Leaders Make Good News Out of Bad

Posted: 1st March 2021
By: CAITLIN MATTINGLY

Today’s episode features a conversation with a pair of CEOs from leading cybersecurity companies. Joining us are Mårten Mickos, CEO of bug bounty platform provider HackerOne, and Christopher Ahlberg, CEO at Recorded Future.

They share their insights on what it takes to be a successful CEO in the rapidly changing cybersecurity field, the importance (or not) of having deep technical skills, differentiating yourself in a crowded marketplace, and the ongoing challenges of the unknown unknowns.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 198 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

On today’s episode, a conversation with a pair of CEOs from leading cybersecurity companies. Joining us are Mårten Mickos, CEO of bug bounty platform provider HackerOne, and Christopher Ahlberg, CEO at Recorded Future.

They share their insights on what it takes to be a successful CEO in the rapidly changing cybersecurity field, the importance (or not) of having deep technical skills, differentiating yourself in a crowded marketplace, and the ongoing challenges of the unknown unknowns. Stay with us.

Dave Bittner:

So before we dig into some of the topics we're going to talk about today, our audience is familiar with Christopher, he's been on the show a few times, but Mårten, can you give us a little brief overview of the type of work that you do at HackerOne?

Mårten Mickos:

At HackerOne we crowdsource security to a million ethical hackers in the world. They come in and they hack your systems, and instead of breaking in, they tell you what they find so you can fix it. And that way you reduce your cyber risk. Your risk of data breach.

Dave Bittner:

Since we have this opportunity of having two leaders of cybersecurity companies, why don't we dig in a little bit and talk about what that experience is like, what the day-to-day is like of running successful cybersecurity companies. Christopher, why don't we start with you?

Christopher Ahlberg:

Well, that's a good question. So I think about it, you got to balance your time. First of all, start with your customers or your clients. You've got to make sure that you... And the thing when you run a company is that there are so many things that people try to make you do, so you have to be vehemently focused, and stay focused on customers, trying to understand the problems they want to solve, figure out how you can do clever things with that. I'm a technical CEO, I'm a geek by background, so I tend to try to think a fair amount and spend time in our product stuff. How can we actually shape this to solve for the customer problems?

Christopher Ahlberg:

And then making sure that you have the right people on board, which means that you're involved in recruiting and all kinds of different things that are... Whether it's very short term, get Sally or Bob or Lisa onto the team, or you think about the long-term two to three, four, five years, how do we make sure that we get great people on board and make sure that those can develop themselves in great ways inside the company, and just make sure you have a great team. So if you spend time on those three areas, I think you do pretty well. A lot of people tend to be focused on fundraising and all kinds of other weird things that I think come for free if you do what I just talked about, and so customers and product and technology, be real clever about that and your people. And then things will work out great.

Mårten Mickos:

I agree with what Christopher said, but I would also say... I mean, I built a number of businesses in my career, and in cybersecurity what I find intriguing is that we are all trying to turn bad news into good news. Cybersecurity is dealing with problems, dealing with risks, dealing with nasty things, dealing with things you wouldn't want to deal with, dealing with things where people have made mistakes. So there's a lot of cleaning up and dirt and bad stuff there. But for the business to work, we have to turn it around and show the benefit of it. And a customer, a CISO, or anybody else in the security business, they don't want to be the one saying no in their company. They want to be a business enabler. So it's mentally a demanding question of how to turn all that bad stuff into good news for business. And to me, that's an intriguing challenge with any cybersecurity business.

Dave Bittner:

Does that resonate with you Christopher?

Christopher Ahlberg:

No, I think so. It is very interesting. And in general, running companies, generally running startups, I always like to say that people say... They try to say that this startup stuff has good and bad days. And I'm like, "Nah, you know what really, it has 29 bad days, but there's just that one day out of the 30 that's really awesome, and that makes up for the bad 29." So you generally in startup land live in a pretty up and down and lots of down sort of days, and then you overlay on that, to Mårten's point, the idea that you frankly are dealing with potential bad constantly, and it can be taxing, and I think I'm fine with that. I'm sure Mårten is a super strong guy, so he can deal with that. But you've got to make sure that your team can deal with that in a decent way. And through the last year, when you put COVID on top of this, it certainly hasn't been really easy. So I think it's a great point.

Mårten Mickos:

Yeah, there's this picture circulating in social media amongst cybersecurity people with, what is it, a dog or a cat sitting in a burning house and there are flames all over and then the animal says, "It's all right." Or, "It's good." Yeah, "This is fine." Exactly. It's so much the reality that we have to deal with burning fires all the time, and yet we have to maintain our calm and balance and composure and see the good news in it. So to me, that's what makes cybersecurity exciting.

Christopher Ahlberg:

I think what's interesting there Mårten is that I think about our business being intelligence and our job is to make sure that a CISO or other decision makers get the best information flow there can ever be. And what you're doing by crowdsourcing vulnerabilities across at least ethical hackers, sort of similar, you create a fantastic information flow and a decision-making flow to the CISO and other people on the client side of things. And you're right, when you get that information flow, it's not unlike somebody who works in a... Whether it's a human intelligence organization or a sigint organization, whatever it is, you're basically having bad news coming at you, potential bad news coming at you at high pace. And if you operate in a way where you panic on that, you just can't. And I think that as leaders, our job is to take this flow of information and just make sure that it turns it into something good. And I like that. I'm starting to think about product changes that we need to do to think about that. That's very powerful.

Mårten Mickos:

Yeah, I tell our customers sometimes that somebody will break into your system, and please let it be us, because when we do it, we will actually help you fix it. But there are many other people and groups and whatnot who will just break in to steal information or disrupt operation or change what goes into drinking water or something like that.

Dave Bittner:

It strikes me that many startups begin because someone has an idea about a problem they want to solve. There's something that... They have an itch they want to scratch. They want to fix something that's out there. But a lot of folks don't consider what it also takes to be the person running a company. And that solving a problem and running a company are not the same thing, and they quite often require different skillsets. I'm curious from both of you, how has that adjustment been, or how has that reality been? Is running the business itself something that you enjoy? Mårten, let's start with you.

Mårten Mickos:

Yeah, absolutely. It is the only thing I can do. I don't have business ideas. I don't start great companies. I don't do that. But I do love getting people together, aligning them behind a goal or a mission that the founders figured out, and then pushing, driving, getting to that goal, climbing the hill together. And I'm so thankful that there are founders out there who have these amazing startup ideas, because I need something like that to be successful as a CEO. And then I find founders who need me, who need a professional dedicated CEO who loves just being the CEO.

Dave Bittner:

Christopher?

Christopher Ahlberg:

Yeah, I think, that's why I always get so inspired when I get to have dinner with Mårten or get to have some drinks with him and just see he's exceedingly good at what he just described. So I'm more of the geek and I've been lucky to stumble on two ideas. One for Spotfire that came out of my PhD, and then when we cooked up Recorded Future, and that was more in that realm of like you find a big hammer and now you go look for nails to apply it to. So that's what I've been doing. We were lucky in both cases, now with Recorded Future, to stumble on intelligence and threat intelligence becoming a very big nail to try to hit it on. I certainly still love the geeky part of it, but running the company and trying to set an operational high pace with effective execution is pretty enticing too. So I like both. I certainly like both.

Dave Bittner:

Now Mårten, you came from outside of the cybersecurity field. What was that like for you? Getting up to speed in cyber?

Mårten Mickos:

I love the question because I had decided I will not go into cyber. I told myself... I falsely told myself that that industry is full of negative, cynical, nitpicky people, and I don't want to be there. So when I met with the founders of HackerOne I came with really a lot of prejudice and negativity, but they turned me around in a nanosecond. They told me how they think about security, that you need to be open, not closed. You need to collaborate, not work in silos. You need to share, not hide. And suddenly I realized that they were revolutionizing cybersecurity to turn it into positive, constructive movement. So I was ready to sign on that moment. Although I knew nothing about it.

Mårten Mickos:

In a way you could say I'm repenting now, because I've been there building internet software for 20 years that didn't have any proper cybersecurity precautions or protections, and we shipped MySQL without the password or with a default password just to make it easy for people to use. We didn't do anything to make it secure. So now I get to fix my own mistakes from the past, by making sure that we build a new internet which actually is secure, because what we've built so far is a really crappy, shitty prototype of a digital society.

Christopher Ahlberg:

That's a great point. I remember, Mårten, when you called me, I also came from outside security, but I had maybe had a few years of, I would say, being ahead there, and you called me because you were coming to Boston to visit your son, I think, and said, "Look, you got to tell me a little bit about this security stuff." And I was like, "I don't know much, but let me try to tell you the stuff that I do know."

Mårten Mickos:

So whenever I am wrong about cybersecurity, I'll just blame it on Christopher because he was my first teacher.

Dave Bittner:

It seems like it worked out fine for both of you.

Mårten Mickos:

We're working on it. We're working on it. Christopher will say that it's day one of the business and they've only touched the percent of the target market, which is true for us.

Christopher Ahlberg:

It's true. We're at 140 million of sales and we think the market is 25 billion, so it's early days.

Dave Bittner:

Let's talk about, then, how do you go about adding value in the cybersecurity field? It's such a crowded space. How do you differentiate yourselves? Christopher?

Christopher Ahlberg:

We've tried a couple of different ways. I think there is something going on in cybersecurity that there's frankly too much money going around, so people are advertising on Formula One cars, applying 10 million bucks on that, or they're doing TV advertising on Superbowl or whatever football thing. I can't say that I care much about that. And they spend literally crazy amounts of money on this stuff. And you know, we've tried to use information. We're an intelligence company, so we write intelligence. We started, as you well know, its own media outlet, The Record. We're publishing books, we're doing training on building a profession, essentially, of intel analysts. So we really try to take that sort of approach to building an information approach, or content marketing people would call it in start up-y language. Because that's how we've tried to do it, and that seems to have been working out. I don't know. What about you, Mårten?

Mårten Mickos:

We differentiate by reducing our customer's cyber risk faster than anything else. We differentiate by getting paid for results, not for empty promises. We don't ship you just more and more firewalls and antivirus software to try to make you falsely believe you're safe. But we deliver real value, tangible value, value that nobody else could find. The vulnerability our hackers find cannot be found or are not found by scanners. They are not found in pen testing. They're not found in QA processes. They are found only in two places, by criminals and by our hackers. So you have to choose. Who do you want to find... Who do you want there to be the first one finding the vulnerability.

Christopher Ahlberg:

That's good. That's good. And at some level, this is where I think there is interesting similarities to what we do with intelligence is that we go and infiltrate the hackers themselves, the bad guys. So we infiltrate them and try to find their intents and capabilities before they come at you. We try to do likewise to go after state run actors, be it Iran and China and Russia and so on, and understand their capabilities and intents and help you to defend ahead of that. Getting ahead of the curve. And here is where I think we're in similar type of businesses, even though we're going at it in a very different way, instead of trying to find the bad news before a bad guy comes along with it.

Mårten Mickos:

I agree. And here you could see the immaturity of the market that we are not yet coordinating our efforts as much as we could between Recorded Future and HackerOne. We will come to a day when intelligence like you are collecting will be combined with the practical day-to-day findings of our world, and that will produce an even clearer picture of what's going on. Much clearer than the criminals or the adversaries have at their hands. And that's how we will ultimately beat them, by pooling the defense and using all our resources on the defense side, and then it will be much, much stronger than any nation state, any criminal group, any activities, any terrorists, whatever we have there on the other side.

Christopher Ahlberg:

That's a great point because the criminals have some levels of sharing. And in fact, in many ways they are pretty effective at sharing. Whether it's the Russian criminals who are in their forums where they're sharing methodologies. So they have actually better sharing methodologies right now than what we have. Governments are trying to set up sharing mechanisms and so on. So I think the criminals are ahead of us now, but to your point, if we were smarter around this, we could outsmart these guys just because in sheer numbers, in sheer budget, and all of that, there's no reason they should be ahead.

Mårten Mickos:

Yeah. And we have a concrete example on our side. We've been running the Hack the Pentagon program for five years now for the Pentagon. We've found 25,000 vulnerabilities in the systems. They are now rolling out an extension of it, where they go to the private sector and say, "If you are a vendor to the DOD, you can be part of this program as well," because DOD knows that they are not secure until also their vendors and suppliers are secure. So now they're extending our program to private sector companies as well. That is a very good way of strengthening the cyber defenses across organizational boundaries. And it hasn't been done before, but we're doing it.

Christopher Ahlberg:

No, that's great. I think that's a great point, and I think we've been very proud about similarly what we've been able to do with US Cyber Command as our big contract there, being able to be part of defending both core infrastructure for the government, but then extending further into really being able to use those vast resources to make life miserable for the adversary. And eventually we'll have a good effect.

Mårten Mickos:

And people think there's a lot of adversaries and a lot of bad people. They are not many. They are bad. They're very bad. But they are not very many. So by pooling our resources and getting everybody together, we will outpower them, outsmart them, outrun them, outmaneuver them, everything. Just in our community we already have a million hackers signed up to do good work. To hack for good. That's more than there are black hats in the whole world. Much, much more.

Dave Bittner:

I'm curious. It strikes me that something perhaps both of your companies have in common is that before your customers engage with you, it's likely that they don't know what they don't know. You provide insights. You provide them with information that they likely would not have been able to get on their own. Is that an accurate description?

Mårten Mickos:

It is. It is. It's very much so. And of course everybody has this... We all don't know what we don't know. It's a universal truth. But it is very poignant in cybersecurity because that's where the worst threats and the worst breaches happen. So when you look at the absolutely worst cases, like an Equifax or something, well, they knew about the vulnerability, but it's the unknown unknown that produces the most dramatic, terrible outcomes. So you must look for them.

Mårten Mickos:

And then we have these unbiased hackers, very creative, very curious, and because they don't know the company, they're not inside the company, they actually think much more creatively and find those unknown unknowns that you never can instruct software to find, because the moment you instruct software to do something, software will do only what you told it. But our hackers, they will have the creativity to go beyond any instruction we give them. They will think the unthinkable and they will find the unknown unknowns. And that is the power of the model. And of course not all of them will all the time do it. But when you have a million, there's always somebody who does find it.

Christopher Ahlberg:

That's great. And it's similar when we think about intelligence, you want to try to... Again, you have to be careful so you don't say with intelligence that, "Look, I'm going to find you your unknown unknowns." But if you set up the right information streams, the right information flows, whether it's trying to understand what are the bad guys up to, what's their intent, a little bit more fancy language, what capabilities do they have? What have we seen elsewhere? There's a whole set of flows so you can set up. And if you get yourself in the way of those in a creative way, you're going to, again, get left of boom as people like to call it. You can do it. And this is where intelligence really can make a difference.

Christopher Ahlberg:

Now, at the same time, I also think this is where we have to be humble and not make too grandiose claims about being able to catch every unknown unknown, because if we do then not only our companies, but the industry in itself will get in a bad place. And this is where I think a lot of the cybersecurity industry looks bad after 30 years of having thrown lots of dollars at the problem and obviously I haven't sold it. So humble is the right way of going at it.

Mårten Mickos:

Yeah, partially because people used to think that in cybersecurity, it's possible to reach a hundred percent security. It isn't. It's exactly like COVID. You can be very safe and you can put one more mask on and you will reduce the risk. You will never have zero risk. It's impossible. But you will reduce it. And the wisdom is in reducing the risk, not in crazily believing in some zero risk world, because they don't exist. So you have to reduce the risk always. Keep reducing it. And the other thing which everybody has to do is act faster, because given that risk will never be zero, we will all be hacked or cracked at some point. Even if you use Recorded Future and HackerOne, you're not completely safe. So you must have quick reaction times when something bad is happening. So you must see what's coming in and act quickly. And that is how you maintain high security. Not by believing that there is some wall that you can build that will keep everything on the outside.

Christopher Ahlberg:

Exactly that wall analogy is sort of, I think, the whole idea that people think that they just keep building every year a thicker and thicker wall and a higher and higher wall. But there's so many problems that A, the wall is obviously full of holes. That's number one. And in fact, it's full of holes that people have forgotten about. And even if they try to keep inventory of it, the cybersecurity industry has such high turnover of people so that the people that are manning the wall, running the wall, they turn over every 18 months so that all the holes are forgotten. And that's why I think what you're doing Mårten is so important because you find those holes and basically many times maybe even report them back to people, even if they, at one point, may have known about them. And we'd like to think that, again, with intelligence, we can go seek out and understand where those bad guys are going to go look for holes, but that wall analogy and the walls approach that people have taken to defense just got to go, because it's really bad.

Mårten Mickos:

Yeah. And we have to remember the more you build walls, the more there are places for holes. So you should minimize the amount of walls. You will need walls here and there, but the more you build them, the more you create risk. So it's really hard with cybersecurity because you must be a minimalist. You must try to do the minimum possible thing that will create security because for every piece of software, yeah, it's a security risk. So you should try to keep it lean because that allows you to react quickly, redeploy, pull back, whatever you need to do in real time when something happens.

Mårten Mickos:

And I think what was amazing here with the SolarWinds breach was how Microsoft acted. In a few days, Microsoft got all their cybersecurity people going, they revoked all those certificates, they traced down all the places where the malware had been. I would like to read a book or a story about what happened in those three, four, five days at Microsoft in their cybersecurity center, when they decided on how to roll out the counter attack, so to speak, against the SolarWinds malware. And of course it was not just SolarWinds. We call it the SolarWinds breach, but there was more than just one company involved in the breach. But there it was beautiful to see how quickly somebody could act to stop it.

Dave Bittner:

Our thanks to Mårten Mickos, CEO at HackerOne, and Christopher Ahlberg, CEO at Recorded Future for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.
