Founders on Fire: Jim Zuffoletti, CEO and Co-Founder, SafeGuard Cyber
Posted by Jon Howell | 22/04/2021
Today we’re catching up with SafeGuard Cyber, our winner of the 2020 Mobile Trailblazers Award. We get to chat with Jim Zuffoletti, the CEO and Co-Founder of the firm. Chief Trailblazer Rose Ross quizzes him to find out what the win has meant for SafeGuard Cyber and what’s been happening since winning the award. Jim eloquently explains how the threat vectors for businesses these days are changing and will continue to do so as new communications channels appear, thanks to the power and flexibility of mobile communications and exacerbated by Bring Your Own Device. He reassures employees that it’s the risk that firms need visibility of, not their private emails and messages. He also talks about the latest round of funding that the firm has recently secured and only announced a few days back on 12 April. $45m from NightDragon Security, Cisco, and AllegisCyber not only brings useful funds but also knowledgeable partners to forge the future with.
You can also listen to the podcast on YouTube or Anchor FM.
Interview transcript
Rose Ross: Good morning everybody, we’re here for the Tech Trailblazers Founders on Fire podcast with Jim Zuffoletti who is the CEO and co-founder of SafeGuard Cyber. Good morning Jim!
Jim Zuffoletti: Good morning Rose, good to be with you today.
Rose Ross: Fantastic, well it’s great for you to join us, where are you based Jim?
Jim Zuffoletti: I’m in the centre of Virginia in Charlottesville, so we’re experiencing all the joys of springtime with colour, and all the pain with the pollen.
Rose Ross: Ah, well that’s the downside, but it does look like you have an amazing view out of the windows at the back of your office there, and as I said an amazing array of artwork around you. It looks really light and airy and a really pleasurable place to be doing business.
Jim Zuffoletti: Absolutely.
Rose Ross: Fantastic. Well welcome, it’s great that you’ve been able to join us. Obviously, you guys got recognition in the Mobile Trailblazers, which is kind of interesting because you guys are much more in the security space, and it’s a really interesting area as well. So I’d like to dig deeper into that as well if I may, and then I’ve got a couple of other questions I’d like to pose. Firstly it would be great to understand a little bit about SafeGuard Cyber itself and the solution, what it does, what problem does it solve for people?
Jim Zuffoletti: Absolutely, and let me do that and then talk about why that’s so important to kind of, let’s call it, the mobile mission of organisations. So, SafeGuard Cyber is a digital risk protection company. We talk about our mission as securing human connections, and in short what we’re responding to is the fact that the way that work is taking place at companies right now, has fundamentally changed. Set aside the pandemic and just think about how people go to work and experience work over the last couple of years, and one of the common threads associated with that is, whether it’s the company or it’s the individual employees, they’ve started to adopt all of these different digital channels as a new way of doing business. It’s been remarkable for productivity, and we’ve seen all kinds of statistics about that. But at the same time this is, in the security world, a new, what we would call, attack surface that organisations have to respond to. So just as your network gets attacked, just as your email gets attacked, just as you need to make sure that you ensure security and compliance in those particular realms, you’ve got to do the same whether it’s social media, or collaboration, or mobile chat which is kind of the centre piece of the digital world. And so our platform allows companies to adopt those channels and do it in a way that’s both secure and compliant.
And what’s important about the mobile world is, if you think about how the human experiences those digital channels right now, it is often through their digital device, and so if I’m using WhatsApp, or I’m using LinkedIn, or even I’m using Slack, I’m doing it on my phone whether it’s Bring Your Own or company device. And so an important aspect of what we’ve done is to protect the organisation across all the different modes of digital, including the most important one which is the mobile world.
Rose Ross: Absolutely, it’s certainly something that I find people are doing more and more. It would be interesting to understand a bit more about how you actually do that, and where the idea came from. Because obviously as a Tech Trailblazer you’re a relatively young company, less than five years old, how long have you been operating, and where did the idea come from?
Jim Zuffoletti: The origin of the business really goes back to just about five years ago and there were two big converging forces, my co-founder and I had started other businesses together and we really recognised that we saw a convergence that was creating an opportunity. The first one is something that I referenced a little bit which is the onset, the transformation to whether you call it digital transformation, or social business, and now we’re talking about work from home, but they’re all this kind of mega trend about the changing work environment, the changing way that we do work. And so we saw that kind of transformation take place. But the other thing that we saw, and we’ve got kind of an interesting perspective is, we’re both fans of the geopolitical front, or geopolitical junkies I guess the right word would be, and if you go back into that timeframe five years ago one of the things that was taking place was a geopolitical conflict between Russia and Ukraine, it continues to this day.
There’s a lot of emphasis on what you would call the kinetic warfare, the actual combat, people are getting killed along the way. But what was not getting as much attention, but in many ways, we saw as a more pervasive and fundamental shift, was the cyber-attacks from Russia against Ukraine. These were attacks that were starting to be novel, because they were coming through not just the traditional network route and the like, but were coming through these new digital channels that companies within Ukraine were adopting, and were vulnerable as a result of that. So we saw the adoption, and we saw the attacks, and it didn’t take much to say, ‘Hey, this is going to shift from nation to nation, to nation to company, to criminal to company over time,’ and just over the last few years that’s exactly what’s happened, where it’s almost that people joke about ransomware-as-a-service, the fact of the matter is, digital-attacks-as-a-service is now something that’s starting to show up. And so we really saw those trends five years ago, and over the last five years it’s really exploded to the point that somebody like Jeff Bezos, the richest person in the world, has been vulnerable to this kind of attack, because these are just channels that are extraordinarily adopted, but unfortunately incredibly lightly protected.
Rose Ross: Well, if you think about when you purchase a phone, it’s very quick for them to transfer all of your data from one to the other, so you wouldn’t actually have to lose your phone for very long for everybody to effectively have everything on it.
Jim Zuffoletti: Yeah.
Rose Ross: But obviously we’re talking about not necessarily the physical access, we’re talking about whatever access that may be, and I’ve got a few friends who are ex-military and they’ve certainly been talking about that kind of stuff for a long, long time.
Jim Zuffoletti: Absolutely.
Rose Ross: So, we’ve been kind of lucky that it’s taken this long for things to really get to that level.
Are you seeing with COVID and obviously people working more from home and relying perhaps on their devices and going about their business perhaps, and I suppose merging more of your personal life, like out for walks, trying to get some kind of routine together that doesn’t just involve sitting in front of your computer all day, because we don’t even walk to the train station, we don’t even walk to our car necessarily to go anywhere. So, there are more people who are sitting on a bench and having a conversation, or checking what’s going on on Slack, there’s a WhatsApp just popped up, then checking their emails, then making a phone call, then going back and sending an email! You could very easily basically live and work on your phone pretty much, these days.
Jim Zuffoletti: Absolutely, and in that way that you were just referencing where there’s this interconnection between the personal and the professional, Bring Your Own Device is the centrepiece of it, but as you said, one moment I’m on Slack and that’s the company Slack, and the next moment I’m on LinkedIn and maybe I’m doing something for the company, or it’s personal. Then the next moment I’m on my personal Gmail account, and I’m doing that all on that same device. All of those communication channels are moving back and forth. What’s a company to do to try to protect that employee in the wild, if you will? There are many aspects to it which I’ll spare you for the moment, but one of the things that I think is really critical to appreciate about how we approach this which is novel, we have this concept that’s called Total Privacy. The idea behind Total Privacy is to abstract the difference between the content that might be shared on that mobile device, and the risk event itself.
The company cares about the risks, they don’t care about the content, and so I can say to you as an individual, if you authorise me to protect the different communication channels that you undertake, what my agreement with you is, I only see the risk event itself, not the underlying content. Now practically speaking from a technical perspective it’s actually encrypted, so even if the company wanted to see it, they wouldn’t be able to see it anyhow. But that concept of how do you balance protection and privacy in this inter-linked world that you were talking about, is something that we’ve really put a lot of investment in and has really made a difference for us, in terms of serving companies.
Rose Ross: You’ve had a busy time and you mentioned your co-founder, so if you’d like to just introduce them as well. Obviously, we can talk about them behind their back because they won’t be listening to this! But you’ve done this before you mentioned, together, so tell me a little bit about your co-founder and why you two are so successful together, because clearly if you’ve done it a couple of times it must be working, right?
Jim Zuffoletti: Absolutely. We first met each other in business school in 2003, and we showed up at business school both intending to be entrepreneurs again, because we had been entrepreneurs prior to business school, and so it was a small affinity group. My co-founder, Otavio Freire is his name and who is our CTO, has been an incredible partner as we’ve gone through a couple of different businesses that we founded through the years, successes – quite frankly success and failure.
And the two of us work together extraordinarily well, because I think there’s a balance in terms of both business savvy, as well as technology knowledge, and you see in Otavio what I would argue is the finest combination of that savvy, a person who’s incredibly thoughtful and capable from a technological perspective, but puts it within a business context, has been immensely valuable in terms of the businesses that we’ve started together.
Rose Ross: What did you both learn from the failures, and what do you both bring from the successes to the next venture?
Jim Zuffoletti: We’ve got plenty of scars. One of the failures I would talk to you, and we’ve used this expression across a couple of different startups, is what I’ll call the ostrich problem. We’ve been in the world often where our solutions are about helping organisations in protecting them, it’s SafeGuard Cyber, that’s central to the mission; we secure the humans so that you can engage in all these digital channels successfully. But we will find again and again when we meet these organisations, that they want to keep their head in the sand, even though they know they’ve got a visibility problem, they can’t even see if their organisations are adopting Slack without their knowledge, the whole shadow IT phenomenon. Even though their employees may be using a channel like WhatsApp for the conduct of business, which might create a gigantic security and compliance hole for the organisation, they just don’t want to know. We’ve actually had cases where we have presented findings of risk, we talk about it as ‘Finding Evil’ and we present that to a potential customer, and they will not want to keep a copy of that report that we present to them, because that in and of itself is a vulnerability. So there’s this dynamic which is the ostrich phenomenon which has definitely been one of the more confounding, and that’s across multiple companies that we’ve started up.
In terms of the things that got us excited, one of the things that I think is kind of exciting, and it might sound a little bit nerdy, but we work with dozens and dozens of different companies, all these different companies that embrace these different channels, whether it’s Facebook, or it’s LinkedIn, or it’s Slack, and we have to have really close relationships with them to get access in the way that we need in order to protect the organisations, in order to protect our customers. One of the things we’ve been really successful in conveying to them is, how valuable it is for them to have an ecosystem of companies that are surrounding those channels that protect them. In other words to say, ‘Hey, don’t build all of this yourself, really leave it to an ecosystem, because what one company’s risk event is is different than another company, and you have to focus on the centralised systemic risks, leave the other risks to us.’ And so that ecosystem thinking, if you will, has been really successful. The second one, and I reference this a little bit is, the ‘aha’ moment we had when we recognise that privacy was going to be a difference-maker for our organisation, and that ability to separate out the content from the risk events, and do that in a way that we can make the right agreement with the human who is using this channel and with the company, so they both get what they need. That was a really big breakthrough moment for us that we were excited about.
Rose Ross: So that people are comfortable that it’s not a surveillance tool, it’s a protection tool.
Jim Zuffoletti: Absolutely. Now there are organisations that have legal requirements, like in the financial services where they need to be able to see that, and that’s a setting.
But let’s say for example, one of the organisations we work with is an Aerospace company, and they may make the decision that when it comes to social media what they care about is, are people sending malicious files into that account which could get on that device? Or are people sending malicious links? Or are they initiating social engineering attacks? That’s what they care about, they don’t care about the other communications, in fact it’s in the best interests of all parties that we’re protecting privacy regardless of what region in the world we’re in.
Rose Ross: Well, I’m just going to ask you a little question as well, because I notice that you put out on LinkedIn a couple of days ago about your Executive Protection Poll 2021, could you give me a couple of little snippets from that, that you thought particularly interesting, or maybe that surprised you?
Jim Zuffoletti: One of the things, when you go out and you do a survey, you don’t know what you’re going to get associated with it. But one of the things that I think we were really pleased in the end is, we were looking for a confirmation that this was a priority for organisations, at least in part, and if not a priority for action at least a priority in terms of recognition, and that divergence is what we saw. So, I can’t remember what the percentages were off the top of my head, but from an awareness perspective we’re exactly where we want to see; people recognise that their executives are being targeted, and they’re being targeted because in a manner of speaking, organisations have done such a great job of protecting their networks and their emails, that now the vulnerability is the public assets associated with the executive that might be out there, for example in social media. At the same time, the prioritisation of executive protection is a real need, is something that is still lagging, and that’s showing up in the data as well.
And so that kind of distinction between, ‘Hey we all get that this is important, but people are not yet adopting it,’ ultimately what you want is it’s red-hot across both of those dynamics, but at least we know people recognise it’s important, and now as an organisation we can attack that latter point which is, why is this important? And it’s really important frankly, because this is the way that criminals are attacking; they’re coming in through executives who are being susceptible to direct messages via, amongst other things, fake recruiters on different social media platforms, and then once they make those direct message connections, they’re sending in either a social engineering attack, or it’s a malicious file and the like. And so we can work on raising that awareness because as it’s saying in the data, this is not showing up as important as it should.
Rose Ross: You’re talking about obviously the privacy vs privacy protected, and yet protecting the individuals and the company from risks in this environment, does it have any impact on access? Because I’ve always felt that this is one of the potential issues, is that what you do is you make it harder for people to do things, then they find a way to get around it which means they probably go onto another… Now apologies, I don’t know whether this is something that you look at, but I know a couple of people who have said, ‘I’m coming off WhatsApp, I’m going on to Telegram,’ I’m going, ‘Oh no, not another thing to worry about, I’m not doing it. Sorry, I’m not doing it, I’ve got enough stuff to deal with here.’ But there is always this element of do some people get pushed into another direction, because they think ‘Ah, right, this is going to be a hassle’ or ‘I don’t want somebody to know about this, so I’m going to put it somewhere where they can’t see it, and they can’t recognise it’?
Jim Zuffoletti: Yeah, there’s so many different elements to what you were raising there, that are important to think about.
Rose Ross: I like to call it a Rubik’s Cube question.
Jim Zuffoletti: There you go, and so let’s talk about the three dimensions of the Rubik’s Cube. One dimension of the Rubik’s Cube is that concept of what we call digital sprawl. Today everybody’s talking about WhatsApp, tomorrow they talk about Telegram. What’s an organisation like us need to do? Well, one of the fundamentals that we need to address is, we need to always have as a core competency the ability to add these new connectors, these new channels that are out there. So in fact we have WhatsApp, we have WeChat, we have WeCom, we have Telegram in anticipation of that kind of migration if you will, which is an important consideration on it. So, that’s one dimension of the Rubik’s Cube. The second dimension of the Rubik’s Cube is this dynamic about, let’s call it, the nefarious actor, and one of the realities that’s associated with the digital space is there’s always going to be a new channel, it’s always going to be out there. And we’re very upfront with companies which is, our goal is to provide them visibility that is many-many-many times what they’ve ever had before, but it is not perfect visibility. And so our capabilities in terms of both looking at what we would call protected channels and scanning the public surface, may very well surface that threat of the nefarious actor who’s adopted a new channel, and so we work on our technology to continue to advance that. But we’re upfront about the fact that there’s no perfect solution to that dimension. But the third one, and this is so important, is what you were referencing at the outset, which is; if I get in the way of the user experience, the user goes to another channel. If I tell you that you need to go to this interface instead of LinkedIn, you’re going to get rid of that interface, you’re going to go down to the local Starbucks on the wi-fi on your phone and you’re going to use LinkedIn.
And so our architecture is agentless and non-invasive, which means that if I’m a person who is having an account, whether it’s Slack or it’s Facebook, and it is being protected by SafeGuard Cyber, no matter where I’m using it whether it’s on a mobile device, my home computer, my company computer, it’s always being protected and it’s done in a way that doesn’t interfere with the user experience. So the best way to keep what I’ll call the non-nefarious but sometimes error-prone employee from moving to another channel, is to make whatever they’re doing as easy as possible, as non-invasive as possible. And by the way, as we were talking about a few minutes ago, architected in a way which is private to that. And so that dimension of ‘not getting in the way of the user-experience’ is that third critical dimension of the Rubik’s Cube that we have to be able to support, and we’ve built a lot of technical effort behind it.
Rose Ross: Great, sounds good. So, you’ve done some research, I notice you’re also doing a number of firsts, I see an industry first in total privacy capability, so that’s a lot of what you’ve just been talking about. But obviously the journey is not just about the technology, it’s obviously about that being adopted by customers. So I would imagine your location in the States may indicate that there may be some connections to government, and they may find these types of things quite useful perhaps in various cases. But it is also very much I would have thought, something important for enterprises as well.
Jim Zuffoletti: Yeah, if you look at our customer base, we are primarily a B2B company, we do some work with government, though not the US Federal Government. The companies range from some of the largest financial services, healthcare, and life sciences companies in the world, to some of the… I like to joke, we serve the 47th largest bank in the State of Louisiana in the States, which is by the way not a really big bank.
And so the takeaway from all of that is we’ve crested over a 100 customers at this point is, this need is pervasive across industry, across size of company, and it’s really about focusing on the areas that are the most urgent. For us, that’s financial services companies, pharmaceutical companies, healthcare organisations, organisations that have big regulatory burdens and a lot of valuable data that could be targeted. Aerospace is another example of it. So, lots and lots of targets that are out there, which is why the digital risk protection space has quite a few players that are out there, though again we’ve really focused our attention on a certain aspect which is, securing the humans across all these different digital channels, as opposed to public scanning for risk events.
Rose Ross: I get what you’re saying, that makes absolute sense. You’ve had a rather successful engagement with somebody I actually know, Dave DeWalt from NightDragon. His organisation, NightDragon, led your $45 million equity in debt financing. So it sounds like you’ve got some ambitious plans over the next couple of years, because that’s quite a lot of money, and I’m sure that’s not just going to go in nice expensive artwork for your gallery at the home office. Although, you know, it could be a very good investment, but that’s probably not what the involvement is. Others who are involved in that were Cisco Investments which is a reasonably well-known name let’s say, and also Dave’s company AllegisCyber which obviously was an original investor. So that’s all really rather exciting. Tell us a little bit about why you’re working with NightDragon and Cisco and Allegis and tell us a little bit about what your plans are over the coming years.
Jim Zuffoletti: Absolutely, and let me just add that joining them, they’re joining on the cap table Salesforce Ventures who’s also been an investor in SafeGuard Cyber.
So between Salesforce Ventures, and AllegisCyber, NightDragon who led the round, and Cisco, we’ve got an incredible group of partners around the table in order to help guide the company.
Rose Ross: That’s a strong team.
Jim Zuffoletti: Absolutely, and it’s important as you think about a Salesforce and a Cisco because these are organisations who have an incredible perspective on how work is changing over the coming years, what digital channels are being protected. Both of them have made investments behind security and compliance, and we get a unique opportunity to understand how what we do complements both of those organisations. And so that’s been incredibly valuable for the round. But let me talk about NightDragon. Dave DeWalt has been around and has certainly been arguably the most influential figure in the cyber security space for several years and has relatively recently started NightDragon to do investing. And what was attractive to us amongst other things is, they really showed up with two things that we thought were critical in terms of being supportive to us. One is, NightDragon had a perspective on where the gaps were in the cyber security fabric that was out there, that needed to be covered urgently, and one of them was this digital risk space. One of the turns of phrase that we surface when we’re talking with them is what we call the perfect spearphishing storm, social spearphishing storm; meaning that new attacks and old attacks were recurring in this digital risk space. And so, NightDragon had a perspective which is the type of risk we protect against was something that was critical to the cyber security fabric of companies, and so they were willing to really invest heavily behind building out a company in that space.
The second element was when you engage NightDragon it is really what I would like to call a plus relationship which is, don’t get me wrong, we are incredibly appreciative of the investment capital and what it allows us to do, and I’ll get to that in a second; but the connections, the visibility, the thought leadership that we get to be part of as a result of that, is really a difference maker. So quite frankly when we were deciding where we were going to take our investment capital, that was a consideration that actually moved the needle in terms of we decided we really wanted to take the investment from NightDragon. With respect to ‘what do we do with it?’, we’re at the beginning of the evolution of the digital risk protection space, there is technical development that we want to do, as you think about the scaling of millions to billions in terms of transactions per second or per day, and there is an incredible investment that we need to make and we’ve been making, frankly, in the team, the development of the team that is built around getting a global go-to-market footprint, and then serving what is already a global customer base, and a customer base that today we’re working with them on LinkedIn but tomorrow they need to add Slack. So that’s where we intend to invest the capital and that’s why we made the decisions, and we’re really, really happy to have the kind of partners at the table that we have.
Rose Ross: Have you worked with any of them previously in your previous lives as entrepreneurs?
Jim Zuffoletti: We had had experience before with Salesforce Ventures, and to work with NightDragon is also to interact with Dave DeWalt. Frankly, we’d heard about Dave DeWalt, it was the whispers about this guy Dave DeWalt for years and years, and then had a chance to work with him, took an individual investment, and then ultimately this large investment as part of our current strategic growth financing.
Rose Ross: Well that sounds like it’s going to be an exciting couple of years for you guys.
Jim Zuffoletti: Absolutely.
Rose Ross: You’ll be very busy, I’m sure. So, global, growth, obviously I’m sure as you say there are plenty of other platforms, and I was just thinking well that’s quite a sweet little number, because once somebody is getting protected, as soon as there’s another platform that they are seeing as pervasive within their executive team, they’re going to have to add that because that would be crazy, it would be like leaving a window open at the back, so just in case I forget my key. But yes, that sounds very exciting. So how about you personally Jim, what are your takeaways? Obviously, awards are important to you guys, because otherwise you wouldn’t have entered, and we’re delighted that you have won; are you feeling that that type of recognition is important for you?
Jim Zuffoletti: Absolutely. If you think about the Tech Trailblazers and what it’s meant for us, and the timeline since we’ve gotten the award, correlation is not causality but after we got the award, we did this gigantic round, and whilst one didn’t necessarily mean to the other, what was really important when we were talking to potential investors is that there was validation of the space, and validation that what we were doing was a unique approach to the space. So when you can show up and say, ‘Hey we won this award, we are a Tech Trailblazer’, that is something that becomes a third-party validation that is critical for organisations. Then back to what we were talking about at the outset, the digital realm, whilst it’s not exclusive, transits so much through the mobile world, and so winning an award associated with mobile is a big difference maker as an organisation. So it has certainly been a contributor to getting our name out there, our name recognition.
It’s something quite frankly we put a lot of thought and effort as we submitted for consideration, and it’s definitely paid off for us in terms of helping us move along where we’re trying to go in this mission of secure human connections.
Rose Ross: Fantastic. Well it’s been a pleasure to chat with you today, really insightful, very much an exciting area for you. And as we say, with partners such as the ones you’ve discussed, and working with Dave DeWalt, I’m sure you will be having quite an adventure, and we look forward to hearing more over the coming years of how things are going. Unfortunately, I think if you’re five we may not be able to welcome you in again, because you’ll be too old. But I’m sure we’ll see you if you’re still within the criteria, so that would be awesome.
Jim Zuffoletti: Indeed, well we will continue the spirit of trailblazing even if we’re not an eligible participant in the future, and we love to make space for other interesting players in the mobile space and beyond in the years ahead, and really appreciate the opportunity to be here today.
Rose Ross: No problem. Well we always keep an eye on our previous Tech Trailblazers so we will be reporting on things that you guys are up to anyway and giving you a shoutout on our social media as we do. So thanks Jim, it’s been a pleasure to speak with you. Thank you everybody for listening. You’ve been listening to the Founders on Fire with Jim Zuffoletti, and he is with SafeGuard Cyber. He is co-founder and CEO, and we wish him and the team the very best of luck. If you’d like to find out more about us as the Tech Trailblazers and other people like Jim who have been doing amazingly well and blazing a trail, please do visit the website at www.techtrailblazers.com, follow us on Twitter @techtrilblaze, or find us on LinkedIn. Thank you.