Cyber Paradigm Shifts with Samir Kapuria
Ann Johnson: Welcome to "Afternoon Cyber Tea" where we talk with some of the biggest security influencers about what is shaping the cyber landscape and what is top of mind for the C-Suite and other key security decision makers. I'm Ann Johnson and today, we are going to discuss the next cyber frontier including trends, technologies and paradigm shifts that will help ensure a more safe and secure future. I am thrilled and lucky to be joined today by Samir Kapuria who is the managing director at Crosspoint Capital Partners and a strategic leader investing in industry-changing innovation. Samir has over 25 years of experience leading enterprise software, consumer software and managed service businesses in cyber security. He was previously the president of NortonLifeLock, a global leader in consumer cyber safety. And under his leadership, he helped scale the company the annual revenues exceeding $2.4 billion. Welcome to "Afternoon Cyber Tea", Samir.
Samir Kapuria: Thanks, Ann. It's great to be here.
Ann Johnson: So, Samir, before we start talking about trends and the challenges and opportunities, can you tell the audience a little bit more about you? You have dedicated most of your career to cyber security, so how did you get your start? Why did you stay in the industry? And what brought you to your current role at Crosspoint?
Samir Kapuria: What a great question. You know, my start in cyber actually coincided with the internet coming to life in the '90s. You know, I had the privilege of being at the right place, at the right time with the right friends who are working at an organization called BBN, a place which was most famous for its DARPA-sponsored research. Some of the- the tech historians out there may recall that BBN was focused in creating some of the earliest internet incarnations like RPNet as well as developing things like TCP and the IPsec standards. But in a nutshell, it was a place where technical wizards sort of roamed the hallways and I was a sponge to learn from all of them. But the key from that experience was thinking about how things could break and then thinking about how you'd fix them, and that -- this has led me into a- a company with cyber pioneers that was called @stake. We were focused just on that same thesis, how do we break security and then, how can we fix it? And if you fast forward time, what's kept me in this space, I'd say it's- it's three things, Ann. First, it's- it's a fulfilling mission. It's one of the only spaces where you have a mission to protect people, companies and organizations and being part of something greater than yourself. I think the- the second big thing that's kept me thriving in this space is the- the need for continuous innovation. You know, this- this industry, as you know, has a mantra of constantly creating new. Why? Because you have an active adversary changed in a game on a daily basis. So, of course, you just want to expect the unexpected and innovate new defenses and safety on a constant pace. The last thing that- that's probably kept me in this industry and kept a smile on my face for so long is the community. When you have a problem that affects so many lives and organizations around the world, it has this gravitational pull bringing people from all walks of life together and that community is something that- that I really relish. And so, now- now here I am, we formed a firm called Crosspoint Capital not too long ago and we've evolved from that thinking and harness our experiences and our resource to define companies who are focused on that mission. We're focused on that continuous innovation, we're focused on that community to work with them to- to fuel and define the-- the future of the sector.
Ann Johnson: You know, a lot of what kept you in the industry are the same things that have kept me in the industry for 20 plus years. And I remember @stake, they had such a tremendous reputation. So, you have this feel like really highly valuable and valid industry experience that I'm hoping we can really dig into today. As we think about the market today and thinking about it more broadly, an awful lot has changed in the past 20 years and an awful lot has changed even more so in the last year. There's a lot of economic turmoil, there's geopolitical turmoil, what do you think are the macro trends that are tracking across specifically the cyber security industry?
Samir Kapuria: You're right. A lot has changed over the last year and I could- I could probably drain a whole kettle of tea with you on this question alone. But as you mentioned, the economic climate has companies looking at efficiency and spending in really creative ways but I think a lot of leaders have an appreciation for the importance of investing in cyber in a whole new regard. Let me just break that down with- with a few key observations. The first one is if we take that- that macro view you- you mentioned and pull back for a second, damages from cyber attacks have grown to trillions of dollars and I- and I think one of the reports I recently read said it has a trajectory to be over $10 trillion of annual damages in the next two years. So, that's definitely hitting the P&L and the bank accounts of both companies and individuals in a serious way. And seeing in that macro view for a second, the total spend in cyber security is roughly 150 to 200 billion. So, the bounds in- of investments still has quite a long way to go before we- we see the- the size of the damages commence with the size of investment they're protecting. Then, two, the geopolitical environment. It's definitely demonstrated the rise of cyber weapons targeting critical infrastructure, not being behind the curtain so to speak but being in the forefront. So, the underpinnings of day-to-day life is now being impacted in a serious way. Keeping in mind that many of these cyber attacks don't just stay on target but start to roam beyond the coordinates that- that- that we're given. And then, as I think about that economic environment, companies are trying to do more with less by the way of automation as well as the heavier reliance on integrating with third-party capabilities and the attackers have followed this move with focusing and pushing the dominoes of the supply chain starting with a key component in the supply chain ecosystem and cascading to a broader swath of victims. I think, finally, the rapid digitalization of the world that was quickly accelerated during the pandemic moved the workforce from the office to the home almost overnight which in and of itself created a large and growing surface area of hybrid environments that needed to be protected. So, you put all of these together and I see that the- the big security awakening that's happened over the last few years turned into a security action where companies focus on gaining visibility across that growing surface area both on the cloud and on their systems, embracing a new generation of detection and response technology across the network all the way to the IoT and OT fabric, focused on- on the supply chain of ingredients they rely on from the way they build their applications all the way to continuous testing, and I think this new appreciation of the investment required to maintain constant cyber vigilance and resilience onto this umbrella of what I call modern risk management.
Ann Johnson: I think that's right and I do think that we're operating in a macro environment that we haven't seen at least in recent history. And I was talking just- just a couple hours ago to somebody about the, you know, kinetic in cyber work I mean together, for example. And when I talk to peers and customers and our partners about the challenges they're facing, I hear some of the, you know, the same concerns related to cyber hygiene and passwords and such but I also hear about this layering of challenges like new technology, the pace of change and those emerging threats I was just mentioning that aren't truly well-understood. I'm curious what you're hearing and what are some of the most pressing security challenges you're hearing from founders and from other enterprise security leaders you speak with?
Samir Kapuria: Oh, I'm definitely hearing some of the same things you are with that- with that focus and the foundational elements of- of cyber hygiene. But I'm also hearing a- a whole host of new challenges that are- that are top of mind with folks. On the pace of technology facet you just mentioned, one thing that keeps coming up is the- the surface area expansion we just spoke about specifically with IoT devices. Many of these devices as you know are the least secure part of the network and- and they don't have the compute power to necessarily protect themselves but the volume of these devices is growing at a fast pace. So, it poses a challenge for orgs who are now starting to respond by applying zero trust- a zero trust approach almost to- to IoT as part of their cyber defense strategy but it also take a step back to emphasize something else which is the trust part of cyber. You know, you're not even in the space for a long time and- and if we look over the years, we've- we've seen that people are naturally trusting and attackers prey on that human characteristic with all sorts of social engineering attacks. And- and one of the most common attacks in this category has obviously been phishing and it continues to grow and be top of list for many companies. But as we just spoke about, there are broader challenges that focus on the trust element and I- I was actually speaking with some folks at a forum just- just the other day where some new research was being presented on the threat landscape. And one element that stood out for me that- that I hadn't heard before or seen before was that greater than 40% of cyber threats are now occurring through the supply chain. Now, some of this is taking form in the application development process where developers, as you know, have- have been challenged with faster release cycles and are relying more heavily on common-shared application libraries and modules. So, attackers have naturally implant- implanted nefarious code into those ecosystems to Trojan in. But other supply chain attacks are focusing on penetrating the security of a large company by attacking their small, trusted partners and using them to remora back into the larger target of choice. And so, these supply chain category attacks are definitely front and center with application development and third-party risk management as well as regulations coming out to put the responsibility of understanding on the companies in charge, you know, software, bill of materials and thing of- things of that effect. But another pretty amazing thing to think about as you- as you mentioned the trends here is how two little letters are changing the world so quickly, AI. You highlighted the pace of changing and the question in- this is an area of technology that's just rapidly evolving with- with generative AI. The ability to create content, interpret information and- and scale so quickly. So, from a security lens, companies are trying to understand the benefits this- this poses for their cyber defense posture with the ability to collect, analyze, identify risk faster but also how this category may be a tool used by organized crime and nation states for- for malicious purposes. And I think that the last big trend, I'd be remised if I didn't mention quantum on the horizon. So, the power and promise of quantum is- is something that definitely can help society in immense ways with the ability to accelerate the time to compute. But as we've discussed over the years with all new tech being used for positive, there's also the malicious use of that tech. And with recent publications from various organizations and the NSA most recently, there's a looming expiration date on things like cryptography with- with quantum coming into the forefront. So, this topic has come- come into the fold. Some of the conversations I've heard recently from- from executives of- of different enterprises is, "What do I do to prepare? How entrenched are these crypto algorithms that could potentially be broken by quantum? Where are they? How do I replace them?" And- and so, this nature of- of questioning is- is one that I think is- is healthy because going back to that model in view of risk management, if you take everything I said and boil it down, it would- what you're hearing is folks are asking, "How do I measure and keep control of the risks I know," like you said, "cyber hygiene? How do I manage the risks I'm inheriting from other technologies or connections, supply chain, application security and the like? And then, now, how do I plan for the risks that are on the horizon with things like AI and quantum?"
Ann Johnson: I think those are all really important and I do think that, you know, we have to be- I mean, unpack AI for one second, right? We have to be equally enthusiastic about the capabilities that AI is going to enhance for us in cyber security particularly things around SOC fatigue and alert fatigue. But we have to be equally concerned about both the bad actors using AI to advance their campaigns but also how we're going to secure the AI models and equally importantly, the data. Make sure that there isn't any data poisoning or data that comes into the model that's not real data because that will change the outcome materially and I would expect that to be a significant attack vector. And, of course, quantum. You know, we- we've talked about quantum. I- I- I'm- I'm optimistic, Samir. We have- we have our hands around it because it's going to be probably still a few years before those mainstream quantum capability and we really do have time to get ahead of the protections. But understanding those legacy, you know, things like the RSA Bsafe tool kit which I'm very familiar with are in millions of pieces of software globally. So, we really do have to take all of this seriously as we think about what the challenges are going to look like in the future. Thank you always for, you know, being a leadership in highlighting those things. So, I know you spent a lot of time and energy focused on consumer cyber security which is a topic haven't unpacked much on "Afternoon Cyber Tea". I think there is enough challenges for those in the industry who actually know the ins and outs of security. But when I think about my- my husband and my daughter- I'll tell you something funny. My husband was talking about a podcast he listens to. I said, "You never listen to "Afternoon Cyber Tea", and he said, "Because I don't understand it." So, that just gives you an idea, right? I can- I- I- I'm challenged to educate my own consumer household so think about how challenging it is for folks that don't actually have a cyber practitioner at a ready, right? I'd love your perspective on how consumer cyber has evolved over the years and what we're doing to make it easier, where it needs to go in the future. Are companies doing enough to protect their consumers? And I'll give an example. I had an attempted intrusion on my home network. I don't know if it was truly nefarious or not but my- I'll give a plug, my Orbi device detected it and block it, right? Block an IP address it didn't know. So, are companies doing enough to protect consumer environments and do we need a paradigm shift in consumer cyber?
Samir Kapuria: Oh, what a great question. Consumer security is definitely different. So, as you rightly pointed out, most of us signed up to be part of the cyber community. Our consumers woke up one day and- and realized they had to be the CSAW of their household. And looking at this evolution, I think it started when- way back in- in the day when there were viruses and then there was anti-viruses. And as we fast forward through the ages, the digital footprint of a household expanded as- as you just pointed out to include so many other things that would be under the umbrella of cyber safety, right? You got things like device protection from mobile to PC to IoT. And if I just counted how many things in my house alone have an IP address, it's probably equivalent to a data center somewhere. And- and it also includes things like identity protection and anti-fraud solutions as organized crime is focused on pilfering identities for monetary gain. Being able to identify the misuse of your own identity and restoring your identity has been a challenge for- for consumers at large. And I think the other- other two big areas are privacy. This includes where consumer's behaviors, their information, or what I like to call their digital exhaust should not be available to others to monetize or lift without consent and that's a big and growing concern area. But it also includes the home where everything, as we just talked about, is online in some form or- or fashion. And so, if- if I put all those things together, I think consumer risks have evolved from just security to this digital safety which includes the identity privacy and home. But in terms of the future, I think there's a lot yet to be done with consumer security. First, there's an opportunity to simplify these solutions because much like yourself, I found I am IT support and CSAW for not just my house but my friends and families. And- and quite honestly, it's because many folks are very tech savvy in- in using their technology but to protect it and make it safe is a whole another degree of- of knowledge and capability. So, I think there's an opportunity to simplify. I think two is I think there's an opportunity to protect both folks early and late in life. And- and what I mean by that's when I talk to- to my sons and whatnot and, you know, at the age of 10, the average kid has a cellphone in the US and so that's a new online user. How do we give them a seatbelt and a helmet that they need to ride the internet safely? I don't think that's been done fully yet and there's an ability to help and maybe AI has some key role in this but there's an ability to help- help both the youth as well as the elderly as it relates to- to cyber safety. Because unfortunately, a lot of the attack actors are- are preying on- on those two demographics specifically because they're very trusting. The third thing I'd say is a lot has been done by elevating user privacy and- and putting in the forefront especially with- with policy and- and regulation but I think there's still an opportunity to reinforce with controls and- and accountability. And I think that area is going to evolve quite a bit and- and needs to. But, you know, as I look at the horizon end, I think- I think there are some other elevating concerns. You know, there's this counterfeit reality emerging with deep fakes, with misinformation, with things that look authentic. And as consumers interact with this new horizon of things they watch, things they read, things they see, they don't necessarily know if it's authentic and- and valid. And so, I- I do think there's an opportunity out there as we look at the evolution, we move from AV to safety to a whole gamut of capabilities but I think the next horizon is one of making sure that we're able to provide consumers with not only that simplicity but an ability to understand what is counterfeit and what is real.
Ann Johnson: Yeah. I think when we're talking about consumers, we need to focus somewhere. I- you- you can't ask consumers to understand everything, understand that passwords are inherently insecure so you use some type of, you know, multi-factor authentication, right? Understand that you shouldn't be sharing passwords or repeating your passwords across the internet. You know, I think if we set a baseline and don't ask them to understand everything like my- my daughter literally gave me- my daughter is a digital native, by the way, but she literally gave me her phone and say, "Can you set up, you know, a strong authentication on my Snapchat," or Instagram or what- you know, all of her social media, right? She said, "Because I just," you know, "It'll be faster for you," and I was like, "I'm going to go with that," right? She recognized that she needed it and I thought that that was the most important thing. And I that think consumer education without using big scary words is the most important thing we could do.
Samir Kapuria: Absolutely.
Ann Johnson: So, despite all the challenges we face, I'm always optimistic, right, about the future of cyber, that's why I get up every day and I think you probably are too. I would love to hear what you're seeing that's exciting from a tech perspective. You see a lot of early and young things and are there emerging techs that you think are really going to be game changing?
Samir Kapuria: Yeah. So, my optimism actually starts from a different place. You know, although the headlines grab a lot of the attention about things that gone awry, I think both you and I have- have a privilege of hearing stories from companies and practitioners about all the attacks that they have stopped and the volume and the sophistication of- of the attacks that have been detected or responded or prevented, I- I- you know, just taking a slice out of time, I hear more stories now than I ever had about things that have been prevented. So, that's- that's something that gives me a lot of optimism. The other thing that- that- that gives me a lot of optimism is how many students are focused on cyber. And I know there's a shortage of talent in the domain that- that we've all been trying to fuel, to address but as I go through different universities and education institutes, there's a lot of interest in cyber and I hope that continues because it's just raising the collective IQ. But then as I- as I look at- at companies in cyber, you can see that innovation is alive and thriving in cyber as many organizations are investing their- not only their passion but their resources in- in new ways to do defense and- and- and safety. And on the tech side, I'll go back to the AI comment you mentioned a little while ago, it seems to be the key area that I see as a game changer wherein so many different solutions from network to application to operations to SOC to identity to privacy are all leveraging AI in very innovative and effective manners. And I can see how this new category of technology embedded in- in cyber can not only prove threat detection and increase efficacy of cyber but it's also giving birth to new models and new types of- of cyber defense technologies. We've got an opportunity to- to look at a whole host of- of companies that are harnessing this type of capability in- in new and exciting ways, And the thing that- that starts to rise to the top is how one person now can do the job of multiple people with AI, and what that means is the pace of innovation in cyber has started to accelerate and that's what's really getting me excited about the space.
Ann Johnson: I think that's all right. I love the pace of innovation and I love being in- in the cyber industry as a whole because you- you have that innovation, that need for innovation but let's change course a little. The RSA Conference is coming up soon and I know everyone is gearing up for a really- really busy week. The theme this year is Stronger Together which is just this amazing theme especially right now. So, I've long said that cyber is a team sport and we all need to work together for a safer and more secure future. Why do you think it's so important that we are elevating stronger together this year in particular?
Samir Kapuria: Well said. Cyber security is a- is a team sport and I've been going to this conference for many years as you have as well and it's bounced back even stronger than ever following the pandemic. So, the- the RSA Conference is another reason I'm optimistic to be honest with you about the industry because we're seeing the community come together to solve bigger problems in a more robust manner than ever before. And- and for full disclosure, Crosspoint Capital acquires significant interest in the RSA Conference so I- I have even more of a heightened sort of approach to it. Well, like you said, the- the innovation is healthy and thriving but when people have come together in any facet of- of industry or- or life, they're able to collaborate and breakthroughs happen. And so, that's where I think this- this theme of Stronger Together is more appropriate now than ever before because there are so many challenges on the horizon but there's also that equal enthusiasm of how can we now collaborate, how do we share more, and- and you haven't seen that type of openness in this- in our community in a- in a long time where people are willing to share their experiences, share their knowledge, share their talent, and - and bring it all up together for the community to- to sort of all boats rise type- type approach. That said, one of my favorite things at- at RSA is this innovation sandbox and I know you've attended in the past where the top 10 finalists have three minutes to pitch like some groundbreaking cyber technology to a panel and- and as well as the whole RSA Conference and they get, you know, you get a peek into the future. And a lot of what we're seeing in terms of submissions and in terms of interest at the conference is how we can harness that collaborative nature of the community to- to better the space at large. And so, you're seeing things like risk management in governments. You're seeing things like the human element of cyber security. You're seeing things like cyber resilience. These are topics that take a village, not just an individual. And- and so, not only is it a theme for the conference, I think it's also found its way into the subjects that everyone wants- wants to participate with.
Ann Johnson: I agree and RSA- I- this will be my- I don't know. I'm 20 somewhat years going. I've- I've lost track. It's just such a great week because you can network, you connect, you feel that really big sense of community when you're out there no matter what the topic is. So, we're- we're coming up at time, I have a couple more questions. I know that you always have a ton going on, I know you're incredibly busy, can you share a bit with our listeners about what you're working on right now?
Samir Kapuria: I think it's quite simple. I'm working on all the topics we've discussed so far. I- I have the privilege of partnering with- with companies that are dedicated to helping enterprises, small businesses, consumers and governments, address a whole host of challenges that we spoke about today while embracing that innovation. So, as you can imagine, no two days are the same which makes me a constant student and a- and a constant guide for companies that- that have a common thread that ties to cyber. And so, my job is to help share operational experience, sector knowledge and investment resources to help all these great companies, you know, achieve their maximum potential in- in cyber.
Ann Johnson: That's fantastic. And as we think about the, you know, cyber and we think about all of the incredible insights that you shared as we talk about, I always want to have optimism and a couple takeaways. So, what do you think is important for our listeners to know right now why you are optimistic about the future of cyber security?
Samir Kapuria: Oh! Well, the industry is thriving, the pace of evolution is fast, and those with the passion to join the community are more than welcome and I'm energized by spending time with cyber security leaders like yourself who are driving these meaningful conversations that translate into actions, that sets the stage for the future. So, thank you, Ann, for doing this series because it's an amazing platform to bring awareness to the community and- and also for being a catalyst for- for innovation and focus. And I love the questions you raised and the opportunity to join you on- on this podcast and the spirit of community. If anyone listening would like to share any thoughts, ideas, questions, just pop a note. I'd love to hear from everyone.
Ann Johnson: Samir, thank you for being a leader in the community, thank you for always being positive and optimistic, and thank you for taking the time to join me today on "Afternoon Cyber Tea."
Samir Kapuria: Cheers. Thanks for having me.
Ann Johnson: And many thanks to our listeners. Join us next time on "Afternoon Cyber Tea." I invited Samir Kapuria to join me on "Afternoon Cyber Tea" because he has such a great vision for the industry and he has this incredible base of knowledge. He's worked in consumer security for quite a while which is an area that we haven't touched much on "Afternoon Cyber Tea" and it's so incredibly important. He also, of course, Crosspoint Capital has acquired the majority of @stake in the RSA Conference so it was great to hear his perspective on the upcoming conference in April. Also, wonderful episode and I'm sure everyone will enjoy it.