theCUBE + NYSE Wired: Zero Trust Cyber Series
Bugcrowd's CEO, David Gerry, discussed the impact of AI in cybersecurity, emphasizing the importance of systems and policies for CISOs. Bugcrowd leverages hackers' ingenuity to enhance security outcomes, focusing on hardware and supply chain security. There is a growing use of AI by hackers to increase efficiency, posing risks for defenders. Gerry emphasized the need for bias assessments in AI models. Bugcrowd explores using AI and machine learning to improve efficiency. The discussion also highlighted the changing relationship between CISOs and vendors. Bugc...

>> Hello, welcome back to theCUBE's coverage here. Mediaweek in New York City. Part of theCUBE and NYSE Wired communities open initiative around getting the top voices and technology to weigh in on what's happening in the week in Palo Alto. We have our studio there and a super studio here in New York City. David Gerry's here, CEO of Bugcrowd. CUBE alumni from RSA 2023 is remoting in via the remote capabilities here at the NYSE from London for Black Hat Europe. David, great to see you again. Thanks for coming in remotely to our Mediaweek.

>> Absolutely. Thanks so much for having me here, John.

>> You're technically not physically in the jurisdiction of our New York subnet, but we are remotely, digitally brought you in. Great to see you. Great to have you on again commentating on what's going on. Black Hat, obviously we can tie into that as well. Great to hear from what's going on there. We're really looking at the AI innovators as part of our ongoing series, cybersecurity. This week has been a big focus of the data in the AI systems. Obviously general AI everyone loves. They see all the buzz. Agents are coming around the corner, but right now all the work and work is being done at the, I would call the root or infrastructure/foundational levels where the systems are today, and that's a big part of where the data lives and you got to get that right. If you don't get that right you can't fix up the stack. So I want to get your perspectives to start. How do you see the market right now? Obviously with the general AI coming fast, what's going on in cyber with respect to how the AI and the data's coming into the whole play?

>> Well, John, I think this has the opportunity to transform everything that we know in terms of being a defender. And you talk about getting the systems right, getting the underlying architecture right, it's also just as important to get the policies right.
And what we're seeing in the market today, and what I predict we'll see in 2025 here is that the CISO's role is going to become increasingly important in terms of how AI is leveraged across the organization. What we saw at the early part of this year is committees around AI usage. There was a legal influence, there was a data and privacy influence, and there was a security influence, and I think we're going to see that that starts to get consolidated under the CISO. And they start to look at AI and the capability of it around it being a tool to help them be more successful, but that any implementation of AI also becomes a target for them as they think about their extending attack perimeter.

>> One of the things I like about what we're doing here with the NYSE is we've created this open network collective intelligence with the data of the media. Bugcrowd's DNA is in crowdsourcing and really crowdsourcing around cybersecurity. Before we get started with some of the specific questions I have for you just share your vision of Bugcrowd's philosophy and how you guys execute in your North Star and your mission.

>> Yeah, really simply we want to connect the amazing ingenuity that exists in this hacker community, in this hacker ecosystem that's out there in the wild and bring that to bear for our customers to help them drive the security outcomes that they care about. So often we hear from clients that they're struggling with talent, they're struggling to hire, they're struggling to retain employees, and that's where we help bring the exact right resource at the right time to help drive the outcomes that they care about.

>> One of the conversations we've been having even this week in New York City is, you got to understand what's on your network, you got to understand what the inventory is, the devices. You're seeing a lot of supply chain span from hardware to software, but there's been a rise of hardware hacking lately.
Can you share your thoughts on how you guys are executing in that area and what you're seeing?

>> Yeah. We're seeing more and more customers coming to us with the explicit use case of we're deploying hardware in our environments, how do we help make sure it's secure? You've seen the rise of IoT and the ability to have connected devices. And for a long time organizations have been focused on how do they secure the application and the network? Now this is the underlying infrastructure and there's a finite amount of talent that exists in the market today, and that's where we really specialize. We have immense talent on the platform in the hacker community that we can help bring in, whether that's helping large telcos with 5G testing, whether that's helping large gaming institutions around casino machines and ATMs, or whether that's looking at critical infrastructure. We have resources and talent on the platform that customers otherwise just don't have access to, and we're seeing that be one of the key drivers from a revenue perspective as we head into 2025.

>> Yeah, great point. Also, it really highlights and shines a big bright focus on supply chain security. That's certainly a top priority. What's your view on that piece of it as this ties directly to where's that device been and who touched it?

>> That's right, and I think we're seeing it in almost every single one of our customer conversations, that their primary fear, their primary concern is how do I secure all of my partners, all of my strategic vendors, and how do I make sure that I understand the threat profile that exists within my supply chain? Now, this is different from a traditional SBOM or software supply chain. This is looking at the actual suppliers and the risk that they pose being a part of that supply chain. So we're seeing customers coming to us asking, how do we set up security programs on behalf of our partners? How do we think about the hardware as it goes through that supply chain?
How do we make sure that there hasn't been tampering or malicious activity happening with that hardware? And we're hoping to provide one guidance around what they should be thinking about and doing, but two more importantly, actually being able to go in and do some testing and validation that they have the right level of controls and they have the right level of security within those devices themselves.

>> AI's got all the buzz. Generative AI is generative. It's not static, so you don't know what's going to happen. AI has been a tool and a target. Talk about that impact and what you guys are seeing there and some of the things you're working on.

>> So what we've seen is we've surveyed our hacking community and we just released our Inside the Mind of the Hacker report recently, and what we found was over 90% of hackers are already using AI to become more efficient. So that's a good thing in that we're starting to see more symmetry come into the defenders, being able to combat the adversaries that they're seeing. However, that also introduces the ability for the adversary to be smarter for them to be faster and be able to leverage AI. On the target side, every single one of these deployments, we love these deployments and these models and organizations are adopting these faster than likely any technology that they have in the last decade, but that introduces risks both from a security standpoint as well as a safety standpoint. So we've started doing bias assessments and really working with customers to understand what are the safety implications of what they're doing and what are the security implications of the models themselves.

>> Over a year ago when we started our CUBE pod. It's every Friday, put the plug in there for theCUBE pod, check it out if you haven't listened to it yet. Dave and I had argument back and forth. We argue a lot sometimes on the pod. We did a survey, a Twitter survey, not a scientific survey.
So at the beginning of our pod over a year ago the question was, who benefits from AI, the defenders or the attackers? And we debated back and forth. And the results from that from the market on Twitter was that the defenders, I mean the attackers benefit. A year later we ran the same poll and the defenders were gaining advantage and it came out clearly at Google Mandiant's event, mWISE, defenders are getting better. This has been a big advantage. I think this also democratizes the opportunities for what you're doing. So you starting to see AI almost not yet level the playing field, but certainly fill the gap. What's your reaction to that?

>> I think that's exactly right. I mean, certainly in the early days of this, we saw that the attackers had to be less sophisticated to be able to carry out sophisticated attacks. AI would do a lot of the heavy lifting. They were working around the guardrails and the controls that were in place in some of these models to be able to exploit that. What we're seeing now is that you have had defenders starting to adopt this technology. They're starting to catch up. We're starting to level the playing field, and that's the beauty in our minds of what the crowd brings to bear. And crowdsource security at its core is all about leveling the playing field. So for us, we love any technology that helps make that easier. And then from a target standpoint, we simply help make sure that they have the right controls in place on those models and systems that they're using. But it is leveling the playing field for the defenders and the defenders are becoming far more efficient and productive than they ever have been before.

>> I have to ask you this question because it was really popular at AWS re:Invent last week. I even brought up with Andy Jassy. We had exclusive with him on theCUBE. So I ask you because it is a collective intelligence angle for you. Love the community approach you guys have.
I'm a big fan so I'm biased and I love what you do, so little disclosure there. But with the rise of agents, tell me your idea of that because I would imagine that having agents will create a network effect inside a collective intelligence system with a human in the loop. I can imagine that in the future, I know it's not there yet, but your crowd only gets bigger when we enable and delegate tasks to potentially agents. What's your thoughts just generically? I know there's not a lot on the table right now from a production standpoint, but you can connect the dots.

>> AI is going to truly change the way that defenders think about what they're doing. That goes for our crowd as well. Our crowd is leveraging this to be far more impactful, far more effective and automate some of the lower level tasks that historically they would have to do. And we're looking at this even internally for ourselves. Do we need a human to validate every vulnerability that comes in? Of course not. We have the ability to leverage AI and other machine learning to be able to do some of that pattern recognition. The same is going for defenders and crowd members out there. They're going to be able to scale well beyond whatever they thought was possible before by leveraging this technology at exactly the right time. And again, you're never going to replace a human defender with AI. It's going to play a very important scale up role, but it's not going to replace the human ingenuity that comes with the crowd.

>> Yeah, it gives them more horsepower, more creativity-

>> Exactly....

>> mundane task. Go do some analysis, come back to me with some insights. I totally agree. I'm excited by that. I got to tell you I'm looking forward to next year and the security shows we cover on that piece. It's going to be big. I got to ask you a question on, you mentioned this earlier about CISOs and whatnot. Do you see the vendor relationship with companies consolidating or still growing?
What's your take on that?

>> So I think that CISOs are looking to build deeper relationships with the vendors that they partner with and that they trust today. I think from a market standpoint, we're going to see 2025 be the year of vendor consolidation. You're four years out from the peak of the fundraise market where we saw valuations that simply didn't make sense. I think you're going to see far more consolidation heading into 2025 as organizations start to run out of that cash that they raised at the height of the market. Now they need to raise more money, valuations are down and you're going to see that there's going to be an opportunity for market consolidation. I think ultimately that's a good thing for customers and for CISOs because they're going to have the ability to place bets on the vendors that they trust, the vendors that they believe in, and be able to consolidate more of the spend under those organizations.

>> David, I got to ask you, do you see people when they work with Bugcrowd the light bulb doesn't go off or they might have an objection? I mean, I've heard from people who look at some of this crowdsource approach, "Well, I don't know trust. I don't know if can I trust it." I've heard that with theCUBE, some of our things with our open CUBE Network. How do you handle the objection of the reliability and the trust of collective intelligence and crowdsourcing security? What's your answer to that?

>> So John, it is funny. We saw much more pushback and objections around that a few years ago. I think for the most part, the market has adopted the fact that they can't scale to the level that they need to scale, and they need additional resources to be able to help. Now, when we do hear that the analogy I like to give is you're not giving them any additional access. If you were going to go rob a bank, do you sign up for a bank account first? Of course not, you go rob the bank.
If you're not working with the ethical security researchers and hackers to amplify your ability to defend, all you're doing is giving the adversary a leg up because we can promise you that the bad actors and the criminals are already targeting your environment. Why not take advantage of this amazing crowd and ecosystem of ethical researchers who can help you identify vulnerabilities fast?

>> I want to bring that up because I wanted to drill into that. Give an example of a use case day in the life, I'm a customer, how do I engage and what's the alternative if I don't leverage some of this professional open resource?

>> A really good example is let's assume that you have a vulnerability that exists with your environment. If you don't have a vulnerability disclosure program or you don't have a bug bounty program in place, how is that researcher supposed to get that? Let's assume it's a good actor that identified that vulnerability. You have a critical vulnerability sitting in your environment that you don't know about and you have no way for them to be able to disclose that to you. A platform like Bugcrowd gives you the avenue and gives you the help and the go-between between you and the hacker community to validate vulnerabilities as they come in and help you understand what remediation protocol or mitigation protocol you should be thinking about in that environment.

>> I got to ask you because Brian Baumann who heads up capital markets for NYSE, he also heads up the new NYSE Wired community which you're now part of. Thank you very much for coming on our show and being part of the group. We were riffing the other day around. We came together with a program around AI for CFOs and was out of the idea that CFOs are coming into the fold, but they don't know anything about AI.
But mostly CISOs, COOs, legal you mentioned, but when you get into the role of data and contracts, you start to see the CFOs come in saying, "Hey, if that data is worth more, I might want to put a different insurance policy." But yet insurance companies don't differentiate between... This is a small example, but there's a million in between the cracks details that have huge implications. So I want to ask you, what should we put on the program? What should we ask experts to serve CFOs as they have to go in and look at the business model transformations of AI and security? It's a huge topic that we're now going to expand our inaugural event next week in Palo Alto.

>> I think the last piece of what you said is the most important. This is a business model transformation. This is going to change every single piece of how a CFO does their job and how they think about their company today. It changes the value of the underlying data. It changes the risk profile for the business by leveraging AI or not leveraging AI, and it also, more importantly, starts to frame up a discussion around how do you leverage it effectively? This gives a CFO the ability to look at immense margin improvement, immense cost structure improvement by being able to make the current organization and structure more effective. They should be drooling over this. They should be adopting it left and right. We're seeing that they're not adopting it as quickly because of the risk. So it's our job as a security industry to help be able to articulate that risk, help them minimize the risk where it makes sense, but most importantly, drive the outcomes that they care about and be able to speak that in a language that a CFO can understand.

>> I had a line, you might laugh or maybe not. someone to his CFO friend. I was pretty direct with him. I said, "No offense, you guys default to risk management and capital budget, but the adversaries are playing 3D chess. You're playing checkers. You got to get in the game."
And he's like, "What do you mean checkers?" I'm like, "Well, the things you talk about. There's all kinds of risk profile, revenue opportunities, margin expansion, downside protection on any kind of breach." I mean which they kind of care about, but they punt to the CISO or security teams, but never mind, other things, the insurance. All this is now in the business model. So he goes, "Wow." And so this is what inspired Brian and I to put together this event. Again, I don't want to harp on that-

>> Great idea.

>> And we maybe have you bring you in for expertise because your comments are great, but this brings up the State of the Union because at the end of the day the business models have to be engineered for the environment and that's the business model and the customer value proposition. You guys are at Black Hat in London, in Europe, back at Europe, which is in London. This is the trenches, the technology and the capabilities like Bugcrowd enable those businesses to stay in business and maintain that business model. So I want to ask you, what's going on at Black Hat London? What's the agenda like? What's on the radar? What's the current talks of the day that's getting your attention or that people should know about?

>> Yeah, so it is a lot of what we talked about. AI is around every corner, the buzz around AI, how organizations are doing it. And this is also where we as a security industry need to be really careful that we're articulating what AI value exists and where we can drive more value leveraging AI because very quickly it's becoming a buzzword and we don't want to tune people out. I think as we talk with our customers we hear every single day they're worried about their supply chain, they're worried about how they implement AI effectively and keep that secure. They're thinking about consolidation across the market.
So for me any opportunity to speak with customers, to walk the show floor, to talk with our partners, to talk with the hacking community that lives here in London is a great opportunity just to, again, be in the trenches, as you said, and be able to see folks. But the buzz at the show is fantastic. We've seen a ton of energy around the booth already and we're super excited for the rest of the week and being able to spend more time with people.

>> David, great to have you on. David Gerry, CEO Bugcrowd. Final word. I'll give you the 30 seconds we have left. Put a plug in some of the metrics. You guys got some notable milestones you're looking to hire. Give the shout-out and plug.

>> Yeah, I appreciate that. We've had a really exciting year. So new customer acquisition last quarter was up 100% year-over-year. We're seeing more customers adopting crowdsourced security than ever before. We're hiring across the board, across every single function. So far year to date we've brought in about $152 million of new fresh capital into the business through our round with General Catalyst at the beginning of the year and then with a credit facility through Silicon Valley Bank towards the end of the year. So we're excited for a really big 2025, and we believe that this is going to be a space that continues to grow, that we continue to see just immense success driving the right security outcomes for our customers by leveraging the ingenuity of the hacking community.

>> Great to have you on. Thanks for coming on theCUBE, both part of our new NYSE Super studio connecting the access point of our community here in New York with Silicon Valley, creating an open network with the NYSE Wired community. Thanks for coming on.

>> Thanks for having me. Great to be here.

>> I'm John Furrier with theCUBE. Thanks for watching and we'll be right back.