Who’s Got the Stick for the Cyber Moonshot? - Ep. 129

This week we caught up with Lisa Donnan, Partner at Option3 Ventures, to discuss the world of cyber venture capital and private equity and the importance of disruptive technology and commercialization for breaking through the white noise of the more than 3,500 cyber start-ups today. She also shares insights on why the SMB market is a $50B opportunity for cyber.

We also discuss why the U.S. needs a cyber moonshot to catch up on the criticality of security by design, and why the Cyberspace Solarium Commission is a good start. Ultimately, as we consider public/private partnerships’ success ahead, who carries the stick for actions, accountability, and milestones? Eric recommends his favorite book of the week, “Think Again: The Power of Knowing What You Don’t Know” by Adam Grant.

Lisa Donnan - Option3 Ventures

Episode Table of Contents

  • [01:10] The Intersection of Information Security and National Security
  • [08:08] A Fabulous Term Often Used In Cyber Moonshot and High Tech
  • [16:12] There Are Options in Cybersecurity
  • [24:04] Why Do We Accept Losers
  • [32:38] Why Private Equity Firms Get Attacked
  • [41:25] The Perfect Weapon For Cyber Moonshot
  • About Our Guest

The Intersection of Information Security and National Security

Rachael: We have Lisa Donnan here today. She's a partner at Option3 Ventures, and I really love the focus of what they do.

Rachael: They're a cybersecurity private equity firm that focuses on the intersection of information security and national security. They have expertise and experience in companies coming out of the US Intelligence Community. Welcome, Lisa. I'm so excited to have our conversation today.

Lisa: We're swimming in a lot of alligators lately.

Eric: The cyber front? Absolutely. Alligators, crocodiles, caiman, you name it.

Rachael: For those who aren't clear on the venture capital/private equity front, what's each of their focus? How do they function? Could you shed a little light on that, Lisa? There's a lot of money funneling through both of these pathways recently.

Lisa: This year alone, private equity and venture capital are putting about $44 billion into cybersecurity. Venture capital is really categorized as an early stage. So seed, Series A, Series B. Private equity is much more late stage, Series C, D, and E and F, buyouts, and whatnot. So you've got both sides.

Lisa: When we first started cybersecurity investing five years ago, there really wasn't any late stage in cybersecurity. Fast forward, there is a late stage now and we do a full cycle from seed all the way to the other end. It's been fascinating.

Eric: When you say, "the other end," you're really talking about from round C, D, whatever it may be, until IPO, acquisition?

Cyber Moonshot Companies Positioning For IPO

Lisa: By and large, in the past, it was usually strategic acquisition. Now, we've got roughly 20 cyber companies that are positioning for IPO.

Eric: When you say "now," you're talking in 2021?

Lisa: Correct. It's really a market that has matured in many ways financially. But we're still dealing with the breadth of just coming out of SolarWinds and the Microsoft Exchange hacks. We can go on and on about the state of the attack surface, it's sometimes incongruent.

Eric: You see companies like Barracuda, McAfee that IPOed. Now they're going back to private again. McAfee has done it twice. What's the motivation there from a cybersecurity company perspective when they do something like that? Especially when the market's high. The market's hot right now. You would argue that McAfee theoretically is in that market. They've gone private.

Lisa: The McAfee divestiture really was quite interesting. They sold off the enterprise business and they're going to rebrand that. They’re privately purchased. Then you've got the consumer side of McAfee which is going to continue to serve the customers that it has.

Lisa: I can't speak directly to what's motivating these particular companies to be in the public markets or the private markets. But it's usually growth-oriented, where they're focused, where the capital has to be deployed. And how fast does that capital have to be deployed?

Lisa: So folks have different strategies in different markets. But we should add though. We are now at the point where we've got 3,500 cybersecurity companies, and that's growing. They're all not going to be winners.

Rachael: How do you figure out who to invest in?

Three Investment Themes of Cyber Moonshot

Rachael: Because when you have a landscape that large and you're differentiating between let's say next-gen tech, disruptive companies or companies that are just kind of doing it better than the rest. How do you know where to focus or how do you balance that mix in your portfolio?

Lisa: At Option3, we've got three investment themes. When we look at a company, we make sure the company fits in one or more of those investment themes. First one would be cyber-physical systems. The reality right now is that there are a host of IT solutions. But those do not fit the rigor for operational technology. So HVAC systems, power generators, electric grids.

Lisa: The hack that we just recently saw in Oldsmar, Florida. We had a hacker going into a remote accessible device, putting more chemicals into the water. Thank goodness there was a plant operator who saw that there was something erroneous going on. Horrific.

Lisa: So, cyber-physical systems are all about industrial control systems, SCADA systems. The IT solutions out there right now don't support the requirements for OT.

Eric: This isn't new. Target? We can go way back. This has been a long-term problem. Do you find that the space is specifically moved quickly enough?

Lisa: I don't think it's moving quickly enough. Operational technology for years had the mindset that they were air-gapped, that they had no connectivity to the internet. Therefore, they were fine. Well, fast forward. That has dramatically changed.

Lisa: 40% of industrials have at least one connection to the internet. 80% have discoverable devices to the internet. So fast forward. $22 billion going into cyber-physical systems. It's an area that obviously we look at very closely.

A Fabulous Term Often Used In Cyber Moonshot and High Tech

Eric: I bet most have no idea that they are connected to the internet and how they're connected to the internet.

Lisa: Disruptive technology. So next generation, a fabulous term that's often used in cyber and high tech.

Eric: And jet fighters.

Lisa: Yes. Next-generation to me, really, I use car analogies all the time. That's kind of like a six-cylinder going hybrid. The disruptive would be Tesla. So, technology. Emerging technology that’s dramatically either reducing the cost or significantly improving the state of cybersecurity effectiveness or efficiency.

Eric: I can't wait to hear your examples here. HVAC we could hang with. What would you throw into the disruptive bucket at this point?

Lisa: Quantum computing. Out of 3,500 cybersecurity companies, there are maybe 35 working on quantum. Quantum's really interesting in cybersecurity. The ability for exponentially higher processing power enables hackers to break through public-key standards that we widely rely on today.

Lisa: All sorts of security going on in automotive. Rachael was earlier discussing the ability for a car to be ransomwared at 75 miles an hour. Kind of scary.

Eric: Especially when you're on autopilot and then it goes away.

Lisa: Folks actually just think that this is only for autonomous, and it's not. These are for connected cars. Anything between 2014 and fast forward; your car's connected. Cars have a lot of computer systems already in them when you're buying them.

Eric: Your brakes could be remotely disconnected. I went on the radio, on WTOP about a year ago. We were talking about quantum. As a cybersecurity, I've been in the business a little while and I really hadn't thought about it.

The Real Problem

Eric: I was like, "I don't know that that's hitting us just yet." Then we had Steve Grobman, the CTO of McAfee on the show, probably May, June. We were talking about quantum, about voting systems. Steve said, "The real problem is you can steal the data now. And through quantum computing, you're going to decrypt it later. You'll break those algorithms." The light bulb went off. I said, "This is a major problem in cybersecurity where we have a lot of major problems."

Lisa: We get back to PE versus VC. Quantum, the 35 companies right now are very much in that venture capital bucket versus PE right now.

Eric: I would think the larger, more established companies would not have the patience, the capital, the desire to really do the R&D required on the quantum side. They would wait for it to happen. I’d think they would wait for some kind of disruptive invention or capabilities. Then they would want to just buy it.

Lisa: It's that whole build versus buy. It kind of gets back to that whole concept of commercializing technologies. And so people ask me all the time, "How did you get into investing? What were your thoughts about that?"

Lisa: The reality is after 25 years of commercializing technology, so taking a technology to market, creating financial value, staying ahead of competition, doing it quickly, efficiently, frankly, it was a great translation to investing. A great on-ramp to investing because VC to PE is all about those companies, whether large, medium, even small, that can do the commercialization. Whether that's coming out of R&D or whether that's a piece of technology that they found and got it to scale.

Are We Solving a Pervasive Problem in Cyber Moonshot

Lisa: That's another thing I look to in this whole situation whether it's cybersecurity, physical, disruptive, or the last one, automation. Are we solving a pervasive problem that someone will spend a dollar for?

Lisa: There are lots of great ideas but they don't all make good businesses. It's like the pizza analogy. I know a lot of people want to make pizzas but they don't want to be in the pizza business. Very different.

Eric: We talk about machine learning; we talk about artificial intelligence all the time in cybersecurity. If you ask five people what those technology areas really mean to them, you'd get at least 20 different answers.

Eric: But I really think automation, which is not as sexy, not as interesting. It’s going to bring more value to the business, to the agencies, than machine learning or artificial intelligence.

Eric: They go hand-in-hand almost but we don't talk about automation a lot. If I'm in a meeting with a customer, you'll hear machine learning, you'll hear AI all the time. I'll throw back automation.

Eric: We'll be talking about just automating some process. Automating the way they do things, simplifying and speeding up something. It doesn't resonate with the typical customer. Do you see that?

Lisa: It doesn't have that pizazz but the reality is, it's not sexier, automation is not sexy. Automation is really important. It's our third investment thesis and the ability to mitigate, detect, prevent cyber-attacks that are now so much more sophisticated, persistent.

Lisa: To be able to do it effectively, efficiently, and faster than humans is really important. You add on the fact that we've got four million unfilled cybersecurity jobs in the world.

The Biggest Threat in Cyber Moonshot

Lisa: We're the only place that has had zero unemployment for the last decade. That actually is our biggest threat, the lack of talent.

Eric: We've talked about it a ton on the show. There aren't enough people to fill the jobs. We have talked about it from a gender perspective. We've talked about it from coming outside, bringing English majors in, artists, you name it, getting people into the industry.

Eric: Why isn't automation resonating with people? What I see when I talk to customers or partners even, it's almost like we're attacking their jobs. We're going to automate.

Rachael: 100%.

Eric: But they don't close that gap, that linkage, where there are two-to-four-million jobs open right now. Those are probably better jobs. If I can get a machine to hit these buttons that I hit every day all day, or to analyze this report. I wouldn't have to do that and I could do something more exciting.

Lisa: I'm sure you've been in those rooms. Where you've got security teams trying to digest gobs and gobs of data and turn that into actionable information. To solve that is why there's automation.

Eric: I look at it and I'm like, just give me the answer. Let me make the decisions.

Lisa: We haven't had a very big pipeline of talents. We've got a lot of universities. I'm the chairman of George Mason's Volgenau College of Engineering. Several years ago, we launched the undergrad in cybersecurity engineering. We launched the Masters in Cybersecurity Engineering.

Lisa: These are programs that did not exist, we had no people working on them. Now we've got a thousand students coming out of it.

There Are Options in Cybersecurity

Lisa: But then, we said, "Okay, well, that's great," but then we even had to go more downmarket. We did partnerships with NOVA Community College here in Northern Virginia. We're going down into the high schools to get internships. So that kids understand that there are options. That cybersecurity doesn't mean just, "I need an IEEE engineering degree. There are other jobs that can be done."

Eric: But we're not going to make four million, and it's growing. We're not going to make four million students into employees anytime soon.

Lisa: Not overnight but we have to start. You've got kind of multiple tentacles having to solve this issue. The government recognizes it as well. So, there's a lot of certification programs. Again, you don't have to be an EE just to get a job in cybersecurity. But we have to start somewhere because as I said earlier, this is our largest issue, lack of talent.

Eric: But as a business owner, and I don't want to get hung up on this too much more. I think that automation would be one of the most important driving components. It's one of your three critical areas.

Rachael: It should be table stakes.

Eric: I just don't see it. It's like giving me the answers so I can make decisions. That's not the discussion that I have 98% of the time.

Lisa: It actually is. If you go into SMB, small-medium-size businesses, it's absolutely probably the number one because-

Eric: Because they have to.

Lisa: They have no choice. You've got companies that traditionally have less than 500 employees. You don't have the technical expertise, you don't have the resources. Yet, you still have the same challenges that the Fortune 500 do.

Who Gets Attacked the Most

Lisa: By the way, bad guys know it, and who gets attacked the most? Small-medium-size businesses.

Eric: I'm not an expert in SMB. But I might argue that they have bigger challenges like ransomware, and they're easier targets. So you get drive-bys and everything else. Where a DHS or a Citibank may not have to deal with those in the same way or they're certainly more equipped to.

Lisa: It's a large market so from an investment standpoint, it's 50 billion over the next few years. That's a very attractive market. But very few have figured it out. And it really gets down to the distribution.

Eric: Distribution of?

Lisa: How do you sell it? Do you sell it through MS, managed service providers, managed security service providers directly? No one has quite figured it out yet, but I think this whole concept of security in a box, one-stop shopping is critical.

Lisa: To your point, the ransomware, the other people who have taken notice about this is cyber insurance. Ransomware is the number one area that cyber insurers are addressing right now.

Eric: They're paying out? Because of payouts?

Lisa: Yes.

Rachael: Although people shouldn't pay out, that's a whole other conversation. You want to talk to the Department of Treasury.

Eric: Should they, should they not?

Rachael: It's a decision calculus.

Lisa: Well, look what happened with NotPetya back in 2017. Insurers didn't pay out on that. They declared that an act of war and they did not pay out on that.

Rachael: How do they delineate and how do they determine? Attribution is very difficult as we know. So maybe one big one you can kind of make a guess.

How Can Cyber Moonshot Determine an Act of War

Rachael: But by and large how could something like that be sustainable in determining an act of war? Nation-state versus just some guy trying to see what he can do.

Lisa: It's an interesting development on the insurer side of the house. At some point, you will see sort of like that automotive insurance. If you drive a certain way, you will get a discount.

Lisa: Fast forward in cyber insurance, you will see something similar. If you've got a cybersecurity risk management profile, if you've taken cyber resiliency seriously, you've put certain practices in place, I could see that evolving.

Eric: So Petya was discovered in March of 2016. Then new variants came out in June of 2017 right after WannaCry. It was a double whammy that year.

Lisa: So we weren't that off.

Eric: No, you were dead on. You were talking about the 3,500 companies before you went into the three areas you look to invest in. Or the categories I should say. How do you even count them? Who's even counting? I had a vice president I worked with. This was probably '13. Said, "There are more than 4,000 companies in cybersecurity and the industry is unprofitable." I remember at the time saying, "How are you counting that? Who's actually even counting those things? And who's determining profitability?" I trust your information though. How do you do it?

Lisa: You've got a host of firms that do databases. So just like there is on the Fortune 500. There are databases that log how many companies are in this from a private equity and a venture capital.

Eric: So like codes and things like that?

The Industry Shifts

Lisa: Correct. Then we've got our own ways to verify that there are roughly that amount of companies. Every single time you go to a conference you can see who's not new. Who's already been there for the X amount of years prior. For such a vast amount of money invested in this space, it's a pretty small community.

Eric: You're constantly hearing about employees that are going to a new place and the industry shifts. It's a really small community, but there are 3,500 companies. If you think back to your experience with technology, any other industry you can think of that is disaggregated?

Eric: Disjointed? I don't know what the dis- word is here, but can you think of anything similar? Even the dot-com bubble back in the late '90s and everything was totally different.

Lisa: No. But even that was very concentrated and the ecosystem of telecommunications, suppliers to them. That was still I think pretty consolidated compared to these. To your point, it is fragmented.

Lisa: Depending on what analyst you look at, you've got roughly six to eight industry verticals that represent cybersecurity. Everything from mobility, cloud, endpoint, perimeter, threat intelligence. The reality is that 3,500 to your point, it's a noisy space.

Eric: So why is that?

Lisa: From an investor standpoint, you've got to be really good at picking winners. Which goes back to your earlier question, what makes good? You've got to have those theses, you've got to understand how to commercialize.

Lisa: If you understand that process, you have a better understanding of what it takes for these, in particular early-stage companies, to grow, later stages to get profitable, what those exits look like.

Why Do We Accept Losers

Eric: Why do we accept so many losers? Is it such an innovative space and dynamic that they're just allowed to persist? That's got to be the hardest thing for you and your firm to figure out. Like "Where do we place our bets?" There are so many people in the market.

Lisa: Well, we've been blessed, we've got a strong operating team, strong national security team. We've got a great Wall Street team, so we've got a nice trifecta there. We think we're pretty good at picking winners, and we've seen some testament of that over the last while. But to your point, there's a lot of noise and you've got to break through the noise.

Lisa: So it goes back to the fundamentals. You want to try and find the white space. We don't need more firewall companies, we have a lot of stuff. You've also got an environment where you speak to your customers. Those customers on the enterprise side have more than 50 to 60 cybersecurity vendors already in their environment.

Lisa: So that whole "How can I help you?" gets a little challenging. It goes back to the thesis. You better have a pervasive problem that you're solving for and that someone will pay for it.

Eric: We are seeing disruption in the automotive industry. We're seeing manufacturing come back to the States with Tesla and Rivian and Lucid now. There's a host of them that are really revolutionizing.

Lisa: Great looking car.

Eric: How many people bet against Tesla over the last decade? Think about the revolution in the automotive industry. Do you see that coming into cyber at some point? I’d like to see that. The industry needs it. Our customers need it.

The Cyber Moonshot Is Horizontal

Lisa: You're making a really interesting point, but I kind of turn it on its head. You are highlighting the fact that cybersecurity is horizontal. So what you just described in my brain is that you see automotive, which is a platform. Their need to put cybersecurity into their platform for all the reasons we spoke about earlier.

Lisa: Ransomware attacks, driving, now autonomous. Tesla is basically computers with a battery and all good looking, but still, all software. Cybersecurity must be addressed because it's life-threatening. We've moved over the last 15, 20 years from financial, reputational. Now we're in life-threatening scenarios. It dramatically changed.

Lisa: The same thing as you're saying, manufacturing. Manufacturing may be moving, may be changing, but the requirement for cybersecurity to be built from the beginning, designed from the beginning, versus bolted on, needs to change. That takes life cycles to do.

Eric: We've talked about that a lot. What I was saying was that the move from internal combustion engine to electric being a big shift in the automotive industry. Really, company-level shift. We've got companies now that are massive that didn't exist 20 years ago. They weren't threats, they weren't anything.

Eric: Do you see a similar shift in cyber where we are focused on the malware coming in? We've been perimeter-based, now we're going to support the cloud. But it's been evolutionary improvements at a slower pace than the evolution of adversarial attacks.

Eric: Do you see a momentum shift or some kind of massive shift like internal combustion to electric? Do you see the same thing in cyber? Like built-in maybe. Someone's going to figure it out built-in in the future. I don't know the answer.

The Cyber Moonshot Is Not an IT Issue

Lisa: One aspect is security design from the beginning. But the other kind of more recent that I've seen is the boards and C-suites understanding and recognizing and taking much more seriously that cybersecurity is not an IT issue. It's a business issue.

Lisa: In some places, that has trickled down, in other places, I still see that it has to happen. I'm encouraged by that especially in large enterprises. It starts from the top and leadership has to recognize that frankly, this could be a differentiation.

Rachael: I think a lot of people forget about it.

Lisa: Versus being defensive about it. It should be a differentiation that you've invested whatever you've invested. That you've turned your offering, your value proposition with the customer in mind. The customer in mind wants to be protected, wants to be resilient. So if you're able to leverage that, you have differentiation and probably a sustainable one.

Rachael: You're more about people specifically putting a cyber person on their board. I've been hearing about it more and more, and that's the debate. Do you have just a cyber person or does it become everyone's responsibility on the board to know cyber? How do you approach this kind of thing?

Lisa: It's kind of my view when they say, well, it's an IT person. Well, no. Everyone in IT needs to be a security person now. You can't have this, that's an IT person and that's a security person. No, that's really not going to work anymore. I say the same thing at the board. The board needs to be at some level cybersecurity knowledgeable.

Eric: Now, they may have somebody who really has a deep background.

It Pays Off to Be Cyber Aware

Eric: We turn to Sara because Sara came from the industry and can render opinions that are trusted. But I agree with you. Everybody has to be financially knowledgeable so they can understand a balance sheet as the board is communicating. I think cyber's similar to that.

Rachael: You become accountable too. If there's an attack, they can also become accountable in any kind of class-action lawsuit or what have you. It pays off to be cyber aware.

Lisa: The reality is, you guys know and many in our community know, it's not a matter of if. It's a matter of when you are attacked. What is your posture? It reminds me of when you have children. I used to go through, "Okay, if the fire alarm goes off, this is what you do."

Lisa: You have the plan, you practice the plan. The same thing goes with cybersecurity, especially when you're pivoting from cybersecurity to resiliency. Can you predict? Are you going to practice it? Is it a priority?

Eric: You spend a lot of time on the small-medium business side. A lot of attacks hit them. They're different, they're less prepared. Why is that? What do you see there? Why is that interesting to you?

Lisa: Small doesn't equate to not valuable. In the US for so many years, folks thought, "Well, that's a small company. There's no value there. Oh, it's not a Fortune 500 company." But I can give you plenty of examples of small companies, family offices for instance. People with high net worth who have very small amounts of employees. Usually less than 10, but the value that they have is highly attractive to bad people.

Why Private Equity Firms Get Attacked

Lisa: Private equity firms were in this last year attacked 240% more than the previous year. Why is that? Because every single time a private equity firm puts out a press release that they've just invested in a company, that says to the hacker, "Wow. If those guys did all that due diligence and think there's value there, we're going to go there. So they must have some intellectual property or something that must be worth something." Private equity firms by and large are pretty small compared to a Fortune 500, but it's the value. So very attractive parts.

Eric: But they don't have the capabilities of a large firm.

Lisa: Many don't.

Eric: They probably have one person who's part-time on cybersecurity. Or an IT fellow. A guy or a girl who takes care of their computers.

Eric: Call up Rachael. She can fix it. Oh, she's on vacation. Well, she'll get to it next week. Don't worry about it.

Lisa: Or putting something into the cloud. "I think we're secure now."

Eric: That's an area where the cloud has been huge in helping these smaller firms accelerate from a velocity perspective. Take on protections. I do question whether the IT administrator, the person maybe understands some of the option services capabilities to take advantage of them. But Microsoft and Amazon have done a pretty good job in some ways of providing capabilities to the masses. At least from what I've seen.

Lisa: They've also enabled managed services providers. Many of these small companies look to a managed service provider. Who may or may not have security as one of their value propositions, but that's evolving as well. They’re helping those companies put stuff into the cloud.

The Cyber Moonshot Certification Process

Lisa: Eric, for your space, get CMMC certified. There you've got, what, 300,000 federal contractors. Everything from mom-and-pops if you will to the biggest of the DIB, Defense Industrial Base, moving into CMMC. Well, getting assessed in CMMC has been an eye-opener for many companies. Let alone the certification process.

Eric: Imagine if you're selling tractors or trucks or something to the federal government. You probably don't know a whole lot about cybersecurity. You'd love to just outsource that I suspect. I'd outsource all of IT, quite frankly. Just if there were options available.

Lisa: You think, "Well, I only have like, what, four systems? I got payroll. Oh, no problem. I can take care of that." If you want to get further into the stack of certification in CMMC, that's a whole different kettle of fish.

Eric: But I don't know that they have great options today to outsource IT.

Lisa: It's evolving.

Eric: But I'm not sure I'd know where to go.

Lisa: There are 30,000-plus managed-service providers in this country. A host of those do security really well. More are going to do security really well. You go back to the market opportunity. You've got 50 billion in cybersecurity just targeted to SMB over the next few years. That's a big chunk of change.

Eric: Yes, and some businesses want it. Rachael and I have been in this business a long time, Lisa. You've definitely got that macro perspective. Where do we go next? Career-wise, what's going to move the needle in cybersecurity? Where's the next field? Is it quantum as you talked about earlier? Where should we be looking to go to help our customers?

Cyber Moonshot Risk Management Profile

Lisa: There are a couple of things you have to think about. So from a customer standpoint, you want to be filling. Many have your cybersecurity architecture stack. You want to have a cybersecurity risk management profile. You need to have whatever it's taken for you to have that and to be confident about it.

Lisa: You're going to have an ongoing assessment on how well that is performing for you like quarterly. Whether it's red teaming, whatever testing you guys are doing, you need to continue to do that. From a technology standpoint, there's going to be a host of technologies.

Lisa: We've talked about a few, there's more. There are generative adversarial networks that are part of our artificial intelligence but at a deep learning method. But many of these are in their early stages. They're moving from research and development, academic. Moving to hopefully commercial technologies in a shorter time than none.

Lisa: But the country is behind. We almost need a go-to-the-moon type of initiative because whether it's quantum, AI, forget about 5G. Let's go 6G, we're not in a position that makes us the most competitive.

Eric: We're not structurally set up to do that. Other than the government, who would drive us on that moonshot you referred to? Who would bring the nation together to get us there? Whether it is 5G, quantum or whatever?

Lisa: Well, that's really interesting. I was really encouraged by last year's Cyberspace Solarium Commission report which was bipartisan. I'm really hoping that Congress acts on a whole host of those recommendations.

Lisa: You just had the recent national artificial intelligence led by Eric Schmidt, a former Google. Which gave a host somewhat like the Solarium report on artificial intelligence.

We Are Siloed In so Many Areas

Lisa: I almost equate it to curing cancer. We are so ahead in so many areas but we're also siloed in so many areas.

Eric: I was going to say, we're very fragmented.

Lisa: You've got to bring those together because the more you can harness, the easier it will be to get ahead.

Eric: Is that not a goal, a requirement of the federal government? Right now I feel industry is taking the lead in most areas, but they're doing it for profit, for gain. Who brings everybody together from an industry perspective? Say, "This is how and where we're going to go?" That happened in the '60s with the Apollo and Mercury programs.

Lisa: I've heard a lot of dialogue about that. We talk about public and private partnerships all the time. We've been speaking about them for years. We probably could show examples of success and then a whole bunch of not. But it has to be actionable.

Lisa: I don't see how you get to any of what the Commission said on both AI and cyberspace without having a robust public-private partnership. But it has to be actionable. There's got to be accountability. It's not just information sharing as we've seen it before.

Eric: I've been involved on the information-sharing side. It's like, "Here's what I have. What do you have?" We've all got the same stuff. It's mislabeled. They get 40 copies of it. It's like, okay, but nobody's driving. Why are we doing this? What are we trying to accomplish? I think that you mentioned the Solarium.

Lisa: What are the milestones? What's it going to cost us to do that? What have we solved for?

The Perfect Weapon For Cyber Moonshot

Eric: Who's in charge? I look back to the Solarium Commission report. It opens up with it, which is actually a segment from the end of P. W. Singer's book. The Perfect Weapon. It's like this staffer who's looking back on what happened.

Eric: We didn't do anything. I think about that and you look at the Solarium Commission report. You could reprint it this year, put 2021 on it. I'm not sure that we've moved the needle.

Lisa: The good news, bad news about the pandemic is I've read a lot of books. There are almost 50 books. I had to put some chick-lit books in there too. I won't talk about those books, but just kind of our cybersecurity book, besides Sanger's book and then you had Nicole Perlroth’s new book.

Eric: It's great. We're going to get her on the show.

Eric: We had Sanger on the show. He's brilliant.

Lisa: They both have been involved with this for so many years and This Is How They Tell Me the World Will End. If you're not, if you haven't been in cybersecurity, she was sharing stories. I'm like, "Oh boy, I remember that." There are so many of us who have been in it for so long.

Eric: Where I didn't have that perspective at that time, but I know what was going on there. It's like the pieces are coming together.

Lisa: The individuals, and the parties, and the conferences, and the stuff that was happening. I'm so glad she wrote it. So glad she wrote it.

Eric: Who's going to do something about it? I have a new book for you to read and it's called Think Again by Adam Grant.

The Approach We Need With Proper Leadership in Cyber Moonshot

Eric: If you read it from the perspective of skip life for a second, but cybersecurity and you just allow yourself to look at the problem, open up your mind. That's what I love about this podcast. We meet so many fascinating people with different perspectives.

Eric: We learn so much. He talks about that in the book. Not in the construct of a cybersecurity background, but it is fascinating. That's the approach we need with proper leadership in cybersecurity to fix the problems we have.

Lisa: It's almost like running a company. You need management, you need to understand where you're going, do you have a solution. You're going to do milestones, and KPIs, and all that stuff to say, "Okay, were we successful? Are we being successful?"

Eric: We're running a poorly run company right now.

Lisa: We're giving a lot of lip service to it and I would put the cyber experts in this country against any in the world. I've been blessed to work with many of them and both from military to civilian to the intel to commercial to Silicon Valley. There are some enormously big brains and a lot of people who want to do the right thing. But we got to get at it.

Eric: But to your analogy, we have great employees. We need to lead them with a proper vision and structure to success for this organization.

We Can Solve Many Important Things In Cyber Moonshot

Lisa: So far, our Glassdoor ratings are not very good.

Rachael: Big problems. I know. With no clear answers. That could be like a whole other discussion.

Lisa: But the thing is we actually, this country does really well with big problems. Sometimes we don't do emergencies really well a la pandemic, but we do think really well. If we got that mindset going, we could solve many important things in cybersecurity.

Eric: We'll probably know it if you read Think Again because it's a pretty good read.

Lisa: I will. Let me know when you're having the call.

Rachael: Absolutely. Thank you so much, Lisa, for joining us today. This has been an awesome conversation.

Eric: Lisa, you really opened my mind. I appreciate it.

Rachael: So with that, we'll close today's podcast. Be sure to subscribe. We can come straight to your inbox every week. Until next time, take care.

About Our Guest

Lisa Donnan - Option3 Ventures

In the wake of cyber warfare, Lisa Donnan is at the forefront of successfully commercializing innovative and disruptive technologies, launching new businesses and markets in the public and private sectors. Lisa is a world-class operations executive with over 25 years of expertise in National Security and Commercial markets.

She is a recognized thought leader in cybersecurity, artificial intelligence, and social media data analytics. Lisa is currently an Operating Partner at Option 3 Ventures, LLC, a cybersecurity private equity firm that focuses on the intersection of information security and national security, with specific expertise and experience in companies coming out of the U.S. Intelligence Community.

Lisa serves as Chairman of the Volgenau School of Engineering Board of Directors at George Mason University. She also serves on the National Defense Industrial Association Board of Directors.