regions and shutting down their primary care facilities. Ransomware, in that sense, has become very real and personable to ordinary Americans and folks across the country.

As you talk about the threat environment and how it’s changing, especially with geopolitical factors like the Russian invasion of Ukraine and how that’s modified ransomware activity, there was also the fact that in 2021, within the government there was this recognition that ransomware is no longer just an economic issue but is now a national security issue. That has given policymakers more tools to go after organizations like LockBit, among other successes we’re seeing roll in now years down the road.

Looking forward, threat actors will change and adapt- we’ve always seen that, especially from specific nation-states. Many of these actors are now using generative AI and automation to advance their capabilities. Can you describe what you’re doing or what should be done about this?

BG

As long as these conditions are fundamentally true, cybercrime is going to be with us. It is relatively easy to commit, it can be done with impunity, and it’s immensely lucrative.

Again, I commend our law enforcement partners, policy makers, and those in the intelligence and national security apparatus for the work they’re doing to change that. I commend the work of CISA (Cybersecurity & Infrastructure Security Agency) is doing to make it harder to commit cybercrimes. I also want to highlight the impact that cyber insurance has had over the last couple of years. I say often that tightened underwriting standards over the last three years have led to a stronger implementation of fundamental controls than 20 years of cybersecurity professionals howling in the RSA wilderness has. There are a lot of steps being taken to make this crime harder to commit, to make sure there are consequences (as the LockBit takedown shows), and to make it less lucrative. I certainly commend all that.

Our role is a lot more humble in that we’re focused on helping victims through the aftermath of these events. It’s our hope that we can bring our approach, our tech-enabled tooling, and our very talented and experienced response experts to take stress out of the equation, to reduce business interruptions, to make it less costly, and to give to clients a sense of confidence that we’re going to work with them and get through it. As for the broader landscape and dimensions that come into play, I have a lot of thoughts but few answers I’m afraid. As long as there are organizations getting hit by cybercrime and cyber insurers helping them mitigate that risk, we want to play our part in helping them through that.

AM

Billy, this isn’t your first rodeo. As a serial entrepreneur and second time founder, what is the biggest lesson learned or piece of advice you would give to other entrepreneurs earlier in their journeys?

BG

It comes down to staying humble, staying hungry, and being really focused on what you’ve set out to do.

We’ve talked a number of times in this conversation around our mission focus, the orientation around meaning and purpose. From a business perspective, Surefire is a response firm. That’s what we are. We’re trying to build a great response firm- we’re not trying to do any other things, to be honest. It’s just a matter of staying focused.

This also ties back to some of the lessons that I drew early in my career from my time in the Army. Keep the mission really clear and do everything you can to take care of the people that have invested in working with you. I think all the time about how difficult this work is, how I’m asking the people that joined Surefire to so often work deep into the night or deep into a weekend. That’s what our clients need, that is the fundamental part of the job- to be here for our clients. I have the easiest job at Surefire: my job is to take care of the team. The team will take care of the clients. I just have to make sure I never get that out of order.

AM

Mission-focused, service-oriented leadership. Billy, what’s the best part about what you do?

BG

There are two things. One is that I hope that I provide people on our team with opportunities to grow professionally and personally. One of the fun things about working in a startup is that you’re exposed to a lot. You have a lot of opportunities to grow. There’s no one here who isn’t client facing. There’s no one here who isn’t rolling up their sleeves and working in a hands-on way to help our clients through this stuff. The impact of what every single person on the team does to further our mission to help clients- I want to make sure that always stays visible and palpable. The chance to provide our team with growth opportunities and encourage them to develop is a deeply rewarding part of my role.

The other thing is helping people in organizations through some of the worst moments they will have in their business careers. Showing up immediately, with empathy, with the right capabilities to help, standing shoulder to shoulder with them all the way through- it’s something I can’t imagine ever getting old. It’s really heartening to be able to do this work.

AM

Continual improvement, Billy, is a hallmark of any healthy organization. At this moment in time, what do you think our industry could be doing to improve? Il there one thing that you would like to see? What would that be?

BG

I don’t know if there’s one thing, Andrew. There’s progress being made on so many different fronts. The landscape we’re operating in is evolving so quickly as well. You brought up AI. I was reading about quantum computing last night and when Q-day might be, whether that’s two years or two decades away.

When I step back and think about my several decades involved in this broadly defined space, I notice a few things. Today, there’s a lot more exposure. The importance of data is higher than it’s ever been. I also think it’s cool to think about how much talent is in this industry now, how much support there is, and how much more deeply these issues are understood.

A few years ago, it was hard getting executives in a room for a tabletop. Now it’s hard to do a technical exercise before an executive one because senior leadership and the board want to get involved. There are definitely some fair winds here. As for one single thing, I’m afraid I don’t have that magic bullet worked out. What do you think?

AM

Billy, it’s a great question- it’s part of what we’re trying to figure out as well. We’re happy to do that together and glad to be a part of your journey at Surefire Cyber. We are just incredibly proud of the team you’ve been able to assemble and the culture you’ve been able to build at the company.

Thank you, Billy, for your trust, partnership, and friendship. Here’s to the impact you and the entire team at Surefire Cyber are achieving and all that’s ahead. Thank you for joining us today.

BG

Thank you, Andrew.