🎂 Paul Judge & John Graham-Cumming Fireside Chat
Presented by: John Graham-Cumming, Paul Judge
Originally aired on September 29, 2021 @ 1:30 PM - 2:00 PM EDT
2021 marks Cloudflare's 11th birthday. For our annual Birthday Week celebration CFTV is featuring an array of new products and guest speakers, as well as a look back at some of our favorites from last year.
In this segment from Birthday Week 2020, Cloudflare CTO John Graham-Cumming hosts a fireside chat with Paul Judge, Co-Founder & Partner of TechSquare Labs and Co-Founder & Executive Chairman of Pindrop.
Transcript (Beta)
Well, good afternoon from Lisbon and I think good morning from the US where Paul Judge, my guest is today.
This is one of a series of fireside chats we're doing, although it's too warm in Lisbon for a fire right now, to celebrate Cloudflare's 10th birthday.
And Paul is the co-founder and partner of a thing called TechSquare Labs and co-founder and exec chairman of Pindrop and somebody I've known for a long time because, well, originally we were both doing anti-spam stuff and there was lots of cyber security over the time.
So Paul, welcome. Nice to have you on this little fireside chat.
Why don't you just tell us a little bit about Pindrop and about TechSquare?
Hey, John. Yeah, good morning from here in Atlanta. And it has indeed been a while since we've known each other.
It's kind of funny, spammers. I guess it's about 10, 15 years ago now.
Yeah. Yeah. If not longer. Yeah. So I tell you, Pindrop is a cyber security company that focuses on protecting voice interactions, meaning phone calls that go into call centers like at banks.
But it also means voice interactions that go into things like IOT devices, because so much work in network security over the years has been kind of around this presumption of the keyboard as the interface.
And so nowadays, as many applications and devices, the interface is our voice talking to other people or talking to other machines.
The need for anti-fraud and the need for authentication allows the work that happened in the network focused space.
Now it needs to happen in a voice focused space.
And so that is what Pindrop does. It's a company that was founded in 2011.
A co-founder, Vijay Balasubramaniyan, is CEO of the company, which is based on his PhD research from Georgia Tech.
So that's Pindrop at a high level. And then TechSquare Labs is an early stage venture fund and the studio that was started about six years ago now.
And it's really, you know, after a few companies, I realized, and after meeting Vijay and started Pindrop, I realized, wait, there's more smart people who want to bring their ideas to life and they just need help.
They need help on business architecture and go to market and funding and so forth.
And so we started a space as close as possible to Georgia Tech and said, we want people that want to work on big ideas to come over, come in, kind of co-work.
And through that effort over the last five years, we've now invested in about 40 early stage companies.
They range now from cybersecurity over to marketing automation, to material sciences, to augmented reality.
And it's, you know, it's obviously with the investment goes kind of expertise.
What are the sorts of things you're seeing entrepreneurs in that world needing help with today?
You know, it's interesting right now, you know, the first question becomes like, what problem to work on?
Like what kind of unique insight have you seen that others have overlooked, right?
What is a solution that needs to exist that people are willing to kind of pay money for?
And what many would call, you know, it's a product market fit, right?
And so that kind of becomes the core element. And then from there, there's so many parts of building a successful company from team building, right?
How do you build a world-class team that can tackle this problem over the next, you know, seven years or 10 years that you're going to be working on it?
You know, how do you really figure out your right go-to-market?
You know, what's the right pricing strategy?
What's, you know, the beachhead for you? Is it mid-market or enterprise?
You know, then how do you build that out? You know, it's one thing to have a prototype, it's another thing to go from that to having scalable DevOps and, you know, all of those pieces.
And then how do you navigate the waters of fundraising and navigate the waters of strategic partnerships?
And so what I've found is, you know, regardless of the industry and vertical, so many lessons we can learn and pull from one company to another to help entrepreneurs focus on the thing that is truly unique to them and their company and not have to reinvent the wheel on so many of the other elements of business building.
And it seems to me you mentioned that, you know, you're likely to be with an enterprise seven to 10 years.
And I think, you know, Cloudflare is now 10 years old.
When I joined, which was nine years ago, I kind of never imagined I was going to be still here because so many startups you go through, they last a few years and maybe they succeed or they don't.
But the ones that really have legs, they actually take a long time, right? Success is really a long process.
It's not this overnight thing. No, absolutely. You know, I think that the stats would suggest that, you know, kind of a successful startup takes about seven years on average, you know, to kind of go from beginning to some form of, you know, liquidity event, whether it be a merger, IPO, et cetera.
And, yeah, so many kind of fell along the way for various reasons, right?
Either the market did not want the product that they were delivering or they could not efficiently acquire customers.
And, you know, your customer acquisition just doesn't match the lifetime value.
Eventually, you know, funding drives up, drives up and you run out of money or, you know, sometimes just give up, right?
They get tired and don't persevere.
And so the rare companies that are able to get that initial lift off and then figure out other products to take to market and figure out how to expand from one country to internationally is rare.
So, no, congrats to you and Matthew and the team for this 10-year anniversary.
Yeah, thank you. Thank you.
What do you, just to dig into this, what do you tell entrepreneurs about that?
I mean, you up front with them and say, you know, if you're really going to make this work, you're talking about a decade of your life.
How do you prepare people for that?
You know, one is to really, just saying that kind of scares some people because some people watch these movies and these movies would suggest that this is all easy and happens overnight, right?
The movie was The Social Network and within 90 minutes, he had an idea, didn't go to a party, built some software, met some friends, grew the thing and was a billionaire and it all happened in 90 minutes.
So, you know, things like examples like that, I think cause some to believe that, you know, this overnight success thing actually happens overnight, you know, not over like 3000 nights.
And so I think part of it is educating people that, this is, you're dedicating a portion of your life, whether it be seven years or 10 years, is this a problem that you care deeply enough about to work on it for the next, you know, seven years or 10 years?
Do you really in your gut believe that this solution needs to exist?
Because when it gets hard and, you know, code isn't working and systems go down and customers aren't responding, you know, there would need to be something inside of you that's not just driven by monetary gain that suggests you have to push through this.
And then if you do that multiple times, then, you know, all the rewards that you seek will be on the other side, but there has to be something in you that is detached from monetary gain.
It's really things the world needs to see the solution.
And so with something like that, you know, some set of people say, oh no, I didn't really mean it.
I, nah, this isn't, I was just kidding.
I was just thinking I'm going to just keep my job a half year. And so that, that filter of kind of the reality versus the, kind of the dream of what it means to build a startup.
I think it helps people decide if it's the right fit for them.
Yeah. And now you've done this multiple times. So something's driving you to do this, build companies.
What is it? Do you, do you know what it is or is it, was it, were you born with it?
Is that what happened? You know, I always think of it like, I always just wanted to kind of get good and be better at something.
Right. And to me, it's a, it's an exercise in kind of reaching your personal best.
And it just so happens that my craft, you know, it isn't making music, it's not necessarily painting art, but it's not necessarily sport, but building companies is some combination of those things, right?
It's, it's a, it's a personal endurance test.
It's a creativity test. It's also, you know, understanding the taste of customers.
And I think as you, as you go through, you know, different companies and different seasons it's, you know, how can I improve?
How can I get better?
How can I solve a bigger problem? How can I touch more customers? How can I help other entrepreneurs get?
And so it's, it's really to me a quest to keep getting better.
So I stumbled into, in some ways, the cybersecurity world, right?
I stumbled, John, into computer science because my mother taught typing and I was playing typing games.
And I realized if I didn't put the five inch disc in the drive and close the door, then I would get this C colon thing that if I typed, it would type back.
And next thing I knew, I was like, oh wait, I could build my own games.
Right. And so I stumbled into coding that way, not knowing at the time that it was even a, a major in college.
Yeah. Yeah. You know, in the nineties and, you know, in Baton Rouge, Louisiana, and when I got to college, I realized it was a major.
So I switched my major to that and then started doing, you know, web development, just want to make website next to me.
What was your original major?
It was chemical engineering. Chemical engineering. Okay, cool. Yeah. So I, growing up in Louisiana, there's lots of chemical refineries.
And so it started off saying, oh, I'm going to work at a chemical plant and be a chemical engineer.
And I started college with that major first semester in, took a programming class and realized, oh wait, this is a whole world.
And so I actually, John stumbled upon cybersecurity because I was, I was working at IBM kind of my senior year in college.
And I wanted to like do e-commerce development. I wanted to do web development.
And I got a job on the e-commerce team at IBM. And we're just making a website where people will buy like computers and hard drives and chips.
And this was 1998.
The price point of those things was so expensive that we're looking around the office saying, who has this much money?
Who's putting $50,000 on a hard drive?
And like, where's the money going? Is it under your desk? Is it under your desk?
Who's going to, somebody's going to steal it. And then just open up like, oh wait, if somebody's going to steal it, how do you protect it?
And that's how I realized like, oh wait, there's a security and there's encryption and decided, wait a second, I need to know more about this.
If I need to know more about this, my default was, okay, I need to go find a class.
I need to go to school more.
I need to go to grad school for this. And that's how I decided to go work on a PhD with a focus on cybersecurity.
Right. And so you did all that and then you ended up with spam as a thing, as did I.
Is it, in my case, spam found me, right?
Because so much spam came to my way. I was like, I have to do something about this.
How did it find you? So I was, I was in grad school at Georgia Tech and I was working on some work around secure content distribution, right?
Like video streaming, audio streaming, watermarking, group key encryption, you know, access control of routers.
And I met a gentleman who was, had just built a company that was acquired.
He was about to start another company. And it was a gentleman named Jay Chaudhry.
And he was about to start a company called CipherTrust. And so I went over to meet with him and he was explaining kind of, you know, email security that he was planning to do and encryption and intrusion detection for email systems.
And I was like, well, this is interesting. There's a lot of similarities between the security that you want to do and what I'm working on in my research.
And I originally just said, oh yeah, great. I'll, I'll come here and I should be like vice president of technology.
And I'll just, I'll run everything.
And he looked at my resume at the time, which was like this long and look, you can, you can write the encryption software and you know, you can be like a junior developer.
And I was like, wait a second. All my friends make way more than this and have much fancier titles, but there was something that was drawing me to the startup world.
I was like, there's something here. And so I joined and I started off working on the encryption software, right.
To do a secure communication between mail servers, right.
So like the TLS and SSL communication. So I was writing that software and then we started to do the intrusion detection work, right.
To like people trying to break into mail servers, going to build an intrusion detection.
And we actually built that product that was about encryption and intrusion detection.
And we took it to market and people, and it was originally going to be a mail server.
So it was going to replace Microsoft Exchange. And it turns out that people, they didn't like Microsoft Exchange, but they didn't hate it enough to rip it out.
And people like would try us and then kick us out. And at this point in life, like what people would call that is we didn't have product market fit.
All they knew was, man, we just wrote a bunch of code and people keep kicking us out and it doesn't feel good.
And then we started adding more stuff to it. Like, oh, we need to stop viruses.
Let's add antivirus. And then I remember one of the customers said, Hey, I have this problem with spam.
Like spam, searching. Oh, like email.
They're like, can you solve that? Sure. We'll figure it out. And we're like, no idea.
And we just said, yeah, sure. We'll figure it out. And that started our journey into developing anti-spam software and anti-spam algorithms.
And there we are.
And so I often think about that spam period as there's parallels with today. So Cloudflare, one of the things we do is a lot of DDoS mitigation.
And the interesting thing about DDoS mitigation is that essentially it's a bit like the spam thing in the sense that there are techniques to deal with it, but it never goes away.
And so it's like spam is still here. We're still filtering that stuff out, but it still keeps coming.
And DDoS kind of feels like the same thing. And it makes me feel like there's almost like a sort of Groundhog Day thing going on with security, which the same kind of things keep coming up over and over again.
So if you look back over the last, what is it, probably 10, 15 years of the cybersecurity stuff, what are the themes you think we're going to carry forward into 2030 that are sort of the same thing all over again, but different?
You're right.
No matter what the communication protocol is or the application, these hackers are figuring out how to break into it.
At the same time, the normal world is celebrating some new technology or some new platform.
While we're still in this period of excitement that it exists, the attackers are already figuring out how they're going to break it, how they're going to monetize it.
And I think we'll continue to see largely that trend.
And so look at, okay, what are the technologies that we're generally excited about right now that are new?
And it's like, well, the hackers are busy figuring out how to break into those, how to leverage those, whether those be kind of ways to reach consumers' eyeballs, or whether those be new ways to reach enterprise assets.
And so I'm going to look at the new ways to reach consumer eyeballs.
There's so much happening with IoT devices showing up in your home.
I saw a company this week announced a drone that will fly around your house.
Yeah, that doesn't sound good to me, but okay. Right, which is an amazing idea for security.
But for like, no one knows what's happening in my house, and it feels very futuristic.
But the attacker somewhere is sitting there figuring out, okay, great, how am I going to break into this?
How am I going to use that to access someone's house?
How am I going to fly around and steal the confidential information? How am I going to take pictures and use those to blackmail people?
They're figuring out, I think of it like the attackers almost have like a Y Combinator for attackers.
They're constantly figuring out new business ideas, which it took me years to figure out that, but go back to the CipherTrust or now at Pindrop, there's so many smart people on our team building our technology and our solutions.
And the fact that it's this constant battle just shows how many smart people on the other side figuring out how to break into these things, which is very different than I think some over the years have always thought about hackers has been kind of this one or two lone individuals kind of in a basement somewhere.
And I think over the last decade, we've seen examples that shows it's very much different than that.
It's very much a true enterprise.
It's very much organized and resourceful. So moving forward, I think, you know, IoT devices have very unique access to our lives, and that will continue to be a target.
I think voice-based interactions, especially in this post-COVID world where, you know, you don't have to go into a physical bank.
You don't have to go into physical retail.
You can do so much either online or by picking up the phone.
And that has become the weakest link for so many organizations because now I don't have to break an algorithm.
I just have to socially engineer an individual.
And so I think we'll continue to see more attacks there in voice channels.
But now also, you know, we've for years talked about the perimeter disappearing, but man, I don't think we ever imagined this, right, that, you know, literally everyone's working from home and everyone's going to school from home.
I mean, we did not envision that distributed systems really meant this.
And so now that, you know, we're back to every individual employee, the cybersecurity of their home network is just as important.
I think we'll see many more, kind of much more thought there on how secure the home network is.
Before, it was simply, okay, when I'm at home, I might VPN in, I might check my email, but now this is a true workstation.
Yep. Yep. I totally agree there. One thing that's interesting for us is that, you know, we have this thing called Cloudflare for Teams, which is remote working.
I get to get access to all the apps and everything in your enterprise.
And, you know, that just took off like wildfire because everybody was suddenly like, hey, go home, access everything from home.
And to me, even though I was in this, it brought home crystal clear to me, there's this world in which everyone's going to access everything like that for wherever they are.
And that suddenly says, well, the perimeter's gone. How you protect the communication between the device and the application becomes really, really important.
But also the device itself, like the end computer or the phone or whatever, securing those things suddenly becomes much more in focus and the network kind of disappears into the background.
And in a way, that's great because networks were designed to be layers where you don't have to worry about their existence in a way.
So it's actually kind of pleasing that Zero Trust is coming, but it also changes how we have to think about our security.
Absolutely. Absolutely. And I love that you all are, you know, constantly innovating in the space to provide different solutions for what's happening there.
And, you know, now that it's not only the adults that are on computers from home, but, you know, kids now all day at school.
Now we have to educate our kids on what malicious links, what Zoom links, and so it's a very different level of education awareness that needs to happen.
And it's tough because in the past, it might be that when a kid was on a computer, the parent was nearby or there.
Now that the parents are working on one device, the kids in school on a different device, there's not the same type of supervision that might have been there traditionally.
Yeah, that's absolutely right.
I'm curious actually what, you know, if you're like me, been in cybersecurity for such a long time, you're just sort of, you know, you're in it all the time.
But what do you, what would you say to your loved ones about cybersecurity?
Like what are the things that you would say, you know, to parents or brothers and sisters, children about how they should think about cybersecurity?
It's interesting, John.
There's so many basics that people don't do correctly. And so I often want parents and others to go back to the basics of, you know, one, don't click anything, right?
Don't click anything. I'm standing away from the keyboard right now.
When you start with that, because, you know, they get these emails, they're older, and they get these emails that sound too good to be true.
Yeah.
And oh, but no, I won this prize or someone needs my, and it's no, don't click anything.
Don't trust anything. Because it's one thing for you and I to look at an email and know that it seems suspicious.
But you know, for our parents and others, it's really difficult to distinguish.
So I think, you know, starting from this point of don't trust, you know, messages by default, I think is a big, is a big shift, like just by default, don't trust it.
If someone needs to talk to you, they'll, they'll send it by mail, like just don't.
And so I've had to do education around that.
The second thing is really just passwords, right? Like, how do you, you help someone who's older or younger, like do good password management and not just use the same password for everything.
And so, and then, you know, you know, associated with that is just, you know, basic two factor, right, that if you're gonna do it, take the extra moment, turn on two factor, allow the text to your phone, you know, makes such a difference as you and I know, but people don't default to that.
And so helping people understand that. And then lastly, really thinking through, like, what elements of your data are most sensitive?
And like, where do you keep those?
Right? What are you keeping in your email, like some people, you know, use their email, like a secure vault, and keep all their important data, or to keep the notepad, like a secure book, like, what's the most critical information?
And where are you? Where are you keeping that? And, you know, let's, let's think about keeping that most safe, because maybe if your email is compromised, or your note taking app is compromised, let's think about the most critical data, and where we keep that separately than everything else.
Yeah, I totally agree with that one.
It's fascinating to me that people have insecure email, and that's the reset mechanism for everything in the entire world.
And if you take over their email to take over their life, they haven't kind of kind of groped that.
So listen, we've only got about four or five minutes left, I'd love to talk a little bit about your current venture, because I'm fascinated, because I'm a network guy, keyboard guy, typical nerd, don't want to talk to humans.
But your point here is that lots of humans have to talk to other humans doing voice stuff, or talk to machines.
And you've got technology there to help with that.
So take us through that, because I'm fascinated about that as a future for us.
Yeah, yeah. I mean, just, you know, if you look at, you know, interactions between humans, I mean, the default natural communication protocol for humans is this, is voice.
There's certainly apps that have pulled us into kind of using our thumbs more than anything.
But, naturally, humans want to speak verbally to other humans, and both in business and personal.
And, you know, the number of phone calls that are increasing, you look at voice based apps, like, like Clubhouse, you know, the voice based communication is increasing, you look at voice assistants, like, you know, Alexa and Google.
And so there's this rise of this voice based interaction for, for personal life and for business.
And if someone's able to, you know, easily spoof your phone number, I mean, it's kind of known fact that phone numbers are easy to spoof.
And so, you know, someone can, you know, pretend to be you and, you know, go call, you know, Matthew and just spoof your number or call me and pretend.
And so that that part is simple, because of vulnerabilities in the phone network.
So like phone spoofing can happen. And then if you think about the authentication that's been most used, it's been this knowledge based authentication, where you dial into a company, and it asks you, you know, what's your favorite color?
What's your high school mascot? What's your mother's name?
And with all the data breaches that have happened, that information is largely available.
Yeah, go back to the Equifax and others are people can guess it, right?
Your high school mascot. Okay, that takes me 30 seconds to figure out on Google.
And in most of those voice based systems, there's no such thing as like a certain number of failed attempts blocking an account.
Right? If I tried to guess your password on a network base, it will lock me out after a number of attempts, right?
Those basics. In the phone network, I can call the call center all day long.
I can call 1000 times. And I can bounce around until I get to the agent that I feel is most vulnerable.
Right? So there's some basics that we're accustomed to in a network world that don't really exist in a phone based world.
And so hackers have realized that.
And they've realized that, wait a second, if I call the bank, and I say the right things to an agent, I can convince them to let me into someone's account.
And once I'm into that account, I can then wire money from a bank account, I can wire funds from a mortgage line of credit, I can take go after state benefits programs, I can call a cell phone company and say, send me two new phones, send me the most expensive ones, but similar to this address.
And so they figured out the attackers have figured out, there's so many things of value hiding behind phone calls.
And so there's, you know, lots of dollars that are stolen, both business accounts, personal accounts, state benefit, and so forth.
And so, I mean, what Pindrop does towards that is, you know, Vijay and his PhD thesis figured out that every voice interaction has a phone interaction has a different, like acoustical fingerprint.
And so you can tell based on just the audio of an interaction, is this phone call coming from the US?
Is it coming from Portugal? Is it a white line?
Is it a landline? Is it a cell? What kind of device is it? What kind of transmission medium did it use?
Where is it coming from geographically? And then is it really is that the same device I saw John on before or not?
You take that and layer it with device fingerprinting, then you layer it with like your voice biometrics.
You take that and layer it with doing behavior anomaly detection.
Like when you call into IVR, you press buttons at a certain pace. When a machine calls in and tries to, it doesn't, when you take that collection of things, you've been able to add really precise anti-fraud and authentication.
We're going to get cut off.
Fascinating. We're out of time. Thank you so much for being part of this and thanks for being part of the 10th anniversary.
Hey, my pleasure.
Thanks for having me. Hey, congrats again on this achievement and all that you all are doing in the industry.
I'll talk to you soon.