RSA Innovation Sandbox Finalist: Harmonic Security with CEO, Alastair Paterson

[00:00:00] Hey, it's Andrew. And just quickly before we start this episode, I want to tell you about one of my

[00:00:04] favorite podcasts is the Bare Knuckles and Brass Tax podcast. Not only does it have a great name,

[00:00:11] it also has a really good format that's interesting. The two hosts are both named

[00:00:15] George. That's not what's interesting about it. It's that George K is on the vendor side

[00:00:21] and George A is a CISO on the customer side. And they have real conversations, sometimes with

[00:00:26] guests about the world of vendor customer interactions. They're not afraid to call out

[00:00:32] bad behavior on both sides and talk about the weird and wonderful nature of this world of ours

[00:00:37] in cybersecurity. Recent favors of mine are the one about building trust called taking a

[00:00:43] flamethrower to FOD and buzzword mumbo jumbo. And also the one with someone who's a field

[00:00:48] CISO and advisor to startups called how security buyers think and go-to-market

[00:00:53] strategies for young companies. I'm not getting paid for this promo. I just really enjoy the show

[00:00:58] that two George's put on. Check it out. It's the Bare Knuckles and Brass Tax podcast. Now on with this episode.

[00:01:15] Welcome to the Cybersecurity Go-To-Market podcast for a special showcase episode where

[00:01:20] we're talking to leaders of the company selected for the 2024 RSA Conference Innovation

[00:01:26] Sandbox. These are the very, very few, in fact 10 companies out of hundreds if not over a thousand

[00:01:33] people who entered who got selected by judges as having, as being the most innovative startups

[00:01:38] in cybersecurity today. I am your host Andrew Monaghan and today we're talking with Alistair Patterson,

[00:01:43] co-founder and CEO at Harmonic Security. Alistair, welcome to the podcast.

[00:01:48] Great to be here, Andrew. Thanks for having me.

[00:01:51] I'm looking forward to our conversation, Alistair. You are now a multi-time cybersecurity

[00:01:56] entrepreneur. You built, co-founded, ran with CEO of Digital Shadows which was sold to ReliaQuest,

[00:02:04] what? A couple of years ago now, three or four years ago now, is that right?

[00:02:07] Not even that long. Yeah, it's actually only July of 22. So relatively recent.

[00:02:12] Less than two years.

[00:02:13] Yeah, great run and thank you. It's a great company.

[00:02:17] Congrats on that whole run and that was incubated well and run and built up over time. You did it

[00:02:23] with your co-founder Brian who's your co-founder at Harmonic as well. I just love that you guys

[00:02:28] have worked together on two or three entities over the years.

[00:02:32] Yeah, we get back a long way probably around 20 years at this point. So yeah, he's always

[00:02:38] been an important part of what we've been able to achieve as a company last time around

[00:02:42] and obviously he's the heart of it again this time as CTO.

[00:02:46] The sharper listeners will have picked up that you're a fellow Brit like me. I'm obviously from

[00:02:52] Scotland. You were born and bred in England, is that right?

[00:02:55] Yeah, I grew up just north of London, a little town called Aylesbury in Buckinghamshire

[00:03:00] which is famous for not very much but yeah, it was a great place to leave and

[00:03:06] go elsewhere but yeah, no, I've been in the US now nine years but you wouldn't

[00:03:10] know it. I think I spend enough time talking to British people still that

[00:03:13] the accent has stayed intact.

[00:03:14] Yeah, I lost my accent very early on in the process. I don't know exactly why but I did

[00:03:20] but you've held onto yours quite nicely so congrats on that as well.

[00:03:24] Thank you.

[00:03:25] All right, so we sort of answered the first one a little bit but where in the world did

[00:03:29] you have your first sandbox, Alistair? Yeah, absolutely. I mean, I started out in

[00:03:34] the UK and I grew up there and also I started out working there too. Originally,

[00:03:40] there's a British company, Detica that has spawned a lot of actually other

[00:03:45] cybersecurity startups in the industry including, you know, QuantX here and

[00:03:48] Garrison and Tannas here and a few others but Digital Shadows was one of

[00:03:52] the first if not the first to come out of there and that was a great one for

[00:03:57] us as you mentioned over 11 years or so but yeah, that was really what took

[00:04:03] me to the US. I've been in the US since we did the Series A at Digital

[00:04:06] Shadows in 2015 and living in Silicon Valley ever since then.

[00:04:10] And what's the story of the founding of Harmonic?

[00:04:14] Yes, you mentioned my co-founder is the same CTO as last time, Brian. So

[00:04:20] Brian and I, in building Digital Shadows, it was really interesting to

[00:04:23] us. So for those who don't know, Digital Shadows was one of the leaders

[00:04:26] in the threat intel space and one of the things we did was look at all

[00:04:30] of the sensitive data that had leaked out of companies on the open internet

[00:04:34] and we were finding billions of records every week that were leaking out all

[00:04:38] types of sensitive data. So we'd already, you know, we've been

[00:04:40] discussing, you know, there's something not working very well in the data

[00:04:43] protection side of the house here and there's probably a company to do one

[00:04:46] day on that side of the house but then I think really the

[00:04:50] genesis came from ChatGPT coming out in this generative AI wave that

[00:04:54] shined a light again on data protection and we'll maybe come back

[00:04:58] to that a little bit later and what sort of problem we've decided to

[00:05:02] solve. But that was really, you know, those sort of seeds coming together

[00:05:05] was the start of the story.

[00:05:06] And was there a genesis moment where you were sitting there in the

[00:05:10] Keyser pub talking about this and just came to you that this is what

[00:05:13] to do or you run a campfire somewhere? What happened?

[00:05:16] Yeah, it's funny. I mean, just going back on Harmonic itself

[00:05:20] as a name, so there's sort of a couple of aspects to this. So

[00:05:24] when we're thinking of doing something new, we were thinking of

[00:05:27] fun company names and if you go far enough back, Brian and I

[00:05:31] actually played in a band together, so in our 20s. And so we

[00:05:35] started thinking, well, you know, it'd be pretty good to have a

[00:05:37] musical name of some sort. And we were actually in a place in

[00:05:41] San Francisco, Harmonic Brewing when we were discussing the

[00:05:45] company. So it isn't officially named after the brewery but

[00:05:48] we are actually having our RSA drinks in that brewery on

[00:05:51] Wednesday night of RSA. So I hope to see some people there

[00:05:55] and certainly a couple of their IPAs and a good discussion

[00:05:58] with part of their foundation for Harmonic Security this time

[00:06:01] around.

[00:06:01] Oh, I love that. I love that. Is that near the Moscone or are

[00:06:04] you taking people elsewhere around the city for a Sights

[00:06:07] and Sounds tour?

[00:06:08] It's walkable or less than five minutes in a car probably

[00:06:12] from there. So yeah, anyone who's interested to go to our

[00:06:14] website and drop us a note, we'll get you signed up.

[00:06:18] Love it. All right, let's talk about the problem then.

[00:06:20] What is the exact problem that you're looking to solve

[00:06:22] and who in an enterprise or a company that might buy it

[00:06:25] would care about this?

[00:06:26] Yeah, great question. I mean, I think as I mentioned, the

[00:06:29] start of this was really already thinking about huge

[00:06:32] issues in data protection and secondly seeing this just

[00:06:35] spotlight being put on it by the advent of this new

[00:06:38] gen.ai era because I think we've always had these

[00:06:42] challenges of sensitive data getting out of organizations

[00:06:45] and there's been a shadow IT issue. I think with the

[00:06:49] advent of these gen.ai tools, hugely positive of

[00:06:52] course, but the number one issue that we see in

[00:06:55] companies right now in terms of adopting gen.ai is

[00:06:57] concern for their data privacy and security because

[00:07:00] you suddenly got information, often really important IP

[00:07:04] and customer data and so on leaving the enterprise

[00:07:06] and going into these third party applications, some

[00:07:09] of which may be training on the data that's put

[00:07:11] into them according to their own declarations

[00:07:14] and some of them are obviously very early stage

[00:07:17] startups and companies that may not have much of a

[00:07:19] security policy that are now handling a lot of

[00:07:21] sensitive data. So in some respects, it's not really

[00:07:24] a new set of risks, but it's certainly putting a

[00:07:26] spotlight on those existing set of risks and the

[00:07:28] challenge is that the existing set of tools is

[00:07:30] just not up to the task. I mean we've spent 20

[00:07:33] years regex matching on social security numbers and

[00:07:36] credit cards trying to find sensitive data and

[00:07:38] I mean it's false positives everywhere and it's

[00:07:41] just looking at a tiny subset of what's actually

[00:07:44] sensitive about a company's data and it isn't able

[00:07:46] to identify much higher level concepts that

[00:07:50] companies care about in their IP and you know

[00:07:52] whether it's code or it's you know it's customer

[00:07:55] data and other types of information you can't just

[00:07:57] match simply on. So that's like solution one and

[00:08:01] the other approach the industry has been going

[00:08:03] with and polishing over the last few years is you

[00:08:05] know labeling and classifying all of your data

[00:08:07] and I think there's very few CSAs I speak to

[00:08:09] that relish the opportunity to do that. It tends

[00:08:12] to be a you know very challenging exercise to

[00:08:14] try and identify even where all your data is

[00:08:16] let alone label and classify it all and even if

[00:08:19] you did, it's going to be pretty tough to you

[00:08:21] know that alone won't spot bits of that information

[00:08:23] being copied into prompts or emails ultimately and

[00:08:27] other things like that. So we felt like there was

[00:08:29] room for something new like a completely different

[00:08:32] approach to solving this set of problems.

[00:08:34] You know the someone who used to sell DLP

[00:08:38] solutions back in the day, the dirty little

[00:08:40] secret about them is that very few were

[00:08:42] preventing and most people were just monitoring

[00:08:45] because it wasn't that confidence in the

[00:08:47] classification identification and then the policies

[00:08:50] to go with it and they sure as heck didn't want

[00:08:52] to block something which was mission critical or

[00:08:54] was related to a CFO trying to do his job.

[00:08:57] Yeah, it's sadly become a compliance tick box

[00:09:00] you know it's sort of running in the corner

[00:09:01] on this tiny subset of data is tuned to not

[00:09:04] really find anything great you know we can

[00:09:06] tick the box that we've got it but actually

[00:09:07] if you actually care about your data it's

[00:09:09] probably not a measure you're looking to deploy.

[00:09:11] So what is the big innovation Alistair in

[00:09:14] this whole world that you're talking about there

[00:09:15] that you say that's why we were selected for

[00:09:18] the sandbox?

[00:09:19] Yeah, I mean the first thing that we do at

[00:09:21] Harmonic is the straightforward bit which is

[00:09:23] really giving you visibility into AI adoption

[00:09:26] across the enterprise so which applications

[00:09:29] and models are in use and you know there's

[00:09:32] a positive in that right we want to be

[00:09:33] enabling the business to solve the problems

[00:09:36] that it needs to with AI but you also want

[00:09:39] to obviously identify the ones that are high

[00:09:40] risk and potentially are going to train on the

[00:09:42] data that's put into them and cause otherwise

[00:09:45] cause data protection concerns.

[00:09:46] So we you know we cover all of that and not

[00:09:48] just for the existing set of sort of new AI

[00:09:52] apps but existing SaaS apps that are

[00:09:55] deploying AI as part of the stack which

[00:09:57] pretty much every enterprise app is doing

[00:09:59] right now so we're covering all of those

[00:10:01] apps and a number of them are changing

[00:10:03] their terms and conditions now because of

[00:10:05] AI rollout so there's a really interesting

[00:10:08] challenge in vendor risk management around

[00:10:09] that so that that's like the part one but

[00:10:11] the really sort of innovative thing that

[00:10:13] we're doing is that we're building our own

[00:10:16] pre-trained data protection models to

[00:10:20] identify sensitive data way better than

[00:10:22] anything's done before. We're using a

[00:10:25] mixture of experts approach we have a

[00:10:26] combination of different models that are

[00:10:28] fantastic at spotting different types of

[00:10:30] sensitive data in the same way that a

[00:10:31] human would and you can imagine it as if

[00:10:33] you know it's like having a human

[00:10:35] looking at every piece of data going

[00:10:37] out of the business and be able to

[00:10:38] make a human-like judgment about what is

[00:10:40] and isn't sensitive and the really cool

[00:10:42] thing is you can configure us in the

[00:10:44] same way you would talk to a human

[00:10:45] about what matters to the business so

[00:10:47] you could be an investment firm and you

[00:10:49] can configure harmonic by saying well

[00:10:50] look I care about my investment committee

[00:10:52] memos and so and I don't want any of

[00:10:55] those leaking out and our models

[00:10:58] actually understand what an investment

[00:10:59] committee is they know what a memo is

[00:11:00] they know they know they don't have

[00:11:02] to have seen or been trained on your

[00:11:03] data and your memories to to know

[00:11:05] what one is when they see one just

[00:11:07] like you'd be able to or I would be

[00:11:08] able to spot those things for any

[00:11:10] company so the beauty is that we can

[00:11:12] you know without any complicated rules

[00:11:14] being set up or any you know having to

[00:11:15] train on your data or do anything like

[00:11:17] that we can actually identify what

[00:11:18] matters to you in terms of sensitive

[00:11:20] data leaving the business in a way

[00:11:22] that's just not been possible before

[00:11:24] so that's sort of core innovation

[00:11:25] and the reason we've been able to do

[00:11:27] this so well is really knowledge of

[00:11:28] previously leaked information it's the

[00:11:30] sort of os and thread intel

[00:11:32] background that we've got that gives

[00:11:33] us knowledge about how to build

[00:11:35] realistic training data sets that we

[00:11:37] can build and structure these models

[00:11:38] on top of so we have a bit of an

[00:11:39] unfair advantage with that thread

[00:11:41] intel background and the final thing

[00:11:43] that we do is that having identified

[00:11:45] something sensitive you're probably

[00:11:46] you know familiar having rolled out the

[00:11:48] lp that there tends to be a whole bunch

[00:11:49] of incidents they get fired at the

[00:11:50] security team you know it goes beep

[00:11:52] the security team have to go and look

[00:11:54] at it and figure out if it's

[00:11:54] something interesting or not and why it

[00:11:56] went beep and and it's usually oh

[00:11:59] great it was turns out mexican

[00:12:00] driving licenses looked like us

[00:12:02] social security numbers and you know

[00:12:03] if you had any kind of human

[00:12:04] contacts you'd know to ignore it

[00:12:06] straight away but but of course the

[00:12:08] systems don't you know are not smart

[00:12:09] enough to do that so the beauty of

[00:12:11] the harmonic approach i mean number

[00:12:12] one of course we're looking at this in

[00:12:14] a much more sophisticated way so when we

[00:12:16] find something it really is something

[00:12:18] of interest but beyond that we also

[00:12:19] know why we matched it you know we

[00:12:21] know that it's to do with an

[00:12:23] investment committee memo in my

[00:12:24] example some other piece of

[00:12:25] sensitive information and we have that

[00:12:28] that context we pull in identity

[00:12:29] information to help make good

[00:12:31] judgments about that too

[00:12:32] but that that allows us to then

[00:12:33] instead of fire the results of the

[00:12:35] security team we actually go to the

[00:12:36] end users directly and we can coach

[00:12:38] them in the right direction and say

[00:12:40] oh you know it looks like you're

[00:12:41] sending some PII out of the country to a

[00:12:45] you know a non-GDPR location or

[00:12:47] something like that if you have

[00:12:48] European customer data

[00:12:49] and the employee can say well actually

[00:12:51] this is this is perfectly

[00:12:53] fine in this case because i'm closing

[00:12:54] some business out there i need to send

[00:12:56] this proposal out it turns out it's

[00:12:58] it's valid loop in their boss on

[00:13:00] slack or teams who approves it

[00:13:02] and then the whole thing gets

[00:13:03] audited and logged and and goes

[00:13:05] through without the friction that

[00:13:06] you typically have of

[00:13:07] one leading the security team into

[00:13:09] blocking the end user

[00:13:10] so instead of this sort of once a year

[00:13:12] security awareness training we're

[00:13:13] actually effectively coaching users in

[00:13:15] the right direction on the job

[00:13:16] because most of them are you know

[00:13:17] they they obviously mean well and

[00:13:18] they're trying to just trying to get

[00:13:19] their job done and they don't want

[00:13:21] to get blocked by

[00:13:22] security in doing that so we're

[00:13:24] trying to be an enabler for this

[00:13:25] new AI revolution as a result

[00:13:27] and who are you finding is the main

[00:13:29] buyer of this because it touches lots

[00:13:31] of different groups inside

[00:13:32] inside an organization i would imagine

[00:13:34] yeah i mean it is interesting we're

[00:13:36] seeing um you know every

[00:13:38] organization is looking at AI right

[00:13:39] now of course and a lot of them

[00:13:40] are building steering committees and

[00:13:42] groups to look at it

[00:13:43] uh security is is usually a

[00:13:45] stakeholder and sometimes even runs and

[00:13:47] chairs those those groups but there's

[00:13:49] other other people involved whether

[00:13:50] it's compliance legal

[00:13:52] uh you know cto's office and so on

[00:13:54] um but typically we are selling to

[00:13:56] the security team and the cso

[00:13:59] initially because they tend to get

[00:14:00] given uh you know the task of

[00:14:02] actually solving

[00:14:03] the problems that are being thrown up

[00:14:05] here and deploying the right type of

[00:14:06] tooling and visibility

[00:14:08] so we help them get their arms

[00:14:09] around this problem with the

[00:14:10] visibility and then implement the

[00:14:11] right controls with the

[00:14:13] the gen ai models we're building for

[00:14:15] data protection so

[00:14:16] that's usually the the buyer center

[00:14:17] and it's the cso's team

[00:14:19] um the types of companies that are

[00:14:20] interested they tend to be the ones

[00:14:21] that are a little more

[00:14:22] forward leaning into AI so they're

[00:14:24] looking you know they're accelerating

[00:14:25] their their adoption but they they

[00:14:27] have sensitive data they're

[00:14:28] worrying about

[00:14:29] so they're fairly mature from a

[00:14:30] security perspective they don't want

[00:14:32] sensitive data

[00:14:33] leaking out but they want to lean

[00:14:34] into this AI revolution

[00:14:36] um right now we're not we're not

[00:14:37] necessarily trying to displace

[00:14:39] existing

[00:14:39] technologies we may we may go ahead and

[00:14:41] do that over time but right now we're

[00:14:43] looking for

[00:14:43] the the types of buyers that are

[00:14:45] early adopters and and are leaning

[00:14:47] into this wave and

[00:14:48] prepared to to look at something new

[00:14:50] in a totally different approach like

[00:14:51] harmonic

[00:14:52] and going back to what you're

[00:14:53] saying about accuracy have you been

[00:14:55] able to gather some data about how

[00:14:56] more accurate your way is versus the

[00:14:58] old regex

[00:14:59] kind of base based way yeah i i

[00:15:02] think so i i don't have any sort

[00:15:04] of stats to hand here but but i

[00:15:05] would say

[00:15:06] it's it's not only the accuracy

[00:15:07] piece which is hugely important but

[00:15:09] but it's the fact that we can open the

[00:15:11] aperture on what we can see

[00:15:13] way wider right so if you're the

[00:15:14] average enterprise and you've got d l

[00:15:16] p rolled out you're probably

[00:15:17] tracking a very small number of

[00:15:19] nicely typed

[00:15:20] date pieces of data that you can

[00:15:21] spot but you're not looking at you

[00:15:23] know your corporate strategy

[00:15:24] documents and hr and

[00:15:26] you know and m&a information and deal

[00:15:30] documents or

[00:15:31] you know one of our design

[00:15:32] partners for example is a lithium ion

[00:15:34] battery technology company

[00:15:36] so their ip is critical and anything to

[00:15:38] do with that

[00:15:39] going out is a major problem and you

[00:15:41] think about what the existing

[00:15:43] types of data protection technology

[00:15:44] offer you in trying to

[00:15:45] stop that that information leaving is

[00:15:47] pretty minimal right you can't

[00:15:49] nicely key off anything in that data

[00:15:51] but but of course

[00:15:52] in our case harmonic actually

[00:15:54] understands the concept of lithium ion

[00:15:56] battery

[00:15:56] you can write some very plain english

[00:15:58] ways of describing what you care

[00:16:00] about

[00:16:00] and then we can spot that on the

[00:16:01] way out in a way that

[00:16:03] nothing else could before so it is yes

[00:16:05] partly an accuracy leap because we're

[00:16:07] looking at it like a human word and

[00:16:08] we're not going to start throwing all

[00:16:10] these

[00:16:10] false positives over but the bigger

[00:16:12] piece is probably that we're actually a

[00:16:13] strategic

[00:16:13] tool here we can actually spot the

[00:16:15] things you care about not just the

[00:16:17] the sort of compliance tick box

[00:16:18] pieces got it all right what are your

[00:16:21] big plans for 2024

[00:16:23] yeah we're sort of exciting news for

[00:16:25] us is is we're just getting ready

[00:16:27] with the sort of general

[00:16:28] availability of harmonic we've been

[00:16:29] working with design partners

[00:16:31] who've been live since january on on

[00:16:33] the platform where we've been

[00:16:35] honing the product since then we've

[00:16:36] taken a very

[00:16:37] you know i guess customer first

[00:16:39] approach of just as soon as we had

[00:16:41] something we could push live we

[00:16:42] we went and took it to to the cso's

[00:16:45] and went live

[00:16:46] we've had over 50 cso conversations

[00:16:48] before we even

[00:16:49] started writing the code and building

[00:16:51] anything to make sure that we're

[00:16:52] building in the right way so

[00:16:53] in terms of if this year the goal

[00:16:55] is now getting from that design

[00:16:56] partner stage where we are today

[00:16:58] to to the point where we were at ga

[00:17:00] which is

[00:17:01] weeks away not months and then from

[00:17:04] there we'll be obviously bringing

[00:17:06] more and more customers on board and

[00:17:08] building out the platform more broadly

[00:17:10] than it is today cut and you

[00:17:12] mentioned the event you have during

[00:17:14] rsa what else do you have

[00:17:15] on during that week yeah i mean like

[00:17:18] everyone else i'll be pretty busy

[00:17:20] hanging out with

[00:17:21] with everyone being in town here yeah

[00:17:23] we've got a we've got a meeting

[00:17:25] room in in the mosconi on

[00:17:27] on the wednesday on the tuesday i've

[00:17:29] got the lucky to have some

[00:17:30] fantastic seed investors at 10 11 who

[00:17:32] are hosting us in a

[00:17:34] space next to the the mosconi as well

[00:17:36] on the tuesday so

[00:17:38] beyond that i'll probably be in the

[00:17:39] lobby of the four seasons with

[00:17:40] everyone else for a chunk of the show

[00:17:41] or or at the bar you know certainly

[00:17:43] harmonic brewing on the wednesday

[00:17:45] night

[00:17:45] yeah i love that and they can go to

[00:17:47] your website to sign up for the

[00:17:48] the brewing night

[00:17:50] that's right yeah anyone feel free

[00:17:51] to fill in the form on there and

[00:17:53] we'll look back to you imminently and

[00:17:55] if you'd like to find out more about

[00:17:56] harmonic you can request the demo

[00:17:58] as well

[00:17:58] that's awesome well listen that's a

[00:18:00] luck for the sandbox competition

[00:18:02] itself and of course

[00:18:03] you know for the rest of the year and

[00:18:04] beyond looking forward to seeing your

[00:18:06] success

[00:18:07] thanks and real pleasure catching up

[00:18:09] with you today

[00:18:22] it will mean a lot to me and to the

[00:18:24] continued growth of the show

[00:18:25] if you'd help get the word out so

[00:18:28] how do you do that easily there are

[00:18:29] two ways

[00:18:30] firstly just simply send a link to a

[00:18:33] friend

[00:18:34] send a link to the show to this

[00:18:35] episode

[00:18:37] you can email it text it slack it

[00:18:39] whatever works for you

[00:18:40] and it's easy for you the second

[00:18:42] way is to leave a super quick

[00:18:44] rating and sometimes that can seem

[00:18:46] complicated so i've made it as easy

[00:18:47] for you as i can

[00:18:49] you simply have to go to rate this

[00:18:51] podcast dot com slash cyber

[00:18:55] that's rate this podcast dot com

[00:18:57] slash cyber

[00:18:58] and explains exactly how to do it

[00:19:00] either of these ways will take you

[00:19:02] less than 30 seconds to do

[00:19:04] and it will mean the world to me so

[00:19:05] thank you