Bio:
Luis Abreu is a seasoned tech entrepreneur who has successfully launched several startups, including Nmbrs, WallyLabs, Grappster, and his most recent venture, Cyver. As the CEO of Cyver, Luis is dedicated to developing innovative software solutions that enhance collaboration between cybersecurity testers and end customers, automate penetration test processes, and help security testers improve the security profiles of their clients' apps and services.
In addition to his entrepreneurial pursuits, Luis is also the author of "Vision to Value," a book that outlines the operational framework he developed over nearly a decade as the COO of Nmbrs. This framework aims to help tech companies scale effectively. Luis strongly believes in the importance of sustainable design, delivering exceptional products to users, and building both software and organizations on solid foundations.
Episode Summary:
In this episode of the "Ideate with Florian" podcast, we're joined by Luis Abreu, a cybersecurity expert and entrepreneur. We discuss the significance of penetration testing, the risks associated with data storage, and the challenges of managing multiple projects and allocating resources. Luis shares his experience of growing a cybersecurity company from a team of five to 120 employees and his inspiration for writing a book to help others. We also dive into Cyver, a platform designed for ethical hackers to manage projects and report to their customers. Tune in to learn about the latest trends and innovations in cybersecurity and ethical hacking!
Resources
https://www.linkedin.com/in/lfabreu/
FH - Hey. So welcome from sunny Portugal. We're talking to Luis this morning. Good morning, Luis.
LA - Hello. Good morning. Good morning indeed. It's very, very sunny here.
FH - Perfect. I can see it. We're doing video, and it's pretty sunny in the Netherlands as well. But you really look like you're in a sunny spot. And good on you. Good on you. And I understand that you're traveling between Amsterdam and Portugal.
LA - Lisbon yes, indeed, because I'm originally from Portugal, but I've been living in the Netherlands, in Amsterdam for many years now, around 15. But well, I definitely miss my home country sometimes, and especially in the wintertimes, I tend to go to the sunny places of Portugal.
FH - I can totally imagine. And what brought you to the 15 years ago?
LA - Actually, for studies, so I went to Delft University, to the technical university. So I did Erasmus program to finalize my studies there. And well, it should have been a one year journey, but it turned into a little bit longer stay, actually.
FH - Right. Because I've known you for, I think, since 2008. That's 15 years. And it's a little bit of a story, but that's a bit of an adventure, actually.
LA - Right, yeah, indeed, indeed. Because I was not planning to stay that long. And actually, when I went to study in Delft, I was in computer graphics, so not in the area where I'm currently at. So I really thought, well, in computer graphics, I could work in gaming, gaming industry, for instance. But at a certain moment in time, after graduating, I really felt that going to cloud applications was my thing and was also the future and was revolutionizing a lot of industries. So I really wanted to be a part of that. So I made a very quick jump, and that's when I then started to work for this Internet apps application in Delft that you are very familiar with Octavaland, where we were just building websites, web application, CMS for a lot of companies.
FH - And eventually ended up doing payroll.
LA - Yeah, indeed, indeed. There was one client who wanted something a little bit more or bigger than just a CMS, or perhaps it started as an online portal, but then, well, there was the need to have a pay slip being calculated somewhere in a back end. So that turned into a very big project eventually, that started a whole new company, a whole new product called Nmbrs Payroll.
FH - Right. So while you're working at Octaval and I worked at that company, too, I was one of the owners when you left. When I came, you left. That was sort of the story. I think we've seen each other at the office.
LA - Then we said exactly.
FH - That's where Nmbrs started. And then Nmbrs grew out to be one of the bigger payroll companies in the Netherlands, or what exactly is the functionality? How would you describe Nmbrs?
LA - Yeah, so Nmbrs is a payroll engine. So it's a Payroll HR cloud application where accountants and businesses can run payroll for their customers. And let's say the difference or the revolution there is that it was all about doing payroll together with their customers and with their employees. Because traditionally payroll was these type of applications that were done by the accountant, totally disconnected from everything else. Although it was very clear that all the data to process and manage employees was coming from the HR department. And the idea of Nmbrs was to connect, bring together those worlds, HR payroll fully connected so that in the end employees could be served better.
FH - And then you wrote a book about it?
LA - Yeah, kind of. So yeah, the book came actually a little bit later because for Nmbrs. So I started as the first developer, so with my technical background eventually grew to development managers. So we had our own team of developers that I was managing. Then I also took under my wing the customer support team. So I started to take more operational responsibilities within the company. So a lot about setting up teams, processes, et cetera. And it was mostly with the learnings of that journey of starting from a small company. And when we started we were perhaps around five and then we grew to 120 on the moment I wrote the book. And of course for me it was a lot of discovery, which I also to learn from it, I discussed approaches with a lot of other people on similar journeys from other companies, other entrepreneurs and let's say operating officers. And then there were a lot of patterns, a lot of similarities and that was kind of the motivation to compile everything into a book. All the techniques or a lot of techniques that you normally need to grow a company so that let's say a future me in a way, or for someone else who goes into a similar path could already sort of get sort of a quicker start.
FH - And did you write the book in anticipation of you leaving the company or is that completely unrelated?
LA - So the book was written on the moment in the company. I was doing both the technical part, so let's say CTO, and also the operational part COO that was not sustainable for the long run. So it was kind of in a moment that I had to choose one of those options to keep developing myself and I chose more the technical part because well, I thought that's more what I like, it's more my backgrounds. But I also see a lot of interesting stuff happening in this space that could bring a lot of new opportunities and that's when I decided to, let's say quit in a way the operational part. So the book was kind of the ending of that journey, right?
FH - And by the way, I will link to the book in the show notes so people interested in the book about how to run a software company can read all about it at a later stage. And we're going to talk about your current venture. Absolutely. Nmbrs was acquired both how would you describe that? By Visma?
LA - Yes, acquired.
FH - Indeed. How did that change your role?
LA - Let's say on the daily operations, not a lot of impact because so I kept being CTO of the company. So my, let's say, responsibilities just remained. Well, it's also the approach of Visma once companies are acquired to keep them working as is, whereas some corporates they acquire and merge, then all the departments are merged with other departments, things like that. In case of Visma, that's not really the case. So we just turn into a business unit, sort of an independent business unit with the same name, same team, everything the same. So that didn't change a lot. Of course from a more personal perspective to come from owner to an employee, that of course has quite some impact because then at least I see things from a different perspective. And at the end of the day you need to report to your boss and the boss of course has to report to his boss or shareholders. So the game becomes slightly different.
FH - Right. And that's perhaps a good moment to jump to your current venture. You now run a cybersecurity company from going from payroll to security.
LA - Exactly. Feels like a big jump. There are some connection points also maybe good to mention that meanwhile, from Nmbrs or between Nmbrs and Cyver of the current venture, I also started other ventures as well. So I always had a bit of the urge to start a new project or to explore certain ideas in the market. The other two ventures didn't turn into anything actually so we decided to actually really stop but came really great learnings from those. So also gave me more confidence to then start Cyver. To start yet another one. I felt just better equipped for it. The idea from Cyver actually came during my work at Nmbrs because I was responsible for tech everything that was tech related, including security. So I had to implement proper security profiles, security processes, vulnerability scanning, et cetera to ensure that the data of our customers was fully secured.
FH - To recap that a little bit, we talked about that the software that you run with Nmbrs is payroll software. So we're talking about people salaries, you're talking about very confidential data that this cannot be hacked, there's not an option.
LA - Right, exactly. So that was always one of the biggest concerns we had from a technical perspective was just to keep the data safe and of course the product is fully in the cloud. So that used to raise quite some questions regarding security data, location, privacy, et cetera, et cetera. So a lot of attention was going into that area.
FH - Does that make you a Pen test expert? Because your current company does Pen test as a service? Are you a Pen test expert because of your experience by Nmbrs or how would you...
LA - No, I would totally not consider myself a Pen test expert because my, let's say, introduction to Pen testing was from the customer side. So as CTO of Nmbrs, I had to hire what you call Ethical Hackers. So these really pen test experts that are able to hack, or at least they try to hack in any kind of systems. And that's a type of project you do to check your own security. So you really give them an assignment, as in, okay, try to hack my product and they will hack it, but they will not exploit it, they will not steal data. So they are the good Ethical Hackers, but they will explain you and tell you how they did it and how they can enter. Right? Yeah.
FH - So it's like hiring a burglar to burgle your building and then once he's in, it's like, I'm in, I'm in. And exactly you do it and it's like, well, the door is open and maybe you should put a lock there. Is that exactly testing?
LA - Exactly. That's kind of how it works. And in the past, these kind of projects were really that you would hire this special team and it was a bit happening under the table because the services was probably not as professionalized or streamlined as they start to happen nowadays. And that's when the idea for the Cyver platform comes into play, because once I was hiring these Ethical Hackers, there was really not a clear process or way for them to communicate with our team. And also at the end of the day, they were just sending a report with a lot of information, but hard to make it actionable for my team because once they have findings, it's very important to track if the findings have been fixed, and if not, why not. And the risk profiling. So that to have that whole sort of profile there.
FH - How is Cyver different from the competition or previous experiences? How do you work?
LA - Yeah, so what Cyver offers then? It's the whole platform for these Ethical Hackers to use so that they can manage the whole projects and the reporting together with their customer. So in the old days, Ethical Hackers were just using no specific tool for these and they were just writing these reports in Word. But of course, these reports nowadays have a lot of standardizations. There's a lot of compliance norms that you have to follow, there's a lot of findings that are repeated, so there's needs to streamline as much as possible. And of course, there's also way more demands from tech companies to have Pen test services so that they ensure that their applications are secured. So with all this happening, so the introduction of these cloud portals really starts to be super critical for cybersecurity firms to grow into the next level, to be prepared for these new demands of cybersecurity services. So actually, Cyver is very pioneer in this area, so there are some competitors in the space yet. But we are really exploring a whole new trend here.
FH - Because I can remember when we used to do penetration testing, that was really a thing. It was a complete project that you went on to select a consulting company and they would come in, spend three days, then charge you an arm and a leg. But penetration as a service almost sounds like something that is continuously running maybe every week. Is that where the industry is going to?
LA - Yeah, so it's going into that direction where you have these vulnerability scanners that are indeed running every day or running every week, but at the end of the day it's always the combination of that and the ethical hackers who are, let's say, very creative to come up with total new approaches of entering your application. Because the vulnerability scanners only scan or detect what was already previously found by someone. So they just automate certain checks that a human already found. And the beauty of penetration testing is that you combine both, but you also focus a lot in the manual part and of course it's also all about how much budget do you want to spend in a test. So normally when you spend less budget, there's more automation and less manual testing. But once you really want to be sure that there's no possibility for anyone to enter, then you normally also allocate more budget to it and then you will have a team of people really trying crazy stuff sometimes to enter. And crazy stuff can also mean not only technical things but also social engineering, really trying to enter the building to impersonate that they are a colleague from another company and want to speak with someone, things like that.
FH - Right, so you actually go on site. I heard that if you put on a reflective vest and you carry a letter you can get in any building, you just say, hey, I'm going to do maintenance.
LA - Exactly.
FH - Straight through the door.
LA - Right, exactly. Yeah, indeed. So it can be very broad as well. Mostly pen testing is on the technical aspects of the system, but it could also go into the organizational part, building security all that.
FH - Right. You mentioned that you did a few initiatives, startups while you were working at Nmbrs for Cyver. You made a decision to actually quit your job. So how is Cyver different than these other initiatives? What made you jump the ship?
LA - I think what I learned from the other initiatives was to spend more time on the early stage of, let's say, market fits, really market analysis, talking to people and really get a feeling for demand for a new product. I guess perhaps with my technical background in the previous ventures, it was more about, let's say, building a product that I thought, okay, this is a great idea and someone else will also use it like it for Cyver. The approach was slightly different. And that's why actually the first year of Cyver was just market research, just talking to Pen Testers, also being customer of Pen Testers, checking how they were doing the services, showing some drawings of how a platform could look like just to get their feedback if they would use or if they would feel the need to use such platform. Because that analysis had a positive outcome. So that gave the motivation to actually decide to invest in building a first version of the platform to really prove or to at least show them how it could really, really work.
FH - So you spent a whole year before you actually did the file new project and start building the software. Don't you get like antsy where you just like I don't want to get start coding. I mean, that's what the software engineers do, right? Holy restraint.
LA - No indeed. But for me it was not just about coding. So that was not, let's say, the reason why I started, but it was more as in so I really believe that in Pen testing customers are served better with this portal, much better than just getting a PDF report. They would rather go to a portal to see the findings, to click on the findings, to chat with the Pen testers, asking questions. So really to collaborate together. So I had a strong belief in that. So the motivation was mostly to explain or not convinced, but to explain or to show this vision to Pen Testers for them to become enthusiastic about it. And that was all done with slide decks, drawings, things like that. So actually the building parts that becomes indeed sort of okay, now we need to implement. So can we really prove it again so that they can really try themselves and give again positive feedback on it? It was more about that part.
FH - It sounds like you postponed the engineering part, the actual building part to as late a state as possible just to market validate first.
LA - Yeah, and that's an approach that we keep doing in the software development process because once you start building, there's always a lot of ideas for things that you want to build. But we always first try to have a very concrete use case and customer need before we decide to invest in a certain functionality. So there's always a business case behind every feature we build or every bigger functionality. There's always a business case behind right.
FH - And the investment is in money. But I also feel there's an investment emotionally that once you start developing a functionality, you start to believe in it and you create sort of a blind spot for the weaknesses of that functionality. Not sure if you recognize that.
LA - Yeah, I think I do. We try to start from the customer and also work the use case with the customer as well already to sort of set expectations together. So we actually spend quite some time on that, especially with bigger customers that have very specific needs. We just spend a lot of time just writing together user stories so that we try to align our mental models together as much as possible before building, so that building becomes more sort of an implementation exercise than a creative process on that moment because we tried to split it before.
FH - Yeah, there's still a lot of creativity necessary to build a kick ass product to actually implement it. But I understand, like you're saying, it's an implementation thing. Then.
LA - Of course, there's always the product design and the UX part, how it's going to look like. Of course, that part is done at a later stage for sure. And there's a lot of creativity there.
FH - Of course I can understand that you take a lot of lessons from Nmbrs to your new startup, but I can also understand that there's things that you do different now because you're with a smaller team. You don't have the financial backing of a multimillion dollar company. Can you just highlight a few of these changes that are most apparent to you?
LA - Yeah, so the funny thing is that, of course, Nmbrs was a much bigger company with way more resources, et cetera. But from the beginning, as was also a bootstrapped company and that concept was I remember that exactly. So of course, when you start, there's always something missing. But the funny thing is that once you are bigger, there's always something missing as well, because if there's continuous growth, there's new customers onboarding that you need to consider, maybe new use cases that you have to implement. But there's always a lot of commercial activities that you also have to take into account. So there's always more in the backlog than what your team can do in a reasonable amount of time and there's always more ideas than what you can achieve. So that part, I think it's very similar coming to Cyver because the feeling is exactly the same. Of course, everything is then much, much smaller. It's in a different stage. And I think for me, the part that is more or the new challenge, let's say that's more different, is that in Cyver I'm leading the entire company. So I'm also able to connect the commercial parts and the product parts together, while in Nmbrs teams were more, let's say, independent in a way. So I was more with the technical scope, of course, interacting with the commercial scope. But I see a lot of value of being more together with the customer, giving demos, showcasing the product, collecting feedback and then bringing that feedback into product development, into a more shorter line.
FH - Right. And you mentioned that Nmbrs was bootstrapped in the beginning. Later it was a larger company, I think you heard 150 employees, is that right?
LA - Yeah, around that size, indeed.
FH - And did you consciously foster the idea of being bootstrapped while the company was growing to that size?
LA - Yeah. So it was really a decision to not bring external investors to accelerate growth yeah, there's all kind of reasons for that. And of course, the fact that when you are full owner, you have also the whole flexibility and the freedom to make a long term plan, which we also thought that is more beneficial to customers in the end because, well, sometimes investors are looking to a shorter period of time and that could compromise, let's say, long term company growth, in my opinion.
FH - Right. And what's your approach for Cyver when it comes to this? Needs a big investment, of course, like every software company does. Do you plan to bootstrap again or are you looking to work with investors?
LA - So, so far it's been fully bootstrapped, so well, there's no other investors aboard. We are in the phase to see, to learn some cycles, sales cycles, development cycles, to see how the industry goes and the demand and to get a bit of a good feeling for the industry to have maybe better metrics or a better baseline. To know how much we would need to invest in marketing sales to get certain customers aboard. And maybe once that is more clear, then the question is, okay, so we know how much we put in and we know how much we expect to get out, then the investment decision or equation would be in place. But currently I find it too early because it can be quite unpredictable.
FH - Right, that makes sense. That makes sense. So you want to first see where you're going and what the metrics are and then see how investments actually accelerate growth instead of but you need to have some growth first, autonomously.
LA - Indeed, indeed. So, and that part of course, I had to invest in a venture and I did so because I also.
FH - Cut that out.
LA - What was the question again? Could you ask again?
FH - It's about the investment and that you want to postpone investors.
LA - Yeah. So of course to start this first phase I had to invest myself and I did so because I truly believe there's a future for this industry and there will be a lot of demand in this industry and we are in a very good position to grow there. But I also feel that as a company we need to have certain processes better in place or better optimized to think about growing faster. But I mean, so far very positive. So we are onboarding new customers every month and of course that validates the need for the platform. Also they bring feedback so we know exactly what to improve in the platform. So we are now in this sort of learning cycle because once we get feedback, we make it better, perhaps it's going to be easier to sell it in the future. So we are in that phase at the moment. So the company is growing for sure.
FH - Right.
LA - And then.
FH - These are always a bit of hard questions that I ask in my podcast is why is this your calling? Why do you feel that this is something that you need to do with your time. You could have stayed at Nmbrs, you could have done anything with your time, and now you say, okay, I really want to do this. Yeah, you mentioned market opportunity, but that cannot be the whole reason, right?
LA - No, exactly. I mean, I feel there's definitely something in cybersecurity and on the need for software products to be better secured because what we see is more and more we are exposing our data to other entities. We are storing data in servers that we don't know. I also see the complexity of the applications is increasing and that brings vulnerabilities that even teams that are building the software don't understand. And I experienced that also as a software builder in the past as well. Sometimes there are vulnerabilities that we don't even are aware that are there. So there are increasing risks there. So I think the combination of those risks and people putting more data in places that they don't really know where it's stored, I think it can bring a lot of impact to our society. So I would like to be in a place where systems are better secured. And I believe, I think that with Cyver, I feel I'm contributing for that. So I'm not an ethical hacker myself, so I'm not the one, let's say, finding, exposing vulnerabilities. But I hope that by making the work of ethical hackers better, more streamlined, they can serve more customers, they can serve them better. And with that, with the help of the platform, end customers can also solve the vulnerabilities quicker so that in the end we all have more secured software.
FH - Right, that sounds like a very good reason to get out of your bed and do your best work.
LA - Exactly. To avoid the data leaks.
FH - Yeah, and I can attest to the fact that software is getting more complex and like you said, we don't know what we don't know. As a software developer, you do whatever you can to keep data safe, but if you don't know about vulnerabilities, you can't code against that.
LA - Exactly. And that's why at the end of the day, you do need external teams to check what you don't know. Because I guess as humans we have a bias to focus on what we know and a bit of a blind spot for the unknown unknowns, if you get what I mean.
FH - So just to conclude that Cyver. So you do cybersecurity, the penetration testing, what exactly is your business model? How would you define your business model? Where do you make money? Where do you have your costs?
LA - Yeah, so the business model is it's pretty simple. So we sell the product to cybersecurity firms that are doing pen testing themselves.
FH - Okay, so your client is a cybersecurity firm.
LA - Exactly. So they use our product fully white label so that they can render their services in their own branding. And then we have three flavors of the products. For smaller teams we have the starter plan or medium teams, we have the professional plan and for, let's say bigger companies, the enterprise. So it's a monthly base model and basically the difference is the feature set on the different plans.
FH - So if I run a small Pen test firm and let's say I've got 20 people working with me, would I be on the starter, would I be on the professional?
LA - So 20 people would be already on the professional. So the professional is designed for teamwork already within cybersecurity firm, whereas the starter is more for either freelancers or very small teams, maybe team of two people, three people that are just working together to do Pen testing.
FH - Right, and then your software would help me become more professional towards my client. The eventual the software developers themselves.
LA - Exactly, yeah. Because if you have a team of 20 people, probably you are doing hundreds of projects per year. So that means that you have to definitely manage the different projects, manage the customers as well. Allocate people Pen testers into the projects and of course reduce as much manual work as you can, mostly on the report generation part. That normally takes a lot of typing. So with our tool, we try to optimize that as much as possible with all kind of functionality that you can have libraries of content. But also the latest experiment we did with Chat GPT, where wouldn't you see a TTP today? Exactly now. But we thought, well, at least people can generate parts of the report, at least as a starting point, and Chat GPT can do that. But of course it's all about checking the quality at the end because the quality is what you bring to the customers and it's about informing customers really well about the vulnerabilities and the risks and how to solve.
FH - Right, so you're not cutting out the middleman. It's not like you as a software vendor sell directly to other software vendors. No, the middleman, the Pen tester stays there. And the word that I take out of this interview is the word creativity. Because you need the creativity of that middleman, if I may use that word.
LA - Yeah. So that's something that I strongly believe. I mean, as we discussed before, I do see the rise of the vulnerability scanners. And I'm not against vulnerability scanners. I encourage teams to implement vulnerability scanners as well. The thing is that vulnerability scanners will only check for known issues and then Pen testing. It's sort of a next level where ethical hackers will really try whole new things to come up with vulnerabilities that you could never think of and those ones are normally never caught by vulnerability scanners.
FH - Right. That makes a lot of sense. Luis, as a closure of this episode, is this something that our listeners can help you with? What are you looking for? Is that a call to action that you want to bring out to the world?
LA - Yeah, I think your audience has a lot of entrepreneurs as well. And, of course, well, this journey, it's a lot about collaboration, a lot about exchanging experiences and best practices. So I would be very glad if someone would, after listening to this interview, perhaps give some tips or give some directions or share some knowledge that could be interesting to know. So that would be a lot of value, for sure.
FH - That's great. That's a great call to action just to, as a community of entrepreneurs, help each other grow. And I will leave your contact details in the show notes. So if you're listening to this, if you're interested in getting in touch with Luis, go to the show notes and you'll find his contact details there. And with that being said, I want to thank Luis. Thank you very much. It was a wonderful half hour to chat with you. Thank you. Thank you. I hope you had a good time, too.
LA - Yeah, indeed. It was wonderful. Thank you so much for the invites. And it was a pleasure having this interview.
FH - Okay, hope to talk soon. Again, thank you.
LA - Thanks, bye.