Exciting News! We are transitioning from Cyber909 to 909Exec.
Carl shares his unique journey from flying B-52 bombers to becoming a Pentagon cyber warfare pioneer, then transitioning to corporate security roles at Campbell Soup Company before founding multiple security companies.
Narrator:
Welcome to 909 Exec, the executive leadership podcast from 909 Cyber, where cybersecurity intersects with business strategy. Your host is Den Jones, founder and CEO of 909 Cyber. For more than three decades, Den has led enterprise security at Adobe, Cisco, SonicWall, and Banyan Security, helping executives navigate risk, trust, and transformation. Each episode goes beyond headlines and hype with conversations that matter to leaders shaping the world of technology. So please join us for 909 Exec episode 59 with Den Jones and Carl Herberger.
Den:
Hey, everybody. Welcome to another episode of 99 Exec, your show that hopefully supports your journey as an executive in tech. And every episode, we bring in some fantastically amazing guests. And this week I've got Carl Herberger, the CEO of Corero. Carl, welcome to the show. And hey, thanks for your time. I know you're a busy guy.
Carl:
Nice to be here, Den. Thanks for taking some time to talk with me today. I'm looking forward to catching up with you.
Den:
Yeah, yeah, yeah. Now we met, we had a little bit of an intro and a prep call and stuff. And I know Michelle and your team, the queen of channel, the channel market queen. Amazing woman. And she introduced us and said, "Hey, you guys need to meet because you both have some fantastic stories and you're working on something which is near and dear to my heart, which is an awesome security product. So we're going to dig into that a little bit." Wonderful. But first, I want to kind of jump and learn about your background, your career. So let's talk about the young Carl. When you were a young glad and a teenager, what was your life like? Where did you grow up? And what were you thinking you were going to do with your life?
Carl:
That's funny. I don't know how most of your guests are. To me, I don't really think I'm extraordinary or come from an extraordinary background. Mine's not ... I don't think all that atypical except for the fact that my father was German. He was nine years old when the war ended and came on over to the US, married an American woman, my mom. I was born in the US, but because my father was an electrician for, at the time, Transworld Airlines, he got laid off in the mid '60s, late '60s when I was born. So you can do the math. And then I went to live in Europe in Germany till about eight, nine years old. Then returned back to the US when my father got a job with American Airlines, which was a much smaller airline back then, and wound up working for American Airlines for the next 45 years because he retired from there.
So I guess US, German sort of upbringing, high school and middle school in the US. And I haven't been back to New York really since, but I consider myself obviously a born and somewhat bred American.
Den:
Yeah. And you're in Pennsylvania now, right? Is that
Carl:
Correct? Yeah, that's right. Yeah. So I was in the military after I got a scholarship to Embry-Riddle Aeronautical University down in Florida. I got a flight degree, went into the military and was a B-52 aviator for the first eight years of my Air Force career. The last two years I was in the Pentagon. My career shifted because of a call by the US military to have an operator staff position in the Pentagon that was a brand new position for computer warfare. And I went kicking and screaming, to be honest with you, then I had no interest whatsoever in doing that. And I came out of that, actually changed my life and I changed my career. My wife contracted breast cancer. She asked me to get out of the military if she survives. I did. She did. I did. And that's how I got to Pennsylvania.
I did a search after I left the military, became the chief security officer at Campbell Suit Company for a little bit. And so that's kind of the kind of opportunistic journey that happened actually a lot.
Den:
Yeah. It's surprising how I think a lot of people, they don't necessarily go seeking something. It just kind of finds them, right? Yeah. What was it like? So B-52 bomber, right? That kind of seems like the environment where if shit goes wrong, it really goes wrong, right? So it's almost like failure's got a very physical and terminal definition there. How did that shape a lot of your learnings or decision making?
Carl:
I think being a military flight crew member, it is fundamentally rewires your brain. You learn things that maybe many other professions don't learn. You must fundamentally know everything about the machine. They have this saying in the US military, at least in the flying community, that it's what you don't know or you didn't research, that's what will kill you. It's as simple as that. So it's an easy way to get paranoid pretty quickly, you know what I mean? So you need to know everything about everything. So it's rather gritty when it comes to knowing it. And of course, these aircraft are super redundant. A B-52 typically has triple redundancy on every system that's out there. So you have to know pretty much everything three times over and what the differency in the redundant systems are and how you have different concerns on that. And then life being what it is, and of course it's a military aircraft, so people are trying to do bad things to you and trying to make sure that you don't return home.
So you have to figure out those scenarios too. So if this happens or when that happens or when this is hit and how that actually ... And of course in a B-52, takeoff weights 488,000 pounds with about 177,000 pounds of fuel. The rest of it is pretty much weapons. So odds are you get hit with something pretty good, you're probably going to go boom.
Den:
Yeah. Yeah. I mean, that's from a mind fuck perspective of trying to think of a better word other than swearing. But really that's a definitive kind of situation, right? Yeah. Sorry, I can go.
Carl:
No, so it also rewires your mind so that every time you take off and every time you do a pre-flight and every time, frankly, you return, you just live one day at a time. You write your story, you're the author that day, and you write your story one day at a time. I'm also quite a ... I wasn't in the beginning. I never resisted it, but along the way, I have quite a relationship with my Lord. And so I spend a lot of time with my Lord. And actually, I think honestly, most of my journey in life was being open to his propositions that people were providing for me and not being close to those propositions.
Den:
Yeah. Yeah. Yeah. And I think that's a good way to put it because in life, kind of going back to that career journey, you don't often think of what's next, what's next, what's next. Sometimes you try and steer your own career path, but then sometimes things just drop in front of you. So we're going to come back to that in a minute. The airplane business,
There was a guy on my team at Adobe when I ran enterprise security there that basically we were up in Seattle and we'd done a team thing and he's a pilot, small planes, and he's like, "Oh, well, let me take some of the team out for a flight around Seattle in the evening." And I was like, "Oh, that's brilliant." And he is wandering around that plane, checking things, double checking things, triple checking things. And I'm not the biggest attention to detail person, but he said one thing to me that really hit the nail on the head, which is, "If I don't check it here, I can't check it when we're up there."
Carl:
A hundred percent. Yeah, yeah. And
Den:
That's a different mindset entirely. When you're in your car and you're driving around your streets, you don't check shit before you go in your car.
Carl:
Yeah. You can always pull over. You always have this concept that you can kind of slow down and just kind of pull over. Can't do that in the air. It just doesn't work that way. Moreover, when you're military flying, there's so many sayings that we had. It was really funny. You don't worry about the runway behind you. If things aren't working, you make sure that the trees get smaller, otherwise you're doing something wrong. We flew, it was six miles a minute. So if you started to have the jet get ahead of you in your mind, at the very least, you're going to kill yourself. You'll probably kill a few other people along the way. So you had to think that fast, right? You had to think that far ahead. And it comes habitual. It needs to be. For all sorts of reasons, it needs to be.
The situational awareness needs to be great. Communication needs to be pithy.
You need to have sensibilities about time and place and matter. And of course, military, it's a totally different other thing. There's so many different pieces of military flying that's entirely different. People don't understand. When you get in a civilian jet, it gets pressurized to 8,000 feet. We can talk about why and how, but in military, you have a jet that's pressurized 8,000 feet and you fly low level, you get hit. That thing goes boom, just because of pressure differential. So we have ways of making sure that sometimes we fly unpressurized, but we have sliding pressurizations. And we're also, in a B-52, you're delivering ordinance, depending on the ordinance that you deliver. If you're not careful, that ordinance could take you out. So there's all sorts of sensibilities going on at the same time.
Den:
Yeah. And then, so the Pentagon business, so what dragged you into there and what kind of work were you doing there?
Carl:
Well, to be honest with you, I mean, I'll be completely honest with you. It was not something I ever fancied or wanted. I wasn't a flagpole guy. That wasn't my personality. It wasn't really what I was after. My desires were always just to be just, frankly, to be a crew dog. I really enjoyed that. One day, I got a letter from the Pentagon suggesting that there was orders actually headed back to the Pentagon to be at headquarters Air Force level. And a former squadron commander was recommending me for a position that they were forming the initial cadre of cyber warriors. This is back in the mid 90s. And to be honest with you, back in the mid 90s, what they didn't have was people that knew how to do cyber warfare. They just didn't ... So they didn't even know how to think about it.
So they were putting together a cadre of people and they put together disciplines that they believed would have sensibilities about this idea. And they were bringing together, for example, computer guys, people that did computer engineering and computer design and architecture. And then they would bring together counterintelligence people and sort of intelligence people, data people, that assemblers and so forth. Psyops people, this is also in the counterintelligence was people that knew how to do psychological operations. And then they were bringing together electronic warfare people and operators is what they call them. Operators are people that go to war. So a lot of the other folks were not typically what they call op plan people, people that would be participating in warfare operational plans.
The problem with that was that they just didn't know how the military went to war, right? And they didn't know how to use computer warfare, either an offense or defense in a plan, in an op plan. How do we integrate this into op ... So we were doing all that work. So they had to put me through training. They had to put them through training, sort of cross-functional training and all of that. They took me kicking and screaming because I mean, there was all sorts of reasons why I didn't want to do this, not the least of which I had to start wearing blues again as opposed to a flight suit. And it had been years since I did that. Plus, a senior captain in the Pentagon might as well be the bottom rung of everything that's just not ... Colonels make coffee, forget captains, that kind of thing.
And it was just not a discipline for me. I had no fundamental basis of it, but it changed my life, obviously. And so I started to understand that I'm relatively good at it and I really understood it. I got on with it very nicely. I got to see how more or less the mechanics of the Pentagon, the cogs in the wheel come together and how to think about things. So I learned a lot as foundational, but I really resisted it. And it was one of my biggest learning experiences, and I would say for anybody listening to this, if they're not already tuned out, is to not put yourself and your pride and your wants in front of some things that are presented to you. It may be just the very thing that you have no idea that you need.
Den:
Yeah. Yeah. Yeah.
Carl:
Yeah.
Den:
I got a tattoo that says everything happens for the reason.
Carl:
Yeah, exactly. Yeah.
Den:
I look at it like I've got a level of spirituality that goes along with this journey and kind of like you, right? There's a belief system. And in my belief system, I think there's an element of our life which is preplanned and carved out. And I think that we're on a journey and sometimes our ego doesn't see that or doesn't want it.
Carl:
Yeah. We want to see ourselves in a certain way and that is something I would encourage you not to do. I would say, this is how I think about it then. And for whatever reason, I think many people have different ways of articulating this, but I view it as your head ... So I believe when you're born, your soul, your person, you know what makes you happy, but really only you know what makes you happy. So in other words, as soon as you're born, you know whether or not whatever, a light or this food or this laugh or this person or this scenario or this temperature, these things please you or they don't please you. And I believe it's in your heart. It's like it's really written in your heart. You start to laugh at saying things almost instantly as a child and your brain is kind of like clueless at that stage, right?
And then somewhere along the way, your brain starts seeing what's going on and your heart can get you hurt. It can maybe even do some stupid things. You might like things like you might want to jump in a pool when you're a toddler and that's probably not wise and so forth. Your brain starts to be there in the beginning. I think to just help program around safety conditions, right? Say, "Hey, hey, that hurts or that's probably not wise."
The problem is as you get older, the brain catalogs all of these possibilities and these anxieties. And what it really comes down to, and this is where I'm going with this, is that, and I don't think enough people talk about this, your brain will never make you happy, never. There's no place in the world and no scenario in the world with thinking will make you happy. Only your heart will make you happy. And if you allow your brain to do all the thinking, you'll never be happy. That's why there's so many old people who are just completely salty and angry and they posit like ... And they're intellectual, they may have doctor's degrees, they might have done this and been that, but they're not happy.
Den:
Yeah. So I've done a lot of mentoring over the years and plan to continue to do more as well. One of the things I say to people all the time, especially when it's the career conversation, I look at it like, don't think about the career conversation. Think of it when you're on your deathbed, you're 85, and you're looking back at your life, what regrets do you have?
Carl:
Every person is a story and you are the author. And the coolest thing about that journey is like any movie that you watch, you ever watch ... Think about a great movie that you, like a movie that you love. What's a movie that you love, Ed?
Den:
Most of the Star Wars ones
Carl:
Are- Okay, Star Wars ones. Great. It's a great example. Let's just take, I don't know, the first one, story four, right? When you were going through it, what really made it great, especially the first time you saw it, is you don't know the end, right? You don't know that Darth Vader is Luke's father. So it's the middle of the story that really gets you going. And it's really the most powerful part of the story. Once you know the end, then if you see it again, it's a lot less impactful and it's a little less interesting because you know the end. We don't know our end. You don't know your end. We hope we have an idea about our end, but I'm sure that just like probably where you are today and I am today, we didn't know we would be there. I bet your title on your card was a title that didn't even exist 40 years ago or something like that, right?
So we don't know our end. We should just take that middle. We're in the middle. You and I hope we're in the middle, right? It's our stories. And I think trying to script out the end is not sensible and just enjoy the middle.
Den:
And you said one thing earlier, which really resonates with me is every day you get to write your story.
Carl:
A hundred
Den:
Percent. And then I saw some crappy meme, but it does ring home for me, which is someone's like, "Oh, you only live once." It's like, no, no, you only die once. You get to live every day.
Carl:
Every day. And
Den:
Every day we get to wake up and choose- If
Carl:
You're lucky.
Den:
Yeah. Yeah. And choose like, "Hey, how am I going to approach today?" And I always talk about- You're
Carl:
In my story and I'm in your story, right? No, we didn't know that was going to be.
Den:
Yeah. Certainly not a few months ago. And I love that. So I think there was a lot of lessons learned certainly in the B52 days and then the Pentagon. What would you say was the one thing that you learned that you still carry through, especially as you became the entrepreneur you are today?
Carl:
People are people, I think. Some of them are ... I think people are people. You get the same sensibilities. In business, people are motivated by maybe money in the Pentagon. People are probably motivated by more by money than you think, but power for sure, some sort of power ego. Pride is a powerful motivator throughout, and I would highly encourage trying to tamp that down. I think if you really want to be in successful ... Personally, I think people that are super prideful, eventually they fall off of that horse in one form or fashion or another. So I think the big thing that I learned is that the same things that kind of go around in the Pentagon go around in business, and it's just a different thing, different profession.
Den:
Yeah. And then, so first of all, thanks for your service.
Carl:
Thank
Den:
You. You left the service season and went to one of the fanciest soup companies on the planet. I mean, what was it like? See, I've spent a lot of time in companies and tech, right? So tech giants.
Carl:
Yeah.
Den:
I have done some manufacturing and actually one of our clients in the manufacturing, but again, semiconductors is tech for me, right? Yeah. So what was it like in this environment where you're manufacturing a food product that has the ability if shit hits a fan to kill people as well, not from the bombing business. But yeah, what was that journey like? And it seems like there's a theme of consistently focused on protecting up time. I mean
Carl:
High
Den:
Pressure job, right?
Carl:
Well, I was talking to you, if you just listen to your heart, if you listen to the thing, if you really listen to your soul, there's a calling there. And the closer you can get to it, the happier I think you are. And that's really where my calling is. There's no doubt about it. But yeah, so Campbell Soup was wonderful. I really enjoy manufacturing businesses. I like the production of an actual thing. Campbell's or is a very fascinating company, very old. And when I joined, it was 130 years old. So a company isn't around for that long that doesn't know how to develop talent and product and keep it going, built to last essentially. Campbell's what people didn't realize, and they still own many of these businesses, they own a lot of product. I mean, Pepperidge Farm, you're probably familiar with. They own that business for a very long time.
They actually grew Godiva chocolates. When I was there, they had owned Godiva of the brand for over 80 years. And they only sold it off about 20 years ago. Many brands like Franco, American Paste, Picanti Sauce, Prego's Tomato Sauce. It goes on and on and on. The V8, V8, Splash, lot of brands. And so it's a brand company. They call it consumer products company. I enjoyed so much about that journey. One of the first days I was there, I was in it, I happened to be in a meeting just because I was at the back of the meeting and they were talking about feminine soups and masculine soups. Have you ever heard of such a thing? I didn't either. And I didn't even know what they were talking about. They thought about the soup category in so hard that they had chunky soup, which was focused on men.
And then they had this thing called home style, which was focused on women, and they had the condensed line. So they viewed these things as fundamentally different demographically varied product portfolio, and it just blew my mind. I never thought of like, you could think that hard brands and demographics and sell to and so forth. It changed my whole mindset about how you think about a product, a demographic, a marketing campaign, a positioning and so forth. And they had another problem, which I think every successful business has,
20% of their users represented 80% of their volume, right? So they would find you would have somebody love paste picante sauce and put it on everything, put it in breakfast, lunch and dinner, snacks and so forth. It would be like this with every one of their products. And you always have this conundrum, how do you grow the business? You convert somebody that's not a heavy user to a heavy user, or do you convert your heavy users to eating yet even more? And it was a constant battle between two concepts around how do you grow a business?
Den:
And in your role as a CISO there, were you covering all the brands, the whole thing, and what was that experience? I mean, from a cyber perspective, a risk perspective, a risk tolerance, what was the tolerance for risk like there? And what were the attacks like? Because I'm sure there were attacks.
Carl:
Yeah, there were definitely attacks. Back in the late '90s, cybersecurity was a redheaded stepchild. There was nothing respected at all, but I had responsibility for the entire portfolio worldwide, and it was extremely difficult because we had thermal plants that produced heavy product like soup and drink, like V8 tomato juice and V8 fruit juices and so forth. And then Pepperidge Farm had a very interesting business. They had three businesses. They had a fresh business where they ran around and with literally bread trucks delivering fresh bread to stores. They had a frozen business, if you're probably familiar, they do a very good frozen cakes business and frozen pastry business. And so they had a frozen business. And then they had a shelf stable cracker business like the goldfish and the cookies, the Milano cookies and these kinds of things. And each one of those businesses had a very different go- to-market strategy.
The bread trucks had a lot of point of sale material that we had to lock down. So you don't think of a big food company having point of sale material and inventory control over one of the lines of their businesses. And then of course, Godiva was fundamentally a retail business, right? So it was all around the world and high scale retail business. And they basically, Godiva had seven days that it did all of its ... Seven holidays, that it did all of its business. You take away one of those holidays in terms of availability, it was huge. So you had Mother's Day, you had, of course, Valentine's Day, you had Easter, it was Halloween, Christmas, I forgot all the holidays that there were, but- All
Den:
Those normal money making commercial
Carl:
Things. They would ramp up their production so that they had available product along with the appropriate ribbons for the holiday for that. And you had to make sure that the retail environment was ready to handle that. So we had a very large on Pepperidge Farm. Even back in the late '90s, we had a very large online capability. So we had to protect all of that.
Den:
Wow. Wow.That would've been a fun gig. So we're going to take a break for a short minute and then we come back. I do want to dig into the Carrero business.
Carl:
Absolutely.
Den:
Hey folks, just want to take a minute to say thanks for listening to the show, watching the show Or however you engage with us. If you're liking the conversations, if you think we're adding some value, we'd love you to like, subscribe and share the show with your friends. If you know of anyone else that would benefit. Ideally for us, that will help us be able to grow the show, invest more in the quality, get some more exciting guests and keep bringing you some executive goodness. Thanks everybody. Take it easy and enjoy the rest of the discussion. Excellent. So Carl, so let's dig into this. So you're at the Campbell's place and you're sitting there thinking, okay, what's next? So what did you do after that? And I think what made you think of I'm going to start a business and this is the one for me?
Let's talk about that journey for a bit.
Carl:
Yeah. When I was at Campbell's, I really, really enjoyed myself, but it was local to Philadelphia. It was in Camden, New Jersey, but it's across the river from Philadelphia. And there was a gathering of CISOs from a company called SunGuard Availability Services. And they hosted a gathering of all local CISOs. And this was not unusual, especially back in the time. And I think you can tell I'm not exactly shy with my opinions and so forth. So out of that session, one of the fellows at Sunguard that ran one of their business professional business lines asked me if I'd be interested in starting a security business line over there. And you asked me about being an operator, an aviator, and how that changes my thinking. And I realized when I was at Campbell's that no matter what I did as a CISO, I would still always be a cost to the business.
Now that's okay,
But I was never going to be really, and that's okay, but I was never going to be a business line. I would never be really fundamentally revenue relevant to Campbell's. And I enjoy being relevant. That's just who I am. So when I had the opportunity to run a business and be asked to run a business, although there was no business that existed, so I would be mentored into running a business. It was super attractive to me. So I started the Sungard business back 2000, 2001 in cybersecurity, which was a long time ago. And it was really a professional services business built around disaster recovery and business availability. So I'd had vulnerability assessments, pen tests, compliance assessments and so forth and all of those things that we all know and understand today. But back then it was brand new. And they had already had a business around business continuity consulting like BIAs, if you're familiar with them and disaster recovery planning and all of that.
So I learned how to put together SOWs, how to sell features and benefits, how to be able to manage people's times and do service delivery and grow business and have clients and know how to commit to clients, know how to do escalations and escalation management and all of this. And happy to say we grew really a powerful business over a relatively short period of time.
Den:
Yeah. I mean, I think you were there about five years. And it seems from your career, you've just continued to evolve in that journey, right? So you then went to Allied and-
Carl:
Allied into security. Yeah, that was a business that I started. It was essentially a very analogous business, but I tacked on a managed security element to it, which was actually AlienVault, eventually a very early version of AlienVault. And then my business got purchased by a company called Evolve IP. I moved over there and that was a SEM through the cloud business back in 2008 or nine, which was early time to be doing this idea of security event management through the cloud. We used vendors tools like RSA and vision, if you remember that product.
And then I got approached by Rideware. Again, this is a phone call that came out of the blue, but somebody that knew me and I knew them. And a few years after I was at Evolv where they asked me to go into, consider the role at Radware to run their security business. And what was interesting about that business and what got my fancy, because it was super strange to actually even get the proposition for it, was to run R&D engineering for somebody that makes software and hardware, which up until that point, I had no history in R&D at all, only managed and professional services up until that point, right? Yeah. So that was exciting for me. It was a small business inside of a big business. It was only a $3 million business when I first arrived, but it was kind of on the way down and I had the good fortune of just being there at the right time at the right place.
Den:
So now Carrero, right? So you're a few years in on this business. So why don't you share what was the thought that got you into this? Why this? Why now? Why does it matter? Why should CISOs listen or pay attention in this space?
Carl:
The space that I'm in this space, the DDoS space or the cyber resiliency space, it is, I think both a fascinating space. I absolutely love it, but I will tell you that having been a CISO and also been in this space now for a long time, most CISOs don't care about it, truly. And what do I mean by that? I mean, they acknowledge that this is in the portfolio of cyber problems, but they prefer to deal with something else. They prefer to deal with data problems. They prefer to deal with encryption problems, identity management problems. They prefer to deal with what I would consider to be more what people consider to be table stakes, security problems. Mostly DDoS has handled both budget, engineering and talent wise by networking teams.
And mostly not because networking teams want to handle it, it's that the CISO either outsources it to them or they're just not strong enough technically actually to be able to understand the solution. So it goes in two ways. They either go and do a check the box solution somewhere and say, "Yeah, yeah." If you think about security, it's supposed to be the CIA triad around confidentiality, integrity, and availability. But if you were to ever really test most CISOs on their knowledge, what goes on in each one of those spaces, I would say that probably they would probably come out quite high on the confidentiality space. They probably would come out pretty good, but a little less high on the integrity space. On all things that make up availability, I would say this is an area that most of them struggle with because they just haven't had to be tested there, like they once had been in there.
So this area I love because to me, it's very similar to my military days again. I knew in a bombing sequence, most of our bomb runs were 120 seconds, and if an enemy could deny us even just a few of those seconds on a bomb run, they would win. If we had to withhold our ordinance, they would win. Availability is everything today. If you can't keep your internet up, if you can't keep your application up, if you can't keep your system up, if you can't keep your service up, you're done. It doesn't even make a difference if your data is secure. It doesn't even make a difference if it has high integrity. If you can't access it, if you can't see it, if you can't transact it, you're done. So it is so important. But most people, it's like air, it's like water. Most people don't think about it, but if you don't have air or water, you die.
Den:
Yeah. And I guess a lot of people think of DDoS has been probably a product service availability issue where they're thinking we've got a product that's online and if it becomes offline because of a DDoS attack, then we're down as a business. And a lot of CISOs maybe think of that as being an application team or product team problem more than the security problem.
Carl:
Yeah. It's like people drinking water in Flint, Michigan. It was somebody else's problem until they realized, oh, I should have been probably thinking about who was scrubbing my water before I drank my water. I should have probably been really looking at that before I drank. And businesses are the same in this space. DDoS or the service availability. I mean, look at what's happening around the world. As soon as there's conflict, people try to take you down.
Den:
So the good thing is you've got decades of experience in the security space as a CISO, but then also as building a practice where you're selling to people. So when you're in the conversations on the pitch of Corretto, what's the typical ICP and then who's calling you and why? And then how are those conversations playing out? And then what makes a good customer?
Carl:
Yeah. Yeah. So I appreciate that. Traditionally, Carrero was focused on tier two, tier three service providers. So people that are doing managed services or technology services, they're ... Think of the Arctic Wolf for DDoS, something like that. More recently now we are doing a lot of work with tier one service to provide big telcos, big SaaS companies, like table stake SaaS companies, the ones that you would know. And now big banks and big healthcare companies, right? So very large banks. There's a couple of things going on with DDoS cyber resiliency that wasn't here just a year ago or two years ago. There's now ... Security's used to having a lot of regulations, but almost nothing in cyber resiliency. So it was always data security of some sort or encryption or that kind of thing. Now that there are these big laws around the world, mostly because of the geopolitical environment, but not only ... In Europe, there's something called the Digital Organizational Resiliency Act.
And if you're a critical infrastructure provider, you have to prove that you're not just checking the box in this space. And critical infrastructure's got a broad, broad spectrum to it. So internet service providers, financial service providers, technology service providers, healthcare, water, electric, blah, blah, blah. So that's big, is now be regulated. And then there are a lot of regulatory authorities. There's something called the Telecom Security Act in UK, and they have demanded upon all of their internet service providers and critical infrastructure to prove to them this year that they can operate in country without any connectivity, and they're worried about basically their undersea cables being cut. And when they say operate, it's a supply chain thing. They want to make sure if you have software or hardware that you rely on to deliver your services, that those vendors operate, maintain that software and hardware in country locally.
So this sovereignty issue is becoming huge everywhere. If you're familiar with Saudi Arabia, they want everything in country and so forth and so on and so on. So for us, this is a boon. So said another way, we feel like every company needs some form of
Availability protection. So it's a question of how you're procuring it.
Den:
Yeah. And I do see that shift now where people are, countries and businesses within countries are more looking at localization of services because ... And I think there's like the chip situation with Taiwan, like Europe and the US need to build fabs quicker than crap. And then where do they get their services from in order to deliver an end to end thing?
Carl:
And like you were saying with your business, right? Your new concept, it's fundamentally who are these people and where do they operate and what are their real skills and do they have ... Yeah. So this is becoming huge everywhere. 25% of Carrero comes through product that you're probably consuming us, but you don't know it. So for example, one of our sell-through partners is Akamai. Another sell-through partner is Juniper, which is got purchased by HPE. So if you're doing DDoS on a Juniper router, 100% of your DDoS will be us. And if you're doing GTT, if you have a GTT link and you're doing DDoS, that is 100% Carrero.
Den:
Yeah. Yeah. And I think that's one thing like white labeling and the reselling piece. I know we're up on our allocated time. If you've got a few minutes, I would love just to wrap up on, A, we should try and get you back on the show because I've still got about 10 questions here, Karl, but I never even got to me.
Carl:
I will tell you that people have accused me a lot of things. Being short on words is not one of them.
Den:
I'm exactly the same myself. Somebody said I don't talk a lot. I just have stories to tell. So it's great catching up with you, great hanging out. Yeah, I'd love to have you come back on the show. So we'll start up-
Carl:
Maybe we can do it from Scotland live. I know that you're Scottish and we have all of our software development in Scotland, so maybe we can do something, bring the Scotts together.
Den:
That's right. You did say that, right? Yeah. We could do a little Scottish tour because I actually have quite a few friends that have their businesses and actually Harmonic Security is another Scottish CEO and stuff where he's got a lot of his dev team back in the homeland.
Carl:
Where in EDI or ...
Den:
They do AI. So they do AI security and they're focused on just finding out what people are using within the company. I think one of the biggest problems in security that we start off is know what you have, know what you've got to try and secure.
Carl:
100%. In the
Den:
AI space, I see most of the companies that we talk to, they have no visibility into how people are using AI and they'll put policies or guidelines or guardrails out there, but they still don't know whether you're using the company instance of ChatGPT or their own personal one and they don't know what data they're putting in there. And I think that that is the step one of solving that problem is let's know what we have and what people are doing and stuff.
Carl:
100%.
Den:
Yeah. Yeah. Carl, thank you very much. Carrero is something that I got excited about when I heard about it because I do agree. I think there's a ... I don't know. I just think there's a lapse in our CISO community or practitioner space where we think of DDoS as being something that it's someone else's problem really. But if you look in the last couple of years, there's been more and more globally impacting events because of DDoS attacks.
Carl:
The number two is cyber attack in the world. It's ransomware and DDoS. And you can look over reports over and over and over and over again. It's the number two attack in the world and CISOs seem to issue it. Not all of them, but a lot of them. It's really a funny thing. I don't really understand it. It's okay. Networks picks up the Slack, but it's really a funny thing. If you get, I think, a very powerful CISO, they really have a comprehensive religion around their role and availability is one of them.
Den:
Yeah. Well, Carl, I thank you very much for coming on the show. The one thing I was just thinking of is you're probably the only CEO founder I've had on the show that spent more time in the trenches of security than being the CEO. So I think the cool thing about this is quite often we meet founders and CEOs that have done stuff in security, but the number of years that you've been in this space, I think you're super well positioned to have that CSO conversation and probably no more shit than the CSO you're talking at the top of me.
Carl:
I used to have hair, right? That kind of thing.
Den:
Yeah. Yeah, exactly. So Carl, thank you very much. CEO of Corero, Carl Herberger, thank you, man. And we'll get you back on the show.
Carl:
Absolutely. It was great speaking with you. Thanks for having me on board. Look forward to any time going forward.
Den:
Of Course. Thanks very much.
Narrator:
That wraps up this episode of 909 Exec. If you found value here, subscribe and leave a rating to help others discover the show. To learn more about 909 Cyber, our advisory services, and how we help organizations secure growth, visit 909Cyber.com. Thanks for listening, and until next time, lead with clarity, build trust, and stay secure.
.svg){kind=icon}