I sat down recently with The Record, the excellent publication of threat intelligence provider Recorded Future, to share the story of how I became interested and involved in cybersecurity and why I co-founded BlueVoyant LLC with Jim Rosenthal. The full interview can be found at The Record.
When Tom Glocer was serving as a top executive at Reuters, the business news and information provider, cybersecurity was rarely the main story.
But in the roughly ten years since he’s left the firm, the finance sector has been rocked by cyberattacks and internet-enabled bank fraud, including multimillion-dollar nation-state heists and data breaches that have cost CEOs their jobs. Glocer, who has served on the board of directors at Morgan Stanley since 2013, decided to get into the business of cybersecurity in 2017 by launching BlueVoyant with former Morgan Stanley COO Jim Rosenthal. The startup has since added executives and advisors to its ranks including former GCHQ director Robert Hannigan and former Joint Chiefs of Staff chairman Admiral Michael Mullen.
One of the firm’s focuses is on small and mid-sized companies that often lack the budget and expertise for state-of-the-art security tools. These businesses, to which BlueVoyant acts as something akin to a for-hire security operations center, might have data, customers, or technology that makes them an attractive target. The Record caught up with Glocer recently to talk about the company’s long-term plans, how boards are dealing with cybersecurity, and how the finance industry is handling new threats. The conversation below has been lightly edited for clarity.
The Record: I want to start by going back in time to your experience at Reuters—when did you first realize that cybersecurity was going to be such an important issue both in your life and in day-to-day business operations?
Tom Glocer: I had always been enamored of technology and computing in particular since college. But other than writing some early code, which I had the better sense of stopping, I wasn’t in the weeds on it and nor was Reuters. But we were operating through the ’90s and into the first decade of the 21st century this really large electronic foreign currency dealing system. There were really only two platforms at the time if you were trading foreign currency, which was the first asset class to really go predominantly electronic. Later we also had Instinet, an equities trading platform, and much later Tradeweb, a fixed income trading platform. But we had already noticed things around 2000—my CTO came to me and said we’re getting probed. At the time we had better control of our internet access, because most people on staff could run their job without it and everyone didn’t require ubiquitous immediate access. So we only had openings to the public internet at like three points, and we could see weird stuff being hurled against our proxy servers there.
And that was interesting to me—it was interesting on a technological level, how do you do this? And it was interesting geopolitically as well, who’s doing this? A 400-pound teenager, a nation state, or some shadow in between the two? That was really how it got started, and then to pick up the story at a certain point… towards the end of my Reuters time—I stayed until 2012, but let’s say 2008, when I moved back to the U.S. from London to run the combined Thomson Reuters—somebody who worked at the company came to me and said there are a bunch of NSA, CIA types—Mike McConnell, Michael Hayden, Michael Chertoff—who are concerned that Wall Street is not paying enough attention to the threat. Would you be willing to host a series of lunches and dinners in New York or in a couple of cases take a traveling troop down to Fort Meade and we’ll just scare them a bit?
They didn’t share anything that you couldn’t find in The New York Times, but they did it in a way that made you feel like you’re an insider—they’re sharing these incredible secrets, isn’t this cool? It was pretty targeted, it was pre-JPMorgan, pre-Equifax, it was before CEOs had come to learn that you could lose your job if you didn’t pay attention to this.
TR: Looking at the financial sector 10+ years later, the general reputation is that they at least spend more on cybersecurity than other sectors, and are probably more secure. Do you think the intelligence folks who came to you with concerns in 2008 still have the same fears?
TG: I think that’s accurate… I obviously do see what gets done at Morgan Stanley, which is how I came to form BlueVoyant with Jim Rosenthal because he was the COO at Morgan Stanley with operational responsibility for technology, and therefore of cyber. To me, the great question that every director wants to know—whether they’re more technical or less—is am I spending enough money? And then number two is, am I getting bang for the buck?
The first one is hard enough to answer. You can sort of begin to benchmark that. But whether you’re actually spending on the right things and getting value for money and how defended are you… that’s all over the map.
TR: Metrics have become a big discussion among cybersecurity leaders—as a board member, where do you think the industry needs to mature?
TG: I think part of it is a generational thing. I have not sat in on a Facebook security board review, but I would think that an audience like Mark Zuckerberg would be more interested, more receptive, and care a lot about this issue. I’m 61, and my era of CEOs—and this is a terrible generalization—if you mention tech or cyber or even we’re thinking of swapping out PeopleSoft for Workday… the answer you should get is, “That’s incredibly important. These are platform decisions. They’re core to agility and strategy and cost.” But what you often get is, “Oh, you want to talk about plumbing? Let me take you over to this little room with no windows where we’ve got the geeky CIO, because I’m a big swinging CEO and I only deal with strategy and important issues.”
Fortunately, I think that’s changing naturally as this generation of managers has grown up in and around computing. And there’s been enough bad stuff that’s happened—people who’ve really lost their jobs—that even if you’re inclined to do that, you at least have to pay lip service and say that this is a super important issue. Therefore, yes, I think CEOs and boards are paying more attention to metrics, things like the NIST standards that helped at least create a framework.
To me, there are a whole bunch of really interesting governance questions around things like do you need a cyber expert on your board? Well, it doesn’t hurt to have somebody who’s well-versed, but the rest of the directors certainly shouldn’t say, “Great, we’ll let Mikey try the cereal and now we don’t have to care about it.” There is no concept under at least U.S. corporate law that you can expertize one director and therefore the others are off of some liability hook—and nor should there be. But I think in general, people are getting more educated and asking better questions.
I do speak a lot to boards with BlueVoyant and I’m also chairman of this thing called Istari, which is the holding company for Temasek of Singapore’s various cyber investments, including BlueVoyant. And what I tell people is that the questions don’t have to be about API injection scripts or other deep minutia. You can ask the CISO out of the earshot of the CFO: “What was the total budget you put in a request for? What did you end up getting? Are you comfortable where that line was drawn? What are the next three topics that fell out of the budget that actually you must have felt important enough to include in the first place? What do you think about that? What’s your strategy? Do you do it in-house or are you outsourcing it?” A lot of that stuff is not technical and doesn’t need to be.
TR: To follow up on what you were saying earlier about people losing their jobs over cybersecurity failures, are you referring to a specific incident?
TG: I was thinking of Equifax, and I think the CEO of Target also essentially lost his job. Others haven’t, and when I get asked by CEOs what’s the difference, the answer usually ends up being an ex-post review by the board with a whole bunch of experts that they’ve pulled in. And the question is, did our CEO at least take all the reasonable steps? Did we spend roughly as much money? Did they have a process to review this, etc.? And it’s like every other aspect—you get the benefit of the business judgment rule. But the question is, viewed in hindsight, were the efforts you made reasonable under the circumstances of the threats that you were aware of or should be aware of?
TR: It’s interesting how it took until CEOs started losing their jobs for the conversation to shift.
TG: And I think context matters a lot. In the case of Equifax, there’s obviously a huge amount of private consumer data, as there is in, let’s say, the Morgan Stanley private wealth business. You would expect us to take more care to keep that financial information private than say Zoetis, the animal health company that produces flea and tick collars. I’d like to keep that pet health information confidential too, but on a relative basis… If data about the temperature of a cow population ends up in a pastebin site, that doesn’t worry me as much.
TR: What is the latest with BlueVoyant? The company raised $83 million in 2019—how big is the company now?
TG: The latest raise was actually in the 2nd quarter of 2020, and I’m pretty sure we haven’t said publicly what it is, but let’s say we’re closer to unicorn status [a $1 billion valuation] than farther away. That was our B round led by Temasek of Singapore, which as an investor is very focused on the security of Singapore Inc.—they’re making a significant financial and energy commitment to the space.
TR: What’s the grand plan for the company?
TG: It’s still early years and we have a lot of growing to do. The history of the company was Jim was retiring from Morgan Stanley, where, as I mentioned, he was the COO. I at the time was chairing a committee of the board called the Operations and Technology Committee, which now we’re seeing more companies follow the idea of a dedicated committee not just to cover cyber—although obviously that as a defensive matter is a large part of the mandate—but also what I think of as the offensive uses of technology. Not cyber offensive techniques as much as are we using everything we should be in machine learning, cloud, etc.
So anyway, Jim was getting ready to retire, I guess in 2017. And I had been babysitting a set of cyber assets and relationships at a friend’s company, K2 Integrity. So we had a dark web capability out of Tel Aviv and we had what’s grown into the BlueVoyant Incident Response Group, which was sort of the former New York FBI cyber unit. Jim wanted to do one more entrepreneurial thing after Morgan Stanley and McKinsey and Lehman, and I said why don’t you take a look at these assets and figure out what part is underserved or where is the opportunity? And what came back was two ideas: One is the third party risk supply chain focus, which is really the most differentiated part of the business. The idea that, take Morgan Stanley as an example, I would never say we’re 100% guaranteed from first party attackers, but you have to be a pretty sophisticated nation state to get in, move laterally and do damage. Nobody would say impossible. But Morgan Stanley has over 10,000 suppliers and one is vulnerable via the supply chain and the potential there to introduce malware and ransomware. Even if it’s just one key supplier and they’re out of business… If you’re a pharma company and your supplier of active pharmaceutical ingredients is taken out… Everyone’s got these just-in-time supply chains, and that’s also a significant risk of your business.
The other part was, since we believe the right way to do that was not to send out another hundred thousand signals from the supply chain, we thought we should do it on a managed basis to actually help with that load and improve the signal-to-noise ratio—which ultimately I think is the holy grail across cyber.
And so we thought, OK, while it’s a little crazy to start two business lines as a startup, there would be a natural synergy in doing a modern managed service. If we were going to do a managed third party risk for large institutions, why not also do managed service for smaller and mid-size businesses who frankly could never spend enough money to protect themselves. I always use the example of the Dime Savings Bank in New York—Morgan Stanley spends hundreds of millions of dollars just on cyber defense and hires fabulous people like Jen Easterly, who’s now leaving to go into government to lead the Cybersecurity and Infrastructure Security Agency. You’re not going to be able to do that if you’re a small or medium-sized bank, but nonetheless, you’ve got SWIFT codes, you’ve got electronic payments, etc. I think you’d be an attractive target. What do you do? Do you roll your own, or maybe it makes sense to rely on a third party like us where we can invest once and spread that cost of that sophistication?
So that was the genesis of the company, and more or less the two business lines.
TR: When you talk about supply chain risks, I assume that the SolarWinds attack has been a wake-up call for all sorts of companies. Have you seen a lot of interest there?
TG: It’s interesting, NotPetya had just happened when we were forming the company and I certainly didn’t think it was that esoteric—it was certainly well publicized even in the more general business press. So I was going around basically saying, look, this was contamination via a small Ukrainian tax provider where they managed to weaponize an automatic update of the tax software, it’s a supply chain attack. People recognized it, but somehow it didn’t feel that the penny had dropped, or at least not to us. But now with SolarWinds, it’s unfortunately for society a very good thing for BlueVoyant, because now the penny has dropped.
Maybe the difference in the four or five years is that people were still playing catch up to their own perimeter defense and their own endpoints… They’re not 100% done there either, but now you raise your head above the parapet and start worrying about your periphery.
TR: How would you characterize the companies that have come to you in the wake of SolarWinds? Are they both big and small, or are they in certain sectors? Have you gotten a lot of interest from government-related organizations?
TG: It’s definitely the largest ones, in part because it takes a fair amount of work to do it properly. You need to identify all of the suppliers—that’s not too difficult, most well-organized companies can pull that out of their billing systems or procurement. But then to get that signal-to-noise ratio right, you need to accurately footprint the attack surface of the supply chain, and you’re looking a lot from the outside. We’ve invested a lot in the tools to take an outside-in view of the supply chain and then work with those companies and say, “Look, your rating is an 83, let us help you get up to a 90 because that’s what your purchaser expects you to be.”
And then, yes, government especially now with the change of administrations and the really terrible revelations of just how broad the penetration is—not just SolarWinds, but the Microsoft Exchange situation as well—they’re for the first time realizing we can’t do this all out of the NSA. It’s very nice that we’ve secured the .mil infrastructure, hopefully. But the government is very reliant on .com for everything from logistics to projection of force. And we’ve got really good ongoing discussions about rolling out the capability for government.
TR: SolarWinds also showed that hackers are looking at attacking their targets through the side door, which makes managed service providers especially vulnerable. I’m curious how your company, which falls into this category, deals with this risk and stays protected?
TG: It’s a very good question. We certainly live by the adage that people who live in glass houses shouldn’t throw stones. We use our own technology and data on ourselves. We have a first-class CISO. And we do that famous trade-off between security and convenience. It’s a royal pain in the ass trying to log into BlueVoyant… we do all the things we tell our customers to do. We don’t have the arrogance to believe that we can’t be penetrated, but if we were it would require a high level of sophistication.
TR: When you’re thinking about new technologies or practices down the road, what is catching your interest?
TG: I’m thinking a lot about the increasing dependence in all of our businesses and our personal lives on technology. I hear stories about people who have old-fashioned mechanical typewriters because they don’t want to create a digital record. I think a lot about central bank digital currencies, including crypto, because there seems to be a whole lot of momentum—appropriately—to moving the world’s cash systems to a digital currency. And just based on the experience of the last 10 years, if the Bank of Bangladesh had a digital currency rather than just moving some money via SWIFT out of their Fed account, how much worse would it be? And what happens if the ledgers are somehow able to be tampered with? You don’t have to necessarily steal actual currency, it would be enough that if everyone’s ledgers or enough ledgers were off by a penny and you couldn’t balance the amounts of assets and liabilities, I think the world would run into an instant bank run panic. And those are things that folks at the Fed and the Bank of England worry about, and rightly so. In the U.S. right now, there’s this whole popular theme of the Chinese outpacing us to go to a digital Yuan. Nonetheless, this is an area where you want to be really, really careful. And our experience with places like the OPM and other parts of the federal government don’t give a lot of confidence that we’d be able to protect it at the moment.
TR: Cryptocurrency has gotten a lot of blame for the rise in ransomware attacks over the last few years—it will be interesting to see how governments deal with that as they try to roll out digital currencies.
TG: In many respects, the current regimes on things like know your customer and anti-money laundering are diametrically opposed to the foundational principles of blockchain and bitcoin, right? If it’s supposed to be a decentralized end node authentication system and you actually don’t know the identity of the endpoints, you therefore have to reintroduce as an aftermarket retrofit the machinery of know your customer on a framework and an architecture that was built precisely not to allow you to do that.
When I look at the deeper future, I think we will live in a world where it will be too important not to know identity on what we call the internet. The Chinese already do. Their digital currency—they’re not running on a free ledger system there. They will know exactly who’s transferring to whom. So one is the end of anonymity. The other is that the internet that we built on the back of 13 or so trusted institutions, where Harvard trusted MIT, which trusted Stanford… that’s got to be replaced by something that’s secure down to the chip level. But I think the cost will be too high to continue to run this pretend Wild West, which actually is vulnerable.
Unfortunately for all of us as world citizens, cybersecurity is an amazing growing market. Maybe there will come a day when all of this ends up being concentrated in only three firms. But I think more likely than not, there are probably 500 firms around the world that can each make a major contribution to keeping us safer and grow really substantial billion-dollar businesses. And it’s nice to be in that phase of industry.