A Conversation with David Shipley

In an interview with INFOSEC NORTH, David explores why he founded Beauceron Security, the impact of his platform, and how he is truly enabling organizations to treat cyber security and risk as a business issue, not just an IT problem. He provides advice for future entrepreneurs, and highlights how companies need to evolve its hiring and recruiting practices to address the acute talent shortage in the market.

What were your motivations to start your own venture?

I was the cyber security practice lead at the University of New Brunswick (UNB) and I only had three quarters of my available work hours to manage a very complex cyber security environment. I had to manage several very manual essential tasks: phishing, simulating attacks, education, awareness, risk assessments, strategic communications, and infrastructure planning. There weren’t enough hours in the day. So we looked at the tools that we are using and asked ourselves whether there was a way to integrate these key activities and make the process easier and faster. Our goal was to gather the key risk insights needed and surface them not only to the IT team and senior leaders, but also to the end community members. We wanted to turn those passive members in our cyber security story to become actively involved in the defense of the organization.

So that was the genesis of Beauceron… the idea of turning people from bystanders or the so called “sheep” to the active defenders or sheep dogs.

What challenge is Beauceron addressing with its solution? How are you framing your value proposition?

For some clients, it’s the ability to automate the key annual awareness activities or ongoing campaigns that engage users. For others, it’s gathering the data to measure the success and determine where they need to focus their efforts. For organizations that are using a security framework like NIST, they can measure and manage the issue effectively.

The challenge for most is that if you can’t measure an issue, and you can’t develop meaningful, specific, actionable and timely metrics, then you can’t effectively deal with the problem.

We believe in the saying “If you can’t measure it, you can’t fix it”. So we provide clients a reference number, guide, and plan that they can work to in order to reduce cyber risk.

Our solution is a Software-as-a-Service offering and it integrates thoroughly with Microsoft Office365, so it’s really fast and easy to deploy. It’s a low touch product from an IT administrative standpoint and solves the pain point for the organization and IT team.

You’ve mentioned several security domains that your system addresses like risk management, education and awareness, and security analytics, how does the platform bring these components together?

We are incorporating three different previous product offering into the platform: security analytics, security awareness, and governance and risk management. We’ve developed a “leaner and meaner” platform that provides just enough and at the right time that is easier for organizations to use. Especially mid-sized organizations.

For large established enterprises, our roadmap ensures that our platform will plug into existing investments like their SIEM or GRC platforms. But the goal is to simplify the risk reporting process so that a senior management or board can review meaningful metrics that aren’t technical gibberish. They want to be able to see the risk number, what are the recent changes or trends and they want to be able to answer questions like ‘what are we getting for our investment’ and ‘how do we compare to others of our size or industry?’

One important point of distinction, there are excellent products on the market for the IT team or IT security team to use to manage the technical side of the problem. But there is a huge gap in tools for business leaders and managers to manage cyber risk as a business issue.

What do you love about your team, and why are you the ones to solve this problem?

The number one thing is the shared passion for making a difference on this issue. You hear some startups talking about their broader social mission, some emphasize it more than others. We thoroughly, genuinely and intrinsically believe in the importance of changing the cyber risk and cyber security story. We know the numbers and trends. We’ve dealt with clients both small and large that need help picking up the pieces after an incident and have seen the stress that they have to bear while picking up the pieces post-incident. We don’t want to see the current narrative of organizations constantly falling prey to ever-more-sophisticated attackers. We want to create sophisticated defenders.

We’ve thought a lot about why the past approaches to cyber security has failed. We identified that, historically, organizations have put tools in place to try to control users. They’ve had a bias towards technical solutions versus people-based solutions. We have a core belief that when you empower users on an individual and organization level to own their cyber risk, and understand their position and know they play a key role, you can have a more proactive and balanced approach to security.

This new approach is making a different.

How did your prior role and experience at UNB build a business around this new approach?

It should be noted that, like many people in the field, I got into cyber security by accident. I was working in the web marketing team at UNB in 2012 when we were hacked by an activist group. As a former soldier and journalist, I had a number of tools that helped me manage complex issues and the CIO brought me over to the IT security team and I got involved with the investigation into the attack. I dove into my cyber security role head first. In my experience at UNB, we dealt with everything from nation state level hackers, cyber stalking, IP theft, to attempts to abuse the infrastructure.

I initially started with the same approach most people use which is “I need more tech. Better automated tech and integrated tech.” In the course of trying to build this complex and very expensive ecosystem, I was always trying to work around the human problem. 95% of all our issues started with people, process, or culture. It had nothing to do with technology. When I was working on the root cause of our problem, like lowering our phishing rates from 30% to less than 5%, that’s where we received the greatest dividends.

Was it important to you to build your company in New Brunswick? How would you describe the tech and cyber security community in the area?

I would argue that New Brunswick is a leader in Canada when it comes to cyber security. Specifically, UNB was the birth place of Qradar. It was the IT department at the University that invented the core of what would become Qradar because they were looking to solve a problem. As a result of Qradar’s tremendous success and buy-out to IBM, it created a strong ecosystem in Fredericton and more broadly in New Brunswick. At the same time, our provincial government has created the first provincial agency dedicated to cyber security, called CyberNB. We also have phenomenal startup infrastructure here. The New Brunswick innovation foundation and a robust angel investment community that helps not just provide cash but also expertise.

What stage of growth is company currently in?

We closed a $500,000 funding round in June 2017 and opened full time operations. We took our product from minimal viable to a full platform, that’s now heading towards its second generation. We have more than 30 clients across North American and two global entities. Our platform is used in 23 countries. We’ve been working very closely with managed security partners and re-sellers. We’ve grown from 3,000 seats in January 2017 to 15,000 seats today.

What is the initial client feedback? Are there any early success stories you can share?

Over 80% of people that we have trained on the platform have consistently reported that it has been a valuable experience. Some clients get as high as 93% positive scores.

We also have a status and recognition portion of the platform that are tied to their risk score. As risk is reduced, users are rewarded.

As our platform is sending out automated phishing emails, we are seeing as many as 70% of users spot and report malicious emails through the appropriate channel. The best result I experienced at UNB was 15% and the closer you are to 100% engagement rate, the more resilient your organization is to social engineering.

What advice do you have for new Canadian cyber security entrepreneurs?

I highly encouraged people with innovative ideas to come to the marketplace. There’s never been a better time to start a software company in Canadian history. Companies like Microsoft Azure and Amazon AWS have generous programs for startups to access compute for free as they figure out their business model.

The problems have never been greater and the need has never been greater.

On the flip side, be realistic with your goals. Expect things to take twice as long and be twice as expensive.

What’s your perspective on state of cyber security talent in Canada compared the needs of organizations.

There’s not a doubt in my mind that there’s an acute shortage of qualified, certified, and experienced talent through all types of organizations in the market. We work with some great partners that have job postings open for months and struggle to fill critical roles because there’s such a shortage. Security is also a tough gig. You have to have a robust skill set, it’s also stressful at times, and there’s a lot of burnout.  It sometimes feels like you are pushing a rock up a big hill, but the job can be very rewarding. You have to have that sheepdog mentality – the protector of the pack.

I believe that 30% of open jobs will, be necessity, be replaced with automation, technology and working smarter. The other two-thirds will actually get filled. A portion of these hires will come internally, as organizations find their sheep dogs and provide them the training and skills, and are smart about retaining that talent.

We have a number of progressive clients that are using our platform to identify people inside the company that are the most engaged with the platform and approach them to see if they’d like to take additional training and spend time with our cyber security team. You can use the platform to start to identify your “farm team” to close that critical skills gap.

This article was originally posted on INFOSEC NORTH's blog.