🔒 Security Week Fireside Chat: Joe Sullivan and Ugo Enyioha
Presented by: Joe Sullivan, Ugo Enyioha
Originally aired on July 9, 2022 @ 5:00 PM - 5:30 PM EDT
In this Security Week segment, Joe Sullivan will host a fireside chat with Ugo Enyioha, VP of Security Engineering at Cloudflare.
Tune in daily for more Security Week at Cloudflare!
Transcript (Beta)
Hi everyone. Welcome to this episode of Cloudflare TV. I'm Joe Sullivan.
I'm the chief security officer here at Cloudflare, and I'm joined by Ugo.
Why don't you go ahead and introduce yourself?
Hi, everyone. It's really nice to meet you all. My name is Ugochukwu, and you can call me Ugo for short.
I am the VP of Security Engineering at Cloudflare.
The new VP, by the way; I'm really only about four weeks in at this point.
And we're going to use this segment to look at the world, and look at Cloudflare, through your perspective as a new leader who's just joined the company.
This week is security week. It's one of the innovation weeks we have at the company.
And first off, what do you think about this idea of innovation weeks, given that we're the security team sitting over in.
Primarily, we focus on managing risk.
Mm hmm.
Well, you know, for me personally, it's nice to see Cloudflare as a company continuously try to communicate to its customers how much it thinks about the security problem and reflecting how it solves it right through the products that it actually shares.
So, for example, just reading through the blog posts this week, reading about API Gateway and the capabilities being deployed, I was blown away.
I was like, Wow, this is a really nice feature set for customers looking to protect the APIs, right?
And it's just great when I think about that constant customer touch that the company has.
Yeah. One thing I've found is that one of the fun parts about doing security at Cloudflare is we're the security practitioners at a security product company.
And so to the product and engineering teams, we're kind of customer number one.
And we're also the first security practitioners who get to give them feedback on the new products when they start working on them.
Yeah, that is true.
Right.
Even today, just out of the box, I saw the feature set and I immediately emailed the product manager saying, hey, I didn't know this was coming out, but I've got a couple of ideas that we should consider.
And I can imagine that's been something that's happened within our security team right throughout the life of these programs, where we're constantly reaching out to customers or talking about their new features and capabilities.
Yeah, we have a saying on the team: use Cloudflare to secure Cloudflare.
And so we dogfood every product to a certain extent before it is offered to anyone, any other customer other than us.
And one of the fun parts is we don't just dogfood products, we help.
In the context you describe, we get to suggest, and sometimes we even develop and prototype, products that we can hand off to product and engineering to take to the rest of the world.
Yes, that's one of the stories that I heard as soon as I joined.
Right.
I mean, when we look at what we've done for identity and access management. Right.
You know, when I compare to other companies that I've worked with in the past, this was the first company where I've seen a company-wide, 100% deployment of YubiKey-style technology.
Can you imagine what the impact is in terms of managing risk to things like social engineering and phishing and so on?
That class of attacks, which we all know is one of the most, you know, the most vulnerable aspects of a security program, the users.
Right.
We've literally done, if you ask me, a fantastic job of nurturing that type of problem with that type of rollout.
And that started off from the security team building out that capability.
So it's fantastic to see.
Yeah, I started in 2018, and we had a company retreat in the fall of 2018, and we actually got up on stage in front of the company and we had a pinata of a giant VPN.
So this is a fun story, but we actually went to a pinata maker in San Francisco and asked if they could make a pinata in the shape of the VPN, which was definitely not a request they'd ever had before.
And so on stage we said we want to do two things.
We want to get rid of the clunky VPN that we're all using here, and we want to, at the same time, increase our security, not decrease it, by rolling out hard keys to the whole company.
And so during the retreat, we actually made every employee take 5 minutes to connect their YubiKey to their account, and we felt like we had the entire company in one room at one time.
What better chance to like skip the IT helpdesk side of it?
But the fun part was we then smashed the VPN and then everybody got to eat the candy.
But the best part was we came out of that with hard keys. But the underlying technological requirements we wouldn't have been able to accomplish if it wasn't for the fact that we were a security company.
We used the Cloudflare Access product in 2018 to require hard keys, because our single sign-on provider wouldn't allow us to differentiate.
Oh, for certain applications you need a hard key, and when you roll out hard keys, you kind of want to roll them out in a staged process to get the workforce used to it.
So to me, that was the first example of us using Cloudflare to secure Cloudflare.
And a couple of points I can tease out from that, too.
First of all, that's a very unique way to do a security rollout.
This kind of rollout, so many times, is a lot of investment and a lot of selling and a lot of planning before you actually get it done, but to try and get everyone together and then take advantage of that, it's great.
The other thing I want to tease out there is trying to get the company to align on a mission.
Right? Bringing everyone together and even coming up with our mantra: no more VPNs, we're going to use Cloudflare Access.
It's nice when you do things that way because then everybody gets to see what the direction is as well as start to even appreciate the benefit.
Right.
So it's great. It's just tons of interesting stories about how Cloudflare as a company, right, is using the products to actually secure itself, but also getting its staff, its employees riled up on that mission, on driving to that particular objective.
So that's just really a nice story too.
Yeah.
When I've built security teams at other companies, one of the biggest challenges was that security was kind of a team on the side.
You didn't feel like you played a role in driving revenue.
You didn't feel like you played a role in driving innovation.
But it feels like, and I'm curious if you've observed this in your starting weeks, that our team, in my mind, has like three legs to the stool. One is what every security team has to do, which is manage risk.
That's correct.
So that's job number one for any security team to find the risks and make them smaller.
Yeah, help the business to contextualize that risk, prioritize it, and then start working on plans to retire that risk over time.
That's the infinite game domain.
Right, right, right.
But to your point, right, other things that I see this company and this team do that are a little bit different is, you know, we do a lot of investment in business value as well.
We contribute to that bottom line.
Right.
There's a lot of work we're doing right now to prove to our customers the security posture of our network.
And we're trying to get that in a durable way by having certifications that demonstrate that.
Today we have five.
We're still actively working on that to increase the number of certifications.
Right. But then a lot of that innovation as well where we're contributing to the capabilities of the products that we build.
Right.
So unlike other teams that just focus on that infinite game of looking for risk, we're actually contributing to the bottom line by driving that business value.
Those certifications, for example, have unlocked some of our customer accounts for us because our customers care about these things.
And by getting those certifications and showing it to customers, it actually makes them move from deciding to actually acquiring our products.
Right.
Yeah, there's no doubt about it. When you work at Cloudflare, you realize every one of our customers wants to know that we as a company are really committed to security.
And yeah, you can't have every single customer come in and audit us to see how much we care about security, and the certifications are the best real way to validate our commitment to security.
And I see every time we've gotten a certification, it has unlocked revenue for the business.
And that means that when we go to the other teams... getting the certifications isn't easy.
A lot of teams at the company have to do a lot of work, you know: technical, process, people across all areas.
And yet when we go to the rest of the company and say we're working on another certification, they're happy to help us, because they see that the dynamic, the relationship, is good for everybody.
Right.
And, you know, when you talk about that challenge of moving towards meeting the requirements of a certification, it's actually one of those areas that I'm very excited about when you think about security, because it's like, how do you do that for a company like Cloudflare that, you know, is still a very young company?
It's innovating very quickly.
And in fact, the innovation is critical to the growth of the organization.
But remember how Matthew looks at us as, hey, we're trying to angle for the fourth biggest cloud.
You can see that in terms of the number of features and capabilities that we release on a regular basis for customers.
So that's to me part of the challenge that I'm really excited about.
How do we unlock that innovation and the ability to move fast but still meet the requirements of security certification and just general security itself?
How do you do that right now?
There are a lot of different ways companies have tried in the past. Right.
I've been very lucky to be on teams that have unlocked that capability. I mean, it's something I'm really looking forward to, the ability to bring that kind of thinking here to Cloudflare and apply it to our process so that our general activities result in certification, versus us using certification as a driving function for security.
Right?
Being able to marry those two and allow the company to continue to innovate, it's just very exciting if you can make that happen.
That's a huge win.
And lots of other companies can learn from that, too.
Yeah.
One of the biggest challenges right now for us as a team is growing up; we're on the same kind of growth trajectory as the rest of Cloudflare.
We started out as a really small company.
We went through an IPO.
We've crossed over 2000 employees.
We have really large customers around the world.
We've raised our security game substantially.
But when you just think about it from a people standpoint, if you have a 20 person security team, everyone knows what everyone else is doing and you can't tackle all the risks all at once.
So you're kind of scrappy and you're scrambling around.
And then we're crossing past 70 people on the security team now.
And, you know, I look at it and I think when you're small, scrappy is cute.
When you're big, scrappy is messy.
But the challenge is you've got to figure out what's the right level of process to help us grow up, but not so much that it feels like a 20,000-person bureaucracy.
Right.
So that's us in three things. One of the stats you mentioned when I joined the company, right?
I took a look at the numbers.
I got access to ping word and I took a look at the numbers, and it was maybe about 2700.
I took a look again today and it's almost 3000. So literally within four weeks, somehow 300 people have shown up.
That's just aggressive hiring.
This is clearly going on.
And the same thing is true for us in our security.
We are actually aggressively starting to hire.
So if you want to join Cloudflare, please, by all means reach out to myself or Jim. Now, to the question that you asked, Joe.
Right.
I think it's really about a couple of things. One, rallying the team on a clear mission and vision.
Right, especially as you grow larger, that scrappy execution, if it's aligned in a particular direction, that's really, really helpful because then everybody understands the mission vision and they can now align the activities to meet that mission and vision for your organization.
I think the other aspect is, like you mentioned, we've got so many different areas that we need to focus on.
The company is growing larger.
The attack surface is interesting and also expanding.
So how do you now figure out where to invest?
What I've seen be successful in the past is you try and apply a portfolio-style approach.
The failure mode that sometimes is tricky is when you try to introduce investments in every single area that you care about, basically trying to peanut-butter the investment.
You may not get the outsized impact you're looking for, but if you take a portfolio approach and typically you prioritize it by, you know, by company or business risk, right, then you can start seeing that allocation of investment time and measuring the outputs on whether it's giving you what you're looking for.
And that's exactly what I've seen happen at Cloudflare.
And I look at the list of investments that we've made in the past two years: identity and access management, we talked about YubiKeys, right, and how we've done that for customers; investing in understanding the risk at the edge of our networks; investing in understanding the risks that we have with hardware and our migration, for example, to our latest Gen ten hardware; innovations in how we protect our customer keys, because one of our basic duties is basically decontamination of customers.
So you can imagine we have access to a lot of very sensitive data that somebody adversary would care about.
Right?
And that's why, for example, that investment turned into Keyless SSL, which we use obviously in a lot of high-risk countries, even in the current situation.
That's the geopolitical situation that's going on in Eastern Europe, in Ukraine, Russia and Belarus.
So it's really nice to see that what we're doing is taking a very measured approach to look at our foundational, right, technologies and platforms, and then trying to be intentional in how we allocate our time there so that we can get outsized returns.
The Keyless technology is an example of an outsized return.
When it now became a situation where we had to respond to the geopolitical situation, we had foundational technology in place that could give us protection for ourselves and for our customers.
Right?
And so, coming back to the question, that's how I think you should think about how you prioritize and invest in security in a team, especially as it grows.
Right. Think a portfolio-style approach.
Also think about clearing up the mission and vision for the team so that you can have an aligned strategy towards delivering credibility.
I think it gets harder when you get bigger.
When we were small as a team in the fall of 2018, when we sat down as a small dozen people or so and we picked priorities, we decided we could only have two priorities.
We picked identity and access management and we picked securing our edge network. And when I look back in hindsight, those were the exact priorities when you could only have two.
Number one, because our employees are under attack all the time.
And so making sure that an employee's account can't be taken over and used to manipulate Cloudflare tools from the inside or access customer data and the like, having identity and access management to me should be priority number one for every security team.
And so that was good.
And then priority number two, securing the edge.
You're absolutely right.
With the crisis in Ukraine right now, ever since the invasion by Russia, we have seen pressure put on our data center in Kiev.
And the idea that we can still keep that data center up and running and feel confident from a security standpoint, because we have Keyless, because we have the latest generation technology there with secure boot, memory encryption and all the other controls that we put in place.
It's kind of like we had the right priorities for that.
But how do you avoid that peanut butter thing that you mentioned when you get a little bigger now and you're kind of like...
The world's scrutiny is on us. We have to be good at security in every context.
But you can't do everything well at the same time.
And you have to prioritize.
What's the process for prioritization that you want to do?
That's a great question.
You know, it's tricky.
But I always kind of look at it in terms of compounded, right, compounded investment.
So if you're looking at the REITs, your previous investments should actually inform your future investments.
So when you focus on some of the foundational aspects, like looking at the edge or identity and access management.
Right.
One thing I always like to look at is, okay, how do we deploy sensors that tell us where risk is, right?
The types of risk that we have: we as security practitioners have context about risk, right, especially when we've invested a lot of time in this field; you start having thoughts that these areas like identity and so on are important, but you should also deploy sensors in the environment.
A lot of the security activities you do, you can think about them as sensors.
You introduce a bug bounty program, right?
That's a sensor.
You perform design reviews and threat modeling. That's also a sensor.
So if you can aggregate that information, you can start to get insights into where incidents or risk is happening.
And ideally, you use that as part of your planning process to inform right where you need to go next.
Right. Also looking at threats, intelligence and external insights as well.
So it's a little bit of art plus science.
You have to deploy these capabilities to get to see what risks the company is facing.
Right. Use that, and then obviously look at external concerns as well, and use that, at least for me, I'd like to see you use that to drive the initiatives that you're going to push, right, year over year as you continue to play in this infinite game, looking for, trying to mitigate, to get to this.
Yeah.
I mean, to me, one of the hard parts about security is it's really attractive to go work on the innovation side.
But there's a lot that we have to do where we just have to roll up our sleeves and dig in to kind of like the murky, deeper end of the pool.
And we've got to go pull the weeds and really live in the muck, and it's not always fun.
How do you get teams excited to do that side of the work?
How do you get teams to do that outside... outside of their...
Sorry.
I think that's part of the question. I wasn't really clear about the question.
Yeah.
So part of security is... there are different parts to security, I guess. Some parts are like you're working on the shiny new project or the thing that everyone's paying attention to.
But sometimes you're doing things where we've got to go pull a bunch of logs, analyze a bunch of things, review a bunch of vulnerability management alerts, just roll up your sleeves and get into the muck.
And to top it off, you do that work and then you get out and nobody celebrates it because you didn't launch a new product or close a new contract for the company.
Right.
Right, right. Well, that's a great question. You know, some of it is cultural setting, right?
How you as a leader celebrate, you know, the investments that people make.
There's this nice article that I read once on LinkedIn that talks about the void, right?
The work that nobody really looks at and how you can actually make your career in investing in the void.
I think as leaders, we should definitely celebrate that with our team so that they get to see the outsized impact and the implications of that work.
But in previous roles, it's something I had to do all the time.
Right.
Talk about to the team about that particular aspect of work that's not as visible or appealing and how it actually helps the company.
Right.
You know, stepping back, I look at what we do, to some extent, as telling stories about risk data as we go back to the business and help them to rationalize our risk.
You're telling stories about that risk, weaving all this information from different sectors and helping the business realize it, so that work that appears less interesting, if you're able to contextualize it for the team so they can see how it actually contributes in a meaningful way to the organization's understanding of risk, right, is hopefully appealing.
And if you celebrate that impact, right, when it actually lands with the team, so they see how much you value it.
Right.
It sets the right tone, I think. Right.
And those are strategies I've used in the past and the strategies I intend to use even here; that should work.
It may not look appealing, but it is important.
Right.
So we just have to help the team see why that's important.
Yeah.
A good example of that was last year. We spent a big amount of our time as a team prioritizing a new compliance framework for us, the FedRAMP compliance framework.
And we're literally this week finalizing our submission to the Federal Government for FedRAMP.
But all the work had to be done last year, and it was a heavy lift.
And when I look at the work that we did, it feels like 80% of it was important for security and good things to help us upgrade.
And 20% was stuff that, like, philosophically, you could argue, oh, that might be a good thing for some company to do, but not for us, because we've got these other controls.
And so it feels like a waste of time.
But you've got to do it anyway to get the certification right.
And it felt like, for the 80%, that was good security work that needed to get done anyway. It might not have been the work that we would have done in the sequence that we did it if it wasn't for the certification.
But we would have done all of that 80%.
It just might not... we wouldn't have necessarily had it all done yet. And so we had to drop other things that were passion projects that we thought were important in order to prioritize that.
And I thought our team did an amazing job of just accepting the hand that I dealt them by saying we should go get the certification and we got the work done.
And it's led to, I think, our vulnerability management program being much further along than it would have otherwise been, because we prioritized it.
And that's important.
It led to us getting much further along on our capability to pull logs off of our edge.
Right.
And wow, when we all of a sudden needed to make sure we had extreme visibility into all of our data centers in Ukraine and Russia, we could just flip a switch and make it happen, because we'd done the FedRAMP work last year.
And so I'm hoping that the team starts to appreciate that all that work is valuable.
You know, I'll tell you a story, not a Cloudflare one, but a similar narrative from one of the older orgs I worked with, where they were aggressively moving to public cloud.
We invested a year and a half just building up guardrail capability.
Right. It was not fun.
Right.
But when we started to see the effects, where there are hundreds of thousands, millions of security and product releases on a daily basis, the organization is moving to daily releases, but that's the platform that's now being used to enable paved paths within your organization.
Right.
It's foundational, it's preparatory. And the payoff can be significant.
It's just really how do you sell it to the team?
Right.
So that they get to see, right, the implications. So it's nice to hear that story.
Yeah, too.
It's also, when I step back and think about it, one of the challenges as managers, because you have to think about what the business needs and you also have to think about your team's aspirations and your staff's aspirations.
And the trait of a good manager is how do you intersect the two to meet the overall business goal, as well as keep your team satisfied and engaged and interested in the mission?
Right. It's what makes it rewarding for me as a manager and as a leader, right?
Finding that healthy spot. And that really to me translates to a lot of what we're talking about here, right?
Yep.
Yeah. And I think, to go back to the three priorities of our team that we talked about a little while ago, we do have that opportunity to not just do the work that manages risk, but hopefully all that work towards FedRAMP will start generating a bunch of revenue for the company when we finish the FedRAMP journey in the coming months.
We already have lots of good US government customers and hopefully we'll get a lot more.
Correct.
It's going to make us definitely more appealing to the US government and customers in that area.
Yes, I agree.
Awesome.
Before we wrap up, I'm curious, like, what are some of the biggest surprises you've had since you started at Cloudflare as an outsider coming in?
First of all, it's very refreshing to see a lot of very focused engineering considerations to solving many of the problems we see in the organization.
So it's very engineering driven culture and also very collaborative.
So I think that aspect was great. The diversity, especially in your org, Joe, for me was surprising and actually quite refreshing.
I have to give you some kudos for that. When I look at the number of underrepresented minorities that are within your organization, it really is an example I think other companies should emulate.
So from that aspect, I found that a really very pleasant surprise.
Obviously it's not all roses.
Right.
A couple of challenges I personally am now seeing firsthand, some of the challenges of managers are managing the past.
We came in at the time of COVID.
I started managing teams, but I have now a new level of empathy for them, right?
Where you have to deal with making and trying to drive context, building over Zoom and meeting a lot of people and the eyes glaze over because of Zoom fatigue.
But for me, it's been really nice seeing how congenial everyone's been; everyone's been very, very supportive in helping me to understand what they're working on and where their aspirations are, and helping me understand where I can support them as a business.
So a lot of pleasantly surprising attributes that I've seen within the organization.
Everyone is really helpful, but then also a lot of opportunities I see in terms of managing in the time of the pandemic and on basically remote work and hybrid work.
Right.
So you probably haven't met anyone on the team in person yet?
No, no, not yet.
But I'm looking forward to it.
I'm actually going to be in town next week in San Francisco.
So I'm definitely looking forward to the happy hour that we're going to have and giving it to you in person.
Yeah, I'm looking forward to that as well.
Because of the team, too.
I mean, from Susan to Catherine and everyone in the team, I'm definitely looking forward to that.
Yeah, it's going to be fun.
You and I got to spend a lot of time talking during the process before we made the decision to make an offer to you and you made the decision to come join us.
So I felt like I got to know you really well over video before you even started, and I'm really glad you're here.
So we'll just wrap up this conversation. Let me just say thank you for joining Cloudflare.
I'm glad you're here and thanks for sharing your insights today.