Luigi Lenguito: Getting Proactive About Your Cybersecurity Artwork

Kitecast

Kitecast features interviews with security, IT, compliance, and risk management leaders and influencers, highlighting best practices, trends, and strategic analysis and insights.

All Episodes

Kitecast

Luigi Lenguito: Getting Proactive About Your Cybersecurity

December 18, 2024 • Tim Freestone and Patrick Spencer • Season 2 • Episode 38

Luigi Lenguito, a pioneering figure in predictive cybersecurity, brings an extraordinary background to his role as founder and CEO of BforeAI. Before revolutionizing cyber threat prevention in 2018, Lenguito's 18-year tenure at Dell and Quest Software encompassed 26 diverse executive positions. His unconventional journey from Formula Three racing champion in Italy to tech industry innovator showcases his adaptability and vision. At Dell, Lenguito's entrepreneurial spirit shone through his creation of a groundbreaking program that bridged the gap between corporate employees and startups, demonstrating his talent for fostering innovation and maximizing human potential.

Building a Bridge Between Corporates and Startups

One of Lenguito’s most impactful achievements at Dell was creating an innovative entrepreneurship program that connected Dell employees with early-stage startups. The program grew to involve over 400 Dell employees mentoring 10 to 20 startups at any given time. Rather than following traditional corporate-startup engagement models, Lenguito’s program focused on unleashing the untapped potential of Dell employees, allowing them to utilize skills from their past experiences that weren’t being used in their current roles. This unique approach not only benefited the startups but also significantly improved employee satisfaction and retention.

From Intrapreneur to Entrepreneur

Lenguito’s exposure to entrepreneurs through the Dell program eventually inspired his own entrepreneurial journey. In 2018, he founded BforeAI after discovering research that aligned with his long-held vision of predictive cybersecurity. Inspired by the concept of “pre-crime” from the movie Minority Report, Lenguito saw the potential to transform cybersecurity from reactive to proactive that relies on continuous monitoring. His company now prevents an average of 20 million potential cyberattack victims daily, with the ability to predict threats up to nine months in advance.

Insights on Building Corporate Innovation Programs

Drawing from his experience, Lenguito shares three key principles for organizations looking to build successful corporate entrepreneurship programs. First, clearly define your purpose--understanding why you’re creating the program is crucial. Second, set clear boundaries and expectations upfront about what the program will and won't do to avoid frustration on both sides. Third, secure appropriate funding by identifying who benefits from the program’s secondary outcomes, as they should be the ones sponsoring it.

Future of Cybersecurity

Lenguito’s vision for the future of cybersecurity challenges the industry’s current “assume breach” mentality and zero trust security principles. His experience with cyber insurance providers has led to innovative hybrid models that combine traditional insurance with predictive security measures. This forward-thinking approach has earned recognition from industry leaders, with BforeAI recently being named a Gartner Cool Vendor in AI and GenAI for banking and financial services.

LinkedIn Profile: https://www.linkedin.com/in/llenguito/

BforeAI: https://bfore.ai/

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Patrick Spencer (00:01)
Hey everyone, welcome back to another Kitecast episode. My name is Patrick Spencer and I am the host for today's show. My colleague and Grime 10 Freestone unfortunately isn't able to join us today. He's out shooting a video for our SKO event coming up in another month or so. But we're in for a real treat. I'm very excited about today's show. It features an interview with Luigi Lenguito, the founder and CEO of Before AI.

Before founding the company back in 2018, Luigi served in executive roles at Quest Software and Dell for 18 years. We're gonna dive into a little bit of that. Very, very few technologists stay at one company for 18 years. I made it one decade at Symantec. He speaks a bunch of different languages. We're gonna only do this in English, obviously, and holds degrees from universities.

Luigi @BforeAI (00:47)
you

Thankfully.

Patrick Spencer (00:54)
literally around the world. I was very impressed with your academic background and the fact that you have degrees from China and Paris and Brazil and wow, very, very impressive. So this is gonna be a fun conversation. Luigi, thanks for joining me today.

Luigi @BforeAI (01:10)
Thank you Patrick, really looking forward to it and hopefully we'll explore some of these different adventures also in light of the modern world we live in.

Patrick Spencer (01:21)
Well, you had a little bit of entrepreneurial spirit when you're back at Dell because you created this entrepreneurship program that was very, very successful. We'll talk about that in a little bit. But so I suspect that's what led you into your venture that started back in 2018, before AI. What prompted it, you know, and what is before AI? We'll talk a bit about the leadership position you guys have. You're in the Gartner hype cycle.

Luigi @BforeAI (01:27)
Hmm.

Patrick Spencer (01:49)
Twice, in fact, I believe. But let's start with.

Luigi @BforeAI (01:52)
And actually today, today as we are recording, we just were named the cool vendor. So super happy, know, in yeah, cool vendor in AI and GenAI for banking and financial services, only cybersecurity company among the four listed. So yeah, very proud. listen, the inception a few years ago was really looking at the industry, seeing that

there was all these detect and respond and assume breach kind of mantra that was starting to form. And to my kind of liking, it was going too much in that direction. nowadays we see that basically cybersecurity has become extremely reactive. And the problem with that for me is that if you are in that victimhood mentality, then it's not a good place to be. You don't know what happened next.

You know, you're always under stress and we don't want that burnout and turnover and security team is at all time high. And for me, it's the direct consequence. And so the thought was, okay, I want to bring something new to the industry and rebalance. Of course, we're not going to stop doing that action and response. There will always be cases in which that is important, but it shouldn't be 100 % of the case. It couldn't be and not be the norm. And so we invested in building this predictive and preemptive technology.

to bring to bear preemptive security. And before AI is really all about this, it's all about identifying sources of cyber attacks weeks before the attack starts, blocking them before any victim is made. Nowadays, we have an immediate three weeks anticipation, up to nine months for more sophisticated attack like ransomware and malware, as short as six hours for things that are more menial like maybe fake websites and the likes.

And more importantly, 90 % of those attack we shut down before any victim is made. We have an ability to do what we call preemptive take down together with a capability to disrupt the network so that there's no victim. Every day an average of 20 million victims are prevented today thanks to before the indices growing. Of course, there's more customers coming to asking our services. So really, an interesting.

set of technologies in the prediction. And we can talk about all the predictive AI that we use combined with automation and business rules to do this preemptive blocking and work with a lot of partners to enable it, resulting in deterrence. And there's an interesting phenomena that we are seeing nowadays where our earlier customer that are with us since a couple of years are actually seeing the number of attack against their premises reducing over time.

And our theory is that this is because we are blocking the attacks before any victim is made. You can see the criminals investing in that infrastructures, in their campaigns, in their effort, time, money, and then get nothing out of it. As we know, economical crime is very ROI-oriented. So we're basically skyrocketing the cost for them because there is no return on investment. so...

Patrick Spencer (04:39)
Interesting!

Luigi @BforeAI (05:04)
It is a little bit like the tale of the bear and the two friends. don't need to outrun your friend. In the bear, you need to outrun your friend, right? And so in this case, think criminals are basically moving to other targets that they find more approachable versus our customer.

Patrick Spencer (05:19)
Are they talking to each other so they know that, you know, criminal gang in China, they attempted to breach a particular company and they spent six months creating a, you know, an attack methodology and so forth. Someone in Russia knows that that's the case.

Luigi @BforeAI (05:33)
We think so. have some of our customer have reported that they have seen some messages on dark web anecdotically. I like basically indicating what you're seeing. Of course, I'm searching strongly to find those messages because we want to put it, we don't do dark web or deep web analysis, but I love to find one of these to put it on a billboard, right? The criminal say don't attack that company because it's too well protected. I think that definitely is kind of the growl for us.

Patrick Spencer (05:57)
Yeah.

So you started the company back in 2018. was before all the, mean, AI was a topic of conversation, obviously, but not like it is today, particularly after the big launch in November of 2021, right after Thanksgiving, right? So you were doing AI before AI was really a big deal. And now you're probably, you know,

Luigi @BforeAI (06:18)
Mm-hmm.

Patrick Spencer (06:29)
You had both feet in the water back then. Now you're all the way in, suspect. Talk about what that process has looked like.

Luigi @BforeAI (06:35)
Yeah, I mean, I think first of all, AI is not new, right? It's been around for like 30 years. I think what is new is generative AI and all the attention, right? And often people, especially the one that don't have a lot of experience, kind of conflate the two and, you know, like they were the same thing, in reality is not right. In our case, for example, we do not use generative AI. We use predictive AI. Now the anecdote is before AI actually is before attack intelligence.

you need a bit of luck in entrepreneurship as well. So we choose this name well before, but we were before AI, technically speaking. So what happened is that as I this idea that I wanted to rebalance the cybersecurity world to a more proactive one from a fully reactive, I started to search around and I was lucky to be involved in a program from a university where they had a number of patents and they were searching entrepreneurs.

to bring them to market as a research to start that program. And I found this technology and when I saw it, I kind of got this flashback to many years earlier when I was selling network firewalls and customer were always telling me how they felt like they were slow and late. And one customer specifically sent me to the movies, say, Luigi, you really need to go watch this movie from Steven Spielberg with Tom Cruise, Minority Report. You will love it.

Patrick Spencer (07:57)
Hmm.

Luigi @BforeAI (08:00)
And I'm sure people in the audience will remember the three mutant in the pool, the Nagata, they could see the future of crime and the pre-crime police that would jump in the crime, in the scene to block criminals before crime was made, right? And I remember thinking, well, I'm not sure about the mutant, but the idea is very cool. And, at the time, big data and predictive analytics, you know, we're probably talking, you know, like 2003, 2004, something like that, were kind of the buzzword, right? And my thought was one day someone would

take all this data from internet routers and logs in Windows and Linux and mash it up with predictive analytics and figure out the behavior of the criminal and block them. And so now I'm this research program and they're explaining me their data pipeline, behavioral predictive analytics and all these other cool technologies. And I say, this is prey crime. We need to bring it to market. Thankfully, 20th Century Fox did not trademark the name prey crime. So we did it.

So we own the trademark globally for pre-crime is the name of our products, pre-crime intelligence and pre-crime brand defense. And that's what we do, right? So we identify the attacks and we stop them before the crime happens.

Patrick Spencer (09:01)
Interesting.

Hmm. Wow. So you're getting all this intelligence from partners that you have, your customers, a combination, you know, where's all your intelligence come from?

Luigi @BforeAI (09:17)
No, yeah, the way the system works at a high level is very similar to a weather forecast system. We observe the whole internet at the network layer. We collect all the information about routing, about naming, about addressing, about movement between the clouds. And then the system through machine learning convert this in behaviors of infrastructure. So we monitor more than 2 billion infrastructure a day to see how their behavior will change.

And then we train the system to recognize malicious behavior from benign behavior. And we do that by giving examples. So it's not signature based. It's based on giving example of other known good and known bad infrastructure. And then the system with this data that keep getting collected six times every hour, a snapshot of the whole internet metadata. Basically identify network changes or behavioral changes that show that that infrastructure is getting closer to known bad.

behavior and when it's close enough, that's where we signal what we call the pre-crime score.

Patrick Spencer (10:25)
And that notifies the network that it needs to take proactive activity based on that intelligence. Good.

Luigi @BforeAI (10:31)
Yeah, so what happened is that we have two products. So the first product is a pure attack intelligence. So there is an API, the customer connect to their security ecosystem. So firewall, anti-phishing filter, DNS resolver, CEM, web application filters, and so on. And indeed, they receive our prediction machine to machine, and they configure preemptive blocking. So they will stop any communication.

those infrastructure that we indicate will become malicious later on. So by blocking communication, of course, that cannot be infiltration, exfiltration, command and control communication, and so on. So this is really a network security product is meant to protect our customer infrastructures. And then we have another product where instead we focus on impersonation. So we are looking for all those infrastructures that prepare

either a phishing attack, credential stealing attack, counter cover. In this case, not only we provide the notification to the customer before the attack starts, so that they can get prepared. Maybe they notify their client services, or maybe they put information in their app or whatever. But we actually can block the attack as an internet scale. We collaborate with companies like Google Safe Browsing, Virus Total, Quad9 DNS.

many other partners, we share with them those indicators. They block it to protect their own users, but that user represent about 75 % of the internet traffic. So in less than five minutes, 75 % of the internet traffic does not go toward that malicious destination anymore. So we isolate it. We don't touch it. We just help everybody stay away from them. Concurrently, we initiate this preemptive take down where we share the same data with registrar, registry, cloud host, their host,

CDNs, search, C-search, you the entire stack of the infrastructure support. And we show them that their customer is basically abusing of their service. So they should shut down that infrastructure. Nowadays, about 88 % of our take downs are completed before any content is loaded on the infrastructure. So not only we were blocking it, you know, days before the tax started, we now shut it down even before content is loaded. So to the earlier point, the troop break crime.

truly avoiding the criminals to get any return from their work.

Patrick Spencer (12:59)
Interesting. So phishing's a big issue, as you know. It's often, you know, the employees who fall prey to social engineering. Some of these are really good. I got one from Norton, purportedly the other day. You would have thought it was from Norton. It wasn't, but it looked like it. Which is kind of ironic. They're using the cybersecurity companies for their phishing attacks.

Luigi @BforeAI (13:09)
Mm-hmm.

Patrick Spencer (13:28)
How do you work with the employees within the company? You shut down network traffic, they're still, they're not gonna see those emails because you know that those are malicious and that's how they're being stopped.

Luigi @BforeAI (13:36)
Correct. Correct. Yeah, the filters will avoid them to come into their inbox on the first place. And I think nowadays you need to have a multi-layered approach. So you would have content-based analysis that most of these phishing filters are able to do also using genera, fantastic companies in that sector. But you still will have false negatives that comes up because, of course,

Feminals tend to craft their work pretty, pretty well. So that's where we generally get introduced in anti-fishing filters to reduce the false negatives of other solution. And the generally are the more sophisticated, the more risky as well, especially in the financial sector. I'm very much of the idea that you can train people as much as you like. Actually, if you take the most trained people in the world, airline pilot, they're still the number one cause for airplane crash.

So, you yes, you have to do awareness, but the solution is in the system, not in the people. And so of course people have to be there and you want to have the human firewall in place. But, but you know, if there is one thing that we can forecast without needing or AI or anything like that, is that crime, electronic crime will continue to grow. That sophistication of these attacks will continue to grow. As an example, we've seen our prediction grow by 400 % in the last nine months. So.

Patrick Spencer (14:41)
interesting.

Luigi @BforeAI (15:04)
And this is coming now, because we are months in advance. And so that sophistication, that variety, velocity, and complexity of those attacks require machines. Only machine will fight against machine. But machine that are obviously created by humans and that are orchestrated by humans. So that's where we see us. We see us as augmenting the ability of security teams, removing the menial administrative work.

from them through automation so that they can concentrate in helping us train the system for identifying faster and better those future attacks.

Patrick Spencer (15:43)
Interesting. How do you envision you talking about faster and machines quantum computing? You have the issue where road nation states and some of the cyber gangs are gathering all this information. They're not doing anything with it yet because they don't have quantum computing where they can break those algorithms and so forth. Is there a play for you there on that front? Because some of this is not going to happen for five years, maybe 10 years.

on who you talk to, you know, and what technology is required. But once quantum computing becomes more more prevalent and more more advanced, you know, these criminal gangs, nation states, they anticipate they're going to be able to break these algorithms. You know, what's happening on that front? And, know, do you have a play there as well?

Luigi @BforeAI (16:14)
Mm-hmm.

But I think we have a play more in avoiding leaks on the first place, because obviously you don't want to have data excistration and the likes. I'm not an expert in quantum, but one thing that I look is I have a set of floppy disk at home. It tells you how old I am with computer. And I don't have a reader for these floppy disk anymore, right? So the data in there is useless. And there are some nice games from my MS-DOS times that I miss.

What I mean by that is that I surely some very secret information that will still be valid 20, 30 years from now. But the vast majority of things will be superseded, especially at the speed of today. So I'm not sure if it is overestimating how fast we will get to quantum capabilities, because at the moment it's still very far away, to your point.

and even the 10 years seems to me quite optimistic given where we are. Or we are overestimating the value of certain disinformation. So the good news is there is a lot of people that are focusing on it. They're very smart. They have a lot of funding. And I trust that they'll get something sorted. For now, we sort the problems that exist today just a few weeks in advance so that there are no victims. It's important.

Again, cybersecurity is a very, very vast set of problems and not a single solution solved for everything. So we need to continue to build these layers of different capabilities and make sure that they work in coordination and they're not too complicated to manage and to deploy, but ultimately make the life of the criminals more and more miserable, basically.

Patrick Spencer (18:31)
Makes a lot of sense. The protection of corporate secrets, private information, protected health information, financial documents and so forth, is becoming more more complex with the introduction of the supply chain, right? Software supply chain, third parties, the number of third parties an average organization deals with is in the thousands early based on our research, probably the research you've read as well.

Luigi @BforeAI (18:49)
Hmm.

Patrick Spencer (18:59)
How do you deal with all of those, right? Because you can sell your solution to ABC Corp, but they may do business with a thousand different entities that may have varying cybersecurity controls and only a handful of them they rely on before AI. How do you help protect that supply chain scenario or is that on the horizon?

Luigi @BforeAI (19:15)
Mm-hmm.

Yeah, so I think first of all, you're absolutely right. You know, complex supply chain that being within the software products or within the operation and the business of a company are definitely where criminals are starting to are spending more time, right? Mostly because large sophisticated companies have matured their cybersecurity programs to a certain level where

their supplier now much easier to be, you know, victim of cyber attacks and then have a conduit that is a trusted conduit within the, you know, the larger corporation. And so at the same time, this is very complicated to assess and measure. You know, it's definitely every time I speak with CSO one on their top kind of issues. From our perspective,

We contribute in different ways. Again, we are not the single solution for every problem. Likewise, we cannot predict every possible attack in the world. But the company started in Montpellier, that is the city of Nostradamus. We don't have the book with every possible prediction in the world. But in third party, what we do, things. We have customers that ask us to filter our prediction on the basis of the impersonation of their partners.

for business email compromise, for again, trusted infrastructures that may be working on their interfaces that are being replicated if you want by criminals. And so what we can provide there is a customized feed that then they can use in the relevant security control for filtering. Maybe the main filter is optimized against.

impersonation from the third parties, right? The banks, the air conditioning, you know, suppliers and things like that. The second thing we have actually other customers, especially in the banking sector, where, you know, they have B2B relationship with their own customers, and they see their customer as a risk, somebody that get impersonated and asked to move money from one account and other in certain parts of the world, the responsibility for such mistakes.

is actually in the bank, or at least 50-50. And so there is actually cost of fraud that materialize. If anything, also problem for AML or anti-money laundering and KYC, know your customer because this money then goes up as your money, mule accounts, where it goes to fund terrorism and all sorts of other crap. So what they do, these customers of ours, they actually buy before AI for their own customers.

Patrick Spencer (21:44)
Mm-hmm. Yeah.

Luigi @BforeAI (22:08)
to so that they provide as part of their service value proposition an additional cyber layer so that their customer now get protected by us and indirectly they're getting protected. So there are various approaches. The critical element in all of this is always identify your risk, prioritize them, and make sure that you have a systemic solution to mitigate that risk. And ideally,

Patrick Spencer (22:18)
Interesting.

Luigi @BforeAI (22:36)
avoiding it completely with prediction and preemption, but otherwise with mitigation like the text and response.

Patrick Spencer (22:43)
What, you know, there's a lot of discussion around the compliance regulations, security, there's a lot of different standards. ISO, you know, on the defense industrial base, have CMMC, know, Kiteworks has seen a lot of business on that front, obviously. You see regulations, you know, improving security, number one, but moreover, do you see some of those regulations beginning to factor in, you know, the predictive modeling where you can prevent.

Luigi @BforeAI (22:56)
Yeah.

Mm-hmm.

Patrick Spencer (23:13)
and you need to have those controls in place, just not the reactive controls, the controls ensure they can't get in the house, but you're actually trying to predict attacks before they happen.

Luigi @BforeAI (23:23)
Yeah, there is more than me that obviously have a very biased approach to these and been challenging, for example, MITRE saying you don't ever predict all of your attack or defend. There should be one. But interestingly, this very weak National Science Foundation put out a request for information to various agencies for where research funding should be oriented in cybersecurity space.

And Mitre actually responded to the RFI. And one of the things that they suggest to focus on is predictive and preemptive use of AI for cyber attacks. And, you read it, looks like they've done a copy paste from our website, but, you know, I'm not going to claim any royalties or any trade large on that. I'm very happy with it. But I think, you know, we have seen it first in the defense sector where an active defense approach has been kind of

in live or in the works for many years. Iron Dome in Israel is a fantastic example of a solution. This active defense is there waiting the moment that the rocket starts to destroy it in the air, protecting people in Tel Aviv. What we saw with the beginning of the war in Ukraine, US disclosed a lot of threat intelligence about the positioning of the troops from Russians to try and deter them. Unfortunately.

the madness there couldn't be deterred. But I think this trend is not new. It has been in the air, this concept. Of course, the challenge is one of false positive and false negative. So as you build these technologies, how much you cry alert, what is the trigger? And so we have done a huge investment to reduce the number of false positive because you need credibility, especially when you predict the future.

If you get it right only one every 10, then who's going to believe you, right? In our case, it's become so precise today, we have less than 0.05 % of mistakes. And we actually guarantee that low level to the point where if the customer, due to our mistake in prediction, is hit by an attack, we cover the cost of the attack up to 10 times the value of our annual contract.

Patrick Spencer (25:25)
Quite well for once in a lifetime.

Luigi @BforeAI (25:47)
And this is backed by Munich, the global insurer that basically analyze our system. And they saw that, you know, that zero zero five is actually the worst case. It's actually very stable. So it's critical that the system are engineered for minimum false positive and minimum false negative. Now false negative is the most complicated and risky thing is where you announced that something is not going to be problematic and then suddenly become problematic. And so.

Patrick Spencer (26:11)
It is.

Luigi @BforeAI (26:14)
Unfortunately, you you don't know what you don't know, right? And false negative is pretty much about the unknown. But, you know, there's still root causes that we can identify. Nowadays we do, you we deliver about 100,000, a new prediction daily of future cyber attacks. And of those less than 4 % are actually false negatives. So we do miss very, very little among the things of course that we can predict. so I think.

Patrick Spencer (26:32)
Hmm.

Luigi @BforeAI (26:42)
know, policy wise, you know, I'm not, you know, despite being European, I'm not a great fan of regulation in general. I think, you know, even with the recent election, which we know the results now, probably regulation is not going to be a top of the agenda, you know, in the US either. I think still there will be, right? The world is full of it. But I think it's more a governance of the cybersecurity program that we're

teams are just fed up with this reactive approach and they will want to do more preemptive security, proactive security. Of course, prediction is kind of the extreme. You cannot apply to everything. But I think the movement is we don't want to be victim. We want to be in actor mode. We want to know what's coming next so we get ready and prepared for fighting. And I think that's definitely one of the things that we hear as a

Patrick Spencer (27:18)
Proaction.

Luigi @BforeAI (27:40)
A reason customers really love before AI is because they feel that now they're not fighting back because we are not doing offensive security, but they're not in that victimhood mode where they just don't know what's going to happen next, right? And they are reacting. They like that they have a voice that we are creating problems for the criminals. We are reducing their ROI. Their customer are not becoming victim.

you know, is really more empowering. It's really good feeling for them when they go to the board and say, we saved $20 million we could have had in these attacks that we blocked. So that arrow eyepiece is actually one of the things that our customer really liked. provide a regular reporting in which we tell them these many attacks we predicted, these many we blocked, so many victims were avoided because we have all the telemetry from the system that gives that. And that visibility they never seen before.

is actually quite exciting and eventually become one of the reasons they stick with us because they can provide this reporting regular to the board, their CTO, CIO, whoever they report to. And it's a feel-good, It's knowing that you get in the morning and you have saved millions of people from fraud is a very good place to be.

Patrick Spencer (28:55)
So it sounds like there's work to be done on the policy front, depending on, regardless of your opinion on, those good or bad? It seems that probably more preemptive proactive security controls need to be built into NIST and CMMC and SOC and ISO and so forth that are out there. Do you think the insurance companies will help drive some of that change or?

Luigi @BforeAI (29:18)
I think, I think.

Patrick Spencer (29:22)
Maybe they will create their own models because they have to figure out what the risk is when they do insurance with these different entities. Are they starting to talk about preemptive proactive insurance at all based on what you're seeing?

Luigi @BforeAI (29:22)
Mm-hmm.

Sure. Yeah. So here is a couple of thoughts. So first of all, I think regulation will capture also the capability of the market. So we are doing something, NSF is going to fund more. And so at some point, this technology will become more known. And so automatically, people will see a value to map them. So there is a kind of a natural hype cycle type of evolution there.

Concurrently, I think you're right that the cyber insurance insurance world is facing specific challenges where, yes, they try and measure and manage the risk. But I always challenge the teams that I get in actuarials and in the insurance carrier world, because I think that the equation of the cyber risk is a pretty different one from other risks.

You have a base that is definitely something you can control, right? The, you know, how secure and mature cyber security program at a firm is, but this is power to another component is not controllable. That is the adversary that is going to make more and more effort to try and do the most damage possible. And so that is not a controllable and it's not statistically valid either because there is this intent of ARM.

It's not a natural phenomenon that you say we can map for statistics. It's a non-statistically relevant phenomenon. So of course, they have models. And there have been recent research that show that the more use of tools to assess the customers are in place, the better the control of risk is. And because there is improvement in that base, in that controllable,

But ultimately, we know that cyber insurance is, for example, for the mid-market and definitely for the small businesses, an absolute nightmare. The cost is too high, it's too complicated to stay on top of all the audits. The requirements are becoming more more complicated. The cost is increasing. So the conversation I have with cyber insurers is, there alternative models? So we have seen firms that already mix insurance with

incident response, for example, to control for the cost of claims. So maybe you cannot remove the risk or limit the risk, but you can reduce the cost of responding. So that's an approach. We are working with certain insurance carriers to embed our product into their cybersecurity product by basically saying, okay, a cyber insurance with incident response assume that there will be an attack. So it's always in that reactive approach.

Patrick Spencer (32:08)
Mm-hmm.

Luigi @BforeAI (32:26)
do another type of product where we assume that 99.95 % of the time, we will not see the attack because we have predicted it. And we cover with a performance guarantee, which I was mentioning earlier, that part where we make mistake in predicting. And so we reduce cost claim losses, not by reducing the cost of treating the single claim, but reducing the occurrences of the claims. And so definitely there is a lot of interest and discussion for this.

Patrick Spencer (32:41)
Hmm.

Luigi @BforeAI (32:54)
alternative models of, you more hybrid type of cyber insurance. And I think that's the definitely future of kind of a fusion between cybersecurity product and insurance product, a bit like before AI is with the Munich Resupport, where in our case, we have a cybersecurity solution that is backed by a performance guarantee supported by an insurer. I think there will be various, you know, evolution of these models. And you cannot, you know, be one or the other because

you know, the, the, the, cyber solution will ever be 100 % complete and no cyber insurance will be, you know, cheap ever. Right. So, so you need to find the right balance. Yeah. You need to find the right balance between these two components. And so for us, for example, is definitely all about, know, how do we partner with those insurance carrier? How we help them bring our product in a scalable way to their customers, you know, how we help them.

Patrick Spencer (33:34)
We only wish.

Luigi @BforeAI (33:53)
kind of move from this mentality of, yeah, we have to have an attack and reduce the cost of the attack to let's find ways to avoid the maximum attacks. And then, yes, there will be still some. And let's cover this little piece rather than a more wider set of occurrences.

Patrick Spencer (34:11)
That's fascinating conversation in and of itself. Well, you know, we have a few minutes left. I want to transition over to the personal aspect because I think that's going to be of interest to our audience as well. You were at Dell for 18 years, your Quest another three years after that. You know, how in the world do you stay at a company like Dell in a series? You had, I looked at your LinkedIn profile, eight or nine different roles at least when you were at Dell.

Luigi @BforeAI (34:13)
Thank you.

Yeah, LinkedIn probably had the limit.

Patrick Spencer (34:40)
Yeah, that kept you energized, I assume, and talk a bit about what you did there. And then I wanted to spend a moment about the entrepreneur program that you developed that was focused on French market.

Luigi @BforeAI (34:48)
Sure. Yeah. So listen, Dell was my actual first official job before that. was doing formula three racing, professional racing. And, yeah, I'm definitely, there is, it's a, at the bottom of it, it's it's a long, but listen, Dell was, and I think still is, but, I was in formula four. So obviously it is a secondary kind of teams. don't, wouldn't know the name, but

Patrick Spencer (34:57)
really? That's not on your LinkedIn profile.

Which team did you race for?

Yeah.

Luigi @BforeAI (35:15)
I was Italian rookie of the year, so I was European champion at some point. Eventually, I ran out of money, so I had to escape Italy to avoid the debts payments. And I moved to France, and that's where I joined Dell in their Italian tech supports, where they started the business for the south of Europe. And this was, as I said, my first official job. stayed 18 years. I actually counted before leaving.

Patrick Spencer (35:20)
wow.

You had to go to work.

Luigi @BforeAI (35:41)
26 different roles. So the nine that you see on LinkedIn is more kind of the major ones. And this was the beauty of the bigger startup in the world, as Michael Dell used to say. There was all this growth, all these opportunities. By the way, every single job was created because I suggested it. So I never took anybody else's role. There was also a very opportunistic entrepreneur. So you can say that I was an intrapreneur.

at the time, right? So, know, coming up with new ideas, seeing new opportunities to help customers or improve the processes. And thankfully Dell had this meritocracy that created and made me always kind of move on with my skills. So as I was learning, so fantastic experience. And indeed, toward the end of my stint, this opportunity to start to work with entrepreneurs to power them with Dell technologies. And

you know, probably Dell didn't know the trouble they were letting them in by letting me work with them because of course I got the bug. And so a few years later, you know, I left, I'll bet it wasn't a direct relationship, but I left first and then a couple of years later started the business with the, before AI. but you know, I think the takeaway there is if you are curious, if you are eager to learn, and if you find yourself in a, a context that

give you the capability to spread your wings, then I think anyone who asks can achieve fantastic careers. And it's really about what do we want to achieve more than what is around us. But DelFont Entrepreneur was an exciting experience working with startups at a very early stage. The program was all about giving

employees a certain percentage of time to work with these startups. So was more of a mentoring program. There was no equity exchange or investment or anything like that. And what I realized at the time is that when you are an employee, maybe you are in marketing, doing product marketing, maybe you are in channel, doing channel management in those large corporations, at any given moment, you're probably using

let's say 50 % of your capabilities, because you have been in other jobs before, but you're not using every skill that you have had across your career. And there is a, you know, kind of, for me, that's kind of a waste. so through these mentoring programs to the entrepreneurs, we would have marketing team helping entrepreneur with finance. We would have, you know, sales team helping them with, you know, speaking with partners because they had done it before. And so it was,

Patrick Spencer (38:07)
You learn. Yeah.

Luigi @BforeAI (38:29)
sure the entrepreneurs got a lot out of it because they got these fantastic people consulting with them for free, kind of unlimited. At a given point, we had more than 400 people involved in the program on the Dell side for 10 to 20 startup at any given moment. But you also had a huge upside of the satisfaction of the Dell employees because now they could use all these skills that normally they wouldn't use in their job.

Patrick Spencer (38:42)
Wow.

Luigi @BforeAI (38:58)
purpose and obviously seeing the entrepreneurs improving and growing. Some eventually left and went to work with the entrepreneurs or some left and built their own company like myself. So the problem, the product was successful beyond belief. Definitely we didn't anticipate all these outcomes and collateral evolutions. But it was very exciting, especially because there was a true human to human

Patrick Spencer (39:10)
Like you.

Luigi @BforeAI (39:26)
value exchange and very proud of what we did at the time with all the teams.

Patrick Spencer (39:31)
Interesting. If some of our listeners are entrepreneurs like you, they're running their own businesses, they're not huge organizations. Others are in large organizations, may not the size of Dell, but sizable. Maybe some of them are bigger than Dell. Do you have recommendations for them on what they can do to emulate or to create a program similar to what you did at Dell if they're interested in doing the same in their organization?

Luigi @BforeAI (39:56)
Yeah, I mean, I can, I can just say some of the things that work, but I'm not sure I would call them recommendation. Each organization is so different. You know, I wouldn't, I wouldn't, you know, have the make the assumption that, know, whatever, whatever I say can, can be applied, right. But I think, you know, the, first thing as in any business and in any endeavor is find your purpose. So why are you doing this? The first question is really, and, know, for us.

The answer was we want to help the entrepreneur grow. And then the rest kind of came later as in, we also want to help the employee be more, know, at being their job and kind of just some of their time for something more purposeful than the day by day activities. So that's number one. Number two is, you know, clear understanding of what is the scope because this thing can...

you know, get out of hand very, very quickly because the entrepreneurs are the good ones anyway. They are capable of extracting value from where there is nothing. And so you want to make sure that you set expectation and you don't create frustration on the two sides that, you know, because maybe the entrepreneur thinks that Dell is going to Dell, sorry, any company that you're working with is going to resell your product. You know, that maybe it's not at all in our case was not the case. Maybe they can.

Patrick Spencer (41:15)
Mm-hmm.

Luigi @BforeAI (41:19)
you know, imagine that there would be some form of investment or &A when that is an absolute, our program was absolutely set for that. So it's very important to say at the beginning of the relationship what you will not do to the entrepreneur. So be very strict on, you know, yes, this is what is the program. Give a contrast, what is not the program. Set expectation, this way there will not be frustration. Frustration is always a result of having higher expectation the way you can deliver it.

Patrick Spencer (41:33)
Hmm.

Luigi @BforeAI (41:48)
So that's the second thing. And then the third thing, find the funding because these things are not cheap. And so that you need to be creative. Is this a marketing program because it's building brand? Is this related with some form of business development? And so it's more sales related. Go figure out who is actually getting not the primary outcome, but the secondary outcome of the product. And they will have to sponsor it. If they don't sponsor it, it means that

you don't have the frame of reference of your program yet correct. So one, why you do it. Second, what you don't do it. And third, how you pay for the process. Because there will always be some activities, attending events, traveling to meet the entrepreneurs, supporting entrepreneurs in some marketing activities of theirs, and so on. But.

Absolutely, if you can build an entrepreneurship innovation program within the company, it's so good. Even if it doesn't deliver any actual innovation to the company, it deliver a fantastic learning experience for the employees. create, know, despite my example and a few other, the majority of the employees that went through that program are still with Dell. So fantastic retention because you create this purposeful, you know, community building type activity.

Patrick Spencer (42:55)
for employees.

Luigi @BforeAI (43:11)
And last but not least, this a lot of fun. Just a lot of fun.

Patrick Spencer (43:17)
Well, those are some great suggestions. And I'll be interested in hearing from our listeners if you go and actually try to see if you can get a comparable program started up in your organization. So, Luigi, we could go on for another 40 minutes, but unfortunately we don't have time. For listeners who want to get in touch with 4AI, what's the best way to do so? Your website, I assume they can connect with you on LinkedIn.

Luigi @BforeAI (43:20)
Thank you.

Yeah, website very easy before.ai. I'm super active on LinkedIn. So Luigi Linguito and or Luigi before.ai you'll find me very easily. And I connect with everybody that connects with me. And then, you know, very happy of again, this cool vendor. So before.ai slash cool dash vendor, and you'll see more about it. And ultimately our video archive, there's a lot of demos of our platform and

interviews with our customers before.ai.video and it brings you to the YouTube channel where you'll find all the content.

Patrick Spencer (44:23)
Yeah, that's great. Being named a Gartner Cool Vendor is a big deal and will drive a lot of sales for you. At least you're hoping, I suspect, based on my past experience with group.

Luigi @BforeAI (44:29)
Very cool.

We're very proud. We're very, very proud. For a year in, getting this achievement, and before it we had 24 mention in different reports. We definitely feel that we're doing something right, and we will keep doing it.

Patrick Spencer (44:52)
You landed right on the target. So congratulations. Well, Luigi, thanks for your time today for our audience members. Thanks for joining us for another Kitecast episode. can find other Kitecast episodes by going to Kiteworks.com slash Kitecast. Thanks a bunch.

Luigi @BforeAI (44:55)
Thank you. Thank you very much.

Thank you, Patrick. Bye.

People on this episode

Patrick Spencer

Co-host

Tim Freestone

Co-host