theCUBE + NYSE Wired: Zero Trust Cyber Series | Saket Modi, Safe Security

Clips
More from theCUBE + NYSE Wired: Zero Trust Cyber Series

Saket Modi

Co-Founder & CEO

Safe Security

play_circle_outline Utilizes FAIR standard for quantifying cyber risk, real-time benchmarking, and data-driven decision making.

play_circle_outline Offers SafeX mobile application with Gen AI capabilities for instant answers to cybersecurity questions.

play_circle_outline Maximizing Business Impact: Cybersecurity ROI and Risk Reduction Strategies

Info
Transcript

Saket Modi, Safe Security

Saket Modi

Co-Founder & CEO Safe Security

Saket Modi, CEO of Safe Security, shares the company's journey from a services company to a product company using AI and machine learning to address cybersecurity risks. Safe Security aims to provide a business-focused approach to cybersecurity, translating technical jargon into business impact. They utilize the FAIR standard and integrate with various cybersecurity tools to offer real-time risk assessment and benchmarking. In 2020, they launched a mobile application called SafeX, powered by Gen AI, to provide instant answers to cybersecurity questions. Safe ... Read more

explore Keep Exploring

What is the standard called that has been developed by the FAIR Institute and is used by over 17,000 cybersecurity risk practitioners, with over 50% of Fortune 500 companies also using it? add

What are some examples of questions that could be asked using the SafeX mobile application for Gen AI, particularly by chief information security officers or chief information officers? add

What factors should be considered when determining the effectiveness of cybersecurity spending in a business? add

bolt Powered by CUBE AI

Saket Modi, Safe Security

search

>> Hi, welcome back to Media Week, NYSE Wired and theCUBE's exclusive coverage of cyber and AI innovators. We're super excited to have Saket Modi. He is the CEO of Safe Security. He's got a story to tell you. Saket, great to see you. Thanks so much for coming.

Saket Modi

>> David, it's an honor to be with you on the show. Thank you so much for having me here.

>> I want to go back to, you have an interesting founding premise and story with your comeback, it makes me think of Michael Dell who started this company when he was in college. Tell us the founding story. Take us back to the early part of last decade, why did you start the company? It was what, 2012?

Saket Modi

>> My introduction is simple, Dave. I'm a geek and a nerd. I was studying computer science engineering, I didn't know if I was qualified enough to get a job. So what do you do when you don't have a job? You try and start a company. It literally started from there. My father is an entrepreneur, so was inspired by him. And got to a point where for the first six years, since 2012, we've been a services company. We were successful as a services company, but figured it's not scalable, so we actually pivoted. We went from $5 million in revenue to zero, and today, tens of millions of dollars of revenue from a services to a product company.

>> Interesting. What'd your father do that was-

Saket Modi

>> My father was actually into this computer education business, so he used to have various centers to train people on how computers work and how animation works.

>> Oh, okay. And then pivoting is an interesting experience. And going from a services company to a SaaS company is also. Now, when did you make that pivot?

Saket Modi

>> It was 2019 when we got our angel investment from John Chambers. That's the time where we pivoted and our gross margins went from high 40s to now high 80s.

>> High 40s is actually not bad for a services company, but now high 80s. The good thing about that pivot is you pivoted after the cloud had taken hold. A lot of companies that started early on last decade started on-prem and you started cloud native.

Saket Modi

>> It was totally cloud native and we are totally build grounds up in a very, very modern architecture, Dave, that way from a scalability perspective. So what we are trying to do is really build what we call as the cloud of clouds. We actually integrate when we go to a company, all the signals from different kinds of cloud, and that's the reason why we not being on the cloud was not even an option from day zero.

>> We call that the security super cloud.

Saket Modi

>> I like that, I'm going to use that.

>> We did. That's the idea, it's a cloud and subtraction layer over the clouds. It simplifies, it gives you a common experience.

Saket Modi

>> I love that.

>> Which I presume is what you guys are all about. But come back to your core value property. You're all about risk management and reducing risk. Tell us more about that. I'm sure you're using AI and machine learning. Give us some color there.

Saket Modi

>> We think cyber security is fundamentally broken. 4,000 cyber security product with $200 billion spent every year, growing at 15% year over year. These are Gartner numbers.

>> And we keep getting less secure.

Saket Modi

>> Exactly, there are more hacks than ever. Now, the fundamental problem with the cyber security industry is, take the top three cyber security companies in the world, Palo Alto Networks, CrowdStrike and Zscaler. Phenomenal companies, but I'm ready to place a $1,000 bet here. If you can find me one chief information security officer in a Fortune 500 company that says, "I use the output from these product on a daily basis," zero. These products are incredible products, but they're three levels below the chief information security officer. So we are building what Salesforce is to Chief revenue officers, what Workday is to chief HR officer, what SAP is to the chief finance officer. Where they can take decisions based on data, we are building that for chief information security officers.

>> Interesting. And this is ServiceNow angle as well.

Saket Modi

>> Exactly.

>> If you think about that.

Saket Modi

>> Exactly, what ServiceNow is to CIOs, because CIOs live and breathe inside ServiceNow every day to make decisions. CISOs don't have a tool like that today. We are exactly that tool where we aggregate signals. So we integrate with more than 115 cyber security products, including CrowdStrike, Palo Alto Networks, Zscaler, et cetera, et cetera. And then we make sense out of that using neural networks and artificial intelligence. Happy to talk about that if you are.

>> What is the output of that? Because I was talking to somebody last night here at the NYSE cyber event, and he was talking about how his specialty is consulting with boards and helping CIOs or CISOs and CIOs communicate about risk to the board. Not in terms of acronyms, but in terms of risk of, "I'm going to spend a dollar, what am I getting back? What does that mean for my expected reduction in risk?"

Saket Modi

>> Exactly.

>> And that sounds like the business that you're in. Can you elaborate a little bit on the value prop?

Saket Modi

>> You're absolutely right. Today, cybersecurity is no longer a technical problem, it's a business problem. Because if a company gets hacked, the CEO, the board is concerned because business gets affected. The problem is cybersecurity for decades has been a technical issue. It's only been a place where techies would stay. We'll talk about these vulnerabilities and misconfigurations and malwares, et cetera, but the CEO doesn't care about the vulnerabilities. He or she cares about, "Tell me how much business impact. How much will my revenue go down? How much will it cause an outage? What will be the impact on my brand, which will have a function on my stock price which is out there?" That's what the board cares about and the CEO cares about. That's exactly what we do for companies. We go in and we integrate with these security solutions and we translate technical jargon into business impact, and that's what we do for a living.

>> Help me think through the business case. Take what you just said, say okay, this is the because of your growth, your valuation, your ecosystem, et cetera. Here's your exposure and here's your risk. If the probability of an incident is , and the impact of the incidents is on some spectrum-

Saket Modi

>> Yeah, it's a range between dollars.

>> Then you can draw that curve.

Saket Modi

>> It's a two by two plot chart that-

>> Beautiful, and nice and simple. I can visualize that and I would presume there's an inversely proportional relationship potentially between the probability of an incident and the impact of those high impact incidents. So it may not happen, it might only happen once every five years, but if it happens, oh boy, are you in trouble. And you can quantify that to some degree.

Saket Modi

>> They told me you're a genus, I can see that already.

>> Yeah, okay, great.

Saket Modi

>> You're absolutely right.

>> But then you can draw the curve of how much my expected risk and my expected loss is going to decline as a result of your product, correct?

Saket Modi

>> Well, as a result of my product, first of all, I tell you where you stand today.

>> Baseline it.

Saket Modi

>> Baseline it, right. This is where you are.

>> There's a big discussion around that, isn't there?

Saket Modi

>> Absolutely.

>> How'd you come up with this number, what are the assumptions that you're making around it?

Saket Modi

>> Well, more than assumptions, it's an open standard. There's a standard called the FAIR Institute, which has come up with a FAIR model, which is used by 17,000 cybersecurity risk practitioners. Over 50% of Fortune 500 companies use that standard. It's like the GAP standard.

>> What's the standard called?

Saket Modi

>> FAIR, Factored Analysis for Integrated Risk. The company which founded FAIR is basically the company which we acquired last year. I sit on the board of directors of the FAIR Institute, and the reason I start from there is because that body has gone ahead and consulted White House over a dozen times in the last decade in going ahead and coming up with the right standards and looking at risk in a quantified way where there's method to the madness. The way there's GAP standards for reporting financials, there's the FAIR standard. It's an open standard, you don't need to pay anybody any money. You can use FAIR, Apple, Wal-Mart, NASA. The largest companies in the world use FAIR without paying any money to anybody because it's an open standard. 50% of Fortune 500 companies use that. So to answer your question then, how do you come up with the probability or the lost magnitude, which is out there, there is a science which actually goes ahead and puts things. But it's the same thing that ServiceNow did. They used to be ITIL, which was an open standard that came up, which could be used by anybody. But ServiceNow said, "It's an incredible standard, but you want to use that in an automated way, in a way which the user experience is incredible, use ServiceNow." That's exactly what we are doing with SAFE, that the open standard exists. Of course you can do that, it has more than 700 variables. So yes, you can do it, it's very difficult to do it. But that is what is automated using artificial intelligence and machine learning.

>> Interesting. I remember the ITIL, because it was very hard to implement ITIL. It was well thought out, but it was a real heavy lift. And when things in the business changed, people would sigh and say, "Okay, we got to do that again." And maybe you do it once every few years. So you've automated that whole workflow?

Saket Modi

>> Yeah. And remember, this is made for the modern age because we go ahead and in FAIR, not just... Because when we go to a company and the largest companies on the planet are our customers, Google, Facebook, Netflix, Chevron, ADP, Caterpillar, there's a very long list of the largest companies on the planet which are live on our platform, and they trust our product's output for understanding and then communicating their cyber risk in business terms across stakeholders on the top and the bottom. And it changes every day. Dave, if you think about it, when we go to a large company, let's take ADP as an example. We integrate with their vulnerability scanners, their misconfiguration tool, their cloud security tool. Whether it's a Qualys or a Wizz or a Tanium or a Rubrik or a Proofpoint, I mean, we integrate with all of that. That's why we say we are the cloud of clouds, the platform of platforms. Not only do we take that, we also look at the external threat intelligence. We integrate with the ISACs, which are the intelligence communities out there, which tell you what threat actors are operating in your industry, in your geography. So we see what's changing internally, what's changing externally, and that comes in together and actually tell you where you stand today versus your peers. So you are in your 25 percentile or 50th percentile in your risk

>> You benchmark that?

Saket Modi

>> Absolutely, and that happens in real time.

>> When you guys were a services company, were you in this business or did you just-

Saket Modi

>> We were in the business of pen testing and vulnerability assessment.

>> Okay, so you took those learnings and all the gaps that you lived every day and said, "Let's build the product that we wished we had or we know our customers are going to want." So you took that tribal knowledge and platform.

Saket Modi

>> We started as we started a hacking company. The problem was when we were hacking and we've hacked into the largest airlines in the world, in the banks in the world, with their permission of course. And we saw that when we showed banks, I remember hacking into a Fortune 50 bank where we transferred money from a CEO's account to the CISO's account, live in front of them with their permission, they freaked out, the board freaked out. Now, there were two reactions. One, people were like, "Oh my God, will I go to jail? This is going to be crazy." And then the other set of people on the board were like, "Yeah, I've seen this movie in other boards. You had special permissions, this can't happen in real life." Both in my view, were not very accurate. Where is the right place to be? Somewhere in between to understand the risk, not freak out, but at the same time, not take it too casually. And understand in a calculated, in a data backed way with data science of what is the true risk in terms of probability, in terms of dollar impact. And then say that, "If now we invest another $10 million, $20 million, $100 million in cyber security, how much will that reduce?" Right now, most companies do a finger in the air, red, amber, green. "I think the security risk will come down if I do these five things." We make that conversation objective and we do that for first party and your ecosystem and third party also.

>> Because you have the FAIR standard and you've got data, I presume they're FAIR, you said how many inputs with the FAIR standard?

Saket Modi

>> This is going to be very controversial, but we have the highest amount of telemetry data on the planet for our customers. What that means is when we go to a customer and I gave you a list of my customers, remember, I'm sucking in data every day from all of their cyber security tools which are out there. So there is no cyber security product which has more data. And I don't need to tell you the future of AI is not the ones with the people with models, but with data. So yes, it's an exciting topic.

>> That's all lag, I get that. Now, speaking of AI, 2019 when you guys pivoted, did a raise-

Saket Modi

>> 2020, we launched the product.

>> But you were working with, I'll call legacy AI, machine learning at the time. I'm sure you still are, I'm sure it's very effective. And then the AI heard around the world is introduced, how is that affecting things? Is it just more the way we interact with the system? How are you using? Is it all hype and we should just really focus on the hardcore machine learning? How are you using Gen AI?

Saket Modi

>> A couple of points there. First of all, we think AI is a fundamental shift. I'm not saying anything you don't know, you've not heard. We think it's a fundamental shift. Now, I think the place where it gets confusing is where firstly, when you talk about AI, LLMs are a small part of the overall artificial intelligence gamut that you would talk about. For example, we built our own neural networks where we go ahead and ingest the data. The way the self-driving that you see with Uber, or sorry, with Tesla, where they see, "What are my top drivers doing?" And based on the learnings from those top drivers, they automatically, when you are in a Tesla, learn from that and then go left or right, depending on the learnings from the top drivers. Exactly in the same way we work with the largest and the most sophisticated enterprises out there. We learn from them and we put that learning and then put that as recommendations for companies across the globe. This has nothing to do with LLMs, this has nothing to do with Gen AI. The second piece of Gen AI where we do use, we actually launched all of this data in your fingertips that you can see on a mobile application, which is called SafeX, which by the way, is free of cost available for anybody to download and experience. You can go to the app store right now and download it. And basically, you can ask Gen AI to go ahead and ask it. Think about the power wherefore a company and the chief information security officer or the chief information officer, which has all this cybersecurity telemetry now coming to my cloud, being analyzed using FAIR and ATT&CK MITRE, these are the two open standards that we use. And now you can ask any question and questions which matter to CIOs and CISOs. Questions like, "Hey, my CEO wants to do AI. How will that change my risk? Hey, I just read in the Watch Street Journal, Clorox got breached. How does the same attack simulated in my environment, what does the risk look like? Can you make me a bold report?" All of these questions and beyond with answers in less than one second.

>> Interesting, okay. I'm imagining being a consumer of that information. First of all, where are you pulling the data from? Is it just kind of open LLMs? Because if it is, then you know the follow-up questions, how do you make sure it's accurate? I love this stuff. I have three or four LLMs open at all times.

Saket Modi

>> Absolutely.

>> I use them to fact check, I use my own knowledge of the business. And even now, every now and then you search, kidding. But every now and then I will crack open an SEC document just to make sure, because I'm not quite sure. How do you make sure?

Saket Modi

>> Great question there. A couple of points. We took a fundamentally different approach where we don't think overusing LLM everywhere is the answer. I'm going to say something very interesting, which most of the techies, when they hear about, they're, "Ah, we didn't think about it." We don't use LLM for answers, we use it for questions.

>> I love that, right.

Saket Modi

>> Think about it.

Saket Modi

>> What questions should I be asking that I haven't thought of?

Saket Modi

>> And now here's a point. Or the other way around also, so you're right, one is to recommend questions. But the other way around also, if you think about the persona of a chief information security officer who we serve. Remember, we are building a tool grounds up for the chief information security officer. We have hundreds of CISOs around the world which are our customers. I went to those CISOs and I got a list of 150 questions that everybody asks There's no secret here. What I did was we took LLMs where, what are my top risks can be asked in 1,000 ways. Whenever you go to my app and ask a question of what are my top risks, tell me about my top risks. How do I look at my top risks which matter to my business, blah, blah, blah? There can be millions of ways you ask that. All of that is where we use LLMs to point to the same question. But the moment we know which question that is, the answer is not through LLMs, but that is hard-coded with variables so there is zero hallucination. We are using LLM where there is required, we are not using LLM where we don't need to and it creates the best of both worlds.

>> There's less bias in the prompt because you know where you're aiming that prompt.

Saket Modi

>> Exactly.

>> And the data set is very static. Okay, listen, I got to jump. This has been great conversation, would love to have you back, Saket.

Saket Modi

>> It's such an honor to be with you here.

>> You have the final word, you got a minute to-

Saket Modi

>> Well, the final word is just this. When people think about cybersecurity, I think it's time to go ahead and think beyond technical jargons and to really start thinking about the business impact that cybersecurity has. And it cannot be mindless spending that happens in terms of every year, the budget's going up without understanding how does my risk reduce? And not, "Oh, I'll go from red to green." It needs to be, "What's my probability of my top five risks? How will that change? How will my loss magnitude change, et cetera?" And then that use not internally, but also for your regulators, for your cyber insurance carriers, for the ecosystem, which is even beyond that.

>> Bottom line number, I'm going to spend a dollar, what am I going to get for that?

Saket Modi

>> I love that.

Saket Modi

>> Saket, thanks so much.

Saket Modi

>> Thank you so much.

>> Really appreciate it.

Saket Modi

>> Thanks for having me here.

>> Keep it right there. Dave Vellante and John Furrier will back. NYSE Media Week, cyber and AI innovators. You're watching theCUBE, be right back.