Interview extracts from the first volume of an oral history of cybersecurity practitioners.
There are a few cybersecurity tools that might be considered ubiquitous. The vulnerability scanner, Nessus, from Tenable Network Security, is arguably one of them. Tenable Network Security was started by Ron Gula. Gula launched his commercial security career after serving in the Air Force. Having started several successful cybersecurity businesses, including Tenable, he now invests in them.
Ron Gula: At the beginning of 2017, I founded Gula Tech Adventures, which is a cyber venture capital fund. We invest in start-ups at the seed stage, as well as follow-on rounds. We’re spending most of this and next year building up our experience as investors. I have twenty years of experience bringing security products to market, along with my wife Cyndi Gula, who is my partner in Gula Tech Adventures. We’re hoping that by this time next year we’ll be starting a new and much larger fund.
Our investment thesis is that there are plenty of cybersecurity services companies that have developed code or techniques they want to productize. Several of our portfolio companies are spin-offs from larger and older companies. Founders know what they’re doing on the technology side, but this is probably their first business. We have a lot to offer, having a track record of bringing products to market. We have about twenty-five different companies—four to five of them are very sophisticated, and we don’t need to do a lot with them. The rest—we probably talk to them every day on a wide range of issues … technology, business, personnel, media relations … you name it.
As a CEO you’re always trying to sell your company’s capabilities. It’s a different dynamic as an investor. Everyone wants to talk to you. There is always feedback from all directions. It’s fun to have a conversation with a CISO, and talk about the portfolio, and find something that filled a niche. I really enjoy this because at Tenable we were very focused on our core business, but the wider market is so much bigger. I want to get more involved in proactive cyber hygiene. We have a company that does automated breach simulation.
I’m probably most recognized as co-founder and CEO—and CTO for a long time—of Tenable Network Security. We grew Tenable to over 1,000 people, and we’ve got over 30,000 customers worldwide. It’s just insane, the popularity of what we built. Before that I was in the intrusion detection business. I started a company called Network Security Wizards and brought the Dragon IDS to market, and sold it to Enterasys Networks. This was the late ’90s to early 2000s, so I was there at the birth of the intrusion prevention and detection markets. The same holds true for the security monitoring market with Tenable. Getting in early and building successful companies is a lot of fun. Fingerprints of Network Security Wizards and Tenable are found on a lot of the big, famous companies out there. Being able to give people their start, and to see them start their own thing or get involved in bigger things is great.
How did you get started in security?
My dad worked for IBM. I was always into computers growing up. I had an Atari 400. I had a PC Jr. When I went to school at Clarkson University, I was roommates with Marty Roesch, and we had one of the first x86-based computers on campus. The word “cyber” was not what it is today. It was like something alien, like the Cybermen in [Doctor Who](https://en.wikipedia.org/wiki/Doctor_Who). I really understood hacking and information security and wanted to do that, but I also had aspirations of being an astronaut, so I went to flight school. That didn’t work out, so I went back to my second love—really my first love, now that I think about it—computers.
I had a couple of interesting jobs in the Air Force, but my last one was at the National Security Agency, where I got to do penetration testing and vulnerability research full time. This was in the mid-90s, when the Air Force was standing up its information warfare squadron and information warfare center. That, along with what was going on at NSA at the time, gave me a front row seat into the early days of what we now think of as “cybersecurity.” Being there at the beginning, so to speak, gave me a unique perspective. Even then we didn’t have enough people to do the work, which is why I’ve spent my time focusing on products. You have to compensate for that lack of human talent by using products and controls that can amplify or multiply effects across a system.
When I got to NSA, I got to meet with a lot of people who had been there and done that … people like Becky Bace, people like Dorothy Denning, people like Gene Spafford. Becky, if anybody, was probably my biggest mentor. She invented a lot of things; she wrote the book on intrusion detection. But as much value as I got from those relationships, you have to keep in mind that mentors are not perfect. They have answers, but those answers might not be right for you. Different people are going to tell you different things, and you have to have some experience to sort through very differing opinions. You need to develop a “gut” feeling. You get a room full of seasoned experts … brilliant people, and they’re going to disagree on a lot of things, which speaks to how complex these issues are. The biggest thing mentors can do is give you confidence. A lot of people said launching Dragon IDS was a mistake. They said, “The world is moving towards encrypting everything, and you won’t be able to sniff anything. The big boys are going to get into the game and crush you.” Becky gave me the confidence I needed to make the leap.
What’s the biggest problem in cybersecurity right now?
How unaware people are about the state of security in any given organization. A lay-person can look at things in most fields and get a pretty good sense of when something is not right. You expect that a new car coming out today will have certain features and meet certain standards, and you’ll look askance if they don’t. If you were getting on a plane for a trip to Hawaii, and you saw propellers vice a jet engine, you’d know something wasn’t quite right, even without a degree in aeronautical engineering. When it comes to network security, people have no clue. There is no way the average person could walk into a company of any size and know if they’ve got their act together when it comes to security. People on the inside of these organizations have a hard time doing it as well. We’re not making progress because people spend so much time doing busy work. I’m not trying to trivialize their efforts, but the bulk of the job is compensating for errors made before they got there. People can’t take a step forward because they’re trying to avoid sliding backwards.
When I think about our industry today, I think back to when I was at Tenable. A lot of what we were defending is now moving to the cloud. Imagine a big enterprise with an Exchange server and Active Directory and Windows and backups and failover. All of that goes away when you move to the cloud. So I used to think things were getting better. The reality, though, is that the voracity and audacity of these current attacks are making them much more successful than attacks in the past. Even though you’ve got a 24/7 Security Operations Center and multiple network and end-point monitoring devices, we’re still getting owned. There is no shortage of breaches, and every new one is bigger than the last one.
I’m really worried now that there is so much technical debt in cybersecurity. It is very difficult to defend an enterprise and come up with a remediation. You can’t take out all risk, everyone knows that, so you want to decrease complexity and give that job to people who know better, or can do better. We can debate who does a better job at building and securing cloud infrastructure, but whether it’s Google or Microsoft or Amazon, or any company’s internal IT team, any one of them is probably going to do a better job than I can.
Cybersecurity might be a relatively new field, but the problems have remained fairly constant over time. How do we start making progress? Can we avoid tragedy?
What does winning look like? Is it no more OPMs? If you look at the impact of major events, the world didn’t end. We didn’t fall into a Mad Max type scenario. I’ve got four or five devices around me. If we assume everything is already compromised—look, if someone really wants to get on my system—they’re going to find a way. My point is that’s the life we’re living. Given the problem we’ve faced, it seems to be working. I think to do more, substantially more—actually remove threats or classes of problems—risks totalitarianism. It’s difficult to say what winning is or better security looks like at this point because we’ve not really had that conversation as a country.
To read the full interview, and learn more about the working lives of a range of security practitioners, order Working in Cybersecurity at Amazon.com.