34. Ganesh Krishnan, Co-Founder and CEO of Anzenna - on Cyber Security Awareness Training

Hello, everyone, and welcome to another episode of the Security Podcast in Silicon Valley. I'm here today with a very special guest, Ganesh Krishnan, who is the founder, CEO of a security company, Anzenna, which I just learned a moment ago is Japanese for what is it, Ganesh? Safe. Safe.

Ah, that's such a good name. Such a good name. I love the Japanese language. You have a lot of really great experience that you bring to the table, but perhaps you would like to share with our audience just a bit about yourself and what has led you to where you are today with Anzenna.

Yeah, yeah. Thanks, John. Great to be on the show. Thanks for having me on the show.

I have been in the cybersecurity field for the last 25 plus years, long time, and my start to security happened during my master's program at Purdue. When I was a research assistant at one of their cybersecurity labs, that's when, believe it or not, in 1996, I think it was, I got introduced to things like anomaly detection and patch management and all the jargons you still hear 25 years plus later. And that's when I got hooked to it. I got really interested in the field.

Very few people knew what security was back then. And then, post my master's program, I went to work for Intel Architecture Labs in Oregon, where I started as a software and security software engineer, writing device, IP, writing IPsec device drivers for Windows 95 and Windows 98. If you ever heard those, you hear those terms. It's not often you hear about Windows 95.

You mean not in the museum of computer history? In the museum of computer history. Yeah. Those were rampant with security flaws back then.

But now if you had a Windows 95, you couldn't use it and they would be in a museum. Yes. And yeah, and writing device drivers for Windows back then was extremely challenging. There's a system called NDIS.

But anyway, I was writing like IPsec protocol level code and IKE protocol level code. Even that's obsolete these days with zero trust and stuff. So that's how I got my start into the professional career. I was in Oregon at Intel Architecture Labs.

And that's when I was a few years in, I got tired of the rain in Oregon. It used to rain nine months. It rains all the time though, doesn't it? Yeah.

And said, hey, I need to move to somewhere where it's warmer and sunnier. And that's when I started talking to this company called Securify, which was started by Taher Elgamal, who is the guy behind the Elgamal Signature Standard, which became DSA, the Digital Signature Algorithm. And he was one of the early pioneers in Netscape, part of the committee that started out back in the day. So it was actually a security consulting company and had a stint with security consulting in 1999-ish, that timeframe, and was working on security stuff with companies like Yahoo and others and got to really learn about pen testing and vulnerability scanning, things like Nmap and things.

They've existed forever now. So that was a great experience being a software engineer writing device driver. So it was a kind of a dramatic switch. And then one of the companies I worked for was Yahoo and then joined Yahoo sometime in 2001 after the dot-com bust, which probably not many people remember.

That was the biggest tech bust and slowdown ever. And joined as one of the early members of their security team, was doing software engineering security, and then spent nine years and change building the security program at Yahoo. So left in 2010 when companies like Facebook and LinkedIn and others were starting to expand their footprint. Joined LinkedIn to build their security program, their trust engineering, anti-abuse engineering program, and then spent several years at LinkedIn through the IPO.

And then moved to Atlassian. Yeah. Thank you. That's big.

A lot of people aim for that in their careers and very elusive. Yeah. Yeah. Fortunate.

And then moved to Atlassian to run their identity and security engineering programs as Atlassian was growing. And that's when I realized, hey, I've been doing this security practitioner CISO thing for a while. And if I continue doing this, I'll probably grow native. So I have to shake myself and see if I can do something that's completely different.

Yeah. But I was still passionate about the security space. So I ended up starting a company in the cloud security space in 2017 called Avid Secure, which was then acquired by Sophos in 2019. And I was skeptical going into a 35-year-old security company.

It's probably one of the oldest security companies in existence that still does really good business. Just culturally having worked in Silicon Valley and stuff. But I was pleasantly surprised working for Sophos. I had a great time.

I spent three years there after the acquisition and got to work with really good people. Who's co-founder with that? It was a gentleman by the name Nikhil Gupta. Nikhil Gupta.

Yeah. Who went on to co-found another company called ArmorCode. Yeah, that's right. Yeah.

He and I know each other pretty well, actually. That's great. He tried to sell ArmorCode to me at the Care Storage. Ah, okay.

Okay. Yeah. Okay. So it's a small world.

This is a small community, guys. Indeed. It's really incredible. Yeah.

And post Sophos, once you start a company, every problem looks to next bigger. As you probably know. Yes, it does. And so basically left Sophos early last year in 2022.

And then started Anzenna towards the end of last year. And as we were talking, yeah. So that is my story. That is what I've been doing.

And fortunate to have the opportunities I had. Thankful. And thankful that I'm still able to contribute in some way to the industry. Yeah, absolutely.

Not just in some way, but in a profound way. Help our listeners understand, like, what do you do better than anyone else at Anzenna? Yeah. What we do is we figure out how to engage employees on cybersecurity.

And this is an age-old problem that has actually got, continues to get worse. Primarily because the surface area of cybersecurity is expanding and IT itself is decentralizing. So if you look at IT, employees can do a lot more than what they could five years ago. Of course, if not more than 10 years ago.

And so when IT is decentralizing, security is the opposite. It's dependent on a set of experts who are hard to hire, train, and scale. And every risk and vulnerability has to go through them. We need a different system in order to scale that much better.

We need a way for security teams instead to manage the process and the workflow and focus on high-value items versus being in the middle of every single alert and then mediating all of that. So the goal of Anzenna is to go from risk identification directly to surfacing that risk to the employee in question and then working with the employee to self-remediate while providing them contextual training. So what we see happening is security awareness training is broken. That's not a new thing.

Because it's very content-driven. And so this makes it contextual and in the process engages employees. And that's really what you need for employees to take more ownership of their own security posture. So that's what we do at Anzenna.

We get employees to engage with cybersecurity. That's incredible. I've always thought of security as having two types of security people in the world. There's two types of security professionals.

There's the type that will walk into a meeting room and everyone in the room will say something along the lines of, Oh no, so-and-so is here. And they're going to say, Oh, we have to build all of these things and throw all of these strange standards at us. And say, they throw SOC 2 Type 2 requirements in our face. And they're going to push the deadline and we're not going to have our product shipped on time.

All this, all this stuff. And it's like super negative. And then there's another type of security person that I've noticed exists in the world. And I try very hard to be this type of security person, which is like, you step into exactly that same meeting room with exactly the same goals and exactly the same.

Maybe you even get exactly the same outcome. But everyone in that meeting room is like, Oh, great. Like so-and-so is here. They're going to help us like navigate this challenging space.

And we're going to ship a more secure product at the end of the day, even help us break down those complex pieces that over what needs to be in the MVP versus like V1, V2, V3. And achieve our go-to market strategy because all of our customers need to have a strong sense of security baked into our product. And you might actually get exactly the same thing happening as a business in both of those cases. But you're going to have a much better time.

You're going to have a much better experience with that second type than the first type. And at the very...

Yeah. I'm sure that you've bumped into this like multiple times in your career. And you seem like the sort of guy who's that second type of security person. And this is really incredible because it sounds like almost you built a company around that second type of security.

That's right. It's collaborative. It's learning. We're in the same boat together.

Everyone is going to go home and feel good about themselves because we understand the why. And we feel like we're contributing towards something like greater than ourselves. Greater than like just the compliance team and some engineering org underneath some manager, some database team and some like quarter of the company. No.

When you get to work with the security team, it is a joy. That's correct. Yeah. And my best experiences have been when myself and my team have worked with the rest of the company in coming up with solutions to problems.

So security team can say, oh, there's a security problem. Here's what we want to do to solve that. That could work, like you said, to a certain extent. But my best experiences, like you said, have been to take the problem to the right set of people who we think can help solve it.

And actually collaboratively working with them, making them own the problem. And that has pretty much unanimously, universally resulted in a better solution than what me or my team could come. Absolutely. And that is the experience that we need to create for ourselves as security people and for the rest of the company.

Everybody feels good that way. Right. And the right thing happens. And the right thing happens.

The right thing happens quickly for the business because you have the expert in that area of the product focused and owning the problem and resolution. You get to learn a little bit about security. You get to engage with a new team. It's like fun and dynamic.

And I love that you built a company around this. Thank you. Yeah. No, thank you.

You're helping like not just myself because I'm a security leader, but you're helping like everyone in the security community just do the right thing. And I think everyone tries to approach security in this manner. I do have to admit it can be very difficult sometimes. Yeah, it is.

It is. And that is what these are challenging things to productize and take to market and get, like you said, people who are dealing with their day-to-day stuff, get them to use it and embrace it. But that's the journey we are on. And I think the hard problems need to be solved.

Right. There's lots of tools that find new security challenges, new security problems, the new risk. Right. But there's very few tools that will say, okay, how do I help you effectively resolve it and gain credibility within the organization?

Incredible. No, I love it. And I love that there's a product to help us with this. Okay.

So if someone wants to like give this a shot, like someone wants to try it, like you just go to your website, we Google you. We can sign up for a free trial. What's your go-to-market strategy look like? Yeah.

Yeah. So what we have done is you can go and go to anzenna.ai. There's a Try Now.

You can sign up and try. You can try some of our, like one of our simple use cases. And then we can, you can just ping us directly. And then we can basically give you access to the entire product.

And we would love for people to use it and give us feedback and give us their perspective on the different workflows and use cases that we have built around this problem. All the way from basic awareness training to more contextual awareness. Like how do you get your employees to fix certain types of issues? Like security tickets in Jira, vulnerability tickets in Jira, all the way to, hey, there's these OAuth grants that employees keep doing through the IDP all the time.

Those are things that the security team shouldn't be following up or a SOC shouldn't be. Like it should be raised directly to the employee and they should self-remediate. So we have use cases like that you can try. And we'd love for people listening to the show to go sign up and try the product and give us some feedback.

As soon as our recording is all set here, I know what I'll be doing. And so I appreciate everything that has led up to this point. I feel the passion for security. I feel the love, like you have an authentic love, I think, for the problem itself.

And I'm excited to see like what you've built and help us navigate that as a security community that has to work with like other stakeholders, the engineers, the support people, the lawyers, the C-level executives that just need to get the product shipped at the end of the day. And to help navigate that space. As you've been building this thing to help all of us, like what's been your best day so far? The best days are, and I've had several, right?

Talking to security practitioners and CISOs saying, hey, we are thinking of this concept. This is what it means. Does this make sense? Is this solving the right thing?

Is this right? Talking to the second type of security practitioner you mentioned earlier. The second type, yeah. Are my best days.

Right, because people just right now tell me, hey, this is exactly how I want to run my security program. In an open, honest, transparent way where I tell people why I'm doing something, why, and solicit their help and empower them to make it better rather than dictate a set of policies. Amazing. Spectacular.

With all journeys, there's going to also be challenges. And maybe you'd be vulnerable enough and willing to share maybe one of the most challenging days that you've had in your journey as an entrepreneur. Yeah, as you probably know, and whoever is an entrepreneur listening, there are ups and downs all the time as an entrepreneur. You have some up days, some down days.

That's constant. One of the things that stands out to me, again, is talking to customers and potential people who may have good feedback. And unfortunately, one of the feedbacks that I heard is, hey, this is great, but you know what? Employees, you know, we don't really want to trust them when it comes to security.

And that was, I think, the worst part of my journey so far. And I think that leads me to question, hey, if we don't trust our employees, we can't run a business, let alone cybersecurity. So we have to change the mindset. I mean, to devil's advocate maybe a little bit for this person, like maybe they meant it from an insider trust perspective.

Yes. They meant it from this. They didn't trust them to do the right thing. That's right.

And they might be justified in their statement. And I think that's how we've been brought up in security. If you're like 15, 20 years ago, I would probably say the same thing, right? Is, hey, we need to just build around these people, have technology controls and blocks and tackles.

I have experienced over the years that those things are necessary to have default defense and security, like default protections are absolutely necessary. Right. Right. But they're not sufficient.

And you really have to earn the trust of their employees because you can't block everything that they're doing. You can't mistrust them. So there's two sides to the same thing. And that's what people need to realize and need to invest in the people side of cybersecurity to really build a program.

Cybersecurity is not just about technology. It's about people, process, and technology. That's right. That's right.

And people are always first. And I like that you mentioned people first in your list of things. Yeah. What is the company except just a group of people who have gathered together to try to, like, change the world for the better, to solve a problem for other people that other people experience and are trying.

Right. Yeah. And I guess it's unfortunate that there's evil people that exist in the world and security has become a necessity, especially when you're dealing with things like money, personal health care information, or all these sorts of things. Yeah.

And security. Sorry. Oh, go ahead. Go ahead.

So security often gets compared to operations or QA, right? Especially in the development world, right? If you're like a developer-first type of company. And I would say, of course, they are comparable.

But security is way broader. If you think about security, it affects every single thing that a company does. All the way from tailgating for the physical security world to a salesperson accessing Salesforce to a marketing person tweeting and having their Twitter account company Twitter account compromised or whatever. To everything that the company is developing, the products that they're thinking about, right?

Their internal IT technology, right? All of that. So it's way broader. And it's not exactly the same thing, right?

You can't just pin it on the security team. You have to democratize it and you have to say, how can I actually push this out more and more to the people doing it? Yeah. We're all in the same boat together.

And I think it's really important when we think about security and we, as security professionals, we ask for help in achieving security goals from the rest of the org. That we do so from the position of, you know what? I know this is challenging. I know this is a security thing.

But we're all in the same boat together. And we don't want to hit any icebergs. We don't want to hit land. Let's be safe.

And steer this ship out of the storm. And it takes the entire crew. Everyone on that boat plays a very important role. So.

Indeed. That's great. I love it. If you were to fast forward into the future.

And I'll let you decide how far into the future you'd like to share a vision. But what does success really look like for it? And then I. I think that all security teams are the type two.

I think you started out really well. Where the goal of security teams should be to help the company manage its risks. Right. Its cybersecurity and trust and privacy risks.

Right. Not to actually own all of it. And drive resolution to all of it. And that's the cognitive shift that's needed.

And you need the rest of the organization to be behind you to not. And so when we convert every single security team to our practitioner to type two. That's what I've got success. That's amazing.

I love that world. Let's get there as quickly as possible. And you let me know. I can help.

Indeed. Awesome. But it takes a great sense of humility. To walk into a room filled with extremely smart people.

And admit that you don't have all of the answers. And in fact you have very few of them. And that you do need other people's help. And that you do bring something to the table as security practitioners.

We bring that security expertise to the table. But it's not the end all be all. It's a very small piece of a bigger picture. And it's a very important small piece of the bigger picture.

Yeah. We tell our kids all the time to ask for help. But we don't tend to do it ourselves when we need it the most. Isn't that the truth?

Isn't that the truth? All right. Guilty as charged over here. It takes a long time to get.

What was that saying? I heard it was. I'm not young enough to know everything anymore. It's in the journey.

And we have a few young listeners who are like, yes. It's funny because I don't actually get that energy from young folks. I don't. I'm actually really happy with all of the interns and the mentors and the mentees that I've had the great opportunities to work with.

I'm really excited for the future. I have to say. And especially with like tools like Anzenna that you're helping to build. So, you know, it feels like when you're close to the problem, it feels like very big and daunting.

But when you step back and you really look at the bigger picture and you realize that there are smart people and people with high EQ helping move the needle in big ways for everybody. That gets me excited. Yeah. Yeah.

I mean, you look at a taken examples, very specific, right? Let's say you have a company of a thousand people and the security team is probably going to be 10. Just realistically, right? Now, in any company, you'll find supporters, right?

So 20% will actually be supporters. So imagine if you can leverage 20% of the company to help you with your security program. Your team just went from 10 people to more than 200 people. It's massive.

Like even getting part of your organization to contribute to security as this hyperscale notion. Like it takes you to a different level in terms of awareness, culture, and the kinds of things. And I know practitioners do this with security champions and others where they see exponential returns if they can foster that program effectively. Because people who are supporters are proactive.

They'll say, oh, I'm seeing this problem that you may not even know about. And they will come to you and say, okay, let me help you fix it. And that's the best program, right? A proactive program with a strong sense of ownership.

Incredible. So share with us. When you do your own team building, do you have a favorite interview question that you like to ask or something that you like to look for? I generally look for team dynamics.

Like how someone can actually work constructively with other people and whether they will actually fit in with the rest of the team. That's number one. The rest of it depends on what I'm hiring for and whether it's a startup or not. For example, if I'm in my current Anzenna, we are a small company.

So when I do the interview, I'm usually transparent about what an early stage company looks like. Right. So a lot of folks want to work for early stage companies for the learning that it offers. But don't necessarily fully understand what that comes with in terms of uncertainty and the need to embrace risk and the need to embrace uncertainty with everything you got.

Right. Because every day, like you said, is up and down. So it's not like a stable company where you have a six month roadmap or a one day out of your talk to customers all the time and you have to change. Right.

And so that context really depends. So one is just be transparent about what you are getting them into. Then that will help you gauge interest and whether they are really a fit. And second is the team dynamics.

Yeah. I think the rest of it sorts itself out. Yeah. I think the rest of it sorts itself out too.

And that's really interesting. A lot of people talk about red flags and how they look for certain red flags. And if they see one, they will shut it down basically. But not a lot of people talk about green flags where if you see something or you see a quality, you see a characteristic and it's like you get that, I don't call it a warm and fuzzy feeling, but you know when you see it.

And then sometimes you'll fight really hard to make it happen. Do you have any green flags for interviews? Yeah, I think it's hard to pinpoint, right? So when you have a conversation with someone, you get that feeling, like you said, that, hey, you know what, like this could, this could, this would actually work.

And that comes with just how the conversation goes. A lot of times it's also about the question and that the other side is asking, which will, which will allow you to gauge interest. And are they really interested in what we are doing? And that's really important because if they're not, then if they really just want a job or something, then, you know, you have to expect that mediocre performance over time.

No, that makes perfect sense. If you love what you do, you never really work a day in your life. That's right. Hey, if you think about maybe a book or a movie that you watched at some point in your life or maybe something that you read and it really just changed the way that you saw the world.

Yeah. Recently, I read a book, Think Like a Rocket Scientist by Ozan Varol. I would recommend all your listeners read that book. It teaches you about first principles thinking and just how to embrace uncertainty.

Regardless of what you're doing in life, what your profession is, and just get better as a person and in your profession. I think that's a great book. That sounds amazing. That sounds very philosophical.

Yeah, with specifics, right? So the book provides specific examples on what happened in certain NASA launches and how they were successful, but they were really like scrambling in background. Right? Even happens when you're trying to launch a rocket.

So you don't have to be disappointed about embracing those types of things. There's a lot of good lessons in that book. I would recommend reading. Incredible.

I'll have to put it on my list. Maybe this is a fun one. If you could go back in time and you could meet the younger Ganesh. Maybe you were still in grad school or maybe even before then.

Or maybe you're starting your career, launching your career, and you could share with your younger self a piece of advice. Not like what stocks to pay. Like a real, something profound. A pearl of wisdom that maybe you wish you had known or had heard from your older self.

Yeah, I wish I had taken more risks early on in my career. I think I played it too safe. Like joined companies. I did join some startups early in the career, but I felt like I could have, yeah, I could have become an entrepreneur earlier.

I could have let me go explore and be more uncertain. Venture out in the wild. And that's what I would advise my younger self. And the professional journey could have been better.

Again, like hindsight's 20-20. I have no regrets. But that's what I would have done differently is taken more risks. May I ask, and we can cut this if you want, but are you married?

Yes. And at the time, like maybe you think back on your younger self, you were in a position to be able to take risks. Because I know sometimes that will keep some people away as they don't feel like their life is set up in a way where they could responsibly take risks. That's right.

Yeah. So this is the thing that the book that I was talking about gives you some advice on, right? The way to think about that is not necessarily just monetary or something. It's to say, hey, what's the worst thing that happens?

So you try X because you're really passionate about X. Let's say it doesn't work in a year or two. You can always probably go back with those skills to a more stable company and get a gig. And so are you comfortable with that approach in your life?

Where are you financially? And I'm not saying that those things are not important. But people tend to over-index on stability versus passion and risk-taking. Yes.

Yeah. I think that we do tend to overvalue comfort and stability. Yeah. Both of those things.

And I've always found like in my life, when I'm outside of my comfort zone, that's where the good stuff always happens. Like I'm always learning. I'm always growing. It's uncomfortable.

By definition, you're outside your comfort zone. But that's where I've always grown the most. I've been in both like big companies and small companies, just like yourself. And there's just something really special about being pushed outside your comfort zone.

And I think like what terrifies a lot of us is that when you step outside your comfort zone, you know that you're not going to be comfortable. But I think a lot of us maybe worry about being too uncomfortable. And sometimes like if you're pushed too far outside your comfort zone and you're not like aligning your strengths to how the type of life that you're leading, you're not being effective. Maybe you crumble or don't feel like you're putting your strengths forward.

But I've never found that being outside my comfort zone has led me into that type of space. So I'm totally understanding and sympathetic with that entire very sensitive topic because I've navigated it my entire life. But yeah, humans are programmed with inertia, right? It's a simple like there is deep resistance in all of us for change, deep.

And the people who come out of it, appreciate it more, will probably have better experiences in their professional and personal life than the ones who don't. And that's just been my experience. Like different people may have different experience. There's nothing wrong being in your own comfort zone.

Don't get me wrong. Oh, there's nothing wrong with that. There's nothing at all wrong. Nothing wrong with it.

I think it's your individual choice. But for me, like whenever I've come out of that zone, it's when I've felt like, oh my God, this is crazy. But I feel like I feel good about myself. I feel like I'm learning.

I feel that I'm growing. And that's important to me. And if more people did that, I think there'll be a lot more advances. And even in the last 10, 15 years, like there's been way more startups.

And I think that's amazing for society because new things get invented and new things get done. Otherwise, if everybody's in their comfort zone, it's hard to make advancements. That's so true. Speaking of startups, have you bumped into any problems that you just wish someone like would go out there and build a company to solve and solve it the right way and give it the time and the space that it deserves to be solved correctly?

And we have a lot of entrepreneurs that listen to the show. So it's a little bit of a leading question. But you would definitely pay money to solve this problem. Oh, boy.

I was not prepared. Like, I don't have anything that like says, OK, do this. And I will. Yes.

You have no pain points. I do have a lot of pain points. I think one of the pain points I'm solving, if you just stick to security, there are problems across the board. Right.

So I think that more companies need to be looking at how to help people resolve issues than to just identify new issues. I think that's a theme. So I would say if you are trying to think about cybersecurity, think about how to help people fix problems, not just create new ones for them, because there's so many problems already practitioners are dealing with. So that's one.

And there's definitely others that I can think of. Simple things like how do I manage my browser tabs more effectively? I wish Chrome had gone and solved that and made it easier. Like I have three different windows with three different profiles with 30 different tabs on each open.

Sometimes I force myself to close them because I get misorganized. But I wish Chrome would give me an easy way to manage these things or somebody would try to plug it. So someone just like a Chrome manager. Yeah.

Tab manager. Tab manager. Tab manager. I could just use something that if it just expired the tab, like after 20 minutes of not having the thing open and just kept it in the history, that would be perfectly fine because that's what it turns into.

It turns into the history of tabs. That's right. And it's almost embarrassing how many tabs I have. And each one of those things is a process on your CPU that is running and properly segmented for all of the good security reasons.

But that still takes up resources. Indeed. Kills your battery on an airplane. Ganesh, thank you so much for joining me for an episode of the Security Podcast in Silicon Valley.

Thank you so much, John, for giving me the opportunity. It's been an absolute pleasure. I look forward to having you back like when you're a unicorn and going IPO and have all of that great success underneath your belt. Yeah.

Thank you. Thank you for all the good wishes. And I hope we can solve pressing problems for cybersecurity practitioners and teams. And if you want to try the product, www.anzenna.ai, try it and give us some feedback. That's A-N-Z-E-N-A dot com? Dot AI.

Dot AI. Dot AI. Okay. Thank you for cracking me.

Amazing. Okay. Thank you everyone for tuning in for another episode and stay tuned for another one. Cool.

Thank you. Thank you.