Special RSAC Episode with Ben Carr

Deepak Jeevankumar (00:32.526)
Good afternoon, Ben. Welcome to the Dell Technologies Capital RSA Conference Podcast.

Ben Carr
Yeah, Deepak, happy to be on with you today. Great to have a discussion.

Deepak Jeevankumar
Great, as we head into RSA Conference 2025, I thought this would be a great discussion for our viewers to understand your perspectives as a CDLC SO and been to conference multiple times, how the conference has changed, how the roles of CSOs have changed today. But let's start with the RSA Conference itself. What do you think are the top themes this year? What are people thinking about when you talk to your peers in the industry?

Ben Carr
Yeah, I think that's always a good question. I think AI was certainly the theme last year, right? Everybody was talking about AI. I kind of think it'll be an extension of that. I don't see that there's any new wave of things coming out. Look, I think with everything going on in the market right now, economics could be part of it, right? We could be talking about how the economics and offshoring and

Like all that could be part of it, but I think generally it'll be an extension of last year's conference, primarily with the discussion on AI and where that takes us.

Deepak Jeevankumar (01:44.888)
Great, great. Now I have been going to the RSA conference personally for at least a decade, pretty much every year. And I've seen the evolution from cloud to identity, non-human identities and AI. So maybe if we can dig a little bit more into the AI theme. Today we are unlike two years ago when ChatGPT was very new. Everybody knows ChatGPT.

Everybody has used either ChatGPT or one of their competitors like Anthropic and Gemini and others. AI adoption has led from the consumer world and then has gone into the enterprise world and cybersecurity always follows that as we all know. So what are the key AI adoption or commercialization challenges you see talking to your peers and hearing from them as regards to security and what role can security play better in enabling AI adoption.

Ben Carr
Yeah, I think last year, year before, kind of historically, I mean, people were trying to figure out what people mean by AI, right? So I'm old enough to remember when it was ML and now that it was AI and everybody wanted to include it and seemed like there was a very early wave. It kind of went away a little bit last year, kind of raised its head. And I think you're right, like ChatGPT and LLM certainly created a buzz around that because of the rapid adoption of ChatGPT. I think the shift has been, you know, enterprise businesses are now trying to figure out how they bring AI as an adoption into the company. I mean, we've seen companies come out and say that, you know, I think everybody's probably seen this on LinkedIn, right? Posts where companies are saying, you know, every further initiative when they're considering additional resources, they have to take into account, could AI do it? Right. And I think one of the things CISOs are trying to figure out is what's that mean for security, right? Where's the impact? And I think the nuance has been.

again, up till now, people are recently, when people have been talking about AI, a lot of it, what they really mean is LLMs, right? And I think the shift is going to be into agentic AI. I think that's really where a big transformation will start to happen is as we move into the agentic side, then there's a whole question about like, what does identity look like? You know, it's much different than an LLM discussion when you're talking about agentics and the relationship to an individual. If an agentic AI is doing something on my behalf,

How do you differentiate that from me? Because obviously if I'm creating that agentic AI, I want it to create actions with my authority, right? But that presents its own challenges. And so I think that's where CISOs are getting to now is this mandate from the business to bring in more than just LLMs, but even LLMs create issues, problems, concern. And how do CISOs work at the speed of business? Not try to slow the business down, at the same time ensure that security is something we're still really taking priority with and looking at from a business side.

Deepak Jeevankumar
Yeah, yeah, you know, one of the key topics of discussion I have and talking to people in the AI world is how do you have AI native employees, AI native humans? Yeah. And also, how do you make agents human native? Because humans and agents need to work with each other. We're going to live in a polyglot world, multi-agent world, in a human agent world.

And it's going to be really interesting how this evolves. Maybe let's see the other side of the story. Has AI changed the threat landscape? Are we seeing new kinds of threats?

Ben Carr (05:29.174)
Yeah, I think that that's certainly the case. Like we are seeing where there's issues on the threat actor side that they are taking advantage of this and they are figuring out how to weaponize it. Right. One of the things that I think everybody can see is, you know, if you go back five years ago and you look at phishing attempts and what they look like, they were fairly easy to decipher. Right. Like we still had issues where things would get through and it was more of a training issue and you could train people to look for certain things that were definitely threat actor like, right? Poor English, poor phrasing of words, those kinds of things. LLMs have changed that, right? Threat actors have put that in their toolkit. When you get a phishing email right now, it's really, really hard, right? And it's not just phishing, it's smishing, it's all the places where this comes into use. And so that's a really easy to understand change that's happened where the threat actors have taken use of AI like technology. Now I think where, again, I look for is the problem of velocity. So the challenges, we're overloaded by alerts, we're overloaded by things we have to do. I think the agentic problem on the threat actor side changes the velocity of the problem and the misuse of AI or AI is developed specifically for threat actor like behavior is really going to put into immense workload and cause us to kind of respond in kind, right? And so it's this ever increasing arms race from the CISO to threat action.

Deepak Jeevankumar
Yeah, yeah. Maybe that's a good segue into how the role of the CISO has changed over the last decade, be it in big companies or small companies. And I'm sure AI is going to have an even bigger change in the role of a CISO. What is your evaluation of the changes and what should modern CISOs be aware of?

Ben Carr (07:24.408)
That's a good question. You know, I've seen this discussion happen with my peers, especially recently. I think it depends upon the size of the org and the makeup of the org and just the demographics of the org, right? It's going to, it's going to differ, but on the enterprise side, I think one of the things we, a lot of CISOs have had concern with is the amount of budget and what they're getting, right? And I think we've seen that, we've seen that trend up. And now I think we're seeing that trend kind of flat a little bit.

I think the biggest change is happening on kind of the mid to small business side. That changes as opposed to the CISO reporting into IT. It was a security first mindset with IT being part of that overall mandate for what ended up becoming a security and trust officer role. That was kind of new. I've heard of a couple people doing that, but post that, you know, we're talking two, three years ago, I've heard of a lot more of this happening where, you know, CISOs are coming in and they're being asked, can you also take over the IT function? And I think it makes sense because the transition is security really understands how to do security, but everything security is also IT. And so I think what companies are saying is, look, we're trying to make things more efficient and streamlined given economics that are currently happening. The CISO can handle the IT function fairly well and do it from a security first mindset.

In many cases, that's not to say this works for everyone or for every company, but I am definitely seeing a shift. I've heard it from my peers. It's been talked about in some public discussions that I've had. So this is, I think, one shift of like the CISO kind of evolving up the stack and becoming more relevant. But in order to become relevant, you've got to become relevant to the business. One, you have to know how to talk about business issues and be broader than just security. Right. And so bring that value where you can do that.

Deepak Jeevankumar
Yeah, so how do you think about these changes? Are the, the pros are obvious, right? Like, you know, there is like one person who can look at the organization end to end and stitch things together more effectively. Are there any risks in the same person doing cyber and IT and privacy?

Ben Carr (09:36.998)
It's going to be the same risk one way or the other, right? You know, if you've got the same, if you've got a CTO or a CIO managing it, the challenge is generally there. You know, as a CISO, I think about the traditional risks, right? Is that you're looking at that role and the mandate that the CISO has, and it's typically in conflict with what the CIO does. Right. And what I mean by that is the CISO, the CIO is about availability and delivery, right? And the CISO is about security. So almost everything we do from a security side potentially could have some impact in availability delivery production, right? And so it's about balancing those risks. If I flip the script and I think about it the other way, the risk could be if you get the wrong person in the role who doesn't have a business sense and doesn't understand the balance of IT, then they might put security first in everything, right? Which could have a greater impact to the business. I think the benefit is if you bring the right person in, you can mitigate that because

Look, when I did the role and I first took on, you know, full CIO responsibilities, like that, that impact of like, Hey, I'm, I'm trying to deliver availability and service to the business, was insightful, right? It opened up some windows into things that I may have, you know, intellectually known, but didn't emotionally connect with because I didn't have that responsibility. And so I think it can be very empowering, but certainly it definitely depends upon the right person. Right. And I think my concern would be.

If you're bringing the wrong person in or you do it for the wrong motivations, if you're just doing it for cost savings and not realizing about the long-term benefit and trying to construct it so there's a benefit there, you could be setting yourself up for failure. So I think it's about approaching it the right way and having that dialogue with that person you're thinking about to understand and the rest of the business to understand how do we architect this for success, both from business and from an IT and security role.

Deepak Jeevankumar
No, I think you used a very insightful word. How do you emotionally connect with the other stakeholder? Yeah. Whether it's IT or developers, sometimes at different parts of the organization. Well, there's another important stakeholder for a CISO, the board. There is. Right. And how can CISOs very effectively and emotionally connect with the board? And how...

Where do you see conflicts between what a CSO wants and the board wants and where do you see this aligning well?

Ben Carr
Yeah, that's an insightful question. So I think one of the things that it's really important for a CISO to bring to the table is EQ, right? You have to be emotionally aware of both yourself and your connections to other parts of the business. None of that's more important than when you're having those discussions at the board. So I think the first thing is you have to figure out how to make a connection to the board. So, you know, going into board reporting isn't just about bringing in a deck and like giving two slides and walking out and being like, yeah, I did a great job. Before the board meeting, you should figure out, you know, if you're new to the organization, or even if you've been there for a while, who on the board are you going to create a relationship with? Right? Are you going to create alignment with and are you going to have the ear of, right? If you think about the CFO, there's someone on the board that they have a relationship with, and they probably go over the deck before they go into the board meeting. You think about the CIO, hopefully they're doing the same thing. But certainly the CEO and every other board member worth his salt has that person that has a relationship. So I think you have to find somebody and you hopefully

Deepak Jeevankumar
Typically like is there like a specific kind of a board member that you would look for?

Ben Carr
You look, I think some board members have more of a concern about security and technical risk and then just risk in general, right? So you've got to look for the board member that's most concerned about the risk. And hopefully we're talking as risk professionals. Security is just one type of risk, right? You may find on your board, you've got nobody who's super technical and that's actually a trend. Like there's not a lot of boards that actually have deep technical expertise, even though technology is every company nowadays. I like to say, even if you make toilet paper, you're still a technology company, right? There's technology that makes that company function. And you also are a risk-based company, right? Like everybody has risks, whether it's real estate, whether it's, you know, profitability, like there's all types of risks. So figure out who is most interested on the board from risk. And that's probably your best alignment. If you are lucky enough to have somebody who's technical and uber lucky to have somebody who actually has a passing interest in security, I would suggest those are also targets for that. Right? But create that relationship, create that dialogue and invest in the relationship and start to have conversations, not just about what security is doing in the company, but in general, what's the risk tolerance? What are they concerned with? Like, what do they think about the program? Right? Like get them involved and start talking. And I think once that happens, you've started the dialogue and that discussion. If that can continue, you've set yourself up for a great deal of success there, because I think

That's what all boards want to understand is ultimately what's the risk and how do you get great, greater profitability. Once you've set up the risk discussion, I think the next thing and hopefully the ultimate goal is how can you create alignment in that? You're going to be asking for budget that the budget is going to something that's either one going to reduce risk or two, hopefully increase profitability of the organization. And if you can do that, you've created real business value.

Deepak Jeevankumar
Yeah, and increase the share value of the organization. And that's what we all want as shareholders, whether it's a public company stock or private company stock. So talking about the RSA conference, how important is it for CISOs to attend the conference? And how can CISOs make a good use of it?

Ben Carr (15:28.602)
Both excellent questions. So look, I think when I think in general about CISOs going to the conference, I think there's general two schools of thought on this. One is I get a lot of value out of RSA. At the CISO level, I think it tends to be more about the connections. Again, it's part of that EQ building, right? It's about the

Deepak Jeevankumar
Who do you connect with? Who would you look to connect with? Your peers?

Ben Carr
Yeah, so other peers, right? Like, so other CISOs that I know are going, it's a great time to get face time with those people, sit down, have a discussion. What are you doing? Right? Like we can only do so much over the phone. I think everybody's a little burned out post COVID about, you know, Zoom and webinars and that kind of stuff. Phone calls are great, but it's always nice to sit down in a relaxed environment, have those longer conversations, again, building the relationship. Sometimes it's vendors, right? Sometimes it's people you have a strategic relationship with. Sometimes it's partners.

That's the one school is like, I want to go, I'm interested in it. There's another school of thought, right? Just being honest and transparent is that it's a vendor fest and there's not a ton of value. And so I do hear a lot of peers now say, man, I'm not getting the value I used to out of RSA. I'm not going to go, but still I do see a lot of them send other people like send directors, send managers, right? Send people who haven't gone because they do get more value out of it. And it's a good.

It's a good focus spot, even if it is very vendor focused, which we still need that for somebody who is more, you know, the, the person responsible for endpoint protection, this person, person responsible for, you know, email protection, the person responsible for ransomware that they actually go and can meet with all the vendors in a concise condensed time, right. And actually get a lot of information out of that. I still think there's a lot of value in that, but yeah, on the CSO side, definitely do think it's split into kind of two camps.

Deepak Jeevankumar
Right. So you mentioned that some CISOs now send their reports, VP, directors, managers. So let's talk a little bit about that because RSA Conference is obviously a great place for startups to get your business. So how should startups go about doing that? Now you can put your hat on as a vendor, as a CISO of Halcyon.

Ben Carr
Well, look, I think you have to differentiate yourself as a vendor. You have to create some value.

Like what, 3000 vendors coming to the RSA conference? Yeah, it's like every year I go, I always get asked after the fact, was there anything interesting that popped out at the conference and how do you elevate yourself as a vendor outside of the noise that's there? And part of that discussion is every vendor wants to talk to the CISO, right? But as a CISO, especially the larger the organization gets, right? You could be the CISO and only have two people reporting to you, but you can be a CISO and have several hundred people reporting to you.

The larger the organization gets, the more important it is to have those conversations with the direct reports or even some of their direct reports, right? Because that relationship is where you're going to build kind of that technical connection of, wow, this really works for us. It's fit for purpose. And I get it again, you've got to elevate out of the noise, but know that you don't just have to talk to the CISO because as a CISO, I often rely on trusted people within my organization, my directs, to bring me information and basically tell me, Halcyon is doing something different and I really think we should spend the time. And that's when as a CISO I'm willing to make the investment of time, because I just don't have an endless budget of it. I mean, time is the only thing I can't get more of. So I want to make sure I'm focusing that correctly. And so I'm looking for one, vendors that actually set some differentiation, elevate themselves above, aren't talking about a me too.

And they've taken time with my directs to build that relationship to help them understand why it's the right solution for us. And when I say that, I mean, you understand our environment. You understand what I'm doing internally. If you don't understand that and you're just talking, it doesn't help. You need to listen first, ask questions, understand what is different in my environment than my competitor's environment. And then tell me about what business advantage you're going to bring that.

because I have to translate that business advantage into the other C staff and to the board. I have to explain why I'm making this investment. So that's what I'd have to say.

Deepak Jeevankumar
No, that's very sound advice. So can you give us some preview into how is Halcyon going to rise above the noise in this RSA conference?

Ben Carr (20:08.386)
Yeah, well, I think Halcyon is bringing a very interesting solution to the market, right? We are specifically targeting ransomware, right? We're ransomware prevention and ransomware remediation and response. And so that's what we're trying to do. We're not trying to displace or replace EDRs or EPPs. We believe that there's a gap that's left between that EDR and between a backup, right? And so ransomware actors have figured out how do I bypass? How do I get around those technologies?

They're trying to identify and scope out what EDR is there, how to bypass and turn it off, and how to exfiltrate data and get it out. So if you're relying on backups at the end of the day, you've already had a very, very bad day and maybe a very, very bad couple months. Yes, you may get the data back, but even if you do, it's been exfiltrated and it's being held for ransom. And that doesn't just go to you. That goes to, you know, third parties, fourth parties on down the line. So that's the gift that keeps on giving from the ransomware actors.

Halcyon is specifically trying to target prevention. One of the things we really bring, we call it RDR, ransomware detection response. We actually are able to respond to the problem, right? So we prevent it first. If for some reason we can't prevent it, we're able to do key capture. We're able to actually work on preventing exfiltration of data. And then we have a very deep technical staff on the backside. This acting as a backstop and actually acting as kind of a managed ransomware function on the backside to make sure we're working with the internal team and we're not increasing workload. So I think our solution is very unique. It's differentiated from everything else out there. There's nobody doing everything we're doing. And yet we up armor the EDR. So, you know, holistically, we're focusing on making sure that we're giving you the best possible protection against what's arguably the biggest risk in cyber right now, ransomware.

Deepak Jeevankumar
Yeah, no, I agree. And since we have been investors in Halcyon for a couple of years now, I think what really attracted to us, Dell Technologies Capital, was the fact that in spite of ransomware being like a two, three decade old problem, there is no company that focuses exclusively on ransomware. Everybody does it as the number fifth thing or the number sixth thing or the number 10th thing they're doing. And this is like...

(22:26.126)
It just felt so obvious, but I don't know why nobody did it. So we are glad to be in business with Halcyon. So any parting words of wisdom to CISOs who are coming to the RSA conference for the first time? They're coming there for the first time, would you say? Or a security professional, maybe not a CISO, like a director level person.

Ben Carr
If you've never been to the RSA conference, wear comfortable shoes. Try to figure out what parties and events are going on and figure out how to get on the invites. If you're interested in talking to Halcyon, reach out to me. We're doing a number of great events. We have an event off site that we do every night at Natoma Cabana. So we'd love to have people stop by the booth at the RSA conference, talk to us, find out more about ransomware. But again, like,

Focus your time, try to figure out what you want to see and make the best use of it, right? Engage in worthwhile conversations while you're there.

Deepak Jeevankumar
Great. Thank you, Ben, for joining us. And we will see you at the conference floor. Thank you. Thank you.
