What type of CTO are you?
As the CTO of a startup, my focus areas have had to change as the company has moved from stage to stage. They broadly fall into the following categories:
- Chief Architect/Lead Engineer — I still self-identify primarily as an engineer and, in the early days, was personally involved in the definition, design, and coding of the primary Agari products. Even today, despite the rapid expansion of Agari’s engineering team, I participate in architecture reviews, design workshops, and technical decision-making related to our systems.
- VP of Engineering — This role involves organisational and process architecture. I spend a significant amount of my time recruiting engineering talent and ensuring that we have the culture, structure, and communication to keep our engineers happy and motivated. I also work with my managers to evolve our Agile software development process and team focus areas to match the needs of the company and the systems.
- Technical Evangelist — An engineer on my team once observed: “It seems like CTO stands for Chief Talking Officer”. My role does involve participating in industry activities, talking to customers, and communicating with the rest of the company as an evangelist for our products and the technology that underlies them.
- Executive Team Member — I work with the other company executives, especially our CEO and VP of Product, on company and product strategy. While all the executives have distinct teams and functions, we make a strong effort to understand and support each other’s areas of ownership.
What does it take to succeed as a CTO in your industry? (Security)
Security is an extremely broad practice area, with many point solutions built to cover different portions of a company’s attack surface, through different phases of the kill chain, supported by different security roles within the company.
As the CTO of a vendor in the security industry, it’s important that I have a deep understanding of the threats, technical considerations, and workflow in my specific sub-category of Security. But to be successful, it’s also necessary for me to be able to understand where my solution sits in the broader practice area of Security, to find integration opportunities with other security solutions to improve overall outcomes, and to build a deep understanding of security practitioners so I can work to improve it.
Are there any specific challenges or pain points that you have come across in your role?
A large part of my role is to be a universal translator – someone who can speak the language of an engineer on my team, a technical security practitioner, a business-focused executive, and even a venture capitalist. A challenge that I enjoy is finding the right balance of technical depth and business value for every audience, trying to ensure that they get the detail that they need, without getting mired in complexity. At the same time, I need to continue to focus on being a good listener, understanding technology at a deep level, but also understanding motivations and needs.
What predictions do you have for the role of CTO in the future?
The move to the cloud drove a fundamental change in the way we built, deployed, and operated software products. The recent move towards serverless computing will drive similarly fundamental changes. With the move to the cloud, many software organisations first attempted to recreate their legacy architectures, before realising that they needed to completely rethink them. With the serverless computing options provided by the major IaaS providers, a similar rethinking is starting to be necessary. But the opportunity for greater efficiency in development, simplicity in deployment, and ease of management of software systems will be well worth the change.
Where does Agari fit in this industry? (Security)
In a crowded cyber security market, in which vendors are promising robust solutions across all aspects of the threat landscape, Agari is dedicated to eliminating email as a channel for cyber-attacks. Whether domain spoofing, look-alike domains, display name deception, or account takeover (ATO) based attacks, our focus on protecting cloud inboxes from advanced attacks allows us to identify and resolve threats at speed. Providing security to Fortune 1000 companies, including 6 of the top 10 banks and five of the world’s leading social media networks, as well as Government Agencies, our advanced technologies are based on massive data-sets. Every day, we update more than 300 million models to train our machine learning engine to deliver accurate decisions for email communications. We are the only cloud-native solution that uses predictive AI to stop advanced email attacks, safeguarding more domains today than all other vendors combined. It is our focus on email as a key vector for attack that means we can build specific tools to counter an ever-growing threat.
What are the main challenges in the cyber security industry and how to overcome them?
Some challenges remain fairly constant in this industry. For example, the ability of criminals to adapt and evolve threats rapidly, using new technologies and tactics, will continue, but that is part and parcel of the industry. There is also the well-publicised (at least in industry titles) problem of the cyber security skills gap, and how we attract young talent to the broad spectrum of roles available in this sector. This is a challenge that many organisations are talking about to each other, but the message doesn’t always reach the generation that would benefit from it. At Agari we run internship programmes and strongly advocate mentoring throughout the business. We don’t have all the answers to this issue but are keen to demonstrate the breadth of opportunity available to talented students keen to put their skills to rewarding use.
Finally, I would also say that one of the industry’s key opportunities, machine learning, is also proving challenging when it comes to separating the reality from the hype. Machine learning has unfortunately become an extremely overhyped term over the last year or so, particularly when conflated with its parent technology artificial intelligence, which instantly conjures images of science fiction robots. Publicity issues aside, the technology is capable of incredible things in the field of cyber security thanks to its ability to identify patterns and connections. Those exploring options that tout machine learning and AI as features of a solution should probe what this actually means in practice and whether they are truly buying the technology that’s being promoted.
Do you have any standout technology predictions for the cyber security space?
While ATO is still rare, our report, “Protecting Against Account Takeover (ATO) Based Email Attacks”, discovered an upsurge in this type of attack over the last year. Seeing through a deception like ATO is exceptionally challenging as there are almost no clues to differentiate such an email from the real thing. While email security has advanced to the point that even the most well-crafted fakes can be reliably spotted, even the latest generation of advanced email solutions can struggle with ATO. With so little to go on, attempts to spot imposters can easily lead to so many false positives and false negatives that it creates an unviable amount of disruption for the user.
This is an area where we are using AI and machine learning to analyse huge data sets in a bid to separate the good from the bad. The development of AI and machine learning will, of course, continue to impact this space, but must be done so with caution. It won’t answer all the challenges that will present themselves – criminals will have access to the same technologies we do and will also do all they can to use AI and machine learning to bypass protections.
What is your top cyber security best practice tip?
Rather simply, it would be not to only rely on email to conduct your business. The majority of email-based attacks are now perpetrated not through mass spam campaigns, but through extremely targeted, personalised and researched spoofing attempts. Account Takeover (ATO) and Business Email Compromise (BEC) attacks use these sophisticated tactics to bypass traditional email security tools. Where AI and machine learning are steadily separating the good emails from bad, there are ways to protect yourself entirely from being fooled. If a colleague, partner or client is asking for a payment, or for sensitive information, pick up the phone or walk to their desk to confirm that the request is legitimate. While security tools are becoming smarter and more robust every day, the best peace of mind comes from a holistic approach to security.
What changes can be made to create a more diverse technology workforce?
Many engineering teams use metaphors like “sports team” and “tribe” to describe their structure and culture. At Agari, we feel that the term “community” best describes the way we operate. We each bring our own unique skills, perspective, and contributions to the organisation, but we also rely on and expect support from each other. Since we believe that every vibrant community has a diversity of experiences, backgrounds, and opinions, during our recruiting and interview process, we not only evaluate the “new” that the candidate brings to the table, we also try to estimate how much they will share their learnings with others and contribute to the success of the community as a whole. We believe that optimising our hiring process to find engineers that enhance our community over solely looking for “rock star” individuals leads to a better outcome and a more diverse technology workforce.