Skip to content
Don't miss

Get the daily Cyber Briefing in your inbox

SIGN UP
Podcast

The One-Way Street of Digital Transformation: OT Cybersecurity with Nozomi’s Edgard Capdevielle

Season 2 Episode 19 •

Show Notes

In this special RSA Conference edition of Cyber Focus, host Frank Cilluffo sits down with Edgard Capdevielle, President and CEO of Nozomi Networks, to unpack the evolving landscape of operational technology (OT) cybersecurity. Together, they explore how digital transformation and the convergence of IT and OT are reshaping the threat environment for critical infrastructure. Capdevielle outlines the three major phases of the OT security market, reflects on the role of AI and legacy systems, and explains why visibility remains foundational to cybersecurity. The conversation also highlights the growing risk from nation-state actors, the breakdown of air gap assumptions, and the tangible steps owner-operators must take to build resilience.

Main Topics Covered:

  • Defining the three phases of OT cybersecurity market maturity
  • The impact of digital transformation and IT/OT convergence
  • Why visibility remains the top concern for infrastructure operators
  • The role of AI in passive detection and firmware profiling
  • Nation-state threats, air gap fallacies, and Volt Typhoon’s implications
  • Practical steps for operators to improve risk visibility and resilience

Key Quotes:

“Digital transformation is a one-way street. We’re only going to automate more — automate everything — and IT and OT are only going to converge more.” — Edgard Capdevielle

“You cannot protect what you can’t see. So having a layer of visibility is number one.” — Edgard Capdevielle

“Air gapping has been our number one enemy because it’s not real… It’s brought a level of comfort that is not good for us.” — Edgard Capdevielle

Relevant Links and Resources:

Guest Bio:
Edgard Capdevielle is President and CEO of Nozomi Networks, a global leader in OT and IoT cybersecurity. He has a background in computer science and more than two decades of experience in cybersecurity and enterprise technology. Prior to joining Nozomi in 2016, he held leadership roles at Imperva and EMC (including post-acquisition work with Data Domain) and has served as an investor and advisor to several successful startups in the security space.

Transcript

1
00:00:00,000 –> 00:00:01,000
Edgard Capdevielle [00:00:00]:
Digital transformation is a one way street. We’re only going to automate more, automate everything. And ITOT are only going to converge more. One way streets.

2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:12]:
Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo and this week we are on set at RSA, and I have the privilege to sit down with Edgard Capdevielle. And Edgard is the CEO of Nozomi and president as well. One of the largest OT companies in the, in the country and in the world, and really excited to try to bring the OT issues to life. When everyone around here is talking cyber, OT doesn’t always get the attention it deserves and quite honestly, it should. So, Edgard, it’s a pleasure, pleasure to be with you. Thank you.

3
00:00:02,000 –> 00:00:03,000
Edgard Capdevielle [00:00:50]:
Thank you, Frank. It’s a pleasure to be here.

4
00:00:03,000 –> 00:00:04,000
Frank Cilluffo [00:00:51]:
So I thought we’d start with, I mean, maybe just painting the landscape in terms of what you’re seeing as, I mean, you’re getting so much information coming in and you’re in a unique position to be able to paint that. So a little bit of the landscape and then maybe the various phases that we had discussed earlier.

5
00:00:04,000 –> 00:00:05,000
Edgard Capdevielle [00:01:09]:
Yeah, absolutely. I think our market has gone through different phases, different transitions. We started our journey here at Nozomi about 13 years ago. I joined eight and a half, almost nine years ago. And that phase was what I would call the educational phase, maybe evangelical even, where we had to educate the public as to the need for our solutions. It was not a natural pool, if you will, from, from customers. We only had basically Stuxnet as a sample of an incident.

6
00:00:05,000 –> 00:00:06,000
Edgard Capdevielle [00:01:40]:
And the need for operational monitoring of industrial control networks was not as evident as a top priority. In the US, episodes like Colonial Pipeline, and we can argue whether it was IT, OT, it doesn’t really matter. But the impact of an incident that could affect our lives so significantly. And we have different episodes around the world. In fact, you know, today during, during RSA, not today, but this week during RSA, we have what I think is the biggest blackout Europe has experienced.

7
00:00:06,000 –> 00:00:07,000
Frank Cilluffo [00:02:09]:
Absolutely.

8
00:00:07,000 –> 00:00:08,000
Edgard Capdevielle [00:02:10]:
Which is another episode. We’re still arguing whether it’s cyber or not cyber. I actually don’t think it’s cyber, but the point is…

9
00:00:08,000 –> 00:00:09,000
Frank Cilluffo [00:02:16]:
But the impact’s the same, right?

10
00:00:09,000 –> 00:00:10,000
Edgard Capdevielle [00:02:18]:
The impact to our livelihood as human beings. It has. So Colonial Pipeline really marked for us if we want to look for a hypothetical virtual marker to the transition from evangelical to okay, it was an acceleration to the process of digital transformation and acceleration to IT/OT convergence. And what does that mean? That means that in the past, during these initial evangelical or educational period, the power and the authority and the budgets lived outside in the plants. It really accelerated, Colonial Pipeline, accelerated the centralization of authority. CISOs had got their finger pointed at them.

11
00:00:10,000 –> 00:00:11,000
Edgard Capdevielle [00:02:59]:
So like what are we doing to protect our refineries, our mines, our facilities, our substations and CISOs. 99% of the CISOs grew up through the IT security ranks.

12
00:00:11,000 –> 00:00:12,000
Frank Cilluffo [00:03:09]:
Absolutely.

13
00:00:12,000 –> 00:00:13,000
Edgard Capdevielle [00:03:10]:
And so the knowledge of OT is lacking. So as this budgets and authority centralized, some of these teams came along and the CISOs have deputized them because those are the experts. And that’s the characteristics of this second phase. I believe fundamentally we have transitioned into a third phase.

14
00:00:13,000 –> 00:00:14,000
Frank Cilluffo [00:03:27]:
Okay.

15
00:00:14,000 –> 00:00:15,000
Edgard Capdevielle [00:03:27]:
And the marker for that phase, whether we like it or not, is Gardner. Gardner has published a magic quadrant for our space. They’ve called it the Cyber Physical Systems Protection Space. And cyber-physical systems is nothing more than the combination of OT and IoT. And they have, they’re very similar, they’re cousins, if you will, from the attributes perspective. And it’s a new attack surface and we have to protect it. And I think the catalyst for this third phase is really if Gartner has a magic quadrant, CISOs, not only they have a lot of reasons for the boards to look at them for, for cybersecurity, but now you can’t really justify not having a category spend in your budget for that.

16
00:00:15,000 –> 00:00:16,000
Edgard Capdevielle [00:04:07]:
So, so it’s, it’s this phase we’re calling mainstream.

17
00:00:16,000 –> 00:00:17,000
Frank Cilluffo [00:04:10]:
And, and you brought up visibility. Having visibility across IT/OT, that’s not a luxury anymore. It’s a necessity.

18
00:00:17,000 –> 00:00:18,000
Frank Cilluffo [00:04:17]:
It’s a necessity. Correct.

19
00:00:18,000 –> 00:00:19,000
Frank Cilluffo [00:04:17]:
And do you see a day where IT/OT SOCs will be a single SOC or any sort of security awareness? I know there you have unique differences and the like, but if you’re the CEO, you really don’t care whether it’s perpetrated by a bad actor or it’s an accident. At the end of the day, if it affects customers, it affects customers.

20
00:00:19,000 –> 00:00:20,000
Edgard Capdevielle [00:04:39]:
I always like to say, when we live in the day to day, it’s very hard to see the big picture. So if you pause from the day to day and you step out and you ask what movie are we living in? The movie is called digital transformation. And what is digital transformation? It’s like we’re automating more, we’re automating everything. And that is a one way street. It’s not a two way street. We’re going only in one direction.

21
00:00:20,000 –> 00:00:21,000
Frank Cilluffo [00:04:59]:
You’re right about that.

22
00:00:21,000 –> 00:00:22,000
Edgard Capdevielle [00:05:00]:
The subchapter for us is called IT/OT convergence, which is part of that digital transformation. And it means that OT practices, skill sets, technologies are eventually going to converge with IT. Also a one way street?

23
00:00:22,000 –> 00:00:23,000
Frank Cilluffo [00:05:12]:
Absolutely. No, I think that’s very well said.

24
00:00:23,000 –> 00:00:24,000
Edgard Capdevielle [00:05:16]:
Answer the question, would we eventually see a converged SOC? I think the days of, hey, the socks are going to be forever and universally separate. Those days are gone. Those days belong to the first phase of this market. I think OT has certain characteristics. We’re dealing with a physical process, generating electricity, refining oil, mining materials. And an IT person may not necessarily, hat’s what makes OT different, that you’re associated with a physical process. So I think there’s always going to be a specialty associated with OT, but it’s not going to necessarily require, especially as we progress through this movie, a separate SOC.

25
00:00:24,000 –> 00:00:25,000
Frank Cilluffo [00:05:52]:
Visibility is visibility. Right? One of the differences though between OT is you’ve got legacy systems, some that are 30 years old, that are being connected and netted together with IoT devices and the like. So it does require, I mean, it’s great when we’re building the highway, the best time to build something is to bake it in. But it’s sometimes harder when it comes to OT just because your exposure.

26
00:00:25,000 –> 00:00:26,000
Edgard Capdevielle [00:06:15]:
99% of what’s out there is not new.

27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo [00:06:17]:
Is not new, but it is being networked in some way. So what are you, what are you hearing most from critical infrastructure owner operators? What are their biggest concerns?

28
00:00:27,000 –> 00:00:28,000
Edgard Capdevielle [00:06:29]:
Visibility continues to be number one. I think we’re still in the very early innings of this game now, changing from movies to baseball games. We’re in the early innings.

29
00:00:28,000 –> 00:00:29,000
Frank Cilluffo [00:06:38]:
Yeah.

30
00:00:29,000 –> 00:00:30,000
Edgard Capdevielle [00:06:39]:
So visibility continues to be the main. I first want visibility. I cannot protect what I can’t see. I’m merging my, you know, my company with somebody else’s company. I’m acquiring things. And the number one question is, okay, what assets do I have?

31
00:00:30,000 –> 00:00:31,000
Frank Cilluffo [00:06:52]:
Who you bringing in? Yeah.

32
00:00:31,000 –> 00:00:32,000
Edgard Capdevielle [00:06:53]:
I heard that this vendor came in and disconnected this part of the system and moved that part of the system over. Okay, is it really disconnected or is it still talking to the internet? You have to be able to see that. And folks that are not familiar with IT don’t understand that there’s a huge difference in instrumentation.

33
00:00:32,000 –> 00:00:33,000
Edgard Capdevielle [00:07:08]:
In IT, it is extremely easy for me to tell you in 3 seconds, even if I have mediocre skills, how many IP addresses are connected to this network. It’s very easy. That question is not easy to answer in OT. Instrumentation is very, very dramatically different. Operational visibility is a value proposition of our bringing the instrumentation of OT at the part of IT.

34
00:00:33,000 –> 00:00:34,000
Frank Cilluffo [00:07:29]:
And the implications can be very significant. When you’re talking valves, you brought up Colonial Pipeline and the like, it can have actual life death consequences.

35
00:00:34,000 –> 00:00:35,000
Edgard Capdevielle [00:07:38]:
So let’s look at this European thing. We don’t know what it is yet. It’s too early. And misinformation, as we all know, is rampant.

36
00:00:35,000 –> 00:00:36,000
Frank Cilluffo [00:07:45]:
Flying. Yeah, yeah.

37
00:00:36,000 –> 00:00:37,000
Edgard Capdevielle [00:07:46]:
But let’s assume that it could be cyber or it could not be cyber. And in fact we may never know because one of the things that happens in IT is that forensics around an episode is easy to do. There’s logs, everybody remembers what they were doing when something happened. I mean the devices. In OT, a lot of devices don’t keep state. So if you were not monitoring and recording sessions and what happening, you don’t know what happened. You just know that the power came back on, everything’s working because it was rebooted. But you don’t have no sense of what was happening at that time unless you have a technology like, you know, OT IoT security monitoring and recording the sessions.

38
00:00:37,000 –> 00:00:38,000
Frank Cilluffo [00:08:21]:
Awesome. Do you have clients in Spain and Portugal?

39
00:00:38,000 –> 00:00:39,000
Edgard Capdevielle [00:08:23]:
We do, we do.

40
00:00:39,000 –> 00:00:40,000
Frank Cilluffo [00:08:24]:
And have you been hearing more from them recently?

41
00:00:40,000 –> 00:00:41,000
Edgard Capdevielle [00:08:27]:
I think right now, people, you know, livelihood, returning civilization to the normal state is number one.

42
00:00:41,000 –> 00:00:42,000
Frank Cilluffo [00:08:33]:
Absolutely, absolutely. And you know, we can’t have escape without a discussion around AI. Where does AI fit into the whole OT defender, whether it’s visibility or whether it’s actually on the remediation or what have you. Where do you see that fitting into the discussion?

43
00:00:42,000 –> 00:00:43,000
Edgard Capdevielle [00:08:49]:
AI is the main topic here at RSA. I’m hearing about agentic cybersecurity. How do you protect from AI agents?

44
00:00:43,000 –> 00:00:44,000
Frank Cilluffo [00:08:58]:
Yeah.

45
00:00:44,000 –> 00:00:45,000
Edgard Capdevielle [00:08:58]:
Which is all cool.

46
00:00:45,000 –> 00:00:46,000
Frank Cilluffo [00:08:59]:
Adversarial AI. Yeah, yeah. But…

47
00:00:46,000 –> 00:00:47,000
Edgard Capdevielle [00:09:01]:
OT, it’s about, you’re protecting critical infrastructure. I can speak about my company. We have been incorporating AI since the very beginning of the company. One of the attributes of OT and IoT cybersecurity is that you cannot be an active cybersecurity solution. An active means that you can come in and ask devices, who are you? Are you authorized to be doing what you’re doing? Credentials, what are your intents? In OT, there is no level of sophistication. So we have to do everything that we do passively we or mostly passively. And that requires AI. It requires AI to recognize assets by their behavior or profile vendor firmware.

48
00:00:47,000 –> 00:00:48,000
Edgard Capdevielle [00:09:40]:
It requires AI for us to detect abnormal activity that may have to do with the physical process.

49
00:00:48,000 –> 00:00:49,000
Frank Cilluffo [00:09:45]:
So firmware you’re using, that’s actually very interesting because I mean, we talk a lot about software and hardware, but at the end of the day, firmware… And I mean just getting your arms around a supply chain is really complex too. You want to know what’s inside whatever product or, or element we’re talking about here. So I, do see that as an area of business interest, actually?

50
00:00:49,000 –> 00:00:50,000
Edgard Capdevielle [00:10:12]:
I think it’s a major main component of, of operational visibility. You need to understand what’s in your network. You need to understand makes, models, firmware levels, which…

51
00:00:50,000 –> 00:00:51,000
Frank Cilluffo [00:10:22]:
Getting down to the firmware is a big deal.

52
00:00:51,000 –> 00:00:52,000
Edgard Capdevielle [00:10:24]:
Which systems are out of service, out of sale. As you may expect if the life of a substation is 20 to 30 years or maybe the components, the depreciation cycle, some equipment will likely be out of sale, out of support, and that may be acceptable or not depending on vulnerabilities, etc.

53
00:00:52,000 –> 00:00:53,000
Frank Cilluffo [00:10:44]:
What would you be recommending? So a lot of the OT legacy systems, but if they can get it right going forward. Any thoughts there in terms of if you’re, if you’re an owner operator, obviously the best chance to actually fix something is before it starts or at least to be thinking about it.

54
00:00:53,000 –> 00:00:54,000
Edgard Capdevielle [00:11:04]:
In OT, you don’t have that luxury. Right? You’re inheriting a system. In fact, you haven’t, as a CISO, so what is a typical case? As a CISO, you grew up through IT security. So post Colonial Pipeline, the board and especially with the SEC regulatory requirements, the board is looking at you to tell us hey, is our main means of production and revenue protected? And what has happened? The authority, the budgets have been centralized. You were able to inherit a team that came from a team. You have deputized that team. The first thing you need is to have operational visibility. You cannot protect what you can’t see.

55
00:00:54,000 –> 00:00:55,000
Edgard Capdevielle [00:11:39]:
So having a layer of visibility is number one, making sure that the networks are properly segmented, that you have segmentation and separation, whether it’s Purdue model or something else. And then obviously detection and monitoring and recording in the right places at the right time.

56
00:00:55,000 –> 00:00:56,000
Frank Cilluffo [00:11:55]:
So DC is hyper focused on the various Typhoons, whether it’s Volt Typhoon, whether it’s Salt Typhoon, whether it’s Flax Typhoon that did have an OT component to it, whether it’s Silk Typhoon. Are you hearing from your customers this had any impact? Are they taking it a little more seriously or…

57
00:00:56,000 –> 00:00:57,000
Edgard Capdevielle [00:12:13]:
Yeah, a lot of incidents are happening. Not every incident is public. Thankfully, a lot of these initiatives can be detected early. And yes, unfortunately in the current geopolitical environment, we have a lot of activity from outside of the US into our critical infrastructure that is happening. And I don’t think it’s a question of if we need to be monitoring and protecting ourselves. It’s a question of you must.

58
00:00:57,000 –> 00:00:58,000
Frank Cilluffo [00:12:40]:
Yeah, yeah. And now…

59
00:00:58,000 –> 00:00:59,000
Edgard Capdevielle [00:12:42]:
I don’t want to say a rash statement, but is it responsible for critical infrastructure not to be monitored? That is not responsible.

60
00:00:59,000 –> 00:01:00,000
Frank Cilluffo [00:12:51]:
I would agree with that. I don’t think that’s, I think that’s a prerequisite. And shame on us. I feel like we keep hitting that snooze button over and over and over. We’ve seen this movie before, so time to actually step up and act. And I, I know in D.C. because of the perpetrator in this case, people are taking it seriously, but is it resonating within industry?

61
00:01:00,000 –> 00:01:01,000
Edgard Capdevielle [00:13:13]:
Absolutely. I think folks…

62
00:01:01,000 –> 00:01:02,000
Frank Cilluffo [00:13:14]:
They get it now.

63
00:01:02,000 –> 00:01:03,000
Edgard Capdevielle [00:13:16]:
Customers, obviously, if you have had an episode, which again is more common that we would like to, that we see publicly and that we’d like to recognize, those sales cycles for us are very short. Budgets appear. Our number one enemy right now is that the category is a new category. So when you have a category that is new that doesn’t replace any previous budget and the budget process becomes more challenging. That’s, I want to also sit in the side of operators.

64
00:01:03,000 –> 00:01:04,000
Frank Cilluffo [00:13:41]:
Yeah, yeah.

65
00:01:04,000 –> 00:01:05,000
Edgard Capdevielle [00:13:42]:
Are they just late? No, they’re not. They’re just dealing with the realities of a business.

66
00:01:05,000 –> 00:01:06,000
Frank Cilluffo [00:13:46]:
Exactly.

67
00:01:06,000 –> 00:01:07,000
Edgard Capdevielle [00:13:47]:
You have a new category like OT IoT security or like Gartner calls it CPS protection. When you have a new category, it is important that the spend is processed through the business model of the company.

68
00:01:07,000 –> 00:01:08,000
Frank Cilluffo [00:13:58]:
And do you see that more of a CFO decision, a chief risk officer decision if it’s a bigger company or is it still the CIO or.

69
00:01:08,000 –> 00:01:09,000
Edgard Capdevielle [00:14:08]:
I’m always going to have a bias towards having, you know, the hero needs to have agency, and whoever hero…

70
00:01:09,000 –> 00:01:10,000
Frank Cilluffo [00:14:13]:
That’s what I was going to ask. Who, it is…

71
00:01:10,000 –> 00:01:11,000
Edgard Capdevielle [00:14:15]:
You have to have agency.

72
00:01:11,000 –> 00:01:12,000
Frank Cilluffo [00:14:17]:
Yep, yep.

73
00:01:12,000 –> 00:01:13,000
Edgard Capdevielle [00:14:18]:
Agency is, this is what’s right, this is what we need to do. And it will have a cost or a trade off.

74
00:01:13,000 –> 00:01:14,000
Frank Cilluffo [00:14:24]:
And increasingly are you seeing board members asking questions? Potentially they have to, but that matrix isn’t there yet. Cyber. Yes. But OT the, the, the level of discussion is probably not, unless you’re a utility.

75
00:01:14,000 –> 00:01:15,000
Edgard Capdevielle [00:14:39]:
I think they’re not, one builds on top of the other one. You cannot have OT cybersecurity. You cannot have, make an educated statement around OT cybersecurity if you don’t have a foundation of operational visibility. So operational visibility is a requirement to having any cybersecurity comprehension.

76
00:01:15,000 –> 00:01:16,000
Frank Cilluffo [00:14:58]:
Yeah. Yeah.

77
00:01:16,000 –> 00:01:17,000
Edgard Capdevielle [00:14:59]:
So, so yes.

78
00:01:17,000 –> 00:01:18,000
Frank Cilluffo [00:15:00]:
And given the work that you’ve seen. How would you differentiate perhaps the difference between, whether tactics, techniques, procedures, capabilities between nation state actors, which, here’s the reality. Companies, none of our companies went into business thinking they’re defending against nation state threats, whether foreign intelligence services or foreign militaries. It’s not a level playing field. But that’s the field we live in. That’s, we don’t have a vote in that matter.

79
00:01:18,000 –> 00:01:19,000
Frank Cilluffo [00:15:26]:
The adversaries made that clear. So I’m curious the difference between non state actors through state actors that you’ve seen in terms of your…

80
00:01:19,000 –> 00:01:20,000
Edgard Capdevielle [00:15:36]:
State actors are obviously a huge…

81
00:01:20,000 –> 00:01:21,000
Frank Cilluffo [00:15:37]:
And have all sorts of intelligence to throw at it. Right?

82
00:01:21,000 –> 00:01:22,000
Edgard Capdevielle [00:15:39]:
All sorts of intelligence. They have almost infinite resources. They have all the time in the world. And they’re addressing critical infrastructure which is for, for legacy reasons, have had a history of, of non protection. Air gapping, the concept of air gapping has been our number one enemy because it’s not real. It’s not…

83
00:01:22,000 –> 00:01:23,000
Frank Cilluffo [00:15:59]:
It’s not science. It’s wishful thinking. Yeah.

84
00:01:23,000 –> 00:01:24,000
Edgard Capdevielle [00:16:02]:
It’s brought a level of comfort that is not good for us. When you have non state actors, then that’s relatively easy. They’re looking for profits for things that can be monetized. Ransomware has made monetization of our uptime a very real trade off.

85
00:01:24,000 –> 00:01:25,000
Frank Cilluffo [00:16:18]:
Yep.

86
00:01:25,000 –> 00:01:26,000
Edgard Capdevielle [00:16:18]:
I’m no longer looking for money.

87
00:01:26,000 –> 00:01:27,000
Frank Cilluffo [00:16:22]:
In OT, it’s essential. Exactly.

88
00:01:27,000 –> 00:01:28,000
Edgard Capdevielle [00:16:23]:
So yeah, we have a duty. It is now table stakes. If you want to be an operator, a responsible operator in critical infrastructure, whether we’re talking about electric utilities, oil and gas, airports, transportation, even providing food to people, processing.

89
00:01:28,000 –> 00:01:29,000
Frank Cilluffo [00:16:38]:
Absolutely. Agriculture is at the heart of it.

90
00:01:29,000 –> 00:01:30,000
Edgard Capdevielle [00:16:40]:
It is, it is fundamental table stakes that you consider cybersecurity as, as, as a necessary component.

91
00:01:30,000 –> 00:01:31,000
Frank Cilluffo [00:16:48]:
And I would think all the focus on advanced manufacturing, that’s going to become a much bigger issue as well.

92
00:01:31,000 –> 00:01:32,000
Edgard Capdevielle [00:16:53]:
I’ll say it again, digital transformation is a one way street.

93
00:01:32,000 –> 00:01:33,000
Frank Cilluffo [00:16:56]:
Yeah.

94
00:01:33,000 –> 00:01:34,000
Edgard Capdevielle [00:16:57]:
We’re only going to automate more. Automate everything and IT/OT are only going to converge more. One way streets.

95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo [00:17:04]:
Absolutely. I know we’re getting near the end of our time. So what are some steps that critical infrastructure owner operators should be taking? What are some tangible things that if you were not speaking to your client and no, don’t mention clients obviously, unless you want to.

96
00:01:35,000 –> 00:01:36,000
Edgard Capdevielle [00:17:22]:
Unless, because we usually speak to our clients from kind of the other side of the table where the vendor and we’re trying to partner with them. But now let me get to this side of the table. I’m a counselor, consigliere. So first of all…

97
00:01:36,000 –> 00:01:37,000
Frank Cilluffo [00:17:34]:
Cilluffo, you got that right. Yeah.

98
00:01:37,000 –> 00:01:38,000
Edgard Capdevielle [00:17:36]:
First of all, I believe in hero stories, right? So you need to be the hero, have agency. You’re going to have the finger pointed at you, then you need the authority, you need the responsibility, and you need the budgets. And that comes with people and expertise. You cannot get only part of that. Right? So with people and expertise, you need to deputize them. You need to get a really, really good assessment of what is happening today.

99
00:01:38,000 –> 00:01:39,000
Edgard Capdevielle [00:17:57]:
Do we know what we have? After you know what we have, then you need to have what level of maturity are we? How we properly segment it? Do we understand our vulnerabilities? Do we understand the steps? Do we have a risk scoring system? Because I think the board likes to get…

100
00:01:39,000 –> 00:01:40,000
Frank Cilluffo [00:18:12]:
Absolutely.

101
00:01:40,000 –> 00:01:41,000
Edgard Capdevielle [00:18:14]:
In the form of…

102
00:01:41,000 –> 00:01:42,000
Frank Cilluffo [00:18:15]:
Risk is risk, whether it’s cyber, finance…

103
00:01:42,000 –> 00:01:43,000
Edgard Capdevielle [00:18:17]:
$300,000 or $3 million to do X in cybersecurity. And you’re going to say, okay, I need to justify it. And getting X done is not a justification. You need to tell me that you have lowered the risk from X to Y. And how does that play relative to our peers?

104
00:01:43,000 –> 00:01:44,000
Frank Cilluffo [00:18:33]:
Awesome. Penultimate question. What excites you the most about Nozomi and where you see the market going?

105
00:01:44,000 –> 00:01:45,000
Edgard Capdevielle [00:18:39]:
Nozomi is a fantastic company. We’re doing really, really well. I think we’re hitting the market at the right time. I think industrial cybersecurity, critical infrastructure security maybe doesn’t have the same buzz as agentic security, but it is in an upswing. I think in the current geopolitical environment, it is a solution to a very, very real problem.

106
00:01:45,000 –> 00:01:46,000
Frank Cilluffo [00:19:03]:
And blocking and tackling is 90% of the game.

107
00:01:46,000 –> 00:01:47,000
Edgard Capdevielle [00:19:05]:
Blocking and tackling is 99% of the game.

108
00:01:47,000 –> 00:01:48,000
Frank Cilluffo [00:19:07]:
Yeah. And, Edgard, my last question. What questions didn’t I ask that I should have?

109
00:01:48,000 –> 00:01:49,000
Edgard Capdevielle [00:19:11]:
One question you didn’t ask is what differentiates our company from our competitors? And I’m not here to, our competitors are great. Our competitors make us a better company.

110
00:01:49,000 –> 00:01:50,000
Frank Cilluffo [00:19:20]:
All boats rise too.

111
00:01:50,000 –> 00:01:51,000
Edgard Capdevielle [00:19:22]:
One way in which we’re different. A lot of our competitors are pouring money into, into the space. If you look at the size of the booths here at the RSA conference, that’s one way of measuring how much. And one of the things that our management team and our board have put into the company is the need to run our business profitable. So I’m very, very happy and proud to say that we’re the only company in our space that is cash flow breakeven or cash flow positive.

112
00:01:51,000 –> 00:01:52,000
Frank Cilluffo [00:19:51]:
Boom.

113
00:01:52,000 –> 00:01:53,000
Edgard Capdevielle [00:19:52]:
Yes.

114
00:01:53,000 –> 00:01:54,000
Frank Cilluffo [00:19:52]:
Edgard, thank you for joining us today. Thank you for your leadership, and I hope we’ll hear much more from you in the days ahead. So thank you.

115
00:01:54,000 –> 00:01:55,000
Edgard Capdevielle [00:19:59]:
Thank you so much.

116
00:01:55,000 –> 00:01:56,000
Frank Cilluffo [00:20:00]:
Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.

Related Content