WEBVTT

1
00:00:00.000 --> 00:00:02.580
Tom Field: Hi there. I'm Tom Field. I'm senior vice president

2
00:00:02.580 --> 00:00:05.160
of editorial with Information Security Media Group, and I am

3
00:00:05.160 --> 00:00:08.700
privileged to have with me today Art Coviello. He is managing

4
00:00:08.700 --> 00:00:12.780
partner with SYN Ventures. Art, that's a new designation. Tell

5
00:00:12.780 --> 00:00:13.830
me about the new role.

6
00:00:13.900 --> 00:00:17.290
Art Coviello: Yeah, it's a role that I took on last summer. I

7
00:00:17.290 --> 00:00:23.260
had been investment chair at SYN Ventures, which Jay Leek and

8
00:00:23.260 --> 00:00:27.640
Patrick Heim formed just a couple of years ago. And it's

9
00:00:27.670 --> 00:00:33.340
a dedicated security fund. So that's where my heart is. And so

10
00:00:33.790 --> 00:00:37.030
I joined up with them full time, this past summer.

11
00:00:37.060 --> 00:00:39.010
Tom Field: When you say full time, it strikes me that you've

12
00:00:39.010 --> 00:00:42.070
been just as busy in retirement as you were when you were chair

13
00:00:42.070 --> 00:00:43.420
of RSA. Is that fair?

14
00:00:43.870 --> 00:00:46.300
Art Coviello: Yeah, I'd say it's a safe bet that I've failed

15
00:00:46.300 --> 00:00:51.310
retirement miserably. But, you know, back in the day the Boston

16
00:00:51.310 --> 00:00:54.700
Pops conductor, Arthur Fiedler, said, if you rest, you rust.

17
00:00:55.030 --> 00:00:57.940
And he conducted the Pops in the 90. I don't think I'm going to

18
00:00:57.940 --> 00:01:00.760
be around RSA Conference till I'm 90. But I'm going to be

19
00:01:00.760 --> 00:01:01.480
around for a while.

20
00:01:01.000 --> 00:01:04.900
Tom Field: We do have a goal. Speaking of 90, so much has

21
00:01:04.900 --> 00:01:08.740
changed since the 1990s turned into 2000. You got a timeline on

22
00:01:08.740 --> 00:01:12.250
digital transformation you want to talk about?
Give me some

23
00:01:12.250 --> 00:01:17.350
sense of where we've been, and how we're exploring a new roaring

24
00:01:17.350 --> 00:01:17.830
20s?

25
00:01:17.900 --> 00:01:20.810
Art Coviello: Well, one of the ways that I like to talk to

26
00:01:20.810 --> 00:01:25.460
boards of directors about the problem and the issue is not in

27
00:01:25.460 --> 00:01:30.500
terms of the APT attack, or what the latest vulnerability might

28
00:01:30.500 --> 00:01:35.420
be. But just in terms of how the attack surface expanded, and I

29
00:01:35.420 --> 00:01:40.250
do it in terms of the hardware, the applications that were being

30
00:01:40.250 --> 00:01:45.740
used, how the perimeter evolved, and how digital transformation

31
00:01:45.740 --> 00:01:49.370
basically took place over the last 20 years. But if past is

32
00:01:49.370 --> 00:01:53.120
prologue, we're going to see an acceleration or are seeing an

33
00:01:53.120 --> 00:01:56.240
acceleration in the 20s. That's why I call it the roaring 20s

34
00:01:56.540 --> 00:02:00.890
for technology. Innovation on top of innovation has just

35
00:02:00.890 --> 00:02:05.030
accelerated the pace of digital transformation. But that's also

36
00:02:05.030 --> 00:02:08.360
accelerated the expansion of the attack surface and brought on

37
00:02:08.600 --> 00:02:11.960
new threats and issues that we've had to deal with as an

38
00:02:11.960 --> 00:02:12.500
industry.

39
00:02:12.520 --> 00:02:15.760
Tom Field: In your career, have you seen a period such as the

40
00:02:15.760 --> 00:02:18.970
past three years, spurred by the pandemic, a period of

41
00:02:18.970 --> 00:02:19.570
innovation?

42
00:02:20.800 --> 00:02:24.009
Art Coviello: It has absolutely been crazy.
There's no doubt

43
00:02:24.079 --> 00:02:27.987
about it, the pace of investment by venture capital, the

44
00:02:28.056 --> 00:02:31.825
acceleration of private equity in buying companies and

45
00:02:31.894 --> 00:02:35.872
consolidating, I used to say that the private equity guys

46
00:02:35.941 --> 00:02:40.477
used to clean up the messes that the VCs made, but they've gotten

47
00:02:40.547 --> 00:02:44.454
to be quite sophisticated themselves. And that's enabled

48
00:02:44.524 --> 00:02:48.502
us to actually do more and more innovation, which has been

49
00:02:48.571 --> 00:02:52.828
desperately needed. So no, this is kind of unprecedented what

50
00:02:52.898 --> 00:02:55.480
we've seen in the last several years.

51
00:02:55.000 --> 00:02:57.610
Tom Field: So we've got the largest potential attack surface

52
00:02:57.610 --> 00:03:00.730
in history. We've got adversaries that are more

53
00:03:00.730 --> 00:03:04.330
efficient and more automated and effective than ever before. I

54
00:03:04.330 --> 00:03:08.110
think our risk is probably greater. How would you describe

55
00:03:08.110 --> 00:03:09.970
the state of cybersecurity defense?

56
00:03:09.930 --> 00:03:13.136
Art Coviello: Well, if it's the roaring 20s for technology, I

57
00:03:13.205 --> 00:03:17.571
think we could be looking at the calamitous 20s if we don't keep

58
00:03:17.640 --> 00:03:21.597
pace with what's going on out there, and a perfect example

59
00:03:21.665 --> 00:03:25.691
is in the realm of IT and IoT. You know, most companies are

60
00:03:25.759 --> 00:03:29.717
still worried about somebody coming in the front door. But

61
00:03:29.785 --> 00:03:34.015
increasingly, the attackers are coming in the back end and the

62
00:03:34.083 --> 00:03:38.177
side door, and there's just many, many millions and millions

63
00:03:38.245 --> 00:03:42.476
more of IoT and OT devices out there that can become a threat.

64
00:03:42.544 --> 00:03:46.638
So that's one avenue of attack that has to be looked at. And

65
00:03:46.706 --> 00:03:50.527
we've invested in a company called Phosphorus, which not

66
00:03:50.595 --> 00:03:54.826
only discovers because you can't secure what you don't know is

67
00:03:54.894 --> 00:03:58.851
out there, but enables you to remediate things like static

68
00:03:58.919 --> 00:04:03.218
passwords and vulnerabilities in the firmware itself. So that's

69
00:04:03.286 --> 00:04:07.653
one avenue of attack that we're trying to close off. Most people

70
00:04:07.721 --> 00:04:11.406
think that with the next-generation anti-malware that

71
00:04:11.474 --> 00:04:15.090
you've seen come out of Microsoft and CrowdStrike and

72
00:04:15.158 --> 00:04:19.252
SentinelOne, that that problem has largely been solved. But

73
00:04:19.320 --> 00:04:23.210
ransomware presents entirely differently from traditional

74
00:04:23.278 --> 00:04:27.167
malware. And I think you had Jon Miller from Halcyon on,

75
00:04:27.235 --> 00:04:30.374
that has an incredible technology for fighting

76
00:04:30.442 --> 00:04:34.741
ransomware. And by the way, he's been teasing people and saying

77
00:04:34.809 --> 00:04:39.107
that he's my illegitimate son, and he's been good, that I asked

78
00:04:39.176 --> 00:04:42.928
him to actually start that company up. I want to dispel

79
00:04:42.997 --> 00:04:44.430
that rumor right now.

80
00:04:44.460 --> 00:04:45.360
Tom Field: We will not be testing.

81
00:04:45.390 --> 00:04:46.710
Art Coviello: Yeah. Okay. Thank you. Thanks.

82
00:04:47.050 --> 00:04:49.720
Tom Field: Art, if you had envisioned a world where we'd

83
00:04:49.720 --> 00:04:53.050
have a hybrid workforce - sounds like NFL Films - a world where

84
00:04:53.050 --> 00:04:57.730
there's a hybrid workforce or the cloud migration or the app

85
00:04:57.730 --> 00:05:00.700
culture that we have right now.
You didn't envision the

86
00:05:00.700 --> 00:05:02.410
different kinds of identity company?

87
00:05:02.960 --> 00:05:06.500
Art Coviello: Well, there's absolutely no question of that.

88
00:05:06.530 --> 00:05:10.940
And not surprisingly, identity is still at the forefront,

89
00:05:10.940 --> 00:05:15.110
because that's where everything starts. And you talked about the

90
00:05:15.110 --> 00:05:19.370
pandemic earlier, that's just changed the game as to how

91
00:05:19.370 --> 00:05:26.150
people work. So we do work from home, we do go on Zoom. And

92
00:05:26.180 --> 00:05:30.770
we're getting more and more third-party access. We're going

93
00:05:30.770 --> 00:05:33.560
directly to the cloud without touching any physical

94
00:05:33.560 --> 00:05:38.300
infrastructure. So all elements, all elements of identity become

95
00:05:38.660 --> 00:05:42.230
critically important. And again, we've got an investment in

96
00:05:42.230 --> 00:05:46.370
Transmit software. But we've also got an investment in a

97
00:05:46.370 --> 00:05:51.140
company called Talon, which replaces the virtual desktop

98
00:05:51.140 --> 00:05:55.070
infrastructure with a more secure browser. And that right

99
00:05:55.070 --> 00:05:58.190
from the get-go makes the user that much more secure.

100
00:05:58.340 --> 00:05:59.720
Tom Field: And before we came here and sat down, we were

101
00:05:59.720 --> 00:06:02.390
talking outside and we talked about visibility, and no

102
00:06:02.390 --> 00:06:07.370
question. Organizations need to know who, what, what apps are on

103
00:06:07.370 --> 00:06:09.800
their networks. But visibility is not enough. Is that something

104
00:06:09.800 --> 00:06:10.460
that concerns you?

105
00:06:11.090 --> 00:06:14.570
Art Coviello: Yeah, again, visibility is like jacks or

106
00:06:14.570 --> 00:06:19.970
better.
And, again, it's just critically important to

107
00:06:20.030 --> 00:06:23.750
establish the workflows between all of these applications, once

108
00:06:23.750 --> 00:06:28.580
you discover what you've gotten once. And to be able to secure

109
00:06:28.580 --> 00:06:32.750
elements of that. And a perfect example is offboarding and

110
00:06:32.750 --> 00:06:37.640
onboarding, not just your own employees, but your outside

111
00:06:37.670 --> 00:06:42.470
third-party people. So if you don't have visibility as to who

112
00:06:42.470 --> 00:06:46.160
these people are, you can't have the identity protections you

113
00:06:46.160 --> 00:06:48.680
need to stop people from taking advantage.

114
00:06:48.740 --> 00:06:51.710
Tom Field: Now, perhaps the best marketing technology evolution

115
00:06:51.710 --> 00:06:57.050
in history has been ChatGPT. And the conversation about AI or

116
00:06:57.050 --> 00:06:59.390
machine learning has progressed to the point, I think they're

117
00:06:59.390 --> 00:07:03.620
talking about referring to the RSA AI conference now. Your

118
00:07:03.620 --> 00:07:07.250
thoughts on this conversation about machine learning and AI?

119
00:07:08.020 --> 00:07:10.630
Art Coviello: Well, you know, machine learning is not new.

120
00:07:11.110 --> 00:07:14.740
We've been using machine learning in next-generation AV

121
00:07:14.740 --> 00:07:20.680
and it's been particularly effective. But the problem these

122
00:07:20.680 --> 00:07:23.260
are, these are predictive AI capabilities. It's the

123
00:07:23.260 --> 00:07:28.060
generative AI capabilities like ChatGPT that present that much

124
00:07:28.060 --> 00:07:31.270
more of a problem because they feed on themselves. And ChatGPT

125
00:07:31.270 --> 00:07:35.290
is just grabbing information, whether you know it or not, once

126
00:07:35.290 --> 00:07:38.740
you connect to them.
If you're using them to automate an email,

127
00:07:38.920 --> 00:07:42.790
and you're putting in PII information, or you're putting

128
00:07:42.790 --> 00:07:46.270
in some kind of technological formula, or what have you,

129
00:07:46.540 --> 00:07:51.160
ChatGPT is just going to grab it and run with it. So we have to

130
00:07:51.160 --> 00:07:55.390
fight fire with fire, and have our own artificial intelligence

131
00:07:55.390 --> 00:07:59.140
capabilities to stop those things from happening. And once

132
00:07:59.140 --> 00:08:01.930
again, not surprisingly, we've got an investment in a startup

133
00:08:01.930 --> 00:08:04.180
called Cranium, that's going to help us do that.

134
00:08:04.000 --> 00:08:05.590
Tom Field: There used to be conversations. We will have an

135
00:08:05.623 --> 00:08:07.180
app for that. You have an investment for that.

136
00:08:07.000 --> 00:08:10.630
Art Coviello: Yeah, well, but we're very active. It's

137
00:08:10.630 --> 00:08:13.240
incredible, the number of companies that we see this,

138
00:08:13.450 --> 00:08:16.270
there's hardly a company that gets funded, that we don't get a

139
00:08:16.270 --> 00:08:19.180
chance to look at. And we're focused on the very areas we've

140
00:08:19.180 --> 00:08:21.430
been talking about. Not surprisingly, if those are the

141
00:08:21.430 --> 00:08:23.380
most important ones, those are the ones we're going to be

142
00:08:23.380 --> 00:08:23.860
looking at.

143
00:08:23.890 --> 00:08:25.360
Tom Field: What are the technologies you're most bullish

144
00:08:25.360 --> 00:08:25.570
on?

145
00:08:26.350 --> 00:08:29.980
Art Coviello: So there's one that I had mentioned. So I

146
00:08:29.980 --> 00:08:35.860
bought Archer in 2010. And it's gotten to be totally unwieldy as

147
00:08:35.860 --> 00:08:39.550
to how you do governance, risk and compliance, and Archer has

148
00:08:39.550 --> 00:08:43.540
been and is just the framework.
So it requires you to have all

149
00:08:43.540 --> 00:08:48.370
kinds of spreadsheets and work effort by people. And we've

150
00:08:48.370 --> 00:08:51.190
invested in still another company called RegScale that

151
00:08:51.220 --> 00:08:55.810
automates the connectivity of applications and pulls the data

152
00:08:55.810 --> 00:08:59.200
from them to give you a real-time status of your

153
00:08:59.200 --> 00:09:01.870
compliance requirements, which you can't do if you're just

154
00:09:01.870 --> 00:09:05.410
updating periodically on a spreadsheet. So whether it's

155
00:09:05.470 --> 00:09:14.350
anti-ransomware, IoT, OT, you know, discovery, and identity,

156
00:09:14.950 --> 00:09:17.620
you know, those are the areas that we're particularly

157
00:09:17.620 --> 00:09:20.410
concerned with and continue to track and invest in.

158
00:09:20.440 --> 00:09:22.510
Tom Field: Last time you and I talked personally, you would

159
00:09:22.510 --> 00:09:25.450
take a great interest in the privacy conversation. That's

160
00:09:25.450 --> 00:09:29.290
only ratcheted up with more diverse and strict privacy

161
00:09:29.290 --> 00:09:31.900
regimes around the world. What are your thoughts on how

162
00:09:31.930 --> 00:09:33.850
security and privacy are evolving together?

163
00:09:35.880 --> 00:09:38.130
Art Coviello: I'd like to be more hopeful. I just think it

164
00:09:38.130 --> 00:09:44.280
gets more and more complicated and things like deepfakes and

165
00:09:44.910 --> 00:09:48.990
social media just have made it almost impossible to maintain a

166
00:09:48.990 --> 00:09:54.480
level of privacy. But there was another company that SYN

167
00:09:54.480 --> 00:09:59.130
Ventures is not invested in but BigID which does a particularly

168
00:09:59.130 --> 00:10:02.490
good job around protecting privacy within a company.

169
00:10:02.820 --> 00:10:04.800
Tom Field: You get the chance to walk around, see lots of

170
00:10:04.800 --> 00:10:07.230
different organizations and people these days, not the same

171
00:10:07.230 --> 00:10:10.560
as when you were at RSA. What's your thoughts on what the next

172
00:10:10.560 --> 00:10:13.110
generation of security leaders need to bring to the table?

173
00:10:14.140 --> 00:10:17.560
Art Coviello: More of a business orientation. They, I mean, I

174
00:10:17.560 --> 00:10:23.290
remember way back in the early part of the millennium, I talked

175
00:10:23.290 --> 00:10:26.830
about the fact that this is our time; that we were becoming

176
00:10:27.100 --> 00:10:30.250
mainstream. Security people weren't those, you know, crazy

177
00:10:30.250 --> 00:10:34.960
uncle in the attic anymore. But we've gone well past that, that

178
00:10:34.960 --> 00:10:38.440
we are mainstream, but now we have to become more business

179
00:10:38.440 --> 00:10:41.860
people, more aligned with the business. And that's something

180
00:10:41.860 --> 00:10:46.060
that I have seen over the last several years is most CISOs are

181
00:10:46.060 --> 00:10:49.240
becoming integral parts of the management team itself.

182
00:10:49.300 --> 00:10:51.580
Tom Field: What happens when those CISOs start to get put on

183
00:10:52.180 --> 00:10:54.820
the spot in certain legal issues, as we've seen over the

184
00:10:54.820 --> 00:10:56.800
last couple years, there are a lot of people that shy away from

185
00:10:56.800 --> 00:10:56.980
that.

186
00:10:57.010 --> 00:11:00.430
Art Coviello: Well, it's absolutely frightening.
And

187
00:11:00.850 --> 00:11:06.880
we're advising no CISO to take the job without having the same

188
00:11:06.880 --> 00:11:10.360
kind of indemnification provisions that most corporate

189
00:11:10.360 --> 00:11:14.080
officers have, but some of the things have been chilling where

190
00:11:14.260 --> 00:11:18.430
they've been scapegoated literally, for things that they

191
00:11:18.430 --> 00:11:21.460
shouldn't have been held responsible or accountable for.

192
00:11:21.730 --> 00:11:23.350
Tom Field: Art, as always a pleasure to see you. Thanks so

193
00:11:23.000 --> 00:11:25.490
Art Coviello: Yeah, great seeing you. Good to be back.

194
00:11:23.350 --> 00:11:23.830
much for stopping by.

195
00:11:26.120 --> 00:11:27.620
Tom Field: Again, we've been talking to Art Coviello. He's

196
00:11:27.620 --> 00:11:30.170
the managing partner with SYN Ventures. For Information

197
00:11:30.170 --> 00:11:32.840
Security Media Group, I'm Tom Field. Thank you for giving us

198
00:11:32.840 --> 00:11:34.100
your time and your attention today.