Episode 101: Creating Value Through Trust with Alex Manea
John Prial: For those of you who received a recent newsletter for Georgian Partners, you'll see that we introduced some of our newest hires. Now, for those of you who haven't seen the newsletter, please go to our website and subscribe. Our monthly digest is quite rich. I particularly recommend the "What Are We Reading" section. These are curated articles that'll keep you informed about some of these foundational technological shifts that will affect your business and that we talk about here on the podcast. So in that newsletter, we highlighted our Chief Security and Privacy Officer, Alex Manea. Alex comes to us from BlackBerry, where his last position was that of chief security officer. And although I'm a bit of a Jeopardy fan, I should note that in 2015, Alex was a winner of CBC's Canada's Smartest Person award. So Alex and I sit down for a wide-ranging chat, where we talk about risk, privacy, B2C versus B2B solutions. We'll also get into different types of security attacks and how to protect your business. And we'll close on how a business should be preparing for this new world that intersects fairness, value and trust. I don't know, is it ever safe to put your foot in the water? Of course, it has to be. I'm John Prial, and this is the Georgian Impact Podcast. So welcome to the show, Alex, we're glad to have you here.
Alex Manea: Thanks a lot. Great to be here.
John Prial: I think I'd be remiss if I didn't talk to you about your transition, where you were the chief security officer at BlackBerry, and here you are in this world of private equity. Tell me a bit about yourself as part of this Georgian Partners Impact team. How do you see yourself scaling, in terms of helping companies? How do you see yourself learning from companies? How do you see yourself learning from academia? What is your world like? I'm sort of fascinated by this.
Alex Manea: Sure. So my world is really, really interesting. And I like to say every day is an adventure and that's what makes me always happy coming into work. I get to learn something new every day and I get to work on different projects every day, which is really cool. In terms of transitioning from BlackBerry to Georgian Partners, it's actually been a pretty smooth transition because when I was at BlackBerry, ultimately I was leading the company's direction when it came to cybersecurity. And in many ways I'm doing the same thing here at Georgian Partners. My role is ultimately to look after the trust thesis and to help our portfolio companies adopt this thesis. At the same time though, I also get to see a lot of new types of companies in the cybersecurity space. So for instance, I was at the RSA Conference earlier this year. I think I had 35 meetings with different companies. So I got to see a lot of new types of technology, a lot of innovation out there. And then I also have the classic CSO role where my job is ultimately to protect Georgian Partners from potential attackers. So every day is an adventure and it's always fun.
John Prial: So although, I guess there's a lot of time between now and 2020, everything in the paper now is telling us the United States Census for 2020 is going to go digital. Now there's hacking stories left and right all the time, whether it's government being hacked or businesses being hacked. So do you think it's time? Is this a good idea?
Alex Manea: I mean, I think ultimately, it's an inevitable idea. Ultimately things are going to go digital. And if we say it's not time yet to go digital, if we start taking the old-school Luddite approach, and basically say we shouldn't put things on the internet, we're going to fall backwards. And ultimately what I think is going to happen is things are going to go digital and we need to prepare ourselves for things to go digital, whether that's in 2020, 2024, 2028, it doesn't really matter. We need to put into place the infrastructure for things to go digital. And when you start looking at things like online trust and election hacking, we need to make sure that we have the right processes in place to authenticate the users, for instance. So if there's an online poll, we need to make sure that we have a pretty strong idea that the person who's voting is who we really think they are. I think that's what it ultimately comes down to. For us to say, "No, we shouldn't go digital because it's not safe enough," I don't think that's the right approach.
John Prial: Interesting. And you've already begun to really explain the landscape for me a little bit. So you talked about knowing who the individual is. That's the outside coming in. At the same time, you mentioned election hacking; there's other data to get there. So we're going to build through that, but I want to just stay, if just for a second, on that individual point. Everyone always listens and talks about Facebook, and Mark Zuckerberg made a recent post. And then there was a counterpoint by the author of the book Zucked. And obviously, both are presenting extreme points of view. But for me, I don't know if Facebook is going to change in a meaningful way. But for the purposes of this audience, of our audience and the companies that you and we at Georgian Partners deal with, how much does that matter?
Alex Manea: Well, I think Facebook is a very interesting use case there because I think Facebook very much stumbled into the privacy space. And I use that term as a bit of a pun, because if you think about Facebook's history, they were never really about privacy. They were about connecting people. They were ultimately about sharing data online, and Facebook in many ways became the victim of its own success. It became so big and it became so dominant in the online social media space that people started looking at them and saying Facebook ultimately now needs to be a leader and a thought leader in the field of online privacy. And I think it's been pretty clear, based on what's happened over the past few years, that they weren't really ready to do that. And they're not really comfortable doing that. So I do think when Mark Zuckerberg goes out and says, "We need to have better definitions of what privacy means and what hate speech means from the regulators," I think he makes a fair point. But at the same time, I think Facebook is stuck between a rock and a hard place right now because they are a data-driven company. They're a company that's ultimately based on keeping the trust of their users, but at the same time, they also want to make sure that they can target advertisements to their users. So keeping that balance between the users trusting them with their data, but also them being able to process that data and being able to effectively target ads to the users, it's a very, very delicate balance. And I think it puts them in a very tough situation.
John Prial: People can say they got hurt, their market value has tanked, but they still have a couple of billion users. And maybe they're losing some demographics, maybe they're shifting over to Instagram. How different is a Facebook in a classic B2C model to what we're dealing with on a daily basis? So I bet that's where you were going.
Alex Manea: Yeah, I think if you look at the B2C model versus the B2B model, it's totally night and day. Because the reality is that consumers always say that they care about their privacy, and as consumers, we definitely do care about our privacy. Me personally, I would rather that Facebook didn't misuse my data. I would rather that Google didn't collect my data. But at the same time, when push comes to shove, if you look at what's happened historically, most consumers, when there is a major privacy breach, don't tend to leave a platform. Most consumers tend to continue to use the platform, especially if it's a platform like Facebook, which they use every single day and which I believe has one of the strongest network effects in history. I think it's very different in a B2B type of scenario. So if I look at the previous company that I was at, BlackBerry: if BlackBerry had done some of the things that Facebook has done in terms of its user data, I think it would have been in a lot more trouble. In fact, I'm not sure that BlackBerry would still be around today if that was the case. Because in a B2B type of model, businesses are much more protective of their data. And if you misuse their data, if you have a major data breach, they're much more likely to stop using your service. So I think trying to look at Facebook and what happened with Facebook as a B2B company, it's a bit of night and day. And you need to understand that as a B2B company these days, the trust with your users is ultimately critical to your business. And if you lose that trust, chances are you'll lose your business.
John Prial: It'd be great for a company to be a Facebook; that's a great aspirational goal. But one of the differentiations is Facebook doesn't really have a lot of competitors, whereas in all of the B2B space, there's not a lot of monolithic companies that own it all. So yes, the risk is greater. Now, I know you spent a lot of time on internal education within our own company, and you really got everybody in the company very highly sensitized to phishing attacks. As a matter of fact, I think I sent you a funky one this morning to take a look at, and I think that's really an amazing... To get everybody mobilized and thinking and sensitized is a great thing. But that's just a piece of the puzzle, and that's an external attack; some misstep on the inside causes a problem. But if I want to go back to maybe our census question and ask, what could go wrong? What's your 10,000-foot answer as to the really broad, scary question of what could go wrong? Let's talk about the landscape of security, please.
Alex Manea: Sure. I mean, what you're pointing out is social engineering attacks, and social engineering attacks are obviously in vogue these days. Because what's happening is naturally, as people are starting to improve cybersecurity from a technical standpoint, people are starting, and by people I mean hackers, they're starting to target the users, because they're starting to see the users as potentially the weakest link. But at the same time, we can't forget about the technical attack vectors. And these are really going to depend on your business, but it could be anything from a distributed denial-of-service attack. So let's say somebody wants to take your business offline. They have a botnet that they're operating. They can flood your servers with information and take you offline. Another classic attack is just malware. So they get into your network, they put malware in there. And typically the way most modern malware works is it's not your classic script kiddie, "I'm going to install this program on your computer and it's going to delete all your data." It tends to be more spyware with command and control capabilities. So I'm going to surreptitiously install this app on all of your endpoints. And that app is going to siphon off the data to my server. And it's also going to ping my server every once in a while for software updates. And my server now can send instructions down to that app to collect different types of data or to infect different parts of the network. If you want to get really, really fancy, there's also these things called advanced persistent threats, or APTs. These are a more advanced type of malware that are typically more nation-state level attacks. And this is typically where you'll see a government attacking another government. They're very sophisticated types of malware and they're very persistent types of malware. But ultimately there's a lot of different things that can go wrong in cybersecurity.
And the right way to approach it is, you need to take a holistic approach. You need to understand what are your assets, what are the threats, what are the different vectors that attackers can get in through and what are the most likely entry points? And you really have to focus your security budget on locking those down.
John Prial: So I'm completely terrified. That's probably not a bad thing. I'm sure that's your objective all the time when you open up a conversation about security. So let me just drill down a little bit and move a little bit from, I'm going to call it theoretical, but it's clearly altogether possible. It's a little bit of where the rubber meets the road. You've got so many conversations with companies, whether you're doing due diligence with companies that we're looking at, or you're consulting within our portfolio. What do you see as the top-of-mind couple or three things that the CEOs are aware of, or you make them aware of and they go, "Oh, I really need to jump on this"? What are the top, top issues here?
Alex Manea: Well, I think it really depends on the situation of the company. So typically, when we're looking at new companies to invest in, one of the first things I like to ask the CEO is, "What's your philosophy when it comes to security? Is it something that's important? And if so, how do you actually go about doing that? Do you have a CSO? Do you have a security policy in mind? And how do you handle trade-offs?" Because security is all about trade-offs. I always like to say security is about economics. You could invest in security or you could invest in improving your product's UX. So I find that's always a very good first question. It really helps me understand the general mindset. And I find that all of the technical things tend to flow down from that mindset. Now, in terms of our portfolio companies, I can tell you there's a very broad range of maturity levels when it comes to cybersecurity. Some of them are fairly new to the idea of cybersecurity and they're really just exploring what they should be doing. Some of them are more advanced, and some of them work in regulated sectors. So the ones that work with regulations, they're primarily worried about, "How do I comply with these regulations? How do I comply with GDPR or CCPA? What are some of the other new types of regulations coming down the pipe?" Another big concern that I hear over and over from our CSOs is how do I get customers to trust me? And part of that is about explaining cybersecurity and your architecture in a way that they can understand. But part of that too is about third-party certifications. So you can talk all you want about how secure you are, but until a third party really looks at your environment and starts trying to hack you the way that hackers would, it's pretty tough to say that you're actually secure. So a lot of our companies are starting to look at SOC 2, ISO certifications, penetration testing. So we're definitely getting a lot of questions around that as well.
John Prial: Cool. That's great. That's a great breadth of topics. You mentioned trust; let's build to that. We also talked a little bit about privacy. So I get security, and there's a lot there, and in my trivial way, it's this thought of protecting assets: banks have these giant safes in the back of a building, and locks on them and lots of steel, and can they work? I guess. And obviously they need to have the equivalent of a cyber safe from a transactional perspective to protect those assets. But then all of a sudden, now we've evolved. We've got end user data, which has different implications. And that was a little bit about privacy, what people want, what people expect, what people should be doing. And I can't maybe draw that direct line to a bottom line as an asset loss. Maybe it's a little more indirect, although maybe I'm selling it a little short. Tell me your view, then, a little more about privacy as it relates to this new world that we're in.
Alex Manea: Yeah, I think that people's views on privacy have ultimately really evolved over the past 5-10 years. I mean, if you look at where we were 10 years ago with privacy, it was basically trust, but not verify, right? As a consumer and as a business, I would typically just give my data to another business and I would implicitly trust them to keep it safe. And I think there's been a couple of key things that have changed people's perception towards that. The first one was the Edward Snowden revelations and the revelations that the NSA was collecting a lot of data about a lot of users. And the other one is just the huge number of corporate data breaches that have happened over the past two, three years. I mean, you look at Facebook, Target, Home Depot, these are all huge, huge names and these are all names that people implicitly trusted. And so now it's starting to shift towards more of a trust, but verify model, where people are saying before I give you my data, before I give you access to my crown jewels, I want to understand how you're going to be protecting them. And personally, I'm not new to cybersecurity. I've been working in it for 13 years. And when I first started working in cybersecurity, I used to have to convince people that security was important. I would literally go into large corporate deployments and try to explain to them why they needed to worry about privacy on their phones. And they would look at me like I was an alien. They'd say, "What do you mean? Why would I care about the data on my phone?" And now it sounds almost asinine to even question why you'd need to think about security and privacy. So I think there has been a fundamental shift in people's understanding of the importance of security and privacy.
John Prial: Very cool. So now this leads to trust, which is this overarching concept. Now, to me, I guess the question is, do you see trust as a superset, including security and privacy? Have there been more nuances to that in terms of how we think about this very broad concept?
Alex Manea: Yeah, I think ultimately, what's happened is naturally security and privacy have evolved into trust. And the neat thing about trust is when you start thinking about trust, you can really start thinking about it, not just in terms of protecting your assets, but in building real business value. The concept of trust isn't new to anyone. We all fundamentally understand the concept of trust. Not necessarily in the context of how do we trust a business, but rather how do we trust the people we know and love, right? Trust is something that's intrinsic to our nature. And even in terms of businesses, there are certain businesses that we do and don't trust. So for instance, maybe we trust Walmart to give us the lowest prices, or we trust Starbucks to give us consistent, maybe not spectacular, but consistent coffee. We trust McDonald's to give us consistent burgers. We trust Colgate to help us brush our teeth. So there are definitely certain brands that we trust, and the brand value of trust is huge. Now, the challenge with trust in the software context is it's even harder to know who you can trust, because first and foremost, there's been all of these huge data breaches, but secondly, you don't really have access to a company's source code. You don't have access to an understanding of how they're building their systems. And so when you start thinking about trusting companies, especially in a B2B context, it's not just about security and privacy, but it's also about things like transparency. How well do you understand, and can you understand, what their business model is? So I'll use Google as an example. I trust Google because I understand what their business model is. They are collecting my data and they're using it to target ads at me. And the reality is Google is providing me enough value in terms of Gmail, in terms of the Google search engine, in terms of Google Maps, that I'm willing to give them that data.
And I know full well that I'm trading off my data for free use of their services. But more and more, especially as we start getting into the machine learning and the AI space, trust becomes about fairness, because when you start having machine learning algorithms making important decisions, and when I say important decisions, I'm not talking what's the next movie that Netflix is going to recommend to me, or what's the next ad that Google's going to target to me. I mean things like if I go to a bank and I'm applying for a loan and that bank plugs my information into a machine learning algorithm and spits out a yes or no answer, as a user, I want to understand how that works. And I want to make sure that that's fair and that I'm not being discriminated against. And the other big part of it, as well, is reliability: so how consistent are they in the way that they deal with me and how reliable are their systems?
John Prial: And I love actually, when you talked about you trusting Google to give you some value. So you're making a trade-off, but you're getting value for it. Now, if there are two competing institutions, banks or whatever, and you talked about branding, the company that has their brand tied to being trustworthy could be hugely differentiated. I just looked at a company the other day and they had published a code of ethics on their website, which I thought was the coolest thing. And I think we're going to see more and more like that. So this thought of tying trust and the brand together, more than even value. So we have value and we have this ethical trust thing coming out of the branding. Kind of neat, two different lenses on a brand.
Alex Manea: I think there's really two key aspects to trust, which is the value that the brand provides you and then the comfort that the brand provides you. And so it's important to understand both of those aspects. When we think about security and privacy and fairness, those are all aspects of comfort, but ultimately if the brand's not providing me value as a user, I'm not going to use that brand. So for instance, I still choose to use Facebook instead of Myspace, not necessarily because I'm more comfortable with how Facebook uses my data, but because Facebook gives me a lot more value than Myspace, because Myspace has very few users whereas Facebook has a huge number of users. So there's definitely the value component of trust. And I think ultimately, what I see with most startups is they're so hyper-focused on the value component of trust, they're so hyper-focused on delivering value to their users, that they're not really thinking about it from a comfort standpoint. They often approach it as kind of a "we're going to deliver value, we're going to put out a cool product, we're going to get lots of users and then we're going to add security in on version two. We'll make version three trusted." And I can tell you from experience, that model just does not work, because there's always going to be more value you can give to your users. And if you just keep adding value, keep adding value, eventually you're going to get big enough that people are going to start looking at you. They're going to start attacking you. And they're going to start trying to hack you. And if you don't have a good trust model in place, you're going to lose your users' trust. And ultimately you might lose your business.
John Prial: Interesting. So this is cool. I wondered a little bit about the future. I know a lot of the issues are industry dependent and I'm fascinated by what comes next. So something that's new that I've heard a lot in my working with you and your colleagues is the theory and the discussion of adversarial attacks, where you're minimally altering some inputs to these machine learning models but it leads to misclassification. And the example I've known for a while was data could be authored, and all of a sudden a stop sign looks like a yield sign. And that's a big problem for a self-driving car. Just recently, the New York Times had an article and it was about the dark side of AI in healthcare. But the same thing: modify a few pixels on a lung scan and you could significantly affect the diagnosis of a cancer, one way or the other; you'll have false positives or false negatives. So in my mind, I see a multiplier effect here doing a lot of damage. So rather than hacking my bank account and stealing a hundred dollars or two, but that's not part of this, that's all there is, versus hacking a dataset like this, which has some huge multiplier effect downstream to hundreds of people having their lung scan looked at or thousands of people with self-driving cars. So where do you think we're going and what should we be doing about it?
Alex Manea: Well, I'm glad you pointed out the multiplier effect because I think that is a very important one. And especially as we start looking at things like IoT and connecting more and more things to the internet, there's potentially an even larger multiplier effect. The other one that I want to point out there, which you hinted at, is the safety aspect of things, because in both the healthcare and also the self-driving car example, you're looking at situations where if somebody performs one of these adversarial attacks and gets to break the system, they're not just hacking somebody's data and stealing their bank account info, they're potentially causing real and present danger to the person. And it could cause, eventually, a loss of human life. There's lots of examples out there of situations where people have, for instance, been able to prove that they can remotely take control of a self-driving car. I know for me personally, in my previous role at BlackBerry, one of the things that we used to do is try to hack IoT devices just to see what we could do with them. We've seen situations before where we were able to prove, for instance, that by hacking an IoT-connected teakettle you could remotely get into a corporate network, a secure corporate network. But the one that really terrified me was, there was one time where we were actually looking at hacking a morphine injection pump, and we were able to hack that pump and to basically show that we could remotely overdose the patient. So when you start thinking about those types of use cases, that's where I think the rubber really hits the road and where we're going to see some really scary things happen going forward.
John Prial: Well, if I've got scales and I've got to balance two sides of the scale, and it's investing in product or investing in security, and you talked about CEOs faced with that trade-off, it's quite clear as we look down the future, you better be putting a few more chits on that security scale.
Alex Manea: Yeah. And I don't think it's really an either/or; I think you have to have a good balance of both. I mean, if you invest everything in security and your product has no value, then that's not great either, but you do need to balance it. And I think these days, if you don't have a cybersecurity team, if you don't have a CSO, if you don't have a security plan and you're a growing company, especially in the B2B space, you're just asking for trouble down the road. Because one of two things is going to happen. Either you're never going to grow and no one's ever going to target you, which is in some ways your best-case scenario. Or you're going to end up growing. You're going to end up getting targeted. You're going to end up getting hacked. And you're all of a sudden going to be on the back foot saying, "Oh my goodness. Now we need to rearchitect our whole system to build it around trust because we haven't done that yet."
John Prial: Wow. On that note, with some vision and some planning, I think companies can be in a lot better shape. I think it's an amazing story. And it's probably one of the most critical things every company should be thinking about. So Alex Manea, thanks so much for being with us today. It's a pleasure.
Alex Manea: Great. Thanks for having me.
Alex Manea joined our team as Chief Security and Privacy Officer last year to lead our trust thesis and its adoption. In this episode, Jon Prial and Alex have a wide-ranging chat covering risk, privacy, different types of security attacks and how to protect your business. They also discuss how a business should be preparing for a new world at the intersection of fairness, value and trust.
You’ll hear about:
- How everything flows down from leadership’s philosophy on security and privacy
- Why perceptions of privacy, security, fairness and transparency are changing
- The value exchange we make with brands for our data
Who is Alex Manea?
Alex Manea is our Chief Security and Privacy Officer and a member of the Georgian Impact Team. Alex uses his detailed knowledge of security and privacy concepts to help portfolio companies identify opportunities to build and monetize technologies that protect assets and build trust. Alex is also responsible for Georgian’s internal policies and infrastructure.
Prior to joining Georgian Partners, Alex spent 12 years working at BlackBerry, most recently as Chief Security Officer. As a founding member of BlackBerry Security, he has worked to protect mobile, desktop and IoT devices, networks and infrastructure for over a decade, helping to transform BlackBerry from a mobile hardware vendor to the world's leading provider of enterprise software and security solutions. Alex regularly writes on security and has been published in dozens of international publications in multiple languages.