SaaS Cast

The Critical Role of Cybersecurity in SaaS Success with Carbide

December 05, 2023 Jason McFadden Season 1 Episode 4

🎵🔒 From melodies to cyber defence: How does a musician become a cybersecurity maverick? 🤔

Meet Darren Gallop of Carbide on @thesaascast. Discover his unique beat in tech, blending musical creativity with cybersecurity savvy. 🎶💻

🚀 Learn how Carbide balances fast-paced SaaS innovation and tight security.

🎧 Essential listening for anyone in SaaS looking to harmonize growth with security.

⚡️ Powered by: Build with Assembly


Speaker 1:

Welcome to another episode of the SaaS Cast, the show that flips the traditional podcast format on its head. Here we have a simple rule: one question, one answer from some of the biggest names in the SaaS world. Today we're thrilled to have the founder of Carbide on the show. They're an enterprise-class security platform that makes it easy to embed security and privacy into the DNA of every organization. It's a big mission, a big vision. Darren, it's great to have you join us on the show today. You've built an incredible business in a really regulated, competitive and hard-to-navigate sector. So I'd love to begin by hearing a little bit about yourself and your journey building the company so far.

Speaker 2:

Awesome. Well, thanks for having me on the show. Glad to be here. So yeah, I've got, I think, maybe a little less than traditional history in terms of how I got into building a cybersecurity company. I started my career as a musician in my early 20s. That transitioned to being a recording engineer and producer, in other words, sort of migrating from being on the road and playing live a lot to actually working with other artists and helping them build their recordings. That evolved into effectively really just doing that full time, which turned into me starting my own label with a partner down in New York. We ended up becoming distributed in EMI with EMI Canada and a few other labels in other countries in the world.

Speaker 2:

And, of course, the music industry really got hit pretty hard in the mid-2000s and certainly again in 2007 with the economic downturn. We had naps to roll out. The value of records really took a spin down the toilet bowl and our partners, our record partners, just the whole environment changed. I didn't really see how I was going to make my original business plan operate. Things weren't going super well and we were doing a lot of cool stuff with technology as a record label. That I think was pretty odd at that time, like going back to 2005, 2006, 2007. We were using Basecamp very seriously back in the day, people weren't using the word cloud and SaaS was not a very common thing. But it was like, where's the data? It's in a server in another state, somewhere, in a time when a lot of people were like, it's in this room beside me, in this server under my bed.

Speaker 1:

Yeah, exactly.

Speaker 2:

And so that was really cool for me. Music really brought me to technology because when I started getting into producing music, this was really at the point where a lot of people were making that transition from analog tape recordings and stuff to doing things digitally. And I loved the digital recording and, being the type of person that, like I, didn't want to use a computer unless I understood the computer, so it really brought me deep into the tech behind the tech and so, yeah, and as a label, we loved trying to figure out new ways of doing things and we were really obsessed with like SaaS-type technology and really leveraging that. So, as I was kind of seeing the demise of the record industry and really questioning my life decisions around starting a record label, we had this great idea around what if we sold technology specifically? Initially it was like, well, Basecamp is kind of a generic sort of like platform. Right, it's not really specifically made for any type of agency. In fact, if anything, it was more like an agency doing like design shop or stuff like that. So we were kind of like using it in a bit of context. So this idea of building a platform with that sort of idea of making things more efficient for the music industry, and where we really focused was in the music festival space because we felt like just the logistics of putting on a festival: you've got like a whole year to plan a festival and then everything happens in three days and it's absolute chaos all the time, no matter how organized the festival may or may not be, and it was a niche product in a very niche industry. We didn't raise a lot of capital. It wasn't really a venture-backable business, so we didn't really take any like traditional institutional capital per se. But we built a profitable business and by 2015, 2016, we were being used by Coachella and Burning Man and Bonnaroo and other cultural events like Just For Laughs, even some sporting events like X Games, and it was a really wild ride.

Speaker 2:

But what we noticed is, as we got into the later stage of that business and our feature sets started requiring us to store and process more information, a lot of confidential information, as we started working with enterprise organizations (Disney and Live Nation and AEG), the security requirements and concerns that they had started to mature pretty quickly and that put a lot of pressure on us. So we were really getting forced to tighten up our security from a confidentiality, integrity and availability perspective. We had to go through a SOC 2. I think we did that in 2015. We ended up being an ISO program, in effect, and near the end, before that company was acquired, it was right on the onset of GDPR, and so we had to go through the process of navigating GDPR because we were in 23 different countries around the world. A lot of them were in Europe.

Speaker 2:

So you know, just like that's how I got introduced to security and for us it, quite frankly, just really became something that initially was a pain in the ass, and then it was something that we figured out, a really good way to do an actual strong security program. We started to take it very seriously, but then we even saw it as a competitive advantage towards some of the little ankle-biter competitors that were popping up in the market that didn't have the insight on how important the trust element was becoming, and we doubled down and I ended up doing a CISSP certification and you know we ended up really tightening up. We built a really awesome security report and like trust report and all this kind of stuff, and this was when a lot of companies, certainly SaaS companies, weren't really taking this stuff seriously. So that's how I kind of navigated from being a musician to a music entrepreneur to a music tech entrepreneur, and then, of course, you know it was kind of, I was looking for something bigger.

Speaker 2:

I wanted to build a bigger company in a bigger space, and I really saw the writing on the wall in terms of what the impacts of all these data privacy regulations were, seeing the increase in the velocity of increase in the hacking world. Like it effectively was becoming the new go-to, you know, money grab in the black market for illegal activity. You're less likely to get caught hacking some business with a crypto locker than you were trying to cross the border with a bunch of bags of cocaine in your luggage. So it just became a really obvious scenario that, wow, hackers are making money, everybody's moving to cloud. You know, this is all going to happen, and then regulation is going to jump in and everybody's going to get reactive and then trust is going to be the big thing and of course, you know I got that part right. We're definitely seeing that in the world. But now that's how I went from playing drums in a band to being the CEO of a cybersecurity data privacy company.

Speaker 1:

I love it. It's both creative and an element of high regulation, and selling into a core area of a business around security is not an easy thing. So I'm sure the showmanship and all your years spent in music, learning about the art of performance and storytelling, really helped humanize an area that's as hard to talk about. Right? Because again, if you're talking about security, it's either something happened in most cases or you're trying to decide what to do after it's happened. And maybe that alludes to the question that I have for you. There's like this big debate in tech circles, and I'll even say by the role in which you ask within the tech community, whether you integrate and embed security first, or is security an afterthought. And so, from your experience, someone that's lived this day in and day out, what are each approach's inherent risks and rewards from your perspective?

Speaker 2:

Yeah, I would say first of all that most companies think about it as an after effect.

Speaker 2:

Yeah, sure, yeah, and the mentality always has been like build quick, build it fast, MVP, just get stuff out there, prove the concept, and then clean up the mess later. So I get that mentality and that's certainly what I did in my last company. The challenge with that, and this was a challenge that cost us heavily in my last company: if you spend five or six years building technology and you build it in a not-so-secure way, you make really not necessarily the best architectural decisions or product decisions or how you go about things. You're totally oblivious to data security, data privacy. You can certainly end up in a situation where it's not going to be just flick a few switches to solve the problem, and that was certainly what happened with us in our last company. I remember we got our first pen test and there was a lot of findings. Now I will say, like the quality of most modern dev stacks nowadays, there's a lot of stuff that can be baked in the box, depending on how you build your tech stack and whatnot. Back in 08, now, 2010, 2011, there was very little coming out of the box for you. You were really kind of left to your own resources, certainly on the security side. So, but we had that and that was a problem we ran into. We had a lot of challenges in our application from a security perspective that required us to build things over and upgrade things and change the way we were doing things. So we ended up in a period of time of about six to eight months when we really didn't have the resources to spend on increasing and improving features and doing what customers were requesting us to do. We had to do all the stuff that they can't see that we needed to do to make sure that we were not exposing them, right. So that's the big downside of bolting it on.

Speaker 2:

After the fact, the other big downside of doing that is when you go in looking for those first customers, like when you're not thinking about security and it's obvious and you don't have the knowledge to talk about it, you're already starting the conversation off with a low trust score because it's like, who are you, your new company? You don't really have customers, you don't really have revenue. Right, it's already a leap of faith to get somebody to trust you, but going in there without having sophistication around your ability to respond to questions about data security and architectural security, your application, your software, etc. It's not a great look and it's more and more of a thing, and we hear the term now more and more often about security and privacy by design and by default.

Speaker 2:

So you know I would argue, and you know we still see this all the time, I would argue that yes, I mean, I get it, you need to move quick. But I would say you don't have to build the top secure application from day one. I'm not saying that. But if you can just have some lunch and learns about security and set some pretty high-level policies or standards that you operate on, you know. The accessibility of that sort of tool is now like, you can get vulnerability scanners for next to nothing that are pretty high quality, that can scan externally or credential-wise, just to, like you know, put that in prettier testing.

Speaker 2:

Think about security and privacy when you're scoping new features. Like it's amazing, like you know, I see people like, hey, we lost this new feature. It's like, holy shit, do you realize the exposure that this new feature creates? Like you went from scheduling this class of confidentiality to, now you're talking like you're going to turn this on and all your customers are going to ideally jump for this product, but like, look at the exposure you're creating, right? So did you think about that? Did you look at that from a security perspective? And so, yeah, I mean, I think, the learnings, the lunch and learns, adopting some coding best practices, some cloud configuration best practices, getting into the habit of keeping your dev stack up to date. Don't allow things to lapse to the point where you know, oh, we haven't done an update in a year and now we can't just do an update. There's actual work involved in modifying the way things work or changing some code to do that.

Speaker 2:

So I would argue that having some degree of security thoughtfulness and education from day one is going to, in the mid to long term, help you speed up.

Speaker 2:

And then the other factor that I would think about in terms of how far you go with that is like, from the customer that you're proposing you're going to sell to, and what you're going to do for them.

Speaker 2:

How are they going to look at you from a risk perspective? Because that's also going to determine the degree of, you know, how lenient they may or may not be in terms of your security posture. If you're a low-risk vendor, just by the nature of the amount of data or the degree of integrity requirement or availability required, if you're a lower-risk vendor, then the questions and the degree to which they'll look at your security posture are going to be different than if you're, you know, going to be connected to a bank in America and you're going to instantly have, you know, millions of records and things like that, right. So you know, look, understand what your customers' expectations are, and understand how they're going to look at you selling your ideal, you know, positioning yourself in their business. How are they going to look at that from a supply chain risk perspective?

Speaker 1:

Yeah. It's always a hard debate and I think you've really articulated both sides of it, and actually the one that you just mentioned about target market was the one that was always top of mind. It's like, there's nothing worse than getting almost to the finish line of a deal to find out you didn't make it because of a security or the infrastructure provider that you chose. One other quick question for you: where do you see more risk? Do you see it on the infrastructure side or do you see it on the application level side? If you were to, out of 100, what would be the delineation between the two?

Speaker 2:

Yeah, I mean the way I look at risk, generally speaking, is like you're really only as good as your weakest link. So I think it depends, like it depends on the type of application and what that stack looks like. I mean, on the infrastructure side, I think it's wise, very wise, to pick your infrastructure very wisely because you can get wins, like you can actually take components of the equation and defer that off and not worry about that. Well, you need to do your vendor due diligence on the vendor yourself. You have to make sure that you're using the tools properly.

Speaker 2:

But what I always tell people is, like when you're partnering with infrastructure, look at their shared responsibility model. Like what are you getting here from a security perspective, and then that kind of gives you the opportunity to take certain components of this and push that off to the infrastructure, to the companies that you're partnering with, and then at least understand what your responsibility is on the infrastructure. So you know, failed infrastructure, poor infrastructure security can result in serious data breaches, but so can crappy code or testing.

Speaker 1:

Yeah, yeah, I agree. They're equally as important and I think from my experience I've kind of found the cobbler's shoes for a SaaS company in many ways is the infrastructure. Just by design, to your point, move fast, find product-market fit, ship as many MVPs as possible. But then there's always this inflection point and it's hard to equate whether or not doing it before or after is right. If you're going to be in that scale-up phase, there's nothing worse than putting out a fire that's distracting you from the next big opportunity that you should be focused on, I think.

Speaker 2:

I think there's a hybrid, and it comes back to, again, understanding what the expectations are, understanding what the bar needs to look like, and then making a conscious decision of, okay, well, we're going to do this now, like let's make sure we follow, you know, good coding practices.

Speaker 2:

Let's make sure that we make good infrastructural decisions, let's make sure we architect intelligently and be mindful, and you can still decide, hey, maybe there's a certain component of where ideally we want to be from a security perspective that we are going to put off. But when you just ignore, kind of naively ignore the whole topic, you don't really know what you don't know, and so, if you end up in the situation like we did at that time, where we had a lot of customers asking us for a lot of things and it was an ideal time for us to be shipping features, we weren't shipping features, we were shipping things that were invisible to the customer but that were critical for us to get the security posture in terms of the application infrastructure that we needed.

Speaker 1:

Yeah, and again, I think this, like if you think about the investment, right, it's another core reason to believe for your organization, right? It postures you differently, definitely builds trust and credibility, and anchors for any, you know, new client that's going to join your company, investors, all of those types of different modalities. Final question: you know, with organizations like MedStack, right, that offer HIPAA-compliant environments, and you know I'm sure there's more that are out there that are similar in nature. They found, you know, a niche, which you know there's a whole bunch of health tech companies that are sprouting up, and HIPAA is hard to get compliance with. So we'll just, you know, build a solution on top of Azure, charge a premium, and in a day you can be HIPAA-compliant. What's your thoughts on, you know, tools and platforms that get you there really quickly but may cost you more in the end? I don't know. What are your thoughts on it?

Speaker 2:

Well, I mean, the first side of it is when you look at something like HIPAA, for example, the security rule is one of the rules, but there's a lot of other components. And now what I find, you know, some of the challenges I find, and we've dealt with companies that are on various different platforms, where the platform is like, hey, this is going to get you compliant, and, you know, this tool's going to do the hard parts, and it's like, well, what concerns me there is sometimes there's some snake oil there, because the reality is, well, it's not always the infrastructure that's the hard part. It really depends on what you're building, how you're building it. There's also a lot of administrative control requirements and there's a lot of process and there's a lot of educational requirements. So, you know, I think the reality is, yeah, I mean, there's definitely these tools out there that can help. And again, it goes back to what we said earlier, like the first parts of this equation that you can offload to a vendor.

Speaker 2:

Then that is going to be beneficial for you in all likelihood, you know, to some point. There may be a point in scale in your business where, you know, you're going to want to have more control over the situation, but there's more to it than that. Like sometimes, you know, we work with customers. They're surprised, like they throw their CTO in there and then it's like, well, we're gonna have to. There's all the stuff you need to do related to governance. There's all the stuff you need to do related to privacy. There's all the stuff you need to do related to policies and procedures and controls and control mapping. There's a lot of HR onboarding and offboarding and awareness training. There's a lot of things you need to put in place that aren't really that technical and, you know, sometimes people are like, well, why are we doing all this?

Speaker 1:

Because you have to, right? Like what's the point of having some business value, right, whether that's unlocking your next client or protecting your business against threat and risk. I think those are the apparent ones. I actually think that's a great point: knowing, investing into a platform like this, what's the return on investment?

Speaker 2:

Yeah, I mean, you know, when I see companies come to us that have a platform or an architecture solution where, you know, they don't have to go through and manage all that configuration, it's certainly, you know, beneficial to us in one sense because it means, well, we're not gonna have to help them with that problem.

Speaker 1:

Yeah.

Speaker 2:

And if they've chosen their vendor well, that's one box, you know, that we hope is checked. But unfortunately a lot of times they're not. It's like, well, you still need to code securely, you still need to test your code, you still need to, you know. So there's still work to be done and I think, you know, the value proposition that I feel that our customers experience is, as they're going through their journey growing their customer base, maybe moving up market or just expanding both the feature set and the customer profile, is that as more and more standards and more requirements come down the pipeline, what we're able to do with them is give them a single set of policies, a single set of controls that map across a variety of data privacy regulations and a lot of security standards and frameworks. So they can very quickly analyze their posture compared to whatever benchmark is critical for that particular customer, and you know where the efficiency comes is having segregated programs like that.

Speaker 2:

That's not really manageable, like it's likely. If you're, let's say, you start selling in Canada and you're selling your health, like a healthcare or a medtech product, you have different requirements in each province. It's kind of a bit of a hot mess, and you know how each province manages that. Then you go down to the States. You've got the HIPAA compliance equation. If you're going into Europe, you know GDPR has coverage when it comes to, you know, healthcare and cost-fazard is a certain degree of PII, and you know every place in the world kind of has their own flavor, right. There's a lot of shared principles and best practices there, but you know you want to be able to have one program, like your SaaS company. You can't have like a compliance department and you can't have five different technologies that, you know, manage different subsets of controls.

Speaker 2:

That's just like, that becomes very heavy red tape. So that consolidation and understanding. You know, again, it all comes back to risk, and most of the standards and frameworks and a lot of the regulations, it was added to risk, like you need to understand your risk, given you'd have a risk management platform, you know, in place in the business, and that can help you understand, like, the things you need to do well and the things you may be able to get by without doing or can do at a much lighter intensity, and you can validate that through, you know, understanding and practical, you know, correction of actual risks.

Speaker 1:

Gotcha. And so, Darren, if any of our listeners who are tuning in right now, if they wanted to, you know, find your company online or reach out to you, what's the best way for them to do that?

Speaker 2:

Yeah, I mean, you can reach out to me on LinkedIn, I'm on there. I'm checking it at least once every day or two. So if anybody has any reason they want to hit me up, hit me up there and I'll get back to you within a day or two, and then, you know, if you're more interested in learning more about the company, just go to CarbideSecure.com and there's tons of information about what we do there.

Speaker 1:

Amazing. Well, Darren, thank you so much for your time today. Thanks for sharing kind of some of your perspective on security first or as an afterthought. I think it's a great, healthy debate that will continue much more into the future. It'll probably never stop, but good recommendations and thoughts and perspectives from you were shared today. So thank you again for your time. We'll be cheering you along the sidelines on your next round of growth as you scale and keep on building the company.

Speaker 2:

Awesome. I appreciate it.

Building a Cybersecurity Business
Considering Security in Application Development
Perspectives on Security