In this episode of Cyber Thoughts, Lucas interviews Maxime Lamothe-Brassard, the founder and CEO of LimaCharlie, a Lytical Ventures portfolio company. Maxime shares his journey in cybersecurity, starting from his time at the CSE, Canada’s national cryptologic agency, through his stints at CrowdStrike and Google, and founding LimaCharlie.
Welcome to the Cyber Thoughts podcast, where we explore the world of cybersecurity through the eyes of practitioners and leaders in the field. In each episode, we invite a guest from the world of Infosec to share their insights and expertise on the latest trends and developments in the cybersecurity market.
Whether you're a seasoned Infosec professional or just starting in the field, this podcast is for you; our guests will provide valuable insights and perspectives on the challenges and opportunities facing the Infosec market.
Join us as we delve into the world of Cybersecurity and learn from the experts on the Cyber Thoughts podcast.
[Lucas] [00:00:06]: Hi, welcome to Cyber Thoughts, the podcast where we explore the market of cybersecurity through leaders in the field. Today I'd like to welcome Maxime Lamothe-Brassard, the founder and CEO of LimaCharlie, one of Lytical's companies. Hey, Max, how's it going?
[Maxime Lamothe-Brassard]: Hey, really good, thanks. How about yourself?
[Lucas]: It's awesome. It's a great day in New York. It's a little rainy but otherwise lovely.
[Maxime Lamothe-Brassard]: Nice to hear.
[Lucas]: So why don't we start out with origin stories? How did you get into cybersecurity?
[Maxime Lamothe-Brassard]: Yeah, so I got in cybersecurity right out of university. Cybersecurity is the only thing I've ever done. So as a background, right, I don't have sort of one of those interesting stories where like, I was a lawyer and then I totally changed everything. So right out of university, I got in security by working for the Canadian government, a place called CSE. It's okay. Nobody's ever heard of it. It's the NSA in Canada. Even Canadians have never heard of it. So worked into Five Eyes, I guess I kind of lied. I started as a Java developer internally in university when I did my work terms. But as you can imagine, you know, if you're like, I was working on stuff like parking web apps. And so you work for the NSA building parking web apps, parking management. Like, I didn't want to keep doing that for long. It was just too attractive to explore all the other cool stuff being done. So I approached the person doing all the work terms and really pushed for a couple of work terms to be able to get into the cool groups. And I got in eventually. And it was. It was really like a, you know, a mind blown kind of moment, because I, you know, I'd really found the green field kind of space where I could just go wild. Uh, you know, I was able to, I didn't know anything about security. I didn't know anything about like low level, you know, development or reverse engineering or any of those things. And it was pretty much just like thrown in the ocean and told like, just go wherever you'd like and do as much as you can. And I was told like, actually, whatever you do, it's not gonna be used. So we're just evaluating what you can do. So for me, that was like the perfect thing. So I did a ton of crazy stuff over kind of that winter. And yeah, it was clear from that moment on, this is where I kind of belong. And so...
I worked there for several years, did a bunch of things internally, did some operations and development, some more CI type stuff, lots of amazing stuff. And I kind of reached a point where I didn't know at the time, but now hindsight to kind of learn to learn yourself. And I've always been a very much an N plus one kind of person. And so I found like, okay, I can feel the envelope of being in the government here. I want to go and kind of expand a little bit the scope of what I'm working on. And so I moved to CrowdStrike. So I was back in the early days of CrowdStrike, like pre-product.
[Lucas] [00:03:51]: How many people were there at that point?
[Maxime Lamothe-Brassard]: About a hundred people. Yeah. So it was like, it wasn't the tiny, tiny company, but it was not the juggernaut that it is today. So I did a bunch of architecting of the yearly security operation center, which was kind of a buildup from a lot of things that I'd done in the government around counter CNE, so detecting the bad guys.
[Lucas]: For those of us who don't know, CNE?
[Maxime Lamothe-Brassard]: Computer network exploitation.
[Lucas]: Beautiful. Breaking into stuff.
[Maxime Lamothe-Brassard]: Yeah, it's like, it's looking and detecting other hackers, nation state hackers, not directly for the purpose of like defending the way the blue team does it, but in the similar way as traditional counterintelligence would do it, right? So from the perspective of understanding that opponents and their technology and being able to see where they're going and what they're doing, what their intent is, all that cool stuff. Fascinating. I mean, yeah, government, there's some downsides to government, but the mission is by far, you don't get quite that anywhere else. So yeah, early CrowdStrike eventually made my way again, kind of an N plus one-ing. And made my way to Google internal security. And that was fascinating. I mean, it's kind of like sort of like a government in many aspects. So a really large organization, but a caliber of people. I mean, government is really high caliber throughout my career, everywhere I've been. But at such a large organization to have the caliber of people there, especially internal security, Google was very. Um, it was not surface, right? Like people after, I mean, after the, what was it? The Aurora?
[Lucas]: Aurora, yeah.
[Maxime Lamothe-Brassard]: Big incident, you know, in circa 2001, I want to say maybe it was later. I jumbled the dates, but I was after that.
[Lucas] [00:06:10]: I was going to say, I think Aurora is like 2009, 2010, because I was at Adobe for that. And so I think for that it’s 2010.
[Maxime Lamothe-Brassard]: That makes more sense, yeah.
[Lucas]: But yeah.
[Maxime Lamothe-Brassard]: Yeah, yeah, that's gonna be it. So they learned their lesson and they were like pretty deep into that stuff. So that was really cool. And got a bunch of experiences, honestly, that again, in hindsight were pretty important for me in what I did later on around evaluating products for the use of Google internal security and all that stuff. And while I was there, I heard about a thing that was getting started in Google X, which at the time, I'm super vague about it because at the time it was this vague, it was, I kind of got in touch with them and it was like, hey, Google X does moonshots. We want to do a moonshot in cybersecurity. That's it, like that's the scope, that's the mission. So I was like, as soon as I heard about that, like, yep, all in. So I joined them, that was Project Lantern for a good one or two years before it pivoted into, or in X terms, it's like graduated, it's graduated as Chronicle Security. So that was also a very fascinating experience where, you know, you're kind of a sort of a startup within Google, but you know, you start off with 40 million in like, in funding, so it's not quite like the startup, so it's this weird like, weird environment. So that was really cool. And that's the point where I decided to go and kind of start something. Sorry, I feel like maybe I'm getting ahead.
[Lucas]: No, no, you're fine.
[Maxime Lamothe-Brassard]: Happy to keep going.
[Lucas]: No, you've served up on a silver platter. So OK, so you're at Google, and you decide you want to start your own thing. You hit yourself in the head. What made you think, hey, I want to leave the safety and security of Google to go start my own company?
[Maxime Lamothe-Brassard]: Yeah, security has a bunch of different weird functions, limiting functions around what it does. And part of the ideation that we'd been doing at X was, hey, how do we go beyond that scope? And a lot had percolated for me at that point. You know, I had built an open source EDR. So EDR is endpoint detection and response things like Carbon Black and CrowdStrike, that type of tool. Um, it's something that I've done many times in the past in my career. So, um, I had that in my back pocket and Chronicle was graduating, which meant kind of a big shift in like how things were, you know, would being done. And like even as simple as changing contracts and all that stuff. And I felt like, okay, it's my N plus one moment. There's only one plus one left out there and it's starting a company. And I was at the point where in my career, I'd done a lot and I really felt like I had to go and do something that had the potential to have a really, really, really large impact. Nothing's ever guaranteed. It's not like, hey, I have this billion dollar idea. It's a sure thing. It was a lot more around, you know, I'd been, I don't know, I can't count the years, but many, many, many years at that point in security, I'd seen a bunch of different environments. I could feel that there's a lot of legacy still in cybersecurity. There's a lot of people doing things the way that they'd been doing it for the past 20 years. And some things had changed, but a lot hadn't, especially in the vendor space. I kind of mentioned, you know, while I was at Google, this kind of review of like EDR, so endpoint detection and response vendors that we were looking at for Google. And everybody was just selling the blinking red light that I like to call it, right? This like, hey, this is a tool. You just give it to whoever and now they're fighting the Russians, like, prevent everything magically.
And I was like, I knew at that point enough to know that for most people, it's kind of BS, but, and especially for somebody like Google. So I was kind of seeing all of these points that were just telling me like, yeah, there's gotta be something that can be done. And if I'm going to spend, you know, the next X number of years, I might as well do it for something that could. Yeah, I hate the cliche. I hate it. But like not change the world, but like change security fundamentally. That's really what I'm, what I'm in for.
[Lucas] [00:11:15]: Okay, so this is perfect because we've touched on it, but what is the idea of LimaCharlie? And then what gave you that idea? So you wanna do something different, you wanna fundamentally kind of break things and start new, but give us the meat of that.
[Maxime Lamothe-Brassard]: Yes, so the meat of it is this realization. Again, it's not really like a single aha moment I can point to as much as a lot of experience and then getting at the point when you're starting something where you really start to do that introspection and like looking at a macro level what's happening. And the realization was that in security, everybody is reinventing the wheel to a very, very, very large extent. A lot of innovation is necessary, a lot of innovation is happening, but there's a lot around cybersecurity that isn't innovation anymore. The industry has learned and matured a lot about the types of tools that it employs. It just, I could see the wasted effort by a lot of people, a lot of like really, really bright people reinventing the wheel. So, you know, starting a new company or, or just building a security posture within an organization and rebuilding a ton of different types of systems that had been built a hundred times before. Um, seeing new vendors pop up and, and, before getting to the point where they could really innovate, they had just so much work to do to go and like, our first example was EDR was an agent, right? Like having an agent, everybody hates the number of agents that they have. And so, you know, you're a startup, you kind of had to go and reinvent that. If you were an enterprise, you had to go and see a bunch of different vendors, each vendor pretending that they're the end all be all, they have the secret. ML, blockchain, AI, silver bullet to do it all. And in reality, I, at that point, I kind of knew that a lot of like things like the EDR really aren't secret sauce anymore. So why is, why was that happening? So very specifically that was happening because those vendors that did have those technologies were treating it as a silo, right? You just had a bunch of products that in my mind, at this stage of maturity in the industry, shouldn't be products and companies, they should be features.
So if you're a new company, you kind of had to reinvent the wheel because every other vendor was just, you know, putting a price point on what they were building and kind of this, the silo, this walled garden. And so that's when I kind of had this realization that, um, what would fundamentally change the equation of like the, the, the bedrock of a ton of feature not features, but, but products and capabilities and security was this idea of having a cloud provider type of field or type of company for the fundamentals of cybersecurity. And what that meant was we started with EDR because we had an EDR in our back pocket, but it was this idea that, look, we're going to break all assumptions of 99% of vendors in that space. We're going to build a cloud provider. And what that means is, you know, everything is API first and self-service and OEM friendly and bill per usage, which right there, like we're not even talking technology, but right there was different than 99%. And by having this fundamentally open public cloud, you know, public infrastructure with those characteristics, every product that we put on top of that, every primitive or capability is now something that a huge number of people can use and can use in a way that's compatible for them. So, you know, some startups are able to build their products on top of what we do. And we have companies that are growing, right? They're not like three guys anymore, right? It's like they have a security team. They know what.
[Lucas]: Very, very cool.
[Maxime Lamothe-Brassard]: That's kind of mine.
[Lucas] [00:16:53]: All right, so I'm going to take you in a different direction. You're clearly a very technical founder. I've got to watch your progress. But how do you go from having a product to the sales side of the house? Get that first set of revenue and then build it up to where you are now.
[Maxime Lamothe-Brassard]: Yeah, I mean, yeah, for a technical founder, at least talking about my experience, that's the challenge, right? The way that we did it is, I guess the first kind of broad statements about it is, we had a vision, so we knew where we were going, but we knew that there was no straight line to this, right? Many years, well, many, it's not that long ago. When we started, if we ever talked about that vision, we would just get a lot of blank stares for people. It was just too different to say it was too different to be kind of a quick understanding. And the product wasn't there. Meaning we had this EDR, that's where we started, it was our EC2, right? We had this EDR as like a primitive in a cloud type environment, but it's not super clear. You're not a cloud provider yet if all you have is one primitive. So we wanted to be really careful about growing into that vision and really, really avoiding all the side quests. Meaning we've had so many people over the years that we talked to that were like, hey, this thing is really, really cool. You should go and make this really easy for level one analysts to go and do this and that. And kind of bringing us down a side quest, like a road, a different road. And fundamentally, our statement was always the pot of gold is in the big vision and we need to become this cloud provider. And to do that, we have to be careful not to kind of go into a different pigeonhole. So we started early on with less customers, but customers that were really, really, really good fit for what we were building. So that was a lot of really technically deep companies and users that were using the EDR. And they were happy to have this really, really tight feedback loop about the product. So again, it's not like, hey, we did everything every user ever asked for. But it was this ability to just really quickly go from, oh yeah, you're trying to do that. It really fits within the vision where we're going. 
We're just gonna do this right away and turn it around in a day. And that really made a lot of fans of what we were doing. And we had this great relationship with really technical people in the industry that had the right type of influence that we were looking for. So we kind of grew it that way initially. And then we reached a point where, yeah, that doesn't scale anymore. Right. It was a point where we had to, you know, I would say I would describe it as level up, uh, the, to have salespeople. Um, and, and I say salespeople in the widest possible definition, um, having somebody whose job it is to go and increase sales in one way or another. And for us, what that meant wasn't so much like, hey, we're going to hire a bunch of cold callers and go and do that, because we're such a technical product. We didn't have the reputation yet to really be able to go and do top down. We're engineers, technical products. So doing top down, going to talk to CSOs, it was a really, really hard thing. We had a ton of inbound. So we hired somebody to do demand gen. Somebody to kind of oversee the sales engine, so CRO, a solution engineer. And so for us, that level two of sales is this idea of leveraging a lot of the product led growth aspect to what we do, meaning inbound self-serve, OEM friendly, scale up, scale down, like those are all great things if you're trying to do PLG. So leverage that top of funnel. And then instead of reaching a point where we're going to go and do really, really hard sale and, you know, let's do a three year contract and negotiate for a month, it really transforms into us having a discussion with people that already know what the product is. They already like it. And now we're advising them on how to transition the whole company, having those higher level discussions with guidance around what's the best way of architecting, how they're using the product, all that kind of thing. So for us, that was really powerful and it kind of really leveled us up.
[Lucas] [00:22:07]: So, you kind of last on this starting a company thread, what surprises you the most starting your own company?
[Maxime Lamothe-Brassard]: Um, I think it's the depth of, uh, the depth of what it means to do of the whole business side of the business. Um, as an engineer, right? Like I kind of started out with these assumptions that the product has started complexity sale is going to be sale. You know, you get people like, you know, that's a well-known process and there's kind of a couple of ways to go at it, but it's pretty simple. And really what I found is there's as much complexity in how you approach sale, how you approach the go-to-market motion, how do you drive different optimizations, like business optimizations for different people and structure pricing and all that stuff is, that's where I'm learning the most these days.
[Lucas] [00:23:14]: Awesome. All right. So kind of in the back section, I'm going to ask you questions that are generally for the InfoSec community. So if you're new to InfoSec, what resources do you love?
[Maxime Lamothe-Brassard]: Um, I think it will depend a little bit on the side of InfoSec that you're attracted, that you're most attracted to. Like if you're into like policy stuff, I'll be honest, it's not where like my background, so I suspect that it won't be as relevant, but I think, um, still Twitter has a lot of great threads for you to pull, right? Um, starting to follow, good people in Twitter space and whatever they post, you know, interesting articles, a lot of rabbit holes that you can go down. The other one is Sigma. So Sigma is an open source community, community slash project slash rule set. So there's a lot of security rules. And the advantage of that is that it just, it just opens up the hood. For people like you've never done security, you don't really know what it's like to look for bad guys and bad behavior and interesting and weird things. This is everything in as like rules and you can inspect those, you can understand them, you can deploy them to many different types of tools, including what we do. And I think that's really valuable to get to bare metal really fast. One of the dangers nowadays with so many tools is to just learn a tool. And I would argue that it's really important to understand the fundamentals and then whatever tool it's just, it's icing on the cake after.
[Lucas] [00:25:01]: Okay, so rapid fire here. What's your favorite book and why?
[Maxime Lamothe-Brassard]: Um, so I have probably two very different ones. So one, I actually haven't finished yet, but it's already, it's already probably my favorite fiction. Uh, and that is “Speaker for the Dead” uh, in the, in the like Ender's Game.
[Lucas]: Orson Scott Card? Yeah.
[Maxime Lamothe-Brassard]: I believe so. Yeah. Um, it's just, that's my kind of, uh, of sci-fi kind of taking fundamental concepts and exploring how they translate into humanity and space travel and all that stuff. I love that. The other one that I just finished reading which is totally different, but for me has been eye-opening is “Play Bigger”, which I forget who's the writer, but look it up. One of the very very rare business books that I actually really enjoy. I think there's a lot of like, hey, here's the recipe and at some point you realize there's no recipe. But I think those guys kind of really build up like a case around the category definition and for me that really resonated. So I enjoyed that a lot.
[Lucas] [00:26:14]: All right, I got homework. It's one I haven't read. Finally, what's your favorite information medium? How do you like to learn?
[Maxime Lamothe-Brassard]: Um, I think for me right now, that medium is actually audio book, not as much because of the medium itself, but because of the, uh, the place that it can take in my life, meaning, um, you know, I work a lot, right. Um, I've discovered that I can't, I can't really like read on a computer screen or do things that are like too stimulating before bed kind of thing. So I've gotten into that point where it's got to be a downtime, you know, before bedtime. So I'm able to just do that, put it on, you know, lay down somewhere and kind of absorb it in a really relaxing way. So that's why it's really filled that niche really well. And it's, it's very effective.
[Lucas] [00:27:11]: Awesome. So to end, any plugs you want to add, what do you got going on that other people should know about?
[Maxime Lamothe-Brassard]: Oh yeah. I mean, I think there's two highlights that are pretty cool that we're doing that are like super accessible for anybody. So one is we started a podcast a little while back. It's the kind of podcast I like to listen to. So I'm very happy about where we ended up going. So it's kind of a mix of good technical, but as well things like hacker history, which I love war stories. It's a really good podcast. It's the Defenders podcast. The other one would be, we are starting a conference. So we kind of realized that there's a bunch of security conferences for a bunch of different things, but there wasn't something that kind of fit well with the way that we think about the industry, which is we have a big focus on security, like an engineering approach to security, an innovation-specific approach. So we started a conference called Mission Control. So mssnctrl.org.
[Lucas]: Great name.
[Maxime Lamothe-Brassard]: Yeah, yeah, I really like it. I'm a big fan of like space exploration. So that's awesome. So yeah, it's gonna be a really interesting conference. It's gonna have a different kind of spin around innovation and kind of, you know, the n plus one that is the core of what I do. So, yeah.
[Lucas] [00:28:47]: And what was the URL for that one more time? I'll make sure to get this in the show notes too.
[Maxime Lamothe-Brassard]: Yes, mssnctrl.org.
[Lucas]: I'll put it in the show notes, no worries.
[Maxime Lamothe-Brassard]: Thank you.
[Lucas]: Well, Max, thank you for taking the time to be with us today. We really appreciate having you here.
[Maxime Lamothe-Brassard]: My pleasure.