Podcast Transcript

Introduction:
You're listening to the RSA Conference Podcast, where the world talks security.


Britta Glade:
Hello listeners and thanks for tuning in for this installment of our RSAC 365 Podcast series. I'm really looking forward to today's discussion in and around Data Care with our guests, Cyndi and Ron Gula. Here at RSAC we host podcasts twice a month and I encourage you to subscribe, rate and review us on your preferred podcast app, so you can be notified when new tracks are posted. And now without further ado, Cyndi and Ron, thank you so much for being here. Can you please introduce yourselves to our listeners and we'll jump into today's discussion?


Cyndi Gula:
Well, thanks so much for the opportunity Britta. We're glad to be here. I'm Cyndi Gula. Gula Tech Adventures currently Managing Partner. Ron and I, who you'll hear in a minute, are voluntarily related and we've been working in the cybersecurity arena for over 25 years. My background is not in computers and it's not in computer science. But I am an engineer and I have gotten into the field through osmosis and I really grew to love the field and the mission and look forward to all the exciting things that we have in front of us.


Ron Gula:
Cyndi you said currently, are you going somewhere that I don't know about?


Cyndi Gula:
Well, we do have the Gula Tech Foundation too but you know, there's a lot going on.


Ron Gula:
That's excellent. So I'm Ron Gula. If you look at my LinkedIn profile, it doesn't say Cyndi Gula's husband or better half or anything like that. A lot of folks out there probably know me as the one of the founders and CEO and CTO of Tenable Network Security. Cyndi and I, this is our third sort of company together. We started an Intrusion Detection Company a long time ago. We were founders at Tenable and now we've been doing Gula Tech Adventures and we focus on investing, philanthropy and some cybersecurity policy.


Britta Glade:
This is great. Thank you so much for being here. I'm glad you're voluntarily related and I'm glad you're voluntarily involved in everything in and around today's discussion because there really is a lot of opportunity and need to change the discussion in and around how we approach data. I know this is a topic that's near and dear to your hearts. Let's start with some baseline definitional discussion to help our listeners get on the same page with you, and then dig into some of the nuances of why this term matters and how it's far more than just two words. And why these two words are key to the future of cybersecurity. So Cyndi, I'll start with you. What is Data Care?


Cyndi Gula:
Yeah, and like I said before, I didn't start in cybersecurity. I didn't start in computers or anything else like that. And so I kept getting asked, how do we get more women in cybersecurity? And it was a very intriguing question because when you look as to why people are not in a particular field or why they're not attracted or even thinking back, I realized that my 17 year old self, knowing everything that I know today would not go into cybersecurity the way it's being sold. And I really had to look and listen and deep dive into myself to figure out what the issue was with respect to that. And it was because we're missing the why. Why would I go into cybersecurity? The way it's being sold sounds like you're going to put the entire world on your shoulders, walk in your hoodie all by yourself, in the basement and work on this problem. And in reality, that's not what it.


Cyndi Gula:
So we really need to figure out how we can change the dialogue and really change the why to tell people or invite people directly to get into this field. And I think the term Data Care is very similar to the pivot that medical field did to healthcare. Once they pivoted the healthcare, it was a lot more easy to see why caring for yourself and being more careful what you eat and exercising was important versus the medical field. And I think if cybersecurity shifts to Data Care, it'll be a very similar, that tells you the why. Why is it important? And it's not saying that you need to be a humongous expert in everything and attack nation states, you can just do yourself, your own issues and protect your own data to start with.


Britta Glade:
So Ron pivoting off of that is Data Care different than cybersecurity? What's the nuance here?


Ron Gula:
I think It's very different. So if you look at the last three major sort of cyber incidents that we had right? We started of late last year with Solar Winds, then we had Colonial Pipeline and now we have the largest vulnerability in the world Log4j. If you talk to any elementary school teacher about any of that, they probably know about colonial pipeline because it impacted them. It was much more personal. So cybersecurity, we live in this bubble. And they might be working... Data Care and cybersecurity might be working on the same problem. But the reason we differentiate them, is we're really trying to reach outside that bubble. We're trying to make it personal to people that not only can they have an opportunity to help with the fight but they have also the responsibility. The same way we're talking about personal hygiene for COVID and wearing masks and getting vacs, you know they have to take care of their data in much the same way. And if they don't have an opinion and pay attention to it, they could get exploited by a number of forces both in and outside the United States.


Cyndi Gula:
And the COVID pandemic has really enabled a lot of great leap forwards in the digital domain. But has also increased the attack factor for cyber criminals and inability to be exposed to cyber crime and ill effects that comes with the internet. We need more people right now are hypersensitive and hyper aware and actually listening because they can see that it's personal to them. What can they do? Small steps, personally to take and improve their data protection, their privacy. The conversations are so much easier to have when it's around the data than it's around the cybersecurity that's somebody else's problem. Somebody else is supposed to be taking care of the cybersecurity. But I can do small steps myself in order to enable that protection without outside help.


Britta Glade:
So Cyndi I want to pivot there because you... And what I like a lot about what your foundation has focused on, it seems like there's individual level responsibilities, right? So it's not, someone take care of me. You know, this amorphic cybersecurity blob, take care of me. But Data Care, it feels like, pulls it to an individual level conversation. If we really embraced this concept of Data Care, how would that look different at that individual level? What would we be doing differently? How would we be thinking, approaching, doing anything differently?


Cyndi Gula:
Well, a lot of it starts with the idea of awareness. And so getting the general public just to understand that and make them aware that it's not about the security of the digital domain, it's about that data. And their data that they're required to give to other people and that they need to transact or do their work online. So we're moving more into the digital domain. And it's very similar when cars came out. When cars came out they didn't have seat belts. Everybody just took the car and they rammed it into a wall and they said, "Hey, this isn't very safe." And then the manufacturers were like, "Oh, okay, that's fine. We'll make it more safe. But you have to pay us to install those seat belts." But once the more public actually started driving cars, they were actually able to come up and say, "Wait a minute. It is not the right mentality if we just secure ahead of time. And it's not an option, it should be built into the vehicle. Then we'll make it more safe."


Cyndi Gula:
But the public had to actually get more involved. It had to be more widespread to use vehicles. And once the public did start demanding, what did the car industry do? They actually started driving their own cars into the wall and proving and showing and demonstrating how safe they actually were. So if we can get more of the public understanding, this is about their data and their ability to transact online. They're going to start demanding security. And that's where we really need to go. Cybersecurity shouldn't be a secondary thought, it shouldn't be an afterthought, it shouldn't be something tacked down later. We need the public to demand security by design so that when they have to transact online or do anything else like that, it should be secure out of the gate. And then also be able to then hold people who lose their data or expose their data accountable. Without this there's a lot of finger pointing, oops, sorrys, here's credit report to protect your data. But it's not effective. We really need that secure by design mentality and really start demanding it from everybody who is requiring online access and ability.


Britta Glade:
Ron, take us a step further there. How does this look different at the organizational level within companies, within how society is set up, within policies that are in place? How does the ripple continue?


Ron Gula:
I'll give you a good example. So we've all walked into a store or restaurant and we've seen the, you know, everybody is checking, Hey, do I need a mask before I go in and stuff like that. I mean, what if there was a sign that said, "You know if you bring your unpatched phone or your unpatched laptop, you can't get wifi access." You know, we are all related and we're all connected. Everybody understands that from a COVID biological point of view. But once they understand that from that we're only 50 milliseconds or so away from each other and all the evil people on the internet, we can kind of think about this more holistically. In organizations, there's a lot of different concepts. There's the cyber poverty line, right? Where if you're above it, you probably have the ability to do hygiene and hunting.


Ron Gula:
But if you're below it, you might not even have hygiene. So some organizations need to invest more money and resources and more people. Other organizations, we want to talk about bringing cyber into the boardroom. And this is a really a great opportunity for minorities as well. A lot of people say, "How do we get more minorities into cyber?" And that's a big part of what we're doing with Data Care. But a great way to do that is to get cyber people from a minority onto board. You're solving so many issues with that kind of focus. That's a great change as well. So we just think a lot of these things need to be a lot more personalized, both at the organization level and at the individual level.


Cyndi Gula:
In addition, one comment is that cybersecurity or the term itself actually has a connotation of policing. And for certain demographics, policing is not a very positive or attracting reason to get into an industry. But additionally, when we are trying to establish best practices, and then it turns to compliance, then compliance is this overarching, Oh, I don't want to do it or it's hard to be compliant or whatever. But if we change the dynamic and the conversation about Data Care, then it's more of a partnership. We're providing how do we then secure the data with best practices through compliance measures. And it becomes a partnership and a responsibility as compared to an overarching onerous responsibility. And again, I think that Data Care helps the understanding of the why we're doing all of this and not just the what, what, what, what. And you will be fined if you don't and you know, anything else like that. There's good reason to have these compliance pieces in place. We just need to invite people to do best practices as compared to being authoritarian.


Britta Glade:
Yeah. It's interesting the power and the weight, that words carry. I think some of which we recognize and some of which not necessarily. And there's going to be a great session. There's going to be a great keynote at RSA Conference from a couple of CISOs about how they've approached within their organization, terminology that's used. How discussions take place in such. And big major changes that have happened as a result of that. And sometimes we know the nuance because it's how we grew up and were sensitive to it. And other places where it's a blindside. And that's an exploration that's going to take place. So I like where you're personalizing this and the change that is affected by that sort of an approach. How did you arrive at this term? Did you coin Data Care? Obviously a lot of thought has gone into this.


Ron Gula:
Yes. If I may, Cyndi coined this. We were having coffee one morning and she came up with that. As soon as she said it, I'm like, "We have to run with this. This is definitely something that will appeal to a large number of people." So yeah, I give Cyndi a lot of credit for coming up with Data Care.


Cyndi Gula:
And you know, you're absolutely right. That words do matter. And that's how and why we need to invite more people into the industry. And it's not just an industry. This is going to be our reality. I mean, digital domain is not going to go away. There's only going to be an increasing amount of things that we are capable of doing. And it's wonderful the ideas and where we can be and plan to be. I mean, flying cars finally. And just other things that we can do automatically. But those things cannot be done in a bubble without protection. And until we've really get the public and everybody doing their part to protect the cure and analyze that data, we're always going to be behind the eight ball and chasing confidence that what we are doing is trustworthy and secure.


Cyndi Gula:
And with respect to the term data, we don't own it. We don't want to own it. We want other people to own it. We want people to personalize it and evangelize it by themselves for themselves in a way that mean things to them that I might not even imagine. That's one thing we've learned with the foundation, is so many people are doing things that I never would've thought but are very productive in hitting an audience that is not being currently served. So Data Care is not something that we own or want to own. We want people out there to take it and make it their own.


Britta Glade:
Yeah. It's interesting how many terms within cybersecurity do have a military lineage, a policing lineage, which works for some. It's a natural, it's a... "Oh yeah, I understand what's being talked about." And others there's a pushback as a result. Or a feeling of, this isn't what I'm about. We have an understanding here, Data Care. We have an understanding of how this nomenclature is important going forward. I know that Gula Tech Foundation, where I'm so honored to represent RSA Conference on the grant committee, you've been doing a lot there. There's two completed grant cycles, there's one that's going to be awarded at the end of January. Can you tell us a little bit about what you've been seeing with this work and what the goals are with the foundation?


Cyndi Gula:
First of all, I have been so impressed and amazed at all of the work and mission of non-profits out there trying to work towards this issue. You know, I've just really been excited personally to see the missions all over the country, all over the world and how people are really starting to shift the focus and realize that it's not just about big corporations. It's not about what money you're going to be able to make with a solution for cybersecurity. The realization that this needs to go beyond B2B and what they're doing to create products is really wonderful because we do need to get the public in the game. You know, Jane Easterly and even I created a blog previously that said, "We're all in this game. We just need to get everybody participating in the game."


Ron Gula:
That's great. So when we started this we got a lot of advice from other people who've done philanthropies, philanthropy work in cyber. And the feedback we got was, you know, really be purposeful. Cause previously we were just donating to one particular course or non-profit after another. So in being purposeful, we named our grants as the purpose. It made it a lot easier for people to understand the problem we were trying to solve. First one we did was increasing African American engagement in cybersecurity. The second one was increasing public cybersecurity awareness. We started branding those things Data Care. And the one we're doing right now is increasing confidence in Data Care. Every time we've done one of these grants, it's been a competition. And we think that's really important, especially as investors. You know, we get to see a lot of different solutions to the same types of problems. A Lot of different efficiencies of how money is spent.


Ron Gula:
Sometimes Cyndi and I have to ask ourselves and our team, is this a non-profit or is it a cybersecurity start-up? But the reality is the competitive nature of this really brings out the best in some of the stuff Cyndi was talking about. All the different people working on these problems. So we're very honored that we can help out and do more than just give a little bit of money. I think, exposing them to the grant committee, thank you again for that. But also getting some publicity. You know, we do a little bit of work with them after they receive the grant and it's just been an honor to kind of help some of these organizations move along.


Cyndi Gula:
One of the things that we didn't actually even expect from the foundation was our Data Care awareness grant, the second grant that we have. The winners of that grant actually get together and they figure out how they can work together. And that will help amplify their message. And that was just a windfall that I didn't expect. And the amount of activity and power that they are now getting to show up their own messaging and feeding off each other. Like one of the winners was specifically for seniors, and so they created a pamphlet and then they brought in the cyber network in the event that a senior did get scammed, where do they go? And how do they move past that? And so just the idea that these non-profits now are working together is just even beyond our expectation.


Britta Glade:
That is great. I love reading and digging in and learning more about the finalists that are put forward and this small, medium and large scale approaches that are being taken. And I love that you're motivating this visibility because all these groups are doing this on their own anyway, right? You're just giving an opportunity for a spotlight to be shown there and some financial incentive, which is no small thing. Million dollars per grant is a major philanthropic investment. But that synergy that comes from them knowing each other and working together, that's pretty awesome. So tell me a little bit about how you're seeing the nomenclature make a difference from a talent recruitment standpoint from different things. You maybe see organizations doing differently as a result of looking at things through the lens of Data Care.


Ron Gula:
Well, it's still early days. And a lot of times when we first meet people who are knee deep in the cyber secure or your universe, their initial feedback is, "Hey, don't take my cyber budget, right? I don't want to lose a cyber budget to something else." But when you look at the talent recruiting problem, when you look at the personal responsibility problem, everybody gets that. And most people start to use Data Care, especially once they talk to a non-cyber person like at the shopping mall, at a doctor's office or something along those lines. What I'm really hoping though, is that Data Care can get more of a movement that can pile on some of the great work the administration's currently doing. Right? We have a lot more awareness in cybersecurity in the federal government right now and a lot more focus on it. But we still have a long way for it to go to reach the same level of awareness as we have, perhaps something like COVID. So we think Data Care is really going to help with those conversations.


Cyndi Gula:
And my conversations with people who are not in cybersecurity, if I'm in a group and they ask me what I do, I say, "Do you have data online that you have an expectation of privacy that you think should be protected and secured?" And when they say yes, then I say, "Well, that's what I do. I help secure that I'm in cybersecurity." Because a lot of times what I noticed, if people ask what you do and you say you're in cybersecurity, their eyes glaze over and they don't think that they have a part to understand because it's so complex and it's so over their head. But prefacing it in a different way you're inviting them into the conversation and you're making it personal. And then they understand and they can relate more. And I think just as an industry, when we constantly say what, what, what, what, what, what, what, what, what we do, we are eliminating a lot of people's interest in the why we're doing it and inviting them directly to help participate.


Britta Glade:
Excellent. So Ron, we were talking earlier and there was some discussion in and around how do things need to be approached from a policy standpoint differently because of Data Care? Do we need different authorities that are looking out for Data Care? Do we need different responsibilities happening there? Organizationally, how do we need to be changing with this lens of Data Care?


Ron Gula:
So I think you're going to see a tremendous evolution of that knowledge in the general public. So two presidential campaigns ago John Delaney for Maryland, he wanted to have a cabinet office of cybersecurity. And that was kind of laughed at then. But if you look at now where we have DHS, we have [inaudible 00:23:08], we have Chris Angles at the White House. We've got the NSA and more proactive. It's like, Hey, that's great. That's that's transforming. But if you compare that to other countries like the United Kingdom or other countries, there's a lot more centralized approach to solving cybersecurity. Being on the defense and the offense and the policy and where do you go. We have a very very long way to go with that. Almost no large commercial agency right now, if they got attacked, calls their local police department. Maybe with the exception of New York City, the New York cyber task force up there is excellent. Really really well funded.


Ron Gula:
We have such a long way to go until we get that at the county level, at the city level, where that capability is out there kind of on per with what we have with healthcare. So we think Data Care can, can help with that. But the other thing that's occurring right now is you have such a proliferation of technology. Everything is being digitized. You can buy feeds it's from space, telemetry from crops and commercial signals intelligence. I mean, everything is being digitized. Every part of your supply chain is out there. The dramatic amount of complexity that we're seeing is really what we need. This is another reason we need Data Care because we don't want to have yet more complexity and more at acronyms and more complex policies for the general public to understand. We need to understand that they've got a role in that.


Ron Gula:
And lastly when you talk about the great nation struggle, everybody says, "We need a whole nation approach and whatnot." But the reality is if you're a citizen, what do you do to stop Chinese IP theft? What do you do to stop Russia from attacking a critical infrastructure, perhaps as a preliminary crane invasion or something like that. The average person doesn't see their role in that because it's such a small thing and we need to use Data Care to make them aware that they can actually have a major impact on those great nation struggles


Cyndi Gula:
And more of the conversations that was big and difficult to have that we all witnessed was the whole entire idea of Huawei. And even just what the conversation is. And if a conversation was, would you want your data to go to a country without your knowledge and without your control? And if the answer is yes or no, then you're on the side of the conversation that you want to be on. Again, explaining the extreme complexity of cybersecurity is one of the challenges and I think Data Care is one way to invite people in, to ask me why, and to get engaged to learn more but at their own reason and realize that they don't have to be experts to participate. And we need everybody to factor authentication, stronger passwords. You know, all of these things that we say, what, what, what we really need to invite and understand the why we need to do all these things


Britta Glade:
Well. So imagine a world where we all get the why. The why of Data Care is pervasive at the individual, at the organizational, at the policy level. What does it look like? How is it different from today? What problems are solved? What opportunities are there?


Cyndi Gula:
10 years from now. 50 years from now, there's been tremendous success.


Ron Gula:
It looks a lot like StarTrack, and it looks a lot like The Jetsons. You know where everything just works. There really aren't a lot of you know... StarTrack, nobody ever got the cards, passwords, it's all biometrics. And it was just all seamless and stuff like that. So that is a possibility of where we go. And my feeling, if we don't get there, those futures look a lot more like Blade Runner. You know, where you've got corporations running everything and the individual really is being exploited on a daily basis.


Cyndi Gula:
Yeah. And as an industry and just in general, things just need to be automated. They need to be easy. Because when things are easy, people gravitate to them and tend to use them again. If we start demanding security by design, we can get to that 10 year Data Care place where we're a lot more StarTracky because there is an established social norm that whatever I download, whatever I have access to, I either interrogate to see if it's secure or somebody stamped it secure and it's invisible to me, but I have the trust. And that's one of the big things is we really do need to build that trust and design things in a way that we can gain the trust, secure the trust and maintain the trust.


Britta Glade:
Awesome. So you'll take us where no man has gone before here with StarTrack, with our Data Care. You've taken the elephant, you've made it eatable with what's being done. There's small steps that can be taken at an individual level, there's additional steps all along the way. But it's doable. This is something that will benefit all of us and the whole of society. And I appreciate the action ability that you two have put in place. I appreciate the philanthropy with the Gula Tech Foundation. I am incredibly in great admiration of all of the companies who have submitted for that and what they're doing and the real passion that they have in really making the world better, which we all have a part in. So thank you. Thank you so much for that.


Britta Glade:
And thanks for framing this conversation today, with how we think and approach Data Care. I look forward to seeing you both at RSA Conference, where you'll be announcing yet another round of winners from a grant competition. And listeners thank you so much for joining us as well. Don't forget to visit rsaconference.com marketplace, where you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. And please keep the conversation going on your social channels, using #RSAC and be sure to visit rsaconference.com for new content posted year round. Thank you so much, Cyndi and Ron.


Cyndi Gula:
Thank you Britta.


Ron Gula:
Thank you very much.