Mentorflare
Presented by: Joe Sullivan, Susan Chiang
Originally aired on January 26, 2022 @ 3:30 AM - 4:30 AM EST
Mentorflare is a virtual series of discussions with leaders at Cloudflare and guests in the technology industry. The sole purpose for Mentorflare is to provide mentorship to students that we were unable to offer an internship this summer. Cloudflare cares deeply about students that have been challenged due to the current health and economic climate and want to empower these students by sharing our resources.
English
Mentorship
Transcript (Beta)
Thanks for tuning in to another episode of MentorFlare. So today we have Joe Sullivan and Susan Chiang, both from the security team.
This is our sixth installment, and it's a virtual series of discussions with leaders at Cloudflare and sometimes guests in the technology industry.
The sole purpose of MentorFlare is really to provide mentorship to students interested in learning about Cloudflare.
In this case, learning about security, both broadly in the industry, as well as at Cloudflare.
Staying connected with industry leaders and also just learning about future opportunities here at the company or elsewhere.
We'll start with introducing ourselves.
We'll talk about some general topics around hiring students in the security industry or new grads or at times even returnship.
Or those coming from a different profession and want to switch into security.
And then we'll move to Q&A.
And thank you to those that submitted questions in advance. We got a lot of great ones and we'll do our best to hit on the key topics.
And for context, I think we asked about 1500 of you to do so.
Jumping to introduction. So my name is Susan Chiang and I lead a couple of functions on the Cloudflare security team.
You know, thinking back to the internship days.
Funny story. I started internship during my freshman year at college.
And at that time, that was highly unusual. And to be honest, I did that because I didn't want to go back and live back home with my parents.
And I knew I needed to find one that paid money so that I could afford my rent while I lived where I went to college for the summer.
And I didn't know what I wanted to do.
And every summer I did a different internship in a different industry, but always anchored around what I identified as my core strengths, which was strategy, program management, and business operations.
So I went from healthcare at Kaiser Permanente to Google to then Deloitte Consulting and started my career in management consulting and Deloitte Consulting.
A very classic career starter for someone who didn't know what they wanted to do in their career, which described me to a T then.
And I continued with the core strengths that I honed over time, both there and then entering into the tech industry, both at Salesforce, then at Uber.
And I met Joe at Uber when I joined the security team. I actually joined the security team because I heard that Joe is a leader that cared about his people and had integrity.
I didn't know very much about security when I joined, but that was the primary reason I did so.
And then I quickly fell in love with security after I got the exposure to it and learned just how interesting it is and just how it's just a continuous curve of rapid learning.
And I've been fortunate to be on the security journey since alongside Joe, both at Uber and now at Cloudflare.
And how has my role grown over the years?
Oh gosh, I would say that I get bored if I don't feel like I'm continuously learning.
And I also feel a lot of imposter syndrome whenever I take on that new rapid growth of learning.
So I've been fortunate to have managers and mentors and sponsors who've increasingly grown my role before I feel like I'm quite ready.
And what I've always held on to is realize my value and my core strengths from my first day of internships.
Understanding strategy, program management, and business operations and use that as core pillars to expand into areas.
For example, security at Cloudflare is very technical. So how do I expand that into learning about the areas and grow from there?
So I now lead four functions at Cloudflare, both around program management, business operations, strategic projects, as well as physical security.
I'll turn it over to Joe now. Thanks, Susan.
Hi, everyone. It's awesome to be spending time with you today. So yeah, my name is Joe Sullivan and I'm the Chief Security Officer at Cloudflare.
I started at the company a little over two years ago.
My journey into the world of security is probably unique, but also similar to that of a lot of people from my generation, if you will.
One of the nice things now is there's a lot more structured paths into the world of security and a lot more defined opportunities for internships and roles.
The whole concept of a security team inside a company is much more developed than it was when I started.
To take you back on my journey, I would say that my first experience in security started when I was in college and I got a job as a bouncer at a bar.
It was my job to stand at the front door and decide who could go in and who had to leave.
I started learning the people side of security as I was learning the technical side of things.
I became a prosecutor and I was a federal prosecutor focused on cybercrime in the late 1990s.
I went in that direction because it was interesting to me personally, the combination of law, social impact, and security.
Security for me is about helping people and being there to manage risk for an organization and for a broader community.
I didn't have a lot of the traditional development opportunities that have slowly come into the security world and are now available to people who are just starting to crack in.
In some ways, it was easier for my generation because we got to make it up as we went along.
Now, there's a lot more discipline and structure and there are also a lot more people coming into the profession.
I think that both are good things.
I'm happy that we are now in a world that prioritizes and values the security profession.
I think that a lot of us who have been in security teams in the past were used to the leaders that we were underneath feeling like they weren't really treated as leaders.
That's no longer the case. As an executive at Cloudflare, I'm treated as one of the executives that runs the company.
It was the same thing at my last two companies.
My background was I was a federal prosecutor and then I saw that as a prosecutor dealing with cybercrime, I was mostly just involved after the bad thing happened.
We would come in and working with the law enforcement agencies have to bring consequences to the people who did bad things online.
That's very reactive. My favorite part about being on a security organization is that we're proactive.
We're trying to identify risk and make it go away before the bad thing happens.
I was convinced to come into eBay in 2002 and work on what we call trust and safety, trying to make it a safe experience for the people who are buying and selling on eBay.
I then moved to Facebook in 2008 and focused on building out the security organization there and I was the CSO at Facebook.
From when we were smaller than MySpace to over a billion users in a big public company.
Got to see a security organization grow up and then I met Susan and we built out the security team at Uber and together we've been building out and really helping grow the security team at Cloudflare.
I kind of view this conversation today as an extension of the one-on-ones that Susan and I have every week.
We spend a half hour to an hour every week talking through how to be intentional about building a security team that can be effective in a modern tech company.
We built this security team at Cloudflare in a very intentional way with interns, with people right out of college, with people out of grad school, with people with lots of experience.
We've prioritized bringing together the different pieces of the puzzle.
A big part of that is we like hiring interns and we love hiring people right out of school from all different kinds of backgrounds.
I think we have a lot of interesting things to share today.
I think so too. It's very true.
I think the live streaming of our one-on-ones would not be too dissimilar to the conversation that's about to occur.
Just to start broadly, because there's so much that we can talk about specific to our last two years at Cloudflare.
As you mentioned, you've built and led a number of security teams during your career and also advised many others.
What are some similarities and differences you see across industries, including governments, regarding hiring new grads or interns into security?
Yeah, it's funny. I remember when I was graduating, I made the academic path choices to go to law school.
Honestly, I think back when I was a college student, I really never met many lawyers in my life.
I didn't actually understand the profession when I chose to go to law school.
I quickly learned that there are so many different types of lawyers.
There are the lawyers who stand up in a courtroom before a jury, and then there are the lawyers who help people write their wills, and so many other types of jobs in between.
I think that the security profession is even more complex than that.
By just saying you're going into security, you could be doing 100 different things or 1,000 different things, because there are so many options.
What I like to tell people is, I don't think you want to just get in a narrow lane in security and stay in it unless you absolutely know you love that.
You really want to, pretty early on, take the time to understand how broad a field it is and how different the roles could be.
Just on our team, in a particular type of company, we have so many different skill sets.
We hire people who are really good at organizing a process and managing cross-functional teams to execute.
We hire people who have deep technical expertise in very narrow areas of hardware and everything in between.
Sometimes we need a teacher, sometimes we need a technician, sometimes we need a nurse.
We need all kinds of different skill sets on a security team.
Then, like Susan said, what governments hire for often is very different from what different types of companies hire for.
I think about myself as a security leader.
I've chosen to stay in the tech company realm because I like how we approach building security teams and the role that we play inside our companies.
I think I could have found an equally rewarding different path staying inside government.
I enjoyed my government roles, but they were certainly very different.
I also see the skills that are valued are different. I've been on stage on panels where I've been the representative of tech companies talking about what we're looking for in a student who's coming into the profession.
I'll be sitting next to a general coming out of the military talking about what they're looking for.
It's not even the same. The certifications, the experience that they're looking for is fundamentally different from what I'm looking for.
What they'll look for on a resume in terms of there's some acronyms they want to see are completely different than the acronyms I want to see.
I think you need to step back as someone coming into the profession and learn about the different roles.
What's the difference between pen testing and sitting in a sock? What's the difference between doing product security and infrastructure security?
Do I want to spend all day in meetings talking with people, moving things along?
Do I want to spend long hours sitting in front of a computer looking at code or building something?
Are you a builder or a breaker? There's probably a lot of different things that we could dig into on this.
Yeah, that's a great point.
I had a similar experience recently where I was part of a webinar and I followed somebody who, as they delved into their key points, I realized my key points in a lot of ways were very opposite of the points that they were hitting on.
I think that actually shows just the breadth of opportunities in security.
There's a home for many paths that you choose to take, whether it's very structured, because there are companies that have very structured internal organization, and that may be the right fit for you.
Whereas a lot of times, Joe and I talk about just the incredible amount of ambiguity, right?
We know there's a problem in that general area.
Now we want to find someone who is capable of figuring out, finding order, and understanding that at times can be chaos and ambiguity.
That may not be a fit for everyone either.
I'm kind of diving into that, and I'm smiling because we're about to have some reminiscences to conversations in the summer of 2018.
Can you talk a little bit about what you alluded to around the values when you started hiring the team at Cloudflare, and how that translates to what we look for in candidates?
Sure. The two of us wrote a blog post about that, and I definitely encourage people to take a look at it.
We published it for International Women's Day earlier this year.
When we started doing a lot of hiring for this team, we thought about diversity.
We wanted to have the most diverse security team possible, and I mean diversity in every sense of the word.
We wanted to have people who were representative of different communities.
We wanted to have people who were representative of different backgrounds and experience levels.
We believe the data and the research that shows that diverse teams make better decisions.
That's really worked out for us, I think.
We also recognized that taking a bunch of different ingredients and throwing them in a pot together doesn't make a delicious meal.
In fact, you could get a lot more conflict if you take people who don't have similar backgrounds and just throw them in together.
We really prioritized the culture of our team around collaboration.
I think we really value EQ and the ability to communicate.
To go deeper on that value of communication thing, when COVID-19 happened and we went to being a fully remote team, one of the things we did as a company was our CEO started doing these fireside chats with business leaders from technology and other industries to get the company thinking strategically and not just falling into the moment of COVID.
As a company, it was a great stimulating thing, and we decided to do the same thing for our team.
I worried that as a team, we would stagnate in our career development while we were all forced to work remotely.
We would just get trapped thinking about what's the task of the day?
How do I just get through it?
I asked five different security leaders to do fireside chats with me during the last quarter.
One of my favorite responses from one was I asked a woman who has been so successful in her career.
She was running a security organization, and then the company asked her to run product and engineering, so all the technology for her company.
I asked her, what was the skill that would surprise my team that has helped you be so successful as a security leader?
She said, writing.
We were all just like, what? Writing? She explained how in her role as a security person and growing into an executive, communication is so critical.
I think we have valued that on our team.
A lot of our job is risk detection, but even more of our job is risk mitigation.
We identify a problem, an area where the company or our customers could fall short.
What we need to do then is influence the company to fix the issue.
It's not enough to just point out there's a problem. You actually have to get people to rally around it and want to fix it.
In a world of always finite resources, we have to be the advocate for spending our precious resources on reducing a risk.
In every company and organization, there's always the tension.
We have limited resources. Do we build new products or do we patch the holes in the old ones?
You have to find the right balance. We're going to be the advocates of managing the risk.
We also need to have that business perspective, like Susan talked about, of understanding which risks are important.
That means you have to be able to zoom out from just looking at all the problems and think about the opportunities for the company.
I don't think any of us are too early in our career to start thinking about these concepts of communication and business judgment and weaving them in with the risk work that we do.
To build upon that, for those of you hearing some of the key skill sets and values we look for and are worrying, I don't think I have those.
We're not looking for all those attributes in every candidate.
That's why diversity is extremely important. We understand that we don't want to hire the same person with all of these attributes.
We want to build a team that together has all of these attributes and can help each other be better, both within the team and also help our whole team be more effective with others.
This is where I feel very grateful that we, for example, started building a PM organization right out the gate.
We knew that to help our engineers be as effective at working across the company and working across our rapidly building security teams, having a PM that really focuses on being the glue and working on planning and prioritization was very important.
To your point, the very opposite.
We needed niche hardware engineers who understood very specialized aspects of what is a competitive advantage of how Cloudflare operates.
Go ahead. Just jumping on that point.
I think what it means for someone who's early in their career or just about to start is don't sell yourself short on the skills that you have that might be on the soft side of things and just focus on the technical things.
We're looking for well-rounded people who can be part of a team and organization and kind of like row the boat in the same direction together, but add different strengths to it.
I sometimes see resumes and I'm trying to find out who's the person behind these certifications or this degree.
I think the candidates who are willing to show a little bit more of themselves, not afraid to talk about, if you worked in retail in high school or in college and did the things on the side that I did, I'm going to value that and I'm going to want to see that you're more than just following the formula, that you have a broader perspective on the different types of roles and the different things that you can do to put yourself through school and get yourself ahead.
That's a great setup to just start diving into some of the questions that were pre -submitted.
We've organized them around a couple of categories and you hit on the first one really well.
So let's talk about degrees.
There were a number of questions that were asking just first and most broadly, are degrees required to enter into security?
Not on my teams. I have a funny story back when I was the CSO at Facebook.
We were interviewing an intern. It was a candidate to be an intern.
I think he was halfway through his junior year in college and he came in.
We flew him into the Bay Area and he interviewed and I was sitting with the interview team afterwards and we were talking about the candidate and someone said, I would just hire him for my team right now.
And I was like, well, let's dig into that.
And we actually concluded that he had done so well on his interview process that we would actually hire him for a role on the team.
And so we said, why are we limiting our perspective to just hiring him as an intern?
Is it the right thing to do to only offer him an internship or should we just offer him a job?
And it was funny, the person who'd been managing the relationship said, I think his mom will kill us if we give him a job and he has to drop out of college.
But we decided, look, if the person's qualified to do the job, why should we not tell him he's qualified?
And so we came back to him and we said, would you like an internship or a full -time job?
And he said, I would like the full-time job, but can we do a little bit of scheduling stuff to work it out so that I can keep working towards my degree?
So we hired him as a security engineer without a degree.
We were worried that we were going to burn bridges with his academic institution because he was a referral from a professor there.
So we kind of talked to the professor a little bit too.
And this person joined my team at Facebook, was successful there, and he's moved on to be successful at a couple other companies and I followed his career all along.
He worked on our team at Uber as well, and he's now doing quite well at another company.
And I don't know if he ever went back and got his degree, and I don't think it matters.
That said, there are other organizations that are going to be a lot firmer about requirements.
I think in the tech company world, we're more focused on your ability to get the job done than any pedigree.
But I'm not naive. I know that in a competitive world, employers are looking for ways to filter through the noise of lots of resumes.
When we made our internship program remote for this summer and gave people the opportunity to work from lots of different places and other companies were cutting their intern programs, the sheer volume of resumes we got put a lot of pressure on us to figure out how do we get through thousands of resumes in weeks?
You can probably speak to that.
What were you looking to see pop out of that resume? Was it a pedigree or was it something else?
That's a good question. I would summarize as I was looking for objective indicators of success or aptitude to be on a security team.
And to your point, that included a lot of what a lot of times are categorized under soft skills and also diversity too.
One thing that I feel increasingly strong about, especially in a hyper-competitive environment, is the comeback of the cover letter.
We have more than one intern on the team that perhaps just by resume didn't pop out amongst the hundreds of others I looked at.
But when I looked at their cover letter, they genuinely spoke about their passion, their interests and what they've done to build towards that and how that aligned with what we were looking for.
And we knew that this person was not only invested in having a good experience, they were passionate about growing in that experience.
So that's definitely one thing we look for.
And to Joe's point about the degree, it doesn't matter as much about what degree you got or what major you got or what level of degree you attained.
It's what you're able to show of what you did with that degree. I would never trade the degree I got for anything else, not because of the school or the major, but the people I got to meet, the experiences I got to be a part of and the opportunities it afforded me.
It's what the value that I got out of it and then was able to translate into my value to give to the teams that I then joined.
And just to highlight, just to hit home what Joe has said about our specific team, when I look back on our current security team, we have everything from people with no college degrees, people with community college degrees, bachelors, masters, PhDs, and they're all thriving.
And we have everything from very technical degrees to multiple psychology majors, accounting majors, business majors, history, English, just all over the gamut.
And I genuinely feel like we're better for it.
And something I talked about last week on Cloudflare TV is our COVID response and business continuity is in a lot of ways executed really well because we have a communications major driving it, right?
A lot of it. And really able to use that skillset in conjunction with leading a global physical security function.
So that just kind of circles back to Joe's point about diversity and what that brings in a lot of situations.
Yeah, I think that one other thing that we focus on that might be different than outside of the tech industry is we do value and expect a baseline of technical ability, but I actually think we focus more on the build side than the break side.
And I would encourage everybody who's going into security to think about that.
I remember saying I would rather see your GitHub than your certifications.
Meaning I wanted to see you were practically hands-on good with technology, that you weren't afraid to try and build things.
As someone who's gotten to hire and manage both engineers and lawyers, I really enjoy managing engineers more than I enjoy managing lawyers because as lawyers, we have a tendency, we look at words and we break things down and we split them apart and we dissect them.
As security professionals, we look at technology, we break it down and dissect it, but we also build it.
And fundamentally, the companies that we work at and have worked at are building companies.
We're on a mission to build a better Internet and help build a better Internet at Cloudflare.
And that means that the people around us are builders. And when we talk about the values of our security team, we don't just talk about we're a risk management organization.
We're here to reduce risk because that's honestly too vanilla and wouldn't resonate with the rest of our company and wouldn't inspire our team to go do the things we want to do.
We think of ourselves as builders.
We're here to help build an enduring company and a better Internet. And that means we're looking at resumes and trying to find people who want to build.
I think it's easier to teach breaking than it is to teach building. And it might be easier to learn breaking than it is to learn building because building takes a lot of patience.
It takes a lot of self-criticism. It takes the reality of if the code doesn't work, the code doesn't work.
If there's a vulnerability, there's a vulnerability.
And it's working or it's not and you just got to be persistent. And so I think we look for that build mentality.
And then I think especially with people coming right out of school, we're not looking for a finished product.
We're looking for potential.
I think about the interns that we have had who have turned into employees on our team.
We took them as interns to see if they had potential, to learn about them.
And the ones who've made the transition to employee for us are the ones who were learners, who were sponges when they got inside our environment.
They didn't wait to be taught, they asked. They didn't wait to be invited to meetings they joined.
And I think that something, Susan, you said about when you're talking about yourself, like every time you started something new, you feel imposter syndrome.
We all do. It doesn't matter. One of my favorite quotes from 2020 was coming out of all of the Michael Jordan TV series on ESPN, the career retrospective on him.
And someone tweeted about it and said, even Michael Jordan had imposter syndrome.
He was the best player in the league, but he hadn't won a championship yet.
And he felt insecure. Best player in the history of the game felt insecure, even when he was on the top of his game.
And I think we all go through that.
And if you let that hold yourself back from applying for a role or putting yourself out there or asking to take on projects, you won't get very far.
But if you put yourself out there, the worst thing that can happen is you get told no.
But if you get told no, you're at the same place you started. So it's not really, it's not a setback.
It's just an experience that will help you grow. It's funny because something you said to me recently and Jess, but really hits home on how I've grown with my own imposter syndrome is that it hasn't necessarily lessened in terms of how often I feel it.
But you mentioned that I've learned to say yes.
Because I've learned through repeated experiences that even if I didn't feel confident in myself when entering into something, I now have a track record of succeeding.
And I can lean back to that. And the first step is just to say yes or to your point, to put yourself out there.
I know a lot of the people, when I've been talking to people in school right now or who just graduated, there's a lot of anxiety about the changing job market right now and the economy.
And I think that security has become more important in this new normal world.
And security hiring is going to continue happening.
And so I think people need to keep putting themselves out there.
Understand that a lot of companies kind of slowed down hiring in 2020 because they needed to step back and understand the impact of the economy on their business model.
And if you didn't get the job you wanted right away, that doesn't mean you should give up on the profession or compromise too much.
I think you want to keep doing the things that are going to help you build.
Sometimes we all have to take jobs to pay the bills. Not everyone loves every job they've ever had.
But you can still go get experiences, even if you have to do something outside the profession in order to get by during this time.
I think you want to keep the passion up and you want to keep doing things on the side.
There are still lots of ways to continue to develop your resume and your experiences, even if you don't have the right job right away.
And I think you just got to keep putting yourself out there and keep trying.
And I'm really optimistic about this profession right now.
I am too. And while it may seem like we're going off script, which is actually very commonplace for us, I assure everyone that we're actually hitting on a number of questions that have come in about these things.
And I do want to go back to something you said about builder versus breaker.
We recognize that a lot of you interested in security got interested because of how fun and how exciting and thrilling it can be to break things.
Right? A lot of folks get started in security by doing some fun hacking or breaking things.
And this, a lot of times, translates into a lot of focus on capture the flag competitions where you get you...
For those that aren't aware, these are competitions organized around being able to break a particular problem that are set out.
And they've become very popular across the country.
And Joe, I'd love if you could touch on just how, what do you value out of capture the flag competitions?
And what do you caution people around that?
Because we've talked about how sometimes a message can get lost about what the real value is versus what else people should be focusing on.
Yeah. Honestly, I think if we wanted to hire a million pen testers, we could, because I get a million pen testing resumes.
And the resumes that stand out to me are the ones who, people who do have some experience with the things like the capture the flag.
I think those are good skills to develop.
Like there's some collaboration, there's teamwork, there's understanding different types of environments and having to adapt under time pressure.
So there's some good things in there. But we're looking for, in parallel to that, kind of the two things we talked about already, which is the ability to build and the ability to communicate.
And so, and I think that we're pretty good at teaching people how to break and to communicate over time on our teams with opportunities.
But people who don't come with that builder mindset are harder to find.
I like, or harder to like have them succeed and be nimble in their career inside the company.
If you have a good technical foundation as a builder, you can do so many different things.
And just to translate that into something specific on the resume, we actually get cautious if we see only offensive experiences on your resume because fundamentally to Joe's point, what is at the heart of us internal security team is building and preventing and collaborating.
So when we see just offensive experiences, we worry that that person, that may be all you care about or what you want to do.
And we worry then that what we're hiring for is not a fit for you.
And so for those of you that are very interested in Capture the Flag competitions, we're not saying stop doing that.
They'll also find blue team opportunities, whether within those competitions or adjacent to that.
And to Joe's point about GitHubs, attending a competition doesn't tell us what you are actually able to do.
It tells us you participated in something.
So if you can turn what you are able to build or do and put it somewhere public that a hiring manager looking at your resume can look at it.
Or for example, if you applied that to a Bug Bounty program and are able to talk about that in some way or show the statistics of your Bug Bounty program, what are some other ways that you've seen that can be kind of objective indicators of what people can do in security when you look at candidates or even interview them?
You raise a good point about the Bug Bounty programs.
I've hired a number of people into the companies I worked at that we met through our Bug Bounty programs.
People who lived in different countries, spoke different primary languages, but showed through their work in Bounty programs that they had a breadth of technical skills.
So if we could go into the Bounty program and look and see, here's a person who, they found web application vulnerabilities at company A and got paid for them.
They did some research on infrastructure vulnerabilities for company B.
And you can learn a lot about a person and their technical ability.
And Bounty programs are a great way to get actual experience in real environments that are real world.
One of the things that I've learned in my career is that what's happening in the academic world and what's happening in the real world diverge quite a bit at times.
There's a lot of theory in one place and there's a lot of practical reality in another.
And they frequently don't meet. And I mean that in a few different ways.
So number one, security in the real world, it's not all glamorous.
It's not like researching some amazing new technology. Most of our security issues are around the basics.
It's are we hiring people who are ready to roll up their sleeves and work their way through?
How do we get identity and access management to work well?
As opposed to let's go work on some theoretical encryption solution for five years from now.
We're much more looking for practical operational skills that come from looking at real technology.
Also technology changes so fast.
And going really deep on a particular coding language seems kind of dangerous to me because different companies use different languages.
And what's the most important language for development seems to change fairly quickly.
And so we're looking for people who have experience across a few different types of languages and are more practical than theoretical, I think.
And so I like the Bug Bounty programs.
I like internships at different types of companies.
I like projects in different realms of security. We're looking for curiosity and people who aren't afraid to dive into different types of technology.
And on that point, Ian, you mentioned at the start that we hire for hardware security.
And we actually had a specific question from a student who mentioned that they've been researching hardware security at their university but have been having a hard time finding opportunities outside of academia or defense government.
Do you foresee the private sector expanding its interest in hardware security and or that becoming a viable career path?
Yeah, I think of, to a certain extent, I think hardware security is a 1% problem.
To take a phrase from a different world. Most companies that have security teams are not scaling those teams to be big enough to handle hardware security.
In fact, what are most companies doing? They're getting rid of their hardware.
Most companies are moving to SaaS apps and infrastructure in the cloud.
And that's because there are so many benefits to the company in terms of maintenance and upgrading.
Those things come for free when you're hiring someone else as a service to provide you your infrastructure.
But that said, the infrastructure is still there.
And it's just someone else running it. And so if you're looking at a career in hardware security, you've got to look to the companies that actually manage the hardware.
Those companies are in the 1%. There's actually more pressure on them to do hardware security really, really well because they're doing it for the rest of the world.
And so when I was the CSO at Facebook, as we were growing, we realized we were running our own data centers.
We're not putting everything in someone else's cloud.
We're putting it in our cloud.
And so we spent a lot of time and effort thinking about how do we build out infrastructure and hardware security and looking at all of the different aspects of that.
And it's the same thing at Cloudflare. We're not putting our customers' traffic in someone else's cloud.
We're deploying hardware all over the world.
So the opportunities are there. And in fact, I think they're going to continue to be there.
They're just going to be a more limited number of places that you can go work.
But the total volume of focus on it is going to be the same. It's just you're going to have to be thoughtful about where you look.
And then one thing I would say is I've been running security teams for almost, I don't know how many years, a long time.
There's been one job requisition that we've had open that we never, ever take down.
And we will hire every single person we find who can meet that.
And that's infrastructure security engineer. It is, you know, this is my third company in a row where we just have a permanent position up.
And if resumes come in that look like they can meet that standard, we'll hire them.
There's so much to do in that context and there's so many lesser resumes in that context than any other one that if you're excited about infrastructure and hardware security, I think you should go for it because the demand for quality people in that context is going to be there.
Yes, this is the arbitrage opportunity we continuously see. And to that student who submitted the question, please reach out to us.
We love to chat and learn more about your interests and see if you're a fit for our team.
Yeah, I would say half the people who do infrastructure security on the teams that I have are doing it for the first time.
And we hired them a little bit out of desperation because we couldn't find anyone experienced and because we thought they had the aptitude and the interest to just really learn a new area of security.
And just to hit on a topic that we got a number of questions on and I think we've touched upon it here and there, but just to really hit on it and be clear.
Let's talk about certifications. So you've talked about how that's not required on our specific security team, but can you talk to the pros and cons of certifications at an industry level?
Yeah, I think that there are a lot of mixed messages about certifications.
And what I would say is it depends on the role and the organization that you're trying to apply to.
We don't use degrees and where you went to school as an obvious indicator of potential success on our team.
We don't view certifications as an obvious indicator of success either.
I know people who've gone through and gotten certain security certifications and it's really helped them.
And I know other people who have completely rejected that type of approach to their career and they've turned out just fine as well.
We don't look at certifications as a necessary indicator of success.
It's like a lot of things.
Some people have opportunities to get those certifications and so they take advantage of them, but other people don't have those opportunities and we don't want to disqualify those candidates.
Because sometimes the certifications are just about paying some money and sitting through some lectures.
And that's not really something that we care about.
I do think that in some contexts, certifications are more valuable.
Like with our governance, risk and compliance team, they spent a lot of time bringing our company through certifications like ISO and SOC2 and PCI and things like that.
And so for those teams and the way we think about things like vulnerability management, we want people who have experience kind of working through those standards, understand the terminology of those standards.
And so for certain roles, we will a little bit more value those backgrounds, but we'll look more to the experience side than the certifications.
Yeah, and just to add on to that, and Joe hit on it really well, is we recognize that with degrees and certifications and even internship experiences, it's not equal access in the current environment to all of them.
And we don't want to unintentionally exclude anyone from that, right?
Some people have to work multiple full-time jobs at a certain pay grade for their life circumstances.
Some people may live in an area where internships available, as well as the degrees you can attain locally.
If you have family obligations, there are all sorts of reasons why you may not have equal opportunity.
And so if that's you in that situation, try to look for other ways that you can gain similar experiences, right?
Look at the rubric of what a certification covers.
There are so many free opportunities, especially during now, that you can take, right?
Use that as almost a template that you fill yourself if you feel like you cannot attain a certification and what you can do with that knowledge.
I think that's a great point.
I have this general observation that people succeed at things that they're excited to do and they perform well in environments that they like.
And so I would look at what is the process of getting this certification look like to me?
And is it something that I'm excited about being covered and this feels like, is this a checkbox to get something on my resume?
Or is it something that like, yeah, I really want to learn this area of security because when I'm done with the course and the certification, I'll spend my spare time digging in even more.
And that when we're interviewing people, that stuff comes through.
I don't really want to interview someone and say, oh, I see you got the certification.
They're like, yeah, I did.
I want someone to say, I want you to learn about this, an area that I cared about.
And now I'm better at that. And then I've been digging in on my own. There's a big difference.
And so when we look at certification, we kind of look past it into what does it really mean to you?
And why did you do it? Just to switch gears a little bit because we were actually about 10 minutes away from the end of this episode.
I greatly enjoy what I call story time with Joe. Less so if you're powered by Red Bull because then they get a little lengthy.
But we had some great questions around how did you progress to the position you are in today?
I know you talked about your journey, but what are maybe some of the skill sets that you've really leaned on?
What are some that you didn't have when you started that you've had to learn to get to where you are?
Yeah, I think about one thing in particular a lot.
And that is why did I get the opportunities I got? And why was I able to succeed in them when there were lots of other people around me who were maybe interested in those opportunities or maybe got similar opportunities but didn't succeed in them?
And I think a big thing for me has been I've done what I just talked about.
I pick roles and companies that make me want to run to work. And if I run to work, I'm bringing enthusiasm.
I'm bringing energy to the role and it's contagious around me and people want to work with me on it.
If I'm not excited about what I'm getting up and going to do that day, it's obvious to everybody else and it's obvious to my manager and it's obvious in the results.
And so I've picked roles where I want to run to do the work.
And I think that also has had this secondary positive impact which is it means I'm curious about the adjacent areas and I'm willing to jump into things that I'm not yet good at because I'm interested in it.
When you're interested in things, you go towards them. You don't let, oh, I'm not an expert running through your head to hold you back because you're just like, I want to learn more about that.
And so you just go. And what that's meant for me is I haven't been able, my career hasn't forced me into a silo.
If you look at a lot of people on security teams, and this goes for finance teams and HR teams and any other team inside a company, people get stuck in silos inside their organizations.
If you go into a security team and you come in and say the detection and response space, it could be very easy to spend your entire career doing detection and response.
But as you progress over time, how are you going to be able to break out of that and become a leader of other areas of security if you haven't, if you've always stayed in a singular lane?
And so I think about like, why didn't I stay in a lane?
And it was that curiosity and the willingness to like go dive into things that were outside my comfort zone.
And so I think that people need to go where they're excited to do the work, even if it means less pay at a different company.
It will it will actually in the long term lead to more pay and better jobs.
That's that's that's a lesson I've taken. I haven't always viewed my career as, OK, I'm at this level at this company right now.
I'm I'm not leaving until I get this level at the next company.
I've actually gone the opposite direction and gone because I was like, that role will help me grow.
I will drop down several levels and move to that company because I think what that company is doing in that area is really exciting.
And then you get in there and everybody's like, whoa, they love this and they can handle all these different things.
And then they just throw more responsibility at you and your career grows magically.
We've talked a lot about this in the sense that we both have a similar approach of when we are passionate, whether it's about the people around us or the work we're doing or both.
We've noticed that a lot of times the best opportunities that we have are in the workplace.
So I think that's a really good Thank you. Sorry, I just my headphones died, so I just switched voice.
I missed the end of your question.
Oh, no worries. I may have made it because you're listening too much Green Day and your AirPods ran out of batteries.
That's something like that. I did have one other question there.
And we've talked a lot about collaboration, EQ, communication.
And those are things that are often not offered as a course necessarily.
So what would you advise to those listening how to build those skills, skill sets or where to start or where to continue to enhance those skill sets?
But sometimes they come up in the security context and sometimes they come up outside of the security context.
We have at our company, there are programs for people to learn how to become better public speakers.
Even if you never want to speak at a security conference, it's it's worth kind of being part of one of those programs and putting yourself out there.
There are so many. I think we get caught up in thinking, OK, if it's not on this specific curriculum for my profession, then I'm not going to focus on it.
But like I remember when I went into when I started at eBay, I quickly realized that the way that my company communicated was PowerPoint.
And I'd never made a PowerPoint in my life. And so I actually I think I should admit this, but I like I I signed up for a course at Office Depot and I spent and I spent a few nights learning everything I could about PowerPoint.
And then I realized as soon as I became a manager and became accountable for a budget and things like that, that I didn't know anything about Excel.
And so I went back to Office Depot and signed up for it.
But I didn't want to betray my ignorance at work.
But it was like and it's not on my resume that I got through the Office Depot courses on Microsoft Office.
But they were just kind of like these are tools of the profession that if I'm going to succeed inside a company, I better know how to use them.
And over time, I've continued to look for things like that that are outside the obvious path.
And so I've taken classes on understanding how to read a balance sheet and how to and lots of classes on how to manage people and how to help develop team members.
And I've sought out mentors and tried to learn from them.
A lot of stuff that doesn't show up on your resume, per se, that's going to help you become strong.
Yes.
And it's never too late. Even I won't betray what the topic is. But Joe and I sit next to each other.
And even up until this year or last year, when we're still in the office, I would catch him on a intro 101 video about a topic.
Right. It's never too late to start learning or continuing to learn because the industry we work in is so dynamic.
Right. If you just hold on to the knowledge you had yesterday or yesteryear, you will quickly become outdated in terms of your effectiveness to continue to lead in this space.
For sure. You touched on maybe this is our last topic.
And it's actually one near and dear to both of our hearts. You talked about mentorships.
And a lot of students listening now are likely looking for a mentor but don't know where to start or feel nervous about it.
As somebody that actively mentors a number of people at all different levels, what would you advise to those looking for a mentor?
When I was hosting one of the security leaders for our fireside chats this spring, one of the CISOs brought up a really great personal perspective that I've been thinking about.
He said, I don't look for a mentor. I build a personal board of directors.
And the way he thought about it was in the same way that a company has a set of a board that brings together different skill sets.
I think about the Cloudflare board.
We have people who are very technical. We have people who are sales oriented.
We have people who are communications oriented and so on down the line.
And that board helps us as a company by bringing a bunch of different skill sets and perspectives to bear.
And really, the board in many ways is a mentor to the CEO of the company and the rest of us in the leadership team.
And I really like that idea that there's not one mentor for each of us.
There are a lot of mentors. And you shouldn't.
And one of the things I like about this profession is people are not afraid to ask for help.
And I've enjoyed mentoring. I mentor a few different people right now.
And I've mentored a lot of different people over the years.
And I've also had a number of formal and informal mentors who I turn to. And I, you know, even though I've been in senior roles in the profession for a long time now, I still have mentors.
I have a call scheduled for later today with someone that I have talked to in the past and that I want to get advice from her on how to deal with certain types of situations now.
And, you know, I'm thinking about, like, how do I expand my perspective?
And I want to understand, how are CEOs thinking about security?
Because I'm the one who engages with CEOs. So I actually like to talk to CEOs about how they think about security and what they want to see from a person like me.
And so no matter what level we're at, we should be thinking about mentors.
And we should be thinking about them as, like, a board of mentors for us and not just one person.
And now we're on our last minute. So just to wrap up what Joe said and to bring it full circle, we also view the new grads on our teams and interns, they also teach us a lot and in some ways mentor us because they bring fresh perspectives and raise the expectations on us a lot of times.
And in some ways I feel like I feel fortunate to be mentored by them on topics and knowledge and perspectives that they bring to us.
I totally agree with you. I think I learn more from mentoring others than the mentees do sometimes.
It forces me to it's actually forced me to stop and think about, like, what how did I develop what I know in this area in an unstructured way and how could I make it more structured in terms of how I approach problems because I actually have to articulate it and that just dialogue is just healthy for all of us.
Well, thank you for joining us today. It's been fun.
Yeah, thanks for all the insights you've shared as well and thanks, everyone, for all the questions.
Hopefully this was a good use of time.