Leadership & Soft Skills in Cyber Security 

Meet David DellaPelle, the Co-Founder & CEO of Dune Security. David’s an experienced strategist who joined us on The Cyber Security Matters Podcast to talk about his personal approach to leadership. He also has a diverse cybersecurity strategy and management consulting background and now specialises in AI-powered employee risk management. Read on for his insights into leadership, key talent topics and the most important soft skills in the sector. 

As a leader, your leadership style sets the tone for an entire company. How would you describe your approach to leadership, and how has it evolved over time?

The most important thing is to lead by example. Not to be cliché, but I think that if you want to lead a team of people, you have to believe in the company’s vision, especially in the early stages. Maybe you’re not able or allowed to pay a lot of money, or maybe you’re paying mostly in equity. It’s really just you and your vision keeping the team together. You need to firmly believe in the vision and communicate it properly. You have to paint a picture of what the future looks like for people to follow you. 

The other side is that leaders have to do the hard work in the trenches building the company. The most important thing is to lead from the front and be fair. It’s not about being nice, especially if you’re the CEO of your company. Oftentimes, people aren’t going to like you, and that’s just something that happens as you become a successful company and founder; you have to make some people unhappy.

In your view, what are the key talent topics that need addressing in cyber security? 

Location can be incredibly important. We’re a very hot cybersecurity company using AI in the heart of downtown Manhattan, so it’s been easy for us to recruit incredible talent from Columbia University and New York University. It’s quite difficult, though, as a startup, to start to hire your more senior leadership. That’s definitely challenging. Companies like Google, Facebook, Meta, Amazon, etc, can pay individuals a really high amount, so recruiting individuals away from those super high salaries takes a lot of salesmanship. You have to align those people with your vision for them to take a pay cut. Either that or you offer them more of an equity package. But overall, the hardest thing is hiring at the more senior levels.

What do you believe are the most critical soft skills for thriving in a startup business?

The most important thing is getting along with the team. Being someone who is personable, fair, and someone that other people want to be around is important, especially in startups. Candidly, startups will fail if they aren’t in person initially. That can change as the company expands and grows, when remote or even offshore might be a good option, but at least at the initial stages, if you’re trying to build a multi-billion dollar business, being in person is incredibly important. 

What we try to test for and control in our fourth or fifth round interview is a person’s cultural fit. We’ll bring them in in person and do lunch or coffee with their hiring team and with their management team to make sure that that person is a good fit for each group. Are they someone that you really want to spend time with? Being a person ready to roll up your sleeves and work super hard is important, but not as important as being a great part of the team. 

To hear more from David about his experiences as an early-stage entrepreneur, tune into Episode 44 of The Cyber Security Matters Podcast here.

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.

Exploring API Security 

On episode 43 of The Cyber Security Matters Podcast, we were joined by Tristan Kalos, the Co-Founder and CEO of Escape, to talk about all things API security. He shared his perspective on the future of the API security space, as well as the current challenges that Escape solves for its customers. Read on for some fresh insights into the API security sector. 

What’s the main thing customers are looking for, and how do you solve their challenges? 

The general idea is that in the past 10-15 years, the cloud appeared, and suddenly every company started moving to the cloud. Suddenly, the previous security tools that were designed for the on-premise infrastructure were not up to date anymore. There are cloud security companies that appeared to help those companies do their transition in a safe manner, but with the transition to the cloud, the technologies used to build applications and run applications also evolved. Mobile applications suddenly appeared. Then you had single page applications and APIs, which is the technology that allowed any companies in the world to exchange data with each other and their customers. APIs also let developers enhance their capabilities and communicate and exchange data. 

APIs have become central to every data transfer on the Internet and to every business that flows to the Internet. The legacy security tools do not understand APIs or how to secure them or find security issues, so they are very vulnerable. At Escape, our ambition is to create a platform that can properly secure cloud applications, starting with securing the APIs that represent 80% of the global web traffic today. What we do is help security and engineering teams create and provide more secure APIs to empower their business.

What do you think some of the trends will be in API security in the next three to five years?

First of all, I think AI will be a catalyst for exposing APIs. It’s like mobile apps 10-15 years ago when everyone wanted to have a mobile app, so websites were not enough anymore. We have had to expose a private API portal, which was the first API revolution. Soon everyone will have LLM agents working for them. We will use applications in a completely standalone way without humans intervening in the process. What happens if, in five years, we live in a world where everyone has their own LLM assistant that does a lot of things for them? They book plane tickets, Airbnbs, and car rentals. They could do everything for you, but only if they can interact with public APIs.

If, in five years, or even less than that, your business doesn’t have a public API that LLMs or other external agents can connect to, you will let a lot of money slip off the table because half of the internet users will be AI and they can’t connect to your website. It’s like not having a website in 2009 – it’s already too late. My take is that the development of large language models, or large multi-model agents in general, will make having a public API required for every business. I’m pretty excited about what’s coming from the market.

To learn more about the future uses of APIs, as well as the current API market, tune into Episode 43 of The Cyber Security Matters Podcast here.


How to Mitigate Insider Threats & Other Cyber Security Risks 

As we rely more and more on technology, our risk of cyber attacks or information leaks is also increasing. On a joint episode of The Cyber Security Matters Podcast we spoke with Jake Bernardes, the Field CISO at anecdotes, and Ido Shlomo, the Co-founder & CTO of Token Security, about their advice for people and companies who are looking to secure their cyber assets. Read on for their insights on how to reduce your cyber security risks, including insider threats. 

Jake: “Insider threats are divided into two categories: intent and incompetence. But insider threats are real. If I look at most attacks and incidents that I’ve worked on in my time, 90% of the insider threats have been in the incompetence category. People accidentally hard-coded credentials into IDP. That’s like identity providers leaving the credentials for the entire customer database on a public-facing URL. But there are different ways to catch them.

There is also the compliance piece, which is where anecdotes come in. We’re really good at identifying how people will divert from the norms and what control is best to use. We could connect a US to anecdotes and say, ‘This is what a normal VM looks like. This is what it has to look like to comply with PCI, SOC or ISO’. As soon as someone creates one which doesn’t comply with that regulation, our system will flag a noncompliance and therefore show what was wrong. It gives you a chance to both logically correct it and then go and work with the person to educate them or uncover their intent. You have the visibility to fix it before it becomes an issue. That’s the key point of all compliance and regulation-based security: fixing things before you have a breach or before damage occurs.”

Ido: “Incompetence is a hard word, but most of the time, it’s just a lack of education or understanding. For example, one of them is people being off-boarded from a company, and the entire resource they’d created isn’t kept track of. That’s an insider threat, but the insider is still in the company because it’s the people who don’t take care of it that are the problem. You see a lot of those issues in the identity space. People are so passionate about technology that they make every mistake possible. They plug in their CFO’s Excel, and they allow them to query all of the organization’s data with zero limiting on the permissions they have, and nobody’s keeping track of that. In the identity space, that’s crucial. We’ve just seen Ticketmaster, Santander Bank, and TNT suffering from those types of threats. Securing your own people is the hardest thing to do right now for security teams.”
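Jake’s baseline-versus-observed compliance check and Ido’s two identity problems (resources left behind by off-boarded people, and connectors granted far more permission than they need) can be shown in a few lines of Python. The block below is an added illustration, not anecdotes’ or Token Security’s product code: the VM baseline, the inventory, the user list and the control names are all constructed for the example and are not a real PCI DSS, SOC 2 or ISO control mapping.

```python
"""Baseline-compliance and identity-hygiene checks (added example).

Every control name, resource and user below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed baseline describing what a "normal VM" must look like. The
# controls are assumptions chosen for the example, not a vendor's rule set.
VM_BASELINE = {
    "disk_encrypted": True,
    "public_ip": False,
    "audit_logging": True,
    "open_ports": {22, 443},   # any port beyond this set is a deviation
}

# Constructed inventory: two VMs and two non-human identities.
VMS = [
    {"name": "vm-payments-01", "owner": "alice", "disk_encrypted": True,
     "public_ip": False, "audit_logging": True, "open_ports": {22, 443}},
    {"name": "vm-scratch-07", "owner": "bob", "disk_encrypted": False,
     "public_ip": True, "audit_logging": True, "open_ports": {22, 443, 3389}},
]
IDENTITIES = [
    {"name": "svc-reporting", "owner": "carol", "scopes": {"read:reports"}},
    {"name": "cfo-excel-connector", "owner": "carol",
     "scopes": {"read:*", "write:*", "admin:*"}},
]
ACTIVE_USERS = {"alice", "carol"}   # "bob" has been off-boarded


@dataclass
class Finding:
    """One control on which a resource deviates from the baseline."""
    resource: str
    control: str
    expected: object
    observed: object
    owner: str          # kept so the review can go back to the person


def check_vm(vm: dict, baseline: dict = VM_BASELINE) -> list:
    """Return one Finding per baseline control that `vm` does not meet."""
    findings = []
    for control, expected in baseline.items():
        observed = vm.get(control)
        if control == "open_ports":
            # Ports are a set: only the ports outside the allow-list are reported.
            extra = set(observed or ()) - expected
            if extra:
                findings.append(Finding(vm["name"], control,
                                        sorted(expected), sorted(extra), vm["owner"]))
        elif observed != expected:
            findings.append(Finding(vm["name"], control, expected, observed, vm["owner"]))
    return findings


def orphaned_resources(resources: list, active_users: set) -> list:
    """Names of resources whose owner no longer has an active account."""
    return [r["name"] for r in resources if r["owner"] not in active_users]


def overprivileged(identities: list, max_scopes: int = 2) -> list:
    """Identities holding a wildcard scope or more than `max_scopes` scopes."""
    flagged = []
    for ident in identities:
        scopes = ident["scopes"]
        if len(scopes) > max_scopes or any(s.endswith("*") for s in scopes):
            flagged.append(ident["name"])
    return flagged


def review(vms: list, resources: list, active_users: set, identities: list) -> dict:
    """Combine the three checks into one report keyed by finding type."""
    noncompliant = {}
    for vm in vms:
        findings = check_vm(vm)
        if findings:
            noncompliant[vm["name"]] = [f.control for f in findings]
    return {
        "noncompliant": noncompliant,
        "orphaned": orphaned_resources(resources, active_users),
        "overprivileged": overprivileged(identities),
    }


if __name__ == "__main__":
    for vm in VMS:
        for f in check_vm(vm):
            print(f"{f.resource}: {f.control} expected={f.expected} "
                  f"observed={f.observed} (owner {f.owner})")
    print(review(VMS, VMS + IDENTITIES, ACTIVE_USERS, IDENTITIES))
```

Each finding carries the owner, which is the point Jake makes: the system surfaces the deviation, and the follow-up is a conversation with the person to correct the resource and establish whether it was a mistake or intent. The `orphaned_resources` check is deliberately run over VMs and service identities together, because an off-boarded owner is a problem for both.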

Jake: “There are a few ways to handle insider threats, one of which is to slow down. We’re obsessed with being fast to market, so we almost encourage issues and errors. Look at the desire – and desperation – to get AI chatbots to the market last year. That resulted in a flight and a car that were both bought for $1 because these tools had been improperly tested. That will have happened because someone was pressured either internally by themselves or externally by their leadership to deliver and develop quickly, so they either skipped steps or just didn’t do them thoroughly enough.

Another way to mitigate these threats is to understand what you’re doing. A lot of the time, people build stuff without really realising what they’re doing. It’s important to understand that a software development lifecycle goes from A to B, and it shouldn’t be limited. Understanding what the end goal is means you can make sure you have those steps lined up in the process. 

Finally, getting the client there when you talk about compliance and regulations always sounds boring, but when we get a bug, we can see everything happening in security. We can see everything from identity issues or cloud security issues, onboarding issues, lack of training and policies not being signed – all of that stuff. Once you get a holistic view, you can educate the leadership and filter down the necessary information.”

Ido: “It is still very important to keep the pace. You want to understand where you’re taking too big of a risk, and you need to understand how to do things securely. Security should really invest more time into the auto-remediation of problems; not when you have an incident but much before that.”

To hear more about securing your cyber assets, tune into Episode 39 of The Cyber Security Podcast here.


AI Governance, Security and Compliance

On Episode 38 of The Cyber Security Matters Podcast, we discussed changes to AI governance with Patrick Sullivan, the VP of Strategy and Innovation at A-Lign. He shared his insights on changing legislation and what that means for organisations that use AI as part of their workflow, as well as his definition of ‘AI governance’. Here’s what he said:

What does the term ‘AI governance’ actually mean? 

ISACA through COBIT has introduced control objectives for AI and has defined governance as a value-creation process. When we think about governance, we think about value creation. COBIT says that governance is creating desired outcomes at an optimized risk and cost. So for us, we need to ask ‘What do we want to create? What risk are we willing to bear? And what budget do we have to support all these things?’ Our practices are processes that are employed to ensure that we’re creating the outcomes that we want as an organization in both a risk-appropriate and resource-appropriate way. 

What frameworks or guidelines can organizations adopt to ensure AI systems are used responsibly and ethically, and does this vary based on the size of the organisation? 

Generally, we won’t see the applicable frameworks vary based on organizational size. In the market today, there are two frameworks that most organizations are using to build their AI governance systems to adhere to X number of regulations. For neuco as an example, we saw that the EU AI Act was written into the Official Journal last week. These regulations are pressing, which means many organizations that are bound to the AI Act now need to take significant action to prepare themselves. 

How do those frameworks and guidelines actually physically enhance trust within the supply chain?

ISO 42001 is a certifiable standard and management system. Organisations that implement ISO 42001 as their AI management system can have a third-party auditor certification body, of which A-lign is one, independently validate that appropriate processes are in place, that appropriate procedures and commitments have been made, and that the management system is running effectively to meet the intent of the standard. So there’s a certification mechanism that organisations can use to offer assurance to others in their supply chain and their value chain. 

Many in the security space are already very familiar with security questionnaires. We’re currently seeing a lot of pressure on organisations to answer AI questions because the market is really educating itself about what’s important. That is then driving the need to respond to those questions or unknowns to or from suppliers. While regulation will always be a pressing concern, self-policing in the market is where I see us go with responsible AI use.

How do you expect AI governance and compliance to change in the coming years?

Over the next five years, I think we’ll see the skills gap become more pronounced. I don’t know that there’s necessarily the awareness that there needs to be. We’re seeing groups come online like a group called the International Association for Algorithmic Auditors, which helps new algorithmic auditors or AI auditors understand what skills they need to be successful, and I think we’ll see more organisations like that come online as the recognition of the AI governance and AI assessment skills gap becomes more pronounced. As that happens, the market will really largely start self-policing, and we’ll enter the hype cycle. But, once that begins to simmer down, AI governance will become more of an operational process just like any other governance, risk governance, or vulnerability management process. 

To hear more from Patrick, tune into Episode 38 of The Cyber Security Matters Podcast here.


Risk & Compliance in the Cyber Security Industry 

In episode #69 of The Tech That Connects Us, we were excited to be joined by Chris Strand, Chief Risk and Compliance Officer at CyberSixGill.

With 20 years of experience, he’s a subject-matter expert in cyber risk and compliance and a regular conference speaker, most recently holding a Chief Compliance Officer role. 

Earlier in his career, Chris founded and built the global compliance and risk strategy arm of Carbon Black, which became a fast-growing and critically important business unit.

We hope you enjoy this episode as much as we did recording it. 

How has the relationship between risk, compliance and security changed over the past few years?

I’ve experienced the good and the bad with this – a bit of both. I would say, “they’ve” – and it’s not by choice, but they have converged. And this is where I say there’s the good and the bad. There are a lot of folks in the industry that for obvious reasons, see the Risk and Compliance angle as a negative thing.  

And I understand why –  they’ve grown together, out of necessity. You fast-forward to today, and there are a lot of regulations, in fact, there’s too many regulations and frameworks, it’s confusing and mind-boggling. But, it’s still a necessity. 

Look at the state of the security industry right now. I mean, we’re under a barrage of threats; they’ve grown more than I could ever imagine when I started out in my career. So, you know, with that, you can observe almost a 45-degree angle of increase in the number of regulations, frameworks, and mandates; the privacy laws that we see, the national and regional types of mandates around privacy and data that have grown. So, they’re all in one place, because we have a need to try to measure our effectiveness to protect that data.

And again, I don’t view it as a negative, but sometimes it is a negative because we’re under such threat, right? It’s sort of like, why do you have five locks on your door now, whereas, you know, 10 years ago, you only had one – and now we do this because there have been more break-ins, it’s the same thing. We don’t like to see the world becoming a more dangerous place.  

How have you found getting back into things such as conferences?  

So, I found it extremely refreshing. I think most of us are social creatures. And I actually tend to be a very introverted person. I’m uncertain if that would surprise people because I love being in front of people, but on the other hand, I am a bit of an introverted person. So, it’s sort of a weird mix. But, since I’ve been able to get out and back into the public, back face to face and speaking with people, I can never look back.

I mean, it’s the most refreshing thing I’ve ever experienced, and a very surprising feeling as well, it was a euphoric feeling at the time! 

What has the ubiquity of cloud platforms and services for enterprises meant in terms of risk management? 

It’s thrown a wrench into risk management for sure. Because the accessibility of the cloud alone, I mean, there are so many security themes that we can talk about such as the move to the cloud, and what’s happened over the last five, six years or so. It’s definitely created a lot of stress for risk managers that are trying to work with what they used to see as closed systems.  

But one of the main themes that has become a huge thing and has helped evolve and create a lot of data privacy laws is the fact that data now is much more accessible than it has ever been with the cloud.

Now that data is way more accessible, there are so many different threat vectors to that data that we’ve never ever had to deal with before. So, it’s made risk managers’ lives much more difficult, because there are a million more variables that you have to consider when you’re measuring the threat to that data.

What major lessons do you feel that organisations need for this decade to better manage risk and compliance? 

When I think of lessons, it’s hard for me to say what a particular lesson is because I don’t want to sound like I’m preaching to organisations, and to say, you know, you should have learned this, you should have been doing this from day one etc.  

But I do think that there are a few lessons that we can look at. And one of the big things – and this is very hard to talk about with different businesses – is the transparency of their business process.

The more transparent you can be with how secure your data is, the easier it can be to find faults. But, you’re basically asking someone to talk about their weaknesses.  

And businesses think “I don’t want to make it sound too weak”. Because, hey, if I’m an assessor, and I’m in an assessment with a retailer, let’s say, you know, and I’m asking them, where are all your faults and such? They’re thinking, Hmm, I don’t know if I want to tell you this. Because the minute I do, what if this gets out? What if I don’t trust this individual? Right? What if we don’t have a trusting relationship between us, and this gets out, and my brand gets damaged.  

But, the lesson is to be transparent as it’s done good for many organisations. 

To listen to the full episode click here. 

Every Wednesday we sit down with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.