We are Cloudflare
We are Cloudflare aims to showcase all the people who make up the Cloudflare team from as many offices, teams, levels, and in as many languages as possible.
Hello, everyone. This is Chaat Butsunturn, and this is We Are Cloudflare. And my guest today is Jackie.
Hi, Jackie. How are you? Hi, how are you doing? I'm good. So this is compliance week.
And so, or actually, I guess it's really more broadly a security week.
And so I am grateful for you coming in on behalf of your team to talk a little bit about the your team and the broader team and the function of compliance within security.
So thanks so much. Let me start with like, what is your what's your title?
And what's your what's your role? Compliance seems kind of big. Yeah, so I'm head of security engagement at Cloudflare.
We are embedded in the security compliance team.
We are essentially the PR arm, I would say of the entire security organization.
And what that means is we support internal and external engagement.
So anything that an employee needs to know about security, pushing initiatives, awareness campaigns, things like that.
As well as anything that a customer needs to know.
So, you know, we've got our sales team, they are selling our products, and we need to get customers to understand where we're at as an organization and why they should trust Cloudflare with their data.
Okay, so do customers want to generally know, like, are we compliant?
Or do they want to know how will you help us be compliant?
Both all of the above. So compliance, security compliance, there's kind of like a baseline.
There's some validations that we have that kind of just allow us to enter the ring to enter conversations with customers and prospects about is Cloudflare a company that I can trust with my data.
We have three validations right now. Many people are very familiar with PCI compliance.
ISO 27001, as well as SOC 2. So we have those validations. And those allow us to just kind of enter conversations with customers as hey, baseline foundational stuff we have.
You know, you kind of know that we're okay on the outside, but then we have a lot that we have to sell over and above that.
So some of our products help customers meet their own compliance requirements.
And that's kind of where it gets a little bit more detailed.
And you start talking to customers about how can Cloudflare help you as well as protect the data that you're entrusting to us.
Got it, right. So within the compliance team, so my understanding is like you're just one pillar of compliance, right?
And yours sounds like as the PR arm, I think you put it, is basically customer facing and engaging them.
Now, do you engage them? Is it kind of a more responsive or proactive motion?
I think it mostly has started off as responsive, but as the team is growing and maturing, we're definitely getting much more proactive.
I have two fabulous colleagues on our security compliance team.
Madeline Gregory runs our risk management team, and Rebecca Rogers is in charge of making sure that we get all of those validations that I previously mentioned.
Those two are the brains of the operation.
I am the, I'm going to say the brawn that's out kind of selling these things to everybody in Cloudflare and outside of Cloudflare.
So as these mature and the program matures, we're able to kind of provide what customers need on an incoming basis, but also now we're starting to be a lot more active with marketing and kind of outward content.
Here's how Cloudflare can help you from a security compliance perspective, things like that.
Right, right, right. So I work in the sales group.
I'm usually at the top of the funnel. Where do we bring in your team?
When does your team come in? Chaat, you've never engaged with my team. That's a terrifying feeling.
Well, you know what, I get people through the door, right?
And as they move along, I mean, people certainly ask about compliance.
And we also talk about, you know, PCI compliance, especially for e-commerce sites and the like that have a lot of financial transactions.
But I'm, you know, personally, I'm generally not part of the conversations once they get to you, right?
Yes. When does that happen? So when we think about the sales cycle, you know, you're one prospecting, you're getting people excited about Cloudflare.
They like you as a salesperson. They are seeing the value that we can provide.
And you kind of get to the point where, you know, they're probably going to start negotiating.
We're going to start talking about contracts.
We're going to start talking about these things. And at that point, they have a lot of questions about third-party security.
So they start to realize that what Cloudflare does is provide security and privacy kind of products.
So that means we're going to have access to some of their data. And some of that data can be sensitive.
So their questions typically are kind of like, okay, we're going to use these products, but what are you doing on the back end with the data that you have access to?
And my team is engaged. So typically, you've kind of handed off the deal.
We're starting to get involved with, you know, how much are these things going to cost?
What are the terms of engagement? And at that point, I'm coming in with my wider team, incredible team, Matt Gallagher and Omar Cervantes, just rocking this entire global sales organization and saying, hey, this is what you can expect from us from a security compliance perspective.
Sometimes it's a thousand questions. Sometimes it's five. But my team is the one who ultimately is responsible for making sure that the customer and the prospect feels good about what we're going to be doing and is very clear on how we're going to handle data for them.
Yeah, that's it. You actually bring up another interesting point.
So you work cross-functionally with a lot of other teams, including sales.
So who are those other teams that you're engaging with?
It seems like marketing might be one of them, but there are probably others. Certainly.
Yeah. So the security team at Cloudflare is pretty big. So we're a 50 plus person team, very large compared to the overall employee count at Cloudflare.
So quite often I'm taking the requirements or the initiatives that the rest of my team is pushing and explaining those across the company to customers, as well as sometimes internally.
Part of what this team does is, yes, sales, but it also encourages engineering and infrastructure and other teams to adopt security policies and things that we want to push.
Marketing, obviously, from an external perspective, from getting customers, huge partner.
I'm really grateful to Arun Singh, who is my closest marketing partner.
Fantastic man. Good to work with. I'm glad to have him as a partner, as well as Daniella, who runs our PR team.
We are intersecting at all fronts because we are united.
Emily Hancock, our data protection officer, incredible woman.
I've learned so much from her. So I am touching almost every single organization in Cloudflare, absorbing from my own information, but then also processing all of that and making it something digestible for non-technical people.
Do you work with product too? I do sometimes. We recently, in October, we had Security Awareness Month and we did a really interesting, we tried a series and it was bringing in six of Cloudflare's most purchased and most profitable products.
And we had those product managers sell that product to the security team.
That's actually great. It was super interesting. It was like security shark tank.
It was killer. Yeah. We learned all about the products and we did make some personal connections there.
It wasn't a team I'd worked with closely before, but now it is someone that I, or a team that I am embedded with pretty frequently.
I like that analogy, shark tank. If I had his money, maybe. We're a global organization, you mentioned, right?
And I was curious how you support that globally and what are the different compliance concerns from region to region?
Is it, there are similarities, there are differences?
There are some, I would say there's, there is pretty significant difference in what is important, like maybe the order of what's important to the regions, but overall it all kind of comes out in the wash.
So we have a large presence in EMEA. Our European customers obviously care a lot about GDPR.
You see them ask a lot about our ISO certifications.
Those things are very highly valued in country. In the US, it's more kind of our SOC 2.
We get a lot of questions around HIPAA as well. In Asia, it's kind of, kind of depends on the country.
I think we sometimes think about Asia or APAC as just like one huge region, as opposed to very different countries with different concerns.
They prefer to hear more about the ISO certifications. PCI is really large.
Their payment processing in Asia is just, I think that might be the highest processing region.
So they ask a lot about our PCI certification.
So we're ready with content for all of these regions and making sure that they can understand how we're meeting the compliance obligations that they need.
Do you have regional partners or a global team, or is it all out of, you know, all you or all out of San Francisco or all out of the US or where's compliance located?
So Matt Gallagher, who's the manager of this team is located in San Francisco. We will be in Austin whenever it is appropriate and safe to move.
But shameless plug, I have an open position in London right now, or in Europe.
It actually can be located in any of our European offices.
We would like to have supporting that region.
Their compliance requirements are great. They're very heavy.
And, you know, we feel a lot of responsibility towards making sure those customers feel especially secure with what we're doing.
So we are hiring someone dedicated to that region to make sure they have support.
Watching an interest did apply.
Right. So, and you mentioned they could be in any of our EMEA locations. Yeah, we're pretty open.
It's currently posted on our website in London, but if you've got French or German speaking capabilities, we certainly could accommodate a presence in those offices.
Right. So that would be Paris, which is a brand new office, right?
Very exciting. Munich? Yes, Munich. We would be open to both of those.
We're seeing some good candidates, but the more the merrier. It's a really important position and we're really looking forward to that expertise.
Well, let's talk about that for a moment.
So the types of people that are in compliance, I'm curious if there are common threads or if people are basically coming from all different kinds of backgrounds.
And maybe, let me start with you.
What did you do before Cloudflare? So I've been in security for 14 years, so it's been my entire career.
Before Cloudflare, I was in fintech for about four years and I supported the US Department of Defense for the eight before that.
Always in a security role. First internship was just scheduling compliance audits for the Department of Defense.
That was what I did for the first six months of my career.
So I kind of feel that compliance is a great entryway for people that want to get into security and you don't have to be super technical to get started.
You just kind of start learning about some of the rules and how you meet those rules and your knowledge can grow from there.
How did you first get into this?
It sounds like security has been a long interest. So what was the draw? Was it intentional or kind of accidental?
Like, oh, look at this. Well, I'm in security now.
Well, I was originally going to school to be an ocean scientist and I got to the physics portion and I didn't have the inclination to pass it.
And the only other thing that fit that time slot was an Arabic course.
So I took Arabic. This was in the 9-11 times.
So I switched majors into kind of an international security realm.
Kind of figured I wasn't physically big enough or tough enough to be boots on the ground for any of the intelligence agencies, but I could be pretty good behind a computer.
So that's how it grew. Do you speak Arabic or Farsi or any of those?
Oh, God. At this point, it's just a party trick. I can still read it pretty well, but there's no comprehension happening.
You read it? It's a beautiful script.
Oh, yeah. Gorgeous. And an incredible alphabet. It makes total logical sense.
It's a very logical language. So logical, but doesn't it write right to left versus left to right?
It does. The opposite. Did you have to think about it differently?
Reprogram your head? Yes, absolutely. In fact, recently I was telling some of my team that I do speak multiple languages and sometimes mentally I kind of like interchange words and sometimes I feel I can't speak any of them very well because I'm thinking in all of them.
Right. So my parents are immigrants. My dad's Thai, my mom's Filipino, but in the classic American immigrant story, they didn't want to pass on a handicap to their children.
So I speak only English. I forgive you, mom and dad, if you're watching.
It would have been nice. It would have been a great party trick, especially at Thai restaurants.
I'd be like the most popular guy.
And one more thing.
Pick it up. Right. I know. I probably could. Now they have all kinds of apps for language learning.
So what was your fun fact? So my fun fact was, and it was at the time, this is no longer true, but at the time I had over 200 unique bottles of French champagne.
Oh my gosh. Right. Are you down to like 129 right now or something?
I know. I should count. I should count. I think I'm probably around 180.
I'm kind of picking them off slowly. Are you drinking them or gifting them?
I'm drinking them. No way. Why bubbly? I mean, that's pretty specific.
I don't know. I think there's always a reason to celebrate, right? Sometimes we only have champagne when we think there's a celebration, but day-to-day life is actually a celebration.
Not that I drink a bottle every day, but I'm just saying you don't have to wait for big events.
I like that. It's very versatile. Low calorie content.
So I'm able to keep my COVID diet going and still indulge a little bit.
So yes, I picked out all of these bottles. They are beautiful. And I do kind of just like the way they look in a wine cooler.
Yeah. Where do you store them?
I have some storage in my home. Very nice. So I can't complain about that. That's great.
I would have thought your fun fact would have been that you speak Arabic.
But I think the champagne collection, that's pretty fun. That's pretty spectacular.
Our PCI expert at Cloudflare, a man named Jacob, was also in my onboarding class.
And his fun fact was that he had been to over 200 Taco Bells in his previous career because he was a PCI auditor.
So we joke that we are the J200 compliance crew.
Because both names start with J. Both had an over 200 fun fact. So that's compliance at Cloudflare is something over 200.
There you go. That's pretty funny.
So in terms of the general background of your compliance colleagues, of which you have many, would you say there are common threads or what's different?
What are you guys looking for generally on your team? What makes a compliance professional?
Yeah. I think a lot of companies will say something along the lines of, we want people who are curious.
Which, yes, I think that's kind of true.
But I think in order to work, you kind of need to be a curious person. I think with compliance people, there has to be, I think a general, like you have to have tough, thick skin, but a soft heart.
Like you're doing a lot of this. It's a labor of love.
And sometimes that means pressing through things that are difficult.
There's a lot of adversity. You have to want to get to yes. You have to want to get to protective measures.
So I would say that being personable, yes, it's important.
Being curious, yes, it's important. But there needs to just be a drive to completion.
And you need to do it without just ruining your relationships with everybody.
You're not bringing down the hammer a lot of the times. You're not using the compliance stick to force people into compliance.
A lot of the times we need to speak their language and take them on the journey so they understand that by meeting this compliance requirement, you are protecting these people in these ways.
And that really helps a lot towards achieving goals.
So for a technical company like Cloudflare, do you require a technical background or an ability to talk to engineers?
Who on the customer side are you engaging with? Is it the engineers? Is it the C-levels?
Where are we connecting the dots? I think Cloudflare as a whole, we are a very technical company.
I've actually been shocked at even my own knowledge, how technical I've had to become just to operate in this space.
So yes, we are looking for a few years of previous experience.
You don't have to know how to code, but you should have had some type of experience in the security realm.
Maybe you don't have to be able to code, I don't necessarily think, but you do need to be able to understand basic things.
TLS, the way that Cloudflare products work, all of those things are totally learnable, though.
There's nothing that a person can't learn.
You do have to be able to hold your own. Customers expect that you are the expert in your field, and some of these are large-scale customers.
We need to come to the table showing that we do know what we're talking about and helping them understand.
So it does require a bit of grit. You've got to be probably smooth and calm under pressure, but also genuine and transparent.
That's, I think, a Cloudflare… Absolutely.
Are they part of the conversations that compliance is a part of?
Are they in the room? Oh, yeah. Our SEs are people we lean on incredibly heavily across Cloudflare.
We are an engineering company. Oh, they're the best.
Our solutions engineers, I work with them a lot on the sales side. They do pre-sales, they do post-sales, they're working with compliance.
They wear many hats, and I'm always impressed with our… I think they wear so many hats that I often wonder how do they manage it all, right?
Yeah, they are the workhorses of this organization, hands down.
Yeah, right. Interesting. So in terms of the background, then, a technical background might be nice, a security background might be nice.
Are there any common threads in terms of education? Or certainly the personality traits or work habits that you laid out are fairly consistent and apparent.
But anything else that you think would be a common thread? Or are the backgrounds similar?
And I don't want to say predictable, because there's nothing ever predictable about what a fit could be, right?
Yeah, I think security kind of collects a very interesting bunch of people.
There's not a normal path towards security.
We're all from such different backgrounds and interests that collectively, I think with all of us, it patches together a really secure organization because almost nobody's coming with the same skill set.
Until a few years ago, it's not like there were cybersecurity degrees.
I remember when I got my undergrad, it wasn't really a thing.
Yeah, right. Super long ago. So we have people that have come with English degrees, we have people with finance degrees, we have people with no degree.
I was really shocked to learn that recently with some colleagues.
And we're very lucky to work with Joe Sullivan, who is just an incredible mentor and one of the reasons that I came to Cloudflare.
But when you talk about somebody that really cares about diversity and candidates with a diverse background, Joe pushes.
I've had a couple of positions I tried to hire for, and he said, did you do your due diligence in trying to find the most diverse candidate?
And has redirected me many times to make sure we were meeting that requirement.
Yeah, he's been a great leader. I know that he's our executive sponsor for Afroflare, ERG for African-American descent and globally, that's a global organization.
And he's been a big executive sponsor for that. That's great. So had you worked with Joe before?
No, I never worked with him before. But obviously he's such an incredible person, like diverse background himself, been in a lot of companies, been through a lot of situations and such a strong leader and really genuine.
And I was looking to work for somebody like that. I think when you're early career, you kind of look for these big company names and maybe you're targeting those.
But as time goes on, you start really looking for leaders that you want to work for.
And Joe was my top pick when I was last kind of evaluating what I was going to do professionally.
Wow. Well, congratulations. Here you are. I made it. I tricked him.
Very lucky to have you.
So within the security realm, then we talked about the compliance engagement function.
What are some of those other pillars? And how are even within those pillars, do you find similar threads of backgrounds or are they more specialized?
Shall we say? Yeah, they are a little bit narrower. One thing that we do is provide security expertise and support to our public policy team.
And actually, this is my favorite part of my job is we have a group where it's, you know, what's the Starzak who runs public policy?
Joe, our data protection officer, Emily Hancock, our head of PR, Daniela.
We're there about once a month and thinking about what positive security narratives can we put out into the, you know, into the universe that kind of highlight Cloudflare's commitment to security and to privacy.
And I love this. Like, it's such a deep conversation every time.
And I learn from it every single time. And supporting that to me is kind of my favorite part.
It's a small part, but it's my favorite part of this position. And we also do kind of the general training and awareness that are, yes, there's compliance requirements, but I do feel Cloudflare takes it one step further and really enables this team to go and talk to organizations like, you know, our customer support team.
Hey, how can we work together better? And as a team going forward, now we kind of know more about the products.
How do we hook in and make sure that we're starting at the beginning with security requirements, which they're already doing most of anyway, or even with sales, right?
Yeah, I like that. Clicking on phishing attempts.
Right. I feel like everybody at Cloudflare is part of compliance.
Oh, yeah. We all have a role in it. And I think that's something that's been emphasized from the top down.
And I know that I have to do our, our compliance check-ins.
Yeah, I want you to know I did check to make sure you had completed your training before this session, and you did.
What was in your session?
I did, right? Okay, good. Oh, that's good. So you're based in the San Francisco office, but you're obviously, we're all in our home offices now.
Yes. You're based in the San Francisco office.
Where's the home office? The home office is in Southern California.
So I've been going back and forth as needed. But it's been nice to just sit in my empty house.
And, you know, the only, the only office mate is the cat.
Oh, nice. He's pretty demanding. So I don't know how I feel about this for the long term, but it's been nice to get away.
But there are things that I do miss about the actual office.
Yeah. So, yeah, it's one of the things I wanted to ask.
What do you miss? It's been a while, right? Yeah. Other than like someone else cooking food, I would love for someone else to be cooking food.
That's one thing I do miss.
Man, Wednesday catered lunch. I do miss that. You know, I don't miss the commute, but I do miss kind of the feeling of approaching the office door and like badging in and just feeling like, okay, I'm here.
This is where I wanted to be professionally.
Like, I'm really proud to work here. And there's just like something for me that happens when you kind of cross that into that threshold.
Yeah. And it's a nice physical space, right? Oh, yeah. I love it. It's open with all the sunlight in the windows.
And I agree, actually. And I do miss the food.
And one of the things I miss about the food, actually, is just the random meetups that you have with people while waiting in line.
Although I wonder. So when we do go back and it's looking like it's going to be a little while still, I imagine that the office environment will have been reimagined, right?
Yeah. I have no idea what that's going to look like.
I don't think anybody knows. I like to call it the before times, right?
Yeah. And then now we're kind of in it. And then there's going to be like the after times.
BC and AC before COVID and after COVID. Yeah. Yeah.
I'm also interested in how it's going to impact us culturally.
Like in the media and their storytelling.
And some of the things I heard during COVID, they talk about the epidemic flu of the pandemic of 1918 and how there really aren't any global memorials.
Maybe a couple, I think. And I don't know what that's going to look like.
We're obviously still waiting on a vaccine. Still got to turn the corner. So we're not out of the woods yet.
Yeah. I think whatever it's going to be, I have faith that the Cloudflare team is going to make it as normal as possible.
And I think we do have a really strong culture.
We're very connected. And I think they're going to do the best to kind of retain that.
And I'm really looking forward to it. They have a big responsibility to make it such as that.
And I hope to participate in it. I'm making a lot of efforts to make sure my team isn't feeling too overbogged.
And in fact, I'm trying to make them take time off actively.
Oh, that's good. I know we can get head down, right?
And just really press forward. But we do need to press the reset button every now and then.
It's a very challenging time. And I think that's great.
I know we talked yesterday and you'd mentioned that you've really been very proactive with your team and making sure that everyone's got their head straight.
And taking care of themselves. Yeah, yeah. That's been really important. Mental health checks, I think, are really important.
Whether it's just a, hey, how are you doing?
You don't have to pry. But I think asking the question and really caring about the response is a sign of a good leader.
It's a sign of a good friend. And if it's not those two things at work, then really, what are we doing?
Yeah, right, yeah.
I wonder, one of my favorite spaces in the office is the club level, right?
Oh, yeah. So for those not in the know, it's basically the basement, right? But they have graffiti painted on the walls.
It looks kind of hip and urban. It has a ping pong table and a pool table.
As well as conference rooms and the like. But I imagine that might not change much.
But it's really just the where we're sitting. How that's going to look.
I think the roof deck is going to be a popular space, right?
With the open air. Yeah, yeah. A security team is sitting in that club level right now.
Or was sitting in the club level. So I'll be happy to go up on the rooftop.
That's fine. Yeah, I like to go there for lunch. But also, they had a cornhole up there.
Oh, yeah, you're right. We go up there, especially on a Friday. And we just hang out a little bit later.
But yeah, we're, believe it or not, out of time.
Not bad. We have like 40 seconds. So Jackie, I want to thank you so much again for being my guest.
And I look forward to seeing you in the office.
Any last comments in our last 30 seconds? No, thanks for having me.
Incredible experience. And I'm looking forward to finally seeing you in person one day.
Likewise. Take care of yourself. Happy holidays.
Happy New Year. And we'll catch you soon. And good luck with the rest of Compliance Week.
You too. Take care.