
Safeguarding Your Company Against Cybersecurity Attacks is an episode from Calavista Conversations by Calavista.
Published Feb 24, 2018.
Calavista CMO Sloan Foster interviews Founder and CEO Mike Shultz of Cybernance, an industry leader in cybersecurity risk governance. Mike Shultz has spent over 40 years in technology, software and cyber security experience managing complex projects and sales programs for Fortune 100 clients. He is recognized for his extensive and in-depth knowledge of all things cybersecurity, risk management, and compliance.

Full Podcast Transcript:

Sloan Foster: 00:32 Thank you for joining Calavista Conversations today. We're happy to have the CEO and founder of Cybernance in the studio with us today, CEO Mike Shultz. Mike has spent over 40 years in technology, software and cybersecurity experience, managing complex projects and sales programs for Fortune 100 clients. He's widely recognized for his extensive and in-depth knowledge of all things cybersecurity, risk management and compliance. He is the founder and Chief Executive Officer of Cybernance, an industry leader in cybersecurity risk governance. Mike's been responsible for the security of massive database programs such as the airline and the TSA terrorists tracking program and insurance fraud. He is a frequent guest speaker at the University of Texas McCombs School of Business and serves on the Cybernance Board of Directors. Hi Mike! Welcome to Calavista Conversations.

Mike Shultz: 01:23 Thank you. And thank you for having me. It's a pleasure to be here.

Sloan Foster: 01:26 Well, thank you for joining us. So Mike, tell me what problem are you solving at Cybernance, and what value are you providing to your customers?

Mike Shultz: 01:37 Cyber risk is becoming better known all the time, and is now one of the three greatest risks to an enterprise according to the National Association of Corporate Directors. The financial risk is massive as most people know. The reputational risk is even greater.
And so our business is based on solving cyber risk from a governance standpoint. Lots and lots of businesses and billions of dollars have been invested in the creation of perimeter defenses for cyber protection. And what we've done is created the internal defenses, the people, policy and processes part of that governance.

Sloan Foster: 02:15 That sounds really great. And you've done that through a technology format through the platform?

Mike Shultz: 02:20 Yes! What we've done is essentially automate in software the process to analyze and assess a company's maturity and resilience to the NIST CSF standard as the National Institute of Science and Technologies Cyber Security Framework, which only shows why they call it the NIST CSF instead of spelling out the whole name.

Sloan Foster: 02:41 And how many other platforms are NIST certified?

Mike Shultz: 02:47 Well, it's a fair question, but it can't be answered directly. So let me just say that this doesn't certify any platforms or anybody's organization. We did, however, submit platform and technology and the company to the analysis by the Department of Homeland Security Safety Act Office. The Safety Act office brings forward congressionally passed laws relative to the limitation of liability of companies in the event of a terrorist or cyber attack on a business. We are the only software that brings the NIST platform into the marketplace. It is approved and vetted by DHS and further than that, they provide liability limitations for our customers up to, and potentially including a hundred percent immunity from third-party liability.

Sloan Foster: 03:41 Which is really big on the market right now. You've heard about all the breaches. Obviously, I shouldn't say you. I know you have. I have. And everyone listening has as well. So I'm assuming that's how you identified this need in the market, was seeing the crazy headlines about all the breaches?

Mike Shultz: 04:00 Well, it was actually before that, we became intrigued by this opportunity. I had been the CEO of a company called Info Glide Software a number of years ago when we sold that company to FICO Fair Isaac. And during the period of non-compete, I began looking at the marketplace and in the business and thinking through the "what's next" piece. And that was at about that time that I read a quote from a speech given by the head of the Securities and Exchange Commission, Luis Aguilar, who said that, in the opinion of the SEC, members of Boards of Directors could and should be held personally liable in the event of a cyber breach. I'd never heard of any government official say that before and it really intrigued me. We began looking at it and we clearly now are in a position where lawsuits are being brought against the management and the officers and directors of companies with names like Yahoo and Equifax and etc. The liability for individuals personally is massive. And the Equifax breach alone, it could be into the billions, that would be with a B, billions of dollars of personal liability.

Sloan Foster: 05:16 It's really very disheartening to think about, but also exciting that there is now a solution out there to perhaps solve that problem in the marketplace?

Mike Shultz: 05:21 We think so, yes. And we're excited to be doing it. I personally have precious little sympathy for companies who don't do the right thing with my personal identity. I've been breached so many times that I can hardly count them. I was breached by the federal government in the Office of Personnel Management breach. I've been breached by the IRS, have been breached by the FDIC, have been breached by Equifax. I've been breached by Experian. So, you know, maybe the right thing to do is to hold people's feet to the fire if they don't do the right thing. And of course, what we're trying to do is help people do the right thing.

Sloan Foster: 05:58 That's really great.
And so how long, once you solidified that idea that there was a need in the marketplace, did it take you to go from idea to execution?

Mike Shultz: 06:06 Well, the first part of the first phase of the process was to define the problem in more detail and begin to define what we thought the overall solution might be. That took about six months. At that point, we then made a decision to outsource the development. And let me just say for me, this is the first time I've ever done that. I've run lots of software companies and I have never outsourced development before. I always thought that was part of my crown jewels. And so going through this process I had to get comfortable with the fact that that made sense. And we looked at several companies, we settled on Calavista, and the Calavista process from beginning to a minimally viable product was about six months. Very fast. I was more than a little bit shocked.

Sloan Foster: 06:55 Pleasantly so?

Mike Shultz: 06:55 Yes!

Sloan Foster: 06:59 And it worked. And as you said, it's one of the first or the first NIST certified platform that's out there.

Mike Shultz: 07:03 That's right.

Sloan Foster: 07:04 So it was a unique field, if you will, greenfield, that you had to grow into and trust your technology partner to do that.

Mike Shultz: 07:10 That's exactly right. And at the end of the day, it was a very good experience.

Sloan Foster: 07:14 Good. How long have your customers been using your solution?

Mike Shultz: 07:18 We've been in the marketplace with paying customers for just a bit over a year.

Sloan Foster: 07:24 How large are your customers?

Mike Shultz: 07:32 They are as small as The Center for Child Protection here in Texas and as big as Northwestern University, Boy Scouts of America. We have 11 critical infrastructure energy delivery companies that are processed through our relationship with the Department of Energy.
So they're very, very big and some that are not so big, you know, the Center (for Child Protection) has probably 80 employees and we're working on projects that have something in the range of 100,000 employees.

Sloan Foster: 08:05 And so ultimately, what is your goal? Mass domination, world domination with this product, or what are you doing? What's your plan for the next few years?

Mike Shultz: 08:15 Well, I've been at this for a long time. This is my sixth time to be a CEO of a technology company.

Sloan Foster: 08:20 Congratulations! I guess?

Mike Shultz: 08:28 You'd think I'd learn, but maybe not. So it's not about world domination and it's not about becoming rich. It's about building a business that makes sense, contributes to the business community. We're creating a great place for our employees and our partners to work and be engaged and I know that sounds sort of a little bit too philosophical, but that's actually the truth. That's what we're trying to get done.

Sloan Foster: 08:54 That's probably what you learn after many times of being CEO, what's really important, right? Do the right thing. And the right thing will happen.

Mike Shultz: 08:59 Yeah. And the rest of it will take care of itself. We believe very strongly that the cyber risk to our economy and our country is really, really substantial. And if we can do something to help with that in a meaningful way, that's all by itself was a good thing. If we do those things, everything else will take care of itself.

Sloan Foster: 09:23 That's great. Do you have any idea of how many risks you've prevented so far with this or with your platform? Are you able to articulate?

Mike Shultz: 09:38 Don't know, I wish we could. If you think about the level of breach activity in the and the rate at which it is increasing. We could extrapolate all kinds of crazy numbers, none of which I could justify, but if you consider the growth of cyber breaches and the number of events that are now logged.
Folks that keep track, IBM, Ponemon Institute and those, we're in the thousands and thousands of breaches a year now and it's getting worse.

Sloan Foster: 10:05 They find a way in, it seems like.

Mike Shultz: 10:05 Yes.

Sloan Foster: 10:05 So you said that you've been in the market for a year and all your clients have been using just over a year. So you've seen quite a bit in your 40 years, as you said, several times a CEO, what ultimately made you decide to outsource the software and times when you haven't before? What was a deciding factor for you?

Mike Shultz: 10:27 Well, there were a whole set of criteria that we thought through as we were making the decision. The first is to determine whether we want to stand up a development organization, hire people, and all of the bits and pieces that go along with that. Our application was relatively straightforward and we didn't necessarily need to hire people with great expertise in a very specific area. We were going to be involved in more general sorts of applications with some need of some specialty capability in the area of user interfaces with an example, and also in the area of database design and database management. So rather than building a large and expensive organization, it made sense for us to outsource the development to get what we call a minimally viable product. That's a product that we could sell to somebody for money, which is different than giving it to them.

Sloan Foster: 11:31 Right, important when you're a company?

Mike Shultz: 11:32 Yes. Yes. Sell it to somebody for money and actually stand behind the product. So as we moved forward, the leadership at Calavista was known to some of my partners and we spent some time not just with Calavista but with several other businesses and other competing companies and concluded that the expertise that was nested within Calavista.
This is going to sound a little bit silly, but their approach to the business was such that, I've got very comfortable with how they work. If you ever go visit Calavista, there's this crazy little tagline that they have, it says 'no drama!'. And you go yeah, right, no drama and you keep going. But the fact of the matter is software development is chock-full of drama and anything that starts off by saying we're going to try to minimize drama, that's probably good. Drama is things like surprises, bugs, slipped events and schedules. All of those things create drama. And so for me, spending time with Lawrence and then thinking about the no drama piece and the level of expertise that they have on staff. It made it easier for him to make that decision. I got very comfortable.

Sloan Foster: 12:54 Yeah, it is. It's interesting how many things have drama in it when you're starting a company and as many things as you can minimize that drama with a better off to get your idea and product to market faster. Let the people do what they do well and keep that drama out. So as Cybersecurity, you mentioned there are thousands of breaches a year. It's an evolving problem/industry and there's a lot of quote "solutions" coming out on a consistent basis. How does Cybernance maintain the lead in this continuously changing environment?

Mike Shultz: 13:22 Several ways. Clearly, it's an ongoing challenge that isn't going to change. The interesting thing is that we approach the business from a little different vector. Most businesses involved in protecting organizations from cyber threats are focused on the external threats, the perimeter defenses, and that's about building the walls higher and the moat deeper. As it turns out, north of two-thirds of all breaches over the last couple of years have not been external threats, but have been failures of the internal defenses and that's where we focused.
So we focused on the application of the NIST CSF standards internally, and that's about managing the people activities, the policies, and processes within the company. That has the single most significant effect on protection from breaches. So first and foremost, the vast majority of the investment in cyber protection has been externally. And so we have less competitive threats to us in the space that we've chosen to be in. The second is that the application of the standards has given us a substantial leg up because it isn't a Mike Shultz and his band of merry men saying that this is the right thing to do. This is a standard that was created, funded by the federal government, but quite wisely created with the input and constant evolvement of thousands of contributors from government, industry, and academia. It's a constantly evolving standard as risks become better understood or appear on the scene. So we're able to continue to evolve with the standards so that we are rock solid on what we're standing on. This is not an opinion, these are the standards. This has become the gold standard for cyber governance. And so that's us. The other piece is we have a continuing relationship with our partners, Calavista, of course, being the leader of those, where we're involved in constant improvement, continuous improvement cycles. So we're able to continue to adapt the software and the application to the marketplace's changes. And we continue to do that, as an example the NIST organization and other organizations who have specific standards around industry or technical needs, like healthcare information that's governed by the HIPAA standards for cyber. Through the team at Calavista, we developed crosswalks between NIST and Health and Human Services so that we can automate the HIPAA standard within the standard that we already have.
We've done that also with a standard around financial institutions called FFIC, but we're also in the process of adding additional standards to the basic platform that include the New York Department of Financial Services standards, the International Standards Organization, ISO 27001 and et cetera. So we're able to very quickly respond and react to the marketplace as additional standards and additional crosswalks occur. So we're always at the very edge of what's available.

Sloan Foster: 17:05 That is actually quite impressive that you're meeting all of those different standards in those different market segments kind of through NIST and through those partnerships.

Mike Shultz: 17:15 It's a fascinating challenge! Back to the question you asked me earlier, why did I elect to outsource versus build a development team internally. As we move rapidly to face competitive threats and to make sure that we are always at the forefront, the ability to access a large organization with multiple capabilities and teams allows us to have a Chinese menu. You get egg roll and we can get, we can get user interface people, we can get database people, we can get additional testing people, that begins to match our need as we're developing product and moving into the marketplace. So that's a key part of our success is the ability to be able to depend upon our partners to help us stay at the forefront.

Sloan Foster: 18:10 Keeps you nimble.

Mike Shultz: 18:11 Sure does.

Sloan Foster: 18:14 And we know that's critical to business success in this day and age, right?

Mike Shultz: 18:15 That's right.

Sloan Foster: 18:17 Adapt or die, I think they say. Is that right?

Mike Shultz: 18:20 Yeah, I say it because I'm a lot older. I say things like, don't pour concrete.

Sloan Foster: 18:24 There's a saying for everything. Right? So as a serial entrepreneur and seasoned one, I'm sure you have experiences that others may benefit from.
What is your number one lesson you would want another founder to hear if they were thinking about doing something in the market, any market?

Mike Shultz: 18:40 You'll hear people talk about cash, cash management and cash in your hand as being really important and I would suggest that they're wrong. It's not really important. It's way more important than that. So be careful about building large organizations, be careful about investing in things that don't bring you immediate results, but the marketplace is so tuned to providing specialty services and special capabilities that you don't need to build a big organization today. It's as simple as I can time slice my car by using Uber. So I need to, do I need to buy a car, do I only need to use Uber to get to where I want to get to? The same thing is true in office space, in compute capability and it even comes down to software development. I time slice software development by not building a big organization, but instead of buying the services that I need at the time that I need them and it helps me manage cash. And so I'd say that the number one issue for me is figuring out how to get your job done on the minimum dollars that it's going to take to get there. Then just manage that cash really, really hard.

Sloan Foster: 19:56 Great, that is a good motto. Right time, right action at the right time. Right? And that helps with that.

Mike Shultz: 19:59 That and the first guy who suggests that you put your name on the building outside. Fire him.

Sloan Foster: 20:06 That's a good one too. So I'm kind of wrapping up, if a company wanted to use Cybernance, how would they find you? How would they engage with you? What does that process look like?

Mike Shultz: 20:18 We provide our capabilities both on a direct basis and through reseller partners. If we're back to today's world and only spending money on things that you should spend money on, we're really easy to find.
If you just type cyber governance into any search engine, you'll find us. We're relatively well known in that part of the world. You also can find us through our partners and obviously our website is readily available.

Sloan Foster: 20:51 And that's

Mike Shultz: 20:51 Precisely.

Sloan Foster: 20:59 Okay, great. Anything else you'd like to add today about Cybernance and the wonderful things you guys are doing?

Mike Shultz: 21:04 It's a great run. I'm sitting here now after having our first birthday some time ago and installing our platform for customers. We're a SaaS business and so we work on annual renewals. And this will give you a sense of the quality of the offering that we've presented, and kudos to my dear friends at Calavista, we have a hundred percent renewal rate.

Sloan Foster: 21:33 Congratulations! That's awesome!

Mike Shultz: 21:33 Thank you!

Mike Shultz: 21:40 I need to be doing business with more people, but that obviously never changes. I don't know if I would have believed a year and a half ago that I'd be sitting here today saying that a hundred percent of our customers have renewed. That's a pretty big statement about the quality of what we're doing.

Sloan Foster: 21:57 That's a huge statement. I mean churn rate isn't as a part of every sales conversation that I'm in, especially coaching startups. So congratulations to the one year birthday and to the 100 percent renewal rate! Both of those are very big successes and we need to celebrate success big or small. So congratulations and thank you very much for your time today. If you need more information about Cybernance, again, Thank you.