Opening
Mike Krass: Welcome to What's the Problem, the podcast where we dive deep into the most pressing issues facing cyber and data security leaders today. In each episode, we are joined by guest experts who share their insights and their experiences on the challenges that they currently see in the world of cyber or data security. Whether you're a seasoned veteran or a new leader to the field, this podcast provides valuable info and some strategies to get your organization moving to the next level. So join us as we explore the ever evolving landscape of cybersecurity and discover new ways to tackle the problems that keep us up at night. This is What's the Problem. I am your host, Mike Krass. Let's get started.
Conversation
Mike Krass: Today we are joined by Cody Barrow. Cody, say hello to our listeners.
Cody Barrow: How are you Mike and everyone listening?
Mike Krass: Now, Cody, why are you qualified to talk about security?
Cody Barrow: I am what I would call a relatively rare breed, a hybrid in multiple areas. I have been in intelligence for the last 20 years. And about half of that was in the United States government. I was an intelligence officer at the Defense Intelligence Agency or DIA, which (for those who don't know) is the Pentagon's intelligence agency. It is an all-source agency, sort of a Defense Department or military counterpart to the Central Intelligence Agency. So I worked in Washington DC at the headquarters element there. I also served regularly at the Pentagon in various roles. And I am what you call a plank holder for US Cyber Command, which is a Navy term for first on the ship. So I am a member of the US Cyber Command establishment team way back. It really started in about 2008-2009. And I spent some time in Afghanistan. I came back to the Pentagon and did what I would call strategic information operations planning. We'll just have to leave it there. And then I eventually joined the private sector, which I used to say was the real world. Now I'm not really sure which is which. In the private sector, I have been with three startups. I am at my third right now. The second had a large exit with Recorded Future of about 780 million dollars USD, which was the largest threat intelligence acquisition at that time. It was private equity so one could argue they still have yet to fully exit. First was a sort of basement startup that I won't really bore you with too much, although it's a very interesting subject. Maybe more applicably, I have also led threat intelligence at a Fortune 25: Fannie Mae. I really have experienced all sides of this. I spent the last four to five years, cumulatively, in Europe with the last three and a half years living in Europe. Essentially, I have gone native here in the Netherlands and Amsterdam for my current company EclecticIQ, which is, I think, probably the largest cybersecurity scale-up in the Benelux region here in Northwest Europe.
Mike Krass: First of all, Cody, I wanted to say thank you for your service. We do appreciate you serving both domestically and abroad. That's something that I didn't want to skip over. You also had the perfect segue here. You've been in security, intelligence specifically, for a government organization. And then in the private sector. The real world, as you said, you're not so sure it is the real world or private sector not. But you've also done that across two continents. North America being in the United States and Europe being in Amsterdam. Can you tell our listeners a little bit about what does security look like in the European Union versus the United States? Are there any differences or similarities that you immediately think about? Anything we might not know because we don't have that experience?
Cody Barrow: Absolutely. I'll start it off by saying that there are great private vendors and intelligence services companies on both sides of the ocean. There are extremely sophisticated operations and enterprises and governments on both sides of the ocean and the world. But I do think that there are some really key trends that you see that are different, generally in Europe versus the United States and Canada. One of them that is at the forefront of my mind is you tend to see that Western Europe and I guess you could say, Central and Eastern Europe too. So really spanning from the UK at least all the way to Poland. They tend to have a more tactical and operational and technical mindset. So what I mean by this is, I think in the United States and Canada, we have largely begun to acknowledge, at least in the Fortune 500 or so. Maybe even more than that. Cybersecurity is a business problem. It is not just an IT problem. I know some listeners will immediately have their hair start to raise and think I'm still trying to solve that problem at my enterprise, or I don't think that's quite true yet. And I would just say, I think it's getting better every year. And ever since probably the Target attack in 2013, I think that's really the big starting point from where we saw that evolution. So I think fast forward to 2023. 10 years later, and I think we're winning those battles. You're seeing a lot more CISOs that are reporting to the CEO, that are in the boardroom, that are at least in the C suite conversation. Because increasingly, North American businesses recognize that safeguarding their information assets is safeguarding their business. This is about revenue protection. Versus in Europe, with some notable exceptions. Largely, you see in enterprise, it is more common that you'll see CISOs that are really more of what you might otherwise call an IT Security Director. He or she is responsible for regulatory compliance. 
He or she is responsible for endpoint device security. All the things that you see in the US. But it's really hard for a CISO to really understand how to prioritize security and how to prioritize trying to get left of boom from threats and attacks without understanding the why of why the business wants to protect certain assets. Understand which ones would cause more damage if they were to be compromised. Really make a true holistic security plan. And that's because they don't normally have the same accesses that you see in the US. And I'll just stop there. I know there's a whole lot there. And there's a whole lot more.
Mike Krass: Yeah, there's a lot to unpack there. So if I'm understanding correctly, your experience is that in the US and Canada versus Western Europe, in the United Kingdom to Poland, essentially. And in North America and the US and Canada, that Chief Information Security Officer is more focused on the business and understanding the business implications of security. Whereas in Western Europe, the role is still, in your experience, largely technical and focused on… I think you called it the IT Security Director. It's more of that type of role. Who obviously, they are a director. They have business acumen. And they're the head of a department. And they've got some other responsibilities within the company outside of technology. But if I'm understanding you correctly, they're really more (in Western Europe) focused on the technical aspect of the role and not so much the business aspect. And the one thing I didn't get clear on that I'd love for you to clear up for us is are they invited into the boardroom in Western Europe? Or is that a concept of like, oh the Chief Information Security Officer doesn't come to these types of meetings. They don't talk to the CEO regularly. Is it just more of an organizational function? Why is that the case, do you think, over in Western Europe?
Cody Barrow: First, I want to mention that obviously there are exceptions. Some of the exceptions, I think, are, one could argue, becoming regional. I think Nordics, for example, or at least Scandinavia. And the reason why I have to say that is because I don't have a ton of experience with Finland. The experience that I have, which is mostly the Scandinavian part of the Nordics, is more advanced here with some of their large enterprises. The UK can also be more advanced here. But, for the most part, I think that primarily, they're not invited. I think it's more of an organizational component. So you'll see the CISO reporting to someone in the C suite, but he or she is really not functioning at that C level despite having C in the name.
Mike Krass: Do you think that they want to be invited?
Cody Barrow: Good question. I think that if you were to ask a financial services CISO, they would say absolutely. And I think they even are having increasing success, although I don't think that it's as prevalent as in the US yet, with that level of success. I think that they still have a hard time successfully gaining the buy-in that they need to know the sorts of things that they asked about, and that they're more than an Expense Center. I do think that if you look at some organizations that are more established, some organizations that are in industries that haven't changed as much over decades. Manufacturing industries such as those. For those that even have a CISO, I don't think that they're necessarily thinking about the business either right now. I think they're thinking primarily about detecting and responding to incidents much more tactically.
Mike Krass: Interesting. What is the venture capital environment like over in Western Europe?
Cody Barrow: Yeah, I think that's where you see a lot of the differences manifest both in the domain and in the financial aspects of it. So in the finance world, I think that drawing from my experience at three startups now and fundraising at at least two of them, and being in the weeds getting in the mud with that dealing with venture capital, in one case, dealing with angel investors and seed stage. I think that generally, American venture investors tend to be more hands-on, tend to be willing to invest more money at an earlier stage. Honestly, I've racked my brain trying to figure out why that is. And I think one of the things that I've observed is that the institutional investors don't have as big of a pocketbook, or I should say, appetite. You really don't have as many mid to late stage institutional investors willing to put in big money. There's a lot more focus on the early stage and lesser amounts. And you find that after a startup begins to reach the scale-up phase, they look for more money abroad, which is in the United States. And you really don't have that ecosystem of acquisitions that you've seen from Microsoft, Google, Apple, where they've really swallowed up a lot of other companies. Where I think we, as Americans, tend to forget that that's a huge aspect of our ecosystem.
Mike Krass: Yeah, I'm glad that you brought up the ecosystem. That was a big curious point for me. At what stage is venture capital more active? And you just answered that question. More of the startup or early stage in Europe versus the US. When European startups are looking at their scale up stage and needing some capital to grow, at that point that's where they start looking abroad. Do these companies ever look at Israeli investors? Or is it just like you go straight West and you head to America?
Cody Barrow: No, I think a lot of early stage companies emerge from Israel. But I think Israel is probably the second largest, at least in cybersecurity. It probably has the second largest contingent out of the US in cybersecurity startups and scale-ups. I can say confidently, top four, because someone else might be number two or number three. I think that you see a lot of earlier stage startups there for similar reasons that you might see Europe is more technical than the US. And that's because of the national security pipeline and the sort of cultural traits. And what I mean by that is when I say Europe is more technical, I don't mean the US is not technical. What I mean is that the US tends to be more strategy focused. More strategic in its thinking. And Israel is similar. Israel, the US, and to a certain extent, the UK, have very robust national security pipelines. Where you'll have someone from, in Israel's case, very famously, Unit 8200. Or in the US case, such as with yours truly, someone from either the National Security Agency, DIA, or somewhere else enter the private sector and bring that knowledge with them. Whereas in Europe, there is a national security apparatus and the respective countries, but it's not nearly as large. And it, in my anecdotal experience, doesn't seem to really produce the same volume of public-to-private founders that you see in the US, Israel, and to some extent the UK.
Mike Krass: As we come to the end of this episode, Cody, what's a takeaway, one or two takeaways? What can the US learn from the EU? And what could the EU learn from the US?
Cody Barrow: Absolutely. First, you are seeing that on the venture side, the EU sees what the US has achieved. And they're trying. But they're trying in the way that fits their values. And so there's been a lot of debate about big tech and privacy. GDPR is famously a European regulation and law. And so the European Union does have vehicles. There's the NATO Innovation Fund, which is going to be based in Amsterdam. It will inject 1 billion… I'm unsure if it's US dollars or Euros, but it's a pretty similar exchange rate… over 15 years. Various vehicles like that. But on the operational side, I think that for sure, the European Union or companies in Europe, not necessarily just the EU, but also the UK, can think about this cybersecurity problem set with a longer horizon. So think about it as revenue protection, not an Expense Center. And think about why you are trying to protect the assets that you are trying to protect. Then program that into your wider business strategy. Bank of America in the US, their CEO a couple years ago, famously said… or famous in my mind anyway. Maybe no one else caught it. But he spends $1 billion on information security because he is responsible for something like… I don't know the exact figure… but probably over $3 trillion in assets. So it's not that much for revenue protection or asset protection. But on the flip side, the US can really examine Europe and then admire, as I think we have for decades, how technically skilled they often are here. There is a richness in highly skilled technical training universities. There is a richness in being self-taught. Linux comes from Finland. And there is a richness in understanding the far more complex, operational, and tactical problems that I think the US can draw from when we are building talent pipelines in our respective organizations.
Mike Krass: Well, Cody, thank you so much for joining us.
Outro
Mike Krass: For our listeners. That is a wrap for this episode of What's the Problem. We hope you found our conversation with Cody Barrow to be insightful, to be informative. Remember to tune in next time for more discussions on challenges in cybersecurity. I also want to give a quick shout out to our host MKG Marketing. MKG is focused on helping cyber companies get found, drive leads, and close deals. So if your cybersecurity business is struggling to do any of those things, let us help you. To learn more, you can visit our website at mkgmarketinginc.com. Thank you for listening. Don't forget to subscribe and leave a rating for the podcast. Cody appreciates all five stars so please don't let Cody down. We appreciate your support. Until next time, my friends.
Cody Barrow
Cody Barrow is a cybersecurity executive with 20 years of public and private sector experience in the US and EU, holding leadership positions within the Pentagon, National Security Agency/US Cyber Command, Fortune 25, and commercial vendors.