February 27, 2019 • Christopher Ahlberg
In February 2019, Niloofar Razi Howe joined the Recorded Future board of directors as an independent director. Niloofar spent her career as a cybersecurity entrepreneur, investor, and operator — most recently, she was chief strategy officer and senior vice president of strategy and operations at RSA, and prior to that, she was managing director at Paladin Capital Group, where she led the investment teams. Niloofar brings a wealth of experience to Recorded Future and we are excited to have her join the board.
I sat down with Niloofar and Teresa Shea, who is also on the Recorded Future board as an independent director, to discuss the diversity of challenges the world continues to face in cybersecurity and their ideas to move the needle in this daunting environment. Teresa is the executive vice president of technology at In-Q-Tel and was previously the director of SIGINT at the National Security Agency (NSA).
Niloo, welcome to the board of Recorded Future! You bring such a great wealth and diversity of experiences to Recorded Future — I think people would love to hear why you’re excited to join.
Niloofar Razi Howe:
I have been tracking the threat intelligence market and of course, Recorded Future, for some time because of how essential the capabilities you bring are to the industry. The concept of perimeter defense died close to a decade ago as innovation and competition drove businesses to embrace new waves of technology such as mobile applications, IoT, cloud computing, and a remote workforce, all of which blew up any concept of a defensible network perimeter.
As the perimeter evaporated, understanding the threat landscape by incorporating external threat intelligence became a critical security requirement, and the only way to truly understand and manage organizational risk. The challenge security teams faced, of course, was how to manage and operationalize all of this threat information. This is where Recorded Future has done something unique — not only automating the collection of threat data from an immense range of technical, dark web, and open web sources in any language, but also using machine learning to enrich that data, and most importantly, integrating insights and indicators gleaned from that data into existing cybersecurity solutions.
Essentially, Recorded Future’s threat intelligence software not only operationalizes what is a critical requirement, but has done it in a way that lets organizations get more value out of their existing security investments. That is the holy grail of security. With this capability, security teams have the ability to be proactive in addressing the threats their organizations face for the first time. Having tracked your incredible success over the years — and I don’t just mean business success — but your technical vision, organizational execution, and the incredible culture you have built at Recorded Future, I am incredibly excited to join your board and help you and your team in any way I can as you execute your vision for the company and for the industry.
Niloo, given your background, what do you think about serving on the board of a technology company? What’s the role of board members in start-ups in this day and age?
Niloofar Razi Howe:
When I think about serving on a board, the two questions I ask are, “Do I believe in the team and the mission?” and, “Do I believe I can contribute positively to the outcome?” To answer those questions, I have to believe that the company is operating in a market I am passionate about and that I understand, that I have a trusted relationship with the CEO or believe I can build one quickly, that I have the skills, experience, and network to uniquely contribute to creating shareholder value, and that the existing board dynamic is constructive.
Some people overlook the importance of board dynamics, which admittedly, is not always easy to get at. But it’s critical because when you’re building your board, you’re building a team, and to be a well-functioning team, there has to be trust, transparency, and accountability among team members. I’ve served on some great boards where everyone was focused on the same outcome, contributed evenly to creating value, checked their self-interest and ego at the door, and most importantly, disagreed openly and in real time. When the chemistry is right, when the conversations are open and respectful, when people disagree openly and constructively, you get better outcomes and the decisions are more likely to be durable.
Serving on those boards has always been an incredible experience. All of this is true whether you’re on the board of a start-up or a later-stage company. I find the engagement model and how often you interact with the CEO and the team is not so much determined by the stage of the company, but rather, the CEO’s desire to leverage board members.
Teresa Shea:
I did not have the board experience that Niloo benefits from when I joined the Recorded Future board back in 2015. I was drawn to Recorded Future because I believed in and was impressed with both you, Christopher, and the actionable threat intelligence Recorded Future produced.
One thing we always drove home at NSA was that intelligence must be timely and actionable to be of value, and I found Recorded Future to deliver both. The contextual and relevant intelligence produced by Recorded Future tailored to customers was empowering security teams to prioritize and often defeat security threats in real time — very impressive!
Although, I will admit that I somehow thought — given that I had just spent 33 years at NSA — that serving on a technology company board, especially one focused on delivering actionable intelligence to customers, was right up my alley. But in reality, the experience has been a bit like being a fish out of water. I find myself thinking very differently than the other board members, and the dynamic is working well.
To echo Niloo’s point, when the chemistry is right, when the conversations are open and respectful, when people disagree openly and constructively, you get better outcomes and the decisions are more likely to be durable. I think we are achieving this on the Recorded Future board, and having Niloo join only enriches this outcome. It is yet another example of the value of diversity in talent and experiences — and yes, gender as well — contributing to the best possible outcome. I am grateful for my Recorded Future experience as I learn from every engagement and I honestly did not anticipate that value proposition.
Let’s discuss the role of intelligence in cybersecurity. Obviously, the U.S. government has been a big consumer and proponent of classified intelligence as a component of cybersecurity programs. But it’s not until very recently that enterprises outside the Fortune 100 have really started adopting threat intelligence in a significant way. Why do you think this is?
Teresa Shea:
Because they are swamped! They are fighting the tactical fight every day, and it is very hard for the cyber team to get their head above water to experience the plethora of products and stuff that is being thrown at them from so many vendors. They rarely have the time to spend differentiating and validating marketing pitches.
An increasing awareness of the consequences of breaches and attacks has demanded attention from the C-Suite, and they are more supportive of resource commitments to their cyber teams. CISOs realize the merit from solutions like Recorded Future that are improving both their team’s efficiency and effectiveness by enabling them to respond up to 10 times faster, for example. These bad actors spend a lot of time researching their victims and understanding where they are most vulnerable for a successful attack, and they like to brag about it — usually in the dark or deep web sources.
Recorded Future is able to detect and analyze these threats and serve them up to customers for immediate action and prevention, and sometimes that awareness alone is enough to guard against certain attacks. Today, as we see companies deploying Recorded Future, bad guys will have to focus their attacks on those without solid threat intelligence, as they are typically more vulnerable.
Niloofar Razi Howe:
Teresa is exactly right. It has been an overwhelming journey for security teams. It is hard enough for them to have visibility into all of their digital assets, let alone protect them from all manner of malfeasance. Even operationalizing and getting value from existing security investments takes time and commitment, so adding new capabilities is often not the burning issue of the day.
Having said that, given the way the threat landscape has evolved over the past decade, security teams know that the only way to manage risk and get maybe a half step ahead of the adversary is to understand what those adversaries are up to outside of their networks, enrich and correlate that intelligence with internal controls, and have a more proactive response to organizational threats. Also, given how many large breaches originate outside our organizations, it has become clear that understanding third-party risk is a critical requirement of any sophisticated security program.
So, we are now seeing the meaningful adoption of threat intelligence products in the market, and we expect the growth rate to increase as security teams operationalize these capabilities and experience firsthand how Recorded Future’s product can help them identify, prioritize, and quickly respond to threats targeting their organization in a way not possible before. We are at an inflection point in this market because companies like Recorded Future are delivering real value to organizations.
Teresa, you joined the Recorded Future board right after leaving the National Security Agency. What are the biggest similarities and differences between government agencies and a start-up like Recorded Future? Why do you think the IC has been so reluctant to consume external data?
Teresa Shea:
The good news is, the government is increasingly seeking out innovation to stay ahead of the bad guys, and the start-up community innovates by design. However, a big difference is simply scale. The government is comprised of large organizations with long-established cultures that are governed by laws, policies, and rules. This is unlike the start-up environment, where development very well may begin in someone’s garage, and the new beginning can be shaped and molded.
Change is hard for the government, and they must maintain their output while trying to evolve. For example, many of the laws and policies strictly regulate data access to ensure that our privacy and civil liberties are well protected. Consequently, venturing into the world of open source threat intelligence requires time and effort. It is worth noting that for several years in a row now, the Office of the Director of National Intelligence (ODNI) has started the worldwide threat assessment with the cyber threat. The 2019 report begins with:
“Our adversaries and strategic competitors will increasingly use cyber capabilities — including cyberespionage, attack, and influence — to seek political, economic, and military advantage over the United States and its allies and partners. China, Russia, Iran, and North Korea increasingly use cyber operations to threaten both minds and machines in an expanding number of ways — to steal information, to influence our citizens, or to disrupt critical infrastructure.”
And cyber threat intelligence — I believe for the first time — is called out in the ODNI 2019 National Intelligence Strategy as a strategic objective of the intelligence community, specifically referring to “all sources.” So both the threat and the need for cyber threat intelligence have been acknowledged by the intelligence community.
Niloo, why do you think it took a long time for companies to really become the proficient intelligence consumers that we are observing every day now?
Niloofar Razi Howe:
It took time for organizations to realize that the only way to develop a proactive security posture is to understand what is happening outside of their network, and it took an equally long time for product solutions that delivered actionable insights to emerge from threat intelligence vendors.
As Teresa said, the government always understood the value of actionable threat intelligence — it had no choice but to try to map adversary activity and techniques for national security. It took a while for private sector organizations to realize that they face the same threats today as governments always have, especially with national strategies that countries like China have articulated, which involve going after the intellectual property of our companies.
But we have arrived. Actionable intelligence is a critical requirement, and Recorded Future’s capabilities are impressively broad and deep, and importantly, delivered in a manner that is easily consumable by organizations. We are at a moment in time where out of necessity, and because we are enabled by companies like Recorded Future, we’re going to see more and more companies becoming proficient intelligence consumers.
Niloo, you’ve worked at big companies and early-stage companies. What are some similarities and differences?
Niloofar Razi Howe:
Wow … We can devote an entire book to this one. Let’s start with similarities.
There are some things that all organizations have in common regardless of their size. First, there’s culture. No matter how big or small you are, the culture of the company starts and kind of ends with the CEO. We see that at start-ups and we see that at “unicorns.” And it’s not just about what the CEO says, it’s about how the CEO lives the culture and breathes the culture. Of course, a company’s culture is bigger than the CEO, but it starts and ends with her.
Second, there’s the team. Whether you have a big company or a small company, investing in the right people, with the right skills, who can be cultural standard-bearers is just as critical as getting rid of anyone who is poisoning the well and making it difficult for teams to succeed. In big and small companies, talent decisions are often the hardest. We often wait too long to acknowledge that we need new skill sets or that we need to transition people out. Change is hard, no matter how big or small the company is.
Finally, there is strategic focus. Amazon is focused on delivering the best customer experience in everything it does. Recorded Future is focused on delivering the most comprehensive threat intelligence software. Focusing on what you are best at in the world drives all the best companies, regardless of size.
What’s different? Start-ups succeed by taking risks, large companies succeed by managing risk. At an early-stage company, every day can feel existential, and there is an energy, a speed of decision-making, accountability, and agility that comes with that. Start-ups are about embracing risk, innovation, and disruption. They’re about seeing the impossible as a challenge and not an obstacle. Decisions are made fast because there is no other choice if you want to live to fight another day.
This is why start-ups are our innovation engine. They have no debt — no technical debt, no operational debt, no organizational debt, and that lets them be nimble, agile, and modern. Large companies have to continue delivering to their customers as they innovate, and that creates some real and important constraints. Large companies have a much broader reach and incredible impact, and they are often amazing partners to young start-ups. While they usually don’t move as fast as a start-up, their wake is formidable.
What are the attributes of a great company in the cybersecurity space?
Niloofar Razi Howe:
Deep technical talent. Vision, speed, scale. There are, by some estimates, 12,000 companies in the cybersecurity space. Many are indistinguishable and many market segments are overcrowded with too many players.
When I’m looking at a company, I ask whether or not they are solving a real and important customer problem for which there is no good solution today. Do they have a team with the right technical skills that has delivered product to market before? Do they have an inspiring vision for the future? Is the market large enough to sustain them as they grow?
Scale is a real differentiator in the cybersecurity market. I would guess that a very small percentage of the 12,000 cybersecurity companies has revenues greater than $20 million, or frankly, a path to get there. Long-term viability of the company and its business model has to be critically evaluated because once a security product is deployed, rip and replace is very difficult in most categories.
Teresa Shea:
I think Niloo says it all! I learned from my experience at In-Q-Tel, a strategic investor in start-up technologies for the intelligence community, that the team is most important. Can the CEO succeed at penetrating an often-crowded space? Can the team differentiate and address a specific unmet need? To succeed, it requires success on the part of the team, the technology, product, or service, and the market penetration. Easier said than done!
Niloo, we’ve both spent long careers in cyber and it’s a very challenging problem. As a country (and world), our information infrastructure is now arguably our most important critical infrastructure, and data the most valuable asset. Beyond the standard comment, “We must share more,” do you have any thoughts on how we could significantly impact security as it relates to government and private sector collaboration?
Niloofar Razi Howe:
There is no question that the private sector has information that government agencies do not have and do not have access to, and there is no question that the U.S. government and specifically, the intelligence community, has access to information, especially nation-state adversary information that the private sector does not have and does not legally have access to. As it relates to things like attribution of nation-state activity, the intelligence community has a huge advantage over the private sector, and is pretty good at it. This is why everyone knows we must share more.
There is also no question that the more data we have to correlate, integrate, analyze, and enrich, the better insights we will derive. But there are two big problems. First, there are some legal and policy impediments to the intelligence community directly sharing intelligence with the private sector, largely because of the need to protect sources and methods. However, there is recognition in the value of sharing critical contextual attack information, and much work has been done to declassify this information and share it with other government agencies who can in turn share it with the private sector, including critical infrastructure.
Today, the policy governing declassification of this information is cumbersome and doesn’t happen in real time. The most direct way for the IC to get important information to the private sector in a timely manner would be to develop a policy that promotes the downgrading of this classified information and a pathway to get the information out in real time. Today’s policies and authorities were written when there was no asymmetry in cyber conflict. We lived in a world of state-on-state action for a long period of time. That’s fair game. Then, we moved from state-on-state activity to state-on-private enterprise: the Iranian attacks on U.S. banks, the Chinese hack into Google, and so on.
Today, we are dealing with state-on-individual activity — that is, nation-state actors are targeting individual citizens, and the 2016 Russian influence campaign is just one example of that. In a world where individual citizens are being targeted by nation-states on a mass scale, we have to be willing to go back to the drawing board with respect to the lines of law and policy we drew half a century ago, so that we can navigate this new world order effectively.
Even if we solve the problem of policy and legal authorities, we still need to address the bigger problem, which is the lack of trust that exists between the private sector and USG. Rebuilding that trust will not be easy, but given the general awareness of nation-state action against democracies worldwide, the door is more open than it has been in a long time. The government has to take the first step, which would involve sharing more contextual information with the U.S. public, being more transparent about how operations are conducted, including the controls and oversight that are in place, and the activity that they see that threatens our way of life. “Trust me” will not be an effective strategy. In an era where data is our currency, sharing data is the only way to rebuild trust.
Niloo and Teresa, how can we get more women into the cybersecurity industry? And extending that, how can we increase diversity in general in information security?
Niloofar Razi Howe:
Our industry is evolving rapidly. The threat landscape is changing, technology is creating new opportunities and new risks, and the old models of thinking about security are outdated.
We need new thinking, new disciplines, and new skills in our industry, and to get that right, we have to inspire a new generation of people who look and think very differently from what you might see if you walk the floor of a typical information security conference today. People don’t know this, but the most prolific codebreaker during World War II was a woman by the name of Elizebeth Friedman — she had no formal training in mathematics and was, at different times, a hairdresser, a seamstress, and a school teacher. She was smart, and she ended up breaking more code in more languages than anyone else employed by the U.S. government. We need more Elizebeth Friedmans to consider a career in information security. By the way, “The Woman Who Smashed Codes” is a must-read book about Friedman’s life. When we find people like Elizebeth Friedman, we need to embrace them, mentor them, advocate for them, and advance them.
In the meantime, there are some real tactics we can use. For example, we can insist that for any given job, a certain portion of candidates must be external, and that the goal is to have a diverse pipeline. Of course, you can’t force people to apply for jobs, but you can make sure that your job descriptions do not contain any form of inadvertent bias in them and that your recruiters keep an open mind about talent. When I used a recruiter for executive hires, my rule was 50 percent pipeline diversity. Always hire the best, but if you insist on pipeline diversity and measure your recruiters by that metric, it’s incredible the diversity of talent they will unearth.
The goal here isn’t just gender diversity, but to force your talent or HR teams to think outside of the box when they are recruiting for a role, to be expansive in how they think about the job description and skill set required, and to be forced to consider candidates that don’t look exactly like everyone else on the team. Every study shows that teams perform better when there is diversity of thought around the table.
Teresa Shea:
Start when they are girls! We need to get our elementary schools to encourage girls in the fields of math and science and provide lots of support along the way.
Also, learn from our history. As Niloo points out, women were essential to our success in World War II, breaking codes of the enemy not previously broken. Another great book documenting these contributions is “Code Girls: The Untold Story of the American Women Code Breakers of World War II.” It’s an enlightening read about those women that came to Arlington, VA to break codes because the men were needed at the fronts.
I would also point out that Ann Caracristi, who was instrumental in World War II and became NSA’s first female Deputy Director, had a degree in English and history! She was recruited to do “exotic” work that can truly make a difference, and she did. We all looked up to her as a role model, someone we wanted to emulate. Role models are important. The CIA, for the first time in its history, has a female director. Imagine every girl in America growing up believing they could become director of the CIA!