We’re excited to kick off a new video series with our VP of Product Strategy, Kelly Shortridge, titled “Between Two Kernels.” Kelly aims to conduct short, potentially awkward interviews with industry leaders that don’t shy away from tough and entertaining questions. Episode one is embedded for your viewing pleasure and features Art Coviello at the 2019 RSA Conference talking about how he’d use the Infinity Gauntlet for the cybersecurity industry, infosec start ups and acquisitions, and how it feels to be Founder of the most hated information security conference.
Kelly: Welcome to Between the Two Kernels. This episode my guest is Art Coviello, who is the former Executive Chairman and CEO of RSA. Thank you for being here. My first question is what is it like knowing that the conference you founded is now the most hated in information security?
Art: Wow … Most hated. I actually tell a lot of the companies that I invest in that they should have their own conferences, and I say that nobody goes to the RSA Conference anymore ’cause it’s too crowded.
Kelly: It is very crowded.
Art: You see Yogi Bear a lot. Yeah, I think it’s had an incredible history of innovation, and I’m actually particularly proud of the content this year and the number of women speakers in keynote slots, which is good. But it’s difficult to get your arms around it, and I think that might be the part that’s problematic.
Kelly: I think it’s the swarms of people and the onslaught of buzzwords tends to be what gets people …
Art: Well, yeah, and 600 trade show exhibitors. I never go to the trade show floor because I either get accosted by people looking for a job or people with a business plan, so I try to stay away.
Kelly: That seems like smart advice. Do you think the explosion of vendors, speaking of 600 at the conference, is a good thing or a bad thing for the industry?
Art: Oh, that’s a bad thing. Somewhere between 16 and 20 billion in venture capital has poured into the space, and when it rains and pours what happens to most of the water?
Kelly: I guess …
Art: Goes down the drain!
Kelly: That’s a good point.
Art: And that’s what’s gonna happen with a lot of these companies. They get traction to maybe 10 or 20 million of ARR ’cause somebody will always buy something, and then they’re gonna be stuck there. Fortunately, we have something called private equity that will come down and sweep up the mistakes that venture capitalists make, and then they play this game of musical chairs passing one company to another. I’m still astounded at what happened with Blue Coat. I thought it was-
Art: Yeah. Well, I thought Thoma Bravo who paid it a billion, I thought Bain was crazy to spend two billion, and then what do you know? Symantec paid what they paid. Anyway. What do I know about finance?
Kelly: No, that’s a good point. Do you think the gravy train stops at any point?
Art: Well, that’s the problem with the private equity guys, because it’s kinda like musical chairs. When the music stops somebody’s without a chair and somebody’s gonna be left totally in the bag. You can’t fund these companies forever, and there’s already literally dozens of companies that are living dead out there.
Kelly: This is true. I always wonder are there enough exits available for all these startups that have …
Art: Clearly, there can’t be. I think [inaudible 00:03:15] said at the Innovation Sandbox yesterday that somewhere on the order of 3,000 companies?
Kelly: I believe it.
Art: We don’t need 3,000 companies in the space. Then of course the analysts, who are my favorites. They talk about these gigantic markets, and there’s no way. You add up all the companies in the space and you maybe get to 300, 600, 800 million of revenue, but you don’t get the five billion. So all of that’s overestimated.
Kelly: One of my favorite stats, I won’t name the market, was that the market sizing available for the category was 600 million and about a billion dollars in capital have flown into the category.
Art: Well, I say there’s lies, damn lies in market research reports.
Kelly: I like that. That’s a good segue. I hear when you were CEO of RSA you threw a lot of furniture. Did you ever hospitalize someone?
Art: You know, they had an interesting phrase for my management style. They called it Art attacks.
Art: I was known to occasionally lose my temper. But I was never mad at a particular individual. I was always angry at the situation. Then my VP of HR would always tell me that I had to go back and apologize and tell people it was my own fear of failure. It was nothing personal. But it was one of those “Stop me before I kill again”, so I had a bit of a reputation, but people just loved me.
Kelly: Certainly walking the vendor hall and all of the noise and excitement, sometimes I wanna throw furniture, so I can definitely relate to that. At RSA also you were the victim of a really high profile data breach. If you had been able to sweep it under the rug without anyone knowing, would you have done it?
Art: Not a chance. People wouldn’t believe me generally when I said this, but our first concern was actually with our customers. You can’t be in the security business and have something like a breach and not think first about your customers. I knew we were gonna take a huge reputational hit, but what concerned me the most is the critical place we played in so many customers’ infrastructures, especially in government and defense, and since it was nation-state attack, that was obviously our first concern.
Art: We found out about it on a Friday, did our best to come up with not only a communication plan but a remediation plan for our customers to protect themselves, and we announced the following Monday. That’s how fast it was.
Kelly: Were there any Art attacks in the meantime?
Art: No. It’s amazing. I was always tougher when we were doing well than we were doing poorly or in a crisis. Matter of fact, as the weeks progressed I would come to work every day and everybody kind of had a bunker mentality as we were dealing with angry customers and trying to figure out what happened, and helping customers remediate the situation. I would walk the hallways, and my head would be high and I wouldn’t necessarily be smiling but I wouldn’t be walking around hangdog.
Art: My employees would say, “How can you seem so confident? Aren’t you nervous?” I said, “Look. Inside I’m a quivering mass of jelly. But I can’t project that to people. The sun will come up tomorrow. We’re gonna figure this out. We’ll work our way through it,” and that’s exactly what we did.
Kelly: I like that. Art attacks in the good times only.
Art: Yeah. Exactly.
Kelly: I think it’s interesting, your background leading one of the biggest security organizations, and now you’ve been doing some venture capital. Without naming any names, though feel free to if you want, what are some of the biggest character flaws you’ve seen in the venture capitalists with whom you’ve interacted so far?
Art: I’m not one of those CEOs that had some success in business and then figured I could just go in and become a venture capitalist. I had no desire. I’m a venture partner at Rally Ventures and I advise ClearSky Security Fund, but what I like to do is just help companies, and what I’ve found and why I work with Rally and why I work with ClearSky is as venture capitalists they don’t just give you the money and promise to help you build a company. We actually get in there and help you build the company, not in an obtrusive way, but in a helpful way, and I see too many venture capitalists that are more interested in placing the maximum amount of cash that they can, and they’re pretty selfish about what their interests are. Sometimes your interests don’t always align with the company, and we always try to make the interests align with the company.
Kelly: Do you think that misalignment is one of the contributors for too many companies and startups being funded?
Art: Oh, no question. I don’t presuppose that we’re always the smart money; as a matter of fact if I did presuppose we’re the smart money then that’s probably when we’d have our heads handed to us. I’m always looking for the flaw in the value proposition as we go through companies. But there’s a tremendous amount of security expertise in both Rally and in ClearSky that’s not necessarily represented in some of the funds that are doing a lot of the security investment.
Kelly: I’ll agree with that. Sometimes it feels like they’re just chasing buzzword of the moment and almost just creating hype for each other rather than any hype that exists with actually customers.
Art: Yeah, and one of the things that I see repeatedly is they do these massive A rounds, and the entrepreneur says, “Wow! I got an 18 million pre-money evaluation,
Kelly: Sound good, yeah!
Art: And I’m raising 12 14 16 million of cash.” Well, the entrepreneur doesn’t need 12 14 or 16 million in cash, and what’s happened is they’ve overvalued the A rounds and in essence have provided enough money for a B round, so they’ve discounted the B rounds. There’s some risk for the venture company doing that, but it’s not necessarily a good thing for the entrepreneur.
Kelly: I think it’s not really a good thing for the CISOs either that than have to kind of sift through all these vendors.
Art: Oh, I just feel so sorry for the CISOs. You know, this one bank in particular that has a chief technical officer for security technology, and this person has 250 people working for him whose sole job it is to look at security technologies, bring them in, POC them, stage them maybe if they actually acquire it, and then bring it mainstream into the bank. But that’s all they do. Now, tell me how many companies have 250 people that can devote that kind of resource to looking at all of these technologies.
Kelly: No way.
Art: It’s ridiculous. I talk about Fortune 1000 and then I talk about the unfortunate 5,000 that don’t have those kind of resources.
Kelly: I read that. Yeah, I was gonna say, thinking about the smaller banks or a credit union, there’s no chance … They barely have enough security people as is let alone being able to evaluate.
Art: That’s why I’ve been looking for managed service opportunities, because I think that’s critically important. But a lot of the advice I would give to non-security companies that I’m on the board of or advising would actually be to put more and more of their infrastructure into the Cloud, because whether it’s Microsoft or Google or AWS, they’re probably gonna do a better job securing you than you could possibly do for yourself.
Kelly: From your vantage point, do you feel like security companies eat that [inaudible 00:11:36] enough? Do they secure themselves well enough?
Art: No. It’s totally shoemaker’s children. I’m appalled sometimes, and clearly that’s one of the things we look for in the companies we invest in. It was tough enough to go through the pain of the RSA breach, and we were attacked by a nation-state, two separate APT attacks, and we still almost beat them. By the way, no company suffered a loss as a result of our breach. A lot of inconvenience but no one suffered a loss. But reputationally it was not a very pleasant thing, so I’m very mindful of making sure that they do a good job with their own security.
Kelly: Absolutely. Are you familiar with Thanos in The Avengers?
Kelly: Thanos has a magic glove that when he snaps he gets rid of 50% of all beings, I think in the universe, or the galaxy. My question is if you had to handpick 50% of security startups to just go away and better the industry, would you handpick them or would you just snap a random 50%?
Art: No no. I would definitely handpick them, and I would take a lot of delight in doing it.
Kelly: Oh, really? Okay. Any hints as to the categories?
Art: It’d be like picking wings off a fly. It’s clearly Endpoint; it’s just ridiculously overfunded space. Again, a lot of SIM vendors. It’s just ridiculous how we flock one way or another.
Art: By the way, that’s another thing. The pendulum always swings back and forth in security, doesn’t it? It’s “Well, we gotta prevent this from happening.” “Oh,” it’s like, “no no no. It’s hopeless to prevent, so we’ve gotta detect and respond,” and if you think about any security framework it’s really about defense in depth, so it is really about preventing, detecting, recovering, and responding and recovery.
Art: I think the pendulum has shifted way too much to respond and recover, and there’s lots of technologies that can do a much better job preventing. In terms of value proposition, it just stands to reason. An ounce of prevention is worth a pound of cure, so if I can prevent something from happening, that’s a much higher value proposition than detecting and responding at the back end. Not that you shouldn’t have both.
Kelly: Right. It strikes me that a lot of this is driven by the marketing itself being able to say, “Oh, well all these solutions that you already have just don’t work, and you have to use us ’cause otherwise everything’s gonna fall apart.”
Art: That’s another thing I look for when I talk to companies. Everybody thinks that it’s their product that solves the problem, and as I advise companies I say, “I think your product’s great. I think your technology’s great. But you have to position yourself within a continuum of defense in depth, and if you don’t accurately and passionately state what that value proposition is, how do you distinguish yourself from all the other vendors that are out there?” Not too many companies … They try and sell their products as if there’s a vacuum and they’re the only thing, and that’s a big, big problem.
Kelly: Good way of putting it. As a last question, if you had a magic wand to correct any of your mistakes during your career in information security, what would you choose?
Art: There’s one in particular. I did 15 acquisitions at RSA, and I would say five were absolute home runs, three of them were grand slams; the acquisition of RSA itself, NetWitness, and Archer were probably my three best acquisitions.
Kelly: Archer’s been great at allowing startups room to innovation and say they were the next-gen Archer, so there you go.
Art: Imitation’s a serious form of flattery. But one of the ten losers was actually a company called Intrusion Detection. They actually had trademarked the name Intrusion Detection. I spent 30 million for it and I flushed it after a year for a million dollars, and the valuable lesson I learned there is RSA, which was doing authentication and encryption, had no business being in the intrusion detection space, and I just went for the shiny, new area of security and I learned a valuable lesson from that.
Kelly: Sounds like a lesson a lot of these big players trying to do consolidation plays could learn a thing or two from.
Art: Yeah, I’m not a big believer in consolidation plays.
Kelly: I’m not either. You haven’t tried any popcorn yet.
Art: Well, I actually did before we went on camera, and it’s kinda stale actually.
Kelly: Well, thank you for that, and thank you for joining us.
Capsule8 is the industry’s only real-time, zero-day attack detection platform capable of scaling to massive production deployments. Capsule8 delivers continuous security across your entire production environment — containerized, virtualized and bare metal — to detect and disrupt attacks as they happen.