From NSA Security to Startup Founder: A Cybersecurity Journey

Speaker 1: 0:00

How's it going, Mike? It's really good to finally have you on the podcast. I mean, we've been trying to get this thing together for quite some time now, but you know, I'm really excited for our conversation today. I think it'll be interesting.

Speaker 2: 0:12

Yeah, fantastic to be here. Thanks for having me on and, yeah, my, my travel schedule is a little hectic, and so I appreciate you dealing with the flexibility to have me on the show.

Speaker 1: 0:23

Yeah, absolutely it's. It's like playing 3D, chess or something you know, juggling and everything. Not only my guest schedules, but you know my schedule of working a full-time job, raising a kid, running a podcast. I mean, it's like the, the, the. The preciseness that I have to be with my schedule is insane.

Speaker 2: 0:44

It's, it's frustrating at times. You think generative AI would have us figured out, given all the all, the all the press around, all the things that it can do, and it's miraculousness.

Speaker 1: 0:56

Oh, I've been looking into AI to be an assistant at this point.

Speaker 2: 1:02

Can you? You got to get out like hologram generation, so that you can either either feign being here or with your, with your newborn.

Speaker 1: 1:09

Right, I don't know which one will be better. Well, mike, you know I always start everyone off with uh, given their background, you know how you got into IT, what that journey was like? Um, you know what made you want to go down this route?

Speaker 2: 1:27

Yeah, it's a. It's a, I guess, probably not a super great story, um, but I was given the option to take a pre-calculate course in high school or a Cisco like CCNA course, and I figured the ladder had significantly less math. And so I took that route and fell in love with configuring the routers and switches and, uh, maybe, maybe a little bit of my millennial uh tendencies of, like instant gratification of watching, uh, you know, routes and packets being delivered as soon as you're done uh with, with, uh, router configuration. And so after that, I just, I, you know, I chose university based on a Cisco Cisco certified academy university. Uh, got selected, uh, for an internship down in DC, and I've been ever been down here ever since, um, just trudging away at, uh, you know, it, and, uh, I got to work at the help desk at an undergrad and that solidified my my you know, I guess, uh, uh like hunting for, like tinkering and troubleshooting and all these like weird things that are. You know, it seems like when you, when you first run into a problem, you're like, oh, it should be this simple thing. You dig in, you're like, oh, well, that's not the case, uh, and and so, yeah, just the constant um brainwrecking which, as you can see is has caused aggressive hair loss. But uh, I do it anyway. It's uh, it's fun, fun time.

Speaker 1: 2:53

Yeah, I've, I've definitely experienced my fair share of hair loss as well. Um, you know, that's, that's uh, that's fascinating, because you know, when I was in high school, if I was, if I was confronted with the choice of getting a CCNA or pre-calic, I would have taken pre-calic all day long. Really, um yeah, oh yeah. I mean, when I, when I finally got kind of my first bit of IT experience it was in college and right from the start I hated networking, everything about it. Um, when I when I got out of college and I got into, you know, the professional side of the career, of actually being on the help desk and whatnot, you know, I figured, okay, it's, it'll be a good time to get some certs. Uh well, let's start with network plus, right? Because everywhere online says, oh, start with network plus, it builds you up from there, right. And I mean I, I couldn't stay awake while reading the network plus study guide book. I couldn't stay awake and I'm like, all right, maybe networking isn't for me, let's just try and make the jump in the security.

Speaker 2: 3:57

Yeah, it's, it's an ordinarily boring uh like you have to trudge through gobs and gobs of just so such boring shit, uh, before you get to a point where you have enough knowledge to actually do really interesting stuff. Uh, and when I tell people all the time that you know, it's like, well, how do, how, like what you do is extraordinary, blah, blah, blah. I'm like anyone can do this. Uh, you just have to be willing to. It's just how much. How much boring bullshit can you, can you stomach before you quit? Uh, and so, yeah, I mean truly that you know, and that's just kind of been my mantra and you know it's. It's not different from security or or software development or any of these kinds of things. Um, there's now, there's different levels of of boringness, of course, uh, across each of these, but any anyone can, can you know, get into IT, get into security, software development? Um, it's just how, how, how much are you willing to train your brain to, to enjoy the boring?

Speaker 1: 4:54

Yeah, that, uh, that's a really good point, you know, and I I haven't heard someone explain it like that before of of trudging through the boringness of what this field can actually be. You know, not not every aspect of security I find to be, you know, extremely like riveting or attention grabbing, right Like network security shocker. I do not like application security. I do not like, right, Um, you know, those sorts of things I hate. But when we start talking about hacking cars, when we start talking about hacking satellites and all that sort of stuff, right, it starts getting interesting to me, it wakes me up, peaks my interest, even though you know someone would argue well, oh, you should, you should know the network side of that, because you're going over the network, it's. You know, those kinds of people are pushed away from me intentionally.

Speaker 2: 5:49

You know what it's interesting to hack these kinds of low, a calm, low level systems, um, you actually have to have a similar expertise around, uh understanding of how protocols work, as you do, to be like a good network engineer, uh, or or internet operator, uh. And so, yes, it's, you know, you don't just jump into internet operations and build a you know global network, Uh, first you got to understand, uh, you know what the hell is an IP header right, yeah, it's.

Speaker 1: 6:16

Uh, it's challenging. You know, like I feel like I know probably the bare minimum right Of those areas to to get by. You know, I know what I need to know to to be able to do my job effectively, but when we start talking about, like, the different you know aspects of a header, or the different aspects of what's included in a body, and you know things like that, it starts going over me. It's right, like there's other experts out there that have that stuff. All I need to know is what my tool is, queuing off of what we're looking at and go from there. Right, and it's um, it's absolutely a building block, but I feel like it's a specialty for a reason, right, like, not not everyone needs to go 12 feet deep into it, right, it's um it's something that you can know bits and pieces about. You know when, when you were in school and getting this, you know certification did you? Did you think forward of what you wanted your life or your career to look like outside of that or after it?

Speaker 2: 7:19

You know, what's funny is, uh, I never, I I never ended up actually getting a CCNA. Uh, I took the cert once and I failed it. Uh, and I failed it because I spent too much time on one of the simulations trying to understand the totality of the network, uh, as opposed to just solving the one one, um, the actual problem, uh, so I took that as a lesson, like, hey, if you actually pay attention and read and I've always been a terrible test taker but, um, what really? What solidified me in that mind is kind of a tangent to your question is that, like, just because you have a cert or just because you don't have a cert, doesn't make you, uh, have, doesn't make sure, make you either peg you immediately as a better network engineer or a worse engineer in either scenario? Um, what I, what I like to say to people that are chasing certs is if, if that's the thing that you need to help you study, then then you do that. If you need that, that, that structure, some people don't, uh, and you know that says the same thing with, with uh, university and higher level education. Um, but as far as, like, what the hell did I want to do with my career. Um, I didn't really understand what I wanted to do until I took a like a cybersecurity class. I took like a uh uh. I participated in the North Eastern Collegiate Cyber Defense Competition in in my alma mater as the network weenie and um. I started chatting with um, uh, some of the hackers that were sponsoring the event, and and um applied to a Homeland Security uh, summer uh, uh uh internship. And what I found down there was that being at the NSA would be the most badass thing you could, could ever do. Like that was my goal. And I was like, oh, it's going to take me 10 years to get into NSA and you're never going to respond to me and blah, blah, blah, uh. And so that's what I focused on. I, you know, I applied, I don't know, probably to 150 or 200 openings, uh, all across the nation at the at the agency and, um, I mean, a year went by and nothing happened. And then I got the call from the agency actually two of them in contiguously, within 10 minutes of one another, completely separate interviewers didn't know one another called me, no kind of overlap. And yeah, that kind of like kicked off my career, like truly kicked off my cyber career when I joined the agency. So then I was like, well, shit, now what do I do with my career, now that I have my dream job? Right?

Speaker 1: 9:48

Yeah it's. I always tell people it's really important that once you hit your goal, to reset your goals pretty quickly afterwards, because if you don't do that, you'll get there and you'll kind of coast right and there's more to it, there's more to grow in, there's more to become an expert in and whatnot. So I find that really interesting, right If you going into the different agencies and applying around, because I myself I spent a significant amount of time of my life applying to different agencies, interviewing, getting into different steps of the process, never hearing back, and it's a really disappointing process for me because it's like.

Speaker 2: 10:35

That's the area.

Speaker 1: 10:37

It's just like okay, I guess this will just never happen. I wanted it to happen. I guess it'll never happen. After you got those first two phone calls, how long was it until you were actually in your job, at your desk, doing the work? That's a great question.

Speaker 2: 10:56

I believe it was about a year because I was still at Homeland Security at the time and I remember this so vividly. I was getting. It was like Metro system in DC is terrible, but I was transitioning from the red line to the blue line, I was in Metro Center if anyone, if any of your listeners are familiar with this and I was about to board my train get the call. They said can you do an interview? I was like, yeah, sure, why not? Just like blown away that. I actually got the call and then did that thing, was waiting for my next train. The next train showed up and then I got the same call and it shows up as unknown or sometimes just all zeros, and you're like, and at the time I was working at DHS. I was like, oh, it's DHS, whatever. Answered again, whatever. And so that was, I think, june-ish of 2011, 12, maybe 12, and then I started at the agency in 2013, something like that maybe my dates are wrong, but it was quick comparatively because I didn't have any international travel, I didn't have any really close and continuing contacts with any foreign nationals, any of that kind of stuff, other than Canada, which doesn't really count, and so seven months and I had already worked for DHS and so that probably accelerated the process. But, yeah, I think, if I'm remembering correctly, I think my first day was January 13th and yeah, it was wild. First six months I was an intrusion analyst doing some crazy stuff with intrusion sets, malware, families, how they do things, et cetera. I got asked to transition over to a more operations-focused team to build military intelligence and cyber operations networks, and so that's really where I got like hardcore really deep, really really wide understanding of the understanding, the practicalities of networking and really, you know, the NSA, let me do and I had my boss, his boss, and his boss covered my ass hard because I should have been fired probably 1,000 times, was pretty aggressive. I'm still pretty aggressive, but I was significantly more aggressive then. And, yeah, we got done in three years. What a lot of things they were planned for, like over the next like 15 years or more, oh my God. Yeah, so we spent a lot of silver bullets protecting my ass, and so the thing I learned there is like having a leader that supports you a good leader that supports you and isn't intimidated by your aggression and knows how to temper you and tell you like hey, you need to shut up and sit down, like this is gonna hurt your career, and actually listen to them. That's what made my career, having those folks cover my ass and then also tell me like hey, dumbass, like cool it.

Speaker 1: 14:12

Yeah, that's extremely important, you know, to really understand your limits, right, and to be able to have a manager that's able to, I guess, handle your ambitions and counterweight it with the organization's expectations. Right, like that's the biggest thing. So I did a little bit. It wasn't consulting work, it was like some third party, like vendor, professional services. Right, for the government earlier on in my career, and that was the biggest thing. I mean, that was such a painful experience. Right, because for me it's like, okay, this is 30 minutes of work, right, 30 minutes. And I'm on a plane going back. Right? No, it was 10 days and you have to write down every single command that you're gonna run. Before you run it, you have to write down a reasoning behind it, you have to write down what it's doing and then they put someone sitting next to you that can barely spell IT to write down exactly what you're doing and if it doesn't match up, you have to attest to why it doesn't match up. And that was just so. It was so arduous, you know, and I couldn't imagine being someone starting out your career and going into the federal government, because when you have the personality of an IT person, you're already curious, you're probably already self-driven right, because no one that isn't doesn't make it in this field. Right, and so you probably are. You already have the perfect mentality to be successful at a startup moving a million miles an hour trying to make that progress right, and then you're put into the government. That is like this thousand year old behemoth that moves extremely slowly. I mean, you know, america's not obviously a thousand years old, but you and I was saying like they're really old in every way, shape and form, and so they move extremely slowly. I couldn't imagine how that would have been.

Speaker 2: 16:27

Yeah, dhs was fairly slow. Now I was in the front office and so we things were moved much more quickly in the front office of Homeland Security, obviously necessitated by the needs of the homeland, and at the NSA, like being part of the intelligence community, like there's time sensitive things that go on and, as a result, you know, very rarely did I run into an issue where we couldn't move fast. Well, where we were tempered and by typical bureaucratic limitations that you would see at, like maybe the FDA or USDA or some of these other non-intelligence community organizations, and so when you have this kind of mission that's, like you know, tied to national defense and has time sensitive things, like there's less of it. Now, I wish I could have done more and done faster, but of course, there are implications to moving too quickly in certain lines of work, and so, yeah, I mean so I finished three projects and essentially wanted to start the fourth and they like kind of had it just pat me in my head and they're like you've done enough, you need to chill. And so, as soon as that happened, I was like, you know, screw this, I'm out. And that's when I made my leap to start up land in 2015.

Speaker 1: 18:02

Hmm, so you mentioned that you worked on. Was it intrusion prevention or intrusion detection for the agency? A part of that? Do you also deal with insider threat? I mean, obviously I would assume that it's like totally separate functionality and whatnot. But you know, when we're thinking about intrusion detection, primarily you're thinking about external trying to get in, but a part of that is also insider threat. Right, someone could be compromised that's already on the end and get things that they shouldn't be so in that team or in that workspace. Are you also thinking about both sides of it or primarily just external in?

Speaker 2: 18:48

Yeah, for us it was just external stuff Focused on the agency's goal, which is foreign intelligence. There's, I'm sure, many teams within the agency that focus on that, but that wasn't my charge.

Speaker 1: 19:05

Yeah, I always just find the agencies interesting, right, Because it's something I never, I always wanted to get into, never got into it.

Speaker 2: 19:16

But you know along there's all the secrecy around. It makes it sound so sexy and interesting and, at the end of the day, like you're just sitting at a cube like everybody else, tapping at a keyboard like everybody else, which is kind of cool. It's extraordinarily cool, depending on what you're working on, but there's a lot of allure and secrecy which drives a lot of the FOMO and whatever else, but it's. I could have easily been saddled in one of the shitty roles with shitty leaders and have ended up rage quitting after six months because I wasn't given the latitude to do the things that I wanted to do, and so I just got extraordinarily lucky where I landed. But yeah, that's really just a matter of fact.

Speaker 1: 20:09

Yeah, yeah, that's a really good point, like when I first went on site to the agency that I did work with. You drive up to this very nondescript building in the middle of the mountains, right, you go inside, the lobby is fantastic, you don't see any cubes or anything like that. And then you walk like 100 feet, 150 feet, and it's just a cube farm. Like what the hell? Like I did not expect this like at all, especially at this facility. You know, it's just nothing but cubes and they have several floors of it, you know, oh yeah, that's describes every headquarters I've ever walked into of any of the agencies. Yeah, and. I've been to a lot of them With, yeah, with you working for that agency, do you have the opportunity regularly to engage with other agencies, go on site with other agencies or whatnot? Is it, once you're in and cleared sort of thing, you're able to go where you need to go, or does not everyone get that opportunity?

Speaker 2: 21:17

Most don't. Again, I was extraordinarily lucky on the things we were doing and things that are working on, and so I was, you know, afforded the opportunity and you know when the agencies need your help they're willing to move mountains so that things are easy for you to do the things. But if they don't need your help or they don't want it maybe they need it but they don't want it they make it extraordinarily difficult and thankfully I never ran into any of those hurdles and so, yeah, I just it was just looking back at the three years is like the closest thing to a nerd can be to like James Bondi than that I could ever imagine. It was just, it was just cool. You know, I'd go two, three months and be like, okay, I've seen everything, and then my brain would explode at some cool new shit that I saw and that just happened consistently until I left. So really cool. But again, I got super lucky Because there's a lot of really boring shit. You get the NSA and at every agency.

Speaker 1: 22:24

Yeah, I had a friend that told me that you know, once you get in and you get read into different things like, your mind will just blow up with like, oh, I can't believe that we can do this, that we have this capability or whatnot, and then they're going to sit you at a desk at a cube and they're going to give you the most basic thing to work on. You're going to feel so over qualified for your job and whatnot. It was just like it's a really interesting, like start contrast. You know from what you would think going into it. But so when you're, when you're at the agency, you know, towards the end of your tenure there are you thinking, oh, I want to go into the startup world. I want to go, you know, I don't know, work for Cisco or something like that. Because you have that specialty, you'd probably be worth your weight in gold, you know, to Cisco. I would think at least. What were you thinking? Maybe what spurred the thought to you know, make that jump.

Speaker 2: 23:21

I wasn't really I had met a friend, or I had met a guy through Mutual Friend at you know, a barbecue home, their barbecue every year. We got like big data centers based out here in Ashburn DC area and a friend of ours throws a barbecue. And so, you know, I got to invite, and you know, and met this dude who at the time was an expert in software, defined networking, openflow, and one of the few at the time before you know, obviously OpenFlow is dead. And so, you know, I wanted to push the envelope, continue pushing the envelope at the agency. And I said, after a couple of weeks of meeting him, I reached out and said hey, how do you get people to buy into this SDN, openflow bullshit. And he goes why don't you just come do it for me at the startup and I'll double your salary? And I was like so, so, like there's no, like, no, no intention. I wanted to continue pushing at the agency. And, yeah, working at the agency, living in DC with you know the hour, commute, blah, blah, blah, all that kind of crap. I was just like I can tangibly increase the way that I'm living right now and from you know what I would have sold like there are no roadblocks, you just do all the things. And at the beginning, once I transitioned to my first startup, it certainly was that it was cool and it was the first time not to sound like an asshole, but it was the first time that I was surrounded by people where I was like, oh shit, I'm the dummy in the group, like I'm the idiot, and it was the best feeling in the world. I was like, oh, like this is this is fucking awesome. And so, yeah, it was an amazing. It was just there for like two years, but that original infrastructure team that I was on was just a group of absolute badasses.

Speaker 1: 25:27

Yeah, that's. You know what you bring up with the. You know the money side of it right Now, where I'm at with my career. Yeah, I'd probably be a great resource for the agencies or something like that, right, whatever you want to call it. But the pay cut would be so substantial that I would literally never be able to convince my wife to be like, yeah, we're gonna move across the country. We're gonna take a 50% pay cut and I'm gonna go do work that I can't talk to you about for the next four years and then we're gonna go do something else. Right, Like that's an insane sell.

Speaker 2: 26:07

Yeah, yeah, I mean it's a great.

Speaker 1: 26:10

It's perfect when you're right out of like school, you know when you're getting started. It's absolutely perfect, but anything beyond is just unduable.

Speaker 2: 26:20

Yeah, and we I say we. The US government has a really, I think, shitty outlook on this thing. Like you get trained whatever two, three, four years, you become well versed in this thing, doing only certain things people can, and then they bounce because they can make more money and there's no resources outside of this. Where I think, where I think, or a country that I think does really well with this, is Israel. Israel has this, you know, obviously this elite cyber force, blah, blah, blah, and it's specifically built because they're only conscripted for two years. It's specifically built to get them as smart as they can possibly be, and then when they get shit out of the military, they have all these entrepreneurial resources and the government helps them fundraise and all these kinds of things. And so, as a result, Israel's startup market, especially in cyber, like it's really the only competitor, at least in the cyber startup landscape in the world at least I'm concerned about with like patent infringement, that kind of shit, but just an amazing, amazing program. And if the US government had this similar kind of program with computer science and cyber and all this thing, like it would drive, I think, innovation in the US even harder than it already is.

Speaker 1: 27:48

Yeah, that's a really good point. You know, I actually I have on quite a few people from you know Israel that have founded companies and every single one of them have the same story. Like I did this really cool thing for Israel's military, the IDF, whatever it might be right, and now we're starting this really cool company of doing this legacy thing like I don't know vulnerability management or application security, whatever it might be. We're doing it differently than what everyone else is doing. They've learned those skills over there. They've learned those skills you know from their government teaching them. That's really interesting. What you said that they even help them get funding right, like that's like so abnormal right From anything that you would hear about in America because, from what I understand, once you're out you're out it's like you're dead to them. They don't know you anymore. You know it's like they don't want to deal with you.

Speaker 2: 28:53

It depends on how valuable your knowledge is.

Speaker 1: 28:55

But yeah, in general, yes, that's good, yeah, you know like you really get cut off and so like that avenue of still progressing and pushing forward in those areas are, I guess, that kind of limited? Was that your experience too, or maybe not so much?

Speaker 2: 29:16

I mean I never had the. I mean I kind of like dashed out the door there, right, and I never looked back, and so I don't really have any. Now I know, if I call you, know anyone that's still there, or even those that have contacts to those that are still there, like I could get through the process again in a heartbeat. I know that, no doubt, and so I think that there's like, I think there's again the skill set is really important. How you left is really important, like I didn't leave on bad terms, I just left because the opportunity was greater on the outside, and so, yeah, I think that the government could do more. Our government could do more to entice on entrepreneurship and that kind of stuff, especially in these kinds of programs, especially coming out of the military right, like there's stuff that the cyber operators in the armed forces of the US can do that civilians just can't, based on our laws, and so there's some really cool shit, and this is exactly what these really military cyber operators are doing is they're learning all these really cool tactics and they're taking the ones that aren't national secrets and applying them to defense mechanisms in these new vendors, or even I mean, they're all defense mechanisms right, but taking potentially interesting attack vectors or attack operations and morphing them into more of a blue team type of so yeah, I think I like I have nothing bad to say about my time at the agency other than they could have paid me more. But shit, anywhere you go, like that's kind of the sentiment I'd be, like I don't know anybody that's like, oh yeah, like I'm cool with this If you don't have to give me more money. I think everyone would take a pay increase, regardless of what they make.

Speaker 1: 31:13

Right, right. You're never going to, you're never going to turn that down. I mean, most of us have significant others that'll, that'll shoot us if we don't, if we don't take that.

Speaker 2: 31:22

Right there, or or just my, my nagging desire to buy more wine.

Speaker 1: 31:31

Yeah, that's a rabbit hole that we could go down for easily another hour. You know I fairly recently, in the last couple of years, I started going down the whiskey rabbit hole, oh yeah, where you know. Now I'm at the point where the whiskies that I want you can't find it, you know, in the States, because it's made. It's made here but it's sold at other countries to Japan. So it's like OK, I have to go register for this auction and get for it, and you know it's a rabbit hole that that I mean. I guess I'm overall happy I went down. I'm sure my wife isn't, you're right.

Speaker 2: 32:13

So you're admitting that you're a tater.

Speaker 1: 32:16

I mean, I guess.

Speaker 2: 32:22

Yeah, I couldn't. I couldn't deal with with the tatering for the, the listenership that doesn't tater. Is this, these, those that chase these, these super sensationalized bottles of whiskey? But what I found is that if you join there's there's a bunch of like private barrel programs. One of my favorites is our, our bourbon on Reddit, and they have fantastic bottles. It's run. Can you remember this dude's name? But his handle is J8KE. I assume it's pronounced Jake, that's how I read it every time I get an email from him. But it's a fantastic program and I've gotten amazing bottles from it. Whistle pig, penelope barrel but yeah, I can talk about whiskey forever. Tequila wine. I'm just, I suppose, like an alcoholic is part of part of the, the nature of being an IT and cyber, I think.

Speaker 1: 33:18

Drinking coffee is real. Yeah, it's. I mean, at a lot of places it's even like encouraged. You know, like I remember my first big role. I was working, you know, at a credit bureau and the director, you know, once or twice a week, would invite everyone to go to the bar with him and he would pay for everything. Whatever you want to get, just go get it. You know, yeah, and it's like man, this is, I mean, this is a lot of fun, but what's the lasting impact? Because, you know, now I'm expected to show up tomorrow on time, which I always did. But man, it's a different ball game when you've been out all night drinking with your director and you know handling it like that.

Speaker 2: 34:04

But the other thing is like you're expected to go right. If not, then you're seeing, you know, be made a pro and all this kind of thing. And so what I? What I felt, like what we tried to do at Track and what you know I've granted, our team is small and I think we do that fairly successfully is, you know, we do, we do team things that are fairly inclusive, especially for those that don't drink, and I'm I'm very happy that this kind of mocktail culture has started to make its way into mainstream. And I don't think we've been. You know, I fly the team out to a city every every six months so we can do in person things because we're completely remote, but I don't think we've been to a place that doesn't have mocktails, and so even even we're going to New Orleans in a couple of weeks for our end of year planning sessions and look back, and every place we go to, even even in the drinking culture that is New Orleans, there are mocktails for the team members that don't drink. So it's it. There are plenty of plenty of opportunities. Where I can, I can see organizations that don't have these kinds of inclusive events, and so, yeah, we try to be mindful about that at Track and I, you know, implore everybody to.

Speaker 1: 35:21

Yeah, absolutely so, you know, let's let's talk about what it's like, I guess, founding the startup and going through that whole process. You know, I have a friend that I worked for earlier on in my career. Now he's a CEO of a company and he said the the biggest difference between, you know, his last role, that I that I knew him from in his current role, is that if there's something wrong with the company, something wrong with the culture, whatever it might be, he used to be able to just point the finger, you know, at the CEO, be like hey, it's that guy's the problem. You know, he has to do something, I can't do anything. But now he's like no, the finger, like I can't point it at my board, it's me, you know, I'm the one where, if I wake up one day and I make a bad decision, you know I'm the one that has to correct that. You know, it's no one else's job to do that. So can we just talk a little bit about that change, because I would think that that that change, that switch and mentality, you know, didn't happen overnight. But can we talk about how you, you know, went down this path of being a founder of a startup and you know what you're doing and whatnot.

Speaker 2: 36:38

Yeah, I think the mentality of ownership, regardless of the scenario, happened far before I became a founder, and I think that if it hadn't, I would have certainly failed. I I'm certainly not a natural empath and anyone that knows me, even for you, know 10 minutes or so. We'll tell you that this, that they concur, and so I've spent a lot of time putting a lot of effort into being good at being human, is what I call it, and and one of the books that that I read, that change that had the. It certainly had the largest impact, and I, you know, I read it at least once a year is called Leadership and Self Deception by the Arbanger Institute, and it's absolutely fantastic. Essentially, the plot is that, or the focus of the book is that you should be treating people like people that have wants and feelings just like yours, as opposed to objects and hurdles that need to be bulldozed in order to achieve your goals. And, of course, I'm butchering it and I implore you also read it. It's only 400 pages, is a very quick read and it's written as fiction, so it's really interesting. So so, yeah, I think that your, your friend, is spot on. There's if anything goes wrong in the company is my fault and I truly believe that it's not just, you know, just conjecture and lip service. I think I believe that my team would, would echo that and and. But I think you truly have to believe this thing, otherwise it is just lip service and you, you foster this culture of of hate and discontent and all these kinds of things. And so founding founding tract was you know what my last start? I've got acquired. A last start I worked at was my startup got acquired by a large security company. And because you know this problem, that we're solving a track, that I've been dealing with it for over a decade and finally I just like the reason I started track was rage. I was like this this problem is so inordinately difficult and frustrating and disruptive that, like I just have to, I just have to solve it like it's solvable, I just have to solve it and never look back like that. This I tell people that this is the best job I've ever had and the day, if ever, the day, I was in the, the day, if ever the day comes that I have to, that I'm not tracked anymore and I have to get a real job. I call it a real job because then you have like things, like people that you have to answer to Bullshit, that you like it's not your baby anymore. That that's what really keeps me driving forward right. Like one, I never want a real job again. And two, like the team that we have is just the absolute best team I've ever worked with. And and, yeah, I get to be the dumb guy again, which is, which is fantastic. So, yeah, I there are a handful of these, these like CEO founder Groups that you go to in this, I'll describe a founder being a founder in one word, and I'll be was a responsibility and or a couple words right, responsibility and leadership and all this kind of bullshit. And when, when it came to me, I was just like it's fucking awesome, that's job ever like, just fucking awesome.

Speaker 1: 40:11

Yeah, that's, um, it's, it's a, it's a different kind of mentality, I guess. Right, because if it's gonna succeed, it's on you and if it fails it's on you and you know, for, from my perspective, right and I've talked about this before Having a family and going from a nine to five to doing your own thing is Maybe the most like scary thing I could think of, right and and uh, because, like you, there's no room for error, there's no room for messing up or not working hard, not succeeding. You know all those things Matter and they just don't. They just don't randomly happen, right, they happen over years of extremely hard work and dedication, and and always, you know fine tuning, you know even the smallest things, so that they, they come together and work correctly, right, so what, what? What's the solution, that that you have built currently, and what's the problem that you're trying to solve with your company?

Speaker 2: 41:18

Yeah, great question. Uh, so so what we found is that most people, when they're going to fix their software vulnerabilities, are crossing their fingers, hoping patches won't break their shit. And so we built the platform that not only unifies vulnerability management and patch management. Essentially, this dichotomy that's been this false dichotomy that's been perpetuated in the workplace, where security is only does security things and it only does it Things, and they throw each shit over the wall and under the bus and that's kind of shit. In addition to building this unified platform to do both, we we also let you know how patches have broken other people's shit before you apply it to yours.

Speaker 1: 41:54

We do this for outsourcing.

Speaker 2: 41:55

We're able to collect telemetry on how patches break, break other systems or how they're, how they're affecting Other systems as we install them, and then we anonymize and share it with everybody else in real time. So, come patch Tuesday or whatever, you can see, oh, four people have applied this patch. We haven't detected an issue that no one's reported. One, oh four hundred, oh four thousand, oh, four million. Right, we're not there yet, but that's the idea. Is this, uh, you know, collective defense idea, which Isn't, isn't? Uh, obviously it's not new, right, this is a NATO term. But also the first startup I worked at called ironet cyber security, which unfortunately just declare bankruptcy, founded by jennel key, philax, and or was was really this eye opener? A fantastic idea of like you can't Like. This is a cliche, cliche thing to say. Like the, the defenders have to be right every time. The bad guys only have to be right once and it's it's. It's not reasonable to expect One company to defend against all the things and I need to argue like one particular tool Used by everybody sharing all this intelligence. Still not reasonable to expect everybody to be right 100% of the time, but it's as close as we can get to to Perfection, and that's, you know, crowd sourcing, data working together, blah, blah, blah. And and I think the best, best, what's the word I'm looking for? Example of how this works or or how it's been useful is General McChrystal's book called team of teams. What an amazing. Essentially details how jsoc was created, I believe, for the the war event war, the war event war in Afghanistan, getting the intelligence communities to cooperate, so so we could actually make a progress there. An absolute killer of a book, really really well written and just super interesting, both both from a behavioral science standpoint, but also like if you're interested in how the agency is the military, these kinds of things work. It's really, really cool.

Speaker 1: 44:04

Oh, wow, I'll have to definitely pick up that book. I've, uh, I took like a few months hiatus from From reading books and then we're listening to audiobooks, right like the the first like six months of the year. I Just like steamrolled through my book list and now I'm just like burnt out on books. But yeah, I'm slowly, you know, ramping back up and looking for that right book. So I'll definitely check out those that team of teams book that you mentioned.

Speaker 2: 44:33

Yeah, I get it, I, um. So I, I haven't read anything. Non, I haven't read anything for for work outside of like real worship, but for books In in a long time. I, you know, I, you know, I complain. I fly all the time, I'm on united all the time and I complain About wi-fi not being available, but every time it doesn't work, especially when I'm on a, you know, coast-to-coast flight across the us, I, I silently cheer because I can actually read. Uh, and I've, you know, been reading fan fantasy novels. Is this kind of way for me to want? I just love fantasy, but it's a great way to just kind of like decompress and Recharge. And so, yeah, I haven't, really I haven't read a business book or like a how to be, like how to be good at being human book, and in a long time it's all about, you know, shooting fireballs out of fingers and dragons and all that kind of shit. So, yeah, I, but I, but I get it. It if you, if you don't pace yourself, it's hard, it's hard, it's a lot of, you know, reading these kinds of books is draining, but, um, sometimes at the same time, really exciting.

Speaker 1: 45:37

Yeah, yeah, that's uh, that's a good way of putting it. It can be really draining and exciting all at the same time, I guess. Um, so, with with what you're doing right now, that's really interesting. I wonder if there's a way for you to somehow plug into, you know, like the, the error feeds of different systems, whether or not someone's a you know a customer of yours, right, like, let's say, someone you know deploys a patch on patch Tuesday for Microsoft, and you just see the error report like, oh, someone you know had an issue with this thing, right, um, is there, is there an avenue for that? Is there a way that you're, you know, potentially exploring, gaining new intelligence or you know stats around those sorts of things, or is it? Is it strictly you know, more open source or through your own customer base? I guess?

Speaker 2: 46:35

Yeah, right now it's just through our customer base, and we're looking to build this, this open community, uh, to help operators understand, like, essentially, what we call, what I call operational risk. Right, like I, you know, I'll set this, I say this all the time. It's like security is not free, and I'm not talking about cash, right, there's operational risk associated with implementing security controls and, at at best, the security people are just ignorant to it. At worst, they're, they just don't care and and so you know, today, the way that we, we operators, reason about, like, is this patch going to break my shit? As we go on the red day, we go to twitter, we, you know, go down these websites, um, and and pray, and so what we, what we've built, attract is is this idea that you can see how many people have installed this thing, how many, how, what's the percentage of failure rate globally across our install base? Um, we're working on a what I call similarity analytic, which essentially shows, like, how close to how similar is your shit to my shit? And did it break that stuff? And and over time, we want to, we want to build that and expand that, uh, and so we have. You know it, uh, uh, currently, the platform is entirely free, um, but one of the things that's great about our platform is that, uh, finding and fixing your vulnerabilities across all of your operating systems. We'll always be free, uh, and we support every major operating system except for mac os. Mac os will come live and into one of next year, um, but, but it's. It's why we've had so much success, I think, in our early adoption, even though our product is is generally fairly infantile and it's in its development stage. We've been in market for about six months with our, with, um, what we call a private beta, but it's, it's. It's fairly uh, uh, it's certainly stable, but there's of course, always improvements, um, but, but yeah, you can. Anyone can log in, go, you know, trackcom, sign up. All you need is a business email address and if you want to use it on your personal lab, just reach out to me like a trackcom and I can set you up an account. Uh, uh, that gets past the, the business filter.

Speaker 1: 48:39

Yeah, that is. That's really fascinating because, you know, I literally earlier today I got off a call of someone arguing with me that all, all of our applications are so extremely unique that we can't group these things together in configurations. I'm like guys. Doesn't make any sense Like that. We're using open source libraries, right, like we might be deploying them differently, but but we're not rewriting Java.

Speaker 2: 49:11

Yeah, unlikely, like people say this all the time is like you may have one or two arbitrarily compiled uh executables on your endpoint, but Over 99 of your, your system is fucking Linux. Right, it's rail, or it's maybe in, whatever is running a Linux kernel, or it's just, or its windows, uh, but it's 99 the same. And so the the thing that you're afraid of, like now, if you're like afraid of Upgrading from, like, java 5 to Java 9. Okay, that's kind of scary, I'll give you that. But but keeping up with minor updates, like we've, we've deployed about 2000 patches now across all of our agent installs and not a single one has caused a single disruption. This includes five patch Tuesdays now, um, sorry, april, may, june, july, august, seven, seven patch Tuesdays, and not a single one has broken. Now We've had some failures, um, and we've, you know, been able to to deal with those, but failures that didn't, they didn't cause any disruptions, uh, which is a big deal, um, and so, you know, I, my, my, my mantra is you know, less than two percent of patches Ever fail, and this is uh fueled by an independent study, um, our private study, and but but people aren't really going to play restaurant, let with their um with their critical infrastructure. But, um, even when it does cause failures, uh, the the reduction in cyber risk, even doing so blindly, is far greater than the operational risk. But at the end of the day, operators, you're asking them to risk impacting their lives, right? Maybe they got a Tinder date or a daughter's recital or a dinner, you know? Whatever the hell they have, book club, whatever it is, like a wine tasting, for example. Like, if you're going to patch today or patch next week because your life's potentially going to be impacted, like I'm pushing, I'm not, I'm not board of directors, I'm not the CEO to your, to your earlier point, right? Like I'll get paid to worry about that shit. I got my life to live and so that's what we're trying to solve for is, you know, giving people confidence and being able to quantify what, what their fear actually is in these things and and declare what safety is in a certain, in a handful of types of thresholds, so that they can actually auto patch, but in a way that's safe and compliant with their organization but, most importantly, the operators' lives.

Speaker 1: 51:39

Hmm, yeah, that that definitely really hits home. When I was working out of another company many years ago, when I lost all my hair, you know if we, if we, had to deploy a patch on a certain system, it was like, okay, you know, let me cancel plans for the weekend. Yep, you know who's on call, make sure that the right person's on call Like there was so much worry and that would be all that I would think about for two or three weeks. Yep, you know, and it sounds dumb, but these updates would break our system in so many different, seemingly random ways and the vendor would never tell us if there was other reports of this issue. Yeah, and there was other issues in other customers. It's like, guys, if I need to deploy a hot fix after I deploy this update, just tell me. I'm more than happy to deploy it because I don't want any issues. You know, at 2am, 3am, waking me up, that's what I'm going to be mad, you know. And of course they would never tell me and of course it would always happen, like almost every single time. That was the most, that was the most painful thing you could ever go through as an engineer, as an operator, you know, going through this yeah, now, don't get me wrong in the early 2000s and late 90s, like shiprock all the time.

Speaker 2: 53:02

And so this is where all that fear is steeped in, and what's really interesting and this kind of goes into my interest in human behaviors is that it's non-generational meaning. Old folks like you and me have taught Gen Z to be afraid of patching even though, empirically, the likelihood of an issue coming up is almost zero, and so it's really really interesting to understand. And you know, one of the cool things, one of the things that I just enjoy doing, is, you know, getting people to change behavior, which is inordinately difficult, but doing so in a way that's comfortable enough for them that they're even willing to try it at all.

Speaker 1: 53:44

Well, mike, you know, I think we're unfortunately running out of time here. I feel like we could go for another hour or two, especially in the bourbon. Yeah, absolutely. Maybe we'll do a part two to this episode. I think that'll be fun, but we have to have bourbon. You know something like that. But you know, before I let you go, how about you tell my audience, you know where they could find you, where they could find your company, if they wanted to learn more information and, you know, maybe sign up, for you know getting their hands on the solution?

Speaker 2: 54:14

Yeah, absolutely, you can reach out support at trackcom and it's spelled T-R-A-C-K-D for your Unix and Unix nerds it's track D. For those that are not Unix nerds it's just tracked. But, mike at trackcom, trackcom slash, sign up whatever you guys want, linkedin, mike Starr on LinkedIn and the Baldwin that shows up. And, yeah, happy to have a conversation either about tract or anything in general, cyber, computer science, behavioral things and like how humans behave, wine, whatever it is. But I'll be warned I can talk at nauseam, so awesome.

Speaker 1: 54:53

Well, thanks, Mike. I really appreciate you coming on and I appreciate everyone listening to this episode. I hope you enjoyed it.

Speaker 2: 55:00

Awesome. Thanks, joe, for having me Appreciate you.

Speaker 1: 55:02

Absolutely, that was awesome. Thank you very much.