Episode 059 (Season 3)
April 30, 2026

What Happens When CEOs Ignore Cyber Risk in an AI-Driven World

with Brian Cute, Global Cyber Alliance

Cyber risk is compounding faster than most CEOs realize. AI is accelerating both capability and exposure—and the cost of delayed decisions is rising.

Cyber Risk Has Moved to the CEO Agenda—Whether It’s Acknowledged or Not

Cybersecurity is no longer a technical function that can be delegated and revisited later. It is a compounding business risk that sits squarely at the CEO level.

What makes this difficult is not lack of awareness—it is prioritization. Most CEOs understand cyber risk exists. The failure point is that it consistently loses to more immediate pressures: revenue, hiring, product delivery, capital.

Brian Cute’s perspective reframes the issue. The risk is not static. It is accelerating—driven by AI, global coordination among attackers, and increasing system complexity. That changes the decision calculus. Delay is no longer neutral. It compounds exposure in ways that become harder to unwind over time.  

The Pressure Comes from Two Directions at Once

The challenge CEOs face is not just external threat escalation. It is the interaction between external acceleration and internal decision behavior.

Externally, cybercrime has evolved into a structured, global system. As Cute puts it, “cybercrime has become transnational organized crime.” The actors are coordinated, economically motivated, and increasingly efficient.

AI has changed their operating model. It lowers cost, automates execution, and increases success rates. The shift is not incremental—it is structural. Attacks are becoming scalable in a way that mirrors how technology companies scale products.

Internally, most organizations are not structured to respond at that pace. Cybersecurity is still treated as an IT responsibility, not a core business risk. That mismatch creates a gap—and that gap is where exposure accumulates.

The Core Decision Failure: Lack of Strategic Focus

One of the clearest parallels between Cute’s leadership experience and scaling companies is not about cybersecurity directly. It is about focus.

In his transition to CEO, Cute recognized a pattern:

“We are too many things to too many people.”  

The organization had built meaningful capabilities across multiple fronts. The issue was not quality. It was coherence. Without a clear, narrow value proposition, execution fragments and external stakeholders struggle to understand where to engage.

This is not unique to nonprofits. It is a common failure mode in scaling organizations. When the environment becomes more complex, the instinct is to expand—more initiatives, more responses, more coverage.

That instinct creates the opposite of resilience.

Focus is not reduction for its own sake. It is the mechanism that allows an organization to act decisively under pressure. Cute’s reframing was direct: narrow the aperture, define the value proposition, and align the organization around outcomes that can be clearly delivered and funded.  

Strategic Lever 1: Treat Cybersecurity as a Business Risk, Not a Function

The first decision shift is structural.

When cybersecurity is positioned as an IT issue, it competes for resources within a technical budget. When it is treated as a business risk, it competes alongside revenue, operations, and capital allocation.

That distinction determines timing. IT issues can be deferred. Business risks cannot.

The consequence of misclassification is predictable. Investment is delayed. Exposure increases. When an incident occurs, it is handled reactively under pressure, often with higher cost and greater disruption.

Cute’s observation from working with small businesses applies broadly: “Cybersecurity is not a priority or risk to their company.”  

That belief does not hold under current conditions.

Strategic Lever 2: Narrow Strategy to Increase Execution Power

The second decision lever is focus under constraint.

Cute’s organization faced a classic scaling problem—broad mission, limited resources, expanding external demands. The response was to concentrate effort around a more defined value proposition.

“We need to present a clear, more narrowly focused value proposition.”  

For CEOs, the implication is direct. In high-complexity environments, breadth creates fragility. Every additional initiative dilutes attention, coordination, and execution quality.

Narrowing strategy does not reduce impact. It concentrates it.

This becomes more critical as cyber risk increases. The organizations that respond effectively will not be those attempting to cover every vulnerability. They will be those that identify the few areas where they can materially reduce risk and execute consistently against them.

Strategic Lever 3: Adopt AI with Process Clarity and Risk Awareness

AI introduces both capability and exposure. The mistake is to treat adoption as purely an efficiency decision.

Cute’s guidance is grounded in operational discipline. AI amplifies existing processes. If those processes are unclear, the output is unpredictable. If the data flowing through those processes is not controlled, the risk increases.

The decision is not whether to use AI. It is how to use it without introducing new vulnerabilities.

“If you’re going to use AI, you must, must, must address the risk aspects of this technology.”  

The practical implication is that AI adoption requires two parallel tracks:

Clear documentation and understanding of internal processes  

Explicit management of data exposure, accuracy, and system behavior  

Without both, AI becomes an unbounded risk surface rather than a productivity tool.

Strategic Lever 4: Recognize the Scale and Direction of Threat Acceleration

The current trajectory of cyber risk is not stable. It is increasing in both volume and sophistication.

AI-assisted phishing has already demonstrated significantly higher engagement rates. That is not just a technical improvement—it is an economic one. Higher success rates reinforce the model, attracting more investment and more actors.

Cute describes what follows in operational terms: automated, always-on attack systems leveraging increasingly realistic deception techniques.

The implication for CEOs is not to predict specific threats. It is to recognize the direction of change. Systems that were adequate under slower conditions will not hold under accelerated ones.

This is a timing issue. Preparing after the shift is visible in financial impact is already late.

Strategic Lever 5: Accept That Scale Requires Coordination

Cyber risk at scale cannot be addressed in isolation. This is not a domain where a single organization can fully protect itself through internal effort alone.

Cute’s model centers on coordination—what he describes as “communities of action.” Governments, corporations, and nonprofits align around shared outcomes and contribute from different positions.

For a CEO, the implication is not to replicate that model in full. It is to recognize that external alignment is part of risk management.

Vendors, partners, infrastructure providers, and industry groups all influence exposure. Treating cybersecurity as purely internal ignores how interconnected the system has become.

Evidence from the Field

The patterns described are not theoretical. They show up in how organizations behave under pressure and how attackers adapt.

Small businesses defer investment because immediate survival takes precedence. Larger organizations struggle with internal alignment and competing priorities. Across both, the same gap appears—action lags behind risk acceleration.

On the attacker side, the shift is clearer. Lower cost, higher automation, and improved effectiveness create a reinforcing loop. What was once opportunistic is now systematic.

The result is an environment where inaction is increasingly consequential.

What Changes for a Scaling CEO

The most important shift is not tactical. It is how the problem is framed.

Cybersecurity cannot be treated as a future issue or a specialized function. It is an active, compounding exposure tied directly to how the business operates and scales.

That changes three decisions:

When to act — earlier than feels necessary  

Where to focus — fewer, higher-impact areas with clear ownership  

How to adopt new technology — with explicit attention to process and risk, not just speed  

Cute’s broader leadership lesson reinforces this. In complex environments, the ability to distinguish signal from noise becomes central. Not every issue requires attention. A small number of decisions carry disproportionate impact.

“Focus on signal, what are the one or two things that really matter.”  

Cyber risk is increasingly one of those signals.

About Brian Cute

Brian Cute is the CEO of Global Cyber Alliance, a nonprofit organization focused on reducing cyber risk at the infrastructure level through global collaboration. His background spans law, internet governance, and cybersecurity, with experience working alongside law enforcement, industry, and public sector stakeholders to address systemic risk.

LinkedIn: https://www.linkedin.com/in/briancute

https://globalcyberalliance.org/

__________

About Jeff Holman and Intellectual Strategies

Jeff Holman is a CEO advisor, legal strategist, and founder of Intellectual Strategies. With years of experience guiding leaders through complex business and legal challenges, Jeff equips CEOs to scale with confidence by blending legal expertise with strategic foresight. Connect with him on LinkedIn.

Intellectual Strategies provides innovative legal solutions for CEOs and founders through its fractional legal team model. By offering proactive, integrated legal support at predictable costs, the firm helps leaders protect their businesses, manage risk, and focus on growth with confidence.

__________

About The Breakout CEO Podcast

The Breakout CEO podcast brings you inside the pivotal moments of scaling leaders. Each week, host Jeff Holman spotlights breakout stories of scaling CEOs—showing how resilience, insight, and strategy create pivotal inflection points and lasting growth.


TRANSCRIPT

TRANSCRIPT SUMMARY

00:00 The Small Business Mindset
00:14 Introduction to Global Cyber Alliance
01:13 Why Cybersecurity Is Uniquely Challenging
02:43 Cyber Threats: Movies vs. Reality
05:41 10-Year Milestone & Leadership Transition
07:57 Origins of GCA
12:06 Evolution of Cybercrime
14:30 The Power of Collaboration
17:30 Startup vs. Cybersecurity Priorities
21:18 Strategic Partnerships
27:43 Refocusing the Organization
42:00 AI, Deepfakes & the Coming Cyber Tsunami

FULL TRANSCRIPT

Brian Cute (00:00)
Small business owners are so focused on just getting to tomorrow. We need to present a clear, more narrowly focused value proposition, focus on signal, right? What are the one or two things that really, really matter?

Jeff Holman (00:14)
Welcome back everybody to the Breakout CEO podcast. I'm your host, Jeff Holman, and I'm glad to be here today with Brian Cute. Brian, thank you so much for joining us. Yeah, glad to have you. We're going to talk about your business and we're going to talk about some of your breakout moments today, but it feels like maybe there's two layers to this for me because you're in cybersecurity, your business or your organization is a nonprofit called Global Cyber Alliance.

Brian Cute (00:23)
Thanks for having me, Jeff.

Jeff Holman (00:44)
And it just seems to me that building a company is chaotic enough, but when you do it within the landscape of what I believe is a really difficult, externally influenced, maybe expensive landscape, that might make it even harder. So you've got two layers at least of the chaos in the organization. Is that anywhere close to correct?

Brian Cute (01:13)
It is. Every company and every leader has their own particular set of challenges. We're not different in that way. I do think that cybersecurity in general is a particularly challenging environment and industry. It's complex. It's technical. I think also for end users and what we do, what we focus on is on making the Internet's infrastructure more secure.

There are some security flaws within the infrastructure. And we collaborate with others to develop solutions. We work with network operators, infrastructure providers, because if you fix a bug in the internet itself, every user is more safe by definition, right? So that we try to achieve scale working in collaboration. We also develop and offer free tools to micro and small businesses, NGOs.

We target the organizations that are at risk and also under resourced, right? They don't have enough money to buy commercial solutions or have a vendor do their cybersecurity for them like a large enterprise. So we're by definition taking on really big complex challenges. So I think in that way, yeah, you're painting a picture that's fairly accurate. We're taking on some pretty big challenges and there's no easy way to... to deliver those solutions.

Jeff Holman (02:43)
Yeah. So for those of us who are less educated in the space, you know, I'm going to come at it from a really naive perspective here. And I think, you know, you go to the movies and every year or two, there's, there are movies about these cyber attacks or, you know, technology. And, and I just assume because I see a lot of companies building technology of their own. And I know that the technology I see is, is well ahead of whatever makes it in the movies, you know. So when we see something in the movies, I assume that we're, that you're dealing with things that are, you know, levels and levels beyond whatever has made it into the movies. Unless maybe it's a sci-fi, I don't know. Sci-fi might predate some of the chaos, but.

Brian Cute (03:25)
Yeah, I mean, the sci-fi, some of the sci-fi movies are presenting futuristic things like, well, like The Terminator and Skynet. Remember that? Right. Right. enough to remember that. And that's what, 25, 30 years old now? So the fun thing there is I made my daughters watch The Terminator. They didn't really want to, but I said, you've got to see this movie. Yeah. And I saw it 25 years ago.

And I think the concept of Skynet for us back then was like, wow, this is Skynet, what would that be? The interesting thing was when my daughters watched the movie, they became more troubled by it than I did because the concept of Skynet to them is actually, well that exists, right? We've got satellites, we've got computers, it's sharing data, these terminators could actually come and take over the world. And for them it was very real and present. So, you know, that's just one example.

For us, the challenges that we face, I would say this. What you see in the movies tends to be fairly accurate. What's going on in reality, if the average person knew the types of attacks, the capabilities of the bad guys, the risks that they face, it would unnerve them. There's a lot of risk out there.

More challenging, Jeff, with AI, and I'm happy to elaborate more on that with AI, the threats are becoming more serious. They're coming at us much faster, and they're becoming more effective in their aim in terms of cybercrime. So we're really moving into an environment that's becoming very high risk, very challenging. And so people being protected, right? The internet being safer as we can make it safer working with infrastructure providers, but people being protected, knowing what their risks are and being protected is at a premium.

Jeff Holman (05:27)
I feel like we need to get into that, we might need to step in a little bit slower because there's probably so much. Let's back up. So you've been involved with Global Cyber Alliance for, is it 10 years now? That's how long it's been around?

Brian Cute (05:41)
It's been around since 2015. I've been here about four and a half years. Okay. The original CEO Phil Reitinger, we just celebrated our 10th anniversary last September 2025. And that was a big milestone for the organization. And at the same time, our founding CEO Phil Reitinger stepped out from his post.

So as a cybersecurity nonprofit, you know, quite a, quite a, you know, quite a big milestone to reach 10 years and be vibrant and be delivering services and helping the public. And then having your founding CEO step down, it's a big transition, right? You know, familiar startups, right? I mean, they are, the identity of the startup is the identity of the startup CEO. Yeah.

Phil was a brilliant, dynamic cybersecurity expert who was so creative and built GCA into what it is today. And so for me, stepping into the role, A, very big shoes, B, a really rapidly and changing environment, and so C, now where do we go? That's kind of what I'm trying to navigate.

Jeff Holman (07:03)
Well, and it seems like if I were to think about it, maybe they're, I don't know the exact milestones, but I think 2015, like that picture looked totally different. I'm certain of it, right? And so the reason that this was started and the objectives you were trying to achieve as an organization were probably maybe simpler back in 2015. And then fast forward to when you took, when you became a part of the organization four and a half years ago, that would, you know, that would probably be very different than 2015, but also very different than today. How has the landscape changed or how have the objectives of the organization changed? You know, what you're trying to achieve or the players that you're trying to collaborate with, how has that evolved since 2015?

Brian Cute (07:57)
Yeah, your instinct is spot on. In 2015, so Global Cyber Alliance was established by in partnership with the Manhattan District Attorney's Office, the City of London Police, and the Center for Internet Security. It was those three organizations that birthed GCA. And the original idea was it was really coming from the prosecutor's office, Manhattan District Attorney and City of London Police together at that point in time, and you're right, the cyber landscape was very different back then. It has evolved so much.

But even back then, they were struggling with the concept of cybercrime and how to prosecute it, right? How do you capture a digital evidence of a crime, right? How do you secure it in the evidentiary chain? How do you establish jurisdiction? And we all know how cybercriminals can hide behind different resources and not be visible within your geographic jurisdiction. So they were wrestling with all those challenges about getting cyber criminals and putting them in jail.

And the simple idea was, wouldn't it make sense if there was a not-for-profit that was offering security tools to the public free of charge so we can prevent some cyber crime in the first place? That was the germ of the idea. Let's create an organization that can get these tools into the public's hands so we can start preventing some cyber crime and lessen the load.

Jeff Holman (09:35)
Had there been a specific incident like to have New York and London forces come together, was there something that was happening at the time or this was just kind of the culmination of we've been dealing with this, we see it growing, we need to do something, let's be proactive?

Just a quick note about our guests. I host the Breakout CEO podcast to share behind the scenes insights from scaling businesses. As an attorney, I see the real challenges leaders face long before success becomes public. But client stories have to stay confidential. So we invite guest CEOs to share their own moments of struggle and success. I'm so grateful to our guests and my team at Intellectual Strategies for making this show possible. Now, let's get back to the show.

Brian Cute (10:22)
I think it was a culmination of that. And I've worked in different capacities, kind of close to law enforcement in the past. Law enforcement collaborates, you know, regularly, certainly between certain countries and certain types of law enforcement agencies. But they do collaborate, they do share information. And so I think it was a culmination of that recognition on both sides of the Atlantic that we need some help here, you know.

Jeff Holman (10:51)
Did anything else like this exist or was this kind of a new thing like New York and London were kind of on the forefront of we got to devise a solution that doesn't yet exist. Because that's what a lot of other startup businesses do. They're in the middle of all these problems and then all of a sudden someone says, well, there's this niche here. We should be the ones to proactively go out and create a solution for it. Sounds like that might be what happened here.

Brian Cute (11:17)
I think it was kind of new. And Will Pelgren, who is from Manhattan District Attorney's Office, and Cy Vance, who was the district attorney not so long ago, it really was their brainchild. And I think it was new. I mean, I've been here in four and a half years. I wasn't here in 2015, but I'm pretty confident that the GCA was maybe the first of its ilk. There are many, many cybersecurity nonprofits now who offer a variety of different solutions or services or educational resources, some that are focused on different areas than us. But I think it was a fairly new, a novel idea at the time.

Jeff Holman (12:00)
Yeah. So if we fast forward to four and a half years ago, what did the landscape look like when you joined?

Brian Cute (12:06)
Well, the internet has become a much richer platform in terms of services and apps and social media and how the youth are using the internet in ever evolving and creative ways. You know, I actually started my career working in the internet domain name system back in 2000. So I remember the internet back in those days and the internet you come online today compared to 2015 or 10 years prior is vastly different in terms of services, interactive services, the types of tools and apps and gaming and text and voice and video. It's just a much richer environment. And there it's also a richer, it's a target rich environment for cyber criminals, unfortunately, who...

Cyber criminals are always among the first adopters of technology, right? And from four and a half years ago to today, I think the notable change is that scams have become the white hot center of cyber crime globally. Phishing emails are, right, part of that, but that cyber crime has become organized crime.

It has become transnational organized crime. There are scam centers that are the size of small cities in Southeast Asia that are spiking the attacks in really concerning numbers. That change, and that is being driven by AI. They're leveraging AI as first adopters. I'd say from four and a half years ago to today, that's the biggest change and things are accelerating and not in a great direction.

Jeff Holman (14:02)
Yeah, you're making me think with all of this momentum maybe in the wrong direction. What's the vision that GCA would like to accomplish? You know what I'm saying, how do you create a vision that's large enough to combat the other things happening, but not so large that it becomes overwhelmingly undoable?

Brian Cute (14:30)
That's a great question. We do it one way because we know in reality it's the only way. We work in collaboration with others, right? And we approach the problems that no single organization can solve alone. If we're going to succeed in protecting the public at scale, that is only going to happen through the collaboration of many, many organizations working together. It's got to be some government. It's got to be some industry players. It has to be some not-for-profit civil society actors at the center, right? Getting the necessary services and protections to the public at large. That takes collaboration. It sounds ambitious, but it takes global collaboration to meet the threat that's coming at us right now.

So we think about governments and industry and civil society coming together in global communities of action, right? And partnering, working together in their own lane, but making a commitment and agreement that we need to deliver cyber protection at scale. There's an example of that that's already working on data sharing, right? The importance of sharing data between law enforcement and industry players, data that can provide insights into what the cyber criminals are doing so that the people in position to stop them can use that data to stop them. There are examples of these types of, we call them communities of action. The only way we get this done is through coordination, collective action, agreement that it's in the public's interest to attack this problem in this way and get it done.

Jeff Holman (16:23)
Yeah. As you're explaining this, you know, I'm picturing you walking into a room. I'm sure if you walk into a room of a bunch of other, you know, people leading these nonprofit organizations, like you probably feel pretty comfortable, pretty familiar with the other people. You understand where they're coming from. If you walk into a room, you know, of a bunch of startup or scaling CEOs, do you feel like there's a common understanding as to what they're dealing with and what you're dealing with? Or are you just in a different realm? You know, I see it one way, but I'm really curious to hear your perspective.

Brian Cute (17:04)
It's a good question. I think as a generalization, the startup or scaling up CEO is laser focused. Yeah. Right. On growth and getting the next round.

Jeff Holman (17:20)
Yeah, find customers, find investors or revenue. One of the two, or if we don't do one of those, we don't have money, we don't continue to exist.

Brian Cute (17:30)
Exactly. And so I think I'm focused on advancing GCA's mission always and keeping my eye on that horizon. And I think through the lens of collaboration, how do I influence these people to come on board? How can I make a large corporation see that joining this type of initiative is, it aligns with their business model. There's a business incentive for them to participate and support this type of work, right?

I think the startup and scaling CEO with that laser focus that can't be distracted from that. They need to be laser focused. There's an analogy to the small businesses that we try to get tools to so they can protect themselves. Small business owners are so focused on just getting to tomorrow. Right. You know, making it through the day, getting the revenue, managing the team, the building, the service, the product, the widget.

That what we find with them is that they don't tend to think about cybersecurity as a priority or risk to their company. When we do a lot of engagement, we've done a lot of training around the world, working with partners to train micro and small businesses on what they need to know, the steps they can take and the tools they need to use to protect themselves. And it's a very common mentality. I'm running a small business. Cyber security, yeah, but I've got to do this, this and this.

Jeff Holman (19:13)
When I have time and money, I'll do it, but not today.

Brian Cute (19:17)
Exactly. Or that, or the, but that's not going to happen to me. That's an attitude that's out there too, which is a very, a very dangerous attitude because it's going to happen. It's, you know, whether it's one of your teammates or an employee clicking on the wrong link because they just didn't know it's going to happen at some point.

Jeff Holman (19:36)
I think like a lot of attorneys, it's not broadcast because when a company does that, nobody's like, hey, everybody, guess what? We just lost $40,000 or we just made a $1 million transfer, wire transfer we weren't supposed to. Nobody comes out and says that. I get access to, like you, I'm in some of those rooms when those things happen and they call me up and they're like, Jeff, what do we do? Where do we go now? Can we get our money back? Do we call the FBI? Or, you know, we've gotten a ransom email in, is this real, is this fake?

So it's really different. But just going back for a moment, like, you need revenue, you need, you know, funding, whatever, but when you're going out to these other businesses or organizations, you know, the infrastructure you said before, when you're going out to these infrastructure players, like you're not just saying I need some money to keep my organization going. You're saying, Hey, we might need money or whatever. I don't know if you ask for money in those situations, but you're, but you're saying we need a partner. Like we need to actually work together.

This is more like strategic partnerships all over the place rather than, you know, again, going back to that analogy with a startup and investor rather than an investor and saying, Hey, I need a hundred thousand dollars. I need $2 million. And they give you the money and they're there and they're on your board, but you're running the show. This is no, actually have, we have to work together because we, the problem is so large. It impacts everyone in a dramatic way. If we don't have the partnership, not just the money, but the partnership, we're all going to fail.

Brian Cute (21:18)
Absolutely. There's two current partners, MasterCard and Amazon, that we both work with in different ways, but the initiatives and the outcomes are shared, right? The end state that we want to create is shared. MasterCard is heavily invested in small businesses around the world. They sell financial services to them. They recognize as a company that it's in their interest, right? That small businesses start up, get on their feet, thrive, grow, purchase services. And they, as a company, have invested quite a bit of energy and resources themselves into making sure that micro and small businesses have resources available to them so they can thrive as a business and be secure, right?

Amazon came to us a couple of years ago, they have a very tight focus on their customers. That's where Amazon begins every conversation is from the customer back. And they were seeing data around scams. Again, I said scams have become the white hot center of cybercrime globally. They are. And they saw some interesting data with respect to young adults, 18 to 25.

You know, just one example of how we partner. It was very interesting. We had not seen that data. We are very good at developing or curating tools and packaging them up so the end user can have what they need, understand the risk. What steps do I take? What tool do I use to mitigate that? But it was an interesting learning experience too, because when we first started talking with them a few years back, I'm speaking for myself, but like a lot of people, I just assume like my 18 year old son and my 22 year old daughter were digital natives. They were so much more skilled at the internet and social media than I, and that they are probably inherently savvier in terms of how to be safe.

Jeff Holman (23:30)
Less likely to be successfully targeted.

Brian Cute (23:33)
Yes. Okay. Data says the exact opposite. Bureau and other, they're being targeted as much in volume by cyber criminals. They've been losing money on average, on par with segments like senior citizens. And when we started doing some work and collecting some data and surveying, you know, attitudes, they're not as confident online as we assume they are.

So it was really a learning journey with a partner organization about, here's a specific problem that's not being addressed. This is a community that needs awareness, that needs resources and understanding of risk and some tools. And so we ended up developing a mobile forward solution that was social media friendly that engages. And we brought young adults into the design process of that product, which was the smartest thing we could have done.

But yes, it is partnership and it's partnership in understanding the dimension of the problem, being aligned in the desired outcome, having aligned incentives, obviously, theirs being commercial, ours being not for profit, but having a shared incentive. That's critical to getting bigger things done.

Jeff Holman (24:54)
Yeah, yeah. I'm glad you said that because I think from, you know, I'm a small business owner. I've been a small business owner for a long time. I work with a lot of small business owners and I think small business owners and individuals and families look at a lot of these larger organizations and they say to themselves, man, MasterCard or Visa or American Express or Amazon or whoever it is, you know, like I'm paying for the fact that they just let this stuff happen and all this is going on and, and they're just charging me and they probably don't like, like they make money either way. And, and I'm, I'm certain that's not their attitude, right? It's interesting to hear that they're collaborating with people like you to try to tackle this. And I'm sure it's just as overwhelming for them, even with their resources as it is for the small business owner who, who doesn't know if they're going to be attacked or maybe has been attacked and is trying to, trying to navigate that.

It's just a universal problem, it sounds like, and seems like from what I've seen.

Brian Cute (25:57)
It is. That's not an understatement at all. And I think, yeah, they're commercial organizations and they're for-profit and they're market driven. And having worked with them both very closely, they really understand the dimension of the problem and the impact that it can have if it goes unaddressed, which is why they've committed their time and resources, not just to protect their own customers, but in these broader coalition, these broader community of actions that I've referenced earlier, they're active participants. They support those broader community of action activities because they understand the dimension of the problem and what was required to address it.

Jeff Holman (26:43)
Yeah. Well, fascinating conversation. We could go on for hours about the expansiveness of this issue, but I want to, I want to give our audience some insight into maybe your role and what you, you know, how you've managed within the organization. Whether you're, you know, CEO of a nonprofit, CEO of a scaling company, like you go through a lot of the same issues, I think, even though the playing field might be a little bit different.

And so I'm curious as you've been, as you've been in the company or in the, in the organization and even more recently as CEO, what kind of things do you run into where you're like, this is new or need to solve this. Like this is, this presents an issue, maybe not viability of the organization as a whole or maybe, but we got it like, like we got to figure this out to get to the next level. What kind of things have you run into that fall into that type of category.

Brian Cute (27:43)
I think the most immediate and important thing was with the founding CEO stepping down and some kind of seismic shifts in both technology with AI, but also in funding for nonprofits, which is becoming an increasingly challenging environment in the last couple of years. There's a real question about what's the forward strategy now, right?

Phil has stepped down. And I think one of the things I recognized early and with some internal colleagues as well was we definitely punched above our weight as a small organization of 25 or so people with a very broad goal of cybersecurity at scale globally for the under-resourced and at risk organizations and working with the infrastructure providers. Nevertheless, we really punched above our weight. We have done so many different initiatives, delivered so many important solutions and contributions that, you know, the first recognition was we are too many things to too many people. Right? Like if we're going to...

Jeff Holman (29:11)
You're saying that this is like one of the realizations during this leadership transition. You're like, do you think that happens? Because other companies go through leadership transitions. And from the outside, it would seem like, whatever goals you set last week, let's just keep those and keep going. What's the shift kind of the, I don't know, what's the word? I'm thinking of the tectonic plates, right, in the earth.

Why do those things shift when there's a leadership transition?

Brian Cute (29:44)
Well, I think there's a natural, there's a maturity cycle for organizations, right? From startup to make it past startup, and then you're young adult moving to mature, and then you get to the fully mature, and if you don't innovate, you then start the death cycle. I think there's a general cycle here too. I mean, what I think for Global Cyber Alliance, it has been defined by the identity of an incredibly brilliant, dynamic, creative CEO. And that has gotten us to where we are. I mean, a recognized player that does so many incredible things. But it's also time, it's one of those times where you have to mature in a different direction. I mean, personally, I think we need to be more narrowly focused, right? We need to present a clearer, more narrowly focused value proposition to our funders. We can't be perceived as doing eight different really great things, but that doesn't lend to a kind of a cohesive value proposition, right? If you invest with us, you're gonna get these specific outcomes. So the first recognition was too many things to too many people, what should our value proposition be going forward? Narrowing the aperture of what we do and focusing on the thing that funders care about today. So we could make an effective value proposition pitch to them. So that's really the turn, kind of the pivot. And we're working on that. We developed a new strategy. We've developed a new value proposition statement. We're targeting potential funders with better intention and aligning with those who have an interest in the direction we're going.

And I think moving through that and more clearly defining GCA in different ways, I also think it needs to become an organization. It needs to become a more professional organization in terms of how we operate. Well, I mean in terms of internal operations, the way the team works together.

Jeff Holman (31:57)
What do you mean by that?

Brian Cute (32:05)
Eight different amazing things. You've got people focused in different directions. A lot of great, dedicated, capable people doing things and having impact. But sometimes team cohesion can suffer.

Jeff Holman (32:19)
Everyone's got their own initiatives. You know, you're describing this and I'm hearing, I'm hearing a lot of the same types of things that I hear from founders where they're like early, early on, we tried to be all things to all people. And then one day we're like, that's not going to work. We'll be, we'll be everything to nobody. If we keep it up, we got to, you know, refine our offering. That's what I'm hearing. You have these different people who have different objectives and now you've got, you've got to get into, into alignment and you've got to say, Hey,

Brian Cute (32:39)
That's where.

Jeff Holman (32:47)
this, you know, if we're going to align on one offering, we all need to align our actions and behaviors and inputs toward that offering. We can't keep going towards different offerings. So this is, it sounds like a parallel to what I see in for-profit businesses quite often.

Brian Cute (33:03)
It's precisely what's happening. So it's not a new challenge. It's new for me. I've not been in this position before. I was a CEO for eight years of Public Interest Registry, which runs the .org address on the internet, which is a very, very well-funded, not a typical not-for-profit in that it has a funding machine by selling .org addresses to feed its programs. It has great financial stability.

But GCA is a classic not-for-profit which has to approach philanthropies, approach corporate donors, work with government programs that provide funding and align with them and get funding to do the things that we do and work together. So it's a challenge. The funding environment has changed significantly. You saw the US government eliminate USAID, which is an economic development funding channel.

The good news for us is we were not dependent on that for our life's blood, but it's one source of funding that goes away.

Jeff Holman (34:11)
And then everybody else who was dependent is now coming to the sources where maybe you've had less competition.

Brian Cute (34:17)
Absolutely. Absolutely. There's competition. A lot of the corporate funders and even philanthropies for the last couple of years, the constant message has been, I have a finite pot of money. You know, I'm funding a number of you all, not-for-profits. We'd like to see more of you partnering together and proposing larger projects. We'd like to see other funders at the table as well, not just us. And this is coming from consistently, you know, corporates and philanthropies. So that's the environment we're in right now. So that's the environment we need. We need to create an offering and a value proposition that's clear, that cuts through, that's attractive to certain funders. And yes, we're entertaining the idea of partnering with others and coming to the table with bigger projects. That's where these community of action initiatives make a lot more sense.

Let's get more people to the table, more funders, more not-for-profits, more corporates, and actually agree to drive a common initiative. That's where that ties in. So that environment's really challenging. Yeah. So founding CEO steps down, that's a change. Too many things to too many people, refocusing, new strategy, navigating the funding environment, and then just to make it extra fun, here comes AI, which is putting cybercrime on steroids, right? So that's the environment. It's incredibly dynamic.

Jeff Holman (35:54)
That's amazing. How, how are, what have, what do you feel like you've been able to do and who have you turned to to help you do it, to start to navigate these types of things? Is this all internal? Do you bring in consultants? Do you, you know, you spend your Sunday evenings ideating like, what do I do next? Like, like what's the, what's the solution to, to, to getting all of these things to come together as the external, you know, chaos is just expanding.

Brian Cute (36:25)
So interesting question. Most of it's come honestly internally, you know, colleagues on staff who've been in the fight for a long time and have been part of the team and understand the need for change. Our board, we have got a terrifically supportive board that's, and many of them have been there from the beginning, who are open.

You know, they push us where we need to be pushed. They're supportive always. They're throwing in, you know, in moments like this, you want your board to throw in as opposed to be kind of sitting back posture-wise. And then the one initiative that we recognized we needed was a communication strategy. Right? We realized that we haven't been the strongest in communications, but particularly with respect to the funder audience, right? And the value proposition. So we did go engage an outside firm, we're just about done with that, to develop a new communication strategy that can help communicate the new narrowly defined mission, the value proposition statement, and get ourselves in front of the right audiences. So that was a piece that was missing that we did go outside to get help with.

Jeff Holman (37:47)
Okay, and who is that audience in case any of our any of our audience is listening and they say, wait, I might be that or I can make an introduction. Who is that audience that you're trying to get the communications to?

Brian Cute (37:58)
So I think primarily, if we were to order them, communications firms, internet firms, any large corporates who are dependent on the internet for e-commerce, for service delivery, you know, MasterCard is a great example, Amazon's a great example, but companies of that ilk, their dependency on the internet, right, providing seamless service is the lifeblood of their company. And I may not be the thing that's top of mind every time they come into work in the morning, but it's a fact. And that's what been trying

Jeff Holman (38:38)
gateways that mean they're the gateways that everybody else uses to essentially transact on the internet and that's how they make their money which is fair. Right. But because they're the gateway they're probably some of the most impacted by the things that are happening right.

Brian Cute (38:54)
Right, we've seen, you know, recent, in the last five years, so we've seen instances where parts of the internet go down, right? Or there's this massive disruption because of someone's software that wasn't updated. And we have examples of the macroeconomic impact that can happen. So those types of companies have a stake in the game. Philanthropies, absolutely. There are some philanthropies out there. Craig Newmark, who created Craigslist, is an absolute champion of the cybersecurity nonprofit community. He's been a terrific supporter of many, not just us, but other philanthropies who have supported the work that cybersecurity nonprofits do. Those types of philanthropies need to invest more with us. And then lastly, but not last, governments. There have been and still are government programs that provide funding to build digital skills, right? In their students, in their workers, like workforce development on AI skills building is gonna become a huge, huge thing, right? All governments see what AI is doing in its early stages. Many are assuming there's gonna be job displacements. You're gonna see funding for AI skills building.

Well, there needs to be funding for AI and cyber. The risk piece of that skills building is going to be critical. That's the type of message we're trying to get in front of governments is you need to also invest in the risk side of this technology and make sure that your, you know, your workers know how to use it securely, how to mitigate. There's hallucinations, there's inaccurate responses, there's poisoning, the exfiltrate PII. That's a real, there's great opportunity with AI and there's also risk. So getting governments to prioritize the risk side of skills development is something we think needs to happen as well.

Jeff Holman (41:02)
That's really interesting, Brian, because like I'm thinking about here in Utah where I live, you know, we think of ourselves, we call ourselves Silicon slopes, you know, as though as though we're maybe somewhere closely behind Silicon Valley. But be it as it may, there's a lot of talk about all of the software and tech companies that are being built here, just like, you know, Arizona is talking about it and Colorado, everyone's talking about that. But I don't hear a whole lot about cybersecurity. You know, they're not pushing for, they're not necessarily pushing the message around cybersecurity the way they are around job creation, job growth, growth, IPOs, whatever it might be. So that's, seems like an area where it's got to be just as important, if not maybe more important because without controlling cyber security, that whole technology base could easily be impacted in a really significant way.

Brian Cute (42:00)
Increasingly important. And it's only going to get more important. I'll give you an example. I was at a MasterCard security team briefing for two days in Singapore last September. And the attendees were largely Interpol and law enforcement agencies from the Southeast Asia region. And I've referenced those scam centers, right, in Southeast Asia that have grown to be the size of small cities. They are being run by transnational organized crime. Law enforcement in the UN Office of Drugs and Crime have been documenting and tracking them for years. They are significant contributors to significant increases in phishing emails and scams, attacks that have happened globally in the last couple of years. There was a Microsoft study that showed that 40% of phishing emails are now GenAI assisted. What's compounding that, so AI number one lowers their cost structure of doing business. Makes it easier for them to automate the delivery of attacks and they're doing it and the volume is showing. Now add deep fake technology, right? And we've seen it. I mean, today's deep fake is good enough to fool a lot of people. Yeah, if you know a bit, you can look for like the extra finger or other indicators. But right now they have, according to that Microsoft study, click-through rates of 54% in AI-assisted phishing emails. 54% click-through rates. That is a business driver, up from 12%.

Jeff Holman (43:44)
Really.

Brian Cute (43:55)
Business driver for a business model, right? That's just to today. So I'm in that briefing and there's a lot of data being shared amongst law enforcement. And somebody says that within two years time, we expect these scam centers to be operating fully AI agentic platforms.

Jeff Holman (44:14)
So they're going to build agents upon agents to run these things.

Brian Cute (44:19)
24 hours a day, seven days a week, 365, using increasingly sophisticated deepfake technology. So Jeff, you know enough, right? I left that briefing. I sat on a, I'm not joking. I sat on a park bench for about half an hour, just kind of let that process, knowing what I know. There is a tsunami. This is not an overstep. It is a tsunami. Scams and phishing attacks that are going to come at all of us in the next two years.

Jeff Holman (44:44)
That's it.

Brian Cute (44:49)
more effective

Jeff Holman (44:50)
Yeah, in my engineering, we studied the concept of harmonics at some point, right? When you get harmonics out of balance, you know, harmonics are, you kind of keep in balance and they're going, but if they get out of balance, all of a sudden, there's no end. I mean, until there's destruction, there's no end to the growth of those harmonics. That feels like, I hope it's not, but it feels like that's what you're describing.

Brian Cute (45:17)
It is, and I'm connecting back to cybersecurity, should be an increasingly important priority for everybody.

Jeff Holman (45:26)
For sure, for sure. Man, well, I want to ask you two more questions. I want to ask you about what should some of our listeners who are building small companies or scaling companies be thinking of? What are one or two things they should be thinking about? But before we go to that question, I also want to ask you as you've taken the helm of this organization, what's an area where you feel like you've grown in an unexpected way?

Brian Cute (45:56)
I think it goes back to just, I have my moments, right? I have my moments where I'm animated or reacting to something that's happened. But I think on the whole, just being steady, getting, not overreacting or underreacting too much in either direction, staying steady, you know, let things come at you. They're going to come at you.

Trust the people around you. Lately, what I've been saying is signal to noise. Focus on signal, right? What are the one or two things that really, really matter and keep your eye fixed there? The rest of it is noise, right? Don't get distracted. I think I'm doing better.

Jeff Holman (46:45)
And that comes with practice, I think, knowing how to find the signal and knowing how to tune out the noise. Two different tactics that are complementary, but very different from each other. Yeah, I love that. I love that. Okay, so onto our audience. If we've got people listening, they're hearing this and they're saying, I didn't think I had time before I started listening to this episode to really put towards cybersecurity.

Brian Cute (46:57)
It's an ongoing thing.

Jeff Holman (47:15)
Like we're just trying to make money or trying to pay employees. We're trying to get the next product version out. That's a lot of time, a lot of energy. But what are the one or two things they really should be thinking about or even doing in parallel to building their businesses?

Brian Cute (47:34)
Well, I think everyone should be leveraging AI for its opportunity and promise, right? Use AI, right? It can enhance your business. It can save enormous amounts of time. But if you're going to use it well, two things. Understand your processes, right? Because it can improve your processes, but that means you need to really have your processes well documented. Understand your processes and then see if you can use AI to leverage that to improve your business, your intelligence, your decision making, your speed, not to replace people necessarily, but to improve those things. And if you've heard anything I said today, if you're going to use AI, you must, must, must address the risk aspects of this technology.

Otherwise, you could be putting commercially sensitive data on a server that goes, shares data with God knows whom, right? Are you getting accurate responses from the technology? Are you getting what you need from it? What is it doing with PII? If you use AI blindly, you are, you're, you know, you're driving with the back door open and God knows what's going to happen, right? So I say use it and use it intelligently and address the risk aspect as well.

Jeff Holman (49:05)
Okay, I've got to dig one step one level deeper on that because you've got me really curious as an attorney, right? I'm very sensitive to not putting client information identifiers, people, confidential trade secrets, any of that stuff into AI anywhere. I use AI a lot. I use it for my own business quite a bit, but I'm a lot more reluctant to use it for client issues, right? Because of that reason as an attorney and maybe it's not even the cyber issues as much as it is discoverability and legal ethics. But for somebody who's not in my seat, you know, what are the risks that you, that you would say, Hey, or, or what are the protocols where you might say, if it's me, I wouldn't do X, Y, or Z.

Brian Cute (49:52)
Well, and by the way, I'm a former attorney myself.

Jeff Holman (49:56)
I didn't know that.

We call you a reformed attorney then, because you're no longer practicing, right?

Brian Cute (50:02)
Recovering. I really appreciate the responsibilities that you have with respect to your clients and your clients' data. So I hear you loud and clear. Again, I think it's really about understanding your data, right? Your customers' data, how you manage it, how you store it. You know, little simple things like sometimes creating backup data sets. The first question we're being asked is, what about GDPR? Is this exposing any data to GDPR violations? The world going forward is going to be about data, data, data.

Jeff Holman (50:46)
The answer to that question is probably yes.

Brian Cute (50:49)
If Brussels has anything to say about it, Jeff, it's yes. Yes. So understand your data, understand your requirements, and just know that AI as a tool, there's a number of, let's call them trap doors, right? If you're not aware, there are a number of trap doors that can open up and suddenly your data is exposed in ways you don't want it to be, whether it's your commercial secrets, whether it's your customer's data, whether it's something else, there's trap doors. So be aware and mitigate and manage those risks with open eyes.

Jeff Holman (51:28)
And I imagine as soon as you start creating and connecting agents into your own infrastructure, you've just opened those trap doors pretty widely. So, wow, Brian, you've given me so much to think about here. This went way beyond the scope of even what I was hoping to talk about. So I really appreciate you coming in and enlightening me and sharing some insights with the audience.

Brian Cute (51:56)
Thanks for having me, Jeff. Absolute pleasure, really.

Jeff Holman (51:58)
It's been great for me too. So thanks again. And for the audience who joined us, thanks for joining us on another episode of The Breakout CEO. Be sure to follow or subscribe on your favorite podcast platform. And if you enjoy the show, a rating or a review goes a long way. Our mission is to promote the stories of breakout CEOs in scaling SaaS, e-commerce, and tech companies to equip peer CEOs with valuable perspectives and confidence.

Thanks again for joining us on this episode of The Breakout CEO. I'm Jeff Holman and I'll see you next time.

Intellectual Strategies © 2025