Redefining CyberSecurity

Staying Ahead of the Curve: Leapfrogging Through Growth in Cybersecurity | A Cymulate Brand Story with Ben Fitzpatrick

Episode Summary

In this Brand Story episode, hosts Marco Ciappelli and Sean Martin talk with Ben Fitzpatrick from Cymulate about innovative cybersecurity strategies, focusing on continuous monitoring, risk prioritization, and effective response mechanisms as Cymulate expands into additional markets.

Episode Notes

In this Brand Story episode, hosts Marco Ciappelli and Sean Martin engage in a thought-provoking conversation with Ben Fitzpatrick from Cymulate. The discussion explores the innovative approaches to cybersecurity that can help regions advance beyond their current situation.

Fitzpatrick shares his insights on the lifecycle of security and technology, emphasizing the critical role of continuous monitoring and understanding the attack path for staying ahead of potential threats. He elaborates on Cymulate's use of cutting-edge tools and methods like automation, AI, and TTP to simulate high-level intrusion attacks without causing damage, providing a non-disruptive method for businesses to validate their security controls.

An important aspect of the conversation revolves around risk prioritization. Fitzpatrick expresses the necessity for businesses, particularly CISOs, to conduct regular—even continuous—testing of all components of their infrastructure and applications. This approach allows for a comprehensive understanding of potential risks and the ability to prioritize their mitigation.

Fitzpatrick also digs into the concept of response. He asserts that many companies are only at the cusp of realizing its significance in their cybersecurity strategy. He underscores the need to stay ahead of the curve, tackling the most important threats and adversaries, and minimizing the risk window.

The episode concludes with Fitzpatrick discussing Cymulate's role in helping businesses understand their most critical threats and adversaries, and how they can best respond to them. He emphasizes that Cymulate is not just about ticking boxes; it's about understanding the business, managing risks, and staying ahead of the curve. This episode promises to offer listeners a unique perspective on proactive, intelligent cybersecurity strategies and their role in business resilience.

Note: This story contains promotional content. Learn more: https://www.itspmagazine.com/their-story

Guest: Ben Fitzpatrick, VP of Sales, Asia Pacific (APAC)

On LinkedIn | https://www.linkedin.com/in/befitzpatrick/

Resources

Cymulate Expands Sales Leadership Team to Drive Growth in EMEA & APAC Global Markets: https://cymulate.com/news/cymulate-expands-sales-leadership-team-to-drive-growth-in-emea-apac-global-markets/

Security Analytics for Continuous Threat Exposure Management: Making Better IT Decisions Through the Lens of an Attacker | A Brand Story from Infosecurity Europe 2023, London, England | A Cymulate Story with Nir Loya: https://redefining-cybersecurity.simplecast.com/episodes/security-analytics-for-continuous-threat-exposure-management-making-better-it-decisions-through-the-lens-of-an-attacker-a-company-briefing-from-infosecurity-europe-2023-london-england-a-cymulate-company-briefing-story-with-nir-loya

____________________________

Catch more stories from Cymulate: https://itspm.ag/cymulate-ltd--s2k4

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:

https://www.itspmagazine.com/redefining-cybersecurity-podcast

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

[00:00:00] Sean Martin: Marco,  
 

[00:00:01] Marco Ciappelli: Sean,  
 

[00:00:02] Sean Martin: it's uh, it's a long journey where we're headed to today.  
 

[00:00:07] Marco Ciappelli: But do you actually know where we're heading or?  
 

[00:00:11] Sean Martin: I have an idea where we're heading.  
 

[00:00:13] Marco Ciappelli: Well, that's good. That's already something, at least you have an idea of the direction where we're going.  
 

[00:00:17] Sean Martin: That's right, right. It's, over some water, over the water and through the woods.
 

I think maybe is where we're going. I don't know how many woods there are there, but we get to talk with our good friends. They've been on the show before, the folks at Cymulate. They do exposure management and security validation, and they've been growing tremendously and have made a couple of new hires, uh, to broaden their reach globally.
 

Uh, of course you and I know Marco and clearly they do. Threats don't target a specific region and leave others alone. They don't target certain companies and leave others alone. It's a free for all and we need all the help we can get wherever we are.  
 

[00:01:05] Marco Ciappelli: It's a free for all, but also, yes, there are no boundaries, but, uh, you may be dealing with different culture, different way to run the business and maybe different priority. 
 

So I'm not going to say it's uncharted territory, as you suggested to be going who knows where, but I'm sure there is some kind of way that you need to adopt the way that you do certain things. But again, as usual, we're not the one that knows.  
 

[00:01:32] Sean Martin: That's why companies like Cymulate hire, uh, smart folks, you know, what the heck's going on. 
 

And in that case, it happens to be the same person that we're on with today, Ben Fitzpatrick. Thanks for joining us.  
 

[00:01:51] Ben Fitzpatrick: Oh, thank you gentlemen. It's, uh, it's a, yeah, genuine pleasure to be, uh, you know, invited and, uh, be a part of this podcast.  
 

[00:02:00] Sean Martin: Love it. We're, we're excited to have you on and, and hear about, uh, all that you have going there. 
 

And let, let's start first by. I always say when I was hatched, right? So not, not far as back as when I was born, but it would kind of take a look back at where, where you started your journey in, in technology and cybersecurity and how that led you to, uh, Cymulate.  
 

[00:02:25] Ben Fitzpatrick: It was, uh, it's probably, uh, a little different from the executive leaders. 
 

I, uh, I started my journey in the military. I started at a very young age, 17 years old. Uh, I joined, uh, the Royal Corps of Signals, which is a technical trade, I guess, and, uh, I joined as a technician. I progressed into the Special Forces. I spent nine years in the Special Forces in the Parachute Regiment. 
 

And then, uh, due to a very, very, very unfortunate accident, I broke my back, uh, on a parachute jump. I got retrained, thanks to Her Majesty, named to, uh, IT. And that's where I guess, uh, the story begins. I, uh, I, I came from a pre-sales and an engineering background and moved into sales and sales leadership.
 

And, uh, yeah, that's where I am today. I think it's, uh, it's a great story for me, you know, personally, because I feel like it's a very multifaceted story. I've got experience on all sides. Not just, you know, uh, we'll cut your deal, we'll do your deal at this percentage, like, I've learned to understand that there is a need that a customer has, there's a need that the vendor has, and how we bring those together is very important. 
 

[00:04:07] Sean Martin: Yeah, that's, that's often the difficult part, right? 
 

Um, talk, talk to us a little bit about. Some of the experiences you've had, uh, in the different roles and, and how that helps shape what you hope to do with Cymulate moving forward. That's,  
 

[00:04:27] Ben Fitzpatrick: you know, I think that's a great open and I think that, uh, there's been a definite transition, uh, in the market. Both for customers, consumers, and vendors. 
 

Everyone's trying to, you know, scramble and get to the end game, like, but no one really understands the end game right now. Uh, I think when I started with, uh, this journey, I spoke to maybe three or four CISOs who I hold in very high respect, uh, both from Australia, Singapore, one in Malaysia. And they told me that this, uh, like CTEM, like, uh, this continuous, you know, threat exposure management, like two of the four described it as the Holy Grail, which I was like, wow, that's like, that's a term that you don't hear every day.
 

They described it as: if you can always be in front, or even not in front, but as close to the adversary as you can possibly be, then that's what we're driving towards. And, uh, it really piqued my interest and that's what made me think about how I could help deliver value, how I could help deliver, you know, I guess some level of reassurance to the company or customer that we were doing everything that we could.
 

I, uh, I spoke to a number of companies. Uh, Cymulate had been one of them. I have a number of board connections. I sit on a number of boards. And, uh, Cymulate I, when I spoke to Eyal, he was the CEO. So he's the CEO, uh, brilliant guy, him and Eyal, who is the co-founder and CTO. They were the people who actually cared.
 

They were people who I spoke to and weren't just thinking about the dollars and the value and how I got to a hundred million ARR and how I did this and how I did that, how I can make this a sale. They actually still talked around how we can fix the customer's problem. And to me, that was, that was the changing point. 
 

So, uh, you know, in a nutshell, I, I have my own drive, my own sort of, you know, uh, drivers to be who I want to be and who the team I want to build and the people I want to bring on. I could have worked for maybe a dozen companies. These guys are very, very serious about fixing customers' problems and are genuine, which it's not a common occurrence in this cyber, in the cyberspace.
 

[00:07:23] Sean Martin: You'd think it would be, but, uh, that's not the case. That's not the case. So it's an important part of, uh, making a big decision like you made. So, Marco.  
 

[00:07:34] Marco Ciappelli: Yeah, I want to just dive into kind of what we were playing at the beginning of the conversation and explore how do you adopt? So you go into the company, you meet the team, you discover the way to work, the problem they solve, the way to do that, and then you grow. 
 

And you go to a different geographic area and what do you do at that point? I mean, do you create another team that kind of speak the same language per se of that culture, that business, what do you do? What's step by step? 
 

[00:08:09] Ben Fitzpatrick: Yeah, it's a great question, Marco. And I think that, uh, I've got a great team. I'm very lucky. I'm very blessed that I have got to work with and have a team that follow me. And, you know, uh, also I'm very invested in them. They are a bunch of professional people who, uh, they're not your, you know, uh, hate to say this, your used car salespeople.
 

They are more concerned about how to fix a customer's problem. Because you know, like this customer, uh, is important. The company we work for is important, but what's the most pressing question is for them is how can I help the customer? And I think, uh, what's led me to be successful and, you know, hopefully continue to be successful is the team that I've been on board is they're focused on the customer. 
 

They're focused on the customer's problems. They really, really, really want to help the customer. CTEM, like I said before, the high number of CISOs describe it as the holy grail. And when you think about it, it's like, it's not too hard to work out. Patching and testing and all the stuff that, you know, I've been in security 20 plus years.
 

It's important, but how do you actually prioritize a patch or prioritize a remediation. You have to understand what it means to the business. Uh, and unfortunately, the businesses are not very aware of what it means to the business. Not just fiscally, but, uh, you know, financials are one thing. 
 

And guess what? That's all the board really wake up and care about. The board wake up and go, wow, we just lost a hundred million dollars. But guess what? What about the customer churn? What about customer trust? What about the name in the market? And what the team I wanted to bring on board was like someone who could educate the customers they were speaking to around here. 
 

It's a problem. Yes. But there's a solution. Uh, we are behind the eight ball and eight pack very much. So I think, uh, between 15 and 20 percent behind. Uh, Amir, uh, North America, which, you know, it's, it's a problem. It's embarrassing. It's something that needs to be fixed. But what I wanted to do was get a team that wanted to work with customers to help them prioritize not just the fiscal value, but also like reputational, make it important to the company that they were doing the right thing.
 

And, uh, generally. In APAC, uh, I've worked there and I spent time in North America as well and Europe over my 30-year tenure. Uh, in APAC, I can tell you now, over nothing that they, the executives take it very seriously. They want to be held responsible. They want to be accountable. And I think that that is a big difference between the other markets I worked in.
 

[00:11:32] Sean Martin: I love what you shared here, Ben, and I want to kind of stick with the, the regional aspect. Um, clearly people understand, um, your team understands. I'm wondering how, how does what you do, Cymulate do as a, as an offering, perhaps help not just cover that 20%, but maybe even take, take the region ahead in, in where they're going.
 

Cause I mean, the, the whole point of continuous, uh, monitoring, yeah, staying ahead of the, the attacker, right. Understanding the attack path and then having the intelligence to know where they're headed and being ahead. Kind of says you can get ahead, not just play catch up. So talk to us about, how, what you plan to do will help leapfrog some of the current situation there.
 

[00:12:25] Ben Fitzpatrick: It's a good question, Sean. Generally, I think that if we take out, if we strip out security, if we strip out technology, everything has a life cycle. Like, I hope you agree that. There is a zero to a hundred, uh, if we look at antivirus for, uh, for instance, you know, like you look at, uh, Sophos, you look at Symantec, you look at McAfee, there's uh, an evolution life cycle. 
 

They all do exactly the same thing. It's, it's a race to the bottom. It's almost, uh, who can get that cheapest? Who can get that fastest? What can we do? Like, I, I, I'm at WordPress services companies, very, very high value services companies, like, uh, you know, I work for, uh, Mandiant. I work for NCC, like for instance, the red teaming element, uh, very, that's like a very, very, very high skilled area. 
 

We need some of the best people in the industry to be able to act like the adversary, to really, really, really understand the tools, be the, the proceed to really, really. I'd be able to do the maximum amount of damage that you can or not damage depending on the level of the other team. 
 

NCC and you know, Mandy did a good job of it. Uh, the scared, the holy bejesus of our customers. I think the same as anything, it's, it's an evolution. So what companies like Cymulate, and I'm not going to like say Cymulate is the only company doing this now, but what Cymulate are doing are using automation, TTP, AI, to be able to perform the same level of intrusion attacks, uh, but without damage, but give the same validation back to a customer. 
 

You know, customers appreciate that. Customers appreciate that, you know, We are scared. Of course we're scared. Everyone's scared about what the potential impact could be. But what we're doing is we're giving you a way to validate your security controls. Without actually shutting you down, without causing you business impact. 
 

I think that's what's important. It's about, you know, do me wrong. Web teaming, pen testing, everything's important. Like 100 percent it's important. But what's important is also being able to do this at the drop of a hat. On a Tuesday or a Wednesday, a CISO wakes up and goes, you know what, I'm not comfortable. 
 

I want to, I want to test my applications. I just don't want to test my infrastructure and my software, I want to go and go and test my, like my SaaS. I want to go and test everything that we're getting as a service and then get something back that helps me go, wow. I didn't realize last Tuesday that this was a problem, but now it's a problem.
 

How do I go and prioritize this risk? And that's what all comes back to. It's, it's about risk prioritization as a CISO, as a CIO, like there's a million things out there. How do I fix what's. Does that make sense?  
 

[00:16:04] Sean Martin: Absolutely it does. And I'm, I'm thinking back to, uh, when we got, had a chance to speak with Nir Loya. 
 

Uh, I believe he's the VP of product there and he, he outlined five things, scoping, discovery, prioritization, validation, and mobilization. And you just, you spoke to those two points in my opinion, very clearly, uh, where, how are you going to take. Your, your knowledge and answer key questions. He, he put a couple out. 
 

Are we at risk to this emerging threat? And do we have the necessary capabilities to protect us if we were under attack from that threat? And that leads to what do you do when, when something you have to make a change, right, either, either to mitigate or respond, uh, that's the action piece, looking at it from a pure risk perspective and. 
 

I guess so. With those things in mind, kind of leading it back to the region again, um, are the conversations you're having with, with folks that you're speaking with, are they at that same level to say that those are the exact types of questions we're looking to answer? And we're trying to drive toward the same outcomes of mitigation and response with real intelligence.  
 

[00:17:20] Ben Fitzpatrick: Really interesting question because I could speak to 50 50 different responses Sean at, uh, the end goal to me is like, how do you respond? Ultimately, everything ends in response. Like not just from a cyber perspective, from, from psychology, human psychology, how do we respond? 
 

How do we digest? How do we understand? You know, the conversation. How does it make us feel? And then how do we respond? And I think that companies are only really on the verge, if at all, on the response piece. They think that having a retainer is like a tick box. And yeah, don't get me wrong, like it is. And if you have an insurance policy with a cyber provider, yeah, okay, that takes the box and then you have to pay a little premium.
 

Pay in retrospect. You have to actually understand, as a business, like, what's important to us. If this happens, what do we do? How do we react? Let's not just tick a box. Why don't we try and stay ahead of the curve? Why don't we try, uh, you know, not have to deal with 80 percent of the problems. 
 

Why don't we deal with 20 percent of the problems? And I think that's where Cymulate uniquely positioned with minimizing the risk window. We're trying to make it around how can we help you, understand your business? How can we help you deal with the most important threats slash adversaries? 
 

And some of it's mismanagement, some of it's internally, you haven't done the right things. That's the difference right now, and I've worked, like I said, in security a long time, and like, you can pull all the mitigating controls you want into a plan. But unless you truly understand it, uh, as an internal person or an organization, then that, that's where I think the difference is. 
 

[00:19:39] Sean Martin: Let's go there, Ben, I want to stop you because it, this is a question I often have in my mind because there's so many technologies. That we have, that we can use to protect ourselves. But then there's a bunch of stuff that we use to run the business. And then there's a team that uses technologies to kind of bridge, bridge the gap and manage risk and, and exposure and all that stuff. 
 

So the question I have for you is how does what. You offer fit into a security program. Who takes the lead on bringing this in? How does that change the definition of the program? Uh, the, the team structure. I mean you spoke to kind of the, the, the human element here and how, how people think right before they respond, hopefully they think before they respond and maybe even practice before they respond. 
 

So how do, how do you fit in? To that environment help people understand how they bring you in and, do good things together?  
 

[00:20:42] Ben Fitzpatrick: Yeah, it generally is a great question. I think the, the difference is that people becoming more proactive, they're getting, uh, more a. 100%. And, and, and again, you know, you guys have like, like this podcast, it's, it's trying to help people understand how to get in front of the curb. 
 

Yeah. It's not about, uh, waiting for the event to happen. I think with Cymulate. It's the only company I've ever worked for that has a truly proactive element. It's not around the past. What can we do? And then how do we learn? What ATP? What IOC do we do to stop it happening again? They're trying to go from like, uh, you have a security score of 60. 
 

We want to get you like 90. There's no such thing as a hundred percent guys. And like, I'll tell you on record right now, like someone has been in the industry for 20 years, you can't protect against everything. So I'm telling you now, you, you can't do that. 
 

What Cymulate are doing is looking at your existing security controls, validating them. I'm actually trying to work out the, the efficacy, how can these things work together or how do they work together in order to make sure that you are protected? And if you're not protected, we're going to be the first people to tell you, we're going to be like, this, this is wrong. 
 

This is wrong. But if you did this, this and this, which would take an analyst minutes. It would give you that coverage. And I, again, like that's different to anything else I've ever seen. I've worked with, you know, companies who've developed MDR and they've done things and like, it's like, ah, you guys are too stupid. 
 

We'll just fix it for you. That's not, that's not what Cymulate trying to do. Sam, what Cymulate trying to do is give you the education around your controls, what you could do differently to almost immediately impact those controls, if that makes sense.  
 

[00:22:59] Sean Martin: Absolutely does. And like, I can see why Cymulate brought you in. 
 

Your, your experience, you have to know this stuff, right? You can't wing it yet. You have to know. And I can see why Cymulate brings you in all the different roles you've had and experienced at different companies, gives you, gives you that knowledge, right, Marco? 
 

[00:23:19] Marco Ciappelli: Absolutely. And, and if there is one thing that I get from you, if you have this, uh, let's be clear policy, like you have a team that cares about stuff that don't promise things that they do not follow through and you're not promising the moon, but you're promising something that is achievable. 
 

So what I would like to know to close this is as you're expanding in all this new market. Looking a little bit of into the future as we're also closing the year with the prediction. How do you see things change? I mean, I think, and I agree with you that being trustworthy and honest, it's always the best thing to do when you deal with client. 
 

But also, oftentimes you bring something different to the table and Cymulate. I'm sure it has some, uh, weapon. In their, in their arsenal that make them probably a little bit more appeal than another company. I'm not saying they're not doing the right thing, but what makes Cymulate special, especially expanding into market where you want to get more than that 20%. 
 

[00:24:29] Ben Fitzpatrick: It is a good question and uh, I think What's different is that, uh, you just alluded to it, technology fixes one or two problems. Yeah. Like, uh, point technology fixes this problem. We have four or five technologies, uh, they all fix very different problems. 
 

Uh, it's exciting that we can help customers in certain ways to do things in a point in time case or not in a point in time case. Like, uh, for instance, the BAS, which is the Breach Attack Simulation. It's like pen testing, but, uh, instead of pen testing, you run once a year for a tick box. We do it like, uh, yeah, we'll do it this month.
 

Boom, boom, boom, boom, boom. We do it and we, uh, we can continually do it. Which is exciting to me because it's a continuous element of safety. Uh, but if you want to change the scope, I want to do it to applications. I want to do it to SaaS. I want to do it, you know, the hard way. That's, that's one thing where we're going towards.
 

And I think, uh, where companies are lacking is the analytics. Exposure analytics is what we call it. And, uh, it doesn't have to just be our products. Exposure analytics can take in your vulnerability management. It can take in, you know, your bus, if you use a different product, think in your score, your antivirus, everything.
 

What we're trying to do is get to a position where our analytics can give you the ability to reduce your risk. And I think that's, uh, yeah, to me it's exciting, but also, it's something that could change the market. It doesn't matter what you have or what you've got. It means that whatever you've invested in, that you can, you know, you can plug this in, and you can actually get the realization of your investment.
 

Because no one likes spending money and then going, Oh, guess what? You shouldn't have spent money on that, or you shouldn't have spent money on this, or that was a bad decision. It's about making sure that, uh, the money you've spent has been validated. And I think that's what exposure analytics will do. It will really help validate what we're doing globally, uh, mankind wise and then be able to translate that back to a company as in, uh, what can you rationalize? What makes sense? What doesn't make sense? Do I spend 100,000 on this when it's giving me 2%? When I'm spending 40,000 on this and it's giving me 90%, it's all around, uh, it's a business decision.
 

And I think that's, uh, the thing I joined Cymulate for was the exposure analytics.
 

[00:27:39] Sean Martin: Yeah, I can certainly see that. And I think ultimately it does boil down to the dollars and cents, right? Are you, are you doing the right thing with the right investments? And having the other conversation as well, uh, with Nir, it really says to me, I mean, and having all the conversations I have on, on my show, Redefining CyberSecurity, it's all about making informed decisions, decisions that are fast, decisions that stick that you're not second guessing and having to, to retract and redo later. And decisions that don't, uh, destroy the team, right?
 

It goes back to the human element as well. You, you can't, you can't burn the team out. You, you can't. Kill the business teams, uh, efforts to drive revenue. Um, it's all decisions and it's, we have data. It's a matter of how, how you get the data, how often you can look at it, how easily you can analyze it and translate into something that makes, uh, helps make a good decision that, uh, To me, it sounds like the, the, the perfect scenario. 
 

And I'm, I'm, uh, happy to have this chat with you, Ben, and, uh, congratulate you on your new role and, and hope, that's, hope that the expansion in the regions, uh, that you and your, your counterparts are, are making are successful. Time to change, uh, how we look at things and how we measure things.
 

[00:29:07] Ben Fitzpatrick: And Sean, thank you. I echo back that guy. I really appreciate, uh, having you, Marco on. You know, uh, had me on the call that, uh, the team that's been with you share the same values as me that then they're not about, uh, you know, taking dollars for customers. They're about how can we help customers? 
 

And that's what, you know, personally, I feel is, uh, something that's missing in the security market.  
 

[00:29:32] Marco Ciappelli: You want to wake up in the morning and be proud of what you do, and because what you do is important, and I want to invite everybody to check on all the notes that we're going to leave here so that they can really understand and get in touch with you and explore opportunity, hopefully, with Cymulate.
 

[00:29:50] Sean Martin: I'll include the link to the chat we have with Nir. It was an incredible conversation as well. Thank you. So I'd encourage everybody to listen to that too. And, uh, yeah, wherever you are, Cymulate's in your region, how it seems. So, uh, so reach out to them and, uh, and have a conversation.
 

Time to be more proactive. Thanks again, Ben. And, uh, thanks everybody for listening and tuning in and stay tuned for, for more brand stories here on ITSPmagazine.