Dave Gerry Podcast Transcript

Dave Gerry joins host Brian Thomas on The Digital Executive Podcast.

Brian Thomas: Welcome to Coruzant Technologies, home of the Digital Executive podcast.

Welcome to the Digital Executive. Today’s guest is Dave Gerry. Dave Gerry serves as the Chief Executive Officer at Bugcrowd. Prior to Bugcrowd, Dave was the Chief Revenue Officer and Chief Operating Officer at White Hat Security, where he oversaw strategic planning and execution for global revenue growth, service delivery and customer-facing operations from 2017 to 2022.

With over a decade of experience within the cybersecurity industry, Dave possesses a keen understanding of industry developments with the fast-changing market and has held key business leadership positions within several cybersecurity companies, such as White Hat Security, NTT, Veracode, Sumo Logic, and the Hi Java Group.

Well, good afternoon, Dave. Welcome to the show.

Dave Gerry: Thanks so much for having me. Great to be here.

Brian Thomas: Absolutely. I appreciate it, brother. I, I know that we’re just an hour apart. You’re in that just outside of Boston and I’m in Kansas City. I love to traverse the globe every single day. So, Dave, jumping into your first question at Bugcrowd, you’re at the forefront of crowdsource security.

What makes this model more effective or adaptive compared to traditional approaches?

Dave Gerry: Yeah. You know, it’s, it’s a really good question, Brian. I think as organizations look at the cybersecurity landscape today, they’re seeing more attacks than ever before. They have a wider, more dispersed attack surface, and companies are still struggling to hire elite cyber talent, right?

This isn’t something that’s new. We’ve seen this everywhere. Fundamentally, what’s different than our model is we start to look a lot more like consumer on demand models and start to democratize access to cybersecurity skills. So instead of having to go out and hire people full-time, you’re able to access over 600,000 security researchers on demand for the exact skill sets that organizations need today.

And that’s really kinda helping them start to take what historically has been a really asymmetrical battle, right? This defender versus the adversary, and start to bring an army of defenders alongside our customers to help them win in this changing environment.

Brian Thomas: I really love that. That’s totally awesome. You’re putting a bunch of experts together and really just leveling the playing field. As you know, the latest cyber attacks are just getting more and more advanced. People are leveraging new tools, AI, some of them are state sponsored. As you know, some come outta China, so I really appreciate what you’re doing to make the world safer.

So, Dave, cybersecurity threats are constantly evolving. How does Bugcrowd stay ahead of zero day vulnerabilities and emerging attack vectors?

Dave Gerry: This is really the power of the crowd, right? This is the ingenuity and the creativity that exists amongst all of these security researchers. Unlike traditional security scanning companies or security vendors that have to keep up with the pace of R&D, we’re able to tap into the latest and greatest knowledge that exists within that community, so they’re finding zero day vulnerabilities before anybody else’s.

We’re seeing that these folks are developing skill sets and tactics for identifying vulnerabilities that would take weeks or months to put into a scanner.

So it’s helping from a Bugcrowd perspective that we can stay a step ahead. But the more important part is that we’re helping our customers identify these vulnerabilities before a bad actor does. You talked earlier about nation state versus kind of cyber criminal gangs and how that’s playing out. One of the really interesting things for us is we’re seeing that there’s a narrower gap and it’s becoming harder to identify a nation state actor from a cyber criminal gang, and a big piece of that is that the sophistication is growing really quickly due to AI.

You have more amateur actors that are able to come off or appear more sophisticated because of the ability to tap into AI, and our customers are feeling the same thing.

So we’re helping to bring the right experts at exactly the right time to help them solve whatever challenge it is that they’re facing and drive, most importantly, the cybersecurity outcomes that they care about.

Brian Thomas: Thank you, and I like your model again, that crowdsource cyber teams, you know, you’re sharing knowledge, you’ve got a knowledge base, you have tools that you obviously share, and this allows you to stay a step ahead of the criminals.

Now, of course we know AI and some of these other tools are making it even more difficult to prevent attacks because of the sophistication that’s coming down the pike, so I appreciate you highlighting that. Dave, what are some of the biggest misconceptions companies still have about vulnerability disclosure and working with ethical hackers?

Dave Gerry: For a long time, there’s been this connotation of a hacker sitting in a dark room with a hoodie typing furiously over a computer, right? That vision’s been baked in since the days of the Hackers movie, all the way through Mr. Robot, right? And you see this view of hackers as the proverbial bad guy. And I think organizations today are really starting to realize that this is a really diverse, amazing group of individuals that come from all walks of life, right?

We release what we call our Inside the Mind of a Hacker report every year, and then the metrics continue to change, right? In terms of the age of the hacker community, the skill sets that they have, how they’re furthering and bettering themselves, how many of them are actually working in household brands, uh, on a day-to-day basis as security engineers or in some cases security leadership.

Then they’re doing this in their free time because they actually care about it. Right. If you look at the motivations, we all have this perception that they’re doing it for the money, right? You think about ransomware gangs, and, and even nation states in some instances, I think as organizations come together, they’re realizing that there’s a ton of talent that exists.

I think a lot of this was normalized in the kind of 2015, 2016 range, when the Pentagon came out and said that they were gonna run that the first Hack the Pentagon program and start to tap into the ingenuity of the crowd. I think that’s really where we started to see this industry shift. And today, the fear has somewhat gone away, right?

There’s a trepidation sometimes around, well, how do I know that it’s not gonna be disclosed? And we can walk them through the controls that are in place there, but fundamentally, they’re looking at the crowd as an extension of their team.

I think as the regulatory environment continues to shift, and more government agencies are starting to require vulnerability disclosure programs or responsible disclosure, that’s gonna help further this mission of let’s tap into the most elite talent when we need it, and be able to solicit feedback from the public and, and most importantly, again, help us find these vulnerabilities before a bad actor does.

Brian Thomas: Thank you. I really like that. And I like that you produced that report, I think you called it, Inside Mind of a Hacker.

I think that’s great. And of course, you know, tapping into this most elite group of people, again, I think crowdsourcing is one of the biggest things that we can do to be stronger, especially in this space. But I like how many professionals in every industry are working or volunteering their time to make the world a safer place.

So I appreciate that. And Dave, looking ahead, what innovations or market shifts do you believe will define the next era of cybersecurity and how is Bugcrowd preparing for them?

Dave Gerry: Without a doubt, it’s this AI era, right? And there’s been a lot of hype around AI in terms of the benefit that it’s gonna provide and it’s gonna revolutionize everything we do.

But from a cybersecurity standpoint, we’re seeing some really actionable things coming out of it. So if you think about, for example, from a defender point of view, they’re able to now within milliseconds, detect unusual behavior in their environment, whether that’s coming from an internal or an external source, and be able to act upon that by leveraging AI, whether it’s agent AI or in some cases they’re leveraging kind of homegrown models that they’ve built.

Now, what’s equally impressive but scary on the bad actor side is that they’re also leveraging AI, right? They’re becoming more sophisticated in terms of attacks, right?

One of the things and changes we’ve seen over the past 12 to 18 months has been the speed of zero day identification to exploit. If you think back, we used to have Patch Tuesday and the patches would come out, folks would start, bad actors would start to reverse engineer those. They built an exploit package and ultimately deploy that, and that would be about a week.

We’re now seeing this and we’re confirming this by talking with our customers. We’re now seeing that this is happening in under 24 hours, so bad actors are moving faster. They’re leveraging AI, and it’s incumbent on us as an industry to start to empower our defenders with this. If you look at how AI is being used across every organization, right, where you think about it’s helping sales and marketing, it’s helping finance, it’s helping legal.

It’s helping development and we’re seeing a level of productivity. But in all of those cases, it also does introduce potential risk into the environment. It continues to expand that attack surface. So it’s a really delicate balance for a chief security officer, in some cases, a chief data officer today to sit where you’re trying to control the privacy, safety, and security risk that happens when you introduce AI into the environment.

At the same time, you’re trying to keep pace with the speed of business and organizations want to grow and they wanna continue to develop their capability. And now you have this third cohort of the employee where we can all go sign up for the latest and greatest AI tech and realize how much more productive or efficient, and makes us as individuals.

But business does need to move a little bit slower. They do need to have more controls in place. So it’s a really delicate balance. I think, as we see the industry start to shift, you’ll see more and more of the security vendor market start to shift to how do we accelerate the pace of our own innovation, to stay one step ahead of the bad actor and make sure that our customers have the tools that they need to be able to deploy some of these AI solutions with confidence and in a really safe and secure way.

Brian Thomas: Thank you. I appreciate that. You know, you highlighted something, you know, defenders, obviously they’ve got some great tools now, including AI tools on the networks. Again, agentic AI is, is really coming out now, but it’s nice that we can detect things within milliseconds. But as you know, with these zero day vulnerabilities, we’ve gotta be on the lookout and ever so vigilant. You highlighted a point that I think is important is businesses do need to really slow down a little bit more, make sure there are controls in place so we can minimize that privacy, security, and risk that is so important in these days.

As you know, Dave, it was such a pleasure having you on today, and I look forward to speaking with you real soon.

Dave Gerry: Yeah, this was a ton of fun. Thanks again.

Brian Thomas: Bye for now.
