Rick Gordon Of Tidal Cyber On 5 Things You Need To Know To Optimize Your Company’s Approach to Cybersecurity

Published in Authority Magazine

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Cybersecurity”, I had the pleasure of interviewing Rick Gordon.

Rick is a proven leader with over 25 years of experience helping organizations grow strategically, with expertise in technology investing, business strategy and early-stage venture development. Rick previously served as Managing Director of Programs at MITRE, where he was responsible for scaling key initiatives that included the Center for Threat-Informed Defense, ATT&CK® Evaluations and MITRE ATT&CK Defender (MAD) Training.

Additionally, Rick was Founding Managing Partner of MACH37 Cyber Accelerator. Under Rick’s leadership, MACH37 launched several leading cybersecurity companies, including Huntress, Syncurity (acquired by Swimlane), Atomicorp, Black Kite (formerly Normshield), Adlumin, Threatswitch, Virgil Security, and Cyber Algorithms (acquired by Thycotic). Before MACH37, Rick served as the COO of Lookingglass Cyber Solutions, a Managing Director at the Civitas Group, an investment banker at Bear Stearns and a submarine officer in the U.S. Navy.

He received his MBA from The Darden School at the University of Virginia and his BS in Engineering with Merit from the U.S. Naval Academy.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

My path to cybersecurity was really quite serendipitous. Entrepreneurship was always something that interested me, and early on in my career I crossed paths with a group of entrepreneurs that were working on building an email security gateway platform. We joined forces, and I have been involved in cybersecurity basically ever since.

In addition to the appeal of entrepreneurship and building something from the ground up, I’ve always been drawn to missions that matter. I am a Naval Academy graduate and served in the military, so I have always had a passion for protection and defense. At the time that this all began for me, cybersecurity wasn’t as mainstream as it is today. We often heard of the new or interesting attacks, but they didn’t generate the headlines and concern that they do today. In 2008, when the Comprehensive National Cybersecurity Initiative (CNCI) was established and ultimately raised the alarm on cybersecurity as a real threat, I felt as though my interest in securing the cyber ecosystem really solidified.

Can you share the most interesting story that happened to you since you began this fascinating career?

This industry is filled with fascinating stories. The ones that really resonate with me are the moments when you have the good fortune to witness, or take part in, a real change.

Earlier on in my career, there was a major issue that was really holding back many of the organizations in the security industry. Threat intelligence was not democratized. At the time, there were companies doing a really good job of collecting data and threat intelligence information, but all of them used different formats, which may have been optimal for their approach, but were really limiting for the customer. There was this glaring need for access to threat intelligence in a common language.

The folks at MITRE not only recognized this issue, but were also one of the only organizations in a position to address it, creating MITRE ATT&CK, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK blew the paradigm of limited access to digestible threat intelligence out of the water and created a mechanism for the way that we think about, talk about, describe and share threat intelligence. This had a profound effect on the industry where threat intelligence became much more accessible to smaller security organizations.

Today, our company Tidal Cyber allows defenders to make the most out of ATT&CK, among many other threat defensive resources. Tidal makes it seamless for users to always be on the latest version of ATT&CK, meaning they can access all the latest knowledge base content, including the latest techniques and sub-techniques, threat objects and defensive content like data sources and mitigations. Using ATT&CK’s intelligence along with Tidal-curated content that is updated every week ensures that our customers always have access to the most complete picture of the threat landscape.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

I have been lucky enough to have had a number of impactful mentors that have helped shape my career in one way or another, but I will say that one person who most dramatically influenced my current path is probably Pete Jobse. Pete gave me the opportunity to build MACH37, an opportunity to build something meaningful. MACH37 was designed to facilitate the creation of the next generation of cyber product companies, and it has gone on to launch over 80 companies and is now the top cyber accelerator program in the United States. While I get a lot of the credit, it was all Pete’s idea; he just handed me the baton and gave me an amazing opportunity that has opened so many doors for me and my career.

Are you working on any exciting new projects now? How do you think that will help people?

Absolutely. After working at MITRE and realizing that there was still a need for threat intelligence to be actionable and more widely accessible, Rich Struse, Frank Duff and I decided that our best path to really solving these challenges was to leave MITRE and create Tidal Cyber.

We formed Tidal Cyber in 2022 with one simple goal — provide defenders with solutions and services that make threat-informed defense practical and sustainable. The goal is to make it practical and affordable for all enterprises to adopt the intelligence provided by MITRE ATT&CK. Tidal’s platforms help businesses assess, organize and optimize their cyber defenses based on a deep understanding of the threats and adversaries that are most relevant to them specifically. It’s been a very exciting journey and we look forward to seeing how many organizations Tidal is able to help in the coming years.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

Tidal has taught me to focus on what matters most and ensure that your priorities are in order. It’s easy to find yourself piling on a to-do list that just isn’t realistic or sustainable. It’s important to understand what balls can be dropped so that your current priority or objective can be met. Evaluate what is essential for the company to get to the next stage, and work backwards from there.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

I think we’ve already touched on one of the major developments that is most exciting, being that threat intelligence is much more accessible than it was 10 years ago.

Second, the mission has grown tremendously. All of the problems that we were prognosticating a decade ago are now occurring every day. Today, we have the opportunity to solve some really hard challenges and have a meaningful impact. The last thing is more specific to what we’re doing at Tidal Cyber. Threat-informed defense is a real thing: the integration of knowledge associated with adversarial behaviors is invaluable. It used to be a challenge to integrate cyber threat intelligence (CTI) on adversaries into operations because there wasn’t a clear structure on how to do so. What we’re doing at Tidal is making threat intelligence incredibly actionable by making it easy for a customer to understand the effectiveness of their current security stack in defending against threats that are relevant to them, and identifying any gaps or redundancies. It’s called coverage mapping, and it is changing security.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Malicious actors are always evolving their tactics, and new threats constantly present themselves. The question that companies need to be asking themselves is: am I at risk from this threat specifically? Not every threat or adversary technique is applicable to every organization. So, what companies should be doing is keeping up with the latest threats that could be critical to them.

For example, Tidal Cyber regularly creates new threat intelligence and Vendor Registry content to share with the Tidal Community. It keeps them apprised of the latest threats and details which types of organizations could be impacted. Just recently, we released an update on a ransomware group, Akira, that we believe is poised to become a top threat. We provide all of the information needed for organizations to pinpoint if it could be relevant to them, including the group’s motivation, geographic targets, targeted sectors, techniques and more. This is the type of data that we provide regularly to keep organizations properly informed and prepared.

Over the last decade, our industry has become obsessed with the adversary and the threat — and don’t get me wrong, this is critical. But, we are now at an inflection point, where we need to start turning the lens inward. We need to understand how these threats pertain to our particular environments.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

To help avoid data breaches, it’s important to understand the value of actionable threat intelligence.

Take the notorious Russian ransomware group, BlackCat, for example. As the group surfaced, there was buzz throughout the industry about the attacks, and folks were worried about being vulnerable. We heard from a new customer who was concerned, and immediately began to build a coverage map to show exactly how their existing security solutions would defend against a BlackCat attack. The coverage map proved that their defensive stack was equipped to handle a potential attack — within minutes, this organization was able to confidently understand how susceptible they were to the threat in question. Without Tidal, this type of analysis could have taken a week, if not longer.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

The type of cybersecurity tools I’d recommend fall under threat-informed defense. These tools collect and analyze critical tactics, techniques and procedures (TTPs) and evaluate how well your security stack defends against them. By pairing the threats most relevant to your organization with the tools in your defensive stack, you’re able to gain a complete picture of your cyber posture, allowing security teams to make the most well-informed decisions and take a much more strategic approach to defense. This helps to refine the wide scope of threats within the landscape, and allows you to focus on the ones that pose the most risk to you.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

As organizations work to defend themselves, it’s easy for teams to become overwhelmed, especially if they don’t have the headcount of larger organizations. It’s simply unrealistic to patch every single vulnerability, especially when the threat intelligence is coming from multiple sources and requires the team to hunt for answers. Determining what actions need to be taken to defend the business can be difficult.

The most important thing a smaller organization, or any organization for that matter, can do to ease the burden on its security team is to differentiate which threats actually require attention vs. the ones that don’t. By taking this step, you are already significantly reducing the amount of work that needs to be done, because you are not spending time and resources on the threats that don’t pose a risk. Education is key. Additionally, find a source that delivers threat intelligence in one unified platform and language to make it much easier to make the intel actionable.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

The best way to understand if something is amiss is to have a complete understanding of your environment and the relevant threats to your particular environment. Think of it this way: there are an endless number of threats that you could be monitoring for, but what really matters are the threats that pose an actual risk to your organization. For example, does the ransomware group or bad actor target similar sized organizations in your industry? Once you have context, it’s much easier to know when something is wrong, because you know what types of threats to look out for and which ones might actually be dangerous. This is where threat-informed defense comes in and gives you the power to rule out irrelevant threats and make the best risk-based decisions for your organization.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

As quickly as possible, get a sense of what happened. Ensure that the threat is being mitigated and relay as much detail and information as you can to the affected customer.

After a breach, organizations also need to know what they have in their environment and the capabilities of their protections so that when a new attack emerges, they can compare it to their defensive stack and determine whether they are safe or not.

What are the most common data security and cybersecurity mistakes you have seen companies make?

The biggest mistake that we’re seeing is businesses being overly deterministic in their approach to security. We’re seeing organizations spread themselves too thin by trying to address every problem or existing potential threat, almost like a “whack-a-mole” type of approach: a problem or alert pops up, and the immediate reaction is to fix it. But the truth of it is, no one security solution does everything, and not every cyber threat is relevant to your organization. It’s a mistake to think that we should endeavor to “whack” every threat.

What we need to do is risk stratify. Look at the issue in terms of risk and make decisions around defending against adversary actions in a more significant and scalable way.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Network and security architectures are different than they were a few years ago. As the workforce became more dispersed and diverse, we’ve seen a significant move away from traditional enterprise solutions and toward SaaS.

While this move offers increased flexibility and some inherent security benefits, it’s important not to assume that the SaaS provider has the same capabilities that you would otherwise have. In certain cases, organizations are sacrificing a level of threat visibility, as well as mitigation capabilities. Customers need to understand the tradeoffs, so that they know where they need to supplement defenses or adjust for their vendor’s cybersecurity capabilities.

What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why?

  1. Identify your threat profile. Know which malicious actors and threats might actually pertain to your organization. Prioritize the factors, including your industry, size, and location, that help determine your level of risk to a particular threat and the actions you may need to take.
  2. Understand the behaviors of adversaries that are attacking companies similar to yours. Let’s use boxing as a metaphor here: if your opponent has a strong uppercut, you’re not going to practice defending against the jab, right? Realistically, especially in scenarios where there’s not enough room in the budget to cross every “t” and dot every “i”, organizations must know the TTPs that an adversary is likely to use against you in order to establish the best plan of defense.
  3. Know how your security tools actually defend you, and how they don’t. It’s not always the things that you are detecting that are dangerous, it’s typically what you haven’t been detecting or areas where you don’t have defensive capabilities that can cause the most harm. By understanding where you have unacceptable levels of residual risk in your environment, you can take a much more tailored approach to a plan of action.
  4. Evolve your defenses. Bad actors continually evolve their techniques as they try to attack your organization. You have to stay on top of this constant change. Have a system in place that alerts you to changes in your defensive coverage due to shifts in adversary behavior or new security solution updates so you can stay one step ahead.
  5. Make data-driven decisions to mitigate threats specific to your environment. Create defensive stacks that calculate risk based on your existing environmental factors. Test how your defenses may hold up against a specific threat, and make adjustments accordingly. This is the best way to feel confident in the event that an attack does take place.
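The five steps above, and the coverage mapping described earlier in the interview, can be reduced to a small, reproducible computation: filter the threat groups down to those that target your sector and region, take the union of their ATT&CK techniques, and map each technique to the tools in your stack that detect or prevent it. What follows is an added Python example written for this page; it is not Tidal Cyber’s code and not part of the interview. The threat group names, their sector and region targeting, the technique attributions, the organization profile and the tool coverage are all constructed for illustration and are not real intelligence; only the ATT&CK technique IDs are real.

```python
"""Minimal threat-informed coverage map (added example, not Tidal Cyber's code).

Constructed data: the group names, targeting, technique attributions and tool
coverage below are made up for illustration and are NOT real intelligence.
Only the ATT&CK technique IDs themselves are real identifiers.
"""
from collections import Counter
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class ThreatGroup:
    name: str
    sectors: frozenset      # industries the group is observed targeting
    regions: frozenset      # geographies the group is observed targeting
    techniques: frozenset   # ATT&CK technique IDs attributed to the group


@dataclass(frozen=True)
class DefensiveTool:
    name: str
    covers: frozenset       # technique IDs the tool detects or prevents


@dataclass(frozen=True)
class OrgProfile:
    sector: str
    region: str


# --- constructed sample data: hypothetical groups, made-up attributions ---
GROUPS = [
    ThreatGroup("crew-alpha", frozenset({"healthcare", "manufacturing"}), frozenset({"NA", "EU"}),
                frozenset({"T1566.001", "T1059.001", "T1003.001", "T1021.001", "T1486", "T1490"})),
    ThreatGroup("crew-beta", frozenset({"healthcare"}), frozenset({"NA"}),
                frozenset({"T1078", "T1059.001", "T1562.001", "T1486", "T1567"})),
    ThreatGroup("crew-gamma", frozenset({"finance"}), frozenset({"APAC"}),
                frozenset({"T1566.001", "T1047", "T1486"})),
]
ORG = OrgProfile(sector="healthcare", region="NA")
STACK = [
    DefensiveTool("email-gateway", frozenset({"T1566.001"})),
    DefensiveTool("edr", frozenset({"T1059.001", "T1003.001", "T1562.001", "T1486"})),
    DefensiveTool("siem-rules", frozenset({"T1059.001", "T1021.001", "T1078"})),
    DefensiveTool("immutable-backups", frozenset({"T1490"})),
]


def relevant_groups(groups, org):
    """Step 1: keep only groups whose targeting matches the org's sector and region."""
    return [g for g in groups if org.sector in g.sectors and org.region in g.regions]


def coverage_map(groups, stack):
    """Steps 2-3: union the relevant groups' TTPs and map each technique to the
    tools covering it. An empty tool list is a gap; two or more is a redundancy."""
    needed = set().union(*(g.techniques for g in groups))
    return {t: sorted(tool.name for tool in stack if t in tool.covers) for t in sorted(needed)}


def gaps(cmap):
    return [t for t, tools in cmap.items() if not tools]


def redundancies(cmap, min_tools=2):
    return [t for t, tools in cmap.items() if len(tools) >= min_tools]


def coverage_ratio(cmap):
    return 1.0 if not cmap else (len(cmap) - len(gaps(cmap))) / len(cmap)


def rank_gaps(cmap, groups):
    """Step 5: order gaps by how many relevant groups use the technique, most shared first."""
    usage = Counter(t for g in groups for t in g.techniques)
    return sorted(((t, usage[t]) for t in gaps(cmap)), key=lambda x: (-x[1], x[0]))


def new_gaps(old_map, new_map):
    """Step 4: techniques that became uncovered after intel or the stack changed."""
    return sorted(set(gaps(new_map)) - set(gaps(old_map)))


def add_technique(groups, name, technique):
    """Simulate an intel update attributing one more technique to a named group."""
    return [replace(g, techniques=g.techniques | {technique}) if g.name == name else g
            for g in groups]


if __name__ == "__main__":
    rel = relevant_groups(GROUPS, ORG)
    cmap = coverage_map(rel, STACK)
    print("relevant groups:", [g.name for g in rel])
    for t, tools in cmap.items():
        print(f"{t:<10} {'GAP' if not tools else ', '.join(tools)}")
    print(f"coverage: {coverage_ratio(cmap):.0%}  ranked gaps: {rank_gaps(cmap, rel)}"
          f"  redundant: {redundancies(cmap)}")
    updated = relevant_groups(add_technique(GROUPS, "crew-beta", "T1047"), ORG)
    print("new gaps after intel update:", new_gaps(cmap, coverage_map(updated, STACK)))
```

Run as a script it prints the per-technique map, the coverage ratio and the ranked gap list for the constructed healthcare organization, then re-runs the map after a simulated intel update to show which technique newly fell out of coverage. The design choice worth noting is that the map is keyed on technique, not on tool: gaps and redundancies fall out of the same dictionary, and a diff of two maps is all that step 4 (evolving defenses) needs. Real use would replace the constructed data with the current ATT&CK group and technique objects and an honest, per-technique assessment of what each tool actually detects, which is the hard part the interview is pointing at.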

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

Start thinking about risk. We need to have a more granular system in place that helps people understand where their money is best spent in terms of mitigating risk. The only rational way to decide which investments are worth it is to understand which actions and deployments reduce the amount of risk to the organization by the greatest amount. We must find a way to make this type of information and analysis more widely consumable.

How can our readers further follow your work online?

Keep a close eye on Tidal Cyber’s website for the latest developments and connect with me on LinkedIn.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!
