Cloudflare TV

🔒 Security _TEAM_

Presented by Susan Chiang, Evan Johnson, James Espinosa, Rebecca Rogers
Originally aired on 

Talk to a few security leaders about what makes a security team tick.

Privacy Week

Transcript (Beta)

All right, welcome. Thanks you all for watching for a special episode of Cloudflare TV with our very own security team taking place during privacy week here at Cloudflare.

And with us today, we've got people from all corners of our security team to talk about security and privacy.

You might know me from my Cloudflare TV show and Rebecca, Hacker Time, but she was a esteemed guest on Hacker Time in the past.

And we took a break this week to make sure that we spoke during privacy week, the special week where we've had a lot of security announcements.

So I'd love to go around the room and talk about our backgrounds and do a quick introduction of who we are, because I think we all have interesting backgrounds that aren't necessarily, well, that are just all over the place and I can start.

I'm Evan and I am on our product security team here at Cloudflare and I have a software engineering background and I'm an engineer at heart, but I really am passionate about security and I kind of got into security in college and ended up wanting to work at a startup and found my way to a security startup and eventually found my way here to Cloudflare.

And yeah, all things security, all things application security and distributed systems are things that I love.

And I'd love to hear, Susan, about your background.

Sure. So I'm Susan. My team does a couple of things, namely our PM organization, which wears multiple hats, including technical program management and product management.

Secondly, is strategic projects.

Then we have our business operations function and lastly, our physical security.

So my background is in business and I basically fell into the classic career path of someone who didn't know exactly what they're passionate about.

So I started in consulting, worked in all sorts of industries from healthcare to tech included, but also oil and gas and different things like that.

Then I wanted to be a part of something historic in the city.

I lived in San Francisco, so I transitioned to different kind of strategy and operations and different roles related to that at a couple of different tech companies.

And I really stumbled upon security and fell in love with it first and foremost for the people that work on the security team I joined.

And then they then showed me their passion and showed me just how cool security is.

And ever since then, I felt like my career is just a free education that I get and also just time I get to spend with people that I enjoy being around and love learning from every day.

And that's how we got here. Love it. Up next, James.

Yeah, thanks. Yeah, my name is James. I'm on the detection and response team here at Cloudflare.

Our team focuses on detecting and responding to security threats to help protect Cloudflare and employees.

My background is a little bit different.

I actually was more in the incident response. I think kind of getting into the whole security field for me has always been just, I've been interested in like malware and things like that and naturally progressed into a consulting role, mostly on post breach type of work.

So our team would come in and do more of the investigation, forensics, that kind of thing.

And so Cloudflare is kind of one of the first places where I came where I was on the other side of the fence now, like instead of seeing different customer environments for a short period of time, now we get to work on our own and do a lot of security work here, which is really interesting.

Very cool.

What about you, Rebecca? All right. Yeah. All right. So yeah, my name is Rebecca.

I am on our governance risk and compliance team on the security team. And I manage our security compliance team.

So really what that means is my team looks at all of the different security and actually privacy compliance certifications that are out there.

And we maintain all of our existing certifications, which is something that really enables our customers to trust us and trust that we adhere to our security and privacy industry standards.

So that's what my team does.

My background is a bit similar to some of the folks here. I started in consulting because I didn't really know what I wanted to do coming out of college.

And I started doing IT socks consulting, which is actually more of like a finance regulatory standard, but kind of got me into the compliance side of things.

And then I got staffed on various different cloud companies within the Bay Area.

And that's kind of how I fell into the security compliance space.

So yeah, I've been here at Cloudflare for about two and a half years now and kind of echo what Susan was saying.

I feel like I'm always learning from the team and learning new stuff every day, which is awesome.

Very, very cool. So I think one thing that I feel like working on this security team more so than other security teams I've seen in the past at other companies or in the industry, I feel like we are kind of, maybe I'd describe it as a little more new school or different than other security teams.

And I think that, well, the first reason that is, is because of the people that we have on our team, but I'd love to hear from, go around and talk about what makes people good security people.

And I'm happy to start as well, and maybe you all can steal some of my ideas.

But one of the big things is I think action oriented is a big one.

If I was to list personality traits, I would say action oriented people, people who don't want to sit around and mostly be clipboard holders.

And I think that I see this in our compliance team doing it perfectly, where they, like Rebecca's team and the way that our compliance folks integrate with our engineering org, it's very much taking ownership of a lot of the controls and just getting an answer from them.

And then I also think that another thing that makes people good security people are probably in our Cloudflare values of curiosity is a big one.

Just people who want to understand how things work and go around like, oh, I'd like to figure out how this thing works.

Or I'm curious how this thing works, because you never really are the, I guess in security, you're always worried about someone else's stuff.

Like you don't really own a lot of stuff. You're always worried about like the databases or our servers around the world.

It's always like something that you don't own, but our stakeholder in.

And so you're constantly learning new details about new things.

So curiosity would be the other one. I don't want to go in the same clockwise manner.

So how about back to Rebecca? Well, yeah, I was thinking about this.

I have top of my list curiosity as well. So I think that's just embedded within Cloudflare, which I think is awesome.

But I think going off that too, what makes good security people is also going back to all, we all as a security team get to work with like almost all parts of the business, which is really cool.

So I think like that comes opportunity of learning how to work with really different types of people and really different types of teams.

So I think just building off that and learning how to work with different teams, because it's not going to be the same across the board.

I think it's something that's really important on any team within the security team.

Yeah, I think for me, I think it's pretty similar.

Curiosity is definitely on top of my list.

But I think a couple other things, mostly because I'm working more on the response side and detection, like being empathetic and being able to be transparent with people.

I think when I first joined Cloudflare, one of the things that was different, at least for me, whenever we'd have like an alert or something and reaching out to the user and explaining to them like what this is and what we're going to do.

And that's something that has been new for me because I've never really worked on that side of security.

I've always been on the other end where we're coming in, kind of doing what we need to do, and then getting out.

So I think it's been interesting here seeing that side of security as well, transparency and empathy with people.

No, that's spot on.

And this is perhaps more of a summary of what everyone else says.

I always think to really four things. Really, it's number one, as you mentioned, James, empathy.

Number two is integrity. And number three is resilience. And last but not least, going back to what Evan said about our specific security team, we really also value diversity because of our global mandate, both for our customers and employees and data.

Ability to have a diversity of experiences, backgrounds, race, gender, helps us be more empathetic and help each other become more empathetic.

And the empathy part is, Rebecca said it so well, we are so grateful and privileged to be one of the few teams at any company that works with every single other team.

And the bedrock of success is leading with empathy on those decisions and relationships.

Otherwise, traditional security sometimes carries this negative connotation of being scary or intimidating or burdensome or annoying.

And by leading with empathy and understanding, whether it's another person or another team or another company, it helps us bust through that.

Integrity is because with security and especially James' team, you have access to a lot of data.

You have a lot of tools. You are constantly faced with decisions and you need to have a clear principle of integrity that you fall to so that you make sure that you lead with that.

And then resilience, as James mentioned with his managing part of detection and response, security is a never-ending marathon.

Our adversaries are constantly evolving. It can be draining on mental health as well.

So finding ways to be resilient, to be empathetic to yourself, is critical to not burning out.

Nice. So I hear curiosity, number one, that's one of Cloudflare's core values.

And then I hear integrity and empathy. If you're ever interviewing for our team and Susan's on your panel, her question to you is undoubtedly about integrity.

So you might want to look it up in the dictionary before you show up.

And then integrity is a big one for sure. And then empathy also for sure.

Understanding how to meet people where they're at to advance security. And so those are all really great.

Thanks for copying my answer on curiosity. How do you think that security teams are changing?

I have my opinion and I think that security teams are evolving to be more in a position of ownership of different things.

I think if you rewind 10, 15 years, you see a lot of security teams just reporting on things and consulting on things.

I think most security teams in Silicon Valley, at least, especially at tech companies, are solving the problems for the company in a way that an engineering team would.

I think they're getting more and more focused on engineering across the board as well, because I think in the industry, in the global economy, you see more and more companies becoming tech companies or emulating them.

And so it's getting more and more important.

And then I also would say that I think security teams are changing to the people that make them up.

I think one aspect is diversity of that, where in the past, a security team used to mostly be the crew that you see at DEF CON.

And then maybe some people with a financial or insurancy or regulatory background, or feds.

So it used to be like three, which you would see at DEF CON. So it's basically like three groups of people who have been in security.

And I think that's changing to be more approachable and more diverse workforce.

So that'd be what I'd say.

What say you, James? Yeah, that's interesting. I agree with you with that. It just reminds me of DEF CON.

It's been a while since I've been there. But when I go to DC for the conferences out there, too, we have an intelligence community.

I'm originally from Chicago.

So a lot of the people that I would see in conferences there were mostly from the financial or insurance sector.

But it's very different. I think one thing that's interesting, especially from thinking about detection and response, is the whole privacy around detection and things, and being a little bit more thoughtful with the way we're collecting data.

I think I've worked in places, too, where we have proxies that are capturing web traffic from all of our users, and something that I just thought we needed for doing proper detection.

But coming here to Cloudflare, it's different.

And probably the same with other tech companies, where you now start to look at, what kind of data do we really need to do proper detection and keep people safe without really necessarily invading too much of their privacy?

So that's been something new for me coming here. And I'm sure different industries have different requirements, but that's something that's stuck out a lot for me.

Yeah, I think that's the main one. I think the other thing I had was around what's kind of similar to what Susan mentioned around the traditional mindset around how security teams are generally seen as people that come when there's a problem.

And instead, we're trying to now just be more involved early on in the process and work with teams ahead of time, and understand they have their priorities as well, and seeing how we fit in the line with them.

So that you see security more as a partnership versus people that just knock on your door when something bad happened.


I think that's really interesting, your first point about how companies are almost adversarial to their employees, where they're a little bit of a big brother mindset for a lot of security teams.

Yeah. Yeah. I think sometimes, just like when I introduce myself to people and say, hi, I'm from security team, that thought process, uh-oh, what did I do, generally comes to mind.

It's just like, we want to avoid that happening, right?

But definitely. Yeah. And even I've seen James on a number of responses to our, we have an internal alias for reporting any security concerns or issues or worries.

And something I've seen James do so well is he always puts the person at ease, because if you're submitting something like, I think I got hacked, my phone is doing X, Y, Z, he's always thanking them for raising it.

And even if it's a false positive, and it's just a non-security related bug, he always thanks them for reporting it and appreciates them taking it.

And there's nothing as it's too silly of a submission. And that turns what can be a scary situation into a positive engagement.

And I love that you led from example from the moment you joined on that front.

And that kind of going back to the purpose and positioning of security and organization.

One thing I've felt so fortunate is to have started my security career and have continued on teams that are one of the central functions of a company.

So for example, from a hierarchy standpoint, our CSO reports to our CEO, and we present at the Cloudflare board meeting, every board meeting, because we're fortunate to be at a company that understands the strategic and fundamental importance of security.

And I think that's a shift we're seeing.

And it's a shift that's fast, fast moving and tech companies slower in traditional fortune 100s is that it's security is no longer that nested niche silo team, it's becoming one of the central functions of a company.

And part of earning our place and keeping our place as a central function is starting to be a voice, a leadership voice on not just security topics, but perhaps also adjacent topics.

You know, James, I love that you mentioned privacy. And that's one of the working with legal and working with HR and others on privacy is a huge pillar for us to come.

Another thing and I see Evans team do this so well is what I call solve for Yes, security.

I think traditionally, people think of security as a gatekeeper or a blocker that tells you what you're not you can't do, or what you shouldn't do.

What we like to do is really just hear what our various stakeholders are trying to accomplish, and work with them and find a way to do that in the most secure way possible.

And that also requires like adaptive risk decisioning so that you know, it's not just black and white, but you weigh like the business benefits and different risks associated to arrive at a mutually agreed outcome.

I liked your first point about a about a reporting structure and where security reports, I think like when you talk to different security teams or people at different companies, conferences or wherever, back when conferences existed, you'd be like, Oh, where does security report there?

And you'd get answers of like, oh, reports to the General Counsel or reports to the Director of Security who reports the CIO or reports to the CSO who reports the VP of Eng.

And like, it's all over the board, and it's slowly like becoming its own thing.

At least that's what we're seeing here.

I am agree with what everyone said already.

So I'll try to think of something unique.

And the only the only other thing that hasn't been brought up is, at least on the GRC side or on the security compliance side is automation.

With all of the security like requirements and controls that we have to maintain, there's a lot of things that are very manual or can be very manual.

So I think as we evolve and security gets more mature, and then also privacy gets more mature, thinking about how we can play the long game and automate all of that manual work and start thinking about new, you know, security risks or privacy risks.

So it kind of, you know, through automation, it opens us up to look at what's coming down the pipeline.

I love it. Yeah, instead of instead of doing the same work all the time, getting to get involved as a value add and give your be more proactive.

Love it.

All right, well, here is, I think, one of the most interesting questions we have on the docket, which is what are some pitfalls you've seen security teams fall into and do things wrong, going about things the wrong way, or maybe it's a process that they get too ingrained in.

I'd love to, I'd love to start with somebody not named Evan.

And here going back around the circle, Rebecca, back to you.

I think the first thing in terms of pitfalls that I think of is prioritizing work.

Because when I think of the overarching security team, there's so much work to do.

And there's always stuff that's being added to it. And so I think sometimes I see prioritizing work while also not thinking about flexibility and how Canon is going to change throughout the course of a year or a few years.

So yeah, I think that's one of the pitfalls is making sure that you're prioritizing what's important, but also leaving room for things that are going to come up out of the blue or things might get shifted around in terms of priority.

I'll stop there.

I'll think about it a little bit more. All right, we'll jump in if you think of one.

One of the pitfalls that I've seen is I think I kind of mentioned it already where you kind of just tell people what to do as a security team, like do this, do that, do this just doesn't work well because people don't like to be bossed around.

And also, they it's like, well, what are you doing is what I would respond with if somebody was telling me what to do.

Well, what about you? Like, why can't you do this?

So I think that is a big one that I see a lot of security teams fall into.

And then the other one is like, I think you can go too far in the opposite direction where you try to get involved in everything.

And I philosophically don't know if I agree that security should be a blocker to many things.

I think the default should be yes.

And that by and large, the security team at whatever company should not think of themselves as the decision maker on all matters.

Yes or no at the company, whether it's in the system, whether it's how you onboard contractors or how you are building your next product.

So I think trying to take on too much and and try to be like the binary yes, no team, thumbs up, thumbs down about if if something is allowed or not, is just not a healthy relationship with the rest of the company.

Because like, even if it works for a while, you'll eventually drown in it because there's too much to do and you'll not make many friends.

So those would be my two big ones.

I'll also jump in if I think of anything else. Yeah, a couple of things and really related to some of the things that we've brought up is I think first and foremost, nurture and look out for your top talents.

We all know that security is very hard to hire for, especially in critical roles.

And it takes a long time, whether it's security or any team to hire, to find somebody to make sure they're a good fit, to onboard them, to integrate them into a team.

And going back to security being a never ending marathon, right? There's no, we need to be constantly on alert for potential incidents or issues.

So nurturing and looking out for your talent is critical there.

I think second thing and James can attest to this one is not realizing you are firefighting before it's a five alarm fire.

Because of how rapidly shifting security is, both in terms of adversaries, but also for example, Cloudflare has matured a lot in the last year or two, which has risen our profile.

And we also have more employees, all these contribute to more engagement with security, more potential incidents to look into more alerts, right?

When you are firefighting, and don't realize that early on, you get stuck in a situation where you're only reacting from one thing to the next.

And you know, you need to automate, as Rebecca mentioned, you know, you need to, you know, pivot, you need, you know, you need to build, but all your, all your time is spent reacting.

So it's a tough situation to get out of once you're knee deep in it.

The last thing I'd say, and going back to what Evan saying is taking on too much.

And it's really hard, especially when they're all legitimate risks that you need to handle.

But if you, but if you, even if you are the ultimate owner, if you start doing all of them at once, you just end up doing them all shallowly, as well, or perhaps incurring tech debt as you're doing it, which is not going to win you friends on engineering and product and other sides.

And lastly, it's toothless, right?

You don't want to, you know, you don't want to be the team that sets a bunch of sets a bunch of things that you can't follow up and keep and keep your word or keep your or keep true to your actions on.

So that means that the big trade off there is like, you have to be comfortable with having no coverage or minimal coverage in an area.

And that's okay, because you rather, if you want to be a respected security team, you need to make sure that what you put yourself behind is done in a way that's thoughtful.

Yeah, that's, those are all good.

I think a lot of the main points that I had are also brought up. Oh, he's the last person that has to say that, right.

But yeah, no. Yeah, I think a lot of it that I thought about was just like also like the whole, I think we've already mentioned this with like having wanting to have control over things, wanting to audit everything, monitor everything, having eyes on everything.

Like, you know, it's not, you have to really like the more visibility and things that we're getting, as you mentioned, Susan, like that could also turn into one, more alerts, more of the same work that you're doing.

And if you're not automating, you know, that's just the cycle that we get ourselves into.

The big thing also that we've already talked about was like silos and lack of communication.

One thing that Evan, that you wrote when I first, I think, joined or at some point that I read in one of your wiki spaces about making an impact here at Cloudflare that really like stuck with me.

And I occasionally still go back and read it because I think it's important, but it's really about like identifying problems and owning them.

And I like how you kind of like wrote that out.

And because it's like a lot of times we come to people with problems and say like, Hey, we need help from your team to help us with something.

And I like your, you know, your, the way you think about it and just being more part of that solution with other teams.

So yeah, I think just not being involved with other teams and owning part of the problems that we have, I think is definitely a pitfall.

Love it. That's great. All good stuff. I'm glad you liked that doc, James.

I worked hard on all 30 lines of it. And we're fast approaching the end of our questions that we had prepared, but that is okay because I'm adding more questions as you all are talking.

And we might go off the just more team aspect things, which I think there's plenty of good conversation to be had there.

But the last prepared question before things totally go off the rails, if you're a viewer and that's when things will really get good.

But how do you all think of the role of security at Cloudflare?

What is our job here? And what is our mandate?

I've heard that word. Last couple of weeks. So I picked up on using it.

I think we do three things. First and foremost is common across any security team.

We mitigate security risks and a definition of what is a security risk is that the big question that seems to be ever expanding scope.

Secondly is, and this is somewhat unique to Cloudflare or any security product company is driving innovation.

When we see a problem or an opportunity, we first adapt the mindset of how do we solve it using Cloudflare?

And if we can't do it now, can we do in the future?

Can we work with our emerging technologies and incubation team to do that?

Can we work with existing product to build additional features? And last but not least is we also enable revenue, given that we're a part of every sales cycle that wants to bring Cloudflare to their organization.

We represent, not only do we represent how we secure Cloudflare, but by inflection, by relation, the principles of security that are built into Cloudflare and what we stand for in our products.

So I think that's also probably the order of how much we spend our time, but as we evolve, I think that will fluctuate.

That is well said, Susan.

I don't think I can top that. I'm just going to add a little bit to it.

I do think we have a responsibility to help our customers and our employees, our users to be more secure, especially because at Cloudflare we have security products.

So naturally that's just in our DNA. So yeah, I don't really have too much more to add to that, Susan.

Well said. Rebecca, I don't know if you have anything.

Yeah, I have thought of being an enabler for the business and then also customer oriented.

And I think, at least on my team, it's really our responsibility to really listen to our customers and know what they're worried about, because that can differ from different regions or different industries.

And so making sure we gain their trust by letting them know we have thought about this and we have, I guess, built it into our security program.

And then I think one other thing that I see as the role of the security team, and maybe it's just me, is I think we have the ability to be creative.

We have the guiding principle, again, of helping the business and then also doing things right.

So whatever we prioritize, we want to do it not shallowly, and we want to do it right.

So being creative with the resources we have and the projects we have.

Yeah, Rebecca, your team does that really well, which sometimes people don't think about when they think compliance, is you have that solve for yes, how do we achieve what's being asked but in a creative way?

And I think that's really one of the hearts and minds of the stakeholders that may be traditionally not as excited about compliance.

If anyone wants to see an epitome of excitement about compliance, I encourage you to check out our blog.

One of Rebecca's team members, Jacob, is amazing at making any topic the most exciting thing that you've ever learned.

So PCI, that was one of the best blogs I've read.

Yeah, how can you think PCI is boring when it's framed through the lens of like 1,500 Taco Bells?

Everything's exciting when you talk about that.

I would say our role is, I liked what everybody else said as well.

I thought that there were some good things there. But if I had to add something, I would probably add that I see our team as a connective tissue type of team between a lot of parts of the business.

I can't think of any one big initiative we've had on our team that hasn't been, okay, we need to get these other two teams talking as well, because they're both doing something that we want, but we want them to do it a little better together.

And so I see ourselves a little bit as the connective tissue between between big problems at the company to help solve them.

And I see ourselves as the first best customer of a lot of our products as well.

There's this great blog post called Amazon's first best customer. And I try to think of ourselves like that as well, where if it's good enough for us, then it should be good enough for everybody else.

And if it's not good enough for us, then it probably isn't good enough for anybody else.

So we sometimes end up being the voice of the customer, being the voice of a different company, being the voice of an engineer who thinks something's wrong or also like connecting the dots between two teams.

So, ooh, we also had, I just noticed our first question roll in from a viewer.

Thanks for watching. Viewer question, what are your thoughts about building tools in-house versus using cloud-based tools versus hosting on-prem?

What's Cloudflare's thoughts on making sure we have the right tools in place to be effective?

Very good question. Somebody could write a PhD dissertation on this.

And I'm curious if, I know James has been in the world of build versus buy and would love to hear from him.

Yeah, I think that's a really good question.

I think it depends as always with budget and resourcing. I think that's a big one.

I think our team is small and Susan mentioned this, right? We have multiple jobs, not just building, but also firefighting and doing a lot of that work.

So as we grow, I think we just have to figure out what makes the most sense. I think one thing that's interesting with Cloudflare that's unique, I think, to other companies, at least that I've worked at, is just the sheer volume of data that we have access to or that we need to have from a log perspective, for example, to help us do our job.

And so it's just like, sometimes we can't just buy something off the shelf that'll support or scale the way that we need.

So I think those are also big drivers to going one way or the other.

We had a three S's role, of which I'm not going to say all of them, but one of them at the start of rebuilding our team in 2018 was serverless.

And that's the premise of not hosting anything on premise where possible.

I think we more or less have done that to date, but never say never.

Though I think it's a nod to the fact that we are Cloudflare, but it's also understanding that it creates additional complexity.

And Joe, our CSO, likes to tell us, complexity is the enemy of security in a lot of contexts.

So I think that in itself was a big selling point for us.

The other thing I would say at Cloudflare that we've intentionally added to that decision-making framework is it's a buy, partner, or build.

And by partner, we mean when we decided not to build in -house, sometimes we look for a smaller company, usually a startup, that has exciting potential or has exciting technology.

But due to their size and the fact that they're still the infancy of their company trajectory, they're more willing to partner with us.

And by partner, we mean really ingest our requirements and not put it on a three -year roadmap, but really work alongside our engineers.

I think David on Evan's team is a great example on that. Check out his Forbes article where he cited one of those magazines, where he really worked with 4AllSecure to develop their product, and not just for ourselves, but be an essential MVP customer.

And so we really look for those opportunities. And it's also, there's risks, right?

When you're working with a smaller, less established company, there can be more bugs.

There can be a bit more volatility. But we see the payoff, especially going back to what James said, the resourcing.

A lot of times, they're more flexible because we both see the mutual potential of a partnership and are willing to be, say, give you leeway on, for example, number of users or the number of features included, right?

You may be getting a premium for the price of standards, something like that.

Yeah. And even just to add a little bit more to that with being our own customer, something that Evan mentioned, and partnerships, but even internal partnerships, right?

When I first joined, I think working with, I believe we worked with the access team just to help us to add additional features that we would need to help us get additional visibility or things like that, that maybe our customers could also benefit from.

So stuff like that, that's also opportunities where we can work with what we already have.

Love it.

I want to add on to what Susan was saying. I really like, from the GRC side, when we come and we have requirements that we have to give our security engineers, I really like that we have in place the option of build, partner, or buy, and that we actually go through that process to determine what's going to make the most sense for us.

So that we're not just, as the GRC side, coming with a requirement saying you have to go buy something or you have to go build something.

We really go through that process.

So that's all I wanted to add. Yeah, for sure. The ICS generally being pretty frugal with the different tools that we spend money on, we are usually very thoughtful that if we want to buy something, we want it to be the thing that actually solves the problem.

I think a lot of security, I'll candidly say, I think a lot of security products are overpriced and have a lot of features nobody really wants.

So if there's a product that we want, that's we only wanted one thing out of it, we're probably not going to spend money on it.

And I think we are hosting on-prem versus cloud.

We, for the most part, are very on -prem. We have data centers and points of presence all over the globe.

So it just makes sense to use our own hardware since we have it from both a cost perspective and also a convenience perspective.

But we do use the, we aren't completely against the cloud.

We use it for things that make sense.

It's a great way to just shave off something and put it in the cloud. And it can be isolated and away from everything else.

And I think on our security team, we've embraced that probably more than other parts of the company.

Since everything else is on-prem, it's pretty nice that we can say, okay, we're gonna keep a lot of our stuff in the cloud.

So I'd say we like to build, we like the cloud, but we also like on-prem.

And if we're buying, we want to get our money's worth. Since I think the going rate of any security product, people just quote 250K to quote it.

And then you get a lot of really strange pricing out there once you start talking to different companies.

Not Cloudflare security product. Those are a good bang for your buck.

Yeah. We sell a subscription pricing, not usage based pricing.

So it's always, people are never surprised by their bill. And actually we were surprised by a bill from one of our security vendors recently.

And it's never a good feeling.

So we empathize. Well, thank you for that question. Person who asked the question, no clue who you are, but thanks for writing in.

We appreciate it.

I have some other questions. We have 16 minutes, two seconds left in the program.

And I think we can get to some very good stuff that's not necessarily security related, but it is good questions about leading a team.

And and this might be on everybody's mind now, since I think I just saw some of you in a related meeting, but so everybody, most tech companies aren't in the office right now.

Everybody is for the most part working from home in a distributed world. How have you all been keeping connected with your team during this time?

And how do you, how do you stay mentally healthy?

How do you keep everybody feeling mentally healthy?

I can start if, since not everybody came off mute at the same time.

And the answer I'd say is it's hard, but especially trying to connect with different people on the team through Zoom or Hangouts or whatever you're talking to them in.

I think it's really hard sometimes because, but, but it's, it is important to ask how people are doing and all of that and have time to, to have less serious time.

I think in an office, you have time where I like, I would talk to people in the kitchen and I was a big kitchen talker because I would just like eat.

I like to eat. So I'd hang out in the kitchen, eat and talk to different people more casually.

And a lot of that is taken up by meetings or like a little less fun Zoom interactions.

One thing that I tried a few weeks ago that I think was pretty fun was as a team, we played Among Us and you get to see who is a good liar on the team and who's not.

You get to, it was pretty fun. And I'll try to invite y'all next time we do it.

I think we want to try it again next Friday. But I thought that was a lot of fun and a creative way to like connect during, during what's going on.

Anyone else? We were going to do Among Us as well. It was between that or Quiplash and we went with Quiplash from Jackbox.

You need more people. Quiplash is good.

You need like close to 10 people for Among Us. Oh, is that it? Okay. Otherwise it's just not fun.

The games end pretty quick. I think we had some very expressive people who were worried that they were unable to lie convincingly.

So we went with Quiplash instead, which was pretty fun and kind of brought to life some of our inside jokes as well as fun quirks about each other.

And we had some new hires that got to learn more about each other.

One thing, as you mentioned, I've been kind of thinking through what energizes us in an office space.

And I know Rebecca, you and I have talked about Zoom fatigue.

And one thing we realized is we're just, when you're in back-to-back meetings as we tend to be as managers on the team, is you just end up sitting in front of a computer, right, for six hours.

And it's not just physically draining, but in a stiff sense, but also mentally draining.

So one thing I've done, and I more stumbled upon this, I don't pretend that this was a master plan, but one of my quarantine hobbies has been becoming quite the plant, especially succulents and houseplants.

I've developed quite the collection.

And what I actually do in between meetings is I take like three minutes where I walk around and tend to them, and it mimics going to a meeting.

And that's something I've thought about is in a daily, you know, in a daily day of going to the office, there's the commute.

The commute is, you know, a lot of times we view it as a big, you know, waste of our time, and which, you know, I oftentimes felt that because mine was probably three hours a day.

But there was a benefit to it of it being a time to decompress and transition between work and personal.

So I've been looking for ways to mimic that period of time between when I am mostly working to mostly on my personal time.

So for example, I'll go outside and take my dog for a walk, or I'll go gardening, or I'll pull weeds.

It's a quirk about me is I love pulling weeds from gardens.

So to me, like that has become my decompression time between like micro segments throughout the day that mimic walking around the office.

Maybe that's even going pet my dog, like talking to another co-worker, or saying hi to my partner.

Also, but and also doing something that's a transitionary activity at the beginning and end of the day.

I see.

For us, two things. Well, we one thing, two things that our team is planning doing this month, which I'm kind of excited for that they set up is like a secret Santa, and like a social event, call it a social event, where we just like instead of like having just like meetings and things like that all the time, it's just like a time where we just get to talk and enjoy, you know, our company, even if it's still virtually.

And then the secret Santa is obviously secret Santa, which will be fun.

But yeah, for me, I definitely miss the walking or the commute aspect of it, getting to the office.

I love being around people. I love being in the office.

I miss that. And I hope, you know, someday we'll be able to get back to doing that again.

But yeah, I don't have plans. I don't have a dog. So I mean, I have a few plans.

I don't have a dog, but I will probably occasionally pretend I can go for a walk with one just because I see them running around it.

Yeah, but yeah, that's what we're what we're doing in our on our team.

So I'm hearing you want a dog in 2021.

Yeah, my partner definitely wants one. I would like one but it's just our building does not accept dogs is what I say.

San Francisco emotional support. Yeah, try that one.

Yeah. We're not advocating any type of dog fraud here. I have to share just because I'm very excited about this.

But on the GRC side, we do we try to do like a quarterly social gathering, which they're really helpful.

And this, they're also very unique, which is great.

And so this quarter, we're going to do a palm reading to see what's in store for us for 2021.

And it's going to be exciting.

I'm excited to see if things will turn around in 2021. But I think it'll also be a good bonding experience for the team.

So do you hold your palm up to the camera?

And somebody just, I'll let you know once we do it. But I'm excited to look into my future.

That's really interesting. I wonder how that's gonna work.

Yeah. That'll be fun. Yeah. Very cool. Yeah, it's been it's been a different year.

Everybody's trying different things. And it's definitely been.

It's definitely been interesting. But I think lights at the end of the tunnel now.

And I do have another question. And that is, I know on our team, I'll keep you in suspense for a little while.

So I'll talk and then build suspense to what's the actual question.

I know on our team, we put a big emphasis on hiring diverse candidates and building a diverse team.

And it is really, really just important to our security team.

And we also think that it's important for us to be successful in the long term as a team.

But I'd open it up and and ask, how? How have you each of you have done?

Has I think we've done a good job with a diverse team, building one?

And how do you maintain that diverse team once you build it?

And how do you how do you go about building it? And especially in security, which has such specialized needs.

And I'll give you a moment to think, unless Susan's already unmuted, she can.

Maybe maybe she can just go. But Susan, do you want to start or I'm happy to go?

Sure, I've I've had the privilege of kind of co authoring a blog post on this topic earlier this year on Cloudflare blogs called building a modern security team.

So there are some thoughts. And I don't think we have it all figured out.

And that's what's exciting about it is the opportunity to be to be part of a shift in the broader industry and learning, failing, succeeding along the way.

So to answer your question, it seems like there's two parts. The first is how do you build a diverse team?

I think with hiring, the most important thing is being patient and not accepting the first candidate that applies.

Because the raw inbound for any security role is probably 90%, if if not more, not diverse.

And if you just evaluate each resume based upon just the experiences and move straight to on site, you're not giving room to build a diverse pipeline.

And a lot of times that falls on you know, the the hiring manager or the source or recruiting to actively seek candidates that are diverse.

And that's, and that's even more important as you built out part of your team, every additional person you need to evaluate how do they complement the team?

What are they bring to the team that we don't have or we need more of?

It's not just about filling that specific role. It's about what they add to the team.

As for how do we I think where we are thinking deeply about this, about once you hiring a diverse team is just the first step, how do you make sure that everyone you've hired are thriving and can see a future in a community that they belong to?

And that part is harder initially, right? Because by the very nature of hiring diversity, you're fundamentally having a wider breadth of perceptions, experiences, decision decisions, they're just less common ground.

And so I think that's the first step is helping build common ground amongst your diverse team members, and making sure that you are not unintentionally giving less space to somebody because they're more, for example, introverted than somebody else.

They're located in a different country than maybe perhaps the team.

So it's identifying areas that are easily kind of unbalanced and helping make that be balanced.

And I think second thing is making sure you don't wait for feedback.

You seek feedback and be proactive about reaching out to those that you think may be more susceptible to finding harder, finding a harder time to connect, who may be having trouble adjusting, right?

So I think those are the things that I would say that are top of mind for me.

Whoa, that was great.

All great points. Rebecca was hot off the mute button too. Do you have anything?

Just an echo of one of Susan's points is patience when hiring. It sounds easy, but definitely when you have pressure to get things done and you have an open role, that would be helpful for getting that stuff done.

It's easy to get impatient.

But always sticking to that patience will lead you to the right person rather than letting go of some of the things that you wanted within that role.

So I know it's a really easy answer, but it is pivotal, I think, for hiring.

I think also where we're sourcing candidates from, because I know in security, we have a lot of our circles, especially at conferences, the people you work with and you follow each other.

We say security is a small field and you're just going to eventually meet somebody else again.

But there's a lot of organizations out there, a lot of groups, like Women in Tech and others, that you can go have a presence in and source candidates from different areas as well.

So it's not just the groups that you know you're familiar with, but also just opening it up to the other areas.

For sure.

I like that. I'll just go on the same topic that Rebecca and Susan were talking about, which is not just looking for the first candidate who meets the job requirements.

When you're really thinking about building a team in the long term, you're looking a lot of times for personality and things that don't show up on a resume or things that don't go into JD.

And so it's really important to be thinking about building your team for the long haul and that you're adding all the right personalities and things to your team that you're looking for.

So it is really important to be patient and be intentional about looking for people who might not have the same security background, but are the right person for that role.

And I think like I was a software engineer, I think like three of the four of us, maybe James as well, three of the four of us didn't start in security.

We kind of ended up there.

And I'd say we're doing all right. So I think that there's a lot of people who can be huge assets to any security team who didn't necessarily go to DEF CON the second year it was made or whatever.

Yeah, well, with that, we've got about 40 seconds left of airtime.

And I want to thank you all for showing up, especially last minute, Rebecca and James.

Susan and I couldn't find anybody to hang out with us for an hour.

And this has been a great show.

Yeah, it's been fun. Thanks, Evan. Yeah. Thanks, Evan. You've been a fearless emcee.

Yeah, I don't mind at all. It was fun. I got my practice for our next episode of Hacker Time.

And with that, we are out of time. Thank you all so much for watching.

Cheers and stay safe.