Afternoon Cyber Tea with Ann Johnson 11.14.23
Ep 85 | 11.14.23

Leading Edge Cyber Innovation with Nadav Zafrir


Ann Johnson: Welcome to "Afternoon Cyber Tea," where we explore the intersection of innovation and cybersecurity. I'm your host, Ann Johnson. From the frontlines of digital defense to groundbreaking advancements shaping our digital future, we will bring you the latest insights, expert interviews, and captivating stories to stay one step ahead. [ Music ] Today I am joined by my good friend and colleague, Nadav Zafrir. Nadav is the co-founder of company building venture firm Team8, and managing partner of the Team8 platform. Prior to founding Team8, Nadav served as commander of Unit 8200, Israel's elite military technology unit, where he established the Israeli Defense Force's Cyber Command. Unit 8200 is recognized as the informal talent incubator for the nation's renowned tech industry. Welcome to "Afternoon Cyber Tea," Nadav.

Nadav Zafrir: Hey, Ann, good to be with you. Thanks for having me.

Ann Johnson: So, Nadav, you are pretty well known in the tech industry. But for those of you who may be less familiar, can you briefly tell our listeners about your background, how you got your start in cyber, and what has kept you in the industry all these years?

Nadav Zafrir: Sure. Well, I spent the first 25 years of my career in the Israeli military. And most of that was around different aspects of intelligence. I was lucky enough to be in a transformative time where things moved from more traditional single intelligence to the cyber realm. So you know, I'm old enough to be there when the internet just started. And I was a part of a small group in the 90s, towards the end of the 90s, we try to figure out what's going to be the implication of this new technology. I know that it sounds very weird right now. But back then, at least for military purposes, it was very premature. And over the years, I found myself leading larger and more important groups as we understood that everything was moving to digital and everything was moving online. And that every organization or person with every purpose on the planet Earth was going to be using the internet for something. And we didn't call it cyber back then, we called it data operations and stuff like that. But ended up really falling in love with this opportunity to look at how this technology has grown dramatically from the 90s to where we are today. And with that, I ended up in 8200, as you said, which is sort of the equivalent of the NSA for the Israeli military. And I did that until 2013. Until the end of 2013. And when I left the military, it was sort of kind of a natural transition from what I did in the IDF, in the Israeli Defense Forces and 8200 specifically, into venture. Which by then was an emerging phenomenon in Israeli tech. And you know, we started Team8, and you know, I can tell you a little bit more about that if you like.

Ann Johnson: Yeah. We absolutely will talk about that. And one of the hallmarks of Team8 is the Village. And I feel fortunate that you allow me to participate with this community of CISOs and tech industry leaders that you foster. As part of the Village, I've really benefited from all these discussions so I'd love to unpack that and more about Team8. But get your point of view on what's top of mind for the CISO Village. And one topic that I know we're going to talk about, but it's not the only topic, is generative AI. So as you think about the Village all up, can you talk about why you created the Village, what you see the growth and goals of it are, and then we can talk a little bit about generative AI.

Nadav Zafrir: Sure, happy to. When we started Team8 with my co-founders, with Liran and with Israel and Yuval, the idea was what was the magic of short entrepreneurial iterations in a military environment? Some of that makes sense to bring into the venture world. At the core of the idea of Team8 is that we are a venture group and we do make investments and we have LPs and we have all the structure that an early stage fund would have, but the process is very different. The process is ultra-focused. And the idea is that we have our own researchers that try to create a hypothesis about the impact that different technologies, regulations, geopolitical situations, will have on cybersecurity in the future. And then we tried to come back to today, and based on this sort of visit that we had in potential futures, we tried to create a hypothesis about what can we do today to get ready for that future? And this is where the Village is sort of the critical part of what we do. We look at technologies, we look at the future, we have researchers, we have folks that come from the attackers perspective because many of them served in different organizations such as 8200, NSA, and other organizations that work for governments, et cetera. And then different researchers in technology, data, AI, et cetera. The Village brings that practitioner's perspective. And so, we present those ideas, the thesis, the hypothesis about the future, and then different villagers, different CISOs from large global enterprise, start interacting with us. And they give us the real-world benefit of getting the criticism, what's missing, what's going to work, what's not going to work in a very early stage. And based on that, we start coming up with initial ideas of you know what? If this is what the future looks like, here's an idea of what we should be working on today. Once we get some conviction around that, this is where we sort of do a reverse VC act. Where we go out and pitch that idea to potential founders and entrepreneurs. Usually second timers experience entrepreneurs who say hey, you know, we think this is a cool idea to fix something that's going to happen in the near future or sometimes the mid-term future. We validated this with hundreds of our CISOs from the Village. We got initial validation. Are you interested in building a company? We will also bring the money to do it, you know, we'll make an investment. But more importantly, we'll bring all this community that believes in this idea. Some of them will actually become design partners. But only then we write the check. Once we do that, we go into a 12 months validation process, we go through several milestones. And certain select villagers that are passionate about this become a part of this process as we go forward. And as you also know, we also have some formal gatherings where the Cyber Advisory Board, which you're a part of, we come together, we present it to them, we get their feedback. And we do this process repeatedly over the last decade or so. On average, we will start between one to two companies every year.

Ann Johnson: And you've done so well with them, right? And I just -- congratulations, to begin with. And for me, I can say to our listeners, one of the values is seeing things really early. Being able to provide what I hope is helpful input. But also just seeing these incredibly creative ideas with these founders who are passionate about cyber. If you ever lose your energy for this industry, it's a group you want to spend time with. Because they have all these fresh ideas and they're passionate and they're coming to you to tell you how they're going to solve some really hard problems. I always leave the meetings hyper-energized.

Nadav Zafrir: One more thing that I'll add, Ann, is around sort of the things that we're excited about. Things to come to mind. And obviously generative AI's on everybody's mind. You know, I've been trying to think about this in the last couple of months. You know, what is this really going to mean for humanity? And there are different groups that thinks the dystopian future and there's the rosy future. But in some ways, you know, I think if you look at our continuum as humanity and what differentiated us from other humanoids, if you know, it's our language skills. Right? When you think about our ability to communicate through a language, through a human language, that is what sort of differentiated us from other smart humanoids 100,000 years ago, according to the theory, and that led to written language and that led to the printing press, and that led to the internet. And we became more and more connected. And we became more and more, the ability to collaborate, imagine a future and work towards it, you know, from either a positive future or a destructive future. Because obviously we as people will do both. But I think generative AI is sort of another transformative technology that I think when we look at it retrospectively in the future, we will understand that it's probably as big as the printing press or the internet. And in many ways, you know, it defies, you know, if you think about the stories from the Bible. Like you know, the tower of Babel, for example, right? Humans decide that they want to defy this Earth, we want to get to the sky. We want to defy gravity or whatever. And the way God sort of fights that is by creating havoc through creating different languages so people can't understand each other. And in some ways, in technology right now, because we've built stacks of technology over the years with different protocols, different beliefs, different methodologies, there was this sort of inability to connect everyone and every computer. And so I think generative AI's going to have a huge impact on machine to machine, human to human, and human to machine. And we'll have something which is incredibly transformative. I believe that what we are looking at is different timeframes from a cyber perspective. I think that for the short run, when I look at this from the attackers' perspective, I think that attackers are going to be able to leverage generative AI faster than defenders. And hence I believe that we will see more sophisticated and at scale attacks over the next couple of years, unfortunately. Just because attackers are not defined by regulation, et cetera, they move faster, we know that they can collaborate in easier ways. I think once we pass that, I don't know if it's going to happen in the next couple of two years, three years, four years, but at some point, I think we will see an improvement in our ability to use AI to protect organizations. Once we learn how to effectively use AI for cyber defense, for automation, et cetera, so that's sort of one aspect of where we're looking at AI. Is where do we deal with the next couple of years where the advantages on the attack side are going to be bigger than the ones on the defense side? Beyond that, obviously, the obvious questions about trustworthy AI and explainability, all these are sort of fascinating areas that we're looking at right now. And trying to create a hypothesis in bringing in some of the Village members to be part of these thought processes.

Ann Johnson: I love the history. I've been reading a book called "Ancient Tombs and Lost Lives," or something like that from National Geographic. Which is talking about the history of civilizations that we have lost. And all of the things that we're learning about communication skills and tooling, et cetera. But the centuries that it took, right? To get to where we are today. And then to think about just what's happened since the invention of the personal computer and the smart phone and how fast we're moving, and now you have AI. So it takes me to thinking about like my daughter's generation? What is the world going to look like when she's my age? How fast are we going to be moving? And to your point, are the adversaries going to have the ability because they're unconstrained and well funded to move faster than we're able to move? Not just in cyber, but in things like you know, securing food supplies or predictability of climate change and orderly migration of civilizations, right? This next 50 years is going to be really, really constructed by what we can do with things like generative AI. It's going to be interesting to watch.

Nadav Zafrir: Absolutely. And you know, I think that the adversaries will have the upper hand in the short-term. I think that in the mid- to long-term, I think this will, for the most part, be a very positive - I'm talking from a cyber perspective now, you know, it's beyond me to go into other aspects of this - but yeah. It's exciting. And yeah, I mean, it's just this acceleration, I think that if there's a silver lining when you think about long-term, right? So there's a race to powerful AI between different groups and companies. But also nation states. And it used to be a lot around compute power and the sophistication of the algorithms and the efficiency of your storage capability, et cetera. Your access to data, which totalitarian countries may have an advantage over because there's no privacy issues. However, I think that we've come to a point of acceleration and to a point of possibilities where one thing, which is going to be in very high demand, is imagination. And this is where I think the west and liberal democracies actually have a big advantage. And I hope that will enable us to actually have an upper hand both for liberal democracies versus totalitarianism, and also for on cyber defense. Eventually. Because the moral fabric of this also makes a difference.

Ann Johnson: It absolutely does. And that brings us to, when you're talking about liberal democracies and you're talking about the world that we live in today, it brings us a little bit to regulation. Because, you know, we've embraced the thesis that there has to be regulation around responsible AI, privacy, data, et cetera. But regulation can also feel burdensome. Right? To CISOs and other technology leaders and when governments are not as well informed. And they're producing regulation that may not deal with the realities of today. So Team8 recently published this report on regulation. Can you tell our audience what some of the top findings were? And also, what are some of the recommendations to make sure we do it right?

Nadav Zafrir: Yeah, for sure. So look, I mean, I think the report on behalf of Team8 and the Village that basically commend the White House Office of the National Cyber Director on its approach to cybersecurity regulation. And you know, in the request for information, the cybersecurity regulatory, I think the report underscores the significance, you know, of adopting something which is more ballistic and agile. And generally speaking, it gives sort of substantial attention to the CISO community, their concern, and their role in enhancing cybersecurity. And to the best of my understanding on the report, and that we've put out and the fact that we're able to talk to the people that are actually writing the regulation, makes a difference. And at the end of the day, we're looking to harmonize regulations among different regulatory bodies. You know, at least in the United States, we're looking to engage all stakeholders, including technology providers that will shape this strategy. And more than anything else, we believe that they need to embrace an agile regulation to address the current cybersecurity challenges. You know, if the regulation, it has to be more descriptive than anything else. This is the outcome. And less sort of prescriptive on how to do everything. We need to ensure that CISOs have appropriate legal protections. I think that's very timely. We're having this conversation a couple of days after the SEC and the soloist decision. I'm not sure that this is sort of the trajectory that will make us more secure. It may make us more compliant going after -- we don't know the details yet and we will look into them and try to understand what is the accusation all about. But generally speaking, we understand that being a CISO is a hard job, there's a lot of responsibility, there isn't a lot of glory. And I think if we are going to do this with a very tight regulatory system, we're going to find ourselves more compliant but not necessarily more secure. To be honest, probably the reverse.

Ann Johnson: Yeah, because we don't have all the facts and it's early. Here's what I think the government is doing exceptionally well right now. They're really leaning early with the technology companies and with the experts as they form AI regulation, as opposed to regulation being layered on top of something that's already existed in market for decades or years. So I think we're doing it right and hopefully the outcome is regulation that both protects society, right? Protects companies, protects consumers, protects citizens. But also takes into account the reality of the world around us. I think that's just incredibly important.

Nadav Zafrir: Absolutely. And you know, we also need to promote the collaboration and cooperation between the CISO community and the regulators. And that's something that we're trying to do through the Team8 Village. I think for the most part, we're seeing different areas in the government that are welcoming that. And I think it's a good trajectory for everyone.

Ann Johnson: Yeah, I think it's a good trajectory for everyone. So, in this community, which is really why it's so important, right? That you create a CISO community where CISOs can come together. They're under tremendous pressure. They're suffering from burnout. And I want to acknowledge that in the world you're living in today, the user country is actively at war, right? So the stress on the community could not be any greater. And this evolving workshop that you have created, one of the best sessions that I have attended, and I'll tell you this, is the "Happiness" session. I was promoting it to everyone here. Well we went to the CISO event, which we do a lot behind closed doors. But you had this speaker come in and talk about happiness. And I walked out of there and I was like this is something that we need to have this type of session all the time. Because people are struggling. They're struggling in their personal lives. And they have all the stress at work. So can you talk a little bit more about what's so important with this evolving CISO workshop and how you think about the workshop and why the community embraces it so well?

Nadav Zafrir: Yeah. You know, I was actually thinking about the same session. I think it's Professor [inaudible 00:19:14] [inaudible 00:19:14] that we had there from Stanford. And that's his area of expertise. You know, the science of happiness. And one of the things that he spoke about is you know, everybody's aware and you know, it's something that probably all of us have some level of PTSD in our lives, but obviously when you're in a very stressful situation, whether it's personal, company, or like a national level, like we have right now in Israel. But he spoke about PTG, you know, Post-Traumatic Growth. And what that means. You know, I've been thinking a lot about that session in the last three weeks. Especially with the trauma that we went through on October 7th. And what followed. In some ways, I think that the CISO Village and the sessions that we have are about many things. They can be about the coolest technologies that are coming. They could be about exposing what attackers are thinking about. But I think that the two things that are always, where everybody's engaged, it's either on the peer to peer sessions that we always have once a year where CISOs just have the ability to talk about whatever they want. And they do it and it is sort of from now to now, it's spontaneously talking what's top of mind. In smaller groups that we break into. And the other one, as you said, are the life skills that we talk about. Because you know, at the end of the day, this is one of the-- I think, one of the hardest jobs on the planet. There's usually very little glory. It's very stressful. And alternately, honestly, doesn't really matter how experienced you are. How hard-working you are. How well prepared you are. Over time, there's always 100% chance that something will go wrong. You know? And when people get together and share their anxieties and their sadness and their, you know, something magical happens. So it's this peer to peer and the ability to talk about-- openly about one's vulnerabilities and where this profession is going. Because this profession is evolving and changing so fast. So I love those sessions. And I always leave them understanding something about myself, understanding something about my peers, and understanding something about the industry. Which to be honest is probably a little bit more invigorating than looking into a specific zero day and how it came to life.

Ann Johnson: Yeah, exactly. Though that's important. Let's pivot a bit. Let's talk about your business. First, we're also recording this on the heels of, you know, closing a great exit and transaction for one of your companies. But the cyber world in the past, you know, 18 to 24 months has really had a lot of ebbs and flows, the valuations have changed, the price of money has changed on a global basis. Can you talk, I'm going to ask you two questions at once and let you run with it. Can you talk a little bit about how investors are thinking about security today? Where the money is flowing if anywhere specific? And also talk about your business model? You're not the classic VC where you just dump money and put someone on the board and let things just go. You stay very, very actively involved with your model. So I'd love to hear more about that.

Nadav Zafrir: Yeah, you know, I think that the reason, you know, when we started building companies, the Team8 model in 2014. And I remember that somewhere around 2018 we were thinking well, what's there to invent in cyber? So much money, so much attention, so many start-ups, so many acquisitions, so many competitors. Everything is solved. And today, I think that it's never going to be solved. Right? I mean the room for innovation in cyber is going to be just as fast as new technologies emerge. Right? So it went from one trend to another. But ultimately we are going to be more dependent on our digital networks. We're going to be more dependent on our algorithms. We're going to be more dependent on our AI. And as our lights shifted into the digital domain and will continue to change, I think that attackers will find new ways to be creative. Most of the crime has already moved into the digital domain. And so cyber budgets are still going to grow and the problems are endless. If you look at Momentum Cyber's almanac for 2023, we're talking about financing -- in 2022, actually, the financing total, something short of 20 billion dollars and over 1,000 deals. And in 2021, it was higher than that. But the numbers are still very, very high. And I think the ever evolving nature of the cyber threats will keep us in business if we're innovators in cyber. There may be some consolidation into some of the bigger companies, but if you look at the market today, it's a huge market. There's no one or two or three dominant players. It's still quite a large industry that is fragmented into many, many companies. When we did our last CISO event, we also did a survey amongst the Team8 CISO Village in Tel Aviv in June. We had over 100 CISOs representing Fortune 500 companies and more. Cybersecurity budgets, even in 2023, where other budgets have gone down dramatically, for the most part have stayed very, very robust. In fact, 56% of the survey participants reported budget increase in 2023. So I think even in a time of economic slowdown, this is sort of an inevitable budget that will continue to grow. And the last thing I'll say about it is from my perspective, one thing that I sort of think hasn't happened yet is that cybersecurity and its budget will go beyond security. I think that for example, data that is collected in order to stay secure can be used for other areas like operational excellence. I think we will see a merge between different things that are happening now in infrastructure around identity. That will have crossover and dual uses. And so I think at some point, I think we're already at a point where mature enterprise and other companies understand that if you don't have a robust cybersecurity posture and you don't have confidence in your IT infrastructure, you're going to be hurt on the business side because you won't be able to move as fast. And I think going forward it will go beyond that. And we will see that mature, able cybersecurity groups will also be able to support other functions in the organization.

Ann Johnson: So Nadav, for the more established start-ups, right, and company leaders, what advice are you giving them right now as they navigate this uncertainty and this, you know, interesting fundraising situation and exit situation with the IPO market, being almost closed or at least not as attractive?

Nadav Zafrir: Yeah, you know, I think some of it is very straightforward. You know, the first thing is the days of growths, growths, growths without worrying about efficiency are over. So I think even in the early days, you got to be very cognizant of the spend, not just the revenue. Which I guess, around 2021 wasn't as important. The other sort of very straightforward is you want to be in a situation where you're always looking to be at at least 18 months of runway. The other thing that I say is, you know, and we were pretty conservative even in the hype of 2021, is to worry less about valuation and more about having a real solid business that's built on metrics that you start looking at from day one. And then lastly is sense of urgency when you think about your customers. Everybody will be happy to look into something when times are good. And even buy it. When times become harder, the ones that will survive are not just the ones that have the business viability into their business, but also it'll be about sense of urgency. And so when we do our validation processes today with the Village, CISOs, et cetera, it's not just-- well, you know, is this interesting? Do you want to take a look at it? But is this something imperative that you think is eminent for you to have as a part of your tech stack? So that's one thing. The other thing I'll say is that I do think some of this shakeout in the market is actually good news. Because I think companies that have done the right validation, they have the right leadership, they understand that the business side, you know, there's going to be less noise in the market. And I think that's actually a positive. Because it will enable the real companies to get more financing. And do some deeper R&D so that they can actually come up with the real product that their customers need.

Ann Johnson: I think that's right. And as you said earlier, cyber is always going to get funding. It's just a matter of being in the right place and having the right product market fit. I know you do a lot of other investing in fintech and healthcare and in the data spaces. And you know, next time I have you on, we can talk more deeply about that. But I wanted to thank you for joining me today. I'm always an optimist, despite the rise in cyber crime, I believe cyber defenders are more often than not one step ahead of the bad guys. With that in mind, I'd love to hear what your optimistic about in the future and what's your perspective on how we can continue to come together and defend our digital world?

Nadav Zafrir: It's a tough question. You know, I have to sort of talk about this in the context of what's happening right now in the Middle East I believe. We talked a lot about this when we were talking about the War in Ukraine between Ukraine and Russia. And in fact, I think that what we saw was that Microsoft specifically not only showed that they had a core value system. But also found itself literally in the digital frontline in war. Which is almost unprecedented. And perhaps completely unprecedented. We live in a world where it's hard to predict where the next conflict will take place. And there's going to be a total sort of blur between the physical world, the digital world, the geopolitical world, et cetera. And then in the last three weeks, we are fighting a harsh war here in the Middle East. I believe that in the future, and I think it's happening already, we will find ourself as people, as businesses, as nation states, we will need to choose sides, right? And we saw that in the conflict in Ukraine. I think we're seeing some of it in the conflict here in the Middle East right now. And because everything is blurred, I hope that we can create new alliances. Not just around energy, but also around the digital world that are not just based on technology but also based on our core values. For example, when you think about social networks and AI and where fake comes in, we are going to need to make these alliances if we are going to continue to protect our nation states, our businesses, our families, and ourselves. And I think that's sort of where we need to go. I'm optimistic because I do believe that we will be able to gather around some basic rules, some basic values that we share. And ultimately, let me sort of take this one again, as you said I could do that, I'll try this at the end of this again. I think that there is the conflicts that we're seeing around the world, whether it's in Ukraine, in Russia, in the Middle East right now, unfortunately I think we will see more and more of these conflicts. And data and cyber have become an integral part of these conflicts. And data and cyber and technology are not just led by nation states, but by the private industry and large enterprise, et cetera. And the call of action in this kind of world is that not just nation states, but also we as people and our companies will need to choose sides based on our core values. Again, we saw this in the War in Ukraine in Russia. And we're seeing this happening right now in the war in the Middle East. I'm an optimist in the sense that I think that because things have come to such an extreme in different places that I hope people will find it easier to choose sides. And it will understand that it's imperative that they choose sides. And around the digital world and cyber, we will understand that we need to create these new alliances between nation states and companies and people and regulation. And gather around some core values to build a better world for our children. Or at least not let it deteriorate.

Ann Johnson: We are all aligned in that goal. Nadav, I want to thank you. It's always a pleasure to talk to you. Thanks so much for making the time to join me today. I know you have a lot going on.

Nadav Zafrir: Hey, Ann, thanks so much for having me. It was fun talking to you and I hope to see you soon.

Ann Johnson: And many thanks to our audience for listening. Join us next time on "Afternoon Cyber Tea." [ Music ] I invited Nadav Zafrir from Team8 to join me on "Afternoon Cyber Tea" because Nadav has been doing cybersecurity since the 90s. He actually built the cyber command for the Israeli Defense. He is just this brilliant but also incredibly pragmatic and very, very detailed member of the security industry. And it was really a compelling conversation. [ Music ]