He started in cybersecurity 25 years ago as a teen, and now says: ‘There’s something changing on the overall internet landscape’
Today Ondrej Vlcek, former President of the company’s Consumer Business, officially takes on the role of CEO at Avast. He sat down with the Avast Blog to discuss his 20 years in cybersecurity and view of the future.
What’s at the top of your to-do list as the new CEO of Avast?
There are really three things that successful CEOs do: Set the strategy, the goal, the vision; work internally with the executive team to create the company culture and make the environment fulfilling; and work externally with investors and the press. In the past I’ve worked a good deal on the first and second, but not so much on the third. The thing that I have to do more is make myself more visible externally. I think all three are equally important.
You’re a bit of an unusual CEO in that you started in this industry as an intern. You can code in several different languages. You’ve worked on different mobile platforms. Do you think that gives you a good perspective on the cybersecurity industry?
I think many tech companies want top executives who are engineers by training. It makes good sense as the tech industry focuses more on innovation and hardcore technology in the product. If you look at Microsoft and Google, those are two huge tech companies with CEOs who are engineers by training – and there are many more. Hopefully I’ll be able to deliver on that as well, with my background. Having 25 years’ experience in this industry starting at the lowest level gives me pretty good insight into what we need to build.
You have said the next big thing for the cybersecurity industry is the profound challenge of securing the Internet of Things. Do companies and consumers need to see the big picture? How so?
I see IoT as a bit of a ticking time bomb – especially on the consumer side. There’s something changing on the overall internet landscape: The majority of devices that are being connected to the internet are not computers and not mobile phones. They are smart devices, from coffee makers to smart TVs. And while people don’t tend to think of them as computers, they very much are – but often with a broken architecture when it comes to security. They have vulnerable operating systems with legacy code, unencrypted communications protocols, and all kinds of other vulnerabilities that laptops and other computers had 10 or 20 years ago. That’s a big problem for our industry because it creates a huge attack surface for the bad guys. It’s easier for them to hack those devices rather than laptops and mobiles. We’ll be seeing more and more of that as PCs become more secure and vulnerable IoT devices are more prevalent.
What we’ve been building at Avast for almost the past three years is a solution specifically designed to help people with this. It’s a network-based security module, based on what happened on the enterprise side. We discovered that companies need protection not just on endpoints like laptops and mobile phones, but also at the network level to see what’s going on across the entire company. We’re bringing that same approach to the consumer space – network-level security that protects everything online in their home – computers and also IoT devices.
The challenge is how do you make it convenient enough that people actually use it? On the enterprise side you might have a whole team of IT professionals, but on the consumer side you have ordinary people just trying to use their “smart” devices. So a consumer network module has to be built with user friendliness in mind, first and foremost.
People will always trade security for convenience. If it’s not convenient enough, if it’s not easy to use, if it somehow interferes with their daily lives, they will get rid of it. Our vision is that this product should be pretty self-sufficient in the sense that you install it, and it operates essentially on its own. If you wish you can look at it, check interesting stats about your network, configure it to your liking, but you don’t have to.
As the head of a global cybersecurity company, do you believe international cooperation among companies, nations, and law enforcement is important in stopping big threats like WannaCry?
From the perspective of running global teams and having people in various countries, I see government cooperation as still being very fragmented. For example, most countries in the European Union have their own agenda, their own nationwide authorities. There are some law enforcement agencies like the FBI and Europol that share some of the same cybersecurity goals, and those cybersecurity goals seem to go higher and higher up their list of priorities. But still there is very much room for improvement when it comes to cooperation between these authorities and the cybersecurity industry.
A new report from Avast Business shows many people avoid security updates because warnings that evoke fear are not effective. People have grown accustomed to scary warnings of what could happen if they don’t do this or that. Do cybersecurity experts need to do a better job of explaining threats and engaging people’s interest?
I would say on the consumer side that’s probably the case. It’s different on the enterprise side with companies, where cybersecurity has become a real necessity, like insurance, that everyone has to deal with in some way, because it’s a significant business risk. On the consumer side it’s something that many people feel they haven’t had a problem with yet, so it’s probably not going to happen to them. That’s a dangerous attitude; sort of comparable to not maintaining your car because it hasn’t broken down on you yet. So why change the oil or check the tires? You have to ask why people would rather not deal with it if they don’t have to, and some of that is due to the cybersecurity industry not explaining things to consumers. There has been fear-mongering, but that’s not useful. People want to know the relevant information, and if explaining that with a little more engagement works, great.
You have said that “computer safety should not be a luxury only a few can afford.” Does the spirit Avast was founded on – protection for the people – still hold true today?
The values really are our North Star that we can look at as never changing. Very few things in this world of cybersecurity are constant. Strategies can change. Tactics change all the time. The competitive landscape can change. You’ve got to have something that can always guide you. I think our values are extremely inspirational for me and the entire company. We’re very lucky to be in this industry where our work of keeping people safe around the world is so inspiring.
Protection for the people is really our mission. Integrity, transparency, and openness are among the values I’ll be talking about soon as CEO.
Look ahead 10 years. Where would you like to see Avast? Where would you like to see the global cybersecurity industry?
Right now Avast has about 15% of the consumer cybersecurity market. I want to see us own a lot more. We’re gaining market share from our competitors, and that’s inspiring. We need to keep driving that momentum.
More importantly though, as IoT evolves there will be many big opportunities. We need to capitalize on those opportunities culturally and operationally. We don’t want to just jump on the bandwagon. Any company can do that, but that’s not how you grow and succeed exponentially. We need to see the opportunities coming and be ready for them.
One of those big, game-changing opportunities – to protect consumers’ networks and not just their devices – is clearly already here. But when will consumers make the breakthrough in their thinking? That I’m not sure we know yet. Will it require a big hack or catastrophic event? I hope not. We have to explain the vulnerabilities better to people.
We have a researcher who has hacked a “smart” coffee maker many different ways. The point isn’t that a hacker could change your Americano coffee to cappuccino. That’s probably survivable, no matter how seriously you take your coffee. The point is that a device you use every day, that is an intimate part of your life, could become a gateway to your entire network, and allow attackers to grab the data from your entire online life. Explaining that is an educational process.
You’ve worked in cybersecurity since you were a teenager. What was the industry like then, and what were you like then?
I was around 12 when I started coding. It was, at the time, a really weird thing to do. These days lots of kids learn to code, and it’s a very cool and educational thing. But my parents had no idea whatsoever what I was doing. They just knew I was in my room doing snippets of code – and I don’t think they knew it was computer code, they just knew it wasn’t regular writing. Security was the first and foremost application of what I learned because it was the most interesting opportunity I saw to get a job.
Cybersecurity at that point was brutal because it was so easy to hack. Everything was unsecured. Computer systems assumed everyone was a friend. Hacks were done to show you could do something better than your buddies.
Do your kids have smartphones? As a parent, what’s your biggest concern about your kids getting online?
My kids do have smartphones. My youngest is 9, and the older kids do as well. I think smartphones are great for kids in many ways, but they absolutely are a double-edged sword. It’s excellent for them to get access to information, to be able to communicate. But the content they have access to all the time can be very not kid-friendly. On YouTube, you can be watching an educational video and be one or two clicks away from something very nasty. My approach has been to always try to talk to them about online dangers. I hope they know they can always come to me and ask if something is OK. My oldest is 14 and it’s not always easy. At that age kids don’t always want to check in. But as a result of our conversations, I believe he’s more rational and aware of what he does online. You have to spend a lot of time with your kids online and give them an idea of what’s happening, but you also have to give them some freedom, too. Better to prepare than protect.
You’re a fan of fine Italian wines. If you could drink a bottle of wine with two people from throughout history, living or dead, who would you share it with?
My biggest hero is Churchill, and drinking a bottle with Sir Winston would be interesting. Now he might be more interested in whiskey or something else, but still I think he would drink that bottle of wine happily as well. The fascinating thing about him to me is that all the odds were against him. No one else would have thought to pursue some of the strategies he did in World War II, which at the time seemed counterintuitive. But he was a good enough leader that he was able to energize everyone and get them on his side. He’s an example of someone showing great leadership during a very challenging time.
The second would be Sting, who actually became a winemaker in Italy, in Tuscany, with his wife as he wound down his music career. My understanding is that he plays his guitar in the village in the evenings and sings for the locals and they drink wine together. To me, that sounds fantastic.