Securing Our Future

SOF 012: Navigating the Cybersecurity Landscape with Ross Haleliuk

New North Ventures Season 1 Episode 12

Host Jeremy Hitchcock sits down with Ross Haleliuk, head of product at LimaCharlie - a California-based cybersecurity company that enables organizations to detect & respond to threats, automate processes, reduce the number of vendors, and future-proof their security operations.

Ross began his journey as a co-founder of a B2B edtech before building a decade-long career as a product leader across multiple industries and ending up in cybersecurity. His areas of expertise include go-to-market and product strategy, B2B product-led growth, strategic positioning, product-market fit expansion, and growth.

Ross is active in the cybersecurity ecosystem as a startup advisor and angel investor, currently leading the VIS Angel Syndicate. He often writes about cybersecurity, security investment, growth, and building security startups on TechCrunch, in other leading industry media, and in his blog Venture in Security, read by tens of thousands of security leaders every month. Ross is a frequent speaker at podcasts focused on cybersecurity, including SC's Enterprise Security Weekly, Breaking Through in Cybersecurity by Cybersecurity Marketing Society, and others. 

Jeremy Hitchcock: Thanks for joining us. I'm here with Ross. He is probably first known as head of product at a company called LimaCharlie, but he also runs his own blog on security on Substack called Venture in Security, and we are thrilled to have you, Ross.

Ross Haleliuk:  Thank you so much. Happy to be here.

Jeremy Hitchcock:  First off you, you have an interesting background and always love to hear how people get into cybersecurity. What led you to be both in the intersection space of the product engineering, but also in the go-to-market?  How did you get to there?

Ross Haleliuk:  That's a fantastic question. So I have been focused on go-to-market way before I started in security. So my story is quite interesting and quite unusual. I'm an operator. So I have been in the tech industry for over a decade working primarily on on the product management and the go-to market side of things. So I started in edtech, educational technology then worked in retail, wholesale ecommerce for a number of years for several years in Fintech. And over time, I like, I ended up just developing some curiosity and interest in cybersecurity, but that interest wasn't actionable. It was something that I I know on the back of my mind. Yeah, that's an interesting space. It would probably be cool to see how it functions. But that really was it. And then one day a friend reached out and asked me to join their cyber security startups ahead of product.

Ross Haleliuk:  So, I had a great conversation with the founder. The vision made sense, I got quite excited about the vision and then I went home and I started reading about the industry. After about a day, I messaged my friend saying, “Listen, I cannot do this. This is insane.” And so my initial response to his offer was to essentially say no. The reason I didn’t at the time was quite interesting. Now, looking back, I realize that for somebody coming from other industries into cybersecurity, the very first thing you see is MDR, MDR, XDR, SIEM, SOAR, you know, CSPM, BSPM and all the other DRs and PMs, SPMs.

Ross Haleliuk:  It's a lot to take in, it's a lot to process, so at the time I remember I was trying to. I was looking at different products and saying, Okay, what does this thing actually do? What problem does it solve? I would look at the other thing and I would be like, okay, well, There is an overlap, but it's not a full overlap. It's just like, it's, it's partial so you, if you're a security team, you still want to bring both both of those products on board. But there is a degree to, which they will doing the same thing. And it was just it was just so confusing. So my first reaction was just to say, Listen, this is too much to handle, but obviously, I came around, I decided to take to take on the challenge and the rest, the rest is history.

Jeremy Hitchcock: It is funny because security does have a bazillion terms of art in terms of all the acronyms and solutions and it's it still changes. And and a lot of the industry is is focused on preventing things, bad things from happening that continue to happen and as an outsider coming from ad tech relatively. Well, well, formed business, okay. How do you how do you deliver content to the right eyeball.  Cybersecurity is very different because you're trying to prevent things from bad things from happening. And so how did you, like what gave you the comfort that you could add something to the dialogue in security and in that space? Because again there's just been so many evolutions of product that have come along, and h how did you think about taking a fresh look and applying that to, to, to where you are now?

Ross Haleliuk: So the way I really think about it is twofold. On one hand, security is a practice. Security is a way by which people who are dedicated, well-versed, educated, smart security professionals do the job to keep their organization safe. But then, on the other hand, whether we like it or not, security is also a business, and when your job is to solve problems in a way that enables the company to also generate some revenue and grow, you realize that fundamentally the nature of product management does not change when you go from one industry to another. You still need to listen to customer problems. You still need to understand those problems. You obviously do need to build a level of domain expertise that will enable you to prioritize the right things and to focus on the right strategies. But you don't have to be the domain expert. In fact, not being one can actually be much more helpful than being one, especially if your focus is more on the high level: if you're operating around product-market fit, if you're defining the product strategy, and really understanding, like in a startup, what is it that you as a company need to tackle strategically?

Ross Haleliuk: The reason that's the case is because when you do have the domain expertise, you develop a set of biases which in many ways prevent you from being able to just step back and listen to what other people have to say. When you don't have that domain expertise, and you come into a conversation with a head of security, or with a security engineer, you have that natural level of humility that allows you to say, okay, what is hard about this? What is the problem you're trying to solve? What is not working? What else have you tried? So you start asking these open-ended questions which over time enable you to learn so much faster than if you come in with the assumption that, oh, I know the domain, I know what they're dealing with, I just need to tell them how to use my product. It's just … and so there is that domain expertise part which, now looking back, I think was a fantastic decision. You indeed don't need super deep expertise in the field, but you do need to be willing to learn and get up to speed with the areas you know nothing about. And also be transparent about the boundaries, be transparent about your own gaps. So not try to pretend that you know any more than you do.

Jeremy Hitchcock: Yeah, and one of your articles in Venture in Security is about how building security products is more about practitioners. And constantly that cat and mouse of who has the advantage. And it's more of a practice, and it's much more about trying to think about how to have the advantage versus the deep knowledge, and trying to bring both a team- and product-based approach to having best in class, or having success, in that area. I was wondering if you could expand on that a bit.

Ross Haleliuk: Yeah, you see, I have this fundamental core belief to everything I do, and I do a lot. So I'm head of product at LimaCharlie, I have a fairly active blog, but I also do some angel investing and some advisory work and a bunch of other things on the side. And so the fundamental belief that underpins, I would say, everything I do in the industry is that cybersecurity is not about tools, it's about people. And when I say it, I don't mean it in some sort of a nice marketing way, you know, as a quotation that somebody can reuse. What I truly mean by this is that tools are just tools, and unless they're leveraged by people who know what they're doing, they're going to be misconfigured, they're going to live somewhere on the network really not doing what the vendor has initially designed them to do, and so on and so forth. So one of the things we need to do as an industry, in my view, is to refocus from this obsession with tools onto hiring the right people and giving them the agency, giving them the opportunity, and giving them the degree of freedom and degree of responsibility, obviously while holding them accountable for their job, to do their jobs. So a tool, however shiny it is, is not going to replace a security practitioner who truly knows what they do. Moreover, tools themselves are built by practitioners. Like if you look at the top-tier vendors, you know, the best known logos in the industry.

Ross Haleliuk:  You realize that behind each of those logos there is a team of security practitioners, of researchers, you know, detection engineers and security engineers, security analysts, security architects, people like malware reverse engineers and so on and so forth, people doing their jobs to build that thing. So I think as an industry we have to focus more on people. And because that's an underlying belief for what I do, and for how I function, I end up going to many people and having those conversations. Like, in the context of LimaCharlie, I'm having conversations with our users, asking them questions like, hey, what's working? What's not? What can we do better? What are some of the gaps you're seeing? And I find that the learnings that come out of it far outweigh the experience that you may have accumulated a decade before you moved into the vendor space, when you're still operating thinking that you know how the industry functions when the industry has moved so far away.

Jeremy Hitchcock: Yeah, there's a lot written about security and ease of use, almost as a juxtaposition against each other, that you cannot have both. But as you're thinking about people, especially with a modern threat landscape, what are the ways or common mistakes that you see companies making when they're thinking about having a security mindset? And in your own building, how do you try to take that into account with the products that you're building at LimaCharlie?

Ross Haleliuk: Ah, that is such a such a broad question. Tell me more. So when you're talking about the security, that is such a broad question.

Jeremy Hitchcock: Tell me more tell me more about product evolution and the balance of user design and flexibility, but high levels of security at the same time it is an interesting question. 

Ross Haleliuk:  Yeah, I see. I find the whole process of building products in cybersecurity does look somewhat different than it is in many other industries. And so if I were to simply walk through the software development lifecycle of, you know, building a product, what comes to mind is that from the very first step to the very last step things are a bit different, and in many ways a bit harder, than they are in many other industries. Like, for instance, everything starts with customer discovery: what are the problems our customers have? How have they tried to solve them? What's working? What's not? Where are some of the gaps that they're seeing? And so in security, you know that every single environment is unique. You also know that every company does security just a bit differently because they have different needs. They have different crown jewels that they care about protecting. There are always going to be some differences.

Ross Haleliuk:  And on top of that, to not be blindsided by the voice of the loud minority, you, as the product person in the industry, want to go out and talk to people who are not your customers, because if you only talk to your customers then you get a very narrow and very biased view of the industry. And as soon as you want to go outside, you realize that it's actually quite hard. Security teams are super busy. Their schedules are always changing. Like, you can have three calls in a row and there is a non-zero chance that one or even all three of those calls will be canceled because of an incident response or some other issue.

Ross Haleliuk:  And then most importantly, in order for you to dive deeper into the problems, you need to be able to ask very intimate questions. You need to be able to ask: what does the security team in the organization use? What is not working? What are some of the gaps they're seeing? And in order for you to get answers to those questions, there has to be an underlying trust, because a security team is not going to talk about their gaps publicly or to people it does not trust. Their mandate is to protect their company, not to make the holes in their security posture visible to everyone.

Ross Haleliuk:  And that's just the customer discovery step. As soon as you go into the planning step, well, historically in other parts of the tech industry, planning of new products and planning of new features is typically accomplished by bringing people from three separate functions: from product, from software engineering (essentially developers), and designers.

Ross Haleliuk:  In cybersecurity, however, designers are not typically a part of the planning; they're not typically a part of the conversation about, hey, how is this new product going to look? For many reasons, one of which is that it has been that way before. And we as an industry are very used to building products for deeply technical security practitioners, and our assumption, and the message to the market, has always been: well, you know, you can train your team. Yes, this product will not be the easiest to use, but here is the help documentation, and if you have any questions reach out to the vendor; at the end of the day you can train your team to use it. And so to me that kind of goes back to, it's really an attempt to answer your question. The reason design has not been considered a part of the conversation is because companies will typically be started by very technical people, by security architects, by deeply proficient and technical security practitioners. They were so smart and so advanced in their field that they didn't care about the user experience. What they cared about is the technical capability. However, as we're looking to make the industry more accessible, and in 2023, as we're recognizing that not every single person using the product is going to be an incredibly technical human who is able to spend 10 hours, or like 20, 40, 50 hours, learning how to use the product, we want to make these products more accessible. Then once you move outside of the planning, once you go to the development step, building cybersecurity products is hard because the technology is complex and not every developer is passionate about the space. You have to be really interested to go super deep and care what happens on the (???), and if you do not, well then it's very hard to become.

Ross Haleliuk:  To become a developer in the industry. Now, as soon as you move to the rollout step, you realize that because cybersecurity products are so high impact, you need to test them super well. For example, when I'm using my Uber Eats account and for some reason I'm unable to add a salad to my order, well, what is the order of magnitude of that impact? Well, I'm not going to have salad for dinner. However, if I'm in the middle of an incident response and the isolate endpoint button isn't working, the impact can be very, very different. So deploying products in cybersecurity requires very thorough testing and a very high confidence that that thing is actually going to work. When it comes to positioning, how do you talk about the product in a way that communicates value but doesn't get lost in the sea of baseless claims, which is such a big problem in the industry?

Ross Haleliuk: So, essentially, if you step through the software development life cycle, you realize that building products in security is hard, and we as an industry are certainly used to doing things the way they were done before, and that's why we don't have designers as part of the conversation, and that's why we keep building products that do not embed a good user experience from the ground up.

Jeremy Hitchcock: Sounds like an opportunity. I mean, you do hit on something where a lot of industries have both insiders and outsiders who start companies that grow to scale. And you think about the big security companies, I don't know, CrowdStrike, AlienVault, Mandiant and FireEye, all of those insiders. And it's interesting because you raise an interesting point, or an interesting observation, that the, not opaqueness per se, but the testing, can it at scale? I think that rigor of what security products are high quality and what are not high quality, there's some hyperbole. There's a little bit of the fear and certainly doubt. It's tough to fully evaluate those. And again, you're trying to avoid these episodic events. So you can't test and find out on Thursday, hey, I can't order my salad, but Friday the push gets fixed. It's something where a customer gets broken into, and then, you know, it's more of a generational change in the security landscape. And I think there's hopefully some opportunity for how the industry can move ahead, and accessibility might be one of those things, because we just keep employing more and more systems. And so making sure that they are locked down and secured but still have that ease of use is critically important.

Ross Haleliuk: Yeah, definitely. And so you mentioned an interesting point, you sort of emphasized the fact that, yes, it is hard; in order for the industry to innovate, we need to attract more and more quote unquote “outsiders,” people who did not grow up in this space. But on the other hand, when you look closer at the space, you also realize that a lot of the value that the outsiders may bring is hard to realize in the industry. Like, for example, when I put my product hat on, when I started in cybersecurity, I came to realize that many of the modern product management practices that became popularized by the Silicon Valley companies do not quite work in the industry. And what I mean by that is when you look at the likes of, you know, Netflix, Facebook, Apple and so on and so forth, each of those companies typically has millions of users. So as a product manager, you can run large-scale experiments. You can get instant feedback. You can validate your hypothesis and understand how the users behave, and you can do it very quickly. You can do some A/B testing, you can see what works, what doesn't, you can see what performs. That's absolutely not the case in cybersecurity: the installed base is substantially lower. So you have a couple of enterprise customers using your product. And most importantly, the users of your product are experts. So they really know their domain. They know what they're doing, they know what problems they're trying to solve.

Ross Haleliuk:  … Basically, there are many reasons to say that the way Netflix runs product is not going to be the way a cybersecurity startup will run product, but on the other hand, if you look at large enterprises, including large cybersecurity enterprises, you also realize that as a startup you cannot do that either, because they have a very established brand. They have the brand recognition, which enables them to push their products much more easily and quickly. Well, if you're a startup, again, you don't have that underlying trust. And so if you are an outsider, it's easy to come up with new ideas but it's very hard to tie these ideas back to the reality of the industry. And that's again one of the reasons why the vast majority of the companies in this space are started by security people.

Jeremy Hitchcock: Crazy. I'm curious about your reflections on how the business has changed the threat actor landscape. How has that caused security practitioners to change what they do? We hear a lot about ransomware in today's era. What are the economic drivers that cause people to act in ways where they want to break into systems, and how has that caused companies, like the ones you invest in and LimaCharlie, how has that caused the industry to change how they behave?

Ross Haleliuk: I think there are a couple of factors; in fact, there are probably many more than we can cover on the podcast, but the number one thing that comes to mind is that everybody's environment is much more complex today than it was 10 years ago. So, you know, it's no longer the case that all we are dealing with is predominantly a Windows fleet and a couple of users, you know.

Ross Haleliuk:  Maybe having some basic programs installed. Here you have every single department with the tools they rely on, and you have the proliferation of SaaS and so on and so forth. So that has really changed the scope and the size of what a security team in the enterprise needs to protect. Then remote work, and the fact that people are no longer sitting on one internal network, that obviously makes the job even harder. And then from the threat landscape side, obviously we can talk about the nation-state attacks, and that is true, and that is an important part of today's reality. However, the way I look at things, I would be shocked if a small vendor, like, if a small, I don't know.

Ross Haleliuk:  I don't want to use some bizarre example. But let's just say, if a company that employs between 500 and 2500 people is going to be attempting to protect itself from nation-state attacks, it's just hard to picture and it's just not realistic. So, what is much more important in my view when it comes to the present threat landscape is the fact that cyber criminals have professionalized their business.

Ross Haleliuk: Instead of acting sporadically and episodically, and just trying to do their best to break into specific companies or casting a wide net, they're designing their operations to run the same way legitimate businesses do. So you see cyber criminals today replicating the SaaS model, replicating the marketplace model; you have ransomware as a service. You have all of those things that show how far they have gone from, you know, "I'm just trying to break into somebody else's environment and steal the data," to designing sophisticated business models to really monetize their knowledge and their access. You have initial access brokers, you have so many unique business models on the bad guys' side that it became a legitimate economy.

Ross Haleliuk:  And when I call it an illegitimate economy, what I mean by that is a lot of the threat actors function as businesses: they have an HR function, they have a payroll function, they have an operations function, they recruit people, they fire people, they compensate them a certain way, they run their marketing campaigns. They have a social media presence. They have people in charge of the social media presence. So, obviously without trying to somehow fetishize it and talk about all of it as if it's a norm, we have to acknowledge that cyber crime has come a long way from what it used to be before. And so today it's a fight between the two sides, and neither of them, I think, as of today is standing stronger on the ground.

Jeremy Hitchcock: When you think of attackers versus defenders, and technology plays a part in giving advantage to people who are breaking things versus defending things, when you think about systems and companies today versus 10 years ago, who has the advantage today relative to the past? Is it easier for attackers? Or is it easier for defenders?

Ross Haleliuk: See, I don't think there can be an easy blanket answer. What I do think is that the tools themselves are accessible to everybody. So there's a level playing field. That's why, for example, when we talk about artificial intelligence, what I think about is that, yes, AI is coming to help us defend organizations, but the same AI is going to help attackers break into those organizations. So the sole presence of the new technology does not change the balance of power. What does change it is this complexity of the environments which I talked about. And the fact that it's simply very hard, and nearly impossible, to.

Ross Haleliuk:  Take care of this complexity in such a way that protects it, that adds an additional layer of security to it. When you're a company of 50,000 people, some of whom work out of France, others work out of Latin America, somebody else works out of the US, but somebody may be traveling to India, or China, or somewhere else, or Western Europe, you can no longer apply the same simple logic that you were able to apply before when it comes to identifying threats. On top of that, you have people using all kinds of applications. You have, you know, the marketing department implementing Zapier to automate their tasks, and on top of Zapier they now decided to send some data to some other system that was never authorized by the security team to be implemented. So you have this inherent complexity that just makes things hard to secure for defenders and easier to find gaps in for attackers. So that's really the way I think about it.

Jeremy Hitchcock: And if you have to prognosticate 10 years out in the future, again thinking about the tools acceleration, there's specialization now, as you talked about; there's a whole ecosystem where people sell identities, they sell tools, they sell. It's like any modern economy: you get specialization when you get scale. What do things look like in 10 years? Will there be more systems broken into? Will companies have a better or a different approach? What trends are you seeing that help you understand whether or not we're moving, A, in the right direction, and B, what can organizations do to give defenders a greater advantage in the future?

Ross Haleliuk: That's a great question. I think I would probably split it into two, and unfortunately I don't think I will be able to answer either of those two questions in a way that is going to satisfy your curiosity. So the first part of the question, the way I read it, is “what is going to happen in 10 years?” based on the trends that we're seeing today, and honestly, I think the answer is that nobody knows. Like, we genuinely have no idea what the vendor landscape is going to look like, what the threat landscape is going to look like, or what the security landscape is going to look like. 10 years ago, who could have predicted that the problems we're dealing with today are going to be the problems we're dealing with today? I think it's much more important to look at where we are today and to take steps in the direction that we believe is going to help us future-proof our security operations and improve the state of the industry. To me, we have too many point solutions. We have too many companies trying to solve one tiny problem. We have too few interoperable products. So you see a lot of vendors designing their ecosystem of integrations in such a way that protects their market dominance and makes it impossible for somebody to easily integrate with some other tooling and adjust and customize the vendor's tool to their own environment.

Ross Haleliuk:  We see … I don't want to say the talent shortage, because that phrase has been overused. But in my view, from what I have been seeing, and again based on my perception of the state of the market, we see a lack of technical security practitioners, like the engineering-driven, engineering-focused security practitioners. There are, in my view, enough people who are interested in compliance and enough people who are interested in policy writing, but there are not enough detection engineers. There are not enough security architects. There are not enough people who can build something that is more custom and tailored to the individual company's environment. Where is it? And obviously, on the other side, we see attackers improving their state of practice, forming essentially criminal conglomerates, improving their business models and reinventing their business models. Where is all of that going to lead in 10 years? Honestly, I think if anybody had an answer to that question we would not even have had this conversation. I think what's important today is that we as an industry keep making the right steps to make that future ten years from now better than what it could be.

Ross Haleliuk:  Meaning, have the government obviously mandate and also actively encourage companies to improve their security posture and improve their defenses. Have the educational system produce security practitioners who have not just completed a year-long boot camp about writing security policies, but who actually have the understanding of how the code functions, how the code can be subverted into doing something it wasn't designed to do. Basically the technical side of security, where there is a lot missing. But, on the other hand, get more people into the industry who have knowledge of other fields. Like, for example, if you're a company trying to defend a mortgage brokerage, it would be incredibly helpful to have somebody on the security team who understands what a mortgage transaction looks like, how people can exploit it, how people can, you know, do something that

Ross Haleliuk:  Enables them to take advantage of the company. So get more of that domain expertise, get more people with different backgrounds, including people who are technical on the market side. You know, it's very tempting for everybody to keep repeating the word consolidation because we think that the more we say it, the fewer vendors there will be a year from now, but I think the reality is there won't be any fewer vendors. The cybersecurity industry is very well funded. So there is a lot of capital that goes into it, and for as long as it's hard for large enterprises to produce innovation internally, and for as long as they keep buying smaller products and assembling them into their larger ecosystems, there will be more and more founders trying to build a company and basically target an exit. So I don't quite know what the solution to this large and ever-growing number of, you know, point solutions and smaller tools is. Frankly, my hope is that we will see VCs betting on more founders with this large but very risky vision. Because we need not just new tools; we need a different approach to the industry. So we need more founders who are trying to solve many problems.

Jeremy Hitchcock: Now that sounds like a great place to leave it. I think the more integrated approach, fewer tools, more platforms, can make a big difference. So, I want to thank you for joining us today, Ross. It was great to have you. Your insights are very interesting, fascinating, and we all hope for a greater and more secure security landscape in 10 years.

Ross Haleliuk: Thanks, Jeremy.