Ron Gula is the President of Gula Tech Adventures, a cybersecurity investment fund he founded with his wife Cyndi. Before launching Gula Tech Adventures, Ron served as CEO of Tenable Network Security, an organization that helps others address their digital vulnerabilities and reduce their cybersecurity risk. Ron first developed his cybersecurity expertise during his time at the National Security Administration. He transitioned to a career in the private sector after meeting Cyndi, who has frequently acted as his business partner throughout the Gulas’ numerous ventures.
EDWIN WARFIELD: Tell us about your career. How did you get started in cybersecurity?
RON GULA: When I first came to Maryland, I was in the United States Air Force. I was stationed at the National Security Agency in the mid-90s, and I was part of a group called The Pit—that was our informal name for them—that got to do network penetration testing. We just call it cybersecurity these days. I got to see a lot of failures and successes in what works and what doesn’t work with computer security. Even today, in 2017, all those experiences I had at the NSA are really influencing how I think about cloud, how I think about product solutions, but most importantly, how we think about working with each other as human beings.
In 2002, I had just come off of selling my previous company, Network Security Wizards, which my wife and I had sold to Enterasys Networks. While we were there, we met Jack Huffard, and we joked a couple of times about starting a company. He was in the area and we actually had a great idea to do something that was proactive in cybersecurity rather than reactive—waiting for people to get to attack you. We formed Tenable Network Security. Renaud Deraison, who was the author and architect of the Nessus open-source vulnerability scanner, joined us as a founder, and we launched Tenable with a lot of really interesting opportunities at that time.
In 2002, the Slammer Worm had occurred already—people had that—and e-commerce was happening, but the cloud had burst at that point. Anybody who was involved in IT and hi-tech didn’t think of terms like cloud and compliance. There were no nation state actors on the news every night. But IT was a real thing. It was moving from the basement to the boardroom, and people were more and more concerned about security. When we started Tenable, many of the same facets that we talk about today were true in 2002: know what’s on your network, know how you can be attacked, and since you can’t fix everything, what’s the most important thing that you fix today? Back in 2002 we called it “vulnerability management;” today we call it cyber exposure.
Q. Can you give us some insight into how that works at Tenable? What’s different in what your company offered?
A. I’d like to explain what Tenable does as sort of like a Fitbit for cybersecurity. When you go to the doctor, and you get a checkup, you get a comprehensive health audit. You probably get that once a year, but every day you’re doing things that could impact your health. In IT and cybersecurity, it’s the same thing. You could have an audit, you can have a penetration test, and you could say, “wow, there’s a lot of things we need to fix,” but unless you have the culture of being secure, not doing practices that are going to get you drive-by malware or drive-by downloads, you’re going to have a hard time staying secure. People who wear a Fitbit walk more. People who wear a Fitbit sleep more. Well, people who have continuous network monitoring or cyber exposure, they have the ability to instantly see what’s wrong with their network and reduce things like dwell time for compromised devices. There are lots of studies out there that say when you’re broken into, not only is the device that’s broken into compromised for months on end, but it was probably in that state of being vulnerable for months before that. Cyber exposure, Fitbit for cybersecurity, are all ways to shorten that gap and keep hackers off of your network.
Tenable offers three different technologies today. We have the Nessus vulnerability scanner, we have Tenable.io, and we have SecurityCenter. Now, it used to be that we just had Nessus and SecurityCenter. Nessus is something that you could put on your laptop, plug into the network, do a scan, and get a list of all your vulnerabilities—very point in time, really good for auditors, really good for incident response and vulnerability testers. SecurityCenter was more of our permanent offering where you could basically deploy a management console, deploy multiple scanners, because some of our customers had networks all over the world. And you could also ingest packet data and log data and control it from one point called SecurityCenter.
We were very successful with this approach because not everybody needs a permanent dedicated solution, especially if you’re a consultant. But with the onset of the cloud, and more specifically cloud computing—where you have Amazon, where you have Google Cloud, where you have the ability to have your perimeter computer still be in somebody else’s cloud network—we wanted to have a solution that was cloud-first, and this is what Tenable.io is. It has a lot of the same things you’d recognize, such as being able to schedule a scan, being able to get certain types of compliance reports and audits, but there’s no software that you have to download and install on your network. You could run everything 100 percent far away, so it’s truly a SaaS offer. More importantly, the Tenable.io platform was built in a DevOps, cloud-first manner, so we’re speaking the same language as a lot of our customers who were doing cutting edge mobile application and web page development.