The Imperative of Climate Security (From a Cybersecurity Pioneer)

Imagine this: You hire a new chief security officer who tells you they don’t plan on implementing any systems to protect your company against cybersecurity threats.

It’s an unfathomable thought today, but the same is now true of weather and climate impact. In 2021 alone, extreme weather and climate disasters in the U.S. killed 688 people and cost more than $145 billion. Yet many enterprise businesses have no systems in place to mitigate weather and climate risks in a scalable way.

This failure to implement automated predictive systems is one that the cybersecurity field also faced in its early stages. Sam Curry, a cybersecurity pioneer, CSO at Cybereason, and advisor to, has witnessed and navigated this resistance in the cyber realm over the course of his 30-year career.

We sat down with Sam to understand the parallels between cyber and climate, how technology empowers operators to supercharge their impact, and what advice he has for executives.  

Tell us about your career in cybersecurity.

I started my career nearly 30 years ago. I had begun in cyber by looking at codes and then trying to make communications as secure as possible between two points, which sounds pretty obvious when you look at it. I was part of a startup that did VPNs and along the way, we accidentally invented the personal firewall.

I’ve held senior roles at McAfee, Computer Associates, and RSA. Over the course of about 15 years, I spent some time with Arbor Networks really understanding the internet. I had the privilege of managing RSA labs. And today I’m the chief security officer for Cybereason, a president for the Cybereason government subsidiary, and enjoy a number of roles, including advising

What similarities do you see between cyber and climate security?

At the highest level, cybersecurity and climate technology both deal with the risks associated with very complex and hard-to-predict adaptive systems. They’re a little bit different in terms of what the models entail from an algorithmic point of view—what the data in and data out is—but fundamentally, they’re both boardroom conversations that have to look at acceptable risk for acceptable return. Agility can be a very high differentiator and affect the P&L directly.

So, this isn’t just a need to pay attention to what’s going on outside the window in either a cyber or climate sense. It’s understanding the models as they become more chaotic, and then seeing how to take advantage of those through systems—the integration of person and machine. You must be able to adapt as a business and turn what might otherwise be a disadvantage—problems with the weather, problems with global climate change—and turn them instead into advantages. These can be ways of being responsible citizens and responsible corporate entities, but also to show returns for the shareholders. At the end of the day, we’re in business to accept the risks and accept the returns. So we have to understand those deeply. And that doesn’t happen unless we really invest in both.

Was there a time in the cybersecurity industry when humans feared onboarding new technology would replace them?

There’s always a fear, to some degree, going back to Luddites, that technology is going to replace people. But the truth is that even when we talk about efficiencies in business models, we’re really talking about making human efforts more worthwhile. And I think that climate is going through a change very similar to what cyber has gone through. In the cyber world, we had enough technology—we thought. We thought this wasn’t an area that was going to change very much. And that has been radically disrupted by the opponents and by the battle that we face in cyber conflict highlighted all over the world every day.

Now, the same is true in cyber as in climate. In the climate world, we have models and we have data. We were getting things from the public sources, but they’re not enough, especially as the world changes further. And so it’s time to update our systems—it’s time to lean in on this. And true innovation can happen and can return real results.

What would you say to a company that is resisting implementing automated systems around climate security?

I would say to anybody who’s sitting there going “Why should I invest in this?”—well, it’ll be proven out. Talk to others who are doing it, see if you need information, and I bet you do, about what’s happening meteorologically. And ask yourself: What does that mean, in terms of logistics? What does that mean in terms of customer demand and customer need? What does that mean for supply? What does that mean for planning? How do you effectively not waste money and resources and investment and put it in better places?

We’re always going to have people who are worried about what it means to automate and bring new things in but, frankly, it should uplift the human condition. I’m reminded of something Garry Kasparov, who was a chess master, said at a show not long ago. He said that he could beat the old computers time and time again, reliably, predictably until he couldn’t. And then he was depressed a bit and he said, at least he was winning more than he was losing. And then he wasn’t. But he made a really important point. He said for the next ten years, the level of chess game improved enormously with the fusion of person and machine.

It’s the combination of the two—humans are very good at spotting anomalies and not doing a lot of the rote work. Machines are good at the opposite. And how you put these two together can make a huge difference. So automate, be automatable, integrate, and make your humans plus machines greater than the sum of the parts.

What have been the benefits of watching human + technology creating a 1 + 1 = 3 scenario in cybersecurity and beyond?

What we want to do is take the people and uplift their game. We want them working on more valuable things. And we want the results to be increasing exponentially. If you find yourself in a situation where something is being commoditized, and that means it’s available everywhere, and it’s the same quality everywhere, then it’s an opportunity to differentiate. Innovation comes not just in the aha-eureka breakthrough leaps. It comes in incremental improvements.

So what does that mean? It means if you invest here, there’s a chance to change the game. And history is filled with examples of people who thought they knew the market. Let’s take smartphones: everybody thought they knew what smartphones were in 2008. And the players in 2012 were not the same as 2008. That’s how we got smartphones, and, frankly, that’s how we’ll get smart cyber, and that’s how we’re going to get smart weather.

What advice would you give to executives overseeing operations, safety, weather, climate, ESG, sustainability, etc.?

Stop looking at the same risks you’re comfortable looking at, by which I mean finance, operations, legal, etc. We understand these. You understand these. Instead, keep doing what you’re doing, but you need to step back from your business and say “What are the biggest risks globally that come into my industry and could affect my company?” You’ll find that cyber is there, as, by the way, is conflict around the world. And global climate change is there—understanding weather patterns when they break away from the old models, when the old sources of data are not sufficient. Then, look at it through the same kind of risk lens you’ve been using for years for operations, finance, and legal. These are similar types of problems.

The first job of an executive, aside from revenue and profit, is to understand risk—acceptable risk for acceptable return. If you don’t want risk, turn all your systems off and close the company. But if you’re in the business in the 21st century, you have to take care of cyber risk and climate risk without question.

