Sam Curry is the chief security officer at Cybereason. Curry has dedicated over two decades as an entrepreneur, information security expert and executive at companies like RSA, Arbor Networks, CA Technologies, McAfee, Cybereason and several others. He has devoted his career to empowering defenders in cyber conflict and fulfilling the promise of security enabling a safe, reliable, connected world. Curry is also a widely in-demand public speaker and he holds multiple patents. In his spare time, he hosts his own podcast called Security All-In, sits on select boards and publications and is a tireless info security mentor.
Cybereason has recently ventured into the realm of commercial media, streaming and cable advertising, an untraditional path for many cybersecurity companies. Curry discusses exploring these mediums and the positive impact it’s had on the brand:
Trust is built by contact and exposure. … I think you can become more familiar with a company and brand and the result is seeing increased web traffic and curiosity about who we are and what we do, which is exactly what it was supposed to do.
In this episode of Cybersecurity Unplugged, Curry discusses:
- Financing and building up an agile cybersecurity company;
- Improving company recognizability and trust by using commercial media, streaming and Cybereason’s signature owl;
- How SMBs can increase visibility into indicators of compromise.
Steve King 00:04
Good day everyone. I’m Steve King, the managing director at CyberTheory. Today’s episode is going to focus on unified endpoint security, and then a guy who’s one of the key influencers in cybersecurity today. And joining me is Sam Curry, that guy, widely held to be one of the true visionary leaders in the field of cybersecurity, as well as the chief product and security officer at Cybereason. Sam has dedicated over two decades as an entrepreneur and infosec expert and an executive at companies like RSA, Arbor Networks, Computer Associates, McAfee, Cybereason and several others. He has dedicated his career to empowering defenders in cyber conflict and fulfilling the promise of security enabling a safe, reliable, connected world, or at least giving his best shot. Sam is a widely in-demand public speaker, he holds multiple patents, he hosts a podcast himself called Security All-In, he sits on select boards, including ours, and publications, and is a tireless info security mentor. So welcome, Sam. I’m glad you could join me today.
Sam Curry 01:35
Steve, that may be the most amazing intro I’ve ever had. Thank you for having me. And hopefully I live up to what you need from this session together.
Steve King 01:44
I’m sure you will. Let’s talk about education for a second here. For openers, you’re a member of our faculty advisory board here at CyberEd.io, and I know that Cybereason recently joined the MITRE Engenuity Center for Threat-Informed Defense as a sponsor. We love Engenuity and will soon, all things falling into place here, be delivering their certification program on our platform. Can you tell our listeners why you believe this initiative is important to Cybereason in particular?
Sam Curry 02:23
Well, yeah, I mean, I’ve been impressed generally with MITRE, everything from, you know, the ATT&CK framework to some of the tools they’ve produced, but Engenuity in particular is something that we wanted to get behind. I think it’s important that we contribute to worthwhile initiatives. And by that, I mean, we have a mission at Cybereason, as you mentioned, my personal mission, and one of the reasons I’m at Cybereason is when I met our CEO Lior, I realized I’d never met a company I was more in alignment with, right? And that means we will do what it takes as a company, not just as a business, but with any clout that we have, to reverse that hacker advantage, to make defenders expect to win in cyber conflict. And so, Engenuity is one, there are others too. But I think this is critical if we want to be changing the way cyber is done. And yes, it’s education, sometimes in awareness, others, sometimes it’s standards and protocols. Sometimes it’s toolkits. Sometimes it’s collaborating with competitors. But if we want to live in a world where defenders expect to win, this is what we got to do.
Steve King 03:27
Indeed, and that relationship dynamic definitely needs to change here. So I’ve been in the space for, like yourself, 20-plus years, and I, you know, it’s hard to sort of ward off the demons of ironic system, if you will. But I’m an optimist by nature. And I think we can do this. So
Sam Curry 03:48
I’m a huge fan of the ATT&CK framework generally, not because of the hype and the over, you know, that some people think it’s sort of testing products, which of course, part of Engenuity does. I like purple teaming, and I believe in a taxonomy and I think it’s evolving. And these are indisputable, we don’t come up with a framework and use it for decades, you come up with the framework and you improve it as the bad guys improve. And that’s a worthwhile pursuit by itself.
Steve King 04:13
Yeah, no, I agree. And we are improving, no question. Now I know you guys recently closed on a huge round of financing, at least huge in my mind, brought a lot of million bucks to your leadership position and delivering, you know, XDR and EDR, EPP solutions to the market. It also brought Steve Mnuchin to your board. Tell us about how you intend to enhance and expand your AI-powered Cybereason Defense Platform with that, some of that capital, and maintain that front-of-the-pack position that you’ve fought so hard to win.
Sam Curry 04:51
The most recent F round was 275 million that we took in, I think that brings the total invested to about 690 or so. So, but we’re in the hyper-growth mode, this is the opportunity that you hope you’re in. And that means that development is king. Right? We have to make incremental improvements and refinements and bring new features. And so from my perspective, yes, you know, it’s XDR, it’s protecting cloud workloads, it’s adding the refinements that brought customers to us, and will keep them with us. And it’s continuing to improve on the promise. Yeah, I don’t want to have, you know, the product sit around, it’s got to be fresh, it’s got to be, in other words, just as agile as you would expect of any other industry, if not more so, because we have an intelligent adaptive opponent. So that money will go to two big buckets. Of course, I’m not responsible for the spend on that, Lior is the CEO. But the two big buckets are coverage and go to market, because more people need to know what we can do, and that we are changing the game in cyber. And developers, we’ve got to build more and do so in a secure way. The trade-offs among, you know, quality, time to market and scope are incontrovertible. And so for that we need to build new capacity and in new places, and because we are a global company, and just that’s where the money is gonna go.
Steve King 06:14
Yeah. And you speak about coverage. And I want to talk about your go to market and your recent sort of foray into the commercial television space as well, in a minute. Speaking of winning, I wouldn’t characterize our overall security results in that way right now, just in terms of, you know, as we, you know, indicated earlier, that attacker-defender dynamic, and I know you’re frustrated by our inability to mount a coordinated forward defense posture at the national level. Tell me, what would you like to see the new CISA get done under this administration? And how would you like to see them do that? I know you know some of the people that are involved.
Sam Curry 06:55
Yeah. Look, I’ve been nothing but impressed with the energy and the dedication and the professionals they’ve pulled in. As you said, some of my friends are there, and have been since the early days. But I want to see, yes, you know, the national strategy evolve. We certainly saw an executive order come out to move the goalposts on that, to push things a little harder, and challenge the status quo. But I think the real thing about CISA is they’ve got to uplevel the game and bring resources to the public. And people who don’t otherwise have those resources, give them the shortcuts, give them the tools, give them the help. And what a lot of folks don’t know is they will just come in and assist, they don’t know that, then many people don’t know they can call on them. And so my hope is that that becomes evident, and that they innovate in making security accessible to smaller companies and verticals that have never had it and regions that don’t have access to the cyber professionals. We talk about talent gap in our industry. And it should, by all means it’s there. We’re producing more graduates than ever. In fact, when I started, there was no bachelor’s in the Ph.D. program in infosec. We charted the course. But there are now, it’s just the gap is getting bigger, faster. And it’s, you know, there are some parts of the country, it’s very hard to get cyber talent. So how do we make it easier to train people in situ? I don’t think we’ve increased diversity in many dimensions in our space. And I don’t think we’re very welcoming as it is an industry. And this stuff is graphical, people can get it, when you actually sit down and explain it to people. But for some technical skills, which are critical, there are many, many jobs in cyber that people get into. And once they’re in, welcome to the family, they can move around, but I’m not seeing enough of it. And so I also hope that we cast the net wider and people can see themselves in the industry. 
I am someone who joined us as a history major. And she said, I want to be a level one analyst, and she became one within about seven months. There’s enough people who can see themselves doing that from other disciplines, and then get on the path and then have welcoming arms receive them. We’ve got to do something about that, too, Steve.
Steve King 09:06
Yeah, I know you’re absolutely right. And as much as CISA is your own marketing campaign, we also do that, we also need one to push that message out there.
Sam Curry 09:17
Because Krebs once said, a cybersecurity Information Security Agency. He said, we love security so much. It’s twice in our name. I think most of the people they serve her are aware of the presence and desire of the people who’ve got to do it to actually help because they tap into people in the industry and bring them in house and then say we’re going to enable you and I don’t think a lot of people know that they can call on it.
Steve King 09:42
Yeah, no one understands that story well enough for sure. Let’s talk about the owl and the provenance of owls that guys, I love it as
Sam Curry 09:51
a collective noun for owls is a parliament that you know, that’s awesome and it goes way back as a term but yes, what would you like to discuss about owls
Steve King 10:02
because you know, you guys chose this as your mascot for this current campaign you’re running. And I’d like your thoughts about commercial media and streaming and cable advertising versus cybersecurity companies and you know, what’s been traditionally a B2C channel?
Sam Curry 10:19
Yeah, so you want to start with the owls?
Steve King 10:21
Yeah, provenance.
Sam Curry 10:22
So owls have been with us for as long as it’s been a company, I think it may even predate the name of the company and it might predate the founding. The owl was really part of our identity. From the earliest days, it just changed with the latest campaign. So we used to have a blue, was our color, and I still have some off-brand blue stuff, like my challenge points for security. But now we’ve modernized it, we’ve updated it, and it was time, it was time to get a fresh look. And it’s super exciting as a campaign. By the way, I don’t know if you know, but in Hawaii, I believe owls are day hunters, not night hunters. But they have some amazing refinements, the way they swoop is almost as silent as you can be when attacking. And they’re known for things like wisdom, there’s a whole bunch of, in fact, we used to call the onboarding classes, we should call them flight school. And we had to explain what the owl meant to us and think about it. And we had mascots all over the place. So it is part of our heritage for a very long time. But the most recent campaign came about because our size, our reach, our capability wasn’t necessarily as visible in the world of the big companies getting into the space, and some doing IPOs and getting the natural attention that that brings. And we want to make sure that we accelerated things. So it made sense to do things like television commercials and radio. In fact, we support teams like the Browns and the Patriots. And so if you go to games, and the Ravens, if you go there, you’ll see our logo on the scoreboard, for instance and responses of teams. That’s us reaching the next level of maturity a bit. That address it for you, or is there something you wanted to unpick?
Steve King 12:04
That addresses it. You know, I think, I don’t know. But there’s only a handful, maybe, of cybersecurity companies that are exploring that medium.
Sam Curry 12:15
We have great people behind it, our CMO Meg and Kyle Flaherty, who ran the campaign under her, they were just so creative, and they made it fun. And they did it in a very short period of time, very professionally. And these ads are fun. I mean, it’s great to see. But of course, I’m biased, right?
Steve King 12:31
Yeah, no, no, I agree. And Kyle is a great guy and spent some time with him, thanks to you, recently, and I can see how he managed to pull this up, super bright guy. But you know, it’s when you’re standing in line, I guess in Hoboken, New Jersey, trying to fill your, you know, waiting to fill your gas bag with the three gallons of gas, because you’re been rationed after the Colonial head, I suppose business-to-consumer advertising starts to make a lot of sense here.
Sam Curry 13:01
Yeah, and trust is built by contact and exposure. There are some branding rules and guidelines. I’m not an expert in that like Meg and Kyle. But I think you can become a more familiar company and brand, and the result is seeing, for us, increased web traffic and curiosity about who we are and what we do, which is exactly what it was supposed to do. But you know, speaking of the Colonial gas incident, it is deeply frustrating when I see things. And we’re not, I’m the last person to ever jump in and say if you just used me, it would have been better. But I wish people knew what our capabilities were more. And so if that curiosity leads us to being better assessed, good and bad, then the next
Steve King 13:42
good thing. By all means, everyone today is afraid of ransomware attacks, and obviously, for good reasons. And we all know that the best ransomware defense is to focus on preventing an infection in the first place. But visibility into these IOCs or IOBs can provide pretty good early indicators to allow detection and prevention through early stages. How can an SMB, however, in the middle of Kansas, or you know, Oklahoma, who, you know, manufactures, I don’t know, steering wheels, or torque wrenches or whatever, how did they get that done?
Sam Curry 14:21
Well, I’ll start more generally, then I’ll get down to, you know, the SMB, smaller business doesn’t even have IT dedicated necessarily. But ransomware is really ransom ops, ransom operations. It’s not just a piece of next-gen software on the dark side. There’s a delivery mechanism. And then there’s a payload, and the delivery mechanism is spread. It’s a combination of the APT spreading toolkit, the silent and the low and slow, with the devastating payload. And so to some extent, you mentioned IOBs, indicators of behavior. You can stop this in the spreading phase. And yes, you should have prevention in place. There’s some, we have some, for instance, there’s prevention that’s tailored to stopping ransomware. But when you get down to the small and medium-sized business, the toolkit has to be usable by either a Mark 1 human being, or available through partners and services as a consumable thing, like I pay a bill, someone does this, and they’ve interfaced with me to make the business decisions necessary, and to help me inform risk. Every business, no matter what the size is, has some way of doing those things. And so the question is, how do you get the services that have helped the largest, most sophisticated companies and then large unsophisticated companies and then midsize companies? And then how do you get that lower in the size of company stack, because that’s when we get real resilience on a very wide scale. The vast number of companies in this country are in fact SMEs, right? 
They represent the most number of companies out there. The advice I would give to them directly is, okay, have a detection strategy, talk to your ecosystem of people who provide you the software, and have a prevention strategy, by all means, but the real thing to do is business, you should be tabletopping. Hey, you know, call a cyber professional, have them come in and do a tabletop for three or four hours with you on what would we do if things scops got locked up, and then ensure that you have the ability to bounce back, that you have the backup and restore, that you know who you’re going to call if it happened. Those are the four things: detect the detectable, prevent the preventable, get the business ready, and be ready for a post-event, what you’re going to do. And I think small businesses can do that. And it doesn’t have to take months, you could probably do most of that measured in a couple of days and talking to a few providers.
Steve King 16:43
Yeah, right. And that’s one of the benefits of being a small business, the CEO says, let’s do it tomorrow, it’s probably going to get done tomorrow.
Sam Curry 16:51
Right. And by the way, this is true for cities as well. And I mentioned cities, because prior to COVID, we used the word epidemic when talking about ransomware hitting the municipalities. They sat in a sweet spot between vulnerability and ability to pay that pulled the attackers to their address spaces, into their networks. And other one, even though they’re more secure, they have a higher degree to pay with health care. And so we saw ransomware targeting those two industries, even before we got to the, shall we say, accelerated, I don’t want to abuse the term pandemic, but accelerated rates of infection and damage in 2020 and into 2021. Now,
Steve King 17:31
Yeah, no kidding. Yeah, I’m conscious of the time, Sam. So I want to ask you one final question. Sure. You’ve been with the company over five years now. And you’ve worn lots of different hats. And I don’t want to embarrass you. But I know people that would say Cybereason is who it is right now because of you. In addition to chief product and security officer, your current role, you participate cross-functionally throughout the company, and lots of different initiatives designed for market growth, not just security. So which roles have been the most rewarding? And what do you expect in terms of your role, and in terms of the growth of the company, to see in the near future?
Sam Curry 18:13
Yeah, so you’re right, I should, by the way, I don’t even think I’ve had a chance to update you on this. This week, we have a chief product officer now. We’re well past the 1,000-employee mark, size-wise. And I think it couldn’t be a compound role anymore. So we have a guy named Ravi Iyer, who’s wonderful, who’s taken over the steering of the products. But I define my role as three chunks, right? One is security, absolutely a third of my time and effort goes on security. A third also goes on doing the right thing externally, we’re helping with standards and making sure that we add clarity to the market where we can, and thought leadership and research and those sorts of things. And the third is executive function. So I’m working right now on building up our federal business initiative. We do M&A, we do investments, those sorts of things, and think of it as executive sponsorships for customers and partners and making sure that the business of security ties into the practice of security. But the most rewarding thing for me is when I see it happen, and whatever it is, if there’s a roadmap and we’ve project something and we then deliver that satisfy, maybe it’s a dopamine release, I don’t know. Or when I hit the, you know, ISO certification, SOC 2 certification, when I got I asked Matt for FedRAMP. When we close the deal, and we hit the targets we set aggressively for ourselves. That’s the most satisfying thing, and you know, I wear left-brain, right-brain hats, right? Sometimes I’m in the weeds, technically, and sometimes I’m writing a blog or a white paper. It’s the same kind of satisfaction over both, and when you hit that target, that’s the most happy moment, right there. And by the way, I appreciate your perspective of me within Cybereason. But I work with some of the best people. And, you know, one of our core values is that we win as one, I can’t imagine a better bunch. 
I know people say this, but I can’t imagine a better bunch of people to work with, from the executives to the people joining the company, and now, it’s just a great atmosphere, a great culture. And that’s a big part of my happiness too.
Steve King 20:23
Well, I expect to see, and I’m sure you will as well, lots more dopamine in the future.
Sam Curry 20:32
I’m hoping so, I’m hoping to get quite the buzz off of it.
Steve King 20:35
Absolutely. I mean, what’s wrong? You know, I mean, life’s exciting times the answer. If you don’t have a passion, then you should probably be doing something else.
Sam Curry 20:43
Yeah, you know, it’s, I gave this advice. And from a security person, this may sound strange. First of all, I told people, know who your customers are and include security. We’re not the Office of No. The second thing was, I told some folks, I said, look, this is the time to be in cyber. I don’t want you to just drive the car, I want you to drive it like you stole it. Right? This is go, if you want to try it, do it. Go get forgiveness, not permission. And I’m saying that as a security person, because we’ll get to security. Right? Right. We’re serious about that. That’s a cultural value. Now go do it. Go use the investment. Go spend the money from the latest round. We didn’t come this far to only go this far. We’re here to win. And I appreciate when my competitors have the same attitude. And I hope they realize the best way to serve the security market is each of us playing our game as well as we can.
Steve King 21:33
No kidding. I’ve already stolen that, Sam. Like, drive it like you stole it. It’s great. I want to thank you again sincerely for taking time out of your schedule. I know how hard it is and I’m honored that you would join me here, and I think it was a pretty interesting exchange and hopefully we can do it again in another few months and see what the hell happened between her and yeah.
Sam Curry 22:01
Alright, thanks for having me, Steve. This is wonderful.
Steve King 22:03
Thank you. Terrific. Thanks to our listeners also for joining us for another one of our Unplugged reviews, and until next time, I’m your host Steve King, signing out.