Detailed transcript :
Stuart: Fail fast. And what I mean by fail fast, you guys have probably heard this many times, but for me, it means that you don’t just try everything and then fail quick and then just change and pivot. You take a mindful approach to decision-making but once you make a decision then you don’t wait to change paths, like you’ll know your backup path and your backup of your backup path and you’ll switch quickly. I can’t tell you how many times I’ve seen companies entrepreneurs fail, who keep doubling and tripling down on a really, really bad idea rather than just admit it’s a bad idea and just move on to the backup plan.
Ankur: Welcome to another episode of Zero to Exit. This is Ankur and Neelima. We took a bit of a hiatus from our scheduled programming for a number of reasons. One of the big ones was the time it took to get today’s guest on the podcast, something we have been looking forward to for a long time. So without further ado, let me welcome the man, the myth, the legend in the security industry, Stuart McClure. Stuart is the founder and CEO of Cylance, the first end point security company that revolutionized the way industry detects and protects endpoint using machine learning. Stuart is also the co-author of the most successful security book series of all time ‘Hacking Exposed’. Prior to founding Cylance, Stuart ran the security business at McAfee, co-founded Foundstone and held leadership roles at small and large security companies. He is now a board member and advisor for many security companies.
If you’re an entrepreneur or a security professional, there’s nothing else you’d rather be doing at this time than listening to this podcast.
Hi Steve. Welcome to the show.
Stuart: Hey, thanks so much for having me guys really appreciate it.
Ankur: Our pleasure. Thank you so much for taking the time. So there’s so much ground to cover today that I’m going to get right down to business. I believe you grew up in Guam. Tell us what your upbringing was like in the lessons you learned growing up.
Stuart: Yeah. I was born in the Los Angeles area but grew up very quickly, at a young age in Guam. My family was not in the military, that’s often the next question- Why would anybody move their family to Guam? but it was really a great place for me to grow up. I certainly struggled, as a minority in school, of course, and on the playground but you learn life’s lessons pretty quickly and get to know how to negotiate the world pretty quickly. So it ended up being a really, really strong part of my past. I also learned and discovered my passion for cycling. So road cycling was out in Guam. It ended up that I figured out- Hey, I can escape from the wild dogs and the bullies on a bicycle really, really fast and really well and easily. So I was able to get on that bike and just escape. Get and get out there. And it’s a small Island. So, I could go around that whole Island within a day. And, it was really good for me to get out. And I also found a nice sort of aerobic outlet for my energy which as a young man and young adult was really nice to have and it also led me to Colorado, which is where I went to train at the Olympic training center, in 1985 for road cycling. So everything happens for a reason and that was certainly no exception to that experience in Guam.
Neelima I remember we discussed this for a story -the airplane incident when you were in college. This incident decades later would help you with some of the core principles as you were building Cylance products. Can you talk a little bit about that incident?
Stuart: Yeah, sure. I was a sophomore in college, up at CU Boulder and my mother offered for myself and my 10 years younger brother Mark to go to Australia and we had never been. And we had free tickets to Australia because my stepfather worked for United at the time and I thought what could go wrong? It sounds like a fantastic trip.(Laughter) So I took a week off or so from college or I think it was during a break. It was the last week of February and went on the flight and from LA to Honolulu. It was no problem, had perfect flight up and down. It was a late night flight. So, we landed around 1:00 AM if I recall correctly. And then we took off about 2:00 AM and at that time I fell asleep, I was comfortable. We were in our seats, we took over the middle part of one row and I was on the right hand side of that part. And sure enough within about 10, 15 minutes, we had a huge explosion, rapid decompression and everything that wasn’t bolted down, just left the plane and unfortunately nine souls were lost on that flight that night, but we didn’t know that at the time. We just thought that it was like Lockerbie a year before. We thought it was a bombing and we thought for sure that here we are over the middle of the Pacific ocean. Don’t know how far away because we were ascending it for about 15, 20 minutes. We didn’t know where we would end up, would we end up in the water? Would we make it back somehow? And the whole experience and memory was just total chaos of everybody trying to figure out, this is how we’re going to die.
And how do you end up dying? All of us were really surprised when we started to hear people notice lights because it was pitch black. Remember it’s 2:30 in the morning. You really can’t see anything out the window and you start to hear, Hey, lights, there’s lights, there’s lights.
So that gave us hope that, Hey, we’re close to land. Maybe there’s a chance that we can land on the ground and not in the ocean. And then what I remember is the Pilot or somebody saying two minutes to touchdown. And I just remember thinking, Oh, that’s a really good sign. Right? Touchdown. It’s not a splashdown. I kept thinking but you just don’t know, You don’t know where you are. You’re in the middle of nowhere. I mean, total blackness everywhere. Somehow that pilot, it was his second to last flight before retirement with United airlines. It was mandatory retirement age. He was able to land that plane and it was the most perfect landing I’ve ever been on in my life before or since. I thought for sure we would do cartwheels, even if we got to land, we would do cartwheels and it would just be debris everywhere, but we landed, the plane stopped. We got off that plane within 45 seconds. It’s like 300 or 320 or 340 passengers off in 45. So it was crazy. Yeah. Then we got interviewed by the FBI thinking that it was a bomb. We really didn’t know what the heck happened. We just knew that there was a huge hole on the side of the plane. And so, I get back after the whole experience, get back to college and I used to work many jobs, of course, as a typical entrepreneur would. I was an assistant teacher at a daycare center and I’ll never forget it. I was walking between classes between classrooms and I just thought to myself, why would I ever choose to be unhappy again? Life is way too short. Even to this day it feels almost like a dream that I’m living versus the real world, the real thing. I think that’s pretty common for near death experiences but it’s shaped a lot about who I am as a person. And obviously as a professional, it created a lot of motivation for me to do the right thing, to make the right choices, think outside myself, which as a 19 year old, it’s hard to do, but it taught me that pretty quick and that’s carried me throughout my life.
Ankur: yeah. pretty incredible story. It’s interesting, you mentioned that the captain was about to retire. Didn’t this same thing happen with Captain Sully as well. I guess that experience led him to retirement but it was his tail end of career as well but wow, this
Stuart: It helps. It helps. I really do think that you get almost muscle memory in trying to respond to things that you need to react to within milliseconds, not within seconds. And if you don’t take those actions, I think as a pilot, you have the real potential for disaster. And I think that’s what saved us for sure. I mean, he was a thirty year glider pilot, captain David Cronin. He was out of Incline village, Nevada. Yeah, he was a 30 year glider pilot. So he knew how to glide. So in the plane, what happened was the debris that had blown out, went into the number three and four engine. So, he had to shut those two engines down. And I think to this day, no 747 plane has ever landed successfully with only two engines working on one side. And I remember I actually asked my stepfather to get me in contact with the pilot because I really just wanted to ask him one question, how did you get us down? Cause I see all the news articles about it, where, impossible flight. There’s no way it could’ve made it back, et cetera. How did the captain do it? So, I got his number. I nervously called him up. I was totally undeserving of calling him but I called him and I said, look, I don’t want to bother you and I just wanted to say, thank you for saving us all but I really need to know how did you make it back?
And he goes, Stuart, I’ll tell you something, I have no idea. He’s like, I have no idea. And I go, what do you mean? He’s like, well, when we got on the ground, the NTSB and Boeing, all of us, we pulled the black box. We put it in flight simulators there in Honolulu. And we tried over 200 different attempts and I couldn’t repeat it. I couldn’t repeat landing. We crashed in the ocean every single time in the simulator. So he was like, I have no idea. So I said, you know what that’s all I need to hear. I know my mission. Okay. Got to make the most of life.
Neelima: You had mentioned that it was a known flaw that actually got…
Stuart: Yes. So about a year afterwards, they had been performing an investigation and it had been discovered that there were two elements of the failure. So the first was, sort of an accident. So it was a short in the wire. So you could probably argue that’s a design flaw. Maybe you need to design for that sort of failure.
But the second backup element which is a hooking mechanism, that’s supposed to hold the door, even if it does open in mid-flight. It was a severe design flaw because that was made of aluminum and the door was made of steel. So imagine under pressure that steel door getting blown out, it just turned that aluminum to butter and never really held the door whatsoever.
So again, a couple of design flaws, certainly vulnerabilities in the fuselage of that plane. And I think that also really inspired me to apply that sort of mindset to cyber as well. So being able to think ahead and think like a bad guy, think like somebody that’s trying to bypass controls and exploit vulnerabilities and get to what they want and how I could try to apply that mindset, knowledge to preventing real suffering in the world in particular online. And I think that’s what gave me a lot of inspiration early on to go into computers and cyber in particular.
Neelima: After that, let me go back to your little bit early life. Right? So right after college, you started a consulting company and then became an economist at InfoWorld. And somewhere around that time, you also co-authored the first edition of Hacking Exposed. Why did you decide to write a book on security?
Stuart: Well, the book idea is I think like most people, you always think to yourself- God, wouldn’t it be the ultimate in existence, if you could just publish a book. Man, you really have made it if you can be a book author. And so I had always had that in the back of my head but I had been writing obviously for magazines and certain pieces here and there.
And I had also been focused almost solely on computer security at the time at InfoWorld. I was covering that industry for a number of years. And I had been learning a lot about how the bad guys were getting into computer systems and networks and I had been really documenting them so that I could remember them. And also so I could talk about them in columns and pieces and write-ups and such and obviously I would test out each one of these that I possibly could to see how they’re really doing it. Of course I had my computer science background and I also had a cyber incident while I was at CU Boulder around the Morris worm. So that gave me a lot of background and comfort around the subject. And so as I’m documenting all these particular attacks one day, I’m like- gosh, I could probably write a book on this topic. And I had already been writing a bunch of columns in the security watch column for InfoWorld that I started with Joel.
And so I just said, Hey, look, I’m going to write a book. And I actually first asked my boss at the time. His name was Bob Garza, if you wanted to join me and it would just be him and I writing the book because he had been an author of a Lotus Notes book. And I thought, Oh, he knows the drill. He can get me covered. And we’ll just coauthor it together. Well, he just refused me. He’s like, look, I’m too busy. A book is an absolute total nightmare. You never want to write a book. Don’t ever write a book. And so I like….
Neelima: that’s very encouraging (Laughing).
Stuart: Yeah, Thanks Bob. Well, to this day he still kicks himself in the butt for not saying yes on this one, But anyway.
So, my colleague, Joel, who was working with me at the time and I said- Hey, you want to, co-author a book with me. I’m going to pitch it because I had done some technical reviewing of another book for Windows 95 at the time. And I said- Hey, let’s try and pitch it together. And so I had written up a table of contents and I shipped it off to them.
Of course they rejected us the first time of course. Undeterred just kept sort of pitching it out to everybody. Well, about a year later, they came back to the very original pitch rejection and said, Hey, are you still interested in writing this book? Because we just hired a new editor and they’ve got time now to work on this and I’m like well yeah, yeah, of course. So that’s how it all came to be.
So Joel and I started writing it while still at InfoWorld. And then I got recruited over to Ernst & Young and finished it while I was there. And then left almost right after the book was published and started FoundStone.
Ankur: very cool. You know, I should mention that I am guilty of not having read the book but then after our conversation, I downloaded the seventh edition. I’m like halfway through it. One of the things that struck me about the book was it’s almost as if you wanted to write it for yourself or like your 10 year old. It’s very simple. It builds, it’s not jargon-y. It starts simple and then builds different concepts on top of that. It’s very first principles before first principle became a thing. Is this how you generally think about different subjects, people, organization scaling? like not be held hostage by dogmas but start things bottoms up and then build.
Stuart: a great observation. I mean I’ve always believed that unless you can explain it to a four year old, you really don’t understand the material and you really shouldn’t even try to explain it. I also believed at the time there were really only three or four cyber books out before I published this book and it was Halting the hacker was one, Secrets of the Super Hacker was another. Maximum security was another. And I think there was one more but I’m drawing a blank on it. But none of them, if you pull those things up and you can get your hands on any one of them. None of them were sort of recipe driven, prescriptive driven. And, I dunno if you’re a Baker, but like baking science by and large, right? You do this and then this, then this and in this order. And it comes out pretty much perfect. Pretty much every time. Right. And I thought to myself like- guys, why can’t we create cybersecurity more like a science. Do this, then this, then this and you’re going to get this result. And I’m also a kinetic learner. I’m sure if I got tested, I’ve got 20 different learning disabilities because I can not read something. I can’t. I have to actually do it. And so I thought to myself- well, the most foundational way everybody learns is kinetically by doing so. Why don’t I make this book more of a kinetic recipe driven, prescriptive process for people but make it as available and open as possible to everybody out there. And that was the design from the very beginning. And luckily we were able to get a nice template together for every chapter to make sure that they looked and sounded similar and came across exactly the same. And then of course, that book then exploded into a whole bunch of other books and the Hacking Exposed book itself became a whole franchise and it sort of got way out of control to be quite honest
Neelima: As I was telling Ankur, a lot of us engineers who used to do hacking, grew up on that book. So it’s a Bible for us.
Stuart: yeah. Now it’s more like a paperweight (Laughs) but yeah, back in the day, everybody had it on their desk and it was an easy meeting with 90% of everybody in the cyber security industry, that first meeting, because you tell them about you’re the author of that book and they’d be like, what? Oh, I have that book or I’d love that book. I’ve been studying that book forever. So it made it really a nice, easy meeting icebreaker for sure.
Ankur: Yeah, I can’t remember how many times I’ve given talks on things like Tor exit nodes and stuff and I’m like, Oh, it’s actually the onion ring. And I think it makes sense because there are layers and layers and I think one of the things that you mentioned early on in the book is to read every page. And that is true because you miss this fundamental concept, you’re not going to get the advanced stuff. So, you co-authored Hacking Exposed and then also co-founded FoundStone and were also an exec with another superstar like yourself, George Kurtz, who is the CEO of CrowdStrike. So, how did you know each other? Obviously you’ve done many years of work together. How did you get to know each other?
Stuart: We originally go way, way back. He originally sent me a couple of emails while I was at InfoWorld because he wanted something he was working on at PWC to be written about in the magazine. Then he invited me out to Windows hacking class out in Cleveland, Ohio. I’ll never forget that. That was sort of fun. (Laughs). And then he recruited me along with John Darbyshire over to Ernst &Young because they were going from PWC to Ernst & Young to build the cybersecurity practice there. That was largely out of Kansas city, Missouri. And so I helped them to build the foundations for that program. And George and I worked together pretty much every day for something like 12 or 13 years. So yeah. Got to know each other very, very well and we’re very successful together. And found FoundStone together. We started that company and it was a great experience and then with McAfee, we just took it to the next level and we had a great team there.
Neelima: Yeah. So going to McAfee, you were at McAfee for many years, running the enterprise risk and compliance business. A lot of founders we interview on the board are McAfee alums. Like the PayPal mafia looks like in security, we have a McAfee mafia. What made McAfee, such a perfect breeding ground for future entrepreneurs in the security world.
Stuart: It is funny that you say that about McAfee mafia, but I was just thinking that like a year ago or something, I was like- there is a lot to Mike DeCeSare and there’s just DeWalt, of course and everybody has gone on to do something either as first time entrepreneurs to start a company or to CEO company or multiple time. And, we had this phenomenon at FoundStone as well. I mean, I remember stopping counting at about 26 companies that FoundStone had birthed. In other words, first time entrepreneurs that were Found Stone alum. And obviously we had a lot of that with McAfee as well. I think that especially under Dave DeWalt, he was just a master at bringing talent together and acquiring and being acquisitive successfully. And you all know how challenging acquisitions can be on so many different dimensions and levels. And that they’re most often failures to be quite honest, by almost any measure, whether it be financial or cultural or logistical or whatever you want to measure them by.
But I honestly look back on all the acquisitions that we did, including Foundstone was acquired by McAfee and I look at it and there were not more than a handful that you would consider less than super successful. And so I think that came to DeWalt and DeCeSare and the whole team building the right executive team, looking for the right technologies and then being successful in bringing them in, their founders and their engineers, employees together. And proving that it can be done. That you could turn around a company. I don’t know if you remember the history, but McAfee wasn’t the shining star, let’s put it to you that way, in cyber security at the time. And I won’t name names and go into the details, DeWalt was a bright light and it was the reason why I came back to McAfee.
I actually left McAfee. I helped a buddy build a cybersecurity practice at Kaiser Permanente and they came back and asked me to come back and join because coz DeWalt had joined. And I was so impressed with him and knew that he had the right vision and the right execution, so it ended up. I think it’s a collection of talent. We were just super blessed to have been there at that time and could parlay and really what allowed me to focus on endpoint and focus on prevention. So for me, there were just so many blessings of that whole experience.
Neelima: We absolutely need to get Dave DeWalt on the pod. If he will come, it will be just awesome.
Stuart: Well, I’m sure he would, he just went public with night dragons, so with the spec., I’m sure he would be more than willing to chat with you.
Neelima: Okay. We will request you to do the intro. So thank you.
Stuart: Happy to do that. Yeah, for sure.
Neelima: So from McAfee, you went to Kaiser for some time but then you started the Cylance company. How did the idea come about for Cylance?
Stuart: I had taken the CTO title, the global CTO title and I had been sort of thrust into the world of managing large product portfolios. Some were new but most were old and antiquated. They had been built 20 plus 30 years ago. And I had also been, as the senior executive been asked to fly around the world, meet with every customer. And I used to get the same three questions pretty much every single time, almost in exactly the same order. Why is your product so slow? Why doesn’t it stop anything? And why aren’t you innovating? I mean, that was it. And I’m sure you guys can resonate, right. And when you get out there to customers, it is pretty much the top three.
So I used to jokingly say I’m more of the chief apology officer than anything. What I would do is I would apologize for what I had sort of inherited, but I would reassure them and give them a solid vision roadmap plan for improvements and innovation. But I knew deep down inside that I couldn’t do at least one of those effectively and that is to really prevent attacks because we all know how signature-based approaches work and the very nature of signature-based technologies is you can never actually prevent something brand new, almost never. You can only prevent that which the world has already seen before and already built a signature to detect.
And so I just kept thinking with such guilt, as I’m explaining to everybody, like we are moving forward to do this, I knew that we really couldn’t fully prevent cyber attacks, especially zero days. But I knew that there had to be a way. And I went back to my old days in college, in programming, computer science where I was fascinated with decision tree learning. And, I wasn’t strong in maths but I was strong in algorithms and programming. So I could build an algorithm , I just couldn’t reduce its time by a hundred X or something like that. But I knew that there was a way to teach a computer to learn. And that’s what really sparked my interest was to say, well, look, we have a known database of literally hundreds of millions, if not billions of viruses and Trojans and malware, why couldn’t we take all of those and break them down into their characteristic, parts and features and qualities and teach a computer to learn which features and qualities and characteristics are most predictable of malicious and which ones are most predictable of good.
And at first of course, it was hard to explain it to anybody because nobody had applied machine learning like that, or data science and cybersecurity. The closest thing that you could make an argument for was in the early days of spam filtering, they had some semblance of machine learning in those approaches but they never reached commercial success. They just couldn’t get them, fast enough and accurate enough. And so, you get a whole bunch of legitimate emails that were thrown into spam and vice versa. You miss spam that goes into the inbox. So I knew that there was some potential for this. And I just knew in my gut that we could do this in a far more efficient, effective manner, especially given the large data sizes that we were working with at the time.
So, the impetus behind Cylance was that we could not just detect a problem and stop it but we could predict it and prevent it. And that was the ultimate maturity and evolution of machine learning. It was to move away from classification to prediction and to do it in real time and that was the biggest challenge because you think about every single thing that executes on a computer. I mean, we’re talking milliseconds of time, so you have to get whatever decision-making that’s in the way and shimmed in between that process, to make a decision within a hundred milliseconds, or you’re going to overwhelm the company and no customer will ever buy you. So we had a couple of really big challenges to solve but once we solved those by a year and a half in Cylance, we knew we were onto something really, really special and we could get basically an intelligent mind on the computer in real time to look at everything before it executes or opens and determine if it’s going to be malicious and that process is what I had been doing as a cybersecurity professional forever. Right? Like, I’ll never forget. I am embarrassed about telling you this story but it’s a known story. So I think I am comfortable repeating it. So right after McAfee bought Foundstone, they put me on the road to go and talk about the technology and host a whole bunch of events. And one of them was in Rochester at the RIT Rochester Institute technology. And I’ll never forget this because it was one of the first talks, right after the acquisition and at the end of almost every presentation I ever did, I always did a live demo because I always thought that was the best way for people to learn, like, look at this attack. Let me show you how it works. Well, at the end of it all, I had somebody in the back row of the audience ask a question and he goes, Hey, Stu, I know you just got acquired by McAfee but I’m just curious, what do you use on your computer that protects you from hackers? I mean, you must be a pretty big target. You got the Hacking Exposed book. I’m sure somebody would love to put a trophy of your face on their mantle of somebody that they hacked. So what do you use? And I remember pausing because I just thought to myself, like McAfee, just paid decent money for my company and I am about to admit that I don’t use any product. In fact, I would never use a product of any sorts. I just don’t trust them. They just aren’t good. And it sort of creates this laissez faire attitude to doing something. Whereas you know, you have nothing to protect you on the computer. Now go work on the internet. So, I looked down at the front row and sure enough, it was the head of worldwide sales for McAfee in the audience. I thought to myself, Oh man, I’m either going to lie to a thousand people (It was about a thousand in the audience) or I’m going to be the shortest tenured executive in McAfee history because I just got acquired. And so I look up to the guy and I go cause he asked me- Hey, can you show me your computer screen, your SIS tray? And I’m like- look I don’t need to show you my SIS Tray. I’ll tell you exactly what I have on here. I have nothing on here but I just want to remind everybody, I’m not like 99.9% of the world. I know what to click on and what not to. I know what to open and what not to. I know what settings to set in the operating system at a low level to prevent sort of the low-hanging fruit of attacks. And so, I know all these things and that’s not what most people do. They don’t do that every day in and day out. So they do need some protection. That’s why McAfee’s perfect. Well, of course, in the back of my head, I’m like, I got to fix this problem because this is embarrassing. Cause I can’t even endorse the very product that I was a part of and I’ve got to try and make this better. So that really set me on my path to try and predict and prevent cyber attacks more
Neelima: One more thing that was unique about Cylance was it was a cloud managed console. First of its kind for an endpoint product. What was the thought process behind that?
Stuart: Well, there were two major architectural decisions that we had to make. One was where do we do the training for the models? We could get a whole bunch of GPU’s, could get a whole bunch of big irons or we could use the cloud. And that was the first decision, right. ECE-2 and Amazon AWS were coming out. That was first and second was where do we host our console? Do we host it in the cloud or do we have it on prem or do we offer for both? And we had a lot of very spirited debates and discussions around it but ultimately realized there was no way that we could stand up our own private cloud, economically, effectively anyway to deliver on what we needed to deliver on with regard to machine learning and data science training. So that was an easier decision. Second one was, where do we put this console? We saw the US government, they’re never going to take a public cloud over their dead body or even some of the big banks. I can’t tell you how many meetings I’ve been in with big banks. They’re like, it’ll never happen, never happen. And so we had to make a decision. Do we appease the big giants to get them as customers or do we craft and build the technology for the masses? Do we allow for the 80/ 20 rule, like, are we covering 80% with our technology then that’s what we’re going to do. And so we went with the cloud. Ended up being a great decision. We did have an on-premise solution at one point but honestly I think we even ditched that in the end and just said, look, if the technology is not compelling enough for you to overlook the cloud having the console, then it’s okay. There’s a lot of other great products out there, go for it. So yeah, but it all worked out in the end.
Ankur: One of the things you talked about was training datasets. So one of the veins of the security industry has been just not enough training datasets to do supervised machine learning. How did you get that? Is it just sort of unsupervised, get the attack, learn from that or were you able to get some copies of data from historical dataset? I mean, nowadays Congress and everybody’s talking about companies should come clean when they have been breached but there’s a lot of secrecy around this. How did you train the models?
Stuart: Well, there’s a few dirty little secrets that I’ll share with you (Laughs) at this point, I guess. First of all, the way that antivirus companies came to be is they would get access to a virus and then they’d build a signature and everyone else wouldn’t have access to the virus and then they promote it like, ah, look, we’re protected by our product. And then the customers of these other antivirus companies would say, well, gosh, why don’t you have coverage of this virus? And then the next time that they get access to a virus and the other guy didn’t get access well, then they would withhold the signature from the other vendor. And at that point, you start to realize, wait, what are we doing here? Are we actually trying to prevent the bad guys from getting it? Or are we just here to make money? And so what they really came together in a partnership early on and said, look, if we get something, a sample submission, we’re going to share it with you and you’re going to share it with us. And then that just started to blow up. So every single AP vendor out there, every researcher, every partner to the point where then virus total was created. You remember that, right. So access to data was never really the problem. It was publicly available. It was shared quite freely. And, of course, you had to handle it with care and it wasn’t going to go to some bad guy out in some foreign country without some credentials and validation but once you’re validated. Yeah, absolutely. They would share it and you could do whatever you wanted with the data because they were written by the bad guys.
Ankur: Got it. Very cool. So, you have the unique insight now. You have a product now but endpoint security is arguably incredibly competitive. There are McAfee and Symantec and a lot of vendors. You have to stand out as your message, your approach and why is it unique? You were ahead of your time. Remember going to RSA and there was like three years whereby Cylance stood out among the herd and you had this unique way to demonstrate the product. I believe you called it the unbelievable tour. Tell us about Cylance marketing. What made it great?
Stuart: well, of course I had just a phenomenal team. you know, largely, led by Ryan Golden who was head of branding. I sort of plucked him out of his web development career and he just had an incredible eye and an ability to understand complex topics and marketize it, sort of build a market around it. And so even though he was young at the time, he really just fell right into it. And when I started to explain book and the techniques and the company, it really started to make perfect sense to him. But we did struggle in the beginning with how do you demonstrate this thing? Because as you said the endpoint market is insanely impacted. I mean, we were tracking at one point over 66 or 67 competitors in the endpoint space. That’s a lot of competitors that you have to track on every single day and so it’s incredibly overpopulated. And so we struggled with how to demonstrate this incredible technology that not only has the ability to prevent current attacks but prevent all future attacks with no updating.
That concept was just no one could really understand what that meant. I don’t even know what that means. I’m so used to having my regular updates. And I can’t tell you many times we do these pitch meetings whatever. I would explain it just like that every single time and then say, okay, but how often do you guys update? And we’re like, no, you don’t get it. We don’t, we never update it. Never. You never have to update what I understand, like once a year. No, never because they’re so brainwashed into thinking you have to get updates for detecting new stuff. So I was at a board meeting and the board actually just punked, like asked me, cause they were just blindly trusting me at that point. Stu what the heck are you creating? We don’t even know what it is you’re creating. And I said, look, I think the best way to tell you is to show you. I love live demos. I do it with the Hacking Exposed all the time. Let me just show you this. So that’s exactly what I did. I took a hundred current submitted samples in the last 24 hours from virus total. And I just downloaded all of them, a hundred of them just to make it simple math. Right? So a hundred samples submitted to the virus total as brand new viruses in the last 24 hours that were peas. So I could actually convert them to executable is really easy by renaming them. And then I could run them real quickly in a for-loop and like one after the next, after the next. And let’s see what happens and I’ll do it compared to my Alma mater, the time I mean. Of course our technology was completely silent. You barely saw a blip on the CPU performance monitor graph and then the other guys were literally melting down. I mean, it was blowing up, it was a blue screen and there’s red screens everywhere. And you’re like, this is what we do. And there was no better way to show it, honestly because it was real. It was tangible. People could get it right away. Like, wait, I have that or wait I have a competitor of that. Is that also a problem? And you’re like, I’m glad you asked me to show you and we would challenge and we even pushed it so far to say, look, trust no vendor. That was a famous tagline of ours. Trust no vendor because every vendor is going to tell you that they protect against all of this. So don’t trust any of us even us. Don’t trust us, just test it for yourself. Do this exact test. Download virus total, rename the X, the PEs executable and run them in this for loop and see what happens on your standard gold build. And if you don’t have Cylance, you need it.
Ankur: yeah. The technology sells for itself.
Stuart: It did, it did. Yeah. With that sort of real world demo, it really did.
Neelima: For our listeners who are trying to build products in red oceans, this is a great way to market. I love this. It is just fantastic. We’re enjoying the pod so much. Thank you for that. I’m now going to switch to company culture. One of the things that people who have not worked with you or don’t know you is that you have a great sense of value and worth. And you mentioned that you should never forget your roots. How did that manifest itself in the company culture?
Stuart: Well. I knew when I started Cylance that we had the potential to grow very, very quickly. If the technology did what we thought it could do, we knew it would scale fast. And I knew with great hyper-growth like that you have the potential to get cocky, to have some hubris and to have humility take a back seat. And humility has been part of my life since I can remember getting beaten up on the corner, getting beaten up at school, having to run for my life. Humility is a big part of my history and my world. And I just knew that if you stay humble, if you stay focused, you won’t be distracted. You’ll be able to put all of your energy and effort into releasing and improving upon and innovating on great technology and keeping those distractions to a minimum which naturally occur from success. And so humility was always a big part of our culture, you know, high integrity. If you say you’re going to do something, you need to do it or explain why you didn’t do it. You don’t just ignore it and then of course, I mean, my airplane experience drove me largely to want to prevent suffering in my own little way with cybersecurity and preventing hacks. I mean, you look at all these ransomware attacks, it just kills me to see another ransomware attack work because Cylance prevents all of them like forever and ever and ever but obviously we can’t get that on every computer. So it just tortures me. So whenever I had the opportunity at Cylance, I would always remind them, look, if you’re not here to protect people, you shouldn’t be here. I’ll find you another job. It’s okay. I’ve got lots of friends that don’t have the same passion and the same direction. So I’ll find you another job, but you shouldn’t be working here because we’re here to protect people, especially those that really can’t fend for themselves and don’t know how to protect themselves. So, it was the only way for me to be. It’s the only way I know how to be and the only way I know how to live.
Ankur: Yeah. One of the parts of the role as a CEO and I was reading the profile of Frank Slootman, the CEO of Snowflake and a legend in its own right in the Bay area. Pretty intense guy, big believer in amping it up. And then obviously Ben Horwitz talks about wartime CEOs and peacetime CEOs.
It sounded to me like from your perspective, your style is mission driven, purpose driven but that’s not mutually exclusive on turning up the heat because in a startup you’re constantly in war time. How did you manage and struggle with that sort of employee’s wellbeing, making sure that people are not getting burned out versus it’s war time every day, day in and day out, or was it sort of once you decide the mission, people would actually work 12 hours, 15 hours a day towards that mission.
Stuart: Well, it’s a very astute observation. So what happens in the scenario that I described is we get, pretty much 90% of every employee is passion and mission driven, so will put in 300%, over an individual that’s just there for the paycheck that will put in maybe 90% which also sort of exacerbates the potential for them to burn out and that was one of our big challenges. At Cylance we had a big burnout challenge. And so what I instituted, I used a whole bunch of little things here and there, but one of the big things, we offered, at a certain point in time, if you had been with us, we offered that many weeks off in the year. It gave them an opportunity to really just totally unplug and uncheck for four or five, six weeks and still come back and have their job completely. We also really encouraged healthy lifestyles and healthy eating and all the things that are really essential, mindfulness and all the things that are essential. I’m not saying we were perfect in that execution of it because there were a lot of people that did burn out but we did constantly try to learn from that and improve upon it. And, yeah, it’s a good point about startups. I mean, you are a wartime CEO every single day. There’s no other way to put it and it can create a lot of burnout but you just gotta remind everybody -slow and steady wins the race. If we have to say no to a deal, it’s okay. I know that’s painful. I know it goes against the DNA code. But say no to a deal. So you can live to see another day. You don’t need to take every Hill.
Ankur: Yeah, it’s a breath of fresh air to hear that from a CEO, especially successful ones like yourself. I was reading an article about Goldman Sachs employees, some of the junior ones, a hundred hours a week. It’s just getting intense, more companies, more funding, it is just go, go, go constantly but you’re right, it’s all about balance.
So, we can have like two parts on company building itself, various stages, zero to 25 mil, 25 to a hundred and et cetera, we’re going to run out of time. So I do want to talk about the key thing about Cylance, which is when you sold it for 1.4 billion, By any measure incredible exit, right?
Having said that, knowing what you know now post COVID, would you have rather taken the company public number one? and the reason why I ask is that obviously entrepreneurs often struggle between when to persist and when to exit. What went into your thinking as you decided to exit when you did?
Stuart: Well, it had been six years. We started in July of 2012 and we were on a road show to go public in July of 2018 as crazy as that sounds. And I believe we’re still on record for the fastest cybersecurity company to 100 million in trailing revenue in history. We even beat Palo Alto, I dare to say.
So we knew we were on a great trajectory but what we knew we couldn’t do was we couldn’t fulfill our ultimate mission, which is to protect everything under the sun without bringing together, mobile IOT and sort of the interconnectedness of the world and that platform because we were great at windows, we were great at Mac, great at Linux , great at servers but we didn’t have a mobile solution. We didn’t have an IOT solution and this technology is perfectly built for that. And we knew we couldn’t do it all ourselves as well. So we said, when Blackberry came along and knocked on our doors, their vision and their mission, the spark platform really resonated with myself, the exec team as well as the engineering team that a one plus one would equal three. And so for me, I absolutely will do it all over again. The teams saw that alignment, saw what it could really be and ultimately what it can be which no one could cover that today. Even to this day from that complete coverage, it’s just that simple. Certainly, you’ve got the juggernaut companies out there but they’re all network or they’re all endpoint or they’re all cloud or all IOT but nobody can really offer up the expertise in all those areas. And so to do that we knew we had to combine forces at some point. It was only a question of would it be after IPO or before IPO? And so, no, we were just super happy to find that balance.
Tips on how to grow as a serial entrepreneur
Neelima: Great. I’ll switch to now basically your fourth inning, so to speak. You have been an entrepreneur thrice in your career. Can you share some tips with our listeners on how to grow as a serial entrepreneur?
Stuart: I guess my first suggestion is to find something that you’re super passionate about. Like a problem that you want to fix. Find one problem, the bigger the problem, the better but find one problem that you really are passionate about fixing and solving and then put everything into it that you can. I don’t mean money, I mean time, your interests, your passion then talk to people of like minds that want to solve the same problem or take on your problem as their own and see if you can combine forces and build something that can solve that actual problem because even if you only reach half of where you want to go, if you go after a really big problem, you’re probably going to be safe in terms of the market size and the solution that you’re coming up with or you’ll iterate quickly.
And the other thing is just to fail fast. And what I mean by fail fast, you guys have probably heard this many times, but for me, it means that you don’t just try everything and then fail quick and then just change and pivot. You take a mindful approach to decision-making but once you make a decision then you don’t wait to change paths, like you’ll know your backup path and your backup of your backup path and you’ll switch quickly. I can’t tell you how many times I’ve seen companies entrepreneurs fail, who keep doubling and tripling down on a really, really bad idea rather than just admit it’s a bad idea and just move on to the backup plan. That’s probably one of the most important suggestions I can provide.
And then of course, the age old maxim of just never giving up. Showing up is the first job of winning. So showing up, staying on the field and just continuing to chip away at the problem, no matter what the discouragement. I mean, you see a lot of people writing about entrepreneurs and it’s probably their stubbornness and their persistence that makes their success more than anything.
Getting over the inner fear of failure
Ankur: What about any advice on how to overcome the inner fear about starting your own company? What if I fail? What if things don’t work out? You were a serial entrepreneur so were there ever fears in your mind when you started this and what did you do to overcome those?
Stuart: I think you’d be lying as a human being, if you said that you weren’t fearful. There’s always times and places in your life where there might be more fear than less fear. Like, when I started FoundStone I started it literally two weeks before my firstborn was born and that was only like three months after I had lost everything in this move, moving from the Bay area down to LA. And so we had nothing, I mean, literally like air mattresses. It was crazy but I was also younger and I also had already started a company and sort of made it a success. And so I’m like, yeah, I can do this again. This is cool. So I sort of convinced myself and my wife at the time, to look past all of that and just believe. But there are times absolutely where fear can take over so just think about and introspect on yourself. There are certain personality types that aren’t impacted very much with fear because they know that they’ll figure it out somewhere along the way but there are others. They tend to be more precision driven. They tend to be more precise that means they need more predictability and more control. And you don’t have a lot of control as an entrepreneur. You have very, very little control and very little predictability and you have to just believe in yourself and know that you will figure it out. So I think surrounding yourself with people, if you’re not like that, surrounding yourself with people like that. I saw that in my father. My father started his own company out in Guam and I didn’t know it at the time,but now I realize, gosh, that was really hard. It had been really, really hard to do and somehow he did that and I thought to myself, gosh, if my dad can do it, why couldn’t I do it? Right. And so I think it’s just surrounding yourself with people that can achieve those things and prove to you, it’s doable and that you can do it as well. And then just believing in yourself and quite honestly, the secret is to just never give up. That’s the bottom line.
Neelima: Great. All right. So I think we’re at the end of the pod, we’ll switch to the rapid fire now. Single answers, yes or no or descriptive up to you.
First question, how would you explain SolarStorm to a ten-year-old?
Stuart: So to a four year old, this is it. all right. So a company created this product, this software, and somebody hacked that company. So when that company sent the software out to other people, they were also getting hacked. So it was sort of like your neighbor hacking you so that they could hack your family because there was a level of trust that was there. So that was as good as I can get you. I mean for a four year old.
Neelima: You were hired as a consultant for a top secret project at a large enterprise, bank maybe. And you were asked to advise on one threat vector that the enterprise should protect -network endpoint, apps, identity or data. What will you recommend?
Suart: well, okay. It obviously would depend on what levels of defense and strength that they had already existing but let’s say they were all equal or all equally bad. Let’s say, my first and foremost defense that always needs to be fortified is the threat vector. So there’s identity vectors, threat vectors and denial of service vectors. Basically classes of attacks and threat based attacks, vulnerability based attacks tend to be the largest and easiest to exploit. Identity is shortly thereafter with reusable passwords and guessable passwords, for sure but that’s getting better and better and better with controls on the back end side and then denial of service should be the last, but it’d be, threat prevention and threat detection as first and foremost.
Neelima: Which mega trend represents the next trillion dollar market, options, blockchain, crypto, AIML, ARV or climate or healthcare.
Stuart: Well, okay. I actually think democratizing healthcare.
Neelima: Great. your thoughts on Microsoft as a security vendor?
Stuart: My thoughts on Microsoft as a security vendor. O wow. Okay. Well, first of all, I think that they have done more as an operating system vendor than anyone else on the planet for cyber security. I just want that to be clear. And they have incredibly strong talent of people and individuals and quite frankly technology and they were one of the only companies out there as a competitor that we actually lost sleep over. It wasn’t CrowdStrike or anybody else, it was Microsoft because of their stranglehold, if you will, on the enterprise and the mid market for their software. However, you could poke a lot of holes in them. Obviously we could beat them up pretty good but at the end of the day, they’ve responded and risen to almost every challenge and problem that we have thrown at them. And for that, I give them a passing grade and I think that they’ve done well.
Neelima: What are you reading currently?
Stuart: Yeah. Well, here you go. I’m trying to finish my buddy’s book called The Peacemaker’s Code.
Ankur: Oh, yeah Deepak Malhotra
Stuart: Yeah, Deepak is a dear friend of mine and he’s a professor at Harvard with negotiations. And he decided over COVID, he’s like, look, I’m bored out of my mind, I’m going to write a book. And it was great to me. So I helped preview it. I got through probably half, two thirds and I just got to finish the rest but it looks like a really good book to finish up.
Neelima: I’m going to add it to my list and last question- who should we have next on the pod?
Stuart: Well, I think Dave DeWalt would be fantastic. You get Dave on here. He would do it in a heartbeat and he’s such a good guy and he’ll tell you some great stories. And ask him how he got the name for NightDragon because I reminded him, where he got it from.
Neelima: We will absolutely do that. With that Stu, thank you. We just enjoyed the pod so much. Thank you for the time and your wisdom and hopefully we can have you in the pod in a year again.
Stuart: yeah. Have me as a repeat guest. Sounds like fun.
Ankur: By the way, I was going to ask you- do you have a Twitter handle or something where people can follow your work? What’s the best way for people to reach out to you?
Stuart: You know, LinkedIn is usually the best place I use. I have a Twitter handle @Stuart McClure but I don’t often get on Twitter anymore but I’m fairly active on LinkedIn. Yeah.
Ankur: Awesome. Sounds good. Thanks a lot. Appreciate
Stuart: All right. Thank you guys.