SafeBase Presents: How Netflix is Saving Cybersecurity with Craig Goodwin, Co-founder and Chief Product & Strategy Officer at Cyvatar

Kevin Qiu
November 2, 2021

Al Yang

Today we have Craig Goodwin, co-founder and Chief Product and Strategy Officer at Cyvatar. Craig is going to be giving us a highlight about how Netflix saved cybersecurity. He's a domain expert, and Craig leads Cyvatar's product strategy, product management and engineering function and is a member of the senior leadership team. Prior to Cyvatar he spent 20 years in the security industry, starting with the intelligence services in the United Kingdom. He then went on to hold the roles of Global Chief Security Officer for a number of large public and private sector organizations, including Fujitsu and Monster Worldwide, just to name a couple of organizations. He spent his career driving real business outcomes from his security organizations, positioning security as an enabler for digital trust and transformation rather than a hindrance, which is strongly aligned with our mission here at SafeBase. And Craig is a Certified Chief Information Security Officer and a Certified Information Systems Security Professional. So I hope that didn't take up the whole webinar. Just kidding. Away you go, Craig.

Craig Goodwin

Thanks. Yeah, I appreciate it. That was the longest intro and most formal intro I've ever had. So I'll take it. Yeah, super cool to be here. Thanks. Thanks, SafeBase, for setting this up. As I mentioned, I love SafeBase's organization. And I'll touch a little bit on what Cyvatar is doing. But so many crossovers, so many things that I love about what SafeBase is delivering are reflected in the Cyvatar model as well and in how we're approaching kind of fixing some of the real issues in the cybersecurity industry more widely. So yeah, again, thanks Al. Thanks, team.

Just absolutely fantastic to be here. So, really quick before we dive in, just a quick couple of minutes on Cyvatar, where we do give you some context for this kind of briefing, I guess, and where we're coming from when we talk about the comparisons between Netflix and the cybersecurity industry in general. So as I mentioned, my background: I've been an end user Chief Security Officer for over 18 years, building, running, operating large scale cybersecurity functions. I'm really trying to focus throughout that time on driving real business outcomes with the security function. And we can talk about a little bit what that means to me as we go through the presentation.

And then my co-founder Corey White. So Corey comes from a more vendor centric background; his last business was Cylance, which eventually sold to BlackBerry. But the thing that we had very much in common when we came together to found Cyvatar a few years ago now was about delivering customers real outcomes, you know, delivering things that actually mattered to the organization and actually reducing and remediating risks rather than just picking out the holes, identifying problems and ultimately giving the end user security organization more things to do, rather than less. And what we built at Cyvatar is true cybersecurity as a service, all inclusive, subscription based solutions that drive continuous remediation across a ton of different cybersecurity areas. And just like any of the best subscriptions, they're all inclusive, you can cancel them any time and they consume on demand. So, you know, come and check us out. See what we're doing that's different. But that's Cyvatar in a nutshell.

So when we think about comparisons to the industry, and we think about kind of what the industry looked like pre-Netflix, we have Blockbuster, right? Everyone knows Blockbuster. Blockbuster was an incredible organization. It's one of those organizations that we think of when we think about originally creating an industry. It's iconic, not just in the US, actually. So talking to the US centric crowd here, I suspect, but you know, not only in the US: in the UK, I remember growing up as a child taking my weekly or monthly trips to Blockbuster to pick up popcorn and grab a film to then go home and watch in the VHS player and eventually, kind of just touching on, the DVD player, as it said.

And Blockbuster was an incredible business that exploded in the US and globally, blew up to a huge scale of 800 stores. It was the leading video rental business. It was part of pop culture, you know, even today, despite its demise, Blockbuster is really seen as kind of that archaic brand, you know, moving towards being a verb, go to Blockbuster, you know, you don't go to the video rental store, you'd go to Blockbuster. And in its peak year, almost 9000 stores, which is just mind boggling globally, and 5.9 billion in revenue.

So at that point in their evolution, they must have been doing something right, right? They hit the market at the right time, they grew incredibly quickly. And they blew up in revenues very, very fast. And continued to maintain that for a long time. So clearly, there was something there; clearly there was a foundation. And if you think about the cybersecurity industry, of course, we see a million different businesses that blow up in an almost similar way. You know, they've blown up over the years, we think of AV companies, you know, we think of the endpoint protection companies of the world that very quickly exploded, and became a massive part of not just the industry, but the vernacular with which we speak about the industry, and became synonymous with security itself. And that's kind of what Blockbuster did, initially, with the video rental industry.

But what went wrong? Well, what went wrong is that they failed to keep pace with innovation. And this is just one story, right? You can think of a million others, the likes of Kodak and all those other famous stories about businesses that just didn't keep pace with what the modern industry wanted. And if we think about what those things were that ultimately led to the demise of Blockbuster, the key one always comes out if you Google it and start to look for the stories of Blockbuster, was late fees, right. And the reason late fees was such an important thing, not just because it upset me, but also that it was putting the profits of the organization above the customer experience. It was a really tangible example of where actually, you know, the business itself, the business's revenue streams, and the business stakeholders were far exceeding what they wanted the customer experience to be like.

Secondly, they just weren't focused on the outcome of entertainment. But you could argue, and lots of people do, that Blockbuster was really uniquely positioned to take the market over from a digital perspective. It wasn't the fact that the market had changed, because Blockbuster was positioned to take advantage of that. It was the fact that they weren't focused on the outcome of entertainment. If you think about how you consume from Netflix nowadays, it's not about taking those individual physical tapes. It was never about having a DVD player or all of those constituent parts. It was about just getting the outcome of media. And there are a ton of other examples, right? You take now the Ubers of the world, right? You take the Spotifies of the world. They all moved into a digitalized industry and pushed out the previous players who just weren't set up to adapt to that change or adapt to that technology. And what most of that comes down to is not being covered, essentially not understanding what the customer wants to achieve, or what the customer wants to gain from that engagement with the third party or with the company. And because of all of those things, they ultimately failed, and went out of business.

Now, if I look at the comparisons in terms of what we see within the cybersecurity industry, there's a huge focus on response, rather than prevention. There's a huge focus on delivering managed detection and response after the fact, right, after the fact that these things have occurred, after the fact that a breach has occurred. If you look at the managed security services industry, it's very much built around the premise of that business making money out of the incidents. And actually there's a pretty neat comparison there. Making money off late fees, versus making profit from the incidents of the customer, is a really direct comparison about where customer failure, which seems a bit of a harsh word, and the word in security I'll accept, but where the customer's security program failure actually becomes the profit of the organizations. And what that means is that business is not ultimately set up to achieve those outcomes. When the outcome that you want to achieve with your customer is not aligned with the money that you're making, those things are ultimately going to come to a head and fail. So what that all means is none of the cybersecurity industry is really focused on getting to a true outcome of security. It's focused on delivering issues, delivering alerts, delivering after the fact responses to existing security incidents or, put in a harsher way, customers who have failed to protect themselves. And ultimately, we think that's doomed to fail in the same way that Blockbuster was doomed to fail, in that this business model was not aligned with its customer outcomes.

And it's pretty nicely summed up in this quote, right: whereas Netflix developed a business model that simplified the video renting process, making the experience more enjoyable for its customers, Blockbuster was ultimately focused on maximizing their own business returns. So what I'd encourage everyone to do from an end user perspective is really to focus on challenging their vendors about whether they actually care, challenging their vendors about whether they are delivering, at the heart of what they're doing, the best outcome for those end user customers. Because of all these things that we see in the cybersecurity industry, and because of the way that most of the vendors are set up, we're ultimately failing, we're ultimately failing to control that problem. And why wouldn't we be failing, based on the examples that we just talked about? Why wouldn't we be failing, predicated upon the fact that we are just responding to these things? If I liken it to my career as a Chief Security Officer, too much of the time, in fact, most of the time was spent ultimately firefighting, reacting to issues but never solving the wrong root cause of those issues. Twice as many records stolen in the last year, malware infections continue to rise. Ransomware incidents continue to rise. And yet the money and the spending on cybersecurity increases exponentially every single year. And both of those things just don't marry up. And we're failing to deliver because we're focusing on that constant firefighting. All our vendors are set up to focus on that constant firefighting. Everyone makes money out of that constant firefighting. So all of those things in a nice melting pot lead to us ultimately failing and not really solving the actual problems.

So how do we change that and what did Netflix do, right? Well, of course, number one, Netflix got rid of those late fees, right? Their business model wasn't predicated upon the customer being wrong. It wasn't predicated upon the customer experience being bad, because it made you feel bad as a customer when you didn't deliver it on time. And it gave that horrible taste in the mouth for you, charging money for it. So the business wasn't set up to make profit out of that. They profited from the actual customer value and outcome, the ability to consume the media that was wanted, when it was wanted, in a fast and easy way. It made the entertainment more accessible and convenient. Again, adding to that customer experience, making it available when they needed it and profiting off the fact that it was available and accessible and convenient to the customer. That's what made people sign up. That's what made it a no brainer to just sign up for your Netflix free trial, and then ultimately pay for it later. Because everything was available when you needed it. And you didn't get penalized for late fees, you didn't get penalized for not using it, right?

They changed and adapted with technology. You know, there's a whole other webinar to talk about businesses going from great to good, and you know the way that you drive and develop the business, but ultimately, it boils down to that lack of adaptation to technology. And they've stayed maniacally focused on customer satisfaction. The important thing about that is loads of people say it, lots of businesses say they are focused on the customer, lots of businesses say they are customer focused. But it's about aligning the real business model: how you make money as a vendor has to align to the customers being satisfied, otherwise that business model breaks.

And finally, talk about actually delivering outcomes, right, and delivering real outcomes to the customer. So what does that mean for cybersecurity? Well, it means actually resolving things, it means getting ahead of the things that are going to go wrong, and preventing things from happening within the customer environment. It's strange, because I talk to fellow CISOs, as I talk to our customers, and that language is really not prevalent, or as prevalent as it should be, across the security industry, right? We talk about detection and response, we talk about the last three phases of our models, we talk about how we detect things, how we monitor things, how we react to things. We don't talk about how we build hygiene into our security programs, we don't talk about how we build the basics in from the beginning, before things go wrong, so that ultimately we're resilient enough to then deal with the smaller percentage of risks or incidents that do ultimately happen. We need to focus on the customer lifetime value. Like, how many end user security people do we know that ultimately have an engagement with a vendor during the sales process, and then as soon as you buy that product, they disappear until the renewal comes up again in 1, 2, 3 years' time, right?

And that shouldn't be the way it is. With a constant value delivery, with a constant outcome based model, the onus is on the vendor to always deliver that value. And the analogy is Netflix, right? You look at Netflix, the onus is on Netflix to always deliver new content, to always make that experience better, to always make more and more media content accessible, good media content accessible. The onus is shifted onto Netflix to make that a good experience. And this just proves the point. We can clearly see in the numbers here how effective that process was, how quickly Blockbuster dropped off when that value proposition just was no longer there, and someone came along with that lifetime value, that subscription based model that delivered continuous outcomes and delivered continuous value to its customers.

So how do we adapt to these new changing times? How are we building subscription based solutions that recognize the way that end users now expect security to be delivered? What customers want is flexibility. I mentioned this earlier on: they want it on demand, and when they need it, the ability to be able to shift between products if one is better than the other at meeting their needs. They want the ability to grow within that subscription, the ability to pick and choose what they need, when they need it. We all know that modern business changes at a rapid rate. So to go and buy a single product and expect it to fulfill your needs for the whole five year contract, as it used to be, just isn't reasonable anymore. We want that vendor, that person who is delivering the subscription, that Netflix, to deliver continuous value, right? It's not about delivering one off spot products. It's not about selling you something and then walking away. We know how important, as end user security people, it is to constantly monitor. We say things like "security is a condition to be managed, not a problem to be fixed"; it is something that we need to manage over time. And the vendor models need to reflect that. Delivering a one off product does not reflect the fact that organizations and businesses are constantly changing. How can you expect the product to adapt with it? So we need to deliver continuous and constant value.

Most successful industries have adapted to this point, right? Cybersecurity has not. Think of TriNet for HR: many small businesses are using on demand HR services through TriNet or a similar solution. Gusto for payroll is another example. Corey and I don't want to have to deal with HR, right? So we use an on demand solution that allows us to leave human resources based solutions to them. There are tons of other industries that have adapted to this; why hasn't cybersecurity? Well, it has now and it will continue to do so. It builds trust and loyalty. A membership program is not just about delivering a single win or failure to a single customer, it becomes about community. So the value of the whole is greater than the individuals. And it's transparent and measurable. You can see the outcomes, you can see what you're doing, you can see the outcomes that you're actually being delivered. You take something like a threat and vulnerability management program.

For example, how often have we been sold those programs by vendors and the outcome is a ton of scan results that sit on the desk for the next six months, because we can't fix them? And then we come back the next year and do another pen test and we get the same thing. It needs to be measurable, we need to reduce risk as a result of using a product or a service. And that needs to be continuous. So all of these things need to be present in order to deliver and really recognize change, and change the way that the industry is delivering cybersecurity solutions today. So this would be my challenge to you. All right, go to your security vendors. Go to those thousands of product companies that are out there that you guys are using and challenge them to do better. I challenge everyone to look at the real value prop of the solutions that you're buying, the products that you're buying, and ask them to show that true continuous value. Don't let them walk away after they sold you the product; talk about continuous value, hold them to account for that continuous value. And don't let them be the Blockbuster of the world. We want everyone to be the Netflix. So, thanks for having us, really appreciate it, more than happy to take questions now. If anyone wants to follow up, details are there. Would love to show more about what Cyvatar is doing and would love everyone to engage. So thanks so much.

Al Yang

Thanks, Craig. I wanted to point out a couple of, oh, well, a couple of reactions. So I agree with the thesis here. And we're seeing that trend. We're seeing a lot of companies trying to do that in cybersecurity. I'm just sort of curious how Cyvatar has been able to lead with this philosophy. We have a few mutual customers, and they frankly use many different solutions. So it's not just, you know, one vendor. How are you trying to stand out? Or how have you seen companies do this well, in terms of delivering that continuous value for customer experience?

Craig Goodwin

Yeah, I mean, 100%. And it's a bit of a cliche, I think, in the industry now, but it's still not being done very well, which is that concept that Bruce Schneier had, like, almost 20 years ago now: people, process and technology. And I think fundamentally, we're always missing a part of that. And I think a lot of vendors, and we both know this, a lot of VC firms, quite frankly, that fund those vendors are set up to be really scared of the process and services bit. So what you end up with is just a ton of companies, four and a half thousand, whatever the number is, that purely focus on the tech part of that triad. So, you know, what we've done successfully at Cyvatar is bring those three components together into our subscriptions and realize that you can't get away with missing any of those three pieces. So we've taken best of breed solutions, we've found a way of utilizing those, but combined them well with services on the backend, with an automated platform, and really, really well built and repeatable processes into those fully managed subscriptions that deliver the real outcomes for customers. And the secret sauce in all that is really just experience, right? Delivering real outcomes, being focused on what the customers' outcomes need to be, and making sure we do that really repetitively. And, you know, with real quality service in mind.

Al Yang

Love that. And are you seeing any sort of changes or learnings as you do this? Because, different from maybe other services or experiences where you want to constantly be seeing your customer, I kind of see cybersecurity in some ways as medicine: you kind of don't want to see your doctor all the time, because, I mean, but then you want your doctor to be really nice to you, but you don't want to see them. So are you seeing something here where you want to provide that experience, but at the same time you want to provide the right solution, so maybe they don't have to come talk to you at all? Are you seeing this kind of balance? How are you thinking about that?

Craig Goodwin

Yeah, 100%, because one of the things that we mentioned, you know, it's like Netflix with the flexibility, you can pick and choose what you want. And actually, you know, we've got customers that run the gamut. So we've got customers who just say, quite frankly, "Look, Craig, take the pain away, like, you know, I just want to look at my dashboard once a month, and I just want to be happy that I'm in a good place," right. But we've also got customers, to your point, who are incredibly techie and like to be hands on and can dive into the issues, can dive into the tools. We've built a model that is incredibly transparent, you know, to any of our customers. So quite frankly, we're flexible enough to be able to cater to both of those. If you want Cyvatar to completely take the pain away, we can do that. If you want to dive in and get geeky about it and choose your tools and get involved with the remediation, we can do that too. And we facilitate both those models. So I think the key for us is remaining flexible, and making sure we cater to both kinds of audience.

Al Yang

Well, I love that philosophy too. Because, yeah, you know, SafeBase, while we're in our, call it, early stage phase where a lot of the philosophies are around choosing your target customer, I do believe building in flexibility and transparency early on that allow you to understand what your customers really want, and be able to service them, is pretty key. So I love hearing that. I see the NPS on your product being very high, so clearly it's working. And I'd love to see how, you know, your team and your customers continue to kind of grow and share the learning. So I know we're eating up a lot of time here. This has been really thoughtful, really helpful. Again, we're going to transcribe this and send it across to you guys, as well as to everybody on our list, and I want to thank all the attendees for joining. I've kind of run through most of the questions I'm seeing. So thank you, Craig, thank you for the time, and I want to thank everybody for joining.

Craig Goodwin

Yeah, thanks, SafeBase. Thanks, our pleasure to be here.

Al Yang

Take care. Bye bye.
