The Future of Cybersecurity Brought Me to Comcast
Comcast Technology Solutions is proud to announce that Nicole Bucala has been brought on board to lead our new Cybersecurity business unit as its Vice President and General Manager. We asked Nicole to share the reasons why, as a cybersecurity leader, she made the choice to join us – and to set the stage as we bring Comcast’s scale and innovation to bear for the security needs of industries around the world.
By: Nicole Bucala | VP & GM, CTS Cybersecurity
When I was approached to join Comcast last summer to lead its new SaaS enterprise cybersecurity business unit, I was both skeptical and intrigued. Skeptical for the obvious reasons: there aren’t many stellar success stories about a diversified global conglomerate getting into enterprise cybersecurity, which is a complex and challenging market. Yet at the same time, Comcast was approaching its foray into enterprise cybersecurity in a way I hadn’t seen anyone try before. Comcast was, in fact, choosing to bring its own chief information security officer’s (CISO) inventions to market. This meant that Comcast was commercializing proven, accepted product concepts in use by experts, internally, and at scale.
Why did this scream out to me as powerful? Well, for those of us who’ve sold security to Comcast before, we know their security organization is staunch. The stakes are high when trying to secure critical infrastructure at scale. Staffed with over a thousand security professionals, Comcast builds many of its own security technologies to cater to its size and scale, as well as to address the advanced threats and increasing regulatory scrutiny it must withstand. In addition, Comcast is a Fortune 30, highly profitable company that has a substantial, wisely allocated security investment profile. So, anything built internally has to improve security efficacy, work at Comcast scale AND be cost-effective enough to save the organization money overall – a key value proposition that can immediately differentiate a commercial security offering.
At the time, I was employed at Zscaler, in charge of building innovative partnerships with the largest global conglomerates, which entailed designing and launching Zscaler’s zero trust innovations to the forefront of the next major adjacencies: 5G, operational technology (OT), IoT, and application security. I was working at the fastest growing public company in cyber, leading a phenomenal team, working for incredibly inspiring executives, and I had zero intention of leaving. Yet, to the surprise (and perhaps caution) of many around me, I made the leap, and I don’t regret it.
Here are five reasons why Comcast is poised to win in its new adventure, and I consider myself fortunate to be a leader of this amazing team:
- The solutions we are commercializing are imagined, designed, built and used by Comcast itself. I have been surprised to learn that this translates to a solution that both saves an organization money and can be sold in a differentiated manner. Comcast is a financially driven company with a high bar for the effectiveness of its technologies; so for any internally built solution to survive, it has to be efficient and cost effective at scale. In addition, from a commercialization perspective I’ve found that practitioner-to-practitioner conversations are naturally laden with inherent trust. When we are talking with the CISO of another Fortune 100 company about our solution, we are able to get to a much more ‘real’ level of talk, faster, when compared generally to customer calls I attended as an employee of a pure-play cybersecurity vendor. There’s a simple reason for this inherent trust: When you’re a practitioner looking to help other practitioners, you have a grounded level of understanding in the pros and cons of the solution you’re discussing. You know the essence of the pain points it addresses. You know, with precision, the outcomes you saw. And yes, you have experienced issues with the solution, because nothing is perfect – and you have resolutions to them that worked. What this means is that other practitioners can trust that your knowledge of the solution is accurate and pertinent.
- Comcast’s solution is a novel architectural approach that solves a long-standing pain point for security and compliance teams. The proposed solution is solving a problem I’d seen vendors try to address, unsuccessfully, for years: the desire to centralize security, compliance, and business data neatly, sorted and combined elegantly in a single place, from which insights could be derived and actions taken. Back in 2019, RSA Security’s annual industry conference had a theme of Business-Driven Security. That was also the first year that Extended Detection and Response (XDR) became a “real thing.” Vendors had dreams of combining enterprise and security data and controls to create a single source of truth and single pane of glass for investigations and compliance assurance, replete with business-oriented risk analytics for C-suites and boards. It’s now 2022, and XDR still hasn’t caught on the way practitioners hoped. I had seen other companies try to create similar solutions to the problem, but they were unable to identify an architecture that didn’t skyrocket the storage costs, or were unable to make the product reliably scale for Fortune 50 accounts, or the system was “closed” such that only certain security personas could use it in prescribed ways. And so, I was delighted to see that Comcast had figured out an elegant new scalable, open architecture that saved money, while also being built on all the latest cloud-based tech.
This cloud-native platform was a new class of tech: a security, risk and compliance data fabric platform. It sat between a customer’s data sources, data lake, and analytical tools, achieving a true decoupling of security & compliance data ingest, from data storage, from the analytical layer. It ingests and transforms data such that a compressed, normalized, enriched, and time-series dataset is stored in a single data lake, in a way that reduces your SIEM costs by at least 30% and yields detections 3x faster. With approximately 100 data feeds from the top security and compliance tools today, protecting an enterprise with ~150K workforce, millions of endpoints and saving $15M+ in costs, the Comcast solution was proven to have profound impact in several ways. For a company with a huge amount of data to contend with, this single invention has changed how Comcast does security, for the better.
- Comcast offers a proven model for commercializing in-house inventions. The new cybersecurity business unit is housed in Comcast Technology Solutions (CTS), the division within Comcast that takes internally developed technology and makes it available to other enterprises. CTS has successfully commercialized several other internal inventions, including those in content and streaming, advertising, communications infrastructure, and other technology. CTS offers its business units much flexibility and autonomy, which means that as the leader of the cybersecurity BU, I’d have the ability to set up new sales channels, billing and payment methods, and bring on new types of roles and talent.
- Comcast offers excellent security career development. Believe it or not, I considered the chance to work with a large team of security practitioners to be a rare learning opportunity for someone whose career was largely on the commercial security vendor side. For years, I’d worked at security vendors who’d revered CISOs, trying to understand their motives, desires, anxieties and doubts… but never had I worked directly with one or one’s team closely over an extended period of time. I also had hired a few leaders in the past who’d worked as SOC analysts early in their careers, and saw they had a really grounded orientation around security products that everyone else on the security vendor side seemed to lack. By being embedded with practitioners, you simply get a better innate sense of the real problems, and can discern which security innovations will provide lasting value. It eliminates the element of guesswork that, no matter how many customer conversations you have, is otherwise unavoidably part of the product development process at traditional security vendors, unless you are also a stereotypical customer yourself.
- Passion, and the benefit of being naive. The employees at Comcast who are working on commercializing this offering are without a doubt, by and large, some of the most passionate people I have worked with in my career. There is often a stereotype that employees of big companies work 9-5, but I have found the opposite to be true at Comcast: everyone is routinely working at all hours of the day to make this program a success. I can’t remember who said it, but there’s a famous saying out there that passionate people almost always succeed at their mission. They almost always achieve more than someone who lacks passion. Furthermore, the fact that Comcast is newish to selling SaaS security solutions to large enterprises is, in many ways, a blessing. The battle scars of “experience” can sometimes be a negative: they can cloud judgment, cause risk intolerance, and dampen innovation. Grit, determination, and a willingness to learn can almost always make up for a lack of experience.
Over the next year, we have set some really exciting and daunting goals. We are launching a Generally Available first version of DataBee™, along with iterative releases every few months. We are going to build our brand in enterprise security. We are going to sign some fantastic strategic design partners. We will build relationships with strategic technology and go-to-market partners. I’ll be building out my team of product development, marketing, sales, business development and operations professionals, and I would be very excited to bring along some of the top talent in cyber. Feel free to contact me if you want to learn more about how to become part of the amazing team here at Comcast!
Upcoming virtual event: Top 5 Predictions For the Future of Security Data Lakes Webinar
In the past year, security teams have had to endure many new cybersecurity challenges—from managing hybrid work environments to sustaining major ransomware attacks, catastrophic vulnerabilities, and supply chain risks. As an industry, we must take a step back and look at these challenges from a different angle. We should rethink the technologies and data architectures that are in place today to understand why they are no longer serving their purpose.
Interested in joining the CTS Cybersecurity team? We are hiring for the following roles.
United States Based Positions
India Based Positions
Software Development Manager:
Development Engineer 4:
Development Engineer 3:
SDET Engineer 3:
Learn more about DataBee™ Platform.