A Self-Service Platform to Secure Small Businesses: CEO Stan Golubchik on ContraForce's Mission to Democratize Cybersecurity
Steve King • December 29, 2022 • 30 Minutes
Small companies should be able to have the same cybersecurity protection as larger companies, without having to know a great deal about the world of cyberattacks. That's why Stan Golubchik founded ContraForce, a company whose mission is to simplify security tools and provide small to medium-sized businesses with the ability to manage and improve their cyber resiliency without the need for expensive human resources and additional software. He says it answers the "need for a stronger generalist workforce for cybersecurity."
Golubchik says the ContraForce platform was built on a self-service model. "We see some very advanced and complex enterprise tooling systems that take a lot of professional services to implement, get optimized, and then manage for the lifetime of that software subscription. So we wanted to get customers away from that kind of management, and then just focus on the security outcomes and value."
In this episode of "Cybersecurity Unplugged," Golubchik discusses:
- How ContraForce integrates with Microsoft Office 365, which he says 9 in 10 small businesses use, to automate Microsoft security;
- The impact of ContraForce's acceptance by technology startup accelerator Y Combinator;
- His plans for global expansion and how the platform constitutes a democratization of cybersecurity.
Golubchik is the founder and CEO of ContraForce, a company whose mission is to simplify security tools.
Steve King: [00:13] Good day, everyone, this is Steve King. I'm the managing director at CyberTheory, and today's podcast is going to feature Stan Golubchik, who's the founder and CEO of ContraForce - a company whose mission is to simplify security tools and then aggregate the results of what goes on in the computing environment, to provide small to medium-sized businesses with the ability to manage and improve their cyber resiliency without the need for expensive human resources or even additional software. So ContraForce was created as a way to enable little guys to have the same cybersecurity protection as much larger companies without a great deal of knowledge about the cyberattack world, which we've all heard before. But I know it's different here. So Stan, could you explain how your platform works?
Stan Golubchik: [01:10] Steve, thanks for having me on. First of all, it's a privilege to be here. Being able to speak about this, as we think it's a big problem, as you alluded to, in the market today. This is something that, I think, a multitude of companies have hit their head against the wall for quite some time trying to be able to figure out this conundrum and this formula of how do you go and break into the small and medium business market, and build a solution that can scale and meet the demands of the market without losing your parents financially. So for us, the platform is driven through a self-service model. From a go-to-market business perspective, we built it where we wanted to ensure that customers could essentially self-service and we can use a product-led growth strategy. That was critical for us, because it allows us to be able to focus on valuable security content, security engineering and the customer success piece. We see some very advanced and complex enterprise tooling systems that take a lot of professional services to implement, get optimized, and then manage for the lifetime of that software subscription. So we wanted to get customers away from that kind of management, and then just focus on the security outcomes and value. So a customer can essentially onboard themselves in about 15 or 20 minutes; we made the integration with the existing controls we have integrated today, a lot of which are Microsoft, so that it can be done in a few clicks. Then that data in the threat intelligence and security visibility starts streaming into that customer's platform within about 20 or 30 minutes and will start showing them attacks that they may have not seen across their cloud environment, their network, endpoint, their identity providers, and even SaaS applications, because we know that customers are now going through an accelerated digital transformation. So we need to support that migration process and that journey that they are taking on.
So the platform will help give them that comprehensive 360 degree visibility of all those threats across their entire attack surface. Then very importantly, we also provide them context on how to respond and remediate. It's not just telling them what's going on or how to fix it, we give them the automation workflows to do those actions. That's important, because customers struggle with that piece.
King: [03:30] It sounds fantastic. You've gone after the 800-pound gorilla with Microsoft Office 365 customers initially. What about other tools and products that someone might want to integrate with ContraForce? What does that take in the way of technical skills to do that?
Golubchik: [03:55] You're right, Steve. Right now, we're focusing on customers that are utilizing Microsoft Office 365 and the 365 suite - eight to nine out of 10 customers in the small to medium business segment use that license suite and they get a lot of value. But the problem that we see is that they don't have an effective way to operationalize, be able to tune these tools and then comprehensively bring the data that these tools are generating into a unified, visible platform. That's where we come into play. Now inside the Microsoft stack, we have an API layer so we can integrate with a multitude of vendors today outside of Microsoft. Why we do play very well with Microsoft is because of the content and the integration simplicity. We still understand that customers have a multitude of tools and every customer is very unique, even in a small space. I think that's a big problem that's predicated and plagued the industry: when you go after the smaller customers, they're not turning over as much revenue for the business. But they always have a distributed stack, right? It's very heterogeneous; they might have vendors that are on the endpoint that are outside of Microsoft, different firewall vendors, and they might be multi-cloud. So you see this kind of mixed bag of technology and the problems still persist, which is they don't know how to get the proper intelligence out of these tools. That could be a multitude of reasons why, and then understanding when to respond and how to respond. So the tools we connect with are very agnostic. We're just trying to essentially help simplify the customer's investments that they have today, and focusing on not ripping and replacing, so it's not going to be as painful when they start stepping into more of a mature security program.
King: [05:45] Sounds great. As you know, I'm sure that there's this huge employment supply-demand problem in cybersecurity, whatever it is, 760,000 open positions, but it gets exacerbated if you're a small business, say, in Winslow, Arizona, or someplace where hiring and retaining experienced cybersecurity talent is a real chore. How necessary is it for your customers to have an experienced security team to get the most value out of ContraForce?
Golubchik: [06:25] That's a great question. So if you're in Winslow, Arizona, or you're from Dallas, Texas, that's where we're headquartered out of, it doesn't matter. You might be resource constrained, and you might not have local talent. For us, we knew that was critical to be able to enable teams that don't have security expertise. Like you mentioned, Steve, a big reason for that was the skill set and talent gap that we have that's pervasive. We understood that there is a need for a stronger generalist workforce for cybersecurity. We're moving that way. When we look at the cybersecurity workforce today, it's still relatively in its infancy and there are now more standardized certification processes, tools and resources that are being essentially propagated out there for people to use. It's reducing the barrier to entry to the market to be able to get a job in cyber. But we still know that's going to take time. We know that education piece, and I know you're a big proponent of that, is moving to flywheels gaining more and more speed and momentum. But in the meantime, we already have people that are in businesses that are IT professionals; they have a strong network knowledge, they have a strong IT operational knowledge. That's all they need to be able to get value out of ContraForce, because we want to simplify and abstract the complex nuances when you start thinking about security operations. That comes down to a few things, which is security alert triage, investigation, evidence gathering, and then building a conclusion on that investigation. Those are very complex, high-level tasks that typically take level three analysts and level two analysts. We wanted to abstract that and just give the conclusion immediately to the end user without them having to be an expert.
That's just by giving them plain English context of what's happening, the user's assets, the entities that are impacted, and then how do you respond to be able to essentially cut off that window for the bad actors, so they don't need a high level of skill set. We want to make sure that we can start to help bridge them into higher thinking when it comes to cybersecurity context and understanding how the threat actors are working.
King: [08:38] So you want to say, "hey, don't worry about what's going on underneath the covers here. We're taking care of it. Here's the simple English language version of what we've discovered."
Golubchik: [08:51] Yeah, that's a much more succinct way of saying it.
King: [08:55] It makes sense. You recently expanded into Africa. Why there? What's your strategy for international growth? Is that part of it?
Golubchik: [09:04] Yeah, honestly, that wasn't a focus for us. Like we weren't proactively going out and reaching to other continents. We knew that, from an initial go-to-market, the United States had plenty of opportunity, while still competitive. But we have partners coming out of the Sub-Saharan African region and Indian Ocean region coming to us and saying, "Look, we love what you guys are doing." We focused and made a 180 turn the past two quarters on the Microsoft story. When we did that, the resonating impact of that was pretty profound. Those partners coming out of Africa came to us saying, "Look, we see pretty much every business here using Microsoft, they don't know how to get the most value out of it. They are not keeping themselves secure. So we need help to essentially make that management automate. We need to scale it out, we need the expertise." They saw what we built from a product perspective. So they saw a good way to be able to journey toward these customers, tell them a story of how we can automate security operations, to use those tools they have today, because Microsoft has penetrated that continent, and be able to uplevel the security capabilities of the non-existent security experts in that space. So we were pleased and excited to see regions coming to us understanding the mission, the vision and the value for the customer, more importantly, and then bring that back over there. The nice thing with Microsoft and their existing distribution and channel partnership ecosystem is that they're already established there. While we've seen other vendors struggle getting into different regions, working on the backbone of the channel partner program that Microsoft has developed allows us to get into market internationally, effectively with very little friction. That's a nice thing to have. But down the road, we definitely want to expand this across many continents. We understand that this is a global problem.
This is not just domestic here in the United States. It's only going to get further exacerbated, especially as we see more of a dissolution of actual work from home and remote capabilities, and digitalization. So for us, I think this is going to be just the tip of the iceberg as we move forward.
King: [11:29] That's interesting. You mentioned education. We've got this initiative called Cybera.io, which we're launching this month. Some of our audience, generally speaking, is interested in how these careers get developed. So in terms of your career, before starting ContraForce, you started out in network engineering at a medical equipment company in Texas, and then moved into cloud security roles at McAfee and Armor. You had an undergraduate degree, I think, in business management and molecular biology, is that correct? How much of a benefit has that been to your career and if you had to do it all over again, what would you change?
Golubchik: [12:16] I don't know how much that translated over to cybersecurity. I was doing things like organic chemistry, very much on the pre-med side. The benefit of that, that might translate over to some degree, is just understanding system orientation from a biological to a computational side of things. You still have a pretty strong STEM background. So that did translate with math and some science. Now, if I were to do it again, would I go down that same path, if I knew I was going to continue to venture into cybersecurity? Probably not. I think there were other resources that I would take. There were definitely good learnings and education that I gained from it. But this is, I think, the beautiful thing, Steve, and, with your initiative that you're also launching, I think the education piece with cybersecurity, if people out there listening are looking to get into the space, there's no better time. I'm sure that people have heard that before. But I mean that. It's due to the fact that we have so many available resources at our fingertips. Even 15 years ago, if I had the same resources I have today to learn in cloud computing, which I know wasn't a thing back then at the scale that it is today, or infosec, and GRC - all these robust domains, it would be a different story. You and I would be talking about how I started this pathway back in the day. I think there's just an amazing opportunity to be able to capitalize and leverage such fantastic resources that we have available today. So I am also a big proponent of not looking back in the past and saying, "I'd like to do it differently." I like to just say, "Look, that happened for a reason and it was probably lessons learned to be able to understand, I won't go that path, or how I can do something a little bit more holistically."
I think there's still great learnings that exactly translate one to one in the field I have today, but there was definitely some indirect value that I pulled out of that overall process and education.
King: [14:22] I'm sure there isn't. One of the commonalities with STEM and molecular biology is that all of those fields of study are reliant upon an organizational structure. Within, it's very system-like, regardless of whether it's mathematics or what have you, and all of that, I'm sure, provides the background in terms of critical thinking that enables you to extrapolate the stuff that you need to understand how a network behaves, for example, and I personally think that the best cybersecurity guys have a background in network engineering, which I believe is because I think it's impossible to run a cybersecurity organization unless you understand what's going on in the network. So in any event, you got through Y Combinator, which was pretty amazing. I think that their acceptance rate is something like 1/10 of a percent in terms of folks that they allow into their accelerator. Do you attribute a lot of your success to that acceptance at Y Combinator?
Golubchik: [15:33] I do, and I'll be completely honest, initially, we were a little reluctant, because joining YC, when they first offered for us to join the cohort for the summer batch, I've told this to some people, and they were a little shocked. They go, "You guys were, like, deliberating," and I'm like, "Well, yeah," because what we did is we took a step back and said, "Look, Y Combinator is amazing at what they do, they have the track record that proves that they know how to be successful with most of the companies they work with." But when we looked at their portfolio of companies they worked with, cybersecurity wasn't exactly their strong point. But we knew that we had to take a little bit of a different approach. We needed to be unorthodox, we needed to look outside the box. That's where I think we got a tremendous amount of value from YC. Because the way they look at things, it's from a ground level perspective of building what people want. Then you start to reverse engineer from that. It allows you to look externally inward and say, "I need to be true to understand the true pain points," and in building product, the companies that YC works with build some of the best products in the world. So we wanted to use that as a great platform to be able to learn from others that have been successful: how do we build a new market potentially? How do you build something that is disruptive in the market and start to challenge the things that have been done in a legacy, traditional way? With that mindset, I think, we not only gelled with that very well and we worked with those group partners in the YC community, but it allowed us to even be pushed further and think further outside the box. I think that's what we need, given the fact that cybersecurity is trying to chase a silver bullet, which we know does not exist. You're always trying to build the next tool that's going to maybe edge out the adversary.
There's a reason why some of these very distinct and difficult problems and market segments haven't been tackled in cybersecurity. I honestly think it's because these companies today that have been trying to tackle the problem, or the ones in the past, have been doing it in a very traditional sense. As an example, if you're like a traditional managed security service provider, you can't go after that market; you're not going to become profitable, you're not going to make revenue, you're going to die on the vine. So YC starts to change and dissolve the way in which you think about looking at customer problems, understanding pain points and challenges. It was a nice way to be able to challenge that process. At the end of it, we came out for the better with a new outlook on building a company and a product that we knew people would gravitate towards. Of course, we needed a little bit more time and investment at that point in juncture, but overall, I think it was a great process, and it teamed us up nicely for our next VC round that was led by DataTribe. So that happened three months after we finished with YC. We definitely, I think, attribute a lot of that success to working with that group and team there. So it was a great experience overall.
King: [18:46] I'm sure it's probably also a little bit like the Ivy League looks at feeder schools, too, where if you are coming out of YC, then that's a stamp of approval that you've gotten a solid boot camp training. That's always nice. When we look around the space, I think we're on the verge of having lots of serious mental health issues around the CISO role today. As a former CIO, I'm glad I'm not in that seat today, because when I did it, it was far less complex than it is today. If you can scale what you do, you have the Holy Grail. What parts of that, which you do today for that little company wherever, Dallas, how can that be leveraged into useful solutions for maybe not JP Morgan Chase, but larger companies that have multiple branch offices?
Golubchik: [19:45] That's a fantastic question. I still work and talk with a lot of CISOs on a weekly basis. Like you said, it's unfortunate, we're seeing legal issues that are causing CISOs to take a step back and say, how much liability can I redact from my involvement and my engagement with an organization? I had lunch with a CISO this past Friday, and he is leaving his organization as a full-time CISO; he's now taking on just fractional CISO work, as it helps him put a layer between him and that organization from a liability perspective, because he can essentially be on his own terms and contracts. I think we're going to see more of that, I think we're going to see people understanding that the risk isn't worth their mental sanity, it's not worth the financial risk or the legal risk. So they're going to kind of work on that peripheral aspect of the business in a sense. I think the way we can help them down the road is by working downstream. Supply chain issues are becoming more of an issue. We know that we have a rapidly growing, digitalized economy. So how do we ensure that we can provide every single organization, from 10 employees up to 500 and beyond, that they are secure? So when they go work in the supply chain, and they are working through distributed data, and potentially sharing infrastructure, making sure they're secure and they're not essentially a backdoor for a threat actor to get up into a large enterprise organization. So we're seeing the uptake and adoption of software bill of materials solutions, we're seeing supply chain risk management solutions. I think that's where we play well, is being able to accumulate all this intelligence that's hive-like community intelligence, where we can see a profile of a small business with a specific tool stack, and then helping that intelligence be shared with a similar company, maybe in a different vertical, but one that has a similar risk profile.
By going down that kind of thought process, we can start to map and understand the risk for each one of these companies as we go and help them work with larger enterprises. The enterprises are, I think, going to start shifting and stop asking, "Hey, I need to see a SOC 2 audit, or ISO 27001 certification." Those compliance standards are great baselines. But compliance is the outcome of security. So for us, we want to focus on the hard pieces - securing the internal sensitive data and infrastructure of these small, medium businesses, as they start to handle and become the custodian of the data of these large enterprises, which, at the end of it, hopefully, will help the CISOs manage the risk at a more comprehensive level when they're working with hundreds to thousands of the smaller businesses, and not knowing if they're secure and whether they pose a risk or not. So we're working from a bottom-up approach. I think over time, we are focusing on giving the CISO confidence that these companies pose this risk, and then they need to make the decision if that's within their risk appetite. So I think the data that we are accumulating today, and that we will continue to do so in the future, will be very well served to help those CISOs rest a little better at night.
King: [23:13] That would be terrific. Your comment about liability is very current as well, because of the Joe Sullivan case, followed up a few days later in terms of sentencing anyway, and the motion to set aside in the Drizly situation. I'm not sure either of those are going to be able to withstand a legal challenge. But if we might characterize your business model with a headline like "democratizing cybersecurity has finally arrived," I get the impression that you're seriously mission driven, though. What is your immediate and longer term goal? Where do you expect to be in five years or something?
Golubchik: [24:19] That's spot on, Steve. I have always been more of a very mission-oriented and driven individual. I think that's just a necessity. That's how I was raised, and I grew up given a lot of opportunity in a place that was foreign for my family. When we came here from overseas, I think that mission of being able to come and have an opportunity to be able to do something better and give back and be able to provide profound value to others is something that's been ingrained in me for a while, and with ContraForce, it was no different. It was being able to go after a dream, build a company, and then give value to people and companies and businesses, and that's what we drive towards. When we talk about democratizing cybersecurity, sometimes I get head scratches and sideways looks. They're like, "What the hell does that mean?" That is, I think, very much the long-term vision goal. The way I look at it from a long-term perspective is that I believe it needs to be a utility. Today, we're seeing cybersecurity as the fifth dimension of warfare. We're seeing it also as a very disruptive but yet also as an innovative, productive leverage point that we can utilize in every single business. So it's up to us to take a utility like that and harness it in a way for a productive good across the masses, and make sure that we have a safe and civil society to be able to do what we need to without critical infrastructure being disrupted, and critical infrastructure goes beyond just OT, IoT. It goes into small medium businesses. 50% of these businesses are constantly being bombarded, breached, down in six months and out of business; that is going to have economic disruption. So that's the long-term goal, to be able to provide it as a utility, where any business can turn it on, and it's almost default on, right. And that's, I think, critical for them.
Then from a short-term perspective, we want to be able to focus on telling a simple message on some of these profound vendors that are building tools. I'll give you an example, with Microsoft, and we've talked about that. Microsoft - we know this, especially in the cybersecurity space, we've been around long enough, it's not always everyone's favorite vendor when it comes to security. We understand why; maybe somebody can point out the vulnerabilities, and Patch Tuesday, etc. But we know that they still have massive intelligence, they have massive R&D, and they put investment into it, they care about it. I think all the cloud vendors out there are doing the same thing in their own right in their own niche. So we want to be able to focus on that in the near term to make sure that we can capture that market, but more so support those customers that are struggling around being able to secure that stack. So we will be prescriptive on picking the stacks as we grow and expand, and every vendor stack is a new framework for us. It's almost like building a new compliance attestation tool, but we're doing it around cybersecurity readiness and resilience, and starting with one stack, and we'll keep essentially hitting every single domino until we get all those rows knocked over and go towards that long-term vision around the democratization of it.
King: [27:40] What is Windows up to, 50 million lines of code now or something? As much as we criticize Microsoft for having the mother of all Trojan horses in Active Directory, and that seems like it's never going to end, it just keeps going on and on and on. However, if you had a product that was virtually impossible to figure out, how all of the dots connect internally, what would you do? So I cut them some slack. But you're right. It's a challenging world we live in. But it gives you a tremendous opportunity to scale your product up and be very successful, as you have so far been. So that's great. Stan, I want to thank you for spending the time that you have with us this morning. It's been educational and entertaining for me. I hope that that's true for our audience as well. I appreciate you taking the time.
Golubchik: [28:48] No, Steve, it's been a pleasure. Thanks for the fantastic questions. Always appreciate your thought leadership and how you look at the industry as well too. It's very pragmatic, but also very aware. It's always nice talking to you. Thanks again, for having me.
King: [29:00] It's very nice of you to say that. We should reconvene in six or nine months to see where things have gone. I'll ping you around that timeframe. We can do it again.
Golubchik: [29:13] Yeah, I'd love to.
King: [29:16] Thanks again, Stan, and ContraForce, and thanks to our audience for taking time out of their day; I hope you found it entertaining as well. Folks, this is Steve King, until next time, signing off.