Special RSAC Episode with Renee Guttmann
Deepak Jeevankumar (00:00)
Welcome to a special series of the DTC podcast focused on the 2025 RSA conference. In these podcasts, investor Deepak Jeevankumar interviews seasoned CISOs on what they get out of this venerable conference, how startups might get their attention at it, and the ins and outs of their ever-evolving role. In this episode, Deepak talks with Renee Guttmann, a former CISO of companies such as Campbell Soup, Royal Caribbean Cruises, and Coca-Cola, and current founder and principal at CISO Hive.
She's been attending RSA since the 1990s. So without further ado, Renee and Deepak.
Renee Guttmann (00:36)
Hi, Renee. Welcome to the Dell Technologies Capital Podcast.
Deepak Jeevankumar (00:40)
Great to be here. Thank you for inviting me to chat.
Renee Guttmann (00:43)
Yeah, great. Great. Renee, we are doing this podcast in preparation for the world-famous RSA conference. And you are very well aware of this conference for the last few decades. So how many times have you been to RSA conference? This is your 20th time, 10th time, 5th time? What is it?
Deepak Jeevankumar (01:03)
So it's easy for me to answer the first year that I went. The first year that I went was in 1996. And the theme for that year was the Navajo Code Talkers. And it was about the language that the Navajo used, and they were able to use it to basically relay secrets during World War II. And this is why this is important to me, because at the time, the way it was advertised, was unbeatable, was unbreakable, okay? That's in 1996. So I went back and I talked to my friend, ChatGPT, and I said, hey, what about this? Is it still unbreakable? And it basically said the Navajo language used by the code talkers during World War II cannot be easily decrypted today. I don't know if that's true.
Renee Guttmann (01:58)
Wow.
Deepak Jeevankumar (02:02)
But the word easily means, I don't know what that means actually.
Renee Guttmann (02:07)
Maybe with the rise of quantum computers, it might be decryptable. Let's see. Let's see. So there's almost 1996. are in the many conferences from what I know don't last for more than a decade. How has RSA conference had such a long staying power? What is your opinion? What did they get right to have like a three-decade staying power?
Deepak Jeevankumar (02:34)
Yeah, so when I first went, it was highly technical and I really felt outnumbered because I think that everybody there had a PhD. I read that in 1997, there were 2,500 people. So let's imagine there were 1,000 people when I was there. Now it's 40,000. It started off really technical and I was putting in a PKI at the time for the company that I worked for. So I really felt that I needed to be there because I need to understand encryption technology and how to implement this, this solution. So I think originally that was the purpose, but you know, it then morphed into a place where you could go to get information about not just technology, but better practice. So I was a founding member of the Executive Security Action Forum and we met and we compared notes and we talked about, you know, what are the risks and what are we each doing about it? So it was a really great place to learn.
And I think now, you know, I'll just say this, if I was just getting into the industry, I would still go to RSA because I would want the breadth of understanding the technology, the opportunity to meet with people from around the world and talk about what's going on in the space of cyber. And then finally, I think they've done a good job of bringing the various industries together, including government. So it's just where the world goes, right?
Renee Guttmann (04:03)
Got it, got it. So what is your advice to fellow CISOs who are navigating RSA conference? You have been CISO of like some really notable companies like Coca-Cola, Royal Caribbean, Campbell's Soup, very different industries and you've seen it all. So if somebody becomes the CISO for the first time and they go to the RSA conference after becoming a CISO, would you approach things differently than... than you would approach it when you were a CISO?
Deepak Jeevankumar (04:34)
You know, it's a good question. So there are a couple of angles to this. One, I do believe in meeting with other CISOs and finding out where they're going to be. They, you know, sometimes you can get into the meetings. There's a lot of events at RSA that bring people together. There are a lot of VC events. I would definitely encourage people to attend the VC events because you're going to find other CISOs that are there. You can talk about, you know, well, what's coming down the pipe.
I believe in seeing the keynotes. I really do. I think, I don't know that I would go to every session, but I think you should pick a track and go to the sessions that are relevant for you, especially if you're just starting out.
Renee Guttmann (05:17)
Okay, got it, got it. So looking back at your different RSA conference experiences, was there any standout that you can think of, any new discovery? How do you discover new things and what kind of things are you looking for?
Deepak Jeevankumar (05:33)
You know, when I go to a conference like RSA, I generally start at the fringe. I don't generally go to the middle where the, you know, I'm talking about the floor now. I don't go to the floor and go to the expo. I don't necessarily head there first. It's good to see what, you know, the larger companies are doing. But, you know, here's a funny story. I remember when Splunk had a table the size of my desk, okay, so it's about four feet by three feet, you know, and they were on the fringe, right? And that's what I like to do. I like to go and find out, you know, why, you know, it's great because the co-founders are generally there as well. So you can speak to them and say, listen, what made you think that there was a problem here? What made you spend any energy thinking about, you know, the fact that we might need something like X solution? I want to know what's coming down in terms of risk. And also I want to know like why they think maybe existing solutions today aren't getting the job done. So that's how I, you know, I really do approach the conference. I want to learn when I'm there. It's nice to network. It's nice to enjoy a meal with people, but I'm there to learn. And I'm also there to talk and give back. That's the other thing.
When you go to RSA, you're kind of expected, especially I think further down, you're there to actually be part of the community. So Deepak, I've always been an early adopter of technologies. I've always been, I look at whether the product that I'm buying, the solution that I'm buying, whether it has the ability to have legs. The last thing, this has happened to me once, happened to me once in my career, where I had to go to the CFO and say that the product that I had bought literally was dead. It was dead. It was between Friday and Monday gone. And I swore to myself that that would never happen again. So I am very concerned about whether a solution that I'm buying, even if it's an early stage, even if I'm client number five, do I think that the team has the ability to execute. And today, one of the ways that I assess that is understanding whether they are prepared to engage channel partners or engage others on their behalf to educate the market, which they have to do in some cases, you know, implement it, make sure that it's a right fit for me, and maybe help me with the implementation. So I do look at the ecosystem of the startups that... to see if I think they've got the ability to be around in three years.
Renee Guttmann (08:31)
No, absolutely. And so do you advise founders to start engaging with the channel from their first customer itself or after they get a handful of customers? And do you recommend certain channel partners who are open to doing business with early stage startups?
Deepak Jeevankumar (08:49)
So I've seen different approaches. I don't know that there's a one size fits all, but I've seen companies that basically say we're channel first. I worked in the channel at one time. I basically built their field CISO program. So I like to work with the channel and startups where everybody sort of knows that, OK, we might have a few bumps in the road here.
But if we work together and we can get things done and we can make sure the client doesn't fail, because I think the channel probably has a stronger relationship with the client. And I think that's a good thing also for startups, right? I mean, the channel, if the channel's doing their job, will tell you a lot about the client and that environment so you know whether they actually fit your ICP or not.
Renee Guttmann (09:43)
So you very casually mentioned NHI and a couple of other areas, right? Like what are the, what are your bets for this year's hype at the RSA conference?
Deepak Jeevankumar (09:53)
My bets for hype. Okay, well that's a rough one. I do think there, I mean, I've been approached by four different startups that are focused on NHI since January. So I think that NHI, and here's the thing about NHI, and I will tell you that my knowledge here was maybe not as current as others, but I'm reading statistics like 45 to one, there are 45, you know, service accounts or non-human identities for every identity and, you know, that's now where the attackers are going. When I think back now, I can think of a number of times that, you know, a service account caused me a headache at a previous employer. Here's some other things that I'm looking for. I am looking for solutions that do leverage AI, but to create dynamic run books in terms of an incident, maybe to be able to pen test your environment. You know, so in a more sophisticated manner, anything that will remove a spreadsheet and tribal knowledge from my environment, I'm all in favor of.
Renee Guttmann (11:13)
We are seeing a lot of that in non-cyber environments. People are automating spreadsheet-based and email-based workflows, especially in the CFO office, the supply chain office, procurement office into more systematic AI-powered workflows that are more software or SaaS-based. But for some reason, we have seen that cybersecurity has been a little bit slow to adopt. I don't know why. I mean, any guesses like... why cyber could be more hesitant to adopt AI?
It's a regulatory reason.
Deepak Jeevankumar (11:49)
I think part of it is because we spend all of our time worried about everything that everybody else is doing and so we're kind of caught in a rock and a hard place. We set up these governance committees and we've also got to play by those rules but why have they been reluctant? Maybe because we've been too focused on the governance element. But I think we're missing out on the opportunity. I even talked to people in healthcare.
And I get so excited about the thought of AI really drawing down diseases and sickness that today, like Alzheimer's, anything, right? I am so excited about it. And I think everything else in our life is a risk-reward. And I think we have to start treating AI that way.
Renee Guttmann (12:41)
And maybe, no, I agree. And I think it's a combination of many industries are regulated. So they have to be very careful about technologies that have non-deterministic outputs. They have stochastic outputs, non-deterministic outputs like AI is that. So maybe to flip the table a little bit, right? We talked about how CSOs can approach the RSA conference.
Now, what is your advice to startup vendors and founders to get the attention of CISOs like yourself and your peers in the industry? How do they show empathy and how do they figure out who is the right fit and how to approach people like yourself?
Deepak Jeevankumar (13:26)
Yeah. So I believe a couple of things. One, I think that it would be really helpful for the startup to think about their ideal customer, right? Who that is. Secondly, if that ideal customer spans a couple of industries, think about that client in the context of the industry sector that they are working in, right? And have some good information related to how your solution could provide value, you know, in an environment, whether it's financial, healthcare, but I think it's got to be relevant and specific. And, you know, there are ways that I think startups do have a wealth of information. And as long as they're also helping to up-level, you know, the knowledge base of the individual that they're speaking with, I think that they will get, you know, time from people because people... As I said, I'm going there to learn. I do believe other people want to learn.
Renee Guttmann (14:29)
Yeah, yeah. You mentioned Splunk caught your attention in the early days. And when you were looking at the fringes of the expo floor, are there any other startups through your different experiences at RSA that have caught your attention and that have now become well-recognized brand names? And how did you recognize them early on?
Deepak Jeevankumar (14:52)
I'll just say this, I was Archer Technologies' fifth client, Fortify, CyberArk. You know how I recognize them? It's because I had challenges in the companies that I worked for. And they basically came to me with, I think, better ideas for how to address the challenges that I was facing.
Like Archer, for example, I mean, they took out spreadsheets from me back in the year 2001 or 2002, if I recall correctly. I think that anything that is going to automate and again, take out the tribal knowledge. Also, here's a final piece. I look for things that basically reduce friction. Security today creates too much friction in my mind. We are, you know, we're people that our users want to run from instead of walk to or walk towards. And I'm always a fan of anything that I think will reduce the friction of whoever my constituents are in the company that I'm working for.
Renee Guttmann (16:08)
That's a very fair point. What is your advice to fellow CISOs on what they can do to reduce friction? It's not like, I don't think that's like a fair one size fits all thing, but what are some of the steps you have taken in your previous experiences and how, and it's a moving target, right? Because developers are moving fast and people are introducing new tools, AI is making life a lot more complicated. So how can CISOs approach a moving target on how to decrease friction?
Deepak Jeevankumar (16:37)
Well, the biggest, the biggest trend that I'm seeing right now is prioritizing vulnerabilities, right? And, and that's basically saying this is important and this is exploitable. And I think that has to be, and if you do this, you will, you will draw down X amount of vulnerabilities. But I, I don't believe in just dump and run, just giving people things that they can't action. I had a... I was looking for a solution and frankly the output had to be used by normal people. The reports, the workflow, the whole thing wasn't built for a human being to use. So that's how I look at things. And I wound up giving money back to my company because I couldn't implement a solution because I couldn't find something that a human being could use.
Renee Guttmann (17:32)
How about like, what are the things that keep you up at night as a CISO? And does that factor into how you do vendor selection at all and what startups or founders you like to work with?
Deepak Jeevankumar (17:48)
So what keeps me up at night is having to wake people up at night. Okay, so for me as a CISO, I never manage big teams. I manage medium-sized teams, maybe 30 people. At Coca-Cola it was different, okay? So let's take that off the table. But I hated, hated getting people up in the middle of the night. So I call it the middle of the night problem. So for me, anything that you could do to make a... to automate, to make sure that if you had to get people up in the night that they had the right information at their fingertips, that you had the right people there. But I still believe that there's a lot of automation that we can put in place to solve for that issue. I would also say, I mean, you can't always be sure who you're going to get on the phone in the middle of the night, right? So this is why when we talk about not taking up AI, I just think, what are my options? Waking up everybody and then praying that something will go right?
Renee Guttmann (18:55)
Yeah, and not everybody can function at full capacity at the middle of the night, even if they're awake. Even if they've been woken up. That's like another, I definitely can't function at the middle of the night. So that also factors into the quality of the output.
Deepak Jeevankumar (19:12)
That's why I get excited about the future. Anything that, like I said, can reduce friction, can give people the opportunity to sleep, get their life back, be a human being with their family. I'm all in favor of those solutions.
Renee Guttmann (19:29)
Yeah, so you see there's a huge promise for AI and cybersecurity.
Deepak Jeevankumar (19:34)
I do. It's a partnership. I don't think it's just going to drop in our laps. I don't think anything drops in your lap. But this is something that I think if we can identify what we want to address, I know friction in the middle of the night, I think that there's a lot of potential use cases where AI and newer technologies, newer solutions will support, will make that better for us.
Renee Guttmann (20:04)
Okay, maybe one final question about the future. Quantum computing, post quantum era cryptography. I think it's one of the favorite questions for which people have different perspectives. How do you think about that in the role of cybersecurity? How will quantum change cyber and how can people get prepared for it?
Deepak Jeevankumar (20:27)
You know, I don't think I can answer that robustly enough. Here's what I'm wondering. It's whether, I go to the cryptographer panel every year. It's one of my favorites. And I'm wondering if this is the year actually that Quantum gets some respect. So that's what I'm leaving it at. You know, I didn't even look other than I believe that it's an area, I didn't look at the talks yet.
You know what, you know the other thing that I didn't see and I don't think the finalists for Innovation Sandbox have been named yet.
Renee Guttmann (21:03)
Yeah, I'm excited to hear about that as well. They've had a very good track record historically in picking. Do you go to the Innovation Sandbox every year?
Deepak Jeevankumar (21:12)
I do. You know I used to be a judge, right?
Renee Guttmann (21:15)
Wow, wonderful!
Deepak Jeevankumar (21:17)
I'm one of the first judges of RSA Sandbox and it was really wonderful. I mean it was a great experience to be able to, I mean it was exhausting. I think one year, the year that I was there, we had hundreds. I bet you they got a thousand submissions. I don't even know if the number's out there.
Renee Guttmann (21:35)
Yeah, yeah. So maybe going back to your time as a judge at the RSA Innovation Sandbox. And how was that experience? That must have been a wonderful experience. What kept you as a judge? And I'm sure you've judged like multiple times. And what did you learn from it? What was your takeaway as a judge?
Deepak Jeevankumar (22:03)
Gosh, well firstly, the other thing probably, I was one of the first Gartner analysts in 1999. So I just keep getting older and older here is the way I look at it. It was really important and it still is today for me to look at, and actually today it's sort of a different scenario, to look at the founders, to look at... the solution, clearly the technology was important, but the value, the why they built something. But I was worried about whether something that we chose, whether it would still be viable like a year later or whether the founders would totally destroy the company for some silly reason because they had no ability to execute. So I look at both things and I still do today.
I think it's a lot easier today to look at solutions because so many people that have exited, so many founders that have already exited once are back in the game again. And so it's somewhat easier to assess the ability of a solution to be successful based on the capability to execute. That said, it's still important to look at, are they really solving something that needs to be solved that we think that... you know, that has a place. I think, you know, sometimes we even made like, not, how do I say it? We even, we picked a product that actually bridged the gap between physical and cybersecurity about 10 years ago. And I think we thought we were going on a limb doing that.
Renee Guttmann (23:49)
It's needed. It's needed. It is absolutely needed. Yeah. Great. So let's see how the RSA Innovation Sandbox breaks the finalists this year. We talked about NHI, quantum, middle of the night, AI automation. Let's see how many of the finalists fall into some of those buckets. Critical infrastructure. Yes, exactly. Cool. Awesome. Thank you, Renee. Hope to see you in person at the RSA conference this year.
Deepak Jeevankumar (24:09)
Critical infrastructure.
I hope to see you there as well, and thank you for having me.
