📺 CFTV Anniversary: Cloudflare Careers Day: Security at Cloudflare
Susan Chiang (Deputy CISO) and Joe Sullivan (SVP, Chief Security Officer) will represent the Security team to discuss their hiring philosophy, share profiles of great candidates, and give advice on building a career in Security.
Join our LinkedIn Event: http://cfl.re/CloudflareCareersDayNAMER
To find all of our current open roles, go to https://www.cloudflare.com/careers/jobs/
Transcript (Beta)
Well, in that case, welcome to the security edition of today's careers day. We have Joe, do you want to introduce yourself?
Yeah. Hi, my name is Joe Sullivan.
I'm the chief security officer here at Cloudflare.
And where are you located today?
I'm located at home in Palo Alto, California.
Lovely. Well, I'm Susan. I'm also on the security team at Cloudflare.
I joined about the same time as Joe, almost three years ago, and I oversee a couple of functions on our team.
So let's start a little bit about you.
How long have you been at Cloudflare, which I already covered, and how has your role grown?
So I've been at Cloudflare for almost three years, started in summer of 2018.
And our team has grown a lot in that time.
We've been hiring pretty much nonstop. It's been a fun journey. I think we started with less than 10 people back then, and we have over 60 people now, and a bunch of people starting and we have a bunch of open reqs as well.
And that's why we're doing this session to share more about the roles we have open and what we're looking for in terms of people joining the team.
When I think about building a security team, it's all about the people.
And as a leader, this is my third time building a security team.
And I always remember before the first time, I got a good lesson from a friend of mine.
He said, you can whiteboard a perfect organization in terms of the different functions that you want to have.
But if you try and stay rigid to that, you'll never actually build the team that you want.
Because the reality is people don't fit into boxes on a whiteboard. People bring different skills that they have and areas of interest that they want to grow into.
And so, we've tried to build a team with flexibility here that allows people to grow in roles and into new roles.
And so, we didn't start with a perfect whiteboard plan, but we've ended up in a pretty good place after three years.
Yes. Related to that, on my end, I joined without a job title or job description, because I think you had other priorities on your first week at Cloudflare.
But that kind of signifies the type of team we want to build.
We want to attract the right people.
And we know that security as an industry is very dynamic. And working at Cloudflare is a multiplier for that.
So, hiring the right people, aiming them in a way that they can grow personally, professionally, and everything else has really led to success on that front.
And so, on that front, let's talk a little bit more about what's unique about working on a security team at Cloudflare.
Oh, so much is unique.
I like to say that a lot of roles in security have gotten disintermediated from technology.
When I think about the first security team that I built at Facebook, where we were dealing with our own servers and our own data centers all the way through to our website and our mobile apps.
And so, we had to understand everything.
If something broke on the Internet, if something broke in terms of a type of phone, if something broke in terms of a type of computer or server anywhere in the world, it impacted us.
And if there was any security issue in any part of the stack, it was relevant.
And that's the case for us too. If there's a Linux kernel vulnerability, it's something we have to deal with.
If it's a routing issue on the Internet, we have to deal with it.
And so, it requires a really deep understanding of technology.
And we get to focus on all the different areas. We're in the middle of supporting the infrastructure team as they select the next generation of hardware.
And so, we have to think about how do we do secure boot, trusted boot, memory encryption, all of those things, all at one end.
And at the other end, we have to think about web application vulnerabilities on our website.
So, it's, I think, a really great place to learn because you can't show up knowing how to do all of that.
But this is a place where you can learn and choose to work on different aspects of that as part of our team.
Yeah, I think, in fact, we frequently look for people who, even though they may have a lot of experience in one area, they're oftentimes attracted to us because they want to grow and develop in a new area that's either adjacent to their area of expertise or just another area of security.
So, I think that that makes a lot of sense. And I'd love to hear more from you on how our security kind of works with each other, as well as works with other teams at Cloudflare.
Sure. Well, we have three. So, it's funny, like most security teams wake up every day and they have one mission.
It's find all the risks and reduce them.
And that's definitely a core mission for us.
That's our job every day when we come in, make sure that whatever new code gets rolled today is secure and whatever's out there stays secure and that our customers and their data that are flowing through our network are protected.
That's job number one for us, just like every other security team in their environment.
And that would be challenging enough, given our global network and the percentage of the Internet's traffic that's going through us and the large number of customers we have.
But we also have two other, I think, legs in our stool that we sit on as a team.
One of those is helping enable innovation. I remember before I started talking to our CEO about that and he had said, you know, as a security team, you're going to be the closest thing to talking to the customer that a lot of our teams that are building product can get.
And that's proven to be 100% true. We dog food every Cloudflare product before it gets public.
And in fact, we don't just dog food it, we actually contribute ideas to the making of it and sometimes even build kind of like the first version of it ourselves.
I can think of a bunch of different examples where our team needed to solve a problem and then it ended up becoming part of a Cloudflare product.
And so that's something that a lot of people on our team really enjoy.
They know that they're doing job number one, reducing risk for us, but also getting to be part of an innovation cycle at the company.
And that's really fun because at most companies, security is viewed not as a contributor of value, but as a manager of risk.
And it's funny how at a lot of companies, those teams kind of fall into different categories in terms of resourcing, support, cheering for them at all hands meetings.
You know, security teams, sometimes their leaders have to spend a lot of energy reminding them that they're appreciated.
And because our team gets to be part of the innovation cycle, we feel appreciated even on the hard days.
And then the third thing for us is we get to support sales and revenue for the company.
And that's something that in my career I hadn't been so close to before because my prior companies had all been B2C companies.
Consumers care about security, but they don't have the leverage to turn to the company and say, show us your certifications, open up your data centers and let us come audit you.
But the type of customers we have at Cloudflare demand that.
They say, if our traffic's going to be decrypted in your data center, in your server, then we need to see how committed you are to security.
And so we have to host those audits.
We have to demonstrate to all of our customers that we really care about security.
So we spend a good amount of time talking to customers, finding out what they want to see us do next from a security standpoint.
And then we get to go do that.
And then afterwards, we get to have the auditors come in and validate how good we have done at it.
And so as a result, over the last three years, we've renewed our PCI certification every year.
But we also went and got the ISO 27001 certification, the 27701 privacy certification.
We've gotten the SOC 2 Type 1, the SOC 2 Type 2.
And we're now on the road to getting FedRAMP, among other things, in terms of regional certifications around the world.
And every time we get one of those validations, it unlocks more revenue for the company.
And so it feels really good that our work generates revenue.
So because we are, I like your analogy of a stool, there's kind of three legs to it.
How does that translate to the makeup of the team?
How does that translate to the skill sets or values that you look for in candidates?
Yeah. So I think we're a builder team. You know, like some security teams like to brand themselves as hackers.
I think every security team needs to have some of those skills, the ability to deconstruct things to find the vulnerabilities.
But you also need to build solutions to the problems. You need to have a builder mentality.
And so we have quite a few engineers on our team who could, and we have had people transfer out of our team to go work on development teams at the company and vice versa.
We have mobility in and out of our team, which you don't typically see because we hire people who have that builder mentality.
We also, because we communicate so frequently with other teams, not just about explaining why a risk is important to address, but in terms of like ideas for products and speaking with customers about risks that they care about and understanding their concerns, we have to be really good at communication as a team.
We're also fairly distributed as a company. And so that puts another level of need for good collaboration, communication, and empathy.
And so I think when we talk about values for our team, we talk about that builder mentality, and we definitely interview for that and empathy and communication as well as technical skills.
So let's talk about some of the kind of exciting build opportunities I had.
What excites you or what keeps you awake at night, but in a good way?
Yeah. A few different things.
When we talk, I mentioned that we have to deal with hardware security and everything going on on every server in every one of our data centers.
And one of the things that people say is, oh, you got to build a server that's as secure as an iPhone.
The idea being that if I leave my iPhone on a table in a restaurant, the odds of it getting compromised before I recover are pretty low, right?
Even if someone has access to it, they're not going to have very much luck breaking into it unless they're spending a ton of money and all that.
We want to be at least that secure with our servers because we can't always guarantee the physical security of those environments.
And even if we do, we can't always stop someone from breaking in.
And so it has to be so secure that if someone was to grab that machine, it would be secure.
And so one of our three engineering teams, our infrastructure security team, has so much exciting work to do in that context.
But then there's an even bigger challenge than that, which is on our detection and response engineering team, we don't just have to deal with the typical kind of risks that come from the phishing attacks and social engineering of employees.
But we also have to think about how do we build out detection and response really well for all those servers and all those data centers all around the world.
And so if you take that iPhone analogy even further, it's like we don't just have to build a server that's as secure as an iPhone.
We also have to build a server where we can get an alert that someone's trying to tamper with it.
Like Apple hasn't even gone that far with an iPhone, right?
Or you can take any phone. Is there some central organization that anytime someone tries to plug it in a different way or tries to reset the password, that an alert goes to a team?
And so we have to and have been building out our own kind of central logging and alerting system where we can ingest the logs coming from those servers, analyze them, and detect attempts of abuse really quickly, shut down that machine, and protect our customers' data.
So to me, that is a massive challenge.
It's really exciting and that we've been on that journey.
And we actually have a couple, well, we have roles open for both that infrastructure security team and the detection and response team.
In particular, we're looking for people who have those kind of skills to do software engineering and build out our SIEM type of environment.
So we need people who have expertise in data pipelines and machine learning and everything in between in terms of analyzing the logs that are going to be coming in from all over the world.
Mm-hmm.
Yep. So at the beginning, you talked about seeing this team grow rapidly from, I still remember in your first week, you texted me that you were in the security team meeting and it fit in a pretty tiny room with just a handful of people in it.
And us having worked together before, that was such a difference in terms of what that is and that we are over 10 times bigger probably at this point.
What are some things that you're really proud of during that journey, just some moments or accomplishments?
A few things. It was interesting, when we joined Cloudflare, it was a pretty small pre-IPO company that some people had heard of and had paid attention to, but not a lot of people had.
And so when we started reaching out for people to recruit to the team, they didn't know how do I value Cloudflare stock?
Where is this company? Where is it going? Don't you just do DDoS mitigation?
And isn't that a solved problem? Those were the kind of questions we were getting.
We're like, no, the opportunity is huge here. The company has a great leadership team and so much potential.
And we recruited some really smart people who were ready to take a chance on the company and believed in the mission because there's so much about it that you can get behind.
We're so pro-privacy, so pro-security, the kind of things you want to see a company value when you're on a security team.
A lot of the reason we go into security is because we want to help people and everything we build here helps people.
And so it's just a very rewarding kind of place for the team.
And so I think that's number one. But number two, we knew that we were going to build a team where we were going to bring in people who could grow in their roles.
And we've seen so much development of this team in the three years that we've been working with people on the team.
I think that on our leadership team, probably half of the leadership team wasn't hired in to be part of a leadership team in security, maybe more than half.
People were hired in and started as individual contributors and have moved into manager roles.
Quite a few of our managers started as individual contributors and asked to be mentored into management roles.
And we've had really great success at that internal promotion stuff.
And we've got to see people develop in their careers.
We hired quite a few people right out of college who had been growing as well and taking on a lot more responsibility and even moving into tech lead type roles already.
And then the last thing I'd say is we had a real intentional commitment to diversity around this team.
I started thinking about diversity and security back two jobs ago.
And I probably started thinking about it a little later on because I was in over my head and it was just like, hire the first person that I can find who can do this job.
And you're relying on kind of resumes coming to you rather than proactive sourcing and prioritization.
And it was harder to do diversity once you had fallen behind because it wasn't the kind of environment a diverse candidate would look at and say, oh, I could succeed here because I don't see anyone else like me or I don't see a commitment to diversity.
And then at my second company, I was an exec sponsor for an ERG group.
And I learned a lot from that.
And I've been happy to be an exec sponsor for our black employee ERG here at Cloudflare.
And I continue to learn a lot from that experience. And as a team, we have really embraced diversity in our hiring.
And so if our leadership team is diverse, our whole team is diverse.
I don't know the statistics off the top of my head, but it's something we've been really committed to.
And we were close to 50% women and we're, I think, close to a third underrepresented minorities.
And so we just, you know, partially that's because we prioritized it at the beginning.
And now, you know, when someone interviews with our team, they, you know, their interview loop, it's just naturally presents as a diverse team.
And as our team has developed, we're out there speaking and talking about our work.
And we naturally present as a diverse team in that context as well.
And so it's been really rewarding to see that when you give a little bit of effort to that, it really pays off.
Yeah. I think when I last looked at it a little bit ago for another conversation, I think we're about 47% women managers on the team, of which, going back to your other point, many were promoted from within, some from, you know, having been a strong performer as an individual contributor and us, you know, continuously investing in our people and growing them in the ways that they're excited about.
So I think, to quote you though, we're still just getting started in a lot of ways.
And in that context, I think you and I talk a lot about diversity.
What do you think, you know, we, now that we've, even though we're just getting started hiring for diversity, what are some ways that you found successful in terms of creating a space for diverse employees to thrive?
Yeah.
So I think one of the things that you and I talked about a lot at the beginning was it's not enough to just hire diverse candidates.
You actually have to create an environment where a diverse team can thrive.
Like in a strange way, bringing together a bunch of people who are the same, you might actually get, like by default, a smoother functioning team because they, you know, they spend more time agreeing.
Spend more time agreeing.
Exactly. And they, you know, people who come from the same experience and background, they just agree.
And so there's, there's harmony in terms of decisions, but that doesn't get you the right decision.
You actually like the data shows that like, you need diverse perspectives and an environment where those diverse perspectives can be debated before you get to the best decisions.
And so we've tried to create an environment where every opinion is valued.
And, and we like, we judge ideas, not people, I think. And we've, we've tried to encourage a lot of our younger, less experienced members of our team to present, to get comfortable talking in front of the group.
And I think we have a lot of different mechanisms for that.
You know, we do ops reviews, we do team all hands meetings, we do smaller meetings and give people chances to get comfortable talking and asserting themselves.
One of the ways I think it feels like we've succeeded is when I look at how many members of our team are active as ERG leaders in the company proper, you know, we have people on our team who are really active leaders of a bunch of the different resource groups inside the company.
And when I see that, you know, people from our team are really comfortable speaking up and raising their hand in a company all hands or, and, you know, I'm in front of the whole company and promoting a diverse group and saying, you know, that, you know, for this month, it's pride month.
And, and it's someone from the security team standing up and talking about it.
And, you know, for when we were doing black history month, it was someone from the security team standing up and talking about it.
And, you know, when there's a woman in engineering meeting, and they're hosting our head of engineering, it's someone from the security team doing the interviewing of the head of engineering, like over and over again, I see members of our team comfortable voicing their views inside the company and helping shape how the company as a whole thinks about diversity, not just our team.
Yeah, I think a huge part of that is the very makeup of the team that we've not just hired, but carefully cultivated the right culture to really multiply and emphasize the values, right, that really enable us to do that work.
I think it's also kind of going back, I think you went over this very quickly at the beginning, but we're also a very well positioned team, right?
I think a lot, you know, just thinking through a lot of folks that we met in other industries, a lot of times security teams are a department within a larger department.
Whereas here, you know, we're one of the central teams on the R&D side, right?
You know, we're not a risk management team, which oftentimes is looked as a cost aspect, but we're really looked at as on the innovation side.
It's also, you know, you present at every board meeting, I think we're one of the only teams that have a permanent slot on that front.
And I think, you know, just to wrap that up, you've instilled in me early on that doing good security is not taking a security mindset, it's taking a company mindset, right?
It's really solving for the problems that we face, yes, from a security perspective, but always in the best kind of for the best of the company, right?
And that really helps us think more holistically, objectively, and solve for the right things.
I think you're right. Yeah, I am one of the few security leaders I know who reports to the CEO at their company and sits on the company management team.
And this is the second time I've had a chance to do that.
And I think that it helps me get a much better perspective and have context for every security decision to understand the risks.
It's also easier for me to raise the alarm with credibility with the other executives, because they're used to interacting with me, and they know my judgment, they know the role our team plays, because we have a lot of visibility.
One of the things I like is that we don't just kind of sit aside as a team, we get involved in supporting a lot of different engineering initiatives.
And so we're constantly interacting with the other executives and members of our team are stepping in and doing engineering on-calls or being incident commanders for non-security-related incidents.
We get to have a presence inside the company that's not typical of a security team.
And so partially, I enjoy the privilege of getting to have a voice in those different environments.
But I also enjoy bringing that perspective back to the team.
I think sometimes some members of our team even say, I have my projects, and it's really nice to see how they fit into the context of the whole company.
And then other people say, like, you present too much information to us, I just want to focus on my projects.
And so we try and push a lot of information to the team and let the team selectively consume it to a certain extent.
But I think there are a lot of future security executives on our team right now.
And I want them to have like that context all the way through their career, not just you know, when they get to that leadership role someday.
Yeah, I know we have four minutes left.
So I did want to kind of get to the heart of our audience and see you know, what advice do you have for folks who now are interested in applying for our security team?
Yeah, I think. Well, first of all, we get a ton of resumes.
So you do have to do something to stand out. I think when we're evaluating people, we look for passion for cloud and understanding of our products and our mission and how we fit in the world.
It is special. We look for people who want to be in an environment like ours.
You can't think you know all the answers because you don't.
We work with really smart people across the company. And we have to be humble, we have to be good communicators.
And we definitely do need to be passionate about growth and learning.
I remember when I was in orientation, being amazed that like we were having these very technical presentations.
And this was like the beginning of orientation with you know, like there's an administrative assistant and someone on the sales team, and someone on the finance team.
And we're all getting the same technical presentation.
And I thought, wow, at other companies, they wouldn't expect everybody to understand how the Internet works.
But at Cloudflare, everybody needs to know how the Internet works.
And so you're going to show up and you're not going to know it all here.
And you're going to just be in learning mode all the time.
And so that's, we look for people who are excited to continue to learn and grow.
And I, you and I get this question a lot, and we talk a lot about it.
So I'll pose it to you, for our current audience, you know, do we require any degrees, certifications, or, you know, what are some must haves for our team on that front?
We do not. We have and have had members of the team who didn't graduate from college, all the way up.
Yeah. So we also have PhDs.
Yeah, we also have PhDs.
So it's, we look for relevant experience. And there are lots of ways to show your experience.
It can be that you've, you know, been really successful working through bug bounty programs, it can be that you've done a lot of development work, and you want to share some of your public repos, or, you know, different things like that.
There are lots of different ways to show that you have relevant experience.
It's, we look for that hands-on curiosity, more than anything else.
We've hired people from, you know, the, the fanciest academic institutions down to the ones that nobody ever heard of, or, you know, people with just high school diplomas.
And so it's, we try not to have a bias in any way when we start looking at resumes.
Yes, in fact, I think, you know, there are some roles where we don't even require years of security experience beforehand.
In fact, finding folks, like myself, security wasn't my first or second field or industry, so to speak, but finding people to come into security broadens our diversity and our depth of knowledge in that front.
Yeah, that's a really good point, because not every role requires the deep technical experience.
Some do, but, you know, we have to do security awareness training for the company.
We have to do a bunch of other different things, and so we look for people with different skill sets to make us well-rounded as a team.
Well, I know we are, we're about time, but one last question is, in front of the whole audience, are you team dogs or team cats?
I am definitely team cat.
Are you team phoenix?
Team phoenix, yes.
You should tell the story of why we have the phoenix on your shirt.
Optimism and resilience, and also it flies, it's an orange being that flies high above the clouds.
It's both visual and symbolic.
So, all right, I think we're, that's it. Thank you for joining, everyone.
Thank you, everyone.