Karthik Krishnan, founder and CEO at Concentric.ai, talks about how their AI-powered solutions can discover and protect unstructured data.
1. Tell us how you came to be the CEO at Concentric. How much of your typical day is involved in innovating AI tech for your customers?
I’ve been a part of the security industry for years, at HPE, Niara, PGP and Juniper Networks. I met with lots of customers and every one of them – and I do mean every one – was struggling to secure their unstructured data. They were trying to use DLP or Data Access Governance tools to do it but the state of the art there was pretty miserable.
At the same time, I’d been keeping tabs on the AI space. At one point I realized that natural language processing had become accurate and granular enough to replace the rules and policies people were using to discover and categorize their data. So our co-founders, Madhu Shashanka and Shankar Subramanium, and I put the solution together. I guess we are an old-school startup – we’re innovating to build a better mousetrap that solves problems we deeply understand.
In a startup, the product is the company, so innovation takes up nearly all my time. Of course, now that we have a product in the market I’m spending more time on the Sales and Marketing side, but even then I’m taking what I learn from the field and using it to innovate the product.
2. What are the applications or rather opportunities you seek to have with your product?
We focus on data access governance for unstructured data, which includes all the documents, presentations, contracts, reports, PII/PCI and other business-critical information that, at least right now, is only as secure as content owners choose to make it. For example, we know our current work-from-home environment has led to an explosion of link-sharing – even for really sensitive information. Users create those links, and they’re often unrestricted and last forever. That’s handy for users but not a great practice for data security. It can lead to expensive fines, reputational damage, privacy violations, and all the other consequences of data loss.
As an industry, we’ve gotten pretty good at securing websites and databases. We aim to make unstructured data security just as manageable and effective. We have a report, by the way, with some hard data on just how extensive the issue is and the risk of data loss that the issue poses.
3. How did you define the vision of Concentric? How did you approach your first 100 days as the CEO at Concentric?
We’re committed to pioneering AI-powered solutions that can discover and protect unstructured data so security pros can deliver comprehensive least-privileges access controls on their most sensitive data. This is a transformative approach to data security – it eliminates rules, guesswork and overhead while dramatically reducing risk and improving coverage.
As far as my first 100 days, we spent a huge amount of time interviewing customers to really nail down what they need. I think we must have conducted more than 60 in-depth interviews. It was time well spent.
4. What are some of the unique lessons you have learnt from analysing your customer behaviour?
Data security professionals are smart. They’re not afraid to tackle complex, tough problems – but they really detest clutter and lack of visibility.
Two lessons out of that. First, the cure can’t be worse than the disease. Alert fatigue is instructive here. When an avalanche of security warnings causes people to just throw up their hands in frustration, you’ve lost. The equivalent in the data access governance world is rule fatigue. Rule maintenance is a beast and at some point, people just give up. The lesson? We need clarity and simplicity, even in the face of complex problems. The second lesson is the need for automation. Automation delivers scale, and scale is the only way to get coverage when you’re trying to protect tens of millions of files with ever-smaller security teams.
5. Concentric was recently in the news resolving data security threats with an AI-based solution. Can you elaborate more on the same? How do you feel about being the industry’s first AI-based data access governance solution provider?
Yes, we recently announced an expansion of our Risk Distance analysis capabilities to help identify data at the intersection of risk, business criticality and urgency. Risk Distance compares the security of an individual file with peer file security practices to spot risk, and it does it completely autonomously. No rules, policies, configuration overhead or model training. It’s the first new approach to unstructured data security in a decade. The solution just keeps getting better and I’m very proud of our team!
6. Are the frameworks for data risk monitoring different for SMBs and Enterprises? What are your top 3 suggestions for InfoSec teams in both?
We’re big believers in the least-privileges model for data access governance. The goal is to restrict access to only the people with a need. But least-privileges is hard to implement, whether you’re a huge multinational or an SMB. That’s one thing companies of all sizes have in common. Having said that, here’s the advice I’d give to SMBs vs. Enterprises:
For SMBs, my three suggestions are:
1 – Automate. Find solutions that can automate some of your high-overhead tasks and use them to extend your staff.
2 – Leverage. One of the most compelling aspects of emerging AI technology is its ability to deliver expertise to your door. Skilled staff is getting harder and harder to find.
3 – Reduce. Specifically, reduce your attack surfaces by curating your organization’s sharing and SaaS resources so you’re not dealing with dozens of ad hoc services. Bigger companies can manage a large SaaS portfolio – smaller companies usually can’t.
For larger companies, my three recommendations are:
1 – Enable. Increasingly, business units are choosing – and even implementing – their own SaaS solutions. IT teams need to think strategically about how to enable this trend without breaking the back of the security team.
2 – Extend. Technologies such as AI-enabled data discovery and categorization are useful not just for data loss prevention but for internal information control, cloud migration support and more.
3 – Simplify. Even though you may have the staff to tackle a complex, rules-driven solution, most organizations are surprised at how quickly the rules-and-policies monster can grow.
7. How do you keep pace with the rapidly changing tech space?
My two co-founders – Madhu Shashanka and Shankar Subramanium – are great sources of information for me. And of course I spend time keeping tabs on big news in the space, product announcements, marketing initiatives, and other happenings.
In the past I would have probably said tradeshows, but that’s not happening right now. I’ve done a few virtual meetups but I think the jury’s still out on how to best replicate that in-person experience. I look forward to shaking hands again!
8. What are some of the common pain points that your customers commonly approach you with?
Regulatory pressures are certainly a big motivator. GDPR and the CCPA have expanded both the definition of privacy and the financial consequences of ignoring the issue – so that’s in the top three. Another big pain point comes in when organizations start transitioning some aspect of their business to the cloud. One of our customers, for example, was building a cloud-based data collection capability, and we helped them secure their data so they could gain customer trust. And finally, many customers want to improve data access governance (DAG). DAG solves a bunch of pain points, ranging from internal information walls to least-privileges programs that can reduce the risk of ransomware or insider compromises.
9. What advice would you like to give to the upcoming Data Risk Monitoring start-ups?
Buckle up. The technology we’ll be using in 5 years will be astonishing. Keeping up is going to be the hardest part of your journey.
10. Can you give us a sneak peek into some of the upcoming product upgrades that your customers can look forward to?
Concentric’s Semantic Intelligence solution today focuses on assessing risk based on how data is shared and managed. Increasingly, you’ll see us use AI to understand other aspects of risk, such as the activities on a file, for example. We’ve already rolled out our initial activity-based solution – but we have even more surprises in store in 2021.
11. Which is the one InfoSec breakthrough you will be on the lookout for in the upcoming year?
I don’t necessarily believe in InfoSec breakthroughs. I wrote a piece called “The Red Queen” for Forbes that describes cybersecurity as an ever-escalating arms race. To me, a “breakthrough” implies you think you’ve leapfrogged the cybercriminals – and that’s just a dangerous way to think. Drop the hubris and keep the paranoia if you want to survive in this industry.
12. What is the one leadership motto you live by?
“It’s amazing what you can accomplish if you do not care who gets the credit.” That’s a Harry S. Truman quote, by the way. We’ve thought about company culture quite a bit – you can read more here.
Karthik Krishnan
Karthik is the Founder/CEO at Concentric AI, a venture-backed data security company. Previously, Karthik was VP, Security Products at HPE, where he was responsible for their security portfolio. He was part of the founding team and VP, Products at Niara, a security analytics company focused on user and entity behavior analytics. Karthik has more than 15 years of security and networking experience at several companies, including Neoteris, Juniper Networks, PGP and Symantec. He earned his BS in engineering from the Indian Institute of Technology, Madras, India and an MBA with distinction from the Kellogg School of Management, where he was an F.C. Austin Scholar.