From NSA Security to Startup Founder: A Cybersecurity Journey

1 00:00:00
Speaker 1: How's it going, Mike?

00:00:00
It's really good to finally have you on the podcast.

00:00:03
I mean, we've been trying to get this thing together for

00:00:06
quite some time now, but you know, I'm really excited for our

00:00:09
conversation today.

00:00:10
I think it'll be interesting.

00:00:12
Speaker 2: Yeah, fantastic to be here.

00:00:14
Thanks for having me on and, yeah, my, my travel schedule is

00:00:16
a little hectic, and so I appreciate you dealing with the

00:00:19
flexibility to have me on the show.

00:00:23
Speaker 1: Yeah, absolutely it's .

00:00:25
It's like playing 3D, chess or something you know, juggling and

00:00:28
everything.

00:00:29
Not only my guest schedules, but you know my schedule of

00:00:32
working a full-time job, raising a kid, running a podcast.

00:00:36
I mean, it's like the, the, the .

00:00:40
The preciseness that I have to be with my schedule is insane.

00:00:44
Speaker 2: It's, it's frustrating at times.

00:00:47
You think generative AI would have us figured out, given all

00:00:51
the all, the all the press around, all the things that it

00:00:53
can do, and it's miraculousness.

00:00:56
Speaker 1: Oh, I've been looking into AI to be an assistant at

00:00:59
this point.

00:01:02
Speaker 2: Can you?

00:01:02
You got to get out like hologram generation, so that you

00:01:05
can either either feign being here or with your, with your

00:01:08
newborn.

00:01:09
Speaker 1: Right, I don't know which one will be better.

00:01:13
Well, mike, you know I always start everyone off with uh,

00:01:20
given their background, you know how you got into IT, what that

00:01:23
journey was like?

00:01:23
Um, you know what made you want to go down this route?

00:01:27
Speaker 2: Yeah, it's a.

00:01:28
It's a, I guess, probably not a super great story, um, but I

00:01:32
was given the option to take a pre-calculate course in high

00:01:35
school or a Cisco like CCNA course, and I figured the ladder

00:01:40
had significantly less math.

00:01:42
And so I took that route and fell in love with configuring

00:01:47
the routers and switches and, uh , maybe, maybe a little bit of

00:01:50
my millennial uh tendencies of, like instant gratification of

00:01:56
watching, uh, you know, routes and packets being delivered as

00:01:59
soon as you're done uh with, with, uh, router configuration.

00:02:02
And so after that, I just, I, you know, I chose university

00:02:06
based on a Cisco Cisco certified academy university.

00:02:11
Uh, got selected, uh, for an internship down in DC, and I've

00:02:14
been ever been down here ever since, um, just trudging away at

00:02:18
, uh, you know, it, and, uh, I got to work at the help desk at

00:02:22
an undergrad and that solidified my my you know, I guess, uh, uh

00:02:28
like hunting for, like tinkering and troubleshooting

00:02:31
and all these like weird things that are.

00:02:33
You know, it seems like when you, when you first run into a

00:02:36
problem, you're like, oh, it should be this simple thing.

00:02:38
You dig in, you're like, oh, well, that's not the case, uh,

00:02:41
and and so, yeah, just the constant um brainwrecking which,

00:02:45
as you can see is has caused aggressive hair loss.

00:02:48
But uh, I do it anyway.

00:02:50
It's uh, it's fun, fun time.

00:02:53
Speaker 1: Yeah, I've, I've definitely experienced my fair

00:02:55
share of hair loss as well.

00:02:57
Um, you know, that's, that's uh , that's fascinating, because

00:03:03
you know, when I was in high school, if I was, if I was

00:03:06
confronted with the choice of getting a CCNA or pre-calic, I

00:03:09
would have taken pre-calic all day long.

00:03:12
Really, um yeah, oh yeah.

00:03:14
I mean, when I, when I finally got kind of my first bit of IT

00:03:19
experience it was in college and right from the start I hated

00:03:23
networking, everything about it.

00:03:26
Um, when I when I got out of college and I got into, you know

00:03:30
, the professional side of the career, of actually being on the

00:03:33
help desk and whatnot, you know , I figured, okay, it's, it'll

00:03:36
be a good time to get some certs .

00:03:37
Uh well, let's start with network plus, right?

00:03:40
Because everywhere online says, oh, start with network plus, it

00:03:43
builds you up from there, right .

00:03:45
And I mean I, I couldn't stay awake while reading the network

00:03:49
plus study guide book.

00:03:50
I couldn't stay awake and I'm like, all right, maybe

00:03:53
networking isn't for me, let's just try and make the jump in

00:03:55
the security.

00:03:57
Speaker 2: Yeah, it's, it's an ordinarily boring uh like you

00:04:00
have to trudge through gobs and gobs of just so such boring shit

00:04:06
, uh, before you get to a point where you have enough knowledge

00:04:09
to actually do really interesting stuff.

00:04:11
Uh, and when I tell people all the time that you know, it's

00:04:14
like, well, how do, how, like what you do is extraordinary,

00:04:17
blah, blah, blah.

00:04:17
I'm like anyone can do this.

00:04:19
Uh, you just have to be willing to.

00:04:20
It's just how much.

00:04:22
How much boring bullshit can you, can you stomach before you

00:04:25
quit?

00:04:25
Uh, and so, yeah, I mean truly that you know, and that's just

00:04:29
kind of been my mantra and you know it's.

00:04:31
It's not different from security or or software

00:04:35
development or any of these kinds of things.

00:04:36
Um, there's now, there's different levels of of

00:04:39
boringness, of course, uh, across each of these, but any

00:04:42
anyone can, can you know, get into IT, get into security,

00:04:45
software development?

00:04:46
Um, it's just how, how, how much are you willing to train

00:04:51
your brain to, to enjoy the boring?

00:04:54
Speaker 1: Yeah, that, uh, that's a really good point, you

00:04:58
know, and I I haven't heard someone explain it like that

00:05:01
before of of trudging through the boringness of what this

00:05:05
field can actually be.

00:05:06
You know, not not every aspect of security I find to be, you

00:05:11
know, extremely like riveting or attention grabbing, right Like

00:05:16
network security shocker.

00:05:18
I do not like application security.

00:05:21
I do not like, right, Um, you know, those sorts of things I

00:05:25
hate.

00:05:26
But when we start talking about hacking cars, when we start

00:05:29
talking about hacking satellites and all that sort of stuff,

00:05:32
right, it starts getting interesting to me, it wakes me

00:05:35
up, peaks my interest, even though you know someone would

00:05:38
argue well, oh, you should, you should know the network side of

00:05:42
that, because you're going over the network, it's.

00:05:43
You know, those kinds of people are pushed away from me

00:05:47
intentionally.

00:05:49
Speaker 2: You know what it's interesting to hack these kinds

00:05:51
of low, a calm, low level systems, um, you actually have

00:05:55
to have a similar expertise around, uh understanding of how

00:05:59
protocols work, as you do, to be like a good network engineer,

00:06:02
uh, or or internet operator, uh.

00:06:04
And so, yes, it's, you know, you don't just jump into

00:06:07
internet operations and build a you know global network, Uh,

00:06:10
first you got to understand, uh, you know what the hell is an IP

00:06:13
header right, yeah, it's.

00:06:16
Speaker 1: Uh, it's challenging.

00:06:18
You know, like I feel like I know probably the bare minimum

00:06:22
right Of those areas to to get by.

00:06:25
You know, I know what I need to know to to be able to do my job

00:06:28
effectively, but when we start talking about, like, the

00:06:31
different you know aspects of a header, or the different aspects

00:06:35
of what's included in a body, and you know things like that,

00:06:39
it starts going over me.

00:06:40
It's right, like there's other experts out there that have that

00:06:43
stuff.

00:06:43
All I need to know is what my tool is, queuing off of what

00:06:46
we're looking at and go from there.

00:06:48
Right, and it's um, it's absolutely a building block, but

00:06:53
I feel like it's a specialty for a reason, right, like, not

00:06:57
not everyone needs to go 12 feet deep into it, right, it's um

00:07:01
it's something that you can know bits and pieces about.

00:07:06
You know when, when you were in school and getting this, you

00:07:10
know certification did you?

00:07:12
Did you think forward of what you wanted your life or your

00:07:16
career to look like outside of that or after it?

00:07:19
Speaker 2: You know, what's funny is, uh, I never, I I never

00:07:22
ended up actually getting a CCNA.

00:07:24
Uh, I took the cert once and I failed it.

00:07:28
Uh, and I failed it because I spent too much time on one of

00:07:33
the simulations trying to understand the totality of the

00:07:35
network, uh, as opposed to just solving the one one, um, the

00:07:40
actual problem, uh, so I took that as a lesson, like, hey, if

00:07:43
you actually pay attention and read and I've always been a

00:07:45
terrible test taker but, um, what really?

00:07:48
What solidified me in that mind is kind of a tangent to your

00:07:51
question is that, like, just because you have a cert or just

00:07:54
because you don't have a cert, doesn't make you, uh, have,

00:07:57
doesn't make sure, make you either peg you immediately as a

00:08:00
better network engineer or a worse engineer in either

00:08:02
scenario?

00:08:03
Um, what I, what I like to say to people that are chasing certs

00:08:06
is if, if that's the thing that you need to help you study,

00:08:09
then then you do that.

00:08:10
If you need that, that, that structure, some people don't, uh

00:08:13
, and you know that says the same thing with, with uh,

00:08:16
university and higher level education.

00:08:18
Um, but as far as, like, what the hell did I want to do with

00:08:22
my career.

00:08:23
Um, I didn't really understand what I wanted to do until I took

00:08:28
a like a cybersecurity class.

00:08:30
I took like a uh uh.

00:08:31
I participated in the North Eastern Collegiate Cyber Defense

00:08:33
Competition in in my alma mater as the network weenie and um.

00:08:39
I started chatting with um, uh, some of the hackers that were

00:08:43
sponsoring the event, and and um applied to a Homeland Security

00:08:48
uh, summer uh, uh uh internship.

00:08:52
And what I found down there was that being at the NSA would be

00:08:58
the most badass thing you could, could ever do.

00:09:01
Like that was my goal.

00:09:01
And I was like, oh, it's going to take me 10 years to get into

00:09:03
NSA and you're never going to respond to me and blah, blah,

00:09:06
blah, uh.

00:09:07
And so that's what I focused on .

00:09:08
I, you know, I applied, I don't know, probably to 150 or 200

00:09:11
openings, uh, all across the nation at the at the agency and,

00:09:15
um, I mean, a year went by and nothing happened.

00:09:18
And then I got the call from the agency actually two of them

00:09:21
in contiguously, within 10 minutes of one another,

00:09:25
completely separate interviewers didn't know one another called

00:09:29
me, no kind of overlap.

00:09:30
And yeah, that kind of like kicked off my career, like truly

00:09:36
kicked off my cyber career when I joined the agency.

00:09:40
So then I was like, well, shit, now what do I do with my career

00:09:43
, now that I have my dream job?

00:09:45
Right?

00:09:48
Speaker 1: Yeah it's.

00:09:49
I always tell people it's really important that once you

00:09:52
hit your goal, to reset your goals pretty quickly afterwards,

00:09:55
because if you don't do that, you'll get there and you'll kind

00:10:00
of coast right and there's more to it, there's more to grow in,

00:10:03
there's more to become an expert in and whatnot.

00:10:06
So I find that really interesting, right If you going

00:10:12
into the different agencies and applying around, because I

00:10:17
myself I spent a significant amount of time of my life

00:10:22
applying to different agencies, interviewing, getting into

00:10:26
different steps of the process, never hearing back, and it's a

00:10:32
really disappointing process for me because it's like.

00:10:35
Speaker 2: That's the area.

00:10:37
Speaker 1: It's just like okay, I guess this will just never

00:10:39
happen.

00:10:39
I wanted it to happen.

00:10:41
I guess it'll never happen.

00:10:42
After you got those first two phone calls, how long was it

00:10:48
until you were actually in your job, at your desk, doing the

00:10:52
work?

00:10:52
That's a great question.

00:10:56
Speaker 2: I believe it was about a year because I was still

00:11:07
at Homeland Security at the time and I remember this so

00:11:10
vividly.

00:11:11
I was getting.

00:11:11
It was like Metro system in DC is terrible, but I was

00:11:16
transitioning from the red line to the blue line, I was in Metro

00:11:19
Center if anyone, if any of your listeners are familiar with

00:11:21
this and I was about to board my train get the call.

00:11:24
They said can you do an interview?

00:11:27
I was like, yeah, sure, why not ?

00:11:29
Just like blown away that.

00:11:31
I actually got the call and then did that thing, was waiting

00:11:34
for my next train.

00:11:35
The next train showed up and then I got the same call and it

00:11:37
shows up as unknown or sometimes just all zeros, and you're like

00:11:42
, and at the time I was working at DHS.

00:11:43
I was like, oh, it's DHS, whatever.

00:11:45
Answered again, whatever.

00:11:47
And so that was, I think, june-ish of 2011, 12, maybe 12,

00:11:58
and then I started at the agency in 2013, something like that

00:12:03
maybe my dates are wrong, but it was quick comparatively because

00:12:07
I didn't have any international travel, I didn't have any

00:12:12
really close and continuing contacts with any foreign

00:12:14
nationals, any of that kind of stuff, other than Canada, which

00:12:18
doesn't really count, and so seven months and I had already

00:12:22
worked for DHS and so that probably accelerated the process

00:12:24
.

00:12:24
But, yeah, I think, if I'm remembering correctly, I think

00:12:29
my first day was January 13th and yeah, it was wild.

00:12:36
First six months I was an intrusion analyst doing some

00:12:42
crazy stuff with intrusion sets, malware, families, how they do

00:12:46
things, et cetera.

00:12:47
I got asked to transition over to a more operations-focused

00:12:53
team to build military intelligence and cyber

00:12:57
operations networks, and so that's really where I got like

00:13:01
hardcore really deep, really really wide understanding of the

00:13:06
understanding, the practicalities of networking and

00:13:11
really, you know, the NSA, let me do and I had my boss, his

00:13:16
boss, and his boss covered my ass hard because I should have

00:13:20
been fired probably 1 times, was pretty aggressive.

00:13:23
I'm still pretty aggressive, but I was significantly more

00:13:25
aggressive then.

00:13:26
And, yeah, we got done in three years.

00:13:30
What a lot of things they were planned for, like over the next

00:13:34
like 15 years or more, oh my God .

00:13:36
Yeah, so we spent a lot of silver bullets protecting my ass

00:13:41
, and so the thing I learned there is like having a leader

00:13:48
that supports you a good leader that supports you and isn't

00:13:51
intimidated by your aggression and knows how to temper you and

00:13:54
tell you like hey, you need to shut up and sit down, like this

00:13:57
is gonna hurt your career, and actually listen to them.

00:14:00
That's what made my career, having those folks cover my ass

00:14:07
and then also tell me like hey, dumbass, like cool it.

00:14:12
Speaker 1: Yeah, that's extremely important, you know,

00:14:16
to really understand your limits , right, and to be able to have

00:14:22
a manager that's able to, I guess, handle your ambitions and

00:14:27
counterweight it with the organization's expectations.

00:14:30
Right, like that's the biggest thing.

00:14:33
So I did a little bit.

00:14:35
It wasn't consulting work, it was like some third party, like

00:14:39
vendor, professional services.

00:14:41
Right, for the government earlier on in my career, and

00:14:47
that was the biggest thing.

00:14:48
I mean, that was such a painful experience.

00:14:52
Right, because for me it's like , okay, this is 30 minutes of

00:14:57
work, right, 30 minutes.

00:14:58
And I'm on a plane going back.

00:15:00
Right?

00:15:03
No, it was 10 days and you have to write down every single

00:15:09
command that you're gonna run.

00:15:11
Before you run it, you have to write down a reasoning behind it

00:15:14
, you have to write down what it's doing and then they put

00:15:17
someone sitting next to you that can barely spell IT to write

00:15:24
down exactly what you're doing and if it doesn't match up, you

00:15:27
have to attest to why it doesn't match up.

00:15:30
And that was just so.

00:15:32
It was so arduous, you know, and I couldn't imagine being

00:15:36
someone starting out your career and going into the federal

00:15:41
government, because when you have the personality of an IT

00:15:44
person, you're already curious, you're probably already

00:15:47
self-driven right, because no one that isn't doesn't make it

00:15:51
in this field.

00:15:52
Right, and so you probably are.

00:15:55
You already have the perfect mentality to be successful at a

00:15:59
startup moving a million miles an hour trying to make that

00:16:03
progress right, and then you're put into the government.

00:16:06
That is like this thousand year old behemoth that moves

00:16:11
extremely slowly.

00:16:12
I mean, you know, america's not obviously a thousand years old,

00:16:15
but you and I was saying like they're really old in every way,

00:16:19
shape and form, and so they move extremely slowly.

00:16:23
I couldn't imagine how that would have been.

00:16:27
Speaker 2: Yeah, dhs was fairly slow.

00:16:29
Now I was in the front office and so we things were moved much

00:16:36
more quickly in the front office of Homeland Security,

00:16:39
obviously necessitated by the needs of the homeland, and at

00:16:45
the NSA, like being part of the intelligence community, like

00:16:49
there's time sensitive things that go on and, as a result, you

00:16:55
know, very rarely did I run into an issue where we couldn't

00:17:01
move fast.

00:17:01
Well, where we were tempered and by typical bureaucratic

00:17:07
limitations that you would see at, like maybe the FDA or USDA

00:17:17
or some of these other non-intelligence community

00:17:22
organizations, and so when you have this kind of mission that's

00:17:24
, like you know, tied to national defense and has time

00:17:29
sensitive things, like there's less of it.

00:17:32
Now, I wish I could have done more and done faster, but of

00:17:36
course, there are implications to moving too quickly in certain

00:17:40
lines of work, and so, yeah, I mean so I finished three

00:17:45
projects and essentially wanted to start the fourth and they

00:17:49
like kind of had it just pat me in my head and they're like

00:17:51
you've done enough, you need to chill.

00:17:53
And so, as soon as that happened, I was like, you know,

00:17:56
screw this, I'm out.

00:17:58
And that's when I made my leap to start up land in 2015.

00:18:02
Speaker 1: Hmm, so you mentioned that you worked on.

00:18:07
Was it intrusion prevention or intrusion detection for the

00:18:12
agency?

00:18:12
A part of that?

00:18:14
Do you also deal with insider threat?

00:18:16
I mean, obviously I would assume that it's like totally

00:18:19
separate functionality and whatnot.

00:18:21
But you know, when we're thinking about intrusion

00:18:23
detection, primarily you're thinking about external trying

00:18:27
to get in, but a part of that is also insider threat.

00:18:31
Right, someone could be compromised that's already on

00:18:34
the end and get things that they shouldn't be so in that team or

00:18:39
in that workspace.

00:18:42
Are you also thinking about both sides of it or primarily

00:18:46
just external in?

00:18:48
Speaker 2: Yeah, for us it was just external stuff Focused on

00:18:52
the agency's goal, which is foreign intelligence.

00:18:55
There's, I'm sure, many teams within the agency that focus on

00:19:00
that, but that wasn't my charge.

00:19:05
Speaker 1: Yeah, I always just find the agencies interesting,

00:19:09
right, Because it's something I never, I always wanted to get

00:19:13
into, never got into it.

00:19:16
Speaker 2: But you know along there's all the secrecy around.

00:19:19
It makes it sound so sexy and interesting and, at the end of

00:19:22
the day, like you're just sitting at a cube like everybody

00:19:26
else, tapping at a keyboard like everybody else, which is

00:19:30
kind of cool.

00:19:31
It's extraordinarily cool, depending on what you're working

00:19:33
on, but there's a lot of allure and secrecy which drives a lot

00:19:38
of the FOMO and whatever else, but it's.

00:19:43
I could have easily been saddled in one of the shitty

00:19:45
roles with shitty leaders and have ended up rage quitting

00:19:52
after six months because I wasn't given the latitude to do

00:19:59
the things that I wanted to do, and so I just got

00:20:01
extraordinarily lucky where I landed.

00:20:02
But yeah, that's really just a matter of fact.

00:20:09
Speaker 1: Yeah, yeah, that's a really good point, like when I

00:20:12
first went on site to the agency that I did work with.

00:20:16
You drive up to this very nondescript building in the

00:20:22
middle of the mountains, right, you go inside, the lobby is

00:20:25
fantastic, you don't see any cubes or anything like that.

00:20:28
And then you walk like 100 feet , 150 feet, and it's just a cube

00:20:32
farm.

00:20:33
Like what the hell?

00:20:34
Like I did not expect this like at all, especially at this

00:20:38
facility.

00:20:39
You know, it's just nothing but cubes and they have several

00:20:42
floors of it, you know, oh yeah, that's describes every

00:20:47
headquarters I've ever walked into of any of the agencies.

00:20:50
Yeah, and.

00:20:52
I've been to a lot of them With , yeah, with you working for

00:20:56
that agency, do you have the opportunity regularly to engage

00:21:03
with other agencies, go on site with other agencies or whatnot?

00:21:07
Is it, once you're in and cleared sort of thing, you're

00:21:11
able to go where you need to go, or does not everyone get that

00:21:16
opportunity?

00:21:17
Speaker 2: Most don't.

00:21:17
Again, I was extraordinarily lucky on the things we were

00:21:21
doing and things that are working on, and so I was, you

00:21:27
know, afforded the opportunity and you know when the agencies

00:21:30
need your help they're willing to move mountains so that things

00:21:33
are easy for you to do the things.

00:21:34
But if they don't need your help or they don't want it maybe

00:21:41
they need it but they don't want it they make it

00:21:43
extraordinarily difficult and thankfully I never ran into any

00:21:46
of those hurdles and so, yeah, I just it was just looking back

00:21:53
at the three years is like the closest thing to a nerd can be

00:21:56
to like James Bondi than that I could ever imagine.

00:21:59
It was just, it was just cool.

00:22:02
You know, I'd go two, three months and be like, okay, I've

00:22:05
seen everything, and then my brain would explode at some cool

00:22:09
new shit that I saw and that just happened consistently until

00:22:12
I left.

00:22:13
So really cool.

00:22:14
But again, I got super lucky Because there's a lot of really

00:22:20
boring shit.

00:22:20
You get the NSA and at every agency.

00:22:24
Speaker 1: Yeah, I had a friend that told me that you know, once

00:22:28
you get in and you get read into different things like, your

00:22:31
mind will just blow up with like, oh, I can't believe that

00:22:35
we can do this, that we have this capability or whatnot, and

00:22:38
then they're going to sit you at a desk at a cube and they're

00:22:41
going to give you the most basic thing to work on.

00:22:42
You're going to feel so over qualified for your job and

00:22:46
whatnot.

00:22:46
It was just like it's a really interesting, like start contrast

00:22:50
.

00:22:50
You know from what you would think going into it.

00:22:53
But so when you're, when you're at the agency, you know,

00:22:57
towards the end of your tenure there are you thinking, oh, I

00:23:02
want to go into the startup world.

00:23:03
I want to go, you know, I don't know, work for Cisco or

00:23:06
something like that.

00:23:07
Because you have that specialty , you'd probably be worth your

00:23:10
weight in gold, you know, to Cisco.

00:23:14
I would think at least.

00:23:14
What were you thinking?

00:23:16
Maybe what spurred the thought to you know, make that jump.

00:23:21
Speaker 2: I wasn't really I had met a friend, or I had met a

00:23:28
guy through Mutual Friend at you know, a barbecue home, their

00:23:31
barbecue every year.

00:23:32
We got like big data centers based out here in Ashburn DC

00:23:36
area and a friend of ours throws a barbecue.

00:23:39
And so, you know, I got to invite, and you know, and met

00:23:44
this dude who at the time was an expert in software, defined

00:23:48
networking, openflow, and one of the few at the time before you

00:23:53
know, obviously OpenFlow is dead .

00:23:54
And so, you know, I wanted to push the envelope, continue

00:23:58
pushing the envelope at the agency.

00:24:00
And I said, after a couple of weeks of meeting him, I reached

00:24:04
out and said hey, how do you get people to buy into this SDN,

00:24:08
openflow bullshit.

00:24:09
And he goes why don't you just come do it for me at the startup

00:24:12
and I'll double your salary?

00:24:13
And I was like so, so, like there's no, like, no, no

00:24:19
intention.

00:24:19
I wanted to continue pushing at the agency.

00:24:24
And, yeah, working at the agency , living in DC with you know the

00:24:32
hour, commute, blah, blah, blah , all that kind of crap.

00:24:34
I was just like I can tangibly increase the way that I'm living

00:24:38
right now and from you know what I would have sold like

00:24:43
there are no roadblocks, you just do all the things.

00:24:45
And at the beginning, once I transitioned to my first startup

00:24:52
, it certainly was that it was cool and it was the first time

00:24:56
not to sound like an asshole, but it was the first time that I

00:24:59
was surrounded by people where I was like, oh shit, I'm the

00:25:04
dummy in the group, like I'm the idiot, and it was the best

00:25:07
feeling in the world.

00:25:07
I was like, oh, like this is this is fucking awesome.

00:25:10
And so, yeah, it was an amazing .

00:25:14
It was just there for like two years, but that original

00:25:21
infrastructure team that I was on was just a group of absolute

00:25:25
badasses.

00:25:27
Speaker 1: Yeah, that's.

00:25:28
You know what you bring up with the.

00:25:31
You know the money side of it right Now, where I'm at with my

00:25:37
career.

00:25:37
Yeah, I'd probably be a great resource for the agencies or

00:25:41
something like that, right, whatever you want to call it.

00:25:44
But the pay cut would be so substantial that I would

00:25:50
literally never be able to convince my wife to be like,

00:25:53
yeah, we're gonna move across the country.

00:25:55
We're gonna take a 50% pay cut and I'm gonna go do work that I

00:25:58
can't talk to you about for the next four years and then we're

00:26:02
gonna go do something else.

00:26:03
Right, Like that's an insane sell.

00:26:07
Speaker 2: Yeah, yeah, I mean it's a great.

00:26:10
Speaker 1: It's perfect when you're right out of like school,

00:26:12
you know when you're getting started.

00:26:14
It's absolutely perfect, but anything beyond is just unduable

00:26:19
.

00:26:20
Speaker 2: Yeah, and we I say we .

00:26:22
The US government has a really, I think, shitty outlook on this

00:26:25
thing.

00:26:25
Like you get trained whatever two, three, four years, you

00:26:29
become well versed in this thing , doing only certain things

00:26:32
people can, and then they bounce because they can make more

00:26:36
money and there's no resources outside of this.

00:26:38
Where I think, where I think, or a country that I think does

00:26:44
really well with this, is Israel .

00:26:46
Israel has this, you know, obviously this elite cyber force

00:26:48
, blah, blah, blah, and it's specifically built because

00:26:52
they're only conscripted for two years.

00:26:53
It's specifically built to get them as smart as they can

00:26:57
possibly be, and then when they get shit out of the military,

00:27:02
they have all these entrepreneurial resources and

00:27:06
the government helps them fundraise and all these kinds of

00:27:08
things.

00:27:09
And so, as a result, Israel's startup market, especially in

00:27:13
cyber, like it's really the only competitor, at least in the

00:27:17
cyber startup landscape in the world at least I'm concerned

00:27:21
about with like patent infringement, that kind of shit,

00:27:23
but just an amazing, amazing program.

00:27:30
And if the US government had this similar kind of program

00:27:34
with computer science and cyber and all this thing, like it

00:27:39
would drive, I think, innovation in the US even harder than it

00:27:45
already is.

00:27:48
Speaker 1: Yeah, that's a really good point.

00:27:49
You know, I actually I have on quite a few people from you know

00:27:54
Israel that have founded companies and every single one

00:27:57
of them have the same story.

00:27:58
Like I did this really cool thing for Israel's military, the

00:28:03
IDF, whatever it might be right , and now we're starting this

00:28:08
really cool company of doing this legacy thing like I don't

00:28:14
know vulnerability management or application security, whatever

00:28:17
it might be.

00:28:18
We're doing it differently than what everyone else is doing.

00:28:21
They've learned those skills over there.

00:28:24
They've learned those skills you know from their government

00:28:28
teaching them.

00:28:28
That's really interesting.

00:28:30
What you said that they even help them get funding right,

00:28:36
like that's like so abnormal right From anything that you

00:28:40
would hear about in America because, from what I understand,

00:28:44
once you're out you're out it's like you're dead to them.

00:28:48
They don't know you anymore.

00:28:50
You know it's like they don't want to deal with you.

00:28:53
Speaker 2: It depends on how valuable your knowledge is.

00:28:55
Speaker 1: But yeah, in general, yes, that's good, yeah, you

00:28:58
know like you really get cut off and so like that avenue of

00:29:04
still progressing and pushing forward in those areas are, I

00:29:09
guess, that kind of limited?

00:29:10
Was that your experience too, or maybe not so much?

00:29:16
Speaker 2: I mean I never had the.

00:29:18
I mean I kind of like dashed out the door there, right, and I

00:29:21
never looked back, and so I don't really have any.

00:29:25
Now I know, if I call you, know anyone that's still there, or

00:29:29
even those that have contacts to those that are still there,

00:29:32
like I could get through the process again in a heartbeat.

00:29:35
I know that, no doubt, and so I think that there's like, I

00:29:41
think there's again the skill set is really important.

00:29:43
How you left is really important, like I didn't leave

00:29:45
on bad terms, I just left because the opportunity was

00:29:49
greater on the outside, and so, yeah, I think that the

00:29:54
government could do more.

00:30:01
Our government could do more to entice on entrepreneurship and

00:30:05
that kind of stuff, especially in these kinds of programs,

00:30:08
especially coming out of the military right, like there's

00:30:12
stuff that the cyber operators in the armed forces of the US

00:30:15
can do that civilians just can't , based on our laws, and so

00:30:20
there's some really cool shit, and this is exactly what these

00:30:25
really military cyber operators are doing is they're learning

00:30:29
all these really cool tactics and they're taking the ones that

00:30:32
aren't national secrets and applying them to defense

00:30:35
mechanisms in these new vendors, or even I mean, they're all

00:30:39
defense mechanisms right, but taking potentially interesting

00:30:44
attack vectors or attack operations and morphing them

00:30:49
into more of a blue team type of so yeah, I think I like I have

00:30:54
nothing bad to say about my time at the agency other than they

00:30:59
could have paid me more.

00:31:01
But shit, anywhere you go, like that's kind of the sentiment I'd

00:31:04
be, like I don't know anybody that's like, oh yeah, like I'm

00:31:07
cool with this If you don't have to give me more money.

00:31:09
I think everyone would take a pay increase, regardless of what

00:31:12
they make.

00:31:13
Speaker 1: Right, right.

00:31:14
You're never going to, you're never going to turn that down.

00:31:16
I mean, most of us have significant others that'll,

00:31:19
that'll shoot us if we don't, if we don't take that.

00:31:22
Speaker 2: Right there, or or just my, my nagging desire to

00:31:28
buy more wine.

00:31:31
Speaker 1: Yeah, that's a rabbit hole that we could go down for

00:31:33
easily another hour.

00:31:34
You know I fairly recently, in the last couple of years, I

00:31:38
started going down the whiskey rabbit hole, oh yeah, where you

00:31:42
know.

00:31:42
Now I'm at the point where the whiskies that I want you can't

00:31:47
find it, you know, in the States , because it's made.

00:31:51
It's made here but it's sold at other countries to Japan.

00:31:55
So it's like OK, I have to go register for this auction and

00:31:59
get for it, and you know it's a rabbit hole that that I mean.

00:32:05
I guess I'm overall happy I went down.

00:32:08
I'm sure my wife isn't, you're right.

00:32:13
Speaker 2: So you're admitting that you're a tater.

00:32:16
Speaker 1: I mean, I guess.

00:32:22
Speaker 2: Yeah, I couldn't.

00:32:23
I couldn't deal with with the tatering for the, the

00:32:27
listenership that doesn't tater.

00:32:28
Is this, these, those that chase these, these super

00:32:32
sensationalized bottles of whiskey?

00:32:34
But what I found is that if you join there's there's a bunch of

00:32:39
like private barrel programs.

00:32:40
One of my favorites is our, our bourbon on Reddit, and they

00:32:46
have fantastic bottles.

00:32:47
It's run.

00:32:48
Can you remember this dude's name?

00:32:50
But his handle is J8KE.

00:32:52
I assume it's pronounced Jake, that's how I read it every time

00:32:56
I get an email from him.

00:32:57
But it's a fantastic program and I've gotten amazing bottles

00:33:01
from it.

00:33:01
Whistle pig, penelope barrel but yeah, I can talk about

00:33:07
whiskey forever.

00:33:08
Tequila wine.

00:33:09
I'm just, I suppose, like an alcoholic is part of part of the

00:33:14
, the nature of being an IT and cyber, I think.

00:33:18
Speaker 1: Drinking coffee is real.

00:33:19
Yeah, it's.

00:33:21
I mean, at a lot of places it's even like encouraged.

00:33:24
You know, like I remember my first big role.

00:33:29
I was working, you know, at a credit bureau and the director,

00:33:35
you know, once or twice a week, would invite everyone to go to

00:33:39
the bar with him and he would pay for everything.

00:33:42
Whatever you want to get, just go get it.

00:33:44
You know, yeah, and it's like man, this is, I mean, this is a

00:33:47
lot of fun, but what's the lasting impact?

00:33:52
Because, you know, now I'm expected to show up tomorrow on

00:33:55
time, which I always did.

00:33:57
But man, it's a different ball game when you've been out all

00:34:00
night drinking with your director and you know handling

00:34:03
it like that.

00:34:04
Speaker 2: But the other thing is like you're expected to go

00:34:07
right.

00:34:08
If not, then you're seeing, you know, be made a pro and all

00:34:11
this kind of thing.

00:34:11
And so what I?

00:34:11
What I felt, like what we tried to do at Track and what you

00:34:15
know I've granted, our team is small and I think we do that

00:34:17
fairly successfully is, you know , we do, we do team things that

00:34:21
are fairly inclusive, especially for those that don't drink, and

00:34:24
I'm I'm very happy that this kind of mocktail culture has

00:34:30
started to make its way into mainstream.

00:34:33
And I don't think we've been.

00:34:33
You know, I fly the team out to a city every every six months

00:34:39
so we can do in person things because we're completely remote,

00:34:41
but I don't think we've been to a place that doesn't have

00:34:44
mocktails, and so even even we're going to New Orleans in a

00:34:48
couple of weeks for our end of year planning sessions and look

00:34:50
back, and every place we go to, even even in the drinking

00:34:54
culture that is New Orleans, there are mocktails for the team

00:34:58
members that don't drink.

00:34:59
So it's it.

00:35:03
There are plenty of plenty of opportunities.

00:35:05
Where I can, I can see organizations that don't have

00:35:07
these kinds of inclusive events, and so, yeah, we try to be

00:35:16
mindful about that at Track and I, you know, implore everybody

00:35:20
to.

00:35:21
Speaker 1: Yeah, absolutely so, you know, let's let's talk about

00:35:26
what it's like, I guess, founding the startup and going

00:35:30
through that whole process.

00:35:32
You know, I have a friend that I worked for earlier on in my

00:35:35
career.

00:35:36
Now he's a CEO of a company and he said the the biggest

00:35:41
difference between, you know, his last role, that I that I

00:35:44
knew him from in his current role, is that if there's

00:35:47
something wrong with the company , something wrong with the

00:35:49
culture, whatever it might be, he used to be able to just point

00:35:54
the finger, you know, at the CEO, be like hey, it's that

00:35:59
guy's the problem.

00:36:00
You know, he has to do something, I can't do anything.

00:36:03
But now he's like no, the finger, like I can't point it at

00:36:07
my board, it's me, you know, I'm the one where, if I wake up

00:36:11
one day and I make a bad decision, you know I'm the one

00:36:15
that has to correct that.

00:36:16
You know, it's no one else's job to do that.

00:36:18
So can we just talk a little bit about that change, because I

00:36:23
would think that that that change, that switch and

00:36:27
mentality, you know, didn't happen overnight.

00:36:29
But can we talk about how you, you know, went down this path of

00:36:33
being a founder of a startup and you know what you're doing

00:36:36
and whatnot.

00:36:38
Speaker 2: Yeah, I think the mentality of ownership,

00:36:40
regardless of the scenario, happened far before I became a

00:36:45
founder, and I think that if it hadn't, I would have certainly

00:36:47
failed.

00:36:48
I I'm certainly not a natural empath and anyone that knows me,

00:36:55
even for you, know 10 minutes or so.

00:36:57
We'll tell you that this, that they concur, and so I've spent a

00:37:00
lot of time putting a lot of effort into being good at being

00:37:06
human, is what I call it, and and one of the books that that I

00:37:12
read, that change that had the.

00:37:14
It certainly had the largest impact, and I, you know, I read

00:37:16
it at least once a year is called Leadership and Self

00:37:19
Deception by the Arbanger Institute, and it's absolutely

00:37:22
fantastic.

00:37:22
Essentially, the plot is that, or the focus of the book is that

00:37:25
you should be treating people like people that have wants and

00:37:31
feelings just like yours, as opposed to objects and hurdles

00:37:34
that need to be bulldozed in order to achieve your goals.

00:37:38
And, of course, I'm butchering it and I implore you also read

00:37:42
it.

00:37:42
It's only 400 pages, is a very quick read and it's written as

00:37:48
fiction, so it's really interesting.

00:37:49
So so, yeah, I think that your, your friend, is spot on.

00:37:55
There's if anything goes wrong in the company is my fault and I

00:37:58
truly believe that it's not just, you know, just conjecture

00:38:03
and lip service.

00:38:05
I think I believe that my team would, would echo that and and.

00:38:11
But I think you truly have to believe this thing, otherwise it

00:38:14
is just lip service and you, you foster this culture of of

00:38:17
hate and discontent and all these kinds of things.

00:38:22
And so founding founding tract was you know what my last start?

00:38:27
I've got acquired.

00:38:28
A last start I worked at was my startup got acquired by a large

00:38:33
security company.

00:38:34
And because you know this problem, that we're solving a

00:38:36
track, that I've been dealing with it for over a decade and

00:38:39
finally I just like the reason I started track was rage.

00:38:41
I was like this this problem is so inordinately difficult and

00:38:43
frustrating and disruptive that, like I just have to, I just

00:38:49
have to solve it like it's solvable, I just have to solve

00:38:56
it and never look back like that .

00:39:00
This I tell people that this is the best job I've ever had and

00:39:04
the day, if ever, the day, I was in the, the day, if ever the

00:39:12
day comes that I have to, that I'm not tracked anymore and I

00:39:17
have to get a real job.

00:39:18
I call it a real job because then you have like things, like

00:39:21
people that you have to answer to Bullshit, that you like it's

00:39:25
not your baby anymore.

00:39:26
That that's what really keeps me driving forward right.

00:39:31
Like one, I never want a real job again.

00:39:33
And two, like the team that we have is just the absolute best

00:39:38
team I've ever worked with.

00:39:39
And and, yeah, I get to be the dumb guy again, which is, which

00:39:43
is fantastic.

00:39:44
So, yeah, I there are a handful of these, these like CEO

00:39:51
founder Groups that you go to in this, I'll describe a founder

00:39:55
being a founder in one word, and I'll be was a responsibility

00:39:58
and or a couple words right, responsibility and leadership

00:40:03
and all this kind of bullshit.

00:40:04
And when, when it came to me, I was just like it's fucking

00:40:06
awesome, that's job ever like, just fucking awesome.

00:40:11
Speaker 1: Yeah, that's, um, it's, it's a, it's a different

00:40:15
kind of mentality, I guess.

00:40:17
Right, because if it's gonna succeed, it's on you and if it

00:40:21
fails it's on you and you know, for, from my perspective, right

00:40:25
and I've talked about this before Having a family and going

00:40:30
from a nine to five to doing your own thing is Maybe the most

00:40:35
like scary thing I could think of, right and and uh, because,

00:40:42
like you, there's no room for error, there's no room for

00:40:45
messing up or not working hard, not succeeding.

00:40:48
You know all those things Matter and they just don't.

00:40:52
They just don't randomly happen , right, they happen over years

00:40:58
of extremely hard work and dedication, and and always, you

00:41:03
know fine tuning, you know even the smallest things, so that

00:41:06
they, they come together and work correctly, right, so what,

00:41:11
what?

00:41:11
What's the solution, that that you have built currently, and

00:41:15
what's the problem that you're trying to solve with your

00:41:17
company?

00:41:18
Speaker 2: Yeah, great question.

00:41:19
Uh, so so what we found is that most people, when they're going

00:41:23
to fix their software vulnerabilities, are crossing

00:41:25
their fingers, hoping patches won't break their shit.

00:41:27
And so we built the platform that not only unifies

00:41:31
vulnerability management and patch management.

00:41:32
Essentially, this dichotomy that's been this false dichotomy

00:41:36
that's been perpetuated in the workplace, where security is

00:41:38
only does security things and it only does it Things, and they

00:41:41
throw each shit over the wall and under the bus and that's

00:41:43
kind of shit.

00:41:43
In addition to building this unified platform to do both, we

00:41:49
we also let you know how patches have broken other people's shit

00:41:52
before you apply it to yours.

00:41:54
Speaker 1: We do this for outsourcing.

00:41:55
Speaker 2: We're able to collect telemetry on how patches break,

00:41:57
break other systems or how they're, how they're affecting

00:42:00
Other systems as we install them , and then we anonymize and

00:42:02
share it with everybody else in real time.

00:42:03
So, come patch Tuesday or whatever, you can see, oh, four

00:42:07
people have applied this patch.

00:42:07
We haven't detected an issue that no one's reported.

00:42:10
One, oh four hundred, oh four thousand, oh, four million.

00:42:13
Right, we're not there yet, but that's the idea.

00:42:16
Is this, uh, you know, collective defense idea, which

00:42:20
Isn't, isn't?

00:42:21
Uh, obviously it's not new, right, this is a NATO term.

00:42:23
But also the first startup I worked at called ironet cyber

00:42:24
security, which unfortunately just declare bankruptcy, founded

00:42:30
by jennel key, philax, and or was was really this eye opener?

00:42:33
A fantastic idea of like you can't Like.

00:42:35
This is a cliche, cliche thing to say.

00:42:38
Like the, the defenders have to be right every time.

00:42:43
The bad guys only have to be right once and it's it's.

00:42:44
It's not reasonable to expect One company to defend against

00:42:49
all the things and I need to argue like one particular tool

00:42:56
Used by everybody sharing all this intelligence.

00:42:57
Still not reasonable to expect everybody to be right 100% of

00:43:01
the time, but it's as close as we can get to to Perfection, and

00:43:07
that's, you know, crowd sourcing, data working together,

00:43:10
blah, blah, blah.

00:43:14
And and I think the best, best, what's the word I'm looking for?

00:43:22
Example of how this works or or how it's been useful is General

00:43:30
McChrystal's book called team of teams.

00:43:32
What an amazing.

00:43:34
Essentially details how jsoc was created, I believe, for the

00:43:38
the war event war, the war event war in Afghanistan, getting the

00:43:42
intelligence communities to cooperate, so so we could

00:43:45
actually make a progress there.

00:43:47
An absolute killer of a book, really really well written and

00:43:54
just super interesting, both both from a behavioral science

00:43:57
standpoint, but also like if you're interested in how the

00:44:00
agency is the military, these kinds of things work.

00:44:02
It's really, really cool.

00:44:04
Speaker 1: Oh, wow, I'll have to definitely pick up that book.

00:44:06
I've, uh, I took like a few months hiatus from From reading

00:44:12
books and then we're listening to audiobooks, right like the

00:44:16
the first like six months of the year.

00:44:18
I Just like steamrolled through my book list and now I'm just

00:44:23
like burnt out on books.

00:44:24
But yeah, I'm slowly, you know, ramping back up and looking for

00:44:28
that right book.

00:44:29
So I'll definitely check out those that team of teams book

00:44:32
that you mentioned.

00:44:33
Speaker 2: Yeah, I get it, I, um .

00:44:35
So I, I haven't read anything.

00:44:37
Non, I haven't read anything for for work outside of like

00:44:41
real worship, but for books In in a long time.

00:44:45
I, you know, I, you know, I complain.

00:44:47
I fly all the time, I'm on united all the time and I

00:44:49
complain About wi-fi not being available, but every time it

00:44:52
doesn't work, especially when I'm on a, you know,

00:44:55
coast-to-coast flight across the us, I, I silently cheer because

00:44:59
I can actually read.

00:45:00
Uh, and I've, you know, been reading fan fantasy novels.

00:45:03
Is this kind of way for me to want?

00:45:05
I just love fantasy, but it's a great way to just kind of like

00:45:08
decompress and Recharge.

00:45:11
And so, yeah, I haven't, really I haven't read a business book

00:45:14
or like a how to be, like how to be good at being human book,

00:45:17
and in a long time it's all about, you know, shooting

00:45:20
fireballs out of fingers and dragons and all that kind of

00:45:23
shit.

00:45:23
So, yeah, I, but I, but I get it.

00:45:26
It if you, if you don't pace yourself, it's hard, it's hard,

00:45:30
it's a lot of, you know, reading these kinds of books is

00:45:33
draining, but, um, sometimes at the same time, really exciting.

00:45:37
Speaker 1: Yeah, yeah, that's uh , that's a good way of putting

00:45:41
it.

00:45:41
It can be really draining and exciting all at the same time, I

00:45:44
guess.

00:45:45
Um, so, with with what you're doing right now, that's really

00:45:51
interesting.

00:45:51
I wonder if there's a way for you to somehow plug into, you

00:45:57
know, like the, the error feeds of different systems, whether or

00:46:01
not someone's a you know a customer of yours, right, like,

00:46:05
let's say, someone you know deploys a patch on patch Tuesday

00:46:08
for Microsoft, and you just see the error report like, oh,

00:46:11
someone you know had an issue with this thing, right, um, is

00:46:16
there, is there an avenue for that?

00:46:18
Is there a way that you're, you know, potentially exploring,

00:46:23
gaining new intelligence or you know stats around those sorts of

00:46:27
things, or is it?

00:46:29
Is it strictly you know, more open source or through your own

00:46:33
customer base?

00:46:34
I guess?

00:46:35
Speaker 2: Yeah, right now it's just through our customer base,

00:46:36
and we're looking to build this, this open community, uh, to

00:46:40
help operators understand, like, essentially, what we call, what

00:46:43
I call operational risk.

00:46:45
Right, like I, you know, I'll set this, I say this all the

00:46:47
time.

00:46:47
It's like security is not free, and I'm not talking about cash,

00:46:50
right, there's operational risk associated with implementing

00:46:53
security controls and, at at best, the security people are

00:46:57
just ignorant to it.

00:46:57
At worst, they're, they just don't care and and so you know,

00:47:03
today, the way that we, we operators, reason about, like,

00:47:06
is this patch going to break my shit?

00:47:08
As we go on the red day, we go to twitter, we, you know, go

00:47:10
down these websites, um, and and pray, and so what we, what

00:47:17
we've built, attract is is this idea that you can see how many

00:47:21
people have installed this thing , how many, how, what's the

00:47:24
percentage of failure rate globally across our install base

00:47:27
?

00:47:27
Um, we're working on a what I call similarity analytic, which

00:47:31
essentially shows, like, how close to how similar is your

00:47:34
shit to my shit?

00:47:34
And did it break that stuff?

00:47:36
And and over time, we want to, we want to build that and expand

00:47:41
that, uh, and so we have.

00:47:42
You know it, uh, uh, currently, the platform is entirely free,

00:47:47
um, but one of the things that's great about our platform is

00:47:49
that, uh, finding and fixing your vulnerabilities across all

00:47:52
of your operating systems.

00:47:53
We'll always be free, uh, and we support every major operating

00:47:56
system except for mac os.

00:47:57
Mac os will come live and into one of next year, um, but, but

00:48:01
it's.

00:48:01
It's why we've had so much success, I think, in our early

00:48:04
adoption, even though our product is is generally fairly

00:48:07
infantile and it's in its development stage.

00:48:09
We've been in market for about six months with our, with, um,

00:48:13
what we call a private beta, but it's, it's.

00:48:14
It's fairly uh, uh, it's certainly stable, but there's of

00:48:19
course, always improvements, um , but, but yeah, you can.

00:48:23
Anyone can log in, go, you know , trackcom, sign up.

00:48:26
All you need is a business email address and if you want to

00:48:30
use it on your personal lab, just reach out to me like a

00:48:32
trackcom and I can set you up an account.

00:48:34
Uh, uh, that gets past the, the business filter.

00:48:39
Speaker 1: Yeah, that is.

00:48:39
That's really fascinating because, you know, I literally

00:48:44
earlier today I got off a call of someone arguing with me that

00:48:50
all, all of our applications are so extremely unique that we

00:48:54
can't group these things together in configurations.

00:48:57
I'm like guys.

00:48:59
Doesn't make any sense Like that.

00:49:03
We're using open source libraries, right, like we might

00:49:07
be deploying them differently, but but we're not rewriting Java

00:49:11
.

00:49:11
Speaker 2: Yeah, unlikely, like people say this all the time is

00:49:14
like you may have one or two arbitrarily compiled uh

00:49:17
executables on your endpoint, but Over 99 of your, your system

00:49:21
is fucking Linux.

00:49:23
Right, it's rail, or it's maybe in, whatever is running a Linux

00:49:25
kernel, or it's just, or its windows, uh, but it's 99 the

00:49:30
same.

00:49:30
And so the the thing that you're afraid of, like now, if

00:49:35
you're like afraid of Upgrading from, like, java 5 to Java 9.

00:49:38
Okay, that's kind of scary, I'll give you that.

00:49:40
But but keeping up with minor updates, like we've, we've

00:49:44
deployed about 2000 patches now across all of our agent installs

00:49:48
and not a single one has caused a single disruption.

00:49:51
This includes five patch Tuesdays now, um, sorry, april,

00:49:57
may, june, july, august, seven, seven patch Tuesdays, and not a

00:50:03
single one has broken.

00:50:04
Now We've had some failures, um , and we've, you know, been able

00:50:07
to to deal with those, but failures that didn't, they

00:50:09
didn't cause any disruptions, uh , which is a big deal, um, and

00:50:14
so, you know, I, my, my, my mantra is you know, less than

00:50:18
two percent of patches Ever fail , and this is uh fueled by an

00:50:23
independent study, um, our private study, and but but

00:50:28
people aren't really going to play restaurant, let with their

00:50:31
um with their critical infrastructure.

00:50:32
But, um, even when it does cause failures, uh, the the reduction

00:50:39
in cyber risk, even doing so blindly, is far greater than the

00:50:44
operational risk.

00:50:45
But at the end of the day, operators, you're asking them to

00:50:50
risk impacting their lives, right?

00:50:51
Maybe they got a Tinder date or a daughter's recital or a

00:50:54
dinner, you know?

00:50:55
Whatever the hell they have, book club, whatever it is, like

00:50:58
a wine tasting, for example.

00:50:59
Like, if you're going to patch today or patch next week because

00:51:04
your life's potentially going to be impacted, like I'm pushing

00:51:07
, I'm not, I'm not board of directors, I'm not the CEO to

00:51:10
your, to your earlier point, right?

00:51:11
Like I'll get paid to worry about that shit.

00:51:13
I got my life to live and so that's what we're trying to

00:51:17
solve for is, you know, giving people confidence and being able

00:51:20
to quantify what, what their fear actually is in these things

00:51:26
and and declare what safety is in a certain, in a handful of

00:51:31
types of thresholds, so that they can actually auto patch,

00:51:33
but in a way that's safe and compliant with their

00:51:37
organization but, most importantly, the operators'

00:51:38
lives.

00:51:39
Speaker 1: Hmm, yeah, that that definitely really hits home.

00:51:43
When I was working out of another company many years ago,

00:51:48
when I lost all my hair, you know if we, if we, had to deploy

00:51:54
a patch on a certain system, it was like, okay, you know, let

00:52:00
me cancel plans for the weekend.

00:52:02
Yep, you know who's on call, make sure that the right

00:52:05
person's on call Like there was so much worry and that would be

00:52:10
all that I would think about for two or three weeks.

00:52:12
Yep, you know, and it sounds dumb, but these updates would

00:52:17
break our system in so many different, seemingly random ways

00:52:21
and the vendor would never tell us if there was other reports

00:52:25
of this issue.

00:52:25
Yeah, and there was other issues in other customers.

00:52:29
It's like, guys, if I need to deploy a hot fix after I deploy

00:52:32
this update, just tell me.

00:52:34
I'm more than happy to deploy it because I don't want any

00:52:37
issues.

00:52:38
You know, at 2am, 3am, waking me up, that's what I'm going to

00:52:42
be mad, you know.

00:52:43
And of course they would never tell me and of course it would

00:52:47
always happen, like almost every single time.

00:52:49
That was the most, that was the most painful thing you could

00:52:52
ever go through as an engineer, as an operator, you know, going

00:52:55
through this yeah, now, don't get me wrong in the early 2000s

00:52:59
and late 90s, like shiprock all the time.

00:53:02
Speaker 2: And so this is where all that fear is steeped in, and

00:53:04
what's really interesting and this kind of goes into my

00:53:07
interest in human behaviors is that it's non-generational

00:53:12
meaning.

00:53:13
Old folks like you and me have taught Gen Z to be afraid of

00:53:17
patching even though, empirically, the likelihood of

00:53:20
an issue coming up is almost zero, and so it's really really

00:53:24
interesting to understand.

00:53:25
And you know, one of the cool things, one of the things that I

00:53:29
just enjoy doing, is, you know, getting people to change

00:53:34
behavior, which is inordinately difficult, but doing so in a way

00:53:38
that's comfortable enough for them that they're even willing

00:53:40
to try it at all.

00:53:44
Speaker 1: Well, mike, you know, I think we're unfortunately

00:53:48
running out of time here.

00:53:49
I feel like we could go for another hour or two, especially

00:53:52
in the bourbon.

00:53:53
Yeah, absolutely.

00:53:54
Maybe we'll do a part two to this episode.

00:53:57
I think that'll be fun, but we have to have bourbon.

00:53:59
You know something like that.

00:54:01
But you know, before I let you go, how about you tell my

00:54:04
audience, you know where they could find you, where they could

00:54:07
find your company, if they wanted to learn more information

00:54:10
and, you know, maybe sign up, for you know getting their hands

00:54:13
on the solution?

00:54:14
Speaker 2: Yeah, absolutely, you can reach out support at

00:54:16
trackcom and it's spelled T-R-A-C-K-D for your Unix and

00:54:21
Unix nerds it's track D.

00:54:22
For those that are not Unix nerds it's just tracked.

00:54:24
But, mike at trackcom, trackcom slash, sign up whatever you

00:54:29
guys want, linkedin, mike Starr on LinkedIn and the Baldwin that

00:54:33
shows up.

00:54:34
And, yeah, happy to have a conversation either about tract

00:54:38
or anything in general, cyber, computer science, behavioral

00:54:43
things and like how humans behave, wine, whatever it is.

00:54:47
But I'll be warned I can talk at nauseam, so awesome.

00:54:53
Speaker 1: Well, thanks, Mike.

00:54:53
I really appreciate you coming on and I appreciate everyone

00:54:57
listening to this episode.

00:54:58
I hope you enjoyed it.

00:55:00
Speaker 2: Awesome.

00:55:00
Thanks, joe, for having me Appreciate you.

00:55:02
Speaker 1: Absolutely, that was awesome.

00:55:04
Thank you very much.