HYCU Founder & CEO Simon Taylor explains why cybersecurity is increasingly important for software as a service providers.
December 11, 2023 – By Simon Erickson
“What we realized is data protection was the last bastion of undisrupted technology.”
It’s not a matter of if, it’s a matter of when.
If you’ve never been the victim of a cyberattack or a data breach, the chances are that you will be soon.
Ranging from simple Nigerian Prince phishing emails to elaborate and highly-coordinated campaigns to steal government secrets, the severity of cyberattacks all across the globe is intensifying.
And the need for best-in-class security vendors — to proactively protect you before an “oh shoot” moment occurs — has never been greater.
Yet how do we know who to trust? There are also thousands of cybersecurity providers who offer services to protect against cybercrime.
That ranges from small startups with a clever idea, to independent corporations like CrowdStrike (Nasdaq: CRWD) or SentinelOne (NYSE: S) who are leaders in their niche, to consolidated behemoths like Microsoft (Nasdaq: MSFT) and Palo Alto Networks (Nasdaq: PANW) with a full suite of products.
There’s a massive pool of vendors to choose from. According to research from Cisco (Nasdaq: CSCO), 13% of companies are working with at least 20 different vendors for cybersecurity alone.
So how should companies differentiate themselves in this crowded field? What dangerous security vulnerabilities still aren’t yet adequately protected against? And how should investors figure out which publicly-traded companies to put their money behind?
To help us answer those questions, we’ve brought in an expert. 7investing CEO Simon Erickson recently spoke with Simon Taylor, who is the founder and CEO of HYCU.
HYCU is developing strategies for organizations to protect their important data from cyberattacks, focusing primarily on multi-cloud and SaaS backup. They’re helping companies be prepared in advance for cyberattacks by ensuring their data is safe and recoverable in the case of a data breach or a ransomware attack.
Simon begins by describing how organizations are “averting the SaaS data apocalypse” (which is also the title of a book he published). Simon explains that cybersecurity strategy boils down to “Prevention, Detection, and Recovery.” There is a lot of time spent on those first two topics — “building higher walls and deeper moats.” But there’s been a significant underinvestment in recovery — i.e. ensuring that you’ll still be okay even in the event of a breach.
Simon and Simon then discussed the Securities and Exchange Commission’s new Cybersecurity Risk Management regulations. Beginning this month, publicly-traded companies will need to begin disclosing any breaches they have experienced and also their detailed risk management strategies as an item of their annual report.
Simon believes these new SEC requirements will be huge — both for helping investors identify the companies who are adequately protected and also to help their Boards of Directors to put the right tooling in place to properly respond to an incident.
Simon then discusses how cyberattacks have evolved. Specifically, he points out how the average company has 212 unique data silos and is more vulnerable to attacks than ever before.
In the final segment, Simon describes how Software as a Service is responsible for a much higher percentage of overall vulnerabilities. He also shares a few trends — highly related to AI — that investors should keep an eye on today.
Publicly-traded companies mentioned in this podcast include Asana, Atlassian, Cisco, Microsoft and Palo Alto Networks. 7investing’s advisors and/or its guests may have positions in the companies that are mentioned.
Simon Taylor 00:00
Hello, everyone and welcome to this edition of our 7investing podcast where it’s our mission to empower you to invest in your future. You can learn more about our long term investing approach and see all of our stock market recommendations at 7investing.com.
Simon Erickson 00:14
My name is Simon Erickson. Today we’re going to be talking about cybersecurity, an important topic out there when it gets in the headlines quite a bit, but also a lot of changes going on in the security industry. Very excited to welcome another Simon to the program. Simon Taylor is the founder and CEO of HYCU. This is a company that’s building the vision and strategy for the multi cloud and SaaS backup security industry. He joins me today from Boston. Simon, welcome to the 7investing podcast.
Simon Taylor 00:43
Thank you so much, Simon, it’s great to be here.
Simon Erickson 00:45
We’re gonna chat a little bit about HYCU. We’ll do it in three lines, five syllables, seven syllables and five syllables at the end, of course. But before we jump into that, maybe to frame the conversation today. In addition to being a CEO and a founder of a business, you also wrote a book that was called “Averting the SaaS Data Apocalypse”. That’s kind of provocative to me. But tell me what that means. And what’s going on out there in the cybersecurity world right now?
Simon Taylor 01:10
Yeah, you know, Simon, it is, it’s a provocative title, intentionally. Averting the SaaS Data Apocalypse, it sounds like the end of the world, right? But I think if you look at what’s really going on in cyber today, people talk a lot about the threats, they talk a lot about the bad actors. But what they don’t talk about is the insane levels of complexity in the modern IT stack. So if you go back, you know, 20-30 years, people had their data in four or five different places. Today, the average company has their data in no less than 212 different data silos. So if you picture sort of this, you know, multi-sided dice from four years ago, 20 years ago, it would have four or five, six sides, easy to manage. Now picture a dice that has 200 sides to it. Every one of those different sides represents a different threat vector that our customers and our marketplace need to protect and defend. And because of that, the ability for the cyber criminals to attack us has become easier than ever before. So you’ve got this massive increase in the cost of defended environment, and a massive decrease in the complexity of actually going after attacking someone. And that’s what leads to the SaaS Data apocalypse. Our lives are run by digital data, and all of these apps that are running our personal lives and our business. And if just one of them goes down, just one, it can lead to this sort of spiderweb effect, where we lose all of our data. And we’re in a world of trouble.
Simon Erickson 02:47
So I’m going to do want to talk a little bit about the industry bigger picture in a minute here. I want to ask a little bit about some changing SEC regulations. But just one more question, as we kind of frame this, as you’ve been in the tech industry for a couple of decades. How did you get into founding this company HYCU? And what is your mission to accomplish with it?
Simon Taylor 03:04
My gosh, well, look, our mission is simple. It’s to build a safer world by eliminating data silos. We want to make it easy for anybody, any organization worldwide to visualize where all of their data is, see it all under a single pane of glass. And automatically add easy data protection elements that will protect them on prem, in the public cloud, and SaaS. And it’s the SaaS, Simon, it’s so critical. There are 30,000 SaaS services in the US alone today. 30,000. Before HYCU, only five of them were protected by any member of the backup and recovery community. And so we really set out on this journey to make SaaS protection accessible to everybody. And I think that’s really been our major focus. Okay, so but going back to me in the journey, this maybe gets a little bit complex. But you know, I started my first company when I was 24 years old. I was sitting in Cambridge, Massachusetts, and I had this wild idea that I was going to go to Eastern Europe, find all of the engineers out there, build a database, almost like a dating app. And then broker agreements so that any company in America can easily gain access to outsource engineering, something only a 24 year old comes up with, and this was in the early 2000s. So I sold everything I had, which wasn’t much, I moved to Eastern Europe, I set up a little company, I built an algorithm, algorithmic matching engine that effectively acted as a platform to do that matching. And then I started traveling, you know, all over Eastern Europe. I think I built a database of about 20,000 software engineers. And then ultimately, I sold that company to a company called Contract Group. After that, I built a second company and sold it to Citrix. And I was actually in Las Vegas, believe it or not, and I was sitting around, uh, celebrating the success of this big exit. And I ran into an engineer I had met in Europe years before and we got to talking about the state of technology and the state of the world.
And what we realized is data protection was the last bastion of undisrupted technology. Effectively backup and recovery has been built the same way for 30 years. And we said, in a world in which people have their data, and hundreds of different data silos, we’ve got to build a new kind of platform in order to support that. We’ve got to make it easy for customers to see their data and protect it. And that’s what we did. You know, so we launched April 2018. And we’ve now got 4000 customers in 78 countries around the world.
Simon Erickson 05:35
And tell me a little bit about what SaaS backup and recovery software means? What piece of the larger picture does this fit into?
Simon Taylor 05:41
Yeah, so think of it like this. You know, we talked about cybersecurity, Simon, in the realm of PDR. “Prevention, detection and recovery.” And you know, I would say 90% of the world’s folks think about the P and the D. So they think about how to build the walls higher, how to dig the moats deeper. Because ultimately, we want to believe we’re in control that way. So we want to believe that if the bad actors attack us, we are immune. We’ve invested in all the right tools to keep them out. But the reality is, there’s so many more of them than there are of you. And so we always say is, “it’s not if…it’s when.” So as a result of that, we focus on the recovery, how you can evaluate where all your SaaS data is, and then actually recover it easily with a click of a button.
Simon Erickson 06:29
Absolutely. So Simon, our program is individual investors, most of the people who listen to 7investing podcasts are really interested in how the cybersecurity industry is changing. To stay on top of that, right now, you mentioned kind of having the right tools in place, being proactive to prevent and, you know, then possibly detect them and recover downstream as well. But we do know that recently, the SEC has got some new regulations out there right now. The cybersecurity risk management regulations not only are asking companies to disclose breaches that do happen out there, but also to talk a little bit about the risk management in their protocols and the strategies that they have, that are out there to be disclosed within the annual reports. How is this impacting your business or the industry as a whole, just something that just happened?
Simon Taylor 07:12
It’s huge. It’s huge. So let’s go back in time a little bit. You know, I remember two years ago, I was on stage at the Boston College, FBI annual Cyber Conference, and I’m standing up there and the keynote speaker was not me, it was FBI director, Chris Wray. And he gets up and he tells this heart-wrenching story, Simon, about the Boston Children’s Hospital, and about how it was shut down by the Iranian government as a result of a cyber breach that could ultimately have affected children’s operating procedures in the medical room. And, you know, I think when you think about the absolute incongruity around what cyber actually does, when a cyber attack takes place, versus what we think about, right, because when we think about ransomware attacks, we think about one word, money, that’s what everybody thinks about. But the reality is the damage these cyber attacks can do can affect almost every aspect of our lives. And so I think, you know, what started to happen is shareholders invested in all of these different companies, publicly traded companies, started saying, “Well, wait, wait a second, there’s a lot of risk here. And I don’t really have a way of evaluating that risk, I don’t really know whether or not this company I’m investing in as a shareholder is likely to be attacked. I also don’t really know what they’re doing to mitigate those attacks. And I certainly don’t know what the likelihood is that they’ll be able to recover their data if there is an issue.” So the SEC sort of took it upon themselves to move from a position of reactivity to proactivity. And what they’ve said is, first and foremost, you are now legally obliged to disclose a cyber incident that is material to your business. I think this is really, really of high value, it’s going to be frustrating for companies, it’s going to cause a lot of bruised concerns and egos, I’m sure.
But at the end of the day, we always say in HYCU that the cyber problem, ransomware attacks, are like the mental health crisis of the 80s. You know, if you think back then, you know, people didn’t say when they were depressed, they didn’t want to say out loud when there was a mental health issue, they hid it inside and they couldn’t get the help they need. It’s exactly the same thing with cyber ransomware attacks, because people do not disclose the challenges they’re facing. They can’t get the support they need to do better and defend themselves against these attackers. So I’m actually very, very impressed with the SEC’s take on this and the fact that they’re now pushing for those disclosures. The second piece, you know, that we’re seeing in the new 2023 regs, is a move towards risk mitigation. So I think what that ultimately means is that there’s going to be a lot more emphasis from the board and on senior management to put the tooling in place to make sure they can prevent, detect and recover data in the event of an incident. And again, I think that’s a wonderful thing, not just for the industry that I happen to be in, but for the world at large, because it protects all companies and all of the valuable work that they do across the world.
Simon Erickson 10:22
Yeah, and Simon, okay, so you’ve been around for quite a while, you’ve seen technology shifting, you’ve seen, you know, data is being stored in the cloud now. And everything that we talked about, all those SaaS vendors that are out there. We’re also in a pretty unstable geopolitical world right now, too. A lot of attacks might not be coming from people on their grandma’s computer in the basement anymore, it might be more state funded. What do we know about the attackers and the nature of the attacks and the intentions? Is it monetary gain? Is it hacking or on behalf of a nation state? What is the nature of the attacks that are happening out there in the largest amount, here?
Simon Taylor 10:57
Here is probably the most terrifying element of what we’re seeing today. It’s easy to look at the news and see what’s going on across the world and be very afraid of nation state attackers, and for sure, they have the most resources, and are going to be able to compromise almost anybody that they want. But the real scary sort of frightening thing that we’re experiencing across the world today is that it only costs $100 on the dark web to buy what’s called ransomware as a service. So think of it like this, yes, it’s very scary that big countries can attack you, but they’re probably not going to attack you. Right? Unless you have a national security, you know, related issue, or there’s some strategic threat. Who is most likely to get attacked by are the random kid in college who decides to do the wrong thing. And the fact that all of these ransomware services are so available, so accessible, and so cheap to execute. So think of it like this. Think of it like a scale. If it cost the company $10 million in cost to defend against a cyber attack, and it’s only $100 to execute one, who has the advantage? And I think that, to me, is the real threat. That’s the real risk. And that’s why we’ve got to get this issue of sprawling data silos under control. We’ve got to find a better way. And we’ve got to stop pretending that our SaaS services are all protected. Because I’ll tell you, Simon, one of the biggest misconceptions that we hear out there today is this idea that “Well, it’s SaaS. Somebody else is taking care of my data.” They’re not. The shared responsibility model that every SaaS service and every hyperscaler uses all states the same thing in your contracts. It says we’re providing the service, the data is yours to protect. And that should give everybody pause, you don’t know where your data is, you don’t know how to protect it. And you have no way to recover your data when there’s no. And that’s really what HYCU is here to help.
Simon Erickson 12:59
Those are great points. Like you mentioned earlier, the average company has 212 data silos and there’s now 30,000 SaaS services, software as a service companies and providers. That’s a lot. That’s a lot of complexity. Like you mentioned earlier, a lot, a lot of vulnerable ways to be hacked. Let’s talk about kind of the solutions that are available out there. Obviously, this is a very, very complex industry as well, because it’s hard to do everything. But we have seen that there’s a lot of consolidation of vendors in this space. Cisco put out a report just recently, and that says that out of the companies that do have cybersecurity protection, 13% of them have more than 20 vendors right now. That might sound pretty large, but actually 21% of them had more than 20 vendors just five years ago. There’s some consolidation in this space. Of course, it’s a bias perhaps. The report is from Cisco, one of the large tech companies that does consolidate. But also you’ve got the Microsofts, you’ve got the Palo Altos, you’ve got others that are kind of offering perhaps a broader, wider net of coverage. As opposed to a company like yours, which is much more independent, not tied to a larger organization, and has found a niche that you guys are able to protect companies. Can you tell me a little bit about kind of the questions that customers are asking in the sales process? Or how do you differentiate from these giant companies like Microsoft out there, knowing that certainly companies would not want to work with 20 or more vendors, I would think? But how are they thinking about, you know, who is essential and differentiated from a lot of other companies that might be offering similar services?
Simon Taylor 14:31
You know, there’s a lot in there. I’ll start with your last question. I’ll go back to some of the other points that you made. It’s really interesting, you know, when we started on the HYCU journey, as it were, you know, we used to think about the iPhone, just because it’s an easy paradigm to kind of conceptualize what SaaS is. So think about, you know, a company’s tech stack today. Like your phone, and on that phone is maybe 100, 200 different applications. Okay. So I want you to imagine that every one of those applications had a separate backup and recovery product that you had to buy attached to it. Okay, that would be insane. It would be so complicated, so expensive. Nobody would do it, frankly. So what did Apple do? They built that beautiful little green button, you’ve got the cloud data backup. You just, you know, slide right, and all of your data is protected. So in a company, unfortunately, there’s no little green button. There’s never been a way to protect all of your data across on prem, public cloud and SaaS. And the challenge that the SaaS vendors have is very simple. Let’s say that I’m, we can use Microsoft as an example, but let’s take a look at Asana, for example. A project management company, they are focused on building their application. They don’t want to spend 25% of their time, money and resources building backup recovery software. So what do they do? It goes on the backburner. What we realized at HYCU is that unless we did something, the SaaS Data Protection problem was never going to go away. It was too big and too meaty for any one backup vendor to build data protection integrations for 30,000 pieces of software. And you know, the individual SaaS services themselves were never going to build it. So we took a very unique approach. What we did, Simon, is we said, you know, what if we could open up our platform, and let all those SaaS vendors write on top of us.
So instead of essentially us having to build 30,000 different SaaS integrations, now the SaaS vendors can actually build on top of HYCU. We launched that in April of this year. And we’ve now got 10 times the SaaS coverage of anyone else in the marketplace. Now we’re a small company, relatively speaking, compared to Microsoft. But we’re well funded. You know, we’re backed by Bain Capital, Cisco, Okta, Atlassian, Acrew. And I think what we’ve found is that with the explosion of SaaS, and the explosion of cloud workloads, there really isn’t anybody else out there that’s suited to providing this kind of protection. And you might say, why don’t Microsoft, you know, why don’t they do this? Why don’t AWS? The reality is, their goal is to keep the data in their own cloud. So going out and building data protection solutions for everybody else just is never going to be top of mind for any of these major companies. And so it’s going to take an independent company like HYCU to really re-innovate or re-energize the whole data protection space.
Simon Erickson 17:29
Yeah. And then maybe just a couple more questions here for you about innovation. Since you are such an innovator, such a great entrepreneur, who sees the need for this developing industry. If we go back just a couple of years, really to the kind of the old castle and moat framework for protecting. Once the bad guys are in, they could go anywhere that they wanted to within an organization, right? If they got through the firewall, they were in the network, everything’s fair game now. And then kind of we had the zero trust movement in the industry. That improved the level of protection, if we can call it that. And now it seems like everyone’s been talking about Zero Trust for a couple of years. Pushed by the enterprise, pushed by a better way of doing it. And as an innovator, I mean, where do you see cybersecurity going in three or five years? Is there something else that’s still unmet? That is a real big problem out there that hasn’t been solved? Or perhaps the industry is kind of pushing towards, like zero trust was a couple of years ago? Where do you see things going in the security industry? Maybe a couple years out from here.
Simon Taylor 18:25
So two things I’d say on that. The first is, let’s pretend that you have a house on a lake. And you know, every one of your neighbors when you buy the house comes to you and says “Listen, Simon, don’t worry about flood insurance. It’s never happened, never happened in 50 years, none of us have flood insurance, don’t worry about it.” The very first thing I would do is go out and buy flood insurance. Because Murphy’s Law, the day that I buy that darn house is absolutely the day it’s gonna flood. And so I think the number one thing we need to show people, I think this SEC framework is doing that, to some extent, and in this framework as well, is help people to get educated around being able to recover their data. They need to be able to assess their entire environment, understand where all their data is, whether it’s on prem, in the cloud, or in any of the SaaS services. And they need to ask themselves a simple question. If the bad guys get in the door, and my data is compromised, can I recover to another point in time? That’s your insurance. And if that answer is no, you’ve got to make a change. You’ve got to go deep, and you’ve got to fix it. Now, but you asked a great question. So I’ll answer the second part as well, which is where’s the industry going? Look, I would be foolish if I didn’t bring up artificial intelligence. You know, AI is going to change the world in so many different ways. It’s going to create a lot more risk. Now, I think we’re going to see social engineering and phishing attacks that are off the charts, and the social engineering that I’m really concerned when one of my employees gets a call that sounds like my voice. And it’s actually AI. And it’s telling them to give them all the passwords, right? It’s things like this, very simple. It does not take a genius to understand that problem. And the simple answer is don’t give out the password. But the problem is human error can so be influenced by the advent of these new AI advancements.
And so again, the only thing we can do, the only surefire way to make sure that we are protecting not only our own company, but I would, I would say civilization as a whole, is to make sure you’ve got a plan in place, and you’re able to recover that data at a moment’s notice.
Simon Erickson 20:42
Yeah, this certainly does seem like a more preventative way. It’s a very highly complex chess match, right? A wake up call, and you’ve got the SEC kind of saying, hey, you’ve got to get your house in order here for this. Anything else? An open ended last question. You know, our audience, individual investors, you know, we’re very interested in this space right now. This certainly seems to be a good time to be investing in cybersecurity. Anything else we should know that you’ve seen in this space?
Simon Taylor 21:07
Yeah, I think the last thing I would say is that when we started on this journey, you know, we did an assessment, and we said, you know, what is the percentage of ransomware attacks that occur through SaaS? And at the time, I think it was 20%. Today, that number is 52%. And a majority of them, Simon, are successful. That’s what scares me. And the reason they’re successful is because when someone gets control of your SaaS environment, the first thing you say is, well, how do I get my data back? And when the answer is “I can’t” then you pay the ransom. And people know that, and so they’re going to target SaaS more and more and more. And I would really encourage, whether it’s investors, board members, senior executives, we’ve all got to be vigilant. And we’ve got to be proactive in taking a stance against this explosion of data silos, and the corresponding threat that goes along with it.
Simon Erickson 22:04
Well, once again, Simon Taylor is the founder and CEO of HYCU. You can check out their website www.hcu.com. It’s HYCU if you want to learn more about the fantastic work that they’re doing. Simon thanks very much for being a part of the 7investing podcast this afternoon.
Simon Taylor 22:20
My pleasure, Simon, great to be here.
Simon Erickson 22:22
Thanks, everybody for tuning into this edition of our 7investing podcast. We are here to empower you to invest in your future. We are 7investing!