[00:31]Innovation in Cybersecurity with Audra Simons

Arika Pierce: We have another, guest from the UK with us this week. We have Audra Simons. Thank you for joining us, Audra.

Audra Simons: Good morning.

Arika Pierce: So, Audra, you are the director of Innovation Labs at Forcepoint. And as we said, you're based where in the UK are you based, by the way?

Audra Simons: We're based in Reading in Berkshire.

Arika Pierce: Oh, very good.

Eric Trexler: So Right outside London.

Arika Pierce: Gotcha.

Audra Simons: It's just like the IT hub. London.

Arika Pierce: Okay. So, you know, we hear so much about innovation. It's kind of a buzzword, I would say, in so many different, sectors right now. But I thought today we could spend a little bit of time talking about, you know, what truly is innovation, especially from a cybersecurity perspective. So just curious, how do you view innovation, Audra? And we, also like to know how you view it as well.

Audra Simons: Personally, I view innovation very much as, creating the the products and solutions of the future. A lot of what we do is, looking at where the market's going, look at the trends, look at the problems that our customers are facing and how we can address those. But what I do a lot of is focus on the ideation side of things, so the ideation and research side, execute and actually make them into something. But if you don't execute and actually make them into something, they don't really count.

Balancing Risk and Innovation in Cybersecurity

Eric Trexler: I think that's a great point, Audra. I actually ran an innovation, and development organization around threats, and threat innovation. You had techniques on how to determine, malware, APTs, 0 days. And that was the biggest thing that I learned in that process. Innovators like to do fun things. They like to try things. And you've gotta be willing to fail. You've gotta give them the latitude to fail, but you also have to put constraints around it because, without guardrails, they'll literally innovate on anything.

Audra Simons: Oh, absolutely.

Eric Trexler: Or try to. And what ends up happening is you lose focus of why you're doing it, what you're what you're really trying to accomplish, which is to solve customer problems.

Audra Simons: Exactly. And one of our mantras is if we're gonna fail, we wanna fail quickly because failing quickly doesn't cost as much as failing in the longer term.

Arika Pierce: Yes. I always say you should fail quickly and fail forward. Right?

Eric Trexler: But you you need a focus. I remember one of the things when the new MacBook Pro came out, the trash can model. Everybody had to have one so we could innovate faster. And it was like, well, okay. That'd be cool. Help me understand what that will do to help the customer. Right? Now there are things. You had we had to have we had to have Xboxes.

Fostering Innovation in Cybersecurity

Eric Trexler: We had an Xbox game room where they would just take breaks to chill, to think, to bond as a team while they thought about customer problems. And that was a really, you know, it wasn't necessarily innovation in itself, but it fostered an innovative environment and it made sense. Whether you were developing on a Mac Pro or something else, you know, it's so you gotta have those, you gotta have a strong leader who can look at and direct the innovative team in my opinion.

Audra Simons: Agree. And, I've actually done some courses on innovation to identify what kind of people you need to be part of your innovation team to make it successful. The people who are the ideas people are absolutely essential, but the delivery people and the ones who actually execute are essential too. Most innovation teams in businesses tend to be more made up of the ideation side of things rather than the executors.

Eric Trexler: Agreed.

Arika Pierce: That's interesting. Never the same person. Right? You have they have your idea people and the people that can execute.

Eric Trexler: Well, sometimes you have the same person. You know, you'll you'll see they they have a great idea. They'll do a mock-up for you. They'll they'll even do a production pilot, we might call it in the industry. And all of a sudden you've got something that almost works, which is a really great idea or a really bad idea. 

Aligning Ideas with Innovation in Cybersecurity

Eric Trexler: But many times, you have the idea of people, and they either don't know how to convert that into a product or productize it, or they don't know how to Q and A it from the perspective of, is there value here for our customer or not? Like, great. How do you how do you figure out what a great idea it looks like?

Audra Simons: Exactly. And at the end of the day, everything that you do in innovation should be aligned with your customer's needs. I truly believe that. I mean, I know that Steve Jobs said that we'll build it and they'll come, but most businesses don't work that way. Our customers need us to be solving real-world problems. So, therefore, getting customers involved upfront in innovation is incredibly important.

Eric Trexler: Audra, I love that concept. In my experience, the most successful innovation I've seen is when we had a customer problem and we threw a really creative smart team at it and said, okay. Here's the problem statement. How do we solve it? As opposed to just generating ideas for the sake of generating ideas. They were able to target and and bound themselves and it worked a lot Mark effectively.

Audra Simons: It does, and it tends to to be more mean you're more successful in the market because you've actually taken your customers along the journey with you. So they've been part of the innovation. So it's it becomes real.

[06:12] Cybersecurity Trust Scores and the Evolution of Innovation

Arika Pierce: So what kind of innovations are we seeing right now, especially, you know, in terms of innovation in cybersecurity? You know, I know some of the innovations that we probably can't talk about, but, you know, what's on the horizon right now? What type of customer problems do you see in terms of the industry that need to be solved?

Audra Simons: Some things I can tell you about because I've actually spoken externally about them. I actually believe that trust scores or risk scores are going to start becoming something that businesses have to report on. There are, companies like Moody's who are beginning to put, cyber risk scores as part of their overall financial scoring of businesses.

So I believe that's definitely coming, and it's and with the number of breaches that are happening and so on, like, companies' cyber hygiene is going to become as important as their financial health. So that is definitely something that's coming. And, Eric, I don't know if you're seeing that so much on the government side of things of maybe government departments being able to prove that their cyber hygiene is healthy?

Eric Trexler: We're seeing you know, the DOD has the cyber scorecard. We see the FISMA reports on the civilian side. So we're we're seeing the rankings and the, you know, the metrics being rolled out. Risk is still a really difficult conversation to have in the government space. And from what I hear from my peers, even in the commercial space, getting your hands around cyber risk, the risk to the business, is still very challenging primarily because there is there's still a wall between IT and security and the business.

Driving Innovation in Cybersecurity

Audra Simons: Agreed. But if you start having the conversations as part of, you know, business risk management rather than naming it cybersecurity, then you start getting board members who actually get what you're talking about.

Eric Trexler: Oh, I think the board wants it. I mean, the board speaks about risk all the time. Right?

Audra Simons: Yes.

Eric Trexler: So the board wants it. I think the insurance companies want to talk in that language.

Audra Simons: Definitely.

Eric Trexler: Right? And honestly, I think those two entities will be driving that risk conversation. 3 to 5 years from now, I think this would be a very different answer to the question.

Audra Simons: Absolutely. I mean, the way I see it is that going forward, once it's established, people will have it on their website. You know, it'll be like like when you go to restaurants and you see kind of people's hygiene rating in a restaurant, it'll be that, but for cybersecurity. So it'll make it a lot easier to make decisions on who you want to do business with and who you have within the supply chain and your supplier's supply chain.

Eric Trexler: But there still needs to be an education process. I mean, in in some cases, what we see at least in the states, consumers continue to do business with companies even after post-breach.

Arika Pierce: So I was thinking that same thing. Like, would I not bank with someone who recently had a breach?

Eric Trexler: Would you move your banking accounts? Maybe even another better question.

The Role of Innovation in Cybersecurity

Audra Simons: I would. But the thing is, at the end of the day, there's free will across everything for people to make their decisions. But at least if you're beginning to get the information to help you make an educated decision on who you want to do business with, then it's there. If people decide not to take advantage of that, then that's a personal choice.

Eric Trexler: I think it comes down to the education of the audience also. We speak from an educated cyber perspective. We understand somewhat the risk. I don't know that the common constituent of the United States or your country across the globe necessarily understands what the risk looks like until they've actually had to deal with it. Right? If your your data your your identity is stolen

Audra Simons: Yes.

Eric Trexler: That's a real problem.

Audra Simons: An impact on their lives. Absolutely. But maybe it's about being able to tell the story so people can actually see it as tangible and how it will affect their lives if it happens.

Eric Trexler: Oh, absolutely. Audra, let's let's get back to innovation. I mean, when we talk about innovation in cybersecurity, how do you how do you do it? What does it look like? How fast is it from idea to productization? Can you give us some examples?

Audra Simons: I can indeed. The way we tend to work, we have 3 different streams, where ideas come into our team. We have directed research, which is one of our main channels where it comes through from, the business. 

A Multi-Faceted Approach to Ideation and Development

Audra Simons: So, effectively, we have new idea-generation workshops that we do when we need to innovate in particular areas. We do hackathons. We have R and D weeks. And we also work on patent harvesting. On top of that, we have input from our customers, from our sales teams, from the SEs, and from the industry.

Audra Simons: We also work very closely with our parent company looking at some areas of co-development. And one of the areas that, the last area of innovation streams is around our university program. So we we have a university program where we try to inject some of academia into our research. So Why do

Eric Trexler: Why do we do that? Why not just do it all in-house?

Audra Simons: Because of the fact we don't you know, there are a lot of very smart, very innovative people out in the world beyond us, and it helps to actually expand your view because I'd like even speaking with you, Eric, on a regular basis. We have very different points of view on specific topics, but it helps to actually develop your ideas if you're actually getting people to come at it from a different direction. It helps with creativity. It helps with how you're actually addressing the problem and your approach to addressing the problem.

Eric Trexler: Interesting.

Arika Pierce: Well, I guess innovators come in different, flavors. Right?

Audra Simons: Absolutely. And it's like spinning a Rubik's cube. Every time you turn it, it can be different depending on who you actually have as part of that.

[12:27] Maximizing Returns Through Innovation in Cybersecurity

Eric Trexler: So that's the thing I've I've noticed. You never know if it's going to pay off or if you're going to spend your time and end up with nothing. Yeah. That's true. Just proving an idea.

Arika Pierce: But that's all part of the risk. Right?

Audra Simons: I mean It is risk.

Eric Trexler: Part of the risk. Actually,

Audra Simons: Part of what we do is derisk our investments. So therefore in doing that, we do things like we expose the ideas, we expose the concepts, we expose the prototypes to our customers to actually get their feedback on what we're doing the direction we're taking and find you know true world, like, are we actually addressing your problems if we do it in this manner? So that helps a lot from a de-risking. Also, if you create a prototype and you test it, you're going to be even if it's a failure, you may actually discover something from it that can actually take you in a different direction that won't be a failure.

Eric Trexler: It reminds me of interviewing. You know, the hiring process is so, so complex and it drives me crazy because you wanna get to the best candidate. That's your goal. You wanna hire somebody. But you have to go through let's say you interview and you put 10 people through the process. Yes. That's a 10% success rate. Yeah.

Eric Trexler: In most evaluations, in most things in life, that would be an absolute failure. Really, you're successful though, if you get the best possible person by going through that arduous process you can.

Audra Simons: It's and that's that's

Eric Trexler: Even though only yes.

Lessons in Effective Development

Audra Simons: But you also have to look at something else through what we're doing. Companies who do not have innovation groups but are trying to innovate may take a solution all the way to go to market and out into the market, invest all the time and energy in the development of that and try and sell it to customers, and then it doesn't address a problem. So it's it's a lame-duck product. Like, it's not doing anything out there, and they've just invested x number of 1,000,000 dollars taking it to market because they didn't test it in the first place.

Eric Trexler: This is equivalent to hiring the wrong person because you spend 30 minutes talking to them. So I fundamentally, I agree with it. It just drives me crazy in innovation and in hiring. So take us through an example Audra, where I don't know maybe we worked with a university program. Let's take it outside the company From idea or concept creation through to productization, what does that look like?

Audra Simons: Okay. Well, University of Texas San Antonio, we've been working with. We had a program that ran with them over the last year. We define that we wanted to look at particular areas, 1 being insider threat, and 2, identification of insider threat through, like, effectively data at rest and looking at whether it was possible to develop an algorithm that could identify insider threat potential based on the files that people store. Because you have to look at files, like, that you store, and you don't touch that often, but you're keeping them. Mhmm. Tech to be reasonably valuable details. They tend to be valuable data.

Exploring Insider Threats Through Data Analysis

Eric Trexler: Like, I have I have Senell. I have PII all over my laptop. Yeah. And I may have it from 5 years ago where it's I'm not using it, but it's there.

Arika Pierce: Still there.

Audra Simons: Exactly. So our approach with the university was around defining what we wanted to try to find and, and work out whether it's even feasible. Because how do you know whether, looking at what people store on their c drive, whether or not that actually is going to show anything of value? So we did we did a series of tests with them. They actually focused, their algorithm development around graph measurements, which is very graph theories around, well, it's dedicated to the study of structures made up of verticals Ford, sorry, vertices, connected by direct and indirect edges, which is it generally, it makes some really good pictures that that I'll actually show you. It's very visual. But the idea was to see whether or not we could create a risk a risk profile based on the data that people held.

Eric Trexler: Who came up with the idea?

Audra Simons: The idea actually came from us, but we actually agreed on the details with, the university because they have very they have a cyber security center where they focus particularly on insider threats.

Eric Trexler: So how do you decide to go out of the house instead of keeping it in-house to do the research?

Lessons Learned Through Innovation in Cybersecurity

Audra Simons: We decided that this was an area that, we didn't necessarily like. Insider threat, we have expertise within the business, but actually identification, going out to look at, say, Tech pilers and, and data hoarding and those sorts of things, we didn't feel we had the ability to invest the time to actually go out and do the algorithm development. And, there's a key Tech, based at the university that is completely algorithm-focused and around insider threat. 

So sometimes it's it's better to farm out the research, but we held hands the whole way. We had monthly meetings or much more often, quite often in different parts of it to actually look at where we Mark going, the findings that we're getting, and so on. And, admittedly, we did do several, passes in terms of datasets to actually work out what kind of datasets provide meaning and what ones don't. So when Go Go ahead, Erica. Yeah.

Arika Pierce: I was gonna say, so, in terms of what what what did you find or what were some of the outcomes? Can you share any of that?

Audra Simons: Oh, yes. I can. It's weird.

Eric Trexler: Did it work?

Audra Simons: Well, we found that there's definitely value in it. We also after the algorithm had been developed and we had findings that were showing, like, we actually provided them some data was seeded with bad actors in order to see whether or not we could find those bad actors, and we did, which was a good start to it. 

[18:31] Profile Validation and Algorithmic Innovation in Cybersecurity

Audra Simons: But we also then, did a validation of the admin rhythm using random Ford to make certain the ones that were actually some of the things that we found that were interesting were not necessarily related to the algorithm. Some of the things that we discovered were the data itself and looking at, so you look at the profile that you get set up with when you join Forcepoint. So like the like IT, they may go and look at what's the most relevant profile for you. All businesses do this differently, but the problem is those profiles at the very beginning can actually be things that will lead to problems for a company later on. So, Eric, say if we gave you an HR profile, we decided that's most appropriate for you.

Eric Trexler: A very bad idea, but go ahead.

Audra Simons: We're gonna give you the HR profile, and you're going to have visibility of all offer letters, all salary rises, and all that sort of things. It was some of these things started kind of highlighting what could happen and things that we need to think about because those can be some of the problems that people have access to data that they shouldn't. Another thing we found is sometimes we overshare. 

So sometimes we send out information and data far more than we should to to people who don't necessarily need to have that information. And, so in that case, that can kind of lead to false positives just surely because of the fact people saved it because it was sent to them. So that that was interesting. But, learning from the algorithm itself, made peer-to-peer comparisons within departments very easy. 

Data Clustering for Enhanced Security

Audra Simons: So if you're looking at finance, there was absolutely you could kind of lay one graph over the other and actually see how similar people are who work in certain departments in terms of the types of data they have, the volumes of data they have, kind of the clustering of what the content of the data is.

And so it proves you can actually see that at least from data at rest. And then when you have individuals who are very outside of their peers, then it's easier to actually go, is it just because our job is that much different, or is it something we should be concerned about?

Eric Trexler: In this case then, we took an idea concept. We actually proved it. In addition to proving the idea or the concept, we learned a time. We had auxiliary benefits if you will. Secondary benefits. How long did what how long did it take to produce it? Has this been productized?

Audra Simons: At the moment, we're actually going through, recreating the results internally because the results were delivered by UTSA.

Eric Trexler: Okay.

Audra Simons: And at the same time, we are sharing all this with the business and working out how we can actually integrate this into our solution.

Eric Trexler: From a feature. Okay. How long is that research period typically? Is it

Audra Simons: Short, long? To be honest, the UTSA is the longest research, project that I've run within the business. So it it lasted for over a year, but, a normal like, pretty normal, prototype lasts anywhere between 3 weeks to 3 months. Oh, wow. Longer than that.

Accelerating Productization from Idea to Market

Arika Pierce: That's a pretty short time frame. I would have thought it would have been Erica,

Eric Trexler: How long do you think it takes to productize that on average?

Audra Simons: What do you think, Erica?

Eric Trexler: Give me a number of months.

Arika Pierce: I'm going to go with 9 9 months of a full gestational period.

Eric Trexler: I'm an optimist. I'm going with 6, Audra.

Arika Pierce: What does it typically take to productize?

Audra Simons: Well, I'll tell you the fastest. The fastest way we did, was a research project around our lexicons, our behavior analytics, and how we could actually improve our lexicons to be much better. And we did a load of testing with several customers.

Eric Trexler: Half a year.

Audra Simons: Sorry? No. We did it. It started at the end of January, and it went into May, the end of May.

Arika Pierce: Okay.

Audra Simons: Beginning of June. So 5 months.

Eric Trexler: But if you're playing Christ is right, Erica, we both lose.

Audra Simons: I know. So, yeah, you can do the research, but it went straight into the product because the results were so good.

Eric Trexler: Oh, so the research was 5 months, and it goes straight into the product?

Audra Simons: Yes. So it's 5 months. We actually went to market with it.

Eric Trexler: From idea from idea concept creation to actual productization is 5 months.

Audra Simons: That was for the Lexicon project. I would say, generally speaking, you're talking more kind of because we're much further out in terms of what we look at in terms of the ideas in the future.

From Idea to Innovation in Cybersecurity

Audra Simons: It can take anywhere between, 6 to 12 months probably of what we've done. But most once we've released research because it still has to be scaled, it still has to be developed, Still has to go through the productizing process.

Eric Trexler: Right. So you need skews, you need technical documentation, you need to Q and A it, and everything else. So, Eric, I think we both won Yeah. On that secondary. I think the answer it depends covers both of our

Arika Pierce: It depends.

Eric Trexler: But that's still pretty impressive. From idea to delivery, we're probably talking a year. That's pretty impressive.

Arika Pierce: No. I would have thought it would take much longer. So that's very impressive and exciting. I mean, it must be great to be able to continue to be always looking for new ideas and being able to move them through the queue at that speed.

Audra Simons: So Absolutely. And it's we do lots of exciting stuff with suppliers and, like, partners and things like that. And that's also really interesting being able to look at how you can merge other solutions, like, we did a prototype with Ping, who are an identity access management supplier, and about kind of integrating what they have in terms of, signing in. So when people are authorized to sign in, taking information and logs they could provide us with our behavior analytics and then passing back risk scores. So, I mean, there are a lot of things that we do that it's stepping Ford, both for our internal solutions, as well as those of our partners.

Empowering Teams Through Secondment

Eric Trexler: Okay, Adra. Last question. You're queen for a day. What would you change about the innovation process if you had a magic wand?

Audra Simons: I would continue to grow by secondment because I actually get some amazing people who come into my team through secondment, and I would actually have additional focus and budget to enable us to move quicker.

Eric Trexler: That's 2. You've gotta pick 1.

Arika Pierce: Well, she's clean, so, you know, she gets to have she could have both.

Audra Simons: People it is all about the people, So I'd go with the growing by secondment with additional subject matter experts because there are amazing people in this company.

Eric Trexler: Okay. And I just looked up, secondment because I wanted to make sure I understood the terminology. For all of our readers at my level, a secondment is the opportunity to work temporarily in a different firm or department to the one you are already working in.

Audra Simons: Correct.

Arika Pierce: Some cross learning.

Audra Simons: It's and when you get people, when they come into it and their passion is there, you get incredible results.

Eric Trexler: Well, we appreciate what you and your team are doing, not just for the company, but also for, you know, our customers in the world. I think innovation is key to improving human society. So thank you for everything.

Audra Simons: Absolutely. Excellent. Thank you, Eric.

Arika Pierce: Thank you for being on the podcast and keep on innovating.

Audra Simons: Great. Thank you. Take care.

Eric Trexler: Faster, please.

Audra Simons: Yeah. Faster, please.

Arika Pierce: And thank you to everyone for tuning in this week. 

About Our Guest

Audra Simons professionally and personally make things happen. She does not believe that anything is impossible. Deeply passionate about innovation execution - to her, ideas without implementation are just words. She has a proven track record in companies from start-up to global blue chip. She is a business-minded with excellent relationship management skills and the gravitas to communicate, persuade, negotiate, and facilitate at all levels.