Sign up for my newsletter to see more interviews with the biggest names in cybersecurity.
Hope you all had an awesome Thanksgiving! I’m really excited about this week’s interview. Check it out below.
This week I spoke to Rohyt Belani, the Co-founder and CEO of PhishMe. Rohyt previously founded the security consultancy Intrepidus and was a managing director at Mandiant. He has also spoken at industry conferences such as Black Hat and RSA. Rohyt is clearly a security industry veteran and this interview has a lot of fascinating insights.
Congratulations on the Malcovery acquisition. Can you talk a little bit about the thesis behind that?
We’re very excited about the Malcovery acquisition as it complements our long-term strategy and extends our security portfolio. But to understand that, let me explain what we do at PhishMe, because we are often miscategorized as a security computer-based-training (CBT) company. Through many years of hands-on experience in the security field, my co-founder and I realized that most organizations relied too heavily on technology and ignored the human element of security. However, human susceptibility is at the heart of many of the major attacks that we’ve seen, and over 90% of attacks involve phishing. Thus, PhishMe started out as an immersive phishing attack simulator, not just a phishing test.
The other side of running these simulations was to provide metrics to organizations regarding the results of the simulations. This allows them to identify their pain points.
Further, as a result of the phishing simulations, employees began reporting suspicious emails to their security teams in a rather ‘noisy’ manner (calling help desks, forwarding emails, etc.). So, we responded by creating a button (an add-in for Outlook and other email clients) that anyone could use to report suspicious emails.
The next logical step in the process was to help cut through the noise and provide actionable data to companies’ internal security teams. We launched a new product called Triage last year to do just that.
To summarize, our initial value proposition focused on simulating phishing attacks and training employees to improve their behavior and to act as a human defense against phishing, turning them into “phishing informants”, so the security team can then process and analyze phishing threats. The logical next step was supplementing this internal information with external threat intelligence as it relates to phishing. That’s where Malcovery fits in, by providing external threat intelligence focused on phishing. Unlike some other threat intelligence providers, they are very precise and specific with the information they provide.
In essence, Malcovery allows us to look at the most important threats as identified by the employees of an organization, prioritize them, and provide information on how those threats are affecting other organizations.
You and Wombat are the two big players in the security CBT space, and you both have had very different strategies. Wombat has expanded beyond phishing into other forms of cybersecurity training. You have maintained a focus on phishing, but you’ve expanded beyond CBT into phishing threat intelligence and analysis of phishing emails. Can you explain the thought process behind that?
When it comes to our strategy, we rely on our experience in the security market and the evolving needs of our customers.
One of the main reasons we haven’t expanded into other forms of CBT is because, frankly, they don’t work. We’ve been using it in organizations for two decades and it has proven to be ineffective. People don’t like CBTs. They tend to view them as a required distraction from their real work. It’s best to focus on phishing, the #1 attack vector, to keep them engaged in security.
CBTs are also extremely simple to replicate, which is why e-learning companies rarely command premium valuations. It’s a low barrier to entry with little return. In fact, we just launched free modules and they took only four weeks to create internally. Phishing has been the number 1 attack vector for over a decade, and most of the high-profile breaches covered in the news began with a phishing email to an employee of the targeted company. That’s why we focus on phishing.
Can you explain the rationale behind this decision to launch these free modules? Is the idea to get consumers using your CBT product, with the hope that once they see how useful it is, they’ll purchase other products as a result?
No. The sad truth is that organizations buy CBT modules to check a compliance box. I was sick of hearing about how our customers had to pay thousands of dollars to check a compliance box that doesn’t address the real issues. We offer the CBTs for free and are determined to continue offering them at no cost to anyone that wants to use them, whether they are a paying PhishMe customer or not. We launched the free CBTs to help organizations use their resources to invest in solutions that will really improve their security, whether it’s our service or not, rather than checking a box.
You have a presence in the phishing CBT space, now you provide phishing threat intelligence, and analysis of phishing emails, where do you go from here?
Both the Triage product and Malcovery acquisition are fairly recent so we’re focused on ensuring our lines are integrated and meeting the needs of our customers. Between this recent growth and significant continued growth for our Simulator product, I believe that we can triple our current revenues in the next two years. Additionally, we remain opportunistic with regards to other M&A opportunities.
On your website you say that you can reduce an organization’s susceptibility to phishing from 58% to 8%? That’s remarkable. Does most of that come from the simulations?
Yes, that’s purely from the simulation piece. Our solutions are built on the fact that people learn from their experiences, and our results reflect the validity of this principle. People learn when they are immersed in situations. To effect real change, you need to give them 30-60 seconds of quick feedback to correct their actions rather than making them watch a 30-60 minute instructional video.
How much money does that save organizations?
We’re about to release a study, commissioned from Forrester Consulting, that quantifies the return on investment in PhishMe. As a sneak preview, the ROI was calculated in the several hundreds of percent.
Do you have any thoughts on Wombat’s acquisition of ThreatSim?
ThreatSim was a late entry to the space, so we didn’t often see them come up in competitive sales situations. Their offering is by no means complementary to that of Wombat: they both offer a phishing simulation product, and clearly one of those products isn’t going to survive the merger. I see no obvious value and am quite happy to have one less copycat competitor in the market. Even with their combined assets, PhishMe continues to maintain a leadership position in the anti-phishing market.
- Ray Rothrock, formerly of Venrock, discusses his investments in companies such as Check Point, FireEye, and Splunk and explains why he’s now running RedSeal.
- How existing companies are attempting to build security into their IoT devices, and how security companies like Luma and F-Secure are trying to secure these devices over wifi.
- Out of the major cybersecurity vendors like Dell, Cisco, Intel and Symantec, who is the best positioned to be dominant in the future?
- The funding comes from the venture arm of the Chicago Mercantile Exchange and UST Global. Fortscale uses machine learning to detect anomalous network activity.
- Corporate costs of debt may soon increase if organizations are unable to demonstrate adequate cyber protections.