Kitecast

Edna Conway: Collaboration in Cybersecurity Policy and Practice

Tim Freestone and Patrick Spencer Season 2 Episode 29

Edna Conway, an innovative executive and thought leader with over 30 years of experience leading cybersecurity, risk management, and value chain transformation at Fortune 10 technology companies, highlights how collaboration in cybersecurity is critical for the development of and adherence to policy and practice in this Kitecast episode. Edna is currently a Senior Fellow at the Carnegie Endowment for International Peace and CEO and Founder of EMC Advisors. She currently is an advisor or board member for a long list of technology and professional services startups and nonprofit organizations.

One theme from the discussion with Edna centered on the cybersecurity workforce shortage. She emphasized the need to look beyond traditional sources and backgrounds to find talent. This requires partnerships between companies, academia, and nonprofits focused on training and upskilling people from diverse backgrounds for cybersecurity roles. Apprenticeship and mentorship models were discussed as potential solutions.

The conversation then delved into cybersecurity policy and regulation. Edna provided her perspectives on the balance between driving security practices versus overregulation that hinders business. She noted that legislation often lags behind technology advancements, making public-private collaboration critical. Edna stressed the importance of the private sector proactively stepping up security rather than just reacting to new regulations.

Another key topic from the podcast touched on the crowded landscape of cybersecurity startups and the challenges they face. Beyond just having an innovative product, Edna emphasized the importance of serving a real customer need, providing a complete solution, and demonstrating value to multiple stakeholders in an organization beyond just the security team. Making customers’ lives easier is key to standing out.

Edna also touched on the need to embed security into business processes and objectives from the start, rather than bolting it on afterwards. She discussed the concept of “secure by design” and how leading organizations are building security into everything from their products to their supplier relationships. This proactive, holistic approach is critical to managing cyber risk in an increasingly interconnected business environment.

LinkedIn: https://www.linkedin.com/in/ednaconway

EMC Advisors: https://www.linkedin.com/company/emcadvisors 

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Patrick Spencer (00:01.381)
Hey everyone, welcome back to another Kitecast episode. I'm here with my cohost, Tim Freestone. Tim, how are you doing today?

Tim Freestone (00:07.21)
Hey, I'm alright, Patrick, how are you?

Patrick Spencer (00:09.281)
Just fine. We're in, we're lined up to have a really interesting conversation. We always have interesting conversations on the Kitecast episodes. Edna Conway is joining us. She has a very interesting background. She's a, I'll do a quick intro here for her. She's an innovative board director and executive. She's had stints as an executive at Microsoft and Cisco, 20 years at Cisco. We'll have to talk a little bit about that. I bet she saw a lot of change over those two decades.

She's focused on forecasting the future of business, creates clear strategies to deliver new and secure operating models for a digital economy. She's highly sought after industry influencer. One of the reasons we have her on our show. She has over 30 years of broad and deep leadership of success creating new organizations and delivering cybersecurity risk management, sustainability and value chain transformation across Fortune 10 technology companies.

She currently is a senior non-resident fellow at Carnegie Endowment for International Peace. That'll be a little interesting tidbit to talk about today. She's the CEO and founder at EMC Advisors. She's an advisor and board member on more companies and organizations than I can actually list in the next 60 minutes. So we're gonna forego those, but you can check out her LinkedIn profile to get a list of them.

Edna, thanks for joining us today. We're looking forward to this conversation.

Edna Conway (01:38.232)
Oh, my pleasure and my privilege to be here, especially since I'm able to do it from my favorite place, my home in the Live Free or Die state, New Hampshire.

Tim Freestone (01:47.455)
All right.

Patrick Spencer (01:49.931)
Well, let's start the podcast talking a little bit about what you're doing now. You finished up some time as an executive at Microsoft, I think last was it last year and you've been doing a bunch of consulting board advisement work, some nonprofit work. You know, what are you up to right now?

Edna Conway (02:09.928)
Oh, a whole host of things. And, you know, I think this is the gift that comes at a certain stage in your career. Everybody always says, don't use the word retirement. So what I'm saying is I'm in the portfolio stage of my career, right? Because I'm still alive, well and kicking. And it's an opportunity to think about some areas that I wanted to focus on. I love growth companies.

Tim Freestone (02:22.382)
There you go. I love it.

Edna Conway (02:34.468)
And so being able to focus on growth companies as a board director, as well as an advisor and a growth partner at a PE, makes a lot of sense because when you're at a large company, like the ones that I've been at and the 20 years prior to that executive stint, looking at representing broad spectrum of companies as an outside attorney, it gives you such a beautiful lens that has a very wide aperture.

So I wanted to spend some time doing that. I also wanted to see if I could continue to influence some policy work. And that short of going to the government really means a think tank. And was lucky enough to have Carnegie Endowment for International Peace say, yes, we'd love to have you come work with us. And just recently, I think in January, we wrapped up something I was on the steering committee of, which was a project to look at the realities of systemic cloud failure and its risk now that we have all moved so ubiquitously to the cloud. Quite frankly, the folks who are really concerned about it are the reinsurers. That was fun. I have another idea that I'm ginning up and swirling around right now with regard to accuracy of AI that I'll be releasing in a panel at the RSA conference. I think there's something

Patrick Spencer (03:57.094)
Last bit.

Edna Conway (04:01.684)
I'm getting tired, gentlemen, of hearing folks say, we don't have the workforce in cyber. Because if you look at all of the entry-level roles, a lot of them say three years of experience. Just, we're hurting ourselves, right? And the other thing is we look at, do you have a computer science degree? For those of us who are of a certain vintage, shall we say.

You know, certain degrees didn't exist back then, right? I mean, I tried to explain to people to write code. Uh, let's slow down now because I, I went to school at a time. We went to the building where the computer was, and there were these physical cards that had holes in them. And they sort of look at you like, wow, that's intriguing. I actually had one, one fella who looked at me and said, you don't look that old. And I said, well, thank you. I think that was not the intent of the message I was trying to send.

Um, and so I have the privilege of being invited to sit on the board of trustees of Gallaudet University, which is our nation's and quite frankly the world's largest university for the deaf. And it spans students both from kindergarten all the way through graduate level courses and it's funded by Congress. And so I think that community is in fact an untapped resource for not only the cyber workforce but other workforce deficiencies that we have in today's economy.

I'm still committed to moving the needle there. And then I'm still working with some government folks on my tab, not as an employee, but just because I think if you see the flag sitting above my head, I have the privilege of being a citizen of the United States of America in my care.

Tim Freestone (05:27.629)
Yeah.

Tim Freestone (05:49.262)
That's awesome. You point on something I've heard multiple times in this podcast, which is all of these cybersecurity entry level functions require non-entry level experience and it happens again and again. And you said, you know, we're shooting ourselves in the foot. I think absolutely. Is there a, have you heard of programs or is there, are there initiatives where in companies of a certain size might have incubators for cybersecurity skills, you know, no experience required will incubate you for what you need for a year or two. The only requirement is you have to work for us for at least two years after that situation. That was kind of one of the things I was thinking over the past six months or so of, geez, that would be a good way to get over that barrier of, you need no experience, just a pulse, you know, and in a basic education.

Edna Conway (06:47.356)
Yeah, that's an intriguing concept. I think, so look, without naming names, I think there are a number of nonprofit organizations that are out there that are trying to grow the workforce for cyber and risk. And I'm gonna be meticulous about saying that because I think we need really to get to the point where there's always been business risk, it's always been evaluated, there's always been enterprise risk management.

And cyber is one of them. It happens to be an important one, but it should be seen in the context of the business, right? Or the business of your household. And so I always remind people about that. I still remember when one of my siblings asked me, hey, should I be buying this connected refrigerator? And I said, well, you make the choice. How much information do you want out in the world?

Beth, how important is it for you to know when you're already on the line at the supermarket, oh, gee, I forgot eggs and I need them. I know where my heart lies, which is I really want no one to know anything about what's in my refrigerator, thank you very much, mold included. But I think you've got the nonprofit community, Tim, thinking about it. I think you actually have some for-profit companies that are focused on training areas and having programs for education in this arena.

And I think you also have a number of organizations that have linked up with academic institutions. So if you think about nonprofits, for example, think about, you know, the executive women's forum, which has been talking about, you know, women in cyber and risk and privacy for years and has a lot of content knowledge and expanded its reach.

WESIS women engineers, there's a whole set of them who exist really too. And I'm not being myopic here. Those happen to be the ones that I know about. There's also one that's really great called CYVERSITY that focuses on diversity and underrepresented community members in this field. And so predominantly think, you know, the groups that you don't see.

Edna Conway (09:04.884)
represented largely at the right percentage equivalent to their existence in the workforce. And that spans a lot of groups, to be honest with you. I myself have been on a mission, Tim, to think about encouraging people in all fields to start reaching out and including and including this diversity of thought, which means we want folks who have different backgrounds. And then you go to, then you go to companies who have relationships with academic institutions. Columbia has something, NYU has a great cyber program where they have an academic program for people who have already been in the workforce and just say, I'm gonna be crazy here, but I'm a nurse. I'm a truck driver and I wanna go learn about this. And it's a shortened program. It doesn't have the expense usually associated with a four-year undergraduate degree.

And there are a number of companies that have stepped up and I have the privilege of still serving as an advisor and a fellow on that. But, you know, folks who wanna embrace you and help you when you get out of the program and also say, here's something we should be adding. Five years ago, I'm not sure the program was really focused, for example, on ML or AI. Now it is.

Tim Freestone (10:22.134)
Mm-hmm.

Patrick Spencer (10:24.193)
This concept of looking outside the traditional sources for cybersecurity professionals, it gets me thinking about conversations I've had with some of my peers in marketing for specializations like running videography and so forth. You used to do apprenticeships, right? You'd attach someone, they'd be apprentice, they'd learn the ropes. That's no longer the case. So you have some who think they know everything. They really don't, as we know, and then in other instances, folks are thrown into the fire without any guidance or direction or training and so forth. You think cybersecurity is an area where apprenticeships could help us bolster the skill sets that exist and attract new talent into this space?

Edna Conway (11:12.172)
You know, it's an intriguing question, Patrick. I'm a big fan of going back to old school days. In old school, you often had somebody in the neighborhood. It wasn't formal, right? Or a parent or a relative or a favorite teacher who took you under their wing and taught you something. And I think I always remind people just out of curiosity, when you go to a physician, I know what I ask.

I ask, how old are you? Next thing is, how many of those procedures have you done? Because I guarantee you, I'm not sitting with the doctor who's straight out of school, because they may be the most brilliant person out of the most fabulous school. And the reality is they haven't done it. And guess where we learn as humans? We learn in active implementation. So your point was well taken. I think...

I have a model and it's a motto. In fact, there was a book that just came out by Ed Adams talking about, you know, how to break into cybersecurity, even if you don't love hacking. Um, and he did some case studies and I had the privilege of being one of his case studies and I think the answer is. Folks will take you under their wing. Um, and teach you, I can't answer all of the LinkedIn messages that I get, but I try.

Especially for those of us who are at the stage in life where the joy is when watching companies grow, watching people grow. And I think there's twofold. One, it's inherent on all of us to do it. And you don't have to start a nonprofit. Here's what I challenge people to do. Pick just one. Do it well. And I'm going to tell you something that doesn't sound right in cyber war and business, do it with love, because when you do it that way, what happens is you follow the path that's best navigable by the individual whom you're assisting. And more often than not, you get a hell of a lot more from them than you gave.

Patrick Spencer (13:15.809)
point. It's passion, right? What you're passionate about is what you need to do in life. I think that's a good end to that part of the conversation. You brought up something in the introduction I'm sure Tim wants to talk about as well about influencing policy at the standards level, at the government level. Talk a bit about what you're doing there and what trends do you see taking place? CMMC obviously is a hot thing. We had the Boeing fine just the other day. It was what 51 million dollars or something like a huge chunk of change when you add it up but you have other things like the new SEC filing that came out. What are you seeing happen there and where are you involved?

Edna Conway (14:00.92)
So I think we live in a world now where there needs to be public private partnership just as the norm. And I think the US government has done a mighty job of trying to encourage that. Right. Hard to do in a democracy, sometimes easier to do in a more authoritarian regime. And hopefully we never get there. But I do think we, as members of the private sector have an obligation to have our voices heard. And you can't just after the fact complain. So be part of a solution. A lot of folks say, I'm at a startup, I can't, I don't have time to do that. But you do, you have time to talk to a representative or time to send a message. And our government's particularly good when they put something out about asking for public comments, right? You don't need to have a lobbying organization to do that.

And a bit ago, I did something with the media group that I'm particularly fond of. And we talked about the SEC rule, and more importantly, the fact that people need to be aware whenever you create something that there are wonderful new capability that comes out of it. And there are always those who will use particularly new technology for evil purposes. It's not the technology that's inherently good or evil, right? It's us, that human factor. That's true also with regulation. So step back for a minute and talk about the SEC requirement. So a couple of things to note that are really intriguing. If you look at the definition of materiality, materiality is very clearly referenced back to the financial materiality that we all saw, the clomative SOX, which rose from the ashes of, I won't say the first financial disaster that the US saw, because that was back

But it came out of what we saw in the early to mid-80s, and then we saw another one in the 2000s, and God only knows what the economists are predicting we're in right now. I don't know. And so I think that the regulation is well-intended, and I think that materiality has to be defined only by the enterprise that is actually experiencing the issue.

Edna Conway (16:27.116)
because it's so intensely complex. But to make it simple, let's remind everybody what the SEC is striving for. It's to help the reasonable investor. And sometimes we make things so magically complicated and we muck it up with, as an attorney, I could say this, legal ramifications. Here's the rule. Am I better off knowing this as a reasonable investor? Well, here's what I always tell people bluntly.

I don't know why you invest, I can tell you why I invest. I invest to make money. My social issues, I deal with elsewhere. I would prefer that you not beat people, not use slave labor, and that you not destroy the environment, but I'm investing to make money. I know very clearly what I'm doing it for. So if you have something that in theory meets a broad and vague definition of materiality, but it doesn't affect operations, its impact is significantly low, and more importantly, you're still operating and making profit, I'm not sure I really care as a reasonable investor. And so are we doing more harm than good? I don't know, but here's the harm side of that. There was a particular persistent threat actor who's well-known, who actually, God love him.

Even before it was in effect, they deployed a ransomware attack on a victim enterprise. And then the victim enterprise didn't pay in a timely fashion, according to the ransomware deployers. So they filed a complaint with the SEC to say this rule requires that they file something and we happen to know that there was an incident. So just fathom this, you're a regulator and now you're faced with a complaint from somebody who is, well,

perhaps learning exactly the words, saying, hi, I perpetrated what could be a crime under a variety of US laws, and I'm really irritated that they haven't paid me my ransom, so I'd like you to look into that. Are you kidding me? So now you have a regulation that has actually been weaponized. So that's why you need public-private, not only collaboration, but wisdom shared.

Patrick Spencer (18:23.875)
CyberGram.

Edna Conway (18:52.232)
And you need to be flexible enough to say, we tried this, maybe we need to add something or change something in its regulatory implementation. So, you know, I mean, Tim, I'm a little hard over on that one, probably a little bit more adamant than others to remember what the reason was. And I've met people who have said, look, if you had an incident, I really want to know about that. Well, let me clue you in. Every company you've dealt with who is a supplier to you as an enterprise or a small business,

and every company you deal with as a consumer has had an incident. Let's dispel that notion. Stop treating it like it's some unknown. Okay?

Tim Freestone (19:25.26)
Yeah.

Tim Freestone (19:31.126)
Yep.

Tim Freestone (19:34.806)
To further expand upon just sort of regulations, I was at South by Southwest this week. Yeah, I think this week. I was on a panel with a number of regulators. One of the women was the head of the AI regulation or the executive order on AI out of the White House. Pretty high level folks talking about regulatory action. It does seem like there's a lot more of a lean in on regulation, actual execution, but the piece that seems, when I say execution, I mean creation and presentation, but it always seems the piece that pushes to the wayside is the teeth, the penalties, the fines, the execution of those penalties and fines. Am I off base here? What do you think about what's happening in the regulatory environment right now?

The regulation that's driving the most action to cybersecurity decision right now is CMMC because they can take away the business, right? So there's like real meaningful harm if you don't facilitate these regulations in your organization.

Edna Conway (20:51.276)
That's a complicated question, Tim. Couple of things. I think we have well-intended, usually well-informed regulators across the world and certainly here in the US. As a result of that, they are acutely aware of the reality that you have to balance a goal you're trying to seek with the potential ramifications on business.

We don't want to stop business from operating, right? And that's a delicate balance. It's a tough dance. Now, CMMC is a great example, but let's remember it took bloody eight years before we actually started implementing regulations. There's a reason for that complexity. It's not just because people were thinking about hard things, which they were, but there were other political factors involved in that, and budgetary factors.

Tim Freestone (21:21.518)
Yeah.

Tim Freestone (21:33.867)
Great, yeah.

Edna Conway (21:50.94)
I do think that we can always look to the national security arena to say, Hey, that's going to, in theory, be the highest standard. However, I have a, I'm of the mindset. I'm not sure everybody agrees with me. Legislation and regulation is a bloody lagging indicator. By the time you're talking about that, things have occurred. It's out in the free world. Um, it's on the dark web and we already have a problem. Right. So.

Step back for a minute and remember that as you experience that as a business operator, you have an independent motivation to achieve that goal. And I think even, you know, with some of the things that you talked about, you know, I mean, I think Boeing does a really good job of trying to drive quality. I'm not going to opine on whether there are issues or not, but do we need more regulation to fix that? I'm not sure, in all honesty, I think it's a mindset of the workforce. And so I'm gonna step back and say, I think regulators are a little bit more sensitive to the penalty ramification because of the impacts on business operations, number one.

I also think the solution for us is to, and this is my personal bias, we need to step up as workforce members and say, I take responsibility. And you can see differences in that attitude generationally based on what was going on in the economy at the time that workforce member came into the workforce. You could see whether they grew up digital or non-digital or somewhere in a hybrid environment. Um, and so it's almost stepping back. If you remember, you know, when we had, go back to FDR, for example, which is we're going to rally America and Americans around America. That does not mean we are unaware of or uncommitted to the world in which we operate, but it means that you as an individual have to care about what you're delivering. I'm gonna make a bold statement. We've lost a little bit of that. Doesn't mean there are wonderful people doing wonderful work and who are very committed, but we've lost a little bit of that and we need to go back to it. And our regulators are saying,

Edna Conway (24:16.612)
Step up to the plate and help us here. We really don't want to have a whip. We would much rather sit down and have a meal.

Patrick Spencer (24:24.29)
Yeah.

Tim Freestone (24:24.406)
Mm-hmm. You said that something I want to double click on, which I agree with and hadn't really thought of it in that way, which is regulations or regulators are a lagging indicator of what's actually happening. Another way to put that is reactive. The most recent is obviously all the AI regulation that's starting now. That's in reaction to November of last year, unarguably.

Um, okay. So we're catching up to that. Do you have a sense of like if a regulation were to change the narrative on, or the process or the, the stages at which it comes out in the future, is there something that you would point to and say there should be regulations coming out right now for what is going to happen in the next five years? Anything that you can point to like that, if they were to switch the flip, the script, so to speak.

Edna Conway (25:24.816)
You look, overregulation is not something I'm a fan of. So let me be forthright and say, I come from the premise of there should be as little regulation as needed for societal protection. So put that at the foundation. And that's the answer to the question. I think there's something that's near and dear to my heart, which is, and sometimes we forget that, you know, these things have been in the hopper. How long have we been talking?

Tim Freestone (25:36.642)
Okay.

Edna Conway (25:53.844)
about quantum encryption, right? It's hard, it's complicated, there's been movement. You need time for things to gel. We've been working on AI and ML, I think it was about 32 years now that my last calculation looked at. I might be off on that. But these large language models and the use of them by in common parlance, so to speak, raised a number of ethical.

Tim Freestone (26:10.35)
Mm-hmm.

Edna Conway (26:22.992)
issues that I think regulators are concerned about from a societal impact. I want to say, you want to look at something and really step back for a minute. How about we actually have, and I hesitate to say the word mandate, but an international standard that says you should have an algorithmic and a policy approach. It doesn't have to be a policy from a government. It could be, but it could be a policy approach to implementers and creators of AI and I apologize that four-legged creature that I told you about the desk. I told you it was it was around chips and now quantum computing is next issue. So bear with me as I try to, you know, soothe him by covering him and making it go away. It seems to have done the trick for a couple of minutes. I think we have forgotten about accuracy. So.

Tim Freestone (26:56.518)
where it happens to me too. I got excited.

Patrick Spencer (26:58.145)
You heard you talking about AI and quantum computing.

Tim Freestone (27:13.044)
No problem.

Edna Conway (27:22.596)
Everything is own, you know the old rule, it's like it's like the rule of, you remember when your mom said eat your vegetables, have them eat fruit, there are basic fundamentals. I'm a big fan of like physics and the string theorem because there are rules that just, they always operate. Here's the rule, garbage in equals garbage out. Okay, so before I get to ethics and bias, how about I actually algorithmically and policy-wise

Edna Conway (27:52.188)
of the data that's being input because we're doing analysis on it. And so the output could actually be to the far left of accurate. And I'm going to make business decisions on that. Now, you know, a teacher might also be equally concerned that I'm teaching folks that they really don't have to work hard because I mean, I love, there's a video somewhere of a child using Alexa to do their math homework, right? Grade school level like Alexa, what is 17 times 48? And the parent walks in. That is not the intent of technology. So too, I understand that. It's a morality and an ethics utilization. I think we need to make sure that the true benefit that can be brought to us, and there are a lot of folks working on this, is making sure that the data that is utilized and consumed is as accurate as possible.

And I have a particular bias on that because I'd love to see us get to a higher fidelity of predictive risk. If I could like take my feet in a hammer and bang away Monte Carlo simulations, I'd be a happy, happy woman, but we had to wait for storage capacity and we had to wait for compute capacity and we had to wait for analysis. But we got there and then the question is, how do you vet the accuracy of the data?

Well, it takes some human involvement. You can do some of it algorithmically. Some of it you can't do algorithmically. I could think of probably five prompts that can't be algorithmically addressed. They need sophistication level to be probably on where we are today. We may get there. So how about you have a policy?

Tim Freestone (29:41.014)
Yeah, that makes absolute sense. But to your point, we may get there, right? It's just there's so many things that need to come together. Speaking of quantum computing, that could be a critical piece, assuming it delivers on the promise of speeding everything up to the nth degree, right? It would speed that up as well. And that's the piece that I was thinking you might say is, sort of, if we look into the future, you know,

I was in DC three months ago to talk about encryption around quantum computing and how that's needing to evolve. But I was thinking at the same time, we sort of know where that's going, where quantum computing is going to eventually get. We know the thesis statement. Why not start the regulations on that thesis statement now? So when the thesis statement is realized, we already have the structure in place to keep it contained. And it's just kind of an interesting thought experiment on, you know, again, just kind of flipping the script a little bit, but that's the one.

Edna Conway (30:51.461)
I think, Tim, the fundamental question is something shouldn't be regulated and something should. So sometimes you need to play them out, right, before you actually act. And like everybody, governments and regulators have a list of priorities of risks. So in the scheme of what's going on in the world today, I'm not sure that's on the top of the list.

Tim Freestone (31:14.082)
For sure it isn't. I mean, it's a maybe risk. But to your point, we don't know until we experience it. But it'll be a fun journey. Quick shift in the conversation a little bit, because I want to make sure we get to it before we run out of time. You're on the board of a lot of cybersecurity startups, it looks like, right now. Is there a theme of challenge that there

Edna Conway (31:33.284)
you

Tim Freestone (31:43.458)
facing with being in market, convincing people that what they have will help them. It's a very, very crowded space right now. And I do not envy the CISO of today navigating this crowded space of cybersecurity.

Patrick Spencer (32:01.309)
Over 10,000 vendors now in security, I read this week.

Tim Freestone (32:06.826)
Yeah. Is there a theme there that like one of the startups, a little bit more successful, are they all struggling with some sort of, sort of similar thing in their business growth? I mean, what are you seeing across the board there with these new side of security?

Edna Conway (32:19.38)
No, I'm an advisor to a lot on security on the boards. They've spanned a lot and I've been on a lot of boards and I'm blessed I've had that experience, but they go from crazy things like medical devices, which will perform extracorporeal pulse flow for pumping when you're doing heart surgery to one of the boards I'm on now is a great Canadian company that is moving the needle on supply chain efficiency and inventory management with an environmentally sound space utilization model that includes digital twins and AI is basically a cube you put in your warehouse and it has custom robots. It's, is it a tech company? Is it a supply chain company? Now the answer is yes. Um, intriguing question of, you know, what are the risks from a security perspective? There are some.

But not everything is all, I like to say, you know, I actually both sides of my brain work. So I'm not all cyber all the time. What I do see, however, is the answer to your question is the same risks in cyber that almost all startups face. And then they have some special ones. And the first one is, do I have a solution that somebody wants? Number two, is there one or more already out there that has grabbed a significant enough percentage of the TAM that despite the fact that I might be the most brilliant and the best solution, that may not be the path. I always remind people who are old enough to remember, not that I don't love Microsoft Word, but I loved WordPerfect more than Microsoft Word, but try to go find WordPerfect in business. Okay. So...

Patrick Spencer (34:12.217)
Tim may not remember that, but I do.

Tim Freestone (34:14.252)
Yeah.

Edna Conway (34:18.228)
You know, there are plenty of solutions out there that were great. Um, but the, the second thing is, are you a one trick pony? And in some startups, to be honest with you have to be. I'm doing quantum, um, safety and I'm preparing for quantum. That's what you're doing. Don't look at somebody and say, give me a platform with 16 modules. Um, so too sometimes in cyber, right?

But there's a company that I happen to be on that I think has a great potential. You could argue that MDR, Managed Detection and Response, is a very competitive space right now. And they're looking at the future, and they've moved to something called Managed Cybersecurity Risk Reduction. So it's a platform module that makes you think about multiple aspects of cyber. So that second challenge is beyond just does it scratch a niche and is there still a TAM? How do I make life easier for my ideal customer profile? And that is what everyone struggles with, not just in cyber, but particularly in cyber right now, which is my budget is flat. If I'm lucky, it might be going down. I might be getting a little money on AI because businesses just like people like to follow shiny objects.

I think AI is a capability that we should be abetting in everything. It's not in and of itself, something. So, I, and you can see that by how many, how many platforms are there now? I haven't looked at it. It's, it's ridiculous. It's, it's pushing 400, right? So like, people like I love Walmart, you know, I'm like, great. That's good for you. Um, you know, I'm a, I'm a co-pilot person. I, you know, I tried Gemini and I think it's better than Bard.

that is well, yeah, true, because that wasn't a hard hurdle to get over, but nonetheless bringing people went put their minds to it. And so I think you need to recognize that audience that you're selling to. And I think you also need to remember that you don't always sell cyber to people who are cyber savvy.

Edna Conway (36:40.096)
Well, I talked to a company recently is I'm a faculty member for something that is a research company and they have clients and they will come and ask experts to talk to them. And it was very clear to me that I was talking to security team, Tim, and they said, hey, you know, we had a challenge, we want some advice, which is the challenge was I had a third party who host my, let's say, website. They host something for you, some operation. And they use the fourth party to them for something. And they saw some anomalous behavior, right? That might've included even filling out forms in a language that's a language that connotes a nation that might not be particularly friendly to us. And that's certainly not within our policy. And we had to figure that out. How do we capture and wrap our arms around that community. So they were realizing that they don't operate in isolation, that their third party ecosystem is not just their first tier. That was not necessarily, I was like, well, you know, I'm obviously, you know, you have to go ask them about SQL injections, you have to ask them whether or not they're using, what kind of, you know, file transfers they're using, you have to look at, they knew all of that. The methodology of how to reach out to that community was something that they hadn't really developed yet, or they had it, but they hadn't embedded security into it. So I think there's a window of opportunity, Tim, for while it's crowded, how do we make cyber something that is embedded into the business, right? And an example of why I say sometimes government is a little bit behind, and this is with all due respect to my colleagues at CISA, you know, this year's initiative is Secure by Design.

I can list off at least a hundred companies that I've been not worked at, but been part of engagements with that have, you know, X, designed for X. It's been sustainability, manufacturability, quality. I mean, how many people remember when there were ISO 9000 flags outside of buildings?

Edna Conway (38:55.36)
people were very, very happy that they had gotten a quality certification. And you want to just like drive by today. If you drove by somebody that had that banner, I'd tell you run, run for the hills, they're like 30 years behind the time. Right. So too secure by design. It should be. And I think CISA is right. It's not, it's not yet. Um, but people have been working on it. That was a very long winded way of saying, I think cyber is still a much needed market. I think people need to.

take their geek hats off and understand business. Business operates and it needs solutions that say, well, I might be helping you with identity and access management, but I've given you this beautiful group that's an interface that says, my user experience is now helping my CIO on productivity and enhancement. It's helping my HR department with seeing lagging utilization. And ultimately it's helping all of us because I've identified a problem.

a problem person might be the issue. And so maybe that problem person just needs some extra training. And so you solve your problem, you solve your human issue, you enhance productivity because you can see things faster. Sometimes that's important. And we think about speed of incident response. How about speed to help your operation? How useful is it to everyone? And so if you went and said, well, my ideal customer is the CISO or the CIO.

Interesting. Have you talked to the CFO? I can't get a meeting with them. Have you talked to your two ideal customers and said, this helps your CFO, it helps your COO, and your HR department might really love you for it? That's a very different mindset. But yeah, we're overcrowded. Everybody went to the shiny object. I don't want to minimize that. You're right, Tim. We're doing it with AI right now.

Tim Freestone (40:50.367)
Yep.

Edna Conway (40:51.428)
And you know what happens. Everybody throws some money at it and you see which ones stick. And then there's consolidation.

Tim Freestone (40:55.987)
Which ones bubble up? Yeah.

Yeah, and then there's consolidation. And there's a graveyard of people that poured their heart and soul into hundreds, if not thousands, of technologies. It's a painful process, but at the end, the right things bubble up.

Edna Conway (41:15.004)
It's the innovation process. I'm not always sure that the right things bubble up, but the winners are there for many, many reasons. Right. Um, but I love the idea of saying, can we change the mindset and show cyber as maturity? Um, and start me people oftentimes are like, how could you have been a supply chain executive and a cyber security executive? And I'm like, well, first of all, I think security is physical security, logical security.

Tim Freestone (41:18.977)
Maybe the most innovative, I don't know.

Edna Conway (41:44.372)
operational security, behavioral security, and information security. Thank you for using the sexy new term cyber. We've had it around for ages, called information security, and it was usually somebody buried inside of IP who cared about it from the first moments we went digital. Right? So not falling prey to marketing and recognizing who you serve and for what purpose is a beautiful thing.

Patrick Spencer (41:52.782)
for a long time.

Tim Freestone (42:09.71)
Mm-hmm. Good answer, thank you.

Patrick Spencer (42:14.521)
Edna, we could have a very lengthy conversation and do this all over again for 50 minutes and cover a whole new realm of questions with you. I had some that we didn't get to, obviously. Tim, any final thoughts or questions for Edna before we close out the podcast?

Tim Freestone (42:32.574)
No, I think just the final thought as I was sort of processing your answer there, there was a nugget in there about, um, you know, truly helping your ICP making their life easier. Uh, you know, another word for easier might be better, but it's the, it's like that human aspect of, of your market, you know, what, what can I do? I, I'm my company, not my business.

to help you, your life, be easier in your role at your company and drag in the product in that process versus the features and bits and bytes and stuff. That's an astute comment that I really will probably take on for the rest of my life. What are we doing to make your life easier or better? And if we can answer that, we'll probably get people to pay attention.

Edna Conway (43:14.009)
you

Patrick Spencer (43:24.933)
Well, we've seen that with some of the cyber technologies that are out there, like endpoint management, some of the advancements we've seen in the last, you know, five, six years where users can actually flag phishing. They don't have to send an email. Uh, they can block, uh, certain senders and so forth. It makes their job just easier. So even in, you know, fairly basic level of cybersecurity, we've seen those advancements and I'm sure as we get into more sophisticated.

capabilities within the cyberspace, the same is going to ring true.

Edna Conway (43:58.508)
Yeah, that's great. Thank you for summarizing that. I appreciate it. I might steal that as well.

Tim Freestone (44:03.875)
Hehehe

Patrick Spencer (44:05.294)
Well Edna, thank you for your time today. We're going to have to do this again. You're a fount of information and we appreciate your time.

Tim Freestone (44:13.623)
Yeah, thanks.

Edna Conway (44:13.804)
My privilege to be here. Thank you so much, gentlemen.

Patrick Spencer (44:16.013)
Thanks. Thanks to our audience members. For other episodes of Kitecast, go to Kiteworks.com slash Kitecast.

