Jumping in with Battleship | The Cybrary Podcast Ep. 31

Ryan: Welcome everybody to the Cybrary podcast. I'm Ryan, the CEO and cofounder of Cybrary and I am very excited to welcome a new friend to the podcast today, Katelyn L. Connie, Katelyn is the Chief Revenue Officer for Scopedive, a cool company that we're going to talk a lot about that's going to do some really disruptive and neat things in the cyber security space, welcome Katelyn.

Katelyn: Thanks so much, Ryan. I'm excited to be here.

Ryan: Awesome, awesome. Why don't we get started with just a simple introduction. Tell us a little about yourself, your background, that kind of thing.

Katelyn: Absolutely. I came into cyber security, like a lot of people in a bit of a strange way. I got a Russian major in college and then a Master's in Public Health and went into Health IT and decided I wanted to see the vendor side of the world so I went to work for IBM security and got a great education in all things security while I was there, it led me to want to get a Master's in cybersecurity at Brown, which I finished in 2018 and while I was doing this, my husband and I had been talking about starting a business, starting a cybersecurity business so we kicked that off last year in 2019 and here I am.

Ryan: Awesome. That's very cool. It's a background and it's funny, you don't run into too many people who are in the cyberspace and have, you know, have layered on a couple of educational degrees and things like that so that,that's super neat and you must have a very interesting perspective. Why don't you tell us who or whatScopedive is and what you guys are setting out to do?

Katelyn: Well, this is my favorite topic. Thank you for asking. Scopedive is the cybersecurity talent marketplace. We're a SAS enabled marketplace and our goal is to democratize cybersecurity resources and give more organizations access to cybersecurity talent.

Ryan: Gotcha, gotcha and so what will that look like for the company about doing that?

Katelyn: So what we're doing is we're vetting cybersecurity freelancers, and boutique consulting firms and standing behind the quality of their work so that clients who need cybersecurity services, whether this is help with a project like an assessment or pen testing, or if they need something all the way to VCSO services, or even staff augmentation, they can come work with our resources at far lower rates than traditional models would allow for, because we cut out a little bit of the overhead.

Ryan: Gotcha so where did the idea come from? It's a neat mission. Where did, how did you get the concept?

Katelyn: So back in 2015, IBM sent me to a course at Boston University and one of the professors was talking about his book, called the Platform Revolution, and I read the book and then I made everybody, I knew, read it because it really changed my perspective about how platforms are the future and we've already seen that, right? One of the most famous platforms is Uber, for instance, everybody's really familiar with that and I came home and I said to my husband, you know, we really need to think about how we are going to be part of the platform revolution and how can we take this model to cybersecurity? So that was the Genesis of the idea and then we spend a lot of time doing research and thinking about where we could add the most value?

Ryan: That is probably my favorite book of all time and it definitely formed how, up Cybrary as well.

Katelyn: Yeah.

Ryan: and so, I mean, when I came, that book I had come across it through reading the book called Hooked by Near Ayal and Hooked you kinda, it's kind of funny because platform revolution is the macro concept, right?

Katelyn: Yes.

Ryan: This is what a platform or a network, you know, kind of can look like and typically does look like, and then what they can do in a business and in business and in industries and then, Hooked is really the micro. So Hooked is like the, how do you think about now that you have users getting those users to be a part of this more and more frequently? So a phenomenal book, probably my favorite of all time. So

Katelyn: Agree

Ryan: Another good one is The everything store. That's the Amazon Jeff Bezos book. That's a really good one too, to tack on top of those others so I'd recommend that one if you haven't given that a whirl yet, it's a long one.

Katelyn: I haven't read that one yet.

Ryan: Yeah.

Katelyn: Yeah but I'm a big believer in being a lifelong learner, Ryan, and

Ryan: Yep.

Katelyn: I think it's so key, especially if you're going to be an entrepreneur, because you have to keep your mind open to new things all the time.

Ryan: Oh yeah.

Katelyn: You have to be willing to change direction on a dime and really think about you know what is my business going to look like in 10 years because you're building for the future.

Ryan: Yep, yep, I totally agree and that's critical to building a business and it's been the case for us over the years and I can tell you that you will face some resistance from the team at times,

Katelyn: Yeah

Ryan: even though you know that a little bit of a change or a pivot or whatever is the right thing you believe in it and sometimes that can be a little tough, but it's constant change and it's constant speed so good luck on that. Yeah, you have the right mindset for sure. Why don't you tell us who the team is made up of at Scopedive.

Katelyn: So we're a little bit unique in that we were founded by husband and wife team so my husband and

Ryan: Yeah, yeah.

Katelyn: I founded Scope dive, and my husband Awat, quit his full time job last March to found the business. So he was a General Manager at a large power systems company called ABB. He had a global cybersecurity team reporting to him so he really understood operations. What does it mean to own a PNL? How do you lead very diverse teams and he just jumped in full time, last March, and then we quickly had a developer join our team, a fantastic developer who has shipped over 70 products successfully. He's really very versatile and he has also built platforms before. So he really understood this space and our vision.

Ryan: Awesome.

Katelyn: In December, Tim Johnston, who I went to Brown with, I got a master's in cybersecurity with Tim and Tim is such the stereotypical hacker. He's awesome. Tim went and spent a lot of time at the NSA as an endpoint exploitation analyst, and he's really our techie. He understands the technical side of cybersecurity inside and out.

Ryan: Yeah.

Katelyn: and he's our Chief Security Officer and then I came into the business full time just a few weeks ago. So I'm now the fourth person who's full time in the business.

Ryan: Awesome, awesome, okay. Well, that's quite the team power team and there's a funny, there's probably a little bit of a cybersecurity love story mixed into that, but maybe that's for another podcast.

Katelyn: Yes, there is. I will say I, when I got reorged into cybersecurity at IBM and I was really worried at the time, but I definitely fell in love with cyber security and never looked back. I always want to be in security.

Ryan: And you're, you have a husband now who has a similar passion, which is funny so

Katelyn: Yes and he has a similar passion. I mean, we all do, it's really great. We have a fantastic team.

Ryan: Gotcha we'll have to talk through how cybersecurity brought husband and wife together. Let's stay on Scopedive today for sure. So, okay, so you're fairly new to the business, but you've been fully in tune with it since it started I'm sure, so how long has the company been around. Don't you tell us a little bit about the stage that you're at right now, and then what has been probably the toughest challenge that you all have faced to date?

Katelyn: So we launched in terms of starting building the company last March in 2019. So we just hit a year and we officially came out of stealth just a few weeks ago. So we put out a press release coming out of stealth, April 14th and we're really at the earliest phases. We are validating the product market fit right now. We are building out the platform so we have the platform built. We have our early adopters that we're working with and we have an amazing group of cybersecurity professionals who have signed on to the platform to find either independent contractor jobs or if they're boutique analysts and boutique consulting firms looking for projects that they want to fulfill.

Ryan: Gotcha, gotcha and so that, that's probably your first challenge right there then right? Cause you're building a marketplace and so

Katelyn: That's right.

Ryan: How did you guys think about starting the marketplace?

Katelyn: So we did a lot of research into marketplaces because you have a chicken and an egg issue with a marketplace. You have to get two sides going and when you look at the most successful marketplaces, what they all have in common is that they think about the supply side, if you will, of the marketplace first and for us that is really our cybersecurity experts. Those are the cybersecurity professionals who are looking either for a side gig or who want to build a full time business, you know, on their own, as a consultant or for these boutique firms. Getting them signed on, getting them to say, yes, you know, we want to be a part of this mission and this vision was our first hurdle and we went with our gut, because there's not really anything in the market today that is doing cybersecurity, you know, freelancing and really rethinking this model of like, how do you do staff augmentation? How do you do, you know, cybersecurity projects? Do you have to

Ryan: Yeah.

Katelyn: go pay a lot of money for someone at a, you know, very expensive firm or a typical staffing agency that may not know anything about cybersecurity?

Ryan: Right, right. Yeah. That makes a ton of sense. So you, you guys, in your mission, you talk about the cybersecurity skills gap. Why don't you tell us kind of how you define what that cybersecurity skills gap is and then, what do you think has contributed to it, to date?

Katelyn: That's a great question and it's really interesting. I don't know about you. I spend a lot of time on InfoSec, Twitter and I'm sure a lot of your listeners do too.

Ryan: Oh yeah.

Katelyn: And there's a hot debate right now in InfoSec about the cybersecurity skills gap. So this is not a straight, very straight forward at all, but for us, what we see is that there's absolutely a technical gap in cybersecurity.

Ryan: Yep.

Katelyn: These hard technical skills are missing in a lot of organizations. They're hard to come by and typically people that have them are very expensive and they're prone to want to change roles, right? For whatever reason. It may not be a good cultural fit or they may get offered more money somewhere else and it's led to in the U.S somewhere North of over 300,000 or so cybersecurity roles unfilled, largely they're technical.

Ryan: So it makes a lot of sense. We think about that in a very, very similar way. It's funny cause it's like, at least the way I remember it or recall it in the early days when we launched Cybrary, when we talked about the cybersecurity skills gap, they would talk about it from just the number of people like not enough people entering a space and that's a hundred percent true, but we've watched it kind of, as we've brought on more customers and we've talked to more organizations and more CSOs and so on, we see that the skills gap is broader than just that, it's also, you know, not enough people, but also not enough of the skills within the, across the rest of the technical organization, right. So like your coders need to be, you know, they need to code securely all the way to the Dev Ops professionals.

Katelyn: Absolutely.

Ryan: Need Dev Sec Ops capabilities so it's really an everybody thing. So it's monstrous, it's even bigger than I think the early rhetoric on it was. So kind of given that you know, the skills gap may never close, but, so what does closing it really mean to you guys?

Katelyn: So one of the things we think a lot about is the skills gap is also being driven by an education gap. There are a ton of organizations that aren't really grasping how important cyber security should be for them. So cybersecurity is intimidating for a lot of people. If it's an organization that has a small IT staff, hasn't ever really addressed security before, it hasn't ever really faced a big cyber security issue, they don't know that they've had a data breach or something like that then security can feel like something for another day, not mission critical.

Ryan: Yep.

Katelyn: And they may also be tasking some of their current staff like their network manager or a DBA with taking on security roles. So where I see the, really the closing of the skills gap very literally is in your space, right? This idea of training, re-skilling and upscaling people to take on more of the cybersecurity roles within their organizations and we're tackling it very directly from a different angle. We're saying, you know, there are a lot of people that have cyber security skills. Is there a way to democratize those skills? How do we get more people access to the current pool of cybersecurity talent? And for us, the way we really think we can do that is through freelancing and through getting more people access to very good consulting firms, boutique consulting firms that may not have a big brand cachet. They may need someone to stand behind them and say, yes, we'll vouch for you and then they can really grow their business.

Ryan: Yeah, yeah. That's awesome. It makes sense. So it's hard to, you know, hard not to notice, but I'm in my basement, you're at your home in your home office there.

Katelyn: Yes.

Ryan: We're doing this because we're in the middle of this Coronavirus, COVID-19 you know, Pandemic. So I have to ask the question, just given the landscape right now. Katelyn, what are your thoughts on how COVID-19 may be affecting the cybersecurity landscape within organizations?

Katelyn: So, that's a really interesting question that we've been spending a lot of time thinking about too, which is there are immediate impacts from COVID-19 that we're seeing in the very short term and then there will also be long term impacts. Not the least of which, because we could be in this situation in the long term, right. We could be on these lockdown situations going in and out of lockdown for some time before we have a vaccine so what we're seeing happen is this acceleration of some of the things we were paying a lot of attention to already around the future of work, such as remote work, people, working from home, people needing to do very sensitive tasks from home and we're seeing a forced agility, this force flexibility in the work environment right now that I think is actually going to lead for some very good things in cyber security, even though right now, people are still scrambling in a lot of ways. So one of the things that's the immediate short term impact is that when people are working from home, they're more relaxed. In your home environment you aren't thinking I need to be on guard the same way you do when you're in your office. So you're more prone to behaviors that could lead you to, you know, inadvertently being taken advantage of, let's say through some kind of social engineering attack. The other thing that happens is that you're not being protected at home by some multi million dollar cybersecurity infrastructure.Right, you're not within the network of the company and so now we are having people spin up VPNs that they may not have been using before and you know, their shoes sticking together. That's also leading to some critical weakness points that we don't know the long term implications of quite yet though I'm seeing a lot of, kind of just chatter in the security community about, you know, that there's definitely going to be some negative impacts here in at least in the short term.

Ryan: Yeah, no, that makes total sense. I mean, I have a good example, right. Even just for us, for the team at Cybrary. We got forced into this working at home environment and zoom was, is our, we use zoom where, you know, we're on zoom right now and, you know, we started to you know, realize that there are some, there are some vulnerabilities, although they're far less, when it comes to the corporate account with Zoom but the free account was the thing that people started talking about it, but it forced, Mike, our CSO to take a look at what vulnerabilities may exist and, you know, the first thing that was low hanging fruit that he changed almost immediately credit to him was making passwords required, right.

Katelyn: Yeah.

Ryan: To enter into the zoom and so that, that was a setting that we didn't actually have ticked on early on but then, you know, as we kind of spend a little more time figuring out what these vulnerabilities might be, unfortunately realized it and switched it, and I got to be perfectly honest with you, I hate to admit this. Although the risk is incredibly low, given my house is secure. A common practice at Cybrary is to brutally shame someone when they walk away from their computer, with their computer unlocked. So typically what we do is we call it gardening. We'll give them a garden of a terrible picture using the Google image search and so that shames them really quickly like it'd be like unicorns or, you know, Bumblebee tuna, and you'll have all these different, you know, pictures of

Katelyn: Oh my Goodness.

Ryan: these things across their screen and then you lock it on them and then they log back in and they see this crazy stuff. So we commonly preach don't walk away from your computer with it unlocked.

Katelyn: Absolutely.

Ryan: I've done it today. I've done it today. I've walked away from this computer today with it unlocked. Now it's my house but that's just another example.

Katelyn: Right, but your guard's just down a little bit, right?

Ryan: It is your point was very well taken. It is down a little bit. That's scary.

Katelyn: Yes. And so we, what we don't want is for now some of these habits to go back into the office when we

Ryan: Yeah.

Katelyn: eventually can go to our offices.

Ryan: Yes. Yes. Very good point. We'll probably have to make the first, all hands meeting when everybody's back a reminder of security practices, for sure. That seems pretty high priority. So that's awesome. So you have been running a podcast for a little while now

Katelyn: Yes.

Ryan: called security economy. Why don't you tell us a little bit about that?

Katelyn: So, security economy is my second passion. It has been such a fun project and I really decided to start the podcast last December. So I haven't been doing it too long. I came up with the idea I roped in my husband, Awat, who is also my co-conspirator here at Scopedive into the project and we did our first interview in late December. I did it with Matthew Rosenquist on the cybersecurity skills gap. A lot of the things that we're talking about today

Ryan: Yep.

Katelyn: and since then, I've interviewed over 20 people and some of my best interviews are with people who are not in the security community actually and we're talking about things that apply to security that could be really relevant, but getting outside perspectives and the whole goal. My whole story arc is around. What's the future of cybersecurity? How are really big topics like human behavior and technology and money, investment in security. How are those shaping what's going to happen in the whole cyber security space? Because you know, if companies aren't investing in security that can change the path of cybersecurity. If startups are coming up with great ideas around cybersecurity, but no one can find out about them. That changes how we understand security and then there's a lot of emerging technologies happening right now that I'm also talking about in the podcast like AI and blockchain and in quantum computing, for instance, that could drastically change how we think about cyber security jobs.

Ryan: That's awesome, that's awesome and so I think you might've mentioned the name there, but who has been your most memorable guest so far and, and why did they stand out to you as being so interesting?

Katelyn: All of my guests have been wonderful and I learn something every single time I do an interview. I don't know about you, but when I do interviews on my podcast, I feel like, Oh my gosh, I learned at least one thing that I either hadn't thought of, or just really didn't know and really there's two people that come to mind for the podcast that at least made the biggest impression on me. One of them was with Dr. Gleb Saporsky, who's a behavioral economist, and he was talking about how really we can think about behaviors impacting cybersecurity and how do people make decisions? What is the role of your gut to, what is the role of your instinct and how you make decisions and why should you not trust it? No, don't trust your gut is the name of that episode and I really enjoyed that conversation and then another conversation I recently had and haven't published this podcast yet is with Dr. Mark Goulston and Dr. Goulston is a psychiatrist and he wrote a book called Just listen. He does a lot of research into the science of communication and the podcast I did with him was on how can we help cybersecurity practitioners become better communicators so that they can get buy-in for really critical cyber security initiatives within their organizations. This is a problem we hear about all the time that cybersecurity is just not funded and one of the main ways to change that is communicating about it differently.

Ryan: Interesting, interesting. that's funny that aligns pretty closely with, I could see why that would be a great episode. I can't wait to check that one out but there's a gentleman that we've done a lot of work with named Jeff Mann from Security Weekly podcast and Jeff taught a course on Cybrary. I'm honestly not sure if it's still up because it was, it was a couple of years ago and we tend to refresh things pretty often but he did a lot of talks on it as well, like Black hat and some other places called the Art of the Jedi mind trick, because that is a common problem in our space, right?

Katelyn: Yes.

Ryan: Like I hear it all the time. You got to have people who can be able to speak the language at a toned down level yet still come across super credible so that the message actually gets through to security and to technical leadership in an organization.

Katelyn: Absolutely.

Ryan: So that's super interesting, so very excited about you or about Scopedive in the marketplace. Our missions aligned so much.

Katelyn: Yes.

Ryan: You know, when it comes to closing the skills gap. So I'm rooting for you a hundred percent all the way. Why don't you tell us what you kind of see for the business over the next 12 months? Where do you hope to be in about a year from now and what could the company look like by that point?

Katelyn: So the first thing that comes to mind is world domination.

Ryan: Of course, I agree.

Katelyn: So, I can, you know, I

Ryan: That's gonna take 18 months come on be realistic.

Katelyn: Yeah, I think so. I think so. That's

Ryan: At least 18 months.

Katelyn: That's a little bit longer horizon, but you know, like any early founders who, you know, we've really just come out of stealth. We are in the building, building, building mode, right and we get up every day and we think about how are we going to keep building, how are we going to keep expanding our message and continuing to validate the idea and pivoting if necessary and so right now we're really keeping an open mind and trying to be sponges and I see that continuing for some time. I, you know, as I look at my mentors in the entrepreneur community and learn from them, I think that this idea of constantly learning, keeping your eyes and ears open and being willing to maybe take some hard feedback at times is so important. So over the next year, you're just going to see us continuing to grow and building out the vision.

Ryan: Gotcha, gotcha and so our listeners are going to be about the same as the you know, cyber users are going to be about the same type of person as the type of person that would join Scopedive. So who are you looking to specifically to join the marketplace? They're the two sides, who are those two sides?

Katelyn: So on one side we have our cybersecurity experts, let's talk about them first because they're probably closest to your listening audience and really our experts' side. We have so many different types of people with a lot of different skill sets. So our goal is to reimagine how people think about working with cybersecurity professionals and to do that we're onboarding cybersecurity experts from everything from technical writers, people who can write about cybersecurity to people who have deep technical skills themselves like pen testers, like people who want to do reverse malware engineering, and then the compliance side of cybersecurity, who can look at compliance, doing assessments, doing audits and everything in between, you know, all the way up to deep cybersecurity strategy and things like VCSO services. So another area that we've really been focusing on is incident response. We have a lot of people who are really interested in forensics and incident response on the platform. We would love to make incident response more affordable and more accessible for more organizations today, incident response retainers tend to start at $50,000 or more and then if you have to use it, you blow through it so fast and now you're spending $500 an hour on average for help, which is why, you know, organizations sometimes go out of business when they're responding to an incident. What we want to do is make it more possible for a much broader group of organizations to get access to incident responders and that's been a big skill set that we've been onboarding as well. So that's the expert side and then on the client side, we've built the platform for organizations that don't today have enough in house cybersecurity skills. So those tend to be small, to medium sized organizations that are looking for help across a wide array of cybersecurity services and how they think about their cybersecurity budgets year to year may change. So one year they might be thinking about, you know, we really just need to do a NIST assessment and that's all we're going to do this year, and then we're going to do next year we're going to think about getting the budget to remediate some of these issues. So different sized organizations think about security really very differently, and we're perfectly positioned to help those smaller organizations that just don't have the budget to hire all the full time staff they bike. On the other hand, we also are positioned to help large enterprises with things like staff augmentation and coming in to do contract work for a very specific scope for a skill set that may be hard to find. So it's the full gamut of organizations that we're working with on the client side.

Ryan: Perfect. Perfect. I appreciate you spelling out the two sides and who they are because I wanted the listening audience here to be able to say, Oh, wait, that's me.

Katelyn: Yeah.

Ryan: And then reach out to you if need be yeah, to your point. you know, when Cybrary first started off we were really just working with like teeny tiny companies, right. Just small, tiny little sock team here and there and that kind of thing but as we got a little bit of a larger footprint, we ended up really, you know, being fortunate enough to work with large enterprises and so it was at that time when we finally landed our first large enterprise, where we had to do a full blown security audit. Now our VP of engineering at the time was fine with doing that, but we actually did have to go in and build additional features and functionality and in order to serve that enterprise organization for them to even buy from us and so that can that can be daunting because you look at it and you're like, It's going to be really expensive. It's going to take a ton of development time

Katelyn: and so had we had something like Scopedive at that time, we would have had it, we would have had it done in no time and I'm sure way more economically than we did. So yeah, I again, I just appreciate what you guys are doing and I think it's fantastic. So if you're sitting out there and you are a security expert or a budding security expert, yeah. Go and apply to the marketplace side of Scopedive and then if you are an organization, these guys any sort of challenges when it comes to cybersecurity hold on tight cause your solution is coming soon. If it's not, is it already there or is it coming soon?

Katelyn: We have a lot of cyber security experts currently on the platform

Ryan: Great.

Katelyn: and we've been so fortunate to have more applying every day. So if they're not there today,

Ryan: Awesome.

Katelyn: I think they're going to be there soon.

Ryan: That's great. That's great. Well yeah, Katelyn, love what you guys are doing. I think it's fantastic. I wish you all the best of luck in the world with this, I'm rooting for you and if Cybrary can be helpful along the way, you know where to find us. So why don't you tell everybody where they can go? what's the website,

Katelyn: The website is scopedive.com. You can also find us on Twitter @scopediveinc and me personally on Twitter @cyberkatelyn. I'd love to connect with all of you any time.

Ryan: Awesome. Great, Katelyn. This was fantastic. I wish you nothing but the best.

Katelyn: Thanks so much. Great talking with you today, Ryan.

Ryan: Thank you as well. Bye bye.