30 8 月, 2022

EP 10 – Skating to Where the Cyber Puck’s Going, Not Where it’s Been w/ Clarence Hinton, CyberArk Chief Strategy Officer, Head of Corporate Development

Sports, at their highest levels, are shaped by lifetimes dedicated to practicing, strategizing and anticipating. The same goes for cybersecurity. Although, in our world, it’s not a game and there are no set parameters. On today’s episode, host David Puner speaks with Clarence Hinton, CyberArk Chief Strategy Officer, Head of Corporate Development about looking into the future and preparing for the unknown. Like hockey, it’s about skating to where the puck’s going – not where it’s been. 

[00:00:00.160] – David Puner
You’re listening to the Trust Issues podcast. I’m David Puner, a senior editorial manager at CyberArk, the global leader in identity security.

[00:00:24.050] – David Puner
Think of an iconic sports moment, something that becomes the stuff of highlight reels for decades after it occurs. These heroic, indelible plays typically unfold in a blink. On the other side of the equation, there’s failure. The results of these moments can linger in perpetuity, and while they’re unusual, they’re not necessarily the freak occurrences they may seem in their live moments.

[00:00:50.270] – David Puner
To prepare for the unknown, there are years lifetimes really of practicing, strategizing, and anticipating the reps, the whiteboard and video sessions, it goes on and on. Over time, muscle memory develops and evolves and the level of play becomes more sophisticated as whatever the sport is reveals layers of nuance that can only be obtained from being deeply incontinence for a long time to a lifetime.

[00:01:19.060] – David Puner
There’s all sorts of layers of support to assist in achieving singular moments of greatness managers, general managers, analytics people, specialty coaches, trainers, hot dog vendors. They’re all integral members of the team. Maybe not the hot dog vendors. Of course, innovation can always help provide a winning edge. The same goes for all sorts of other industries and activities, cybersecurity being just one of them, although of course it’s not a game and there are no set parameters.

[00:01:52.790] – David Puner
On today’s episode, I talk with Clarence Hinton, who’s CyberArk’s Chief Strategy Officer, Head of Corporate Development. As his bio tells it, he’s responsible for formulating, assessing and executing strategic growth initiatives. What that means is he’s charged with looking into the future and preparing for the unknown, skating to where the puck is going to be, not where it’s been. That’s a hockey reference, obviously. It gets a mention during our talk.

[00:02:21.490] – David Puner
In preparation for his current role, which he couldn’t possibly have fathomed at the time. As a kid, Clarence discussed global events at the family dinner table. We talk about that experience and how it influences his approach to the world today. There are a lot of layers to it. Hope you enjoy it.

[00:02:49.770] – David Puner
You are CyberArk’s Chief Strategy Officer and Head of Corporate Development I guess that’s somewhat obvious what it means, but love to hear from you what it means and what the role encompasses and what a typical day looks like for you.

[00:03:07.070] – Clarence Hinton
Of course. If you start with corporate strategy and that’s really working with colleagues on the senior leadership team to set the strategic direction based on what we’re seeing in the market, based on technological trends, security and cyber trends and also competitive actions and potential actions, but most importantly, customer requirements against all of that. At the end of the day, that’s what it’s all about.

[00:03:35.350] – Clarence Hinton
But once you do that, it’s okay. Now you have to make the difficult decisions on what are we doing? What are we not doing? Which markets are we in? Which markets are we not in? Which investment opportunities are in or out? It’s really determining how we deploy our scarce resources as a company at a high level. That’s the strategy side of it.

[00:03:56.780] – Clarence Hinton
You move to class of Corp Dev. That’s M&A and this just end-to-end identifying, assessing, evaluating, doing the due diligence, negotiation, et cetera, all the way through the integration of acquisitions. We’ve done a couple here recently.

[00:04:12.210] – Clarence Hinton
The next element, strategic alliances. Just think about broad-based business development, not the resell and channel side of it, but really thinking about other technology partners. Some on the tech infrastructure side, others on the security side really help us, expand our reach, but provide leverage to sales force.

[00:04:33.100] – Clarence Hinton
Finally and most recently, we have cyber ventures, and that’s where we’re basically placing small thoughtful bets and emerging companies that are addressing future dynamics in the broader cybersecurity industry.

[00:04:47.890] – David Puner
You were talking about your role and all that it encompasses. How does a cybersecurity space differ in your focus and what you’ve seen and how the processes go and all that stuff compared to other industries you’ve been in?

[00:05:02.930] – Clarence Hinton
Sure. If I go back to broad-based it whether that be on the hardware side, at Dell, the software side at BMC, a lot of that is about enablement from the infrastructure side and then the monitoring on top of it. It’s very important when you think about getting up and running and efficiency and so forth. Think about it more of the skeletal system of your broad-based IT now.

[00:05:35.600] – Clarence Hinton
With the security side of it, it’s different and that is protecting against things that could go wrong. That’s really evolved, particularly over the last half a decade or so it’s gone from well, I really hope, nothing goes wrong. Let me get some insurance out here and hopefully won’t go too bad to it’s becoming increasingly existential.

[00:06:01.730] – Clarence Hinton
What I mean by that before is just a nuisance. Somebody breaks in they shut down some systems. It was more cyber vandals if you go back far enough, cybercrime has a clear business model, even have organized crime and things like ransomware can be used to execute any number of nefarious strategies. It’s really gone to this point of being this existential threat to businesses everywhere and in security, being the gate against that.

[00:06:31.780] – David Puner
When you’re going about your day-to-day and you’re thinking about the gravity of organized crime, working against organized crime, how does that make you feel and how does it affect how you go about your day-to-day?

[00:06:46.530] – Clarence Hinton
Sure. You start with the fundamental, stuff that you have to do in terms of understanding just the market dynamics, market growth, competitive dynamics and moves, all of that is the same across industries. But we have this special dynamic of also having to understand what the bad guys are doing or what they may do and how they may do it.

[00:07:11.150] – Clarence Hinton
It has an entirely new vector in terms of how we have to contemplate our future moves and the impact that those moves will have on our customers. Now, for me personally and selflessly it’s exhilarating. It just makes the problem that much more complex. But it is quite daunting for all organizations in this space.

[00:07:34.880] – David Puner
Let’s take a step back for a second. This is a James Lipton portion of the program where we get a little bit into here into your childhood influence and how that affects your current perspective on cybersecurity and maybe, take us through the whirlwind of childhood, through career path to where you are now.

[00:07:55.630] – Clarence Hinton
Sure. You may recall that for impact event. I spoke a bit about growing up as an Army Brad and on at a certain level, fine, there’s travel involved. It wasn’t crazy like some other families, but it was enough to where you gain a certain amount of perspective, just in being pulled in out of situations and dropped into new ones at different times. You see things differently. You adapt to situations differently. That’s just part of who you are.

[00:08:27.040] – Clarence Hinton
But the thing that’s much more relevant to what we’re doing now is, we lived in the household. It was all about national security. That was those front and center. Those are the conversations and those natural. You talk about you see things in the news. We’ve been talking about certain countries that are back in the news that had different names then for a long time.

[00:08:50.950] – Clarence Hinton
You fast forward to where we are now and where I am now. It feels very similar. We’re talking about security. But this is the difference here is this global security? The bad guys are woven in and out of global society it’s not just based on a map, but it’s the same talk track of good versus evil if you will. But now it’s something that, you’ll hear this word a number of times it’s existential for a number of different entities on a global basis. It’s feels like almost a natural progression when I sit up here and say it aloud from where I was all those years ago to where I’m now.

[00:09:36.010] – David Puner
I know you can’t necessarily reveal the details of some of those conversations you had at the dinner table as a kid. But if you were to generalize what those national security conversations were about and where was that dinner table? What was a little more of the context there?

[00:09:56.330] – Clarence Hinton
Again is things like everybody sees the news. Especially in broadcast news. There are fewer channels than it’s just the interpretation of what was said. This is a lot of times just me and my father and my mother just something comes up and they may show a leader in a foreign country, they may say something.

[00:10:18.180] – Clarence Hinton
Then my father may say, well, they’re really talking about this. That means that and it’s like, wow. All of a sudden you go to risk, you go to risk and you start playing this game of chess where even though it’s somewhat low odds in certain cases, it’s like, well, if they continue like that or if we respond in this way, and that’s how your mind thinks you foreshadow things like if they move certain equipment this way or if they elevate threat levels, if they move troops, that’s how you just start to interpret the news differently and it kicks off different thought processes.

[00:10:56.570] – David Puner
Well fast forward through the childhood a little bit. You become an undergrad and you studied mechanical engineering. How does that background figure into your career and what you do now?

[00:11:07.970] – Clarence Hinton
With engineering. The thing I really enjoyed about that undergrad was the problem-solving. First it is this you have all these models and formulas that either approximate or explain how things work that we see. That’s one reason are really liked and preferred mechanical to electrical even, because a lot of that is not for me at least, it wasn’t as straightforward in terms of what was going with being able to see it, cars crashing things flying is like, oh, now we have the formula forward that even for me, I sprinkled in some econ and their models that explain how financial markets work. All that was very fascinating.

[00:11:50.480] – Clarence Hinton
But the real part of it that I use even today is just the whole problem-solving mindset. The formulas and equations may change, the structures may change. I don’t use kinematics and dynamics and thermodynamics and all this. I don’t use any of that. I have in quite some time. But the problem solving methodology I probably use that every day since I graduated. That’s really stuck with me.

[00:12:15.990] – David Puner
When you think of the cybersecurity skills gap, people coming potentially from different backgrounds and different educations, what do you think is like is most important to starting a career in cybersecurity, wherever it may be?

[00:12:30.940] – Clarence Hinton
That’s an excellent question, because it’s so everything is moving so quickly here. Obviously, it’s helpful, always helpful to have baseline understanding of programming computer science, et cetera. When I say baseline, it doesn’t mean major or masters or PhD or anything. But having a baseline understanding because all of this is executed through computers and through code. It’s all software-based.

[00:13:01.620] – Clarence Hinton
I think that’s fundamental. It’s also helpful to have an understanding of a layer above that, just the IT systems, how things are connected, how hardware is connected to networks and how applications run on top of hardware and how applications speak to each other. That’s less about programming, just more of a systems type of understanding. Again, not necessarily major.

[00:13:27.690] – Clarence Hinton
But that’s important because this is also how these threats are these attacks are executed. They use the propagate the entire network. You land on an endpoint, you may go through an application, go through an operating system and you move left to right and elevate your privileges and so on, but they manage this entire landscape. I think that is also helpful.

[00:13:51.640] – Clarence Hinton
As an added bonus, any time spent informally just playing around with stuff, trying to get places that you weren’t necessarily supposed to get as a kid, young adult, et cetera, is part of the mindset. I mean the most important thing here is to be able to think like an attacker, to be able to defend.

[00:14:13.190] – Clarence Hinton
Those are just some things I throw out there as more of the ideal, the more of those you have, the better. But there’s such a massive skills gap that right now we just need thoughtful technical savvy bodies out there getting trained up to fight this massive global scale war.

[00:14:35.410] – David Puner
Speaking of thinking like an attacker, let’s talk about today’s risk landscape. It’s been a tumultuous few years. Can you describe the macro trends that have shaped and continue to shape today’s risk landscape and what they mean for organizations.

[00:14:51.560] – Clarence Hinton
At a high level, you can think about, digital transformation, cloud migration shift left us, those are the go-to digital transformation just broadly speaking, all companies were undergoing some form of transformation, going from more of an analog face-to-face business to remote and digital software-based internet-based. The pandemic accelerated all of that.

[00:15:19.180] – Clarence Hinton
If you think about financial services, that was already happening. There are more app-based banking, remote banking, but then certain branches just close down. You start to step up the types of services going to more complex loan originations that were being done almost entirely remotely. That’s just an acceleration within a vertical that was already going that way. But if you’re in the food and beverage business, especially on the retail side, you never expected to have to be a digital business, to survive.

[00:15:50.950] – Clarence Hinton
But then when everything becomes curbside for a bit, it’s like curbside or you shut down all of a sudden you have these traditional businesses having to expose their entire menu online if it wasn’t already, and then having to be able to transact more efficiently and effectively through the internet. So you have these larger-scale digital trends automation is being accelerated in places where you wouldn’t expect.

[00:16:17.530] – Clarence Hinton
That’s a big one. Parallel to that is just cloud migration. Again, and you’re looking to spool up. Add more servers and things like that. You hit the pandemic. You really can’t you don’t have the people that you need to go in and physically deploy more servers. Then you’re relying more on public clouds. So that happened, that accelerated.

[00:16:39.280] – Clarence Hinton
As you do all this, as you become more of a software business, and your workloads are everywhere is like where you’re putting more and more trust and power in the hands of developers and that it already happens some. But then they’re now in the front lines of value creation for your business. It’s those three new trends really accelerate by the pandemic and all of that’s great. But you’ve just massively increased your tax surface. Massively.

[00:17:10.160] – Clarence Hinton
You have all of your business now is in electrons and can be accessed remotely by someone with bad intentions. A lot of your infrastructure now isn’t protected behind your corporate firewalls. People who are accessing it, aren’t protected behind your corporate firewalls and so the attack surface just really ballooned.

[00:17:35.240] – Clarence Hinton
Companies really didn’t have much choice they had to. Again, for many, it was a matter of existing or not existential, and so security was secondary. You find you survive, companies survive, many thrived. I used sit back and say, wow, I have a big problem now that I have to deal with in terms of security. That’s the table that has been set for us now when you look at the last few years.

[00:18:01.450] – David Puner
With that increased attack surface, you’ve got obviously increased vulnerability. With the increased acceleration. You’ve got increased volatility, which remains a top business challenge, of course, but organizations, they aren’t standing still. The problem is many are moving full steam ahead without proper security protections. How does this notion of cybersecurity debt, which we heard about at the Impact conference figure into your day-to-day thinking and perspective?

[00:18:29.610] – Clarence Hinton
Sure. You can think about the graph. I think I even threw one up there. As all this innovation occurs, you have this exponential increase and the attack surface, so it’s massive. Now, companies have continued to invest in security. It’s gone up, but not anywhere near at the rate with the tech surface has expanded. That gap, the large and rapidly growing gap. That’s the cybersecurity debt that we now have.

[00:19:02.810] – Clarence Hinton
You mentioned it earlier. It’s not like we can go ahead and solve with bodies. We have a headcount shortage here. Now there’s a global headcount shortage that added to, the IT general headcounts shortage that then amplifies the ongoing for many years shortage of cybersecurity professionals we have. We just can’t throw bodies at it to dress the cybersecurity debt.

[00:19:30.560] – Clarence Hinton
Can’t throw vendors at it either. The step that’s thrown out there is you have 70 to 80 cyber cybersecurity vendors for every enterprise. The last thing we want to do is add another 70 to 80 to try to address cyber cybersecurity debt. Even if they did, they don’t have the people to deploy, managed, modern and operate the systems from the vendors.

[00:19:52.600] – Clarence Hinton
They really need a set of key vendors to Step Up and solve a larger and larger portion of these critical problems at a very high level. You can’t check boxes here. You have to really solve the problem.

[00:20:07.590] – David Puner
You mentioned earlier in the interview that CyberArk Launch CyberArk Ventures and that was launched in the spring of this year how does this figure in to everything that we just talked about, cybersecurity debt and solving all of our problems?

[00:20:23.980] – Clarence Hinton
If nothing else? I think we’ve talked about how dynamic everything is. This is just where what we can see so far and based on the trend line over the next couple of years in terms of what we’re looking to address as a company and even with our partner ecosystem, but things will continue to evolve in ways that are not readily apparent right now.

[00:20:47.970] – Clarence Hinton
So part of what we want to do with cyber adventures is to make sure that we have visibility to and some stake in the future of cybersecurity, the problems that will need to be solved in effective ways as the clock rolls forward. Obviously we can’t just guess on all of those ourselves and invest and incubate all of these ourselves. That’s not how we’re set up.

[00:21:16.760] – Clarence Hinton
But we are in a strong position to work with some of these thought leaders and in the industry that have visions that are currently, as I described it, an adjacency and a half to two adjacencies away, meaning it’s not where we are right now.

[00:21:33.560] – David Puner
It’s like hockey when you’re supposed to you don’t just follow the puck. You want to be where the puck’s going to be or something like that, I’m sure it’s phrased much better by Wayne Gretzky’s dad at some point?

[00:21:44.880] – Clarence Hinton
That is definitely part of it, right? Think about it in dimensions where you couldn’t possibly you can’t be sure of exactly where the puck is going to go. You have to have plans for any number of possible outcomes. That’s why it’s more of a venture model here. Where we’re planting the seeds and we’re preparing for the future in terms of how things could end up.

[00:22:08.640] – Clarence Hinton
If you look at our three investments, Zero Network, this identity-based micro segmentation, you have dig security, this data detection and response and you have Enzo, it’s application security posture management. Those are things that we’re in now. If you look at Dig and Enzo, those are there in data, they’re an application, which is in adjacent, but not they’re not thinking identity.

[00:22:32.570] – Clarence Hinton
We’re playing that playing it forward to see will there be an intersection? If there is, how can we work together to build that? If you look at the case of Zero Networks, well, they’re a network, which is a bit further away from us. But they’re taking an identity approach to micro-segmentation.

[00:22:52.220] – Clarence Hinton
There is more of a near term does network start to intersect with what we’re doing down the road if it does? It is very likely that identity will be the connective tissue.

[00:23:03.360] – David Puner
We may have mentioned this a little bit before, but I’d like to go and just take it head on based on your discussions and work with global organizations around the world. What is the greatest cybersecurity challenge facing companies today?

[00:23:16.720] – Clarence Hinton
You know well, I think this whole concept of cybersecurity, that’s big. It really underpins everything. But if I have to pick something very specific, ransomware is pervasive, what’s troubling about ransomware, just the availability of it so it’s so easy for the bad guys to get access to ransomware. Again, it’s almost like they’re teaming up to throw different pieces of ransomware. You have this ransomware, their own supply chain where you have certain groups focus on deploying, building certain types of exploits that can be used for whatever means downstream. You have that.

[00:23:57.020] – Clarence Hinton
Then somewhat related to it because you have more of this supply chain approach to ransomware, it can be used to do anything. If you think about someone who is pure monetary, you can go in and do old school, just shut down your systems and do what it says, you ransom them off and they get paid. Thanks to cryptocurrency they can do it anonymously and get away with it. If you just want to attack and you want to disable systems, if you want to disrupt whether you do that on the IT side or on the operational side, on the physical infrastructure side, ransomware can be used to do that.

[00:24:36.350] – David Puner
As far as ransomware goes, I would encourage CISOs and others out there are listening to check out Trust Issues, episode 1 with Andy Thompson which is just a blockbuster on all things ransomware. We’ll call that ransomware part one.

[00:24:49.500] – David Puner
Name one innovation initiative or strategic growth opportunity that you’re particularly excited about right now and how will it impact cyber our customers and the cybersecurity community at large.

[00:25:00.890] – Clarence Hinton
I know this isn’t a favorite for people asking the questions when the person and other side says, yes, I want to answer a different question. And I did-

[00:25:15.460] – David Puner
Make it your own.

[00:25:16.300] – Clarence Hinton
But I thought about this. The way I look at it is this when I think what I’m most excited about, again, with a pure cyber I had just the rate and pace of innovation that we’ve had over the past year or so. I just flashback to impact. Not only did we throw out, I think it was almost 10 recent innovations that were available in the market that threw up on this slide.

[00:25:46.520] – Clarence Hinton
On top of that, we called out another five that were coming soon. Not only were there five that called on top of the 10 that we really hadn’t fully given, you know, given the aerospace to yet, but there were across multiple areas. We had know we had secrets management with Condra Cloud and also with Secrets Hub, you had innovations on cloud private security and you had innovations on the identity side with workflows and identity compliance.

[00:26:22.320] – Clarence Hinton
Just the breadth, the rate and pace of scale. All of that for me is tremendously exciting. I think we have to continue that rate and pace of innovation and the diversity of innovation to address everything we’ve talked about before.

[00:26:35.040] – Clarence Hinton
For me, I’m most excited about us doing all of that, because I’m extremely excited about the overall mission we have in terms of being the leader in identity security, because it is so important. When you go back to the very top and think about the problem, what we’re dealing with this, we have to succeed here not just for us and our shareholders, but we really have to succeed for our customers.

[00:26:58.300] – David Puner
Aside from pinched nerves, which we want to thank you for joining us today, despite the fact that you sustained a bit of a workout injury this morning, the show must go on you’re true pro and we appreciate that.

[00:27:10.490] – Clarence Hinton
Well thank you.

[00:27:11.890] – David Puner
What I think people would be surprised to learn about you other than you got a lot probably Advil on you right now.

[00:27:18.970] – Clarence Hinton
If you go way back. I’ve been into music for a really long time. It’s really personal for me in terms of if it even goes back to the whole army rat ties and all of that is like, how do you ground yourself? How do you maintain yourself? Oftentimes you do that through music, listening, of course. But I played a number of different things. I played the piano for a number of years. I played a few different instruments in the band and there as an athlete the whole time, but one of the summers, I think was between freshman and sophomore year, I even hacked together my own a couple of albums.

[00:27:59.660] – David Puner
We got to get the research team to get a hold a couple of those albums and we’ll expense them, of course. But just kidding. But can you find them out there?

[00:28:08.970] – Clarence Hinton
There’s one. First of all, these are all tapes now and nobody. Good luck finding a tape player. But given the business here. I know you have access to them. The first album is somewhere out there with master copies I don’t have one on me. I think my father may have one.

[00:28:25.000] – Clarence Hinton
The second is it’s unfortunate. I had a piece of equipment that was lost in a move and it had the master and the step below the master in it because I was going back to edit to some, even though it was finished. Those were lost with it.

[00:28:44.070] – Clarence Hinton
The second album, there’s no way to get that unless somebody found that thing and kept it, which I’m sure is crushed and melted somewhere long, far away and long ago. The first one, maybe second, unfortunately is unrecoverable.

[00:29:00.730] – David Puner
We’ll get to work on that. The next time you’re on the podcast, we can go through some tracks and talk about how you put them together and what your motivation was and inspiration and all that stuff.

[00:29:12.290] – David Puner
I guess one last question related to the music, because this could be a podcast in itself and it’s endlessly interesting. What are some tracks that you currently have on a playlist that you’d be listening to say on your way to the office?

[00:29:25.360] – Clarence Hinton
There’s a song just an example is called DjaDja by a French Artist. I heard when I was on vacation with my family in Miami, you used Shazam because you have to. I just loved it. It’s a sound you’re not going to hear anywhere. It’s mainly in French it’s a little bit of a different hip-hop vibe. I understand pieces of it because I studied French long ago, but I understand enough just to know what’s being said, but not be able to understand the end of what they’re saying, but just things like that. That’s an example of something that it’s a little bit off the wall. Just not you don’t hear it on the radio that I like to discover and like to take advantage of all the different Internet-type music services that are out there to uncover.

[00:30:12.540] – David Puner
Thanks, Clarence. Really appreciate you coming on to the podcast and look forward to talking to you again soon. Seeing you in person, maybe one of these days.

[00:30:19.740] – Clarence Hinton
Absolutely. Very soon.

[00:30:26.660] – David Puner
Thanks for listening to today’s episode of Trust Issues. We’d love to hear from you. If you have a question, comment a constructive comment preferably, but it’s up to you or an episode suggestion, please drop us an email at [email protected] and make sure you’re following us wherever you listen to podcasts.