Dave: Galina, welcome to Security Voices here in lovely Santa Monica.
Galina: Thank you for having me.
Dave: Our pleasure. This is the very rare live in person, well not so live, but at least in person Security Voices. Jack couldn't make it today, but, sense is best. And we've got a whole bunch of topics with Galina. We're going to talk about industrial security.
We are going to get into Claroty, our company for many, many moons now, and gender equity and other topics. So if you are the impatient type and you only want to listen to one of those, we're roughly going to cover those in that order. So you jump ahead at your leisure. So to start out and I'll tell you what.
Why don't we do the briefest of bios on you just so we people know, even though you're all over the place, seemingly, we'll do a quick bio here. And this is where normally I'd read it to you. So you don't have the uncomfortable position of having to explain yourself, but I don't think that's uncomfortable for you at all.
No, I love
Galina: it. I love it. Thanks, Dave. You know me too well already. So how I started was very typical computer science kind of background started my career in a giant corporation of IBM was very fortunate to work on. Integrating startups into that giant, but a very kind of straightforward IT security background from there.
And that was in Canada, in Toronto. From there, I had an incredible opportunity to do my MBA actually in Switzerland, and then from there on to be recruited by the CEO of Siemens. So a hundred billion dollar corporation. Interestingly enough, that was right around the time a little event called Stuxnet was made public.
And so Siemens, as you know, was kind of in the middle of that. And so it just opened up a really interesting opportunity, given my background in IT security and discovering this like wonderful world of industrial automation. And basically the fact that that runs our world to start a new business unit at Siemens.
So this is how my fascination with industrial cybersecurity really started. This was back in 2011, early 2012. So from there, I started a new business unit at Siemens, took the business from Germany, moved it to Atlanta, Georgia in the U. S., grew it. And it just gave me unprecedented kind of view into what was going on in the market, which was all the large customers were asking for solutions which were different than the I.
T. solutions that All the large vendors at that time were pushing and so long story short, I decided to leave my executive job and got on a one way ticket to Tel Aviv because I wanted to work with like Israeli co founders and kind of found my people after a few weeks and the rest is history. We started Claroty in early 2015 and now eight years later we've raised 100 million in sales company, over 500 people.
And we are in one of the hottest sectors in cybersecurity, so couldn't be happier, but it wasn't a straightforward journey. Definitely.
Dave: All right. We'll get back to Claroty a little later, but first the threats. So, you know, the Colonial Pipeline was a huge watershed event. As big as Stuxnet, not as interesting at all.
You know, Kim Zetter will not be writing a book about the Colonial Pipeline. Maybe it'll probably get like a good Wired Magazine article if that or so on, or it's probably already gotten a number of them. But suffice to say that it was a hell of a reminder of just how dependent we are on industrial control systems and industrial controls, operational technology, I think is probably the right way to say it.
But having said that, The Russian Ukrainian war is the one that just seems so interesting. And we, here we are, we're, I don't know, 14, 15 months into the war. And it actually, you know, the industrial attacks from Russia on the Ukraine, and I'm not sure if it goes both ways, but I know it definitely went from Russia to the Ukraine.
It actually extends back to well before the war. Can you give us a little bit of the history and then we'll fast forward to today and what we've seen from the war and how it's kind of changed the landscape, if at
Galina: all. I'll just kind of give a little bit of background for those listening that are not familiar with industrial control systems.
Those are basically the networks that literally run the world. So we're talking about everything from electric utilities to nuclear power plants to rail and planes and airports and Communication all of that is basically what modern life depends on. The challenge is that those devices have a lifespan.
span of, you know, 30, 40 years, which of course, by definition presents a lot of security challenges. And we've known for a really long time that obviously those are cyber physical machines. Therefore, you know, they're attackable Stuxnet was kind of like the event that made the public aware of that. But obviously technology experts have known of that for a really long time.
The real challenge that we have in the world in general, when it comes to critical infrastructure is that even getting visibility of what's going on is a. Not a straightforward manner, right? Which is why company like ours exists, but just the lack of visibility is one thing. Secondly, the fact that they operate in a completely different way, they run on custom protocols, you know, a lot of legacy devices, so you don't even necessarily need vulnerabilities to actually attack them.
You can just kind of go and tell the controller to do a different. thing. I'm oversimplifying it, of course, but that's at the core of a lot of the, of the attacks. And so it comes as no surprise that those critical networks are extremely valuable, right? And when we're talking about a conflict like the Russia Ukraine, right, nation states fighting with each other, Critical infrastructure is absolutely at the core of that.
Now, Russia has been pushing Ukraine and invading them and whatnot for, I think, over well over a decade. And one of the first instances of them blatantly just attacking their critical infrastructure was actually in the winter of 2015. And then there was another one in 2016. And a lot of us back then that were in the industry kind of said, Hey, this is really a red line.
Because we know who's behind the attack, right? We know of the intentions. We had a pretty good understanding of technically how, how they achieved that. And for many of us, this was crossing of a red line. Well, here we are, what is it? Eight and a half years later, almost. And they continue to, you know, deploy such software.
One of the more recent ones is, um, in controller that was kind of came to the attention of the public almost a year and a half ago now, which is, yeah, exactly. It's actually, it's, it's a lot more than malware. It's a whole. Framework of how to exploit various different controllers, right? So it's kind of like Triton was another one that happened back in 2017.
And that was again, targeting safety systems. I'll talk about that in a second, but one is that. The technical feasibility is absolutely definitely there. And the second challenging thing is that that just becomes a tool in the arsenal. And because it is not as obvious as, you know, things kind of going boom, sometimes we're kind of reluctant to say that's a red line.
But if you think at, if you compare it to other areas of, you know, warfare, it is absolutely a red line. having one nation attack the critical infrastructure of another one.
Dave: Let's dig into it a little bit. With Stuxnet, it was famously entered, penetrating the environment on USB stick. Allegedly. Allegedly.
Yeah, we'll take a few liberties. Then we give you the answer. Yeah, the sponsors won't get pissed, I promise. Allegedly. Good, you don't have any. Yeah. And then it spread through, you know, Oday exploits, like a cache of them, right? A number of novel ones and so forth. What did we see with, within controller? Was it similar?
And I have a whole bunch of questions that, that may be entirely unfair. So tackle that one, explain a little bit of how it got access and how it spread,
Galina: if you can. So first of all, you know, with, um, we just gotta be aware of also where it happened, right? So like Stuxnet, nuclear power plants, et cetera, of course, absolutely.
No connectivity to the internet. It continues to be this way for nuclear power plants to this day, which is a good thing in the cases. And I want to talk about Triton as well in the cases of Triton, which happened, I think it was 2017, the timeframe it was actually discovered as part of a kind of incident response and the work that was done post the incident response.
But the big thing there was that they actually use the native capabilities of the programming of the controllers to actually change how the, it's called a distributed control system. And I don't want to get into too many technicalities, but like distributed control systems basically have like controllers that execute whatever physical process they need to execute.
And they also have safety systems. And it was a very complicated process by which they've kind of. Disabled the safety system, so to speak, by just like reprogramming it and then found a way of just basically manipulating the values of the controllers and none of that. Technically, there were some exploits involved in that, but a lot of that could also actually be achieved by just issuing those commands.
If you have the right access, escalation of privileges, et cetera, et cetera. So with the in controller, although, you know, there aren't any, again, it was kind of discovered. As part of investigations and stuff like that, it's an extremely sophisticated net attack framework, right? Mindiant and other folks have enough.
evidence to basically say that it's pretty much Russia behind it because it needs a nation state for those kind of resources as well as intentions. And what's really powerful about the framework is that it wasn't just one exploit or it wasn't just one attack vector, but it actually had like few different components.
One was to discover servers that were running specific programs, obviously UI, which is a very kind of common protocol. And then from there it had like different parts of the, it's almost like. It was building blocks so that you can take the building blocks and actually reconfigure it for whatever you want.
It affected a number of different vendors. So again, it was Schneider, it was Omron and a few other variations of their controllers. But it was. quite sophisticated in terms of like how all the pieces came together and he wasn't using any exploits, right? You didn't need any vulnerabilities. Of course, there's security best practices and ways in which you can harden those systems.
And there's like a lot of that information is now available, but it wasn't anything that you could say, Hey, there's this specific vulnerability or something specific that was exploited. And I think it just talks about. The complexity, first of all, and secondly, the nature of those devices, we need fundamentally a very different way of protecting them.
Now, what's really scary about this is that we have no way of knowing exactly where it has been deployed. And just because we don't have, unlike in our I. T. systems, we don't have visibility into operational technology networks. And even if it is deployed, it could just be. Basically at a recon stage, right?
If it's not used, it cannot be detected. So that is the scary part, but just, I think given how much Russia has pushed in terms of like using those kinds of weapons to basically carry out their objectives, one always wonders if things were to escalate, would they actually use tactical nukes or would they use something like that, which in theory could have a lot larger, like the impact of something like that.
And the economic impact right beyond just like loss of lives could be just absolutely incredible. So I guess
Dave: a couple of questions for people who are new and even folks like myself who played a little bit in operational technology. I know enough to be dangerous, but is it an issue of the legacy equipment that's out there that just wasn't designed at all for security that presumed a safe environment that was pre anything being connected to the Internet?
From the OT side, which clearly isn't the case today. I have another question on that in a moment, but is the new equipment that much better? And we just have a ton of old legacy equipment that candidly still is in its useful life. And that shouldn't be replaced. It would be too costly to replace, but we've got a whole bunch of old stuff that you just can't update away the problem, or maybe you can, but you're just not going to realistically.
Is the new equipment that much better and this is a legacy issue that we're going to kind of phase our way out of? Or is the new equipment just as bad and the OT vendors are just
Galina: drunk? I love the OT vendors. I think they've made tremendous progress in the last, I don't know, decade. But there are just some fundamental constraints that we're dealing with.
So a lot of it is legacy. But what I mean by legacy is not that it's just been in the field for like 30, 40 years. It's. The way the economics work for that is you want to deploy something that's out there for like a decade and more just because stable, because it's not economically viable if you're like a chemical manufacturer, whatever you can't, it's just impractical given the economic realities.
These people, the manufacturers, you know, oil and gas company, they barely have time to stop those machines for maintenance, let alone the cost of rip and replace. So the life cycle of those devices will never go down to like five years or three years or anything like that. It will always be in the decades.
So that by definition means that no matter how amazing is the current technology that you're placing in, in five years, you know, aspects of it will be obsolete. Right. And, you know, let's be honest, like even on the IT side, our security industry is not perfect. Like companies get breached every day just by like the most basic of ways.
So we're talking about, you know, decade ago, the thinking was those things are disconnected. They're not connected to the internet in any way, or they shouldn't be. They should be air gapped. My saying back in the day was air gaps and unicorns don't exist. We just. Like, you know, they just, they don't exist, right?
Dave: Next question is what percentage of OT networks and just ballpark it are connected to the internet now? That
Galina: one might get me in trouble. Air gaps in unicorns don't exist, right? So if people want to, want to find their way in, they will. The interesting thing that has happened. In a very large scale in the last, I would say three to five years and very much driven by the pandemic was digital transformation and connectivity actually increased significantly.
And this was a great thing because we died. Also came a lot of thinking of like, okay, how can we secure that connectivity? Right. Cause I feel like five years ago we were stuck in the old argument of like, why can't get, you know, my data analytics off of my turbine or whatever. Cause nothing is connected and I can't connect it because you know, security.
So now we've kind of moved past that. The pandemic honestly forced a lot of companies to just move away from digital transformation on paper and like a fancy slide for the board to actually doing it. And that was great for industry because now we were thoughtful about how we were connecting those devices to the outside world.
Dave: because they just literally couldn't send people to the plant anymore? It wasn't even an option anymore. So we had to do it and we had to figure out a way to do it. We knew enough to be dangerous with respect to securing it. So they made sensible choices that were available at the time. We
That was exactly like a big part of that was just, you know, life forced us to go down the path of like digital transformation, which ended up being an amazing thing because it fed into a very interesting loop, which was, okay, so the boards of directors and the executives saw the benefits. of productivity, of that connectivity, and they're like, Oh, this is a way we should do it.
And then they're like, here's a bunch of money to also like, make it secure. Right. So it was good for the security teams. And what it really created is established a partnership between the security teams and kind of like the board of directors that goes beyond you're seen as a cost center. Here's a bunch of money to basically defend this.
It was like, how can you build resilience into our networks? Because let's face it, there's No organization in the world, whether if someone wants to take you down, they'll find a way in, right? The question is, how do you bounce back up, right? And if you're a hospital, like, how do you bring all of these machines back online and, and all of that?
And how do you think about the totality and the complexity of that all? And cyber physical systems are not just, you know, laptops and phones that you can just re image and just redeploy, right? There's a lot more thoughtful process that needs to be deployed there. Yeah, it
Dave: strikes me that. Oftentimes these industries, the security new product categories are started because we see a threat and we want to make sure that we stop the threat and as entrepreneurs and like professionals were like, well, that will surely build the business will stop the bad thing because people want to stop bad things.
They don't want to be breached. And I think one of the great. Revelations is that people don't care typically until afterwards because it's hypothetical and you can't ask them to like bemoan a problem that they've never experienced, right? You only know it hurts after you've touched the hot stove, but yet it sounds like in this instance.
I mean, there's some interesting threats that I want to talk about, particularly related to Ukraine and Russia, but in general, the threat landscape, it doesn't seem like it's been bonkers. It feels like it's been kind of steady, but it sounds like what's really fueled the growth of Claroty and others in industrial security is the pandemic hit at this time when we were aware of the security threat, when there was an industrial security market, an OT security market that had matured and folks looked at it and said, Oh, this is a huge productivity boost.
I can connect to the internet now. There's a means of, of enabling this. And yes, we want to stop the bad things and we've seen them now. But the bigger thing is I can't avoid a truck roll and sending people into work unless I do this security thing along with it. So your security as an enabler, as opposed to a defender, is that the right way to reason about it?
Galina: nailed it. And in just like anything else in like corporate life. Cost, cost and opportunities what drove that, right? Because cost efficiencies, because digital transformation meant that they could be more competitive, right? Whether that's getting insights off of their, you know, whatever data they had or, or anything else, connectivity is the way forward.
And I think, you know, one of the silver linings of the pandemic was really forcing us to go that way. And that's a great thing. Now, of course, there are a lot more threats that come with that. Not to mention about the explosion of like IOT devices and how everything is interconnected. But that is, I feel like we're in the right framework now when we're thinking about resilience versus just, Hey, you know, those are devices that cannot be exposed to the intranet.
And to answer your question, you know, when we started the business, all of our customers were on prem that has changed significantly. So the whole industry and the whole mindset. said has changed significantly. And to be honest, I've had talking to like clients or potential clients where I was like, my preconception was a hundred percent.
They would never be open to like cloud connectivity. And they're like, yeah, absolutely. We're doing it for everything else in our business. So not why we died. You tell me what is the right way to secure it so that I can deliver on the bottom line to the business. So that shifting, like how the CISOs and the security organizations are viewed as.
partners as enablers, exactly as you said, as competitive advantage to the business, it's just been an absolute tremendous shift in our industry. And it's just amazing to see that partnership versus just, you know, budgets and threats and like showing, you know, red traffic lights on board slides.
Dave: And, you know, we're starting to see that a little bit on our side.
It's. I mean, dramatically different area like cloud data security, but we're starting to see that with things like GDPR where people are saying, Hey, I'm going to expand internationally and yes, we could have a leak, a breach or so on. But don't talk to me about that. Talk to me about the story that I can tell my.
customers in the areas that I'm going to keep their data in this place and I have measures in place to keep their data safe and private so that you can be WD 40 for the sales process. And that was like one of the moments where I looked at this and said, ah, okay, categories developing because we're beyond the, hey, this bad thing could happen argument.
And we're into starting to be a business enabler. And that's I think that's really part of what's been behind all the compliance companies rise to write like the Vantas and Thoroughpass and, you know, and the rest of that posse secure frame where he had Shravan here a long time ago, but I think that's part of it too.
It's like, yes, those companies took off because people needed. They needed compliance to do what? To be more secure? No, to lubricate the sales process. That was, that was what was driving it. And all right, so let's kind of close out on the threats a little bit. I was looking into it. I hadn't paid much attention.
My world is the cloud world and the data world, and there's plenty going on there. But an interesting one was the Viasat terminal attacks, where it looked like the Russians were trying to disrupt internet for the Ukrainians, which was really fascinating, made me think back to our satellite. with Frank Pound.
I'm assuming that one for you guys is a little, a little far afield, you know, not necessarily your guys's
Galina: domain. Yeah, we don't do satellites, but it's absolutely in the same kind of like line of thinking. It's just a great example of how at war, you know, you would basically try to disrupt kind of like whether that's like supply communication.
I think there were examples also of like. railroad kind of disruptions, obviously everything kind of related to the electric grid incidents that we mentioned. So that's a fascinating one. And it just goes to show you the importance of the infrastructure that we all rely on, right? And it's literally, it's everything, it's everything we could imagine, including satellites and the rail that brings supplies and all of that communication, the energy that we rely on.
If I were to make a bet, it will probably continue to be, we'll see more examples of that as things escalate. Now,
Dave: Ukraine Russia conflict has so much of our attention and for good reason. There's a history of OT attacks by the Russians here and probably by the Ukrainians too. And of course, Stuxnet, US Israeli attack, you know, allegedly.
Yeah, you can't say it. I can. I read the book. It's all right. I believe Kim Zetter. But to come back to it, what's flying under the radar now? I mean, other than ransomware, which I think, You know, whether or not those are intentional ransomware attacks against OT or accidental, just given the way that it goes, I don't have an opinion on that.
Maybe you do. But beyond Russia, Ukraine, ransomware, what are the other trends and the things that maybe are behind the headlines or are visible to people inside the industry, but to the rest of us, you know, people sitting on the outside, we wouldn't see it. So
Galina: actually let's talk about ransomware for just a moment because whether it's intentional or sometimes just as the byproduct.
What we're actually seeing in critical infrastructure is that more times than not, more often than not, it is actually intentional. It's very simple. Those networks are critical. You have a completely different urgency of like restoring them. And let's talk about hospitals for a moment, which is like my newest vertical that I'm kind of fascinated by.
So a year and a half ago we acquired a medical devices, IOT company, Medigate. Yeah. And so that just kind of. okay. So if you think about a hospital, right, and sure you think about medical devices because you need the MRI to be working in a bunch of other things that are useful like diagnostics and care, but also think about the building in which that care is being provided, right?
If your building management system, HVAC, your elevators are not working. Like your HVAC is not pumping like oxygen in the operating room. You can't actually do any of those things. So you got to think about like the infrastructure of all of that. And it's especially urgent in hospitals because. You know, irrespective of the origin of the ransomware, the reality is that your infrastructure is down.
You can't do surgeries. You can, you know, and unfortunately there've been a lot of reports around actual human lives lost because equipment was down. And it's not so easy. It's not a trivial thing to bring it back online. The other thing, you know, just from talking to like CISOs of healthcare organizations that I haven't even thought about is that apparently, like the younger doctors and the medical students, they're not trained in the procedures on paper.
So like literally they have to run like tabletop exercises and train them how to like update charts and stuff like that on paper, right? So we are so dependent on our cyber physical devices and those interactions that you literally like, you cannot open the cabinet where the medication is, right? If that's locked, like you can do a surgery cause you don't have any of the equipment.
There's no oxygen. There's no lights. There's just so much that we. rely on. And I think that hospitals is one example that we can all rely, we can kind of relate to. So whether it's intentional or you're just, it's just a by product of a, whatever crazy attack, the reality is that your equipment is down. So there are ways of like thinking of how to contain that and, and how to be more resilient.
So that's on that. To the second point about what worries me and what is it that the public is not seeing, The biggest challenge with our industry is that we don't know what we don't know. And what I mean by that is there is no, unlike in the IT networks where we've got dozens of different products that are already deployed, they're giving us some kind of signals, right?
We've got some security telemetry that's coming from those networks. The penetration of visibility and kind of that signal and the security telemetry from the industrial networks is in the single digit percentages. From around the world, right? So yes, certain governments see more, certain companies like ours see a little bit more.
No one has perfect visibility, and there's no technology that's deployed across the board, right? So talking about the controller kind of malware framework that I talked about earlier, that Mendiant, from the Mendiant report, we actually don't know where that is deployed, right? And waiting. The type of industrial control systems involved in it are like, One third of the automation deployed in the world.
So we just don't know what we don't know. And when it comes to like nation states and how warfare escalates, it definitely is an arsenal. And in some cases, it could, of course, be used in ways that are very obvious, but it could also be used in ways that are subtle. I've heard
Dave: this said before, and I don't know if this is true, unlike the Israeli and U.
S. based Stuxnet attack, which I'm convinced of. This one, it feels right. You know, it has that inexorable quality of it feels right, but don't know it to be true. I'd be curious if you have an opinion on this that you can share. But it was said that the U. S. has, you know, widely penetrated Russian infrastructure and it's believed that the Russians have probably widely penetrated the U.
S. energy infrastructure and other places as well. And the extent of the blind spots that you're talking about, they're so widely felt at this point. And it sounds like they're starting to be eliminated, but they're still so entrenched that at this point, the nature of kind of mutual exploitation of each other's infrastructure, yeah, that we end up in a situation not unlike nuclear arms, where it's like, look, we're inside their environment, they're inside ours.
And if anybody truly was to try and take down each other's infrastructure. It would be so painful that, you know, both countries, they'll refuse to act on it because they feel deeply that they would be just as impacted. Do you believe that to be true?
Galina: I think a lot of us in the industry believe that. And I mean, it's not a matter of belief, right?
I think it's a matter of the kind of simplest explanation is. It's always probably the most likely one. And you could see it. I mean, even I'm just talking about like public statements, even that the U. S. government has made for years now, you know, back in when was it 2017, 2018, when they came up with their new strategy, it was called Defend Forward.
And, you know, we know of a lot of examples where that is the case, it is the new frontier of cyber warfare, right? So it would make a lot of sense if this was the case.
Dave: All right. Well said, spokesperson, you managed to give us something meaningful without saying too much. It's a skill. Tip of the hat. How long is it going to take until we eliminate these major blind spots in which in controller and other threats and other wild crap that's out there is fomenting?
Do you think it's, you know, we're well on our way and we kind of got a mighty shove in that direction by COVID? Is it going to take five years? Is it going to take 10? Are we still going to be talking about this, you know, two decades from now? Like how long do you think it'll take until we feel like we've got a good grip on at least baseline visibility?
Galina: Look, I think the best way to predict the future is to invent it, which is why I'm working on what I'm doing at Claroty, right? My kind of best estimate is that first of all, it's very hard to project because obviously we are. Closing a lot of the fundamental challenges with our industry, which is like the legacy protocols.
A lot of them don't have encryption and all of that by the same token, you know, even if we did have encryption, what happens when quantum computing is, you know, ubiquitous and everybody could use it on the bad side as well. So it's going to take some time. It's. Probably in the decades, and it's only going to get more complicated because our world will increasingly become a cyber physical domain.
And so those are all kind of like the weird things that have real impact, like kinetic impact in the world. And we don't have very. Good ways of protecting that. So I think the short answer is that company like mine will continue to have a future. We would have to evolve and change what we're doing and what products we're selling and stuff like that.
But I think that the explosion of cyber physical devices across the board, right? Not just in critical infrastructure, but like IOT healthcare everywhere is going to drive. The need for how we think about like securing them and it's just the impact is so tremendous that it's going to take us some time.
All right. I say
Dave: this partly in jest, but partly for reals. What's the impact of AI on industrial security? Will chat GPT come save us when it's married together with amazing 30 year old OT technology? Is that peanut butter and jelly? No,
Galina: I mean, look, it's like in general, I think the public's fascination was captured by ChatGPT just because finally they could like play with it.
And obviously it's like the models have evolved so much, but you and I know that we've been using versions of machine learning and cybersecurity products for a really long time. So things are just getting better. Now, I'll tell you where it's going to help, I think, is with the skill shortage, which is extreme.
So part of the challenge, and especially in our domain, is that you got to train people on cybersecurity, you got to train them on industrial control systems, which is like unicorns and unicorns, and then they got to want to stay and work for you, right? So I think that all the progress that we're seeing in the processing of data and just, you know, everything that we can do with the modern AI systems is going to help.
less skilled, you know, whether those are SOC analysts or, you know, other OT operators to just have the advantage of knowledge and data at their fingertips. And I think that's a very positive thing for the industry in general, not just for industrial security, but industrial security suffers.
disproportionately for this because of the unique skills that we need. So I think this is where it's gonna help us a lot in the future from a product perspective, you know, pretty much every security company probably uses a component of machine learning one way or another. I remember
Dave: being back at Symantec.
And seeing ESET out of Romania, leaning heavily on ML for in retrospective tests, basically what it is, they freeze the AV definitions for two months and then see what they detected. And they'd only do it on static files. So, which is problematic in any of a number of ways, but it was a good indicator of who is using ML.
And there was, you know, really only one company at a time, but then everybody fast followed. And. You know, and then it became fashionable. I think we figured out that we could market AI in early last decade, and then hilarity ensued in a whole bunch of hyperbole. But yeah, I mean, and look, I mean, we use a large amount of ML and NLP transformers just aren't viable in certain areas for cost performance reasons and so forth.
So yeah, we use it where it makes sense. Elsewhere, it's just not compelling. You have to use the right tool for the job. But the training thing is, is fascinating. I mean, we have these areas and I'd say like OT security is a little more arcane and unavailable to people just because of the specialized expertise.
Cloud security is much more available on the faster path because more broadly applicable in some ways to any type of business as opposed to just a. Largely a medical critical infrastructure and so on, so it'll, it'll benefit there. But yeah, that totally makes sense. And I think one of the areas maybe we're overplaying the conversational side and the impact on things like analysis and detection, which is where our minds go.
But it's quite possible that from a training perspective, we're actually underestimating the impact, particularly for something like OT, which is. Black magic to most people that makes a ton of sense. Let's talk about Claroty for a minute and well, more than a minute here. We'll focus on it for a little bit here.
Now you guys are, how long has the company been around? 10 years, eight years. Okay. Eight year old company, a hundred million in ARR, which is amazing. I mean, that's blood, sweat and tears. And what have been some of the key moments along the way? If we were to look at like a timeline from inception to today, give us like.
I don't know, four or five of your like top moments that were just lines in the sand, they were big moments for you and for the company.
Galina: So, woof, where do I start? There are quite a few of those, but I think probably at the inception we had to like, Reimagine and redefine what a product that's purpose built for those networks could do, right?
Because we were stepping into a market dynamic that was, you know, a lot of the existing cybersecurity large vendors were trying to shove like regular I. T. products to those networks, and that was actually creating a backlash from the OT engineers because they were like literally breaking those networks.
And, you know, when your manufacturing process doesn't work, it kind of defeats the purpose. Cyber security was providing cyber security on top of it, right? So we were getting into the marketing to a very interesting time, and I think it took a lot of creativity to just kind of go in and tell people, Hey, this is possible, you know, specifically like investors, customers, let me show you a new way of how we could do this without breaking your networks, right?
But it took a lot of convincing, it took a lot of like technological power and it couldn't be done with shortcuts. Like I remember, you know, for the first like months and years, there was just all the, you know, hundreds of different types of like legacy equipment that we had to like acquire and make sure that we do like blind analysis protocol on the, on all these protocols and understand how they're working.
So there are no shortcuts and reimagine, you know, just a different way of how those. Technologies could be deployed. How
Dave: long did it take you to build a sellable?
Galina: We were selling in iterations, you know, , I was selling in iterations. But I would say, you know, it took like over like six months, I think to be able to walk into a specific vertical and say, Hey, dear Fortune 500 customer.
Fairly confident that we'll be able to figure out most of the stuff that you have. And everything was very vertical specific. So nowadays, you know, Claroty's probably deployed at like, I've lost the count, but well over 25 verticals, right? So we were very specific at the beginning going just kind of vertical by vertical and cracking that.
What was your first vertical energy? Oh, and gas. Yeah, actually it was like the hardest possible customer you could imagine is an offshore drilling platform and just to get there, you need to like literally be certified in like helicopter classes. Cause what happens if you've got, you need to get there with a helicopter and like what happens if.
You know, it's like there's an accident and you got to swim in the ocean. So we didn't choose like, but you know, when you're starting, it's like, Hey, here's a customer let's go and deploy and see what happens. But, um, yeah, we started with actually very, very like from a technology perspective, very challenging customers, which was a pain at the beginning, but I think it pushed us to just kind of make the product like robust and expand the protocol coverage, which was a big thing.
So that was kind of like one. origin story. I think some of our competitors tried to take the shortcuts way back then and just kind of like do the easy protocols or do some of them. And you just, that strategy didn't, didn't pan out. So that was one thing that we did. The second one is we kept on challenging ourselves in expanding, right?
So we started with two, three verticals. We really had great penetration there, but we're like, okay, what's next? Like, what is the bigger vision here? Cause we don't want to be just a visibility and threat detection, right? So. We kept on building vertical after vertical at the same time, expending on the use cases, because what we figured is that companies that are already playing in many of those use cases, they might want to just go and play into the industrial space as well.
I mean, you came from one of those companies like Tenable, right? So we're like. Damn, if we're going to be competing with a big company, we got to go and, you know, build some of those use cases. So as we kept on approaching verticals, new verticals, we also kept on building new use cases so that we could defend the territory from like the larger incumbents that could just, you know, come in and have the relationships and already have a large footprint in the accounts.
And one of the latest ways in which we kind of pushed ourselves was the healthcare expansion. And that has played really, really nicely as well. All right.
Dave: In hindsight, which one of the verticals was just the best? Which one really kind of catapulted the business forward? And which one was super painful and you'd never want to revisit?
Do you have any stories?
Galina: You need to like rank my customers now, which is a painful thing. No, but I would say, look, just by the definition of like the Physical distribution of things, oil and gas is always challenging, right? Cause like there's downstream, upstream, there's like drilling, there's distribution, there's so many different things in one vertical.
And this was one of the very first ones that we did. So he just kind of taught us a lot of great lessons and he really pushed us to be an excellent company. I think what we're seeing recently is a lot of the more traditional quote unquote IOT or building management systems verticals are picking up quite a lot.
So commercial real estates, hotels, casinos, data centers, the data center infrastructure of banks, you know, verticals that traditionally we weren't like proactively selling into commercial real estate, very hot right now, right? Because of obvious reasons, right? It becomes your resiliency of your infrastructure.
So those are very good verticals and they're. Easier to deploy in and just you're just, you know, you don't have to fly to an offshore drilling platform to do a deployment. So funnily
Dave: enough, Sean Cooley, who was on the podcast ages ago, first year, he was the CTO of Cisco's IOT business started a company called Mapped.
Where full disclosure, I am an investor, but they turn, they're capitalizing on the trend you just mentioned, which they have a box, which helps take a dumb building and turn it into a smart one, which of course got a nice boost through COVID because people want to understand flows, airflow and everything else.
So yeah, that, that makes a lot of sense. Give me. We've talked about some of the key moments. One of the bigger moments was when as a founder, you step back a little bit and you brought in, you know, a professional CEO. As I said, what were the signals for that? Like when did you look at yourself and the other founders and say, it's time and you know, do you think you got it
It's such a key moment in the life of a startup because it's like literally you're giving your baby to someone else to manage. So obviously not a trivial undertaking, but I think me and my co founders, first of all, we as personality enjoy the early stages a lot more. It's just kind of like getting that product market fit, you know, getting the few initial funds of investment, getting the strategic investors on board and just kind of like talking to customers, right?
And thankfully and greatly for us, we were very successful. The company was growing. We were on the right place, right time, kind of like on the heels of all of that. And at some point, you know, it was a grown up company and like you wake up one day and you're, I don't know how many people and you don't have HR, you don't have like some of the functions just because we were having a lot of fun and we were growing so fast.
And so the time came where we're also, you know. becomes a point of like running sales efficiencies and implementing processes and just having a different profile of a person that a enjoys different things, right? And also has that ability to just bring the company to the next stage. So I think it was the right time.
We just, by the way, it's from a humility perspective, it's very hard to acknowledge that, you know, maybe someone else is best. to take the company forward. And there are some amazing legendary CEOs that take the company from, you know, inception to kind of like IPO and beyond. But the more common scenario is that you kind of have to have that self awareness to say, Hey, this is not what I enjoy.
And this is not where my strengths are. So you got to give it to someone else. And so we were extremely fortunate, um, with the CEO that we found and just kind of how he managed to take us in the next stage of growth that also came with, so it wasn't just change. We also had to think about what is the executive team that is going to take us to the next stage of growth, right?
And you're just basically on a completely different road at that point. So we had to reevaluate a lot of things and over the last, uh, gosh, what has been like two, two and a half years, we pretty much, it's a new executive team and it's working wonderfully, right? It just bringing a level of expertise of just how things are done.
So we. Didn't have to figure out everything from scratch. Right. A lot of the early days were like figuring out how to do A, B, and C. And then there are like professionals that are doing this.
Dave: I'm sure there was a number of things, but was there a key moment or a key thing where you said, oof, this hurts and it's time to bring in somebody else?
It wasn't one. It was just sort of
Galina: like that. It was just kind of like, I think. You know, at least self aware and I think mature enough to be able to know that what like we need a different kind of profile to push things
Dave: forward. And did that come from you guys or the investors are kind of both around the same time?
Yeah, that's a happy moment and a rare one when it's a mutual decision. Let's talk a little bit about gender. And I think we were talking a little bit before we started, and this is the rare. company and especially the super rare cybersecurity company where a woman is the face of the business from day one, you know, until now.
And of course there's plenty of small ones, but a hundred million ARR company is not a small one as we just talked about. Can you think of any other ones that are out there?
Galina: So obviously the one that's gone through IPO is Michelle at Cloudflare, right? And that's absolutely amazing. I actually cannot think of, I gotta do some Googling, but I can think of another one that's gone IPO with a female founder in cybersecurity.
Do you have one?
Dave: Yeah, no, I don't want to have one in cybersecurity. I do think Christine at Vanta, you could claim not a security company, but I think that's splitting hairs there for all intents and purposes. Vanta is a security company, a security compliance company. They're not public yet. I think they're of similar size as Claroty.
That's the only other one that came to mind and not Bulgarian. So you've got like the Bulgarian female founded.
Galina: Edith from Launch Darkly. I'm pretty sure that they're over a hundred million error. I think she's talked about it publicly. It's kind of like a, I think a similar size, but yeah, I got to do some Googling.
But, um. There are only a handful of us that are really at that, at that size. And actually it was funny, like a few years ago, I was part of this like mentoring kind of thing. And you were obviously supposed to be mentored by someone who's like ahead of you. The only other person within that industry that could mentor me was Michelle.
So when I first. Matter of fact, the first time I'm like, you know, cause there are a few years ahead of us in terms of progress. I'm like, I want to be you when I grow up, like teach me. Right. Unfortunately, that's one general problem that we have in cybersecurity and technology in general. There's just not enough role models that are women, women led organizations, women founded organizations.
And I do what I can to. Change that, you know, it's like I invest in those types of companies. I mentor, I try to help them through like board work or, or whatnot. But I feel a lot of it is just a gap of the confidence for whatever reason, you know, social conditioning, the way we're raised, whatever it is.
And of course, like the world is not a very fair place and just that gap in confidence over time results in. What is the size of the problem that you work on? How much, how are you pitching investors? You know, how are you, I don't know, like self promoting, what kind of challenges you're taking on? All of that.
I think the end result of it is that we have very few women in general, founder women that are working on really tough problems. And I think then that goes into the cycle of like, obviously they're not getting enough capital and it's just kind of like a spiral. But the numbers are absolutely dismal. I think.
What I recall from the research, I think less than 2% of companies are like female founded and in cybersecurity is probably even less than
Dave: that. I think there's reason to believe it's getting a little better, but progress on erasing the gender gap in cybersecurity from everything from just sheer numbers to pay and everything else, like just go to an industry event.
It's very clear that we haven't made much progress, but yet. Maybe your lesson can be instructive here somewhat for people. What would you offer up from your own experience? Like, why did you feel like you could be successful at it and push for it and make it happen? Whereas you think, you know, what enabled you to do that where other people would not?
Was it self confidence? Was it something else? What got you there that other people might be able to learn from? I
Galina: think I had a lot of amazing mentors along the way. And to be honest, I didn't have a lot of like role models in women. Like, you know, I remember one of the kind of first executives that I spoke to at IBM, I was like, you know, in my first or like early days in the company, I was just like, if you want to be successful, you got to always like wear a suit and like take.
Three weeks, if you're ever having kids and like be like the guys. And I was like, what? Like, no, I just want to be myself. So I think as an industry in general, technology in general, we've come a long way of just like, be who you are. Then people will accept you once you prove yourself. But what concretely, what helped me is just having mentors and people believing in me.
I think people just like recognizing my abilities and like pushing me, I had to be pushed at the beginning, right? I wasn't the one like raising my hand and say, Hey, I'm going to take that assignments. Like my managers or my executives will come to me and be like, yeah, you're working on this like integration project or whatever.
Like you're flying to Switzerland tomorrow to integrate this company. I'm like, what me, like me, I'm like, I just started. Right. So I think it takes whether it doesn't really matter gender, but it just takes. It's someone to like recognize your abilities and just kind of push you. So I think that's one of the main differences that I see and of course can generalize, but relatively speaking, generally speaking, for whatever reason, you know, men tend to be socialized in a different way and they're just more willing to like raise their hand and say, I'm going to take it as a project or whatever, even if they don't have the full knowledge of it.
Same thing for like taking jobs, right? I think there's a very well established body of research that shows that. Women would only take the job or even apply for the job if they fulfill a hundred percent of the requirements, whereas for men, it's like a much lower number. And in that regard, I think that's why I talk about the confidence gap.
You know, some of it is if you're lucky enough to have a mentor or seek out those mentors, right. That can give you that push, objective push. And the other one is just push yourself. Right. So I feel like in my case, once I kind of got a little bit of that inertia of like. Okay. These people that I respect are actually telling me that I should do that.
And they think I'll be good at it. So like next time I just started getting like a little bit bolder and bolder, just raising my hand, right. To do things. Right. And so that's also kind of how a lot of people ask me, why did you leave your cushy job? You know, being mentored by the CEO of the company. And, and, you know, it's like, cause that was my dream before my MBA.
I was like, I'm going to be the CEO of a fortune 500 company. That's what I want it to be. Right. I didn't even know that like entrepreneurship could be a route. And then once I got into, into Siemens and just kind of like build a business within a larger business, I'm like, Oh, okay. That's a stepping stone for my confidence that maybe I could do this on my own with external capital.
And then that's where I just kind of had to push myself and say, I'm going to leave my cushy executive job and go and figure it out. And that's what I did. But it does take people along the way who can help you. Cause it's, we cannot be infinitely self motivating, especially given. Um, on a daily basis, all the, I call it like dead by thousand cuts that you get all the little reminders of like people kind of reminding you, most of the time they're not even conscious of the biases, but just kind of like, you know, you walk into the room that happened to me all the time.
I would walk in with like a man who works for me and that would like think that I work for them like a hundred percent of the time or being at a founder's event and then they're asking. me like, what is my role in a company? When I'm like, I'm at a founder's event. What do you think is my role in the company?
Right. But just because of the gender, right. Or just like not paying, just the simplest of things, not paying attention to you, right. Like not talking to you. And that's something that to this day, I just have to fight with, especially if it's, you know, if it's an environment where people know who I am.
They'll talk to me. But if you just like, I do these experiments all the time. If I go to like a completely new field, right. At a conference or an event, whatever, like you just see in a three or four people conversation, how everybody, including the women, most of the times are just kind of talking to the men.
So the simplest of things that. You, anyone can do is just recognize the women in the conversation or whatever minority they are. And the other one is that I always say, assume that they're the CEO and assume that they're technical. Oh, that's the other thing. You know, people start talking to me, like I'm not technical.
And I'm like, yeah, I understand what you're saying. Explain it to me technically. So those are like the key things. So we just take kind of like, almost like a beating on a daily basis. And so it's hard to self motivate. So. It's important to seek out those mentors and supporters from the outside that are going to like cheerlead you along the way.
But, you know, I'm a huge believer of just taking our own destiny in our own hands. Like I don't like the victim mentality, right? The victim mentality. So you just got to say, I'm going to go do it and believe in
Dave: yourself. I think it's, I've heard it couched as sort of a nonstop parade of microaggressions.
You know, just every day, but what's interesting is, and I think some of this is just, it's in your DNA. There's nothing about you that's timid, seemingly, at least at this point in your life, and, but I'm sure that some of this was just inside of you and it was who you were, but having those mentors and those people who offset those microaggressions and were, you know, more than micro significant supporters, but maybe it wasn't something big, but it was encouraging you or pushing you along.
It seems like as. We kind of steer towards the end of the conversation. I don't know. It's already been an hour somehow. It feels like one of the things that men can do is exactly what you said is offset those microaggressions by overtly doing things and yeah. And you gave two great examples. What else would you tell the men in the industry that they can do in order to help since the industry is mostly full of men?
Galina: Well, don't go to the other extreme, right? Like I've heard a lot of men be like, Oh, I'm not going to go to this event or I'm not going to like get, you know, a couple of drinks because I don't want to like, whatever. I don't want like my behavior to be whatever misconstrued or whatever. I think this is also the extreme.
I think, you know, first and foremost, you got to recognize the professional behind the gender. Right. And so just do that. Just treat us like you would treat. a buddy and offer the same support and encouragement. And I think from my experience, vast majority of those micro, I don't know if microaggression is the right word, but whatever, like dismissals, just like not paying attention.
It's just subconscious, right? It's not that people are consciously dismissive of you, but so you can turn that around to your benefit and to the benefit of women. And just, just be conscious of it. And again, assume that she's the boss. She's the one in power in charge of whatever it is that is the subject of conversation.
Assume she's technical, especially in our industry. I am struggling to think of a woman in cybersecurity that is not technical because we had to be extra technical to overcome the bias against us. Right. So assume that we are the boss, assume that we're technical, assume that we know what we're talking about.
And if we don't, we'll tell you, right. But it's kind of nice to kind of get the compliment the other way around and just recognize the presence and talk to us. And then of course, the other thing is like stand up and defend where appropriate. A lot of times, you know, for women that just don't have that initial confidence to raise their hand, maybe help them do that.
And I've seen a lot of amazing examples like across the board, right. That's
Dave: great. And some of this feels like, look, you have biases. We have biases as human being doing overtly doing things to offset those is kind of I was thinking in my head. It's like, yeah, that makes sense. You know, you have them recognize them.
You know, nobody's colorblind. Let's be clear. You know, these are in us. We need to be honest about those and overtly do things to counterbalance them. What about the women who are considering cybersecurity or early in the cybersecurity career? How would you advise them? What would you give them as a recipe for success?
Maybe the things that worked for you along the way?
Galina: I would definitely say the mentorship. You just got to have your supporters. And by the way, they don't have to be women. They could be, you know, men, whatever. It doesn't matter. You just got to find folks that will cheer you along the way. And because at the end of the day, It comes down to networks, right?
Networks is how we get things done. You know, whether that's finding your next job, you know, founding your spouse, whatever, everything, right? So you just got to be invited. You just got to be part of those networks and having mentors that could open the door for you and kind of. Help you get a seat at the table is all it takes.
Right. And again, here, what we're trying to do is we're trying to offset the natural kind of like biases that we have. It's not about, you know, affirmative action or giving people jobs that don't deserve the jobs. I can tell you, you know, just in my experience of like working with women, women get shit done.
Right. I mean, I like, I work with a lot of wonderful men as well, but it is my experience that just. Like women get shit done and it's the same thing in technology, right? They're very proactive and they just find ways of like getting stuff done because that's just the nature of the gender for like millennials.
We had to take care of a lot of things, right? So I think it's the simple things. I think it's the simple things that are making the most of impact and rather than just, uh, you know, calling for some kind of a dramatic call to action or something like that, be the change you want to be, you want to see in the world, who said that, Gandhi or something, but yeah, it starts with us.
And I can tell you from my own personal experience is that like no policy at a company or something like that could have had as much of an impact as just someone saying a kind word or offering help or offering a conversation or offering access to their network. And again, I've, I've just been so privileged to have a lot of those men and women in my life and I continue to seek them out as I continue to expand my network and I continue and I know I try to like also help.
weird access to those network for, for other women that are just kind of growing their career. So it's, it's the small things that count. That's what I believe in. That's great.
Dave: And things that anybody can do work at a conference, any sort of industry event. All right, let's wrap up and look ahead. Let's say that you do this again.
Let's say that you, you unpack your bags from Claroty at some undetermined point in the future. And you say, Oh God, I'm absolutely going to do that again. But I Absolutely won't make that mistake again in the waning moments here, give us your, um, your hard fought wisdom of the absolute will do list for Galina Antova and the absolute, Oh my God, I will never do that again.
Galina: Oh my God. So first of all, I would absolutely do it again. It just, it was, and it continues to be just the most magical experience. I mean, you know, this from Creating companies of your own is just, it's like you're high. I mean, the highs are high and the lows are lows, but the experience is just magical.
And, you know, I kind of had like a semi of that experience at Siemens where I started a new business within organization. Then with Claroty was just absolutely. Incredible to create something in a domain that is just so important. Like the mission is like really important to me writing in what we do.
And yes, there were a lot of like painful moments. I'll talk about those in just a moment, but I would absolutely do it again. I got a ton of friends calling me and like offering me VC jobs and whatnot. And I'm like, just no way. Best job in the world is a startup founder. And so I'll do it again, at least one more time.
So we'll see as to the timing of that, but what would I do the same? And what would I do wrong? I think I had a lot of fun because I work with like the best people. Right. So I think it makes a huge difference if you've got a team that's like. You're learning from right and you work with just the best in the industry.
So that gave me a huge boost. Like we were working on a meaningful, important problem I can tell you is I'm not going to do like a feature company or stuff like that. And unfortunately there are way too many of those in our industry, right? That's actually one of the big challenges I see us having is just how fragmented, right?
Our. security defenses are when it comes to like the technologies that we're using. So maybe that becomes an idea for later on.
Dave: A feature company. Yeah. Yeah. So you want to do a platform instead, otherwise take on a huge problem.
Galina: It needs to be a huge problem because again, it just, I saw the advantages of that.
The reality is that you're going to make a million mistakes along the way. And I think what gave us. Quote unquote, like the cushion or the push when things were not great at Claroty was just the fact that we were in a gigantic market in a market that was just starting to get developed, right? So it's kind of hard to hit the jackpot twice, but I'm definitely going to aim for something that's kind of like of that magnitude.
So that. and the people you work with, definitely I'll do again. As to the mistakes, honestly, there are too many of them. I think we've made every, every, probably every mistake under the sun. Most of them were recovered fast from. So I think you just can't avoid the mistakes, whether that's like hiring the wrong person or not doing something fast enough, but you just got to catch yourself and you got to have the honesty and the humility to accept that you've made that mistake and kind Do it reverse the action.
There are very few decisions that are irreversible in the startup life. And so you just got to be honest with yourself. That's probably like the hardest thing.
Dave: So the, the big thing to avoid is beating yourself up. You're going to make mistakes, just recognize it, have the humility to recognize it and recover quickly.
Is that right?
Galina: Absolutely. And just, again, you just got to, you're going to make all of those mistakes. There's just no, I'm going to make new mistakes in, in whatever company I end up. Creating next, but just give yourself the cushion, right? And so the cushion is big Tim, big problem, good investors, investors that have your back, right?
Actually, one of the things that I was always like conscious of is like, I'm sure things are going to be awesome. If the company's doing great, what is going to be your reaction? Or can I talk to people that have been in a situation that's. And how did you react? Right. Cause you want to have your support network, your investors being a huge part of that when things don't go well.
Right. So yeah, I'm looking forward to making new mistakes and learning from them and working with awesome people at some point in the future.
Dave: Fantastic. All right. Well, thanks so much. Not only for being on Scary Voices, but for driving across town. All the way from Hollywood Hills to join me here. It's no small feat.
So great to see you.
Galina: Thank you so much for having me. It was a pleasure. Thanks.