No silver bullets
For Stu Sjouwerman, deciding which road to take did not come easily. Whereas other kids had some idea of what they wanted to be when they grew up, he did not immediately know what he was going to do with his life.
At 16 he became obsessed with reading science fiction and decided he wanted to train as a science teacher. But by the time he was 20, the writing on the wall was clear – the future was in computers. “I am changing careers,” he told himself.
Decades would pass before everything made sense and Sjouwerman could combine two seemingly disparate career paths. As founder and CEO of KnowBe4, he is educating people, not inside a classroom but online, on how best to shield themselves from security attacks.
His business venture Sunbelt Software, an anti-malware company, was acquired by GFI Software in 2010. After the sale, Sjouwerman found himself in forced retirement – for a grand total of five days. “I was bored out of my skull!” he said. Again, as before, he wondered what he would do next.
It was during this lull that he fleshed out the thoughts he had been having over 15 years at Sunbelt. Sjouwerman observed that people, himself included, were taken up with the endless pursuit of the perfect anti-virus product. “Most IT security focused on the next fantastic technical solution – the next silver bullet to take all the bad guys out.”
But was this even the objective in the first place?
He concluded that no product can fix social engineering – the practice, or rather the art, of manipulating, influencing or deceiving a person in order to gain control over a computer system.
Social engineering bypasses technical security layers and cannot be solved by security software, because it attacks a more fundamental weak point. “Humans are always your weakest link,” he says.
“That is what the bad guys are going after…they are hacking humans first. If that doesn’t work, then they will start hacking software.”
According to Sjouwerman, humans are easiest to hack. “They are not trained to spot social engineering. They are quickly manipulated into doing something that is against the interest of themselves or the organization.”
Other firms had tried doing work in this field, but Sjouwerman observed they were doing it for large enterprises. “Nobody was taking care of small and medium-sized companies.”
And so his work was cut out for him.
Collaborating with ‘the enemy’
At around the time he was trying to firm up his ideas for the new venture, Sjouwerman met Kevin Mitnick through a neighbor who turned out to be Mitnick’s cousin. Mitnick was a notorious hacker who had been on the FBI’s Most Wanted list; he was arrested in 1995 and served five years in federal prison. Since his release he has worked as a white-hat hacker, advising companies and governments on how to keep intruders out of their systems.
The two explored ways they could work together. “I had a good idea about what I wanted but I needed his 30 years of hacking experience to create good simulated phishing attacks so we would be able to test employees,” Sjouwerman says.
Mitnick came on board as chief hacking officer. After all, who could better pick the brains of hackers than a former hacker himself? Part of the job involves recorded sessions in which Mitnick explains how hacking works.
Teaching a new language
KnowBe4 offers training on a subscription basis. They work across all industries, but tend to have many companies from the financial industry among their customers. “Healthcare, hi-tech and manufacturing are also strong,” Sjouwerman says.
It’s essentially a three-step process – a baseline test, the training itself, and continuous testing. “You have to make sure people recognize social engineering,” he says. “If they don’t, they get a quick remedial training.”
The companies that engage KnowBe4 know they have a problem. “They know their employees are not alert enough, aware enough…they understand that they need to do something about it.”
This is also where Sjouwerman’s own training as an educator comes into play.
The courses enable people to learn a new language. You need to know the words. “We train people to make sure that they understand all the terms that we use so that they can understand and think with that information. So if you run into a word you don’t know, you kind of stop and make sure you clear it up before you do anything else.”
To his team, Sjouwerman describes himself as an unusual CEO. “I consider everyone to be an owner and give them the same data that I have so they can make good business decisions where they are.” Talk about empowerment through information.
No dull moment
Sjouwerman has been in IT for such a long time that he has observed the industry well. “There is never a dull moment!” he says. “You see long-term trends, and often these come back in another form. In the olden days there were mainframes and everyone had a thin terminal with no intelligence. Today most of our employees run a thin client with only a browser and all processing happens on a shared server in the cloud. Not all that different!”
He expects even more change to come. “The internet really is a beta that was not developed for security but only with resilience in mind. To be really secure, we need internet 2.0, and that will take decades,” he says. As for security awareness training, it is a brand-new space that is only starting to develop. Again the emphasis is on the human, rather than the technical, side of security.
In his free time, Sjouwerman reads, watches good TV and walks. He lives five minutes from the beach. His philosophy: “Do it right the first time. Do it fast…and have fun while you do it.”