Judges on Fire: Raj Samani, Fellow and Chief Scientist, McAfee

Posted by Jon Howell | 04/09/2020

In our Judges on Fire series of podcasts, we aim to let you get to know our judges a little better. They also get the chance to share their wisdom and tips about entering the Tech Trailblazers Awards. For our sixth outing we are connecting with Raj Samani, Chief Scientist and a Fellow at McAfee. Raj is one of the judges who’s been with us since right at the beginning of the Awards. In an enlightening discussion, Raj shares how he got into the business of cybersecurity, having started out on a help desk. He also tells us about how he has fun at his job at McAfee, along with giving advice for startups on how to be successful. Plus find out ways to make your entry to the Tech Trailblazers Awards quicker and more effective. You can also discover exclusive details about Raj that he never shares on LinkedIn. So, over to Rose Ross, Founder of the Tech Trailblazers Awards, as she interviews Raj Samani in our sixth Judges on Fire podcast.

Interview transcript

RR: Hi everybody, welcome to the Tech Trailblazers podcast series, Judges on Fire, and I’m here today with Raj Samani who has been one of our judges from right at the beginning, and he is the Chief Scientist at McAfee, and also McAfee Fellow. But in addition to that he is also the Chief Innovation Officer for one of our partners, the Cloud Security Alliance. Hello Raj, it’s great you can join us today.

RS: Thank you for having me, hello everybody.

RR: So, obviously on the Tech Trailblazers we talk about a lot of the elements around the awards, and from your perspective Raj, what you are looking for within it.
But it would be useful for the listeners who maybe haven’t come across you, either in your McAfee role, or with the Cloud Security Alliance, to find out a little bit more about what your present role is, and what you’re involved with, and also your journey together.

RS: I actually get to have fun in my job. We run the threat research teams within McAfee, as well as the threat intelligence capabilities, and the red teaming, and the vulnerability research, and the Vulnerability Disclosure Programme. So, basically I run a team where we get to investigate some of the most fascinating cases on the planet. We get to engage with law enforcement, I work as an adviser to the European Cyber Crime Centre, part of Europol. So, we get to engage with law enforcement, we get to take down bad guys, we get to break stuff, and we get paid for it. So, it is pretty much the best job I can think of, where I get to do the stuff that I kind of did for free, at McAfee. The purpose of this is so we understand how the adversary is adapting, how the adversaries are working, so that we can make sure that we integrate that into the protection for our customers. And so really all of this is the intelligence that goes into the products that we provide to customers, from consumers to government agencies and everything else in between. Good fun.

RR: How did you come to have that kind of role? Because you’ve been with McAfee for a while, hence being a McAfee Fellow, how did you get into the business of cybersecurity?

RS: It’s actually a funny story. I’m going to sound super-old to everybody, it was the mid-nineties, and I did a generic Masters in IT, because at the time there wasn’t really any cybersecurity-related special degrees or anything like that. I read Cliff Stoll, The Cuckoo’s Egg, in which he did an investigation.
It was fascinating to me, and it was something I really want to do, but there wasn’t a cybersecurity role out there because actually the term of cybersecurity hadn’t even been developed. So, I did my final year thesis on building what we call a bastion host, and for the people that are going, “What the hell is he talking about?” but for those of you who have been around for a while, you’ll know the term bastion host. I had this choice which was I could go into networking and it pays more money, but actually I really wanted to do a job that has security in it. So, I started to work on a help desk, one of my first jobs was to manage the AVN points, and I then started to do investigations. I remember at the time we’d just rolled out ISDN and we had various different employees using their home ISDN lines to download porn, and so it was like, “Raj, can you investigate why the ISDN bills are so high?”, and I think it just began there, this was something I wanted to do and I actually showed aptitude for. Then as I started to develop my role, I started to play around with SMTP relays, and then we started to do some vulnerability research. So, I think it was a conscious decision to get into security when there wasn’t really a role for security. Then all of a sudden around me an industry kind of popped up, and it was like, “Wow, okay. I can actually do this full-time in my career”, rather than doing security, and the help desk, or managing servers and so forth.

RR: So, you were able to focus on that. Fantastic, and the stuff that you’re doing as the Chief Innovation Officer for the Cloud Security Alliance, that must be very interesting as well.

RS: Well actually I co-authored the book, the CSA Guide to Cloud Computing, which funnily enough I was looking at on Amazon the other day, and it was 2014 when it was myself, Brian Honan, and Jim Reavis published the book. So, yeah, I’ve been involved with the CSA for a long time.
The cloud is now ubiquitous but I remember when we first started to get engaged with the CSA, and it was really kind of like a nascent idea and concept, and now of course everybody uses the cloud without even knowing that they use the cloud. It’s incredible, it’s really incredible how that’s now become part of the norm, I guess.

RR: So, from your perspective, you’re focused on innovation, you’re dealing with the newest threats, things that people haven’t even thought of dealing with. Are you seeing an uptick in all of that stuff? There’s lots of talk at the moment obviously with COVID, and the changes in the way that people are working, more home-based sort of dining table warriors and less stuff in offices. Are you seeing an impact in what kind of threats and issues you’re having to deal with, and your teams are having to deal with?

RS: Certainly, the number of attacks that we’re seeing is increasing. You only have to look at the number of ransomware cases, and the number of ransomware attacks, but also perhaps more concerning is the level of innovation that you’re seeing from the adversary. So, for example, we published research on a campaign that we suspected to be Lazarus Group, and they were using template injection attacks. We look at ransomware groups now publishing data from victims, in order to be able to charge $10-million plus ransoms, and so it’s becoming… I’m always conscious that I sound like a miserable sod whenever I talk, but the reality is, is that there are a lot more capable actors out there, and they are innovating and they are getting paid. When we published research on Netwalker which is a ransomware group, from March until about now, they’ve made at least 25 million bucks. That was really done with developing a backend for them, that’s fundamentally what they did, in order to be able to become that successful, financially successful. So, yeah it’s definitely getting more challenging I guess, out there.

RR: And how do you see the role of the startup? Because obviously you’ve been involved with what we’re doing, and I’m sure also in your day job, day-evening-night job, you’re also coming across a lot of startups, cybersecurity is probably the biggest part of the enterprise tech startup scene. I know that some statistics are talking upwards of 15,000 cybersecurity startups, which is just mind boggling. Where do you think they’re going to be playing a role in this, the fight against these types of adversaries?

RS: It’s a great question, and yeah I see a lot of tremendous innovations, a lot of tremendous startups, and actually sometimes when I judge various different startups… I think here’s the key point that I would really want to say to companies out there which is, it’s not just the technology that’s important. I know that sounds completely the opposite of what everybody is saying, but how you’re going to be able to get that technology out to market. Like a founder has to be everything, has to be the technical visionary, has to be the sales guy, has to be the HR guy, has to be the social media person etc. etc. etc., and the challenge that you’re going to face, “How am I going to be able to go to market?”, “How am I going to be able to go beyond the noise?”, and that doesn’t mean getting a booth at RSA, and saying, “We have a blockchain-based identity – two-factor authentication”, eliminating the buzzwords and actually having a viable USP that is valuable, but also understanding the business to market, and being able to find a way to be able to have a successful go-to market. That’s what makes a successful business, and fundamentally that’s what startups should be focussing on.
I see really tremendous technology, and sometimes you meet people, and you just think “Look, I think you’re really smart, but how are you going to be able to convince, and how are you going to be able to…” And of course there are some ideas that simply the technology will carry alone just by the nature of that. Look at advisory boards, that’s a really great idea, startups can look at advisory boards with business leaders to help them address some of their gaps, in order to be able to achieve that, and that for me I think is a really interesting angle. So yes, I think it’s the whole package, not just is the tech really cool.

RR: I suppose that’s more of a challenge for the Firestarter type, the younger pre-VC ones that we see coming forward. Hopefully, the ones that have had VC funding are going to be a little bit more mature, and have more people involved, and picking up those sort of roles. It’s not quite so much of a CEO/tea-maker/bottle-washer, and everything else, side of things. But yes, that’s true, and it certainly is something that other judges have pulled out. I guess being involved with the awards and putting yourself forward is one part of that, right? It’s at least being out there and putting your head above the parapet, and making people aware of what you’re doing. So, aside from the go-to market stuff, is there anything else that’s going to get your attention, when you see the entries coming through?

RS: There is, obviously, a couple of things. If I look at how organisations really engage with their customers. I’ve seen some really smart ideas where you’ve seen, for example, some companies where they’ll provide regular health checks, or regular engagement touchpoints. You’ve heard the term a lot like “trusted advisors”, and so forth, but in the world of cybersecurity having a vendor that is a partner for you, and really being able to articulate that is absolutely crucial.
And for me it kind of speaks to the culture of a company as well, how you engage with your customers, do you provide them the support that they actually need? We’ll often say cybersecurity is not that difficult. Well it isn’t that difficult, but equally it is very hard as well. You’re dealing with a plethora of threats, you’re dealing with budgetary issues, you’re dealing with a changing regulatory landscape. I’ll always look at what are you doing for the customers, beyond just simply selling them a product. There’s some really great companies out there that can actually speak of being leaders in their own field, partly because of the founders of who they are, or the type of work that they’d done in the past. So, for me it’s not just, let’s look at the technology, but it is, are you striving to be the de facto advice of your customers, are you helping them and so forth. So, there’s a lot more to this, and I think that’s important because it’s a really, really crowded marketplace, you kind of touched on it earlier, but how you’re able to differentiate beyond just simply typical marketing which is catchy lines and so forth, that to me is going to be the crucial parts. I’ve actually seen some of the startups recently driving research with tier one newspapers. I remember one around misinformation, that was covered by the Guardian, and you think to yourself, well that’s outstanding, you’re literally driving and leading the narrative in the space that you’re in. So, I’m very, very impressed with it, and of course you’d expect that because it’s part of what we do here, within my team as well.

RR: Absolutely. So for this year, what are your tips how people can present the kind of stuff to you, what would you say would be your top tips for people, outside obviously sharing the kind of information that you’ve shared that gets your attention?

RS: I guess for me I would say don’t overthink this, try to put yourself in the position of the judge themselves.
The judge has probably gone through multiple different submissions. Just point out the things that you think are the most important, and I know that just seems like the most ridiculous advice, and so glaringly obvious. But I’ll give you a great case in point, the example I will give you is, imagine you have 30 seconds with the biggest investor on the planet, and you’re in a lift with them, what are the key salient points that you want them to walk away with? Because the chances are they’ve probably spent an entire morning of pitches, they’re going to spend another afternoon of pitches, what are the three to five things that you want to get across in that conversation? That’s literally what you have, is you have a conversation with a judge, and your objective is to get their attention, and to showcase the things that set you apart. Don’t write chapter and verse, War & Peace, literally pull out the key points that you want to raise, and show the metrics as to how you’re delivering against that, and emphasize why that matters and why that’s important, and that’s it. Don’t give the judge a fishing expedition and say, “Well, here’s seven pages, good luck. You try and work out what the value is”. You have those 30 seconds in the elevator with the investor, what are the things you want them to hear?

RR: Well we do limit the amount of input people can give, so hopefully that helps to laser-focus in on those key elements. That’s great advice and I can see that is going to be the differentiator if people can cut to the chase, and make your life as easy as possible to understand what people are doing. Moving forward into the wider landscape, obviously we look at things like CxOs. We’ve got the Male & Female Trailblazer of the Year. Are you seeing a lot of very exciting people who are leading the startups that you are engaging with? What’s the mood amongst them at the moment?

RS: It’s interesting, my niece is currently at Kings and she’s involved with… Kings run like an incubation hub I guess you’d call it within Kings, and I’m seeing a lot more diversity in some of these startups. I think it’s important, because one of the things I used to do before COVID kicked off, but every month I’ll go to a school and speak to young kids about getting a career in cybersecurity, and it’s important because in many cases when I’ll talk to, certainly young girls, or when I talk to kids from maybe different socio-economic backgrounds than the rest of us I guess, there’s this kind of, “Oh, okay I had no idea how I would get into this industry, where do I start?” and so forth. And for me what’s interesting is that today cybersecurity is something that many kids would like to do. Now unfortunately, the question they always ask me was, “How much do you get paid?” So, I think the motivation probably needs to be… [Rose laughs] But there is finally an interest. I think where the challenge is ‘where you start?’, and incubation hubs like Kings are great, but the challenge for me is how do we go slightly earlier. So, how do we find the innovators of the future that won’t go to Kings for example, that may not get to some of the best universities, but it is definitely changing I think really for the better. So, it’s positive I think, and that’s the thing I’ve noticed that’s changed certainly over the last couple of years is, I’m seeing a lot more startups, a lot more innovators, a lot more diversity, and that’s great, that’s really important.

RR: Absolutely. So, outside of what you’re doing on a very, very busy-busy side of things, are there any facts about Raj that maybe aren’t on your LinkedIn that you think would be interesting for people to know about?

RS: Oh my gosh, there’s so many of them, I’m almost embarrassed! There’s a ton of things there, I love reading, I don’t read fiction, I hate fiction I think it’s a complete waste of time.
There’s only one fiction writer I read and he’s not someone to boast about! I like to read, I like to fight, I mean I’m a boxer so I’ve been doing that for 25 years now, although I can’t do that at the moment, for those of you that follow me on Twitter may have noticed I ruptured my Achilles in February. So I’ve literally spent the last six months learning how to walk again, which has been really challenging. I’m finally exercising again after being able to walk. For me I love reading, I love information, I love learning new things, I’m constantly reading all of the time, I finished another book this weekend, and I’ve got another five or six I’m ready to roll down. Since I’ve done my leg in I’ve not been able to get in the ring again, but that I’ll do again probably later this year.

RR: There’s definitely things I wasn’t aware of, and we’ve known each other for quite some time.

RS: Well, it’s not on LinkedIn, and I don’t use Facebook.

RR: There you go. Fantastic, is there anything else that you’d like to share that you think would be useful for people to get to know you better, or maybe something else that you think is worth sharing with the startups who are putting themselves forward, on why you are involved with this, and why you think it’s important for people to stand up, come forward, and engage with yourself and the panel of other judges?

RS: I guess the most important thing that I would say to young entrepreneurs, and the startups that are out there, is just reach out. I know it sounds really rather obvious but, the judges are absolutely outstanding in their field but we’re more than happy to reply to an email, more than happy to give you some advice, whatever it takes you’ve got to start to reach out, and you’ve got to be not afraid of rejection. Of course we all know the story about Harry Potter and so forth, but for me that’s important.
I remember when I started in this industry I’d go to the ISSA in London Chapter, or UK Chapter, and meet people that I looked up to in the industry, people like Richards Stans, or Ed Gibson from the FBI, I got to meet the amazing people in the industry. Every time I got back I’d connect with them on LinkedIn, send them an email. I’d do anything I can, to try to like, “Hey, can I borrow 10 minutes of your time? Can we have a coffee?”, “Tell me about your job”, or “Can you give me some advice here or there?” For me that was really important, I didn’t necessarily have a mentor, but I had people that would guide me along my path, and for me that’s important which is look to find people that can help guide you in your path towards achieving your ultimate goals and so forth, and for me that’s something I would strongly, strongly recommend. Every time I do a talk I will always pick up people that I engage with afterwards, and some of whom I personally mentor and stuff, and for me that’s really important; finding people that can help you grow and learn, equally it could apply to not only you as you’re starting off in a career, but even now today as well. So, that to me would be the best thing that I would really want to get across, and hopefully that will probably help people.

RR: Yes, it is very much our judges are very open, and I’m not sure if all the entrants take advantage of that. It’s opening a conversation really, part of this, you never know where it may lead. In your own career are there any mentors that you would like to maybe refer to? Because I get the sense from you, you’ve mentioned a couple of names that have been important to you, but I suspect that might have been later in your career, there may have been some people prior to that?

RS: So, one of the first people that really mentored me fairly early was my boss when I was working on a lonely help desk.
I did my Masters, and Andy Ealey, I think I’ve said this publicly a couple of times, when I was working at a pharmaceutical company, he was the person that really set me off on my way. There’s been so many people that I’m indebted to, like I said, I’ve never really had somebody that I would say, “You’re my mentor”, I just generally looked up to. When I used to work for a CSO for a big organisation, one of the people was John Colombo when I was working there, he taught me how to start writing properly, because my writing skills were a lot to be desired. Honestly, there’s so many people that I look up to, that have helped guide me. I guess that’s why I’m more than open and willing, and that’s why I do this today when I go to speak at schools, is because I feel you need to do the same as well. At some point it’s going to be my daughters, or it’s going to be my son who are going to be looking for mentors themselves, so I think it’s important to do that.

RR: Brilliant. That’s been very insightful now into some other aspects of Raj that I wasn’t aware of, and I’m sure for the listeners it’s been fascinating to get a much better insight into you as a person, but also as an advisor on what you see as being important for our cybersecurity startups when they put forward their entries. Thank you Raj, thank you for joining us.

RS: Thanks for having me.

RR: And thanks to the listeners, it’s the Tech Trailblazers Judges on Fire podcast, and I’ve been joined today by Raj Samani from McAfee. Thank you.