Q&A with Dr. Shane Shook: Cyber Crime and Security Investigations, Advice and Venture Capital
Shane Shook
March 30, 2023
Shane Shook is a Venture Partner at Forgepoint.
Shane, your background is fascinating. You started your career as a Cryptologic Linguist for the United States Air Force - thank you for your service. You have since advised a multitude of clients and organizations in information security, risk management, and cybercrime investigations. Tell us about your journey to where you are today.
Shhh… just kidding. I joined the USAF from high school with my father’s signature (I was 17) and tested well with aptitude for languages, both real and constructed. Having grown up in the rural northwest (a fishing boat in Alaska, farms in Oregon, a mountain top in Idaho, and the almost-backwoods of Montana) I always had friends who spoke other languages, and I was good at math and computers in school.
Over 10 years, my Air Force experience took me around the world and helped me develop those interests while gaining my education along the way. In particular I learned the “red team” side of security, and how to analyze and report complex details with actionable outcomes.
After leaving the Air Force I put those skills to work with different industries facing technical risks and threats. I spent several years working with large financial services firms to revise their systems in preparation (and response) to Y2K. That led to the OCC recommending me to a startup bank (Aerobank NA) in Silicon Valley who they had received a charter request from – the first nationally chartered internet bank. While there I moonlighted as an EIR with an incubator that NASA operated in Mountain View, and I got to collaborate with some emerging tech companies including a small startup with a funny name (Google), as well as other emerging companies including Yahoo, Facebook and PayPal. From there I worked as a consultant for KPMG and PwC with large companies including Microsoft and Oracle who were transitioning from software to services and needed security, privacy and continuity program evolutions. I also worked with an Expert Witness firm called LECG which led me into legal cases as a testifying analyst in criminal, class action, civil, and regulatory cases. I was additionally on the founding team at Cylance, where I served on the Board of Advisors all the way through their acquisition by Blackberry in 2019. I’m currently a visiting fellow at the National Security Institute as well, and authored CIBOK, the first body of knowledge on cybercrime and investigations.
My work with large and small companies and government agencies around the world over the past 25 years has developed my “blue team” experience in technical development, advisory services, investigations, and educational roles. That background, and the network I gained, help me contribute to Forgepoint’s mission and portfolio.
You have extensive experience providing analysis, reporting, and expert witness testimony in cybercrime and other cases, in addition to advising companies around risk and incident management. What does an effective response to a cybercrime look like?
‘Cybercrime’ assumes that a crime has been committed – in my investigations and incident response experiences, that is actually a key question being assessed (what crime?). In any case, an effective response to a cybercrime is similar to any other crime.
First, it is important to ensure public safety; second, to isolate the crime scene; and third, to conduct an investigation with the understanding that you don’t yet know what has happened or who will need evidence later for what purposes. Basically, you assess, isolate, triage, and treat the incident based on its context. The most important thing, though, is to report results with actionable resolutions.
Rarely is the security ‘incident’ (i.e. a phishing email or account takeover) the actual root cause of the problem. In most cases flawed security architecture and organizational posture lead to vulnerabilities which are then exploited by bad actors. Interestingly, more actual cyber “crimes” are committed by employees than hackers, simply because an employee’s actions can be classified as a violation of law, whereas what hackers do often isn’t globally (or even situationally) codified or recognized as a crime.
Having consulted across so many industries globally – including financial services, healthcare, media & entertainment, retail, and the public sector – do you believe there are any universal truths when it comes to strong information security? How much does the specific context matter when a company is developing its security capabilities?
Each organization has its own culture that influences its functional needs. Put simply, security isn’t just tools (NGFW + MFA + EDR): context is key. Security means something different to every organization.
Consider what security means to a Highway Patrol Officer (safety through traffic control), a librarian (availability through access control), and a lab manager (observability and verification through process control). Similarly, security context for a Doctor (privacy) is different than for a power plant operator (continuity) or a warehouse manager (availability).
Tools are helpful when their utility is understood in context of the security feature they are meant to provide. They are not as helpful when applied as a general solution. An organization is a complex society that requires support across the dimensions of time, place, and function rather than just time and utility.
In your role at Forgepoint Capital, you both assist investors with technical due diligence and support growing portfolio companies. What’s the importance of creating shared understanding between investors and companies?
There is nothing more important in a client relationship than empathy. Understanding client needs, considering timing, and being sensitive to the conditions of engagement determine how successful the relationship is. What an organization needs, when, and why they need it is always completely unique.
There are a few universal truths: every organization needs some type of access control, endpoint protection, and information security. Emerging needs from evolving industry capabilities, though, are anything but universal. Ultimately, the opportunity for growth lies in how solutions meet an organization’s needs.
It’s important for clients to have a clear understanding of a solution’s “fit” and not to simply buy (or invest) on impulse or peer pressure. On the other side of the equation, innovators must clearly articulate their value proposition in context to meet client and industry needs. I help our investment team understand that context as we invest and help develop our portfolio companies.
What are some examples of how you collaborate with our investment team and portfolio companies?
I am flattered and fortunate as a Venture Partner to participate in the investment team and all related investment decisions. The collaboration at Forgepoint is unparalleled in my experience.
I first met Don and Alberto at Forgepoint (at the time called Trident Capital) through 4IQ (now known as Constella) where I am on the Board of Advisors and with whom I’d been engaging for advisory and investigation work with clients in the US and UK, and BehavioSec (acquired by LexisNexis Risk Solutions last year), where I was providing due diligence assistance. Don and Alberto asked me to perform technical and market diligence on both companies and later invited me to join Forgepoint’s Advisory Council in 2017. I eventually became a Venture Consultant then a Venture Partner with Forgepoint.
I currently assist Forgepoint with due diligence to inform the investment team’s reference calls and understanding of market context around security problems which investment opportunities address.
I am equally flattered to serve on the boards of directors and boards of advisors for several portfolio companies, in addition to serving as an occasional advisor. For instance, after meeting the Forgepoint team, I went on to serve on BehavioSec’s Board of Directors and helped plan their product vision in addition to doing extensive work to raise market awareness and explain the utility of their behavioral authentication and biometrics capabilities.
Working directly with portfolio companies has expanded my understanding of company performance and growth. I have the opportunity to help companies by organizing connections in my network, contributing to blogs and podcasts, presenting with or for the companies, and positioning their products and services into my own global customer base.
I continue to leverage portfolio companies in the work I do with customers around the world. Constella, who I mentioned earlier, is a great example of this. I’ve used Constella’s brand monitoring and identity intelligence capabilities in numerous client cases. For example, with one of my clients - a law firm in the UK - I used Constella’s tools to quickly show how over 1700 corporate credentials had been stolen from the company. My work consulting with federal law enforcement agencies has benefited greatly from Constella as well - based on social media posts with sensitive content, I’ve used Constella’s Hunter platform to triangulate criminals’ real identities. Constella has been a cornerstone for both corporate audits and law enforcement investigations in my work.
Another recent example involves Cyberhaven (where I serve as a Board Observer on the BOD), a pioneer in data lineage and data detection and response who is particularly well-suited to both meet emerging board governance mandates and detail corporate data stolen in cyber incidents. A client I’ve been working with recently had a concern that one of their founders was recruiting key staff to leave and start a competing company. Additionally, the company had an upcoming RIF (reduction in force) planned – as we know, a large portion of departing employees take data with them when they leave a company. Given these overlapping concerns around data security, they were interested in securing their systems and gathering evidence around data usage. I did a data security posture assessment on access and usage in their cloud data services and recommended Cyberhaven to meet their needs. Cyberhaven’s data lineage and data loss prevention capabilities were a perfect fit.
What areas of anti-fraud innovation are you most excited about right now?
Anti-fraud has been a personal interest of mine since I first joined Forgepoint 5 years ago. Most of my investigations have come down to two types of fraud: account fraud and transaction fraud. While the two are often interrelated, they can also be independent issues in investigations and prosecutions.
For example, I have worked on many credit card, BEC, retail securities trading, and network breach cases where accounts and transactions were correlated in fraud. I have also had many cases where market or institutional fraud was committed (or believed to be) via transactions enabled by technical vulnerabilities – such as market manipulation, trades exceeding capital risk allowances, trades in violations of contractual terms, inappropriate financial clearing and settlement, and illegal wire transfers.
With the evolution of Artificial Intelligence technologies like biometrics and identity validation (such as our investments in BehavioSec and Verituity) and Large Language Models, as well as Machine Learning (particularly, recent developments of Iterative AI embodied in Deep Learning systems such as our investment in DeepSee.AI), Forgepoint can impede fraud and support safer financial services. That is exactly where context meets innovation to solve for an organization’s needs.
What’s the most rewarding aspect of your work?
Access. I get the opportunity to be part of innovation at the investor, startup, customer, and market levels. That means I get to keep learning and meeting more people. The access to new knowledge and to new people gives me the other most rewarding opportunity in my work, which is to mentor. I’ve always believed mentoring is important. Working with eager new talented people who are seeking to learn and grow is the most self-rewarding aspect of what I do.
If you weren’t a Venture Partner and consultant, what would you be doing?
It would be great to say that I’d travel the world with my wife and find the places best suited for a surfer in their 50’s… but I’d probably be heading up another incident response or investigation somewhere, or reviewing someone else’s work. I still find that work stimulating.