In this episode, we dive into the fascinating story of Grant Borzikas, the CISO of Cloudflare. From his passion for baseball and a brief stint in accounting to becoming a prominent figure in IT, Grant's journey is anything but typical. Listen as he recounts how his father's influence and his own relentless curiosity led him into the tech world.
Grant shares his early experiences balancing financial auditing and computer risk management roles at Arthur Andersen, highlighting the challenges he faced and how he overcame imposter syndrome through continuous learning. His insights and personal anecdotes offer valuable lessons for anyone navigating their career path.
We discuss the importance of continuous learning for IT professionals, covering key areas such as understanding personal learning styles, asking fundamental questions, and securing certifications. Grant emphasizes building a strong foundation in technical areas like Linux, networking, and DNS, and staying ahead in rapidly evolving fields like AI and machine learning. Discover how tackling challenging subjects and maintaining curiosity can significantly enhance your career, keeping you relevant and effective in the fast-paced tech industry.
The episode also explores the future of AI in cybersecurity, addressing both the promising advancements and the sophisticated threats posed by AI-driven attacks. Learn about the crucial role of data and intelligence in strengthening network security practices and the innovative approaches of companies like Cloudflare. Grant discusses the accessibility of Cloudflare's services, from creating accounts and developing websites to utilizing security solutions with ease.
Packed with insights and practical tips, this episode is a must-listen for anyone interested in IT, cybersecurity, and the relentless pursuit of knowledge. Join us as we uncover the remarkable journey of Grant Borzikas and his contributions to the tech industry.
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going?
00:00:01
Grant, it's great to finally get you on the podcast.
00:00:04
We've been planning this thing for a while and you know I'm
00:00:07
really excited for our conversation today.
00:00:08
Thanks for having me, joe.
00:00:10
Speaker 2: It's great to be here , so I've been looking forward
00:00:13
to this.
00:00:14
Speaker 1: Yeah, absolutely so, grant.
00:00:16
You know why don't you take me back to when you started, you
00:00:19
know, or when you started to kind of think maybe IT is for me
00:00:23
.
00:00:23
You know what made you start to think that way, what made you
00:00:27
start to go down the IT path.
00:00:29
Speaker 2: It's a good question and funny one.
00:00:32
So I grew up playing baseball.
00:00:35
I was kind of a jock playing baseball on a baseball
00:00:38
scholarship and when I decided I kind of got burned out.
00:00:40
I didn't really know what I wanted to do.
00:00:43
So the one thing I realized is you should always listen to your
00:00:46
mother.
00:00:46
And so my mother said I should be an accountant.
00:00:48
You know, I said, well, that seems like a good career, not
00:00:53
what I'm doing today.
00:00:53
Right, and so I kind of started to pursue this accounting thing
00:00:58
.
00:00:58
You know, early in life my dad was a teacher and he, you know,
00:01:03
he was kind of kind of the.
00:01:04
You know, in the early to mid 80s it was the teacher who
00:01:07
supported the school systems or computers, and so every summer
00:01:10
he'd bring on his computer.
00:01:11
So I was always interested in, so I've always had a hobby in
00:01:13
this.
00:01:13
Now what's interesting is, going back to the college thing
00:01:17
is, you know, I did, I wanted to be an accountant and about
00:01:20
halfway through my accounting curriculum I decided it was
00:01:23
terrible.
00:01:24
This is the most worst thing I could ever do and realized that
00:01:28
I wasn't really good at it either.
00:01:30
If you've never had to do a T-account and figure out your
00:01:34
debits and credits.
00:01:35
You know it's not super exciting.
00:01:38
And so I kind of went back to the roots and started.
00:01:41
Like you know, I'm going to go see if I can get my, you know,
00:01:44
computer science degree and sort of taking C++ and you know,
00:01:47
some database courses.
00:01:48
Now maybe this was the late nineties and, you know, decided
00:01:52
that that was for me.
00:01:53
But I was too late, you know kind of in my curriculum.
00:01:56
So I finished out my accounting degree, um, and then I joined
00:02:01
Arthur Anderson, um, kind of their audit practice, audit
00:02:05
practice, but they actually did.
00:02:06
A really good thing for me is they were taking advantage of me
00:02:12
either way.
00:02:13
So I worked busy season with the financial auditors, you know
00:02:15
, using kind of my CPA and my credentials, and then during the
00:02:19
kind of off season for the financial auditors, I worked the
00:02:22
busy season for the technology people.
00:02:24
When I joined Arthur Anderson I had two jobs and that was they
00:02:27
even called it computer risk management, which I always think
00:02:30
is kind of funny.
00:02:31
You know it needs to be a little bit, but that was how I
00:02:34
kind of got into it and I've always felt, you know, I think
00:02:39
every technology person feels a little inadequate of their
00:02:41
technology skills, especially, you know somebody who has a GPA,
00:02:46
and so I just learned and learned and learned and learned
00:02:48
and read every book I could possibly find, you know, when
00:02:51
Borders and Barnes and Nobles have the stores.
00:02:53
Every weekend, after I would travel on a project, I would
00:02:56
come home, get a new book and read it the week, and I would do
00:02:59
that over and over and over and over.
00:03:01
And that's how I kind of got into doing security, you know,
00:03:06
25 years ago.
00:03:09
Speaker 1: Yeah, it's fascinating.
00:03:11
You know you pretty much answered what would have been my
00:03:15
next question.
00:03:15
Right, is the imposter syndrome part of it?
00:03:17
And you know you bring up reading books, right, and going
00:03:21
through them just to learn more and learn as much as you can.
00:03:24
And I remember, you know, one of the very first jobs I had out
00:03:27
of college I was working with federal agencies and I mean, you
00:03:34
know they, they just they put you in the most difficult
00:03:36
situations possible when you're on site, you know with with the
00:03:37
most intimidating people possible.
00:03:39
You know you're talking about like someone that like you want,
00:03:43
want to, you want to enable SELinux.
00:03:45
Oh well, we have the guy that wrote SELinux down the hall, you
00:03:49
know.
00:03:49
And so, like you can debate different topics and things like
00:03:52
that, Right.
00:03:53
And I just remember, you know, for going on site, that that
00:03:57
very first day I felt so inadequate, Right.
00:03:59
So like I shouldn't be here, what, what the hell am I doing?
00:04:04
I'm just going to catch an early flight home.
00:04:05
This isn't for me.
00:04:07
I'll change careers.
00:04:08
And I sucked it up and I went and got a book.
00:04:10
You know, I think it was like the Linux Bible or whatever.
00:04:13
It was.
00:04:13
Right, it started going through it and you know, my first trip
00:04:16
was pretty rough.
00:04:17
My second trip was a little rough, a little bit better.
00:04:21
Still some room for improvement and it got better the more I
00:04:24
did it.
00:04:25
And it's interesting that you bring that up because I feel
00:04:29
like most people nowadays most people coming out of college, I
00:04:33
guess that are trying to get into these roles, they're more
00:04:37
focused on knowing everything right, Going into it.
00:04:40
And it sounds like you and I relate on this.
00:04:43
I mean, we know, we knew maybe what 10, 20 percent of what we
00:04:48
actually had to know to get in, and it's like someone gives you
00:04:52
a break, right, and it's like, okay, we'll take a risk on you.
00:04:55
You know with this and you take it and you grow with it yeah, I
00:05:00
would agree.
00:05:01
Speaker 2: Uh, it's like just inin-time knowledge.
00:05:03
One of my favorite stories I haven't thought about this in a
00:05:05
long time was I think I was 22, and they asked me to do an AS400
00:05:11
audit.
00:05:11
And I'm like what's an AS400, right?
00:05:13
So they're like that's not something you learn in college.
00:05:17
So I read the book, I read all the IBM manuals and did all this
00:05:21
stuff and did this audit on them.
00:05:23
And in the middle of me reporting out this audit, I get
00:05:26
Holden.
00:05:27
This was going to be right.
00:05:28
His name was Fletcher.
00:05:29
Fletcher looks at me and goes son, how old are you?
00:05:32
I'm like, oh no, this is going to be a terrible like 22.
00:05:36
He goes like shit, man, I've been on IT longer than you've
00:05:39
been alive.
00:05:40
What are you going to tell me that I don't already know?
00:05:41
And I'm like no, that's.
00:05:43
And I just looked down on the side.
00:05:46
I'm like, no, I appreciate it, sir, but I think I'm right here
00:05:50
and you have to stick to your ground.
00:05:51
It was one of those things that it was one that you had to be
00:05:55
prepared for, everything you did .
00:05:56
But I didn't know anything about the US at that point, or
00:06:00
web applications weren't even out back then.
00:06:02
And so to your point.
00:06:03
The imposter syndrome is real.
00:06:05
You can't know everything that there is to know.
00:06:09
I think, now that I've done this for a long time, same thing
00:06:11
with you.
00:06:12
You can ask the right questions , but there's always going to be
00:06:14
somebody that knows something more about something than you do
00:06:17
.
00:06:17
But you have to be able to put it together and I do think you
00:06:22
know I am still back.
00:06:26
How did I go from you know an accountant to learning
00:06:27
programming, to growing up with computers, to learning DNS?
00:06:31
Or you know, I got my MCSB.
00:06:34
Why did I make my MCSB?
00:06:35
I've never been in MCSB because it was a learning track, right,
00:06:39
I got an NTE in 2000 and I got my all my Cisco certifications
00:06:43
just because it was a learning track.
00:06:45
At some point it was read and then try to figure out a way to
00:06:50
learn All of these things that are very beneficial today.
00:06:55
I'm glad I did it now, because back then because it'd be a lot
00:06:59
harder.
00:07:00
But I think you always have this imposter syndrome of how do you
00:07:04
know these things?
00:07:04
Now, the things I know really well today, there's things I you
00:07:08
know amusably well.
00:07:09
There's things I can kind of guess at.
00:07:11
It's a little bit like the matrix.
00:07:12
If you do this a long time you kind of know that kind of
00:07:15
connects into this.
00:07:16
So you know this operating system is like that or this
00:07:19
operating system is like that.
00:07:20
You may say the wrong thing but in general it's not the same
00:07:23
thing.
00:07:23
But it is a tough, it's a steep market to get over.
00:07:36
Speaker 1: But once you kind of get to that peak, you know after
00:07:37
you know 10, 15 years, you have a pretty good idea of what's
00:07:38
wrong pretty quickly.
00:07:39
Yeah, that's a really good point.
00:07:40
You know, I always start everyone off with figuring out
00:07:44
how they learn.
00:07:44
You know, one of the one of the best benefits that I got in my
00:07:52
undergrad was just learning how I learned what made sense.
00:07:53
You know, for my brain, for me to consume as much information
00:07:56
as quickly as possible, right, and you know like to your point.
00:08:00
You know, asking the expert on site about the AS400, you know,
00:08:07
whatever solution it might be right.
00:08:09
But you know, when they're giving you the answers, you have
00:08:12
to not just sit there, at least for me, right?
00:08:15
I can't just sit there and just take it in, I need to.
00:08:18
You know, at a minimum, now that I've been in this thing for
00:08:22
10 years, right, I can at least think about the picture.
00:08:25
But in the beginning I had to draw out the picture, like, hey,
00:08:27
show me what this, what this looks like.
00:08:30
And it wasn't until I got the picture that I could actually
00:08:32
understand.
00:08:33
You know what was going on, and so it's.
00:08:35
It's critical for you know people getting started to ask
00:08:40
those questions that they're probably even nervous to ask,
00:08:43
right, because you're like to ask those questions that they're
00:08:46
probably even nervous to ask, right, because you're like,
00:08:50
probably feel like you're almost insulting the expert, right?
00:08:51
But at the same time, it's also very important to understand
00:08:53
how you learn best so that you can take that response and
00:08:56
really internalize it and move forward.
00:08:58
And you know what you were saying.
00:08:59
With the certifications, you know that's something that is, I
00:09:06
guess, hotly debated, you know, in security and IT overall,
00:09:10
right Is do I need certifications?
00:09:12
Can I get started without them?
00:09:14
You know, whatever it might be, and I always tell people the
00:09:16
certifications they solidify your knowledge, right?
00:09:20
So you can say I've worked in cloud security, aws is my
00:09:26
primary cloud.
00:09:27
You can say that that's fine.
00:09:29
But if you have the AWS security specialist
00:09:32
certification, where 5% of AWS employees have this
00:09:37
certification, it's not very well owned, I guess community
00:09:43
right, because it's such a difficult certification to get.
00:09:46
You're immediately you know you're, you're taking that
00:09:49
conversation from.
00:09:50
I understand AWS security to.
00:09:52
Oh yeah, no matter what we throw at this guy in our
00:09:55
environment, he's going to understand how to do it.
00:09:57
And you get that skill because you're able to at least with
00:10:01
these you know higher level, technical, technical certs.
00:10:03
You're able to dive into it at such a level to where it's like
00:10:08
no, I understand what I need to use a vpcm point versus a
00:10:12
bastion host.
00:10:12
You know, I know the benefits, I know the cons of it right, and
00:10:16
all these different ins and outs that you know pay dividends
00:10:20
in the long run did.
00:10:21
Did you think that as well when you were, maybe when you were
00:10:24
going through it, or even when you look back on it now and you
00:10:27
have that foundation?
00:10:29
Speaker 2: I think and I'll add one more I think I've always
00:10:31
thought about books, kind of certifications, and then, you
00:10:34
know, kind of professional education.
00:10:35
And so I think, for the certifications I didn't know
00:10:39
what to do.
00:10:39
Like, what should I learn?
00:10:41
Like you know, I see a lot of people come out of college I
00:10:45
want to be a pen tester.
00:10:46
What does that mean?
00:10:48
Like, what is a pen testing school?
00:10:50
Like, well, you need to know Linux, right, like, let me teach
00:10:53
you Linux, then you know Linux.
00:10:55
You know how networks work.
00:10:57
Can you know routers?
00:10:58
It's going to be real tough in those things.
00:11:01
And so I, you know, my thing was there'd be a topic that I
00:11:04
wanted to learn.
00:11:05
It would take something like DNS.
00:11:06
I didn't understand DNS.
00:11:07
I made a mind book Okay, well, that's super dry, but I read it.
00:11:12
Or you know a lot of the sort of occasions where I needed, I
00:11:15
wanted to learn and master an operating system or networking.
00:11:19
And so I kind of picked a topic and went through it and I think
00:11:22
that was was very beneficial.
00:11:24
And then it allowed me to say, oh well, you know they, you know
00:11:28
they talk about ipsec.
00:11:29
What is ipsec?
00:11:30
Well, ipsec, I think vpns, and what does a vpn work and then I
00:11:34
could kind of like start to focus on things.
00:11:37
Right, you know what's a firewall?
00:11:39
Do and go read a firewall book.
00:11:41
Right, and you know I've listened to many of your
00:11:43
podcasts and people talk about they got to start from firewalls
00:11:46
with one of the Fortinets or the Gauntlets or the Raptors.
00:11:50
And you know IP tables, right, you know, the thing I remember
00:11:53
is ShoreVol was the one that always helped me get IP tables
00:11:56
to work on Linux, because IP tables was confusing back 25
00:11:59
years ago and you know it would give me a path.
00:12:02
And the other one I think is interesting.
00:12:06
And so I've always thought I just started to find masters
00:12:09
about two years ago in machine learning and data science, and I
00:12:15
did it because I thought I needed a bigger push on learning
00:12:19
, kind of the fundamentals.
00:12:20
I thought AI back in 2019 would be important.
00:12:23
I think I was right, but I spent three years doing it.
00:12:27
But that was hard-forced statistics.
00:12:29
What's chi-squared?
00:12:31
I forgot.
00:12:32
I haven't heard chi-squared in 30 years, right, and so I looked
00:12:37
at it as I needed a professional education that was
00:12:42
well-equipped with connections.
00:12:44
That, I thought, was something was super relevant.
00:12:48
You know dns is.
00:12:49
You can read a book on dns, can't really read a book on
00:12:52
neural networks.
00:12:53
If you do, you can, but then you won't understand the
00:12:55
statistics and the fundamentals and the.
00:12:57
You know it's python or you know you want pytorch or
00:13:00
tensorflow and what's a layer, and so that stuff gets
00:13:04
complicated and I thought I needed the basics and so I
00:13:06
always say there's those three things.
00:13:08
If you're looking for a point topic, it works a great way.
00:13:10
You know if there's a certification that can get you
00:13:13
mastered in a core area, or you know professional education on
00:13:17
something that has been very beneficial, and I think I try to
00:13:21
look at it as those three things.
00:13:22
And then the last one I would say is like take your own career
00:13:25
into your own hands and try to manage it and apply those kind
00:13:29
of three capabilities or three levers you can do and build
00:13:35
yourself to what you want to be.
00:13:36
Speaker 1: Yeah, that is a really fascinating way of
00:13:40
putting it.
00:13:40
You know, I feel like people should use, you know, use formal
00:13:44
education as that stepping stone to get into a new emerging
00:13:49
area.
00:13:49
I'll give you an example Back in 2017, 2018, I graduated with
00:13:55
my master's in cybersecurity and I used that to catapult my
00:13:59
career into cloud security.
00:14:01
To build those bricks, I got different certifications.
00:14:04
I read, you know, more books than I can even remember on AWS
00:14:09
and Azure and GCP, and so I have , I have forgotten more about
00:14:14
the cloud than I feel like I even know today.
00:14:16
Right, that's the situation.
00:14:17
And now, you know, fast forward a couple of years.
00:14:21
Right, I'm getting my PhD in satellite security.
00:14:23
Why am I doing that?
00:14:24
Because the next, the next war that takes place, is going to
00:14:28
start in the satellites before it ever hits the ground, or
00:14:31
anything like that.
00:14:32
Right, and you know we need to have the capability to protect
00:14:35
our communications against quantum.
00:14:37
You know quantum computing algorithms and things of that
00:14:42
nature, right, so it all starts and ends with the satellites, at
00:14:46
least in my mind.
00:14:47
So I'm stretching myself to get this phd in an area that you
00:14:52
know.
00:14:52
Even my chair, who's done this for 20, 23 years now, he's like,
00:14:57
hey, this will be a stretch.
00:14:58
You know it's gonna be.
00:14:59
It's not gonna be easy.
00:15:00
This is gonna be hard for you like okay, well, you know I'm up
00:15:04
for the task, right and it.
00:15:08
Speaker 2: Yeah, that's a good analogy.
00:15:09
I think you're at the same point.
00:15:10
What you're doing.
00:15:11
There is something you believe that's important.
00:15:13
I think it's important in the future.
00:15:14
Same thing with what I did with AI.
00:15:16
I just don't think I can teach this to myself.
00:15:18
I need to be enriched in writing Python three hours a
00:15:22
night.
00:15:23
We had a new kid, a new baby at the time, and I remember I
00:15:33
would go lay down with him and on my phone I'd be reading the
00:15:37
books, textbooks, while he was sleeping so I could get him to
00:15:39
go down, and so it's a different rigor, right, it's commitment
00:15:44
of 15 to 20 hours a week.
00:15:47
For me it was coding, which was nice for being in my role today.
00:15:51
Uh, just to sit there, put my headphones on, tune everything
00:15:55
out of the world and just write some crappy code, because I'm
00:15:58
not a real good coder.
00:15:59
I'm a good data science coder, but I think in in essence, it
00:16:03
was.
00:16:03
It was.
00:16:03
It was a really good way to understand fundamentals and,
00:16:07
just to your point, you know, with what you're doing with your
00:16:09
phd, you know you're going to understand it very well.
00:16:12
When you hear people talk about it, you're like it's not very
00:16:15
accurate and that's what I hear all the time with ai, I'm like,
00:16:17
oh, I'm not sure ai is a small or mean, but there may be people
00:16:21
that think it is and so you know, I think it's a, you know
00:16:25
it's.
00:16:25
It's sounds like we're you know kind yeah yeah, absolutely.
00:16:32
Speaker 1: Why don't we dive into what you're doing now?
00:16:35
What's your role?
00:16:36
Where are you at now?
00:16:38
Speaker 2: Yeah, so I'm at Cloudflare.
00:16:40
Cloudflare's a really cool place.
00:16:41
I'm talking about Cloudflare and I'm the chief security
00:16:45
officer and I also have the CloudForce One broad
00:16:51
intelligence.
00:16:52
So that moved over to me about six months ago and so kind of
00:16:54
the system rules what you would expect it to be.
00:16:57
You know, protecting Cloudflare , so kind of the charter,
00:16:59
protect Cloudflare, foster innovation, so working with the
00:17:02
product teams, using all of our products, you know, just
00:17:07
providing feedback and then talking to customers and so
00:17:10
having a pretty long, extensive CISO background, if I could help
00:17:14
people, I'm kind of a free resource, which is kind of cool,
00:17:16
and so that's been.
00:17:19
That job alone is super cool.
00:17:22
And when you protect 20% of the internet and you see 209 million
00:17:26
attacks a day, you get attacked .
00:17:29
We had our security incident in Code Red that we openly talked
00:17:32
about.
00:17:33
That's one of the things we do.
00:17:34
We talk about everything and that was really exciting to talk
00:17:38
about because most people don't do it.
00:17:40
And then I think the CloudForce One side, and so I have a group
00:17:44
of analysts that you're thinking of.
00:17:46
All this intelligence and threat intelligence and data,
00:17:49
how do we use it for?
00:17:50
How do we capture it for our telemetry?
00:17:53
How do we use it for machine learning?
00:17:54
How do we use it for research?
00:17:56
You know how are we stopping attackers, and so I think that's
00:18:00
, like you know, security person's kid in a candy store.
00:18:04
Speaker 1: Yeah, that is.
00:18:05
It's really fascinating, you know and I was actually just
00:18:08
having a conversation about this with someone where I feel like
00:18:11
with ai, we've kind of let the genie out of the bottle and the
00:18:14
genie won't go back in, and I feel like we're opening
00:18:18
ourselves up to so many different and brand new threats
00:18:22
and attack vectors that we don't even know about.
00:18:25
You know, like I, I'm working on several side projects and
00:18:29
some of them are using ChatGPT and ChatGPT just put NSA
00:18:35
director on their board of directors and it's like okay.
00:18:39
Well, yes, this guy could be completely separated from the
00:18:44
NSA, but I'm not an idiot.
00:18:45
There's only so much that you're going to be separated
00:18:48
from, right.
00:18:49
So we have to protect our intellectual property from an AI
00:18:53
algorithm that could literally just read what's on your screen
00:18:59
and post it on the internet.
00:19:00
I saw this yesterday, right where someone held up a sticky
00:19:05
note with their Wi-Fi password.
00:19:09
Speaker 2: Yeah, so how I got into this, it was when I was at
00:19:12
McAfee and I ran the labs organization.
00:19:14
You know, at that point McAfee had a.
00:19:16
It was when kind of a consolidation in McAfee existed.
00:19:19
And you know, they'll get sensors and be like, well, we
00:19:21
just need to use machine learning and fix it.
00:19:23
And I'm like, well, what does that mean?
00:19:25
Like we just need to do a random forest on all our data.
00:19:28
And I'm like I didn't know a random forest on all our data
00:19:31
means.
00:19:31
And so that was kind of how I got into going down this path.
00:19:36
And then I, you know, went to McAfee and joined a couple of
00:19:40
banks.
00:19:46
But I think to your point is, you know, we don't always
00:19:47
understand what the technology is doing and you know it's
00:19:49
relevant.
00:19:49
I always think what we're doing with LLMs is very simple it's
00:19:53
NLP, it's data protection, don't let data leak to the internet.
00:19:56
Like we've been talking about that for 20 years and we just
00:20:00
all have enabled the tool.
00:20:01
That is really good at it, right.
00:20:03
And so I think to your point, you don't know what the data is.
00:20:07
And so to your point, I'm just, if he goes on here, or the data
00:20:09
is, and so 2.1, stiffy goes on here that where the data is
00:20:13
captured in an LLM, it's the same thing.
00:20:15
I don't actually know what's in the LLM.
00:20:17
Is it right?
00:20:18
Is it accurate?
00:20:19
Do I need an LLM to check the validity of my LLM, right?
00:20:23
So you know, it's all this stuff that's very interesting, you
00:20:32
know.
00:20:32
Interesting, you know, are they putting bad data in there?
00:20:34
So when people use it, you know , and so I think we've injured a
00:20:37
chasm that is dangerous, super up, like I think I'm super
00:20:38
optimistic about AI, but it's, you know, I've watched people.
00:20:42
I've watched people on our workers platform.
00:20:43
You know, workers AI is super cool and you can go pull a LLM
00:20:47
model down and run it.
00:20:48
I'm like that was way too easy.
00:20:51
And then I'm like, well, what's in the model?
00:20:52
Is there like a root kit?
00:20:55
Are they stealing my API keys when I do a build book?
00:20:57
Are they just part of this data off my machine, like whoa?
00:21:03
And so I think those are things that you know the technology is
00:21:10
so cool and there's so many advantages of it, um, that it
00:21:12
just is is there and I'll even say, like I used it the other
00:21:14
day, um, for a home project.
00:21:17
I was like I don't really want to code.
00:21:18
This api is put in like hey, you really colored the hook in
00:21:21
the api, it spits it out, I'm done right.
00:21:23
That that's, you know, super amazing progress for developers.
00:21:28
But you know, you guys go what.
00:21:30
What did that do Right?
00:21:32
And and and what is that data being used for, right?
00:21:35
So I think it's, you know, super interesting.
00:21:40
And we're just in the early stages of AI because, you know,
00:21:44
the LMs don't actually know anything, they just assimilate
00:21:46
words, right?
00:21:46
We're not into inferring words or references at this point.
00:21:51
Speaker 1: That's you know, a few years out, and that's where
00:21:53
it'll get very interesting yeah, you know being at cloudflare
00:21:57
especially, you know, at the role that you're in.
00:21:59
Are you seeing ai change the kind of attacks that you are,
00:22:05
you know, protecting your customers against?
00:22:07
And when you see if, if they are something like brand new
00:22:11
right, that wouldn't be possible or would be very difficult
00:22:14
without ai.
00:22:15
Um, how are you, how are you able to quickly adapt right?
00:22:20
Speaker 2: yeah, so it's a good.
00:22:22
It's a good question.
00:22:23
I always smile when, when somebody asks because, like, how
00:22:26
do I know that they're using ai to attack me?
00:22:27
Um, I think they're probably using very similar things that
00:22:31
we're all using is you know?
00:22:33
They're trying to find ways to automate, and so what I've seen
00:22:35
a lot is attackers are much quicker.
00:22:38
They're building automation scripts.
00:22:40
They're saying, hey, give me the you know, be able to give me
00:22:43
the code to pull down all of my customers from Active Directory
00:22:46
and they'll exhumate it.
00:22:48
I think it's still probably in an infancy of AI is what I will
00:22:52
say, and I always say well, what does AI mean?
00:22:54
Are they trying to figure out what my algorithm is, what data
00:23:02
sets I've put into it, what features I've extracted, what
00:23:04
feature importance, and then they're going to manipulate the
00:23:07
model?
00:23:07
That very well could be true, but it's really hard to detect
00:23:13
those things.
00:23:13
I do know some things that we've seen.
00:23:18
I think we wrote a blog about Log4J.
00:23:20
We saw Log4J early before.
00:23:24
Log4j was Log4J.
00:23:26
That was a year, because we were able to source it back to
00:23:30
the original developer that wrote it, and I think that was a
00:23:31
cheater, because we were able to source it back to the
00:23:32
original developer that wrote it , and I think that was a few
00:23:35
months before it actually occurred, and so it's one of
00:23:38
those that you actually you know it's interesting from a data,
00:23:42
from a reporting standpoint of what is out there and how it's
00:23:45
being used, and so I still think it's early and still think that
00:23:49
companies are still kind of learning wealth, wellness and
00:23:53
learning and algorithms and things outside of the logistic
00:23:57
progression.
00:24:01
You know, I think it's going to be more important on how you can
00:24:05
actually automate and get into things and what else.
00:24:08
Even our kind of the first reach we had this year with Okta
00:24:12
, that was 100% scripted.
00:24:13
I mean, they were so fast, not having access to very long.
00:24:17
They did a lot of reconnaissance, and so I might
00:24:21
call that AI, but I also might call that really good
00:24:24
intelligence, knowing exactly what they were doing, and so
00:24:27
reconnaissance is probably intelligence as well.
00:24:29
Right, like, what tools is company a using?
00:24:33
And gpt will probably tell you.
00:24:35
So it's a lot easier than having the skin and tasks and,
00:24:38
you know, be stolen yeah, that is.
00:24:40
Speaker 1: It's really fascinating.
00:24:42
There's a lot of things there that we can dive into.
00:24:44
I I feel like you know, with, with log4j, how, how were you
00:24:49
able to and I'm not expecting you to know this answer, but how
00:24:52
were you able to, I guess attribute that code to the
00:24:59
specific developer or the group or whatever it is?
00:25:01
What does that look like?
00:25:02
Speaker 2: Yeah, so I think once you figure out what the attack
00:25:05
looks like I was talking with John here in Cummings.
00:25:07
He was telling me the story.
00:25:08
I wasn't here, but once you understand what the attack is,
00:25:10
you have so much data and we can replay the data right, so we
00:25:14
get 20% of the internet.
00:25:15
So if we know actually what the attack is, we can actually go
00:25:19
back in time through our geometry and look to see where
00:25:23
we first saw that Right, and I think this is what makes
00:25:27
Godflare unique.
00:25:28
This is one of the reasons I thought coming here would be
00:25:30
amazing is, you know, if we can do something like that, we're
00:25:35
endless in the opportunities and technology that we have,
00:25:38
especially with the platform that allows us to do it.
00:25:41
So you can actually, and I believe we worked with the
00:25:44
government to help find attribution on the person, and
00:25:47
so it's one that you can't.
00:25:49
You know, even if you talk a little small, tiny website, we
00:25:54
have the logs right.
00:25:55
About 20% of the internet is coming for us.
00:25:57
We're going to see something, and so they're not going to
00:26:00
launch a log for JMR making institution for the first time.
00:26:04
They're going to try, right, and they're going to try a small
00:26:08
website that's been posted on GoDaddy or somebody like that
00:26:12
because they don't want it to be caught, and so we have little
00:26:16
websites.
00:26:17
We have over 30 million internet properties, and so I think it's
00:26:21
a good place to test and then we can go trace it back and say,
00:26:24
well, what is the inception of this, of this and I think even
00:26:31
in those things we see that we do this actually a lot that
00:26:33
there might be a zero day that somebody gets hit by a company
00:26:36
will call us.
00:26:37
We can kind of trace it back and then put a signature in,
00:26:39
because they're writing around the email, right, so they can
00:26:41
kind of figure out what works and what doesn't work.
00:26:43
It's either blocked or not blocked.
00:26:47
It's pretty easy to know if you're blocked or not blocked,
00:26:49
and so they have to try that somewhere.
00:26:51
So if we can kind of go back and look at it and say, kind of
00:26:54
like a time machine, you know that's a really cool capability
00:26:58
because of where we sit on the internet and nobody can do that
00:27:02
right and so, and that helps the platform, that helps the
00:27:07
product and that helps efficacy, right, things that I think are
00:27:11
super important on how do we do that?
00:27:14
And you know, I just think that's really cool.
00:27:20
Speaker 1: You know I have, I guess, an interesting question,
00:27:21
right, so you bring up that.
00:27:22
You know you guys see 20% of the total traffic of the
00:27:25
internet, which is it's a really impressive number, you know's.
00:27:31
It's a huge amount of traffic that you see, right.
00:27:34
Just to even parse it and identify something wrong in that
00:27:38
data is impressive alone, right .
00:27:40
Is there ever maybe a internal discussion around like what a
00:27:47
critical mass you know traffic consumption would look like?
00:27:51
And the reason why I ask is because you know when, when
00:27:55
companies start to you know I, I guess, potentially consume that
00:28:00
much data of the internet or see that much you know data of
00:28:03
the internet, it could be like a single point of failure where,
00:28:06
if you know, if cloud, you know, let's say, sees 51% of the
00:28:10
internet and a hacker finds a way into Cloudflare, that could,
00:28:15
you know, theoretically right, put 51% of the internet at risk
00:28:19
of something.
00:28:20
Is there ever any talk about what that looks like?
00:28:23
Because obviously, you know, from a business perspective you
00:28:26
would want 100% of the internet.
00:28:27
Obviously that's not a controversial thing at all,
00:28:31
right, but from a security perspective it's like, well,
00:28:35
what's the right amount that we should actually be at?
00:28:40
Speaker 2: Yeah, it's a good question.
00:28:41
I think our view is, the more data you can run through us, the
00:28:45
more intelligence that we can give you.
00:28:46
We'll never get to 100% of the internet.
00:28:49
20% of the internet took Matthew and know Matthew and
00:28:51
Michelle, you know 14, 15 years to build, and so you know we'd
00:28:55
love to double it, probably, and be able to provide telemetry.
00:28:58
I think the network, the reason we have the network, is because
00:29:02
we have the websites that have the traffic that give us access
00:29:05
to.
00:29:05
You know carrier level grades, you know, you know peering with
00:29:08
ISPs and those things that none of our competitors have, so you
00:29:11
can almost call us a global ISP, right, and so I think that's
00:29:16
interesting.
00:29:17
The one thing I'll put my CISO hat on and say you know, from a
00:29:21
strategy security standpoint, you know I think about things
00:29:28
differently.
00:29:28
So one of the things I'm talking about is how do we build
00:29:30
a mutable infrastructure?
00:29:31
Right, then you know we could have a severity issue, and so if
00:29:38
I get to new infrastructure and you know a lot of our
00:29:40
infrastructure is already immutable, which really helped
00:29:43
us kind of with the Thanksgiving incident where you know
00:29:47
everything's in memory, everything's encrypted.
00:29:49
We redo it every 30 days, we reload operating systems every
00:29:52
30 days.
00:29:53
There are other things that we want to make sure we want to do
00:29:55
consistently across the environment, but that allows me
00:29:58
to have a trigger that, in a breach, I can just start
00:30:01
resetting things and evict.
00:30:03
You know, in minutes and I think this was something that
00:30:06
Matt and I have talked a lot about is how do we get to
00:30:09
immutable, how do we only have signed things right here, how do
00:30:12
we, you know, you know all everything's short-lived
00:30:15
certificates, everything is.
00:30:16
You know, you know, hard in the way that it would be.
00:30:19
You know you can't get in the cages that get turned off, and
00:30:22
so that you have a lot of this in place today.
00:30:24
But I think, when you think about our place in critical
00:30:27
infrastructure, that's what you have to expect out of us.
00:30:31
Right, you know.
00:30:31
And so and I use this with a lot of CISOs and say, well, can
00:30:35
you trust cloud service?
00:30:35
So this is where we are, this is what I'm building.
00:30:38
Can anybody do that?
00:30:41
Right, and it's not me building , it's the engineering teams.
00:30:44
Right, it's how do we build backup control planes in every
00:30:48
country?
00:30:48
How do we have data sovereignty in every country?
00:30:50
And so you know, that's not something you know we talk about
00:30:55
.
00:30:55
We're a security company we talk about, hey, we're.
00:30:58
You know, the next artificial intelligence company with all we
00:31:01
do on the edge will be the largest inference network in the
00:31:04
world.
00:31:04
But at the end of the day we'll have 20 plus percent of the
00:31:07
internet coming through us and the team takes it very serious
00:31:11
about security and how we do things.
00:31:13
Even you know the bash to zero acquisition we just made up, hey
00:31:18
, the Bastian Zero acquisition we just made of hey.
00:31:19
We've got to improve how we do privilege management, right, and
00:31:21
that's.
00:31:22
You know they get a few trolls in those places, but it's, how
00:31:24
do we get this to world class?
00:31:27
And then we have a conversation about you know how we do
00:31:31
security versus how our competitors do security, and
00:31:34
we're not.
00:31:34
You know they're going to be like, wow, we're trying to hard
00:31:36
run.
00:31:37
No, I have the same version of Linux running on everything in
00:31:40
the global network and it's, you know, everything's updated
00:31:44
every 30 days to the latest.
00:31:46
And then we have a whole other management program Because,
00:31:49
right, I mean, that's just an amazing thing, but you know,
00:31:57
with you want 40% of the internet, or you know whatever
00:31:59
that number is.
00:32:00
Or you know, get to 25% of the internet, or 30% of the internet
00:32:03
, is something that is good for the internet, we believe,
00:32:08
because we're trying to help route mini ISPs, because if you
00:32:12
look at radar, there's a lot of you know.
00:32:14
Look at some of the elections you know global networks are
00:32:17
being turned off in certain countries so you can't get the
00:32:20
latest news on elections, and so we're trying to help people be
00:32:24
able to not do that.
00:32:25
And that's the thing I always think, the mission of helping
00:32:29
build a better internet, and we just did a pulse survey, the
00:32:33
engagement scores and more than 90% of them said this is one of
00:32:38
the single most important things in joining CloudFlare.
00:32:40
And so I think you have this.
00:32:42
You know we protect the Internet, we defend the Internet
00:32:45
, we want an open Internet and with that comes a great security
00:32:50
posture.
00:32:51
Speaker 1: Yeah, that's really fascinating.
00:32:53
You know that you're doing those things, that you're
00:32:59
securing and hardening your network and your infrastructure
00:33:02
that way.
00:33:03
As a security practitioner, I'm always thinking in terms of HA.
00:33:09
What happens if I just pull that server out of rotation,
00:33:13
right?
00:33:14
What if it just crashes?
00:33:15
Right there?
00:33:15
Are we dead in the water?
00:33:17
Are we having massive issues, or am I not even waking up in
00:33:22
the middle of the night because our HA is so good and so
00:33:25
thoroughly tested?
00:33:26
I always go back to one of the credit bureaus that I used to
00:33:31
work for.
00:33:33
We had some of the most impressive HA that I've ever
00:33:36
seen for sure, where we, you know we would have multiple data
00:33:40
centers and 50% of it every other month, would be literally
00:33:44
powered off, like completely powered off hard down.
00:33:48
The main power switch is pulled and we just see what happens.
00:33:53
You know, and in the very beginning a lot of things were
00:33:55
breaking right, as expected, but over time we built DHA to be so
00:34:00
robust that we could lose, you know, 75, 80% of the network.
00:34:04
And we're still up, we're still making money.
00:34:06
We may not be happy, but you know, we're still able to
00:34:10
operate, which is a significant.
00:34:12
It's a significant feat to really, you know overcome is
00:34:18
having that ability to you know, hardening your network to that
00:34:21
degree.
00:34:21
I mean that takes, that takes.
00:34:23
You know of non-stop work and engineering and thinking through
00:34:27
problems.
00:34:28
You know forward and backwards and starting at the middle and
00:34:31
going to the front.
00:34:32
You know there's so many, there's so many variables in
00:34:35
there, so that is very impressive yeah, and I think
00:34:39
it's a.
00:34:40
Speaker 2: You have to do it right, I think, and you just
00:34:42
have.
00:34:42
You know, I always think you made a cloud security person.
00:34:45
I mean the conversations I've had about automobile security,
00:34:48
infrastructure and AWS and like, okay, they use, you know, cloud
00:34:52
security controls, aws is secure, and you're like, no,
00:34:55
we're going the wrong way and so you know it's it's.
00:34:57
You know, even the start of this conversation like, oh,
00:35:01
we're just going to give you that.
00:35:02
You know, we're going to give you that infrastructure secure,
00:35:04
we're going to do this securely and right.
00:35:05
Like I think it's one that you know it's where we are, the team
00:35:10
.
00:35:10
I can't take any credit for this .
00:35:12
A lot of this has been welcome to get to where we want to be,
00:35:17
but what an amazing organization to be thinking about this 10
00:35:21
years ago and how to build it.
00:35:22
You know we're contributors to many of the kernels and Linux
00:35:28
distros and Nginx and the things that we've built just to push
00:35:33
the envelope for how we operate and to harden it, and it's
00:35:37
really impressive to see these, know these people and it's even
00:35:41
better.
00:35:41
I go you see him on zoom and see him on you know these, these
00:35:44
things, but to meet him in person.
00:35:46
You know it's like wow, you know, I was in london and met
00:35:49
one of kind of the top network people and like just as humble
00:35:53
as you that would be, and he built a lot of the network.
00:35:54
You know, just really cool things.
00:35:56
Speaker 1: Yeah, it's uh, you know the the I guess my initial
00:35:57
question.
00:35:57
You know I just really cool things.
00:35:58
Yeah, it's.
00:35:59
You know, I guess, my initial question.
00:36:00
You know, I guess it could trip some people up, right, but you
00:36:05
provided, you know, probably the perfect answer right to that
00:36:08
question.
00:36:08
That question wasn't meant to trip you up or anything like
00:36:11
that.
00:36:11
Right, it's out of my own curiosity, but you know, the
00:36:15
only real answer is saying, yeah , if we're consuming a large
00:36:19
portion of the internet, sure I understand how your security
00:36:23
brain is going to say, well, that's a risk because that's a
00:36:26
single point of failure and it's grilled into all of us to never
00:36:29
have a single point of failure.
00:36:30
But if you enhance the security so significantly, I mean that's
00:36:34
that's competing with.
00:36:35
You know government agency.
00:36:38
You know data, data center, like security and things like
00:36:42
that, right, that that is what that's that's actually competing
00:36:45
you know with.
00:36:46
It's really impressive.
00:36:48
Whenever I see a private company I mean a public company
00:36:52
obviously, but you know what I'm I'm saying it's a company that
00:36:56
isn't a government agency doing that level of work.
00:37:00
Speaker 2: Yeah, and you know I think this is something that you
00:37:03
know we talk about supply chain and you know everybody gets
00:37:06
breached in the supply chain and so we, you know a lot of
00:37:12
questions about what's your security posture and I'm like
00:37:15
I'm happy to talk about it, right, but to challenge all of
00:37:18
our competitors, challenge everybody in the industry, right
00:37:21
?
00:37:21
Like I don't think there's any place I've ever been you know,
00:37:25
probably no place to have been that you walked in, like what
00:37:28
are we doing here?
00:37:29
Speaker 1: Like whoa like.
00:37:30
Speaker 2: That's not what I thought.
00:37:31
You know, and I always used that.
00:37:33
Well, we have a three-year spread.
00:37:34
We have a three-year spread because we've got three years
00:37:36
worth of work.
00:37:37
It has to be secure, which probably means we've got more
00:37:39
than three years, and I think these are things that when you
00:37:43
know the vendors have to take this seriously.
00:37:47
You know I've always been, you know I haven't spent a lot of
00:37:49
time on the product side of diamond banking right, and so
00:37:53
expectation is that my vendors are resilient, they have good
00:37:56
controls.
00:37:56
But the reality is you take the large banking institution,
00:38:00
probably the fortune 50, they're probably in pretty good shape,
00:38:04
but the rest of the world isn't, and we all know this.
00:38:07
And and that's why we see the supply chains, because it's a
00:38:10
lot harder to attack cloudflare than it is to attack one of our
00:38:13
supply chains- yeah, it's a really good point.
00:38:16
Speaker 1: You know when, when, when more money is on the line,
00:38:20
you you get everything that you want, you know, from a security
00:38:25
perspective, and we always talk about that.
00:38:27
You know I've been in the financial sector for security
00:38:32
for far too long at this point and we always talk about.
00:38:36
You know there's certain things that you just spare no expense
00:38:40
on and you get it.
00:38:41
You do it right.
00:38:42
If it takes it longer, that's fine.
00:38:44
You know all those sorts of things, but that is not
00:38:47
widespread throughout the industry of you know where
00:38:51
security professionals need to be.
00:38:53
That's not widespread throughout all the other sectors
00:38:55
in the market.
00:38:56
I wish I could say that, but I mean, I've seen some some crazy
00:39:02
environments that you know in a pci world that would never, ever
00:39:06
be acceptable, like that whole team would be fired.
00:39:09
Speaker 2: You know it's uh, it's yeah and you know, when I
00:39:13
was at the big bank, I had I had a billion dollar budget and
00:39:15
1500 people that worked for me and and like there were two
00:39:19
complaints, there were only two we didn't have enough people, we
00:39:22
didn't have enough money.
00:39:23
And I thought, if we don't have enough people that have money
00:39:26
and I have this like we're all new, right, and so it's now a
00:39:29
privatization discussion, because you can't the banks can
00:39:32
apply a lot of money to a lot of things, and they do, and they
00:39:36
do a very good job at it.
00:39:37
But you know, if you're, you know, a medium-sized company and
00:39:41
you got 10 security people, stuff for a 24-hour sock, right,
00:39:44
you get outsourced and you have the right data, and so you go
00:39:47
to this bath and it's, it becomes very hard.
00:39:49
And then you have vendors that are getting breached and it just
00:39:52
you know, just you know.
00:39:53
So you're like, well, being sis was tough, yeah, because you're
00:39:56
having to think about all these things.
00:39:57
Then I got a five-year-old waking me up in the middle of
00:40:00
the night, right, screaming for daddy.
00:40:01
You know he's just screaming for mommy, but you know, it's
00:40:03
like you have all these things that you're trying to think of
00:40:06
and you know you're just getting kind of attacked from all
00:40:09
angles and you're just trying to touch a finger in the nail.
00:40:13
Speaker 1: Yeah, that's a good point.
00:40:14
You, you see this going, I guess.
00:40:23
Right, where do you see, I guess, the cloud flare side of
00:40:25
it going and evolving?
00:40:25
You know what areas are you guys trying to get more
00:40:26
penetration into in terms of security offering and then how
00:40:30
is that being informed by?
00:40:32
You know potential threat actors that you're seeing in the
00:40:34
environment that are switching their methods, and you know
00:40:37
technology and things like that, right?
00:40:39
Speaker 2: yeah, I think you know what people always.
00:40:42
It's an interesting conversation.
00:40:44
When I started about a year ago , people were interested in
00:40:47
cloud.
00:40:47
We kind of would talk to cloud you know your CDN company and I
00:40:54
think over the last 15 months people are very intrigued and so
00:40:58
I think what we've done over that period of time, people are
00:41:00
like we've actually done some interesting things with Zero
00:41:02
Trust and Web Firewalls and DDoS , and so you know, I think
00:41:07
you're going to see more of that .
00:41:08
I think you know, when I listen to Matthew and Michelle talk,
00:41:11
you know the first seven years were to build a network.
00:41:13
That's what they did.
00:41:15
You know it's unmatched and it it's pretty well.
00:41:17
You can't reproduce what we have.
00:41:19
The second step of the year is we're building products and I
00:41:22
think we have some.
00:41:23
You know I will challenge anybody to go to CloudFlare,
00:41:26
sign up, go to dashcloudflarecom , log in, get a free account,
00:41:31
set up a WAF, move your DNS over and if it's more than 20
00:41:34
minutes to put a whole like, I'd be surprised.
00:41:37
Right, and so the products have always been very good to use,
00:41:42
but people haven't really known us and I think you know the
00:41:45
cornerstone that we have and it's.
00:41:47
You know, there's always that question of security versus
00:41:50
performance that I've dealt with for a long time.
00:41:52
And you know our products are in the top one or two or three
00:41:56
or one, you know, depending on who you like better are top
00:41:59
notch.
00:42:00
But I always go back to.
00:42:02
You know we're doing a lot with zero trust.
00:42:03
We're doing a lot with your intelligence, we're doing a lot
00:42:06
with web applications and APIs and so you kind of have a, you
00:42:10
know, a fully redundant IndyCast network with all of these
00:42:15
capabilities that's faster than everybody.
00:42:18
Because you just can't.
00:42:19
You know you can't.
00:42:20
There's 320 locations and it will be 350 by the end of the
00:42:23
year.
00:42:24
Once you can use in every location by the end of the year
00:42:27
for kind of the workers and ai inference stuff that we do.
00:42:30
And you know, if you want a vpn , I'm living in st louis, my vpn
00:42:35
terminates in st louis and then we optimize your route to, to
00:42:39
wherever it goes, and all of my controls, every product we have
00:42:43
runs in St Louis, every one of those 320 locations it runs.
00:42:46
And so when you start thinking about resilience, and if St
00:42:50
Louis goes down, I go to Chicago , right, so I might go to Dallas
00:42:53
or Indianapolis and I think where I think this goes is and
00:42:57
you're starting to see it with.
00:42:58
You know you need security, you need resilience, you need
00:43:01
performance and we're going to be more resilient and perform
00:43:06
better than anybody just because of what we are, and that's kind
00:43:10
of the cornerstone.
00:43:11
So I think the security platform on top is just amazing.
00:43:14
When you talk about the telemetry we have well, we have
00:43:18
more telemetry than anybody in the world from a security
00:43:19
standpoint, so we should.
00:43:19
About the telemetry we have well, we have more telemetry
00:43:20
than anybody in the world from a security standpoint.
00:43:21
So we should have the best models, we should have the best
00:43:25
data.
00:43:25
And so I think you know what.
00:43:28
What you know kind of how we think about the next seven years
00:43:30
is we're going to be a very customer driven organization.
00:43:33
We've been kind of cool, fun, cool techies, and now you're
00:43:38
going to see a link there and how we do things.
00:43:41
You've seen it with.
00:43:42
You know, bringing Mark Anderson off of our board
00:43:45
amazing person.
00:43:46
You know he was the CEO of a publicly held company.
00:43:49
He's running revenue and Stephanie Cohen, who was on the
00:43:53
executive committee at Goldman, and so I think you're going to
00:43:56
see this really big question.
00:43:58
I always, I always wanted to work for that company that
00:44:01
people were kind of scared of.
00:44:03
I always worked for a company like ooh, I got to worry about
00:44:06
them, they're going to crush us.
00:44:06
And so, like I think we're that company now we're the ones that
00:44:10
people kind of look at over their shoulder and go you know
00:44:13
how are we going to compete with that global network and a VPN?
00:44:16
I don't know why anybody would put another VPN other than us.
00:44:19
You look at the locations we terminate in every one of the
00:44:23
320 locations, 320 data centers.
00:44:26
I think you're going to see that become very prevalent and
00:44:30
become kind of a marquee component.
00:44:34
But don't underestimate the AI.
00:44:35
There's a lot of articles written.
00:44:37
There's one written today about us and Apple speculation.
00:44:41
But I think you're going to see , you know, to have the largest
00:44:46
inference network in the world where we can run AI.
00:44:48
I think people are still trying to figure out what AI is.
00:44:51
You know how do we run models.
00:44:52
You know, when it comes that you want the model closest to
00:44:56
the user, well, that's kind of our bread and butter.
00:44:59
And so you know the serverless compute platform that you can
00:45:03
stream 50 million people if you want.
00:45:05
If Taylor Swift decided that she wanted to stream a concert,
00:45:08
we can handle it.
00:45:09
That's kind of cool to be able to say that without knocking it
00:45:13
over and distributing the networks.
00:45:15
And so I think you're going to see this the security will
00:45:18
really be dominant.
00:45:19
I think you're going to see AI over.
00:45:21
Know this.
00:45:21
You know the security really be dominant.
00:45:22
I think you're going to see you know AI over the next year, two
00:45:23
years, three years.
00:45:24
You'll see us play a huge role in what goes on globally.
00:45:29
Speaker 1: Yeah, that is.
00:45:29
You know, it's interesting to see what you guys put together
00:45:35
and put out right.
00:45:35
Put out right Because having that large of a network really
00:45:42
enables you to.
00:45:42
You know, for instance, take zero trust to a level that no
00:45:44
other provider out there probably could.
00:45:45
Another, another thing I always forget that you provide zero
00:45:49
trust.
00:45:49
You know, it's a, it's a.
00:45:52
There's always something new that you guys are coming out
00:45:54
with that you know, is is I feel like it's often a little bit
00:45:59
overlooked, even right, and you know to your point of how quick,
00:46:04
how quickly you can switch over to cloudflare.
00:46:06
You know, from a from a security engineer perspective,
00:46:10
right, I worked for a company and we were deploying cloudflare
00:46:13
and of course, you know we heard the same thing the entire
00:46:17
time throughout the sales pitch it's gonna take you 20 minutes.
00:46:19
You know it's, it's pretty instant, pretty seamless, you're
00:46:23
not gonna have to, you know, fiddle with it a whole bunch or
00:46:26
anything like that.
00:46:27
You know, whenever a company tells me that, okay, you know,
00:46:30
whatever we, we go to deploy it and you know, just like you said
00:46:34
, 15, 10, 15 minutes, it's, it's technically deployed and
00:46:39
everything.
00:46:39
And you know, my first question to the sales engineer that's
00:46:44
helping me with it is so what's next?
00:46:46
You know what do I?
00:46:47
Okay, well, we did this, that's fine.
00:46:50
Well, what do we need to do now ?
00:46:51
And he goes no, that's just about it.
00:46:54
You know that's everything, let it just do its thing.
00:46:57
And I said what?
00:46:58
And I had to, like, check the availability of our applications
00:47:01
, make sure that we weren't down .
00:47:03
You know like that might yeah, I think it's one.
00:47:08
Speaker 2: That that's.
00:47:08
That's that's.
00:47:09
You know the origination of the company where I build the
00:47:11
network, build products, make them easy.
00:47:13
Um, you know, the only way to get 20 percent of the internet
00:47:17
is that they can free stuff away , and that that's what we do.
00:47:19
And you make it easy.
00:47:20
And so I even get to the other conversation and when I talk to
00:47:23
customers I'm like well, are you terraforming everything?
00:47:25
You should be terraforming and put it in the pipeline, split
00:47:29
out your roles and responsibilities, get out of
00:47:31
that, click house and roll.
00:47:32
And they're looking at me like I've got two heads, and I'm like
00:47:35
how else are you going to do cloud security right?
00:47:38
Like, everybody's trying to put it in a pipeline.
00:47:40
Like, just put this in a pipeline, pull a configuration
00:47:44
out, you know, get cloud or get hub or whatever source, and then
00:47:48
make it sticky and like, not find a little machine.
00:47:51
You know there's always been the thing of, well, our security
00:47:54
is better, like and you know everybody compares security like
00:47:58
we're top-notch at this, but then operationally, like you can
00:48:02
move right.
00:48:03
So you know, you don't have to wait for 30 approvals, I can put
00:48:07
it in the pipeline, you can actually do detections for you
00:48:10
know the thing about doing this is something we do internally.
00:48:14
We do detections off of our pipeline, for you know people
00:48:15
playing code and that they shut't, run off or ask changes
00:48:18
and only stay in something.
00:48:19
Now we are actually getting into like hey, this is real
00:48:23
security stuff.
00:48:24
Versus I got to go to an user interface and I'm going to meet
00:48:27
us for a period.
00:48:28
I'm not like it's a little stressful, right, because you
00:48:31
should stop all that.
00:48:32
And you know you can see the look on people's face Like how
00:48:38
do you do that?
00:48:38
And, and one of my other issues internally is like getting the
00:48:42
click ops.
00:48:42
I'm like we can't.
00:48:44
How do you shift left when everybody's clicking on
00:48:46
everything?
00:48:47
Right, like it's terrible.
00:48:48
Like I would say you have this issue on Sunday and they're like
00:48:51
, well, the API's not good.
00:48:53
I'm like how, like it's 2024.
00:48:55
Like you should have APIs, you should have a big telephone
00:48:59
provider, you should be able to be able to do the things,
00:49:02
because business wants to move fast.
00:49:05
Security you know we want to be an enabler, but we're often a
00:49:09
distractor, and so how do we move fast with all the things
00:49:15
that are there?
00:49:15
And so you know this is one that we often talk about is you
00:49:17
need better security and it's going to be faster.
00:49:19
You know I don't need to change a center.
00:49:21
You know security team doesn't need to get in the way of a
00:49:23
certificate, but the dev team can, right.
00:49:25
So you know what are those rules that you want to do.
00:49:28
You're going to push a code and it's just images Like why do I
00:49:31
need to be involved, right?
00:49:32
So those things like free up time to do higher value things,
00:49:38
I think you know we're kind of.
00:49:39
I do feel like there was probably 20 years ago.
00:49:42
There was a heavy.
00:49:43
You know networks was more important than security.
00:49:45
Probably over the last 20 years , security was more important.
00:49:48
Maybe 10 years over, security is an important network.
00:49:51
And now you're saying you know everybody's working from home in
00:49:55
different geolocations.
00:49:56
It's about speed, performance, availability and you've got to
00:50:00
have security, and so I think these things are really
00:50:04
interesting to the business model because it's all things
00:50:06
we've always wanted to do.
00:50:07
I mean, just, no vendor could ever help us and that was, even
00:50:11
when I came here, the only problems I had in the banking
00:50:14
world.
00:50:14
That I'm like I didn't know Cloudflare could do that.
00:50:17
I didn't know IGGT can solidify five graphs into one and have
00:50:22
this kind of performance or zero trust.
00:50:24
Why am I backhanging people to 15 data centers with a zero-cost
00:50:29
provider versus having no traffic limits there?
00:50:32
All my web traffic goes there, my CASB and the data production
00:50:36
is there, versus backhanging them to Singapore.
00:50:40
You know, I think those are things that people are starting
00:50:44
to gather less and super.
00:50:48
Speaker 1: Yeah, grant, you know this has been a fantastic
00:50:52
conversation.
00:50:52
I feel like we could, you know, easily keep going for another
00:50:56
couple hours, right, but you know I try to be very cognizant
00:51:01
of you know, the time frame, right that I give all my guests
00:51:03
and everyone, because everyone has such a busy schedule.
00:51:06
But you know, before I let you go, how about you tell my
00:51:10
audience, you know where they could find you if they wanted to
00:51:12
reach out and you know potentially connect.
00:51:14
And in case they've been living under a rock for the past 10-15
00:51:19
years, where can they find Cloudflare?
00:51:21
Speaker 2: Yeah, so good.
00:51:22
So you know, let's start with Cloudflare.
00:51:23
So you know, go to cloudflarecom.
00:51:25
You know, if you're you know this is what we see a lot is go
00:51:29
play with it, get an account, put up a website, you know, put
00:51:32
it on pages, develop your own site on pages, and workers
00:51:36
protect it.
00:51:36
Just see how easy it is and play with it Pretty cool and see
00:51:40
what the product offers.
00:51:41
You can even get a zero-trust client for your home.
00:51:43
So if you're one of those crazy people like probably you and I,
00:51:46
and we have VPNs, we can do that Free.
00:51:48
Right, there's free work clients.
00:51:51
We have our own free version that's anonymous and surfing on
00:51:54
the internet.
00:51:55
So check us out.
00:51:56
I think that's cool.
00:51:57
We need you to meet me.
00:51:58
I think the best way is LinkedIn.
00:52:00
I'm Grant Borzikas, it's probably pretty easy.
00:52:03
You can get Grant Peace Probably super simple.
00:52:05
Love to hear from you, love to connect.
00:52:07
And if I can ever help with anybody, you know I think that's
00:52:10
one of the best part about this job is I can become a free
00:52:13
consultant to help and guide, and I find that highly rewarding
00:52:18
.