Podcast - Resilience, Not Perfection: Cybersecurity Enterprises in the Age of AI
When launching a cybersecurity startup, it is essential that your product can both solve a problem consumers currently face and deliver future value beyond that initial fix. In this episode of "The Innovation Imperative," Patrick Driscoll is joined by Partner Jeff Seul and ReversingLabs Co-Founder and CEO Mario Vuksan to discuss Mr. Vuksan's journey through the cybersecurity space and how he identified market gaps and leveraged them to build a leading platform.
Mr. Vuksan highlights widespread confusion about software supply chain security, noting that it is often treated as a compliance checklist rather than an actionable remedy. He also advises companies to prioritize critical resilience, as attacks will likely occur at some point in any organization's lifetime and the ability to function the day after an incident can be vital for customers.
Looking to the future of cybersecurity, Mr. Vuksan believes the "cat and mouse" dynamic between attackers and defenders will persist and that emerging solutions will be temporary, focused on speed and cost-effectiveness rather than sweeping regulatory overhauls. He also expects artificial intelligence (AI) to prove equally useful for offensive and defensive purposes.
On the whole, the conversation showcases the importance of truly understanding one's audience and market to identify scalable areas of opportunity, building based on conviction, not trends, and focusing on staying power over perfection.
Patrick Driscoll: Welcome everyone and thanks for tuning in to "The Innovation Imperative." My name is Patrick Driscoll, and I'm the Director of Client Development for Emerging Companies and Venture Capital (VC) at Holland & Knight. At Holland & Knight, I work closely with founders, venture capital firms and investors navigating the full life cycle of innovation, from company formation and early fundraising through growth, scaling and, ultimately, exit. A big part of our role sits at the intersection of law, capital and storytelling: helping innovators and investors think strategically about how they build, fund and protect what they're creating. "The Innovation Imperative" is really about that journey. Each episode, we sit down with founders, investors and operators who are shaping the future, often behind the scenes, to unpack the real stories, lessons learned and inflection points that don't always show up in a pitch deck or press release. We focus on VC, startups and the decisions that matter most when the stakes are high.
Today's conversation is one I'm particularly excited about. It's a practical, forward-looking conversation on cybersecurity and software supply chain risk, focused on how founders, investors and enterprises can build secure, scalable technology businesses. Topics include the founding story of ReversingLabs, shifts in modern threat detection, what investors should look for in security platforms and how legal and compliant strategies support growth in regulated and enterprise-focused markets. Joining me first is Jeff Seul, my colleague and partner at Holland & Knight. Jeff is a partner who focuses on working with technology companies and investors on complex legal and strategic issues, especially as companies scale and face increasingly sophisticated risks. He brings a thoughtful, pragmatic perspective to these conversations, and he'll be helping guide today's discussion alongside me. We're thrilled to be joined by our guest, Mario Vuksan. Mario is the co-founder and CEO of ReversingLabs, a company widely recognized as a leader in cybersecurity and threat intelligence. So with that, Jeff, let's get started.
Jeff Seul: Excellent. Thanks Patrick, and Mario, it's really great to be with you. We've known each other a long time. I've seen the long arc of your journey. For those who are just meeting you, maybe you could give us the flyover, the 90-second version of your path, and focusing on what experiences got you interested in cybersecurity and risk and how you think about it.
Mario Vuksan: So, Jeff, I was really always very excited about building technology, something that's new, something that has a chance of changing how we do things. And in my trajectory, I was always looking for that next level of challenge. And as you well know, we had lots of great challenges that, you know, group networks some, I don't know, 25-plus years ago. And from my perspective a lot of the lessons learned are still with us today. My first deep dive into the latest technologies that can manage a tremendous amount of data, back in the day, it was Microsoft, you know, SQL Server technology, that was rapidly displacing Oracle in those days from many different places and something that had started to open up space for a lot of new, radical ideas. Of course that was not the only element that was important, it grew. It's really sort of the place where the privacy encryption, the security became, you know, the first-class citizen, from a security perspective, that I remember seeing in my career.
Now, that sort of experience did follow me later on to Bit9, where we tried to build the next generation, a very innovative security company. And I tried to put together this knowledge and skills into a trust repository that was really put together before trust was the thing for all of us. Actually, we were literally using these large repositories as an inverse filter, really just to say is something not good and therefore it's potentially bad and we should do something about it – which eventually got very much used for digital forensics. But today's sort of focus on being able to understand how our critical infrastructure can best serve us, when can we trust it, when do we replace it, those ideas, were coming further down the pipe.
Jeff Seul: You've seen a lot over the days. That's quite an arc of history in the industry around cybersecurity. I remember our first conversation around founding ReversingLabs. But what I can't remember clearly is, what was the specific, sort of, inflection point that made you decide that you needed to found a company to do what you're doing as opposed to just continuing on as the world-class engineer that you are?
Mario Vuksan: Those are interesting moments, maybe for some people that happen overnight, just like, where you wake up and say, I want to do this. I think for many people these things are gradual, building up in you. I was always very much interested in engineering, I majored in math and computer science, but as you know I also majored in art history. I was very much interested in how different information influences the technology and the other way around. I always viewed it as being one part of a much larger, more important whole for society in general. Anyway, for large chunks of history, art was tied with religion, with warfare, with science, with medicine. Certainly, like Leonardo [da Vinci] was an engineer and artist at the same time. There was really no clear differentiation between what society may need. And of course, when we build something, the care comes with it. You want it to feel good. You want to feel proud of the achievement. You want it to last long. I mean, a lot of architects building bridges took a tremendous amount of care how they visually appear. And therefore, for me, it was very important to apply myself into something where I have deep belief about what I'm doing, where I end up having the freedom to see through the end. And that's sort of the beautiful thing about building things. You build it, you may eventually have a chance to see how other people react to what you have built. At least for me, it gives the pride of responsibility for my actions, something where, you know, I believe I had a good idea, we built something, there was a great reaction, and I think that's wonderful, sort of the meaning of life, the ability to build what new technology brings.
Jeff Seul: That's really interesting and beautiful. I don't think I've ever heard anyone put it quite that way. But you know, it's a creative impulse. It's not just about the engineering, it's about creating something beautiful, impactful, the whole package. And you have to meet a market, right? I guess the architect building the bridge is doing that too – people want to cross the river. As you think about the market, at the time, what was like the critical gap that others weren't addressing, you know, that you sort of decided to direct your creativity towards?
Mario Vuksan: You mean specifically from a perspective of cybersecurity?
Jeff Seul: Yeah, I mean, as I recall, you had been ideating on a suite of really interesting technologies and you sort of directed them towards an initial set of problems. Like what were others getting at the time that, you know, you were getting and ReversingLabs began to address?
Mario Vuksan: Yeah, so when we started the company, it was very, very interesting. It was 2008, you know, bad economic crisis, not so much focused on early funding new ideas, but, depending on who you ask, you know, maybe the best time to start something new – in a time where you can sort of focus on the next generation of ideas and where things were moving. And we felt that the ideas, the last ideas, are usually sort of the things that propel you further. At Bit9, there were ideas that were not fully allowing us to actually solve the challenges that the industry was facing. And at the time, the industry, I would probably call it a first-generation security industry, you had a lot of companies that went public, where a lot of technology was being built with limited resources, even in big companies, and there were a lot of items left unsolved.
Now, that was sort of an opportunity, obviously, for the next generation of attackers to come through. There was almost a docile element that the criminal actors were probably the one thing that we should be worried about. It's more the nuisance, uptime, making sure the PCs work. And it really was not until the nation-state actors got into the game with advanced persistent threats that the industry realized that everything they've been building is not sufficient, is not going to solve what their customers are expecting. I mean, there was a total belief before 2008 that my secure investment is the provenance of the IT. It's just something you buy and you don't worry about it. The fact that you need to start hiring executives to deal with these problems, build programs, hiring intelligence folks to look through your alerts and look at those parties that may be interested in stealing things from you, that was generally rather new as a concept.
And so we had this feeling, we obviously had no idea what is going to come – I mean, this is sort of like nobody really knew how strong, especially the Chinese and the Russians, are going to go after the U.S. infrastructure. We just realized that the answers being provided, the whack-a-mole approach, the traditional AV, simply is just too manual, it is still not scaling. And even at Bit9, we realized that a little trick of tracking files using their cryptographic hash values is just too fragile to be truly useful. So we said to ourselves, to solve this, we're going to have to research, there'll be lots of creativity, there'll be looking into unknown, it'll be effectively taking this digital world in the shining sunlight, looking in areas where there's no documentation. Also, think of it, open source was in very early days, you know, so like whatever you had in an open source was in its very early phases – documentation, conferences, a lot of these things are yet to come. So when it came to really understanding what some binary code could possibly do, it was as good as attempting to decode the alien space signals coming from other galaxies.
Jeff Seul: You're describing a kind of dizzying array of new developments. I mean, from hybrid warfare to the rise of sophisticated cybercriminality to shifts in the tech industry itself, like open source. That's a lot to cope with and a lot of problems to solve, a lot of room for creativity. What did the first six months look like? Take me back there, I can't recall. Like, you know, building a team, early customer contact and so forth.
Mario Vuksan: Yeah, so that's a really good question. I mean, when you start a company, obviously you want to have a sense that you're on good grounds of being successful. You know the problem as a user or consumer, you intimately know what's wrong so you can help. Also, if you're not 100 percent sure, you should be able to intimately figure out how you could get to answers or how to find people who will lead you towards that solution, what you can make different. And in our particular case, we were unique from a perspective that I knew most of our potential early customers from the industry. I knew their problems, there was mutual respect, and I knew that the challenge was providing them with a solution for the problem that their organizations were trying to solve, but also doing it in terms that are difficult to ignore.
So this meant, come back with a lot more value than they were able to do or generate internally themselves. In fact, I'll tell them, I'm going to take something really difficult that it's going to be very hard for you to staff, everybody's smart, everybody can do everything, but, you know, if there is a personal trust, we can build something to solve the problem that is not the thing you run after every day. And you know those are our first few contracts, those are the sort of items that gave us the chance to build the first version of the product, second version of the product, and then, as you start talking to people about what you're doing, you get some awards, people talk about you, you get called back. And this was, you know, at the moment, a unique and crazy idea that, you know, was definitely not consumer focused, but really targeting the most sophisticated organizations.
Jeff Seul: I remember those days, yeah, I think it's really important to underscore what you're saying about the opportunity young companies have when they can partner with customer prospects as you did to really build things that are guided by their requirements, and it's a sort of reciprocal loop. Well, let me shift a bit and let's talk a bit about the cybersecurity landscape and what ReversingLabs is laser-focused on today. What do you think teams in customer organizations or customer prospects know and don't know, I guess, about software supply chain security? What are common misunderstandings about how software is developed, managed and secured these days?
Mario Vuksan: Well, when it comes specifically to software supply chain security, there's lots of confusion and misunderstanding of what it is. On one hand, there are people thinking it's a governance issue, it's pen and paper checkbox items: You give me a list of questions to answer, I do it, and then you store it and hopefully something comes out of that along the way. That's great, I mean it allows companies to deal with regulators and regulatory environments, but it's not a fix. Now those that are really considering a fix at best do what today in [cyber]security we call application security segmenting of the market, where you believe that there's some kind of a scanner – you scan, usually in a source code, have some findings, have the vendor do it, and that's an easy fix. Now, the challenge here is that simplifying the problem to let's scan the source code, which is usually text, so like in a much easier version of the problem, or subjecting any included open source to evaluation and ignoring everything else as it usually happens, that's really not sufficient. The reality is that the most critical software is there because we cannot remove it then replace it. It has aged, needs overhaul, modernization, careful scrubbing down, something that takes a long time to address. And something that is there for us until something significant happens. And this is sort of where we strongly believe that significant efforts between those using acquiring software and willing parties that want to improve their software needs to take place. Just assume not everybody is really incentivized or wants to fix something that took so much pain to build some 10, 20 years ago, but unfortunately, we need to go down this path.
Jeff Seul: Right. Where do you see companies underinvesting in security generally?
Mario Vuksan: Well, I mean, that obviously depends on the company. So today, most organizations have a chief information security officer running their problems. And they do just try to solve that problem. However, it has become a super complex problem, that naturally takes lots of money, lots of skills. Some of them are more technical, others have more legal or finance skills, but also it will take time and focus to lead towards a situation, that something will be out of focus or needing additional investment. But, you know, one thing that I would want to highlight for all the organizations looking for how to enhance their security programs is to really focus on critical resilience. Assume that they will be at some point subject to a catastrophic attack. This will happen. Maybe you're lucky, it hasn't happened, maybe you get to move from job to job, but something unfortunately is in waiting there. Now, the critical thinking that needs to happen is what do you need to do to assure that your company can operate the next day. Because that's usually what's required from our IT organizations. We understand that servers can burn, things can get corrupted, but we need to work tomorrow. And if we don't, our customers may not get served. And those customers may have critical, if not life-threatening, dependency on what we do. And so if you as a CISO cannot ensure that an organization can operate the next day, I mean, that can have a severe business, personal and societal impact.
Jeff Seul: So looking three to five years out, what is changing fastest in the security domain? What are you focused on for the future?
Mario Vuksan: With the AI and the hindsight, no one really could have predicted how quickly things can move. But when it comes to actual security response, attackers and defenders will always be playing a sophisticated game of cat and mouse, with or without AI agents or the like. The goal will always be to get as fast as possible to a position of advantage at the lowest possible cost. Even with AI, it's just sort of the cheapest path to getting things done, which then sort of allows the other side to respond at equal pace. So same thing for defenders. We're going to do the fastest, easiest, cheapest way to address the need. Not like some sort of massive regulator overhaul and something else that may take 10-20 years to come to fruition.
Jeff Seul: Interesting. Yeah, AI is really changing the game everywhere. But I guess people are going to use it for good as well. They'll defend against the threats that AI can be used to generate, yeah.
Mario Vuksan: Absolutely. And unfortunately, the way we are as a society, you know, one use of technology may be positive and another one may be considered negative. And this is outside, you know, pure, clear, fraudulent, malicious use cases.
Jeff Seul: Well, shifting gears again, what advice would you give early founders of cybersecurity companies? What are one or two things they need to know before they launch and really try to scale and go to market and follow in your footsteps?
Mario Vuksan: I mean, it's simple and yet, you know, tremendously complicated. You literally have to define a problem that's, you know, worth solving and that customers feel is worth talking about. And if you do not have that match, it's just something exciting, more in art, less in engineering. And I think you really need something that people can take, make their own and create further value on top of what you've just created.
Jeff Seul: Super important to know the difference between whether you've built a feature and whether you've built a product or whether you've got a company there.
Mario Vuksan: Right, so those are the things that happen on the trajectory. If you can't even design a feature that makes sense, it's kind of hard to get to the conversational product or the wherewithal of building a company. I would recommend people not to stress and be proud of one thing, see results, and then see where that takes you. Usually new ideas come at every different stage, and I think that's sort of a beautiful element of building a company. You never quite know where some business plan will take you, and I mean, I think it's just like life, you know, you got to live it to enjoy.
Jeff Seul: So one last question. How does having a strong legal partnership with lawyers impact growth of a company like yours? And I'm sort of thinking less about the nuts and bolts and blocking and tackling and stuff but, you know, sort of strategic value.
Mario Vuksan: I think having a good legal partner is essential and critical for any fledgling company. And you really want a partner that has the ability to help you in many areas all at once. Because, you know, contracts are very, very important, but not the only element that matters. So I would really recommend a new founder to think hard, first thing to build a relationship, trust with an organization that has breadth and gravitas. An organization that would be able to see the totality of your company from contracts to patents to different privacy open source licensing issues, that will be able to sort of give advice as the company is growing to potentially bring in the resources in different geographies, whether commercial or federal, where organizations that may even, in our cases, like we probably need security advice from a perspective of real building security products. What do you think, what are you hearing from the regulatory perspective? But I could imagine that there will be organizations that need more differentiated services that we haven't even tapped into, and from my perspective, Jeff, working with you and Holland & Knight has been a real privilege, knowing that no matter what happens, there will be a very strong bench of people being able to assist us. And as you know, we've utilized all kinds of services within the firm over the years.
Jeff Seul: Yeah, it's really cool. And I appreciate you saying that. It really underscores what we see. We see time and again how important it is for a young company that may have a focus or a narrow focus here initially, as they scale, things change. They have customers in other industries where you need that industry expertise. Stuff comes up where you need specialists, and breadth and depth is super important. So you got to think about the future, I think, when you make these choices for sure. That's all I got. Patrick, I wonder whether you have any questions, having heard all this.
Patrick Driscoll: I could probably talk for another hour with Mario here, but we do have to wrap up, unfortunately. But before we do, I did want to double click on some of the three practical takeaways that I found to be insightful. And the first one, I think, was made clear throughout the conversation, which is to know the problem if you're building the company, like truly, in-depthly understand the problem that you're trying to solve and make sure that it's scalable and it's, again, not a feature, it's an actual company that you're building around the product. So I enjoyed the conversation there. The second one is to build from conviction, not trends. So I enjoy that you were, Mario, blending your deep technical expertise with a kind of creativity. You talked about art history and thinking outside the box about cybersecurity. So believe in what you're actually building, and you can bring real care and intentionality to it. So I appreciated that. And then the third one is to prioritize resilience over perfection. So you mentioned kind of the influx of AI into this mix: Everything is faster, cheaper, it's more persistent, and you need to really be able to adapt with solutions to deal with these threats. So there's no perfect checklist, there's no silver bullet, but you need to be nimble when you're building a company in a cybersecurity space and your journey has been fascinating.
So thanks again for sharing your thoughts and your insights. Jeff, as always, thanks for the great conversation and perspective. It's very clear you both have known each other for a long time, which makes these conversations super fun for me to sit in and listen to. If you want to learn more about ReversingLabs, you can check out their website, find out information on the work that they're doing to secure the software supply chain. For founders, investors and funds navigating growth, governance and risk, Holland & Knight is proud to support you in the innovation ecosystem. You can check us out at hklaw.com. You could find information about Jeff, myself, and feel free to reach out if you have any questions. Thanks again so much to our speakers and to everyone listening. We'll see you next time on "The Innovation Imperative."