‘We want to become the Netflix of cybersecurity’

If you’ve asked any CEO which was the most important asset of their organisation, the answer most of the time is people. At the same time, if you end up asking an organisation’s chief security officer, or a chief technology officer, the weakest link in their entire cybersecurity ecosystem, the answer again would be the same: people. This essential conundrum is at the heart of what drives Saket Modi, the co-founder and CEO of cybersecurity firm, Lucideus.

According to Modi—the 30-year-old tech entrepreneur based out of Palo Alto in California—more than 90% of cyberattacks have a human element in them. But the problem gets complicated because, on an average, less than 10% of a firm’s cybersecurity budget is spent on protecting this very human element. In fact, a recent report brought out jointly by computer security company McAfee along with the Center for Strategic and International Studies (CSIS) argues that cybercrime costs the world economy more than $1 trillion, or just more than 1% of the global GDP. This large scale need for cybersecurity is one of the reasons why the Palo Alto-headquartered Lucideus entered the consumer space earlier this month with the launch of the SAFE Me app for Android and iOS devices.

SAFE—an acronym for Security Assessment Framework for an Enterprise—gives a breach likelihood score between 0 and 5 for every individual on their phone. While making the individual aware of their vulnerability, it also educates them on safe practices and gives them access to 50 short educational videos in English and Hindi on how to protect themselves. After watching each video—each with a duration of three minutes or less—a consumer can answer a quiz to improve their score.

Modi says that SAFE was originally built for businesses, where it assessed the breach likelihood threat of every device which has an IP address. Businesses, he says, lapped it up. But the missing area was the focus on people. In a freewheeling chat with Fortune India, Modi discusses these cybersecurity issues in the times of Covid-19, why he entered the consumer space, and why he would like this app to become the “Netflix of cybersecurity”, among other things. Edited excerpts:

Have cyber threats gone up because of the prevailing circumstances? Has the pandemic led to enterprises becoming more conscious about cybersecurity and spends increasing?

It’s been almost nine months that most of us are now officially working from home. I think the dependence on technology has gone up exponentially, whether it’s in our personal lives, or our professional lives. And there has been an exponential rise in the number of breach attempts, cyber hacks, or attacks.

Cybersecurity spends have definitely gone up amidst times when most of other spends have been cut down. Enterprises now understand that cybersecurity is not a luxury spend but one required for their existence. India Inc. has become more conscious about cyber breaches. I don’t know of a single Indian Fortune 500 company which does not discuss cybersecurity on its board. Globally, we have some of the largest companies as customers, including Google, Facebook, GE, News Corp, and SoftBank; in India we have customers such as ICICI Bank, HDFC, Bank, Axis Bank, Kotak Mahindra Bank, Delhi airport, Mumbai airport, KFC, Pizza Hut, and Tata Sky, and we work very closely with them. They’ve definitely started taking cybersecurity as front and centre.

This has reflected in the revenues and the top lines and the bottom lines of companies like us going up exponentially. The last two quarters were the best quarters in the history of our company. Not only have we grown subjectively, objectively, our growth has been almost 300%, year-over-year on our top line.

What was the genesis of the SAFE Me app?

The laser focus of our enterprise product SAFE, which continues to sell today, is that when we go inside an organisation, we go to every breach likelihood score; that’s the meaning of the SAFE score, what is the likelihood that your laptop will get breached. We give a breach likelihood score to a laptop, server, database, data storage device, middleware, firewall, cloud instance—anything that has an IP address gets a real-time breach likelihood score. This score between zero and five tells what is the likelihood that this laptop or the server or this database will get breached in the next 12 months.

However, there was a common missing area in my product. The missing area was that if you went to any organisation and asked their CEO, what is your most important asset, almost every time they would say they were people. But on the other side, if you went to the chief security officer, chief information officer or chief technology officer and asked them what the weakest link in their entire cybersecurity ecosystem was, almost every time they would say people. On one side, people are the strongest assets. On the other side, they’re the weakest link. In fact, more than 90% of cyber-attacks on the planet have a human element, while on an average, less than 10% of your cybersecurity budget goes to protecting the human element.

So, we said we have to get the human element to the front and centre of the cyber defence matrix. And therefore, for the last one year, we spent a couple of million dollars in building what you have on your phone—we had a dedicated team of 25-30 people, of our total team strength of 220, working only on this app. And we said the number one thing that we want to do in the app, is visibility at an employee-by-employee level. And I’ll explain what I mean by that. If you’re an employee today of an organisation, your chief technology or chief security officer can run phishing campaigns, they can make you go through training, etc, etc. But they’re all ticking the boxes, because till the time you don’t have a personalised cybersecurity score, that you can see in one tap, you won’t know that you’re at risk. Our enterprise product gave a score for every device with an IP address; [with the app] we are now giving a score for every employee of the company.

What made you get into the consumer space? Was it the fragmented nature of consumer digital security?

We’ve always been a B2B traditional enterprise company. So why did we venture into the consumer space? Yes, you’re right [about the fragmented nature of consumer digital security]. We always had this concept of BYOD, which was bring your own device, right? It went to something called BYOA. Bring your own access. Then the pandemic hit. And we truly digitally transformed.

Coming back, why I mentioned this to you is when we started thinking about the people problem of an enterprise, we thought to ourselves that look, this is a big problem. And we must solve it at an employee-by-employee level, not just by giving a central dashboard to the chief technology officer, who will just look at things and say, hey, are we secure or not. Security is everybody’s problem; it’s the culture, the way people don’t have to teach you that when you’re crossing the road, look left and look, right. And then cross the road.

In other words, what I’m trying to say is that the intersection of consumer and enterprise has almost disappeared. Your home has become your office, your personal space and your professional space are the same. So, a year back when we started building an enterprise-only app, where we said that only companies will be able to log into it, when they pay money to us. Then we took a step back because one day, one of our employees came back and said, ‘I’m having trouble with my kids; they all want to be on Facebook and Instagram. We are making these courses to make people aware. I want to give these courses to my kids.’

And similarly, people came back and said, ‘My parents are using WhatsApp for the first time and want to make payments on it. They don’t know what to do.’ If you go to YouTube and type WhatsApp security, you will get 20,000 videos, and most of them will be paid videos where they will want you to use their platform in a particular way that they want. It’s not a trustworthy source where you can find what you want to find. So, we said we’re already making so many reports, videos, and all these things. Why not make a free-of-cost, zero-permission application and put it out in the public? Because today you know that the thing has disappeared between what is an enterprise and what is a consumer—it’s all intersecting with each other. And that was the reason why we came up with the concept of SAFE Me, which is fairly unique.

We call it ‘re-engineering cyber consciousness’. That’s the reason why we didn’t say we want to give you learning or device security or deep and dark web exposure; we wanted to go ahead and go to the point where the app tells you your own breach likelihood score. The consumer version, which is free of cost, has access to 50 three-minute training videos, available in English and Hindi. And then you have a quiz based on that video. In fact, one of the taglines we like using is think of this like the Netflix of cybersecurity, where you can go in on your mobile phone, watch the videos and then take the quizzes.

Will you monetise the consumer business?

We intentionally stayed away from monetising from the consumers. Because if you see the history of most consumer apps, we feel that it’s better to make your app and give away most of what is out there free of cost. Because, on the business model side, we want to have the tagline that consumers are always free. We’ve not gone to that point where we charge individuals $36; we want it to be an enterprise deal, given the ticket size of the customers that we want. And remember, in our business plan, we never had monetisation of the consumer. Can we do it? Yes, we can. But I always like it when consumers are free of cost.

Are you planning something else in the consumer space?

I think the power of a mobile application is tremendous. And that was the other reason why we said that people-based assessment should not be anything but a mobile app. Because today a mobile app—the WeChats of the world, and even the Facebooks and the Instagrams—are not one app; they are a super app. There are a gazillion things you can do in one app itself. We want this app to become the super app of the world when it comes to cybersecurity, which by the way, today does not exist. We want to become that app through SAFE Me.

So, two parts to your answer. The first part of it, I am convinced that anything to do with consumers in the future, we’ll do a mobile app. And it will not be anything else. Because, we’re all going mobile first. So, this is our foray on the foundation stone of setting where we will go with the mobile app. That’s number one. Number two, because we now have a mobile app, I will extend things within the mobile app itself. So, there’s a set of features where my team has already started working for the next version of the mobile app. And that will take this to a completely different dimension and a different level.

The point I’m making is that I don’t need to come up with another product. In this itself, I can go deeper and deeper and deeper. And I want to keep it free of cost for consumers for as long as possible. In that way, I go to that point where, you know, my consumers are happy. And, you know, because our ticket size is generally a couple of crores a year for an enterprise, so I always want to go to that point where I’m able to monetise, but at that ticket size, and not the consumer version. That’s why you don’t see any ads as well.

What next for Lucideus? What will be your focus areas?

We are today, a global company with a presence across the Americas, Europe, Singapore, India, and other Asian markets. With the launch of SAFE Me and our enterprise offering SAFE, we want to continue expanding across the globe and continue to be the trusted advisor for multiple Fortune 2000 companies globally. With the launch of SAFE Me, it also opens new avenues for us and for the first time bring our industry leading product to the consumers.

Moving forward, we will continue to focus on bringing new features and capabilities to SAFE Me and truly become the one-stop solution to every human’s personal cybersecurity requirements. From an enterprise perspective, we now have a more compelling solution with the launch of SAFE Me where enterprises can not only measure and mitigate cyber risks across the infrastructure side, but now also manage people-related cyber risks, and turn it into the strongest link in their cyber resilience strategy.