April 20, 2023

209: The importance of people over job titles in early stage startups with Chris Sestito, CEO of machine learning security company Hidden Layer

On this episode of Sales Bluebird, we dive into the world of Hidden Layer, a company bridging the gap between security and data science teams to protect machine learning models. CEO Chris Sestito discusses hiring the right people for a startup rather than worrying about specific job titles. Chris shares insights about their innovative work in security and ML and how they are making strides in the ML AI world. Additionally, we learn about the company's world-first machine learning security platform, which has two products geared towards detecting malware and protecting models in real time.

[00:05:01] "Cybersecurity founders go all in together"
[00:09:37] "Adversarial Machine Learning Attack Inspires Hidden Layer"
[00:13:20] "World's first ML security platform detects malware"
[00:15:22] "Model Lifespan Variations Based on Use Cases"
[00:17:03] "Empowering Data Scientists and Security Operators Together"
[00:19:38] "Data Science and Security: Bridging the Gap"
[00:21:24] "Covert Cyber Threats Require Proactive Investigation: Experts"
[00:29:08] "Building Generic Solutions to Protect Machine Learning"
[00:31:19] "Why Abigail Maines was the perfect hire"
[00:34:21] "Success Determined by Who You Hire"

Hidden Layer website
Chris Sestito on LinkedIn


Andrew Monaghan [00:00:00]:

Today I got to chat with another Innovation Sandbox finalist. And that's Chris Sestito, the CEO and co-founder at Hidden Layer. Hidden Layer is tackling the problem of protecting machine learning models and algorithms. This is an emerging category right now, but much needed, especially given all the focus and attention on generative AI out there right now. Tito talks in the episode about the event that happened for him and his co-founders to realize that this was a problem and one that was worth solving because it's going to be spread and going to be needed to be solved by a lot of different companies. The state of awareness right now of the problem, who they talked to in a given organization and then how they started their sales team and then a lot more than that besides. So don't go away. Welcome to the Sales Bluebird podcast, where we help cybersecurity startups grow sales faster. I am your host, Andrew Monaghan. Our guest today is Chris Sestito, CEO and co-founder at Hidden Layer. Chris, welcome to Sales Bluebird.

Chris Sestito [00:01:14]:

Thank you, Andrew. Excited to be here.

Andrew Monaghan [00:01:16]:

Yeah, I'm looking forward to this episode for a number of reasons. But let me say, first of all, I think you go by Tito, so I'm going to call you Tito from now on rather than just Chris, if that's all right. So Hidden Layer just a couple of weeks ago, was announced as a finalist in the RSA Innovation Sandbox, I guess competition, we call it. So a couple of weeks' time, you're going to be the Monday of RSA in San Francisco on stage doing your thing. So I'm kind of interested to learn about the innovation that you're doing and all the things that you have going on. Because clearly some smart people have said of the hundreds of people applied, there's one company that's doing something different, innovative, and I'm keen to understand more about that. Secondly, when I looked at your website, I saw a phrase I had not heard before. Maybe I'm just a little bit behind, I don't know, machine learning, detection and response. MLDR. So this, I guess, is the new area you're in. It's hitting a couple of words in there that we know, which is detection, response, and a couple of words in there, I think, at least for the security side, which is probably relatively new, which is machine learning combined with detection response. So there's a whole bunch in there that I'm trying to learn without trying to get too technical for our audience. So we'll try and understand that and how you're thinking about the market and growing a company and getting your name out there. A quick break to say that this episode is sponsored by IT-Harvest. With over 3200 vendors in cybersecurity, it is hard to keep track of all the latest developments, as well as research and analyze categories and subcategories within cybersecurity, which is where the IT-Harvest cybersecurity platform comes in. Want to know which subcategories in cloud security are growing the fastest? You'll get it in a few clicks. Want to know and track everything about your main competitors and keep up with their hiring and news?
Simple search to be done. Want to know the top 20 fastest growing companies based out of Israel? Easy. Just a couple of clicks to get that. IT-Harvest is the first and only research platform dedicated to cybersecurity and it's run by Richard Stiennon, who has done it all in cybersecurity from the VP of Research at Gartner, a CMO at a cybersecurity vendor, a lecturer on cybersecurity, advisor to startups, advisory board member at startups and a main board member as well, the whole lot. Find out more by going to Salesbluebird.com Research. That's salesbluebird.com research. Now back to the episode. Well, let's look at your LinkedIn history quickly. Here's why. I see you started off malware analyst at US Foods, and then you switched over reasonably quickly to be on the vendor side. You joined Cylance, I think, quite early in their development, right. As a malware analyst as well. You spent five years advancing your roles at Cylance in the Threat Research side and you ended up as a Director of Threat Research, I think, even after the acquisition by BlackBerry, is that right?

Chris Sestito [00:04:22]:

That's right, yeah. I stayed about a year and a half through that acquisition, helped with the integration and combining of the teams and the projects and that kind of thing.

Andrew Monaghan [00:04:34]:

And then after that, quick couple of stops at Agari and Qualys, well known names in cyber. And then in April 2022, pretty much a year ago, actually, right now, officially was the coming out of Hidden Layer. Let me ask you one thing before we get into Hidden layer. Was first time founder, how natural was that for you to go and do, or was it something that you really thought long and hard about?

Chris Sestito [00:05:01]:

Yeah, it's a great question because there's a lot behind that decision, right? I mean, there's certainly some risks, there's consequences along the sides of is this going to go well, people are going to join you and trust this sort of thing. But I think that there was one of the major advantages we have, and there's a few of us, so it's myself and two co-founders, Jim Ballard and Tanner Burns, and we work together at Cylance and Agari and Qualys. We've been traveling together sort of as a pack for the last few organizations, so doing it together really helped out quite a bit. We feel very passionately about the problem that we're solving and the need to have a dedicated cybersecurity solution around it. And so when in general, it really wasn't just this decision that, hey, let's go found a business, it was really more along the lines of there's a real problem we want to go solve. And so this was the best route to really solving that problem in that regard, that part did feel very natural. But as far as the decision to co-found or be a CEO or something along those lines, that's sort of like symptoms of this decision that are, you know, things that we're kind of learning as we go. Now, the other thing that helps is we have a fantastic support system around us. We've met a lot of great people at Cylance and at some of these other organizations like Qualys and Agari. And so, you know, we're three technical founders. It's nice to have some folks we met on the go to market side and some folks we met in different areas of the business that are helping us out today and including some co-founders as well. So we feel like we know who to call when we come across things that we haven't come across before. And there's plenty of good advice around us. But, yeah, still first time founders, and a lot of this is very new to us. But as long as we stay true to the mission and stay true to the problem that we're trying to solve, it does feel pretty natural.

Andrew Monaghan [00:06:51]:

What was the biggest surprise in the first six months or so of getting going?

Chris Sestito [00:06:56]:

Well, it's funny. I like to say that the Adversarial machine learning company that Tanner and Jim work at is awesome, but the sales and marketing company I work at kind of different at times, and obviously it's the same company, so I'm just kind of joking around. But in my career so far, it had been a relatively technical role even as I moved into leadership generally. A lot of coaching and mentoring and trainings. And I would train sales and sales engineers. I would train all kinds of folks on the technical side as well. So a lot of my role here at Hidden Layer is not as deep on the tech side as it has been in the past. But that's okay. There's not too many of us. We're not an army of people working here, so I still get to be involved with a lot of that as well. But I would say that's the biggest shift for me is focusing more on sort of the external sides of the business versus what I'm used to in the past. But it's been a lot of fun. It's been a lot of good learning, and it's been a good chance to use some of the skills I've developed over my career that are a little bit different from solving some of the technical problems in malware analysis or data science. But I would say that was probably the biggest change for me.

Andrew Monaghan [00:08:09]:

Yeah, that's a tough one to take on. Sometimes three technical founders, someone's got to step up and take that role, right? Remember, I talked to a CEO last year at RSA, and he said, very experienced, smart dude. And he was like, when I went into this thing, I thought the hardest thing would be product. And then now I've got into the go to market side, I've realized the hardest thing is figuring out distribution. How do we get out there, talk to the right people at the right time, and get some mind share?

Chris Sestito [00:08:36]:

Yeah, I mean, I think there's a lot of people who are very good at it. That's just not been our history. And then so we're lucky that we've brought people into the organization who are very good at that, that we trust implicitly, but at the same time, it is still a new world and having to spend some time in that. But I think it would be very hard for me to say what is the hardest part of what we've been able to do so far, because there's certainly challenges associated with all of it, really. A lot of people pick an area that say you have to be good at, but the truth is you have to be successful in all of these avenues. It's really more about a cohesive unit and a lot of good, strong communication and a lot of belief in each other at this level. And we're lucky to have that right now.

Andrew Monaghan [00:09:17]:

Well, let's go right back to the moment, not the PR moment that anyone might be telling you to talk about, but the real moment when you guys were somewhere sitting around a campfire drinking beer or whatever, saying, you know, that thing that we did last month, we should probably start a company to do that. Where was that and how did it come around?

Chris Sestito [00:09:37]:

Yeah, Hidden Layer was really born out of a real world event that happened to us at Cylance. So when we were there at this point, I was the Vice President of Research and Intelligence. And that was a position that involved a lot in terms of the product side, the threat research side, the data science side of the house. And actually in 2019, our ML model for Windows environments was attacked. And it wasn't with a traditional network attack, it was with an adversarial machine learning attack. And it was pretty novel at the time. We had to figure a lot out at the time. Today it's a lot better understood. There's now frameworks like MITRE ATLAS and other defining frameworks that can sort of help explain this type of attack, but back then, pretty novel. And so we led the response effort, myself and the co-founders. After the dust settled and everything was redeployed and we were back into a good spot, we all kind of looked at each other and said, this is going to be a problem for the whole world, for everybody who's deploying machine learning models into their hardware and software products. And so we knew that we wanted to keep working in this space. And this was really going to be a very critical area for the fastest growing technology we've ever seen. And so it was almost kind of known that we needed to keep working in this space and working this problem. And again, we've known each other a very long time and the last five organizations, six if you include Hidden Layer, we've worked at together. So it wasn't something that we had to figure out who was going to be involved because we knew that much. But yeah, it was really born out of that attack that we knew we were going to be moving into founding Hidden Layer.

Andrew Monaghan [00:11:12]:

So when people come and attack an ML algorithm or a model, whatever you have going, what are they actually trying to do? What's the purpose? Are they trying to steal something or change something or disrupt or what?

Chris Sestito [00:11:26]:

Yeah. Yes to all of that, really. The motivations are very similar with traditional cybersecurity attacks. You can just think of this as sort of a new area of attack within the threat landscape. And so there are many examples. Most common would be like a lot of machine learning models are used in fraud detection. So threat actors are trying to bypass fraud detection models so they can continue making fraudulent transactions. There's models used in cybersecurity specifically that are at the edge and able to be interacted with, just like that attack that happened to us back at Cylance, where bypassing that model, learning how to abuse that model, will allow you to get other malware samples through to execute. So just like traditional cybersecurity attacks, the majority of it is financially motivated. And then you also have disruption causes. You also have IP, like you mentioned, if I want to steal a model that's of very high value and it's at the edge and able to be interacted with via API or hardware, software, product, what have you, there's examples of attacks that are trying to build a.

Andrew Monaghan [00:12:24]:

Surrogate of the model.

Chris Sestito [00:12:25]:

There's examples of attacks that are trying to abuse its decisions. And then there are very traditional versions of the attack where they're just trying to pivot off of the model to launch executable code that they should not otherwise be able to have access to. And so there's sort of the logical attacks on the poisoning side. There's all kinds of ways. In fact, that MITRE ATLAS framework that I mentioned earlier has over 60 examples of attack techniques when it comes to artificial intelligence in the adversarial machine learning space. And so we built a framework to address all of it because it's just as widespread and just as pervasive as cybersecurity as a problem in general. It's really just sort of a new environment for all of those same types of attacks to take place.

Andrew Monaghan [00:13:06]:

You said you build a framework. Let's put a situation here. We got RSA coming up in a couple of weeks time. You know how people come up to you ad nauseam? What do you guys do? How do you answer that question when someone walks up and says that?

Chris Sestito [00:13:20]:

So we build the world's first machine learning security platform. And currently that platform has two products in it. We have what we call our ML scanner. And that's very simple. If you think of the way in which an organization is going to be attacked, the most likely circumstance in which they're going to be attacked is very simple. A data scientist who's not concerned with security, nor should they have to be, is going to go out to one of these model repositories online. If you've heard of OpenAI or Hugging Face or any of these other repositories where you can buy pretrained models or you can pull down and download source pretrained models. Many of them are compromised. Many of them have malware built into them. Many of them have text embedded in them. We and our research team have found over 500 examples of that online. And unfortunately, antivirus doesn't scan model files. EDR is not going to pick up on something launched out of a Python process that the model originated from. So pre-Hidden Layer, there's no part of the modern day security stack that's going to stop that from launching an attack in an environment. So we built our model scanner. You can think of that simply as like an antivirus for models. It also works on things that you build. So if you build a model internally and you want to set a known good state on that model and say, every time we use this model in production, it better look like this, we can guarantee that as well. And that's our first product. And then our real time product is that machine learning detection and response that you mentioned earlier. And that's a real time solution that would protect a model in a data pipeline in a hardware or software product. So we look at inputs and outputs to that model and we look at behavioral patterns and those who are interacting with the model very similar to how EDR works on an endpoint. We look at those same behavioral patterns on a machine learning model and that's why we call it MLDR. 
And that allows us to protect against things like inference attacks or people who are trying to steal the model. A whole bunch of attacks that can happen at inference time in the ML Ops pipeline. So that's pretty much it. We can protect the model in real time or we can scan the integrity of the model.

Andrew Monaghan [00:15:14]:

And do models change a lot? Are they like a normal file or is it something that's more set in stone and therefore a whitelist idea works quite nicely with it?

Chris Sestito [00:15:22]:

Yeah, great question. And that really depends on the use case. We've seen sort of all sorts of examples. There's kind of big monolithic models that persist for years even. And then there's organizations that spin up a model per customer per night. And so it really depends on sort of the use case, generally speaking, I think when a model is trained, on average, it definitely exists for at least months in sort of the circumstances that we're seeing now. So there's examples of models that you do want to see change when retraining it and updating it and trying to improve it. And then there's examples of times where none of those things happened. And if it changed, it means that there's some sort of compromise going on there. But we're not just scanning to see if there's a change, we're scanning to see if there is malicious executable code on the integrity side. And then in that real-time pipeline. We're also going to tell you not only that something's weird here. We're going to tell you exactly what's happening and somebody's trying to do something like enumerate your decision boundaries or understand your feature importance, the things that the model is considering that kind of thing, or potentially steal or recreate your model. We let everybody know there. It really is sort of use case driven, like algorithmic trading models change very frequently. Fraud models are relatively static, but they do definitely change it's all. Like recommendation engines tend to be very similar for a long period of time. So it really just depends on the use case.

Andrew Monaghan [00:16:39]:

When I hear you talking about the different types of attack and what they're after, I could see lots of different groups inside an organization thinking we need some sort of protection, right? If you go to IP, it might be the CTO office. If they're protecting products, they've built traditional security for some fraud prevention, things like that. What have you learnt about who to approach first inside your target organizations?

Chris Sestito [00:17:03]:

So it's interesting, right, because this is definitely a problem space that has two major subject matter experts involved, which is the security side of the house and the data science side of the house. And so we have a very strong core belief at hidden layer that pardon me, that data scientists should not have to be concerned with security. They should be able to grow and build and create and solve problems and not really worry about if their solution is hardened enough for the real world. And likewise, we believe security operators should be empowered to protect machine learning models without having to be data scientists themselves. So everything we build really keeps that in mind. We want to empower those two groups in their existing workflows, but what is required is strong communication between those groups. And we build our product to be the bridge between those two units that traditionally don't always have a whole lot to do with each other in the day to day business. So that's just sort of a little bit of how we like to frame it up. We like to bring both groups to the table, but generally speaking, the group that feels responsibility for securing the organization is that CISO organization at the earliest stage of the adversarial machine learning existence really. It's not new to data scientists adversarial machine learning. White papers have been written and published since 2013. It's really well understood for the most part. It's really the CISO organization and the decision makers on that side that need to be more aware of the fact that this is now a mainstream attack surface. And there are automated attack tools that exist on GitHub, there's over 30 of them where someone, even a script kiddie, can kind of start performing these types of attacks now. So I would say roughly 80% of the personas that we are doing business with today are on the CISO side of the house. 
It's actually very similar to really the migration to cloud that we've seen over really the last most recent era in tooling where right out of the gate that was really more of like a DevOps decision. But now then it very quickly became a security responsibility in the CISO line item for securing cloud. And I think we're going to see a very similar pattern here where right out of the gate data science is going to need to be heavily involved just because they're subject matter experts. But ultimately as this becomes more and more of an understood problem space and a typical cycle to purchase a solution for it, that's going to be more and more of a CISO responsibility. I think a year from now, it'll very much be something that a CISO buys just like any other security solution for their organization and for the systems.

Andrew Monaghan [00:19:28]:

That you talk to or even the security teams you talk to. How many do you have to still educate that there's even a need to do this and how many they'll go, no, we get it. We just need to figure out what we're going to buy.

Chris Sestito [00:19:38]:

Yeah, it's kind of split up, I would say again, sort of use case and maturity level of the organization. I think organizations like if you go up in the Fortune 500, they have pretty mature data science teams. Usually there is a data scientist on the security team, if nothing else, to help build them models for security purposes and they seem to be pretty well versed and understand it pretty well. Then you have other organizations that either outsource a lot of their data science or just generally speaking have they're a little bit more siloed in those two organizations and it does require a little bit more education. We actually enjoy that part of it. We like to go through the education and really help both sides understand the other side's point of view. So we like training CISOs and their security staff on what data science and what machine learning does expose you to and all that. And likewise we enjoy training data scientists on sort of the security implications of what they're putting out in their data pipelines in their products. So there's still a good amount of that. I think we can seriously help those two groups and organizations understand each other. But it's a little bit I would say the more mature the data science team is usually a pretty strong indication of how well understood this problem is going to be in that space or inside of that organization. But it's a little different organization by organization, but it's definitely a lot more well understood than a year ago. And I think we'll still we'll still see more and more familiarity as we see more and more of these attacks in the real world.

Andrew Monaghan [00:21:08]:

Yeah, it seems like even though there's getting more awareness, it's still relatively early. I imagine the adoption cycle, a lot of people dipping their toe in it's probably what you're experiencing or wanting to take meetings and some don't go anywhere. It's just not ready yet for some reason. Is that fair?

Chris Sestito [00:21:24]:

Yeah, I would say the awareness could be described that way. I think in terms of the actual problem, it's here. These attacks are certainly taking place. We see it with organizations that we work with. I think it's funny, as security operators, we've gotten very used to ransomware and ransomware. That doesn't surprise anybody. Nobody isn't aware that they've been hit with a ransomware attack because they get a ransom note and they don't have access to their files. But pre ransomware. If you think back to when we were dealing with these problems, kind of in the 2000s, early 2000s, you were looking for backdoors, you were looking for types of threats like rootkits threats that were intended to fly under the radar. If you didn't look for them, you weren't even aware that you were being attacked. And I think we see a little bit more of that today with this type of attack. And it does require a little bit of proactive investigation to see what's going on. And so a little bit of it is it's a familiar kind of workflow for security operators. It's just that there's been so much focus on ransomware that they haven't had to look for that covert threat in a while, but certainly exists, I think, to your point around sort of the awareness of the problem space. It isn't getting talked about a whole lot. I think there's a couple of reasons for that. The biggest being regulation hasn't caught up to the problem yet. Organizations are not under the same level of requirement to divulge information that they would be if they lost data from their network or a database that they currently are today if they were to have lost that same information inferred out of an ML Ops pipeline. And so we're helping some organizations on the regulatory side catch up there too. But I think that's probably the biggest reason that we don't hear about this as often, because the attacks are certainly taking place. We're helping organizations where the attacks have taken place. 
Threat actors at this point can just plug and play tools that exist online they certainly are. So it's definitely happening. It's definitely out there. It's really the job of decision makers and security now to make themselves aware of it, because at this point, I think it's the easiest route into an organization from a threat actor's perspective.

Andrew Monaghan [00:23:28]:

I remember a few years back at Cylance, I never worked at Cylance, and you correct me if I've got this wrong in any way, but my recollection is that the sales team and the SE team had this awesome thing that actually called the awesome demo. I think that's right. Right. You go around different cities and the idea was bring your own malware. Is that right?

Chris Sestito [00:23:47]:

Yeah, we called it the Unbelievable Tour. It was a great sort of exercise for bring your own malware. We'll show how it would be detected. It was a very powerful demo. It was a very powerful sort of way to let people interact with our product. And yeah, it still gets talked about today. I was talking to somebody about that last week, actually, so definitely left an impression.

Andrew Monaghan [00:24:08]:

And I remember I think it was RSC or somewhere I went, usual thing, people milling around the floor, looking at booths, but there was like 100 people, in front of the Cylance booth watching the Incredible Demo or the awesome Demo, and they were just waiting. Obviously they're waiting for things to fall apart and not detect someone's malware. But I think you guys had a really high hit rate on that. I'm just wondering, it sounds like you're talking about it right at Hidden Layer. Is there something like that you're thinking about that might be a way to get the same sort of impact that that demo had?

Chris Sestito [00:24:37]:

Absolutely. Yeah, we have some thoughts there on the marketing side to try and help everyone understand sort of how real and imminent this problem is and as well as ways to engage, just like the unbelievable tour. Because I think the easier you can make it, the more interesting you can make it for folks to want to familiarize themselves with this space, the better that's going to be. A lot of people get intimidated by data science and machine learning right out of the gate. They sort of think that's some nebulous topic that I'm never going to understand. And I think that that's not the right approach because at this point, it's getting easier and easier to do. Tooling on the ML side is getting easier and easier to interact with. I actually don't even think the data science position is going to look anywhere near the same way as it will even five years from now. You're going to have subject matter experts using data science tooling versus a data scientist specialist in these areas. So it's really not as intimidating as a lot of people believe it to be. So the ways that we can work with organizations to sort of show them how useful a technology it is and how. It really works. It's not magic. There's math behind it. Here's how you can interact with the tools. Here's what the inputs look like, here's what the outputs look like. The more familiar organizations are going to be, and the better they understand it, the better they can understand how it can be abused. And so it's a big part of our job to educate folks on exactly that.

Andrew Monaghan [00:26:01]:

Tito, before we go any further, let's get to know a bit more about you. So I've got 35 questions here, but the good news is I'm not going to ask you to answer 35 questions. I'm going to ask you to pick three random numbers, between one and 35, and I'll read out the question.

Chris Sestito [00:26:16]:

Okay, sounds good. Let's do four.

Andrew Monaghan [00:26:21]:

Four. What is the most used app on your phone?

Chris Sestito [00:26:28]:

LinkedIn. I wish I had a cooler answer than that, but it's definitely LinkedIn.

Andrew Monaghan [00:26:32]:

You just lost a lot of cred with the kids with that answer.

Chris Sestito [00:26:35]:

I know, yeah. I should have said TikTok, but it's not even on there.

Andrew Monaghan [00:26:40]:

I don't have it on there either. Yeah, I'm probably reasonably the same. Yeah, I'm on LinkedIn a lot. I guess it's just the world that we're in these days in our world, right?

Chris Sestito [00:26:48]:


Andrew Monaghan [00:26:48]:

Next number, between one and 35.

Chris Sestito [00:26:51]:


Andrew Monaghan [00:26:52]:

What is your favorite summer pastime?

Chris Sestito [00:26:56]:

Oh, favorite summer pastime, that's a good question. Well, I like to golf, so if that counts, I like to get out and golf, and that's about the only sport I can still play these days, so I think that I spend a lot of time there, so we'll go with that. But I like to do other things with the kids and we like to take them out to the pool and go to the beach, that kind of thing, whenever we get an opportunity to. But if we're just talking me, the answer is golf. The good family man response probably would have been the beach or something like that with the kids, but that's the real answer.

Andrew Monaghan [00:27:28]:

I'm a golfer as well, and I'll tell you the thing that bugs me a little bit about it is it takes so damn long to play a round of golf. Gosh, do I have all that time? The four or five hours? It's nuts.

Chris Sestito [00:27:38]:

Yeah, you're pretty much setting aside half a day for it, right?

Andrew Monaghan [00:27:41]:

It can be, especially at the weekends, right. Things get backed up before you know it. You take an hour to get there. You play a five hour round, an hour to kind of have a drink and go home. The whole day is shot at that point.

Chris Sestito [00:27:52]:

Oh, yeah.

Andrew Monaghan [00:27:55]:

As a family man, I know it can be difficult to carve out the time, so I'm glad you're at least finding some time in these days to play some golf. And last question, between one and 35. 12. Window or aisle?

Chris Sestito [00:28:11]:

Oh, aisle. That's easy. I like to walk around whenever they let me. So I stick around on the aisle and when I'm impatient and want to leave right away, that's helpful too.

Andrew Monaghan [00:28:23]:

Yeah. A little more flexible in the aisle, right? I find that in short flights, I can do the window.

Chris Sestito [00:28:30]:

Yeah, that's right. A lot of flying these days.

Andrew Monaghan [00:28:33]:

You're doing a lot of flying?

Chris Sestito [00:28:35]:

Oh, yeah, a lot of flying. Got a lot of meeting customers for Hidden Layer, so going all around and yeah, I can say with confidence I prefer the aisle.

Andrew Monaghan [00:28:47]:

Well, Tito, one important day in a startup is the day that you start, right? You get together and you say, we're going to do this. Another important day is when you win your first real live paying customer who's not a design partner, not doing it as a favor, but a real customer in the wild. Take us back to that day and describe what was going on.

Chris Sestito [00:29:08]:

Yeah, I think we're very lucky to have several of those going on today, but it was certainly a monumentous occasion when you get that validation of an organization saying, you know what? You're right. This is something that we need to invest in. And for us, it was a financial services company that was concerned with account takeovers and fraudulent transactions. And there was awareness on that side that there was certainly some adversarial abuse going on of their models. And so it was very validating, it was very fulfilling to be able to solve that problem for a group that otherwise didn't really know how to address the problem. And so it was a lot of fun, and it still is. And one of the most exciting things about the solution that we're building is how generic it is across this problem space. We built a solution that much like EDR, as we say, it doesn't need access to any raw data or the algorithms themselves. And so that allows us to protect models of all kinds, and whether it's like healthcare data, insurance data, financial data, security data, that's of no consequence to us. We don't actually want to see any of that. We want to see those behavioral patterns with the model. So it really is very cool to be able to help solve problems in all of those different industries because you can see what an impact you're making right out of the gate. So you're absolutely right. It was a very big day for us, and we've had a lot of wins since then, and we're excited to have a lot more because every one of them means another piece of machine learning and artificial intelligence technology that's secure and can continue improving whatever problem it's been designed to solve.

Andrew Monaghan [00:30:46]:

Yeah, it definitely fuels the mission and helps people realize shit's got real all of a sudden, right? We've got real customers to support and let's get some more. Let's keep doing this again and again.

Chris Sestito [00:30:57]:


Andrew Monaghan [00:30:58]:

Speaking of which, looking in from the outside, it looked like you hired a CRO six months or so ago, maybe end of last summer. Lots of different ways to start selling motions and start a sales team. You went for the route of bringing in the leader with experience first. I'm wondering how you thought about that versus all the other different ways you could have done it.

Chris Sestito [00:31:19]:

Yeah, I mean, there's certainly, as you mentioned, many ways to do it, right? There's a lot of organizations that start with kind of the marketing side and move outward, or start with a specific account manager and then go from there. Truthfully, it wasn't about the role as much as it was about the person. Abigail Maines is our CRO, and she's somebody that I've been incredibly impressed with ever since we worked together back at Cylance. And she managed our partner and channel sales there, and she's out here in Austin as well. So we would work together a little bit there. And I was always incredibly impressed with her. She's brilliant. She was fantastic at working with the customer to understand what mattered to them. I really knew, with what we were doing, that was the exact type of person we needed to be leading our sales effort. And at an early stage startup, you wear a lot of hats, so even if you come in as a leader, you're still a contributor. So she comes in, she's a salesperson, she's a sales leader, she's a marketing leader. To be honest, it was mostly that I knew she was the right person to join us early on, and we built a lot of the strategy around that. And it's really been validated as a great decision based on how much she's been able to influence us in terms of how this company needs to grow and what we need to focus on. So the easiest answer to your question is really just that we knew Abigail should be here and she should be helping us on all the go to market functions. But then there's sort of the strategic side where I would say to have a healthy, successful seed round in a new category, I don't think it makes a whole lot of sense to focus on things like top of the funnel, lead generation or anything like that. At the earliest stages of a company, you need a few really good partners who can be your early customers and give you great feedback, and that's really about building those relationships. And so, to me, a CRO makes more sense at this stage than a CMO does. But again, there's many ways to do it right. There's organizations who have been very successful doing it in different ways. That's just sort of what we thought made the most sense for us right now. And we're very happy that that's the route we went, because Abigail is just as much of a leader in marketing and in general, strategy and all other things with us co-founders as she is a sales leader as well.

Andrew Monaghan [00:33:35]:

Two things spring to mind when you were talking there. One is this idea of getting the right people on the bus. If you know the right person or find the right person, you figure out the role for them. Right? And that sounds like we go with Abigail. The second thing is, I do think, as you say at this early stage, there's so much to do that I think people get too lost in the role. Like they'll say, I want to hire a CMO first or hire something else first. But really, maybe the more impactful thing is having the right person come in that can span or has strengths in different areas that will actually have a bigger impact than saying, oh no, we must have a CMO and then a CRO and then an SDR or wherever it might be. Right. You got to think about, is the right person going to come in and have a general impact on what we're doing?

Chris Sestito [00:34:21]:

I couldn't agree more, Andrew. That's basically exactly how we've made all our decisions for who's coming in here. And in an early stage startup, you're wearing so many different hats that trying to fit the role is going to become very inefficient very quickly. I mean, there's days where I'm talking to an investor, then I'm trying to close a sale, then we're writing some code on a new detection mechanism and then we're going to open a PO box because we need to have a mailing address for something and then it's lunchtime. Right? So to try and figure out what kind of person is supposed to fill those things, that doesn't really make a whole lot of sense, but we're strong believers that you bring the right people in. I honestly have always believed, even before Hidden Layer when I was building security teams, that 90% of your success is determined by who you bring in. And so if there's one area that you could call me like an overbearing CEO on, it's interviewing who comes in to join the team. We're also very lucky that we've had the ability to hire kind of within our existing networks and we haven't had to do any job posting and we probably won't have to for quite some time. But no, I couldn't agree with you more. I think it's very well said. I think that it's about bringing problem solvers in who are good decision makers. They have good minds for strategy, they have good minds for empathy and for understanding how to work with others and how to solve problems for customers. And then once you have that group of people in, then it's more about just dividing up the work than it is about specialties or roles. And I think we're very much at that stage right now and I hope we can hold onto it for a long time. Obviously, the more complexity in the organization, the more specific roles you need to be successful but like anything, there's sort of phases of growth. And at the phase we're in right now, it's really more about making sure the right people are involved. Yeah.

Andrew Monaghan [00:36:03]:

I've never been a founder like you are right now, but it would seem to me that anytime you bring new people in the organization, it's some sort of risk. Right. You've got someone come in, you need to expand, so you know you need to do it, but you don't really know until they get in what they're going to be like. But if you know the people and you've done it before, at least you got a good sense of what it's going to be like. And the last thing you really want to be worrying about is this person even going to fit in? I don't know how they work. Do I trust them? I want to, but I don't know them. Right. And if you take away that edge, it seems like it's going to give you a big leg up.

Chris Sestito [00:36:34]:

In those days, it's super helpful, especially now, as you mentioned. I think when there's only 20 people in an organization, there's no room for someone not to be a major contributor. And so I think that's really important. And again, we're lucky that there's many people who want to join the mission and work with us, and we're very fortunate that that's the position we're in. But it's not always true. There's a lot of organizations that do end up stumbling very early on because they invite somebody in who was great on paper or interviewed very well and then it didn't work out in the long run. So I think that it's a critical thing and the organization is really only the people who are in it. So I think if you don't focus a lot on making sure that that's the right team and the right responsibilities and the right sort of ways in which we interact with each other, then you're going to end up seeing problems sooner rather than later.

Andrew Monaghan [00:37:27]:

And you mentioned that when Abigail came in, she had immediate impact on some of the things you do on the go to market side. Can you give us one example of something that she kind of looked at and said, now we probably need to do this a little bit differently?

Chris Sestito [00:37:38]:

Yeah, I mean, Abigail has very strong feelings on our go to market. I think she came up through the channel and as such has some strong feelings about what that means for us. Our strategy is really built around that in the near future. I think there's obviously a sort of way in which an early stage startup is going to do business earlier on. You should have her on because she can give you a much better answer than I can. But she's got strong feelings about how this needs to be best brought to market for security folks who are not always the data science expert. We'll be embracing those mechanisms to get the product out there and to get that solution out there. And we've seen her be very successful with that in the past and we were a part of it at Cylance and she's gone on to some other organizations where she's been very successful using the channel as well. And oftentimes you're not going to hear a lot of seed stage startups talking about their channel strategy. I would say that is a different approach for her. But it makes a lot of sense. And when she explains it and when she lays it out and when you build it into your financial model, I think it is a very strong strategy. And there's a lot of good reasons to help create a category with partners like that. So, you know, we're excited to execute on that vision.

Andrew Monaghan [00:38:57]:

I'd love to talk to her about that, actually, because I think the conventional wisdom is that the channel doesn't make your market. So you kind of need to do the heavy lifting yourself. So I'd be interested to hear how she's going about doing that and see who she's partnering with. Let's flip this around, Tito, though. You guys are at an interesting stage right now. You're starting to build out the go to market. Is there any question for me around that whole process that I might be able to shed some light on for you?

Chris Sestito [00:39:23]:

Yeah, I would ask you because one of the things that everything we do is relatively similar to what other organizations have to do in cybersecurity. But there's always differences when you are creating a category. For us, machine learning is a brand new technology that needs to be secured. So when we say new category, we really mean new category. And so I would ask you, what things should we pay more attention to? How would you change your approach with an organization in a brand new category that we're the organization creating versus a more traditional go to market strategy or mechanism? I would be curious to your response there.

Andrew Monaghan [00:40:02]:

Yeah, I think that traditionally what people will do is they'll hire their first couple of salespeople. They'll think, okay, we need some pipeline, let's get some SDRs in here. Then they'll maybe do some outsource to work with SDRs or marketing company to try and get leads. They'll do some webinars and do a lot of the heavy lifting themselves. I don't think that model would work for you guys. What I would be thinking about, and maybe this is where Abigail is going with this, is to say you're at an interesting time because I know it's a different side of AI, but Generative AI has got all the buzz around it right now. But how could you go out to the market and do the education at a higher level, let's say, than an SDR calling up a CISO expecting to get a meeting? Right? So I'd be thinking about all the ways that you can go out there, you or the team or anyone, and just completely embed yourselves in every data science conference, whatever's going on in that world, as well as a security world, right? I think that's probably a natural thing to do. I think the one thing that I would say that I've seen people miss on when they're doing this is they feel like what they need to do is going to evangelize their company, their solution, their unique way of doing it, their fantastic, innovative thing that no one else is doing. Things like that. I think that's the mistake that people make. I think the way to actually do it is you go out and evangelize a problem. 98% of the time, all you talk about is the challenges and all the different the 30 tools and all the things that are finding in the ML AI world, and keep talking and talking and talking and talking about that. Not to frighten people, obviously, FUD in our world is kind of went out the door 20 years ago, but to just educate and open people's eyes a little bit about what's going on and how maybe some other, don't name companies, but how other approaches might not get it right. So you might say, for example, that I think the temptation is for people just to go on the scanning side, right, and think that if I just had I don't know what my EDR environment, if they just added on this feature to say, let's do some ML as well. Well, I think that's going to get you 25% of the way there. But here's why this extra 75% is not going to be met and here's what people are not thinking about and do all the education around that. And it sounds like you do podcasts a lot and things like that. I think that's the way to become known as, oh, when I think about ML AI, I'm thinking Hidden Layer because I heard Chris talk about this and that. He was on here, he was on there, he's everywhere, whoever the nominated kind of spokesperson is and just way over index on that right now and try and capture that lightning in the bottle that's going on to the point where you might wonder why you're doing it? And why don't people come up with new questions all the time?

Chris Sestito [00:43:03]:

Where it might be and could it.

Andrew Monaghan [00:43:05]:

Tackle it from that standpoint? That, to me, is the way maybe through the channel, they might help with that. But I wouldn't be investing in SDRs. I said to someone last week, you probably have this spokesperson ready in yourself, but if I was looking at investing dollars right now, especially in what you're doing, I would take two or three SDRs out of the business plan and put in a very well known high level evangelist, former CISO, someone like that, and have them. Your job is to be on everything that's going, be on the road, going to every conference and engaging with your network around this at the CISO level, I think that's probably how I would do it.

Chris Sestito [00:43:47]:

Those are great ideas and I think you're spot on with that kind of education first strategy. That's something that we're embracing and I think that's great advice and ever more important with a brand new category, so I appreciate that.

Andrew Monaghan [00:43:59]:

I talked to Eric Olden a few weeks back. Eric's the CEO at Strata Identity, it's his third identity company. He sold the previous two to RSA. He's got a strong track record. He had a rule that when they were a seed stage company and an A company, no one sent a cold email and no one made a cold call and he got there. They've got teams up to like 70. He's got a lot of traction on the revenue side and he got there because they over indexed on content and doing these events, things like that. And I actually had an R CEO reach out to me today saying, how do we do that? I want that strategy rather than hiring ten BDRs, please.

Chris Sestito [00:44:42]:

Yeah, that's fantastic. Yeah, that makes a lot more sense. I mean, that's how we are. We commit a lot of research right now and try and contribute wherever we can because I think that's what people want to see, that's how people understand. So I think that's pretty cool to hear that that strategy has worked a few times over for her.

Andrew Monaghan [00:44:57]:

That's great. Well, Tito, we've got RSA coming up in a couple of weeks' time. I wish you every success for the Innovation Sandbox competition. You've got a long way down the road already to get to the final ten, so I wish that Monday goes well for you. If someone was getting in touch with you to engage at RSA or afterwards, what's the best way to do that?

Chris Sestito [00:45:18]:

Yeah, right. On our website we have an opportunity, there's a tab for RSA, just at hiddenlayer.com you click RSA 2023. There's an opportunity to either set up meetings with us in a suite where we're hosting there or you can come to any of our events. We have a breakfast, a lunch and a dinner throughout the week, so there's a ton of opportunities to meet up with us and we'll be at a bunch of the events there as well. And then even outside of RSA, if you'd just like to have a meeting with us or check out the product in action or any of those things, that can all be done at hiddenlayer.com.

Andrew Monaghan [00:45:46]:

That's awesome. Well, a truly amazing time to be in the world that you're in right now. It sounds like it's super exciting. So wish you every success for this year and beyond.

Chris Sestito [00:45:54]:

Thank you so much, Andrew. I appreciate the call today.

Andrew Monaghan [00:45:57]:

So Chris and his team are doing some great work there at Hidden Layer, and definitely an emerging category. Seems to be more and more attention and probably fueled a little bit by the rise in the generative AI that we've seen in the last few months, given ChatGPT and things like that. Takeaways from me, I'm sure you've got more different ones than these, but for me, first one was the concept going way back to the book Good to Great from Jim Collins. Get the right people on the bus first and then figure out what the right role is for them. And I really was interested to hear Chris talk about their approach with getting Abigail Maines on board as a CRO. They worked with her in the past, knew her strength and how good she was and said, let's get her on board as the leader on the go to market side. We gave her a title CRO, but it sounds like she's spanning a lot of different things right now as an early stage company, but there was someone they knew, they trusted, knew could do a great job for them, and had some fresh ideas and approaches that she brought with her. So what a great approach to have. And as we said in the episode, they're getting too wrapped around job titles so much it perhaps is more important to think about the person as opposed to necessarily the job title. Secondly, it was interesting to hear about the genesis of Hidden Layer: three founders, security researchers at Cylance at the time. And Cylance was hit with an issue and as they resolved it, they realized, you know what, this is not going to be just us that has to deal with this. From now on, there's going to be many organizations out there that are going to face the same problem. And that got the head scratching a little bit about what do we do about it and do we build a company? And sometimes it is that thing where suddenly you realize, here's something that we can't solve easily and it's going to be a big problem in your current job that's going to drive the thinking to say, let's do something about this. Let's go form a company to go and do something about this. So that was interesting for me to hear. Thirdly, as a first time founder, there's so much you don't know. There's probably some things that you think you know, but you find out afterwards you didn't know quite so much. But what Tito was saying was that he had that network of people around him that he was able to turn to for advice at the start and still turns to as they're facing things. The founding team can call up someone and say, look, I need you to help us out with thinking through this one area about our business or the growth or development side or just anything to do with a startup world which is ever changing and changed a lot from when they started to when they're going right now. Those are the three takeaways for me. I'm sure you could say a different one, but whatever. I love what they're doing. I love Tito's passion for what he's working on and the approaches that he's got. So I wish them every success in the Innovation Sandbox final next week and also beyond of the 23 inch week four.