Eleanor Dallaway sits down with entrepreneur and Resilient CEO & Co-founder, John Bruce, to talk acquisitions, certification, artificial intelligence, and cyber-insurance.
Resilient was acquired by IBM in April 2016. What does the acquisition mean for Resilient and for its employees?
Well, with the exception of a couple of people, everybody stayed, and we’ve added an additional 40 people in five months and continue to add them, with vacancies in Europe, APAC and the US. Generally, our employees are finding the acquisition positive.
With an acquisition, you never know how the cultures will blend, but we had a long relationship with IBM before we signed, and there is a high-degree of overlap in our customers. Even our office is close to theirs in Cambridge, Massachusetts. Culturally, we are similar, even though we’re tiny in comparison.
The acquisition has accelerated the spread of our business globally.
You mentioned the cultures blending, how would you describe the Resilient culture?
Our center of gravity today is still young, energetic people, complimented by older more experienced people in the field, and this combination defines our culture. It’s a high-energy environment.
The IBM security group’s culture is very unlike the rest of IBM, or at least how I perceive it. The security group is very entrepreneurial, energetic, and I can’t remember seeing anyone wearing a suit.
With a history of selling companies, do you consider yourself an ‘M&A guy’?
Actually, I try not to get acquired. My intention is always to build a good business, but when you do that, people want to buy you. The intent is never acquisition, but I’m an entrepreneur and investors put their time and money in me, and I’m not ready to hang my boots up yet.
I haven’t been recruited by boards to sell companies, but instead to realize the value of a company and get the fastest growth.
This company is different, it’s the first company I’ve actually founded.
Is the so-called cybersecurity skills gap affecting Resilient? How hard is it to recruit and retain talent?
The skills gap is frightening; they predict a million vacancies by 2020.
Some of our significant hires have taken a while to recruit, but that’s because we’re picky.
We actually circumvent the skills gap somewhat by the way we built the product. We built an intuitive product that would not require years of security training to sell, or use. It’s easy to use and has optimal functionality. Because it’s so intuitive, we have been able to hire graduates from college and train them quickly. So the people we want to hire are easier to find, some haven’t even worked in the industry before. Our product allows us to take generally smart people and put them to tasks which would ordinarily be left to security experts.
How has artificial intelligence affected your business, if at all, and how do you envision it doing so in the future?
There is some really exciting stuff happening with Watson and I see opportunities for it working with our technology in the future. Watson can give you intelligence in a way that humans can’t, and what it has done in healthcare in particular is unbelievable. However, artificial intelligence will never take the place of people.
The notion of replacing people with AI is presumptuous. We try and augment people with processes, we have over 60 applications feeding into the platform. It’s somewhat artificial intelligence, but the automation supplements people rather than replaces them.
Resilient is a company based on response – if we focus solely on response rather than prevention, have we given up?
It’s got to be a balance between protection, detection and response, but it took the industry a while to understand that protection isn’t absolute. After that, we had the decade of detection, and now we’ve got to response. In the real world, it has always been a balance between protection, detection and response - but cybersecurity is behind.
Prevention is job one – it would be silly not to have locks on the door, but almost all cybersecurity spend is spent on prevention and detection, and we need to see a shift towards spend on response. Before us, there were only service businesses that would help you clear up the mess.
I like to think of what we do as incident management rather than incident response – because it’s also what we do in expectation of a response. If done correctly, response is pro-active. The company was always intended to feed the prevention, detection and response loop.
I once heard someone say that “Good security is a chess game and all we can do is play for a perpetual stalemate” and I agree with that.
Fundamentally, I like what security technologies and vendors can do. Without the information security industry, what kind of shape would we be in? As an industry, we provide a valuable service. You have to do something you’re passionate about.
Cyber-insurance has been built on the premise that prevention will fall. What’s your opinion of the exponentially growing business of cyber-insurance?
Perhaps we should hold marketing responsible for the outlandish claims they make about prevention – they are getting away with it too! There should be accountability where it’s proved that the marketing was ill-advised.
Cyber-insurance is a good idea, but the carriers will struggle with being able to accurately assess the extent and cost of damage from a breach or compromise. Those numbers are absent. Fairly significant evaluations need to be done to assess risks, it’s not an easy business. A lot of people think cyber-insurance is included in business insurance, but carriers have started to point out that breaches aren’t covered, and that’s how people have woken up. Being candid, I’m surprised it has taken us as long as it has to get cyber-insurance to the point it’s at now.
You have a CIPP. What are your thoughts on certifying industry professionals in the current market? Does it still hold the same worth?
Being educated in this space is increasingly valuable. I’m a great believer in getting as educated as possible. Authorities and certifications take the burden off on the employer when hiring – they don’t need to test them on that, they can focus on other areas instead.