Eldon Sprickerhoff Of Caledon Ventures: On The Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry

Expand your network and do favors for other people — teach, speak, offer to make connections.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry”, we had the pleasure of interviewing Eldon Sprickerhoff.

Eldon Sprickerhoff is an active entrepreneur, investor, mentor, advisory and board member at the intersections of information security, computer science, machine learning, SaaS, and finance. He is best known for founding eSentire, a leading global cybersecurity Managed Detection and Response company.

He has a Bachelor of Mathematics (Major: Computer Science, Minor: Economics) from the University of Waterloo, and in 2019 was awarded their J.W. Graham Medal in Computing and Innovation for his groundbreaking and entrepreneurial achievements in cybersecurity.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I’m Canadian; as a teenager always drawn to the tech side; grew up during the early days of the personal computer (I had a TI-99/4A and a Commodore 64); learned how to program in C in Grade 11; used a version of the QNX operating system in Grade 13. Went to the University of Waterloo in the late 80’s and graduated with a Bachelors in Mathematics in Computer Science in 1991. 1991 is a pivotal year in the Internet — it is when HTTP and the “World Wide Web” made its first debut. After graduating I worked at a few different companies; a large bank, a small software company — working on programming, databases, network and sysadmin duties. I started consulting in 1997 and worked for a large newspaper chain and then prime brokerage through to 2001 during the dot-com gold rush and the dot-bomb aftermath. In 2001 I started a company called eSentire which over the last two-plus decades has become a global cybersecurity services and platform company.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

One book that I probably recommend more than any other is Setting The Table: The Transforming Power of Hospitality in Business by Danny Meyer. He is a NYC-based restauranteur who had opened and operated many excellent places in the city including Gramercy Park Tavern, Eleven Madison Park, Blue Smoke, and Union Square Café. His book distills his specific philosophy regarding hospitality and service, generosity, and success belief system. I appreciated his perspectives on unreasonable hospitality — where you bend over backwards and overdeliver in every perspective you can. I had experienced his philosophy from fine dining through to more casual fare and was sure that there was something that I could take away from it and apply to our own business.

Is there a particular story or incident that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I already had a strong hands-on technical background, and had been a long-time subscriber to 2600 — a scruffy hacker zine that’s been published since the mid-80’s. I had (and still do) a lifetime subscription to it. In the early days of the Internet — with USENET and dailup/telnet etc it was one of the few resources/beacons of interesting behavior — where you’re looking behind the curtain poking in the dark and digging for the really interesting weaknesses and details.

In the summer of 1997, I attended my first “hacker convention”: Beyond HOPE in NYC and I was hooked. All of the technology that I’d been working with programming, networking, databases, systems administration — they all came together and helped me build a platform to support information security (what we used to call cybersecurity).

It has been said that our mistakes can be our greatest teachers. Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

I don’t know if it was funny — but early on my journey in eSentire I hired a senior salesperson so that I could focus on the consulting and technology side. I am more than a bit of a introvert, and while I had some competency with sales (through founder’s authenticity) I wasn’t yet comfortable with it. It was a bit of a relief for me to abdicate the sales process to someone else. But as it turned out, he couldn’t be trusted. The final straw occurred when, instead of being “sick in bed” I found him on a ski hill taking yet another day off (after he had taken a few weeks of scheduled vacation).

Are you working on any exciting new projects now? How do you think that will help people?

Over the past two years I have been working as an Entrepreneur-In-Residence/Mentor with a cybersecurity accelerator called Rogers Cybersecure Catalyst; they bring in cohorts of early-stage cybersecurity startups and try to give them mentorship to improve their eventual success and survival. I had intended to be a technical resource but what I discovered was that when these startup founders engaged with me to work through their issues the vast majority of the questions asked were NOT of technical matters but rather business. I myself don’t have a business background (or even any significant business acumen). When I started eSentire there was not much in the way of resources for founders — there was no Y Combinator, no YouTube, LinkedIn and such — so had to fight through it as the School of Hard Knocks. Anyways, what I discovered that in the early 2020’s even though there are significant resources available for startup founders some of the core messaging wasn’t getting through). The founders in the Catalyst program would ask me questions such as, “How do I find a co-founder?”, “How do I hire employees?”, “How do I FIRE a problem employee?”, “How do I find customers?”, “How do I set up partnership deals?”, “How do I get people to call me back?” and “How do I raise capital?” among many other similar questions.

Some of these interactions were VERY open and personal — these founders had staked their whole livelihoods on these endeavors, and I felt compelled to help them work through their problems. Along the way, I felt some PTSD almost reliving my own early days in startup land. I didn’t know of a business resource for first-time technical founders (written by a technical founder themselves) so I decided to start writing down some of these mistakes made and lessons learned. The end result is a book called COMMITTED: Startup Survival Tips and Uncommon Sense for First-Time Tech Founders. It will come out later by November 2024. It is equal parts personal memoir of my startup journey, founder cheerleading, and startup survival guide.

I’m hoping that my radical candor and openness will help other first-time tech founders avoid some of the mistakes that I made. I recognize that everyone will make mistakes in their own journey, but I’d like them to make more interesting mistakes than the ones I made: to become a Mistake Innovator.

The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

1. Cybersecurity continues to be relevant today (even moreso than in previous decades). New horizons continue to open and problems to be addressed.
2. There doesn’t appear to be a single solution that solves all problems within the cybersecurity realm.
3. There’s considerable interest in young people who have been “bitten by the bug” and want to have a career in cybersecurity — not only by the financial possibilities that it holds but addressing the never ending challenges that arise.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

1. I’m concerned about the perception of cybersecurity products — that there’s a new “shiny toy” that is going to fix everything. I’ve been in the industry long enough to see so many product categories rise and sunset while not addressing the primary problems.
2. I’m concerned about gatekeeping entry-stage positions in cybersecurity paired with unrealistic demands made of employees starting their first steps in this journey.
3. I’m also concerned about the messaging that there’s a deficit of about 750k cybersecurity practitioners in the US (and millions worldwide) with some unscrupulous boot camps taking advantage of this statement of dubious provenance. Some of the currently unemployed cybersecurity practitioners are struggling to *find* those positions belie that statement.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

There are serious concerns regarding disinformation: truth and provenance surrounding data of which we rely upon. I believe that trust in institutions is near an all-time low, and while we have more raw data available at our fingertips than ever before, we struggle with absolute truth. I think about the quote attributed to Winston Churchill: “A lie gets halfway around the world before the truth has a chance to get its pants on.”

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Over two decades-plus in the trenches, I’ve had the opportunity and privilege to work with some of the finest people in the industry help to secure clients, dog-fight attackers, and restore the peace. I have personally worked incident response events that lasted over multiple days and have marveled at the sophistication of the attack and knowledge of the attackers. The best advice that I can offer is to spend significant time preparing for an attack — have playbooks made in advance, ensure contact information is up-to-date, that you have communication channels at the ready, and work through various scenarios. Sweat in peace so you’ll bleed less in war.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

I’m a fan of what I call regular “Skepticism Inoculations” — where you need to exercise a certain small level of mistrust with interactions that can have high end game ramifications — these could include vectors of phishing, romance scams, etc. leading to identity theft or theft of currency. Going with your “gut” if something feels improbable, “rushed”, false familiarity, or stressful situations.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

This does not make for a good day. Tongue firmly-planted in cheek: as Warren Zevon said, “Send lawyers, guns, and money — the shit has hit the fan.” But realistically, this is a situation where the horse has already left the barn. You had better invoke your incident response plan — where you already have a sense as to what is the scope of the attack — how broadly the attackers have breached your environment, what was their level of access, what data they have gained access, if they’re still embedded, what is required from a regulatory and legal perspective, and what are your responsibilities to your stakeholders (including employees and shareholders). Buckle up.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Many companies struggle with what I call the regular “brushing and flossing” of cybersecurity. I would say that the vast majority of issues can be greatly mitigated by:

1. Multi-factor Authentication strongly enforced
2. Regular backups (regularly tested)
3. Patches kept up-to-date on all devices (servers, routers, mobile devices)
4. Default “wary/skeptical” stance on inbound communications (e.g. phone, SMS, email)
5. Preparing for the eventual attack with incident response planning/playbooks

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

It’s not all like you see in the popular media — where you’re a red team hacker madly typing on a keyboard for thirty seconds to break into the system. There are so many different job responsibilities that have a cybersecurity component (including tech leads, product management, and good old regular people management) that there’s no specific stereotype that applies across the board.

What are your “Five Things You Need To Create A Highly Successful Career In The Cybersecurity Industry?

1. You are in charge of your career arc and don’t rely on someone else to define it. Find out what you are interested in by exploring opportunities outside of your current role.
2. Devote a portion of your day to reading — it helps to expand your mind.
3. Expand your network and do favors for other people — teach, speak, offer to make connections.
4. Discover what you can do to personally improve the world around you.
5. Enjoy yourself along the way — we are not here for very long.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)

Would love to have an hour-long lunch with Danny Meyer at one of his excellent restaurants. eSentire used to host an annual client BBQ at Blue Smoke on 27th Street; it has since closed down but I never got a chance to actually meet him.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!