7th July 2017
Join Insentra CEO Ronnie Altit and Gerry Sillars, MD of cyber resilience vendor UpGuard, as they discuss how UpGuard came to be, how they are innovating the cyber security space and the story behind their logo. Stay until the end for some outtakes and Gerry’s funniest joke (warning: not for the faint hearted).
SOME KEY POINTS IN THE VIDEO INCLUDE
[3.04] The story behind the UpGuard Logo
[10.50] It’s impossible to understand the risk in your environment and therefore impossible to be resilient, if you don’t have visibility.
[11.40] The three areas that UpGuard tackles are Discovery, Control and Protect.
[21.13] Dev, Test, Production, DR: How to make sure they are all the same
[29.42] The funniest joke Gerry Sillars knows (not for the faint hearted)
READ THE TRANSCRIPT
Ronnie Altit: Welcome to The Download. Today, I’m joined by Gerry Sillars, Asia Pac head of a company called UpGuard. Gerry, welcome to The Download.
Gerry Sillars: Thank you, Ronnie. It’s such a pleasure to be here.
Ronnie: I’m sure we’re going to have an entire Sean Connery session. Gerry’s one of our favorite Scots in the IT channel. Some of you may have known him from his career history, but let’s find out about what Gerry’s doing today. Gerry, tell me a little bit about UpGuard. Tell me a bit about the background of UpGuard, how it started.
Gerry: UpGuard, an Australian-born organization started by two guys who worked in the corporate IT area of the banking and finance industry. A guy called Mike Baukes and a guy called Alan Sharp-Paul. I’ve actually interestingly known Mike since 2002 when I arrived in Australia and working for a company called Commvault, who you obviously know well. Mike was the backup guy at Colonial First State, who are the wealth management arm of Commonwealth Bank.
Mike had a fairly meteoric rise in his career, certainly, inside CBA. Within two years, he was running all of the server environment, which is actually thousands of servers and a couple hundred people that are working for them. Mike and I, personal history, go back a few. When I arrived in Australia, CBA were one of five customers that Commvault had, originally, at that time.
Alan, on the other hand, comes from a development background. Mike and Alan worked together in Colonial First State. The first meeting that they had, Alan being the dev guy. As you know, dev guys always develop the best software in the planet. Alan was the best software developer in the planet, had the best piece of software they wanted to deploy in production in CBA.
He went to Mike and said, “I need three servers.” Mike said, “Get lost, I’m giving you nothing. What’d you want it for?” He said, “I’m not telling you.” That was the start of, ultimately, what became UpGuard. Actually, ScriptRock, and then UpGuard. Mike and Alan’s careers progressed going through the years. They latterly worked together at an organization called Lloyds International. Again, you probably know. They bought a bank from scratch in nine months, and then did some consultancy after that.
They realized in every financial institution they were in, that they had the same problems. Typically, when something had gone wrong, they were called in to try and understand what had gone wrong in an organization. They’d sit down with 10 people, 10 consultants, 10 IT staff and see what went wrong. They would get 20 different answers. They thought that they could go and write a piece of software that would help and going to address that challenge. End of 2012, they gave up their jobs and they started coding.
Ronnie: The infrastructure guys started coding too?
Gerry: The infrastructure guy’s a fairly smart guy, yes. He plays guitar, speaks German, did a law degree in his part-time.
Ronnie: Hence the logo?
Gerry: Hence the logo, indeed.
Ronnie: The guitar pick logo.
Gerry: Yes, the guitar pick logo. We worked in an organization where everyone has a musical talent. Mine’s playing the spoons. [laughs] Everyone could play an instrument, I get to play too.
Ronnie: We had you before trying to sing. That didn’t work. Wasn’t so bad.
Gerry: I can do a bit of that. I can do a bit of that. Anyway, getting back to my story, if I can. If that’s okay.
Ronnie: Of course.
Gerry: The ATP, the innovation center here in Redfern, I had several months. As I said, it’s activating some code, got a small piece of investment through the StartMate organization which is an Australian-based organization that invest in tech startups. One of the nicest stories, from my perspective, I think that helps understand the acts of these guys: they got through some old contacts and opportunity an organization called Amadeus.
Amadeus, if you’ve ever travelled in Europe, you’ll have touched some piece of Amadeus technology. They typically do ticketing systems and beacon systems for all the airlines in Europe. Had an opportunity, they got phone calls in. It was five people in the business at this time, they had about $100,000 investment in the bank, $100,000 in the bank at that point in time.
They got calls in. We want to do what we call a proof of value, which is a better description of what people would traditionally have called POCs or proof of concepts. Our goal is to maintain value in the technology, and the customer understands that.
Ronnie: The concept is proven, right?
Gerry: Absolutely. Got a phone call on the Thursday from some guy in Munich. He was going to work with him on the POV and said, “We are very much looking forward to seeing you next week for the POV.” Shit, they actually expect us to be in Munich. They made a decision in the end that they would take all five of the staff, jump on a plane and go to Munich to do this POV. Basically, the decision was we’re going to burn half the cash that we got in the bank to going with all of these and win this deal.
They arrived in Munich on a Sunday and coded because they hadn’t finished coding what they needed to code for the customer. The upshot of that was they ended up getting a deal for $1.4 million, which really set the organization off and running. Right about that time, some of the early investors in the business — today, we’ve got a whole series of investors in the business – but some of the early investors in the business, a guy called Scott Perry, who had built and created a number of large US-based IT organizations, had said, “Guys, look, if you’re serious about this, you’re going to have to go to the Valley and try win some dough.” Jumped on a plane, did that, went up and down the 101. We co-found, as in co-CEOs, Mike and Alan. I’d say, if you’re going to look at the two individuals and two characters, Mike’s the comedian and Alan’s the straight guy.
Alan decided halfway through this trip that his pitching and presentation skills weren’t up to scratch and figured that the reason they were getting no’s every door that they knocked on was because Alan couldn’t pitch. Alan went and did a two-day course in a comedy club and did some standup to get over his inability to go and pitch. Next call they made, they got some funding, so they uprooted themselves and moved to the US. Literally, walked themselves in a room, five going to about 10 people for the best part of two years.
Ronnie: I might just stop you there because there’s a really interesting side story. He wouldn’t be the only person who struggles to present.
Ronnie: He struggles to pitch. His angle to that was throw himself right in the deep end, go and learn how to do standup comedy and put himself in front of a group of people trying to make them laugh.
Gerry: I don’t think they laughed, Ronnie, but at least he tried.
Ronnie: You found that it changed, totally changes his ability to pitch.
Ronnie: That’s a really interesting concept.
Gerry: Very humorous guy, very human, and very, very competent on his feet, nowadays, a great guy. Going the organization through to probably early 2015, hadn’t really tried to go and sell any products. They started recruiting. For sales, they recruited someone we actually just moved to Sydney to help us grow our business here. He joined the business mid-2015.
By the end of 2015, they decided that we’re going to invest in a sales organization. Did that in the US through 2016 with some notable success and won a number of flagship accounts in the US. Accounts like NASA, accounts like Intercontinental Exchange who owns seven exchanges worldwide. The New York Stock Exchange being the largest of those. We’ve just done a case study with ServiceNow on ice, which has Intercontinental Exchange, not to make issues with those type of ice. Home Depot and a number of others.
It had always been the organization’s intention to make the first international investment back in Australia. As I said, an Australian-born organization, very passionate about going and building a business in Australia. I joined the organization, I started this year. I’ve got a phone call from Mike in August of last year, which has done a B series of funding. We released now the $17 million.
Mike said, “Gerry, we want to do Australia. Let’s get going.” I said, “That’s awesome, no problem.” I’m in Singapore, so if we can do it in Singapore, that’s great. I can start at the beginning of the year.
Ronnie: You’ve started in earnest in Australia?
Ronnie: We’ll talk about our relationship in a moment. You’re also building the business in the Asia Pac region?
Gerry: I am.
Ronnie: What’s happening in the UK?
Gerry: I’m doing that as well.
Ronnie: You’re doing that too?
Ronnie: The business is really now truly going global?
Gerry: Absolutely, yes.
Ronnie: You’re series B funding?
Gerry: Series B funding.
Ronnie: Who are some of the investors that you’ve gotten now?
Gerry: Good point. I meant to mention that earlier on. We have a number of institutional investors in the US. I have a lot of ventures you may be aware of. August Capital, who were the first investors in Splunk, Pelion of Utah. We also have a couple of notable Australian investors. Insurance Australia Group ventures invested in the business, specifically, because they see a challenge in the cyber insurance marketplace or they see an opportunity in the cyber insurance marketplace.
Ronnie: That’s probably a good segue. Why don’t we segue that point into what are the problems that UpGuard solves. Gerry, tell me the top three or four problems that UpGuard solves through organizations, and then we can tie that into how does that fit with cyber insurance.
Gerry: Absolutely. We present ourselves today as the world’s first cyber resilience platform. The first question we typically get is, “What does that mean?” Although cyber resilience is a terminology that stand to be more widely used around the IT industry, and we’ve been talking about cybersecurity for a long time now, lots of people have made a lot of money. I’m talking about cybersecurity.
A plethora of organizations have built security software products to try and address security issues. Most of them focus on the perimeter. Our view is that it’s okay. Clearly, you need to go and understand how to protect a perimeter. Obviously, there’s also firewalls of an organization. The biggest challenge and issue that we saw and see in the marketplace, first and foremost, is the visibility in an environment.
People just do not know what they have. It’s impossible to understand the risk you have in an environment, therefore, absolutely impossible to be resilient if you do not first fundamentally understand what you have in the environment.
Ronnie: When you say what you have, to what extent can you guys discover what people have?
Gerry: So, servers, desktops. From mainframe right down to IoT devices, anything with an IP address, applications, operating systems. We can tell what’s changed on an ongoing basis.
Ronnie: You can first discover.
Gerry: We can first discover.
Ronnie: Understand everything that’s out there that’s got an IP address.
Gerry: The three areas, if you like, that we’re going to tackle are discovery, and control, and predict. The discovery is, first and foremost, going and understanding exactly what I’ve got. How many servers I’ve got, how many desktops I’ve got, what operating systems I’ve got, what packages I’ve got installed in each device, what packets have I got installed with a mark from a patch level, et cetera.
Ronnie: Right now, just because it’s timely. When we’re talking, we just had the WannaCry virus come through. If UpGuard was in at the time, an organization would have been able to rapidly work out which devices out there are at what patch levels today so that they could do targeted patching. Identify if it was an XP device out there that you couldn’t put a patch on until Microsoft happened to release one, but you could do that with the discovery capability. It goes right down to operating system’s patch provisions.
Gerry: Absolutely. I had one of my guys, a customer in Singapore, the day that the WannaCry hit. We sat in with head of IT and he said, “I’ve just had a phone call from the CEO saying, ‘Where are we hit?'” We said, “Can you tell us?” “Yes, I can tell you exactly what has been installed where and give you a view in terms of priorities, in terms of machine that could collapse, et cetera, which systems do you need to go and patch immediately.”
It was also a customer in Australia, yesterday. It will take them nine weeks to go and probably patch, pretty much, every system they’ve got. The biggest challenge was, to your point again, understand where have we been hurt and where are we susceptible.
Ronnie: Even though you might call it discovery, it’s also that analysis that allows you to be targeted and do triaging scenarios?
Gerry: Sure. That really moves us and that’s a distant segment of what we call control. That’s find gold and discovering assets. Discovering assets without putting some control on what you have. It’s not meaningless because, clearly, you’re never going to fake that resilience. You’re never going to achieve the outcome of the resilience if you don’t understand what you’ve got.
A big part of resilience then has been control in your environment. Having a benchmark, what does a gold standard look like across my Windows servers, across my Linux box, across my Oracle database, et cetera, then constantly monitoring change. Becoming compliant, effectively, with rules of the organization define the extra stuff internally. That could be some benchmarks from CIS benchmarks, or NES benchmark, PCI DSS benchmarks for people who are taking credit card payments.
Or it could just be, “This is my gold standard and I need to understand anything that deviates from that,” and or, “I need to understand if I have a vulnerability, again, like WannaCry, MongoDB, whatever.” I need an ability to go and say, “I’ve got a challenge, I’ve got an issue,” and have it flagged so the IT organization can then go and take a corrective action. We don’t take corrective actions but we go and flag the requirement for corrective action, and then we’re going to pass off to another product.
That may be, in the ITSM type world, that could be to an organization like ServiceNow, on Cheetah, or Cherwell through the DevOps, an environment that could be turned automation tool to share et cetera. We’ll do an auto-reconciliation at the backend, so we’ve gone through a bad state to a good state. Really, what we’re trying to do there– I came up with a terminology on what we’re trying to do.
We’re noise cancelling headphones for IT. We’re trying to take out all the day-to-day hubbub of an environment and get to the root cause, to your point of it, earlier on, and really manage, “Where are my risks right now and how do I go and control those?”
Ronnie: Let me just take that and summarize that for a second just to make sure that everybody that is listening here has a good understanding of it.
Gerry: Or indeed that they understand that.
Ronnie: Or maybe that I understand. You can identify a gold configuration state. You can then monitor what’s happening in a platform against that gold configuration state, and then feed other systems information to say, “Hey, heads up, this is now no longer what it was there.” How does that work when you’re doing change controls? How do you integrate change control into that process?
Gerry: Again, typically, with products like Cherwell and products like ServiceNow, the workflow systems now typically control, and change, and release, and manage. We are, again, an integral part of that because we’re giving them detail on where changes need to be made. Going to hand off and save an ITSM into the change group on that workflow, so take it from change through all the authorizations.
Again, we’re not handling the output to potentially 10 different responsible people in an IT organization to check the box to say, “Yes, I’m good with that, I’m good with that, I’m good with that,” to go through that release process, but we hand off to change, to release. We track that through the lifecycle of that actually happening.
We hand off in a manner that the lowest products understand a requirement, a set that we check in effectively into that change management process, if you like. And then track it through its lifecycle so when it’s back again, we go from a bad state to a good state. It’s been done, that’s been in action.
We can also provide reporting that we’ve been waiting 24 hours. That still hasn’t been actioned for years. That still hasn’t been actioned. We can report on anything that we touch in an environment or we hand off in an environment.
Ronnie: Okay, that’s cool. Now we’ve done that part.
Ronnie: Let’s go to control.
Gerry: That is control.
Gerry: Predict. I mean, go back to control, if you want.
Ronnie: No, we’ve done control.
Gerry: Okay, splendid. The predict piece is, I think, one of the first things we talked about and actually talked of UpGuard was a CSTAR rating, a cybersecurity threat assessment rating. It’s aggregated, easier for me to say.
Ronnie: Struggle with that word?
Gerry: Aggregated, yes. Aggregated score of an organization’s cyber posture, if you like. We go and build that cyber posture rating or CSTAR rating from–
Ronnie: What does CSTAR stand for?
Gerry: Cybersecurity threat assessment rating. That’s an aggregated score of external and internal assets that an organization has and the level of compliance. We also take some reputational data as well so we can talk to organizations like Glassdoor. Again, to understand risk in an organization, and certainly, operational IT risk in an organization, there are some other aspects like reputational risk. If you see your CEO has a bad reputation or if people in your organization don’t enjoy being in the organization, that could have a detrimental effect, obviously.
Ronnie: Greater chance they’re going to potentially do something untoward.
Gerry: It could create a chance that someone’s going to do something malicious in an organization. Taking that control piece from an internal perspective, we give a rating against how well you’re actually doing from a compliance perspective.
Ronnie: That’s a score out of 980?
Gerry: Yes, it’s 0-950. Zero being bad, 950 being off the charts, as good as you can get. We’re also going to assess the external assets, the external-facing assets of an organization. The web servers, et cetera, and how susceptible or not they are to potential threat. Again, relatively simple stuff. Best practice on how well I’ve locked down my external assets. We’re also working towards going and building out that capability to go and add greater detail from a third party vendor, risk assessment rating perspective.
How susceptible are you as an organization if you’ve got MongoDB in your environment? How susceptible are you if you’re an IBM customer and you’ve got OASIS that are going to go into life in three months, six months, nine months, whatever. Certainly, that component of a given predictability range, where your potential challenge is going to be at some point in the future.
Ronnie: Predictability is one of those things in IT that everyone wants. Tell me about the problem before I may have the problem so I could fix it before it’s a problem.
Gerry: Absolutely. Again, going back into that control place and go in and flagging challenges that you’ve got in an organization, an ability to go and see that someone has gone and opened a port, an unauthorized opening of a port. They’ve opened up for 30 minutes and then the port’s been closed again. The ability to go and track that, who did it, when did they do it, and have an audit trail, again, certainly helps organizations, any regulated body, any publicly traded organization. It helps on a compliance perspective through the audit piece.
Ronnie: That’s interesting. One of the things I guess you guys can do as well is keep DR in production in sync with one another.
Ronnie: That’s always the problem, right? If you look at particularly in large organizations, we got dev, tests, production DR. How do you make sure they’re all the same?
Gerry: Sure, absolutely. It’s fundamental to what we do. From dev through tests, through production, and through DR, that whole lifecycle, ensure them that that’s in sync. We’re working with a very large global bank right now. We’ve discussed this before.
This organization have something like 200,000 servers on their management. They have 780 DR instances on a weekly basis, about. Some of those planned, some of those unplanned. They fail 60% of the time, so six zero percent of the time because of misconfiguration. Through time, the production environment has changed so significantly to the DR environment. That’s a stable environment. Nobody’s touched that DR environment. They’re trying to build a field over it and it doesn’t work.
Certainly, the ability to go in a huge benefit through the DevOps piece. Going and understanding that what I’ve got in development as indeed, to your point, is the same version as we get through the production environment. Very, very importantly through that DR environment because a lot of people tend to forget the DR something that’s maybe never going to happen. It’s never going to work if you don’t–
Ronnie: It doesn’t work when you need it most.
Ronnie: Very, very broad set of products instead of use cases that you sold for. Possibly, I think one of the interesting things for me when we started talking about our relationship, in the Insentra relationship with UpGuard, what we’re doing together with you. One of the things that I found most interesting is you don’t have to buy modules to do all of these. You buy a license and you can now do all of these things that you’ve just been talking to us about for the past 15 minutes. One license, right?
Ronnie: Your go-to-market model, what’s been the go-to-market model? What’s the plan for what you’re doing in the market?
Gerry: When I joined the organization, we had a 100% direct model in North America. I said, “No way that’s not going to happen in the international marketplaces.” We’ve now flipped that in the US as well. We’re now 100% indirect.
Ronnie: 100% channel-based?
Gerry: 100% channel-based, globally, now.
Ronnie: That makes a great connection for us, right?
Gerry: Of course.
Ronnie: That’s the same as us.
Gerry: Absolutely. With the two-tier distribution model in every country that we operate. Today, we have a distributor, we have resellers working effectively underneath that distributor. Certainly, every new market we’re going to enter, I’m trying to find an Insentra-type organization because I have a belief. Obviously, I wouldn’t be here if I didn’t believe this is going to become a very large organization.
The opportunity is there, the time is right. I think the people around this organization are the right people to go and grow a large organization. We can’t do that without a channel, the nature of what we do, and certainly the nature of what we do as you go and grow a channel. Channel partners today, and possibly never, have never had an ability to go and properly invest, technically, and vendors.
You wouldn’t be in business if that was the case. My firm belief is, increasingly, our channel partners over the last 5-10 years have had more downward pressure and margins, downward pressure on them, understand how they remain relevant to an enterprise of your business worth because of the advent of Cloud, and Amazon, and Azure, Google, et cetera.
They are looking for solutions they’re going to take to the customer to go and expand their offering but they don’t necessarily have the manpower to go and invest in the technical skills. It was imperative to me that we find an organization like Insentra that had that depth of technical skill that can go and support our channel. That can go and support us to go and grow our revenue and our business but are entirely complementary to our channel as well.
Ronnie: I guess what I’m hearing is you’ve got an entire channel-based go-to-market strategy like a vendor would normally invest on their own presales, and their own delivery resources and support network. That’s what you’re leveraging Insentra to do on behalf of UpGuard. We can do that noncompetitively because we don’t transact the product. We leave that with the partners to do, help the partners to scale up. If the partners want to go do it themselves, moving on, then they can.
Ronnie: There’ll be partners who do want to invest to your product. There’ll be a lot of partners who can see a way to solve problems for their clients, particularly, people who are delivering managed services and who could put this into their managed services, and make them more resilient. Then they could choose to leverage services from you, which ultimately would be us. That’s what the strategy is going to be?
Ronnie: That’s great. You’re planning on building a big channel and you’re planning on building targeted channel of certain partners, what’s the thought process there?
Gerry: The thought process in going and building a channel right now is limited to solution, I can call it that. We don’t want to have every channel partner in every geo that we’re doing business in falling off each other and competing with each other. We want to go in with partners who want to be committed to us, certainly, from a sales and marketing perspective.
We, as an organization don’t have the bandwidth to go and handle hundreds of partners. Distributors don’t necessarily have the bandwidth to go and handle hundreds of partners. What we do as enterprise by default is– Fundamentally, what we do from a technology perspective is relatively simple, but the issues that we’re addressing for organizations are very complex. There’s issues that they all have.
We’re looking for limited numbers of partners in each of the geographies– Trying those partners verticals and key verticals that they’re working on. Those key verticals today, for us, are the FSI, a marketplace massive issue. Really, any public real estate organization, large scale retailers who’ve got issues relating to PCI DSS, and increasingly, government.
Certainly, from an Australian perspective, there’s a big push. As that are on most governments around the globe today and the whole cyber area has become a massive challenge when nation states are using technology against each other.
Ronnie: Absolutely. Gerry, that’s great. Thank you very much for spending some time with us today on The Download. Is there anything else that you think that you’d like to share with the audience that you haven’t potentially shared yet?
Gerry: I should have worn my kilt and I could have shared that with you, Ronnie.
Ronnie: As long as you have shared what was above the kilt and not below the kilt, I think our audience will be happy.
Gerry: That’s one of the problems, Ronnie.
Gerry: My kilt’s too short.
Ronnie: Gerry, thank you very much.
Gerry: Thanks to you, Ronnie.
Ronnie: It’s been wonderful having you with us. We’re very excited about the relationship we have with UpGuard. I think it’s a fantastic technology platform. As you can hear from Gerry, there’s a lot of different things that you can do with UpGuard. It plugs a lot of the gaps and a lot of the issues that– Historically, when I was on the client’s side, they were problems that I had. Now, that’s 20 years later, we’re finding an organization that can actually get across all of those problems and help to resolve them.
Encourage everyone to have a look at the UpGuard technologies. Gerry’s a great guy, I’ve known him for many, many years. I’m sure he’s going to be as successful building the UpGuard channel as what he was for the CommVault channel, when he was working with CommVault. We’re very excited about the relationship. Have a great day everyone.