This week, Subhashish Bhadra, principal at Omidyar Network, sat down with the new CEO of Terbium Labs, Pat Clawson, to learn more about this portfolio company’s expanding role in the digital risk protection landscape.
Subhashish: Pat, thank you for doing this interview. You have spent several decades in the cyber security industry in very senior leadership positions. How have you seen this sector evolve over the years?
Pat: The first thing I’d like to say is it’s been fun and interesting. Over my time here, we’ve seen this space evolve from protection of gateways to machines, to files, to the cloud, and then back again. We’ve seen the advent of things like (the U.S. Computer Emergency Readiness Team) in 1986 and the Internet explosion of the 1990s. That led to an evolution of different technologies like encryption, internet protocols, SSL (secure sockets layer), anti-malware, hacking prevention, identity theft, and beyond. I think the theme I have recognized, at a very high level, is people have been working long and hard on preventative technologies.
Subhashish: In recent years, there’s been a lot of awareness and talk around privacy and data protection. How do you think laws like the California Consumer Privacy Act (CCPA) and GDPR are going to affect the cyber security space?
Pat: I think it’s huge! These are regulations that actually have teeth, both organizationally and financially. They get to the heart of protecting consumer and individual rights. I look at what California is doing now, similarly to how Germany led the way in Europe. They went down the path of data protection and data privacy rights for individuals more aggressively than any other country. When unified standards like GDPR evolved, they very much used Germany as a guiding light. So, I think CCPA will have a big impact in the United States as we move forward.
Subhashish: Can you tell us a little bit about Terbium Labs, what it does, and what the company is about?
Pat: Terbium Labs is a vendor that had its origins in helping governments and companies understand when their most sensitive data sets had been breached, and were finding their way into the deep and dark web marketplaces for sale or trade. That history goes back almost seven years now. We have evolved in that expertise and built out highly automated tools, assisted by data science and analysts, to provide valuable and actionable insights for companies, and enable them to understand when and where they’ve been breached and what data is compromised.
That’s evolved, and a whole industry has come up around it. The new industry that Terbium Labs finds itself competing in is one called Digital Risk Protection (DRP). It’s much broader than just the deep and dark web. It’s about finding malicious behavior wherever it may exist on the Internet — whether it’s the open, deep, dark. It includes new categories like social media, brand misuse, corporate data, mobile apps, and many others. We’re able to use our experience in finding things in the open, deep, and dark web, and broaden that to near real-time insights for our clients across all categories.
The nuance with Terbium Labs is that we do this safely, securely, and legally for our clients. We say to our clients, “Hey, you have some really sensitive data. You want to get it to us, as a vendor, to make sure you are monitoring and detecting anytime it’s exposed online, but you don’t want to open yourself to additional third-party risk.” The key here is our patented fingerprinting process that allows that to happen safely, legally, and securely.
Subhashish: You’ve joined Terbium Labs as CEO recently, and I’m sure there were larger tech companies in the cyber security space that may have offered you a bigger leadership platform. So, what excited you to join Terbium Labs in particular?
Pat: That’s a great question. When I took a look at the technology space, I noticed a consistent conversation around the concept of preventative technologies that, in my opinion, has grown old. The DRP space stood out because it is in putting a stake in the ground and saying: “Hey, we are not a preventative technology. You have a whole bunch of different vendors that you use to protect your endpoints, your employee data, your servers, your routers, your switches, all of that; it may be overpopulated.” This company had a completely different mission.
Our mission is that data breaches are inevitable, so let’s get our heads wrapped around that. How can we help clients seriously reduce the post-breach risk? That’s where Terbium Labs comes in. We help our clients load their most sensitive datasets safely and securely into our fingerprinting process, our Salted 512 Hash. That allows us to search the broad Internet in near real-time to see if anything is leaked out.
I think Ponemon Institute says that it takes a company 191 days on average to realize that it has been breached, and it’s usually as a result of a third-party telling the organization that it’s been breached. So, it’s from second 0 to the average of 191 days that we really help clients understand that their customer, employee or corporate data has been exposed; that fake coupons are being created against their brand and sold on social media; or that there are mobile apps that are popping up presenting as our client, but they aren’t really our client’s mobile app, they are just there to harvest their customers’ credentials. So, our job is that post-breach, early warning that other companies just didn’t want to focus on. I saw it as new, exciting, and fast growing.
Number two was that Terbium Labs had done something that no one else has thought of really doing. It is solving for the problem of searching for that data in a way that never, ever puts our client’s data at risk as a result of our activities, or ourselves. One of our tag lines is “your data stays private — even from us”. We never see it, and that’s the value of the patented fingerprinting process that I don’t think another vender in the world can answer to.
For example, think of a large enterprise that works with a DRP vendor like Terbium Labs. The number one thing they have to resolve is, “How does my person in HR get my complex HR data for my employees to that vendor, so that the vendor can safely search for breaches against it?” That involves the data moving around in the enterprise; maybe the Chief Risk Officer’s desk, at the very least, is sending those files out to the vendor, all of which are further exposing you to risks, and probably laws like CCPA or GDPR. The advantage of this digital fingerprinting technology and what Terbium Labs built is that it delivers that capability directly to the data set owner. Right there on their own machine, in their own department! This works whether it’s the head of HR, or the head of R&D, because they want to search for source code violations and theft, or if it’s legal because they want to search for documents; it doesn’t matter. They can load their most sensitive files, convert them to a Salted 512 Hash before they ever leave the enterprise and come over to us as a vendor to monitor.
So, we’re solving for a problem that people don’t fully recognize yet, but it’s real, and we’ve been talking about it for years. You put a stake in the ground about doing it in a safe, secure, and legal fashion.
Subhashish: I think (your arrival as CEO) comes at a very interesting time, when CCPA is about to go into effect in January, and there’s talk around a federal privacy law. Are you able to help your clients meet these regulations?
Pat: When we went out to the market to understand what obstacles our prospective clients were facing in understanding when a breach has happened, their number one obstacle was a recognition that their most sensitive data sets were indeed sensitive and needed to be protected. That was a wall that made it difficult for prospective clients to really engage with a deep dark web analytics firm or a DRP intelligence firm. They just didn’t know how to get that data to the vendor.
The CCPA is putting a spotlight on the importance of protecting your client, your employee, even your corporate sensitive data in ways that we’ve never thought of before. So, stop the loose handlings, stop passing that data off to a third-party which opens your risk even broader, because your third-party could be hacked. It puts a spotlight on the value and importance of securing private customer, employee data, and corporate data. It’s a big spotlight, and the good news is, Terbium Labs didn’t just think about this, this year, right? This is a cornerstone of how our founder built this company. He built it with data privacy at the core.
Subhashish: Thank you so much Pat for taking all the time this morning. It was great speaking to you. Good luck with the re-launch.
Pat: Thanks. Take care, appreciate it.
At Omidyar Network, we invest in companies and nonprofit organizations that, like Terbium Labs, aspire for all ID to be Good ID. Specifically, we invest patient capital in startups to:
- scale privacy-enhancing ideas,
- build technology that helps institutions comply with and exceed new data regulations, and
- test new business models that can disrupt the existing data economy.
For more information on how Omidyar Network backs Good ID, please click here.