Janet Levesque joins CTM's Board of Advisors

JANET LEVESQUE JOINS CTM INSIGHTS ADVISORY BOARD

JULY 18, 2020, YORKTOWN HEIGHTS, N.Y. - CTM Insights, llc ("CTM"), a leading cybersecurity research lab and build studio, announced the appointment of Janet Levesque to its Advisory Board.  Levesque takes the seat previously held by Bob Lam, who stepped down to run CTM portfolio company ShardSecure.  Levesque joins other industry luminaries who help guide the investment and operational strategies of CTM's portfolio.  As the former CIO and Data Protection Officer of Mimecast and CISO at RSA, Janet brings a wealth of experience managing current and future cybersecurity risk.

"Cyber adversaries are constantly improving their capabilities, sometimes dramatically," said Levesque.  "CTM is different from other investors and vendors.  They look for the hard problems that will cause real pain, and invest in completely new approaches to solving them.  I'm thrilled to join other world-class advisors that help shape CTM’s approach.”

“Janet has built some of the best, forward thinking cyber security programs anywhere.  She’s both a designer and a practitioner, two skills I deeply respect.  I’m pleased to welcome Janet to the Board and look forward to working with her," said Lou Steinberg, Founder and Managing Partner of CTM.  "I also want to thank Bob for his guidance and wish him great success as CEO of ShardSecure."   

CTM’s ongoing initiatives include ways to limit the damage caused by ransomware, secure data without encryption, stop fraud and eliminate customer challenges through frictionless transaction authorization, and a trust overlay for the Internet.   New research includes creating a method for the efficient detection of attacks against data integrity, such as deep fakes.

About CTM

CTM invests in radically new approaches to solve some of the hardest problems in cyber, providing seed funding and resources to turn them into companies.  In just two years, investments have been made in six "big ideas" which have already resulted in four pending patents and the launch of two companies, Authoriti and ShardSecure, creating a combined IRR of over 200%.

 

A practical commencement address for making smart choices

Like many parents, I have kids who will graduate from their respective schools during this period of COVID-19 uncertainty (Tim from grad school and Becky from high school).  Neither knows if or when they will have a formal commencement ceremony.  That got me thinking about the many commencements I’ve attended over the years; some were entertaining, others just long, but few featured speakers with useful insights. 

In light of this, I decided to offer the commencement keynote I wish I had received.  No lofty platitudes, just eight bits of practical advice for navigating the future.  These are things that I had to figure out for myself in the decades since my own graduations.

1)      Be an exception.  You want an exceptional set of opportunities?  An exceptional career?  Most places are designed to efficiently handle a large group of requests the same way, whether the task is approval to move ahead with a project, manage a budget, hire talent, give a promotion, etc.  You can try to circumvent the process when it doesn’t make sense, but that’s not a great idea.  Instead, find a reason that your case is an exception.  Once you are in an exception category, you can get almost anything done that’s reasonable.

2)      You get the job you are doing.  If you want a promotion or a great new assignment, prove you are up to it.  Volunteer to assist, invest some effort, and demonstrate your ability.  That’s far more effective than just asking to be given something.  As Edison once said, “don’t be afraid to earn more than you are paid.”  Earn the job and it will be given to you.

3)      You get what you measure.  As your career progresses, you will find that people pay the most attention to things that are inspected by others.  Create a consistent set of metrics around the “critical few” things that matter most because they have a disproportionate effect on the outcomes you seek.   That also means your metrics have to be balanced so you don’t succeed in one area at the expense of something equally important.  Measure constantly and publicly.  People will focus on what is measured. 

4)      Take risks when the cost of failure is low.  Every decision involves some kind of risk, so take the biggest risks (with the most upside potential) when your downside is limited.  I left a good job and started a company at a time when I knew I could get another job if needed.  It’s also worth remembering that risks accumulate, so if you are taking a lot of risk in one area, don’t simultaneously take risk elsewhere.

5)      Time is the enemy.  There will always be competitors, but they are just competition.  Your enemy is time.  Efforts that take a long time allow other things around them to change— business priorities shift, people take on new roles, economies rise and fall.  If you don’t have a sense of urgency and execute while the conditions are right, the conditions will change.  A boss of mine used to say “the longer it takes, the longer it will take.”

6)      People who can’t communicate work for people who can.  This is extremely important.  Learn the art of public speaking.  Learn to organize your thoughts with mind maps and write clearly.  Avoid jargon and use analogies when communicating with people who don’t deeply know your space.   Join Toastmasters.  Read Tufte’s books.  Learn the art of communicating to others.

7)      Life is long and your industry small.  Be nice to people.  You may meet them again, and they will remember whether you cared about them and their challenges – or just yourself.

8)      Make smart choices.  This neatly summarizes the seven things before it.  Life is a series of choices and consequences.   Sometimes people express this as “you make your own luck.”  It’s true.  Understand the likely (longer-term) outcomes from your actions and decisions, vs. focusing on just the immediate result.  You influence your outcomes far more than you think.

That’s it.  No lofty visions, no inspirational platitudes.  Instead, you have eight bits of practical advice that can be applied throughout all aspects of your life and career.  It took me 35 years to find and distill these, so you just got a 35-year head start.  Use it to do something great.  Make smart choices.

Lou Steinberg is Founder & Managing Partner of CTM Insights, a cybersecurity research lab and early stage incubator

CTM Founder Lou Steinberg Elected to the Stevens Board of Trustees

(Hoboken, N.J. – Jan. 14, 2020) – Lou Steinberg ’85 M.S. ’85 B.E.,  who has been at the leading edge of  network security and technology innovation throughout his career, has been elected to the Stevens Institute of Technology Board of Trustees. His term as a Board member began Dec. 11, 2019.

Steinberg is founder and a managing partner for CTM Insights, a research lab and technology incubator/build studio that invests in solving some of the hardest problems in cybersecurity and then launches companies to bring those solutions to market. Prior to CTM Insights, Steinberg served for six years as the chief technology officer of TD Ameritrade, where he was responsible for technology innovation, platform architecture, engineering, operations, risk management and cybersecurity.  

“I am enormously grateful and extremely honored that Lou Steinberg has joined the Board of Trustees of his alma mater after serving on the Board of the Stevens Venture Center,” said Stevens President Nariman Farvardin. “By virtue of his deep industry experience in technology-based companies and his impressive successes as an entrepreneur, Lou will bring important insights and perspectives to strengthen and advance Stevens as we make progress toward our goal to become a premier, student-centric technological research university.”

“I’m honored and thrilled to be joining the Stevens Board of Trustees,” said Steinberg. “Stevens' focus on innovation, along with its world-class capabilities in research and education, fills a vital need in creating the workforce and technologies of the future.”

Prior to joining TD Ameritrade, Steinberg was the founder and chief executive of several start-ups, including Rev2 (operational risk management software), Cranite Systems (cybersecurity) and NetOps (data analytics and fault prediction). He also spent several years as chief technology officer of Symbol Technologies (now Motorola), driving a company-wide solutions strategy while also serving as the general manager of its software division. 

Steinberg previously served as an entrepreneur-in-residence at Warburg Pincus and as a strategy advisor to senior management at companies including Comcast, Citigroup and Fidelity. He was the senior vice president of marketing and market development at Micromuse (now IBM), a network management and analytics company that he joined through the acquisition of NetOps. Additionally, Steinberg spent more than a decade at IBM in various technical and management roles, notably contributing to router development for NSFNet, a second-generation Internet backbone.  

“We are fortunate to have Lou join the board,” said Chairman of the Board Stephen T. Boswell ’89 Ph.D. ’91 Hon. D. Eng. ’13. “He has both a strong skillset and deep commitments to our institution that will undoubtedly help us build a stronger Stevens. I am looking forward to working with him as we move ahead with implementing our strategic plan.”

Steinberg is the author of "Troubleshooting with SNMP and Understanding MIBs," as well as numerous articles on technology and innovation. He has seven patents issued or pending in the areas of cybersecurity, resiliency and analytics. He joins Michael Lipper, an icon in the money management and investment analytics world who was elected Oct. 17, 2019, as one of the newest members of the Board.

Steinberg holds a bachelor's degree in engineering and a master's degree in computer science, both from Stevens, and is an active member of the Board of the Stevens Venture Center. He has also served on numerous private company boards and currently serves as board chairman of The Authoriti Network and ShardSecure, as a member of the Technology Advisory Committee to the board of the MITRE Corporation, and on the CXO Advisory Council to the Digital Value Institute.  

– Stevens – 

About Stevens Institute of Technology 

Stevens Institute of Technology is a premier, private research university situated in Hoboken, New Jersey overlooking the Manhattan skyline. Since our founding in 1870, technological innovation has always been the hallmark and legacy of Stevens education and research. Within the university’s three schools and one college, 6,900 undergraduate and graduate students collaborate closely with faculty in an interdisciplinary, student-centric, entrepreneurial environment. A range of academic and research programming spanning business, computing, engineering, the arts and other fields actively advances the frontiers of science and leverages technology to confront our most pressing global challenges. The university is consistently ranked among the nation’s elite for return on tuition investment, career services and the mid-career salaries of alumni.

Stevens media contact: Katie Koch, 201-216-5139, katie.koch@stevens.edu

 

 reposted from https://www.stevens.edu/news/lou-steinberg-85-ms-85-be-elected-stevens-board-trustees

Business Quote of the Decade- Top 12 Candidates


By Lou Steinberg

My good friend Felix Davidson used to quietly write down the best comments he heard in meetings and post them each December in a “Quotes of the Year” blog.  Following in his footsteps, I’ve collected some of my favorites from his and other colleagues’ material over time; my nominees for the best business quote of the 2010-2019 decade. 

Most are meant to be humorous, but I’ve selected those that also offer business insights.  Where appropriate, I’m attributing their sources and providing context.  I hope you enjoy them as you reflect on your year.

1)      “You’re working on the wrong side of the decimal point.”

This comes from futurist Thornton May.  It was absolutely brilliant at highlighting that, while correct, we were focusing on immaterial things vs. things that really matter.

2)      “Don’t confuse activity with progress.”

Perhaps the most insightful thing that Ken Degiglio ever said, and he’s said some insightful things.  It’s easy to think we are advancing because we have a lot of activity— but progress is the measure we care about.  I often remind sales teams of this.

3)      “We are negotiating with ourselves.”

Another good one from Ken.  He stopped us when we were talking ourselves down before a negotiation with a third party had even begun.

4)      “[They] show up by not showing up.”

Fred Tomczyk said this about my technology risk team, and he was right.  Once we built a system to effectively manage risk, we stopped being a topic of conversation.  It’s important to recognize things that work well and not just focus on things when they are broken.

5)      “Incremental innovation is really just adjusting for inflation.”

From the Twitter account “Bored Elon Musk,” this quote perfectly captures how I feel about innovation.  Nobody ever gained sustainable competitive advantages through incrementalism.  If you want to create change that matters, it needs to be disruptive.

6)      “What we did, we did well.  It’s what we didn’t do that sucked.”

A Managing Director in tech said this.  Our challenges weren’t with what we did, they were with what we missed.  We needed a system to sense what was missing and deliver it.

7)      “The essence of a great strategy is in what you decide to not do.”

John Bruno said this when we were losing focus during a strategic planning cycle.  It’s the flip side to the previous quote…your sensing needs to be analyzed so you can filter out the noise and focus on the critical few items that have a disproportionate impact to the upside.

8)      “Everyone is entitled to his own opinion, but not to his own facts.”

Senator Daniel P. Moynihan said this more than a decade ago, but it still applies today.  At a previous firm, we frequently had “facts” introduced stating a legal or compliance mandate.  On closer inspection, it wasn’t a requirement, just someone’s favorite idea.

9)      “He’s an oxygen thief.”

This label was applied to people who sat in meetings and consumed air, but offered little value in return.

10)  “There’s a difference between wishing and trying.”

Another one from a Managing Director in tech.  Either go build/fix something or stop complaining that it doesn’t work.

11)  “Finance may want to capitalize my mojito, which requires me to drink it over three years.”

I said this, after a financial planning session in which the request was made to amortize equipment over a longer time period than was supportable.  The result was that we would have aging equipment in use that would increase future technical debt.

12)  “Without data, you are just another person with an opinion.”

Unattributed, but true.  Facts trump instinct.  Recognize the difference, even when it means accepting your own confirmation bias.

Lou Steinberg is Founder & Managing Partner at CTM Insights, a cyber-security research lab combined with an early stage technology studio/incubator.

It’s time we stop letting ransomware attacks succeed

Enough already.  It’s time to change our approach to ransomware.  What we’ve been doing isn’t working.  

While there is no guaranteed way to stop all attacks, most ransomware exploits that succeed do so because we let them.  We let them succeed by not denying them the ability to cause harm.  WE LET THEM SUCCEED.

What are we doing wrong?  We need to start by deconstructing an attack.  Every incident has three components that answer critical questions:

  1. Susceptibility— Am I immune? If not, do I have compensating controls?

  2. Exploitability— How easy is the attack to pull off? Can a “script-kiddie” do it or does it require the advanced capabilities of a nation state?

  3. Impact— What’s the outcome if an attack succeeds?

Under the NIST framework, Susceptibility and Exploitability controls generally fit under the “Identify” and “Prevent” functions, while Impact mitigation aligns with our ability to “Detect,” “Respond,” and “Recover” from incidents once they begin.

To stop ransomware from establishing a foothold, we depend on controls that are never going to be perfect.  We rely on authentication and firewalls to keep bad actors out, antivirus signatures and proxies to keep out or contain malware, patching and basic hygiene to close vulnerabilities, and we train people to not click links in emails or open risky attachments.  

These reduce our Susceptibility and Exploitability, but not enough.  We see the proof of this every day when we learn of yet another attack. 

Focus on Mitigating Impact

That leaves us with mitigating Impact.  Most Impact controls focus on recovery, such as having a good backup.  Even if our backups work, restoring systems at scale is painful.  

Detection and mitigation controls tend to be in the form of designs and playbooks to keep an attack from spreading once begun.  We abandon the systems that were breached and try to limit the damage.  That sounds reasonable, unless the systems that were breached are important.

What’s missing is a way to mitigate the impact of an attack on each and every system.  It’s not hard to detect ransomware by looking for specific behavior— we just haven’t done it.  Nearly all ransomware that encrypts files exhibits a similar pattern: open files, read, encrypt, write encrypted version, and delete the original files (this last step varies if the ransomware overwrites files).  Repeat in a loop as fast as possible to inflict maximum damage before being noticed.  

That’s the key, because repeating behavior in a loop makes it detectable.

A Better Approach Requires Action

We can look in real time for large amounts of file reads and writes, CPU workloads indicating encryption, changes in file names or types, and changes in system “entropy” (randomness of data). We can look at the sequence of activities to minimize false alarms.  Behavior monitoring tools do some or all of this today.

It’s been less clear what we should do once ransomware is suspected by automated tools.  Ransomware does its work quickly, so by the time we respond to a notification the system is well on its way to being lost.  

Some tools focus on the behavior of individual processes, so if a ransomware process is detected it can be stopped.  We don’t want to stop something critical, so we begin to whitelist processes not subject to supervision.   This starts us down a path of increasing complexity and maintenance costs that can be both error prone and allow a path for ransomware to exploit.  In most cases, this is a bad trade-off.

A better approach is to slow suspect behavior instead of stopping it, giving us time to notify a user and ask if the system should be permitted to proceed.  We can incrementally slow the system more and more while waiting.  Ransomware’s need to work quickly is mitigated, and we limit the damage it can do without the catastrophic side effects of hard-stopping processes if we have false alarms.

With this approach, both our detection and mitigation can happen in the same place— ransomware needs to access files on a disk.  Rather than looking at the behavior of individual processes, we can observe the behavior of the full system by “wrapping” the storage device drivers.  This becomes harder for processes to work around. 

If ransomware is detected, we use the same wrapper to increasingly slow write access while a user is notified.  We contain the damage ransomware does on each system vs just containing the ransomware from spreading to other systems.
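A user-space simulation of the slow-down approach described above, added here as an illustration; it is not CTM's code or any vendor's implementation. The `WriteThrottle` class, its thresholds, the doubling schedule and the sample data are assumptions made for the example, and it models only write entropy and the number of distinct files touched, where a real wrapper would sit in the storage driver path.

```python
import hashlib
import math
from collections import Counter, deque


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class WriteThrottle:
    """Hypothetical model of a wrapper on the storage write path.

    It watches the whole system rather than one process: it counts distinct
    files that received high-entropy writes inside a sliding window. Once the
    count reaches the threshold, suspicion is latched and every later write is
    delayed, doubling each time, until the user answers. All thresholds are
    assumed values; times are integer milliseconds.
    """

    def __init__(self, window_ms=5000, entropy_bits=7.5, min_files=10,
                 base_delay_ms=50, max_delay_ms=5000):
        self.window_ms = window_ms
        self.entropy_bits = entropy_bits
        self.min_files = min_files
        self.base_delay_ms = base_delay_ms
        self.max_delay_ms = max_delay_ms
        self.recent = deque()          # (timestamp_ms, path) of high-entropy writes
        self.level = 0                 # escalation step while waiting for the user
        self.suspected = False
        self.allowed = False
        self.denied = False

    def on_write(self, now_ms: int, path: str, data: bytes) -> int:
        """Return the delay (ms) to impose before this write proceeds."""
        if self.denied:
            raise PermissionError("writes blocked by user decision")
        if self.allowed:
            return 0
        while self.recent and now_ms - self.recent[0][0] > self.window_ms:
            self.recent.popleft()
        if shannon_entropy(data) >= self.entropy_bits:
            self.recent.append((now_ms, path))
        if not self.suspected:
            if len({p for _, p in self.recent}) < self.min_files:
                return 0
            # Latch: without this, the throttle itself would spread the
            # writes out, the window count would fall, and the loop would
            # get full speed back. The user notification is raised here.
            self.suspected = True
        self.level += 1
        return min(self.base_delay_ms << (self.level - 1), self.max_delay_ms)

    def allow(self):
        """User says the activity is legitimate (e.g. a backup or archive job)."""
        self.allowed, self.suspected, self.level = True, False, 0

    def deny(self):
        """User says stop: further writes are refused."""
        self.denied = True


def constructed_ciphertext(size=4096) -> bytes:
    """Constructed sample: SHA-256 output stands in for encrypted file data."""
    return b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                    for i in range(size // 32))


def constructed_text(size=4096) -> bytes:
    """Constructed sample: repetitive plain text, low entropy."""
    return (b"Quarterly report draft, revision 3.\n" * (size // 36 + 1))[:size]


def workload(n: int, data: bytes):
    """Constructed write loop: one write of `data` to each of n distinct files."""
    return [(f"/home/user/docs/file{i:04d}", data) for i in range(n)]


def files_written_within(budget_ms, throttle, writes, cost_ms=10) -> int:
    """Count writes that complete inside the time budget, with or without throttling."""
    clock, done = 0, 0
    for path, data in writes:
        delay = throttle.on_write(clock, path, data) if throttle else 0
        clock += delay + cost_ms
        if clock > budget_ms:
            break
        done += 1
    return done


if __name__ == "__main__":
    loop = workload(1200, constructed_ciphertext())
    print("unthrottled, 10 s:", files_written_within(10_000, None, loop))
    print("throttled,   10 s:", files_written_within(10_000, WriteThrottle(), loop))
```

Compressed archives and media files are also high-entropy, so a false alarm here costs a delay and a prompt rather than a killed process.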

Someone Needs to Build it

Who should implement this approach?  Ideally, we demand it of our malware detection vendors.  Scream at them, loudly.  Tell them that if they don’t implement this, you will find a vendor who will.  Their inaction can’t be your disaster.  If they don’t act, we should build our own solutions.   Making backups and waiting for an attack can’t be our response.

I honestly don’t believe we need another vendor providing malware solutions.  CTM, a cybersecurity research lab and incubator, is in the business of solving hard problems and building companies around those solutions.  This is a problem worth solving but not a stand-alone business worth building.  

CTM might build this and give it away free to end users if existing vendors don’t step up.  I’m that tired of letting these attacks succeed.

If you are tired of ransomware too, and don’t see a better solution coming from your existing vendors, let me know.  If there is enough interest, I’ll invest some resources to build this and make it available.  Sometimes you just do what’s needed instead of looking to monetize a market.

Anyone else tired of letting this happen to us?  Anyone else want a better solution?  Let me know.

Josh Shaul joins CTM's Board of Advisors

YORKTOWN HEIGHTS, N.Y. - CTM Insights, llc ("CTM"), a leading cybersecurity incubator and build studio,   announced the appointment of Josh Shaul to its Advisory Board, replacing the seat held by Roland Cloutier.  Shaul joins other industry luminaries who help guide the investment and operational strategies of CTM's portfolio.  As the Vice President of Web Security at Akamai, he is uniquely qualified to spot emerging market needs for which no solutions currently exist.

"Cybersecurity presents all of us with constantly evolving problems," said Shaul.  "CTM occupies a unique space, investing in big ideas to solve big problems.  While most investors wait for a market, CTM proactively identifies needs and creates solutions that let us stay ahead.  I'm excited to be a part.”

"I've known Josh for many years and respect both his technical prowess and his intellectual horsepower.  I’m pleased to welcome him to the Board and look forward to working with him   for years to come," said Lou Steinberg, Founder and Managing Partner of CTM.  "I also want to thank Roland for his guidance over the past two years as we took CTM from concept to reality."   

CTM’s ongoing initiatives include ways to secure data without encryption, ways to protect against fraud through frictionless transaction authorization, and a trust overlay for the Internet.   New research includes creating a method for the efficient detection of attacks against data integrity, such as deep fakes.

About CTM

CTM invests in radically new approaches to solve some of the hardest problems in cyber, providing seed funding and resources to turn them into companies.  In just two years, investments have been made in four "big ideas" which have already resulted in three pending patents and the launch of two companies, Authoriti and ShardSecure, creating a combined IRR of over 200%.

Michael C. Cutlip Named President & CEO of Authoriti

FEBRUARY 5, 2019, NEW YORK – The Authoriti Network, which was founded in 2017 to eliminate fraud and data privacy risks by letting customers easily and securely authorize any transaction, announced that Michael C. Cutlip has joined the company as President & Chief Executive Officer.

Cutlip has more than 30 years of experience across a range of roles in the financial services industry, the majority at HSBC Holdings plc. As COO of the Global Banking and Markets’ Banking business in the Americas, he led teams delivering and improving HSBC’s business management, credit, operational and enterprise risk, and regulatory and financial crime compliance initiatives.

“Mike is a hands-on leader of large and small risk management businesses,” said Lou Steinberg, Managing Partner at CTM Insights, which created Authoriti. “His operating experience in protecting HSBC and its global clientele against fraud will prove to be of immeasurable value in his role as CEO of Authoriti. We are fortunate to have someone with Mike’s outstanding reputation and experience come on board at this early stage in our growth.”

“Like many in the financial services industry, I am excited about Authoriti’s ability to eliminate fraud and improve client experience. The Authoriti Permission Code™ is simple but secure, and provides institutions with the confidence that every transaction is authorized,” said Cutlip. “Authoriti’s multi-factor smart PIN technology flips the model and gives customers control of every transaction. We have a strong future combatting fraud in the financial vertical, as well as other areas where fraud is on the rise, such as healthcare and real estate.”

Concurrent with his COO responsibilities, Cutlip served on the Board of Directors of HSBC Capital (USA) Inc., HSBC’s direct and fund of funds principal investments business in the Americas. Mike relocated to Hong Kong between 2009 and 2012 to build out GB&M’s Credit Portfolio Management capabilities covering 18 countries in Asia. Mike holds a Bachelor of Science degree from Iowa State University and a Master of Business Administration from The University of Iowa.

How the Permission Code Works

The Authoriti Permission Code Smart PIN puts control of transactions in the hands of the consumer and gives institutions the confidence that every action is authorized. Consumers can authorize a wide variety of requests, including tax return filing, money transfers, insurance billing, sharing medical and financial information, or even social network data sharing. The Permission Code answers one question – was this activity authorized?

Institutions that need to approve a transaction simply ask for an Authoriti Permission Code. The consumer generates the Permission Code with a smartphone app. The consumer may set a Permission Code to authorize a specific activity, last for a set period of time, within a certain place, for a specific service. A simple RESTful service call to Authoriti validates that the user associated with the ID has generated the code and that the transaction is authorized for the specific purpose.

About The Authoriti Network

The Authoriti Network was founded in 2017 to eliminate fraud and data privacy risks by letting customers easily and securely authorize any transaction. Our founders have significant leadership experience dealing with InfoSec at-scale in the world's leading financial institutions. Authoriti develops the patent-pending Authoriti Permission Code Smart PIN, which puts control of transactions in the hands of the consumer and gives institutions the confidence that every action is authorized. Visit https://authoriti.net.

Three Interview Questions that Matter Most


I’ve interviewed a lot of people over the years. Most had applied to join companies that I’ve founded or organizations that I ran. It’s hard to get to know someone in 30 minutes. It’s harder when both sides are in full-on sales mode (me pitching why they want to work here; the applicant pitching why we want them).

Over time, I’ve developed three simple questions that tell me a lot about a technologist. Like hiring managers everywhere, I look at what skills a person brings, whether they will execute and deliver, and if they culturally fit with the team.

What I try to assess beyond that, especially for technologists, is how they think. Nail these if you ever want to get hired by me. Since I started using them, I have never hired someone who answered badly (there is a difference between a “bad” answer and one that’s factually “wrong”). I promise to explain why I’m asking what seem to be unrelated questions, but only after I have the answers. I’m sharing my questions so that others might build upon them.

Question 1: “How many telephones are there in the United States?”

I actually don’t know the answer to this question, nor do I care. What I care about is how someone approaches a problem that wasn’t well defined. I look for the breadth of their thinking; did they include office phones or just home? Mobile phones or just landlines? How it was defined doesn’t matter; what does matter is that he or she identified the ambiguity and clarified it. If asked what types of phones I’m including, I always respond with “that’s up to you.”

Once the problem became clear, how did they approach it? I want technologists who know how to break a problem down into parts and solve it in an organized way. Consider the number of adults/businesses/households, estimate phone density, and repeat.

The only truly awful answer is “I don’t know” or a random guess with no thought.

This question has only failed me once; an applicant immediately responded with a number. When I asked “how did you get that?” he told me that it was referenced in an article he had read the day before. Even that had one upside...at least I knew that he read and remembered things!

Question 2: “How does a toilet work?”

This question is designed to probe for intellectual curiosity. A toilet is a device that each of us has used every day of our adult life. Any engineer that hasn’t bothered to open up the back and look in the tank (or other mechanism, depending on where one lives) isn’t someone I want. I believe that problems are often solved by applying tools and techniques from other disciplines so I try to hire people who want to know how everything works.

Again, the only failing answer is that they have never cared to look. There are degrees of answers that range from good (able to describe the mechanism) to very good (able to describe it using the correct terminology for the flapper, float valve, etc.). Once, an applicant not only described the mechanism, but then explained the physics and connected the two. I made him an offer that same day.

Question 3: “Tabs or spaces, and why?”

The newest addition to my list elicits the most passionate responses. I’m still tuning how to probe the responses, in part because when I tested it on some very competent people I didn’t get the answers I expected. Still, I believe it delves into an important aspect of solving problems and I’m determined to get it right.

The important part of the question is “why?” When writing code, indentation is used simply to make the software more understandable for the next reader. The compiler doesn’t care if you indent at all (Python programmers may now object). Most programmers and engineers appreciate this. Please don't tell me that tabs consume fewer bytes on the disk— disks are cheap and the amount of storage saved or consumed is negligible. Focus on this and you are solving the wrong problem.

What’s shocking is when they fail to apply their understanding that this is all about the next reader. Indenting works fine with tabs or spaces, until you get more than 2-3 indents deep. Then, lines of software often no longer fit on the remaining space on the screen. They “wrap.” Splitting lines unnecessarily makes the software harder to read. Not impossible, but if we are doing this for the convenience of the next person, we should make it as convenient as can be practically implemented.

“Spaces” is a good answer if the “why” is thoughtful. So is “tabs at the beginning, but I change to spaces when indenting more than a couple of levels.” I’ve even accepted answers that say if you have more than three levels of indentation, the code needs to be refactored to be more readable. The only failing answer is to not understand “why,” followed by understanding but refusing to apply it in practice.

Some have defended a “tabs-only” approach by saying that the next person should adapt by resetting the default “tab-stops,” the number of spaces that equates to a tab. They miss the point...if we are trying to make this easy for someone else, we shouldn’t impose extra work on them.

As I said, the answer to this one often surprises me. With many, the choice of tabs versus spaces seems to be tied to a deep-seated belief system, with those in an opposing camp labeled heretics. Fans of the HBO show “Silicon Valley” will doubtless remember Richard’s epic rant when he realized that his new girlfriend uses spaces.

Maybe he should have asked “why?”

Some of the Greatest Innovations are Not What You Think

Most of my blogs focus on cyber-security innovation, which is my current mission. In this post, I’m going to write about innovation in general and disruptive innovation in particular. My case study is Tesla.

For full disclosure, I own a Model S and shares of TSLA. You may choose to prejudge me as biased or just putting my money where my mouth is. What I will ask is that you not label me as a fan boy of Tesla; I’ve suffered through the expected challenges of a relatively new product from a relatively new company. I have concerns. It doesn’t matter. Tesla is going to win the automotive space. Here’s why:

Innovation #1: cars are a software problem

I first realized the power of “tin wrapped software” when I was the CTO of Symbol Technologies. Symbol built hardware, but was able to use software to tune how it worked in different environments. Flexible software meant that the hardware behaved one way in a hospital (long battery life for a 12-hour shift) and another way in a retail store (higher power radios to overcome dead zones).

I bought the Model S because it was the first time I had ever seen someone treat a car as a software problem. Of course, modern cars are full of computers, but their manufacturers have legacies of building and tuning hardware. It’s wired into their DNA.

While manufacturing innovations such as mass customization may change their appearance, cars have evolved to a place where the opportunity to disrupt is diminished. They all have modern engines, they all have modern suspensions, they all have modern safety systems. We’ve seen little disruption because they have all reached the same place against a current set of use cases.

Tesla is different.

We can debate the merits and disadvantages of electric motors over gasoline engines. I see issues with both. What’s disruptive is that, for the first time, an individual car can improve itself via software upgrades – rather than waiting for future generations of that car to ship. I own BMWs and a Mercedes, and have previously owned Audis, an Infiniti, an Acura, a Ford, and a couple of Chryslers; most were or are reasonably good cars. Aside from navigation maps, all of my cars had features that were largely fixed on the day they left the factory.

Not my Tesla.

Every month, it gets software updates that make it better. It learned how to park. Then it learned how to do it better. It opens my garage door when I come home. It improved its self-driving. It improved the stereo. It added anti-theft features. After one year, my car is safer and better to drive than the day I bought it. My Tesla driving experience keeps improving through patches and updates.

BMW, Audi, Jaguar and others have reacted to Tesla’s success by making a big push towards electric cars. They are missing the point. Their hardware DNA will likely lead them to build cars with fixed features -- not continuously improving software. Yes, you can sometimes take a car to the dealer and update the software when you have a problem, or let them swap the “computer module” to get new firmware.

How very 1980s. I never again want to buy a car whose capabilities are frozen in time.

Innovation #2: Free up constrained resources

I’ve never used a Tesla Ranger – the roving vans that come to you for minor service items. It sounds like a great convenience to the customer…and I’m sure it is. That’s not the real innovation.

Tesla’s bigger innovation comes from a realization that the most constrained real estate at a service center is in the service bays. You can hire more technicians if demand increases, but the service bays are a big capital investment that can’t be flexed up and down.

The second most valuable real estate at a showroom is in the parking lot. You can fill it with cars to sell, but only if you don’t have a lot of cars you already sold taking up space while waiting for a service bay to become available. Cars waiting for service, especially warranty service, crowd out cars that are ready to be sold and delivered. Add to this the fact that many owners will ask for a loaner car, and you need a fleet of loaners. It all costs money.

Suddenly, the idea of a van that comes to the customer isn’t just a convenience, it’s a way to optimize constrained resources and save capital. It frees up the parking lots to sell and deliver cars. This “convenience” shows how process redesign can redefine the cost curve and let a showroom focus on where it makes money (which Elon Musk has clearly said isn’t service). I bought stock in Tesla the day I realized how smart this was.

Innovation #3: Sell the roadmap

“People don’t buy software, they buy a roadmap.”

That’s a true statement. Companies that shell out big bucks for software want to know that it will keep getting better. Since its first innovation was realizing that cars are now a software problem, Tesla isn’t limited to promoting the current features.

Tesla and Musk are either lauded for offering vision or panned for over-promising, but they offer a glimpse of what your car will be able to do in the future. Not another car you have to purchase again…the very same car you buy today.

My car knows how to park, and will someday have full autonomous driving. Why shouldn’t it drop me off in front of the store and then find a parking space on its own? There is no value in my hunting for open parking (this may kill paid-for parking garages).

If my daughter needs a ride home from school, why wouldn’t my car go and get her?

Cars have had adaptive cruise control for a while, meaning they can follow the car ahead of you. If my car uses cameras to see things, why not use them as a dash cam to record what happened if there is an accident? (Actually, a hardware limitation on my Tesla doesn’t allow this, but cars built right after mine just got that feature through a software update.) If the navigation knows that I’m moving from a highway to a dirt road, why can’t the suspension automatically raise the height of the car?

By treating cars as software, and constantly pushing updates, Tesla can command a premium price today by selling the roadmap. That’s it.

We can talk about Tesla’s financials (including their debt); the antics of a larger-than-life CEO; how powerful dealership networks seek to maintain control by lobbying to prevent car manufacturers from selling directly to the public, etc. They are all valid points and all will affect Tesla’s business. So will aggressively launching new models that consume cash as soon as a current model becomes profitable (Musk said that was his strategy when he thanked Model S buyers for funding the Model 3. Many analysts didn’t realize Tesla’s cashflow with the Model S, X, and 3 all followed the exact same pattern).

Assuming it works through the above issues, Tesla’s disruptive innovations will continue to drive value. Other manufacturers may innovate incrementally, but as the character “bored Elon Musk” once tweeted, “Incremental innovation is really just adjusting for inflation.”

I’ll back a disruptive innovator every time.

Startups: Why I Ran Off and Joined a Circus

When I graduated from high school, I went off to study Engineering and Computer Science—the normal next step for a kid from a long line of scientists and engineers. Bob, my best friend since the age of two, decided to go to “Ringling Brothers Clown College.” Yes, that was a real thing; he ran off and joined the circus.

Clown College seemed unusual by any objective standard, even for those who wanted to study performance. The traditional next step would have been to go to acting school or enroll in a theatre program. Bob explicitly didn’t want to take the usual, incremental “next step.”

Instead, Bob decided to shake up the etch-a-sketch, and do something new. He brought with him the knowledge from previous experiences, but none of the baggage from when one follows the well-worn path.

Constant Change

After a distinguished circus career, he changed again and started a magic shop. After that, he became a full-time magician, and then started a karate school. Each time he succeeded, learned what he could, and then did something completely new.

I realized that he was able to start over because he could afford to take the risk. Each time, Bob had enough prior success to cover his downside should things not go well and enough self-confidence to try a new pursuit. He would get to learn something new and apply those skills in later endeavors.

Each time Bob traded a job in which he had “picked all of the low-hanging fruit” - in which incremental success would come slower and with greater effort - for one in which he could more rapidly deliver value. In essence, he swapped a tree with no low-hanging fruit for an entirely new orchard!

My Journey

I’ve tried to do something similar. Since leaving IBM many years ago, I’ve been the CEO of three startups. I’ve also been the CTO of two public companies and the CMO of a third. When I’ve contributed what I can, and begin to get too comfortable, I offer my thanks and find something entirely new to do.

This happened most recently when I was CTO of TD Ameritrade. It’s a great company with fantastic prospects. After four years, my team had achieved their objectives and had shifted focus to new platforms, emerging technologies, and reducing technical debt.

It was fun, but the period of rapid gains through thoughtfully designed innovation practices, risk mitigation, throughput, and efficiency had leveled off. There is always more that can be done, and things to be improved, but we had picked the low-hanging fruit. It was time to start thinking about my next circus.

I agreed to stay two more years to help meet some new objectives. After six years, I left TD Ameritrade and started a cyber security incubator and build studio; a company that creates start-up companies.

My New Circus

Start-ups seem to have a lot in common with a circus; an overwhelming frenzy of activity, risk-taking excitement, fun, and a ringleader (I’ll skip comparisons involving clowns and animals). Start-ups are an opportunity to completely commit to an idea and see it through for clients.

They are high risk, high return because you are working without a safety net…but in exchange they offer the freedom to execute with levels of agility that larger firms generally can’t match. Large firms have horsepower, but startups have Formula 1 race car steering. An incubator building multiple start-ups is like a three-ring circus: one ringleader, common infrastructure, and three times the chaos!

Why cyber security? Cyber is one of the few areas of risk management that isn’t random. Motivated attackers have a specific purpose, and continuously evolve their methods. I like to say that “we only play defense against people who only play offense,” so defenders have to out-evolve attackers.

I recently gave a talk at the Wall Street Technology Association’s Cyber Security conference, in which I explained that the key to winning as a defender is to not play the same game as your adversary. You can’t win a game in which you only defensively react - you can only defer losing.

Staying Ahead

Instead, we must predict emerging capabilities that attackers will acquire, and create entirely new defense methods first. When data breaches reveal secret information that lets bad actors compromise client authentication and take over accounts, we need to flip the model; we need to authorize client activity instead of trying to incrementally improve authentication.

When faster computers can break the encryption on stolen files, we need to find new ways to protect data by making it impossible to find and steal instead of trying to incrementally strengthen encryption. When tens of millions of consumer devices can overload Denial of Service mitigation providers, we need to find ways to tell the Internet how to give preferential treatment to traffic we like instead of just adding capacity to our mitigation. Winning as a defender is about Changing The Model (CTM) so that attackers’ capabilities don’t apply.

Changing the Model

I started my incubator, CTM Insights, to invest in solving problems like these. We collaborated with Akamai, Google, Comcast and others to create a solution for adding trust to the Internet. We recently launched our first company, The Authoriti Network, that allows consumers to authorize high-risk activity (sharing data, transferring money, etc.).

Authoriti changes the model from improving authentication to adding multi-factor authorization. And there is more to come.

What’s Bob up to now? He shook things up yet again and is now starting an acting career. His new circus will let him apply what he already knows about entertaining to a new discipline. I suspect he will rapidly succeed in a new orchard full of low-hanging fruit.