Venture Everywhere Podcast: Gadalia Montoya Weinberg O'Bryan with Ari Newman
Gadalia Montoya Weinberg O'Bryan, Founder and CEO of Dapple Security, chats with Ari Newman, an LP of Everywhere Ventures and Partner in The Fund Rockies.
Episode 47 of Venture Everywhere is hosted by Ari Newman, an LP of Everywhere Ventures and Partner in The Fund Rockies and also the co-founder and managing director at Massive, a multi-stage venture firm that invests in deep tech, enterprise, and climate.
He chats with Gadalia Montoya Weinberg O'Bryan, Founder and CEO of Dapple Security, a cybersecurity company protecting companies against phishing and ransomware by securing their workforce logins. Gadalia shares how Dapple’s biometric login solution is transforming security, especially for small and medium-sized businesses. Gadalia also discusses the future of multi-factor authentication (MFA) and the impact of quantum computing in the cybersecurity landscape.
In this episode, you will hear:
Key difference between traditional MFA (such as SMS-based) and phishing-resistant technology.
Evolution of cryptographic standards in the face of growing computational power.
How Dapple’s biometric solution eliminates shared secrets.
Balancing security with ease of use to drive higher adoption rates for MFA solutions.
Dapple’s aim to enhance user experience and security with low-friction solutions for greater adoption.
TRANSCRIPT
00:00:00 Jenny Fielding: Hi, and welcome to the Everywhere podcast. We're a global community of founders and operators who've come together to support the next generation of builders. So the premise of the podcast is just that, founders interviewing other founders about the trials and tribulations of building a company. Hope you enjoy the episode.
00:00:21 Ari: Welcome everyone. My name is Ari Newman. I am an LP and a partner at Everywhere Ventures. I'm also the co-founder and managing director at Massive Capital Partners. We are a multi-stage venture firm that invests in deep tech, enterprise, and climate.
00:00:38 Ari: I was previously a founder and after 15 years on the operating side, joined the venture world and have been investing in amazing technologies and companies like Dapple ever since. So without further ado, I would love to introduce Gadalia. So excited to chat with you today. Please jump in, introduce yourself and we'll take it from there.
00:00:59 Gadalia: Thanks, Ari. Great to be here. So I'm Gadalia Montoya Weinberg O'Bryan. I'm the founder and CEO of Dapple Security. We're a cybersecurity company protecting companies against phishing and ransomware by securing their workforce logins. And I've been in the security space my whole career.
00:01:17 Gadalia: I started out as a crypto mathematician at the NSA for about a decade and then transitioned to the private sector. And I helped lead one prior startup to exit. And now, yes, I'm proud to be part of the Everywhere portfolio.
00:01:30 Ari: Fantastic. So you're building a business called Dapple Security.
00:01:35 Gadalia: Yes.
00:01:36 Ari: Tell us more about the work and what the vision is for the company.
00:01:39 Gadalia: So I, as a cybersecurity practitioner, was really starting to get frustrated by continually seeing breaches and hacks start with the wrong person logging in. It really is the easiest way for hackers to get right in through the front door by tricking someone into giving up their login.
00:01:58 Gadalia: So being in that profession, it was the problem that I knew I wanted to address. And I realized I had something unique to bring to the space and that harkens back to my math background.
00:02:09 Gadalia: So we're really working on a next-gen MFA solution. So replacing those vulnerable password or traditional MFA logins with something that's using biometrics and phishing resistant and much more user-friendly.
00:02:25 Gadalia: The other thing I wanna emphasize is that we're really targeting the small and mid-size market first, which I think is not always the case for a lot of cybersecurity vendors, and that's a really underserved market. So that's a piece of what we're doing that I'm also really excited about in addition to the tech.
00:02:43 Ari: Super interesting. When you talk about MFA, maybe we can get further into the product conversation and also talk about the world of two-factor authentication and why SMS has got its issues because I'm sure folks would love to really understand why this is so critical.
00:02:57 Gadalia: Love to.
00:02:58 Ari: So based on your background and all the work that you've done prior, what compelled you to become a founder? And if you think back to your career, like what were some key moments that sort of got you to this point?
00:03:09 Gadalia: Honestly, it's surprising to think back on my career to find myself here because first and foremost, I was a mathematician and then I fell in love with security and I fancied myself a career government employee.
00:03:20 Gadalia: And then I made this huge leap to working at a startup that some colleagues from the NSA had founded and had me join really early on. And it was a surprise but a pleasant one to me that I really love operating and I really love building, like something that has continued as a thread through my career is building things from the ground up.
00:03:40 Gadalia: So I think I realized I am a natural founder at heart and that is where I belong. In terms of the problem space, I've been a witness to some pretty intense security breaches.
00:03:53 Gadalia: I was working at NSA when the Edward Snowden breaches occurred. I was a consultant at Merck Pharmaceuticals when they were hit by a ransomware attack in 2017 that brought their global operations down for weeks.
00:04:06 Gadalia: And it was shocking to me to see the impact of those, but also to think through what happens when a smaller organization experiences something like this? How would they weather, could they even weather?
00:04:18 Gadalia: So I think really having always been a mission-driven person at heart, that really brought me to, I think, the space of trying to tackle the fundamental problems that are facing businesses.
00:04:31 Ari: So one thing I wanted to ask you about, the security space is quite crowded. There's tons of vendors. And I think that's for good reason. There's a lot of problems and there's a lot of opportunity. Can we talk a little bit about what unique challenges and opportunities you see in your domain and security?
00:04:48 Gadalia: Yeah, like you said, there's so much to say. It's hard to know kind of where to start. But one thing I will say is, 90% of security breaches are starting with those stolen logins and things like phishing happening. And that leads to ransomware, it leads to wire fraud, it leads to data breaches.
00:05:06 Gadalia: And there are not solutions out there that are really targeting that small and mid-sized market first. And so I think I see that as a unique opportunity, as I kind of already mentioned, to offer an easier to adopt more affordable solution for businesses of all sizes.
00:05:22 Gadalia: Not to say we're excluding the enterprise, but really focusing on it being accessible. The other thing I'll say just in terms of challenges, because like you said, it is a crowded space.
00:05:31 Gadalia: One thing I do run into is that when we think about how we log into things in our personal lives and our work lives, big tech players really do control a lot of that. And they're not necessarily incentivized to accommodate innovation from smaller players or give users agency over their own data.
00:05:50 Gadalia: And so I do feel like as a company, I'm battling that on a daily basis in this space, but it feels to me like a challenge worth taking on.
00:06:00 Ari: Super interesting. I think there's two things there that really resonate with me personally is one, we all look for the low friction way to deal with login, which usually means the platform that you're on controls it.
00:06:12 Gadalia: Yep, I do. I do too. Yep.
00:06:15 Ari: Yep. And we have very little control. And especially when it comes to enterprise, that's extremely risky because we all get lazy. Okay, so now we're gonna play a game.
00:06:24 Gadalia: Okay.
00:06:24 Ari: I want you to finish the sentence for me.
00:06:26 Gadalia: Oh no!
00:06:27 Ari: When Dapple Security gets to scale, we will...?
00:06:31 Gadalia: We will have a fundamental impact on how digital identity is being handled on the internet.
00:06:40 Ari: Pretty profound opportunity in front of you.
00:06:42 Gadalia: It is.
00:06:43 Ari: Yeah, that's exciting. So as you work against that big giant goal, what stresses you out, what keeps you up at night? What do you sort of worry about getting in your way?
00:06:53 Gadalia: I'd say a couple of things. One I already mentioned, which is we are coming up against big players in the space who I think on the surface are trying to be more open and galvanize around standards to improve login experience and security for end users.
00:07:09 Gadalia: But as I said, are not necessarily incentivized in the same direction that businesses and consumers are. So that's one of them.
00:07:16 Gadalia: The other is our tech is based on some core technology that is inherently very difficult. It's based on some mathematical techniques that are not something we can just slap together and throw out there.
00:07:29 Gadalia: So we're always, as a company, straddling, iterating, and getting something out there and testing and having customers working with something while at the same time doing the R&D to develop our core tech.
00:07:42 Ari: Interesting. I don't want to put words in your mouth, but I'm trying to understand, your cryptography is unique in the market or is it stronger encryption than what is commonly used around login? Can you talk about that?
00:07:53 Gadalia: Yeah. Thanks for asking. It's nuanced, so I'll try to explain a bit more so that I'm not just dancing around it. What we're doing is you can think of it as replacing the traditional login with something passwordless. So we're starting with fingerprint.
00:08:07 Gadalia: So, okay, instead of entering username and password, I'm going to enter my username and then I can provide a fingerprint. The cool thing that we do that's different is that we can accomplish that without having to store the fingerprint anywhere and without having to store these credentials that are being passed back and forth behind the scenes anywhere.
00:08:28 Gadalia: And that brings a really nice user experience because if you think about the experience you have logging into your phone using maybe Face ID or a fingerprint on your laptop, it's trying to bring that same user experience to all of your logins having the same behavior as you're logging in across your different devices.
00:08:48 Gadalia: So there's a lot of magic that has to happen behind the scenes to accomplish that. And hopefully what the result is, is a delightful user experience and they shouldn't have to care that there's really fancy biometrics and cryptography happening behind the scenes. But it is something, like I said, that we have to battle through.
00:09:07 Ari: Right. And if you're not storing the fingerprint then it's much more difficult for that piece of data encrypted otherwise to be stolen and reused.
00:09:15 Gadalia: Yes. So I'll break something else down, just a couple of analogies. The basic way that most of our logins work today is based around something. I call it a shared secret. That's often what we in the industry talk about it as. And you can think of it as I know some secret, my password, or maybe my one-time code, and the server that I'm logging into knows the same secret.
00:09:37 Gadalia: And the way that they confirm it's me is by saying, oh yeah, the secrets match. But think of how easy it is to get in the middle of that transaction, to either trick me into telling you my secret or intercept those communications between me and the server and just relay things to pretend that you're the wrong user.
00:09:53 Gadalia: So we're basing our technology around a new set of standards. They're called the FIDO2 standards for anyone who wants to nerd out and care about it. And essentially that splits that paradigm in half so that you no longer have to have a shared secret. You can think of it as the server having a lock and the user having a key.
00:10:13 Gadalia: And as long as I have that correct key that fits the lock, I can get in, but I never have to tell anyone what my key is. And the lock can be public because it doesn't say anything about me. So we're essentially creating a lock out of the biometric itself.
00:10:29 Ari: I think it's important to talk about the details because your technology is unique and your approach is unique. And there's a reason that you've done this based on your past experience, which is really interesting.
00:10:38 Gadalia: Absolutely.
00:10:39 Ari: Changing gears a little bit. One of the things I know about you is that you're really passionate about increasing equity and representation in STEM fields. So I'm curious, what are some of the things that you see going on around STEM and equity? What are you passionate about there specifically? And what should your audience know about where to apply efforts or what's interesting?
00:11:01 Gadalia: I will be honest about the fact that probably half of the reason I became a founder was because I wanted to create a different kind of tech company, one that I hadn't worked for before, one that had a CEO that had looked different than what I'd worked for before.
00:11:15 Gadalia: So yeah, I do think part of my personal mission is not only to put great tech out there in the world and help our users, but also to just represent a tech company that, and show that not all tech companies have to look exactly the same in terms of their culture, in terms of who's leading them, in terms of who works there.
00:11:32 Gadalia: So I think in that representation is super important, always. And as a part of that, I try to always practice lift as I climb. And I love it when others do as well. If you have gotten to a point in your career where you can help others do so. And supporting all young people.
00:11:51 Gadalia: I have two teenagers and whenever their friends are over, I'm like, how's math going, how's science going, do you love it? You know, just trying to increase that curiosity and enthusiasm for all kids to think about entrepreneurship and STEM fields from a really young age. So those are the things that I really lean into personally.
00:12:09 Ari: Nice. That's fantastic. My son's interested in engineering and psyched about that also.
00:12:14 Gadalia: Yep. Like they may not be, right? But that's okay.
00:12:17 Ari: Right.
00:12:17 Gadalia: As long as they feel like that's an okay thing to be interested in and an option for them.
00:12:22 Ari: Yep. A curious mind is a good thing, right?
00:12:24 Gadalia: Absolutely. Yeah.
00:12:26 Ari: I'm sure that although the company is relatively young, you've already had some good wins and seen some positive impact of your technology. Do you have any particular, like case studies that you can mention or sort of moments where you got validation that you were really on the right path?
00:12:42 Gadalia: Yeah. And you're right, we are still early. We're still technically pre-product. We're working with some design partners who are early adopters and giving us feedback as we develop things. And one thing that really strikes me, for example, one of our design partners experienced a ransomware attack and it could have been very devastating for them.
00:13:03 Gadalia: So this is an opportunity for them to put something in place that is proactive from a cybersecurity perspective. So not just having to think about, okay, how do we react as quickly as we can when a ransomware attack is occurring and has breached our walls, but putting something in place that can prevent that from happening in the first place.
00:13:21 Gadalia: And if you think about it, that's the cheapest way for a business of any size to deal with a cyber attack is just for it not to happen. So seeing that, the comfort, I guess, that that gives them to know that they have something proactive they can put in place.
00:13:34 Gadalia: Reactive pieces of the system are also extremely important. You have to assume things will go wrong and defense in depth. But yeah, that's something that I really enjoy seeing. The last thing I guess I'll say there is this is a unique opportunity when security and user experience go hand in hand.
00:13:52 Gadalia: Those can often be competing priorities in an organization. So the fact that we're able to say, hey, yeah, this is a much more secure way of logging in to protect your business. But by the way, your users are really going to like it better than what they're doing right now. That feels pretty great.
00:14:08 Ari: That's important, right? A good low friction user experience drives greater adoption, which means more product success.
00:14:13 Gadalia: Yeah, it is first and foremost in terms of what we're trying to put out there.
00:14:17 Ari: That's fantastic. Let's talk about the future a little bit. So something I'm really curious to ask you about, given your math and cryptography and NSA background, is quantum.
00:14:27 Gadalia: Ah.
00:14:27 Ari: Right? So the setup is the obvious thing, which is as the world approaches Q-Day, which is this moment where quantum computers become commercially viable to the point where they can be applied against what we currently use as modern encryption.
00:14:42 Ari: And it can beat encryption fast enough that it becomes a huge problem. Like everyone's paranoid. We're going to hit Q-Day and the entire world is going to melt. And the first thing people are going to apply quantum computers for are breaking things like SSL and 256 DES and all of the sort of robust security that we think we have today that's based on public-private key encryption.
00:15:04 Ari: What's your take on all of that? How big of a threat is it? What do you see happening in the security sector as these two traditional public-private key encryption technologies and quantum encryption or quantum computers sort of come to a head?
00:15:18 Gadalia: Yeah. Call me a pragmatist. I'm not super worried about it. To me, it's an evolution of the same thing that has been happening already, which is that Moore's law means that our computers get faster all the time and have been over history.
00:15:32 Gadalia: And we have had to replace our cryptographic algorithms over time as that has happened. So we can rely on standards bodies like NIST who has provided guidance on which quantum resistant algorithms we should be using.
00:15:46 Gadalia: So I honestly think that we have practiced this before as an ecosystem and that if we just continue to learn from those exercises in the past and not put our heads in the sands and start to adopt those quantum resistant algorithms, but hopefully a lot of that can be done gradually so that it's a non issue.
00:16:07 Ari: Got it. So all these quantum companies that are telling us the world's going to melt the minute we hit this inflection plane, you say not so much.
00:16:15 Gadalia: Yeah, not so much. I mean, it's something to be aware of, like I said, and I'm glad that folks are out there that are working on technologies that will help us protect ourselves in that way. But to me, it just feels like an evolution of the fact that our computers have gotten increasingly better over time anyway.
00:16:31 Ari: Right, okay, I like the semi-contrarian view there. Do you have any other semi or totally contrarian views about the security sector as a whole that we should know about?
00:16:41 Gadalia: I don't know if it's so much contrarian as I have a little bit of a beef right now. As in cybersecurity or talking about multi-factor authentication or MFA. We've been beating this drum of MFA being so important for a while now, and I agree with that.
00:16:55 Gadalia: The problem is that we don't talk a lot about the fact that not all MFA is equal in terms of how it can protect us against phishing specifically. And most of the MFA that we're all currently using is very phishable.
00:17:08 Gadalia: And so I think my beef is that we talk about MFA as if it's this pangea of one thing when really there's a spectrum of different MFA solutions and they protect us differently end-to-end more or less.
00:17:23 Ari: I think you're being polite. And if I'm gonna say this back to you in a more direct way, if you think that your SMS-based MFA security is doing you any good, you're probably wrong.
00:17:35 Gadalia: Yes, and the crappy thing about it is that it's more of a pain to use and it's not helping us really at all. And so I think this was an example that I sent out in a recent investor update, but my bank recently started changing from using SMS because everyone's starting to understand that that's not very secure.
00:17:56 Gadalia: So now they insist on calling to give your one-time code, which isn't helping anything, but it is even more painful now to log in. So if you are using a multifactor authentication that is SMS, email-based, another one that folks feel is very secure are those one-time codes that you get using an authenticator app on your phone.
00:18:19 Gadalia: Same thing, it's still a shared secret. It is still a number that you know that the server knows that someone else can intercept. So yeah, unfortunately, even though they're a lot harder to use, they're really not protecting us any more than a simple password.
00:18:31 Ari: Yeah, my take is that the shared secret of a two-factor authentication app or generator is better than SMS because it's less vulnerable to SIM jacking, but only incrementally.
00:18:42 Gadalia: Yes, exactly. Yep. That's that spectrum that I was kind of talking about.
00:18:45 Ari: Got it. Okay, fantastic. Is there anything else that we should know about multi-factor authentication or about Dapple going forward?
00:18:56 Gadalia: I think one thing I'm really excited about is just that we have this chance or opportunity to fundamentally change the way that biometric data and cryptographic keys are handled on the internet. So I really love the solution that we're building today.
00:19:11 Gadalia: I think it has the potential to really help businesses of all sizes be more secure. But I also love the fact that this core technology is something that we can apply in a lot of different modalities going forward. So I would say this is only the beginning, I hope.
00:19:30 Ari: Do you feel sometimes in order for the enterprise, small business, like the business world, your customer base to understand how important your approach is.
00:19:40 Ari: Do we need some other high profile event, some situation where someone using an authenticator code gets a man in the middle attack and the whole company gets compromised and they thought they were secure only to then open the door to your narrative that a non-stored biometric object is the only way to solve that?
00:20:00 Ari: Are you waiting for your moment where all of the other stuff out there breaks and you're like, we're over here?
00:20:06 Gadalia: In some ways, yes. And there are some predictions that I made even a year ago that weren't sort of being understood by the market that even now are. And so it does feel somewhat satisfying to kind of look ahead and know that as more and more of these problems occur, that we have put something in place that is getting out ahead of that.
00:20:27 Gadalia: I will say though, that when we make a sale, it doesn't tend to be based on all of this fancy math that we talked about. It's really based around adoption, and affordability and user experience. The cool thing about what we're doing is that it makes all of those things better and cheaper and easier.
00:20:46 Gadalia: And by the way, there's some really cool stuff happening in the background that's privacy preserving and gives the enterprise and business more control over their employees' accounts and the end user more control, et cetera.
00:20:58 Gadalia: But I think, again, from a mission perspective, that's just satisfying for me to know is that we're taking this privacy first approach to everything we're doing. And we're not forcing our users to make that choice. We're saying we're giving you the best product we can. And oh, by the way, we are doing the right thing.
00:21:17 Ari: Right. Well, as a product nerd, I think that's super important. Great applications are kind of like icebergs. You should only really see what's above the waterline and that should be simple and beautiful. And there's a lot of complexity that nobody needs to see. It just needs to be done right. So...
00:21:31 Gadalia: Yeah, absolutely. Yep.
00:21:33 Ari: I think you're absolutely on the right path. That's fantastic. Let's change gears and jump into something we love to do called the speed round. So I'm gonna ask you a series of questions. You're gonna answer me stream of consciousness. You ready?
00:21:46 Gadalia: Okay, I'll try.
00:21:47 Ari: Okay. What's a current book that you're reading or a podcast that you're enjoying?
00:21:51 Gadalia: Okay. So from an industry perspective, I love Liminal State of Identity podcast. There's a Risky Business podcast as well. So those are two cybersecurity ones. From a business side, I love this podcast, Everywhere Ventures, great content.
00:22:08 Gadalia: And there's also a Practical Founders podcast that I really like because it offers some contrarian views on the space. And I'm going to say also just old-fashioned Denver Business Journal in print on my kitchen counter. I love leafing through that and devour that every week.
00:22:25 Ari: That's great. Okay, if you could live anywhere in the world for one year, where would you go?
00:22:30 Gadalia: Probably Spain. I lived there as a kid. I haven't been back as an adult and I think that would be really cool to experience again, 40 years later.
00:22:40 Ari: Any city or area or just Spain period?
00:22:43 Gadalia: Oh, that's a good question. I lived in Zaragoza before, so maybe that one.
00:22:48 Ari: Okay, perfect. As a founder, what's your favorite productivity hack?
00:22:52 Gadalia: Okay, I'm saying this from a standpoint of a person who is horrible at calendars, but blocking time on my calendar to work on specific things. It's simple, but it really does do miracles for me.
00:23:04 Ari: Most importantly, where can people find you on the internet?
00:23:08 Gadalia: Ah, yes. Well, I'm always happy to receive inbound emails. So gadalia@dapplesecurity.com. Given my name, I'm also super easy to find on LinkedIn and I will respond to chats there as well. So either of those places.
00:23:22 Ari: Fantastic. Well, this has been super fun. Thank you so much for joining me for the conversation and wishing you and Dapple great success going forward. For the rest of you, thanks for tuning in today to the Everywhere podcast and have a great day.
00:23:37 Scott Harley: Thanks for joining us and hope you enjoyed today's episode. For those of you listening, you might also be interested to learn more about Everywhere. We're a first-check pre-seed fund that does exactly that, invests everywhere. We're a community of 500 founders and operators, and we've invested in over 250 companies around the globe. Find us at our website, everywhere.vc, on LinkedIn, and through our regular founder spotlights on Substack. Be sure to subscribe, and we'll catch you on the next episode.