Cloudflare Careers Day: What does Security mean for Cloudflare

Hi, everyone. My name is Rory Malone. I'm responsible for privacy compliance at Cloudflare.

And yeah, so let's start. Thomas, could you give us a quick overview of the security team at Cloudflare?

Yeah. So we wanted to give you a high-level overview, a little bit of the security team.

So we have a detection and response team, which are doing amazing work to make sure that we're able to catch the bad guys and some of the incidents that happen at Cloudflare.

So they are building lots of tooling internally to basically make sure that we have detection pipelines and then we can process that data at scale.

So lots of engineering function and AI work that they're doing to basically make sure that as Cloudflare grows, we have everything that we need.

We also have the product security team, which I am a member of, and we work really closely with basically all of the engineering that is happening within Cloudflare to make sure that all of the application and the software that we use is in line with our security appetite.

So lots of cross-collaboration there. We also have an infrastructure security team, which is going to basically look more closely at how we make sure that all of the software that we run on Cloudflare hardware is only actually the software that we expect.

So they're going to look at the lower level of the stack to make sure that it's up to scratch there.

Nice. And then in the other part of the security team, we have the governance, risk, and compliance part of the team.

I sit within governance, risk, and compliance. We help our customers both when they have questions about our security and privacy posture and ask questions to our vendors as well about our security and compliance posture, manage our risk.

And we have a whole team that manage our validations and the certifications that we do external audits for.

So, okay, Thomas, tell me more about your role.

I'd love to know more about your role here in London in the security team.

Sure. So as I said early on, I'm the security engineering manager for the application security team, which lives within the product security team.

Now, basically we're really trying to build strong relationship with engineering team across the organization.

So to understand better the software that they're building, the problems that they're trying to solve, so that we can basically look at it and understand the security implications from all of those cool features that we try and roll out, both externally that are public facing, but also internally.

There's a lot of machinery happening behind the scenes to make Cloudflare work the way it does.

And so that means that there's an incredible amount of engineering happening.

And so on a day-to-day basis, we're carrying out security reviews, threat modeling exercises, code reviews, but also building a lot of tooling because we want to scale.

We want to be able to do that work at pace so that the innovation continues at the same rhythm that it's going.

And so that means also obviously developing our own set of tools and trying to bring in everything that we need there.

That's cool. So taking a step back, Cloudflare's doing engineering work here in London, here in Europe.

That's right. So there's an awful lot amount of engineering happening in Europe.

Cloudflare is a global company and there's lots of locations where engineering is happening, but specifically in London and Lisbon, we have, for instance, the frontline team, which is basically the doorway to handling HTTP and web traffic within Cloudflare.

So they're building all of the platform that is allowing to do that at the scale of Cloudflare.

There's also other cool teams like the team that's responsible for all of the anti-denial of service mitigation.

We have the firewall team that is present at Cloudflare that's bringing you like the WAF and the web application firewall and the traditional firewall features in the Cloudflare dashboard that you might be familiar with.

We also have a team called the Quicksilver team, which is building our internal key value store that is able to replicate configuration changes and settings across our huge points of presence all across the globe.

So really a lot of teams that are building core features of Cloudflare.

We also have other teams that are looking more at like opportunities and like emerging technologies.

So we have presence of like our teams that are focusing on like really like new products that are launched quite quickly and hit the market and basically like try and gather people's captivate, people's mind and attention.

That's really cool.

That sounds like there's the whole stack across Cloudflare, whether it's UI or some of the core products or some of the new emerging products that are being developed here in Europe.

That's really awesome. How do you as a security manager, how do you work with those engineering teams, both ones that are in the same time zone as you here in Europe, but also globally?

Yeah. So obviously we have a set of processes to basically make sure that we are interacting like in an efficient manner to basically know what's going on.

There's obviously so much more engineers that there are people in the security team.

So we need to make sure that we have good established process and communication channel to understand the changes that are going to happen and the kind of product that we're trying to launch.

So we have automated processes to basically notify us that some changes are coming, but also there's a significant human size of things where we are building relationship with various engineering teams.

So we have a security champion and partners program where we basically try and have a dedicated time between the project security team and the various engineering teams so that they know that they can have a go-to person to raise things, but also to work upstream of projects being released and developed.

So those are kind of like some of the main ways we work together.

That's really cool. Just I want to remind everyone before we go on to the next questions, there is somewhere down here, there is an email address, livestudio at Cloudflare.tv, please email any questions you have and we'll try and take them while we're live on air.

Thomas, over to you. Right. I mean, now that I've talked a little bit about myself, I mean, I'm sure everybody would be really keen to know a little bit more about yourself and your role here in London.

Yeah, absolutely.

So I'm formerly a security compliance privacy specialist. And what that means is I'm responsible for our global privacy compliance program.

That's my role.

That's what I'm doing here at Cloudflare. Right. So your title says both privacy and compliance in it.

Can you elaborate a little bit? Yeah. Yeah. Actually, it's really interesting.

So it has both privacy and compliance. And also, I sit within the security team.

It's a role that sits within the Cloudflare security team.

So it's got all those three different things mixed into it. The compliance team that I work with in security compliance, we help manage all our validations and our external certifications.

So for many of them, like ISO 27001, we have SOC certifications.

We certify to the PCI standard as well. We have a or quarterly audits.

And we need to make sure that we prepare for those, that we have all the information that either the internal teams need for internal audits or that the external audits is required.

And so that's the security compliance part.

The privacy part is that there's this, privacy is a really hot topic.

And there's increasingly privacy validation as well. So we're really proud that earlier on this year, Cloudflare got our first ISO privacy certification.

It's called ISO 27,701, as opposed to 27,001, which is about security and cybersecurity.

And we're continuing to work on other really exciting certifications.

Ultimately, they come from our customers.

It's what our customers ask of us. So many customers talk about things like ISO 27 ,018.

There's also one about Cloud security, ISO 27,017.

And we're always interested in hearing from our customers, what do they want?

What are they interested in us obtaining? And then we look at those and we see if we can put them into our audit calendar every year.

Awesome.

I mean, like you said, privacy is a huge topic. So I'm guessing you probably work with a lot of people like Cloudflare.

So can you enlighten us a little bit more on that?

And obviously, maybe talk a little bit about if there are privacy roles in Europe and things like that.

Yeah, absolutely. Obviously, I'm based here in London, in Europe, working for Cloudflare.

But we have a global team, but there's some key roles here in Europe in privacy.

So we have a data protection officer who's ultimately responsible for data protection over the whole company.

And she's based in San Francisco, where our headquarters are.

But we also have privacy councils based here in Europe.

We have a superstar team. We have privacy program managers who are also based stateside as well.

So we have a full suite of people, both on our operational side, from a legal side, and obviously, I'm working from the security compliance side, making sure that we can up our game with privacy and the standards we adhere to every quarter, every month.

And ultimately, as I said, listen to what our customers are asking us to do.

Nice. Awesome.

And can you talk a little bit more about also overall how the privacy team fit within the security team as a whole?

Yeah, absolutely. So although I was the first privacy role within the security team, we have other privacy roles now within the security team.

Increasingly, privacy is something that you can only build once you have good security, good cyber security.

You can have security without privacy, but you can't really have privacy without having security.

So that's why it's so important for us in the security team that we do think about privacy.

People like me are there advocating for privacy, considering how this might affect our customers, how certain things might affect our employees, et cetera.

And yeah, so there are privacy roles in the security team. There are also privacy roles, actually, elsewhere in the company, as I was saying.

There's some within the legal team.

There's obviously a huge team that do engineering work on privacy-first products and privacy-focused products.

So actually, yeah, privacy is a huge cross-functional thing across Cloudflare.

Awesome. Okay, I'm going to jump back to asking you questions.

Okay, so remind me of your current role at Cloudflare, because I know that it was different when you joined Cloudflare.

Yeah, so my first role when I applied was as a senior product security engineer, so slightly different from the role that I currently have.

Now, my journey towards applying and getting a job at Cloudflare, I think it's worth mentioning, and it's worth talking a bit about an insight into that.

And it was really, for me, a desire to try and work for a company where I would have a big impact, not only for a company that delivers security, so Cloudflare is a security company, so for a security professional, it's really appealing, but as a company that really cares deeply about building a strong security team and investing in security internally.

Now, Cloudflare has a ton of customers. We serve a lot of Internet traffic and we're in constant growth, and that means that by making sure that what we deliver to our customer in terms of product and working with our engineering to make sure that those products are safe and secure, that has a huge impact.

And that was one of the main drivers for working for Cloudflare.

Now, the second aspect is I love to learn about new things and new topics and new technologies, and because of our- Don't tell me all.

Yes, indeed, but because of our pace and the innovation that is going on and the number of products that we release and the variety of each of those, because they solve different types of issues, that means that there's always something new to put my teeth in and try and understand how it's been built and the various security implication of it.

So it's always super exciting to work with engineering to see how it all fits together and raising the bar as a team.

And then you have changed. So your first role was as a security engineer, you're now a security manager.

Can you tell me a little bit about that change and that move?

Yeah, sure. So like you said, I joined as what we generally call an individual contributor.

And at some point, because of the team growing, there was also an opportunity to switch to more of a management role, which is a bit of a career change type thing.

And here, the drive was also to try and basically not only get the fund just for myself, but also to try and develop other people.

And I think this is a great opportunity when becoming a manager to try and basically share the knowledge that you've acquired throughout your career at that point, but also try and have building a solid team and having people that grow with a team and pushing for an agenda, being more in control of your destiny in a way by setting certain goals and trying to deliver those by having a strong and solid team, really.

I've heard that people have a number of different interviews when they're applying and they come to work at Cloudflare.

Could you maybe talk a little bit about your process and who you're interviewed by or the kind of things that you talked about at your interviews?

Yeah, that sounds good. So basically, as part of the interview process, there's generally an informal chat or formal chat with a person from recruitment that is going to basically try and understand where you're coming from, see what your background, your priorities, talk you through a little bit more about details about the role and the team you might be applying to.

And that generally kind of like sets a little bit the next steps.

And after that, there's kind of like a well kind of like trodden path of a process.

I don't know if the process has probably changed a little bit and matured since I joined, but generally will be followed up with the technical interviews.

Some teams do carry out take-home tests where you basically have an exercise to complete and you submit your exercise and that helps a little bit understand some of your technical skills and your thought process around certain issues.

And when all of those kind of like phone conversation type interviews have done, generally we do an on-site where it's just like an opportunity for not only seeing you as fitting within the team, but also collaborating with other teams.

So there's generally like people from other organizations that are invited to kind of interview you.

And that's kind of like generally like what kind of like finishes the process in a way in terms of like the technical interviews.

And when there's a high degree of confidence with the candidate, then it pushes towards more some of the wrap-up interviews around like the executive interviews that you might have with various C-suites type people in the company.

That sounds nice. It's a balance between sort of actual technical interviews, like people that you're meeting that aren't necessarily that technical and kind of also, you know, both a spread of both junior and senior people that you might speak to in an interview.

Yeah, that's correct.

That's correct. It really is kind of like a mix where there's, it's not, Cloudflare is not only interested in like people, in people's technical skills, it's also about the values and how you fit in and make sure like some of your soft skills, making sure that you're going to be able to thrive and collaborate throughout your work.

It's certainly not like, okay, here's a Linux box that we've prepared for you.

Now, see if you can hack into it. It's certainly not that kind of like entirely technical, you know, you've got 60 minutes.

Yeah, exactly.

So we don't do that. We don't operate like that. I think we're more interested about people's potential than necessarily like being a guru at one topic.

It's also about seeing the potential as well. So we have a variety of people with different seniority, and we welcome all of that within our teams.

Cool.

Nice. Well, Rory, let me kind of like ask you a little bit like the opposite kind of like question.

How about you? How did you come about to work at Cloudflare?

Yeah, it's a really interesting one. And I think it's a slightly different to your experience as well, which is nice.

I left school at 18, 19, and I didn't go to university, I started working.

And so, you know, roll on many years, I've got a lot of technical experience.

And I've used Cloudflare. I've used Cloudflare as a product, both for DDoS protection for managing DNS records, various products that Cloudflare had in the first kind of 10 years.

And I saw a job opening as a privacy specialist in the team at Cloudflare.

And I thought it was really interesting.

I thought, as I went through it, I thought, oh, I've done that. That's really interesting.

I thought, oh, I'd like to do that. That's really interesting.

And I thought, oh, that's got my name on it, too. And I was like, yeah, okay, I definitely have to apply for this role.

So there was actually a Cloudflare careers day, an event happening.

And so it was the next day. So I signed up for it. And I came along to the event.

It wasn't entirely focused on the roles that I was, or the role that I was looking at.

But I still came along. And it was really interesting to hear about Cloudflare, hear about the process.

And I approached someone who seemed friendly.

I didn't know who she was. She had a name badge on. So I said, hi.

And I said, actually, I'm interested in a role. But it's not one of the ones that people are talking about here.

And she said, oh, which role? And I told her the role.

I said, oh, I'm actually a recruiter. And I'm the one that's responsible for looking for that role.

So let's chat about it. So that was really great.

And I had a couple minutes chat with her. And then she said, if you haven't already got the application in at that point, I had.

She said, great. Come to me in my queue.

And we can have a chat about it. So that was really nice. So I actually came along to a careers event like we're doing today on Cloudflare TV.

Yeah, so that's how I'd already known Cloudflare, already used Cloudflare.

I saw a role.

And I thought, yeah, I absolutely have to apply to this role. It's got my name on it.

Awesome. Yeah, that's a slightly different journey for me. For instance, I wasn't super familiar with what Cloudflare was doing when I applied.

I ended up documenting myself as an afterthought, as part of, obviously, the application process, and only discovered a bit more about what they were doing.

I had seen a few of the blog articles, but not necessarily used the service like you did.

Right. Yeah, the blog is amazing. I remember reading lots about the blog before I even thought about applying to Cloudflare.

I remember reading it during my hiring process. And I still read it now that I'm a Cloudflare employee.

Actually, I've written a blog post now as well about our certification earlier this year, the privacy certification.

It's really good. And we really recommend that to anyone who's interested in Cloudflare, anyone who's interested in a job at Cloudflare.

I like it. I like our different perspectives here.

It's a completely different. Actually, I think it shows the broad ways that you can come to end up working at Cloudflare, and how we're not just interested in someone who might have XYZ experience on their CV, or did XYZ degree at university.

We are, as you were saying, Tom, we're interested in the potential, interested in how people will work with their team, how they can grow, and what they can bring as a full person.

Let's talk about some of the roles. So we both have described a little bit about our roles.

There's a couple of other roles in the team.

So let me cover the first one. We currently have someone who works very closely with me and my team in the compliance team as a customer compliance, so security customer compliance specialist.

They're really interested in helping understand what our customers are asking from Cloudflare and making sure that we can give them answers to their many questions about how do we use this type of security?

Where is our data located? How many times a year do we do this?

And so that's one of the roles, someone who's already at Cloudflare. There's a couple more, Tom.

Can you maybe just give us a very brief overview of those three, and then we can talk about some of the open roles that we'd like to hire people for at Cloudflare?

Yeah, that sounds good. I mean, we have hired, and we're interested in people that have more of a data scientist type background.

So we're solving problems of scaling within the security team.

So we need people that are able to make sense of high volume of data and in an efficient manner.

So that aspect of data science and being able to cope with that is definitely something that we're really interested in.

And we have people in Lisbon that are part of our detection and response team that help us massively with that.

We also have within Europe people working in the infrastructure security team.

So that's the team that I mentioned that is ensuring that Cloudflare software is the only software that is allowed to run on our hardware.

So they're really putting their hands in the mud and trying to make sure that we have a secure boot enabled on our server, and that we can basically have a high degree of confidence and integrity on everything that runs them.

And we also have security engineer roles where they're basically jack of all trades, which are able to both work with engineering team to solve some of their problems, develop certain solution, build some tooling for us internally, and basically drive a bit some of the security engineering change that we have and that we need as a whole.

Nice. They're very different roles, which is cool.

Actually, I should add as well, in the last week or so, someone's accepted an offer to come and join a new person to come and join the governance risk and compliance team too.

So we've got someone else who's joining the compliance, which is really exciting.

But those are the kind of roles that we have at the moment. But I can see, let me just count the one, two, three, four, five, at least six different roles just within the security team that are open at the moment for people to apply to.

There are security engineers, people that might be working on enterprise security, people that might be working on infrastructure, I think is used referring to there.

We have product security engineers as well. So an open role for that.

And also there's a very senior role that's available. It's not just in Europe, but it's across the world.

It's a director of infrastructure security. So that's a really senior role here in the security team.

I think we're really interested in hearing from people.

If they haven't yet made an application, they're welcome to email.

Again, I'm going to point somewhere down here and the email will get through to the right people if they want to ask questions to recruiters about these roles.

I think diversity is also really important at Cloudflare.

We have really active, what we call employee resource groups or ERGs, whether it's Womenflare, championing the voice of women in the company.

We have Proudflare, which is an LGBT resource group.

We have Asianflare, we have Desiflare. We have all sorts of these really wide range of groups that are basically employee led.

And we really encourage applications from, if you're from an underrepresented minority, if you're from an underrepresented gender, we're really interested in hearing from you.

I've heard it best from some of the senior members in our team that say, when we have a diverse team, we build better products, we build better security, and we represent the areas we need to represent better.

I think the whole tech industry wants to make sure we're more diverse, but at Cloudflare, actually, I've noticed that it actually makes a real difference.

I work with a much wider variety of people from different backgrounds, cultures than I have done in previous roles, and I'm really proud about that.

No, that's awesome. You're right to say, to stress that point.

I mean, it definitely is really part of the culture, having all of those employee led groups that basically promotes diversity and inclusivity within the company.

And it really is like something that I've, in the past, for certain companies that I've worked for, was a bit more like on the fringe, whereas Cloudflare really is at the core and supported across the company.

So that's really great stuff.

We have about four minutes left, so let's jump to some of the final questions we have.

So, okay, number one for you, Tomer, what's the best part of working in the security team at Cloudflare?

So, I mean, just saying one thing is probably not going to cut it, but I mean, some of the great thing is that the quality of people that have joined Cloudflare as a whole, not only in the security team, makes it so interesting.

There's so many people to learn from, both in terms of their past experience, the knowledge they bring, the awesome product that they're building because of the complex problems that we have to solve.

It just makes it such an interesting experience to work at Cloudflare.

So just the technical breadth that is available and some of the challenges and the impact, like I said just earlier on, is, I think, one of the core factors of working for Cloudflare.

And there's also great things that you just mentioned about the culture and the values that Cloudflare is supporting.

And it's been tough with the pandemic. It's been tough, but the company has really done a lot of effort to try and kept the culture going, kept the employees engaged.

So that's also a huge part of- That's exciting.

Yeah, I think we may have lost your video for a second, but it's working again now, which is great.

And we heard you all the way through. I'm going to answer the same question, if you don't mind.

Yeah, best part of working in the security team at Cloudflare is just the variety of roles that are available.

I know that if I want to ask a specialist in, as you were saying before, our infrastructure, our edge network, if I want to ask a specialist in part of enterprise security, if I want to go and talk to one of our detection and response engineers, they've got a really wide skillset.

They're really approachable. They're really friendly.

And I can just ask them a question. And similarly, some of our teams, some people within the security team come and say to me, hi, could you give me a background on what this privacy thing means?

Or does this have an impact for privacy?

Should we be considering this when we're doing a privacy review or something like that?

So it's really nice to have that broad range. And I think unlike some other companies, Cloudflare has a security team with a security leader, Joe, who's our chief security officer, who report directly to the executives, right up to Matthew, who's the chief executive, and Michelle, who's the president and chief operating officer.

Other companies I've seen the security team where it's been maybe part of the IT team, and they report to maybe a chief information officer, or it could be sometimes part of finance or somewhere else in the organization.

But I think as you said earlier on, we're a cybersecurity company.

We're a security team in a security company in an industry that's hugely focused on security.

So of course, Cloudflare should have this really big and important security team, and they should report directly to the most senior leaders of the company.

I think that says it all really about how important security is taken at Cloudflare.

Thomas, okay, we've got one minute left. Can you please tell me, if I was interested in a role at Cloudflare, if something that we talked about today really piqued my interest, what should I do next?

How do I find out more about these roles?

Well, I think the real go-to thing would be to go and visit the Cloudflare careers page.

So it'll be www.Cloudflare.com slash careers, and there you'll find the links around all of our jobs.

There's some links here, I think, somewhere here as well.

Go for it. Click apply. Don't hesitate. We really, really want to talk to you.

Otherwise, there's plenty of other channels to reach out for jobs on LinkedIn and other social media platforms.

So plenty of ways to reach out to Cloudflare, and please apply.

Thomas, it's been an absolute pleasure. Thank you so much for spending these 30 minutes chatting to me.

Yeah, I hope everyone gets a chance to see some more of the great Careers Day content, and thank you.

That's it. Goodbye. Thank you. Goodbye.