The Evolution of Cybersecurity and the No-Code Movement

Fletch
Jul 14, 2021

Want to catch a glimpse of Cybersecurity’s near future and what founders are working on to disrupt rapidly advancing cybercrime?

Take a deep dive with Dan Frye, Co-founder and CEO at Rocketansky, and Grant Wernick, Co-founder and CEO at Fletch, into the evolution of Cybersecurity, the no-code movement, and everything you need to know about Gen 1, Gen 2, and what’s coming in the wave of Gen 3.

Expect amped-up protection for businesses of all sectors and sizes through automated, turn-key, and user-centric products, a revolution driven by re-tooling, and the solution to the talent shortage problem. Watch or follow the transcript below.

Grant: Hey everyone, Grant here.

Very excited today — you’re not just going to listen to me talk about the world of security, how much it’s changing, what needs to happen, and the awesomeness going on around us — you’re going to hear from my friend, Dan Frye.

Dan’s been in security for a long time. He’s evolved the industry, done many cutting-edge things, and moved from being a practitioner to a leader in security to now a Founder and CEO.

With that, I’d love for Dan to introduce himself and share his background. So, hello Dan, thank you for being here with me today.

Dan: Hey, thanks for being here. So, a little bit about me, I was the quintessential 1980’s computer geek. I got my first Atari when I was 3, my first computer when I was 10, and from the moment I got it, I knew I wanted to do computers and this would be my career trajectory.

I got into IT when I was 17, out of high school, went through the dot com boom, and in 2005 transitioned to security because I found a copy of Hacking Exposed in a bookstore. I thought it was cool. I talked to my boss and said we have Firewalls and Antivirus, but I feel like there’s more coming. He said if you want to focus on security, great. So my title changed from Manager of Network Operations to Manager of Network Security, which transitioned me to a pure security role.

I spent about 15 years at the same company building grassroots cybersecurity teams, figuring out what we needed to buy, and building strategy. When I left in 2020, I was a Chief Information Security Officer.

Grant: That’s fascinating. Not many people climbed up the ranks like that. I’ve been thinking about how that drive, curiosity, and self-startedness are the core of cybersecurity, and people tend to forget about that.

People think, okay, we’re going to follow these frameworks and hire people who have these certificates and check these boxes, but cybersecurity stems from curiosity.

Can you spend a minute talking about curiosity [in cybersecurity]?

Dan: You have to hunt for inquisitive talent. The best hire I ever had for forensic investigation was an accountant.

He was used to seeing a bunch of data in very detailed numbers and didn’t have a cybersecurity background. I brought him into an entry-level position, and he was amazing. I turned another guy fixing laptops at the Microsoft store into one of my best Swiss Army Knife guys because of his hidden talent for problem-solving.

I don’t necessarily hire because they have a certification or a cybersecurity background — I think about what talent [a candidate] has that aligns with the objective I’m trying to solve.

It’s hard to step out of the bounds and convince HR that it’s about more than years of experience and the number of certifications [candidates] have — you have to look deeper than that.

Grant: You’ve mentored a lot of people, too.

Dan: Yeah, 10 or 15 or so. I’m still in contact with them, and they’re in security still. It’s great, especially when I’ve started my own company, I can call them up and they’ve been really helpful.

Grant: That’s pretty awesome. If I think about how security’s evolved, you could say you were there in the early days. Yeah, security came out of the government, and various government agencies have been doing it for a long time, but as far as the early days of corporations caring about security — something you and I have talked about in the past is Gen 1, Gen 2, and Gen 3 of security. So let’s step back into the timeline of security. You started at Gen 1; most of your folks started at the beginning of Gen 2.

We’re not at Gen 3 yet, so I’d love for you to outline Gen 1, Gen 2, and Gen 3, what you think those are and where we are today.

Dan: Gen 1 was what I’d call the “raising the awareness” component. You had a Firewall and Antivirus, and that at the time was deemed good enough. You struggled to apply patches, defining phishing — phishing wasn’t even really a thing yet — so you had these evolving threats where the hackers to worry about were the kids in their parents’ basements hacking for fun.

At some point, there was a crossover where [hacking] became a business. I would say now, we’ve moved from small-to-medium-sized businesses to big businesses in terms of cybercrime.

Along with that, suddenly, you had the opportunity for new innovators to bring new products to market, where security became part of the overall thought process. That’s where security has ramped up. While doing that, we’ve left things behind that nobody’s thought of, and one is the labor shortage and the talent gap. It takes a long time to learn security and learn that mindset, and the problems aren’t necessarily technology problems — they’re people problems, like phishing.

Going into the future of Gen 3, Gen 3 is the idea that everything has to be simpler and more integrated. Kind of like the iPhone view of the world. It’s all about sleek design and simplicity. And there’s a lot of complexity in the simplicity.

Grant: Gen 1 was about getting on that command line — there weren’t developed tools. During Gen 2, it started becoming what I like to call “the Great Wall of China”. You bought one of everything because you didn’t know what worked and you have lots of signals and lots of people going through lots of noise.

We’ve kind of created our own problem, with the fast-forward with COVID and everyone moving to cloud and SaaS. Now that smaller companies care about security as opposed to the past when only larger companies did, the systems need to change because not everyone can hire super technical talent. They have to hire people with creative minds, like the accountant.

How do [cybersecurity] products need to evolve, and what do you think the next generation will look like?

Dan: [Gen 3] solutions have to be user-first, or people-first where it’s about the user experience.

One I will pick on is two-factor authentication. We have passwords. They’re insecure, easily broken, people forget them, and they’re somewhat painful to use — but we use them because they’re familiar. Just accessing stuff is becoming a burden. It’s doable, but it’s not simple or fast, and those types of solutions need upgrades not just on the people’s side but even on the practitioner’s side.

With security information event management systems, we spend an inordinate amount of time troubleshooting false positives. We think the more logs, the better. Well…what do we do with them? It was interesting back in Gen 1, where you would gather data and wouldn’t know what to do with it. I call it the “top 10 problem” — there’s no actionability to it.

We’d been getting data for data’s sake with little notion of what exactly we’re supposed to do with it.

Grant: It’s interesting; we’ve ended up in a kind of data swamp coming out of Gen 1 into Gen 2. You captured it well — and I think that’s how people are still thinking. As we move to Cloud and SaaS and the industry changes, [the industry] still has an alert-triage and data-hoarding mentality.

How do we get people to shift their mindset [from alert triage and data hoarding]? What kind of apprenticeship model should we develop, and how do we attract new talent to help change that mentality?

Dan: It goes back to asking “so what?”. If you go back to the early days of information security, hacker ethos is built around curiosity.

How do we bring curiosity out of the existing people in the industry and out of the people joining the industry? [Newcomers] bring a net new perspective as they’ve never experienced the pain of sifting through thousands of alerts just to find one that is actionable.

Leaders spend a lot of time, labor, and cost to improve accuracy. But while going from 20 percent to 55 percent accuracy is a huge lead, you’re still only at 55 percent accuracy…you have to find ways to pull out curiosity and reward it.

Grant: Yeah, I’m pretty passionate about that topic around both automation, having machines doing all the data plumbing, and also about making it easy for humans and nontechnical people to get higher-level answers.

The next generation of technology must start giving answers, trends, and triangulate things for you. Not just be tools. Any thoughts on that?

Dan: The “so what” always caters to the finances of the business. A business’s goal is to generate revenue. So, what are the risks to that revenue, and how much do you have to spend to protect the revenue? Framing it in those terms helps you figure out where you need to spend time, money, labor, and allocation.

Grant: I totally agree with you. So, you’re a founder.

Tell us about the company you’re bringing to life and why you decided to become a founder after many years of being a high-end practitioner and so well-known in the industry.

Dan: The guiding principle for me and my two co-founders is the disadvantage of small businesses in relation to security. Large companies, like big banks, have security budgets of around $250 million dollars. As a small-to-medium-sized business, my budget was $250,000.

The discrepancy between what [large businesses] can afford and what we could afford is large. It was hard to find solutions targeted toward small and medium-sized businesses that understood the labor shortage and the capital shortage.

I want one tool to do a lot of different things in a very automated way to save on labor because if I can’t hire humans to do it, I have to find a machine to do it.

There is a developing small-medium business market with that ethos as the underpinning, so that’s what we set out to build. When we talked about problems, the first we came up with was how hard it is to log in. I hate passwords and pin codes, and in this day and age, we should be able to go to a website, and [the website] should be able to recognize us instantly.

Through talking with potential customers, we’ve found that there are gig-workers for things like marketing and accounting whose machines need to be validated in terms of security. People want to offload certain ad-hoc workflows. That’s what our platform will do — validate the security of machines used by contractors, simultaneously get rid of usernames and passwords, bundle it together, and provide actionable telemetry off of that where you can guide users to patch their own machines or encrypt their devices. It all goes back to labor savings and increasing the overall security footprint of an organization.

Grant: I love your vision and your inspiration for creating your company. An interesting way to sum up what you’re doing, and it’s very much my inspiration around Fletch as well; it’s asking, how do we get creative minds and less technical people to be able to take care of things.

The low-code no-code movement comes to mind. Have you heard anyone say that about your products before?

Dan: Us, no — I’ve heard you mention it a few times, and I’ve somewhat adopted that and used it with others because I think that’s the right way to think about it. In the same way that you have low-code no-code for software development, you also need what I call “lego blocks” for vulnerability management — here’s my lego block, and here’s how it attaches to other blocks. The idea that you’re not reinventing the technology and reinventing the process of how you use the technology is key.

Grant: I agree with you a ton. When I think about where our friends and we are headed, security is in for a treat. A lot of new technologies are coming to life that will compact this talent problem and re-shape an industry that attracts a group of people to want to help fight the good fight around security.

Any parting words of wisdom for those coming into the industry as we enter Gen 3?

Dan: Advice I would give to anybody who’s looking to do a startup or do something is build. Just build.

You’ll figure out what works and what doesn’t, but I don’t think we have enough people building. We have a lot of people consuming. The building is where the fun happens, having been on both sides of the equation, getting out to solve problems and talk to people.

Grant: I couldn’t agree with you more. I’ve spent a lot of time building and building companies and solving hard problems. Dan, I appreciate you spending time with me today. You’re somebody I always turn to for advice and insights. Hopefully, audience, you got a few tidbits of wisdom out of Dan. He is doing many interesting things, and we’ll be following him quite closely as his company starts becoming much bigger.

Thanks so much, Dan, and thanks so much for joining me today. Look for more conversations with Grant and Dan as we cover more topics in cybersecurity together. Great to see you today, my friend.

Dan: Awesome, you too. Ciao.

Originally published at https://fletch.ai.
