- Welcome to the Cyber5, where security experts and leaders answer five burning questions on one hot topic and actionable intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risks, brand reputation and protection, disinformation and cyber threat intelligence. I'm your host, Landon Winkelvoss, Co-Founder of Nisos, a managed intelligence company. In this episode, I talk with Chief Information Security Officer of Crossbeam, Chris Castaldo. We talk about his newly released book "Start-Up Secure" and how different growth companies can implement security at different funding stages. He also talks about the reasons security professionals should wanna be a first time information security officer at a growing start-up, and how success can be defined as a first time CISO. We also talk about how start-up companies can avoid ransomware events in the landscape that is not only constantly changing, but gives little advantage for defenders of small and medium size enterprise. Stay with us. Chris, welcome to the show. Would you mind sharing a little about your background with our listeners please?

- Absolutely, yeah. So my day job, I am the CISO at Crossbeam. Crossbeam is the world's first and most powerful partner ecosystem platform. So we act as a data escrow service that finds overlapping customers and prospects with your partners while keeping all of that data secure and private. I also just published a book called "Start-Up Secure" specifically for founders building security into their company from the start. And I'm also a visiting fellow at NSI.

- Awesome, and I know you're a previous military veteran. I always like to give back advice to those in uniform, those in public service. For people that want to get in the information security field out of the military, what kind of overall advice would you?
- So start early, that's definitely the first part before you're getting out at least six months, a year would be great before your ETS, you're at your end of service. So getting your resume together, figuring out kind of what your interest is, cybersecurity is extremely broad, right? There's tons of different roles you could have. So getting some type of general direction of where you wanna go, look at job descriptions, right? Start changing your resume to be a little more private sector than the military, right? Looking at job roles that might fit you, if you're an officer versus an NCO, non-commissioned officer enlisted, those types of differences, don't always translate, right? People don't know what a battalion commander is, most people don't. So looking at a job description of, okay, a battalion commander maybe had two, 300 soldiers beneath me, that equates to maybe a VP at a larger organization. So changing that language so it's really easy for recruiters when they see your resume to say, "Okay, they were in the military, I see similarities here of what we're looking for."

- I think we could probably do a whole another podcast on just the subject alone.

- Totally.

- And so, yeah, I think getting into it, we're gonna be kind of diving into a lot of your transition that's happened since you've left the military. And today we're gonna be talking about the thinking and the mindset of security at different rounds of funding with mostly a focus around tech start-ups. What's the difference between a fast-growing tech start-up and a lifestyle business from a security perspective?

- So if you look at those two, one is destined usually to scale, right? That is the goal of that organization. Either scaling customers, scaling their employees with that, a lifestyle, or maybe more appropriately, an SMB, is gonna probably stay the same size for the entirety of that organization, right? They're not gonna grow to a thousand employees at some point in the future.
So their problems might stay fairly static as they continue to age, but that start-up where they're gonna scale from 10 employees, 50 employees, 100, 500, things are gonna break, right? Our CEO at Crossbeam introduced a very interesting concept to me that I hadn't heard of before, about things breaking on the 3s and 10s in a start-up, so that's something you're gonna not see in a company that's gonna stay at 50 employees forever.

- Let's dive into that and let's explore both of those aspects. So if you're a security company, let's say at the, A round, B round, C round, right? So like just for the listeners perspective, an A round is typically where you get sales and marketing together, right? So you've had the seed funding, you've gone through, you've gotten the product or service up and running, people are paying for it. A is where you'll generally pour on the sales and marketing, B is when you figure that out, you pour gas on that, and then certainly the C round into the D round is where you start to see international expansion, you see looking at different markets sets, maybe you look at different product diversification. So understanding that landscape and that general methodology of financing between tech companies, take us through what security looks like for an A company, the B company, C and beyond.

- So there's a lot of different aspects and things to consider besides just the funding round, I wish it was as easy as just like saying, we're at an A round, we should be doing this. It differs from a B to C company, a B to B company. And I talk a lot about that in the book of giving some examples, if you're this type of company, that type of company, so if we just say, it's an organization at an A round, they are B to B and they've got PII, right? So they've got personally identifiable information, that's part of their product or product suite that they sell, that they have to take in that information.
So one of the things founders should really have prior to that is some type of plan in place for those inflection points of at an A round, at a B round, so you'd know what you should have in place or what you should be aiming for. So things like problems that will and will not occur at certain phases, right? So if you're pre-seed, seed round, maybe you've got lighthouse customers, friends and family, people that you're very close with that are coming on as customers and willing to give you, you know, a lot of leeway, A round like you're, you're saying, you know, you're starting to repeat and have a repeatable process in selling your product or implementing your product, so you're gonna have a lot less leeway with those customers, right? So looking at things like possibly having policies in place, right? That's not the fun, sexy side of cyber security, but it's something an auditor is gonna look for, right? It's something a customer security team might look for as evidence of, you've got something in place to prove to us that you're gonna keep our data safe. And you can do that in other ways, you know, getting certifications like SOC 2 or ISO 27001. So planning for those things and looking for those indicators and when it's time, a lot of times the customer will make it easy for you and really indicate that you should have things in place, 'cause you'll start getting those questions over and over again. But if you look at a B to C company, no one's ever gonna probably ask you for a SOC 2, right?

- So keep going on that thread, so from a B to C company, for companies that are looking to go, you know, really start expanding, 'cause that's when you really will start to see the growth. So you're probably assuming somewhere between five and $15 million of revenue growth, looking to get into maybe even the hundred thousand, hundred million, excuse me, revenue growth in the D.
So after that initial growth where you're getting those policies, you're getting the compliance, getting ready for auditors, kind of walk through, I guess, what different programs can look like as you get into a company that's over 500 people and maybe in between, you know, up to 1000 people.

- It's really making sure you've got the basics in place as you go. So you're not trying to rebuild the wheel or do something really exotic as a start-up or a founder or founding team, right? Look at it the same way as the due diligence you would put into your human resources or your finance team, right? When you would bring on a head of finance versus a CFO that's going to help you IPO, right? So those are some familiar areas, I think founders could draw some inspiration from when building things out. So when I'm talking about basics, right? Basics like password and account management, having things like single sign-on in place or some type of solution to hone in on your account sprawl, right? So if you look at a, just run of the mill, basic tech start-up, a lot of what they're gonna be using is all in the cloud, right? And probably to start, they're not gonna pay for the highest tier, they're gonna use all the free tiers, that's the great thing about SaaS companies, a lot of them offer a free forever type tier, but then you're managing usernames and passwords again. Maybe you've been told in the past and you're using a password manager, most don't have that in place, there's not a lot of, I think, acceptance outside of the tech community with password managers, right? Like, I think to us as practitioners, like, of course you'd use a password manager, but not everyone knows what it is, or where to go get one or which one they should use, it's not super clear. So, those types of basic things in place, and then looking at things like endpoint security, where you're storing net customer data, going back to the example of the start-up that's taking in PII, right?
So let's imagine you're building it in a cloud environment, or you're doing basic things like encrypting stuff at rest. Most of the big providers today have a pretty easy like one click button to turn on encryption by default, right? We're getting a lot better about making it easy to be secure, but you know, some of those places still make it difficult. And then looking at bigger picture items, vulnerability scanning comes into play, and you're gonna have points where as a founding team, that's gonna be really difficult to manage all these things at some point, that's where I get to like midway in the book of, okay, when do you hire a CISO? When do you hire a head of security? And what's the difference? Should you use a vCISO, so virtual CISO service to bridge that gap? So there's a lot of different options out there for founders, it's just getting educated on those topics, right? It's not something that's just out there for them to know about, at least the founders I've talked to over my career.

- 'Cause it's all about educating founders, you know, really around the, you know, most prevalent threat that in the news today, at least, around ransomware, right? So like, let's take that small business and let's tackle this from a couple of ways. Let's take this from the small start-up that you're talking about, that you've talked a lot about in the book. And then let's take it from the lifestyle business or the small business that's not gonna grow. I mean, you know, I've talked to a lot of our larger clients who have $100 million as security budgets. When patches are released or when exploits are released and the patches, you know, issued by certain vendor, the threat hunt teams are literally sitting there almost guns and guards at the gate, just watching, you know, threat hunting, looking to see if there's any type of actor that's taking place. And they'll tell me, they'll say, "Within 12 hours of an exploit being released, you'll start seeing the attacks coming."
For a company that's spending $100 million, they can probably defend against that. From the companies that we've been talking about so far on this podcast, I'm not going to say they have little to no chance, but they certainly have, you know, a large hill to climb. So understanding that, you know, that mentality, those small businesses that are just doing blocking and tackling, how do you get out ahead of that?

- It's certainly very difficult to get in front of that for any of those organizations, I'll say it's difficult for both, regardless of your budget size. So again, going back to basics, right, do you have automatic patching turned on, right? Or do you have auto updates turned on, that's one easy step, right? Again, security is a multi, multi layer approach. So that's one part that's typically free, right? That something comes with your operating system, regardless of what you're using can usually turn that on. So that's one step. Then another would be buying some type of end point product. You know, what typically was referred to as antivirus now is endpoint detection response. It's another layer, right? Looking at the delivery mechanisms, I wouldn't expect, you know, a small organization to immediately go out and figure out, okay, how is this ransomware family typically delivered? Is it drive by download? Is it phishing? And then go back to try and defend those areas, you know, starting at the front and moving in. In the book, I kind of switched that, and go to let's start at where we have the advantage, right? We should typically know where all of the Crown Jewels are, a common phrase we use in cybersecurity, the thing that's most important to the organization, and work our way out from there. I think both organizations, right, the 100 million budget organization versus the start-up, if you've got a little bit of asset management in place, it should be relatively easier to start working that way instead of trying to start the gate like you were describing.
So going from the inside out gives you a few advantages, if you know, what's worth stealing, right? Let's go back to the PII example, let's say it's in a database in the cloud, one of the cloud providers pick your favorite one, and start putting wrappers around that, defenses around that, whatever that cloud provider offers for free, whatever comes with the service you use that. If there's things you can bolt on, that might cost a little more money, you know, put those on. And then you can start building out from there, so you've got controls around the data and you move out from there. Now you've got controls, let's say, on the workloads or containers, what have you, and then step back out again to controls around who and what has access to those systems and that data. So if you start looking at it that way, it's more manageable bites to kind of take out of the problem. And if you're scrambling for patches, right? And that you kind of use an example there of zero day or something gets released or a new ransomware attack vector is released, if you've got all those layers in place, it's a little easier to defend. And then at the end of the day, it's pretty much relying on your insurance, which that is also changing very quickly, right? And I think where the re-insurance market is taking a real close look at how many payments are being paid out, and I think we're gonna start seeing some changes there on the support you get from your insurance provider, right?

- [Landon] Absolutely and I guess the other things that you've been discussing is definitely an inside out approach, which I think is gonna be viable for any small business as it grows and scales. At what point do you think threat intelligence or an outside in approach is helpful to bolster that inside outside approach? Is it how many employees that you deal with, or are gonna have to deal with? Is it the expansion of your architecture?
Where do you find that outside to in approaches complementary after you've done the basic blocking and tackling?

- [Chris] I think at the point where you've got the resilience column in the NIST CSF, or the ability to come back from something, once you've got that column kind of filled out, if you look at that chart or you look at the cyber defense matrix, you look at those two together and you start filling in either with a product that you've purchased or some type of control you've implemented, or a person you have hired on your team to focus on that specific area, I think once you're at the point of being able to be resilient and say we are comfortable in this type of attack, when you pick something from the news, let's say we have that attack occur in our environment, we are very comfortable of basically blowing it all away and reconstituting it all in, you know, whatever your RTO and RPO is, you know, whatever your recovery time is based on your disaster recovery plan. And maybe you're in an organization where it doesn't matter, right? Maybe you've just taken real-time data, you're not really storing anything, it's kinda immediately in, immediately out, and all you're doing is standing up a Kubernetes cluster again or something like that. Really depends on the organization again, and that's, I think the difficult and fun part about cybersecurity, 'cause we're all going in the same direction, right? Every practitioner, the end of the day, I think the goal is to reduce risk for the organization you work in, right? So as long as we're headed in that direction, what risks you pick to accept, I think that's the fun challenging part, 'cause it's gonna be different at every organization. You could put two 50-person tech start-ups in the same industry together and compare and they're gonna make different choices, right? And that's, I think the fun part for us.

- [Landon] That is really the fun part.
You know, it's always very fascinating just to see what different security shops for different enterprises, frankly, within different industries have for risk profiles. And then that's where certainly CISOs and security professionals really, you know, earn their paycheck on a day-to-day basis. Why should security professionals want to be the first CISO in a fast growing tech start-up instead of potentially moving to a large enterprise? You've probably talked to a lot of people coming out of government, I've certainly talked to a lot of people coming out of the public sector, they kind of wanna understand where their first move is. And I think there's always an inclination to go to a bigger, safer enterprise. I always try to steer them toward and educate them toward, you know, how start-ups really work, because it is a fun and exciting culture and environment, you know, often with unique missions. From your perspective, why would you tell a young security professional to go work for a start-up? What are your kind of thoughts on how to, you know, guide folks to smaller companies that are a little bit leaner.

- [Chris] If they like being exposed to a lot of different parts of the business, that is absolutely the place for you to try to go. If you are more focused and want to be really, really down in the weeds and wanna solve one very specific hard problem, I think a larger organization might be better. In a start-up being prepared to context switch a lot, that could be something someone loves, it could be something someone hates. So knowing those types of things, if you like risks, which why are you working in cybersecurity if you don't like risks? That's another great reason to go to a fast growing start-up. Again, going back to that knowledge our CEO instilled in me, you know, things breaking on the threes and tens, right? You're constantly solving a new problem.
Then that's not to say you wouldn't solve new problems constantly at a large company, it just might be at a different pace and might be a more manageable pace, it depends where you are in your career. There's a great book by Kim Scott called "Radical Candor," and there was a part in it she talks about a job offer to go to, I think it was Twitter, and it was gonna be an amazing job. And she ended up not taking it 'cause it wasn't the right... I'm trying to remember how she phrased it, it wasn't the right time in her life and career to take that job, even though it was an amazing job. And I look at it that way, right? Is it the right job for you at that time? And I think if you can say yes, then that's something you should go forward with, right? If you're in a situation where you kind of would like your day to pretty much end at five o'clock and not spill into the weekend, that's gonna be a bigger risk you're gonna take in a start-up, right, especially as the only security person, right. So you're there in those oh shit moments, if I can say that, to be that guiding star, right? Like people are gonna be looking to you for that expertise in that moment of time that everyone hopes to never go through, but that's what you're there for. So again, if you're looking for those experiences, I think there's great things about both, right? I wouldn't say to not go to one or the other.

- [Landon] Just listening to you talk is just, you know, getting me excited, 'cause you know, we're kind of in the same boat, right? As it were at Nisos, we're a series A company looking to navigate to series B and I couldn't agree more. And that's what certainly keeps me going certainly every day. If you don't mind that over the past 10 years, you know, give me a day in the life, like what's the Monday look like and how could a Tuesday be so drastically different?
I mean, if you could give a couple of like little more granular details in the weeds at a certainly a higher level, I think that'd be awesome.

- [Chris] It could be all over the map, it could be logging into some security tool just to look at the alerts and make sure your MDR provider is actioning things based on the SLA you've set in place. It could be taking a customer call to talk through some concerns about privacy or data control or data governance. It could be giving training to employees on how to detect phishing emails in your inbox. The sky's really the limit. It could be writing a policy, it could be doing just pretty much all the functions of a cybersecurity team in one, right? It could be reviewing vendors that the company wants to sign up with, here's this new amazing tool, it's gonna help us earn, you know, a hundred thousand more dollars per month in revenue or something like that. So it goes back to what I was saying about get to see a lot of different parts of the business, that's really, what's fun about being in a start-up. Is that a larger organization, you know, if I was at a company that's, let's say 10,000 employees, I'm not gonna get to dive down in the weeds with some customer that's concerned about something on one day, right? It's gonna be probably very big problems, long-term strategy and vision for the organization. So that's what I would say to expect if you're going to start-up.

- [Landon] That's certainly very helpful. And, you know, final question, how do you define success as a first CISO of a tech start-up?

- [Chris] I think it really comes down to the same thing at any organization, which is building that political capital and making sure everyone feels comfortable and safe working at that organization. And that goes back to kind of looking at, you know, why they hired you, right? Look at it like why an organization would hire a CFO prior to IPO.
They're looking for someone that has done this before, that has the scar tissue that's maybe seen, or even experienced firsthand the same problems that they will experience, right? I think that's kind of it in a nutshell.

- [Landon] That's certainly very helpful. Would you indicate that coming into this environment, it's more important to listen and learn your peers in other departments? Or should you already be thinking about, you know, what kind of program that you're gonna wanna run?

- Definitely listening, that is really important, I think, depending on the organization, so in like a B to B, really getting in the weeds with who your customer is, and really understanding what their concerns are. So you're able to enable the business, again, that's kind of reducing risk one, but really we should be enabling the business. And if you understand the customer, what they're asking for, you know, if you're not selling a cybersecurity product or you're not selling to your peers, which I think is probably an even more difficult job as a CISO, looking at things like that and really figuring out what it is that we're selling, what is our value prop? Why is it we're building this company, right? So then you can put that why into your cybersecurity program.

- [Landon] Certainly very helpful, Chris, these words will go certainly a long way to a lot of founders. Congratulations, certainly on the book and I appreciate your time today.

- [Chris] Thanks so much for having me, I appreciate it.

- [Landon] For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence.
A special thank you to all Nisos teammates who engage with our clients to conduct some of the world's most challenging security problems under the job plain, and conduct high-stakes security investigations. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.