Leadership & Soft Skills in Cyber Security 

Meet David DellaPelle, the Co-Founder & CEO of Dune Security. David’s an experienced strategist who joined us on The Cyber Security Matters Podcast to talk about his personal approach to leadership. He also has a diverse cybersecurity strategy and management consulting background and now specialises in AI-powered employee risk management. Read on for his insights into leadership, key talent topics and the most important soft skills in the sector. 

As a leader, your leadership style sets the tone for an entire company. How would you describe your approach to leadership, and how has it evolved over time?

The most important thing is to lead by example. Not to be cliché, but I think that if you want to lead a team of people, you have to believe in the company’s vision, especially in the early stages. Maybe you’re not able or allowed to pay a lot of money, or maybe you’re paying mostly in equity. It’s really just you and your vision keeping the team together. You need to firmly believe in the vision and communicate it properly. You have to paint a picture of what the future looks like for people to follow you. 

The other side is that leaders have to do the hard work in the trenches building the company. The most important thing is to lead from the front and be fair. It’s not about being nice, especially if you’re the CEO of your company. Oftentimes, people aren’t going to like you, and that’s just something that happens as you become a successful company and founder; you have to make some people unhappy.

In your view, what are the key talent topics that need addressing in cyber security? 

Location can be incredibly important. We’re a very hot cybersecurity company using AI in the heart of downtown Manhattan, so it’s been easy for us to recruit incredible talent from Columbia University and New York University. It’s quite difficult, though, as a startup, to start to hire your more senior leadership. That’s definitely challenging. Companies like Google, Facebook, Meta, Amazon, etc, can pay individuals a really high amount, so recruiting individuals away from those super high salaries takes a lot of salesmanship. You have to align those people with your vision for them to take a pay cut. Either that or you offer them more of an equity package. But overall, the hardest thing is hiring at the more senior levels.

What do you believe are the most critical soft skills for thriving in a startup business?

The most important thing is getting along with the team. Being someone who is personable, fair, and someone that other people want to be around is important, especially in startups. Candidly, startups will fail if they aren’t in person initially. That can change as the company expands and grows, when remote or even offshore might be a good option, but at least at the initial stages, if you’re trying to build a multi-billion dollar business, being in person is incredibly important. 

What we try to test for and control in our fourth or fifth round interview is a person’s cultural fit. We’ll bring them in in person and do lunch or coffee with their hiring team and with their management team to make sure that that person is a good fit for each group. Are they someone that you really want to spend time with? Being a person ready to roll up your sleeves and work super hard is important, but not as important as being a great part of the team. 

To hear more from David about his experiences as an early-stage entrepreneur, tune into Episode 44 of The Cyber Security Matters Podcast here

We sit down regularly with some of the biggest names in our industry, we dedicate our podcast to the stories of leaders in the technologies industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.     

Exploring API Security 

On episode 43 of The Cyber Security Matters Podcast, we were joined by Tristan Kalos, the Co-Founder and CEO of Escape, to talk about all things API security. He shared his perspective on the future of the API security space, as well as the current challenges that Escape solves for its customers. Read on for some fresh insights into the API security sector. 

What’s the main thing customers are looking for, and how do you solve their challenges? 

The general idea is that in the past 10-15 years, the cloud appeared, and suddenly every company started moving to the cloud. Suddenly, the previous security tools that were designed for the on-premise infrastructure were not up to date anymore. There are cloud security companies that appeared to help those companies do their transition in a safe manner, but with the transition to the cloud, the technologies used to build applications and run applications also evolved. Mobile applications suddenly appeared. Then you had single page applications and APIs, which is the technology that allowed any companies in the world to exchange data with each other and their customers. APIs also let developers enhance their capabilities and communicate and exchange data. 

APIs have become central to every data transfer on the Internet and to every business that flows to the Internet. The legacy security tools do not understand APIs or how to secure them or find security issues, so they are very vulnerable. At Escape, our ambition is to create a platform that can properly secure cloud applications, starting with securing the APIs that represent 80% of the global web traffic today. What we do is create security and engineering teams create and provide more secure APIs to empower their business.

What do you think some of the trends will be in API security in the next three to five years?

First of all, I think AI will be a catalyst for exposing APIs. It’s like mobile apps 10-15 years ago when everyone wanted to have a mobile app, so websites were not enough anymore. We have had to expose a private API portal, which was the first API revolution. Soon everyone will have LLM agents working for them. We will use applications in a completely standalone way without humans intervening in the process. What happens if, in five years, we live in a world where everyone has their own LLM assistant that does a lot of things for them? They book plane tickets, Airbnbs, and car rentals. They could do everything for you, but only if they can interact with public APIs.

If, in five years, or even less than that, your business doesn’t have a public API that LLM more external agents can connect to, you will let a lot of money slip off the table because half of the internet users will be AI and they can’t connect to your website. It’s like not having a website in 2009 – it’s already too late. My take is that the development of large language models, or large multi-model agents in general, will make having a public API required for every business. I’m pretty excited about what’s coming from the market.

To learn more about the future uses of APIs, as well as the current API market, tune into Episode 43 of The Cyber Security Matters Podcast here


Why Businesses Are Focusing on Their Channel Offerings

With a growing number of companies building Channel offerings to distribute their products, understanding this space and how to navigate it is of increasing importance. In a special roundtable episode of The Cyber Security Matters Podcast, we were joined by four women who work in the channel to explore their experiences of the space. Read on for their insights on why businesses are focusing on their channel offerings more. 

Surja Chatterjea, the Senior Director of Channels and Alliances at Cobalt

“It’s really about the extension of your sales force. It’s about the force multiplier effect because your partners are your trusted advisors. Not only do they expand your sales motions and build out scale and reach in the channel, but your partner advisory board will also be a point of validation for your product and revenue strategies across your entire go to market process.”

Deborah Caldwell, the Global Channel Account Director at Illumio

“Creating a channel is a definite win relationship for everybody involved. That’s because it’s an easier and more efficient way to scale for the organisation, but it also provides better service for customers as well because you can connect with them at multiple points. Those intersection points make the whole relationship stronger.”

Christine Camp, the Fractional Chief Partner Officer at Conatus Advisors

“There’s a lot of consolidation going on in the market. There’s some platformisation too. Both of those things drive the demand and the need for channel go-to-market strategies, because people can’t be as efficient anymore when it comes to scaling and consolidation. I think it’s the era of the channel.”

Sara Verri, the Global Head of Field & Partner Marketing at Nozomi Networks

“Being based in the EMEA region, there is a cultural component as well. Having local partners in every territory brings certain advantages. If you look at somewhere like the Middle East or China, if you’re a smaller company, having someone on the ground that understands the local language, the local culture and how to do business there, that definitely accelerates the power of your organisation. The extension and collaboration you get in the channel are amazing.”

To hear more about working in the channel, tune in to Episode 42 of The Cyber Security Matters Podcast here


The Impact of Combining AI and Cloud Security 

AI has been one of the biggest technological developments of the last decade. Cloud security is another growing concern as so many people and businesses move their assets onto digital storage platforms. Both come with increased security concerns, but what happens when you combine the two? On Episode 41 of The Cyber Security Matters Podcast we spoke with Raf Chiodo and Shai Alon, the Chief Revenue Officer and Director of AI Innovation at Orca Security, about their experience of blending AI and cloud security to create innovative new cyber security solutions. Here are their insights: 

The cloud security space is both innovative and hugely competitive. How does Orca Security distinguish itself from some of the other players in the field?

Raf: “First and foremost, we’ve got to make cloud security easy. We’re coming from the days where every little niche and security had a different tool, and the complexity was really overwhelming. We’re taking a holistic view and helping our customers really focus on what matters most. Secondly, the platform has to help stakeholders communicate across teams and make their security tools generate alerts. It’s got to be a great platform to help teams communicate, whether you’re in security or DevOps and engineering or compliance, it’s got to be something that helps facilitate that communication. Our vision and our approach is to help drive more security earlier into the development lifecycle because that creates such strong results. Finally, we’re building partnerships and integrations that really matter, helping customers take this platform approach, and integrating it with other tools that they’re already using, so that they collectively get a better outcome.”

How do you see AI integrating with cloud security?

Shai: “The capabilities brought about by the modern AI are profound. There’s an endless selection of opportunities to create and unlock new value – and specifically in cybersecurity, we found it very useful for enhancing our product and improving the user experience. One of the standout features we developed allows natural language search across the Orca data model by integrating AI. Orca goes and scans all these cloud environments and finds thousands, sometimes millions, of different things. They are often a bit cumbersome to navigate. So we created an AI that lets our customers search using their own words instead of traditional UI filters, and it’s something they really love. It’s been especially popular with non-native speakers who prefer searching in their native language, which is a testament to the accessibility that AI can provide. We’ve been working on dozens of user experience enhancements for the product. Each one unlocks new personas that can use the product because it’s much easier. 

Another interesting avenue that we took is optimizing the workflow of our security researchers. We have dozens of security researchers at Orca who are the ones behind the scenes, creating all the configurations for how you map out the cloud, how you create alerts, how you prioritize these alerts, how you remediate them, etc. It’s a lot of work. Unlike developers that have coding assistance, like GitHub or CoPilot, our cloud researchers have a dynamic field where they are able to create AI that helps them streamline their processes. It can do the tasks that require expertise, but it mainly helps with mundane tasks. For example, our AI helps with creating metadata, so writing descriptions for cloud entities, or documenting alerts with their remediation steps. This doesn’t replace our researchers, it serves as a force multiplier, boosting their productivity and allowing them to accomplish much more.”

What change have you seen in the appetite for customers using AI or learning how AI can influence and impact their cloud security solutions?

Raf: “AI discovery and natural language applications are very natural extensions for customers to expect in their environment. What they love and are surprised about is our use of AI to create remediation steps. The overhanging issue in our industry is the skills gap, right? There are so many unfilled jobs of increasing complexity, so any tool that can be used as a force multiplier to boost productivity is greatly welcomed. On the other side though, there’s a lot of concern. We’re starting to see customers require not just a standard master services agreement in terms of service documents, but data security agreements that incorporate AI, as well, covering what data is feeding the models, where the data goes, who owns the data, what the risks are, etc. AI is adding a new complexity that customers are clearly concerned about.”

Where would you hope the cloud security space develops over the next 10 years? 

Shai: “It is a long horizon, but I am looking forward to seeing products that can take action on your behalf. Today, as an industry, we started by just being able to map out what exists and where the risks are, and we’ve transitioned to integrating all your tools to helping you solve problems. I would like to see a future where the products solve the easier problems themselves, and don’t even involve human beings, leaving us to solve the most challenging and influential parts of security.”

To find out more about the relationship between AI and cloud security, tune into Episode 41 of The Cyber Security Matters Podcast here


Creating Cyber Security Solutions for SMBs

Small-medium businesses (SMBs) often struggle to create effective cyber security solutions. On Episode 40 of The Cyber Security Matters Podcast, we spoke to Amanda Berlin, the Director of Incident Detection Engineering at Blumira, about her company’s innovative solutions that are specifically tailored to SMBs. Amanda is also the Author of The Defensive Security Handbook, Co-Host of the Breaking Down Security Podcast, and CEO of Mental Health Hackers, giving her a wealth of insights into the space. Read on for her insights on cyber security solutions for SMBs. 

What challenges do SMBs face from a security perspective, and how do their challenges differ from larger enterprises?

Enterprises usually are bigger targets. When they get a breach, they have a budget, people, software and all the implementations necessary to deal with it. SMBs, even if they are breached, don’t necessarily get that afterwards. They have to make do with the software that they have at their disposal, and usually not many people. There are multiple roles that these people play. SMBs don’t have a CISO or anybody in charge of cyber security. Many times, they won’t even have a security team. There are just one or two tech people who are fixing everything from printers to security breaches. 

How have you seen the awareness of SMB business security changing over your time in the space at Blumira? 

When we started Blumira, people said it’s not changing that fast. They thought we were crazy for creating a product for SMBs because it’s a hard market to reach. A lot of them don’t realise that they need the security that they do, or they think they can’t afford it. There are all of these software platforms that are built for enterprises that SMBs are trying to implement themselves, but they can’t maintain it forever. We saw the constant struggle for SMBs to implement anything that was designed for a larger scale, and having worked at SMBs for pretty much my entire life, it’s a problem that I’m really passionate about fixing. I tried to implement a SIEM once too, and it was terrible.

How does Blumira fit into the SIEM and XDR market, and what’s your approach to securing those businesses?

When we started Blumira, our leadership talked about making a SIEM for SMBs that you could implement in under a week. I thought they were insane because our onboarding process was at least six months in the companies I’d worked in before. You had to set up the servers and ingest the logs, which was a two-month-long process. You had to talk to them about all their use cases and work with the customer one-on-one. Coming from that, I was like, ‘There’s absolutely no way we can create a product that you can do in three months.’ But then we did it. And that’s why I’m still here because I never thought it would happen. We’ve had customers roll out their entire infrastructure in less than an hour. Just from the technology perspective, that’s a really difficult thing to accomplish.

When you work in a SOC, there are a lot of level-one analysts who are fresh out of college or really new to the space and are doing a lot of repetitive work and missing things. Because they’re seeing 10,000 alerts a day, they have to make sure they don’t miss escalating something that could be worse. We’re leaving that to the most junior people in the company. Instead, we automated everything that we possibly could in a SOC and the platform. Anytime we have a network scan done, we would get an email from every single UPS device underneath somebody’s desk. That’s how a lot of SIEMs are, but we just automated all of that because you shouldn’t have to deal with 10,000 alerts every time you do a scan.

To hear more from Amanda, tune in to Episode 40 of The Cyber Security Matters Podcast here


How to Mitigate Insider Threats & Other Cyber Security Risks 

As we rely more and more on technology, our risk of cyber attacks or information leaks is also increasing. On a joint episode of The Cyber Security Matters Podcast we spoke with Jake Bernardes, the Field CISO at anecdotes, and Ido Shlomo, the Co-founder & CTO of Token Security, about their advice for people and companies who are looking to secure their cyber assets. Read on for their insights on how to reduce your cyber security risks, including insider threats. 

Jake: “Insider threats are divided into two categories: intent and incompetence. But insider threats are real. If I look at most attacks and incidents that I’ve worked out in my time, 90% of the insider threats have been in the incompetence category. People accidentally hard-coded credentials into IDP. That’s like identity providers leaving the credentials for the entire customer database on a public-facing URL. But there are different ways to catch them.

There is also the compliance piece, which is where anecdotes come in. We’re really good at identifying how people will divert from the norms and what control is best to use. We could connect a US to anecdotes and say, ‘This is what a normal VM looks like. This is what it has to look like to comply with PCI SOC or ISO’. As soon as someone creates one which doesn’t comply with that regulation, our system will flag a noncompliance and therefore show what was wrong. It gives you a chance to both logically correct it and then go and work with the person to educate them or uncover their intent. You have the visibility to fix it before it becomes an issue. That’s the key point of all compliance and regulation-based security; fixing things before you have a breach or before damage occurs.”

Ido: “Incompetence is a hard word, but most of the time, it’s just a lack of education or understanding. For example, one of them is people being off-boarded from a company, and the entire resource they’d created isn’t kept track of. That’s an insider threat, but the insider is still in the company because it’s people don’t take care of it that are the problem. You see a lot of those issues in identity space. People are so passionate about technology that they make every mistake possible. They plug in their CFO’s Excel, and they allow them to query all of the organization’s data with zero limiting on the permissions they have, and nobody’s keeping track of that. In the identity space, that’s crucial. We’ve just seen Ticketmaster, Santander Bank, and TNT suffering from those types of threats. Securing your own people is the hardest thing to do right now for security teams.”

Jake: “There are a few ways to handle insider threats, one of which is slow down. We’re obsessed with being fast to market, so we almost encourage issues and errors. Look at the desire – and desperation – to get AI chatbots to the market last year. That resulted in a flight and a car that were both bought for $1 because these tools had been improperly tested. That will have happened because someone was pressured either internally by themselves or externally by their leadership to deliver and develop quickly, so they either skipped steps or just didn’t do them thoroughly enough.

Another way to mitigate these threats is to understand what you’re doing. A lot of the time, people build stuff without really realising what they’re doing. It’s important to understand that a software development lifecycle goes from A to B, and it shouldn’t be limited. Understanding what the end goal is means you can make sure you have those steps lined up in the process. 

Finally, getting the client there when you talk about compliance and regulations always sounds boring, but when we get a bug, we can see everything happening in security. We can see everything from identity issues or cloud security issues, onboarding issues, lack of training and policies not being signed – all of that stuff. Once you get a holistic view, you can educate the leadership and filter down the necessary information.”

Ido: “It is still very important to keep the pace. You want to understand where you’re taking too big of a risk, and you need to understand how to do things securely. Security should really invest more time into the auto-remediation of problems; not when you have an incident but much before that.”

To hear more about securing your cyber assets, tune into Episode 39 of The Cyber Security Matters Podcast here


AI Governance, Security and Compliance

On Episode 38 of The Cyber Security Matters Podcast, we discussed changes to AI governance with Patrick Sullivan, the VP of Strategy and Innovation at A-Lign. He shared his insights on changing legislation and what that means for organisations that use AI as part of their workflow, as well as his definition of ‘AI governance’. Here’s what he said:

What does the term ‘AI governance’ actually mean? 

ISACA through COBIT has introduced control objectives for AI and has defined governance as a value-creation process. When we think about governance, we think about value creation. COBIT says that governance is creating desired outcomes at an optimized risk and cost. So for us, we need to ask ‘What do we want to create? What risk are we willing to bear? And what budget do we have to support all these things?’ Our practices are processes that are employed to ensure that we’re creating the outcomes that we want as an organization in both a risk-appropriate and resource-appropriate way. 

What frameworks or guidelines can organizations adopt to ensure AI systems are used responsibly and ethically, and does this vary based on the size of the organisation? 

Generally, we won’t see the applicable frameworks vary based on organizational size. In the market today, there are two frameworks that most organizations are using to build their AI governance systems to adhere to X number of regulations. For neuco as an example, we saw that the EU AI Act was written into the Official Journal last week. These regulations are pressing, which means many organizations that are bound to the AI Act now need to take significant action to prepare themselves. 

How do those frameworks and guidelines actually physically enhance trust within the supply chain?

ISO 42001 is a certifiable standard and management system. Organisations that implement ISO 42001 as their AI management system can have a third-party auditor certification body, of which A-Lign is one, independently validate that appropriate processes are in place, that appropriate procedures and commitments have been made, and that the management system is running effectively to meet the intent of the standard. So there’s a certification mechanism that organisations can use to offer assurance to others in their supply chain and their value chain.

Many in the security space are already very familiar with security questionnaires. We’re currently seeing a lot of pressure on organisations to answer AI questions because the market is really educating itself about what’s important. That is then driving the need to respond to those questions or unknowns to or from suppliers. While regulation will always be a pressing concern, self-policing in the market is where I see us go with responsible AI use.

How do you expect AI governance and compliance to change in the coming years?

Over the next five years, I think we’ll see the skills gap become more pronounced. I don’t know that there’s necessarily the awareness that there needs to be. We’re seeing groups come online like a group called the International Association for Algorithmic Auditors, which helps new algorithmic auditors or AI auditors understand what skills they need to be successful, and I think we’ll see more organisations like that come online as the recognition of the AI governance and AI assessment skills gap becomes more pronounced. As that happens, the market will really largely start self-policing, and we’ll enter the hype cycle. But, once that begins to simmer down, AI governance will become more of an operational process just like any other governance, risk governance, or vulnerability management process. 

To hear more from Patrick, tune into Episode 38 of The Cyber Security Matters Podcast here


Cerby’s Best Practices for Securing Cloud Native Applications

Matthew Chiodi, the Chief Trust Officer at Cerby, joined us on Episode 37 of The Cyber Security Matters Podcast to share his insights into the industry. One of the topics that stood out to us was the best practices that he shared from Cerby’s work on securing cloud-native applications. Here are the highlights of his answers: 

“When people say cloud-native application, that refers to applications that are built cloud-first. If you have a VM that’s running on-prem and you move it to run in the cloud, that’s not cloud-native – that’s just cloud transferring. Quite frankly, it’s a waste of time and money to do that. Cloud-native means that your infrastructure was not built manually, but it was built using infrastructure as code templates, defining what your infrastructure would look like in code first. Then you’re using code to bring up things like lambda functions that only work during a certain period of execution. That doesn’t use a typical VM, it’s usually a microservices-based architecture. 

When it comes to cyber security, the basics still apply. Organisations have a massive data sprawl issue in the cloud because it’s so easy to upload to. If you go back 5+ years ago, if you needed a new data store, you had to open a ticket with your IT department and wait 2-3 weeks or even months, depending on the size of the organisation, before you got access to it. Data also tended to be much more centralised, and there were checks and balances. For a lot of cloud environments, that’s not a problem anymore. Developers generally have a fairly high level of access to create new services and they can create new data stores on demand by calling APIs, so you tend to get data in all different places. 

You have to know where your data is and what it is because if you don’t, sensitive data, like personally identifiable information, can easily end up in the wrong place. Health information that was intended to only be in a production environment can very easily be moved to lower environments that don’t have the same level of governance. I’d advise having a good tool that can tell you what you have and who has access to it. 

Knowing your code – specifically your application security code – is still highly important because you might know where your data is, and who has access to it, but if you’re writing crappy code, you’re introducing a vulnerability to your digital environment. So, you have to know who has access to your data and your code. If I get access to your data, I can do what I want with it. Or, if I get access to your code, I can inject things into your code that will then give me access to your data. 

In terms of what Cerby does; I usually say that in all organisations, you have two different types of applications. A lot of times we think of cloud apps versus on-prem apps, and that’s true, but really it comes down to identity and access management. You have standard apps that you can very easily integrate with your identity provider, and your IT team can manage them centrally in terms of who should have access through that type of identity provider. The other category is what we call non-standard applications or disconnected applications. This is a massive problem space because the apps that fall into the nonstandard category can’t be managed with your central identity systems. Cerby is focused on that non-standard space. 

We connect those non-standard applications back into identity platforms on trial ID. We did a little bit of research last year, and what we really wanted to understand was the scope and scale of the problem, and we found that organisations have a median of about 175 of these non-standard apps. We’ve spoken to some large healthcare companies who have 1000s of these, and we know there are hard costs associated with these applications because if you as an IT admin in one of these organisations have an employee who needs access to one of these non-standard apps, they can’t go through any kind of automated process – they can’t go into your access request system, they’re going to put a ticket in. Once you get to it, you have to manually log into this app, figure out what access they need, etc. and it’s all a lot of hassle. We make it so that you can centrally manage these non-standard disconnected apps, using your existing native tools.

To find out more about securing cloud-based applications, tune into Episode 37 of The Cyber Security Matters Podcast here.

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.

Addressing Common Hiring Challenges in Cyber Security

As the Cyber Security industry expands, growing your team has become more difficult than ever. On Episode 36 of The Cyber Security Matters Podcast we spoke with Julia Doronina, the Co-founder and CMO at G-71 Security, about the challenges she’s faced when it comes to scaling her team. Julia is also a passionate advocate and mentor for women in tech, giving her some valuable insights into diversifying the sector’s talent pool and making it more accessible. 

What are the key talent topics that need addressing the most?

I believe that it’s important to focus on employee development and to provide opportunities for career growth. With the rise of artificial intelligence, there are many new solutions and projects on the market, so companies and executive teams need to encourage their employees to learn new things and understand these new approaches because they can help optimise processes. The main thing is to support your employees and help them to grow themselves.

Do you struggle to hire based on talent shortages?

We’re a startup and we don’t have a big team right now. We were dealing with different outsourced people who can help us with different activities, like design, copywriting, analysis, and so on. I think that it’s very important when you’re talking with people who you want to attract to your company, to talk to them about the use cases for their skills, not just their CV, to understand how they think and how they can implement their skills into your business. Figure out how they can expand your current situation or activities. 

Early in my career, my skill set was straightforward. I knew the general and traditional channels, and I implemented them. Now I’m trying to use AI. I use ChatGPT about 20, 30 or even 40 times per day for different tasks because it can help me optimise my processes. My worldview and approach to problem-solving are changing as the world evolves, and I think that we need to encourage people to develop themselves in the same way.

There’s a lack of diversity at a grassroots level, so what can we do to address this?

We need to create an inclusive culture in companies, even in startups. We need to include different inclusivity training and actively attract candidates from diverse demographic groups because they have a lot of insights and skills. It can be great to create programmes to support the development of underrepresented people. It’s important for companies to actively support these initiatives, mostly from the executive point of view, because they are the drivers of the company, so they need to support it.

To hear more from Julia, tune into Episode 36 of The Cyber Security Matters Podcast here.


Inside Cyber Security Startups

Cyber Security is a growing sector, with plenty of startups evolving in the space to meet the need for unique solutions. On Episode 35 of The Cyber Security Matters Podcast we were joined by Alexandre Sieira, the Co-Founder and CTO of Tenchi Security, to talk about his experiences of startups and entrepreneurship within the sector. Alexandre is an executive with over two decades of experience in cyber security who is currently focused on helping companies leverage the benefits of cloud computing with security compliance through his startup, giving him some great insights into the topic. Here are the highlights of our conversation. 

What’s it like running a security startup?

It seems so glamorous – like it’s all staying in swanky hotels and talking to high-flying financiers in the VC world. Actually, it’s a lot of hard work. It’s long hours. There’s no limit to the work you have to do – you can’t just say, ‘This is not my job description’ because, as an entrepreneur, your job description is infinite. When you’re an early-stage employee or a founder, you have to do everything from carrying boxes to making customers their coffee. You’re writing proposals, paying the accountant, double-checking the tax calculations, interviewing, hiring and leading people. It’s super hard to find people that are decent at all of those things or that enjoy doing all of those things, so at least 40-50% of the time, you’re doing stuff you’re not very good at or that you don’t enjoy until the company becomes big enough to hire people who are specialised in that task. You have to have a lot of energy to keep working, and you need a high tolerance for doing things you don’t enjoy. But the upside is getting to build something from scratch, and that’s super amazing.

You’ve been involved in several startups. Can you pinpoint any key themes that have made them successful?

It seems obvious when you say it, but you need to be doing something that people need. In technical startup terms, that’s called product market fit. You need to be building a product or service that people actually need and are willing to pay good money for. Then you need to execute it well because even if you are building something that people are willing to pay for, if you don’t make them aware that you exist, or you’re spending more than you’re earning on marketing, you’ll go broke. It all comes down to ideas and execution.

What do you think are the key ingredients you need to get investment?

I’ve been involved with three companies, one of which we started bootstrapped, then raised private equity for very late in the game. That was CIPHER. With a services company, it’s super easy for you to finance yourself, and you typically don’t need a lot of investment at the beginning like you do when you’re building a product. It’s very easy to get started and generate cash flow if you’re in the services business and you know what you’re doing. We wanted to do international expansion, so that’s when we raised private equity, which is a whole different ballgame from venture capital. 

Then with Niddel, we were a product company, but we weren’t bootstrapped. We could afford it because we had sold CIPHER, so we were using our own money to work for a year without getting paid because we had our savings. With Tenchi, this is our first VC-backed company, which is a completely different experience. It’s a different kind of sale. But, if you know how to run a company and you know how to sell, you just need to figure out what the buyer wants. You need to find the right buyers for what you’re selling and figure out the best way to communicate what you’re offering to them. Fundraising is no different. You need to be able to describe what you’re doing and why it’s interesting, and you need to find the right VCs who are active in your industry or sector but don’t have a conflict. 

The biggest difference is that when you’re talking to a customer, you’re saying, ‘Hey, this is the product, these are the technical features, these are the benefits of using the product’. Whereas with VCs, they’re looking for different things. They’re trying to assess the team background, dynamics, founders etc, especially if you’re an early-stage startup. The thing you always need to think about when you’re talking to VCs is that, much like security people, they’re trying to mitigate their risks. They’re so interested in founders because a lot of companies and founders fight amongst themselves and split up. Venture capital is a high-risk investment strategy, so you need to try to mitigate your risk for them as much as possible.

What makes a good entrepreneur?

You need to have a high tolerance for pressure, handling setbacks and adjusting to doing everything yourself. There are a lot of people who flourish in the large enterprise environment where your job is narrow, and they get super specialised in what they do. They get to know everyone, work the political channels inside the company to get things done and they get joy out of it. One of my startups was acquired by a large company, and we were able to deliver amazing results there, but I did not enjoy the process of working there as much as doing entrepreneurship. 

If you get the right person in the wrong environment, they’re not going to succeed. There are people that would be amazing at an enterprise that would suck at being entrepreneurs. I’m the reverse; I think I’m good at entrepreneurship, but if you put me in a large political enterprise with lots of well-established processes and bureaucracy, I’ll slowly wither and die. It’s just I’m not going to enjoy myself and I’m not going to flourish. It’s all about matching the person with the environment. 

To hear more from Alexandre, tune into Episode 35 of The Cyber Security Matters Podcast here.
