October 31, 2024

Episode 5 with Bil Harmer

In this episode, host Den Jones introduces the podcast's unique approach to discussing cybersecurity, focusing on the softer side of life rather than constant breach analysis. He welcomes Bil Harmer, operating partner and CSO at Craft Ventures, to the show.

About our guest

Bil Harmer

Bil Harmer is a rockstar in cybersecurity, currently jamming as the CISO and Operating Partner at Craft Ventures. With over three decades of IT experience, he's been the go-to guy for locking down security in startups, big finance, and even the wild world of adult content. At Craft Ventures, Bil is the security maestro, offering vCISO services to portfolio companies, handling technical due diligence for new investments, and maintaining security for Craft itself. At SecureAuth, he transformed the company’s security model to a hybrid cloud system with seamless ZTNA integration. At Zscaler, he helped clients adopt a Zero Trust security model, focusing on risk management and business needs and at SuccessFactors, he innovated a trusted security audit method for SaaS solutions using SAS70 and ISO standards years before the SAS70 was created.

A fun fact about Bil: he once pushed more internet traffic through a porn site than all of Bell Canada’s home users combined. He's also a builder of custom bikes and cars and loves playing hockey as a goaltender. Bil’s vision is all about transforming the CISO role into a risk-focused gig, ensuring that security is integrated into every business decision. He believes in empowering users through education and smart system design to make secure choices easy.

Bil Harmer is not just securing the digital world; he's making it cooler, one innovative solution at a time.

Transcript

Narrator:

Welcome to Cyber 909, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran chief security officer and cyber aficionado Den Jones taps his vast network to bring you guests, stories, opinions, predictions, and analysis you won't get anywhere else. Join us for Cyber 909, episode five with Bil Harmer.

Den:

Howdy, folks, welcome to another episode of Cyber 909, the podcast that we figure is going to be a little different as we don't want to talk about breaches every five minutes and analyze them. We'd rather talk about the softer side of life. So I've got exciting guests to come on the show. And for episode five, we've got Bil Harmer, operating partner and CSO at Craft Ventures. So Bil, welcome to the show. Why don't you introduce yourself? You'll do a better job than me, perhaps.

Bil:

Thanks for having me. It's great to be here. Yeah, Bil Harmer, I'm the operating partner and CSO at Craft. And just to give early context on what that means, as an operating partner, I provide vCISO services to my portfolio companies. So early stage companies aren't hiring a CISO. If they need somebody with expertise, I'm here for them. I can do strategy, can do privacy, can do incident response, all the stuff that they don't have skills typically at, because we see a lot of engineers building stuff and they've never had to deal with a breach and talk to a lawyer. And then I do technical due diligence on investment. So in the cyber side. And then on top of all of that, I am the in-house CSO. So I run IT and security for Craft, David Sacks and Jeffer.

Den:

That's awesome. Oh God, I keep thinking I am gravitating to the word awesome. Just a little too much these days.

Bil:

Your eighties is coming back out, isn't

Den:

It? Oh man, I tell you. So every now and again, you catch yourself saying something and you're like, oh, wait a minute, that's a habit I need to change.

Bil:

I have no idea where I picked it up, but I now say defo.

Den:

Oh really?

Bil:

Oh

Den:

Fuck yeah. I've not got that word in my vocabulary yet, so I'll try not have it there.

Bil:

It's way easier to type than definitely

Den:

Jesus. Yeah, yeah, yeah. Defo is, I guess, I dunno. So one of the things that's interesting to me, we got the whole virtual CISO, fractional CISO, real CISO, what your mind is, I mean, you're kind of a blend of both, right? You're the real CISO for Craft and then you're a virtual fractional advisory. So can you explain the difference?

Bil:

Sure. When I was a real CISO at another company, I would handle certain obligations. Getting my SOC 2 out the door, customer inquiries, incidents, those are big things that you have to deal with. And during an incident, it was me, my ass on the line and I was managing it all the way through. Thankfully I didn't have a lot of them. When you do the virtual CSO for the portfolio companies, they will call and they say, I have this question, or maybe I think I've had an incident. And I did have a portfolio company call me with what they thought was an incident. And I sat down, I talked to them, got them to tell me what was going on. And I said, okay, first off, let me have you delete any emails where you say you've had a breach or an incident because you've not had a breach.

They completely misunderstood the concept of what a breach was. Did they screw up something? Yeah, they screwed up something. Was it astronomical? Absolutely not. It was a minor error. It involved, I think, two of their customers. They contacted both customers, everything was fine. But the good part about that is as a virtual CISO, as soon as I was done giving them the advice, I hang up the phone and now it's on them. You're not having to run through those pieces. I think, and I see this a lot in the industry lately in the last couple of years, a lot of CISOs are either exiting their role, could be mergers and acquisitions, could be downsizing, and then other ones that are just going, no, I'm done. I'm done with not getting the budget, not having a seat at the table. Because a lot of CISOs, they tend to report to CIOs or, God, I think I even saw one that had CISO slash senior director attached to it. And yeah, they're frustrated with that and seeing things like the Tim Brown case where the SEC is naming a CISO in a lawsuit. So that kind of stuff is getting to the point where a lot of them I think are saying, I'm out. I can apply my skills, I can spread it across the board, reduce my risk and reduce the stress. I think the burnout now on CISOs is less than two years. I think they're saying it's 18 months now.

Den:

Yeah. Yeah. So when you think, I mean, of the legal side of it, and that's one thing even for me. So going from running big enterprise security teams, Adobe and Cisco, and then I go to Banyan and it's like I was the CSO, the CIO, all rolled into one and trying to dodge being considered the legal DPA, right? I didn't necessarily want that on the legal side of my existence. And then starting my own company, we are now in a situation kind of like you, where our contract basically says, hey, we're giving you advice. Now if you want us to execute something and we execute incorrectly, then yeah, we've got liability. So there's some areas where the virtual CISO has zero liability, or a feeling.

Bil:

Yeah, very thin

Den:

Feeling, a feeling of zero I guess if you do it. So in your position as the virtual CISO with the portfolio companies, what do you see from a founder's perspective as the most common mistake they make from a security perspective? So you get pulled in, you start reviewing these guys, is there a common mistake that most founders make?

Bil:

Yeah, thankfully it's erring on the side of over caution, which I'll take any day. I think I was surprised, hugely surprised, that when I started sort of polling through the portfolio companies, how many of them had SOC 2s that had actually implemented controls and were auditing them. So early in the stage of the company, when I joined SuccessFactors, I joined in '07. That was our first audit. Back then it was SAS 70 and then you were populating with control criteria from ISO and NIST and a few other things. But that company had been around, I was a customer of SuccessFactors in late '04 and they'd been around since '02. So that was like you're talking five years without an auditable security methodology.

Or at least maybe they had an auditable security methodology but they weren't auditing it. Whereas now I'm seeing companies that are just closing their A round with a SOC 2 and I'm like, that's fantastic because at least you're building the basis. And that's what I always tell startups, and this might go against the whole concept of being a security person, but I tell them that security's not technically important in the early stages. And I always clarify that so that way you just don't go, oh, free for all. What I mean is the implementation of security controls is irrelevant if you have no customers. So if you're doing ICP, it's pointless to be building in heavy, heavy security controls, and take everything I say with this is not 100% coverage. There are certain things where you just simply have to build; if you're building a security product, you got to have security controls.

But for the most part, when you build something, you're building it. You need to build a viable product, you need to get it out to market, you need to see and adjust and add on and build some customer momentum. But you also have to make sure in early stage that you build the foundation or the building blocks that allow you to add in the security later on when the time is right, when it makes sense to invest the cash and the money and the time to manage a security piece of your application. So that's usually how I guide them, and to find out that they've done early stage stuff where they're getting SOC 2 compliance on operational security is fantastic because operational security is operational security. That's the piece you have to start off with.

Den:

And one of my serial founder friends, I was talking with him at Black Hat this year, and he said exactly what you said, and that little clip there was, when you're an early stage startup, you don't have assets to secure, you don't have money to protect, you don't have the investment at that stage. I tell people the cost of protecting the thing shouldn't be more than the cost if the thing went bad. So if you got breached and that shit costs you like 10 million, but in order to prevent that breach scenario, you're going to spend 50 million, I know, makes no sense. Maybe I'll just suck up the 10 million.

Bil:

Now early stage, and if anybody's out there listening, I hope people are out there listening. If anybody is out there listening to early stage, secure your code. That's one of the first things you need to do. Secure your code. Because early access to code, if I can get to somebody's code early and inject something that becomes the norm of the code and plant a RAT or something that gives me later access, that is exactly where I see a huge opportunity for threat actors to get in.

Den:

Because

Bil:

If the company blows up and becomes the next OpenAI, it becomes the next Yammer or becomes the next SuccessFactors, you want to make sure that your code base is secure from day one. Plus it's your intellectual property. So that's the piece that you're protecting.

Den:

And I tell people, don't get hung up on the concept of a big security program. I'm always like, don't stroll into a founder or a CEO and say, hey, we're going to do the security program, defense in depth. And at the end of it, A, you make it sound too big and expensive. Excuse me. And also they don't need a security program. You need to look at, like you said, this code, and then it's how do I lose access to my code or the platform I'm building, the availability of the platform.

Bil:

Exactly.

Den:

So there's a few things that you can narrow in on and say, okay, well how do we protect these? And when you look at 80% of the breaches being users, click and links or creds being stolen,

Bil:

It's not rocket science. It's not rocket science. And I have never built extensive heavy software, heavy security application security programs. I just haven't. Now, I've also never built a security program for Koch Industries or Ford. They're going to have a or Lockheed Martin, right? They're going to have way different requirements. And this is again, CISOs and security professionals that want to move up in the industry, learn your business, know where you make money, know what you can survive, know what is important to you. There was a CIO for GE years ago that told me this story and I thought it was absolutely brilliant. It clearly articulates the risk methodology. He was talking to the board and he asked the board, what is important to this company? Unanimously without hesitation, it was intellectual property. GE is an idea company, they have ideas, they build big things, they make lots of money from it.

And he said, okay, so which part of it? And somebody said all of it. And he goes, oh, okay. So I should apply the same level of security control to the washing machine division as I do to the jet engine division. And they sort of looked at him said, and he said, well, the washing machine division, I'm going to make up the numbers. I don't remember what they were, but he said the washing machine division is a $50 million annual business. The jet engines is 2 trillion. The washing machines come out every year, and the difference between us and everybody else is color and two features the jet engines. That is a 20 year life cycle. So are they both equally important? They went absolutely not jet engines. And so it started to hone in on them, the understanding that if you work in the engineering department designing the next jet engine for General Electric or Boeing or whoever, your security is going to be brutal.

You're going to have to have a company laptop that you cannot surf public websites on. You cannot install anything. It's highly monitored. You've got probably three factor authentication going in every time you log in. It's early stage. It's constant monitoring big brother eyes on, but expect that because I think understand your business, but if you're building the marketing plan for the next washing machine, if you've got the same security applied to that, you're going to piss off your users. They're going to find ways around it. You're going to spend money you don't need to spend and your security program's going to go in the hole. So this whole concept of the brush that paints everything, and you see some of you still see these CISOs today, the purists I like to call 'em, where it's my entire company does this. I don't make exceptions. And it's like, buddy, all you're doing is irritating the shit out of a good part of your organization and they are finding ways around it.

Den:

Yes, I kind of look at this. I came up with this whole concept for 909Cyber, which is pragmatic security. And basically for us it is, it starts with get to know your business and then you're going through and understanding, it's not to understand what you have and the sand's way, but ultimately the people, the process of technology, the way you're overspending your money, the way the processes don't work and people just circumvent them because they're overly, and I think the thing I would say, they circumvent them because they know it's bureaucratic bullshit. And when people,

Bil:

Or they may not even understand why you've put it in there, right? Because to them it's just another thing. And the time when you get that one really important thing that everybody should really adhere to, they just go, ah, no, it's just another thing from security. They're just dumping another thing on us and there's no separation.

Den:

And I remember inheriting a team where the brand and reputation was ivory tower, and it's always in the name of security, and it's like, no, that's nonsense. Because if you partner with your business and the different business units in your company and recognize that they're not all the same and recognize that the way the business units are going to be successful, people within those business units have access to some more serious stuff than others. But how you operationalize that in a way that's cost effective for the business, sometimes you're making the calculated risk that you're not asking for the extra friction, right?

Bil:

Yep.

Den:

Now, I called this, I did a math equation, I was just pulling it up there. So governance minus BS, right? Because I think people do governance sometimes for checking boxes. So governance minus BS plus security common sense plus business strategy. I'm like, that's the equation. That sounds good. Because ultimately if you don't focus on the business strategy and then you've got common sense security, then you're just checking the boxes. And it reminds me of the people that used to do the ITSM service management shit. They'd get that book and they'd literally follow the book and the process, it was in the book, rather than saying, hey, how are we running this business? Change management doesn't need a $2 million a year program. You can use Excel if that's what works for your business.

Bil:

Yeah, absolutely. And you're hearing this all the time now, and it's really interesting, the whole concept of AI, if you've ever listened to the All In podcast with David Sacks, Chamath and those guys, Chamath is really heavy on this idea that AI will completely destroy the SaaS industry because a system of record is nothing more than a database and some encryption. I'm like, okay, well hang on, you just went way too far. The other side of this, there's a leap. Yeah, there are rules, there's intelligence that goes with it, but the concept is somewhat sort of valid in that you could theoretically rebuild a SaaS program internally using an AI tool and agents. You may not be legally compliant, you may not have the best practices, and you're going to have a whole bunch of problems elsewhere and you're going to spend a lot of money maintaining it.

That's what I think a lot of people start to misunderstand, but the concept of a system of record as a moat is really not there. It's all the things that get added onto it. Like Salesforce has a ton of data, but the fact that their system of record for sales is not their moat, it's that they have 92,000 integrations with everything on the planet. And if you go to another application and say, okay, well I'll use yours or I'll build my own, who's building all those integrations? That's truly the moat in that side. And security is the same way. We tend to do this thing where we try to build ourselves as the center of and then create this moat around us, and we don't understand what those connections are. I always say that if you look at a security person, you're probably old enough to remember this, I'm not going to date you, but you remember the days with HiPos, right?

You'd find HiPos in the org. HR would go through and find the high performer, high potentials, and they take those people and they put them on assignments and they'd be seconded into finance, into HR or into the Canadian division or into the manufacturing division. And they'd be moved around to understand how all the departments and divisions were being run because they were the future leaders of the company. These were people that they thought, out of the group that they're moving around, they could pick the next CEO, COO or something like that. And they understood that they needed to understand how every part of the business worked in order to run the business. What we're coming to, and I think people are starting to get this, is that security is now the business as well. It always has been. We need people that are going around and understanding how does HR work, how does manufacturing work?

How do they make money? What can they survive? So that way you can build an overarching risk program. I don't know if I'm considered crazy, but I think the title Chief Information Security Officer should just go away, really, because security's a tool. Those are the tools we use. Those are the levers and the dials and the things we do to reduce the risk to the company. End of story. There's no other reason for security that I can think of. And again, this is 90%, there are some oddities and exclusions to that, but you address those separately.

Den:

So what I was going to say, what kind of title would you expect us to have in the future? First officer, chief

Bil:

Risk Officer? Absolutely. And you should go around and learn every department, understand how they do business, because you'll understand the friction, you'll understand the challenges, and security should be a way of protecting data and the correct dissemination of information at the correct time, whether that's PI, marketing information, financials before intellectual property, whatever. You're controlling access to stuff and you have to understand how people work. You have to understand the frictions they have because everybody's human. And unless you take that into consideration, if you have no empathy, you will never survive in security. The ones that are security lockdown, religious nuts, I was trying to avoid saying fanatics or Nazis or something like that. But those ones that are, it's our way or the highway, are the ones that usually have the worst breaches.

Den:

But the problem is there's so many people in the security industry that are on their ivory tower that are, I just think of it, they think that they should be adding friction. And I'm like, holy shit. No, no, no. The minute, and my old boss and I used to have this conversation, which was along the lines of if you make the process and the experience cumbersome, they will circumvent their way around it or the policy or whatever. And the reality is then you should be looking at what you put in place and say, is it a way we can do this where the friction is less and even the cost of it to the business is less. And that for me, when we were at Adobe, I thought that was a great, because you have to become really creative when you start doing this stuff. Now, in order to achieve that, you start looking at the technologies that we keep throwing around. And I can't remember, there's now over 3000 security vendors. I can't remember where I got that silly stat from. But when you're thinking about a defense in depth strategy, do you go for best of breed? Do you look at suite platform solution plays? I mean, where do you fit in that scale?

Bil:

It really depends on the business I'm working for at the time. So if I were looking at SuccessFactors back in those days, I'm looking at some platforms simply because vendor management is a huge part of it. Interoperability is absolutely important. And I know from history, and again, I'm going to bring my biases to the decision, but my historical piece was whenever we built stacks, the biggest problem with the stacks is in there. The components never talked to each other

Or you had to do a lot of work to make them talk, and then an update would come along and break stuff. I would start to take a hit maybe on some functionality in a particular area, but if I could have the stack, if I could have 80% of the stack as a single vendor, then I could work and see what the future is, and then I would look at the business and go, okay, well over there in that section, I need something a little bit more. But I would find that baseline, just something that's baseline that I could implement and manage my controls across the board. And then you get to smaller organizations where they're a little bit more nimble, but they have less requirements. So you sort of look at best of breed and go, okay, look, I'm going to take, and this actually, this is a really good idea, a really good topic because I'm starting to see this change in endpoint, right?

So for a long time we were going, don't put anything on the endpoint, stay away from the endpoint. And I got that, we were overloading the endpoints, and then we saw sort of this move, and as SaaS solutions took off and became pretty much predominant in any new company being built today, the endpoints aren't doing very much, but they were constantly being upgraded, like the new Mac M3s, those are standard deployments, and yet what are they doing? They're running a browser. So then we saw the advent of the browser security, the Islands, the halls, stuff like that. But what I'm starting to see now is these hyper-converged endpoint securities that come in that can sit on the endpoint, go way beyond just a browser plugin. If you're doing browser plugin, that's kind of pointless. You can go to Reddit and there's teenagers that have zombie programs that can hang browser extensions and get around.

They want to look at porn on the Google workbooks that they have, but they're bringing in sort of 80% of security. It's not like a full Zscaler suite or a full Prisma suite because those have very specific use cases. They're not needed for everybody across the board. But if you can lop off a majority of the things, you can do some DLP to address the AI issue coming. So you can stop intellectual product code being uploaded, or at least UpTop keys, tokens, passwords. You can stop social security numbers, the basic gamut before it ever gets in to the prompt. You can do URL filtering, you can do anti phishing, you can do typo squatting. And like you said earlier, it's people clicking on shit that's 80% of this problem.

You can lop off so much right there. And because the laptops or the endpoints aren't being used heavily, using a little bit of resource and less than 1% is absolutely acceptable nowadays. So the hardware's been getting better, the software's been getting better, and then these hyperconverged agents are now building huge integrations. That is the key to them, because if you've got an endpoint agent that is running like an eBPF, so you're not threatening the kernel, you can have it running local. And that's actually, I heard Microsoft is doing that with Defender. You can have it running local, you can have it feeding information out about posture status. So you can almost get into auditability. You can start feeding audit systems like Vanta or any of the others with automated data updates. So that becomes faster, easier, and more simple for the IT organizations. And they're taking on a lot of that heavy lifting, which allows your IT and security people to actually start doing more specific and better use actions in the security world.

Den:

Yeah, I've been saying to people for years, I remember talking to Todd at Okta about one day you need an agent. I'm like, if you want to take control of the identity from a device to an app to whatever, to whatever, you kind of need an agent if you want to do it. Good. And that was over 10 years ago, I said that. I think now they have one because in order to do passwordless, do posture checking in order to do some of these things, having the agent on the device gives you way more control and browser plugins, they're great, but if you go to a larger enterprise, they're not used. You can say we're standardized on Chrome or whatever, but the reality is they're not going to do that. End users will use Chrome for some stuff

Bil:

And

Den:

Then some other browser, whatever.

Bil:

I've been hearing that Palo Alto can't even give away Talon because people are like, I'm not going to replace the browser.

Den:

Yeah,

Bil:

I need Chrome, I need Safari, I need whatever the hell Windows. What does Windows use these days?

Den:

I dunno. I still call it

Bil:

Explode.

Den:

Yeah, I was going to say, I still call it explode or Edge, I dunno.

Bil:

Oh, yeah, okay. Edge, right? So you've got everybody out there using their browser, the preferred browser, and again, that's human behavior. You get very comfortable with a particular browser and how it works. I did a switch to DuckDuckGo for a while to see what it was like. It works, it works, but it's different and it just felt wrong. And I just found myself going back to Chrome. I know Chrome works and I don't have to look at something not working and think, is it Chrome or is it me or is it the app?

Den:

Yeah. Yeah. Well, that's it. And the plugins, I tell people about browser plugins and be very wary of how and where you get them, right? But Chrome, the plugins for Chrome are good. I very rarely use Safari now or Firefox, but Chrome's my go-to now. We're kind of getting close on time, man. Easy to show the shit together for quite a while. Couple of things. So new CSOs in their tool strategy, what would be the one board of advice when they're approaching that

Bil:

New CISOs in their tool strategy?

Den:

Yeah,

Bil:

Usability, right? Balance. Everything. 50 50. Security and usability. If you can't use it or it's hard to use or if it's even confusing, and I tell this to startups that are building security tools, if it's not intuitive, it's frustrating. If it's frustrating, I'm not using it. It's just we have gotten to this instant gratification world of TikTok and Instagram and it's swiping get, and it's all Netflix's fault because people don't have to wait at the store to get the DVD

Den:

Return return.

Bil:

You remember the days and you'd have to go to the video store and you'd have to put your name down to wait for somebody to bring a copy back. And then Netflix came along and started sending out disks, and now it's just on demand. But that's the world we're in. So if I go into a tool and I go, oh, I need to get some logs from an endpoint, and I cannot, if I go to, I see a thing that says logs, I'll click on logs, I need logs. So logs should be in logs, right? But logs aren't in logs. If logs aren't in logs, and I got to go start looking for it, and then I got to go click three dots to find something in a hidden menu, I'm frustrated at that point. So I would say if you're building tools, make it simple. If you're buying tools, make it simple and usable.

Den:

Yeah, that's great. And I would add that from a tool strategy perspective, if you have fewer tools that are fully deployed, that's a lot better than many tools not deployed very well.

Bil:

Absolutely.

Den:

I've shut down more tools along the journey just because you end up having 2.5 tools per person. I wouldn't doubt it. That's a hard thing as a company grow and you want to figure

Bil:

That worry. Yeah, don't worry about nation state. You cannot survive a nation state attack. If they want you, they will get you. So lower your temperature a little bit on that side, raise your temperature on the other bit and meet yourself in the middle.

Den:

Yeah, yeah. Nation state. Unless it's Scotland's a nation, because I don't think, I can't imagine people in Scotland going around hacking people. We're quite a fair nation that way. So AI, I want a couple of things on AI. So what do you see for the next 12 months in the AI landscape? 2024 was playing out a breeze. It's getting fun, but what scares you the most and what excites you the most?

Bil:

I guess I would say that this is the era of the AI app. The whole infrastructure play has gone kind of crazy. OpenAI has reduced token costs by 98%, so it's kind of a race to the bottom on that side. For me, I think the future of security rests with AI to a certain degree, and that would be across, when you think about security, when we talk about alerts, I try to refer to them as data points, not alerts. Because if you talk about alerts, everything's an alert. Alert becomes alert fatigue and blah, blah, blah, blah, blah. But if they're data points, then you can do something with the data, consume the data and make decisions on the data. So it's a little bit different perspective on how you're going to handle it, but there is so much of it. There are so many data points that how do you do it?

And AI, or some sort of machine learning, is the only thing that will allow us to consume that much and make decisions. But taking that a step further, if you have people that work for you and say you've got CrowdStrike and Palo Alto firewalls, just picking two, and you hire somebody and the person is a great Palo Alto firewall person and they know CrowdStrike, so you put together a program and off you go, and then they get a job somewhere else and they leave, and then you put a job out saying Palo Alto and CrowdStrike, and you get somebody, and what they are is a little bit more biased in their skillset to CrowdStrike. They know that they're an expert in CrowdStrike and they know Palo Alto. Your security posture just changed, and it changed potentially immeasurably or irrevocably, but it did change. And now you don't realize that though.

And that's what we have is we have all these different tools, all these different skill sets, and then you've got different personalities, different philosophies, different beliefs, different ways of doing things. If you can train an AI on the risk methodology that you want to apply to your tools and it can consume and understand all of the tools and not forget how they work day one to day 5,688, it still understands the tool. Your security posture just got a shit ton better because now you can start looking at it and you get that thing at the end of the year where somebody says, okay, cut your budget by 15%, go find some tool that you got to get rid of. If you could go to your AI and say, look, scenario model this for me. I need to reduce costs by 15%, but I want to maintain my security posture. And if you can't maintain my security posture, I want the least reduction in security posture from a risk perspective based on my business, based on where I would potentially lose money or whatever it is that is my issue, and give me three choices. The amount of time and effort it has taken me to do that kind of scenario modeling. When I look at my tools and try to figure out am I going to pull out and rely on something else and then run the scenarios on it?

And I don't know. I may be looking at, okay, I'm going to use Intune versus Kandji. I don't know Intune. So I can't even make that decision. I can only guess at it. If you could have a system that does that, it doesn't matter who's technically coming in because the skills are not as important at that point, the system understands it and you maintain consistency all the way through the company's life. And that's what I'm most excited about. I think that's where we will see huge, huge benefits in the security world.

Den:

I don't even know if there's an AI company that exists that's actually making that yet, Bil. So hopefully

Bil:

I've seen, maybe somebody watching this has seen, I've seen little bits of it. There are companies out there that are doing it. There's one, Reach Security, does it sort of for your controls. They look at your security controls and say, here's your risk. And then if you're going to adjust, but then take that concept and just expand it, and I call it CISO in a box. We need the CISO, the technical side of the CISO, in a system that can consume vast amounts of data and make incredibly complex decisions based on that vast amount of data, and then somebody to govern that decision.

Den:

Yeah. Wow. I can't really imagine. I guess I can imagine that being somewhere in the future, but I can't see it in the near future. I think most of the people that are building stuff like this, they're focused on one thing, here's your cloud posture, here's your AWS, or so. I think AI will bundle them, but we'll get there.

Bil:

You get into that agentic AI, right? So the agents running agents. Now, when you get to agents calling and building agents to run agents, I think that's when it manifests itself, because sooner or later, all your different tools are going to have AI agents that make them better. Hopefully. They can make them worse, you never know, but they're all going to be better. And then there's going to be a person that's saying, okay, I'm looking at all these agents and I'm tweaking, turning the knobs and flipping the switches, and then somebody's going to go, why don't we just have all those agents talk to an agent? And then somebody can just look at the agent, and that'll be like a CISO dashboard that's AI driven that controls all of the agents or can at least talk to them and consume. That'll probably be the first way it comes out. It comes out as some sort of dashboard that highlights all of the things from all these other agents, brings 'em up and surfaces it. And if anybody's out there, hey, cut me some shares on whatever I just said.

Den:

Yeah,

Bil:

Help Amanda, a little bit of equity. I'm happy to talk to you about it.

Den:

So the summer is over, now it's October. So what was your funnest conference of the summer or the year, and then what was your best personal adventure?

Bil:

Funnest conference this year was Black Hat, mostly because we at Craft sort of tried to say, how do we get involved in Black Hat from a security perspective? So we built our CISO network. We just launched it last week actually. So if you go to craftventures.com, you can actually see our CISO advisory council. And one of the things that we were doing was how do we get involved? And I've been doing Black Hat for years, and getting people's attention at Black Hat is really difficult. You can go rent the racetrack, spend a quarter million dollars to have the track for the day, race cars. You get like 10 minutes of people's attention, and basically you're just collecting a list of names and email addresses for future sales. So we're trying to figure out how do we do this? So we rented a private jet and I flew eight CISOs from the Bay to Vegas, because everybody has to get to Vegas anyways. When you pick up the tab, I'll be the Uber of the air for you. So we rented a private jet, flew eight CISOs out, had a fantastic time. I bought three, four fantastic bourbons, did a TSA-approved travel kit, Craft-branded, and threw some bourbon in there, and we drank bourbon and shot the shit for a couple hours. So that was the most fun.

Den:

That's good. Yeah. That's cool.

Bil:

Yeah, personal adventure. It's been a hell of a lot of travel for me this year, and it's really a toss-up between scuba diving in Tahiti and standing above base camp at Mount Everest.

Den:

Oh, that's right. Yeah. Yeah. What was that story? How was that experience?

Bil:

I would say if anybody ever has the chance, or if you're trying to look for an adventure in your life, go to Everest. I didn't do the hike and I still want to go back and do the hike from Lukla up to base camp. I think it's seven days up and three days down; you only hike up every other day. We only had two days to do the whole thing. So we literally took a helicopter to Lukla and then took a helicopter from there up to a place called Kala Patthar, which is 18,500 feet. And you get to stand there for about five minutes. You are slowly dying. You're in the death zone. You have not acclimatized, and you're just in awe. You're standing there at 18 and a half thousand feet looking up another 10,000 feet at Everest. It's just beautiful up there. It's quiet. You can hear things from a massive distance away. So still. And then we spent the night at the Everest View Hotel and woke up to watch the sunrise over Everest. And so yeah, it's phenomenal. And the Nepali people are the nicest people in the world, just phenomenal people, and the culture there, all the things you can see and learn. Absolutely. So worth it. So anybody out there ever thinking about it, go to Nepal, go up to Everest.

Den:

And didn't you record a podcast when you were on that trip? What was that like?

Bil:

It was trippy because you're sitting there, and again, you're still sitting at 14 and a half thousand feet and zero acclimatization, so there's a lot of Excedrin being taken. There's a lot of, I've forgotten what the pills were they were telling us to take to avoid altitude sickness, but you're sitting there and you're discussing risk. That was the topic that we wanted to talk about because we were doing risky things. Like flying to 18 and a half thousand feet in a helicopter is risky no matter how you cut it, but it was so surreal because you just kept looking back, and right there, there's Everest. That is Mount Everest. You've got everything from people climbing that day. It was a beautiful day. So they knew there would be people on the mountain climbing. It was right in the middle of the summit season, so people had already done all their training and were going up, and you knew there's 300 dead bodies up there.

They call it the Rainbow Road because of all the snow suits that come out through the snow when it starts to melt. But it was the most surreal thing I think I have ever done, that somehow, in my career, it has brought me to Everest to discuss risk and security. SecurityPal, one of our portfolio companies, they sponsored it. Kar Al is Nepali, and during Covid, the Nepalese people could not do what they would normally do, and that was they get trained and then they go to India or Singapore or other places to work. They were sort of stuck in the country, and he thought, what better place to build an outsource BPO, but do it in Kathmandu? So he has since built this phenomenal office there with I think 130, 180 people that are all doing amazing work. So we went to see it, we went to see how they were doing, but also to do this piece. And I owe a lot to Kar for inviting me on that trip, and it was an amazing journey.

Den:

Wow. Wow. Yeah. When you look at your career, there's always places you visit. And I remember when I was a kid going to Asia for the first time, and I was like, I was mid-twenties, so I was going around doing this project of Novell migrations back in the day, and literally I'm like, holy shit. This job that I got is getting me to Singapore and getting me to Hong Kong and Tokyo. And sometimes we don't take a minute to stop and just appreciate or be grateful for the things that we have, where as humans, as a society, we focus on what we don't have more than what we have. And I say to everybody, I'm like, take a minute, take a breath, look at what you've got, be grateful for what you've got. And then recognize you're not in competition in life with anybody else but yourself.

Bil:

Yeah, the personality type, I think that ends up being a CISO strives for the next thing, which is what drives us. I don't know about you, but it's always been me. I've never been satisfied with where I am,

Den:

Which,

Bil:

And I'm getting to a point in my life where I'm learning to be satisfied. I love working for Craft. I love where I am, and I'm not looking anywhere else because I have 30 years behind me in this industry, and now I'm putting that to good use, and I'm still learning new things. I'm learning how the investors work and how to be an investor and what they think, because that's my business, how to protect them, how to help them, how to make the business grow. But yeah, no, I totally get you. 2019, actually, the year after my father passed away, I got to speak in Belfast at Big Data Belfast. My family is from Belfast, my father's from Holywood. My mother's from West Belfast on the Falls Road, and I think it was the Elster Times that caught wind that I was coming to speak and that my family was from there.

And they did an entire page, a full one-page spread in the newspaper, the old newspaper, actually picked it up and framed it. That's it right there. Framed that. I was able to, they called it the Homecoming for an IT guru, because my father left Belfast, came to Canada, became an IT person in the early days, like working on UNIVAC systems, that kind of stuff. Built some of the original systems that suffered from Y2K. So he actually came out of retirement for Y2K to help companies through that. And just before he passed away, I had been invited to do this in 2018, so at least I completed that mission that he knew I was going to go speak, but I didn't get to do it in 2018. It got canceled, or my travel got canceled, so I couldn't get to it. So I said, 2019, if you invite me, I'm coming. I'll pay for it myself if I have to. And Zscaler, they're like, absolutely not. You're not paying for it. Go do it. Honor your father and do some Zscaler work while you're there. So

Den:

That's excellent. Yeah, and also great places to visit as well. I mean, there's usually a lot of work in there, but it's always good to do some personal and some growth stuff. Bil, it's been a pleasure as always. Way over. We could cover a billion more topics, but absolutely, I appreciate your time. Great, great seeing you. So thanks everybody. If you like the show, I guess, subscribe, like, share, do all that normal stuff. I'm Den Jones, Bil Harmer. Thank you very much. We appreciate it.

Bil:

Thank you, Den.

Narrator:

Thanks for listening to Cyber 909. Subscribe wherever you get your podcasts, and don't miss an episode of your source for wit and wisdom in cybersecurity.
