Inside RSA Conference & jam.dev (a bug-fixing tool powered by Cloudflare)
This week, host João Tomé heads to San Francisco for the cybersecurity RSA Conference (May 6-9, 2024). First, we gather insights from attendees, ranging from a cybersecurity student on the brink of graduation to seasoned managers and experts.
We also feature Emily Hancock, Cloudflare’s Chief Privacy Officer, discussing the nexus of security and privacy. Plus, insights from Carlos Alberto Silva, a Portuguese venture capitalist with extensive experience in cybersecurity investments.
Last but not least, we hear from Dani Grant, a former Cloudflare employee and co-founder of jam.dev, a company dedicated to fixing software bugs and built on Cloudflare's platform.
In the coming weeks, we will host additional security-related conversations.
Transcript (Beta)
Hello everyone and welcome to San Francisco, California where the RSA conference is happening.
We're going to have conversations with Cloudflare folks, experts in security and also external folks.
And we'll also hear from Dani Grant that was a former Cloudflare employee and is now in a company called Jam.dev.
So we're going to hear from her too.
So check it out. So my name is Elizabeth Bushy, I'm a master's student at Carnegie Mellon University.
I'm graduating on Saturday with a degree in information security and I focus on threat analysis and intelligence.
So my name is Dr. Lisa McKee, I'm located in Nebraska and I am an assistant cyber professor at Bellevue University and I also am a founding partner at American Security and Privacy.
We do security and product services.
I've actually been at RSA many times, in fact I am now part of the loyalty program.
So this is a great event and one of my favorite conferences to attend every year.
It is my first time at RSA, it's been amazing.
I've learned so much from the different talks and meeting different people and the networking has been incredible and it's incredible to see all these different companies and people and the community that's come here.
So my name is Jace English, I work for Columbia University, we're based out of New York City and I work in their security operations center.
Just recently DDoS is something that we had to adapt to.
Before that it was phishing, rolling out our phishing simulation program and trying to get the results and make sure that people that are clicking on the simulated phishing they get remedial training and make sure that they know that, you know, just be on the lookout because the Internet is a bad place, it's a bad and scary place.
I've seen a really good focus on threat analysis and intelligence and not just like different technologies and isolation but sort of the confluence of these technologies and how we look at them together and their interactions and how we need to look at that going forward in terms of policy and implementation.
Tyler Wurtenbrook, I'm the technical manager for the IT team at St.
John's Health in Jackson Hole, Wyoming. We're healthcare so security is paramount, it's the thing we take first with regards to any of the solutions that we're looking at.
We have highly monetizable data so we've got to try and figure out whether it's point solutions or holistic solutions, how to protect it so we can do patient care.
My name is Adam Cullen and I am a security evangelist with Securion out of Chicago.
We are an information security consultancy serving large global multinationals.
Things that I was really invested in and things that my customers were paying attention to ten years ago are all extremely different now and, you know, as a consultant the things that I care about are generally the things that the marketplace cares about because, when we think about 3.5 million global recs open worldwide, finding the talent, the correct hands and the right blend of skills to be able to get stuff done is critical, but what things are we doing?
And that's the trends that evolve as the state of the market continues.
So it's primarily figuring out how to master the cloud, how to handle identities, vulnerability management and certainly how generative AI is impacting modern global networks.
What I really enjoyed was the opening keynote where they talked about some of the trends for this year and the one that caught my interest was risk because one of the things that I do is GRC and risk management, so that was exciting to hear.
So some of the things that are concerning is my friends and I always talk about Groundhog's Day and that we talk about the same problems year after year after year and that companies still haven't solved for some of the basic things.
So that's one thing that's still concerning and it leads to a lot of the data breaches and compromises that we see.
And I'm most passionate about data privacy because I think privacy laws and regulations are really going to help us move security forward because privacy laws, they have a lot of significant fines and penalties that come with them that I am hopeful will deter companies to do the right thing.
The main challenge with working in EDU space is the fact that knowledge is considered a shareable resource, something that everyone should have access to.
There should be no limiters. There should be no barriers.
Working in security, my job title and role goes directly against the nature of higher education.
So we are a Cloudflare customer. We've been with Cloudflare for probably about five years now.
We had to do an emergency onboarding of our main website because we had just been taken down by some DDoS attacks.
So overall, the experience with Cloudflare has been good.
There's some tweaks that we need to iron out considering the options that we just turned on from this DDoS event.
But overall, things are good. Initially, we purchased it for security, but our developers are looking forward to using it for other products, other functionality of the product.
I'm Emily Hancock.
I'm the Chief Privacy Officer at Cloudflare, and I oversee the product privacy and IP legal team.
So that means my team handles product counseling, privacy counseling, and all of our privacy program operations.
I've been at the company for six years.
So security is critical for privacy. And that's actually, for Cloudflare, one of the things that we talk about a lot is that all the security technology, all the security software, all the security software that we have in place to protect data, that's all kind of like privacy enhancing technologies in a way.
Because if you don't secure your personal data, then you're at risk. And in fact, like GDPR and the Federal Trade Commission here in the United States, the enforcement actions they've brought, they all say you have to have reasonable security as part of your overall data protection plan.
Some of the trends I've seen is, in addition to just the myriad things that are coming up in terms of the different kinds of security technologies that you can implement, one of the big things we're seeing, though, is the emphasis on reporting security incidents.
But those are almost always personal data breaches also.
So that's one of the big trends we're watching right now is new regulation in the United States and Europe and elsewhere to report on cybersecurity incidents.
There's just more pressure, both from customers and regulators, to make sure that you're talking about whenever you have that kind of an incident.
And that's one of the things that we think about at Cloudflare.
Not only, you know, if something happens here, how would we report it, but also we think about it for our customers because we know our customers have those reporting obligations.
So we focus a lot on that as well.
So if I'm trying to explain what I'm doing and what my job is, it's really trying to figure out how to identify the data that a company has, how to understand who has access to that data, and how we protect that data.
So that's all part of our privacy program, as well as other things to help sell our products and to show how the products that we make, that we distribute, all can be privacy enhancing and help make the Internet a more private place for personal data.
I think we are tagline at Cloudflare is always to say that a better Internet is a more private Internet.
And so I think for me, that means a couple things. One is we have a lot of products like 1.1, for example, that can help disassociate an end user from the IP address that then a website sees when somebody is traveling around the Internet.
And that helps give somebody a little bit more anonymity, and it helps protect personal data.
It helps protect you from being tracked across the Internet, for example.
So I think a better Internet is more technologies like that and more widespread technologies like that that will help people feel like they have more privacy as they're moving around the Internet and less visibility with tracking technologies.
That's really the biggest thing for me. And then I think the other thing for me that I spend a lot of time talking about or thinking about is cross -border data transfers.
And a better Internet to me is that data is able to flow and that we stop equating location with privacy.
And that instead we allow data to flow across borders and figure out ways to keep it secure through technology and not just through the application of laws.
I think the most fun thing about working at Cloudflare is the people I get to work with because everybody is really smart and knows a lot about technology.
And so it's really just fun to always be learning about a new thing we're doing and trying to understand it.
So my name is Carlos Alberto Silva. I'm a co-founder and managing partner at 33N Ventures.
We are based in Portugal, of all the places, with offices in Porto and Lisbon.
We also have a venture partner in Israel and another one in Luxembourg.
What I do is basically we invest in cybersecurity companies, Series A, Series B, companies between 1 and 10 million ARR.
And we help them mainly with the expansion across the European market.
But as we are a global investor, we also bring a lot of experience and a global perspective that typically is seen as very valuable by founders.
So we are here at the RSA in San Francisco.
And this is something that we do for quite some time now, probably more than 10 years.
This is the biggest cybersecurity conference. And this is the place to be if you are a specialized investor like ourselves in cybersecurity, because here you meet pretty much everyone.
So besides the Zoom meetings throughout the year, here is the place for you to hang out with your peers, to meet new companies, to speak also with the existing companies, the companies that you have in the portfolio, the investment banks, so pretty much the entire ecosystem.
So the trends actually is a good question, because this year... So AI, of course, is something that comes pretty much in every conversation.
The space itself is going through some sort of adjustment post the crazy years of 2021 and 2022.
But it's kind of picking up. So the spending, of course, continues to grow.
And there are strong paths or strong avenues in terms of innovation. So AI is definitely the priority in the budgets nowadays in the big corporates, but a concern across the board.
And then you have, whenever there's a new innovation coming in, there are 12 or more attack vectors.
So meaning that there's a space for a lot of innovation.
Besides AI, areas like third party cybersecurity risk management, efficiency for the cybersecurity teams, IoT security, where you still have a lot of blind spots, OT security for the factories, the plants, the reality out there, the geopolitics dynamic that you can see.
So the cyber warfare is something that also comes along.
So I would say that more and more and looking backwards and in perspective, you see that cybersecurity is becoming more pervasive every single year that passes.
What we typically do, and it's on an ongoing and continuous basis, we try to identify interesting spaces well in advance of the companies coming to our sweet spot, because we invest in companies between 1 and 10 million ARR, which means that we need to start looking at companies well before that, well before they reach that mark.
Because what we do is on each specific space that we identify, we try to track the market traction.
We try to assess whether or not the problem is real. And then whenever we, so as soon as we get comfort on those things, we start to look at the companies with a little bit more detail.
We start to engage, we start to collaborate with them.
And so if you ask me now that in terms of some of the most emerging spaces we are looking at, so we are looking at things like computational computing.
We are looking, of course, at AI, but not necessarily because it's still very emerging.
On AI, there are a lot of, so the picks and shovels. So we are looking at how to structure the data, how to take the benefit of the data, because we know that data will be key for whatever AI deployment you do.
IoT, I mentioned it, so it's a space that we continue to look at.
But there are a lot more, so of course.
It's a good question and fundamentally, so being an investor in cybersecurity means that we have kind of a cynical view over the innovation, right?
Because as I told you, right, so for each new technology that you adopt, there are a number of attack factors.
And what's more, and this is unique to cybersecurity, right? So these innovations are also adopted by the cyber criminals, right?
So by the bad actors, which means that this is a two -fold challenge for cybersecurity.
So of course, the Internet of the future, my wish list is that it will be a safe Internet, a more secure Internet.
But we do have significant challenges, not only on protecting the assets, but now, for example, one of the, and this is something that I forgot to mention in terms of something that we hear a lot in this conference, misinformation.
So misinformation, even though it's not as a core cybersecurity technology, right?
It encompasses several technologies. But misinformation is more and more a significant concern.
It started on the governments and the law enforcement agencies, but now it's definitely something that is coming to the corporates as well.
I'm Dani, I'm one of the founders of Jam.dev, and I'm based here in San Francisco.
We help anyone, we help 100,000 people around the world report bugs to engineers in a way that helps them debug faster.
We've helped people solve more than 2 million bugs now, and now we're on to the next 2 million, 10 million, 200 million bugs.
Every single one of our users is someone who's trying to shape some corner of the world through software, through the web.
Like whether it's education or healthcare or financial, they're all trying to make a difference in that corner of the world, and they're doing so by building for the web.
Well, of course, by connecting everything, we also connect bad actors too.
And so we spend a lot of time making sure that everything is buckled down, very secure.
And so that's one of the challenges.
But in terms of opportunity, I get to work with incredible people all over the world who I otherwise would not have met.
And as the Internet connects more of us, as it helps translate between even language barriers, I'm really excited that we're able to build a company where we can hire literally anyone, anywhere, anyone who wants to join us on the mission, and is going to work really hard with us to do that.
We get to work with them to do that. Jam is more important today than it was five years ago, because as more of the world is coming online, as we have remote work, and we're working from our phones, working from all sorts of network conditions all over the planet, the bar for quality is just higher for every company that's online.
And quality is now more than ever correlated to revenue for software companies.
And that's why tools like Jam that help you ship better software are more important today.
Look, most people who have reported a bug to an engineer have had the experience of, you put all the screenshots and the JIRA ticket, and then the engineer opens the JIRA ticket, and then they write, it works fine on my end, and then they close the ticket.
It's so frustrating, because you know there's a real issue for the customer, and the engineer wants to help, but they just don't have enough information to repro the issue.
And so we're trying to put that to an end. Engineers' time is so valuable.
You should be able to solve issues immediately and then get back to building what's next, because software is what's changing the world so rapidly.
The more time engineers get to build new features, the faster the world evolves.
About a year ago, we started to see engineers, when they get bugs reported to them in Jam, they copy-paste the errors from Jam, and they put it into ChatGPT.
And we want to streamline everything about the bug-fixing process, and so we brought ChatGPT into Jam.
And instead of in the old world, you'd open 14 Chrome tabs in order to debug something, and you'd look through every Stack Overflow tab.
Now you're prompted with, here's how AI would solve this, and where you might look in your code base.
AI helps us do more for our customers. It's super, super exciting. But more than that, the promise of AI for all of our customers, that they'll be able to deliver more features, they'll be able to do more with a small team.
But that actually means that the surface area of their software is bigger, and so there's more stuff to fix and maintain and iterate on, and so the need for Jam becomes greater.
Like a slow communication cycle in the AI age, it's a non-starter. It's too expensive.
So you have to streamline that bug communication. I'm so optimistic.
For one thing, the amount of opportunity that the Internet is bringing to the world through access to education and information, access to services, and access to jobs, is just super, super exciting.
I grew up in Mountain View, California.
I grew up in the Silicon Valley, and the meaning of Silicon Valley was this was a place where a lot of tech startups were being started.
But that's not really how the world works today.
Because of the Internet, people are able to join forces to build amazing things wherever they are in the world, and that is so freaking awesome.
But I think the Internet is also changing in other ways.
Like up until now, the more you use the Internet, the more useful it was for you.
I think in the future, the less you use the Internet, the more useful it will be for you.
And that's because the Internet is gaining intelligence with AI, and it's going to be able to operate in the background, and it's going to be able to do things for you without you interacting with it right in that moment.
That makes it so that it powers you in your day-to-day, allows you to spend time in the real world, but you don't have to always be in front of a screen to use it.
There are a lot of startups building AI agents, and it's so amazing where the world is headed.
You could imagine something like in the future, you're walking around, you have your AirPods in, for example, and instead of you having to ask Siri for something, ask an agent to get you something, you could imagine you're on your way to the next meeting, the AI agent knows where you are, says, you'll need to turn here, and while you're on your way, let me prep you with what you should know, what you should think about before the next meeting.
In the past, the Internet was a place you would go to.
Think in the 90s, you would log online, and then you'd come back to the real world.
And now it's even more fuzzy, right?
Do you go to the Internet? I spend all day in the Internet. My team's in Slack.
But I think that trend will continue onwards, where the Internet is not a place you go, but it's something that powers the real world as well.
I think the Internet in its prime form is twofold.
One, that spreads opportunity all over the globe, so that anyone who's hardworking, determined, and wants to impact the world positively can do so, and build tools to do so.
And two, that it empowers us to build real connection in the real world, and that rather than spending our time alone on a screen, it's a force that brings us all together.
Look, definitely there's an energy here in San Francisco.
For example, tonight we're hosting Tech Talks on Cloudflare's roof, and more than 500 people tried to sign up for it.
The wait list is hundreds of people's long. And so there's this energy to build here that's really special.
And last week, the whole Jam team went to Bogota in Colombia to do a work off-site, and we met some users, and they all told us most of their friends are not in tech.
There's not that same level of...
It's not a hub in the same way. And so, yes, there's still meaning to the Silicon Valley.
Yes, there's still many people coming together all around the topic of software, but how we've built our team at Jam is it's people from all over the world.
Whoever wants to contribute to the cause of helping software be produced faster, and is going to work hard and be on the mission with us, we're in it.
I mean, Jam is all built on Cloudflare.
We use Stream, we use Workers, we use every Cloudflare product, and we absolutely love it.
What an amazing product to get to build on top of.
Actually, the way we do product development at Jam is what we learned from Dane, who runs the Emerging Technologies team here at Cloudflare.
So on Dane's team, they do something that most teams don't, which is they built zero-to-one products, and they have a special formula for doing so.
That's what we use at Jam now, too.
The first step is you build a prototype that's meant to be thrown away. And the reason for that is you learn more from a prototype than you do from a PRD.
And so you write throwaway code so it's fast, but you can get something in hand and just start using it and learn.
So step one, prototype. Step two, you discard the prototype, and then you build what you actually wanted to build.
And you get it to something that the team itself can use.
And no external customers use it until it's good enough for the team.
So there are iteration cycles there. Step three is a customer beta, and step four is a launch.
We learned it from Cloudflare, and we do it now at Jam.
That's it for this week. Goodbye from San Francisco.