How to build a cybersecurity solution without limitations?

Mark Levine, CPO & CTO ● Oct 17th, 2023

The full transcript

Oleg

Hi, Mark! Welcome to the Devico Breakfast Bar! I appreciate your participation. Our aim is to encourage meaningful conversation by gathering professionals from various industries to discuss their viewpoints on their organizations and the wider industry in general. Could you please introduce yourself and tell us about your professional background?

Mark

Yes. Good morning, Oleg, and good morning, everybody! It's a pleasure to be here. My name is Mark Levine, and I'm currently the Chief Product and Technology Officer at a Canadian company called CYDEF, who specializes in defense in depth, managed endpoint detection and response within the cybersecurity field. And we'll get a little bit more into that later. My background is as an electrical engineer. I graduated from McGill University in Montreal back in 1991. And at that time they didn't have a computer engineering or a software engineering program. So, I did electrical engineering and followed in the footsteps of my father who was also an electrical engineer. And he had a startup company of his own, an engineering company. And they specialized in making products for professionals, primarily law firms.

And that equipment did what we called cost recovery. And it was a combination of hardware and software that would connect to photocopiers and later on fax machines and printers, scanners. And essentially these lawyers charge for their time and for the job, but they also charge for what we call disbursements - expenses related to making photocopies. So, these were like mini cash registers for the law firms where every time they made a copy, they would enter some information about who and why they were making the copy, and then this generated originally. It was old-fashioned with a little printer, and it would just print out a little receipt every time you made your copy, and you would bring that to the accounting, and they would enter it into the big computers. But later on, this system became all digital and networked, and everything was connected. We were dealing with law firms that were billion-dollar organizations with offices around the world.

And I really grew up starting in QA and testing through software development project management. Ultimately, I bought out my father and his partner, became CEO of the company, and then I sold my company to a large American company called Nuance. And Nuance had several divisions. They had a healthcare division, they had an automotive division, but they also had an imaging division – and that's where our software came into play. And I was involved very much with now a much larger version of my business expanding into scanning and document flow and using character recognition.So, it was very, very interesting career path because I started off very niche, really at the early days of software and individual computers. And I ended up in an AI company, doing very large-scale projects with global organizations.

Oleg

That's awesome. Really interesting journey. Thanks for sharing this. Can you please tell us about the project you're currently working on and the problem it solves?

Mark

Absolutely. So, after my stay at Nuance, which was a very good education period for me, learning how big companies work and how they're different from small companies, I was on my own for a little bit and then I came in contact with a mutual contact who introduced me to CYDEF, which was this startup founded on a principle that really everyone should feel safe to do business online. So as we all know, cybersecurity and safety around computing has been a problem for many, many years. Started off being pretty contained, a virus would hit your computer and this was really, really annoying, maybe upsetting, but it wasn't what it is today where a single mistake made by a single employee on any kind of device can literally bring down the largest organizations or governments in the world.

So, we live at a very interesting time where people have to make a choice about how much access they give to their people and how that limits their work. And what I found refreshing about the people at CYDEF is they had a very fresh approach to how you solve cybersecurity and that's you should not be locking things down, and you should not be limiting what people do, and you should not be training and training, and all this other hard stuff for people to do. You should let people be people and you should let them work the way they want to work. But you need to add a layer of monitoring behind the people, and you need to detect when something is wrong or something seems wrong, and then you investigate that using experts, and you can then act accordingly.

And this is basically the theory and the product we offer at CYDEF, where we install a monitoring agent, we let you do you, and we learn what normal is from a baseline. And if we see anything that's not normal, we investigate it using our pool of experts. And we have a single platform, nothing for you to learn as the customer. We do all the hard work, and it's a proven model. We've caught early stage ransomware, malware and stopped it before it was able to take root.

Oleg

Okay. Got it. Thanks. But what was your initial spark that raised interest in cybersecurity industry in general? Why did you decide to go there?

Mark

I didn't really decide to go into cybersecurity. So, as I said, after my stint with Nuance, I was actually interested in fitness and technology related to fitness. And I was actually building, my own software to do tracking of workouts and trying to get into that industry. That's really where my heart was at the time. But I got introduced to the one of the Founders of CYDEF named Tiago De Jesus. And he's really an expert in cybersecurity and he's a super passionate person. He was really on this mission to revolutionize cybersecurity and the whole approach of the industry with threat intelligence and trying to stop the bad guys.Everything in cybersecurity is about blocking, and stopping, and looking for the bad. And he was like, 'This is just wrong, and it's a losing battle, and what you need to do is you need to look for the abnormal. You need to look for what is not usual.

And that's where you can find the problems. So, it's a much easier problem to say what's normal and what's not normal than to say what are all the possible things that are bad.' And this was very, very intriguing, sparked my interest. They had a problem, which is very typical in startups, which is they had amazing, amazing technology, they had amazing people working unbelievably hard, but they didn't have a product and a product strategy. And I knew that I could help with this because this was really my sweet spot. So, I knew I could learn the details of the cybersecurity industry, but I love the mission of trying to help people work with computers. And I knew I could help CYDEF because I knew I could help them take their technology and turn it into a product and a service.

Oleg

Okay. You said that we are living in interesting time. I totally agree with you, but I also, I would add risky time too. Looking ahead, how do you see the future of cybersecurity products and what role do you see in shaping the future?

Mark

So, when I think about that question, I think about the future being really in sort of different periods of time. Because we're in a time right now where people are throwing around the term AI or artificial intelligence, but we're really, and we're learning very quickly. We are not in intelligence, we're in language models. So, in other words, we've allowed computers, which have always been great, at doing calculations, and analysis. and statistics. And we've added the communication level to that skill set. We've got this illusion of intelligence because there's this great body of work that humans have created, and now these computers who are great at harvesting information, are excellent at communicating information.

But, with all computer systems today - it's garbage in, garbage out. And if you look at what's happening with ChatGPT, we have a declining return. So, in other words, people have learned how to manipulate the system, and the accuracy of ChatGPT is actually declining over time. And at the end of the day, this is just a statistical model and it has no morals, ethics, or really balancing logic that humans have. So, I don't see AI in the short term as being the be-all and end-all to attacking cyber criminals. These are brilliant people, or organizations, or countries that know exactly how AI works and know exactly how to manipulate AI and how to beat it. There's a lot of hype, a lot of investment on threat intelligence, knowing threat actors, and using AI, but to me, that future is still many, many years out. We need to live today.

And, yes, I think ultimately with quantum computing and other inventions, you might get to artificial intelligence that is worthy of replacing a human, but I'm not going to focus on that or worry about that. That, to me, is more than a five-year problem – lifetime in computing. Never, never worry about it. So, what's the CYDEF approach? CYDEF approach is leverage the tools that exist, use the AI for what it is – the statistical model, the data analysis tool that it is – let it help you do your job, let it search for what's good, what's normal, and filter it all out, and then whatever is unknown – leave that to human beings.

So, I see more of the CYDEF approach winning out short term. I see more demand for humans in cybersecurity, and that's really the challenge. So, our role at CYDEF is we've simplified the job of being a cybersecurity expert – you don't need to be 20-year veteran of knowing everything to work at CYDEF and be in cybersecurity. We can actually take a pretty baseline software engineering, cybersecurity type of IT person, and turn them into a cyber threat hunter who's very effective at catching the types of crimes that are out there today.

Oleg

Cool. How do you keep yourself up to date with the latest technology?

Mark

So, it is actually easier now than ever with... First of all, I have a great team. I have a great team of experts who challenge me every day, and that's really good – I can learn from everything they know. I'm always scouring online. I used to like to read technical books more than fiction. It's just in my nature. So, I'm always scouring online for new and interesting topics Usually, the media headline will catch your attention. But then if, usually it's wrong and misleading. I like to dig in underneath the headline, look for what's really going on, and do that type of research. And I'm also very much involved with McGill University. I do a lot of mentoring and entrepreneurship workshops with the students. And that way I'm exposed to the researchers and young minds and that keeps me very, very fresh and up-to-date.

Oleg

Wow! I didn't know about your relationship with the university. That's definitely cool. What are some of the biggest challenges you face as CPO in cybersecurity industry and how do you overcome them?

Mark

Yeah, there are many challenges in this industry. We're a very small, very small fish in a sea of giants and more and more. It seems like every company – Google, Microsoft – you know, they're interested, and they're your competitors, and they're your partners. You can't do business without them, but they're also in this space as well. So, getting your message across, being heard, being visible in this ocean where there's a lot of people is very challenging. There's also a lot of noise, a lot of misinformation, a lot of false claims. Some of that shine has come off. I mean, all the big guys have been hacked. Microsoft lost its keys, governments. So, some of that shine has come off, but at the end of the day, the culture still big business likes to only do business with big business. And it's very, very hard for a startup to get in, to get that recognition, to get that lucky break. So, this is one of the challenges.

Being creative on the marketing side, leveraging your network, using every opportunity you can to get your message out there that there is a different way, a better way, and that nobody, no matter how big they are, has the perfect answer, gonna solve all your problems, so you really need to be open-minded. And the last challenge is the talent challenge. I mean, it's a big... Every company is out there hiring IT experts and cybersecurity experts. And it's driving the value of these people up, and they know it. So, keeping top talent is a big, a big challenge for me as the Chief Product Officer. So. how do we overcome it? I mean, we have a unique mission. We have a unique culture. We try to appeal to being very flexible, and very moral, and ethical as a business. And also very transparent and very honest. We don't make claims that we can't live up to. We don't have a technology that we don't understand. And we don't make promises we can't keep. So, this is our way of trying to attract customers and talent to our company.

Oleg

Okay, I hope you know why Microsoft doesn't use Cypress yet. That's their problem. Okay, you already touched on this topic. Could you please comment on problems associated with the lack of qualified specialists in the IT sector, mainly in connection with your business in CYDEF?

Mark

Yeah. So, I have to say, I mean, so far we haven't been as dramatically affected as some company, somewhat because we still manage to remain kind of small and haven't had needs for huge amount. So. maybe this problem will become more exacerbated as we grow bigger and bigger. We've been lucky in that we've been able to retain for the most part our talent. But certainly, the cost associated and the time associated with finding talent has hit us. And that's really why our partnership with you has been so wonderful because you helped me with this problem very much.

Oleg

Thanks for that. We will come to this later. What role do you think IT outsourcing play in solving these challenges?

Mark

So, IT outsourcing, for sure, brings the global community to and makes it available to everybody, especially small companies. It's not possible as a small company to have outreach beyond who you trust, which is who you're connected to. So, IT outsourcing - if you trust the outsourcer – then brings another scale of talent. And, I have to say, in my experience, when used correctly, that talent is quite sensational and is very powerful.

Oleg

Let's take a little bit more on outsourcing benefits and drawbacks. What are they?

Mark

So, for sure, the benefits is basically the flexibility to scale up and scale down without having to make a commitment to employees. And, in some way, the management of the HR part is taken off. It also, in my specific case, brought an expertise that we didn't have. So, I wasn't just given another resource to work on a project – I was given an expert who helped shape. In our case, our QA department was created through our partnership. So, in this way, outsourcing brought expertise and know-how into our organization. So, this has been very, very positive. On the flip side is you don't have the same relationship, you have to work very hard at that not to have a two-tiered system, to keep the culture together. They're not employees so they can move on, and then you're starting with somebody else. And also there's a level of protection – sort of that certain projects are, in my opinion, suitable for outsourcing, like a QA project or a very well-defined project and it's scaling, but when it comes to research and development or true core strategic, for me, that doesn't work with outsourcing. That has to be kept internal. So, balancing all of these are some of the challenges as well.

Oleg

Okay, got it. How did you come to a decision to outsource your needs?

Mark

The outsourcing decision came really, I say, through effective marketing from DeviQA. I have to say I was not looking to outsource, but I was intrigued. And I thought that QA, as a starting point for outsourcing, was kind of a safe bet in that we didn't have QA. So, it wasn't like it was going to make things worse. It might waste people's time. But I didn't really feel that I was taking a lot of risk by trying the outsourcing. And I also was very impressed by the confidence that you and your organization portrayed. And it didn't take long to realize that the workers that you brought in really knew what they were doing, really knew how to work independently. So, I became a fan very quickly after trying.

Oleg

Okay, thanks. How do you measure the success of collaboration with IT outsourcing vendor?

Mark

So, for me, it comes down to really three points with any partner. First of all, is the relationship easy? Can I have the easy conversations, of course, but can I have the difficult conversations? And yes, I mean, this is what has made our relationship successful and the relationship with other partners successful is if you can have the honest conversation: I'm going through a hard time, or I'm having this problem, or this isn't quite working. If we can have that conversation, and it's easy, and we're focused on solutions, not on process or contracts, yes, then this is a successful partnership, and this is one that we will work hard to accommodate on both sides.

Do the people fit culturally? Not being the same culture, I don't mean that. I like the diversity of culture. But it's more of a moral and ethical approach. Does it fit? Do we have the same values? And this is very, very important. And this has been made more meaningful really because the situation in Ukraine. And I have Ukrainian employees, but I also have a Ukrainian heritage as well. And I'm very much emotionally invested in the unjust suffering of the Ukrainian people. And being able to help has also been motivating and just sharing that with the whole company – so that comes, it's not me, that's a CYDEF thing – and embracing the integration of the cultures, and being blown away by the fact that you can be living in a war and yet show up to work every day and do great work can't comment that enough, and that's really making the relationship far more valuable than just the work.

And at the end of the day, the work has to be there. I'm not a micromanager. I don't come in and ask for your timesheet, even though I get one. I don't ask for every detail of what you did, but we have our two-week sprint and I, you know, what have you worked on and what problems did you overcome? And if you could explain to me, it took me two weeks to do nothing, but you could explain it to me why, I'm fine with that. And so, we have very good communication, I can see the work being done, I can see the flexibility, and that's what makes the relationship a success.

Oleg

Thank you. And finally, what advice would you give for other companies considering IT outsourcing?

Mark

So, the advice I would give is just reiterate what I've said before. If you're at the stage of a company where you're strategic, where you're planning, where you're on your vision, on your core R&D, I would say you must keep that very close. And I would not say that that's appropriate for IT. But once you have a product and you're looking to scale your technology, or you're looking for support around your processes that are defined, or even help with defining your processes, but they're processes, then there are amazing experts from all around the world who are available to you. You don't just have to look in your backyard to find the one person who knows the answer.

Oleg

Thank you very much. Thank you, Mark, for participating in our Devico Breakfast Bar. I hope this information will be useful for companies that consider outsourcing. Thanks again. Have a great evening. Not evening – in your case, it's daytime, in my case, it's evening. Thanks again, Mark.

Mark

Thank you, Oleg. It's my pleasure to be here, to tell everybody a little bit about my company, but really to support you and to be an aid for companies out there who are looking to outsource QA, or development, or IT in general. I can't recommend you enough. So, thank you for the opportunity, and have a great evening.

Oleg

Thank you, Mark. Bye Bye.

Mark

Bye.

Watch previous episodes

Contact us for a free
IT consultation

Fill out the form below to receive a free consultation and find out how Devico can help your business grow.

Get in touch