Cyber-Securing the Supply Chain

Fortress founders look back and forward

Fortnightly Magazine - November 1 2019

In a prior life, the co-founders of Fortress Information Security created the company that accurately evaluated subprime mortgage credit. Their digital platform for that was shown in the film The Big Short. Now they've created a digital platform for utilities to share evaluations of equipment vendor cybersecurity. Here we talked with these serial entrepreneurs about their focus on supply chain security and their unique collaborative approach, and then with some of the smart folks on their team.

Fortress founders look back and forward

PUF: Peter, what did you do before Fortress, and what brought you and Alex together?

Peter Kassabov: Alex and I are serial entrepreneurs, and Fortress is our fourth venture together. I guess we like the thrill, the adrenaline, the opportunity to build something from nothing. But we also like the challenge. It's like building a brand-new house. When you build it nicely, and everybody enjoys it, you forget how difficult it was to start from the foundation.

Alex and I have been doing these startups now for almost twenty years, and we each bring something different to the table. That's why we are a good fit. Alex is analytical and detail-oriented. I'm more of a big-picture person, and we complement each other well. 

PUF: Can you provide me with some detail about some of the ventures you worked on together? I heard a bit about what you did during the 2008 financial crisis.

Peter Kassabov: If we continue with the analogy of building the houses, our creative juices are triggered when we feel that there is a big storm on the horizon. If there is a major change in the climate, then we see opportunity and start building.

Our first adventure was in the early days of the internet in the late nineties. Amazon was just a bookstore, and many of the Fortune 100 companies were still looking at the internet like a new video game created in Silicon Valley, but they didn't know how to play it.

I'm Bulgarian, and I moved from communist Bulgaria. I landed in Silicon Valley, and I was involved in the very early days of the internet, working with companies like Medscape, Dell, and others.

Then I moved to the East Coast, where I met with Alex, and we started thinking about ways to help traditional consumer-oriented companies utilize the internet. The idea was that they would meet a company like Amazon and eventually have everything under one roof. We are focusing not on the selling part, but on the infrastructure side.

We provided solutions for companies like Mercedes Benz, Sprint, Federal Express, JP Morgan, and many others to use the open storefronts, and have a call center with customer service. In those days, people were not using email much yet, and they had a warehouse that shipped from there.

To continue with our analogy, this was our first house in the early days before the skyscrapers came. It was rewarding and at the same time, challenging because it's difficult to explain. In the late nineties, people didn't know what they could do on the internet besides being on AOL and chatting with their friends.

So, we had to do a lot of educating. Alex and I discovered that with new, cool things, at the right time and the right place, usually many companies adopt them. A lot of competition came from this.

Not because of us, but Amazon and many other companies discovered that the internet is the new infrastructure for everything. Our business became a commodity.

Alex and I decided, okay, we have the tools, we have the knowledge, we know what the internet can do. We can build something valuable and something that you can't see on every corner.

We started looking for opportunities to leverage regulatory changes. We repurposed our technology to be used in the healthcare sector.

So, we built the first platform for selling health insurance directly online. It was ahead of its time, and one of the earliest challenges we faced was having to go to the department of insurance and convince them the internet is a safe place to sell insurance. The department of insurance said, okay, but first, you need to become licensed insurance agents.

So, we hired licensed insurance agents so that people who didn't know how to use the internet could call or chat online.

We quickly became a major part of Blue Cross, United Healthcare, and other direct-to-consumer sellers of insurance. Now, twenty years later, online sales account for about forty percent of the business of health insurance companies.

After you build the house, you have to worry about the risk. One thing we discovered as part of building a solution for health insurance companies to do business on the internet was that they didn't know whom they were really doing business with.

When they were selling insurance to companies in person, they were able to take an employee census, so they knew how to price the insurance. But when individual consumers apply on the internet, they didn't have their health history, and it is illegal to ask them if they have diabetes or other health concerns and price the insurance differently based on their answers. So, ten percent of the population ends up contributing eighty percent of the cost.

In order to comply, we had to combine our solution with disease management and wellness programs.

It's worth noting that in every solution we build, we provide the total platform. So not only were we helping people buy insurance online, but we were helping the insurance companies identify the risk factors. We looked for, say diabetes or heart conditions, and then enrolled the consumer to be involved in a health and wellness program to reduce the risk.

PUF: What happened next?

Alex Santos: Digital Risk was the third "house" we built. The original premise - this was before the financial crisis - was that we perceived a significant trend developing around mortgage fraud. Borrowers were lying or committing fraud to get approved for mortgages.

People wanted to keep up with the Joneses, they wanted to live a lifestyle they couldn't afford, and they were willing to commit fraud to make that happen. So, we built a technology that banks, specifically mortgage originators, could use to detect, and therefore prevent, making mortgages based on fraudulent representations by applicants. For example, we would tell them we think fifteen percent of your mortgage applications contain fraud.

Jace Powell: We foster critical thinking. We’re always encouraged to find alternate or better ways to do our job.

What was frustrating about this business was that the financial institutions, before the financial crisis, didn't share our view. They didn't care about fraudulent applications, because from their perspective, if borrowers were committing fraud, and they were going to default on their payments, the bank would still make money by foreclosing on the properties. Because the home prices were going up so fast, the banks didn't care. 

We would go to banks, and our analytics would produce a multipage report on a mortgage application, and it would tell if the borrower lied about their identity, or income, or falsified the appraisal. The banks would reply by asking us weird things like, can you take the page numbers off of the report? Can you put page breaks in between the various checks that you do?

The reason they were asking me these things was because they wanted to pull out the negative information and only leave in the good stuff so that the investor in the mortgage wouldn't see the negative information.

Peter and I would sit back and think, there's a crisis brewing here. This cannot be sustainable. Then as Americans, we all saw it. In our social networks, we would see that someone just bought a new house and they have more big-screen TVs and a nice new car. Where was all this money coming from? A lot of people were using their houses as ATMs.

Being entrepreneurs, we had to pay our bills and make payroll, so we needed to find clients who cared about this because the banks sure didn't. So, we said to ourselves, hey, if the banks don't care, who are they stiffing with these loans? 

Well, they are stiffing the investors. So, we started talking to investors. When we talked to Wall Street, we realized that they're not really the investor, they're just the middleman. They're passing the mortgage from the bank to the investors. 

When we started meeting investors, we actually met the guys in the movie, "The Big Short." In the movie, there's a scene where they're pointing on the computer screen, and they're looking at individual loans. We supplied that information. 

In another scene, one of the investors plops down a book on the table of the Wall Street conference room and says, I want to short this bond. We would look at the fraud characteristics of every loan, and we could identify which bonds had the most fraud, so investors could cherry-pick which bonds they wanted to short. That's our connection to that movie. 

Tony Turner: We are betting on the flip side, on the defensive side for our utilities.

We kept talking to investors, and we started working with the largest investors that were benefiting from the crisis. But there were many more investors hurting from the crisis. When you buy a mortgage bond, you're not supposed to lose money. These bonds were now at fifty percent of the value that they paid for it. It was devastating.

We found the largest investors, Fannie Mae, Freddie Mac, AIG, the Federal Reserve, and the life insurance companies who are big investors in these mortgage bonds. But those names aren't as recognizable. Most of these companies have been bailed out by the government, Fannie, Freddie, and AIG, most notably.

We saw the storm clouds growing and the crisis coming, and we kept at it. We kept finding the eventual victims, and we helped them. Ultimately, we helped Fannie, Freddie, and AIG recover ninety billion dollars. We like to say we recovered ninety billion to the U.S. taxpayer because the taxpayer had bailed out those three companies and others as well.

After that, we were developing a strong sense of mission. We thought we had done a good thing for health care. We thought we had done a nice thing for the U.S. economy and the U.S. taxpayer. So, we looked next at where there could be some storm clouds brewing. Where is the next area where we could have a strong mission to complement our entrepreneurial spirit?

Cybersecurity was the clear choice. The Target hack had just happened, and the Sony hack. This was when cloud computing was being adopted, and the pace of technological change was accelerating. We reflected on our path.

We realized that whether it was when we were an eCommerce company, a healthcare company, or a financial company, that we were a vendor that helped our clients care for millions of their customer records. 

PUF: What mechanically happened to say, okay, this is the next one?

Peter Kassabov: We always tried to serve a mission. Before the financial crisis, our mission was to help investors in the financial institutions prevent the crisis through better fault control, fraud detection, and everything else.

Nick Noll: We’re hoping to help make America a safer place and maybe help people remain blissfully ignorant.

The last part of this story of digital risk is that two years before we sold the business to Hewlett Packard, the banks and all the mortgage originators finally adopted our system. We became the quality control for twenty-five percent of the mortgages in the United States. We want to have the same impact in cybersecurity.

At Digital Risk, we were instrumental in forcing the mortgage industry to do something about fraud. We disclosed all the risk during the securitization. We showed the entire roadmap of where it was going in a matter of seven years. The financial crisis ultimately forced everybody to do the right thing. 

After the internet, cybersecurity is probably the biggest thing that will affect our lives in every aspect. So, we chose to go into cybersecurity. Our mission now is to hopefully prevent another crisis like what happened in the financial industry.

Alex and I first identified the industry that touches every aspect of our lives. After that, we looked for areas where our experience would be relevant, where we knew we could make a difference using lessons we learned from past ventures.

We were also looking for new regulations that can help cybersecurity to be elevated from "nice to have" to "must-have." Because one thing that we discovered in the financial crisis was that although it is exciting to be a little bit ahead of your time, it is also painful. 

Being early is both a curse and a blessing because, on the one hand, you are ahead of the competition, but on the other hand, your prospective clients don't see the need, or even if they do, they might not feel the urgency. Today everybody knows that they have to do something about mortgages, but they don't know what to do about cybersecurity. They know that they have to do something, but they aren't sure what to do, and they don't feel the urgency to take action now.

We noticed that the new regulations coming from NERC are helping financial institutions to at least see the roadmap. Just like in the financial crisis, many of these companies are not extremely motivated to do something until they're hit with a major breach, like Target.

So, we founded Fortress Information Security, and we are following the same roadmap as before: identify an industry that is going through a major transformation, and identify the new regulatory changes that will motivate the companies, especially those in critical infrastructure, to do the right thing.

Then we identified competitors. Everybody's using the technologies that were developed to fight the last battle. We're focusing on the next battle.

Many countries expected World War II to be fought by trench warfare because that was how World War I was fought. But WWII was very different; it was fought with guns and airplanes, with no real front lines.

Cybersecurity is going through the same paradigm shift. Many companies are still fighting cyberwar I with antivirus software, putting all of their data inside the firewall, but the nature of cyberwar has changed. Now we are fighting Cyberwar II, and the supply chain in the cloud is where the risk is. 

Our experience at Digital Risk was helpful, when we were doing business with key vendors from the Federal Reserve to Blue Cross or Bank of America, because we know what vendors do.

It's amazing to read the data. JP Morgan spends, let's say, $1.5 billion on cybersecurity, but then they give their database of customers and mortgages to a small company that operates the call center. This small company can't afford to spend more than two hundred thousand dollars. It's the same mortgages that JP Morgan was trying to protect, but they are much less secure.

PUF: Talk to this idea of a platform, almost a marketplace for doing the supply vendor assessments. That sounds like what you've done in some of these early housing constructions. 

Alex Santos: It's similar because, in a bond, there are multiple bondholders who all benefit. Think of that as a supply chain. When we secure a supply chain, all of the stakeholders of that supply chain benefit: the utilities, the vendors, and the regulators.

Think of it this way. As homeowners, it's our personal responsibility to secure our own homes, to lock our doors and windows. It's more efficient for us to do that ourselves. 

But the roads in our city that we all share, it's more efficient for the police to secure those, and for the homeowners to pay taxes.

In the same way, all the utilities share a supply chain, which includes the industrial habitat. In other words, the security will be higher if everyone shares a portion of the burden. If we come together and collaborate as a team, and share the cost, we can all have greater security at a lower cost. That's the idea behind the Asset to Vendor Network.

Fortress team talks shop

PUF: Bart, what's your role at Fortress?

Bart Gasiorowski: I'm the vice president of security solutions and in charge of business development. I've been with Fortress since its inception. I was the fourth employee in late 2015. When I started with Fortress, I came in as the director of talent acquisition and management.

From a four-to-five-person team, I've experienced the entire life cycle of where we were to where we are today as an organization. It has been a fantastic ride, and I think all of us here bleed Fortress blue!

Being a small new startup, we wanted to focus on creating a culture, hiring individuals with the right technical ability but focused on a passion for security. We dub everybody here as the Fortress Family. We operate as a team, and each employee contributes to the success of Fortress, from our analysts up to the VP level.

We focus on culture since the organization values both strategic and tactical approaches to our solutions, and the help of our hands-on analysts bring us to that point. Our top-class analysts provide tremendous amounts of intelligence and keep us abreast of daily threats.

We're big in continuing education and provide our employees with the ability to attain specific security-focused certifications as well as ongoing education. We also drive a culture of continuous learning and development.

The threat landscape changes each day, so we always have to be on top of the emerging threats. We empower our employees on the frontline to dig deep into the current and emerging risks so that we, as a solutions provider, can stay ahead of the adversaries and keep mitigating cyber risk to the energy and utility and critical infrastructure sectors.

PUF: You created this culture. Do you have foosball, ping pong, and funny things on the wall?

Bart Gasiorowski: Yes. When we were building out our offices, we were looking at setting up a game room that ended up becoming additional office space as Fortress continues its growth. We appreciate work/life balance and have corporate sporting events where the majority of us participate. For instance, we have a local Fortress kickball team, a volleyball team, and we also sponsor many local 5Ks as a Fortress team. From a team-building perspective, we've attended and have gone through a few escape rooms as well as had team outings at our local TopGolf venues. We like to keep the atmosphere fun.

We value our employees and provide many benefits such as Chick-fil-A Wednesdays, where we bring in breakfast for the entire office, provide snacks and unlimited amounts of coffee and espresso, and always have a full refrigerator of healthy food and drink options for our employees.

PUF: Steve, you're the vice president of third-party risk operations. What's your job like?

Steve Earley: I lead what's effectively the consulting arm of the business. We have teams of professionals who do security assessments on vendors. Our clients have tens of thousands of vendors that they're dealing with regularly. We work to figure out which vendor represents the greatest risk based on their access to data, services they provide, and in some cases, where they are located.

Once we have identified which vendors represent the greatest risk, we perform assessments. We're effectively an audit organization. We review the cybersecurity controls that the vendors have in place to make sure that they are handling our clients' data securely and safely.

PUF: Ty, you're the vice president of information. What do you do every day?

Ty Short: I spend a lot of my time looking at data and trying to make data useful. I'm turning the data into information that can be productized and also solving unique problems for our clients. We do a lot of work in risk management.

Risk management covers so many areas, and similar to what Steve described, we're policing the vendors. There are probably at least twenty high-level ways to look at risk for a vendor. My team is always trying to find new data sources to ingest and say, hey, how can we use this to gain insight into risk?

We also utilize machine learning, which we have implemented in our products in the last year, and that enhanced our quality control. Most of my team is in a research capacity as well as business intelligence.

On the analytics product side, I spend a lot of time working with Tony Turner on developing the solutions we offer. It's a broad range of things, but it's fun.

PUF: Cassie Kennedy, you're the pre-sales engineer. What do you do every day?

Cassie Kennedy: This is my second month now in this position. It's something different every day, which makes it exciting. I work in the marketing department, researching, copywriting, and managing some of our projects. I focus on the social media aspects, as well as technical presentations. One project I'm excited about: I'm currently composing a pocket booklet on cybersecurity best practices that will be distributed to the employees of power utilities.

PUF: Jace, what does a security analyst do?

Jace Powell: I focus on detecting, analyzing, and remediating cybersecurity vulnerabilities. It's mostly a technical job. I focus a lot on scanning and analyzing networks, finding vulnerabilities where attackers could get in and cause havoc, and focus on fixing the holes and keeping the bad guys out.

PUF: Daniel, what do you do?

Daniel Broderick: I work on the research team. My job is to find whatever information we can on the vendors that we're researching. I check to see if they've been a part of any recent negative news or are there any dangerous violations attached to them, like cyber health concerns, or labor issues. I also look at where they're from, what they're about, and where they have locations.

A vendor will only answer the questions we ask them in a way that reflects on them positively. My job is to find the dirt they don't want us to see, if there is any.

What's blocking their cyber hygiene? Do they have sloppy corporate social responsibility going on with their fourth-party vendors? What regulatory bodies are behind them? Where have they been breached? I'm a detective.

PUF: Bart, what's the most rewarding or interesting part of your job?

Bart Gasiorowski: When I first joined Fortress in 2015, my role was to attract the best security talent in the country, which was extremely satisfying coupled with experiencing the growth of great succession plans for many of the pioneers of Fortress. During the last two years at Fortress, my main focus has been on business and partner development. 

Throughout that time, I have had the chance to participate in many security-focused conferences around protecting our country's critical infrastructure and have given numerous talks within the industry. One of the most exciting parts of this role has been getting the chance to understand that all organizations, although similar in sector, are at different maturity levels in their cyber risk management journey. It has also meant understanding the primary objectives of everyone from the hands-on individuals focused on tactical initiatives to the C Suite and their strategic mindset about their programs around risk management, vulnerabilities, and threats as a whole.

PUF: Steve, what's the most rewarding or interesting aspect of your job?

Steve Earley: The most rewarding part of my day is interfacing with our clients. I spend a lot of time with our clients, helping them understand their needs, and blowing away their expectations.

The other most rewarding part of my day is managing our team's exponential growth. Our team is growing in leaps and bounds, and I love that. We're growing headcount. That's exciting.

PUF: Is your office located in different places too?

Steve Earley: We are. I'm in Columbus, Ohio. I have a team in Western Virginia, outside of D.C., and I have teams in Orlando. We have a few folks in remote areas too. One of my senior managers is in the Kansas City area and Boise, Idaho.

We're dispersed and have a lot of collaborative tools if you want to work remotely and are distant. But we have opportunities to get together as well. 

PUF: Ty, what's the most rewarding or interesting part of your job?

Ty Short: I love both the nonstop creation of new things that are valuable to the client and solving complicated problems. Analytics comes to the rescue several times to surprise clients with things they're not expecting. Some of these things are relatively easy for us to deploy, and the value that we get from them leaves clients amazed, and that's satisfying.

Sometimes clients come to us because they have challenges that they can't overcome