Cyber Thoughts

EP 13: Ross Haleliuk

Episode Summary

In this episode of CyberThoughts, host Lucas Nelson speaks with Ross Haleliuk, author of "Cyber for Builders" and a cybersecurity founder. Haleliuk discusses his journey into cybersecurity and why he views it as a horizontal, rather than a vertical, market. He introduces the concept of cybersecurity as a "market for silver bullets," where neither buyers nor sellers can guarantee a product's future efficacy, and explains why this, combined with high switching costs, makes market entry for new companies extremely challenging, despite the hype around new technologies like AI.

Episode Transcription

Lucas Nelson

Hi, welcome to Cyber Thoughts, the podcast where we explore the market of cybersecurity through leaders in the field. Today is my great pleasure to welcome my friend Ross Haleliuk. Did I say that correct, Ross? Your name is a little difficult for me.

Ross Haleliuk

You did say that correctly, yes.

Lucas Nelson

Nailed it. Awesome. Ross is an author and a founder. He's currently doing a stealth startup and he's the author of the book, Cyber for Builders. So it is my pleasure to have you today. Ross, why don't we start a little bit with your background? You've got a tough name for me to say and a little bit of an accent. You know, where do you come from and how did you find yourself here?

Ross Haleliuk

Yes, so I come from a faraway land that is all over the news these days. I was born and raised in... Well, I come from two faraway lands that are both all over the news today. So I was born and raised in Ukraine and about 11 years ago, I moved to Canada, lived in Canada for just about a decade and then ended up moving to San Francisco and now I'm based here.

Career wise, started in, like I studied history and political science, so absolutely nothing related to anything I'm doing today. And when I moved to Canada, I transitioned into business analysis and project management. So I started on that end. I started within the e-commerce, retail space, wholesale, moved into product, and worked in financial technology for a number of years. I was quite excited about the fintech space.

And then I became passionate about cybersecurity and ended up pivoting my career into cyber. Fell in love with the industry, like absolutely enjoying every single bit of it and ever since been in security.

Lucas Nelson

Awesome. So you first came on my radar when you were working at a company I've invested in, LimaCharlie, but you really started blogging a ton about the cybersecurity industry and investment in it. Like what led you to become kind of a VC whisperer?

On LinkedIn, if nothing else, and an influencer.

Ross Haleliuk

Yeah, it is an interesting question. See, I kind of see it a bit differently. And the background story here is that I remember when I ended up in cybersecurity, what I very quickly came to realize was that there was at the time a ton of fantastic, incredible blogs and sources around the technical side of security.

But there was relatively little about the business side of security. I mean, Mike Privette was already starting to do a Return on Security. And I think that was really just about it, or at least it was the only thing that I could remember. And so for me, working in product, I really needed to understand the ins and outs of the go-to-market strategies of how do different companies make procurement decisions.

How do different companies go to market? What kind of mistakes people make and what are some of the things to avoid and so on and so forth. And I was essentially working really hard to piece all of those bits of knowledge myself. And when I did, I came to realize that if it took me like many months and then probably like well over a year to understand the business fundamentals of the industry, there's probably somebody else who is like me and who is trying to get all of that stuff together on their own.

And the least I can do is to share some of the learnings that I've had. And so I did, I wrote an article and several people reached out saying, hey, that was useful. And to which I said, well, cool, I guess I'll do another one. And then I did another one, then one more after that. The initial angle was around product management, product-led growth, go to market.

Then it expanded and started encompassing a lot of like a lot of the, you know, the sales aspects and marketing aspects. And naturally one step after another, you kind of get into the VC space because really when you think about the business of security, you start thinking about distributors. You think about channel partners. And if you think about venture, you think about, you know, media, you think about the kind of players that an hour security practitioner doesn't really have any reasons really to pay attention to.

So VC is certainly like one aspect of it, but there is much more that I talk about that has nothing to do with venture. In fact, it may sometimes be interpreted as anti-venture, if anything.

Lucas Nelson

Fair enough. So that led you to your book. Let's get a plug in for the book. Tell us about Cyber for Builders.

Ross Haleliuk

Yeah, again, it wasn't me waking up one day and saying, you know, what's missing in my life is a book and I'm going to write one. No, it was really an evolution whereby one day I woke up and I came to realize that I already have like one third of the book written and I just need to finish it.

So about probably two and a half or three years into writing the blog and really doing it weekly, I realized that I have accumulated a ton of materials and it would be a waste to not try and combine it all together and do it in a way that is easy to digest and may be helpful for people. The other bit that I realized is that, when you write a blog, what ends up happening, and I'm sure you, I think you can relate to it, knowing that you also have a fantastic blog, which I read on a monthly basis.

When you write a blog, eventually, all the knowledge and all the posts that you've accumulated over the years just become forgotten because when you subscribe to a new blog, you never go into the history of it and say, hey, is there anything interesting I can check out from two years ago? It just never happens. Then all the good work that was done before you subscribe gets lost.

But more importantly, on a weekly basis or bi-weekly basis or whatever cadence you write your blog on, most people have so much stuff in their inboxes that whenever I send my yet another issue of the blog, it just gets lost. And I know that because, look, I am personally subscribed to, I don't know, 100 different newsletters. I just like so far, well, I've been actively unsubscribing from the vast majority, but the ones that are still there, it's just, okay, what's the title? No, not today. Click delete, click delete. I just don't have the time.

And when you're writing a blog, you're competing with people for their attention or you're competing for people's attention with every single other email that they're getting into their inbox. So a book, on the other hand, is something that we allocate a different time budget to. If you buy a book or if you get a copy of the book, you're not reading a book, so you will, you will, it will sit on your desk or it will sit on, you know, on the side table and every once every now and then you will open the book, you will spend an hour on it, you will close the book and until you finish, obviously, unless it's so bad that you're never going to finish it. But the point is that book, like the time people allocate to read the book comes from a different budget. And so if you want...

Lucas Nelson

Yeah.

Ross Haleliuk

...to get people to actually pay attention to something you're doing for several hours, the blog is not going to cut it because the moment you're in a blog, you're, okay, right, what was it? What was it I meant to buy on Amazon? Then you've wandered off to Amazon and now you've forgotten what you were doing. There's a book. It's a very different story. So it was, it was partly a pragmatic decision to say, Hey, I've done all of that work. I really don't want it to go to waste. I want people to benefit from it.

Partly it was me saying, you... there's already one third of the book written. Might as well just finish it. And partly I had several people just asking all kinds of questions. I said, you know what? I have no time to answer it. I'm just going to go write it once. And if you're interested, 25 bucks on Amazon, it's there.

Lucas Nelson

Awesome. All right. So let's pivot into the world of cybersecurity. You've got this idea that I like a lot, partially because I've said it before myself, but I think you've said it eloquently. Why is it you view cybersecurity as horizontal rather than a vertical? Let's start there, the basis.

Ross Haleliuk

Yeah. So I think at the fundamental level, the way I think of cybersecurity is I think of security as a property of everything around us, particularly a property of software. To my mind, cybersecurity is very similar to the concept of quality. If you write software, you want the software to be performant. You want the software to be bug free, to be... concise and so on and so forth, easy to manage and you want it to be secure.

So in the context of software, security is a yet another property of quality. In the same way, like I think of security when I, like if we take, if we take many, many steps back, security is a cross-industry, cross-technology and cross-customer need. So what does that mean? Well, it means that whether you're in manufacturing or in finance or in education or in any other industry, you need to think about security.

Whether you are building AI bots, whether you're working on machine learning or whether you're designing some IoT devices, you need to think about security. So technology agnostic. And whether we are talking about SMBs, individuals, large enterprises, you need to think about security. Now, not everybody does, but at the very fundamental level, you should.

And so this cross-industry, cross-technology and cross-customer aspect of security just makes it so that it's not really, security isn't really a separate functionality that something needs to interact with. It's just a fundamental aspect of what everything is and hence why it is horizontal. It is not a vertical.

Lucas Nelson

So you have this nice section on the security market and what did you call it? Silver bullet markets versus lemon markets. You wanna explain that entire, I really liked this one.

Ross Haleliuk

Yes, so I think it was in 2008 that Ian Grigg, a researcher, wrote an article titled The Market for Silver Bullets. And then probably a year before or a year after, there was another article written by somebody else on the topic that cybersecurity is a market for lemons. And what the article about security being market for lemons argued was that in a market...

Essentially, there are four types of markets as defined by access to information and the party that's involved. If the seller knows as much information about the product as the buyer, that's a regular efficient goods market. Like when you're buying a pen or you're buying a hat, you can touch it, you can test it, you know exactly how it works. Now, if the buyer has the information, but the seller doesn't, it's a market for limes.

And an example of that would be a cyber insurer or not necessarily cyber, but insurance market in general. If I go to buy an insurance policy, I, and let's just say it's a travel insurance policy. I know very well what my plans are for that trip. The insurance company doesn't. So when I buy an insurance, they will ask me, are you planning to engage in this type of activity in this other type of activity? I may say, no, I'm just there, you know, to read the book on the, on, on the beach.

But I have the actual information about my plans. And for that reason, I may be able to essentially trick an insurance company into insuring me for something that I can predict is going to happen or is likely to happen. Now, if the buyer lacks the information about the good they're buying, but the seller has that information, then that is defined as market for lemons.

And that is very... traditional example of the car market or like used car market, right? You have no idea what this Mercedes has been through. You have no idea what is waiting for you, like, you three months after you buy it, but the seller has a very good idea. It's just they're not really incentivized to disclose it to you.

Now, the argument has historically been that cybersecurity is the market for lemons, meaning as a buyer, as a security leader, when I talk to a security vendor, the assumption has always been that the security vendor knows where their product is going to work and in which areas it won't work, but they have no reason to disclose it to the buyer. And so when the CISO ends up on the RSA floor, like every single vendor is promising things that they can never deliver and they know that they can never deliver them. So we often talk about this imbalance, like this inefficiency, where CISOs don't know what's happening, but vendors do.

And so what this essay by Ian Grigg was talking about is that in reality, security is not a market for lemons because in the market for lemons, the seller has to have the information about what they're selling. Cybersecurity on the other hand, is a different type of good. Is the type of a good when neither the buyer nor the seller has any information about what it is that they're buying or selling. And exactly.

Lucas Nelson

Everybody's ignorant.

Ross Haleliuk

And so, POCs only reveal a very small amount of the functionality that products offer. And what's tested when the product is being evaluated through the POC is not the efficacy of the product, but it's really the operational burden that this product is going to introduce. Like for example, if you are evaluating an endpoint security vendor, and let's just say you're looking at five of them.

You can obviously run some basic tests. You can deploy it in your home lab. You can, you know, you can see if you can spot some very, very obvious differences. But the reality, the fact of the matter is that tomorrow when the new attack type is going to, is going to appear, you have absolutely no idea which of those tools will be able to catch it and which won't. And so that is really the essence of the, of the market for silver bullets.

And the important part is that it's not just the CISO that doesn't know which product is going to work and which won't, it's also the vendor that will never be able to say with certainty that their product will be able to protect the customer against the future attacks or maybe against something that attackers will devise tomorrow as a way to get into the customer environment. And so that's really at the core, the definition of the market for silver bullets is that we are selling and buying things, but neither of us actually knows if they're going to work.

Lucas Nelson

So you're starting a new venture, but let's not talk about your new venture in specific, new ventures in general. If you're thinking about where do I want to play when I start a new cybersecurity company? How do you look at the market? How do you say, you know, this seems like a rich kind of vein to mine and I'm going to let that one sit. Like how do you view that?

Ross Haleliuk

Yeah, I mean, look, I don't think there is an easy answer. I absolutely don't. We spent so much time going through customer interviews and discovery calls and our additional research trying to understand where there could be an opportunity to innovate. I will say that at a very fundamental level, I think in my view, the state of cybersecurity today is such that there is not an obvious or there is not an open space when you can go and do something. It just does not exist. It simply doesn't.

I remember when we would look at the problem area, we would say, this could be it. This could be a wedge. And then I would message a few friends and I would be like, hey, have you seen anything like this? And they're like, yeah, there are like four startups in stealth that are building it right now. And it's obviously not a bad thing. It's great when there are companies going after the same problems or taking similar approaches because that is at the end what creates a market.

But the part that matters is that there is no open opportunity out there. Like the market is oversaturated with different solutions. Now, it also does not mean that there is no opportunity. What it comes down to is that when you go out and you say, hey, what should I build? I think the answer is you should build a thing that you have a very strong perspective on and you have experience in building.

Because what ends up happening is the moment you are starting something new, if the market is not at all mature or if it's not at all competitive, then you can take a problem that is, whether it's well understood or not, it doesn't really matter, but you can take a problem and you can take time figuring out what is the best way to tackle it. You can take time playing with different ways to approach it. You can build a prototype, invalidate it, scrap it, do something else, but still in the same problem space. Like you have the luxury of having that time.

If you look at the cybersecurity space, the market is so, so, so, so, so competitive that the moment you're starting on some path, there is like 16 other teams that are pursuing the same path. Now it's not the fact that they're pursuing the same path is not neither good nor bad. It's just the fact.

But what matters is that in order for you to be able to compete, you need to be able, like you don't have the right or the time to make too many mistakes. Like you have to know what it is that you're doing. And obviously you have to do the customer discovery. You have to make sure that there is the market that's willing to pay for it and so on and so forth. But also you need to have the team. You need to have the co-founder. You need to have the technical talent and the experience to build quickly, to iterate quickly, and you don't have the luxury of being able to go out and taking your time and trying to learn.

So that's really what I think about it. Everything else is still important, but it's secondary. So if you are looking at the founding team that has experience in cloud security, yes, cloud security market is incredibly competitive. But guess what? They already have a head start. If they've built cloud security solutions before, they know what works, they know what doesn't. They've accumulated that knowledge.

And so if they're starting out something new today, they're going to be able to easily out-compete almost anybody that has experience, for example, in email security, but no experience in cloud security. So it's not enough in this day and age to just go out and be like, yes, this is our saying that... there is an opportunity in, in email and the existing solutions are not great because if you don't have the experience building in that space, if you don't know what you're going to be dealing with, you, you will just be much slower than everybody else. And if you are the only player in the market, great, you're probably not, not in 2025. And so you have to go with what you know.

Lucas Nelson

So I've often thought that one of the nice parts about for me investing in cybersecurity, but building in it is you can definitely see where the puck is going when it comes to new technology. Right? So the example we'll use cloud BC just used it for a long time. Now, everyone knew the cloud was going to be important, but most workloads weren't there. And so you had a time where there's no one buying products. So you could build kind of quietly.

You can argue that's sort of what Wiz might have done, right? Like they got in there early, played with it before it was an obvious need for every CISO. And by the time CISOs woke up to it, boom, there it is. Go ahead.

Ross Haleliuk

I see it differently. I actually see it differently because you see, I think this is a fantastic case study for so many different reasons, but in this specific context, in what year did this start?

Lucas Nelson

So what, I think they're seven years old, is that right? Five years old, okay. Yep.

Ross Haleliuk

They're five years old. So, so 2020, when did, when did AWS, well, when did Amazon launch AWS?

Lucas Nelson

Oh, so AWS is much older. I graduated in a business school in 09. So they'd already launched it in 09, maybe 10. And it was clear it was going to be big by let's say 12 or 13, right?

Ross Haleliuk

Yeah, but the thing itself, like I think it was 2003 or 2004 or 2005. So the point that I'm making is that it's taken 15 years and it wasn't just 15 years of nobody buying cloud security or nobody caring about cloud security. It was just a very, very slow burn. Where was it? There were two companies that Palo Alto ended up acquiring and merging them into Prisma Cloud or creating Prisma Cloud.

Lucas Nelson

Okay, so it's early on the side. Go ahead.

Ross Haleliuk

There was, I think, RedLock and...

Lucas Nelson

Oh, no, it was Twistlock and something had "red" in it. Yeah. Yep.

Ross Haleliuk

Correct. Yeah.

So, so, so then there were, I think Sysdig was, has been around for quite some time by then. And, and then there were a bunch of other sort of open source attempts at CSPM. And so it's the customer demand was there. It wasn't like a mass market at the time, but the demand was there. Customers understood that the problem was there. 

There were different attempts at solving that problem, some better than others. And it's taken 15 years from the emergence of the new quote unquote attack surface area to the time when somebody like Wiz could come in and there was already enough of the market understanding, enough of the market awareness, the attacks, like the types of attacks that would happen were already more or less understood.

And then on top of that, like let's look at things like the pandemic, like the pandemic came and even the customers that were talking that had cloud migration on their roadmap for maybe 2045 had no other choice but to actually start earlier. Then the Log4j happened and it just so happened that this was the only solution in the market that would actually answer the customer, help customer answer the question, where is Log4j environment in my environment? And then...

Lucas Nelson

Yeah.

Ross Haleliuk

...the founding team has previously built and then sold the company at like what half a billion dollars? So there were just blasts, like a fantastic investor support, like there's just so many factors that made this Wiz, but I wouldn't argue that like the market wasn't there and they were the first company. They were not.

Lucas Nelson

No, I didn't say they were the first company. I said you could figure out where the market was going, right? So look.

Ross Haleliuk

I don't know if you could, like I think in the hindsight, it's easy to say it, but in reality, like for example, today, where is the market going? Like, yeah.

Lucas Nelson

Sure.

There's some obvious answers, right? In my mind, IoT security and OT security are obvious places where I don't think we've got the Wiz for that space yet. Right? Armis might disagree with me about OT, but I'm going to argue that, like, no, that market's not sewn up, right? Like, you could launch something there. Now, it might not be the time yet, right? But you know where it's going.

Ross Haleliuk

But 100%.

Lucas Nelson

There will be another big company in IoT security, right? There just will be. I don't know when exactly it will happen, but I do like the fact versus, I don't know, social networks. I can't predict when a social network is gonna happen or what it's like. Those things just seem random to me, but I do like your thoughts on that. Let's see, let's ask a couple more. What's it like? Are some, along those lines, what are some industry trends that have you either interested, excited, or you think are overblown. Like take your pick there.

Ross Haleliuk

It's a tough one. Do you want to throw a few industry trends at me the way you see them and then we can talk?

Lucas Nelson

What?

Well, OK, let me throw the obvious industry trend at you. Sprinkle AI on anything and it's better. What do you think of that one?

Ross Haleliuk

Okay? 

Yeah, so I think if you talk to the buyers of security solutions, it very quickly becomes obvious that people get excited about AI, but they don't care about AI. And so what I mean by that, when you talk to a CISO, see, when you talk to a CISO and they say, you're doing something AI, tell me more, it doesn't actually mean that they're interested in AI. The way I think about it is that when I tell a CISO, hey, what do you think about this AI solution? In their mind, what's sitting there is that...

Lucas Nelson

It's provocative. I like that. Yeah.

Ross Haleliuk

...my God, I have tried to use this product or products in roughly this space for the past 10 years. There were always gaps in there. Like there was always something that didn't work, something where we needed to have like a ton of manual processes to just make it work and so on and so forth. So maybe now that there is this AI, the problems will suddenly go away and this tool will just work the way it was supposed to work. It's like when people say like, like agentic automation.

Like when I hear agentic automation, I close my eyes and I picture this CISO saying, my God, so does that mean that my SOC will finally work the way it was supposed to work from the beginning? So that's how I think about it. So people get excited when they hear the word AI, but they don't actually care about the AI. They care about the outcomes that that product is going to deliver. And so if you take that approach and if we agree that that perspective has the right to exist and it may be true. And if it is true, then...

Lucas Nelson

Okay.

Ross Haleliuk

What does AI solve for and what does AI not solve for? I mean, there is definitely going to be some amounts of like operational overhead or like some manual work that was there before and it won't be there now. And in some areas of security, I would say in high volume, high impact areas of security, that may make a big difference. When I say high volume, high impact, I mean stuff like SOC automation. I mean stuff like email security where you just have so many alerts, but if one of them...

If one of them is the alert that you should be paying attention to, you 100% want to pay attention to that alert. Like if one employee clicks on one link, bad things can happen. If one SOC alert will get missed, bad things can happen. Now, there are going to be areas where there is just a lot of manual work and manual toil. Like if you think about, for example, the identity and access management, there is a lot of the identity governance, like access reviews and so on and so forth, that can probably be streamlined and made better.

Now, the question here is, what is the size? What is the scope of that opportunity? What does the opportunity look like? And my take would be that in some areas, it's enough for you to be just a bit better than this other company. And because the switching costs are so low, the customer will try it and say, yeah, you know, this is better. I'll just go with this. But in many areas of security, the products get embedded so deeply that you cannot go after an incumbent just because you've got an AI agent in there.

And also, realistically speaking, a lot of the problems in security are just not going to be solved by throwing AI agents. Like if you think, for example, about endpoint security, you need to build an agent.

You need to go super deep into the infrastructure. You need to understand like how to piece together those events and how to, you know, how to build a broader picture of what's happening on my, on my endpoint. And which of those things are good, which of those things are bad. AI, AI bit maybe like a 1% of the value driver, but there is the other 99% that you have to go deep and build.

If you think about the identity and access management and for example, IGA solutions, everybody is talking about going after SailPoint, going after Saviynt. There is this like, my God, now may finally be the time. And then you talk to security leaders and you come to realize that if a security leader has invested like $15 million into just making that one of those existing solutions work, and they may hate that product, they may very well think like, my God, this is the worst product I've ever seen. Or they may not. Doesn't matter.

What matters is that just because they dislike a product doesn't mean that they will go to their CFO and say, hey, you know, this product that you've spent $15 million on, how about you replace it with something else? They're going to get fired immediately. And so the switching costs are just so high. The sunk costs are so high that people won't switch for the next decade. I think there is a lot of complexity.

And as far as the AI is concerned, like, look, it's a great technology. It will be able to solve some problems better. It will probably not be a fit for many of the other problems that it's being thrown on. But at the end of the day, just because something better exists doesn't mean that customers will switch.

Lucas Nelson

Okay. Where do you think, where do you think people are in the, it's easier to find a switching cost than that? Let me try it again. Hmm. There are certain times when upgrading becomes a natural way of going, right? So let's, let's argue or argue that as people moved to the cloud, they didn't bring their old security with them. They needed new tools and it was easy to say, Oh, because I'm moving in the cloud, I'm also going to relook at my whatever. Right. So where do you think that most of that movement has happened? Right. You, you, you nailed it, you know, 2021, 22, most of that movement has happened. Is there a spot you see, you know, coming up in the future? Like, yeah, as people migrate from this to that, there's going to be that open opportunity, or as people decide how to defend against this new type of attack, like, is there anything you see in the future that you're like, well, that seems like an exciting place to get out in front of.

Ross Haleliuk

I don't think I have a good answer. I do think that, by the way, just to comment on this, I think that optimistically, we would hope that people will make the change because there is some change happening in infrastructure. But if you look at the reality of the market, for example, people who had firewalls on-prem when the cloud came, they just wanted the same unified experience. They didn't suddenly go and start adopting the firewall offerings by the CSPs, they didn't also, like you didn't also see like a new type of firewall emerging that takes over the cloud firewalling needs.

It's the same Palo Alto, lifted and shifted to the cloud. It's the same, you know, Check Point. It's the same Fortinet. So I guess the point being is that people, again, there are new needs that are emerging and so on and so forth. But I think that...

Lucas Nelson

You don't think Zscaler got a lot of play because of that move or no?

Ross Haleliuk

No, 100%. See, for me, again, if you take a few steps back, I think that fundamentally there are only two types of trends or two types of drivers that actually force people to change. And this product is a bit better than this other product because it has AI is not one of them. So people are not gonna switch to AI enabled products just because they're 10 % better. It removes some work. They just won't.

Not en masse anyway, like some may. The only two drivers in security specifically are the shift, like a massive shift in infrastructure and the new attack vector or a new type of attacks that cannot be defended against this, the existing tool. Like if you look at, if you look at like some of the biggest companies out there, like Okta, Zscaler, CrowdStrike, Palo Alto, they're all just textbook, great textbook examples of that.

Like if you look at Okta, like shift in infrastructure was happening, right? Like the companies were moving to the cloud and cloud identity became a necessity. Now, the thing is that Okta started in 2009. At the time, the company struggled for a number of years. It was bad. Okta was not going well at all. And then in 2014, 2015, Microsoft started pushing its Microsoft 365.

And that's what created the why now for Okta. Because now as companies went on and Microsoft was and continues to be a powerful force, as companies went on to start adopting Microsoft solutions in the cloud, they also had a need to secure their identity in the cloud. And it just so happens that Microsoft at the time was not great in the cloud when it comes to their own cloud identity security solutions.

Zscaler is an interesting example too, right? When Zscaler started and put forward the vision that the enterprise security should not be based on perimeters, but instead should move away from the traditional perimeters and become based on the cloud native and zero trust architecture. When Zscaler put forward that vision, nobody believed in it either.

Ross Haleliuk

So Jay and Zscaler to me is actually an example of a company that won not because it was VC backed, but because it wasn't. Jay put 50 million of his own money into building Zscaler. He didn't raise a seed round, he didn't raise an A round. He spent 50 million of his own money to go out and build those points of presence around the world and establish the infrastructure that was needed. And it took time.

Like it took time, like Zscaler was founded in what, I think like 2008. And at the time the company was struggling. It's taken such a long time for it to get to the point where it was today. And so if it was a venture-backed company, it would have gone under way sooner than the cloud adoption en masse would have even started. But they were playing a long-term game. So yes, they anticipated the shift.

Lucas Nelson

That's right.

Ross Haleliuk

But for them, they had enough money to weather the absence of the customers believing in their vision because they knew that it's going to happen. So like if today, for example, you're thinking about some futuristic trends, you're then making a timing bet. Because yes, things are going to evolve. But if they evolve over the next three years, you'll probably have a venture-backed company. If they evolved over the next eight years, you probably don't. If you start today and the change happens like seven years from now, by like year three, you will be out of money. And if you have no traction, you will not be able to raise a follow-on round. Now, if you have 50 million of your own money to put into their company and let it grow and build towards the future, then you can most definitely pursue that vision.

If you look at CrowdStrike, for example, like for them, the driver was shifting the adversarial behavior, right? The founders saw that the existing endpoint solutions at the time, which were all signature-based, were no longer working and that something else was needed. And even for CrowdStrike, it was also not an overnight success, right? They built their own EDR solution. They still like, but it was only when they added their next-gen AV that the company actually started to get traction and grow as quickly as it's growing today. Before that, it was still like...

Lucas Nelson

Okay.

Ross Haleliuk

relatively modest. It's, I think like all of those big overnight successes, like they do happen because of some either shifts in shifts in infrastructure or shifts in adversarial behaviors. I don't know what infrastructure shifts are happening. I think if I did, I would probably be building towards that. It's typically hard to answer. I mean, you can have a perspective of what's happening, but you can never predict the timing.

Lucas Nelson

You've nailed it. I mean, to be fair, I think most companies are an overnight success after 10 years of hard work, right? I think Wiz is by far the standard of like, well, that doesn't happen in enterprise, right? Like you don't get to a billion dollar outcome in five years in enterprise. No, it takes you 10, 15. He's like, you need to lay a whole bunch of groundwork. And so like, I think they're the outlier rather than, you know, CrowdStrike or anybody else. Cool. So let me ask you two quick questions and we'll wrap it up. You talked about, you, you subscribe to a bunch of blogs. Like what's your favorite information source? What, you know, what do you read on a daily basis that keeps you smart?

Ross Haleliuk

I agree. Obviously, I wish I had a fantastic answer. So I obviously read the Lytical monthly blog.

Lucas Nelson

Aww, thank you.

Ross Haleliuk

Look, there isn't one specific source that I follow. I try to read books whenever I can. I like to read stuff that makes it easier for me to think about problems holistically and bite-sized pieces and articles and podcasts are not that. And so whenever possible, I'll read a book. It can be anything, a ton about...

Lucas Nelson

Okay. So what's the in the last 12 months? What's your favorite book you read?

Ross Haleliuk

Let's see, let's see, let's see. What are some of the useful books that I read?

I think that The Cold Start Problem is definitely one of them. So it's essentially, I can get the copy, but yes, it's a book about the challenges of bootstrapping a two-sided marketplace or like multi-sided marketplace. And if you think about Ubers, Lyfts and so on and so forth, like if you have more than one side, or let's just say you have a marketplace for, I don't know, CISOs and buyers, CISOs and vendors, or anything else.

Like how do you incentivize those interactions? Which of those sides do you attract and how, and how do you create the right incentives for people to continue participating and for that not to turn into a shit show where it's like dating apps that are predominantly, you know, that have predominantly more participants of like one gender, but not the other. So it's a fascinating problem.

Like in general, I try to read about technology, about business, about psychology, human interactions, and so on and so forth. I don't follow a specific set of industry sources. If I see something interesting, I will read it. I'll at least skim through it. I am subscribed to a number of Substacks. So for me, I think when it comes to the industry updates, like my approach is like to look at my inbox or one of my inboxes that is designed for that sort of thing. It'd be like, okay, is this like, I've already taken an action. I've already preselected this source among all the other sources. Okay. Is this interesting? Like, should I look at this? Should I look at this? But yeah. And honestly, I think in this day and age, the news, the interesting things just find you.

So you don't have to try hard. Like somebody will send you something, somebody will message you with something, somebody will tag you on the social media post. So for me, the exercise is less about what to read, well, the exercise is not about finding, it's more about filtering through and saying, okay, among all of those 200 things, here is one that I'm actually gonna take a look at; everything else, I didn't have time.

Lucas Nelson

All right, last but not least, give me some plugs. Where can people find you? Talk about your book a little more. Where can they find that? Yeah, please.

Ross Haleliuk

Yeah, I am not active on any social media except LinkedIn. So I never had Instagram in my life. For example, I don't know how to navigate it. I don't even know what features it offers, but I am super active on LinkedIn. So you can most definitely subscribe to me on LinkedIn. And because my last name is too complicated, Lucas is going to add the actual link under the podcast, I am sure.

Lucas Nelson

Okay.

Ross Haleliuk

Yeah, find me on LinkedIn. I have a fairly active blog which we discussed called Venture Insecurity. It's ventureinsecurity.net. I used to do it weekly. Now, sadly, I no longer have time to do it weekly. So I do it when I have time to do it. And lastly, there is a book titled Cyber for Builders. You can find it on Amazon. It's... Yeah, I...

I know eventually I will have to probably rewrite some of the bits within that book because I personally no longer agree with them, but again, it's not going to happen anytime soon.

Lucas Nelson

It's a great book, and I appreciate you putting it out there for everybody. Ross, thank you for joining us. It was really great to see you.

Ross Haleliuk

Thank you, Lucas. Always a pleasure.