9: Dragon Wizard with Ron Gula

This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.

Chris Glanden 01:59

Today I’m with Ron Gula, president of Gula Tech Adventures or GTA, which is a firm focused on investing in companies and nonprofits that help close the gap in needed technology and workforce to defend the country in cyberspace. Ron is known as a cybersecurity visionary innovator and engineer of extraordinary talent. He also co-founded Tenable, developed Dragon, which potentially is the first IDS to ever exist, ran risk mitigation for the first cloud company, deployed honeypots in the mid-90s. for the DoD and was a pentester for the NSA. Ron, thanks for joining me.

Ron Gula 02:36

Hey, thanks for the opportunity. And I don’t think dragon was the first intrusion detection system. There are definitely a lot of folks who came before what we did there.  We were definitely the first one on Linux that people could edit signatures with, though that was a big innovation there.

Chris Glanden 02:51

Nice. Definitely groundbreaking, at least in that space at the time.

Ron Gula 02:55

Yeah, at the time, everybody was using Windows and the time just for folks who are listening, late 90s, early 2000s. Right. This is before VMs. for, you know, Ubuntu. This is before many, many, many things. We were on very, very old versions of Linux and people were tired of working with Solaris and other these high ends, Unix is out there and, man, it was just a great right place the right time, and then we helped a lot of people protect their networks.

Chris Glanden 03:24

Now, did you have a programming background going into that or was this just spawned off an idea that you had?

Ron Gula 03:29

I’m a very poor programmer, I understand algorithms and how things work. I’m much more of an engineer, so I can usually understand what needs to be done. I did program a good bit of what was in, Dragon, and I got some smarter people to help me out, though. And same thing is Tenable. I mean, I did some of the first initial user interfaces and what things we got rid of that pretty quickly going down the road as we scaled up, but I think everybody should code to some extent so they can understand how things work. They probably have the days people don’t understand how things work. If you don’t know how things work, you don’t know how to protect it, you don’t know how to use it, you don’t know what to do next. We need to have more that.

Chris Glanden 04:12

Agreed. And we’re all familiar with Tenable. I mean, congratulations, by the way on the continued success of that solution.

Ron Gula 04:18

That is Tenable’s biggest claim, I think, our mark on the industry is that we just kept up with technology. If we had just stuck with basically, Windows and Linux and network scans and didn’t do web and didn’t do mobile and didn’t do cloud didn’t do virtualization, it didn’t do Amazon just goes on and on and on. That’s what you need to do as a cybersecurity companies need to like pay attention to the tech that’s out there and be very relevant to your customers.

Chris Glanden 04:43

So, the word tenable is not a word that I hear every day. I’m curious to know who came up with that name for the solution?

Ron Gula 04:50

I’m going to give credit to– So we have two co-founders. We have Jack Hufford and Renaud Darrison and my wife Cindy was employee number one, we wanted to avoid the husband-and-wife sort of connotation publicly there but I believe it was Jack. Jack certainly was the one who got the Tenable domain name because when we originally started it was tenablesecurity.com. And we were playing around with different brands and different names, but tenable means obtainable and defendable. And if you think about cybersecurity, we all talk about, like the patching cycle or it’s like laundry, it’s never done, it’s this infinite process, but tenable is, can you run a network and to a certain point and make it defendable on so as a very apt name, you know, it was service very well continues to serve the company well today,

Chris Glanden 05:45

It fits for sure. When you started working on Tenable, did you expect it to be this successful?

Ron Gula 05:51

We certainly didn’t start off with the sense that we’re going to go public. After 16 years, and I feel a little bit longer than that, but this was our second company. So, we had sold the first company, the dragon company was called Network Security Wizards, that, that changed our life. We didn’t really have to work and we had the luxury of being able to really be purposeful about starting the next company. And we always ran it to be opportunistic, which goes against some of my advice for startups, I tell a lot of startups, you should be really goal oriented but, the Tenable story was much more about creating opportunity, creating value for not only the founders, but the customer. I mean, every year, we thought we might have been acquired, because we were the exact kind of company that was good, but we were growing so fast, it was such a good decision to just keep investing in the company and the people and support the customers.

Chris Glanden 06:49

So, I guess that would lead into my next question is, and you touched on this a little bit. What advice would you give young tech entrepreneurs with nothing more than an idea to help them stay motivated and focused?

Ron Gula 07:03

Yeah, so I’ve got a lot of content on this, we try to spend a lot of time with entrepreneurs, but I really tell people– I want to know five things, if you can describe the problem you solve. The second thing is how you solve that problem. The third thing is, if you got some proof, if you’ve got some reason for thinking you can do this first the problem and how you solve it and then if you’re asking for help, like perhaps as an investment, or perhaps from a customer, what do you want, what do you need to succeed? A lot of times, if it’s fundraising, what are you going to do with the money or hire salespeople invest in tech but then the last thing is, what’s the vision of success? And lot of times, we talked to entrepreneurs who can’t answer any of these questions. You might have a brilliant founder, who’s knows that they can make, I don’t know, like a cryptographic algorithm that’s unbreakable. They can maybe do a higher speed pattern matcher, but they have no sense of what problem they’re solving in the aspect of customers, or maybe they’ve got a great company, but they don’t have any sense of what exit looks like, and if you don’t have a sense of an exit, or what success or what your impact on society is, that means somebody else is going to do it for you. And you’re always going to be playing well, Is this enough or what do I want? So, if you can answer all those five questions, you should think about starting a company and sticking with it.

Chris Glanden 08:28

Well, you have to prove value, right? And it sounds like, an idea isn’t enough, you need to also have those people around you to help drive that vision.

Ron Gula 08:38

Yeah, and I like to see people who have personal experience in these problems. I mean, there’s a lot of great companies where once you’ve been a CEO, once you can help, you know, a completely different company with guidance and vision, because at some, at some level, we have to all recruit, advertise, hire, pay taxes, you know, ship products, and whatnot.

So, there’s certain some muscle memory of just being a successful executive and entrepreneur. But one of the things I really like to see in cybersecurity is some sort of experience and, maybe you were an offensive hacker for the CIA. And now you’re going to help you know, doctors protect data, add to patient data at hospitals, maybe that’s relevant, especially if you were hacking into hospitals, but maybe some of your experience is not relevant, if you’re a consultant for PCI, and you’ve been doing a lot of credit card, e commerce work, that might have exposed you to something like, cloud architectures with Amazon and Google and containers, and maybe it is relevant.

So, the point is, if you’ve got a passion for something, and you’re you’ve got experience, and you can see these problems firsthand, you’re probably in a great place to come up with that next great idea.

Chris Glanden 09:44

Sure. So, you’ve been in the cybersecurity game for a long time. If you could only use one word to describe the current state of cybersecurity, what would it be?

Ron Gula 09:55

Failing.

Chris Glanden 09:57

Could you explain why?

Ron Gula 09:59

So, we have Failed multiple things. So, for example, and maybe it’s an accurate assessment. So voting, we can put a man on the moon, we can put, we can build dams we can. I mean, I bought something on Amazon yesterday and it showed up at my door the same day, but when it comes to something super critical, like voting, for example, the entire cybersecurity industry is like, yeah, paper ballots. You can’t secure this stuff.

So, I kind of feel like that’s a failure. And it’s sort of like, we can fly the president around on an airplane, we can fly ourselves around on airplanes, and we accept that risk but when it comes to cyber as an as an industry, we’re sort of like, Yeah, no, and then you look at something like solarwinds, I mean, we’re recording this and at the end of 2020, in December, and this is like the second week of the solarwinds event, you basically have somebody who hacked into a cybersecurity vendor. I mean, solarwinds, they do they do IT work, or they do security work, and use that to hack other people. I mean, this is something that the industry has been talking about. So, if we fail detecting that, or we fail, maybe, educating the public about that, then it’s, again failure, we have a much, much, much longer way to go. And I still have hope, you know, I’m still very committed, I’m still very positive, but we’ve been failing people.

Chris Glanden 11:21

I commend you for recognizing that and hopefully, point everyone that’s listening here in the right direction. So, in 20 years from now, when you talk to your grandkids about 2020, how will you describe it?

Ron Gula 11:35

It’s going to be interesting, because obviously, you can’t talk about 2020, without talking about COVID, working from home, you can’t ignore the racial tension, you can’t ignore the election and now it’s not even just racial tension. It’s tension between red and blue, liberals and conservatives, but the dramatic economic impact. Our favorite restaurants are closing down, people we know are dying. Most people are living a very comfortable life, if you’re at least a little bit well off, your COVID not probably that big of a deal. I mean, and so there’s going to be this weird reflection of what are the memories we get from this time period. For Kids, though, who are in school, it’s going to be much more impactful. I mean, if you missed your senior year of high school football, I mean, that’s nothing compared to losing a parent. But the vast majority of people have had these social and psychological impacts. I think the 2020 story for 20 years from now, is going to be this sort of mishmash of all those things I talked about.

Chris Glanden 12:42

I agree, and I’m curious to know, leading up to this point, how has COVID affected you professionally, and has it disrupted your workflow?

Ron Gula 12:54

Cindy, my wife, when we left Tenable, we started working from home immediately. So, we didn’t have to go through the sort of psychological and emotional switch of working at home that a lot of people did it beginning of the COVID crisis, but what is a venture capitalist do? What is somebody who tries to be useful to politicians do in cybersecurity, and nonprofits, we have to go and meet these people. Well, once you’ve removed the physical need to kind of be present, you could do a lot more meetings.

So, we spent a lot of time during COVID doing Zooms, and we got to meet people a lot, that we never met in person. And this was a very, very easy thing for us to kind of adapt to because we’re pretty easy as far as when it comes to meeting people understanding, we know, the questions to ask when we’ve got a great network of other venture capitalists and donating organizations, we can do due diligence, pretty quickly. And then as far as cyber security companies go, those COVID move things along quite a bit. I mean, some companies did have an impact. Certain industries like travel, recreation, hospitality. Yeah, you were selling to the hotel industry, you probably didn’t get your quota with them this year but cyber was such an increase in awareness across the board. Almost all of our companies saw some sort of positive increase either in interest or sales or product adoption. So, it’s been generally positive for us.

Chris Glanden 14:32

Yeah, it’s great. I think it really brought cybersecurity to the surface and these organizations like Zoom that really forced them to aggressively implement security controls when you know, in other circumstances, they may not have had that.

Ron Gula 14:45

A COVID made IT and cybersecurity personal for a lot of people and when you can see a school system kind of mess up the Zoom controls and now you’ve got people putting pornography into parent teacher meetings or people just understanding that, when IT works, nobody cares about it, right. But when you are responsible, and you’re starting to do things like oh, I don’t have good Wi Fi in the house, I’ve got to share it with my kids, because they’re on. All of a sudden mom and dad or the IT department. And this is really an opportunity for the cybersecurity industry to kind of be a lot more influential and raising awareness, because everybody kind of lived it and I think it’s going to continue to persist in 2021 and I think it’s something that cybersecurity entity can definitely capitalize on.

Chris Glanden 15:31

Do you think COVID is going to change the threat landscape? I mean, you start to see the vaccine cold chain attack and, and those type of things starting to emerge. So, just curious to know if this is going to shift sort of that landscape, or is the landscape just going to naturally progress and COVID is going to be in the middle of that.

Ron Gula 15:49

So, there’s a lot to unpack in that. On one hand, if you define the cybersecurity industry, as from the intelligence community, the intelligence community, both are not agencies, and our adversaries, they are going to continue to be able to go anywhere they want and get any type of data. So that’s not going to change because they have satellites, and they have human intelligence, and they can bribe people, and they can, you know, that they can literally implant bugs and software backdoors. When you’re FedExing things around the country, that’s not going change. Enterprises, I do think we’re going to have some changes there. I mean, there’s this embarrassment of cybersecurity products and technologies and the security operation team, Red team, Blue team, you’re this embarrassment of riches and yet, we’re still missing things like the solarwinds attacks, and still talking about how information sharing, you know what, somehow solve that.

The reality is, we still need to step up our game in the enterprise and then finally, outside of the enterprise, my mom and dad, my dentist office, my car dealer, they have no idea how what the difference between hunting and hygiene is, and we need to change that. We need to make sure that people who are only putting a little bit of effort into cybersecurity know how easily that they can lose everything, be it from a nation state, or be it from maybe their competitor across the street at the other car dealership. So, I want all that to change, and of course, socially, we need to get more people into the cybersecurity career field, we need to get more women are African American, and if we don’t do that, we’re going to have a hard time solving those other three areas I talked about.

Chris Glanden 17:30

How do we accomplish translating the importance of that to the public?

Ron Gula 17:34

So, one thing that we’re trying to do there is work with this new concept called Data Care and we’re trying to steal some emotional cues from the healthcare industry, and basically, we’ve blogged about this at GULA TECH. We’ve done a lot of talks and keynotes on this but basically, cybersecurity as a general rule, it’s a poor job of tracking people because we’re pitching it that you have to be a brain surgeon to kind of go into the healthcare field. That’s kind of how we pitch cybersecurity. But at the same time, cybersecurity, because we set up these experts in these technologies, the general public really sees it as cybersecurity somebody else’s problem.

You ask anybody who’s like not in the business a What do you do for cybersecurity? They’re like, Oh, we have an IT, outsource firm, we have a firewall we have any viruses. It’s a thing, it’s not a responsibility. So, so changing it to Data Care. And you say, Well, how do you care for the data that you have? How do you protect the data that you have, whether it’s personal data, or data from a restaurant customer? It instantly changes the conversation, and it makes people understand that there’s some sort of social responsibility to doing this. I really want to see the industry transformed into what I call the Data Care industry and I think that it will go a long way towards getting that social sort of awareness of just how bad things can be.

Chris Glanden 18:53

That’s a great approach and you can’t avoid seeing the headlines, you can’t avoid seeing the news about breaches and how much companies are getting hit. Even from a financial standpoint.

Ron Gula 19:03

It’s so similar to healthcare, because you know, you can quit smoking, you can die, you can exercise, you can sleep, and you can die of a heart attack the next day. There is no guaranteed and it’s the same thing in cybersecurity, you can patch, you can do intrusion protection and have firewalls; a two-factor authentication, and the Russians could walk into your building you know, the next day virtually. So, a lot of people they feel overwhelmed they don’t know what to do. And Data Care is a way to kind of ease into that and I think it’s much more of a societal impact concept than the specific thing because nobody in cyber is going to tell you that look, if you follow the NIST cybersecurity framework, and you set up MITRE attack. Yeah, you can still be hacked, but that’s the reality and it’s the same thing, right? You can wear a mask, you can get a vaccine, and you can still catch a major disease even though you’re doing the safe card. It’s a numbers game.

Chris Glanden 19:55

Absolutely. Is there a reason that you can think of why cyber attackers always seem to be one step ahead of the defenders?

Ron Gula 20:05

So, the reason that cyber attackers always one step ahead of the attackers is they have time. They have time to plan and do the attack. So, if you’re well resourced, and you want to break into– I really don’t want to jinx anybody. Let’s say you want to break into a large CRM provider or change the way. Let’s say you’re Korea, and you want to North Korea and you want to change the way Netflix is distributing a movie, you know, you don’t want or something like that. It’s just, math and engineering and time and reconnaissance to figure out where you want to go, and what you want to do. So, in many ways, it’s just a reality that, look, if your job is to do this, you need to understand who your threat actors are, and what capabilities they have, and realize that they could be coming for you. It’s a mindset shift that that books are going through.

Chris Glanden 20:55

What do you see as cyber security’s number one myth?

Ron Gula 21:03

So, my number one myth is that you can actually measure cybersecurity, somehow you can quantify and put a number on it and models are useful, don’t get me wrong. I think it’s great to have models but when somebody says, this is my model, to measure all cyber risk, it becomes flawed very, very quickly. It’s like measuring religion. I think everybody’s personal relationship with God, with religion, if you try to quantify that and measure it, it’s very similar to what we do in cybersecurity, and there’s so much bias and assumptions that goes into producing that risk. Now, I’m not saying it’s wrong to count vulnerabilities and put them into a score so, I can, maybe relatively measure organizations, but to then somehow say that this one organization is more secure than another in the face of what nation states what about, UFOs with, you know, quantum computers that can do photon interference and read from my CPU, right? So, everybody says, that’s kind of crazy talk but the reality is, these attacks that we’re looking at, are like science fiction, they are definitely coming down that pipe. So, I think that’s the biggest myth.

Chris Glanden 22:13

I understand. You think it’s really hard to quantify cybersecurity risk but if you had to choose a framework, what would you suggest?

Ron Gula 22:19

So, I blogged about this a good bit, I want two things; I want hygiene, and hunting. And if your hygiene, is, you know, the NIST cybersecurity framework, that the Payment Card Industry framework, you know, if you’re a D.O.D person, how that D.O.D does it. God bless you; I think that’s great, but if you are going to rely on passion alone and access controls, and zero trust alone. You’re going to fail, because people who want your data are going to connect, so you have to hunt, you have to be on the prowl for not only insiders, but people who’ve compromised those machines that are poking around, and you have to hunt.

So, the there’s great frameworks out there in the hunting area as well. We’ve purchased the Lockheed Martin, attack chain which did not really term, it’s not that but it was the precursor of what the popularity is for MITRE attack, those things are great, too. But it’s this really mental commitment that organizations need to have, they need to have some balance of hunting and hygiene, and that’s a personal decision, it really is based on your risk, based on your budget based on what you’re trying to protect, and you need to kind of figure that out, and when I say hygiene, maybe your hygiene is you have a separate air gapped network. And I think that’s kind of where a lot of organizations are headed, because they’re realizing that, you know, defense is hard, and hunting is hard. If you can really lock stuff down hunting is pretty easy.

So, if you have an air gapped network, and you have a really, really good boundary controls over those things, that’s a lot easier to kind of inspect and look at versus letting every computer on the network, go directly to the to the internet. So that’s what I want to say. And I’m not going to say NIST is better than PCI, or other standards, because it’s all about how its implemented and what you’re trying to protect.

Chris Glanden 24:17

Sure, and then you have, you know, your industry compliance requirements that obviously, you can’t avoid. And I’ve noticed that NIST is actually started to become more precise in their frameworks as well for ICS and other industries. They’re writing frameworks or white papers specifically geared towards those lines of businesses as well.

Ron Gula 24:40

I think anybody who’s implementing a framework should understand that there’s debates and approaches. You know what these things and they should also know that some of these frameworks come from different places like PCI, they don’t really care about availability, they care about loss of data, loss of credit card, loss of PII, But if you DoS one of their websites, so, if you go through PCI, you’re going to see less emphasis, the at the same time, you know, there’s these frameworks have not done a great job of addressing BYOD they have not done a good job of addressing, okay, what if I put all my stuff in Amazon? You know, and I only have one Amazon area, and I don’t have automatic failover in my apps, but what if I put everything into a great company like Salesforce, and they go down one day? I mean, we had we had an outage last week with Google, Google was down for an hour, and I mean, I saw people saying, I’m rethinking my email strategy. Like really? Their uptime is still better than anything you can do probably privately but it’s that lack of control that people so, you know, a lot of times these frameworks don’t take those kinds of philosophical and almost religious questions into account and people really need to understand that you know, where these frameworks are coming before they implement them blindly.

Chris Glanden 25:59

Now, that makes complete sense. Let’s get into Gula Tech Adventures, GTA, would you mind just giving us a high-level understanding of how GTA came about and the inception of GTA?

Ron Gula 26:15

Absolutely. So Gula Tech Adventures was named by my wife, Cindy, we knew we wanted to establish ourselves as venture capitalists, but also not just do venture capital. So, we launched a foundation about a month ago, that’s called Gula Tech Foundation. And we do a lot of — we’ll just call support of the cyber community, whether it’s at the government level, or at some of the think tank policy levels, and to us, this is an adventure, so we want to invest. And we’ve done probably about 30, 35, investments directly into companies, we’ve had a couple exits, already and then we’ve also invested in funds. We’ve done about seven investments directly into cybersecurity funds.

So, all of that we were actually kind of calling ourselves cyber industrialists for a while, because we kind of do carry a lot of impact in different areas, whether it’s nonprofit, government or investing, but this has just been, you know, we’re calling it an adventure, and if people want to contact us for travel tips that would sometimes, we get that joke, but for the most part, we think this is an adventure, and we’re certainly not done with our cybersecurity adventure. And we think almost anybody in the industry, they’ve been on an adventure, whether they’re starting a company or starting a career, or, just trying to be you know, maybe they’re a victim, with their own adventure. So, we were very happy to name at that, and happy to get into a little bit more of either the companies or some of the nonprofit’s that we’re working with.

Chris Glanden 27:51

Yeah, that’s fantastic. The first competitive grant program starts January 4th, could you talk about what it focuses on?

Ron Gula 28:00

I think one of the biggest lessons I learned from tenable is and just doing companies in general is being very purposeful about messaging and what we’re doing. So, we have been doing investments in nonprofits, grants, donations, whatever you want to call it, and we saw a big need for probably about 15-20 different areas, whether it could be getting more minorities into cybersecurity, getting better policy, enhancing public awareness and we said, well, we don’t want to focus on just one.

So, at the same time, we wanted to be able to focus on things and have a meaningful impact, and then kind of move on to something else. So, we came up with the Gula Tech Foundation. The idea is to do a competitive grant process a few times a year on very specific topics. So, the first one we’re doing is a Competitive Grant Program, it’s actually January 4, which is the first Monday of 2021. We’ve got a application form where the focus is going to be on any cybersecurity nonprofit, that increases engagement for the African American community.

So, this could be research programs trying to figure out why there aren’t more African American chief information security officers. Why aren’t black kids in K through 12, Why aren’t they going into the I.T field? This could be professional engagements, it could be grants or scholarships, you know, specifically for Africans-Americans. We have been in contact with a lot of different organizations, we’re going to be awarding three grants, $500,000, $300,000 and $200,000. And our grand advisory board is not only going to help us pick the winners, but when we move on to the next topic, they’re going to be very influential on picking those things.

Chris Glanden 29:53

That’s awesome.

Ron Gula 29:54

We’re hoping that we can be very impactful and purposeful because we kind of feel at least for this first topic, we really feel like just saying, hey, look, you know, I’ve got an open job, and I really want to have an African American, a female, or.. it just doesn’t get done, you have to go and be very purposeful, to black colleges. It’s a different type of professional society focused on African Americans and cyber in it. So, if you’re not purposeful, a lot of times these connections aren’t really there. And that’s why we’re being so direct about this topic and what we want to do.

Chris Glanden 30:34

Are you able to disclose any future themes your grants may focus on?

Ron Gula 30:39

We care very much about diversity, I don’t think we’re going to do another diversity themed one this year, we want to get into some other aspects of cybersecurity, such as technology, such as perhaps privacy. There’s a lot of open-source technology that people use and those things need funding. There’s education, which, in and of itself is part of the diversity. Potential opportunity, that kind of increase engagement there. But just getting actual good cyber curriculum into the hands of kids is a big problem.

So, there’s a lot to work on. We’ve been volunteering with elections for good bit. So, we just did an interview with Ben Adida, who runs voting works, there’s an open source election voting. There’s a lot of different topics and Dis-information be another good one. So, I’m purposely saying many, many different things to not disclose what we’re doing next.

Chris Glanden 31:43

Understood. I don’t believe there’s anyone else more qualified to lead this charge than yourself to see it through and see the success and see you change the landscape of cybersecurity workforce, I think that’s great.

Ron Gula 31:56

You’re very kind, and I would tell anybody who’s thinking about it, it’s pretty easy to like, look at the depth of the problem and think you can’t have an impact. And it’s also like, if you look at what Jeff Bezos, his ex-wife’s doing, she’s giving away like, a billion dollars a month or something like that. I mean, Zuckerberg gave $400 million, just to counties who needed help. So, sometimes we look at that, or like, Oh, I really hope our million-dollar grants can have an impact, but what we find is that there’s other people who want to give maybe $100,000, or 50,000, and they don’t think it’s impactful. Everything you can do, no matter how big or how small, it’s very impactful to somebody who’s going to find your passion and don’t be afraid to help.

Chris Glanden 32:40

So where can our listeners go to get more information about this? Could you go into a little bit about what the application process is, and sort of what organizations are in scope?

Ron Gula 32:51

So, our websites, Gula.tech, and the foundation link is at the very top of the page. We’re only asking six really pieces of information from the grant applicants. So, the first is just the basics. Are you a nonprofit? What’s your EIN number? Where are you located website, you know, that kinds of but then the other questions are those same five questions that we ask entrepreneurs, what problem do you solve? How do you solve it all the way to what your vision of success is? And these questions are tailored for our grant process for the increasing African American engagement cybersecurity.

So, we want to know very specifically, what part of that problem does somebody try to solve? How do they solve it? If they are giving grants to scholarships to let’s just say, like African American women, we’ve seen some programs like that, how many have you given? What’s the result of that? What kind of impact does it have, whereas other things are a little bit more either like professional societies or academic research in this area? We want those questions answered and then our grand advisory board, which about 30 folks, they are going to look at the answers and we’re going to pick the top three folks. So, the grant form, we tried really hard to make this easy. The questions themselves are limited to 1500 words. We’re not trying to create a lot of work for people, we’re trying to create a lot of opportunity for them to apply. We’re using an automated system on the backend Wufoo, which is a very common application for collecting forms and surveys and that form goes live January 4.

Chris Glanden 34:30

I’m looking forward to seeing his rollout and seeing the program develop. Very excited about it. So I want to switch gears here just for a moment. You’re based in Columbia, Maryland. Is that correct?

Ron Gula 34:42

That is correct. The center of the cybersecurity universe. A lot of people think it’s in Silicon Valley, but it’s actually in Columbia, Maryland.

Chris Glanden 34:51

I’m curious to know if someone would come in from outside of the area maybe to a conference or to visit a client. Would you be able to recommend a good bar in your area? What comes to mind?

Ron Gula 35:02

So, Maryland has got a lot of really, really good places to go. So, you’ve got Baltimore, and you can’t talk about Maryland without being realizing that DC is right there. It’s not technically in Maryland, and you got Annapolis, and there’s a lot of really, really good craft Breweries around here. There’s also been a lot of distilleries.

So, there’s a couple good– So just north of Columbia, in in Sykesville, is a Sykesville distillery, they have something called Bigfoot Bourbon, which is pretty good. Down towards Southern Maryland, there’s a tobacco farm distillery where they, they make some bourbons and some rums as well, and then also, if you’re kind of doing tourist thing, Guinness, actually has a brewery, right here in Maryland, just on the southwest side of Baltimore, you can get their blonde Ale. It’s the only Guinness pub here in in the States, where they make it, and then if you’re actually in Columbia, which was your question, Victoria’s GastroPub has just a great selection of craft Bourbons and beer in the area. So hopefully people will enjoy any of those things.

Chris Glanden 36:22

Yeah, I definitely recommend that Guinness brewery, I’ve been there several times and it’s phenomenal. So, when you visit a bar, or you go to a brewery, what’s your poison? What’s your favorite drink at the moment?

Ron Gula 36:34

Oh, I like all sorts of different things that go with cigars. Whiskies, bourbons and I don’t drink just one thing. So, everything’s in moderation. I like variety. So, if I’m going to a bar and its fancy drink time. I get like an old fashioned, something like that. I kind of like if you’re going to go to a bar and kind of do it up and they’re going to smoke it for you and maybe put some rosemary in the drink that kind of stuff. I do enjoy that, but usually if we’re going to do Bourbons and whiskeys and talk cybersecurity, we’re probably going to be dipping a cigar in there as well.

Chris Glanden 37:21

Yeah, I’m in line with you. That’s sort of my go to is bourbon, The BigFoot bourbon and I got to check that out now because BigFoot bourbon, it sounds like it’s hard to find, and you just gave me the secret on where to find Bigfoot.

Ron Gula 37:34

And it’s blurry, when you get the bottle. So that’s the same distillery like a limoncellos and that is like lemon infused, vodka and you put a splash of that in your bourbon, you get a really, it’s almost like a craft drink at that point.

Chris Glanden 37:53

From a risk management perspective, could you name the biggest vulnerability you tend to notice in bars?

Ron Gula 37:59

Wi Fi. I can still remember, I had an uncle, we were at a bar. And he had McAfee mobile protection on his phone and he is like, Oh, it’s saying I shouldn’t connect to this Wi Fi because it’s not secured and I kind of told him well if it was secured, how do you know that the guy behind it, isn’t recording anything, everything anyway, you know, and it was just kind of a telling kind of moment, but Wi Fi is a big deal.

Everybody kind of trusts, what they what they see and I just think it’s really tough for the general public to be an ISP, because that’s really what you’re doing, and so that Wi Fi is a big attack vector for other people to look at your data on your phone. Same thing, Bluetooth, you know, a lot of times, I think people don’t realize how easily you can get information on somebody else, just by doing Bluetooth sniffing. So that’s not really the fault of the bar and one of the cold cooler things that when people bring their own remote controls into bars and change the channel, I’ve seen people like turn off news or turn on Fox News, depending on where you’re at, and that’s always fun.

Chris Glanden 39:14

You’re from out of town, you need your game on, right? Get it on the TV somehow.

Ron Gula 39:18

That’s right. Probably, the most sophisticated ones, people airplay from their phone, they realize that there’s a Mac and I’ve seen people try to do that, which is you got to figure out the Apple ID and all that kind of stuff but it’s been done.

Chris Glanden 39:33

Thinking like an attacker if you want easy targets that may– I’m not a proponent for this in any way but you know what I mean?

Ron Gula 39:42

Bar security point of view, I think a lot of them have cameras, but then the question is, what’s the state of the art on those cameras? Is somebody watching that 24/7, it is an AI who’s going to flag something and then a human’s going to look at it. What’s the deterrent there? And, for people who are concerned about being videoed, you’re going to get a lot of that in these bars.

Chris Glanden 40:10

I just heard its last call here. So, I have one more question for you. If you opened a cybersecurity themed bar, what would the name be? And what would your signature drink be called?

Ron Gula 40:21

Holy cow! If I was going to open a cyber security…? That’s a great question. I was going to open a cybersecurity themed bar; I would probably have to go with some sort of binary hex double meaning in the name. Sometimes with hex codes, you call things fox box. You know, for FF, that kind of thing. So, I probably call it like, zero x fox box-01, just something that and people call Fox, that’s maybe cyber-Fox, but try to get some of that out there. I would probably then do a drink. I would have to probably use products from our past.

So, I’d probably have a Dragon drink, a Nessus drink and maybe like a Tenable drink. They’d all be bourbon based. They’d all be have different levels of stuff, but probably, maybe like a Manhattan, or even like a Negroni, those are some of the drinks I’ve been making lately. So that’s what’s coming to mind.

Chris Glanden 41:25

That sounds like my type of bar, and please build it in Columbia, or close to me, because I feel like I’ll be a regular there.

Ron Gula 41:33

It’s got to get a better name.

Chris Glanden 41:35

No, I like it. It’s very niche. And you know who’s walking in. Could you explain to us really quick, you mentioned the Gula Tech website, but is there any other website or link you can direct us to and also, what is your online footprint? How can our listeners, keep in tune with what you’re doing?

Ron Gula 41:53

So, we put everything in Gula.tech. We have a blog, we have a podcast, we talk about all of our companies. Recently, just for example, had WhiteOps was had an acquisition by Goldman Sachs and a couple other events. That’s all that information’s out there. I’m pretty active on LinkedIn.

I will post stuff to Facebook and in Twitter. Twitter, I find a little bit harder to have a conversation. So, I try to just kind of, either support explorer companies who are on there a lot and whatnot. But I’m Ron Gula, on Twitter, Ron Gula, at LinkedIn, and the website again Gula.tech.

Chris Glanden 42:33

Excellent. Thanks again, Ron. It was great speaking with you.

Ron Gula 42:36

Thank you very much for the opportunity, and I look forward to having a glass of Dragon bourbon with you at some point.

Chris Glanden 42:37

I’ll be there.