Safeguarding Vulnerabilities
KITECAST - Patrick Garrity
Patrick Garrity has over 15 years of experience spanning various marketing, sales, and product roles for high-growth cybersecurity companies. For this Kitecast episode, he delves into detail on his expertise in vulnerability management.
To start the podcast episode, Garrity discusses the rapid evolution of vulnerability management over the past few years. He notes that vulnerabilities are growing exponentially in both volume and complexity, with over 25,000 new vulnerabilities identified in 2022 compared to just 5,000 several years ago. Despite this growth, many organizations still struggle to patch even known critical vulnerabilities in a timely manner. In response, Garrity emphasizes that organizations need to focus first on addressing externally facing, actively exploited vulnerabilities before attempting to tackle everything at once with their limited resources.
The podcast episode also covers the role of AI and machine learning in vulnerability management. While emerging AI tools show promise for use cases like prioritization of vulnerabilities and automated reporting, Garrity cautions that the underlying data feeding these systems needs stringent accuracy and validation. He advocates leaning on trusted threat intelligence from established providers to help inform data-driven decisions around vulnerabilities and incident response.
Shifting gears, Garrity reflects on seminal lessons learned from his experience rapidly scaling Duo Security before its $2.35 billion acquisition by Cisco in 2018. When asked by the hosts to provide career guidance to others pursuing work in the cybersecurity field, Garrity highlights the outsized importance of continually assessing the market landscape with an eye for evolution. Similarly, he stresses that individuals should embrace openness to filling a variety of roles in early-stage companies as they grow. Finally, Garrity emphasizes the urgent need for sustainable business models in cybersecurity rather than overvalued fundraising built predominantly on hype. Underpinned by this sobering perspective, he still goes on to express optimism about the industry’s overall trajectory thanks to the advent of various “secure-by-design” initiatives.
LinkedIn Profile: https://www.linkedin.com/in/patrickmgarrity/
Transcript
Patrick Spencer (00:02.5)
Hey everyone, welcome back to another Kitecast episode. Tim, how are you doing today?
Tim Freestone (00:07.317)
Yeah, I’m okay. I’m looking forward to the holiday break. Hoping I can get one.
Patrick Spencer (00:12.12)
Now where’s that ugly sweater? That is true. Well, we have a real tree today. Uh, I don’t think we’ve number one ever done a podcast with another Patrick. So it’s going to be very confusing. I’ll try not to answer every one of your questions. Uh, but Patrick Garrity is joining us today. Uh, Patrick, uh,
Tim Freestone (00:16.856)
That’s tomorrow.
Tim Freestone (00:21.252)
Yeah.
Patrick Spencer (00:37.636)
He has over 15 years of experience in various marketing, sales, product roles for high growth, SaaS, cybersecurity businesses. He’s going to do a deep dive into threat management, which we had a chance to do in a few Kite cast episodes, but we haven’t had one in a while. So this is going to be interesting conversation, particularly as we close out.
2023, I suspect you’ll be able to reflect on some of the things we’ve seen take place over the past year. Patrick, prior to his current role, he scaled Duo Securities revenue to $200 million, launching Cisco’s global zero trust strategy and spending out census from the University of Michigan, which we may talk a little bit about. I’m kind of curious to hear how he did a startup, basically using the incubator, I assume, over at the University of Michigan.
Patrick, thanks for joining us today.
Patrick Garrity (01:39.726)
It’s great. Thanks for having me on. I appreciate it.
Patrick Spencer:
Third party risk management’s a big topic for us. And I think it’s been a big topic in the marketplace. You know, where do you see that fitting as an organization and how often do you hear that coming up in conversations?
Patrick Garrity (02:56.086)
Yeah. I mean, I think it’s definitely of a concern, especially when you’re developing software, right? And you have supply chain risks when you’re a federal agency and you’re dealing with national security and you have people components, you have software components, you have hardware. Really, it’s pervasive challenge and problem within every environment. And when you’re working with technology by default, inherently…
that technology you’re using is provided by third parties. So vulnerability disclosure and vulnerability management is very close to managing third party risk, whether you put it in that category or not. So very, very top of mind for many, many different organizations and agencies throughout the world.
Tim Freestone (03:46.693)
Do you see if your customers are actually still trying to tackle first party vulnerability management?
Patrick Garrity (03:53.826)
Oh yeah. Yeah. I mean, both is a big issue. I mean, we’re seeing that right now with some of the, um, you know, different, different supply chain issues and attacks. I think, uh, I don’t, I don’t know what intimately, but I was just reading about JetBrains today and it’s like, Oh, wow. Like, um, software developed in Europe. Sounds like, you know, there’s some Russians involved and you know, that’s a development tool. So we’re actually seeing, uh, you know, attacks and exploits of development.
software very, very common with things like Atlassian, JetBrains and other technologies. Not to pinpoint any vendor per se, but yeah, third-party risk and supply chain is a really, really big issue and concern.
Patrick Garrity (06:47.178)
exploitation has become more pervasive of vulnerabilities, especially on the initial attack factors, right? And so, you know, that’s changed. And so definitely there’s a component of security operations involved, certainly in the rapid response side of it, where we’re talking about like new zero days. But more and more often we’re seeing that, um, a formal vulnerability management role and program is being built by organizations.
or they’re outsourcing that function because it’s such a big, hairy, scary problem in most instances for organizations that like it takes dedicated resources, but that’s a lot different than, you know, your sock and what your sock is doing. So might filter into that, but often there’s a person or people that are responsible for orchestrating and building the vulnerability management program.
that typically I see our director of security, director of threat intelligence, and rolling into the CISO separate of the SOC.
Tim Freestone (07:52.061)
So Patrick and I, I don’t know if you saw this, but we spent a few years at Contrast Security working in the IS space and a little bit of RASP and tackled a lot of vulnerability management problems. And one of the things that we would come up against is just the dynamics between the security team and the development organization. You see that still playing out or is it still a challenge?
Patrick Garrity (08:17.813)
Oh yeah.
Yeah, product security and vulnerability management, right? Like, and they’re just button heads. So I think one of the biggest challenges, vulnerability management teams are typically centered around IT. Maybe some OT in there as well. OT typically operates similar to IT. But it’s typically like your network switches, your Windows devices, your Mac devices, like all these things you buy, right, and you deploy. And the challenge is…
Patrick Spencer (08:20.369)
Speed versus Accuracy.
Patrick Garrity (08:47.29)
Now they want to tackle vulnerabilities in the software build process and when they’re building applications. Yet most of the practitioners don’t have a good understanding of software development and how it works. So they’re like, Oh, give me all your data, right? They get all the data and it’s like, well, there’s vulnerabilities everywhere in your code. And suddenly they just like pile on like, go fix all these things. And the challenge is they don’t understand it. They don’t talk to them.
And in a lot of cases, what they’re sending back is irrelevant for one reason or another. So yeah, I encourage people. It’s like, if you’re a vulnerability management team that’s trying to get aligned with product security, go have conversations and learn about their process and how they work before you just start throwing them things. Because that ultimately builds distrust. And the product security teams are like, do not get involved with our process. We don’t want anything from you. And we don’t want your involvement because you…
don’t understand how development life cycles work. So I think like a very, very frequent problem when I’m talking to vulnerability management teams or product security teams, in that there’s just a misunderstanding and lack of like empathy that the disciplines are different. And I do see a lot of teams in security, even in vulnerability management teams, having expertise with people on their team of product security and then vulnerability management or corporate security.
Tim Freestone (09:50.474)
Yes.
Patrick Garrity (10:16.555)
That tends to work a lot better because they understand the disciplines themselves quite well
Tim Freestone (10:21.453)
Hmm. Interesting.
Patrick Spencer (10:22.508)
Interesting. Well, I know one thing we encountered was the fact that while everyone has open source, only a fraction of certain open source libraries, and I say you’re using one specific library, like 2%, 1% or whatever is actually used in a product. So while that open source library may have five vulnerabilities, none of those may be in your software code because you didn’t use that portion of the software code, right?
Patrick Garrity (10:48.142)
Correct. Yeah. So Vaughn management is going to base that on like CPE or other data, right? And it’s saying you have this within your environment. Well, if you’re not using all of that, then you might not be at risk or vulnerable. And so that’s one of the challenges is like these components, but then all of a sudden you start using that and nothing’s changed. And we said we weren’t using it. So there’s just a big challenge with the supply chain side.
Tim Freestone (11:01.393)
Mm-hmm.
Patrick Garrity (11:17.31)
in development and understanding what components are being used, what is actually vulnerable, and whether there’s risk within an organization’s environment.
Patrick Spencer (11:30.088)
You brought up a point when you’re answering one of Tim’s previous questions that piqued my curiosity. You said you need to measure or understand your vulnerability management when it comes to compliance. We have a couple of questions there, I suspect. The first one is, you know, do organizations truly understand the risk when it comes to compliance within their environments? How do they measure that? How do you guys work with those organizations when it does come to compliance?
Patrick Garrity (11:58.282)
Yeah, so it’s important, you know, if you’re in a regulated industry to follow compliance and federal regulations. So a good example is in the federal government, you have SISABOD 2201, which is also known as SISA’s Non-Exploited Vulnerabilities Catalog. And essentially, they mandated and said, hey, look, like we’re making this list of non-exploited vulnerabilities. If anything is externally facing, you must fix it within a certain time period of days, right?
And so if you’re a federal agency, like you should comply with that. You got to figure out, you know, how you meet those deadlines and timelines, but that’s really important for national security. And then you have other frameworks like PCI where it’s fix everything. That’s within your PCI environment. See CVSS for hire, which is basically like 99% of all vulnerabilities. And so I think it’s just understanding intimately, like in the new regulation, you got to understand intimately.
what your compliance requirements are. But NYDFS, the New York Regulator for Financial Services, just changed their compliance requirements where you have to do active vulnerability management, where before it was just doing vulnerability scans and pen tests. And so we’re seeing a significant change very rapidly in the compliance space, even acknowledging that like, oh, wow, we’ve left our guard down, we’re looking at things, but we weren’t actually prescribing action.
And so we’re seeing a change in regards to action. Now, some of the compliance frameworks I don’t mean to be critical about, but most of them are based on things like CBSS, the Common Vulnerability Scoring System, and using terminology like critical and high. The challenge is that, you know, basically when you use broad terminology like critical, that can mean anything. And so really it’s on the organization’s behalf.
Tim Freestone (13:41.061)
Yup.
Patrick Garrity (13:53.45)
define it, but a lot of organizations are defaulting to the open standard of CVSS. Um, and the reality is, is like, in some cases it’s near impossible to do what’s asked to the framework when using CVSS. So that’s where using, uh, exploit information to determine criticality. Um, and considering recasting what we call vulnerability severity becomes important. Sorry, I’m getting in the weeds a little bit. Um, but it’s important.
Tim Freestone (14:19.757)
No, it’s a good one. It’s also topical. I’m curious. I want to double click on. So what’s the difference between CVSS, which is what I’m used to, the assessment of certain risks, 1 to 10, versus what you just said? And how do companies reconcile it? What’s the other option?
Patrick Garrity (14:40.458)
Yes, so well first off like CVSS is 20 years old. It’s been evolving and there’s a new version, version four, which I’m hopeful is great, but by default it doesn’t consider threat at all. The CVSS space scoring system, which is used by most people, just considers the impact of the vulnerability. So if you take that into consideration, it’s like, oh wow, there’s 25,000 new vulnerabilities this year. Yes, 50% of them are.
critical or high impact. That really doesn’t tell you what things you need to fix. Like that says, go fix them all, but there’s a finite amount of resources in every security program. And I can guarantee, like I look at all of them, like very few, if any, are fixing everything or 50% of everything, right? And so some of the industry research we’ve seen, like Cyanchea, for instance, good friend, Wade Baker and Jay Jacobs, like
An average organization can fix 5 to 10% of vulnerabilities within their environment with the resources they have. So how do we focus on the 5 to 10%? CVSS doesn’t help us solve for that need. And how do we focus on the ones that are highest risk? And risk considers things like threat, whereas CVSS is not. And so at the same time, you can enrich CVSS.
Patrick Spencer (15:38.041)
You know those guys.
Patrick Garrity (16:05.998)
It gets slightly better with what they call the base threat or temporal score. And we have yet to see with version four how much better that gets, but it’s an incremental downshift where you still have to fix a ton of things. And so incorporating things or using a threat to start with from a priority perspective, whether it’s Sysichev, which is open and available and free.
of known exploited vulnerabilities. Like that’s a really good place to start. And then you have new scoring systems like the exploit prediction scoring system, which actually uses knowledge and threat intelligence with machine learning to help you prioritize what they consider to be the most likely, high likelihood of exploitation. And so, from my perspective, like,
we didn’t have those things available a year or two. They’re all newer. 2021 is when both those were first released. So like we have to move away from how we always did everything, we need to move to new standards. And then the third thing I would say is like, you have open, open or not open, sorry. You have commercial threat intelligence like Mandiant, like Recorded Future, like Intel 471. And so those give you a much broader, richer perspective that can help you do.
things and take action and get earlier indicators of threat or risk. And they each have their own different values, but for organizations that can afford those, certainly they’re going to be able to leverage that information and reduce their risk when you can get access to commercial threat intelligence.
Patrick Spencer (17:49.824)
Next generation vulnerability risk management. Obviously there’s algorithms involved. You mentioned briefly AI. Where do you see AI playing a role in terms of, identifying what you actually need to focus on and guiding you there? Algorithms can do that today. If you have the right algorithm, I guess, and the right data to your point, which means an aggregation of it, but where…
Where’s AI going to take us over the next few years, I think?
Patrick Garrity (18:19.302)
Yeah, I mean, I think AI is interesting, but I think we emphasize too much about like the aspect of AI and, you know, not really the use case so much. But for me, unfortunately, like organizations aren’t patching the things that are known. So we actually don’t need AI to solve a lot of the vulnerability program problem. Like people need to fix things with exploitation, right, that are externally facing to start. So there’s a lot of logic and ways within vulnerability
use. I think there’s a risk of like in some ways over indexing that AI is going to solve this problem and like we need to change fundamental processes within our VM program where we didn’t have access to information. So exploit prediction scoring system is based on a machine learning model that helps identify attributes of a vulnerability that’s likely to be exploited. I think that’s an excellent use case.
So I think more and more people should get involved with EPSS. It’s an open standard. The more we can use and leverage open standards to standardize on vulnerability prioritization, the better and the more we can enrich that. So I’m a big advocate for that. As it relates to other use cases, I do think the aspect of information processing, gathering information, providing the right information to be able to take action on is really important.
Um, so I think one of the projects, I think that’s cool. If you look at gray noise, gray noise has sift. Um, and sift is a new, uh, tool that essentially daily summarizes a bunch of information they discover. I think Andrew’s like, it’s pretty good, you know, but like, like that’s the thing with AI is don’t trust anything. Like you need to, to leverage and then validate. So that’s why I like commercial threat intelligence and sources like Sysik have are really important because like.
Tim Freestone (20:08.232)
Great.
Patrick Garrity (20:14.082)
they’ve had people analysis behind them and they’re defensible. Whereas AI is not defensible, but it could help. So I think there’s those sorts of aspects to me that like it’s interesting there’s use cases, but also there’s risk. And it’s just gonna depend on your organization, the tolerance for that.
Tim Freestone (20:32.033)
Yeah. I think it’s. Yeah. And if it, as it evolves, you know, you’ve got the identification, the prioritization, and then the fixing of them. And the more that I kind of, to your point, kind of, we need to solve what’s already known to be fixed. Go the other way. Let’s how do we use it to fix what’s already known, uh, before we do discover new things sort of deal. It’s such a hard, right.
Patrick Garrity (20:55.566)
Yeah. Well, so, yeah, so I think GitHub is a great example with Co-Pilot, like, yes, that can significantly reduce the amount of vulnerabilities in our software development lifecycle early on. So like, that’s an amazing use of AI as it relates to vulnerability management. Most of the problems in vulnerability management, or a lot of them are actually up the river, or up…
the chain in relation to like, oh wow, we have really bad software development processes. That’s why we’re seeing a pile of vulnerabilities. Well, let’s go and fix that problem. Oh wow, we have a lot of Windows server vulnerabilities or Windows vulnerabilities. Like, oh, that’s because we have bad patch management process. Most people have fixed Windows patching, but not all. Mac OS, like kind of same thing. And so…
Tim Freestone (21:46.553)
Yeah.
Patrick Garrity (21:49.942)
Generally speaking from my perspective, we can bucket these things relatively easily to say, hey, do we even have our patch management processes in place for our network devices, Cisco, Citrix, and kind of on and on? I don’t think AI is gonna help too much with that. Yeah.
Tim Freestone (22:01.017)
Yeah.
Tim Freestone (22:07.841)
Yeah, I agree. At some point, somebody has to be process oriented in all parts of an organization and like essentially just bite the bullet and do the work to get people operating in a system with clear objectives and then remediation, checking, validating, just do over, like over and over and over again, you know.
Patrick Spencer (22:07.992)
Bye.
Patrick Garrity (22:18.219)
Yeah.
Patrick Garrity (22:29.91)
Yeah, another interesting use case I’ve seen is reporting. And so I have a lot of people that send me their AI chat bot Vaughn tools. And most of them like, this is just Google search, but it takes longer. Like that’s the reality of like the tools they make. But there are some cool ones. I have a friend that made one that you send an image of your dashboard from your Vaughn tools and it builds a report based on.
So now it’s like taking the visual and it writes up information. And with my data visualizations, I created, I fed it a few and it’s like, oh, wow, it made a summary. My data visualization, that’s actually pretty accurate. So I think like the, the speed in which we can like pull together data, um, with AI tools and augmentation, uh, to human, I think is going to allow us to move quicker, faster, but yeah, I, I. Stay perceived with caution. Cause I use AI a lot in my research. And.
Tim Freestone (22:57.604)
Hehehe
Patrick Garrity (23:27.314)
Nine times out of 10, very quickly, I find the data’s inaccurate and wrong. And maybe that’s just like more model tweaking and getting to accurate, high accuracy stuff, but it’d be very careful saying to AI, like, this CVE, tell me about it. What do you know about it? How should I prioritize it? Because a lot of times that information it spits out is inaccurate. Yeah.
Patrick Spencer (23:50.712)
Yeah.
Tim Freestone (23:53.329)
Just we clicked down a lot on vulnerability management. I mean, how’s the market doing these days? Because I mean, there is, again, back when Patrick and I were at least in the space orthogonally, there was only so much market to be had because you kind of had to be a company with a software factory, which means you had to be relatively big size, large size enterprise, finance, manufacturing, you know.
federal government and that just kept being more and more DevSecOps players and reporting systems in the market with a market that’s finite. I mean, is it changing or more mid-level companies starting to take this seriously or what do you think?
Patrick Garrity (24:38.294)
Yeah. Well, yeah, cause, yeah, you look-
Patrick Spencer (24:39.408)
up with a big spiral of Pope Carey products, right, as well. Go ahead, Patrick. I interrupted.
Patrick Garrity (24:45.006)
Yeah, well, first off, when I joined Nucleus, everyone in 2021 was like, wait, 2022, sorry, a year and a half ago, they were like, why would you join a volume management company? Like, there’s tons of volume management companies that have been around for decades. But there really aren’t any new ones. So that is an opportunity for disruption and doing things a different way. So really, it was a small handful.
Like in most of them, we’re scanning technologies. Like we’re not a scanner. Uh, we ingest qualis, we ingest tenable, we ingest whatever discovery tools you have. And normally in large enterprise, that’s 10, 20, 30 different, uh, scanning technologies or asset management components. And we build an asset inventory and then we layer, layer on the vulnerability information in addition to that. So you get an asset centric view. We’re very cautious of saying we do asset management, but the reality is, is like.
We build out one of the best asset inventories you can find because we leverage all these different sources and pull it in and do that for you because that’s important for volume management. So back in 2021, everyone was like, why would you go into volume management? It’s so saturated. Well, the reality is, is nobody was solving the problem area in which we’re in, which is the rate at which assets, oh, can you hear me now?
Patrick Spencer (26:02.32)
Uh oh. Yeah, we lost him here. He froze. Oh, he’s back. Much. It’s just in the wreck building and then you can blew your internet up. You’re good.
Tim Freestone (26:02.597)
Did you lose him?
Tim Freestone (26:08.245)
Yeah, we’ll edit that out. You froze.
Patrick Garrity (26:12.938)
Is it my internet? Do you know?
Tim Freestone (26:15.545)
I think so. We were fine and you’re back now though. So you can… Yeah, yeah, we’ll edit it, yeah.
Patrick Garrity (26:19.23)
Okay, I can keep on, should I just keep on going or no? Okay, so as the time has changed, assets have grown, the number of products you’re using has grown, the number of vulnerabilities has increased substantially. Like we’re seeing, I think five, 10 years ago, 5,000 vulnerabilities a year, now 25,000 vulnerabilities a year. So the reality is the problem kept on getting bigger and bigger, but something changed 2020, 2021.
Patrick Spencer (26:20.272)
Yeah, you’re good now.
Patrick Garrity (26:49.194)
Right? When COVID hit, we all of a sudden saw a shift in mass exploitation. So the adoption of broader scanning technologies, census spinning out of the University of Michigan, being an example of one of them, gave access to people to see the whole internet in a much different perspective. And then automation allowed them to run attacks of exploits in a very fast manner. And so I think we’re seeing nowadays over the last
two to three years and we see this in Mandiant’s NY’s report is the initial attack factor, like it’s more shifting from credential compromise to exploitation. That’s a debatable thing with Verizon’s DVR, but it’s pretty clear that like the NY’s report for 10 years reported phishing as number one and now it’s exploitation. Like Mandiant’s seeing something changed and I think they’re typically ahead of the pack.
And so from that perspective, I think like, yeah, everyone’s being caught in this scenario of they neglected bone management for the last decade. And now they have to actually figure it out because that’s where ransomware and the attackers are actually leading with, which is a big shift and change from an attack perspective.
Tim Freestone (28:05.869)
Hmm, interesting.
Patrick Garrity (30:27.518)
if you’re a mature organization, you have that or plan projects to do that stuff. But in the meantime, don’t, don’t neglect the low hanging fruit. Um, is more or less like the advice I have to most people because just fixing exploited bonds is going to be a pretty good, uh, you know, aspect of things you can focus on that are tangible that are going to reduce your risk significantly.
Tim Freestone (30:53.269)
Yeah, we, you know, it’s funny, I have the same philosophy and I’ve even been, you know, on stage presenting some perspectives on where the market’s going and cybersecurity, et cetera. And then kind of dovetailing that into the kite works value proposition, but then been challenged on, well, we, you know, we don’t even know where our class or, you know, our critical content is. We, we have to do a classification strategy first. No, you don’t.
You know that the legal team is sending out sensitive information, right? Start there. You know that the finance department has a lot of sensitive information. Just get started and go to the places where you know the sensitive information is and to your point in your domain, the internet-facing information. But it’s so interesting how you can get wrapped around an axle of like, well, there’s all this unknown that I don’t want to start until I figure that all out. When you really don’t, you know.
Just step forward and you’ll get somewhere eventually, right? Just go forward on your cybersecurity strategy.
Patrick Garrity (31:54.594)
Yeah, increment. Don’t boil the ocean. Start with CISSE-KEV, maybe high APSS scores. Then if you get access to commercial threat intelligence and like, oh wow, you get asset involved in that too? Like, cool, great. But, you know, really that’s, you know, my perspective, external attack surface, definitely number one. So grabbing, you know, information on exposure or what has a public IP address associated with it is a pretty good place to start.
And I can tell you from continually being in large scale organization environments, like every time I can point out in literally minutes, like, here’s your externally facing wildly exploited vulnerabilities based on Mandiant Threat intelligence. Where do you think we should start? Oh, it’s only a handful. Cool. Like go get teams to fix that. Uh, I mean, it’s that’s, it’s pretty simple, right? Don’t, don’t try and boil the ocean.
Tim Freestone (32:39.022)
Right.
Tim Freestone (32:45.274)
Yeah.
Tim Freestone (32:49.069)
Yeah. Just because of time here, Patrick, I might fork the conversation a little bit. Yeah, I did want to talk to you about the success over at Duo Security. If I heard correctly, it started at 100K and then the 200 million in revenue, you were there for the whole ride, is that right? How did you do that? How did that happen? Was there anything that happened in the market? Was it?
Patrick Garrity (32:55.436)
Yeah, that’s fine.
Patrick Garrity (33:07.894)
Yeah, yup, yeah, that was wild.
Tim Freestone (33:17.078)
Anything you can point to and say, man, it was these three things.
Patrick Garrity (33:20.394)
Yeah, it’s almost identical to the nucleus. So number one, everyone told me not to quit my job and take a pay cut and go to a startup. They told me that MFA was an existing technology. Everyone I was ever gonna adopt it already adopted it, financial services and compliance regulated industries and that’s about it. And then it was game changing. So.
I deployed RSA secure ID when I was part of a managed service provider myself for customers and it would take 80 hours. I was an account executive at the time and I deployed Duo on a Windows server in five minutes. So I was like, oh wow, like this is going to change the game. And there was a shift in the market where nobody had adopted cloud services yet. So the reality was, is we were selling into accounts that never touched the cloud service and the first one they used was Duo.
So some of our biggest objections were like, oh, you’re a cloud service. Like we don’t know if we can use you. We’ve never done that before. But because we architected to be a layer onto their primary credential and had no data, it actually became a very natural layer on for customers. So those are some of the things at the time from a market shift perspective. And then like, as you’re building the company, I’ll tell you this right now, you start hitting the milestones and you know, early on.
Tim Freestone (35:01.059)
Hmm
Patrick Garrity (35:14.446)
$10 million mark chaos. Like everyone wants to quit. Everyone’s like, this is never gonna work out. But you keep on pushing and pushing and you try different things and you go through different phases of the company and you grow it. And yeah, we were really fortunate to grow to the point where we got acquired by Cisco in 2018. So pretty exciting ride.
Tim Freestone (35:18.53)
Yeah.
Tim Freestone (35:38.821)
Nice. That’s, that is exciting, especially when you come out as a winner. It’s these days, a lot of, a lot of companies on pause with that exit strategy they had three years ago. So.
Patrick Spencer (35:39.898)
Yeah.
Patrick Garrity (35:42.541)
Yeah.
Patrick Garrity (35:49.202)
Yeah, we got a little wrapped up in cyber, not only cyber, but a lot of it from the tech market. But yeah, the reality is just like fundraising at a billion dollar valuation with a few million in revenue turns out to be a really bad idea. And I’m not trying to criticize those that did, but a lot of companies did that. And it’s really hard to ever live up to those valuations is the reality. So you burn a lot of capital.
Tim Freestone (36:03.761)
Yeah.
Tim Freestone (36:10.351)
Right.
Patrick Garrity (36:18.078)
And unfortunately, I think we’re going through a phase where we’re going to see a lot of consolidation, we’ll call it, in the industry. And we started to see some of that, right, but I think we’re going to see a lot more in 2024.
Tim Freestone (36:24.749)
Yeah, yeah, for sure.
Tim Freestone (36:32.025)
Yeah, no, I think a lot of the VC funded companies, especially in cybersecurity are hitting, especially like 40, 50, 60, that’s like a really, really tough springboard to go up into a hundred where you’re not profitable and you’re just burning cash and you know, you’re series E and you know, there’s just gonna be some consolidation is a euphemistic way of saying it, but I agree with you.
Patrick Garrity (36:52.012)
Yeah.
Patrick Garrity (36:58.894)
Well, I think there’s some good things like valuations are back to up in the stock markets at record high. But like, there’s not enough technology companies to acquire the 30 different companies in the cloud security monitoring space that’s new. So I think there is this challenge or problem where you’re going to have independents that stay independent, but they’re going to have to get the profitability. And then you have
Tim Freestone (37:03.909)
They are going to kill you. Yeah.
Tim Freestone (37:17.914)
NNNN
Patrick Garrity (37:27.102)
a few of those companies in a space that are going to get rolled up and acquired, right? To the Palo Altos, the Microsofts, the Googles, the Cisco’s. But I think that’s the reality of the new world is like, there’s not enough large companies to acquire the 3000 cyber security startups. And so that means you have to build for sustainability and you have to be a profitable company to survive the long term as well, which is much different. I mean, I don’t.
I don’t know many cybersecurity companies that were profitable actually in the last two decades.
Patrick Spencer (38:04.12)
You’re right about that. One of the big ones you just named, some of those on that list aren’t probably yet today,
Tim Freestone (38:04.397)
Yeah.
Patrick Garrity (38:09.494)
Correct. Yeah. I mean, you see a lot of companies moving towards profitability, right? Which is good. Mostly how they’re doing that is reducing people. Yep. So I think like being in the industry, you have to be mindful as well. Like you got to lean in to lean operations and how you automate as much as you can and drive it because that’s really the future of tech. And that’s different than just throwing people resources at everything as well.
Tim Freestone (38:19.473)
cutting staff, yeah.
Patrick Spencer (38:21.116)
cutting costs staff.
Tim Freestone (38:36.841)
Yeah. So I, um, right, right. And the fact that threats seem to keep increasing and more and more bad actors and the breaches are getting worse and worse, at least it seems to be that way. It’s, you know, I haven’t seen the hard data on maybe you have it top of mind, like truly what the volume of, of impact of.
Patrick Garrity (38:39.394)
Harsh Reality.
Tim Freestone (39:03.161)
bad actors and threats and the leaking of data and the amount of money that’s being paid in ransomware. I just haven’t spent the time to dial in on that in the past year or so, but it just, it seems like it’s increasing. And let’s go for a moment on the, it seems like, and assume it is, just for the spirit of this question. But last night I watched this movie on Netflix called Leave the World Behind, and I immediately went and looked up some,
Underground shelters because the end of the world is near apparently What’s your thought on all of that? kind of funny
Patrick Garrity (39:40.31)
We’re going into conspiracy theories. Yeah, I think like being in the industry as long as I have really like 2012 when I came to Duo, like in 2013, a CEO got fired at Target for a breach. Like everyone was like, whoa. It really seems like every year there’s a new thing that just gets more extreme and more extreme and you know, more fear.
So I try and balance even my own research of like buying into the like fear-mongering like the world is gonna end Because generally speaking like even after doing this for like a decade plus It still continues to get worse and we still continue to survive and be here So I think there’s a lot of hope in regards to like, you know You have a lot of people trying to do the right thing trying to
Tim Freestone (40:11.141)
Mm-hmm.
Patrick Garrity (40:27.202)
find ways to approach security differently. You have a lot of great initiatives by CISA with Secure by Design. So I think there’s a lot of hope. You see people responding and changing their ways in relation to product security. Generally speaking, I think there is still a long way to go with coordinated vulnerability disclosure, things of that nature, but I’m pretty bullish that the future is pretty positive. I think there’s a lot of…
externalities outside of our control in relation to Russia, China, North Korea, Iran. It is really easy to buy into the fear. I posted some on LinkedIn today about this, but it’s really interesting to buy into the fear side of the story. Reality is, we all need to do our part from a national security perspective, even at an individual business level. The things we’re doing, the security approaches, we’re adopting the tech.
tech, secure by design initiatives, all help and are in the interest of national security. So more and more promoting organizations on, hey, yeah, get your vulnerability management in place, get your identity in place, harden. This is in the best interest of everyone. You’re a supplier to other people around the world as well. That’s kind of how I take it, if that’s helpful.
And I think the more we can share perspectives on how to take tangible, small things from an approach perspective and move forward is just going to be in the best interest and help of everyone. So I’m bullish. No, 2024 is where it’s at. We’re going to do better than last year.
Tim Freestone (41:53.305)
Cheers.
Tim Freestone (42:08.165)
So don’t throw up your hands in defeat basically.
Alright.
Patrick Spencer (42:14.416)
Tim doesn’t need to build that bomb shelter quite yet.
Tim Freestone (42:16.991)
Yes.
Patrick Garrity (42:17.038)
I don’t know, you might, I mean, like, yeah, if you see all the bone data in the world, like you’re kind of like, oh, but at the same time, it’s like, okay, yes, these bones exist, but it’s not the worst thing in the world. Right. That’s why we have incident response teams. That’s why we have security operation centers. We have really smart people in our businesses. And so yeah, I think generally speaking, it’s like, I don’t know, I’m, if I have to live in a bomb shelter, I’m
I’m okay with the end of the world. I like my sunshine.
Tim Freestone (42:48.932)
Yeah, right. It’s a treat. A treat off.
Patrick Spencer (42:52.348)
So Patrick, as Tim noted a moment ago, we’re basically out of time here. This has been a fascinating conversation and a different angle. I’m not talking about the conspiracy theories that we talked about, different angle than the ones we usually covered. So I’m sure that our audience is gonna find this one helpful. Couple quick things before we close. How can our audience members get in touch with Nucleus Security? Just go to your website, I assume, and then get in touch with you through your LinkedIn profile.
Patrick Garrity (43:20.926)
Yeah, NucleusSec.com or you can call me Patrick M. Garrity on LinkedIn. And I’m pretty open. I post content, data visualizations almost on a daily basis, right? So you can reach out to me anytime. Trying to maintain open dialogue and conversation and helping people. And my expertise, of course, vulnerabilities, vulnerability exploitation and intelligence. So always happy to riff with people and connect on this topic.
Patrick Spencer (43:51.196)
Thank you. We appreciate your time. Hey, for our audience members, you want to check out, thank you. You want to check out other episodes of Kitecast, you can go to kiteworks.com slash Kitecast. Thanks for joining us today.
Tim Freestone (43:51.339)
Awesome. Thanks.
Patrick Garrity (43:52.854)
Yeah, thanks for having me on the show.
Tim Freestone (44:05.937)
Thanks.