1653 – What Saves A Company in Cyber Security with Carbide Secure’s Darren Gallop

Josh (00:00:05) - Hey there, thoughtful listener. Would you like consistent and predictable sales activity with no spam and no ads? I'll teach you step by step how to do this, particularly if you're an agency owner, consultant, coach or B2B service provider. What I teach has worked for me for more than 15 years and has helped me create more than $10 million in revenue. Just head to up my influence and watch my free class on how to create endless high ticket sales appointments. You can even chat with me live and I'll see and reply to your messages. Also, don't forget the thoughtful entrepreneur is always looking for guests. Go to up my influence com and click on podcast. We'd love to have you. With us right now, it's the CEO and co-founder of Carbide. It's Darren Gallop. Darren, thank you so much for joining us.

Darren (00:01:06) - Thanks for having me.

Josh (00:01:07) - Your website, is Carbide secure? And would you mind maybe just kind of giving us just a quick 101. On what Carbide is?

Darren (00:01:17) - Absolutely. So Carbide is a platform for information security and data privacy compliance.

Darren (00:01:23) - So basically what we do is we help small to medium sized companies build, manage and report on their information security and data privacy posture. So that may be for their board, for their investors more often than not for customers. And just to be able to do what you're supposed to be doing to follow the regulations and to comply with what your customers need you to comply with.

Josh (00:01:45) - Yeah. What are the you know, so obviously, there's the, you know, just kind of staying within the good graces of regulations and laws, and that's mandatory. But, you know, those regulations and laws are there for a reason. And that is is that, you know, cybersecurity risks can be incredibly painful. It can put a company out of business. Would you mind maybe just kind of talking about the whole kind of risk versus just complying just because you have to, because it's the law?

Darren (00:02:13) - Yeah. I mean, look, I, I am a big fan of cybersecurity. I've become very interested in, in all the concepts around it.

Darren (00:02:24) - Probably about ten years ago. I have a brother, my older brother, who ran a leadership role with the RCMP and involved in cybersecurity. So I've just had it around me. I've dealt with it in my last company. We've been very close to breaches. We've had incidents, we've been part of breaches that were very scary, you know, so a lot of exposure and seeing the stats, seeing the just the the revenue that the criminal environment is making. So, so yeah, it's it's I'm all in for cybersecurity versus doing it because you have to um we get a lot of customers though that are not quite as aware of the risks and really taking the security side, you know, see prospects come to us. They're coming to us because they're trying to close a big deal and they need to meet certain requirements. But yeah, the reason the requirements are there is because companies haven't been really jumping on and and really thinking about it properly because it is a cost center you're paying to protect yourself. And it's not.

Darren (00:03:22) - It's so so it is really important. And so, you know, the way I look at it is, yeah, companies should follow best practices because that's what's going to save them. If you have a major data breach, if you're a SaaS company, say you've got a couple of million records in your platform and you get a data breach, you're going to have a whole kind all kinds of problems. You're going to have the embarrassment. You're going to lose customers. You may get sued in class action. You may get sued from other businesses you work with. You may get fines from privacy regulations. You'll destroy your brand. And so I think a lot of people forget just how damaging that can be to a company.

Josh (00:03:57) - Yeah. And I would imagine in your tenure you've likely are you typically coming in when there's already a problem or hopefully most of your clients are coming in because just once a prevention. Right. What what do you typically see?

Darren (00:04:17) - There are those cases, but I'd be honest to say that most organizations that are coming to us with a need to meet the growing stringency that we see in supply chain.

Darren (00:04:30) - So if you're selling to government or if you're selling to enterprise, even mid-market or smaller businesses now are starting to mandate various different requirements. Some of them are regulatory or some of them are dialed into standards. Some of them are just doing due diligence to make sure that the organizations they work with are following best practices. And we're also seeing pressures like insurance. So we're seeing insurance companies not be willing to give an insurance policy, certainly not a cyber insurance policy, unless they have some affirmation that the organization is following due care and due diligence in the way they approach cybersecurity and organization. So it is a fact, I would say, if I was to estimate, I would say 20% of the people that come for it come to us are like, Hey, we just want to do what's best and be preventative. And the rest are like, Oh, wow, we're getting we're getting asked to meet this and we need to put this in place and we need to put a formal risk program in place. And, you know, we need to have testing and we need to have all these things in place.

Darren (00:05:25) - So it is it is is more coming in the small to medium sized businesses. It's more coming from them being required to do it in order to do something else that's in their strategic roadmap, whether it's being sales goals, moving up, market raising rounds of capital or insurance plans, things like that.

Josh (00:05:42) - Yeah. So without Carbide, how do we do this?

Darren (00:05:46) - Well, how have.

Josh (00:05:47) - We been forced to do? Another way to ask is how have we been forced to do this? Well, before Carbide came on the scene.

Darren (00:05:53) - I'll tell you how I did it in my last company and how I got into this and got the idea in the first place. So my last please was it was a company that did festival management. It was a SaaS platform, all the backend logistics. So not your tickets, not your mobile app that the the people that go to the concerts or the events go to all the back and stuff, the artists, what they're getting paid when they're playing, who they're playing with, their phone numbers, what gates are coming in, what flights are coming on, what hotel they're staying in, all this logistics.

Darren (00:06:16) - And we were working with some of the biggest festivals in the world. By 2014, 2015, we had Bonnaroo Burning Man just for last festivals. We're in 20 something different countries and we were just getting hit by all kinds of challenges around that we were getting, you know. So when we went in to do it, what we did is we hired a consultant to come in and do an analysis and assessment. We hired a an auditing company to do an audit. We discovered that there was a lot of things we weren't doing. We had consultants help us with certain aspects. I did a lot of reading because this became a very big problem in the business. We had a bunch of our festivals getting hacked through other technology partners. Where were lineups for Coachella and lineups for Bonnaroo are being leaked and things like that. So there was a lot of heat around the security problem. And yeah, I drove in 100%. Like I was literally, you know, working on this very diligently. My CTO for about, I'd say 6 to 8 months, eating up a lot of my time and his time.

Darren (00:07:14) - And, you know, we had consultants in, we had auditors in we were reading, we were downloading templates, we were taking online courses even just to try to figure out how do we talk about this stuff, what do we really need to do? And that's the way people did it. Either you either did some sort of combination of doing it internally with some outside assistance, or you just pay a premium to a cybersecurity consulting firm to come in and really sit in your business and do the work for you. So, you know, big, big cost items there. And so the new way of doing it is having tools that leverage more intelligent technology and cloud based tools and some AI stuff in there to really help organizations get a pretty significant, you know, way in this success in building a security program, a privacy program quickly and spending significantly less dollars.

Josh (00:08:10) - Yeah. And so today, what would be examples of of companies that are working with Carbide right now and and you know, and I'm just kind of thinking of like, you know, there are probably folks that need to have a conversation posthaste.

Josh (00:08:26) - But but who today do you find yourself working with most often? Like specifically, you don't have to name names unless you're able to.

Darren (00:08:34) - Yeah. You know, I usually like to. What I would say is the majority of our customers are B2B software as a service companies. So they're selling they're selling to Enterprise more often than not, or government. And they're they are being met by very strict security questionnaires, security requirements. They are in their contracts before working with these organizations, signing security and data privacy addendums, where they're basically confirming their commitment to follow, you know, several pages of best practices or comply with with with some standard or framework or frameworks that is, and they range on the smaller side. Yeah, we have companies that are small as 11, ten, 12, 20 people. I would say on average it's more like 80 to 100. And then we have starting to see a lot more companies as our product evolves and becomes more sophisticated. We're doing a lot more business with companies.

Darren (00:09:33) - 250, 405 hundred, even 1000 employees. And in that realm, which is fascinating, we're actually getting into different different companies. We have a company called Proto Case that does they do custom enclosures and it's effectively it's manufacturing, right? We have another organization, 45 drives that makes actual hardware for on site servers and data clustering. And and, you know, so we're starting to broaden out as as we're seeing the demand for sophisticated security tools evolve and we're starting to move up market with our own technology.

Josh (00:10:08) - Yeah. And how did so kind of thinking about like when you launched Carbide, what was going to market like? How did you acquire your first batch of customers?

Darren (00:10:21) - You know, to be honest, it was a lot of like, friends and family and network, right? Like, you know, I'd already had a couple of different companies in the past. I knew a bunch of different investors, my co-founder and myself. We went through the Techstars program in Boston, so we were, you know, had a bunch of connections to the Techstars network.

Darren (00:10:38) - And yeah, that's really how we started, right? It's like knocking on doors, you know, when you launch, you're usually pretty MVP and, and a little rough around the edges, not necessarily ready for prime time, which, you know, certainly was our case when we in the early days when we originally launched. So yeah, we went to we went through our network at first and that was probably our first 25 or 30 customers paying customers and really helpful and sort of validating the product and, and getting great product feedback and getting feedback on pricing and things like that.

Josh (00:11:08) - Yeah. And so today, you know, Carbide, you've got an impressive client roster, you've got a great sized company. What do you do for growth and like where is Carbide going from just like a growth perspective now.

Darren (00:11:23) - Yeah. So we're very growth focused. We have a phenomenal VP of Sales and Marketing, Michelle Russell, who has come on board. Guess not just a little over a year ago now. And so really starting to build out that that sales motion.

Darren (00:11:38) - She's come in and put in a sales team. So we have a sales team with with business development reps and account representatives, account executives. We have a channel, a person who leads channel partners. We're starting to build out a channel network of through for Go-To market purposes, and we're starting to build out our marketing department now as well, starting to do things like paid advertising, content marketing, things like that. So, you know, really just sort of firing up the jets from a go to market strategy. You know, a lot of it, you know, in the early days, it went from sort of friends and family network to word of mouth to an inbound content strategy. And now we're really starting to fire up the jets. We've been looking at averaging just a little over 100% growth year over year. And of course, as the number gets bigger, the requirements, the the new customer requirement to meet that same percentage becomes heavier and heavier. So, you know, the friends and family founder led approach is not you know, might have got us there the first first couple of flips.

Darren (00:12:39) - But you know, we've we've definitely brought things up from a sophisticated sophistication level.

Josh (00:12:44) - Well, that's exciting. And it seems like trends are only going to move in your favor. Right. There's the laws are going to get more and more tight because every time, just from a PR standpoint, like every time there's a, you know, some sort of a hack, there's, you know, data that, you know, some sort of a leak or something like that. Like that's those headlines generally evoke the ire of those who set regulations. And, you know, so companies are going to listen. You know, either you you kind of stay ahead of this or, you know, you become a statistic in the headline and you don't want to be that sort of a statistic or a headline. So it's better to a little ounce of prevention.

Darren (00:13:27) - Well, the black market from a cyber crime for profit perspective has been explosive in growth. And in fact, it was 2017, Interpol estimated that the proceeds from cyber crime in the black market exceeded all of the illicit drugs globally.

Darren (00:13:45) - So just to put it in perspective, and that growth continues. And and we're even seeing now the organized crime groups, we're seeing cartels getting involved. Yeah. Becomes a it's and the tool which keeps getting better and now you have AI being a very helpful, you know, set of tools coming from the AI world to help hackers be better at what they do. And so it's a money it's a profit game. It's a it's very hard for law enforcement to catch a lot of these folks. And depending on where they're out of, you know, where they're where they're conducting their quote unquote business from, it can be very difficult to prosecute people as well. So there's that element. So, yeah, you're definitely and we see we're hearing more and more companies being hacked. We do get customers more now that are like, Oh God, two other competitors of ours just had major breaches. And you know, we we we're fearing we're next. And, you know, there is that. But yeah, to your point, what happens is what's happening and that's been happening is the regulatory environment has stepped in very aggressively.

Darren (00:14:45) - The challenge with this is, you know, this is some of the this is some of the pain point that that we we focus on in Carbide in addition to to best practices and securing your business. The problem is if you're an international company or even a national company and you're selling in multiple different regions, the problem we're running into now is that you have, for example, in the United States, each state is pretty much coming up with its own privacy regulations. Some of them have cybersecurity regulations. Various industries have their own certifications. From a cybersecurity perspective, you have things like the GDPR in Europe. Then Canada has its own federal law, plus the provinces have regulations. So the red tape complexity for an international business or even a smaller SaaS company that sells to a big international business, the amount of things that they may need to comply with becomes very complex. So it's, you know, you have your security requirements, best practice of securing data, but you also have to make sure that you are you're you're carving that out in a way where you're complying with all of the requirements that you're going to be met with as you're selling to your customer base.

Josh (00:15:46) - How are you able to and I'm just curious about leaks that are the result of maybe a little bit of carelessness with data internally. So someone clicking on a bad email, someone mishandling information, they leave, you know, a terminal unsecure, you know, just the sorts of human error like that that seems more like educational. Are there any ways to enforce that or what are what how is Carbide involved in that side of it?

Darren (00:16:19) - Yeah. So we would be very involved in our platform we use in the. Prescriptive side of determining what are the risks associated to your business? What are the threat vectors that would be, you know, very prominent for your business. And in most businesses, I can't think of any businesses that don't fall into the bucket of human error. And and user and user side error is a huge weakness. And so you think about it through layers of defense. And what I mean by that is you want to have the awareness and the training because your humans are your front line.

Darren (00:16:55) - So then just having a proper, appropriate training program, awareness training, making a personal making it real, don't make it just like some BBS that people have to go through to check a box, but actually actually train them and make them aware of what the threats are to the business. That's a big one. And then testing how that awareness is working. So you're seeing a lot of uptick out there in phishing simulators out in the marketplace where, you know, you're kind of testing your employees to see if they're really capturing the knowledge and putting it to practice. And then also on the technical side, there's a ton of different function to tools depending on the environment and the certain risks to your business. That can also help, you know, spam filtering, anomaly detections, different things like that. So it's really you really look at every business, there's a there's a and look at what tools are using. Look at what the risks are to the business with those threats are and building a program. And that's really where we come in.

Darren (00:17:47) - We we will likely bring in other partners from our network, other tools that we either white label or partner with in the organization will implement things like endpoint detection, phishing simulators, vulnerability assessors, things like that. So you really want to think layers of defense. You're never going to be able to get to a point with a business where every human being is never going to make a mistake and never going to accidentally click on things. So you want to have those layers in place that makes sure that when they do, there's there's still other lines of defense and other mechanisms in there.

Josh (00:18:21) - Carbide offers a seven day trial. There's a self-guided demo. Can you talk about, like, someone that's maybe they're listening to this podcast because they they're familiar or they searching this because they know that they need help. And so where do they go from here? What would you recommend their next steps be?

Darren (00:18:38) - You just go to our website and you can click on the Try It for free. Or if you want to talk to a sales rep, you can just click right there, either in the chat window in the bottom right hand corner of the website or on there on our contact information.

Darren (00:18:50) - There will be somebody happy to, to, to, to have a quick chat and understand what you're trying know. What is it that you're looking for, what's the pain, what's the challenge? And then find the experts within our business that can can most appropriately look at your situation and share what you know, how we can help solve those problems.

Josh (00:19:09) - Yeah the website carbide secure.com we've got a link to it in the show notes And again Darren Gallop, your CEO co-founder. It's been great having you. Thank you so much for joining us.

Darren (00:19:22) - Thanks for having me.

Josh (00:19:30) - Thanks for listening to the Thoughtful Entrepreneur Show. If you are a thoughtful business owner or professional who would like to be on this daily program, please visit up My Influence slash guest. If you're a listener, I'd love to shout out your business to our whole audience for free. You can do that by leaving a review on Apple Podcasts or join our listener Facebook group. Just search for the thoughtful entrepreneur and Facebook. I'd love even if you just stopped by to say hi, I'd love to meet you.

Josh (00:20:04) - We believe that every person has a message that can positively impact the world. We love our community who listens and shares our program every day. Together, we are empowering one another as thoughtful entrepreneurs. Hit subscribe so that tomorrow morning. That's right, seven days a week, you are going to be inspired and motivated to succeed. I promise to bring positivity and inspiration to you for around 15 minutes each day. Thanks for listening and thank you for being a part of the thoughtful entrepreneur movement.