The world is more connected than ever, but with increased connectivity comes increased risk. From life-saving medical equipment in hospitals to the traffic signals managing our city streets, the Internet of Things (IoT) has become the backbone of modern infrastructure. Yet, these devices are often the most vulnerable entry points for cyberattacks. In this episode, we sit down with Shankar Somasundaram, the founder of Asimily, to discuss how his company is tackling this monumental challenge. Shankar draws from his extensive experience at Symantec and his deep engineering background to explain the unique security threats facing healthcare, smart cities, and manufacturing. He breaks down the complexity of securing these heterogeneous environments, the evolution of customer needs from simple visibility to sophisticated vulnerability management, and his journey as a founder in a highly regulated and mission-critical industry. This conversation offers a crucial look into the future of IoT security.
→ Enjoy this conversation with Shankar Somasundaram, on Spotify or Apple.
Nataraj: On the podcast, we feature interesting companies solving big problems in different sectors. You’re in two intersecting sectors: security and the Internet of Things. It would be a useful session for our audience to talk about the problems you’re solving. To level-set for the audience, can you give an introduction to yourself and your career until now?
Shankar Somasundaram: Thanks, Nataraj, for having me. I’m Shankar. I started Asimily a few years ago. Asimily is focused on helping provide visibility and security for medical, IoT, and OT devices. We work across verticals like healthcare, smart cities, universities, and manufacturing. Healthcare is our prime vertical where we started the company and have since expanded. Prior to Asimily, I ran the IoT business at Symantec for a few years, which is where I got exposed to IoT. Before I even started the business, I did a full strategy project for Symantec on how they should expand into the IoT vertical. My journey in IoT has been going on for 13 or 14 years now. It started as a strategy project, which led to a few other things, and then Symantec started a business and asked me to run that group. Eventually, I reached a point where I wanted to start Asimily. Before that, I had a product and engineering background. I built the iPhone 3G modem many years ago and some of the early chipsets and algorithms at Qualcomm. I’ve mostly been on the product and engineering side. I like the space I am in because there’s a lot of innovation possible, which aligns well with everything I have done so far.
Nataraj: Going back a little, what was the idea when you were first thinking about starting Asimily? What was the forcing factor and the big problem you were trying to solve?
Shankar Somasundaram: When I was at Symantec, I saw the opportunity in healthcare. The initial idea was focused there, and we did a lot of work for many years. The big problem then was that healthcare is a very complex, heterogeneous environment. I call it a system of systems because it’s not just what’s happening inside the organization; it’s the suppliers and vendors. It is the one environment that singularly contains all kinds of devices: medical, IoT, and OT. I don’t think any other environment has everything. In that kind of environment, how do you provide visibility, vulnerability management, detection, and all kinds of operational metrics? And you have to do it in an environment that is very constrained, fairly regulated, and where there are severe patient impacts if you get it wrong. It is the most challenging environment I know among all verticals. I saw a couple of players in the space taking a very IT-centric approach, but there had to be a completely different, bottoms-up approach to solve for these unique devices. I said, we’ll go solve this problem in healthcare, and we can do it better than anybody else. That’s how the company began. Symantec wasn’t as interested then in going after this problem, and I decided if they weren’t going to do it, I would.
Nataraj: How does Asimily help its customers today? It’s a primarily security-based product, but healthcare is such an interesting space in terms of software. How do you connect the hardware monitoring to the existing software used in healthcare?
Shankar Somasundaram: Our system’s principle is the same whether it’s healthcare, smart cities, universities, or manufacturing. In healthcare, we’ve done a ton of work. We put a hardware appliance inside the environment that connects to the network and collects and extracts device-related data. Because of HIPAA, GDPR, and other regulations, you cannot transmit patient information outside. So, we transmit only device-related information to our cloud, or we have an on-premise version. There, the data gets processed for more than just cybersecurity; we provide visibility, operational metrics, and we are adding new capabilities that go beyond cybersecurity. The data we collect then integrates with other systems. We have APIs with configuration management systems, CMDBs, asset management systems, vulnerability scanners, SIEMs, NACs, firewalls—you name it. Our system does a ton of work by itself, but we interoperate with other systems, creating an integrated view for the health system, city, or manufacturing plant. We provide a high level of data granularity, deep visibility, and robust capability around vulnerability management and incident response, which improves their overall posture and enriches other systems that lack the context of these devices.
Nataraj: You mentioned Asimily has a hardware product that collects data from other devices. How are you interacting with those devices? Is it through the firmware on the other hardware?
Shankar Somasundaram: To be clear, we are a software company. The hardware we use is just a commodity; we can also put our collector as a virtual machine in their environment. We are collecting purely network data. We have other non-network mechanisms, like collecting manufacturer documents, but the primary method is passive, where data is fed from the network into our box. We don’t have to interact with the hardware directly because we’re not interrogating these devices. For medical devices, it’s very risky to interrogate them. For certain kinds of IoT and OT devices, you can, but mostly you are getting data from these devices on the network. Based on that data, you act on them without directly interacting with the hardware’s firmware.
Nataraj: Healthcare is notorious for security attacks and being prone to hacking. We often hear about healthcare organizations being hacked and held for ransom. Do you see that as a common pattern you’re helping to solve? What types of issues are you solving for customers?
Shankar Somasundaram: Cybersecurity is a multifaceted problem with no single silver bullet. Our focus is on the IOMT, IoT, and OT devices in the environment. Ransomware attacks have become more common because health data is so much more valuable than credit card data—I think 100 or 1000 times more. So, this is here to stay. Securing all these other devices is one big step toward protecting against ransomware attacks. We are a big piece of the puzzle. A hospital might have a firewall for IT systems, DLP, and an email gateway, but what about the medical and IoT devices? There are two problems: what if they’re connecting externally, and how do I protect them against internal threats? You have to assume some threats will bypass your perimeter. When they get inside, you need to know what your devices are and where attacks can come from. We do a ton of work around attack analysis, identifying how vulnerabilities on these devices could be exploited and what lateral movement could happen. We also help collect data for forensic analysis. This in turn helps protect against ransomware because medical IoT devices are the core bread and butter of a hospital’s operation. Protecting the core of the system is what we are doing.
Nataraj: You brought up smart cities. We’ve heard this phrase and passed the hype cycle. From your observation, what does it mean to be a smart city today, and where does Asimily fit in?
Shankar Somasundaram: I’ll rephrase ‘smart cities’ because that term has been used so many times. I think the concept is simpler: more devices are getting connected. For example, wastewater plants, which come under the city’s purview, are fairly connected. What if your wastewater plant gets attacked or goes down? Imagine your sewage isn’t flowing anymore. That would be a nightmare. All the traffic signals in a city are connected to a central controller. What if some of them fail or get attacked? The concept of a smart city I’m talking about isn’t the futuristic one touted for 20 years. It’s simpler: all these devices, whether traffic lights, sensors, or wastewater plants, are connected. How do you understand what’s in that environment and protect it? The problems are similar: protection, visibility, and operational metrics. I think the difference between then and now is there’s a lot more focus on critical infrastructure, partly because connectivity has risen. When you reach a certain threshold, like 30-40% connectivity, it becomes important. The present reality is that devices are connected, and with that comes the need for visibility and cybersecurity management. That’s what we have solved.
Nataraj: You mentioned catering to clients in healthcare and smart cities, both of which are highly regulated. You mentioned HIPAA, which I know from a past job can be complicated. What was the experience like dealing with two highly regulated sectors?
Shankar Somasundaram: The good news is that we touch device data, not patient data. Regulations focus on patient data, PII in smart cities, or confidential information in manufacturing. We aren’t touching that, so it’s simpler. The architecture we built, where we only send certain kinds of device data to the cloud, helps. For very critical environments where customers won’t allow anything to be transmitted to the cloud, we also have an on-premise version. Because of these architectural capabilities and our focus, regulations don’t directly impact us. However, because these are more regulated environments, there is far more scrutiny on the technology and the product. You have to have an enterprise-grade product, which is something we have built. There are certain levels of quality and assurance you have to provide in these verticals, which we have been able to do.
Nataraj: You mentioned you got started with Asimily because you were writing the strategy paper. When you decided to start this yourself, what were those initial days like? How did you bring together the founding team?
Shankar Somasundaram: It was pretty challenging. When you leave a large company where you’re running a business and then suddenly you’re all by yourself, it’s tough. Initially, I was lucky to have built some core advisors and relationships. One of the ex-CEOs of Symantec, Mike Brown, is an advisor and investor. I call him our first co-founder. He was one of the first people I spoke to about it, said it was a good idea, and even gave me a check. One of our investors, Ashmeet from Engineering Capital, wrote our first check. He took a bet on me when I had nothing but some slides. I would almost call Mike Brown and Ashmeet our co-founders. I got the backing of people who believed in me through previous relationships. Then I was able to reach out into my network. I brought in Hitesh, whom I had studied with at Rutgers, and he’s still with us. Then we brought in some other people and expanded the network from there. We’ve since built a very strong leadership team, mostly from Symantec and other areas. It’s a struggle initially, but I was fortunate.
Nataraj: How did you get your first customer? When you work in big companies, there’s a whole sales system working for you. As a product builder, your job ends at supplying information to marketing and sales.
Shankar Somasundaram: Because I had been in the industry and doing IoT, I knew a few people. I was able to reach out to some partners and people in the industry to get feedback. When I got feedback, some people said it was a good idea and to come back when I had a product. It took us a little time to get there, but once we had something, I could go back and show them. It wasn’t easy at the beginning because healthcare has a very high bar; they don’t buy half-baked products. They want a more sophisticated product even in the first round. It took us a couple of iterations, but the product had and still has some very core differentiators. That allowed us to get some initial customers. Then we were able to improve the quality to an enterprise-grade level. Through the contacts I had built, the quality we had built, and the differentiators we created, we were able to land our initial customers.
Nataraj: How does the sales process look today compared to then? What is your process for reaching customers?
Shankar Somasundaram: The very first sale was just me. But now, we have a full-fledged sales team, a channel team, a marketing team, and solution engineers. We also have partners. It’s a very different motion now. Our partners refer us, and being the number one rated Gartner vendor helps, so people sometimes reach out. We are constantly getting customer feedback, and we have some very strong, loyal customers who refer us. Our sales process is now largely channel-first. A lot of our business comes through our channel, and we want to encourage that. At least in healthcare, a lot of people know us. In non-healthcare, we have a channel ecosystem in place. So, between our sales channel, our existing relationships, and the credibility we’ve built, that’s what’s driving many of the leads. It’s a more formal, defined sales momentum, whereas the very first sale was completely ad hoc.
Nataraj: When you’re talking to prospective clients, who are the decision-makers, either in healthcare or smart cities? For example, with cloud products, it could be a top-down decision from a CIO or a bottom-up decision from developers.
Shankar Somasundaram: It does depend, but I would say 80% of the time it’s the CISO, the Chief Information Security Officer, or someone in that area like the CIO who takes care of IT and cybersecurity. Beyond that, there is some dependency on the vertical. In healthcare, it could be the Chief Clinical Officer or Biomed. In smart cities, it could be someone who manages operations. In manufacturing, it could also be someone who manages operations. There is some nuance to every vertical, but the common thread across all of them is the CISO.
Nataraj: I think of Asimily as a security company, but security is such a broad term. Can you give an idea of the layers in this industry, who’s capturing what value, and where you position Asimily?
Shankar Somasundaram: We are focused on device-related security—IOMT, IoT, OT. Security has different layers like data security, network security, and email security. We are focused on the non-IT side. In the non-IT world, there is a different kind of value chain. There are part suppliers, full device suppliers (like someone who provides a traffic light or an ultrasound), and system integrators who put the entire network together. There are also people who manage and maintain these devices, which can run for 10 to 15 years. Then there’s an IT infrastructure, networking, and cybersecurity overlay. We come in after these systems have been connected. We fall into that IT, networking, cybersecurity, and even maintenance layer, because we provide some metrics that help with maintenance. A lot of what is done in these industries is manual. Our value proposition is to automate much of that and bring them to a similar state of capability as the IT side. That’s where Asimily fits in the value picture.
Nataraj: You mentioned being number one in Gartner. How do you think about competition and differentiate Asimily from other companies doing similar things?
Shankar Somasundaram: There are players in this space, but I feel there’s a lot more innovation to be done. We are launching two completely new modules now that are the first of their kind in the industry. I feel the industry is at 50-60% of where it needs to be. What eventually needs to happen is a much broader, wider set of capabilities. When I started Asimily, all people wanted was visibility. That’s still a big problem, but now people are asking for more. They’re asking for more and more with every passing year. They want to manage all their devices with similar parity to IT devices. So one level of differentiation is innovation. I think in a space like this, similar to AI, the winners will be decided over a 10-12 year timeframe as innovations play out and customers pick more capable, mature, and holistic platforms. The other place we differentiate is depth. Whether it’s inventory, vulnerability management, or incident response, we have some core differentiators. For example, everything is vulnerable, but which vulnerabilities can be taken advantage of by an attacker for that device in that specific environment? How do you mitigate it if there’s no patch? We have unique approaches to mitigation and remediation. So, depth of capabilities and continuous innovation are what will determine the winner.
Nataraj: Security and the IoT space are huge. If you were to look at some white spaces for a new founder interested in security, is there any area you would suggest they look into?
Shankar Somasundaram: It’s hard for me to say because I’m so focused on this. If there was a white space, I’d go to RSA and there would already be 10 companies attacking it. You could have said GenAI is a white space, but what if GenAI starts to misbehave? Now I see five companies doing GenAI security and compliance. This question is probably better suited for a VC who is looking at all spaces. But I do think a lot of things are happening in AI that open up a ton of opportunity in security. GenAI security is just one aspect. There’s an entire suite around data loss prevention and sandboxing around it. I think that will open up a ton of opportunities, and the companies I’ve seen are still scratching the surface. Then there will be something new that comes next year and that will open up another Pandora’s box.
Nataraj: Speaking of GenAI, are you using it in any way to improve your own startup’s productivity, not just as a business offering?
Shankar Somasundaram: Yes, we are using GenAI. We have some partnerships with some of the larger companies releasing GenAI tools. We are using it for our own internal productivity. We actually adopted a form of AI long ago for some of our research, building our own NLP algorithm to improve our research abilities. We have used GenAI more recently to improve our productivity, DevOps processes, and internal research. Beyond that, we have always been using AI in the product, even though we haven’t created a buzz around it. As GenAI comes in, it’s just an evolution for us. We’re introducing it into our engineering productivity and also have some uses in our product.
Nataraj: Are there any specific products or companies you’re using that you can mention?
Shankar Somasundaram: Right now, we are partnering with the big companies. We have a deep partnership with Google and we’re doing some work with Microsoft. We’re using those kinds of tools internally for our own productivity purposes. We never feed them any customer data; that’s a strict no. We use it for our own productivity, and as GenAI has evolved, we are continuing to evolve our own algorithms because there’s more scope to do so. But partnership-wise, we are leveraging some of the bigger, more established AI models to improve our productivity and go faster.
Nataraj: And is the productivity gain meaningful? I’m asking because there’s so much hype in the news.
Shankar Somasundaram: That’s a good question. If you ask me this in three to six months, I’ll have a more concrete answer. You’re right, there’s a lot of hype. We’ve asked ourselves internally if paying for these tools is really improving our productivity. Is it a 5% gain for all the work we are doing, or is it truly making us significantly better? We decided to try it out. We’ve been running this and we’ll see over the next two or three quarters and get an answer on how much better and faster we can move. I don’t have a real quantifiable answer right now, but it looks promising. We have to see whether it works for us or not.
Nataraj: We’re almost at the end. I have a couple of quick questions I ask all my guests. First, what are you consuming these days? What are you reading or listening to?
Shankar Somasundaram: I listen to some general podcasts like Masters of Scale and sometimes read Andreessen Horowitz’s content. As the company is growing, I’m trying to understand how to scale by talking to people in the industry who have grown bigger companies. My focus is on how the company scales—what happens when it grows bigger and larger. We’re operating internationally and growing every year. So I’m looking at that, and there are some podcasts and go-to-market books on that topic. But a lot of my thinking also comes from talking to mentors and people. That’s how I learn fastest—not necessarily reading or listening, but talking to people in the industry. I’m also part of some CEO forums, and our investors introduce us to other people.
Nataraj: Who are your mentors that have shaped your career?
Shankar Somasundaram: There are too many to name over my entire career. But specifically for Asimily, like I said, the company doesn’t exist without Mike Brown and Ashmeet Siddharth. Thanks to them. But over my career, many other people have gotten me here. I wouldn’t be a quarter of where we are without these mentors, and also the people you work with—your team members.
Nataraj: One last question: what do you know now about starting a company that you wish you knew when you started Asimily?
Shankar Somasundaram: That it’s going to be harder and take longer than you anticipated. You truly realize what that means when you run a company.
Nataraj: That’s pretty much what every founder says. This was a really fun chat, Shankar. Thanks for coming on the show and sharing your story.
Shankar Somasundaram: Thank you, Nataraj, for having me. Thank you so much.
This conversation with Shankar reveals that securing our connected world isn’t just about technology but about a deep, contextual understanding of each unique environment. As industries from healthcare to smart cities continue to evolve, holistic security platforms like Asimily will be essential in protecting the critical infrastructure we all rely on.
