Ron Gula's Cybersecurity Mission: 'Data Care,' Inclusivity
Investor and Philanthropist Welcomes US National Cybersecurity Strategy as Catalyst
Cybersecurity industry veteran Ron Gula, as CEO and co-founder of Tenable Network Security from 2002 through 2016, shepherded the company's rapid growth and product vision. Now with his Gula Tech Adventures, he works as an investor and philanthropist, as well as a government policy influencer.
Practicing what he preaches, the Gula Tech Foundation that he runs with his wife, Cyndi, awards grants to nonprofits multiple times a year, including $1 million last week to six organizations focused on increasing neurodivergent opportunities in cybersecurity. As an industry, "we still have a lot of work to do - so we're very excited about being able to help and give back," Gula said. "One of the things we want to do, besides just creating great technology and great people, is change the conversation."
In particular, he's advocating for cybersecurity to be rebranded as "data care" - not to steal anyone's security budget, but to increase understanding and inclusivity. Calling it data care, he said, "gives you personal responsibility at the board level and also makes it something a little bit more inspirational to those outside of cybersecurity - especially minorities who might not be drawn to … the military terminology we have in cybersecurity."
In this video interview with Information Security Media Group at RSA Conference 2023, Gula discusses:
- Welcome changes in the cyber policy debate following the release of the Biden administration's national cybersecurity strategy;
- His work as investor, philanthropist and influencer of government policy;
- With the market currently "at a crossroads," his venture capital priorities related to funding, products and strategies.
Gula is an investor and philanthropist in over 100 cyber companies and organizations, including Huntress Labs, Girl Security, Scythe, Cybrary and Trinity Cyber. He was the co-founder and CEO of Tenable Network Security.
Mathew Schwartz: Hi, I'm Mathew Schwartz with Information Security Media Group. And it's my pleasure to welcome Ron Gula, president and co-founder of Gula Tech Adventures to the ISMG studio. Ron, great to have you here today.
Ron Gula: Thanks for having me here today.
Schwartz: It's exciting times. We're here at RSA. You've been described as an investor, a philanthropist and someone who appreciates a bit of policy work. What does RSA have in store for you?
Gula: We come to RSA for a wide variety of reasons. A lot of those policymakers are here, we get to interact with them. We're doing our million-dollar grant this afternoon. It's a competitive grant for neurodiversity this year. And we have about 10 companies on the portfolio on the vendor floor now that we've got to go see and participate in events with.
Schwartz: Tell me a little more. So you have a number of companies, all cyber, I am guessing. You tell me a little bit more about what you're doing?
Gula: So when my wife, Cyndi, and I came out of Tenable Network Security, we started Gula Tech Adventures with the intent of investing in founders. We're stage-agnostic, but we also invested in some funds. So now we have about 30 companies that do a wide variety of cybersecurity work. Some pushing the grounds of innovation, and others just bringing cyber hygiene to markets that haven't had it yet.
Schwartz: What excites you from a capability standpoint? You're investing. You've been in industry for a long time as well. What is getting you excited about where we're going and where we could go?
Gula: So I still think we have a long way to go with cybersecurity. And one of the things we've realized is that when you invest in a cybersecurity company, you can give them guidance, some road map advice, even some capital to invest, get them to that next level. And we realized that we can do the same thing with nonprofits. A lot of our nonprofits, we treat like companies. We have them compete against specific cybersecurity social topics, such as this year, we're doing neurodiversity, autism, ADHD. And what we've seen is when all of those are awarded, they go to the next level. And next level for a company could be getting acquired or getting further investment. Next level for a nonprofit could be getting investment from DHS, grants from the University or grants from a local state. We're excited to be part of all of that.
Schwartz: So you've got grants, which as you say, that can be equivalent to investing in companies. What's interesting to me about this approach is you finding people who are doing things that you like, and giving them the opportunity, I guess, to do more of it, and to do better in a more sustainable fashion.
Gula: So, after running Tenable for a good 15 to 16 years, I thought I saw everything. Now with all these different companies we're in, all the different funds we're involved in, all these different nonprofits, the access we have to all the different policymakers, we still have a lot of work to do. So we're very excited about being able to help and give back. But one of the things we want to do besides just creating great technology and great people, is change the conversation. We'd like to broaden the word cybersecurity to something called data care. This not only gives personal responsibility at the board level, and also makes it something a little bit more inspirational to those outside of cybersecurity, especially minorities, who might not be drawn to the fire, like drawn to the military terminology we have in cybersecurity. And we just kind of think we need more people. And that, of course, is called data care.
Schwartz: I live in Britain, and it's been interesting to attend events aimed at promoting what's still typically referred to as cybersecurity, and to hear from younger people just entering the field, how they were drawn in by other people's stories, or by the use of more inclusive language, people explaining what it means and people going, oh wow, that is exciting. But the terminology, I guess, prior to potential rebranding hasn't been lighting any fires.
Gula: Well, we don't want to take anybody's cybersecurity budget away. That's one of the objections that's out there. But we've got a lot of experience speaking to the younger generation to try to go into this career field, as well as boards. And I got to tell you, when you talk to a board and they're trying to decide, have we taken enough risk, to run our company and keep us safe from the Russians, keep the oil flowing, and that kind of things. It's refreshing to say, look, it's all about the data. And every time, everybody in cybersecurity, they all remember confidentiality, integrity and availability. They're not talking about systems, they're not talking about your phones, they are talking about the data that's in there. So it just gets to the back to what's important for our industry.
Schwartz: So speaking of important, you're doing a lot of work with neurodiversity. So tell me more about what you are doing at the RSA Conference in particular.
Gula: So this is our fifth grant. I'm a couple of years ahead of schedule. I thought we would run a couple of competitive grants and then approach RSA. We got introduced to RSA by Aaron Turner. He's got a long history with that. Britta Glade is on our advisory board for making the grant. She's involved with RSA. And we've been doing the grants at RSA. During COVID, it was virtual. Last year, it was kind of blended. This is the first year that we're fully back. So at 12 o'clock today, we are doing a grant. And the grant is going to award a million dollars to a total of five recipients, first place, second place, third. We have a tie for third place and some runners-up, and it's all different types of cybersecurity nonprofits that do different things with autism, ADHD and other types of learning. Some of them are pure cyber, like let's do workforce development and get people into different jobs. Some are doing things like taking people with autism and trying to get them involved with national security think tanks and organizations. We don't go for volume, we don't go for just quality. We look for a variety of cybersecurity nonprofits, and we're just happy to be able to help these people out and get them to the next level.
Schwartz: And so this is your way as someone with deep experience and expertise in the industry, as you said, you look at the challenge, perhaps, sometimes integrating or interfacing with policy. So I guess this is more of a bottom-up attempt to shape things the way they need to get going.
Gula: So the way I look at it is we have a responsibility. And cybersecurity was good to us. We were taking the results of our efforts of working at Tenable and trying to get back. And it's more than just money. It's trying to talk to the policymakers, trying to help people who are trying to change things. Specifically with neurodiversity, I've had so many people in our industry pull me outside, say, hey look, my son, my niece, my nephew has say autism, ADHD, etc. And they want to go into IT, they want to go into cybersecurity. And, just like any type of social issue, there's a lot of unspoken, hey, can you say that word? Can you not say that word? Can I ask for help? How do we have that conversation? That's the one thing I've learned because this is the fifth one we've done, we've done increasing African-American engagement with cybersecurity, we've done increasing board work, we've tried to get just more general awareness of data care in cybersecurity. Every time we've done one of those grants, we've come away learning a lot more, and we're happy to help but then we can share that knowledge with those policymakers about what we're learning.
Schwartz: So another message, if I may, never underestimate the impact of giving people language to speak about things. Cybersecurity, as we know, the language that's often the very first hurdle for people when they get into it is how to talk about all the various aspects of it. Even, some of them can be quite interesting and engaging to people from outside cybersecurity, but they might not know how to crack that nut.
Gula: And, it's words mean things. And if you're uncomfortable talking about these topics, because of what you see in the news or you're afraid to offend somebody, it's hard to kind of take that first step. And then those on the outside of cybersecurity, they might interpret that as being cold or not welcoming, which is again, one of those words we want to call it data care. But it's also one of the reasons we're doing these grants and making them competitive and making it more about just winning, a little bit more funding for your nonprofit, is to give them more exposure to people here at the RSA Conference and to people in cyber in general.
Schwartz: Where to from here, if it's not too early to ask that. You have outlined a number of excellent initiatives, this is all tied to your foundation, I believe. Where do you see other areas in which we need help and you perhaps attempting to talk about the improving those areas?
Gula: Specifically for Gula Tech Adventures, the adventure is the venture capital arm of it. The foundation is the nonprofit arm of it, we're operating. It was just me and my wife when we started. We've got some great people working with us now. We're good partners with a number of other investors. We had Alberto Yépez from Forgepoint. So we're looking to double down and do more. Right now I'm filming this interview in 2023. The market is at a crossroads. There are a lot of economic pressures on startups who are traditionally funded by venture capital. So we're watching that close. What is the role of funding? What's the role of a good product? So we're trying to make sure that the companies we're working with have great exits, and a great strategy to help defend the country for the next couple of years. It's the same thing in the nonprofit side. How do you grow a nonprofit? How do you get funding? What's your relationship with the government? Can we go international? Those are all things that we're looking at.
Schwartz: So keeping a close eye on that, as you say, there have been some hiccups in the market lately. And we do need to make sure that startups are having the access while having access to the capital they require and the guidance as well.
Gula: Absolutely. You have to worry about if you have a cyber widget, if there are 20 companies that are doing the same kind of cyber widget, what's your strategy? Should you differentiate? Should you be more competitive with that? That's classic venture capital 101. So we're tracking things like that. But we're also tracking the new AI and quantum encryption. We're tracking all the different types of what you can do with the cloud, and how this impacts even things like privacy and availability of what you and I do on a daily basis.
Schwartz: Any other issues you're keeping close track of? AI and ML - there's lots of discussion about that at RSA. I think you've got to have that in your marketing tagline, no matter what. Any other areas?
Gula: So, we originally as a nation just released the National Cybersecurity Strategy. So everything in that is all good, moving in the right direction. So the question now is, how is it going to be implemented? The government wants the vendor, especially the large vendors, to do more. What does that mean?
Schwartz: They were clear about that in the strategy.
Gula: Yeah. What does that mean to you? What does that mean to somebody who's running a Windows operating system? What does that mean to a cloud operator? What does it mean for the privacy? I've seen this before. When I was at NSA, the government wanted to push the Clipper chip, which would have given us good security, if you trusted the government. So now there's similar language. And if you look back at when Microsoft was probably going against the DOJ as being a monopoly, the government is basically asking Microsoft to be more of a monopoly. And so it's kind of interesting to look at this from the last 20 to 25 years and see where we're doing. I'm just glad we're having the debate. I believe cyber policy as a combination of privacy, availability, integrity, and all that. But the question from whose point of view? What's the government's role? If it's going to protect you and give you safe harbor, to let them see your source code, or who your customers are, has to be an interesting time. I'm just glad we're having the debate kind of out in the open now.
Schwartz: As you say, words matter. It's hugely significant. I think the government's come out and said, these things are important. We don't always necessarily know how to get there. But here is where we would like to get to. I think it's been a notable step forward.
Gula: One other thing, I'm happy about the current state. Well, we don't want to see violence, we don't want to see having to do intelligence and what not. But I'm very excited that our intelligence community, and Cyber Command is getting some credit for doing some work to keep our country safe. And that involves offensive cyber actions. And that's something that we were not talking about much over the last 20 years except in the occasional, sensational book or things like that. But now it's almost a daily thing in our news feed.
Schwartz: Yes. You had the Hollywood version and now we have the real version, always a little more nuanced than the movies. Well, Ron, it's been a pleasure to speak with you. Thanks for being in our studios today.
Gula: Thanks for the opportunity. I hope you have a great RSA.
Schwartz: You too. Thank you. I'm Mathew Schwartz with ISMG. Thanks for joining us.