🎂 Chris Young & John Graham-Cumming Fireside Chat

All right, welcome to this segment on Cloudflare TV. I'm John Graham-Cumming, Cloudflare's CTO, and I'm really happy to have Chris Young as a guest today. Chris, if you don't know him, he's former CEO of McAfee. He's also currently on the board of Snap and American Express, two wildly different companies, I imagine. And Chris's background is very heavily in cybersecurity, so RSA and Rapid7 and Intel and Cisco. And well, I won't read the whole LinkedIn thing, but welcome, Chris. Thank you very much, John. And just before we came on, we were talking about the fact that either you or I are a groundhog day because it feels like we're going round and round and round in security in some ways. It's like the same things seem to come up every 10 years or something. So just giving you a perspective, that's a rather depressing view of things. But what progress have we made in cybersecurity and what mistakes are we still making? Yeah, I like to start with the glass half full examples here. One, if you look at what we can do today, if you were one o'clock 10 years ago, we couldn't do nearly as much with technology as we can today. And so much of what we can do today is very much supported, enabled, cured by the cybersecurity infrastructure that we've put in place across the ecosystem. For example, I mean, it's not lost on anyone that in March of this year, literally hundreds of thousands, potentially millions of knowledge workers, pretty much everybody who could go remote, you know, over video and working remotely, went remote, literally overnight, like in a matter of just a few weeks. You mentioned American Express, I'm on the board of, like American Express is, you know, over 50,000 people, and many of them were going to an office every day, entire company went online in March. And, you know, we wouldn't have been able to do that without a strong confidence, as well as actual cybersecurity architecture in place. But as you point out, it's not perfect. And we keep finding issues. And, you know, I used to talk at RSA, you know, every the conference every year, and I would put up this chart, I've done it a couple of times, which shows the history of different cyber attacks. And, you know, what you see is that almost nothing that we've experienced traditionally has ever completely gone away. I mean, if you think about it, one thing you guys do is protect organizations against denial of service attacks. How long have we been dealing with that problem? It's not rid of it. It's morphed and changed, and it's moved around and become something different. It's evolved in many regards. And so that's in some ways why it feels like Groundhog Day, because, you know, almost like in the, you know, we spend a lot of time talking about this as well, almost like the human, you know, sort of health situation where you have viruses and such that don't ever quite go away, the common cold, the flu, we spend a lot of time learning about these things. They never go away, they morph and change and come back every year. And in so many regards, cyber security issues are quite similar to that in certain ways. It's interesting, though, that you mentioned humans there. One of the things that struck me in March was, yes, everybody was able to go home, but it opened up a bit of a richer environment for cyber attackers, and partly because of human psychology, right? People were suddenly in an unfamiliar way, their company was saying, hey, log into this new system we've set up. And that was kind of a fisher's paradise in some ways. We saw a huge rise in phishing attacks that were directly correlated to the move to work from home. Yeah, if you think about it, if you think about it this way, you know, there's cyber attackers understand that, you know, all of a sudden, you've got 1000s of workers that are million, in some cases, probably millions of workers across different organizations that are, they're not supervised in the same way, like you say, new systems, new protocols for how they work. And they preyed upon that very quickly. Notwithstanding the fact that we're all dealing with COVID, you know, new terms, COVID, Coronavirus, you know, and testing and just all of a sudden, you know, you saw cyber attacks going after the consumer and just, you know, sort of with misinformation, trying to get them to click on links, very traditional approaches. You also saw upticks in ransomware, you know, we continue to see that morph and evolve. We've seen that grow throughout the year. And then yes, you know, there's a whole litany of attacks that have been levied against the work from home model. And you know, what we haven't seen yet that I'm at least on mass that I would have expected to see in March is a little bit more attacking directly on sort of a home networking infrastructure itself. You know, we talk a lot about insecure routers and things like that, you know, a lot of firmware that hasn't been patched in people's homes. You know, we haven't heard as much about that. I don't, I think it's probably a bit less obvious to see some of those attacks. And perhaps it's too easy for the attackers to go after people in these other mechanisms. So they, so why bother? I mean, yeah, things like phishing are technically not complicated at all, and probably were pretty rich environments for attacking people. But essentially, you mentioned the home router thing. At one point in Brazil, that was a huge problem. What people would do is they would attack the home routers, change DNS, and if you went to your bank, you actually went to a fake, so literally hacked your router so that when you went to your bank, you logged into something that wasn't your bank, and it was quite stunning. So you're right, I hadn't thought about that. That is another potential vector, just securing the home network. Yeah, it's something that I think, irrespective of whether or not we've seen a massive uptick in attacks on home routing infrastructure, I still think it's prudent, and I still provide, I give this advice to the organizations, I still think it's prudent to make sure that if you're going to have people working from home, that they take some steps to protect the home networking infrastructure, because you could find, we could find ourselves in a situation where if we don't pay attention to that over the long run, you do see what happened in Brazil, and you do start to see an uptick of attackers going after the home networking infrastructure, the router in this case, and using that as a vehicle. And we always know the attackers will, you know, this is tried and true in our industry, never changes. Path of least resistance, it's like water on a roof, it will find the hole and go right there. Yeah, exactly. That's one of the things that often when I'm talking to people, they, you know, I just say to them, you just have to look at everything, because someone's out there just probing and finding, oh yeah, that one thing you set up five years ago, and you didn't path, whatever, that's how they're going to get in, and then it, then there's a stepping stone from there. But don't you think this, you know, one thing we've seen is this concentration on the network as a protection mechanism has also sort of been challenged by this situation, and general trends around public, public SaaS things, public cloud, Zero Trust things that come more to the fore. What extent do you think that's real? And also, what extent does that put us, put more focus, and this goes back a little bit to the McAfee thing, on the endpoint device as being like the thing you now got to protect when you're not protecting the network so much? I think, I think of it a little bit different. I think you still have to have a solid, trusted network architecture. It's kind of like, you know, like if you're running trains, like the rails have to, have to be there, like they have to be good, the bridges you go over have to be solid, you know, you have to, you have to have good rails to run on. So the network architecture still has to be secure, if you will, against attacks. But I do think that this move to more of a Zero Trust model, where we're looking at identity more closely, and really getting more, the way I think about it is zero trust is more of a fine grained approach to security. Like instead of focusing on a coarse grain, like, you know, I log into a network, and I have access to everything, it's no, I'm going to be more specific about who are you? What are you trying to get access to? Under what context are you trying to get access to it? And then I'm going to grant you access based on your ability to authenticate yourself, and therefore proved and also proved to me that you are operating in an environment that's more secure. Like if I take your, you know, Brazilian, you know, fraud example, where, you know, home router DNS has been changed, like, that's a great example of probably had the right user to start with. But the context around that user session was compromised. And therefore, you know, if you're just looking at a certain coarse grained element of security around that, you might get that decision wrong, you have fine grained access control, there are zero trust model, you're much more likely to get that decision, right, you're going to block, you're going to see this as a compromise session, user might be might be accurate, but the session itself is compromised. So therefore, I'm going to block that session and therefore make the right call from a security perspective. So I fundamentally believe and look, you mentioned I worked at RSA many, many years ago, like that was our dream is to be able to, you know, one day we'd be able to provide, you know, the right user access to the right application under trusted circumstances, and be able to make really truly fine grained decisions about that. And I do believe that with SaaS applications with cloud infrastructure, and this move to a more Zero Trust model, we're in a position now to increasingly be able to provide that kind of experience. And I think that's better for the user. And I think it's more secure for the organization. Yeah, what's interesting about it is you mentioned this, it really puts a lot of weight on the identity of the of the person or the or the entity that could be a device connecting and that then brings up all of the questions around identity management, and also authentication. So, so I think you're seeing an increase, I think you're seeing an increased amount of interest in that or in some ways, a resurgence of interest, you know, identity management used to be much more about, you know, authorization, you know, sort of provisioning users to internal applications, you know, in today's world, you know, obviously, a lot more focus on identity, you know, sort of proving identity, single sign on between applications, authentication is made, you know, two factor authentication has really become more democratized, you know, software based, you know, the mobile device, right? This thing has changed our ability to authenticate the user, without, you know, like, and again, in my day with RSA, like, you literally had that secure ID token with six, you read it, type it in, and you still do that with an SMS text message. But, you know, that's kind of coming to you in a more flexible kind of manner. So I, I do see a resurgence in that. And I think there's a lot of a lot of energy, you know, both at very large companies that are focusing on this, you know, like Microsoft is a great example, massive identity, infrastructure, companies that are fast growth, like Okta, VMware with Horizon, and there's a lot of players paying, you know, that are really innovating in the space. And I think it's I think it's good for the user. I think, again, it's good for security. Yeah. So let's flip back to one thing. I'm interested in your American Express experience, because one of the things that I think we've seen is that a lot of companies were thinking about greater flexibility for their employees, because there were forces that were making them do that, maybe it was SaaS, maybe it was public cloud, maybe it was they had a workforce that comes and goes through contractors. And then suddenly, in March, a lot of those plans got accelerated enormously. And the one thing that I found interesting was that it companies turned out to have the security sign off compliance and all those things, they could do them in a real hurry if they had to. And so what does that what does that tell us about how we should be making decisions around security going forward, if it was possible to make them that fast, back in March? I think it tells us in some way, it's probably more about organizational inertia. And, and why it's important to, you know, it's kind of like you read the Jeff Bezos letter every year, he talks about the day one thinking and really, you know, look, most organizations have a lot of inertia and really should have been doing and providing a lot of these capabilities a long time ago, and forced by the pandemic to just accelerate things, and show that the capabilities are there. It's just the will, it's the it's the need that, you know, pushed organizations to move faster, you know, big companies, you know, tend to be a bit more conservative, they're going to move a little bit slower. But the pandemic, I think, you know, there's a lot of quotes out there from, you know, various CEOs and others about, you know, the accelerated pace of change, digital transformation is, you know, accelerate, you know, more in two months than the last two years. Yeah, that kind of thing. I think that's all true. I think it's all happening. You see it in the numbers, right? You see it in kind of how companies are doing. I mean, we saw it just in terms of load on our system. So we saw over a three-month period, basically over a 12-week period, about a 12-month growth in Internet traffic. It just was, you know, everything was going online massively, and including a lot of corporate traffic. So yeah, that acceleration really happened. My sense is that, you know, if you read about the vaccines and the testing, we're still in this for months, this is not going to be over by Christmas or in three months, there's not a magic solution, which means I think a lot of this homeworking or flexible working is really ingrained. And what do you think that is going to imply about the security landscape? You know, if we go out a year, two years, five years from now, what's going to stick and what's going to be, what's coming down the pipe? I think we've underestimated how fast we and how well we would handle this virus from the very beginning. We've constantly been overly optimistic about how fast we'd get back to work, how fast we'd open up. Look, even in Europe, where things were good for way faster than the US, like the numbers are coming back up as an example. So it's just going to be a thing we're going to have to manage. And like you say, probably live with for some time to come. But more important, I think it's shifting, it's causing a shift in patterns of work, as you suggest, you know, perhaps, you know, there'll be less in person visits, you know, for selling less, you know, fewer in person meetings, they'll come back, but but fewer, a little bit more flexibility in terms of letting people work from home. So you can have a much more hybrid model in terms of how companies operate themselves. And I think it means a few things for, for us in a cybersecurity landscape, I do think it's going to continue to shift, put a premium on that identity based architecture, we talked about that, you know, the Zero Trust model, authentication is going to be key, but it's really the it's really going to going to be the combination of can I trust the user? And can I trust the device in order to make a decision of do I trust this session? Do I trust this transaction? Right? Because at the end of the day, like if you're the the application, you're the, you know, like, I might be an online banking application, I might be, I might be zoom or teams. And a user wants to access a meeting, they want to access a transaction, the application itself needs to determine, is this the right user? And not only are they the right user, but as we talked about, are they coming to me in a trusted fashion, meaning the machine's not compromised. And so I have to have the right endpoint security, as you as you say, yeah, a test that it's not been compromised. Yeah, user is able to authenticate themselves appropriately. And, you know, with video, and unfortunately, for zoom, there was a lot of noise about that early on. Right? Well, you know, that was an authentication problem, right? People were getting into access, you know, people were getting into sessions that shouldn't have been able to get into those sessions. Yeah. And there's been a lot of work to fix those, those kinds of challenges. And then, and then obviously, it's back to you got to have a trusted connection between user and application. And, you know, what we've seen is, you know, forever in security, we've talked about the enterprise perimeter, kind of going away, we've been talking about that about the last 10 years, right? Enterprise perimeter is going away. You know, if you're in certain parts of the security industry, you've been marketing that for a long time, the perimeter, blah, blah, blah, it was sort of gone. It was moving in the direction. I think what we've seen now with the, you know, the pandemic is it's really pushed the perimeter inside out. And so organizations can no longer rely on just kind of you're in the network, you're trusted, you're out of the network, you're untrusted, and you VPN in on a course frame basis, because you might not VPN in, I might be coming in over a zoom session, I'm going to be doing a lot more transactions that are point to point between me and the application. And that requires a bigger premium on identity, device trust. And it requires smarter analytics on the back end of the application side to make sure that I don't see anything from a behavioral standpoint that that also would lead me to distrust the connection as well. Yeah, that knows you bring up an interesting point, which is around the analytics, because I think one of the things we've seen, obviously, we've tried all these security services, performance services, is that, you know, any of the every, every large customer is they want logs, and they want them as fast as they can get them, and they want them into their into their platform, their Sumo logic or Splunk or something like that. And this, this to me is an interesting problem, which is that we're actually now, you know, we're talking about how we can do so much now online, but by doing so much, we're now creating this incredible amount of logging data. And now, you know, security teams are trying to try to tackle that. So that seems to be like the next problem that people are going to really have to concentrate on is how do they deal with this, this huge amount of event information. Yeah, it's interesting, because the log is really the, you know, the source of core information to, you know, upon which you run the analytics to determine, you know, do I trust or not trust, you know, logs, you know, look, when we first started looking at Sam, you know, using Sims, it was mostly, hey, we captured logs, we kept them, they were used for compliance reporting purposes, the initiative, they started to become about alerting, you know, and again, it was really rules based coarse grain. Now, the log is the source of information for, you know, real time decisions that are being made, you know, a lot of which are correlating a lot of, you know, number of different events, context elements together, in order to be able to make, make fine grained decisions. So I think, and because we're doing more point to point application, we're relying a lot more heavily on the application itself. And so, you know, one of the one of the other trends we're seeing is obviously a shift more towards security at an application level as well, right? Because, again, when we all lived in a world, an enterprise world, where all the applications kind of sat behind the firewall, so to speak, and, you know, we had an internal security apparatus, there wasn't, you didn't need to pay as much attention to the security capability or the security posture, if you will, the architecture of the application itself. And I think it's one of the other reasons why you're starting to see a lot more activity amongst, you know, security, you know, being provided to developers and, you know, security being instrumented into the applications and monitoring the applications themselves for not only for performance, but for behavioral anomalies, from a security perspective, because that, you know, you can no longer rely on this kind of shell, you know, sort of, you know, sort of exoskeletal approach to security. Right, right. It's interesting, because that approach, that sort of brass kind of approach is, it's always had a hard time getting traction, just because it required instrumenting the app, and people were worried about performance problems. But it does seem to maybe that's the next thing that has its day is really getting that event information from within an application. Well, you know, I think, look, it's a logical extension for, you know, a lot of the, you know, the folks that are in application performance, you know, performance, you know, I think you're going to see, mostly going to see that shift from a operational only, I want to say, an operational first focus to application performance becoming something that gets more broad, and becomes about a little bit more about security and eventing. Because ideally, I think, you know, you can learn more, look, the activity that's happening in an application is going to give you, again, it's back to the Zero Trust architecture conversation, and give you a lot more fine grained point of view on whether or not there's a trust issue here than just kind of watching what's going on coarse grained over the over the network itself. And so I think, I think both are important. Like I said, the rails have to be solid, but then you have to understand what's going on inside the train. Listen, we got a few minutes left. And there's something else I'd like to switch gears and talk to you about, which is, you know, if you've been in the cybersecurity industry for a long time, you've met a lot of people, and there's a lot of people who are attracted to that. But we don't have enough people doing this kind of work, right, this now becomes central to keeping organizations safe. So, you know, what are your thoughts on how we go about nurturing the kind of talent we need to keep ourselves on lock, you know, safe online, given that our entire lives have gone online, basically? Yeah, it's been it's been a kind of a persistent problem. I think it's getting better, because cyber is becoming more mainstream. And I also think, look, economically, you know, cybersecurity companies are doing well, the ones that are publicly traded, you know, like you guys doing well in the public markets. And so, look, naturally, people who are talented, you know, they're gonna look for a couple of things, can I solve hard problems? We got that in spades in cyber? You know, can I make a difference that I think that matters? You know, in fact, one of the things that was always important to me at McAfee was it, you know, reminding people that we have a mission here, like, we're trying to keep people safe. And I think that's really important. You know, we actually people ask people to sign that mission, that call it our pledge. And I think that it's something that's always been personally important to me. And then can they earn right? Can they can they are our cybersecurity jobs lucrative? And, you know, you see the, you know, the, the moves people are making, I think, I think we can certainly say yes to that question. So I think there's some economic sort of economic momentum behind people getting into cyber. But look, technology in general, continues to be good. And so we're going to be competing largely in similar talent pools, and need to continue to do our part to make sure that cybersecurity is accessible. You know, I think if I rewind the clock back 10 years, in some ways, this cybersecurity was felt a bit like a club and a little bit like, hey, it was almost like a skepticism, like sort of you weren't in cyber, you know, and you were new to it, you sort of, you know, people kind of looked at, you know, in a weird way. You know, as a guy who's been around it forever, I don't see that as much anymore. I think, you know, it's much more of a, hey, you want we want you to come join the, you know, come join the team. And, you know, I think that's, you know, it takes a long time for these things to manifest themselves with, you know, students in school, you know, high school, going to college, coming out, graduate programs, etc. But I'm encouraged by cyber becoming more mainstream and that opening up opportunity as well as desire for talented men and women to join into cybersecurity companies, government roles, etc. One of the things that I found striking about cybersecurity, first of all, the term cybersecurity has become acceptable. It was at one point a little bit of a joke, it's kind of cyber sounds a bit funny, but now it's like a perfectly fine setup. But a lot of the people I've worked with in cybersecurity, they don't have a very conventional, straight up degree kind of background, a lot of diversity of backgrounds in cybersecurity. And I think that's very encouraging, because what you need is, it's, you know, creative people, it's a very complicated world. And it's not just when you got the right degree or the right piece of paper. I think that's a really important point. I'll give you, you know, to your point about cyber, you know, I always like to joke, I'm actually one of the people who actually was in cyber before we ever used the term cyber, was one of the people debating, like, should we call it cyber? And I remember somebody said to me, he's like, you know, if I'm on a plane, and I tell somebody, I'm an infosec, they sort of look at me funny. But if I say I do cybersecurity, they say, that's pretty interesting. So that was, yeah, I think that was a turning point for me a while back. But, um, you know, what I what I, what I like about our opportunity here in cyber is, as you say, we're driving technology. So all the disciplines and the educational building blocks for a good career as a software developer, or anything in technology is very relevant. But what's interesting is, like, we have this adversary, who, in some ways, there's a there's a behavioral component to what the adversary does, that needs to be understood. You know, it's, it's why, you know, security companies have developers like any software or hardware company, but they also have, you know, labs, and they have, you know, threat teams and threat researchers who come from all walks of life, they're, you know, some of them are technical, some of them are more behavioral, some of them come out of law enforcement, you know, where there's a whole, there's a whole discipline of psychology around, you know, sort of the attacker and how they function, how they think how they operate. Right. So I always like to say, what makes our jobs interesting, as well as hard in cyber, is we have to keep up and drive with all the changes going on in the technology landscape. But we also have these attackers that just randomize everything that we have to worry about. And you got to be able to think about both, because it matters in your product roadmaps, it matters in your delivery, it matters in your interfaces with customers and the issues that they're facing and dealing with. And like I say, in some respects, it's exciting. In other respects, it's hard, it can be thankless, you're often wrong. Yeah, it's hard to prove that you've done a good job. And, you know, because usually, usually, like you're on the other end of something bad has happened. And that's how people know that, you know, wasn't really working. And so it's a challenge, but one that's very necessary. And when people do get it, right, I do know that there's a good reward there. One of the things that we're going to run out of time, but one of the things that we touched on just there was that, you know, that that great variety of backgrounds and people involved in cybersecurity is one of the reasons why I think it's so fascinating, because the teams that work together, there are a group of people with different skill sets. And it's really fascinating to watch that work and go up against an adversary. Yeah, it requires all you know, like, for example, you know, so many cybersecurity companies now are all about data science and analytics. That's a found that's basically becoming table stakes to being able to effectively compete in the space. And, you know, you find data scientists come from all walks of life, they don't necessarily come from McAfee, our chief data scientist, you know, she was, she is so still there, or she's, you know, she's comes from a biomedical background, right? She was a chemist at one point. So, you know, she learned her craft that way. And so, you know, a lot of the more traditional folks who understood threats would kind of get together with her and kind of help her understand like, this is how you need to think about the models, such that they become good at identifying the threat actors out there. And that's a, you know, that's a perfect example of the of the interdisciplinary approach that often happens in many companies that are trying to solve the same problem. All right. On that note, we have 15 seconds left. Chris Young, thank you so much for doing this. It was great to talk to you about this. Hopefully, in 10 years time, I get to talk to you about something different. And we've solved all these problems. But I'm not 100% positive that will be true. But thank you so much today. John, thanks very much. My pleasure.