Video with Wes O’Donnell
Managing Editor, InCyberDefense
Note: This article and video originally appeared on InCyberDefense.
Bryson Bort is a National Security Institute Fellow and an Advisor to the Army Cyber Institute. He is also the Founder of SCYTHE, a start-up building a next-generation attack emulation platform. In this interview, InCyberDefense Managing Editor Wes O’Donnell discusses both the current state of cybersecurity and veteran entrepreneurship.
Transcript:
Wes O’Donnell: Hi. I’m Wes O’Donnell. Welcome to National Harbor. I’m here with Bryson Bort, founder and CEO of SCYTHE, and founder of GRIMM cybersecurity. Also, an Army veteran and West Point graduate. Bryson, thanks so much for joining me.
Bryson: Thanks for having me, Wes.
Wes: Can you start by telling me a little bit about your military background?
Bryson: Sure. I was a Signal Corps officer, which pretty much meant I ran around sand and grit squares where I didn’t know I was and made sure I didn’t get yelled at because everybody else could communicate.
Wes: I was in the infantry in the time I was in. It was a rough life, but we relied on the Signal Corps. That was our life line. I don’t think that a lot of active duty service members are well‑prepared for their transition. How was that transition for you? Was it difficult?
Bryson: Absolutely. To start, I was injured. I was MEBed in 2004 when we were redeploying to Iraq. It was emotionally very difficult. Not only was I struggling with an injury that was painful and very restrictive, I was now also facing a whole new world.
I went to West Point because I wanted to go out of a sense of patriotism. I wanted to give something back. To suddenly now be facing a future that doesn’t involve that was very disorienting. I didn’t know where to start. I went to one of the JLMO recruiting companies where they call you through to a bunch of companies. You don’t know who you’re going to meet until you walk in the door.
I took the first job I was offered, which in hindsight said a lot about them, more than it did about me, because I told them in the job interview, I didn’t even know what the job title meant. I wasn’t joking. I wasn’t being humble. I really had no clue what they were asking me to do. They hired me.
Wes: That’s awesome. What led you to cybersecurity initially?
Bryson: I started as a kid. I pretty much got through high school because we had those graphing calculators. It didn’t matter what subject I was in. I was on my graphing calculator creating games. I created Street Fighter on a graphing calculator. You would fight the computer.
I sold those games to my friends. It kept me entertained because I could be in English class programming on my calculator. [laughs] My English teacher would generally frown upon that. For the most part, I was allowed to pursue it.
Then I went and studied computer science at West Point. Ironically, the first job I got out of the Army had absolutely nothing to do with IT because I really felt like I needed sabbatical from doing that. Within a year, I got back into it again.
Wes: That was a different generation when you were in school. I think today, one of the keys for cybersecurity is really getting the youth interested at a young age. I just visited Pinckney, which is a high school in Michigan that has a cybersecurity range in it and tries to grab these kids when they’re still in high school and get them interested into cybersecurity.
Switching gears, talking about your business and your entrepreneurship journey, where do you find good individuals to bring into your organization who have that cybersecurity background?
Bryson: Before I started my company, I was a corporate vice president at a defense contractor. I ran the capabilities division. We had several hundred folks. We grew it to several hundred folks. I’ve seen thousands of resumes. Probably in the last decade, I’ve been in charge of hiring 500 to 600 people.
What’s interesting is we always, as a group, ask that question of how do we find folks that would work, because if we can refine the interview process, then we will have a greater chance of bringing in better talent earlier as opposed to the failure where somebody doesn’t get it.
We found a few characteristics that worked. We tried all sorts of different technical tests. We tried multiple interviews with different parts of the team.
At the end of the day, it really was a 50/50 thing. We would bring in folks that were very technically confident, because what cybersecurity requires you to do is not the engineering perspective of I need to be the best at this part of the stack,” but I need to be able to think holistically of risk and I need to always be considering that at all time.
It’s a very different mindset. It’s really hard to gauge somebody’s mindset. Even after about a year, we would find about a 50 percent rate of those who got it. The biggest trait that really seem to make the difference was that passion and curiosity that they had of really trying.
There’s what you do during your day job and then there was what they would go in extracurricular to master, to learn, to engage, to understand, and build a network of relationships that would help them be better at their job. That was the biggest thing that I saw as a difference.
Wes: That passion. You’re looking for that passion. It’s not just a job for them. I recently visited your GRIMM cybersecurity facility in Michigan. I saw this Internet of Things model. This model is used almost like a challenge to try and get people to hack into different IoT devices inside this house. Can you tell me about the toaster?
Bryson: [laughs] Has the toaster insulted you? Are you still upset, Wes, about that?
Wes: Yeah. I’m a little upset about the toaster.
Bryson: What we have in Michigan is what we call our embedded systems or critical infrastructure lab. It’s a 7,000‑square‑foot facility that you can drive in vehicles. You can work on all sorts of these computers that aren’t the kind of computers that are on your desktop, but are the kinds of computers that pervade our everyday life.
A few years ago, we created a lab called Howdy Neighbor, which is the house you’re talking about. There’s been a million dollars of research and development into that house. The construction doesn’t look like it, but all the engineering that went on the back end is the complexity. It has 25 different devices.
What we did is we crafted what are called challenges around those devices. Folks at different conferences were working to put it online, so it would be the kind of thing that you could work with from your own home, not our home. [laughs]
What those challenges allow you to do is start to get understanding of different principles around reverse engineering, exploitation, open systems intelligence on this working house. That exhibit was at the non‑profit I co‑founded at the ICS Village where we do critical infrastructure education and awareness.
The biggest security conference in the world for individuals is called DEF CON every year in Las Vegas. The Howdy Neighbor exhibit was at DEF CON last year.
That capture of the flag competition as a part of the Village actually earned the winner, a black badge at DEF CON, which is the highest mark of honor that you can get in a hacking community, because you now have guaranteed free access to DEF CON for life.
Wes: That’s awesome. A lot of other veteran entrepreneurs that I’ve spoken with, they tap into their military network to try and score some of those early customers. For you in your startup journey, where do those early customers come from?
Bryson: [laughs] Day one of GRIMM, I was there on my couch by myself, looking at the phone and going, “OK, now I’m on my own. Now what?” [laughs] Honestly, I went back to the network of relationships that I built up, because the myth of the entrepreneur is this super human who does all of these things. It’s their passion and drive that make it all happen.
That’s certainly a factor, but more importantly, it’s the relationships, it’s the network that they have, and using that network and asking that network for help because your friends will help you. That’s what I did for two years. We scrambled from odd job to odd job. I was basically a cyber janitor. If you needed it, we did it.
No job was too small. No work was to and beneath us. We did everything until we finally started to get that momentum as a small business where you start to get the bigger work, the bigger contracts. We broke into the commercial space out of typical government contracting. That’s where things really took off for us.
Wes: That’s interesting. Just asking, are you a service‑disabled veteran‑owned small business?
Bryson: Yes, GRIMM is.
Wes: Let’s talk about funding, because I know that funding is a barrier for a lot of transitioning service members. Some that may have a brilliant idea don’t always have a perfect credit score or have the ability to get a bank loan, or they don’t have the network for angel investors. What would you suggest to that aspiring veteran entrepreneur?
Bryson: I have two for‑profit companies, GRIMM and SCYTHE. Each had a different funding model. Consultant‑based businesses grow organically. You make money for the work you do. You eventually make enough money that you hire somebody and then you hire somebody. It just slowly grows that way.
GRIMM I was able to start by myself with a little bit of money. We grew into our revenue. That’s how the company eventually blossomed. The idea for the product SCYTHE that we created, originally, we incubated that ourselves and we paid for the research and development out of the money we were making at GRIMM.
The biggest thing I realized at that point was it wasn’t a question of money, it was a question of I didn’t know what the hell I was doing. I didn’t know commercial products. I didn’t know enterprise sales and marketing. These were all foreign concepts to me. What I needed was help.
I went out and looked to raise money from investors who had been there and had done it themselves so that I wouldn’t make the mistakes that I would probably make on my own, because I would have that counsel and guidance from somebody who has the skin in the game with me.
Now that being said, that all sounds really easy. That was a very painful 10 months of trying to raise for my seed round with SCYTHE. Considering I was technically already a successful entrepreneur, the fact that I was East Coast, the fact that the company that I built was consultancy were seen as strikes against me to the VC community.
Going and trying to raise money is like a decade of dating in a relationship and there’s no sex. You never get anywhere. You just get rejected over and over and over until finally somebody comes and goes, “All right, you’re good-looking. Let’s see where this goes.”
That’s the first time you get be the prettiest girl in the room for a brief moment until you close your round, and then they’re like, “All right, go to work.” [laughs]
Wes: I love that analogy. It’s not about me personally, but when I first left the Air Force, I worked for corporate America for a while. I went and started a very small business using my own savings. I think I had $60,000 in savings at the time, designed and got a patent pending on modular medical cart.
It was during that first 12 months where I had this look in the mirror moment. What have I done? I haven’t sold anything. I’ve just taken my family from a very comfortable six‑figure job to the poverty line where we’re on WIC and food stamps. There’s that moment in an entrepreneur, especially in those early days in that valley of death where you’re like, “Man, did I make the right decision?”
Bryson: The honeymoon, that initial surge of enthusiasm when you start, quickly fades into the grind of reality, which is one, as the entrepreneur, everything rests on you. The paycheck, insurance, benefits, things happening or not happening. There’s nobody to look back and go, “Oh, no, wait.” You’re it. You’re the last stop.
The metaphor I always thought is it’s like being a cheetah in the Serengeti. You’re in that dry season, your ribs are poking through, you’re hungry, you’re thirsty, and you do whatever you can do to make it to when it’s going to rain, because it will rain if you can survive through it.
That’s when you get to fill your belly, drink as much as you want, and prosper until the next dry season because these things continue to feast and famine. That is that gut check as an entrepreneur as you push through that, you wake up each day going, “All right, I can get through this and I’m going to do this.”
The biggest advice I always give to a budding entrepreneur, because I think entrepreneurs, we’re very exclusive society that’s willing to accept anybody. Once you’re in, everybody will help you.
Whatever idea you have to go do, you have to want to do it so badly that when you wake up on those mornings where you’re starving and you’re thirsty, you’re still going to attack the day and you’re not going to give up.
Wes: I love it. Jumping back to cybersecurity, more and more companies are looking at vulnerability assessments. I think after last year, we had these pretty massive breaches. We got Facebook, T‑Mobile. There were some big names out there, Uber.
I think companies are finally waking up to we’re in the midst of a severe manpower shortage, a severe shortage of cybersecurity professionals. What could companies be doing to better protect themselves?
Bryson: There’s a lot of focus right now in cybersecurity on automation, security orchestration and automation in all these different levels because we don’t have the talent. There are not enough people to turn the cyber wrenches every day in the trenches to make this all work.
The part that I would not blame on corporate America is I think we as a technical field have failed them. What I mean by that, and you see this in the military as well, the purpose of the military is that infantrymen, or infantrywomen now, going with speed in violence. That’s what we do. The technical field is there to support and enable that.
It’s the same thing in corporate American with business. The business was started and created for a reason. That business is there to make the world’s best cookies. This computer stuff is just there to help them make the world’s best cookies.
The technical field, when they were talking to them and saying, “Well, cybersecurity is something we need to assure you that you can do this with these cookies.” The problem is that they did it in nerd speak. Nerds talking to other nerds. They didn’t understand the business. They didn’t talk to the business.
How is the business supposed to understand this person who’s standing in front of you babbling in gibberish about CVSS vulnerabilities and why you should care? Didn’t I already give you enough money? Why isn’t this problem solved? They don’t understand the cookies are still good, they’re still going out. I don’t get it.
It’s hard to understand that not only is this the former realm of what we thought of as the 400‑pound hacker eating pizza in his mom’s basement to this is now a nation‑state activity. We have adversarial countries causing all sorts of damage and entropy in intelligence operations continually in places that we wouldn’t necessarily think as direct targets.
The hack of Marriott was most likely done because somebody was collecting intelligence on U.S. officials. Back to your question of what can corporate America do, I think they need to start to frame everything into the risk to the business.
It’s not just this technical risk. Everything you do for that IT side needs to be prioritized and funneled back to how does it work to the business priorities and then funnel from there.
Wes: Where is SCYTHE in five years?
Bryson: This is where I get to sail on a yacht.
[laughter]
Bryson: I will never own a boat. I will always have a friend who owns a boat, but not me. Where I hope SCYTHE is in five years, first, what we’ve built is a tool that allows executives, the executive perspective of you’re spending this money on security. You’re spending it on technology which everybody immediately thinks so. More importantly, you’re also spending it on people.
Are your employees trained? Do they support or degrade the controls around your business? Your IT staff, are they able to function at the speed that you need them to? The folks that you contract to provide that support, are they providing you that support that you want? Are you getting your money’s worth? That’s what our tool does.
How we did that is very much the military perspective of your risk is defined by your threat. What we allow you to do is dial up that threat on your production environment across the enterprise. If I get to be bold here, what I would hope is in five years, I’ve completely tipped the apple cart of how we look at this whole cybersecurity space.
All of these vendors and all of these sectors, we’ve brought a measuring stick to the table for the first time where a company can evaluate for themselves, because business risk is contextual and it’s your risk. You don’t care about my risk, you care about your risk.
Now, you can look at all of those products and all those services with that measuring stick that fits you and decide what works for you. That’s my hope, my claim, what I want to do in five years.
Wes: That’s actually surprising to me that companies don’t already provide that. It’s almost like a one‑size‑fits‑all cybersecurity solution for a lot of firms offering their services. It seems simultaneously brilliant, but also obvious that you should be allowing the companies to tailor their own solutions based on their needs, based on the problems that they’re having.
Bryson: Wes, this is why I was an Army officer, because simple and obvious is about the best I can do.
Wes: [laughs] Last question, what book are you reading right now?
Bryson: I just finished reading “The Cuckoo’s Nest.” Very funny book that gives you an insight to the beginning of computer security from this sys admin. Basically, he describes himself a hippie at Berkeley who suddenly found himself in the middle of one of the first major hacks across all of our military and intelligence infrastructure in the early ’80s. It’s very interesting and easy to read.
The book that I’m reading right now on my nightstand is written by a friend of mine, Chris Kubecka. It’s called “Hacking the World with OSINT.” OSINT is open systems intelligence. It’s the ability to gain data on anything you want because it’s publicly available, and then using that to be able to conduct operations.
Wes: Bryson, thank you much for taking the time. This has been Wes O’Donnell at National Harbor with Bryson Bort, founder and CEO of SCYTHE and GRIMM cybersecurity.