Welcome to our Blog

The Foundry Files


Students vs. Startups EP. 51: Putting Cybersecurity Back in the Hands of Users

Students vs. Startups EP. 51: Putting Cybersecurity Back in the Hands of Users


Featuring CynjaTech

Read Time: 15 minutes

Welcome to Episode 51 of Students vs. Startups. This week, moderator John Gilroy talks with Dr. Chase Gunningham, the founder of CynjaTech. How did a company who started making apps for kids turn into a cybersecurity company? Listen below to find out!

[audio src="https://easternfoundry.files.wordpress.com/2018/02/students_vs_startups_podcast_episode_51-final.mp3"][/audio]
If you would like to get weekly updates sent straight to your phone, you can subscribe below on iTunes!


Thanks to our Sponsor:

00 00 00 radiant_logo


John Gilroy: Welcome to Students Versus Startups, Showdown on the Potomac. My name's John Gilroy. I'll be your moderator today. Big round of applause for Show Number 51. Yeah, 51 times. Al Gore hasn't shut us down. The FCC hasn't shut us down. I guess we're getting lucky here. If you've listened, you know what's going on here. We kind of took over a room at Eastern Foundry, got a little conference room here, big table. One side of the table, some students, the other side of the table, a startup. Have a little back-and-forth yelling and screaming, throwing chairs. After 26 minutes, we walk out of here fast friends.

On this side of the table, we have three students. Most of them are from Georgetown University School for Continuing Studies. I'll let Phil introduce himself, who doesn't need any introduction, I don't think. Phil, your background, please.

Phil Crawford: Yeah, hey, I'm Phil Crawford. I'm in my fifth semester at Georgetown University's Technology Management program, a senior consultant, basically helping federal CIOs do IT better, whether it's data center services, or making the websites accessible.

John Gilroy: So you're in the middle of the program. Is that right?

Phil Crawford: Yes, I am in the middle of the program.

John Gilroy: All right, great. Connie your background please?

Connie: I recently graduated in December of 2017, and I work as a clinical data scientist for PhRMA, just making sure that the data is clean and is meaningful.

John Gilroy: So Phil is just a wannabe and you're an actual graduate, right? And Matt, you're back on please.

Matt: Yes, I work for Georgetown University, been doing data analytics for them for about six months now, and before that was doing operations and support for academic programs.

John Gilroy: And your picture is all over the Internet at Georgetown University, isn't it?

Matt: Oh, I'm not greedy.

John Gilroy: Well, good or bad, it is. Well we've got some students with good technology background. Our startup is a company called CynjaTech. I'll spell that, C-Y-N-J-A, CynjaTech, and we have Dr. Chase Cunningham, he's the founder. Dr. Cunningham, how are you?

Dr. Cunningham: Great, thanks for having me.


IMG_2457.JPG Dr. Cunningham- Founder, CynjaTech


John Gilroy: Give us a little nutshell of your background before we go into the questioning please.

Dr. Cunningham: Sure, I'm a retired U.S. Navy, spent my career supporting special operations guys, so I was the unfortunate geek that wound up running around with all the dudes with too much ammo and way more, way too much testosterone. Did that, until I got medically retired from the military back in 2011. Came out and started just doing regular consulting work and what I would call hard-core cyber opts for the government and for companies. And then about four years ago, almost five years ago now, we started down this path of building up this CynjaTech platform.

John Gilroy: Interesting. So I know you fly a lot. What if you were to get stuck in the airport in Chicago, and the person next to you says, "What kind of a strange name? What's that company do?" So what business problem does CynjaTech solve?

Dr. Cunningham: Yeah, so what we really solve is fixing the giant problem you have with massive data security. If you look at the site, you'll see things around MicroCloud, and really what we're talking about there is flipping to security paradigm on its head. It used to be where if you go to a bank, everybody takes your money and they put it in those lock boxes, and you get your money, because it's your money and you have control of it, right? Well, the problem that we have with Internet data is you take all of your data and you stick it in someone's database, in their cloud, and you hope that they did their security, right? So what we've done is we've basically flipped that paradigm on its head and said, "If Chase Cunningham's data is going to be in an insurance provider's cloud or whatever else, I'm in control of that data, I manage, maintain, and control who has access to my information, based on the privacy controls that I put in place."

So really, what we're trying to do is give the individual back the power of control of their data using the security capabilities that are built into cloud capabilities anyway.

John Gilroy: Constance, I'm going to start off with you. When I first moved to town here, the joke was you can swing a dead cat and hit a lawyer. I think in town now, if you swing a dead cat you bump into a cyber startup. So lots of cyber startups in this town. I mean, there's dozens and dozens.

Connie: I know that there's a few around. I'm curious to know about who your clients are. Do you have some examples?


IMG_2445 (1).JPG Connie Chen


Dr. Cunningham: Yeah, so interestingly enough, we actually built the app a few years ago for kids and families and our thinking there was if we can make this sort of distribute, led to your privacy, security, controlled MicroCloud thing work for a bunch of five and seven-year-olds, then we could dang sure do it right for Enterprise. So we actually started off with a few, about 4,000, families that use this system currently. My kids use it, basically I give my daughter the iPad and I don't have to worry about what website she's going to, I run no antivirus on anything she uses, because she's in control of the secure sort of MicroCloud infrastructure, and I know that the controls are applied to her, then I don't have to worry about it. I honestly could care less whether or not, where she's going is secure, with quotes around it.

John Gilroy: Matt, when I read the phrase descriptive ledger, bang [inaudible 00:04:59], it's like the phrase of pace.

Dr. Cunningham: That's a sexy term, yeah.

John Gilroy: Yeah, I'm going to let you jump in here, Matt.

Matt: Yeah, I'm curious on both that and just general and NextGen IT and technology patterns and here's ... how are you tackling Internet of things, other sort of developing ideas and technologies?

Dr. Cunningham: Yeah, so unfortunately, we're at that sort of time in history where everything is taking off at speed of light times 10, after smoking crack or something. I mean, it's just crazy how fast this stuff is going. So what we've got a line on doing some things in IoT and whatnot. Honestly, we've had to sort of pick where we think we can win. And really where that is right now is enabling privacy for individuals within cloud infrastructures. The sort of Blockchain, speed push there really, we didn't even realize we were doing Blockchain when we started this thing almost five years ago, but we're taking Chase Cunningham Security Controls within that cloud infrastructure and spreading out who I talk to, where I talk, with the data that I share, based on whether or not the other individuals in that infrastructure have the same controls in place.

So I mean, really, this is Blockchain, bo, dah, oh, honestly, but thankfully now with cloud being as powerful as it is, we can do things at speed net scale.

John Gilroy: Phil Crawford.

Phil Crawford: Yeah, so I'm always curious about origins, history of companies. So I'm curious about the actual name itself. It almost looks like a couple things, a couple observations. It looks like it's cyber plus ninja, maybe together. There's also a symbol in red. I'm curious what the symbol is, and the name have any connection to your overall identity, what you're trying to do for your customers.

Dr. Cunningham: So, like I said, we started out with kids. And funny enough, we started because ... this is a horrible, horrible joke between us at CynjaTech, but ... So when I came out of the military, I did Cyber for the military and for NSA and whatnot, and we were always joking, people were always going, "Oh, you're like a Cyber Ninja. Ha, ha, ha, right?"

Phil Crawford: So that's right, yeah.

Dr. Cunningham: Yeah, so anyway, my partner, Heather, her nephew asked us to write a book for him and we wrote this comic book, and you can go look at it now, it's in four languages, and-

Phil Crawford: Cool. Wow.

Dr. Cunningham: It's literally the Cynja


IMG_2449.JPG Dr. Cunningham


Dr. Cunningham: Yeah, so it's out there and it basically teaches kids how to use the Internet safely and securely. So we already had a pretty good line on Cynja, and we thought, "Well, that's kind of cool, so we'll just stick Tech on the back of it," and now we have CynjaTech.

John Gilroy: Okay. User experience, remember Connie? Was our user experience? Seems like this would be a very user-friendly solution, wouldn't it?

Connie: Yeah, it does. I did take a look at your website and I saw your products for the children, and I thought it could definitely be applied to a lot of cohorts, other than children. But what are the similarities between your solution for families and companies?

Dr. Cunningham: So that's the great thing is we really built everything on an infrastructure that honestly is rooted in cloud and is mobile as well. So if a ... we're working with the insurance industry right now primarily, because the insurance industry has a real dedicated focus on trying to keep things private and controlled, and make it where the individual is in control of that, because honestly, they don't want to be responsible for it after that whole Blue Cross thing. Like one in three Americans, and it was bad.

So for us, it's really ... the infrastructure itself doesn't change. microCloud is a microCloud, a container is a container. If a company like MetLife or whoever comes along and says, "We would like to try this out." We just rip off the kitty skin and stick on a MetLife sticker and there you go. So the infrastructure itself lives, breathes, eats, and grows and changes, based on the needs of the platform.

John Gilroy: Now we're right here in Rosslyn, Virginia, all kinds of companies bounce around here. I can give you geography directions, Key Bridge, and everything else. A couple blocks north of here is a company called Ostendio, and they were a guest on the show previously. But there's a lot of similar companies to what you do. So who do you compete with, again a price level, or what level do you compete?

Dr. Cunningham: So we're really just now starting to roll in the enterprise area, and honestly, insurance was a pretty easy place for us to get into because they were willing to put the power of the control within the individual, rather than the company. Honestly, like I said earlier, they don't want to control that stuff, they know that it's a nightmare. So while we compete with some of those, like the one you were mentioning, and Vormetric, and some of these other companies that do encryption and containers and cloud, and whatever, they do pieces of a puzzle. We do all of that in one particular solution. So literally, when I've been doing this pitch decks and things like that, I show folks these are the six or seven other competitors that are out there, but they do one-seventh of what we do in one spot.

Matt: Matt ... I'm curious as just to speak to you as the founder, to kind of look behind the curtain and see what strategies have you used to grow the organization? Have you tried to do a lot in house? Have you looked to expand your employee pool? Or have you looked for other resources as you grow the company?


IMG_2433 (1).JPG Matt Pearson


Dr. Cunningham: Yeah, so we're trying pretty much everything that we can to be perfectly honest with you, because that's the nature of startup, right? It's hustle, hustle, hustle. So we've got about nine people right now that work at CynjaTech, but we've sort of reached out and brought in some consultants here and there, and things like that. We've got folks that live overseas as well, that are helping us, too. So right now we're at that stage where everybody's just fighting and clawing uphill, but as soon as we've got the customers that we're looking at landing right now, we'll be hiring a lot of folks to grow that.

Matt: So are you based in the Washington, D.C. area, or where are you based?

Dr. Cunningham: Yeah, Washington, D.C. area.

Phil Crawford: Yeah, so I think on Saturday, two of Apple's biggest investors, they released this open letter to the community about think differently about kids, the base of the premise was Apple needs to be more thoughtful about technology addiction for kids, for youth, and I was just curious, is that like an area you guys can see as potential interest? I mean, you already do the privacy security, but is that something you could be interested in tackling later down the line or-

Dr. Cunningham: Having been doing IT security for children and families of the last three plus years, I think there's tons of merit in it and I have two daughter's that are seven and nine, so I want to help families and kids, but the problem that we have is companies, be it Apple or whoever, don't see a whole lot of revenue generation within helping families and kids, to be perfectly upfront with you. I mean, look at Vtech that just had six million people's information breached, and they got a $600,000 fine, like whoopy do.

It's not a nature of, or question of whether or not they want to help, but when it comes down to it, and you go up and say, "Look, I need a million dollars, then I can secure every family in this country." They kind of go, "Mmm, how about I give you 10 grand."

John Gilroy: Yeah.

Dr. Cunningham: So would Chase Cunningham love to help families and kids? Absolutely. Today sign me up. However, in the auspices of growing the business, probably is going to be further down the road.

John Gilroy: A lot of trade shows come to town here. There's a real popular one in your community called BlackHat. Do you attend these shows? Is there any value to you? What do you think of these trade shows?

Dr. Cunningham: Yeah, I've been going to BlackHat for quite a long time, and RSA for quite a long time. I used to go, back when I had the badge that said, DOD, and no one would talk to me because they kind of figured I was one of the fed guys there, the haircut and the bad suit gave it away. But, yeah, I think those are great. BlackHat and DEF CON, and those are great to go and talk with all the other practitioners and really sort of grow the network, too, and then there's a bunch of smaller cons that come around here, like SchmooCon and DerbyCon and Suits to Spooks, and things like that that are also really good to go to. So, yeah, if you're in the cyber industry, you could go to a con every month, and it'd be worth it, honestly.

John Gilroy: Wow.

Dr. Cunningham: And then there's RSA in April, which is the big SEMA car show for cyber security, if you will.

John Gilroy: Yeah, the big one.

Connie: When you're talking to different clients, I'm guessing that there is different customizations you would offer them. Have you ever experienced where they would push back on a suggestion? If so, how do you deal with that?

Dr. Cunningham: Well, I think a lot of times clients push back on something, especially when they're talking about doing pilots and sort of customized platforms, when they don't exactly understand how hard it is to change things on the back end. So if it's one of those things where we're looking at a big time cost of infrastructure migration move or something like that, it's time to be frank with them and be like, "Yes, I can do that for you, but it's not going to be cheap. We're adding into this pretty quickly." If it's just a graphics thing or something small, then sure we'll make that happen, bend over backwards to keep the client happy. I think where people go wrong is they kind of just go and say, they just want to win the deal and go, "Oh, yeah, sure we'll make that happen." And then you wind up having to go back a month later and go, "Sorry, I didn't actually mean that. What I meant was I need a hundred grand to fix that problem." And that doesn't go too well with your client growth and they get kind of pissed off when you need more money, when you didn't in the first place.

Matt: You mentioned some of the leaks that's happened both in insurance and there's been banking, all sorts of areas. How have you ... I'm curious what's your perspective and then is it shaped to your business model, looking at the current regulatory state on an organization and their data?

Dr. Cunningham: Yeah, so as somebody that's grown up in cyber and writes about cyber and has books and whatever else, I think we have a fundamental categorical problem that we're still trying to apply old security paradigms to stuff that doesn't like to live that way. The perimeter is gone, BYOD, and cloud has obliterated all that stuff. The only thing that really matters is the data, and if you can secure the individual, then great. So that's really where we tried to focus is, I'm not worried about whether or not I can secure your laptop, I don't care what antivirus you're running, all that other stuff that you put in place that you think is going to save you and secure you, which obviously doesn't work, because we continue to have breaches. We've moved away from that and said, "Look, I know that I can ... if I put the power in Chase Cunningham's hands and he controls who he shares information with and does it like I do in my normal daily life, and we apply controls to my piece of that cloud, then we can manage it and maintain it."

It's kind of funny when people wrap their head around that because just like every day when I'm going to go talk with somebody about doing a business deal, I don't walk into a room full of a thousand people and scream at the top of my lungs, "Hey, I'm Chase, I was born in Dallas, these are my kids, here's my wallet, my dog's name is Chopper, dah, dah, dah." I go up and I hand them a business card and they have my phone number and email. That's what they need to start the deal. And once we've validated that they need to do business with me, and I need to do business with them, we exchange information. That's what we're talking about within a MicroCloud infrastructure. But we're applying security controls to those two individuals.

John Gilroy: Now Chase, I brought in this figure of the classic guy named Blake Hall who has a company called ID.me, and he talks about identity management. And so what if identity is compromised? I mean, how does this fit into your model?

Dr. Cunningham: So we mandate things within the MicroCloud infrastructure, such as to factor authentication such as validated controls. Because we've grown it out of dealing with families and children, where you have things like COPA, which means you have to protect kids' information from bad people, like sexual predators and pedophiles, and things like that. We had to build in controls that didn't exist within a regular corporate cloud infrastructure. So those things that now are optional where you would think about an ID be compromised or whatever, we've changed it around and said, "You have to have those by default." And I think from being a security practitioner and a former Red Teamer, it makes it infinitely harder. If you look around, you'll read that the goal in cyber is not to be perfect. The goal in cyber is to be better than the guy next to you, so that they go somewhere else. Because from a Red Teamer perspective, if I know I can get a hundred thousand people's information on some really terribly secured cloud, I'll go there rather than try and go on a cloud where I know they have mandated two-factor, mandated encryption, mandated secure protocols, that type of stuff.

John Gilroy: Now a Red Teamer is not a Boston Red Sox fan.

Dr. Cunningham: No.

John Gilroy: So tell us what a Red Teamer is.

Dr. Cunningham: A Red Teamer is somebody that's basically either paid or does it because they have nothing else to do and live in their mother's basement, and break into networks and systems, and things like that. I used to get paid for it, but I don't anymore. I've moved past that, I think, so. I don't live in my mom's basement either.

John Gilroy: Yeah, but I think a lot of them do, don't they. I'm just curious about your credibility. Does your background in the military give you more credibility in these situations, or are they ... again, wary your background ... and kind of holding back to it. Do they enjoy that, does that give you credibility?

Dr. Cunningham: I think with the way things are now, it kind of offers a little bit of credibility to it, because there are so many CISOs and security people that are coming out of the Intelligence Community and out of the military that are taking up pretty big, like C-level roles within big, big companies.

Five years ago, it was one of those things where people were really resonant to start saying like, "Hey, why don't you go play on my network, former Red Teamer guy, for the government." But now they seem to really gravitate toward that to be honest.

John Gilroy: So the concept here is penetration testing, and have you had any experience in that Phil?

Phil Crawford: No, I haven't. And I think it's something to be real interesting to know more about. But I would actually be kind of curious to know who do you view as your biggest competitors in this space?


IMG_2460.JPG Phil Crawford


Dr. Cunningham: So the folks that do encryption, the folks that do, like you were talking about ID.me, and Digi.me, and some of those other ones that are focused on personal private security and digital identity. Those are the ones that we would compete against directly.

Phil Crawford: Okay.

Dr. Cunningham: And I think that there's a real big push coming in Europe for privacy and for controlled cyber accesses. The U.S. is probably still two to three years behind Europe, but it's coming, with GDPR and some of the stuff that's growing over there, it's just a matter of time.

Matt: You mentioned living in your mother's basement. I'm curious for other people-

Dr. Cunningham: No more.

Matt: For other people looking to start similar companies, or looking to be where you guys were at three years ago, what was your funding model, funding perspective, how did you pursue getting to where you're at now?

Dr. Cunningham: We've raised close to a million dollars overall, three-quarters of a mil roughly. A lot of it was from startup ... or, excuse me, from angels reaching out to people that you know have got the money and don't have something to do with it, and sort of saying like, "Look, I have an idea, and here's the plan," and going forth with that. And then some of it's come from some very small venture capital funds and things like that. But we really didn't want to deal with any big-time VCs at the time because you can get muscled out of control of your company pretty quickly, so we've been extremely selective with whom we've talked with.

And luckily, Heather, who's not here, who's been really the major fundraiser in all this, she's a woman in technology, and she's a woman in cyber technology, so she's got a leg up when she starts asking for things, just because of that. And honestly, I'm really glad that she is a woman in technology, because we need more of them. I've got daughters and my seven-year-old is learning to write code right now. So I want more women. Actually, our second comic book has a female hero in it, just because we were trying to get more women in technology.

John: Wonder woman.

Dr. Cunningham: Right.

John Gilroy: Well, you know, there was an anime fair in town here just over the weekend. Hundreds and hundreds of people there, so it's a new way to communicate, different from an old guy, Dan Bricklin model of rows and columns, and everything else. So any business from the federal government? Or is that out of your radar, or-

Dr. Cunningham: We've actually put some stuff together with the VA, funny enough, because I'm a veteran, where we're talking about doing some stuff around private secure cloud infrastructure. We're not sure exactly where that's going to go, because it was just sort of an RF, request for questions from the government, but it doesn't mean that we wouldn't entertain doing business with the feds. Honestly, I think some of the technology that we're putting in the controls that we're putting in place, would be far ahead of what the federal government's asking for right now on an individual basis. It's still trying to put up great big walls to keep people out, and that just doesn't work. And if it didn't we wouldn't have had a billion records breached last year.

John Gilroy: So what you're saying is that the bad guy is already inside the walls.

Dr. Cunningham: Guaranteed.

John Gilroy: And even with encryption, that's not enough, because the bad guy could have encryption code as well, and so one way is through identity management, or role-based access to documents. Does that pretty much summarize . .?

Dr. Cunningham: Yeah, I mean if you still conceptually think about it, just like you have with your home or your apartment, I have a key to my house. I know it's safe inside of my house. I've got my controls. People come into my house the I want to allow, rather than I don't live in an open field with 10,000 other people and hope somebody shut the gate. That's what we're trying to get away from, and put the power back in the hands of the individuals to use data the way that they see it should be used rather.

John Gilroy: Well, great job, students, and great job startup here. We're running out of time, but if someone would like to have more information about your company, Chase, where would they go please?

Dr. Cunningham: www.cynjatech.com. C-Y-N-J-A tech.com.

John Gilroy: C-Y-N-J-A tech.com. Well, great. If you'd like to have show notes or links or a transcript, please visit the oakmontgroupllc.com. I'd like to thank our sponsor, Radiant Solutions. If you are interested in getting involved in geospatial projects, contact Radiant Solutions.

We are hosted by Eastern Foundry, a community of government contractors who are bringing innovative solutions to the government marketplace. More information, go to eastern-foundry.com. If you'd like to participate as a student or startup, contact me, John Gilroy, at the oakmontgroupllc.com, and thanks for listening to Students vs. Startups Showdown on the Potomac.