Start your day with intelligence. Get The OODA Daily Pulse.

Subscribe Sign In

Home > Analysis > Nate Fick on Company Culture, the Cybersecurity Community, Endgame/Elastic and Emerging Cyber Threats (Part 2 of 2)

Nate Fick on Company Culture, the Cybersecurity Community, Endgame/Elastic and Emerging Cyber Threats (Part 2 of 2)

OODA Original

12/06/2021 | Written by: Daniel Pereira

In March 2021, Matt Devost had an OODAcast conversation with Nate Fick, whose career has been eclectic with a throughline of demonstrating superior leadership abilities in a diverse array of successful opportunities. Nate is currently a General Manager at Elastic, having joined the firm with their acquisition of Endgame where he served as CEO. After graduating from Dartmouth, Nate took the unconventional path of joining the military and serving as a USMC officer, leading some of the first U.S. troop deployments into Afghanistan and Iraq after the September 11th terrorist attacks.

His service in the military is chronicled in his New York Times best-selling book, One Bullet Away. The book was also a Washington Post “Best Book of the Year,” and one of the Military Times’ “Best Military Books of the Decade.” Nate also served as the head of the esteemed national security-focused non-profit think tank, the Center for a New American Security, and has had a ten-year tenure as an operating partner at Bessemer Venture Partners.

We continue our effort to underscore certain patterns and themes found throughout the OODAcast library of over 90 conversations with leaders and decision-makers, on topics such as leadership, clear decision-making while operating in a low information environment, future threats, and strategic action.

In Part I of this conversation, Matt and Nate discuss lessons learned from leading a non-profit, writing One Bullet Away, Stoicism, and dynamic leadership.

Here, in Part II of the conversation, Matt and Nate discuss building a company culture, leadership in the cybersecurity community, the business model and value creation/capture play that is the Endgame/Elastic merger and emerging threats in cyber.

“…you have a great reputation as a kind of outsider who came into the community to lead some of these hyper geeks.”

Matt Devost: I have always found that from a leadership perspective, especially in startups, I have more stress about my employee’s putting food on the table and the impact on them than my family and personally, and that is something I have always tried to reconcile and until I finally accepted it and said, “it’s okay, that that’s the essence of leadership is that you’re taking responsibility for others.” So obviously that weighs heavily.

Nate Fick: The good thing, Matt, I want to work for people and on teams who have leaders like that. And so, I feel like it is good behavior to try to perpetuate. We had a company picnic once at Endgame, early on when it was one of those times when things felt very precarious to me. And I did not know how it was all going to turn out. And I just remember looking around not only at the employees, but at their spouses and their kids, and like thinking about all the braces and all the eyeglasses and all the school tuitions and all the car payments and all the mortgages and like all this stuff that all the peaceful home life and everything that depended upon on us do doing this well and doing it right.

And, quite frankly, getting lucky too. It is a real sense of responsibility. There is a lot of cynicism, I think, today about business writ large. But the fact is businesses are such an intrinsic part of so many of our lives, our employers, our spouses, and we rely on them for so much that I think if you are going to be an entrepreneur today, I, I hope that you can believe in the power of businesses to do good in society, to do good by their employees, to do good by their communities. And I do not think that is in any way at odds with a profitability imperative.

Devost: Yeah, no, I agree. I used to spend money as a business person you want to take care of the employees, but you can make a strong business case as well for taking very good care of your employees. At FusionX, I remember we paid for the very best health plan I could provide, and we paid a hundred percent of the costs and a lot of employees asked, “Why would you do that?” or “We could save expenses” and my perspective was that healthcare is a huge stressor for families. It is a huge distraction. If you have to get three referrals to make your way to the ear specialist to check on your kid’s issues, that creates stress and anxiety. And if there is something I can do that, at the end of the day, is not a huge expense that helps minimize that stress in that environment and makes them also more productive as employees. So, it is beneficial to the employees and you are taking care of them, but there is a business benefit as well to treat your employees as well as you can.

Fick: Certainly. And, I think in security, and it is true in many industries, but I think it is definitely true in security. The talent market is so tight, right? And, and everybody is, in a sense, a free agent. And you have got to persuade people to join your team, commit and give their time and their energy to what you are trying to do. And that absolutely requires you to treat people really well.

Devost: So how did you find the transition to security? That was a question that I wanted to ask you. It is a fairly tight-knit community. And you came in, primarily as an outsider, you had the military experience, but did not have the cybersecurity experience. So how did you adapt to being a leader in the cybersecurity community?

Fick: I think it is a work in progress for me still. I am not the kind of security entrepreneur executive who is going to be on the Black Hat Review Board. Like that is not me. Luckily Jamie Butler is on our team. I think you are. I am I’m not a guy who’s been steeped in this stuff since I was 14 years old. I think that the security community is motivated by an incredible sense of mission and purpose. If I boiled it all down to what are the sort of the tenants of this community? There is a really healthy technology geekdom for sure. And there’s a massive sense of purpose and a belief that what we do matters and that what we do is intrinsic to basically, I don’t think it’s hyperbolic to say, the future. The future of the economy, the future of the nation, the future of the world.

So throw me into a group of really smart and mission-committed people. And I think I can find my way. And I’ve been really fortunate to work with an incredible team of security technologists over the course of the last decade who have helped keep me honest.

Devost: Excellent. We have a great reputation, as I mentioned, it’s a tight community, with lots of information sharing and a tremendous amount of respect for your leadership, the style, and what you’ve done with the team at Endgame and now at Elastic. So it definitely doing something right, because you have a great reputation as a kind of outsider who came into the community to lead some of these hyper geeks.

Fick: I appreciate that. Thank you.

“…recognizing that if we are going to join forces, we need to bring the team along, or else the value goes away.”

Devost: I want to transition and ask you a little bit about the world in general, but I’d love to hear more about what you’re up to now with Elastic. Endgame was acquired by Elastic. What are some of the important issues that you’re working on there right now?

Fick: Maybe I can answer that by kind of going back a little bit and telling a little bit of the story that, that brought us to this point because I think that teams go through these journeys and I know you were leading the team at FusionX over what was it? seven or seven or eight years? Like about the same duration as my attorney at Endgame? And over the course of those seven or eight years, I think we as a team began to develop, based on experience, some really deeply held kind of core convictions about where things were going and what really matters. And they almost exist at the level of philosophy. But I’ll try to tease them out a little bit because they informed what we did.

One was a belief that this incredible tight-knit nature of the security community is almost Shakespearean. It’s like the community’s greatest strength, but it can also be a weakness. And there can be an inclination to draw the dark curtain, across and say, “Hey, this is classified, or “you wouldn’t understand just trust us.” There’s a little bit of a black box in parts of the security community. There’s a little bit of this black box ethos. And it is not everywhere of course, but it’s there. And we developed a conviction that more openness in some sense of security was going to be a good thing. Good for culture and recruiting and diversity and inclusion.

And, and just the idea that we’re in this competitive talent market. I want to be able to fish in every part of the pond, right? To build a team good for customers who generally aren’t served by black boxes. Aren’t generally served by vendor fragmentation. Good for the users who generally are best served by a rich ability to customize and to develop a workflow that fits into the way that their team or their business operates. So, there was this emerging conviction in our minds that openness was going to matter. It was going to be a big, important part of the future. There was an emerging realization in our minds that the data problem was becoming increasingly overwhelming, right? That we were, for a few years, we were function forced.

Fick: We were focused on the front end of the product. And by that I don’t mean the user experience necessarily, but I mean, features and functionality that are in the security market, kind of caught in this never-ending cat and mouse game with the adversary, right? Where every Attacker TTP results in a new Defender TTP. And that while, while we were kind of pursuing that kind of game of 10-foot walls and 12-foot ladders, we realized that we re-architected the backend of the product a couple of times in order to try to keep up with the overwhelming data challenge. And the second time we went through the process, we ended up long before joining forces with Elastic.

We ended up choosing Elastic as the back end for the Endgame product because it solved the scale and speed issues that we felt were going to be increasingly “core” and prevalent in what we were doing. So there was this openness issue. There was this core data issue. There was a cultural issue and sort of a belief that every aspect of technology, obviously, requires a lot of innovation. Something that’s unique to security is the fact that you’ve got a living, breathing, human being on the other end of the connection, right? And so, it introduces this different competitive dynamic, not only market competitive but adversary competitive. And all those things kind of led us, as I look back on it again, these things sometimes only make sense in hindsight, led us to combine Endgame and Elastic.

I reached out to Elastic CEO Shay Banon and we got to know one another. And it was clear Elastic started out as an open-source business and hundreds of millions of downloads of the Elastic stack globally and big global community of users, this organic grassroots, bottom-up enthusiasm coupled with the core Elastic stack and the ability to make sense of vast amounts of data in a way that we thought was differentiated for a long time. And culture. Back to that point about talent and people. And recognizing that if we are going to join forces, we need to bring the team along, or else the value goes away. And I was going to have a really hard time bringing the team along into a combination that they perceived as legacy or stepping backward. It had to be a step forward in an exciting direction. So that is the backstory to get to where we are today.

“We had security users…who were making this kind of devil’s choice decisions about what data they kept and what ended up on the cutting room floor.”

Devost: And so today the focus is around when is data science going to have an impact in cybersecurity? And there is kind of a pathway where three things need to happen. First, cybersecurity was not collecting the right data. We were collecting data, but it was not the right stuff with the right level of granularity. And I feel like with Endgame you have helped to start solving that problem. Second, you’re going to have to be able to store it on mass to be able to do the real data analytics, which is kind of the Elastic piece. And now the combined entity is you have to be able to apply the data science to the data that you have collected to solve those problems. That is what has evolved in the Endgame and the Elastic combination.

Fick: Yeah. I mean, I think that is right. And I am never going to have credibility on this, I will always be questioned in this because it sounds like I am talking about my own book. But I absolutely believe those three pieces. And I would even add a fourth, which is like, it is not enough then to be told, hey, you have a lion in your house. You have to enable some sort of response that is going to be, timely, appropriate, a business context to solve your problem. And I, we have those four elements now by taking a decade-plus of massive commitment to the core data problem at Elastic and then injecting a couple of hundred people with their proverbial 10,000 hours of security expertise and say, okay, this is a powerful combination.

I think that a customer lament that I heard all the time at Endgame, that I think that many in the security market identify with, is we had security users in their SOC (security operations center) who were making this kind of devil’s choice decisions about what data they kept and what ended up on the cutting room floor for cost reasons or for retention reasons even absent costs, but just sheer ability. And we can eliminate that and eliminate those kinds of decisions and say, okay, you need the ability to ingest kind of all this security-relevant data or potential security-relevant data. You gotta be able to store it for some meaningful period of time. And make sense of it and act on it and do it all in a cost-effective way. And, oh, by the way, do it in a way that does not add to the vendor proliferation and fragmentation in your environment. And so that’s kind of fundamentally the problem that we think we can solve.

“The most effective defense is informed by a very fine-grained understanding of offense.”

Devost: Excellent. As a guy who runs a company named after the OODA Loop, I am happy to add the act component into that cycle. So, yeah. Cool. You mentioned kind of the unique nature of cybersecurity and that you have the living breathing adversary on the other side. And you wrote the Harvard business review article, that I wanted to write, about “turning the map and cyber.” So, step us through your perspective. What do you see as kind of the threat environment out there from a cybersecurity perspective?

Fick: One of the realizations I’ve had, as you said as an outsider coming into this community, is that I think we all bring our own kind of experience and some preconceived notions about any problem that we are working on. And some of my preconceived notions and experiences are apart from this community and I’ve tried to apply them here in ways that that might resonate. And that idea of turning them around was drilled into me in the Marines. And, and in that case, we did it literally, right? If we are launching an attack or doing reconnaissance or something, literally take your physical map and turn it 180 degrees and look at your plan on the map from the perspective of your adversary.

And it can be really illustrative. All of a sudden you realize, oh man, from this hilltop they have a line of sight into exactly what we’re doing. We wanted to bring that perspective to bear in cybersecurity. And meant trying to state that the best defense in cybersecurity is not a good offense, at least not for a company. It might have some validity for nation-states, but not for a company. And the most effective defense is informed by a very fine-grained understanding of offense. And so, we wanted to take some of the best offensive operators we could find out of places like NSA and the Air Force and other parts of the government and task them with building the defense that they didn’t want to encounter when they had the American flag on their shoulder, right. When they were doing things on behalf of the nation, and at a conceptual level that framework proved to be pretty helpful. So sorry, I lost the thread of where I was going with that, but that’s the mindset.

“We need to have a credible deterrent policy on the part of the U.S. government. That’s hard to do [in the U.S.] for a bunch of technical reasons.”

Devost: I definitely relate, with 25 years as a Red Teamer, the perspective that we’ve taken as the outside in, or even with the mirror image training that we did back in the Terrorism Research Center days, where the idea was to get the good guys thinking like the bad guys to better understand the perspective. From an adversary perspective, is there a particular attack, vector, or set of attackers that you are most worried about or that you think we need to be concerned with?

Fick: Yeah. It’s interesting. I tend to look at activity in the cyber domain, again, without getting into a semantic argument about whether this is a domain or something different, but online activity by geopolitical adversaries in my experience tends to track somewhat their behavior elsewhere, right? It’s another tool in the pursuit of national objectives. So, this is an oversimplification, but let’s go major actor by major actor. You’ve got the Chinese who are involved in a whole of government, the whole of the economy, the whole of society geopolitical competition with the United States in a lot of ways to define norms, values, if not globally, then at least in a large portion of the earth in its 21st century. And they’re using every tool, I mean, rationally and understandably, using every tool at their disposal to do that, including cyber tools. The Russians are, more disruptive.

Let me finish on the Chinese. So, think about the systemic long-term, and systemic, and long-term I think are two good hallmarks of Chinese cyber activity systemic and long-term compromise of intellectual property, particularly defense-related intellectual property, the United States, and then building a social graph of people in the United States who are, or potentially will be, in positions of national influence and responsibility. And if you sort of turn the map around and think about geopolitical competition from a Chinese perspective, those are smart and rational acts in my view. I think the Russians are a little bit more of a wild card, right? Economically a lot weaker demographically, a lot weaker, a little bit more prone to kind of tantrums on the world stage. And you see that reflected in the cyber world. Iran, similarly, you can sort of track changes in Iranian cyber activity based on the nuclear deal during the period where the deal was held and then kind of post-deal.

The North Koreans are a total wild card, and it’s hard to ascribe totally rational behavior to North Korea. So those are the big adversarial actors. I think the technique that is probably most prevalent, most disruptive for most organizations, is ransomware. Sometimes ransomware is tied to nation-states. Sometimes it’s tied to criminal groups. But that’s just, in terms of sheer prevalence, that’s probably what we see more than anything else. And then the last piece in security, in my view, is that offense has a structural advantage: the proverbial dollar of offense beats a dollar of defense generally.

What that means for most companies is I don’t care if you’re a wall street bank spending hundreds of millions of dollars a year on security, you are still going to be structurally disadvantaged if you’re up against a nation-state adversary. This is one of those places where even a free-market entrepreneur can raise a hand and say, we need the government very tightly involved in this space because only the government can marshal the power needed to deter nation-state actors in cyberspace. If we leave it up to individual companies, even big companies, they are going to lose. And so, we need to have a credible deterrent policy on the part of the U.S. government. That’s hard to do here for a bunch of technical reasons.

“Turn the map around: if I want to attack the F-35, I want to attack a major defense contractor.”

Devost: So, putting your Bessemer hat on, are there technologies or principles that are emerging either in cybersecurity or at the national strategic level that you’re encouraged by, that contribute to, I don’t want to say solve the cyber defense problem but, at least contribute greatly to it over the next five to 10 years?

Fick: Yeah, for sure. I mean, everybody’s hope is that you’re going to see some silver bullet and there’s going to be a shift in the balance of power. I don’t think that is likely. We used to say, and in the Marines, we didn’t encounter a lot of problems that had silver bullet solutions, but we did encounter a lot of problems that had thousand lead bullets solutions. And that’s a little bit of a case here – where it’s the combined energy of a lot of technologists and a lot of entrepreneurs and a lot of government policymakers and a lot of intelligence community folks, like all of that together can perhaps tip the balance in favor of stability instead of instability.

There are a lot of interesting areas. I think one that COVID has highlighted. COVID generally I think in this space has been an accelerant – as it has in so many areas of the economy – it has accelerated transitions that were already underway. It has accelerated attention on problems that we all knew were problems, but they become more urgent, more pressing problems because of the changes globally due to the virus. One of the ones that I think is interesting is supply chain visibility, supply chain security.

The idea is that risk federates across these interconnected environments. And yeah, it is turn the map around: if I want to attack the F-35, I want to attack a major defense contractor. I sort of look at the soft underbelly and the mom-and-pop contractor that is daisy chains down the supply chain. It’s really interesting to think about how we can apply, particularly some of the data science and visibility principles that we’re applying in other parts of cybersecurity, and federate them along the supply chain. I think that’s one of those places that can move the needle in the right direction.

Additional Reading:

Part I of this conversation: Nate Fick on His Early Career, Writing ‘One Bullet Away’, The Stoics and Dynamic Leadership (Part 1 of 2)

Nate’s book One Bullet Away

Meditations by Marcus Aurelius

Turning the Map in Cyber

Elastic Security

ElasticON Public Sector 13 April

The original OODAcast: OODAcast: Nate Fick on Dynamic Leadership and Adapting to Change

Other recent OODAcast thematic posts

John Robb on Hyper-networked Tribes, Digital Sovereignty, Digital Identity, Digital Rights and “The Long Night” (2 of 2)

John Robb on the Early Internet, Frameworks to Drive Decision Making, Network Tribalism and Emerging Threats (1 of 2)

Chet Richards and the Origin Story of The OODA Loop (Part 1 of 2)