The Security Bulldog's Jeff Majka on AI, Grit, and Fighting Human Nature
Episode 112 • 10th June 2026 • Designing Successful Startups • Jothy Rosenberg

Shownotes

Jeff Majka

Bio

Jeff Majka is the founder of The Security Bulldog, a cybersecurity platform that reduces the time and cost required for enterprise teams to remediate vulnerabilities. Its proprietary AI-driven natural language processing engine transforms complex threat intelligence into clear, actionable insights, reducing cognitive load and accelerating decision-making. Jeff has more than 20 years of entrepreneurial experience and is also CEO of Honeycomb Consulting, a firm helping B2B and B2G companies align business development, branding, and marketing automation. He has led successful marketing initiatives for organizations including Cisco, Microsoft, and British Telecom, and advises startups across the security, software, and telecommunications sectors. Jeff holds a bachelor’s degree in economics from American University.

Introduction

The discourse presented in this podcast features an enlightening conversation between host Jothy Rosenberg and esteemed guest Jeff Majka, founder of the Security Bulldog. Central to our discussion is the provocative thesis posited by Jeff: cybersecurity should not merely be perceived as a technological dilemma but rather as a profound human issue. Throughout the episode, we delve into the complexities of human behavior that hinder effective cybersecurity practices, notably our aversion to delayed gratification and inherent laziness. Jeff elucidates his journey from a marketing professional to a pivotal figure in cybersecurity, reflecting on how his past experiences have shaped his current venture. We explore the intersection of automation and artificial intelligence in the realm of security, ultimately emphasizing the need for tools that align with human nature rather than combat it.

Conversation

The dialogue between Jothy Rosenberg and Jeff Majka delves into the intricate landscape of cybersecurity, a realm often marred by human error and complacency. Majka, the founder of Security Bulldog, posits a compelling thesis: cybersecurity is fundamentally a human issue rather than merely a technological one. He elucidates how the tools crafted over decades have inadvertently clashed with human nature, resulting in a perpetual struggle against cyber threats. The conversation navigates through Majka's personal journey, shedding light on his evolution from a marketing professional to a cybersecurity entrepreneur, and how his past experiences have informed his current venture. He draws attention to the pressing need for cybersecurity solutions that align with human behavior, emphasizing that traditional methods have consistently overlooked this critical factor. The episode further explores the nuances of product-market fit in cybersecurity, as Majka discusses the challenges faced by security teams in effectively managing alerts amidst a sea of false positives and negatives. This exploration not only underscores the importance of understanding human characteristics in cybersecurity but also hints at the potential for innovative solutions that can enhance operational efficiency by bridging the gap between technology and human interaction.

Takeaways

  • Cybersecurity is predominantly a human issue rather than a mere technological one, as human behavior significantly impacts security outcomes.
  • The lessons from previous entrepreneurial ventures are invaluable, as they shape the approach to new challenges within the cybersecurity domain.
  • Organizations are burdened by an overwhelming amount of data, necessitating tools that can efficiently filter and prioritize relevant information for cybersecurity teams.
  • Successful cybersecurity solutions must align with human nature, addressing the inherent laziness and aversion to delayed gratification that complicate security protocols.
  • The integration of AI in cybersecurity is vital, yet it must be complemented by human oversight to navigate complex decision-making environments effectively.
  • A startup's journey is fraught with ups and downs; founders must maintain realistic expectations and embrace the iterative nature of product development.

Transcripts

Speaker A:

Hello.

Speaker A:

Please meet today's guest, Jeff Majka.

Speaker B:

Human race is bad at cybersecurity because we hate delayed gratification and we're lazy.

Speaker B:

Cybersecurity is hard, requires large amounts of delayed gratification.

Speaker B:

It's just we're always going to be catching up to people, just not giving it the seriousness that they should.

Speaker A:

What happens when a Midwestern marketing guy with zero engineering background spends years inside the world of cybersecurity, watches enterprise security teams drown in alerts they can't trust and decides the whole industry has it backwards?

Speaker A:

He builds a company to fix it.

Speaker A:

That's what.

Speaker A:

My guest today is Jeff Majka, founder of the Security Bulldog, and his thesis is provocative.

Speaker A:

Cybersecurity isn't a technology problem, it's a human problem.

Speaker A:

And the tools we've built for decades have been fighting human nature instead of working with it.

Speaker A:

Jeff is a three time founder who learned the hard way about overhead, about staying lean, about the difference between someone saying they'll sign and the money actually hitting the bank.

Speaker A:

Today we'll talk about AI versus automation in the security space, what it really means to be at step 2.7 of product market fit, and why the most dangerous thing in any security operation isn't the hacker, it's the person who clicks the link.

Speaker A:

Let's get into it.

Speaker A:

Hello, Jeff.

Speaker A:

Welcome to the podcast.

Speaker B:

Hello, Jothy.

Speaker B:

I'm glad to be here.

Speaker A:

I like to set a context for everybody.

Speaker A:

I just like to simply ask, where are you originally from and where do you live now?

Speaker B:

It's actually quite like most people, I bounced around a lot.

Speaker B:

I was born in Rochester, New York, upstate New York, to an Eastman Kodak family of all things.

Speaker B:

We got transferred to Chicago when I was four, lived there till I was 17 and then we moved to London for five years and then I moved to DC to go to college, which was a long, long, long time ago.

Speaker B:

So I'm a Chicago man.

Speaker B:

I'm a Midwesterner.

Speaker B:

That's where I was born and raised and I had my formative experiences.

Speaker B:

So if you ask me where my, where I'm from, I'd say Chicago.

Speaker B:

But there's been a lot of places I've lived and influences.

Speaker A:

I always really liked Midwesterners because I'm one, I'm from Detroit.

Speaker B:

Yeah, there I was, I was watching, there was actually a clip of a comedian who was doing a bit on being a Midwesterner.

Speaker B:

And you can tell, says you can tell a Midwesterner when they go on vacation because at the pool they feel obligated to go introduce themselves to everybody at the pool.

Speaker A:

You remember we called it Pop?

Speaker A:

Yeah, we called it Pop.

Speaker A:

Not, not Coke or soda or whatever.

Speaker A:

We had some unusual names for things.

Speaker A:

So your current startup is called the Security Bulldog and we'll get to that in a minute.

Speaker A:

There were companies and startups before that and I just want you to tell us if there were any things, any formative things that happened in any of those startups, positive or negative, that kind of shaped the way you started the current one.

Speaker B:

That's a great question.

Speaker B:

Well, all of them.

Speaker B:

I think every experience you have leads you to do the next thing a little bit better, hopefully.

Speaker B:

Certainly maybe a little bit different.

Speaker B:

But yeah, I started two companies before that.

Speaker B:

Both of them were professional services companies, but my background's in marketing and business development, PR and web development, all that kind of jazz.

Speaker B:

So yeah, so being an entrepreneur is something that I've been doing for a couple of decades now.

Speaker B:

I've learned a couple of things from the first one and one that is that I hate overhead.

Speaker B:

Yeah, we got a big office and we hired a bunch of people and we had to like shut down that office on a few people when the business didn't work out the way we wanted it to.

Speaker B:

So I learned from that to have sort of maximum flexibility.

Speaker B:

It's very lucky nowadays that you can run a company very skinny, like you don't need a whole bunch of like infrastructure to like especially stand up and run a software company or, or any company for that matter.

Speaker B:

So the lessons I learned from them are definitely applicable now.

Speaker B:

I think the second one was, led me directly to this one because a lot of the clients I had at that marketing agency were cybersecurity companies.

Speaker B:

So working with a wide variety of different cybersecurity companies that were sort of approaching their.

Speaker B:

Approaching the problems they were trying to solve with their solutions were very specific to each one of those different sort of problems they were trying to solve.

Speaker B:

Where it made me sort of forced me to sort of step back and take kind of a 360 degree view of cybersecurity, which has led me into the idea that cybersecurity is a human being problem, not a technology problem.

Speaker B:

And that's why we started the Security Bulldog with a thought to try to create some products that work with human nature, not against it.

Speaker B:

So for me, in my mind, it's just one sort of linear progression of different experiences and opportunities that I've had that have led me to starting this company.

Speaker A:

Do you own a bulldog?

Speaker B:

I do actually own a, an English bulldog who isn't exactly the model for the, for the logo we have, but yeah, his name is McLean, named after John McClane from Die Hard.

Speaker A:

Okay, that's, that's a good one.

Speaker A:

I, I, I like those movies.

Speaker A:

Well, what is it the same dog that you had when you started the company?

Speaker B:

No.

Speaker A:

Okay.

Speaker A:

Are you kind of a bulldog?

Speaker B:

Oh, I don't know if I would, I don't know if I would claim that I'm a bulldog.

Speaker B:

I certainly don't sleep as much as a bulldog.

Speaker B:

A bulldog sleeps about 20 hours a day and I don't think I could do that.

Speaker A:

Yeah.

Speaker B:

I'm a Taurus if that makes, and that makes me want a bull.

Speaker A:

That makes you a bull.

Speaker B:

Maybe that's why we get along so well.

Speaker A:

So you sort of told us a little bit about how the previous one gave you the idea, say a little bit more about what the security bulldog does.

Speaker B:

Okay.

Speaker B:

Yeah.

Speaker B:

I mean it's really, really simple.

Speaker B:

You know, we're trying to lower costs and speed remediation for enterprise cybersecurity teams as well as government cybersecurity teams.

Speaker B:

You know, again, the idea that there's a cup of coffee in the problem and cybersecurity is a weird, unique industry in that when you wake up in the morning, you have no idea what kind of day it's going to be.

Speaker B:

Right.

Speaker B:

It could be an easy day, it could be our day.

Speaker B:

It could be a day when there are no answers and that a lot of time is spent wasted trying to figure out, you know, what's happening, does it affect me and my team and if it does, what do we do about it?

Speaker B:

And that if we're going to move the needle practically in cyber security, like I said, we got to build tools that work human nature.

Speaker B:

And traditionally answering those questions was a human being job.

Speaker B:

Right.

Speaker B:

So that's a person, a group of people had to sit there and go through all sorts of open source intelligence as well as internal telemetry to answer those basic questions.

Speaker B:

And that's a waste of a human's time because the working memory of a human being is seven and then we're just sort of like that at it.

Speaker B:

So we started the company and launched our first product a couple of years ago.

Speaker B:

We know a number of different enterprise teams that are working with us right now and again, it's about speeding up that time to remediation.

Speaker B:

So anytime there's a bottleneck in that process, we want to be the, this is the AI tool that works proactively.

Speaker B:

And there are reasons why being proactive in cyber security is really good.

Speaker B:

And the technology we use is different than most of the ones that most of our listeners, our viewers might be familiar with in that it's not an LLM, it's an NLP, which is a different version of a machine learning app.

Speaker B:

We think that that's a differentiation that's really important, especially in a cybersecurity sense, because it is in cybersecurity is a probabilistic type of industry where you know an 85% good enough evidence to do something, it's, something's bad happened, you need to remediate is good enough like, okay, we're going to go switch what we're doing today.

Speaker B:

So you know, cybersecurity is not like let's say rocket scientists where you know, when you're sending a rocket around the moon, right?

Speaker B:

It's math, right.

Speaker B:

There's a right answer and there's a whole bunch of wrong answers.

Speaker B:

And if you get, if you don't get the answer right, the rocket's going to miss the moon.

Speaker B:

So, so cybersecurity is not like that.

Speaker B:

It's a probability exercise of how do you reduce the risk of something bad happening.

Speaker B:

So very simply, we're trying to reduce costs and speed remediation for enterprise cybersecurity teams.

Speaker B:

And again, the way we think of it is not replacing human beings.

Speaker B:

We think of teams of humans and teams of AIs working together to help solve these difficult problems.

Speaker A:

When I think about one of the best ways to start a company, if it's possible, and it's not always possible, is to start off where you can be self funded because you're professional services.

Speaker A:

But professional services only has a margin of gross margin of maybe 35%.

Speaker A:

And so while you're doing professional services, and I think you've implied this is what happened, you start figuring out, oh, this customer and this customer and this customer all needed me to do the same thing.

Speaker A:

So I'm going to make a tool that does that.

Speaker A:

And then you slowly convert yourself into a software company where the margins are 80% and higher.

Speaker A:

I was able to pull that off once.

Speaker A:

And the nine startups that I did, in your case, it sounds like you might have figured out what tools were needed with the previous one, but then you sort of started something brand new, the security bulldog, and created the tools that you'd learned about in the previous one.

Speaker A:

So it's.

Speaker A:

Is that, do I have that right?

Speaker B:

Yes.

Speaker B:

Yeah.

Speaker B:

And I think that, you know, going in and you know, the difference between a professional services company, a software company are pretty, you know, are pretty obvious.

Speaker B:

But I think knowing, knowing the, the industry specifically, but I think it's more general.

Speaker B:

I think we all have spent the last 10, 20 years coming up with these content consumption kind of procedures or processes, right?

Speaker B:

So whether it's, you know, sports or whether politics, you know, we have all these feeds and these, all this scrolling that we do, like we've been using our brains to ingest all this stuff.

Speaker B:

And you know, in:

Speaker B:

There wasn't that much stuff to consume, right?

Speaker B:

So 20 years later, I think it's becoming a bit of an untenable situation for the way that I collect information.

Speaker B:

The way that you collect information, the way everybody collects information, which is trying to scan through all this stuff.

Speaker B:

It's.

Speaker B:

But you bet it's a terrible use of your time, right?

Speaker B:

Why are we, why are we, why are we requiring ourselves to show how smart we are by consuming all this stuff?

Speaker B:

Now reading and it's good for you and consuming stuff and learning and all that kind of stuff, but there's a point where you've learned what you need to know out of this and everything else is kind of extraneous and it reduces, you know, a cognitive load increases, increases, increases the amount of stuff you got to review, which reduces your ability to make decisions, which just increases your performance.

Speaker B:

So I think all, everybody on earth is kind of wrestling with the same basic problem of there's too much stuff and you can't go through it all.

Speaker B:

And so in a cybersecurity specific sense, obviously that's very bad.

Speaker B:

Expensive things can happen and there's trillions of dollars of actual active persistent threats that are trying to break into stuff and steal things and break, destroy our sort of national security and everything else.

Speaker B:

So you think about cybersecurity and the cat and mouse game that's going on in that, that seemed like a place where that universal problem is very acute and people are very much aware of it.

Speaker B:

And for my discussions with everybody in cybersecurity over the past, in my professional services kind of sense, it was still kind of the idea that like, we don't need more stuff, we don't need more data, we don't need more information, we need better, quicker answers, right?

Speaker B:

We need to like decide like, okay, what do we need to do right now?

Speaker B:

So I think when we, when we think about cybersecurity and the applications of, is, hey, these guys need to make faster decisions they're slowing down because they just, or overwhelmed by the amount of stuff they have to.

Speaker A:

And when I visited the NOCs of some, you know, fairly big companies, we've got quite a few here in Boston.

Speaker A:

Akamai is here and Fidelity, very different companies, but they both have very significant NOCs.

Speaker A:

One of the things that they were complaining about a lot is tons and tons of false positives and, and also tons of tons of false negatives.

Speaker A:

So they, they just had red lights like all over the place and they got to be very good.

Speaker A:

I would say.

Speaker A:

Aren't you worried there's.

Speaker A:

You got so many red lights and they say no, no, no, we, we're, we're good at pattern matching and when you see those patterns, it's fine.

Speaker A:

You know, it's, I, it just sounded crazy to me though that they're, you know, they're ignoring all of these negative signals from all of their systems because they, they've just learned that they're not reliable.

Speaker A:

Sorry for the interruption, but in addition to the podcast, you might also be interested in the online program I've created for startup founders called Who Says You Can't Start Up. In it, I've tried to capture everything I've learned in the course of founding and running nine startups over 37 years.

Speaker A:

It's four courses each one about 15 video lessons plus over 130 downloadable resources across all four courses.

Speaker A:

Each course individually is only $375.

Speaker A:

The QR code will take you where you can learn more.

Speaker A:

Now back to the podcast.

Speaker A:

What?

Speaker A:

You're going to say something?

Speaker B:

No, I mean it's true.

Speaker B:

I mean they, you know, how do you.

Speaker B:

And even to the fact of how do you prioritize which signal to pay attention to based on your pattern recognition.

Speaker B:

An environment when you probably don't even know what's entire.

Speaker B:

What's your, what's in your network.

Speaker B:

Right.

Speaker B:

You get shadow IT.

Speaker B:

You have engineers standing up stuff in cloud services that you don't even know about.

Speaker B:

So you think, you think all the, you know, you think this dashboard is the.

Speaker B:

Reflective of the, the risk when it's not really actually even if you, even if you are really good at detecting the false negatives and false positives because there's still stuff that's happening that's not going to show up on your.

Speaker B:

And that's again the problem.

Speaker B:

One of the problems with using traditional cybersecurity tools is they're based on the databases and RSS feeds and the world changes faster than a database can be updated. Right.

Speaker B:

So again, one of the reasons why we like an NLP model for this is there's no database.

Speaker B:

Right.

Speaker B:

It's just scanning through the real world as fast as possible in real world time and is making recommendations based on real world time.

Speaker B:

Now, again, like, we're not replacing anything.

Speaker B:

Right.

Speaker B:

We're not replacing any people, we're not replacing any of your tooling as of right now.

Speaker B:

So we want to connect into what you already have and make it work better, faster, quicker.

Speaker B:

And reducing the amount of false negatives and false positives is a great first start.

Speaker B:

And using a tool like ours to curate all that open source, you are getting better signal to noise ratio.

Speaker B:

I think those are all really good steps.

Speaker B:

But again, it's, it's in cybersecurity.

Speaker B:

Like it's not going to go away.

Speaker A:

Yeah.

Speaker A:

Just to go back and finish.

Speaker A:

So the cybersecurity company that I have is a, it's a hardware based cybersecurity solution for protecting the processors in embedded devices.

Speaker A:

And basically it's watching every instruction and its secret sauce is it's able to tell if that instruction is legitimate or is coming from a cyber attack and then it can take action.

Speaker A:

But it's not for the big data centers, it's for embedded devices.

Speaker B:

Yeah, we got started everywhere too.

Speaker A:

Oh, yeah.

Speaker A:

Well, 98% of the computers in the world are in embedded devices so.

Speaker B:

Well, relevant to the last month's activities.

Speaker B:

I don't suppose those PCs and the Iranian nuclear plants are still functional.

Speaker A:

No, but the Iranians are.

Speaker A:

We knew they were really good at this.

Speaker A:

They're very good at cyber attacks.

Speaker A:

And so.

Speaker B:

Well, CISA just went on alert yesterday about.

Speaker B:

We'll see how.

Speaker B:

So when, when people read this, they'll see whether the truth actually holds.

Speaker B:

But.

Speaker B:

So we don't want to give away current events in this podcast, but no, I mean, it's.

Speaker B:

And again, like, cyber security is not like any other industries where it's fair.

Speaker B:

You know, competition is fairly, you know, innocuous and not violent.

Speaker B:

Right.

Speaker B:

Cyber security, like they're actively trying to hurt each other.

Speaker B:

We're, you know, they're actually trying to hurt the United States and our companies and Chinese and everything else.

Speaker B:

When you talk about advanced persistent threat beyond just what a greedy ransomware gang is.

Speaker B:

And, you know, you can spend years and years and years thinking about the overlap between all of that.

Speaker B:

Yeah.

Speaker B:

I mean, so it becomes a situation where you can say, well, you know, isn't everybody dumb for all the dumb things they do?

Speaker B:

But it's really, really important. Right.

Speaker B:

And it's really, really important that we build tools that help folks do this as quickly as possible and, you know, manage the risk as best as possible.

Speaker B:

Because it is super serious.

Speaker B:

Right.

Speaker B:

We're not selling Cheerios or sneakers to people.

Speaker B:

Right.

Speaker B:

It's an actual cyber security, like it's an actually important part of what, what our society is trying to do.

Speaker A:

Yeah.

Speaker A:

And it's, I think for, for a lot of people who use AI for their, for whatever they're doing in their, in their daily work.

Speaker A:

I'm not talking about cybersecurity for a second.

Speaker A:

One of the things that everybody knows that AI is really good at is, and I use it for this constantly is to summarize things to, you know, I get a, I have a chapter in a book that I'm writing and you want to have three bullets at the beginning of the book that give you the three most salient things about that chapter.

Speaker A:

And instead of go back and going back and reading your own writing, you just hand it to Claude and Claude comes back with the perfect three bullets.

Speaker A:

And you could, so it's easy to, to see how that could be really useful in what you're talking about.

Speaker A:

Looking through tons of data, pulling out patterns or facts that are important and running with it.

Speaker A:

Flip that around for a second if, if you will.

Speaker A:

And, and maybe this, this is not your area of expertise, but, but I suspect could be, and that is bad guys are going to be using, or already are using AI as well.

Speaker A:

And, and how are they using AI?

Speaker B:

Well, I think I'm the exact same way.

Speaker B:

Right.

Speaker B:

So, you know, so we're talking about AI a lot, but it's also automation.

Speaker B:

Right.

Speaker B:

So what's automatable and what's aiable, Right.

Speaker B:

In cybersecurity, def on the defenders.

Speaker B:

Right.

Speaker B:

That's an open.

Speaker B:

Right.

Speaker B:

The easy stuff can be automatable, but as soon as it gets hard and difficult, it's hard to automate stuff, which is why human beings aren't going to disappear.

Speaker B:

Right.

Speaker B:

Because the more difficult it is, the more political it is, the more it's a human grade decision.

Speaker B:

So it's automatable.

Speaker B:

On the offensive side, they've been using automation and defenders have been using automation for a while now.

Speaker B:

And AI just I think helps them, helps them try to scale, you know, the attacking side of stuff.

Speaker B:

And whether it's scanning for ports or scanning for things, you know, you know, and you know, hallucinations in LLMs, from what I've heard anecdotally from some of the threat hunters is affecting them just as much as it is us.

Speaker B:

And that, you know, they're trying to use AI to, you know, write phishing emails and it's got spelling errors and blah, blah, blah, blah.

Speaker B:

Right.

Speaker B:

So I think that, you know, the experimentation happens on their side at the same rate that happens on ours.

Speaker B:

But I think that, you know, they're, they're definitely 100% innovative and try, you know, especially the government funded ones.

Speaker B:

Right, right.

Speaker B:

That's why they're, that's why, you know, all these AI companies are doing deals with different government contractors and is to, is to get as much power as we can to defend ourselves against this kind of thing.

Speaker B:

But again, I think that searching for the weak ones in the herd essentially a lot of what just a ransomware gang who's in it for the money, they're just scanning for the school district that doesn't have their passwords done properly or scanning for somebody who just clicks on a phishing email.

Speaker B:

Right.

Speaker B:

It's still dumb stuff like phishing emails that work all the time anyway.

Speaker B:

Right.

Speaker B:

So you talk about all this esoteric, interesting, you know, threads and they are.

Speaker B:

But all the basic stuff, right.

Speaker B:

From my hacking perspective still work.

Speaker B:

Right.

Speaker B:

People don't change their passwords.

Speaker B:

Right.

Speaker B:

They click on links they shouldn't click.

Speaker B:

Right.

Speaker B:

They answer phone call information when they should give it.

Speaker B:

Right.

Speaker B:

It's still the hu.

Speaker B:

Right.

Speaker B:

The user's still the problem, the individual still the main problem.

Speaker B:

And half the problem with AI, right, is people up chucking, you know, personal and you know, PII into, you know, OpenAI.

Speaker B:

Right.

Speaker B:

People are, you know, doing dumb things because they're people and that's what people do.

Speaker B:

So.

Speaker B:

Right.

Speaker B:

So it's, it's, you know, in a lot of these kind of, in a lot of these kind of situations like cybersecurity is never going to go away because we're, we're terrible at it.

Speaker B:

Right.

Speaker B:

You know, the human race is bad at cybersecurity because we hate delayed gratification and we're lazy and cybersecurity is hard, requires large amounts of delayed gratification.

Speaker B:

Right.

Speaker B:

So it's just, we're always going to be catching up to people just not giving it the seriousness that they should.

Speaker B:

And you know, that's why it always pays off.

Speaker A:

So you're in D.C. are you finding that most of your customers are government customers?

Speaker B:

We have not had a government customer yet.

Speaker B:

I've worked with a large number of government contractors and technology companies selling into the government.

Speaker B:

So I know it really well.

Speaker B:

We Just, you know, we've had to focus our limited resources on what, what's, what's going to move the needle quicker from, like, from like a product development feedback loop and from a sales loop.

Speaker B:

So we've been focused on selling into the commercial side.

Speaker B:

So yes, it's something we want to do and finding the right partners or we've had lots of, and lots of ongoing conversations with all the departments and so but we just haven't really been able to focus on that.

Speaker A:

So.

Speaker A:

Well, speaking of, okay, so commercial but small company, we all have to make sure that we're efficient with our marketing and so we find a very narrow niche, you know, a nice narrow target vertical market.

Speaker A:

What have you, what have you picked as your target vertical?

Speaker B:

Well, I think it's important as a startup founder, not pick anything, right?

Speaker A:

No, I don't mean pick.

Speaker A:

I mean you've talked to customers and then you've, you've gotten the feedback and then you've selected this one.

Speaker B:

Yeah, I think you test out some, you test out some messaging, you have some theories, you figure out who responds to that messaging.

Speaker B:

Generally speaking, those who have signed up for us to date is the way I'll put, I'll phrase it.

Speaker B:

I call them chief information security officers with teams less than 50, so kind of like the, I call them mid market companies.

Speaker B:

So.

Speaker B:

And again like there's a level of cyber security maturity level there where you're not selling cyber security, right.

Speaker B:

You're trying to sell the improvements in something that's already been invested in.

Speaker B:

So you know the guy running cybersecurity for credit union, right.

Speaker B:

So he's got 10 guys, million dollar labor budget, probably a million dollars in software spend.

Speaker B:

Right.

Speaker B:

This is a thing to be optimized.

Speaker B:

You know the idea that like hey, 20% of your labor cost is being wasted with them looking up stuff on the Internet and doing Boolean searches in a browser, tabs, right?

Speaker B:

That's dumb.

Speaker B:

Let's free up, that's, hey, let's free up time for them to do more high value things to manage their risk better or you know, get more work out of, you know, the same resources depending on the type of company.

Speaker B:

So for us, those are the ones that have been signing up for us and you know, are filling up our, our pipeline.

Speaker B:

There's a couple MSPs we've worked with, like I said, there's a couple government customers that we've been talking to.

Speaker B:

But generally speaking, that kind of mid market, medium sized security team, which kind of makes sense, right?

Speaker B:

They, you know, they have limited resources, they do everything can be optimized.

Speaker B:

How can we help them with their decision making and make better, faster decisions so they can remediate all this stuff and keep on top of it.

Speaker A:

So it sounds like you're kind of well along to proving or maybe you feel like you have proven product market fit.

Speaker B:

I think, you know, my joke is if product market fit is a three step process, we're on step 2.7.

Speaker B:

Like we're kind of almost there.

Speaker B:

Like we have early revenue, we have early investors, you know the products.

Speaker B:

We're still iterating on integrations, we're still iterating on features, we haven't.

Speaker B:

You know, I'd like to see more activity.

Speaker B:

You know, last year, I think from a messaging differentiation standpoint, last year being an AI cyber security company was really interesting and, and it, it didn't knew.

Speaker B:

I think this year it's everybody and their mom has a AI company.

Speaker B:

So really thinking about our value and how to, how to actually measure in a real world situation, you know, a 40% reduction in mean time to remediate or 70% reduction in mean time to remediate and get three or four of those sort of testimonials and then be able to go to the market and be like hey, we've done this before.

Speaker B:

Here's your peers.

Speaker B:

Here's an example from Bob at XYZ company.

Speaker B:

You know, here's an example of this SOC team that, you know, reduced their tickets by half and reduced their remediation time by XYZ.

Speaker B:

If we can make real strong statements and have real strong evidence and use cases around that, then I think we're there and we're doing a lot of those POCs and you know, testing design partner stuff right now.

Speaker B:

So.

Speaker B:

Yes.

Speaker B:

So could we have product market fit but a quarter?

Speaker B:

Yeah, I think so.

Speaker B:

But I'm cautious.

Speaker B:

I'm a 50 year old founder, not a 20 year old founder.

Speaker B:

So I'm.

Speaker B:

Until we're, until we're absolutely sure.

Speaker A:

Well, product market fit is an interesting process.

Speaker A:

I had a Lighthouse customer, they paid us a million and a half dollars for the right to be a Lighthouse customer for us.

Speaker A:

And we worked really hard with them.

Speaker A:

They were a huge company to integrate what we had built, which was hardware design into their chips.

Speaker A:

And that process took almost two years which is really where the challenge for a startup comes.

Speaker A:

And then that took long enough that they did a reorg and they reorged our champion right out of the company.

Speaker A:

And that was the end of being a Lighthouse customer.

Speaker A:

And we, we were I felt like we were heading for product market fit.

Speaker A:

Even though we had focused all of our attention on one customer, we had been talking to others.

Speaker A:

So we were sure that this, what they did was the same and we could anyway it, but it all fell apart because we lost that one.

Speaker A:

And so product market fit is something, it's good to be very cautious.

Speaker B:

Well, I mentioned it before like, you know, until, until the money hits the bank.

Speaker B:

Like it's just talking, it's just people talking, right?

Speaker B:

So you know, you gotta be, you know, we've all in the call about like bad beats.

Speaker B:

Like we, you if you're in business development and sales, you have any number of bad beat stories that you tell over, over a beer with your fellow founders and you know, you know, I mean so yeah, so I mean, yeah, people say things and there's plans are made but you know, they're, you know, until, until the deal's done and money's in the bank and they're happy, you know, there's no way that you can actually tell.

Speaker A:

That, that statement you just made is the definition of the difference between a 50 year old and a 20 year old founder.

Speaker A:

Because the 20 year old founder is, is.

Speaker A:

I'm, I don't mean to overgeneralize but is likely to be very happy with it, with the deal even before they've, they've sent you the money.

Speaker B:

Well, I mean, you know, track, you know, start off right, there's going to be track, you know, traction is whatever you got, right?

Speaker B:

If your traction is, hey, we've got three design partners and we've been reaching out to people and we've talked to 20 people, right?

Speaker B:

That's your traction and that's what you have your parade on, right?

Speaker B:

Like you got to pump up whatever you've been able to achieve at that point.

Speaker B:

Having paying customers and having repeat paying customers and having a load.

Speaker B:

We're a SaaS company so everybody knows what those metrics look like.

Speaker B:

So when you get to that point we're like, okay, we hit all these data points, okay, Then you can say you have product market fit, but if you don't, then you don't and you still have work to do.

Speaker B:

And so, and again like half of it's messaging, half of it's, you know, the structure of cybersecurity teams is changing from AI companies like mine.

Speaker B:

So even what we call ourselves is still kind of even up in the air.

Speaker B:

So you know, we're not, you know, it's not a situation where it's a mature market where we know exactly what we're saying.

Speaker B:

It's still a bit of an evolving, right, that evolving segment of, of AI and cybersecurity.

Speaker B:

So what do we even call it is still kind of up in the air.

Speaker A:

And there's, I mean you, you mentioned also that there's a lot more companies that are saying AI cybersecurity in the same, in the same sentence.

Speaker A:

But what one of the things I've noticed in a lot of cases, I'm, I'm well aware that someone didn't change their product but they suddenly became an AI company and.

Speaker A:

Well, I was going to say it may be that they have automation and people do sometimes confuse automation with AI because I can write a deterministic program that looks at some data and crunches it and, and, and gives you an answer, and that is not AI.

Speaker B:

Yeah, yeah, yeah, I think that's exactly right.

Speaker B:

And I think, you know, especially in, and in cybersecurity, you know, AI, you know, automating stuff has been around for a while, which is troublesome because you always want to, you know, and so like the easy stuff is easy, right?

Speaker B:

So, oh, Chrome, there's a Chrome zero day, there's a billion people use Chrome.

Speaker B:

So it's bad things.

Speaker B:

Every updates Chrome, which happens relative.

Speaker B:

You don't need anybody's permission to update Chrome.

Speaker B:

And so it just happens, right?

Speaker B:

So it's a big problem, but it's relatively easy and even sort of automatable, right?

Speaker B:

So you know that, that those kind of examples where it's.

Speaker B:

There's an easy, it's ubiquitous, it's a problem, but it's easy to solve, right?

Speaker B:

That can be automated and there are automated tools there for all that kind of stuff.

Speaker B:

But the other, other two categories which are it's a hard problem but with a known answer.

Speaker B:

But you can't do it for non cybersecurity reasons.

Speaker B:

You can't do it because of political reasons.

Speaker B:

Right?

Speaker B:

You can't, right?

Speaker B:

There's still.

Speaker B:

Right.

Speaker B:

The D.O.

Speaker B:

Department of War just put out a directive signifying that all these, there's a bunch of like, you know, there's thousands and thousands and thousands of legacy servers that they haven't shut down that are just sitting out there, right, connected to everything because they're.

Speaker B:

And they're not serviced by anybody.

Speaker B:

And the company that made them in the 70s doesn't, you know, support them anymore.

Speaker B:

And you know, aside from the whole COBOL, you know, the whole COBOL engineer that they have to pay, right, they're, you know, they haven't done it because it's expensive.

Speaker B:

Right.

Speaker B:

It's a political.

Speaker B:

It's not done for political reasons, which are human reasons.

Speaker B:

Right.

Speaker B:

And then there's the third category, which is there are no answers.

Speaker B:

Right.

Speaker B:

A zero day happens.

Speaker B:

Right.

Speaker B:

Log4j, SolarWinds.

Speaker B:

Right.

Speaker B:

There's something that happens.

Speaker B:

It's going to be a festering wound for the rest of time.

Speaker B:

Right.

Speaker B:

Basically.

Speaker B:

And you know, what do you.

Speaker B:

Right.

Speaker B:

That's just.

Speaker B:

And it's going to be on and on and on and on and on.

Speaker B:

Then you're going to have to pay attention to it forever and ever and ever and ever.

Speaker B:

And so the easy hard don't exist.

Speaker B:

Those are all stacked on top of each other.

Speaker B:

And if you're a cybersecurity practitioner or a cybersecurity team, like you're dealing with all of those stacked things which every day gets, the stack gets bigger and bigger and bigger.

Speaker B:

So, yeah, automation, absolutely.

Speaker B:

But where and when and what happens when it breaks?

Speaker B:

Right, Right.

Speaker B:

So you're always.

Speaker B:

Everything you build in cybersecurity is always going to be battle tested by, you know, normal human stupidity, normal software entropy and the fact that there's active adversaries who are trying to break everything.

Speaker B:

So, so, yeah, so what's a what?

Speaker B:

So.

Speaker B:

And I think that, well, I think that people know a lot more about AI than they did a year ago or even two or three years ago.

Speaker B:

You know, when we started the company, we had to call it machine learning because nobody wanted to talk about AI because that was chatbots and that was a, that was a failed thing.

Speaker B:

Which again proves the adage of you're never wrong, you're just early right in, in the world.

Speaker B:

So we were wrong five years ago and now we're right now.

Speaker B:

So, you know, that'll change, I'm sure, and play back around.

Speaker B:

But yeah, so I, but I think that, like, you know, I think people are still, you know, trying to figure out just exactly what does this all mean in a practical, real world, people go to work on a sentence.

Speaker A:

Hi.

Speaker A:

The podcast you are listening to is a companion to my recent book, Tech Startup Toolkit: How to Launch Strong and Exit Big.

Speaker A:

This is the book I wish I'd had as I was founding and running eight startups over 35 years.

Speaker A:

I tell the unvarnished truth about what went right and especially about what went wrong.

Speaker A:

You could get it from all the usual booksellers.

Speaker A:

I hope you like it.

Speaker A:

It's a true labor of love.

Speaker A:

Now back to the show.

Speaker A:

I'm going to get to my, my last question for you.

Speaker A:

And that is.

Speaker A:

And it's, it's, we're not talking about cybersecurity anymore.

Speaker A:

And everyone else who's a startup founder I've ever met has a lot of grit.

Speaker A:

In fact, I think it's a requirement.

Speaker A:

And, and by what I mean by grit is resilient, a lot of fortitude, very determined, a lot of drive and courage.

Speaker A:

And that's probably the most important attribute.

Speaker A:

So I would like to ask you to tell us where obviously you have grit.

Speaker A:

And so where do you think it comes from?

Speaker B:

I don't know.

Speaker B:

I don't know.

Speaker B:

I mean, I think it's, I think you've developed more grit as you go along.

Speaker B:

I don't think you start with a full tank of grit, if that's the right metaphor.

Speaker B:

No, I don't know.

Speaker B:

I'm, you know, I just, you know, I think that you just keep going.

Speaker B:

I think being an entrepreneur, you know, being, you know, when you start your own company and like you're in charge of your own payroll, right, That's a terrifying prospect for a lot of people.

Speaker B:

And I think just, you know, the trade offs of like, hey, you know, you're your own boss, which is good.

Speaker B:

Bad points, because I'm probably not that great at boss, but I'm not, you know, and then you're on, you're your own employee.

Speaker B:

Especially in the small one where you're doing both roles, I think it's just, you know, you just keep going.

Speaker B:

And I think that, you know, I like talking to people.

Speaker B:

You know, my two skills are basically like cocktail party winner with tea, witty banter and just keep going.

Speaker B:

Perseverance.

Speaker B:

Like it just keep going.

Speaker B:

People just skip.

Speaker B:

You know, I need to hear stories about what's the story about Harrison Ford.

Speaker B:

You know, everybody goes to Hollywood, all these actors every year, there's like a batch of actors that could show up in Hollywood and most of them wash out because they just give up, right?

Speaker B:

rs who like showed up in like:

Speaker B:

And into all these auditions and he didn't get hired and he hired and he get hired.

Speaker B:

And they were like, oh yeah, weren't you here like two years ago?

Speaker B:

And he's like, yeah, I've been here the whole time.

Speaker B:

And he started getting blah, blah, blah.

Speaker B:

But it's, it's, I think it's most people just, they have a timeline expectation which is kind of unrealistic, which Every startup founder falls into that trap of creating a timeline in your mind, right?

Speaker B:

And being a startup founder is difficult a lot of different ways.

Speaker B:

The main reason is psychological, that you trick yourself into creating expectations which are unrealistic, and then you're disappointed when they don't happen.

Speaker B:

So, you know, trying really hard not to put myself mentally in the situation where I keep on making myself unhappy because the timelines I've created, my artificial confines that created, I had, don't come true.

Speaker B:

So I think that's, that's basically it.

Speaker B:

You know, I think there's a lot of startup founders, I think the community, there's a lot of books written, there's a lot of resources like, you know, keeping a sense of humor.

Speaker B:

I think that, you know, I've always had a sense of humor about this and everything I do, which, you know, gives you a little bit of objectivity on it.

Speaker B:

But yeah, I, you know, I think that, you know, I think you just keep going, right, and whether it works.

Speaker B:

And again, it's an experiment, right?

Speaker B:

You're testing a thesis.

Speaker B:

So putting yourself in the mode of, I'm a scientist and I'm testing this thesis and it may work, it may not, and it's a startup, it's probably not going to work, and that's okay.

Speaker B:

And there's, you know, my status as a human being is not tied up in this experiment.

Speaker A:

But thinking back to the first one that you started, because that's not normal, right?

Speaker A:

I mean, if you think about all the people in the, in the United States, yeah, there's plenty of startup founders, but the percentage of people that start a company is, is very slim, very low.

Speaker A:

And, and so you did that.

Speaker A:

And like, was that, was that in your upbringing, did that, you know, was that.

Speaker B:

No.

Speaker B:

And so, you know, I, my dad worked for a big, a big American company like you were supposed to do in the, in the 50s and 60s, 70s and 80s.

Speaker B:

So.

Speaker B:

Yeah, no, definitely not that.

Speaker B:

I just, I don't know, I.

Speaker B:

Maybe it's, you know, as a son, you're subtly or not so subtly trying to reject what your, what your parents do.

Speaker A:

Yeah, I did that.

Speaker B:

Yeah.

Speaker B:

So I think that's maybe thrown in there.

Speaker B:

No, I think that, you know, when I, so I went to school poli sci in D.C. like most people do, but I quickly switched to economics just because I realized that that was a better explanation for what was going on.

Speaker B:

And so business and looking at business is something that I was always interested in.

Speaker B:

My grandfather actually was a followed like the stock market and so when I was like 10 years old, like he had like stacks of like the Wall Street Journal and Barron's and he had like graph paper all over his walls and he would like graph S&P futures.

Speaker B:

And so he sat me down and taught me what stocks were and bonds were, dividends were.

Speaker B:

And and I always thought that was really interesting and fascinating.

Speaker B:

So like I was always, it was always around me like is, it is a thing that was interesting to me personally.

Speaker B:

And then you know, out of college I worked for, you know, a small advertising agency that was run by two guys.

Speaker B:

And so seeing a successful small business just made sense, right?

Speaker B:

And you know, we had, we.

Speaker B:

My mom had made me do kind of an Apple coding class in like eighth grade.

Speaker B:

So I knew how to code Apple BASIC.

Speaker B:

And so when websites were so.

Speaker B:

And again, just lucky timing.

Speaker B:

Like, so when websites were becoming a thing, they were in HTML, right?

Speaker B:

And so I was like, well that.

Speaker B:

So I looked at it, I was like, well that's basically BASIC.

Speaker B:

It's more complicated, but it's basically BASIC.

Speaker B:

So I learned how to make a website, right?

Speaker B:

Just because I knew how to code, right?

Speaker B:

And I was the only person in:

Speaker B:

So I made the website and I started making websites for their clients.

Speaker B:

which if you remember back in:

Speaker B:

And it took forever to make one.

Speaker B:

So that was my first business with my business partner back then was made websites back in the late 90s when you, everybody had to have a website.

Speaker B:

So it was, it was a great business for like two or three years until the dot com crash.

Speaker B:

And that's why we went out of business.

Speaker B:

So that's why I hate overhead because we thought that that would go on forever.

Speaker B:

Lesson one, not going to go on forever.

Speaker B:

But yeah, so I just sort of rolled into it.

Speaker B:

So, you know, it just didn't.

Speaker B:

It never seemed like that huge jump of what was, was previous and new.

Speaker B:

It just seemed logical.

Speaker B:

Like we worked for two guys that started their companies when they were in their late 20s and okay, we'll just start our own thing.

Speaker A:

The reason I ask this is because I think it's really interesting to people listening entrepreneurs, people who are thinking about doing a startup maybe and when they realized that, okay, I could be like him, I could be, I could do that, you know, and, and so I think it's really helpful to people.

Speaker B:

And I, I also, the other data point that that was, that influenced me was right around the late 90s is when Netscape went public.

Speaker B:

And that was like a huge deal.

Speaker B:

Like Netscape IPO'd for like, you know, $20 million or something like that.

Speaker B:

And again, like a guy like me who was my age could be curious and create this thing and didn't need to go through all these institutional hoops, right?

Speaker B:

That wasn't going to be beaten down by some big corporate America that they could build a thing and have people sell it off the Internet and gather all that, you know, success and wealth for himself and his team.

Speaker B:

Right.

Speaker B:

The fact that that was, that was possible, not only possible was happening.

Speaker B:

Right.

Speaker B:

That was a big inspiration.

Speaker B:

Now it took me 20 years to start my own software company.

Speaker B:

But that was always, you know, that always was like, that opened up a realm of possibility in my head that took me a long, long, long time to do because I wasn't a, wasn't an engineer.

Speaker B:

So coming at it from an opposite side was an advantage and a disadvantage.

Speaker B:

But yeah, so I mean it just, those were the things where it just seemed not normal.

Speaker B:

It's not.

Speaker B:

But normal ish.

Speaker A:

Normal ish.

Speaker A:

Good story and I think it's going to be really interesting to people.

Speaker A:

And Jeff, I want to thank you for this great conversation.

Speaker B:

Well, I appreciate it.

Speaker B:

And you know, if anybody's thinking about becoming an entrepreneur or founder and you know, you know, a VC backed startup founder is a very specific, tiny amount of what entrepreneurship actually is.

Speaker B:

And there's lots of different ways to do it that are, I think are really, really awesome.

Speaker B:

And taking, you know, taking advantage of the opportunities you have, if this is something you want to do is something that you'd absolutely do, you can do it and you should do it.

Speaker B:

It's really, really difficult and terrifying sometimes, but you know, I think it's worthwhile and you know, I can barely, barely imagine how it would be if I hadn't been an entrepreneur.

Speaker A:

Well, thank you for that and thank you again for being on this show.

Speaker A:

Appreciate it.

Speaker B:

Well, I appreciate the opportunity and looking forward to the next time I come on.

Speaker A:

Now for your toolkit takeaways.

Speaker A:

Item one, your previous company is tuition, not failure.

Speaker A:

Jeff didn't start The Security Bulldog despite his earlier businesses.

Speaker A:

He started it because of them.

Speaker A:

The patterns he saw across dozens of cybersecurity clients became the insight that launched his next product.

Speaker A:

Whatever you're building right now is teaching you what to build next.

Speaker A:

So pay attention.

Speaker A:

Item two, until the money hits the bank, it's just conversation.

Speaker A:

Jeff put it simply.

Speaker A:

He's collected plenty of bad beat stories where deals felt certain and evaporated.

Speaker A:

Experienced founders celebrate signed contracts and cleared payments, not promising meetings.

Speaker A:

Build your pipeline wide enough that no single yes can make or break your quarter.

Speaker A:

Item three, artificial timelines are self-inflicted wounds. Jeff's biggest psychological battle as a founder is the gap between the timeline he imagined and the one reality delivers.

Speaker A:

Treat your startup like a scientific experiment.

Speaker A:

You're testing a thesis, not executing a destiny.

Speaker A:

When the timeline shifts, that's data, not defeat.

Speaker A:

Now go look at the expectations you've set in your own head for the next 90 days and ask yourself honestly, which ones are grounded in real signals from real customers and which ones are just hope and then adjust accordingly.

Speaker A:

And that is our show with Jeff.

Speaker A:

The show notes contain useful resources and links.

Speaker A:

Please follow and rate [email protected] designingsuccessful startups.

Speaker A:

Also, please share and like us on your social media channels.

Speaker A:

This is Jothy Rosenberg saying TTFN, ta-ta for now.
