Conversation with Duncan Greatwood
Good day, and welcome to edition 126 of our Digital Industry Leadership Series. I’m pleased today to have Duncan Greatwood, CEO of Xage Security, a Zero Trust security company protecting today’s industrial IoT; we are proud investors behind Xage. Duncan is a serial founder and a successful CEO, having sold Topsy Labs – the leader in social media search and analytics – to Apple in 2013, and PostPath, the email collaboration and security company, to Cisco in 2008. Previously Duncan held Vice President roles in marketing, corporate development, and sales at Verada, as well as earlier engineering and product marketing positions at Madge Networks. Duncan holds a BA in Mathematics and a master’s in computer science from Oxford University and an MBA from London Business School. Duncan, it’s my great pleasure to welcome you to the Digital Industry Leadership Podcast Series.
Ken, great to be here.
And this is long overdue given all of the interesting things that have happened relative to cybersecurity over the last several months, especially in the US, so I’m greatly looking forward to this discussion. So, I always like to start off by asking the question, what would you consider to be the red thread through your professional journey?
Sure, red thread, so I never had a hyper-structured career, I tried to basically do big, interesting problems, working with interesting people, and I followed my nose to do that. I think for me the center of building the businesses that we built has really been building great products and making the customer successful with those products. So, there are lots of ways to make businesses successful, but for me, a lot does come down to the product and how the customers benefit from it, so I always get my head deep into that. And then as you develop as a leader, I think you also learn more about the critical importance of making the team work together successfully. Of course, we have to get the right people in the right business and everything else, but really making the group work effectively as a group has been a key part of everything I’ve managed to do, combined again with a slightly insane passion for building great products.
How did your early work and collaboration in social media prepare you to play the leading role that you are in cybersecurity?
Well, cybersecurity always had my attention, even in my very first job out of college I remember we made a little program, we’d hire these passwords of the corporate network, in those days you could do that kind of thing. I remember the CIO of that company had set all of his passwords to a single word, ‘money’, make of that what you will! But by pointing out those insecurities they were able to improve, and then they adopted a more secure log-in system and so on. It’s always been a thread for me, and in collaboration tools including email that’s really the brain of the company that’s using it, and if you expose that to cyber risk then there are so many issues of course with stealing ideas, faking information, and so on and so forth.
So even at PostPath and Cisco, we had a very strong emphasis on securing the mechanisms and enabling people to share what they wanted and not share what they didn’t want. That’s also a strong value at Xage, we’re about enabling people to work together successfully in industrial IoT, we’re not the kind of security that tends to stop things, we’re enabling things, but at the same time we want people to be able to place their own limits on what they share and with whom, and really continue down that thread.
With Topsy and Apple you might think that search is like the opposite of security, you’re trying your hardest user data, etc., but we didn’t approach it that way, in fact, we developed a whole bunch of techniques for gathering and understanding without having to expose people’s private information, and it’s one of the reasons why we did the deal with Apple, because that gave us a way to continue that, and obviously broaden its spread dramatically by protecting people’s privacy there. So, it’s always been an area of close interest to me, and a core part of the product-side build in the past. I think until Xage I’d never really found a cybersecurity company that was also so concerned with enabling new ways of doing business; many cyber companies are spackle companies, they find a hole in the wall and they run forward and fill it in, and that’s great. But for us at Xage enabling these transformative changes in the customer’s business and underpinning those is just as important as the security part itself.
What was the origin story behind Xage, prior to you joining it?
There are technically three founders of Xage, myself, Susanto, and Roman; we came together with an investor in Palo Alto, Chenna Ravi, whom I’d known from back in email days when both Ravi and I were running email companies. We had a couple of insights, one was that there was a coming wave of transformation in real-world systems, everything from how we generate energy, how we make things, how we transport ourselves, how we grow food, and on, and on, and on. That set of changes was intersecting with a need to work much more cooperatively across a much broader group of people, so rather than closed systems you ended up opening systems, collaborative systems. All of that meant that the cybersecurity approaches of the past in industrial companies were profoundly obsolete.
We had that market understanding, I think, and it combined with the deep tech that Susanto and Roman, in particular, were responsible for creating to address highly distributed and highly cooperative cyber problems. So, we felt like we had the right technical direction combined with the market need, and of course that’s really what you need to make a company.
You did well connecting with the people that you did, I know TM Ravi well and The Hive there in Palo Alto, he’s had a whole string of great companies in this industrial space, so a good partner in that regard. Maybe that might answer my next question, but why the focus on industrial IoT particularly, especially because I think at the time many of your peers were looking at the B2C use cases.
Sure, and having been at Apple myself, B2C is close to my heart too, but I think there’s going to be a ton of continuing evolution in B2C. The dramatic impact of digital transformation over the next 10 years is perhaps going to be seen most strongly in these real-world operations, and we’re really starting to see it in some places; we’re familiar with the successes of Tesla and some of these other extremely disruptive companies. So, in some cases, it will be new companies, and in some cases, it will be disruptions to existing companies, but there’s nowhere I think that’s going to see such a maelstrom of change as these companies will over the next decade.
It also is a close fit for the innovative and deep tech approaches that we have at Xage. Often if you’re trying to sell cybersecurity for some B2C issues, my first job is to beg people to change the password on their home router; it’s not so much a technical problem as almost a social problem in B2C. Whereas in industrial it really is a technical problem, people just don’t have the right solutions to go and secure their operations and make their operations more collaborative, and so that’s why we felt there was this special unanswered need in IoT.
Yes very clearly, plus there’s a lot of legacy in this case, so the ability to work across even non-IP networks in many of these cases is critical, and so those systems sit there for a long, long time!
Yeah, definitely. We’ve become familiar with large banks of serial modems and other things that you might think have long since disappeared from the industry, but sometimes those systems are connected up to very sophisticated modern compute environments, and part of the zen of Xage I guess is really accepting the nature of that legacy set of environments and embracing it, but also helping to bring it into the modern age and provide the kinds of security services that should exist in these environments.
What are some of your key use cases, and probably more importantly some of your wins?
So, at the product level, there are three primary use cases or three primary capabilities to the product. One is simply access control; it is easy to forget that most real-world operations really have very limited access control capabilities. So, by access control, we just mean that everyone who should get legitimate access to something can get that access, and people who don’t have legitimate access should not get access. You should be allowed to do what you’re supposed to be able to do, and not be allowed to do what you shouldn’t be able to do, and this is a huge issue across oil and gas, green energy, manufacturing, and so forth. So that was really where Xage started, building a true access management system, often called a Zero Trust Access Management System, and implementing that in some of these industries.
In the last year, we layered on top of that an additional set of secure remote access capabilities, also Zero Trust access capabilities, and of course part of the change that was already underway in these operations was doing more work remotely; that could be humans doing work remotely, it could be automation systems running remotely, it could be analytics running remotely, whatever else. But getting data securely in and out of the operation is a huge issue, and when you get the data in and out you need to know: is that data authentic, does it really come from where it claims it did, does it have integrity, has somebody changed it or uncertified data, and can I maintain its confidentiality? I don’t necessarily want to share it with everyone, can I share it with the people with whom I want to share it? So that data security that goes all the way back to the root of the data generated in the physical machines has also been a big play for Xage.
If we think about some of the customer areas where we’ve been winning with those products, you can start with some of the electrical utility companies, one that’s been talked about publicly for instance is Exelon or ComEd in Chicago, where we’ve been helping them with the design of a next-generation electrical system: people generating solar energy on top of their buildings, trading energy with their neighbors, or maybe you have more battery capacity than your neighbor or less, and you can trade the energy back and forth as it’s needed. That’s a great illustration of the way that Xage works to protect basic access control, who can access the controller for that solar array, for instance, all the way through protecting a business process of agreeing to sell electricity to building B, was it actually delivered to building B, and if so then that becomes a financial transaction ultimately at the end of the day. So, those utility cases and green energy cases are a big, big sector for us, solar and wind farms, both local ones and utility-scale ones as well.
We also have made a hard splash in the world of logistics, which is another area, of course, that’s had huge attention during the pandemic. Again, one of the customers that spoke in public about this is Dematic, one of the biggest warehouse automation companies in the world. In a warehouse, you have thousands of suppliers, or tens of thousands of suppliers involved sharing data back and forth, you have autonomous machines like forklifts, you have humans moving around, you have transactions constantly going in and out of the system, and so it’s another very rich industrial stack, from machines to data to business process, that we’ve been able to help protect.
We’ve also done some more adventurous deals, one that’s a fun one is with the US Space Force, and just as physical things are changing on the ground, they’re also changing in space, so satellites are communicating more with each other and not just with the ground. They are becoming increasingly powerful, so you may have a whole bunch of different payloads on the satellites, and some may be relatively uncontroversial like a TV service or what have you, some may be moderately controversial, moderately sensitive, like telephone calls or weather gathering, and some payloads may be very sensitive, they may be US military payloads for instance. So, the ability to establish real access control in those kinds of environments is becoming extremely paramount and is something we are enjoying working on with Space Force. It’s also the ultimate in distributed systems technical challenges as well, so that’s fun for our technical team to go and bite off; as somebody said to me the other day, ‘It does make for an expensive site visit when your software is running 200 miles above the ground!’ We’ve got all that going on.
Manufacturing is important to us as well, especially the remote access aspects in manufacturing; they’ve needed to have fewer people in the plant, especially with COVID, but in any case, it makes sense to take people out of the hazardous environments and so on, and so more and more of the work is being done remotely and remote access capability has just fit right in with that. As you probably sense, I could go on about this all day! There are water utilities as well as electrical utilities, there are transport systems, port operators, rail systems, and there are some smart city things going on as well, protecting security cameras across a whole bunch of buildings in a couple of cities in Asia. So, it’s a broad array of use cases and customer wins, but it tends to always come back to these major themes of, call it Zero Trust in security terms, or in plain English it means you can do what you’re supposed to be able to do, and not do what you’re not supposed to be able to do, across the whole system, combined with enabling these more collaborative and more remote work-oriented approaches to their operations.
Over the last several months, as I said earlier, there’s certainly been a lot of news relative to cybersecurity. I’m speaking of course about the recent news on the SolarWinds hack, and the implications and second – third-order impact that seems to have had. Was this as surprising to the industry as we’ve been led to believe, or was this something that people would predict that would have happened sooner or later given the state of our systems?
I think it’s a little bit of both. SolarWinds is, or has been, a well-regarded company, so I don’t think people would have looked at them and thought that they were riding for a fall or anything, rather the opposite actually. But I think once the nature of the hack became apparent there was a little bit of clutching of the forehead and going, ‘Oh yeah, that was a risk that we were running.’ The nature of the risk really is one that occurs in different forms in many, many environments, which is, there is really nothing in cybersecurity that you can absolutely trust, and in fact, once you cross the emotional bridge of placing some kind of absolute trust in something, you’re already headed for a failure because nothing actually is absolutely trustworthy in that way. But the excess of trust in the SolarWinds hack came down to two main things, I think:
One was trust in the digital signing of the SolarWinds software, and I know it sounds a little bit technical, but people felt, well, if SolarWinds have digitally signed their Orion software… Orion was the name of the product, then we know that it’s got to be okay, we’re not going to give it much additional scrutiny because we know it’s signed by them, they’re good people, it’s going to be fine. Of course, as part of the hack the attackers had to either compromise that system or compromise the build process at SolarWinds, so that bad software was getting digitally signed. It’s something we emphasize at Xage, we build a system with no single point of security failure, and so even if an attacker for instance captures one of our servers or several of our servers, they still can’t change policies, or insert false information and so forth. Having no single point of security failure is just critical to any protected system, and even something that is really quite secure like a digital certificate can be compromised ultimately, and you have to protect yourself against all of those eventualities. I think that’s one aspect.
The other aspect was also an excessive trust problem, which is that because people trusted the Orion software, they would essentially allow it to do anything. For instance, the Orion clients were placed on Windows machines, and the hacked Orion software would then implant additional malware on those machines. Now normally speaking the malware scanners on those Windows machines would detect the malware and toss it out, but the Orion clients were able to reach over to the operating system and disable those scanners. So, in that case, the Orion software was being trusted to change or remove any of the software running on the PC; there was no reason why it needed to be able to do that, it was just, ‘Well, we trust Orion software, so we won’t do anything’.
The principle of giving software, or people or whatever it is, just enough access rights to do what they need to do, for just long enough for them to do it, is what we bundle under the idea of Zero Trust. If you apply those Zero Trust principles in these cases, then the damage from the Orion hack would have been dramatically, dramatically reduced.
Switching from the IT to the OT, and there’s probably a thin line given that this did affect pretty much everything, do you believe OT systems as we know them today are susceptible to the same type of patterns, and I guess what would you see then as the critical challenges as we look forward, having learned what we did from the SolarWinds hack?
Well, without causing undue alarm, I think generally the OT systems are significantly more vulnerable; they will tend to make much broader use of implicit trust or excessive trust in their set-ups. Just as an example, generally today the legacy method of implementing security in OT has been to divide the OT into a few network zones, and then if you gain access to the network zone, you’re essentially allowed to do whatever you like in that zone, including re-programming production controllers in a manufacturing plant, or recalibrating a sensor on an oil tank, or whatever else it might be that you can do on that zone. So, even though you might have no reason, or no need, to do any of those things given your role in the company, or given your function as a piece of software, once you get inside the zone it’s unprotected; there are very often no more passwords or very limited security beyond that point.
So, this excessive trust problem is worse in OT than it is in IT, and OT has survived to this point because OT has been separated off to a very significant extent, but of course, as people digitally transform, they’re no longer separated off; now IT and OT are converging and almost becoming one thing. People need access from the outside world, partners have access to the data so they can run clever AI and be better partners for you, and on and on. So, the need to bring Zero Trust solutions into the OT world is actually even more pressing than it is within traditional IT environments.
So, if I was deploying a new OT system today, or even just overseeing one, what would your advice be relative to my cybersecurity stance, and how best to protect myself?
I think firstly people need to get comfortable with everything remote and partially remote operations and collaboration. I have seen some customers who have suffered problems and their reaction was like, ‘That is it, I’ve had it with this internet thing. I’m disconnecting myself!’ The reality is you actually can’t do that, and as they attempt to do it what they end up with is, they’re trying to build a hard perimeter, but they’ve punched a whole bunch of holes into and out of the perimeter, so they’re virtually in a worse state than where they started. So, I think to embrace the needs of transformation is step one, accept that you’re going to have to do it, you should do it, it’s the only way to improve your business, which you need to do to survive.
And then I think given that acceptance, then you really have to bring true granular Zero Trust control over what’s happening, and that means moving from a reliance on the perimeter of course into reliance on identity, authentication, and authorization systems. Sometimes people say that each identity becomes its own perimeter, and so you can decide what’s going into and out of an individual machine, rather than deciding what’s coming into and out of OT as a whole. These Zero Trust approaches are not easy to implement in OT today, but they are possible and of course, Xage is also the leader in enabling that to happen, but you really need that rigorous access control and integrity assurance in order to be able to run a modern collaborative OT system.
There are also proactive third parties that will try and detect breaches and look for incoming threats and so on; those are valid products to include as well. But the baseline really is, have you implemented real access control and end-to-end integrity in the systems that you’re using? If you haven’t, it’s only a matter of time before somebody jumps over the OT perimeter, or the zone perimeter that you’re using, and starts to go haywire within your environment.
So the short answer is, call Duncan if you’re getting ready to deploy an OT system!
We can help you, we can help! We don’t want to scare people, but we think we can help for sure.
Well for any of those of us who have been on the factory floor and seen, as you say, the banks of modems, believe me, you can begin to imagine the number of holes that must be in all of that, so I’m glad you guys are around. Let’s switch a little bit and talk about you as a successful serial entrepreneur. Given your own experience and especially the jumps you’ve made between different domains, what would you advise the aspiring entrepreneurs who want to follow in your footsteps?
Well, I think the first thing is to check in with yourself that you’re doing it for the right reasons, almost. For most people, there are easier ways to make money quite honestly, and if you’re just after recognition and fame then I guess you can put your cute dog on Instagram or something; again, there are easier ways to go after it. I think it tends to work best for people who actually enjoy going and solving problems, especially solving problems in concert with other people, whether that’s colleagues or customers, probably in combination. If you enjoy that problem solving for its own sake, then you’re at least on a path where you have a better chance of success, I think.
It definitely has been the case for me that resilience is key as well; there are always ups and downs in the journey of building a company, you have to be willing to fall back on your inner resources from time to time, and again that’s not for everybody, but it’s exciting flying when you do that and you end up with a group of people who have been successful together and make that work.
I think one of the other things is the importance of stepping back as you’re making the journey with your company. Part of building a company is incredibly focused, hardworking periods where you just hammer, hammer, hammer on things, but the stepping back where you say, ‘Should we really do it like that, or would it be better if we did this? Should we engage with that kind of customer? Should we go to market in that kind of way?’ Those stepping-back moments are often the hardest work because they require you to challenge your preconceptions, or the ideas that you have at the beginning that you may be a bit in love with, and whatever else; but the stepping back is often what makes the thing successful in the end. So, I think that ability to swap back and forth between hammering on the idea, pushing it forward, and then being a little dispassionate and figuring out what needs to change is also key.
Those are the main things you could say; of course, many people have said many good things about being an entrepreneur, and I think having fun is important as well. There are always going to be good days and bad days, but if you have fun along the way then it makes it a lot easier to ride out the bad days and ultimately get success.
I often like to ask this question of our success-story entrepreneurs, and I remember one a while back, ‘Basically, what would be your advice?’ ‘Don’t do it!’
I came a little close to saying that perhaps, but I think it’s one of those: if you know that you should do it, then do it, and if you don’t know that you should do it, then think twice before just running into it because you think it’s quite the incredible thing to do.
Yeah well said. Finally, we always like to ask what people, books, and/or resources inspire you, Duncan?
In people terms, I think some of the most influential people on me were some of the early bosses that I had; I was very fortunate to start my career in the entrepreneurial world, I didn’t have to suffer through the low levels of corporate life really. There are people there who inspired me directly, and we all get inspired as well by some of the people who’ve built brilliant companies. I think Jeff Bezos, not everybody loves Jeff Bezos, but he has done truly amazing things with his business, and I’m thinking about him this week with the changes that he’s announced.
In terms of resources, I think a lot of entrepreneurship does come from within, and so I’ve never been one of those people who hero-worships or follows a playbook or what have you; I think you have to figure it out. In the cyber world there have been a couple of books that have been really interesting; there’s one by Nitesh Dhanjani, ‘Abusing the Internet of Things’, which is really quite a good guide to thinking creatively about cyber. We’ve also leaned on some of the work that’s been done on distributed security at Stanford; there’s a really nice educational website, cbr.stamford.edu, there are a lot of resources there if you want to go deeper technically on the theory of distributed cyber operations. So, I think successful entrepreneurs usually are a little bit spurlish or jackdaw-ish in that they pick up shiny things from all kinds of different places and get ideas from all kinds of different people and places; I think that’s the best way to get inspired and build from your personal experience as well.
Perfect. Thank you so much for this insightful interview, I’ve really appreciated getting to know you even more at this point.
Ken, it’s been my absolute pleasure, thank you very much.
So, this has been Duncan Greatwood, CEO of Xage Security, and if I may, Mr. Xero Trust. Thank you for listening and please join us next week for the next episode of our Digital Industry Leadership Series. Thank you and have a great day.