20-Minute Leaders
“Identifying what I don't know is one of the hardest things to do.”
Figuring out what he doesn’t know and asking others for help with it is a big part of the success of Slava Bronfman, CEO of Cybellum
Figuring out what he doesn’t know and asking others for help with it is a big part of Slava Bronfman’s success, he shares. He is CEO of Cybellum, which provides product security for big safety-critical systems like vehicles and medical devices. He explains that asking the right questions and continually consulting with others who have more experience has been crucial to the company’s journey. Bronfman says that he started Cybellum with an understanding that the need for product security was growing and that it needed its own solution rather than using traditional IT tools. He shares that he truly fell in love with the problem, which was the intersection of a technological and a business problem. Bronfman also says that he saw that regulation and standards would be coming to the field, and Cybellum wanted to be ready to help companies comply.
You're running Cybellum, looking at the life cycle of connected devices, end-to-end securing them. Tell me a little bit about yourself, how you got into the cyber space, and why you love it so much.
On a personal level, I like to build things, especially when there is a big challenge and there is really a big problem that involves a technological problem together with some business problem. The interaction of the two is really where I'm getting excited. That's something that we are solving today in Cybellum. We are in the product security world, which is different from IT security or OT security. When you say product security, it's really not about IoT or small devices, it's more about big safety-critical systems, like connected vehicles and medical devices, industrial IoT, stuff like that. I got to the cyber field in general from the Israeli army. I served in the intelligence corps and dealt a lot with connected devices.
When we started Cybellum, we were looking for a big problem to solve. One of our advisors used to run the product security team in Daimler, that’s now Mercedes-Benz. He basically presented us the challenges that he had as the head of product security. It was really funny for me then to see that there is no regulation whatsoever. If you look at all the IT security, there are tons of cybersecurity practices and regulation and standards. When it came to physical, to real safety-critical systems like vehicles, there was practically nothing there.
The other very interesting challenge is that this entire industry, like automotive and others, is completely built on a very complex supply chain. They are taking all the components from their tier-one suppliers who then receive components from their tier-twos, and so on. Eventually, they are integrating all these black boxes together. Traditionally, they were okay because you don't need to see inside those black box components to understand the safety level of them. You can just do some crash tests and stuff like that to understand if the component or the system is safe or not. When it comes to cyber security, it is challenging to protect the system even if you have full visibility inside, if you are developing it. So just think how complicated and complex it is when you just get the completely black box component and, eventually, the liability for the security of that is yours.
To me, it was absolutely fascinating to see both the challenges and how complex it is and that there is no solution. The business part of that was that I understood that this is an emerging market with very few players that are playing there. The ones that are playing are trying to take traditional IT solutions and apply it to the product security world. And we basically thought differently.
Can you tell me about the early days of when you started this? There is a gap between creating a company to post series-A from an initial excitement. So how did you fill that gap?
It was actually a huge gap that I think I'm still filling slowly, mainly by consulting with many other people. That's basically my strategy or my philosophy of approaching things. I usually try to identify what I don't know. That's one of the hardest things to do. But once you pinpoint what you exactly don't know, then you can present this problem to someone that's been there, done that. I was lucky enough to have around me a bunch of strategic advisors that I've used for various topics.
I think the main thing that I was trying to do throughout this period is to ask the right question and then to consult with many other people. There is a big gap from identifying an issue and being excited about it. I truly believe in getting in love with the problem, and that's what I really had early on when we started Cybellum. But moving forward, I was really consulting almost on a daily basis with other people. I think that's really one of the secrets to success.
Tell me about the vision for Cybellum and translating your passion for this research and for the space to the productization of it.
At the beginning, in a very few companies, we've identified there is a new role: CPSO, chief product security officer. Which, in a sense, is a peer of the CISO. We understood that for these huge companies that are manufacturing cars and so on, their biggest asset is obviously their product. They invest so much on IT security. We understood that there is no chance that in a couple of years the role of the CPSO and the budget that the entire product security team will get wouldn't be at least equivalent to IT security. We really tried to build a solution around that practice. When we started product security, it wasn't even a term. There's for sure no practices of how to run it, what are the proper ways to conduct product security assessments or manage vulnerabilities for products, and so on. Our thesis back then was that it's a growing practice and it's going to be a huge market, as we actually are witnessing today.
Our vision is actually to continue with that growth and continue to support the product security team. So in our vision, product security is going to be a practice by itself. Cybellum’s solution, in our vision, is the go-to product or the go-to platform for product security teams where they actually manage the risk and the security of all their products throughout the entire life cycle.
You are continuing on a vision that was set forth when you first started out. What led you to that belief five or six years ago? How did you get that conviction where you were able to come up with this thesis?
It was a combination of multiple things. The first thing was that we saw a new role in the company, a senior role that was reporting to the board or directly to the CEO. The other thing was the great connectivity that was starting or was just picking up. We understood that there is no chance that in a couple of years there won't be any regulation and compliance for this. So we really bet that there will be regulation and compliance. And budgets, of course, will follow. Above all, it was a bit of belief that everything that is connected needs security. This belief that it will come to those products was, for us, kind of obvious.
When will you declare success on your own mission as Slava?
Maybe you know that about seven months ago, we actually sold most of the company to LG Electronics. For us, it wasn’t the end but just another milestone. Because we actually remained a fully independent company, independent brand. Just we have a change of board members. The reason that we decided to leave the company independent and not just be part of LG is that we understand that this field is just scratching the surface. A success for me would be that Cybellum will be really the go-to platform for product security teams around the world where they are really managing the security of all their products. Today we're focused mostly on automotive, medical, and a bit of energy, so going to other verticals, like telecom and aviation and so on, and expanding the solution and seeing that Cybellum will remain a sustainable company in all these areas, for me, would be a success.
Michael Matias, Forbes 30 Under 30, is a Venture Fellow at Innovation Endeavors as well as investment Venture Partner at Secret Chord and J-Ventures. He studies Artificial Intelligence and Human-Computer Interaction at Stanford University, and was an engineer at Hippo Insurance. Matias previously served as an officer in the 8200 unit. 20MinuteLeaders is a tech entrepreneurship interview series featuring one-on-one interviews with fascinating founders, innovators and thought leaders sharing their journeys and experiences.
Contributing editors: Michael Matias, Megan Ryan