Der AktienTalk
Interview with cyber security expert Justin Leger, CEO of Cybeats
This final episode of 2023 is all about cyber security, and I had the pleasure of welcoming Justin Leger of Cybeats as my guest, who gives us interesting insights into current technologies and areas of application.
About Cybeats
WKN: A3DTZW | ISIN: CA23249F1099 | Ticker symbol: P4T
Cybeats is a cybersecurity company that offers SBOM management and software supply chain intelligence technologies, which support organizations in managing risk, meeting compliance requirements, and securing their software from procurement through development to operation. Our platform gives customers comprehensive insight into and transparency across their software supply chain, enabling them to improve operational efficiency and increase revenue. Cybeats. Software made secure.
Website: https://cybeats.com
Welcome to a new edition of the Aktien Talk. Today I have a guest from a company that is active in the cyber security sector. I'm talking about the company Cybeats, maybe some of you already know the term.
And I welcome Justin Leger for that today. I have the interview, as you probably can imagine, in English. And here, too, a transcript should be included in this podcast,
so that you can read all the important things as well. So, first of all, hello, Justin, and welcome to our show. Could you start by giving our listeners a brief introduction about yourself and your journey in the cyber security domain?
Of course, I'd be happy to. Thanks so much for having me. My name is Justin Leger.
Throughout my career, my driving mission has always been rooted in the protection and preservation of what matters most. I started my journey in the armed forces, where I spent over a decade. Later, I transitioned into the medical services program here in Canada, and even took on a leadership role during the Canadian national elections. These experiences ingrained in me, I think, the importance of integrity,
vigilance, adaptability, I would say. And drawing from this foundation, I eventually transitioned to cyber security with Cybeats Technologies.
Though I definitely classify myself as a student in this field, as chief operating officer, I've got the privilege of collaborating with a dedicated team.
And we're working to protect digital infrastructure that's essential in our everyday lives. In many ways, I think our role isn't just about protecting data.
Safeguarding information is tantamount to preserving data. It's about preserving trust, privacy, and in some ways, the very foundation of modern society.
So whether it's in the fields or online, my core principles remain the same.
Leveraging teamwork, technology, and strategy to build resilient defense. We live in an age of intertwined digital and physical realities, right?
I see cyber security... as vital to safeguarding the things that we care about. So I feel a great sense of responsibility and frankly, gratitude
that I have some small part to play in all this. So we got pretty deep pretty fast there, but that's me and that's the context I'm working in.
How would you describe the landscape of cyber security, its various areas, and perhaps share some notable security breaches to highlight its significance?
Yeah, certainly.
Simply put, cyber security, I would say, is just protecting information systems, or networks, or data from unauthorized access, theft, damage, that kind of thing.
And the landscape is multifaceted. There's a huge threat surface, if you will, and it reflects the dynamic nature of technology.
So the threats are always changing.
Some areas of cyber include endpoint security, network security, cloud security, application security, identity and access management, to name a few.
So it's a very, very broad subject. You mentioned some vulnerabilities or security breaches. Top of mind, and I do keep a few atop of mind in my line of work, is security.
Equifax, back in 2017, was massive. This is the largest credit bureau in the United States.
They had a breach where the data of 147 million people was compromised due to a vulnerability in a web application. I don't know if you remember that one.
And then a couple that are really relevant to the work that I'm doing are SolarWinds in 2020. This was a sophisticated supply chain attack, where malicious code was used to hack into the network.
It was inserted into a software update for the SolarWinds Orion product, I believe it was. And this allowed attackers to access the systems of tens of thousands of organizations, including government agencies.
And then another one in late 2021 was Log4j. And this vulnerability allowed attackers to execute their own code on affected systems.
And the really crazy thing about Log4j is that it was everywhere. It was very, very rare. It was widespread. Another software supply chain issue.
It was part of every Apache server, wasn't it?
Yeah, it's in almost every enterprise out there has software with Log4j component in it somewhere.
So it's just a matter of finding that weakness within their stack. So it was everywhere.
But I think these examples show that the problems we have on this aren't just a technical challenge, but they're a societal one.
Because we're so increasingly interconnected. The importance of robust cybersecurity across all domains, from personal to national infrastructure, it can't be overstated.
It's so important.
Justin, we'd love to hear your thoughts on the evolving role of Log4j. The role of cybersecurity in the economic circle. And any recent developments or trends that have caught your attention?
On the economic side, I would say that as we continue to digitize and rely more heavily on digital infrastructure for economic growth,
I would say the role of cybersecurity in the economic cycle has become more pronounced commensurately with our increasing reliance. In essence, with an increasing dependency on digital infrastructure.
I think that the digital platforms, cloud computing, AI, IoT, other emerging technologies, I think this digital transition is a driving force for economic growth.
However, with this growth comes an amplified risk of cyber threats. Cyber threats that have cost the world's economy trillions of dollars.
So I think a secure digital ecosystem becomes essential for sustained economic development. And that's been well backed up by our governments and institutions.
So consider a few concepts. Like trust in digital transactions. The global economy heavily depends on e-commerce and online banking at this point.
And for these to function smoothly and for consumers to trust them, robust cybersecurity measures are critical. A single breach can erode trust that took years to build.
Consider supply chain interdependencies. We've got modern supply chains that are basically intricate webs of interdependency, heavily reliant on digital tools and platforms.
A cyber attack on one can have a cascading effect, disrupting the economic cycle we're dependent on.
And in the case of software supply chains, this is even more pronounced. So consider SolarWinds and Log4j as examples of that kind of disruption.
And then lastly, I would say, you know, this is my industry. Cyber security industry is a significant job creator.
You know, and as these threats evolve, there's a growing demand for skilled professionals. And this in turn contributes to economic activity. It's a big question, Marcus.
Question about trends. And I'll briefly just talk about three. Okay. These might be, you know, well known by your audience. You'll see why I'm picking these three.
We're seeing a shift to zero trust architecture. Okay. The traditional approach of trust but verify is shifting to never trust, always verify.
Zero trust architectures, they don't automatically trust anything inside or outside the network. And they're gaining more trust. They're gaining more traction as a more secure model.
We're seeing emerging uses of AI and machine learning in cybersecurity.
These technologies are being deployed to detect and respond to threats mostly because they can do it faster than humans can. But these technologies, they're a double-edged sword, right?
Because adversaries can also use them to launch their attacks. And lastly, I got to mention software bills.
So, if you're interested in the details of material or SBOM, understanding what's in the software that serves as the backbone of our society, whether it's critical infrastructure, medical devices, telecom, or financial systems, is critically important.
For those unfamiliar, could you provide an introduction to SBOM? What is the significance in today's tech-driven era?
Certainly.
An SBOM is a comprehensive list of components in a piece of software. It's akin to a list of ingredients in food packaging.
With the increasing complexity of software and the frequent use of open-source components, having a clear understanding of what's inside software becomes crucial.
SBOMs provide transparency, helping organizations identify potential vulnerabilities. Stemming from the data. From outdated or even compromised components.
They play an essential role in software supply chain security. And there's ongoing discussion about making them a standard requirement in lots of different industries.
Especially for critical infrastructure providers and medical device manufacturers, for example. The push for SBOM has gained traction in recent years. For a few reasons.
Because they help companies. They help companies better manage and respond to security risks associated with third-party software. Third-party components, rather.
And because of a push from government to regulate this and bring them into more common use.
It might be surprising for people to realize that most of the software that we interact with in our daily lives, the components that, or the building blocks, rather, that make up this software,
are often open-source. And developers aren't going through line by line and looking at what's in each line of code. So they don't really know what's in there.
They know what works, what gives the effect that they need. But they can't account for every vulnerability, every, you know, every malicious line of code. But eventually they will be exploited.
Eventually it will come to light. And that's why knowing what's in your software is so essential. And many of the vendors out there don't. They don't know what's in their software.
So an SBOM becomes a very obvious thing that you would have expected that we would already have at this point. So it's really great that it's becoming more widely used.
And we've got lots of examples of issues where they could have helped save a lot of trouble.
You mentioned the Log4j. This security issue shook the tech world. How does a solution like Cybeats ensure that such oversights are minimized?
Yeah, certainly. Log4j is one of these components, right?
It's a bit of code that, its specific role is managing data and software. And like you had said earlier, it is everywhere. It's prolific, right? 95% of enterprises have software with the Log4j component in it.
And I believe it was December 2021. Yeah.
And that's when a major vulnerability in Log4j came to light, which opened the proverbial door to cybercriminals, nefarious state actors, you know, adversaries of all kinds.
And this allowed these actors to remotely execute their own code in your software, which, yeah, is crazy, right? Yeah. Yeah.
And this was a zero-day vulnerability, too. So when it was announced, there was no fix for it. So, you know, essentially letting the whole world know that it's open season on most large companies.
And, you know, what the security researchers found is in the first 72 hours following disclosure, I think it was 800,000 estimated attempts to avoid the vulnerability.
I'm not even sure how they would come up with that number, but they did. And, you know, within those first 72 hours, at that point, most companies didn't even understand the vulnerability. They didn't understand the scope of the problem.
They were desperately trying to answer the question, what is in my software?
And in one case, a Fortune 100 company spent millions of dollars, and they took upward of three months to address where Log4j was in their environment, never mind actually remediating the problem.
So if these companies... Sorry, go ahead.
Was this also something like a turning point for all these companies that they... Yeah.
I mean, they have to invest at least something in their security infrastructure, right? I believe so.
We saw with SolarWinds that that was a very deliberate methodical attack. That was a huge wake up call. Log4j was really a huge wake up call just because of how prolific it was.
And I think they realized that something else needed to be done. Because, you know, if these companies had adopted...
If these companies had adopted SBOM into their cybersecurity practices and had been using our products, Cybeats' product, SBOM Studio, they could have answered these questions that they spent months and millions of dollars trying to address.
They could have answered these questions virtually immediately and known exactly where the vulnerabilities were. And, you know, knowing is half the battle, right?
So while SBOMs give companies the data that they need to identify risk...
And I think people thinking through the process here are starting to realize, okay, if I have all these lists of ingredients, you know, how do I actually find where those issues are, right?
Because, you know, you're going to find thousands of... When you look at a complex bit of software, you're going to find hundreds if not thousands of vulnerabilities. That doesn't mean you need to pay attention to every one today, right?
So when you've got all of this SBOM...
That you need to identify the risks in the software supply chain, unless this data is managed, analyzed, and can inform decision-making, it's pretty useless, right?
And that's the solution that Cybeats provides.
We're providing our customers with actionable cyber intelligence using SBOMs as the primary data source and mixing that with our own blend of proprietary and third-party sources to really enhance the quality of the information that we're producing.
Okay. So, you know, this so-called SBOM problem that we solve is something that many early adopters have realized, and many have become our customers.
Because as more companies adopt SBOMs into their cybersecurity practice, particularly those in industries like medical and vendors to the US government, for example, we're going to see rapidly increasing need for solutions like ours to, you know, to help quiet the noise and help create real value out of SBOMs.
So, you know, we're going to see a lot of people start using SBOM adoption. Yeah. If you think of it, you're going to have, you know, thousands of pages of machine-readable data.
And SBOM isn't a list that you're going to, you know, break it out in a binder and start looking for specific things, right? You need an intelligence layer to actually point you in the right direction.
So, you know, giving you access to find the vulnerabilities in there. But, you know, it's not going to be easy.
But taking the next step and actually giving you an intelligent pointer on what you need to address, that's the core solution that I think we're providing.
Was the Log4j also the reason why the Biden administration made SBOM mandatory for government contractors in 2022?
Yeah, I don't know if that was specifically the impetus for it. You know, at the start, you know, everything, the wheels of government turned slowly. So this is something they've been working on for a long time.
And I probably should have mentioned SBOMs, you know, software bills of materials. It seems pretty simple what's a list. But really what it is is a standard.
And this is a standard that is agreed upon, you know, between government, between industry. So everybody just is on the same page within sort of the security establishment, if you will.
And what I think the Biden administration did there is just settle the question for everybody that, okay, this is what it looks like.
This is essential. And in terms of what that means, let me put it to you this way.
Today, anything sold to the U.S. government, the U.S. federal government that contains software will require an SBOM. So how is all this data going to be managed?
How are these vendors going to realize the benefit of SBOM without a solution like ours, right?
So but while the U.S. government is providing massive tailwinds to SBOM adoption, you know, with that regulatory push, I think, and I think many of our customers would agree, there's a strong business case beyond compliance with regulation for SBOM adoption.
And we can get into the benefits of SBOM Studio later.
But I think it's really only a matter of time before SBOMs become a really pervasive thing globally as the advantages of SBOM adoption become more obvious and help governments and companies gain competitive advantage against either their competition or their adversaries.
What implications does this have for international markets and specifically for Cybeats?
Well, first of all, I think it's a very important question. Yeah.
I think, you know, we're starting to see some traction within other jurisdictions, right, within the EU, for example.
So, like I said, SBOMs are, in essence, a standard.
And, you know, part of our product philosophy is to remain agnostic in terms of the source of your SBOM or even the quality, right? We have built in tools to help that.
We have built in tools to help enhance the quality of SBOMs to ensure they contain the right information.
I can't, you know, we don't have any specific contracts right now or are aware of any emerging contracts with any governments in the EU.
But we have seen recent movement to support SBOM adoption with the proposed EU Cyber Resiliency Act.
I think it was proposed about a year ago. And it's obviously still in the works. But this includes provisions for SBOM adoption.
So, we'll be keeping a close eye on the European market. But we've also seen interest from companies in Asia, particularly in Japan.
A lot of companies out there are very aware of the issues that we're trying to solve. And are interested in SBOM adoption.
So, as far as the market's concerned, if I have to start a conversation with a potential client and answer the question, what is an SBOM?
That's not a sale that's happening anytime soon, right? We're really solving a problem that is almost created by SBOMs, which is a data management problem.
But first of all, we have to be able to do that. Obviously, for many of the early adopters, we're able to provide huge value.
So, the real challenge for us as an SBOM management company or a software supply chain intelligence company, you can call us and look at it through different lenses.
But the real challenge for us is finding those folks that have adopted it and helping them address the challenges that SBOM adoption presents.
Cybeats has recently gained traction in the market. Could you share insights on how Cybeats is uniquely positioned in the SBOM solution space?
And what makes SBOM Studio stand out in the crowded market for cybersecurity solutions?
Yeah, yeah, yeah.
The market isn't, we don't have too much competition. We've actually focused and done things a little differently than most of our competition.
Which is why I think we're pulling ahead. A lot of companies focused on SBOM adoption and SBOM generation.
So, actually creating the SBOM, the digital artifact, the ingredients list. And we never saw that as the real value.
We saw the management phase of SBOM adoption as being where the real value lies. And that's been reflected in our product.
And that's, I mean, I think that's why we're pulling ahead. Because our customers have nine different ways of generating SBOMs. Some of them free.
So, it's really commoditized very quickly. And, you know, there's some software that's harder to generate SBOMs than others. And there's going to be a market there. And, you know, we're really excited that people are adopting.
And, you know, there's companies out there doing that work. That's great. But that's not our focus. Our focus is on having that central repository that can ingest all of that data.
And one of the cool things about our solution is that as part of that ingestion process, SBOM Studio corrects, normalizes, and enriches all of your SBOMs. Right?
And part of the way we do that, I think, is our second major differentiator is our data lake. So, this uses a mix of sources, you know, with a dash of data.
We have machine learning in there to help identify software vulnerabilities more quickly and with minimal false positives. As I mentioned before, there's a lot of noise in this space.
And once I've identified 2000 vulnerabilities in your software, you know, how do you prioritize? How do you even begin to tackle that? And this is something that SBOM, yeah, yeah.
This is something SBOM Studio can help decision-makers and developers do. To identify the things they need to pay attention to right now.
Could you provide some insights into Cybeats' revenue model and what potential clients can expect in terms of terms and offerings?
Right, right. Certainly.
And I'm just going to speak to, you know, what's being reflected today. There's a lot of room for growth for us.
A little, let's say, down market. Because right now, most of our customers are, you know, they're not going to be able to afford a lot of things. There's a lot of opportunity for them. And we're seeing the growth of companies like Fortune 500 companies. You know, they're the early adopters of SBOM.
They're the most, those with the most to lose and those with the most to gain by taking on a new cyber practice like SBOM adoption.
And they're also the ones that have the most SBOM data to contend with. So they're feeling that pressure of, okay, how do I actually get value out of this?
So we've seen uptake of our solution from a core group of early adopters. Particularly in the industrial control systems and medical device manufacturing spaces.
These are typically, you know, Fortune 500 companies, like I said, with tens of thousands of pieces of software to account for. With many versions of that software and many stakeholders.
And so we've developed SBOM Studio as a SaaS solution, a software as a service solution. With recurring annual license fees based on customer usage.
There's setup fees usually, and there could be development fees for any bespoke work that might be required.
And so typically we're seeing contract values in the range of $700,000 in terms up to three years. We also have some shorter term contracts that have come up for renewal.
And, you know, we're currently boasting 100% customer retention. Very proud of. But speaking back to the model. We have a defined pricing methodology.
And we work really hard to ensure that we're matching our offering with customer needs.
And for the age and maturity of our company, we've managed to navigate some really complex enterprise-grade procurements.
And we've managed to do so in a way that, in my opinion, would put many more senior companies to shame. So, you know, you can mark that down as another one of our competitive advantages.
Given the name SBOM Studio and the nature of your business, are there any restrictions or considerations regarding discussing your clients?
Oh, absolutely. Yeah. Yeah.
This is a huge frustration, particularly because, you know, investors want to know and we want to tell them. Right. But, you know, with my military background, I hope you'll forgive the metaphors.
But you don't always want your adversaries to know what your capabilities are. Right. Particularly when you're operating with a powerful intelligence tool.
That gives you a significant advantage in countering certain kinds of threats. So, like you say, many of our customers don't want to make those capabilities public. Totally understood.
But we've been fortunate that others don't mind so much, which is great. However, there's usually a lot of red.
Honestly, there's just a lot of red tape involved with getting these mega enterprises to let you share their name and logo.
Every contract I've seen, for example, stipulates that you need their permission to use their name or logo publicly.
And there's usually, you know, a review by legal and, you know, it goes fairly high up the chain to get that permission.
Which, you know, is frustrating for an emerging company like ours. But it's just part of the process. And, you know, we go through the process where we can. And we do have some requests currently in the pipeline.
And as soon as we're able to announce things, we will. Certainly, information we wish we could share. But, you know, this is the environment that we're in. And we certainly want to respect our customers' privacy when they ask for it.
So, when Cybeats makes announcements, especially pertaining to partnerships or agreements, how can stakeholders ensure their authenticity?
Could you explain the role of third-party regulators like IIROC in this process?
Sure. Yeah, yeah, of course.
You know, some of your listeners may know we're publicly traded on the Canadian Securities Exchange.
So, when we make any claims in press releases, we have to validate them with IIROC. And IIROC is the Investment Industry Regulatory Organization of Canada, okay?
This is the regulatory body that's ensuring that we can back up our claims and stay in line with Canadian securities law. So, that's part of our process.
When we make claims publicly, we don't shoot from the hip on that stuff. And we certainly don't want to draw any negative attention or make any claims that we can't back up.
How do you envision the growth trajectory for Cybeats, especially considering the current penetration of the export market in the business world?
Yeah, the growth trajectory.
Well, with consideration for my previous answer. I need to be careful about forward-looking statements, okay? But let me put it to you this way, okay?
This market is large and it's growing. We have major regulatory tailwinds acting as a primer for growth.
And we estimate this market to be valued at upward of 100 billion US dollars, okay? And this growth is validated by Gartner. I'm not sure if you'd be familiar with Gartner.
It's a leading technology industry. It's an analyst firm.
They anticipate that 65% of all companies worldwide will need to manage SBOMs in some way by 2025.
This is a huge number, right? So, a company with industry credibility, with strong customer validation,
and with a scalable platform like ours, is going to be well-positioned to take advantage of that growth.
Do you feel that the criticality of cybersecurity, especially for infrastructure, is accurately reflected in the current economic and stock market valuations?
I mean, I don't think so. But the next time there's a massive cyber breach,
the market will probably see a bump. I think that cybersecurity companies as a whole do get a lot of love from, let's call them institutional investors,
the VC crowd. And they often get quickly bought up by larger companies before they even hit the exchanges. So, I think Cybeats is an interesting case
because, you know, we're a small company. We're based in Canada. It's not conventional for cyber. We're working in a new and relatively unknown domain of cybersecurity that's, you know, it's gaining commercial value,
commercial traction, and industry credibility fairly quickly, which is good. And we do have those regulatory tailwinds out of the U.S. and increasingly the EU.
So, I'll let you make your own assessment of what that means for Cybeats in particular. But I do think there's room for improvement for sure.
What we have heard is that Cybeats has made notable strides in the industry. It's in the medtech domain. What's the secret sauce behind this success?
Yeah.
Yeah. So, medtech, that's an interesting one. I mean, there's lots of government help there for sure. But why we're, you know, Cybeats in particular, has been able to address it.
Cybeats was acquired. You know, it was started in 2016. It was more focused on IoT security.
And it was later acquired by a company called Scryb. That's S-C-R-Y-B. A bit of a funny spelling. And Scryb has its roots in medical technology development.
In fact, our current Cybeats CEO, Yoav Raiter, he came from Scryb. And I think it's fair to say that our management team understands
the medical device industry. And we've been able to leverage that understanding to provide the value that those companies need right now in their SBOM journey.
And they see a path for how we're going to be able to continue to provide that value for them in the future. The US Food and Drug Administration has mandated the submission
of SBOMs for all new medical devices effective this month. Okay. So, there is a burning need within that vertical, particularly among the large players for what we do.
So, I think it's a mix of external factors and internal factors that have allowed us to really make strides there.
With giants in the tech industry always looking for promising acquisitions, is there any possibility of Cybeats being on their radar?
Well, we're focused on the fundamentals of the business and, you know, providing value for the customers, growing our revenue, all the stuff you would expect from us.
And, you know, we're certainly open to anything that would, at the end, you know, make the investors happy.
But there's no deliberate effort to get acquired right now. You know, we're listed and we're making a go of it. But I think Cybeats is making a name for ourselves.
And, you know, cyber industry is highly innovative, fast moving, constant new entrants, and then followed by consolidation, right? So, I would not be surprised if, you know,
we're on some M&A VP's list somewhere. But I think they're going to be looking for us to have a bit more in our rearview mirror, so to speak, if that makes sense.
They're going to want to see a little bit more history, a little bit more traction. And, yeah, so we haven't had anything to bring to the board of directors yet,
but it wouldn't surprise me if that happens.
For investors tuning in, could you share three compelling reasons they should consider adding Cybeats to their watch list?
You know, I'll give you a little bit of alliteration here. The market, the model, and the management. And I say the management because, you know, bad management can ruin a great team.
And I think it's fair to say we've got lucky with both an incredible team and competent leadership across the board. So, speaking to the market, there's enormous market potential here, right?
The addressable market for Cybeats is not only big, but it's also growing. And, you know, this is expanded market growth is catalyzed by government regulation,
which I think underscores the inevitability of this sector's development. It's inevitable.
Our SaaS sales model with recurring revenue is, I think, proven by this point to help foster leverage. It's a long-term and sustainable growth. And when you match that with our first mover advantage
and the enterprise customer validation that we've received, I think you've got a compelling case for investment. And lastly, we've cultivated a winning team
and a winning culture that understands the industry, understands the customer, understands how to deliver, and understands how to stay ahead of the technological curve.
And so, for those reasons, and many more, I'm heavily invested in Cybeats, both with my career, financially, and I'm very excited to see where we can take this opportunity.
Justin, thank you for your time and for such interesting insights into Cybeats and the cybersecurity domain. I really hope we will talk soon again and hear from you about the progress Cybeats has made in the future.
Fair enough. Yeah, thank you so much.