🔒 Cloudflare’s CIO & CSO — On Privacy and Compliance
Presented by: Joe Sullivan, Juan Rodriguez
Originally aired on December 14, 2021 @ 8:30 PM - 9:00 PM EST
Cloudflare Chief Security Officer Joe Sullivan and Chief Information Officer Juan Rodriguez discuss the challenges faced by businesses around the world — and approaches to solving them.
English
Privacy Week
Transcript (Beta)
Hey Joe, how are you? Hey Juan, how are you doing? I'm alright. Fancy meeting you here.
Yes, we don't talk enough to each other. We got to meet like this in Cloudflare TV.
Yeah, this is fun. I'm glad it's Privacy and Compliance Week here at Cloudflare, so we get to share what we typically talk about with a lot of other people.
That's right. And hopefully to give a little bit of insight to people that may be watching on some of the things that we talk about every day, some of the things that we deal with, and how do we make sure that compliance and privacy and security is one of the things that is top of mind for everyone in the company.
Yeah, I joined Cloudflare in 2018.
And when I joined, we had PCI as our one certification.
And the sales team, this is the funny story, when I accepted my offer at Cloudflare to start, it was a month and a half or so before I was going to start.
And so I had this interim period where I was talking to a couple of people about my job.
And one day I was out and my phone rang and I answered my phone. And it was a member, I was an employee from Cloudflare calling to welcome me to the company.
And it was this guy, John.
And he was like, Joe, it's John. I'm like, John, who? And he told me his last name.
And I was like, he's like, I'm calling to greet you and welcome you to Cloudflare.
I'm like, oh, are you on the security team? You're going to be part of my team?
He's like, no, I'm in sales. I was like, why are you calling me?
I haven't even started yet. He said, I want to tell you your number one priority will be when you get to Cloudflare.
I was like, oh, really? What is it? And he told me a compliance certification that he really cared about.
Literally, the guy called me a month before I started my job at Cloudflare to tell me the importance of getting the security certifications.
Oh, wow. That's pretty good. I didn't get a, you know, my welcome before I started was with you and some of the other part of the team was spending like a week with you guys.
That's pretty good. So one of the things that probably people, you know, in a company like Cloudflare that I think that they would be interested to know is, you know, where privacy and compliance really are the heart of what we do.
And, you know, part of our missions and core values and things like that is, what do you think?
I mean, you know, that we can tell people out there that what are some of the most important things that make that happen, right?
That is something that, you know, permit, you know, becomes almost like part of the furniture, if you want to call it that way.
It's not like we have a security team that nobody wants to talk to, if you want to call it that way, right?
Right. Well, that was the, you know, that was like that greeting I got to Cloudflare in 2018 with the salesperson calling me, telling me about the importance of a certification made me think a lot because when I got to the company, what I found was our customers wanted to talk to my team.
They wanted to know, how do you do security?
And it's fun to talk about what you're doing to do security like the first five times.
And then you're like, okay, now leave me alone so I can go actually do security.
And that's where the certifications come in. And that's the thing I've come to appreciate.
So yeah, we had the PCI certification in 2018.
We've renewed that every year since. So we're still PCI, but then we also went and we got the ISO 27001 certification.
We got a SOC 2 Type 1 certification.
Then we got the SOC 2 Type 2 and the SOC 3. And now we're working on some other certifications.
We went and spoke to some of our European customers and we started working with BSI in Germany.
And we looked at the different standards around Europe and we've been embracing those as well.
And if there's a certification out there, I've become a fan of getting the certifications for a couple of different reasons.
One of them, I think the first reason is because when that outsider comes to say, should I trust you as a company, you kind of have two choices.
One is you can go in and interview everybody at the company and see what their practices are, or you can rely on a third party to do that audit.
And that's what the certifications signal.
Each one of those certifications is proof that we've been audited by like strict third parties on a bunch of security standards.
So that really helps our customers evaluate us without having to come in and interview the whole company, so to speak.
Yeah. One of the things that I think also, having done just like you in my previous company where I had like product security reporting to me, one of the things also very important when you go through these certifications, there's a way and a way to do these certifications, right?
One is kind of basically just kind of like have a rubber stamp on a piece of paper, right?
I mean, as we know, a certification is almost like a snapshot in time, right?
But the other thing also you can do from when you're going through the process of trying to achieve a seal of certification is introduce also cultural changes on the way that you work that actually basically you are living every day and you're behaving and operating every day to the standard that that certification sets, right?
Not like, hey, we got the stamp. We're good until next year, right?
Right. Yeah. You don't want the certification to be like that family picture that gets taken once a year where everybody puts on their nice suit and jacket and dress and gets a haircut and poses for the holiday photo.
You want it to be a reflection.
The certification should be a snapshot of what you really look like if somebody came by the house on Sunday afternoon.
At any time. And for example, the difference between the SOC 2 type 1 and the type 2 is exactly that.
The type 1 is a snapshot in time and the type 2 is were you able to keep those controls in place through the course of a whole period of time?
And I think the way we do that is we don't just look at the certifications as that like family picture day.
We look at the certifications as a blueprint for how we operate. And so we use the audit process as a way to drive our kind of engineering roadmap inside security and your team and my team kind of aggregates what do we learn from the audit?
Now let's institutionalize it over the course of the next year. And then if you're really good, then you start automating it because then it becomes it's just it happens without human labor.
And so I think you could look at companies in their certifications and compliance journey as somewhere along that path from like the holiday picture to like fully automated, that holiday picture.
Looking good every time, right?
You're shaved and you've got a haircut and a nice style. And one of the things that I think is very important is in order to be able to do that, there is a certain sort of a tone that doesn't happen by osmosis, right?
I mean, probably.
Talk a little bit about that, right? I mean, like in Cloudflare, how as a leadership team, we make those things happen or we create the environment for that.
And I mean, as you know, in every organization, the team does what the leadership signals is important.
Tone from the top matters. Whether it's like we're a non-profit or we're here to make as much money as possible, or we're here to change the world, whatever it is, tone matters.
And prioritization and rewarding the behaviors that you want matters.
Same thing in a family as in a company. And at this company, we have a really positive tone from the top about compliance and security more generally.
And I think that's for a few different reasons. One is it's what our customers want.
Two, the world has changed and it's what customers and governments are demanding of every company.
And then three, we realize it's a good way to run the company.
It's a discipline, it's accountability, and it lines up with our values around we're a company that really cares about privacy and putting our customers first.
Yeah. And I think that just to add to your point, one of the things that is also very, very important, I think, when you do these things is I've been in organizations where you have a security team.
One of the problems that you can have is basically that everybody said like, well, security is not our problem.
It's the securities team problem. And I think one of the things that is very important is when you set up basically that tone of the discussion, it's like the security team is there to help us and create the frameworks and obviously, and the tooling and all those things.
But security is everybody's job.
The security team is there to partner with you to make sure that we have good security embedded in all the different departments that we have, whether it's IT, whether it's engineering, whether it's whatever.
But it's one of those things that I think is important also from the top is that you're always going to be as weak as your weakest link.
And therefore, security is everybody's job, not just the security team's job.
Yeah. A couple of concrete examples of that. I speak at new employee orientation when we have a new employee class.
And I do it in a Q&A format.
And so I put up a I have the answer. And one of the questions is how many people are on the security team at Cloudflare?
And I let the audience guess. And then I flip to the next slide and it says, no, 1,800 people.
Every single employee at the company is part of the security team.
And the other thing I always point to, and I love our CEO points to this as well.
And he lives this all the time.
We train all of our employees to report any kind of security instance to a specific email alias.
And as you know, one of the neat things about that email alias is, well, there's a couple of neat things.
One is we get lots of reports from our employees.
There's no shame in reporting a security issue. There's the opposite here. Typically, people will report stuff to us and we'll see our CEO respond to them before my team even gets a chance saying, thank you for reporting that.
And when they say, oh, I'm not sure this is even a real issue, he will chime in and say, better safe than sorry.
Thank you for letting us know. And to have a CEO sitting on that email alias, seeing all of those inbound reports and actually engaging on them shows the passion from the top of this company about security.
Yeah. And that is absolutely correct.
And again, I think that just to reinforce that point with people that may be thinking about that these things, again, don't happen organically, right?
You need to create that umbrella and that culture and lead by example, basically, from a leadership perspective to create that type of environment.
And that's one of those things that I think in Cloudflare, we're very proud of that, the culture, the open culture that we were able to create about security and reporting issues.
And as I said, I'm reinforcing the message like, we'll rather prefer you to report even if you have it out than just even if it ends up being nothing, right?
I think that sometimes in some organizations, maybe not so mature from a security perspective, there may be a little bit of hesitation sometimes on how much are we investing in security?
Are we investing enough? Or is this like money that we're wasting?
Maybe we should lower the bar. Talk a little bit about like experience, for instance, about how really investing in privacy and compliance and security also helps from a revenue perspective, good business and things like that based on what we see in Cloudflare.
Yeah, there's no doubt that, well, number one, in the world of security, one of the buzzwords these days is supply chain and vendor security.
No organization operates by themselves anymore.
We are all codependent. We are part of the infrastructure of the technology stack of a lot of other companies and vice versa.
And so it's one thing to look at and figure out the security of your own organization and company.
It's another to figure out how do I make sure that there's good security through the whole pipeline of development of products, building of what we sell.
And that's where compliance really plays a part.
It's like I said, I can look at another company and I don't have to send my team in to audit them.
I can look at the certifications and I can narrow my questions down.
It's not always going to answer all the questions, but it's going to help you.
And so you take that and you see that it's just good practice to have those certifications in place.
And then you realize it unlocks revenue.
Like for us, we got the ISO 27001, and that meant a lot to potential customers in Europe.
We got the SOC 2, and that meant a lot to customers in the United States.
And the business team saw it. And it's interesting because security is viewed not as a business enabler.
It's often viewed as a risk mitigant.
Sort of like insurance. Yeah. You kind of think about in every company, every dollar gets spent on one of two things.
Bring in more money or stop us from losing money.
And if a company only has $1, it usually goes to the bring in more money.
And so the stop risk teams are generally saying, hey, we're over here, give us some resources, please.
And what I've found as a security leader, and I talked to a lot of other security leaders about this at other companies, getting that narrative together about how security isn't just a risk mitigant, but it's also a business enabler is really important.
I think that I started that the day I got here in terms of defining the mission of my team.
It's not just minimize risk. It's also do things to help the business.
Everybody who works at a company works there to help the company succeed.
And it turns out security and trust are things that customers value.
And you just have to, in some companies, remind the rest of the company that's a core part of their value proposition.
I'm fortunate when I got to Cloudflare that the entire management team knew that already.
They wanted to make an investment.
Yeah. And I also think that, you know, one of the things that has been very interesting, you know, for you and I in Cloudflare is that in many cases, you know, we are Cloudflare's first customer, right?
You know, your team and my team.
And, you know, to your point around basically helping generate business, that collaboration, and that may be a little bit, you know, that may not be something that happens obviously in every business, depending on the industry.
But that collaboration that, you know, your team, my team have with the product teams, whether it's like testing capabilities, giving ideas for new features and things like that, that actually then results into things that, you know, we sell customers and we're able to also, you know, you and I engage many times with prospects and customers, you know, and telling them it's like, hey, you know, we created this feature based on our own experience, basically, you know, that we needed this capability, or we were trying to protect this, or we weren't trying to do this.
I think that's also, you know, a very interesting angle that we're not just like, you know, teams that are like there, as you said, like, you know, mitigating risk or providing services, but also contributing actively to a product roadmap that then teams like ours, you know, can consume on the other side, right?
Yeah, my favorite example of that right now is one that your team and my team collaborated on together.
You know, probably the most, I don't know, maybe one of the most high profile hacks of this year was the Twitter hack, where customer support tools got taken over by bad people on the outside of the company, and they were able to then go into the system and manipulate customer accounts.
That won't happen here in that way, because our customer support tool is locked down to hard keys only, meaning you have to have a physical hard key to access that system.
And that is a part of a Cloudflare product, part of Cloudflare access, because we wanted that.
We wanted to be able to say, multi-factor authentication for everything, and some things must be a security key only, and the identity and access provider that we use couldn't give us that level of control to say, okay, you can get email on your phone without a hard key, but the support tool has to be hard key only on a company laptop.
And so we helped build that feature, and we deployed it, and we made sure our support team can get access to the system, but no one else can from outside, even though it's Internet facing.
And so that's a really fun part of the job, to see security in good place.
And it also feels really good when a hack like that hits the news, and the rest of the company turns and said, could that happen to us?
And you say, we're a little bit ahead of that.
That's right. We worked on this, and we were able to basically implement this capability in our product.
And also, as a result of that, we're going to help other customers not suffer from that potential attack as well.
So I think that I agree.
It's one of the things that being in California in roles like you and I, this is one of the things that makes the job a lot of fun, right?
I wanted to see if we could chat a little bit about some of the things that we're seeing in the, you know, there's some companies basically, and I'm talking with people that are still, I don't know if you want to call it whinging or try to figure out, you know, the level of investment on some of these things like, you know, when they design solutions or things around compliance or privacy.
But we're seeing a trend in the market, right?
From, you know, whether it's like GDPR or more data locality requirements, you know, in a lot of countries, you know, Europe probably leading the way in certain areas where this is not becoming optional anymore, right?
I mean, it's more like, you know, either you do it or you can't do business there.
So what are you seeing when you talk, like, with some of the other CISOs and things that are out there about, you know, that how are they processing, you know, basically these almost waves that we're seeing towards these type of trends, you know, in the different countries?
Yeah, I think it's hard because you're right, things are changing.
And there have been some concrete changes like GDPR happened already.
But, you know, with the Shrems decision and what's followed from that, even in Europe, where you have, you know, the strictest, clearest, longest privacy directive, we still don't, we have a lot of companies that still aren't sure how to operate in terms of moving and protecting their customers' data.
So when I'm talking to security leaders at other companies in Europe right now, they don't, they're often looking to us for the answers.
They want us to, they want their product solutions, to your point, to solve the compliance issues for them.
You know, like one of the things you and I talk about is like, some, because sometimes when we buy products from third parties, we have to pay extra to get the compliance version of their product, you know, it's like, oh, you're going for FedRAMP, you, you know, we get that FedRAMP pass.
Yeah, yeah. So you'll pay us extra for the FedRAMP version of the product, or, oh, you, you want to be GDPR compliant?
Well, then pay extra for that.
And that's not something we do. It's really built right into our product.
And that's, and that's what this week's a lot about is highlighting and educating our customers and others about how we've built our products to respect these privacy and security laws.
And, you know, the fun part is, it's easier for us to do than others, because we've always had that value of putting privacy first.
So then, like, if you ask people before GDPR, you know, where privacy was, or where Cloudflare was on the, on the spectrum of companies that care about privacy, we've always been on the, oh, that's a company that's focusing on protecting people and encrypting their traffic.
That's where we've always been. It's who we are.
It's our DNA. And so as the law is catching up with our values, it's, it's, it's a, it's a nice symbiotic thing for us as a company.
Yeah. And I think one of the things that, you know, to your point around, also, you know, the fact that for many of these things that, you know, they're just so embedded on, you know, not just on the product, I mean, the product is a little bit of a reflection of our, you know, from a privacy point of view, and in compliance enablement, you know, it's just a reflection, a lot of our, you know, our values and, you know, our, our, our, our, our privacy commitment is, all the companies also, you know, they, they leverage, you know, data that they gather, you know, from customers as part of using the products, and they monetize that in a way, right, through advertisement, or certain things like that.
So, you know, they may not charge you in the front, but you kind of like our, you know, the company's paying, getting like their money's worth, if you want to call it out of your data in the, in the, in the back.
However, you know, we've never done anything like that. And, you know, we, we, I think that, again, you know, another part of the commitment, basically, that we make to our customers, you know, our own data and privacy commitment is, you know, we're not charging you a subsidy for a lot of these capabilities that, you know, provides for the core product, but we also don't use, you know, your data in ways that, that, that, you know, that they may be harmful, basically, to your, to your privacy and compliance and security commitments.
I think that's important point to make as well.
Yeah, one of the interesting things that I've spent some time thinking about in that area is that, you know, we, we have gone and pursued these security certifications.
And so, you know, they, these are all about security.
And, you know, sometimes people are quick to point out, well, security and privacy are not exactly the same thing.
They're, they're, they're very much overlapping, right?
Security, security is about making sure that, you know, unauthorized people don't get access to your data.
And privacy is about making sure that your data is used only in appropriate ways.
So there are two sides of the same coin, in my mind, and all of the controls you build for privacy are the same controls you build for security.
You know, we think about it from threats from the outside.
If somebody hacks into us and takes our customers' data, it's a privacy and a security violation.
If an insider turns malicious and abuses our customer data from the inside, it's a privacy and a security violation.
And my team and your team work right next to our privacy lawyers on every one of these issues.
But the interesting thing is there, there, there's, there's a certain level of maturity on the security certifications that I talked about, but, but, you know, there's no way to go get quote unquote GDPR certified.
It's still like, I think the expectations around privacy are a bit of a moving target.
And the key thing for everyone to think about when they think about their privacy is the relationship with the company.
What did they consent to the company doing with their data?
You know, like the social media companies are very quick to say, no, like you told us we could monetize that data in the user agreement that you spent so much time reading.
And we, you know, we try and be more transparent and very blunt, you know, about that.
And then there's no certification necessarily to go get.
So a good example is we, you know, we have this 1.1.1.1 product that we give away for free to anyone to help protect their Internet traffic and DNS.
And we, when we launched that product, we made a bunch of promises.
And one of the promises was that we would go and get it audited.
And so we had one of the big four auditors come in and do a serious audit because we said, we're not going to take, you know, arguably we could see a whole bunch of your Internet browsing history, but we said, we're not going to store that stuff.
We're not going to take that. We're not interested in that.
We're not going to monetize it. And so we had an outside auditor come in and audit and make sure that we were living up to those commitments.
And you don't see very many companies go and get those audits. We actually published that one on our website on Cloudflare.com slash compliance.
You can go see the audit we did around how we handle that data.
Most of the time we choose not to get the data at all.
We try, like one of my favorite things from a security standpoint is not having the data.
If we don't hold it, we don't have to protect it.
So I like a company that says, we don't want your data. The more data you have, the bigger the walls you need around the data.
Exactly. Yeah, exactly.
It's like, you know, what's the fastest way to do something, not doing it right at all.
Great. So we have a couple of more minutes. Joe, any last thoughts for, you know, for, you know, people, CISOs or CIOs that are like, you know, getting started on some of this journey or, you know, they want to improve their security on the company that you may want to share?
Yeah. I mean, I think you're right.
It's a journey and there's two kinds of journeys, right? There's a journey that you get like kicked and dragged along down the road when you don't want to go there, or the journey where you're jumping in the car and you're in the left lane and you want to get there fast in a good way.
And my advice to everyone is embrace this.
Like, like, number one, you're going to get dragged along anyway, you know, the laws are changing, customer expectations are changing.
But like, if you embrace it, if you get excited about it, if you recognize it's the right thing for your customers, it will optimize your business, it will make, it will build trust, it will create a halo for your brand, it'll help you and your team get more resources and support if you put that frame on it.
And so I think it's really important.
It's not what, it's not just what you do, it's how you do it in this case.
Yeah. Yeah, I agree with you. Well, thank you, Joe. This has been a great, a great chat and hope that people that may be watching the session, you know, they find it interesting.
You know, if we can help anybody or anybody has a question, you know, customers, you know, you can reach us at any given point in time.
We'd love to interact with other IT teams and other security teams and in customers and prospects.
So thank you so much and Joe, have a great rest of the week.
You too, Juan. I'll see you soon.
