Cyber Risk & Quantum: Perspective On Startup Security & Tech Trends With Domingo Guerra

Navigating cyber risk in today’s rapidly evolving tech landscape requires more than just “whiz-bang” gadgets; it demands a strategic, aerial view, and that’s precisely what we dive into with our special guest, Domingo Guerra, a patented outdoorsman, cybersecurity company founder, and early-stage investor! In this episode, John Riley and Domingo peel back the layers of cyber threats and risk transference, exploring the differences between cybersecurity “trench warfare” and the bigger-picture strategic thinking required for executives. Domingo, with his unique blend of technical know-how, go-to-market expertise, and investor insights, shares his experiences from building and selling his mobile security company and his current focus on helping other founders in the space. We discuss the most significant cybersecurity threats facing companies today, including the AI revolution, quantum computing’s potential impact, and how startups can prioritize security without breaking the bank, plus some great insights on his love of skiing (Black Diamonds included). If you’re looking for actionable advice on reducing cyber risk and understanding the future of security, you won’t want to miss this dynamic conversation!

 


We have an amazing guest who is a patented outdoorsman who likes skiing, running, biking, or anything outdoors. He’s also an investor in early-stage companies after exiting his own cybersecurity company. Introducing our special guest, Domingo Guerra. Did I get that right, Domingo?

You got it. Thanks, John.

Cybersecurity Vs. Cyber Risk & AI Threats: Decoding The Landscape

Thanks for being on the show. I appreciate you being here, and let’s try to have some fun with cybersecurity and risk transference. The basic question right off the bat is, what’s the difference that you see in cybersecurity versus cyber risk?

Oftentimes, folks don’t differentiate them, but they’re actually different approaches or different things to look at. Cybersecurity, I look at as more of an active thing, saying, “How are we going to detect, defend, and respond to incidents?” Whereas cyber risk is maybe even a higher level of just how do we evaluate where we might be vulnerable, not just from a technology, but as an organization, how are we going to recover if something happens? How are we going to prove to our stakeholders that we have done the homework, done the work, know where we might be weak, how we can protect ourselves, and how do we share that confidence with other stakeholders up and down the food chain within an organization?

I think what you’re saying also is that, like the people that are doing cybersecurity on a day-to-day basis, what we would consider like trench warfare, they’re doing the defense, they’re in the firefight every day trying to keep the hackers out and scanning the horizon to try and figure things out. When we talk about cyber risk, I think it’s a little bit, as you said, higher view. It’s like the airplane flying over and getting the overall view of where things are that maybe just scanning the horizon doesn’t get you. That cyber risk is a way of looking at that, what might be needed outside of just the current view that you might have.

I think also from a resiliency perspective, it is really important to take both views. The granular is important for maybe setting up immediate action items or things to do and an active type of threat. Zooming out and seeing the overall horizon is equally important or else you can’t have the right informed approach as to how to tackle certain threats. I think they go hand in hand and organizations that do both well are way better than organizations that are maybe just strong in one versus the other.

I would say most organizations today have put more of the dollars towards that cybersecurity part. The cyber risk part is where things are starting to heat up, I would say, because they need that higher view. Executives are tired of being snowed by the technology and the next whiz-bang thing that’s going to go save the network. Now they need another one, and another one because all the technology changes so quickly. They’re trying to get that higher view of what that cyber risk might look like versus what it just looks like down in the trench. What would you say the most significant cybersecurity threats are that are facing companies today?

I think we’re in a really interesting stage in the overall enterprise landscape where we’re seeing a transformation happen across the board. Every time this happens, it’s really exciting in terms of new technologies coming in. It’s also really scary because we have to rethink or rewrite our approach across the board. Obviously, right now, I’m talking about AI, but if we zoom out a little bit, we went through this in the early 2010s with mobile and everyone finally getting rid of their Blackberries for getting iPhones and Android. Everything was about “push everything to the cloud.” Now, it’s the whole digital transformation of the workplace. It’s not whether or not we adopt AI. I’ve heard it said, “AI or die.”

Companies are running towards what their AI strategy will be. From a security hat, we’re saying, “What are going to be the unintended consequences of this? What are going to be the new types of threats from this?” It’s an exciting period, it’s a scary period, but at a high level, we’re seeing attack surface increase and also the types of threat actors increase and that’s a dangerous combination.

I would even add onto that, the internal threat. An employee who’s thinking that they’re trying to get things done and using AI, but maybe giving away data that they shouldn’t be. That’s what they’ve always done. At home, they’re able to run this AI thing and since it’s somewhat new, run this thing through it, tell me what I should do. They don’t realize what data they might be giving away or what shouldn’t be given away from that standpoint.

I think it also reminds me of BYOD or bring your own device and now it’s bring your own AI. When we think about all the existing security pillars, email security, that’s different when now your adversary is not just a human trying to do phishing or social engineering, but an LLM that’s trained to do that. Rule-based approaches won’t work when your adversary is not mimicking the exact same attack vectors that we’ve seen before.

Obviously, every category needs to be then reimagined and redesigned with an AI attack vector in mind. Likewise, on the opportunity side, is that now our security teams don’t just have to rely on additional humans for scale, which has always been a choke point. Even if you have budget, you don’t have unlimited security engineers. How do we then now have agents working for us, not just against us? It’s an exciting time.

Investing In Cyber: How To Prioritize Risk In Emerging Tech

I definitely think that it is the future on both sides, both from the hacker standpoint and even duplicating somebody’s voice and voice recognition and some of the security ways that we do two-factor authentication. There are so many things that are coming to light in how we’re going to have to rethink some of these items moving forward. I’m looking forward to that. Especially as an investor, the companies you’re investing in, how should they prioritize their cyber risk?

I think the interesting part there is that we can see a lot of new trends emerging. Sometimes the difficult part is saying how far is that trend though? Right now, everyone’s excited about AI and I think there’s been a realization moment in the last few years like, “This stuff is real now, not just machine learning or not just, right, something else that was called AI. Now the capabilities are actually there.”

There are still some companies that are saying, “Now we’re working on the next threat,” which is quantum, and it’s still TBD as to how near that threat actually is, but we have to recognize the fact that AI and LLMs in general will accelerate that development of quantum as well. Maybe what seems really far away is not that far away. I think the hardest part is not the trend, but getting the timing right. If you’re too early, you’re wrong as well.

I think from that perspective, my approach as an investor has tried to be, what’s coming but sooner rather than later. What can we measure in terms of traction to show that there’s appetite from the enterprise to consume these products and services? Ultimately, the only truth is what traction you can get. It’s not about how nice the presentation is or how much sense it makes from a technology or approach perspective. Traction, at the end of the day, is the ultimate measure of truth. I think that’s what we always try to seek.

Your point on quantum computers there is a great one as well because most companies aren’t going to run out and buy quantum computers. The whole SaaS and everything else. I’ve been around long enough to see SaaS come in. I remember the old days of hosting SalesLogix and GoldMine and my own applications within a fairly large organization. Lotus Notes, we’ll just leave it at that.

Coming from that area of database backed in-house applications going to Salesforce.com and some of the OG SaaS companies that are building it around. Initially, the SaaS companies were very small, but you’ve always been renting somebody else’s computer and their space and the other pieces. I think when it comes to the quantum piece and AI, with so many AI bots, I think you’re still renting those from the vendor of choice.

We are definitely heading for some fun times as far as the quantum piece, because you’re right, getting the timing right for companies is going to be a chess game, I would say, not checkers. Excellent. What about budgets? If you’re a startup, do you need to start looking at the cybersecurity risk and cybersecurity itself as you’re building a SaaS? Most people are “go fast and break things” these days. Security’s not the top of mind, generally.

Startup Security: Building Cyber Resilience From Day One

It can be tough from a budget perspective to decide how to allocate. I think that’s another thing that has been changing. Whereas before, some folks could say, “I don’t have to worry about it because I’m not a big target. I’m not that popular. No one’s going to try to break in or ransom my backend,” or something. I think that’s stuck in the old paradigm where your adversary was some dudes in a basement with hoodies or something. Maybe your security was just being abstract and maybe not well known.

The reality now, though, is that the types of tools that attackers are using are just scanning for open ports or exposed backends or vulnerabilities, and they’re going to go after the low-hanging fruit regardless of the brand or the industry or the size of the company. Counterintuitively, a large company that has a big threat on their back, a big target, they have more resiliency, they have more systems, they have proper backups, they probably have the right tools. They are essentially tougher to attack.

Versus the smaller companies, the startups, maybe they’re more exposed or probably, and a mistake or an issue could be catastrophic because if you don’t have backups and you don’t have funds to potentially pay a ransom, it could be game over. My answer is as soon as you can, you should start thinking about security. It’s not about how big of a company you are or not, it’s about what you have to lose. For a lot of companies, that’s everything.

If data is your business, then you need to make it your business. You look at somebody like a 23andMe that was collecting DNA data and then once they had the breach, that was pretty much it from a trust standpoint. They lost it. I know I’m not sending my information off to them or sending my DNA off and so it becomes a business killer if they haven’t thought about that.

I think the other thing to think about too is that sometimes the company itself or the startup is not the target, but their customers are. Especially for companies that are selling into government, selling into regulated industries or selling into large enterprise, you could just be used against your own customers. The security of your backend, the security of your product and your APIs becomes increasingly important, depending on your customer profile, or as you mentioned, the type of data that you’re hosting.

I always like to think about back at the initial Target hack that happened years and years ago. The hackers initially targeted Target. They weren’t able to get there because of the enterprise-level security. What they did is they went after some of the vendors that were listed on the website and were able to get in through the HVAC vendor. Brilliant to go through the smaller vendor that maybe didn’t have the right security controls or they’re like, “We’re an air conditioning company. Why would we need that?” Once you have that trusted advisor or that trusted piece that comes into their network, it’s not locked down, then you get access to the kingdom, so to speak.

That’s always been an interesting view of, “I’m too small.” I’ve seen it way too often. I’ve seen it backfire way too often too because, as you said, people are just scanning IPs and everything else. If you talk to whoever’s in charge of your firewall, ask them to show you the scans that they’re receiving and you’ll just see minute by minute, second by second that you’re being targeted, whether you know it or not.

That makes it very difficult to fight against. Thank you for the technology. We talked about a little bit earlier. The emerging trends that you’re seeing right now that have a profound impact on cybersecurity. You talked about quantum computers, you talked about AI. Those are things that are close to being here now. What’s going to be after that?

I think we live in a world where we considered computers or bots bad in a sense that most websites were trying to block non-humans, so click on the chimneys or click on the stairs or whatever type of new CAPTCHAs were out there. We haven’t thought about that problem in a world where we have legitimate good agents doing work for us. In the workplace that might mean coworkers or employees or workloads that are essentially agents doing tasks.

I think overall, identity on the internet has to be rethought. It’s not just knowing a password. It’s not just, are you human or not? There’s going to be good humans and bad humans and good agents and bad agents. I think we have to rethink that. That has a lot of implications into enterprise security and risk management overall.

Disaster Drills: Planning For When A Cyber Breach Hits

Especially when the voice print’s not going to be enough or maybe face scans. There are all kinds of things that we’re going to be looking at that can be fooled possibly. Definitely, fingerprint scans and irises and that type of thing that are pretty hard to fool. That’s a technology that we’re not, I would say, ready to put in the home yet. That’s a good point. What does a disaster journey look like? Being in cybersecurity, I don’t know if you’ve experienced one, but what does that look like and how do companies prepare for when that breach happens?

That’s a great point. It’s not if, it’s when. The other part that’s important is preparedness. You don’t want to go through an incident and it being the first time you ever think about it, because in a crisis situation, you’re not going to make the best decisions. You’re going to overlook a lot of things and you’re going to make mistakes.

Just like pilots have a checklist and surgeons have a checklist, enterprise teams or company teams need a checklist. They need to do some scenario planning ahead of time. What would happen in the event of a breach? Who will we notify and what will we do and how would we come out on the other end as best as possible? I think a huge aspect of security that gets overlooked is that preparedness and planning and running simulations and running drills and just having everyone’s contact info.

You can’t assume that you’ll be able to use Slack or email if your systems are compromised, for example. You can’t assume you’ll be able to meet in person because it might happen over the weekend and it usually does. A lot of that is just how do we prepare, how do we plan? I had an opportunity to go through this a lot, luckily on the planning side and not on the reactive side. When we sold our company into Symantec, they’re obviously a massive security vendor, but also a massive target.

They do a lot of planning and they did a really amazing job of just having those different teams and stakeholders go through simulations and drills. It’s something that I’ve taken with me to every organization that I’ve been with after in terms of implementing some plans from the technology side, but then also from the PR side and messaging side because how do you respond to customers? How do you respond to quotes when it eventually gets out that you were breached? Which law enforcement or agencies do you need to notify? Things like that. That training is something that has to happen at every level of the organization, not every level, but every relevant level in the organization. Not just the security teams, but all the way up to the executive chain as well.

Yeah, because you definitely don’t want the executive out there at the last moment, making some statement that makes it worse. What I like to say is that you don’t want to send the peewee football team out to play the Super Bowl. When that breach actually happens, that is the Super Bowl. How you prepare for it or how you practiced for it will have a lot to do with how you get through it or not.

From a compliance perspective, there’s also a lot of potential legal and financial repercussions on how you handled it and what you said or you didn’t say when you had to say it or not. There are timelines, especially with things like GDPR where you have to make a statement and you have to make an announcement and you don’t want to be investigating those after the fact.

What’s interesting about that is that all 50 states now have breach notification laws and they’re different depending on which data it was and everything else. It’s very easy to make a mistake when you’re in that moment and you haven’t thought about it, and those mistakes will cost you. It’s a good way of trying to avoid that and avoid those fines from different places, especially if you have people that you work with in all the different states. Definitely keep track of that and practice. All right. Domingo, tell me a little bit about the journey. Who are you? How did you get here? How did you end up on this show? Let’s chat about you a little bit.

Domingo’s Journey: From Engineer to Cyber Investor

Yeah, absolutely. I started my career as an engineer, really focused on design and building new products. I loved that part of it, but I also realized that in order to have a winning product, there’s more than design. You needed to nail everything from the go to market, the messaging, the strategy. Over my career, I started moving up that chain and let go of my initial passion on the really technical side and moved more into like the management and product introduction and then essentially, eventually go to market.

For me, what got me into cybersecurity was living firsthand that BYOD movement. I remember when we got rid of our Blackberries in 2007, iPhone came out and the security team, or the IT team at the company I worked for said, “No way, it’s Blackberry or nothing. We’re not going to support iPhone.” Telling that to a bunch of engineers doesn’t really work. We all figured out a way to bring those into network, but we realized also that we were creating additional threats to the workplace and I saw that as a business opportunity.

My cofounder was at McAfee and we joined forces to build a mobile security company called Appthority and really grew a pretty nice business on helping enterprise manage mobile threats or mobile risk, specifically analyzing mobile apps, mobile behaviors, data leakage, permissions, and different types of network threats.

We grew the company quite a bit and eventually sold it to Symantec in 2018. I got to learn, again, a lot about go to market and one of the biggest security portfolios out there. Symantec had a lot of change a year later when Broadcom acquired Symantec. That created an opportunity for me to start looking at what was next.

For me, while I loved my startup journey and I loved the building of the startup, I also loved working with other founders. I started doing some angel investing, some advising, and eventually some of those companies became pretty large. One of them, Incode, in the identity and biometric space. Again, we were discussing earlier about how to tell if it’s a human or not or an AI. They do a biometric scan and tie that to employee or customer accounts to be able to see if they’ve had an account takeover or verify it’s really them.

I joined them to help grow their North America sales and expand the market. At that point, I had a realization that if I wanted to have greater impact in the space, as a founder, I could maybe build one company and hopefully make it a success. As an investor and advisor over a ten-year period, I might make 50 or 100 investments and help that many founders really have a bigger impact.

If I’m a decade or two in the future, looking back, what would I feel more proud of more than building 1 or 2 companies is having an impact and being able to help potentially hundreds of founders grow this space and help reach more or solve more issues, that’s something that I could really feel proud of. That’s what brought me into the investment side full-time.

Excellent. That’s a great story. Being able to sell the company, to working with some of the larger companies in the world as far as Symantec and these other ones, McAfee, having a partner from McAfee, that is a great journey that you took to get there. You also had some great opportunities through school. I’m sure there’s some other people that you keep in touch with from Stanford and your days at Austin. Also, when I was looking at your LinkedIn profile, I noticed that you had a number of patents that you’ve been awarded, so congratulations on that. That’s another way of changing the world, helping others to realize maybe some patterns or things that are needed in today’s world.

Thank you. The part that’s always exciting to me is going back to the technical nature. Even though I focus a lot on the business and the go-to-market, I’m still a nerd at heart. Yeah, the patent is something that I’ve really enjoyed as well.

I can definitely understand. I get that because I started off my career doing networks for telecom networks and a whole bunch of internal networks back in the days before it was popular and easy. We’re talking dial-up internet and it was actually the days before internet, we’ll just put it that way, so we had to make our own. I’ve always been a blinky light person. I like the blinky lights, I like the technology, but forced to manage it at times now. That’s the way I look at it. What are you currently working on that most excites you nowadays?

Cybersecurity Investing: A Founder’s Insight On Market Strategy

Once I decided to focus on investing, it was really trying to carve a space that was new, a different approach. I tried to think back as a founder what I wish I had as well. Obviously, we had a lot of great investors and besides capital, they were able to open a lot of doors. Traditionally, many of the investors were generalists where they know a lot about different topics.

For me, the idea was what if we can really concentrate on cybersecurity, focus on the enterprise and bring additional value and help on that go-to-market side because like me, most founders are already technical or they have a technical team. When I started selling, I had zero idea how to go and sell into the workplace. When I’ve been in charge of security companies, I also realized that CISOs are the most targeted person in the workplace.

Especially from the C-suite, everyone sells to the CFO, some people sell to the CEO, but every single vendor will email or try to knock on the CISO’s door. How do we create a message that resonates? How do you first identify what the right approach is? It might be different depending on which company, your vertical, or even how they map out their organization.

To me, the big opportunity is saying, “Let’s make this into a process that’s repeatable.” Even though the different technologies that we work with are obviously very different, their go to market, their approach, we can follow a certain methodology and get more traction faster. I think to me, what was exciting is realizing that you can still innovate, you can still build, you can still go and change the world, but if you take a structured approach, you’re going to have more repeatable success.

It’s something maybe not very intuitive, but if you look at Stanford, you mentioned earlier the design school, they teach design thinking as a process. It’s counterintuitive to say, “How can design or creativity be a process or be a checklist or be taught?” There’s actually science behind it. You can do innovation in a structured format and that’s what we’re trying to do.

It makes a lot of sense and that everybody would see value from being able to constructively focus on those items and move those items forward. Tell me, what do you like to do outside of work? I mentioned that you’re an outdoorsman, but are you a black diamond? Are you a blue square? Are you a green circle skier? Tell me a little bit about what you like to do outside of work.

Yeah, I grew up skiing and for me, that was something we did as a family. When I first moved to California, none of my friends here skied. Everyone snowboarded, so I had to learn how to snowboard. Of course, they take you through the black diamonds saying that’s the best way to learn. You learn the hard way, but you get pretty good pretty quickly.

More recent years, my kids are younger, so they wanted to learn how to ski, so I started helping them with skiing, and I went back to skiing. Now we’re skiing as a family. We just unlocked a new achievement this season. We all went down the blacks, but for the last few years, I was more in the green and blue runs with them. We made it to the blacks again.

My father was a ski patrolman at Heavenly Valley for a few years and such. My first lesson skiing was putting the skis on and then him knocking me over and saying, “Okay, get up.” I think that’s always the first lesson, but I think that was the first lesson. You also do bike riding. Do you bike ride around the city? Also, running.

We do some bike riding in the city. When I commute into the office, I usually try to take my bike. I also have a bike with a bench in the back, so that was how I was taking my kids to school when they were younger. They’re a little heavier now, so we skipped that. I love mountain biking as well. Something that I love about the Bay Area in general is there’s a lot of nature. For me, if we’re going to live here, it’s like a call to action constantly to go outside and explore the beautiful wilderness that we have. That keeps you active, but also keeps you enjoying the area.

If you ever get a chance to go do the Salmon Falls Road, there’s a bike trail that goes right along Folsom Lake there, a mountain bike trail and you can enjoy that one. That would be a good one. When I was out there last, I went and did that. It was a lot of fun. I enjoyed it. All right. Where can people find you? I know you’ve got a LinkedIn. Where would you like people to look you up?

I think LinkedIn is a great way to connect. We’re working on the new fund now, so we’ll announce that soon, but for now, I think LinkedIn is the best place to stay connected and see how I can help and also share ideas. I think that’s one of the things I like best about the space. Going to industry events, you see sometimes the same people with a new logo on their shirt and get to catch up on what they’re solving now or what they’re working on now. I think it’s a great way to keep the space interactive and keep helping each other out.

The last thing is that I’d like you to give our audience an action item. What is one piece of advice or tip you would give them for reducing the cybersecurity risk?

From a risk perspective, trying to realize that the current threats we had are only going to get worse when the adversary is using technology and tools at their disposal. The bar from an attacker perspective keeps getting lower where it’s not like an incredibly gifted person that has to figure out how to go phish your organization. They can use a tool that’s pre-trained or they can self-learn to do that now.

When we think about that, it might be scary, but at the same time, I think the challenge is how do we use these tools and technologies to defend ourselves as well. I think that’s, to me, what’s more exciting. It’s more optimistic. As a final note, instead of a scary note is that as the attackers get better, we can leapfrog and get even stronger as well, both from a security but also from a risk management perspective.

Two is to ask for help. Trying to solve everything ourselves I think is impossible. I think that’s why working with startups, working with other vendors, working with partners is how we get coverage because as an organization or as a security team on our own, it feels hopeless. When we tap into these other technologies and networks is how we all win.

I would add onto that. Also, take a look at the frameworks. The cybersecurity frameworks. Use them as a guide for the parts that you can, if you’re in cybersecurity specifically, there’s a bunch of technical pieces. If you’re in executive management, there’s definitely executive ones. It goes back to what you were talking about with design thinking. Cybersecurity is an art. There’s maybe a form that can help you get to that artwork.

When you how to do design thinking and a lot of that’s already been done. Now it’s just a matter of making sure you follow through with. All right. Domingo, I appreciate your time. I think this was a great interview and I’m always happy to have somebody like you on here that has some cybersecurity experience and risk management understanding.

For our audience, thank you for reading. If you’ve learned something in this episode, laughed, liked some of the stories, if you want to try skiing, let us know. Tell somebody about the show. Again, Domingo, we appreciate you being on. I appreciate you being on the show. We appreciate you. Omnistruct appreciates you. There it is. There’s been another great episode. All right, thank you, everybody. See you next time.

 

About Domingo Guerra

Domingo shared his background in entrepreneurship, having founded and sold a cybersecurity company, and his current role as a general manager for North America at a biometrics and identity access management company. He expressed his desire to have a greater impact on the cybersecurity ecosystem by investing in multiple companies rather than starting a new venture. 

Domingo shared his current focus on investing in early-stage cybersecurity companies to accelerate innovation and close the gap between adversary capabilities and defensive measures. He advised organizations to rely on external services and experts in the field for better protection and return on investment. He is also an angel investor.

He also has several patents, per LinkedIn.

Scaling Network for Early-Stage Tech Growth

Domingo discussed the potential for scaling a network of individuals to assist with go-to-market strategies for early-stage technology companies. He emphasized the importance of accelerating growth and preparing companies for Series A funding. Domingo’s investment approach is that investments are typically made in companies with early validation and proof of concept.

Cyber Risk

Domingo believes in the increasing importance of cyber risk for CEOs and the C-suite, as it can lead to company-ending situations, legal accountability, and attacks from criminal organizations and nation-states. He also believes in the importance of having a disaster recovery plan and conducting regular exercises to identify blind spots and improve protection.

Domingo loves outdoor activities and mentioned his enjoyment of hiking, biking, and skiing in the San Francisco Bay Area, or anything outdoors.

He graduated from Stanford and the University of Texas at Austin with degrees in Mechanical Engineering.
