Guest Cassio Goldschmidt, CTO of Reflex, discusses his career evolution and the launch of Reflex Security.

Cassio Goldschmidt is Co-Founder and CTO of Reflex Security, the AI-powered tabletop exercise platform. Previously, he spent nearly seven years as CISO at ServiceTitan, building the security program from inception through the company's December 2024 IPO. A three-time CISO Connect Top 100 honoree, ISC2 ISLA Americas winner, and holder of three U.S. patents, Cassio has spent 20+ years securing Fortune 500s and startups at Symantec, Cisco, Intuit, and Stroz Friedberg.
Narrator:
Welcome to 909 Exec, the executive leadership podcast from 909 Cyber, where cybersecurity intersects with business strategy. Your host is Den Jones, founder and CEO of 909 Cyber. For more than three decades, Den has led enterprise security at Adobe, Cisco, SonicWall, and Banyan Security, helping executives navigate risk, trust, and transformation. Each episode goes beyond headlines and hype with conversations that matter to leaders shaping the world of technology. So please join us for 909 Exec episode 61 with Den Jones and Cassio Goldschmidt.
Den:
Hey, everybody. Welcome to another episode of 909 Exec. Hopefully we are giving you some good education along your executive journey and I always believe that we're lucky in our network to have some amazing guests come on the show and share some of their wisdom. And today is just like that we've got Cassio Goldschmidt. And Cassio, you are a bit of a revolutionist in the startup world. You're currently the chief technology officer at Reflex, so we want to dig into that a little bit, but why don't you introduce yourself for the audience and then we'll dig into your journey.
Cassio:
Hey Den. So glad to be here. So my journey started about 20 some years ago and I started when I got an internship at Cisco Systems. Soon after that internship, I joined the Advanced Technology Group there and designed a number of systems for Cisco. Moving down to Symantec where I spent like 10 years as a senior principal engineer developing the enterprise software for them. Several companies later I ended up at ServiceTitan where I served as a CISO for seven years from all the way since the company was a pre-unicorn all the way to their IPO. And after that I decided to start Reflex Security.
Den:
Awesome. I mean throughout your, you've got this storied LinkedIn career really, right? So founder, advisor, OWASP, venture, VC advisor and things of this nature and now Reflex. So why don't you share a little bit on the ... When you were a kid growing up, I mean, did you grow up in the Valley and therefore things like Cisco is just on your doorstep? I mean, what was that childhood like?
Cassio:
That's a great question. So I start working with computers when I was about 13, 14 years old in Brazil and computers are really rare at that time. I remember asking my dad, "Hey, I read this book about computers. I want one." And it would cost quite a bit of money. The first computer he had for his business cost the price of a van. I was lucky to get one at my place and we start programming things. And by the time that I went to university, it was like the obvious choice was to go to computer science for me. After I finished my bachelor's degree, I was looking for what I would do next. And there was this opportunity to work for a company in the US in California that I didn't hear much about was called Cisco. And to my surprise was right before the internet revolution and that's how things really get started.
So it was from early beginnings in another country directly to Silicon Valley where things were happening.
Den:
Yeah. And I think you and I, I mean, we've got probably an overlap of our journeys where I think my first IT job was about 92 or 93 or something of that nature and doing technician type of work. And again, like you, right, it was just at the start of that internet boom thing. And the thing, what was one of the earlier projects that you got involved with and your early lessons that you learned, what was that experience like?
Cassio:
Yeah. So there were a number of projects that I got involved early on from industrial automation before coming to US in Brazil and it was a lot of fun because every week I would get a new device on my desk and have to figure out what that device was and how it connects to the computer and how it talks to the computer. So that was one of the things that I did that was really fascinating because of the discovery. I think we all have this thing about passion for computers, for the discovery, for understanding different things. When I went to Cisco, the first project was a project to integrate and configure the new PCs they had was called Splice. And the idea was you have all the software, but you have to configure your email, you have to configure all the productivity tools, customize the computer and so on.
And that was not something that you could just press a button on the internet and then get all downloaded for you. The next thing, once they finish that project, they go and say, "Well, we'll give you something different. You have to do a video conference," which was really, really early on given where we were with the technology at that time.
Den:
Yeah. Wow. And that reminds me of my old Novell days with Novell's GroupWise. I used to be big into Novell. Love that technology. Okay. So as you go through your journey now, you've done some CISO work. So why don't you share ... I think quite a lot of the audience are security practitioners. So why don't you share a couple of things. If you wanted to be a CISO today, what did you learn that you would advise other people do or other people avoid?
Cassio:
Yeah, it's actually a great question. I think as a CISO, the first thing is prepare yourself for the position and preparing yourself takes a lot more than just technical knowledge. A lot of people are promoted to CISO because they are really technically savvy and you see they're failing because they fall in love with the technology and not necessarily with the problem or the people and you need to have a little bit of both. I was fortunate in my background to not only have the computer science master's degree, but also an MBA and generally care about people and make sure that when implement projects have the right buy off from the general employee audience as well and do something thinking about them, how they would actually receive things and the usability of things. I mean, sometimes you have to do hard decisions. A lot of times you have to say no, but you also have to see what makes sense for the business and what's the right size for security whenever you have to create policies and make determinations about what makes sense for the company.
Den:
And you raised a good point, right? There's a lot of executives that are technologists and they're more in love with technology and nice, shiny objects and they kind of really forget. I think as you get to the C level situation, then you're really a business leader. You're a business leader with a discipline and in our case security. Now you've done an interesting role into it though, right? You were a business information security officer. So can you share what do you see as a difference between that role and a traditional CISO and then how did that help? What did you learn in that journey that really helped round out your career?
Cassio:
Yeah. So when you are a BISO, a business information security officer, you will be working with several business units a lot of times. And the difference is that the resources are not owned by you. You have a shared resource that you pull people for projects and when you're a CISO, you do have your own resources. We still have to deal with other teams and make sure they are on board and work in a very cooperative way. But the main difference is how much you get involved with things. A lot of times when you're dealing with several different business units, you are perceived as an outsider that wants to help more of a consultant than really somebody who is in there for the journey. I would say that is the main difference. When I was a CISO, I felt a lot more integrated with the day-to-day of business.
Den:
Yeah. And I'm guessing, I mean, it also depends on the size of the company and the maturity of the company for those roles to even exist. I mean, the CISO role I'm going to say is newer than the CFO or the CIO. So even how that role is treated, I think is still in flux sometimes. I mean, you've got a lot of cyber experience, right? So then you're AON, you're also part of the Forbes Council, you're part of OWASP. And so the community side of your life, there's a lot of executives I think that really mess up their networking, they're insular with their own company, then when shit hits the fan, then they suddenly have to go find a job and they realize they've not networked, they've not been part of any of these outside networking groups or like OWASP and things of this nature.
So how vital do you think it is for people to get involved with, grow their network early? I always tell people you should do this stuff all the time, but what's your take and then what was the benefit?
Cassio:
Yeah, 100%. I think all the time that they put for OWASP, ISC2 and many others actually paid back double, triple. And that's the people that you meet, the network that you create, what you learn from each other and find people who really are passionate about the same things that you are. So with OWASP, which is an international organization, I actually made great friends who were in other continents and I was able to work closely with them helping to review material and create material or even helping with conferences that made a big difference in order to know what are the newest, what's the latest, and what works, what doesn't work. So I definitely recommend everyone who has the opportunity to actually work with these kind of communities to actually take the plunge and do it. And in fact, it's not something that is hard. Those communities, you can actually volunteer.
You just go and say, "Hey, I want to work in some projects." And they will actually accept you. They will actually welcome your contribution.
Den:
Yeah. I mean, I found that although personally I've really not spent enough time to get involved, but I mean, anything from ISE to CSA to OWASP to ISSA and all of these guys, they all need help or they also really need practitioners to come in and share their experiences and stuff. Now, okay, so you're the CISO, the company's doing great for whatever reason, and I want to dig into this, but for whatever reason you're like, "I'm going to not be a CISO any longer. I'm going to start something new." What was the trigger for you that made you think this was the right move?
Cassio:
Yeah. So I think it's pretty rare for a CISO to be in a company for as long as I did, which was nearly seven years the same company coming from starting the security program for the company all the way to an IPO two years ago. And I felt like, okay, I've done what I'm supposed to do here. The company has a very mature program and it's time to do something new. And deep down, I always felt like I'm an engineer at heart. I like to invent things. I like to create new things and there came this opportunity at the right time and the right place to actually create something that was very innovative and that was the main catalysis to actually go and decide to do Reflex Security.
Den:
Awesome. That's awesome. Yeah. Right. Okay. We'll take a minute for a quick break and then we'll come back and dig into Reflex. Hey folks, just want to take a minute to say thanks for listening to the show, watching the show, however you engage with us. If you're liking the conversations, if you think we're adding some value, we'd love you to like, subscribe and share the show with your friends if you know of anyone else that would benefit. Ideally for us, that will help us be able to grow the show, invest more in the quality, get some more exciting guests and keep bringing you some executive goodness. Thanks everybody. Take it easy and enjoy the rest of the discussion. So Cassio, so let's talk about Reflex Security. So first of all, let's start with what advice would you give someone who is about to take the leap that you've done?
Give me one thing that you say they have to think of when they're just starting this new business.
Cassio:
Yeah. I think a lot of people think about starting new businesses because of the potential payback of starting a new business. It's not the right reason. It should be something that you're really, truly passionate about. Something that you go and say, "Hey, I have to implement this. I have to make it. It is a good idea and it makes sense." You have to see how long you can actually commit because it's usually not a small commitment of time and from snow and also professional time so that's also very important and also find the right partners. If you just try to do everything yourself, you're very likely not to be able to fill all the roles that you need.
Den:
Well, that's certainly an observation I've made since starting 909 and talking about partners, I mean, we're super excited with what you guys are up to. We've been paying attention. We've got a partnership in place. We've even dropped a little link on our website. So we're really excited not only about the space you're in but how you're approaching this. So why don't you share with everybody, okay, so what is reflex security? What are you bringing to market and why are you different?
Cassio:
Yes, that's a great question. Reflex security came from the fact that the way we do tabletops today is simply inadequate. It doesn't give you what you really need, which is to prepare for incident response. And if you look at the practice of tabletops, it actually started in the 1800s and it started as a game that was played against militaries and they would actually prepare for a war human against humans. So somebody would do a move, somebody else would do a countermove and so on. And that was a really great way to prepare and think about the battle before the battle starts. Fast forward to today, we have PowerPoints. So now it's executives against static inject PowerPoints, which they just discuss around the table, a theoretical type of attack that a lot of times doesn't even have the right level of details for actually a CTO or engineering to get excited about.
So we decide to change that. And the way we're doing is using AI and leverage agents to actually simulate attacks. So we have a set of agents prepare for tabletops. The first one will help you to design the right tabletop, given the OSINT about your company and everything that we can actually find out about the company. Then we create several agents to actually be part of the tabletop and add the pressure that you actually see in a real incident. With the simulation, we can actually tell people things that you cannot with the regular tabletop, whether people panic, whether people choke, whether people do incorrect mistakes or whether somebody is overwhelmed with their responsibilities. And then we can actually have all this data in order to write meaningful reports that are based on facts and not just some opinion from somebody.
Den:
So a couple of things that our team observed while going through the demos and then further demos and actually seeing the platform and operation, there's a couple of things. One is in a real life scenario, sometimes executives are there in the room with you, but usually you divide them into a couple of different rooms. You've usually got the techies working away. Then you've maybe got the executives that'll pop in for the briefing or they'll do a side briefing and even some of the questions and the things that you get, you need them to answer, that might be separate. And you guys do a really good job of having the ability to do a separate tabletop for a group of execs versus the tabletop for a group of techs and engineers. You can have them all together, but you can really easily carve and slice and dice this so that you have the maximum impact.
I thought that was really cool.
I loved in the agents where you can even get into personalities because you do in real life have different personality types. I've got someone who's my general counsel and maybe they're cheery and happy and oh no, wait, normally that's not the case. Yeah, sometimes. But then you've got an engineer who's grumpy as two shits and you've got also people that don't want to share their communication styles are different. And I love the fact that you could personalize the whole thing and also the speed to get up and running I thought was insane. I mean, it's pretty much like we could talk about this today and do the tabletop tomorrow. Actually, you could do it today, but the slowest part, the tabletop is actually not your platform. It's getting the people from the company to turn up and agree actually. I think that's usually the thing.
Okay. So pricing and stuff like that, one thing for me, I was pretty excited because the pricing models, it seems to be, "Hey, I could do a subscription like a monthly or annual subscription and then I can actually run and simulate tabletops on a regular basis or I can pay for the tabletop." So do you want to share just a little bit about the model, not necessarily the actual price because I know that prices are negotiated, but the actual model and how this is priced out.
Cassio:
Of course. Yeah. So I think you hit the nail on the head, meaning when you have this type of technology that was created by based on agents, it actually unlocks a lot of things. You can do asynchronous tabletops with smaller groups. Whenever you don't have people actually coming to a tabletop, you can actually have an agent to also play part of the people who are not there. So you could do a tabletop for, let's say the comms team and have the incident responder to be an agent or vice versa. You can have a more technical type of tabletop and have the comms and legal to be agents that will communicate and look at your communications and let you send to a customer. There's also an agent. So with that, you have as many tabletops that you can do usually for the price of what you would pay for one.
And you can have many tabletops that also have themes that are related to things that just happen in the industry because you can create things on the fly within minutes. So those are the things. It's priced depending on whether you're going to use a consultant, which you should, because it brings a lot of knowledge about things and it actually instruments things for people to actually diagnose how your team is doing, or you can buy and use as many times as you want and do yourself.
Den:
Yeah. And I was going to say, right, you guys have the consultant led approach like you'd normally expect in a traditional tabletop, but then you also have the, you can do it yourself. I know we talked about the train, the trainer type thing. I mean, I would love to think of you guys having training available where you get certified and you can lead the thing. That could also be a fun avenue. The thing that also strikes me is this lends itself really well to remote working situations where you don't want to bring everybody all in together, but you still want to do a tabletop where you're all on the same call together and go through the same experience, right?
Cassio:
Yes. Yeah. I think the reality for most companies today is that people work remotely and the incident range happens over Zoom or Google Meet or Microsoft Teams and so on and the product integrates with that. So it becomes very natural because it's just people talking about the incident and so on and we actually are transcribing everything that happens and we'll actually use an agent that will facilitate or co-facilitate the tabletop. They'll provide very pointed questions to every person that is in this video conference given their position and what they're doing in the platform and talking during the video conference.
Den:
Yeah. No, that's brilliant. And yeah, I think this is, as we discussed prior, I mean, our teams have met a few times and as we've discussed, I think this is a really good option for people in a certain niche where they don't have the money or don't want to spend $100,000 on a tabletop, but they do want to do quick rapid multiple tabletops a year. And actually the thing I thought of is this actually could be considered a pass mark for your annual security awareness training. You could bundle things into this tabletop that really checks enough boxes for that even to be considered good enough because at the end of it, a lot of the security awareness training I think is bullshit to begin with and people don't pay attention, but they certainly would pay attention when we're in this scenario and it could be anything from MFA bypass to somebody found a USB drive and plugged it in.
I mean, there's a whole bunch of regular security training things that just kind of drop in here. Now you guys are funded or you guys self-funded, you series A, series, where's that investment journey?
Cassio:
Yeah. So we have a number of investors already and among them, several professional VCs investors, but we're not series A yet. We're yet to announce our series A, but enough funding for years to come. So we're doing pretty good there. Another point I want to make is what you mentioned about the immersiveness of the experience and that is one of the things that is a differentiator for the platform. Once we do OSINT about a company, the story is about that company. You will see executives from that company being simulated as agents and so on and that makes the entire difference on how people engage with the platform and the experience they have.
Den:
Because you can easily learn enough about all the executives in the company. There's a lot of ... And actually for me, that's one of the biggest things when it comes to things about executive protection. I'm not surprised why the world of cyber executives get ... They always think because they're the CEO or they're the C level person, they don't need to be involved in this and they don't need to worry about the security, but the actual fact is they're probably the higher risk because they're the target.
Cassio:
Yes,
Den:
Absolutely.
Cassio:
Yeah.
Den:
Yeah. So I love the thought of you've started this product company, you've saw the market and you've saw the opportunity to transform the market. When you're speaking with customers and the funding thing for me kind of also sets the stage for where are you on the journey of this? So you guys are brand new, you're hot off the press. I can't remember, but was it roundabout? So we're recording this in May, but was it roundabout RSA when you guys were starting to come out as it were?
Cassio:
Yeah. So we came out January from Stealth after pretty much one year just developing this thing full-time. Yes.
Den:
That's excellent. Yeah. And then so I guess note to budding VCs that are looking to invest in something brilliant, then this is probably an option for them. As you move forward, I think from a competition perspective, you're really up against the traditional people that want to come in and take a month to plan and then all that prep work and roll in with 10 people and blah, blah, blah. Is that how you see it?
Cassio:
Yeah, I see that we have a disruptive product. It's truly native AI and very different from what we do today. And it is really a product that goes and does faster, better, and cheaper. It's faster to create scenarios, it's faster to generate reports. It's better in the sense that it actually capture things that the traditional tabletops cannot and cheaper in the sense that you can have several different tabletops if you buy a subscription and you can do many tabletops or tabletops with a subset of your people. So it really gives a lot of, how you say, advantages on the way that people do tabletops today.
Den:
Yeah. Yeah. Well, that's the thing is today, as everybody knows, there's different levels of quality of these things. And you can do the ones where you're just checking the box for some compliance nonsense where the quality is low and the price is low. And I look at it like this is a really good option for a company that they don't want to spend a hundred million on it, but they recognize that they actually want to take the time to do it right. So I think you guys have the ability to do it right really quickly and at a quality that I think beats a lot of companies that are going to charge 10 times your price.
Cassio:
And a
Den:
Lot
Cassio:
Of things that you experience, right?
Den:
That's
Cassio:
How we learn. That's how we internalize things. So that is also differentiator in the sense that if you experience something, you will remember when the incident is there.
Den:
Yeah. So Reflex security a year from now, what's your plan on how this evolves? Is it continue get funding, get clients, obviously grow the business, but how do you see this discipline evolving with what you're bringing to market?
Cassio:
Yeah. I think for the first time we're going to have reports that are not based on opinions, but based on facts and you can actually see companies improving, not only as individuals, but as a team in order to solve problems. And I think companies that actually adopt a system such as Reflex Security, they will be able to see this kind of improvement over time and that will make a big difference when an incident will happen. And quite frankly, we all see what's in the news today about the number of vulnerabilities and so on. And unfortunately incidents are going to become inevitable. Not to mention other compliance requirements for better training, training that also involves your third party or just one way or another when you do this kind of incident preparedness.
Den:
Yeah. No, that's so true. I see it where you have a disruptive product and I think it's pretty easy for me to imagine the time where this is how tabletops happen. And the thing about the subscription, I think some of these larger companies, I mean if you are like a Cisco today actually, right? I mean, let's pick on them for a minute. You and I both work there, so we get to use their name in vain a little. Cisco have got so many products that I could see them running a tabletop every month and in a way that is engaging and rapid and not drain on their resources. So yeah, maybe we should give them a call actually.
Cassio:
Several companies there follow this profile. Private equity companies who have several different companies underneath under them that are very different when you consider their stack, their executive teams, their industry they operate. They're the big companies that just acquire a new company. And wouldn't it be great if you could just run a tabletop, understand where they are and actually use that in order to get your budget as a CSO?
Den:
Yeah. Yeah. We should be knocking on some PE firm doors. I do have a few of them in our network. So as we wrap up, Cassio, I mean, what advice do you have for people in your shoes that ... First of all, you've picked something that you're passionate about. You've got the why in there, you've found something that is disruptive, you're obviously the cutting edge of technology with AI. What advice would you give someone who's following your footsteps? One thing to do right and one thing to avoid.
Cassio:
Yeah. I think continue to learn. I mean, if you look at what's going on with the industry right now, there are a number of new technologies and not a lot of things there are closing doors and a lot of new doors that are being open right now and the way that we develop software we use software is going to change radically. So keep seeing what's going on in the industry is very important, more important than ever.
Den:
Yeah. So one thing that you wish you'd never done, man, but you want to tell people, "Hey, avoid this, that was a pitfall." What would that be?
Cassio:
Oh,
Den:
Pick one. You don't need to go through 10 of them.
Cassio:
Yeah. I think pessim opportunities, right? Back to where we were talking, working with not-for-profit and so on. A lot of people think, okay, this is not going to go anywhere, want to help me in my career. It does in so many ways. I definitely think it's a great investment amount of time.
Den:
Yeah. I've had a lot of conversations with founders over the last year doing this podcast and I think there's a theme that really arises. One is understand your why really, as you mentioned, and this is the theme of don't think if I'm doing it because I'm going to be rich. Think of it I'm doing it because I'm passionate about the thing I'm solving. And I think the thing that I'm solving is going to really bring something different to the industry. And for me, the more disruptive your strategy can be, then the better it probably is because a strategy that's not disruptive. An old mentor of mine basically said, "Hey, if your strategy's not disruptive, it's not really a strategy. It's much the same old shit." And I'm like, "Yeah, that sounds about right." So yeah, hey, great catching up with you. We definitely, as I mentioned, at 909 Cyber, we're always engaging with companies with new, exciting tech and you guys checked all the boxes for us.
You got something that I think can save people money. I think you can reduce friction as part of what you're doing here. You certainly have the ability to reduce risk because you have the ability to expose risks that people aren't thinking about. And I think compared to the traditional method, you guys have got something special that I think is really accessible at a price point that is really accessible. And the important thing for companies these days, all the CISOs I know, they're all in a budget. I've never met a CISO yet that said I've got more money than I need. So I think you guys have, you're hitting a nail on the head, man. It's really, really exciting tech. Cassio, parting words, if the audience were going to take one thing away from this conversation, what would that be?
Cassio:
Den, we're very excited with the partnership and I think it's not only about building the right platform, but also the right people who can serve this platform, right? Because at the end of the day, it's a tool and how people were going to use, what kind of insights people were going to get really requires a team of experts. And that's what we've found with 909 Cyber is that the background and the caliber of the staff speaks for itself.
Den:
Thanks. Really appreciate that. Yeah. And everybody, so look, Cassio Goldschmidt from Reflex Security, he's a CTO there. He's a seasoned CISO, BISO advisor, all the things we can add in. And honestly, it's been great working with you guys. We're super stoked and yeah, I'm looking forward to the next year ahead. I think there's huge opportunity to help some people get some really good tabletops and I think this is a much needed space. So Cassio, thank you very much, Sir.
Cassio:
Thank you. It's been a pleasure.
Narrator:
That wraps up this episode of 909 Exec. If you found value here, subscribe and leave a rating to help others discover the show. To learn more about 909 Cyber, our advisory services, and how we help organizations secure growth, visit 909Cyber.com. Thanks for listening and until next time, lead with clarity, build trust, and stay secure.