Interview: Chris Rouland
Chris Rouland is a 25-year veteran of the information security industry and a valued member of the Atlanta technology community. Chris has founded several companies focused on providing cyber security to Fortune 500 corporations and government establishments earning him the distinction of one of Atlanta’s most respected technology entrepreneurs.
Most recently, Chris founded Bastille, the only company focused exclusively on providing intrusion detection and vulnerability assessment for the Internet of Things (IoT). With more than 50 billion connected devices expected by 2020, Bastille is pioneering security for enterprise IoT with a committed focus on detecting and mitigating airborne threats.
In 2008, Chris founded Endgame, leader in cyber security and defense for the government sector. In just three years, he grew the company from his basement to more than $10 million in revenue and nearly 100 employees. Chris also put together a world-class team of investors and board of directors investing over $58 million in venture capital. His innovation and leadership combined with Endgame’s rapid growth awarded him the Metro Atlanta Chamber’s Business Person of the Year in 2011.
Prior to founding Endgame, Chris served as chief technology officer at Internet Security Systems Inc. (ISS) where he was responsible for the overall technical direction of its product and services portfolio. In addition, he was a formidable figure in the success of ISS’s X-Force online threat taskforce. In 2006, IBM Corp. purchased ISS, where Chris remained CTO and was appointed an IBM Distinguished Engineer. From 1994 to 1998, Chris served as vice president of distributed technology at Lehman Brothers. A noted information security expert, Chris is a sought after speaker and has been featured in national publications, including Forbes and Wall Street Journal.
1. Over the last 25 years, you’ve founded a number of companies in the IS space. What was the rationale behind starting up your most recent company, Bastille?
I have always had an interest in security, technology and amateur radio. After a successful move from my last company, I took some much needed time off to spend with my family. Part of that time involved taking my kids to carpool in the morning, and I found the entire process to be lengthy and cumbersome. In an effort to expedite this process, I tried to figure out if we could use RF emissions from IoT devices such as mobile phones, wearables and even vehicles to identify parents and create a sort order/prioritization of the carpool line.
Bastille was born with another name, and after taking my idea to Silicon Valley, they said, “This is great – but what you’re doing could be incredibly valuable for the enterprise.” I left the meeting and decided to shift the focus of the company. Obviously, through the work of our top talent, we’re able to do a lot more than just get through carpool more quickly.
I have been interested in cybersecurity since my early teens, and while Lehman Brothers was an incredible company to cut my teeth in technology and finance, I wanted to try working in a security startup and building products.
3. What hard and soft skills are needed to be successful in the fast-pace IT/IS industry?
I build companies on a great deal of trust. I tell every potential new-hire that my job as CEO is to hire top talent, set vision and not run out of money. Culture is very important. We invest heavily in making sure we’re not just working on the coolest technology, but also working with the brightest people and given the necessary work-life balance to remain focused and dedicated. Of course, this also means that I have to work very hard to make sure the company’s financial performance positions us for continued growth.
Security for wired and Wi-Fi threats is pretty secure, and even MDM has brought some additional security to certain mobile devices. However, the truth is, the average CISO has no idea what’s happening in their airspace. They simply do not have the ability or tools necessary to see all of the devices that interact with their employees and assets on a daily basis – and these devices will become the next threat vector. Situational awareness is critical in securing IoT, ICS and M2M in the enterprise, and more importantly, mitigating insider threat.
5. Are there differences in term of levels of preparedness when comparing Fortune 500 entities and government agencies? Please explain.
JP Morgan’s Cyber Security budget is the same as U.S. Cyber Command. This seems to be a mismatch to me.
6. In your opinion, what are the greatest cyber security threats on the tech radar right now?
I certainly see the influx of 15M connected devices per day as one of the biggest threats. Data hostage technology is probably one that concerns me the most; criminals have created tremendous wealth with it already.
7. What newer cyber security issues could in the near future cause big problems for businesses and government agencies?
The old style attacks of Phishing, malware, etc. will remain table stakes for the immediate future, but the Internet of Things is probably the biggest threat we face in the near future. Embedded devices are largely insecure, so it’s only a matter of time before the bad guys start trying to find ways in through the IoT. We’ve seen some of it already with the recent retail breaches. Of course, we’ve always had concern with insider threats and that won’t change, the difference is now there’s a lot of IoT technology that they can leverage to cause damage to companies.
8. What are some of the negative consequences that can materialize if cyberattacks are successful?
A bad cyberattack could be existential. A successful attack can damage brands and consumer confidence, while costing millions – if not billions – in damages. We haven’t seen a large public company go under from one yet, but I predict we will.
9. How can businesses go about developing a corporate culture that places an appropriate emphasis on cyber security?
I think this is a huge challenge; I’d even go so far as to say impossible. Millennials have grown up with technology, and they’re not going to give up their connectivity for corporate policy. It’s critical that corporations view each employee, vendor, partner and visitor as if they have the potential for harm. Even if it’s unwitting.