Security Unfiltered

Grant Borzikas' Unconventional Journey to CISO of Cloudflare

July 15, 2024 Joe South Episode 162

In this episode, we dive into the fascinating story of Grant Borzikas, the CISO of Cloudflare. From his passion for baseball and a brief stint in accounting to becoming a prominent figure in IT, Grant's journey is anything but typical. Listen as he recounts how his father's influence and his own relentless curiosity led him into the tech world.

Grant shares his early experiences balancing financial auditing and computer risk management roles at Arthur Andersen, highlighting the challenges he faced and how he overcame imposter syndrome through continuous learning. His insights and personal anecdotes offer valuable lessons for anyone navigating their career path.

We discuss the importance of continuous learning for IT professionals, covering key areas such as understanding personal learning styles, asking fundamental questions, and securing certifications. Grant emphasizes building a strong foundation in technical areas like Linux, networking, and DNS, and staying ahead in rapidly evolving fields like AI and machine learning. Discover how tackling challenging subjects and maintaining curiosity can significantly enhance your career, keeping you relevant and effective in the fast-paced tech industry.

The episode also explores the future of AI in cybersecurity, addressing both the promising advancements and the sophisticated threats posed by AI-driven attacks. Learn about the crucial role of data and intelligence in strengthening network security practices and the innovative approaches of companies like Cloudflare. Grant discusses the accessibility of Cloudflare's services, from creating accounts and developing websites to utilizing security solutions with ease.

Packed with insights and practical tips, this episode is a must-listen for anyone interested in IT, cybersecurity, and the relentless pursuit of knowledge. Join us as we uncover the remarkable journey of Grant Borzikas and his contributions to the tech industry.

Support the Show.

Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902


Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1:

How's it going, Grant? It's great to finally get you on the podcast. We've been planning this thing for a while and, you know, I'm really excited for our conversation today.

Speaker 2:

Thanks for having me, Joe. It's great to be here, so I've been looking forward to this.

Speaker 1:

Yeah, absolutely. So, Grant, you know, why don't you take me back to when you started, you know, or when you started to kind of think maybe IT is for me? You know, what made you start to think that way, what made you start to go down the IT path?

Speaker 2:

It's a good question and funny one. So I grew up playing baseball. I was kind of a jock playing baseball on a baseball scholarship and when I decided I kind of got burned out. I didn't really know what I wanted to do. So the one thing I realized is you should always listen to your mother. And so my mother said I should be an accountant. You know, I said, well, that seems like a good career, not what I'm doing today. Right, and so I kind of started to pursue this accounting thing.

Speaker 2:

You know, early in life my dad was a teacher and he, you know, he was kind of kind of the. You know, in the early to mid 80s it was the teacher who supported the school systems or computers, and so every summer he'd bring on his computer. So I was always interested in, so I've always had a hobby in this. Now what's interesting is, going back to the college thing is, you know, I did, I wanted to be an accountant and about halfway through my accounting curriculum I decided it was terrible. This is the most worst thing I could ever do and realized that I wasn't really good at it either. If you've never had to do a T-account and figure out your debits and credits. You know it's not super exciting. And so I kind of went back to the roots and started. Like you know, I'm going to go see if I can get my, you know, computer science degree and sort of taking C++ and you know, some database courses.

Speaker 2:

Now maybe this was the late nineties and, you know, decided that that was for me. But I was too late, you know, kind of in my curriculum. So I finished out my accounting degree, um, and then I joined Arthur Andersen, um, kind of their audit practice, but they actually did. A really good thing for me is they were taking advantage of me either way. So I worked busy season with the financial auditors, you know, using kind of my CPA and my credentials, and then during the kind of off season for the financial auditors, I worked the busy season for the technology people.

Speaker 2:

When I joined Arthur Andersen I had two jobs and that was they even called it computer risk management, which I always think is kind of funny. You know it needs to be a little bit, but that was how I kind of got into it and I've always felt, you know, I think every technology person feels a little inadequate of their technology skills, especially, you know, somebody who has a CPA, and so I just learned and learned and learned and learned and read every book I could possibly find, you know, when Borders and Barnes and Nobles have the stores. Every weekend, after I would travel on a project, I would come home, get a new book and read it the week, and I would do that over and over and over and over. And that's how I kind of got into doing security, you know, 25 years ago.

Speaker 1:

Yeah, it's fascinating. You know you pretty much answered what would have been my next question. Right, is the imposter syndrome part of it? And you know you bring up reading books, right, and going through them just to learn more and learn as much as you can.

Speaker 1:

And I remember, you know, one of the very first jobs I had out of college I was working with federal agencies and I mean, you know they, they just they put you in the most difficult situations possible when you're on site, you know with with the most intimidating people possible. You know you're talking about like someone that like you want, want to, you want to enable SELinux. Oh well, we have the guy that wrote SELinux down the hall, you know. And so, like you can debate different topics and things like that, Right. And I just remember, you know, for going on site, that that very first day I felt so inadequate, Right. So like I shouldn't be here, what, what the hell am I doing? I'm just going to catch an early flight home. This isn't for me. I'll change careers.

Speaker 1:

And I sucked it up and I went and got a book. You know, I think it was like the Linux Bible or whatever. It was. Right, it started going through it and you know, my first trip was pretty rough. My second trip was a little rough, a little bit better. Still some room for improvement and it got better the more I did it. And it's interesting that you bring that up because I feel like most people nowadays most people coming out of college, I guess that are trying to get into these roles, they're more focused on knowing everything right, Going into it. And it sounds like you and I relate on this. I mean, we know, we knew maybe what 10, 20 percent of what we actually had to know to get in, and it's like someone gives you a break, right, and it's like, okay, we'll take a risk on you. You know with this and you take it and you grow with it.

Speaker 2:

Yeah, I would agree. It's like just-in-time knowledge. One of my favorite stories I haven't thought about this in a long time was I think I was 22, and they asked me to do an AS400 audit. And I'm like what's an AS400, right? So they're like that's not something you learn in college. So I read the book, I read all the IBM manuals and did all this stuff and did this audit on them.

Speaker 2:

And in the middle of me reporting out this audit, I get Holden. This was going to be right. His name was Fletcher. Fletcher looks at me and goes son, how old are you? I'm like, oh no, this is going to be a terrible like 22. He goes like shit, man, I've been on IT longer than you've been alive. What are you going to tell me that I don't already know? And I'm like no, that's. And I just looked down on the side. I'm like, no, I appreciate it, sir, but I think I'm right here and you have to stick to your ground. It was one of those things that it was one that you had to be prepared for, everything you did. But I didn't know anything about the US at that point, or web applications weren't even out back then. And so to your point.

Speaker 2:

The imposter syndrome is real. You can't know everything that there is to know. I think, now that I've done this for a long time, same thing with you. You can ask the right questions, but there's always going to be somebody that knows something more about something than you do. But you have to be able to put it together and I do think you know I am still back.

Speaker 2:

How did I go from, you know, an accountant to learning programming, to growing up with computers, to learning DNS? Or you know, I got my MCSE. Why did I make my MCSE? I've never been in MCSE because it was a learning track, right, I got an NTE in 2000 and I got my all my Cisco certifications just because it was a learning track. At some point it was read and then try to figure out a way to learn All of these things that are very beneficial today. I'm glad I did it now, because back then because it'd be a lot harder.

Speaker 2:

But I think you always have this imposter syndrome of how do you know these things? Now, the things I know really well today, there's things I you know amusably well. There's things I can kind of guess at. It's a little bit like the matrix. If you do this a long time you kind of know that kind of connects into this. So you know this operating system is like that or this operating system is like that. You may say the wrong thing but in general it's not the same thing. But it is a tough, it's a steep market to get over. But once you kind of get to that peak, you know, after, you know, 10, 15 years, you have a pretty good idea of what's wrong pretty quickly.

Speaker 1:

Yeah, that's a really good point. You know, I always start everyone off with figuring out how they learn. You know, one of the one of the best benefits that I got in my undergrad was just learning how I learned what made sense. You know, for my brain, for me to consume as much information as quickly as possible, right, and you know like to your point. You know, asking the expert on site about the AS400, you know, whatever solution it might be right. But you know, when they're giving you the answers, you have to not just sit there, at least for me, right? I can't just sit there and just take it in, I need to. You know, at a minimum, now that I've been in this thing for 10 years, right, I can at least think about the picture. But in the beginning I had to draw out the picture, like, hey, show me what this, what this looks like. And it wasn't until I got the picture that I could actually understand. You know what was going on, and so it's. It's critical for you know people getting started to ask those questions that they're probably even nervous to ask, right, because you're like, probably feel like you're almost insulting the expert, right? But at the same time, it's also very important to understand how you learn best so that you can take that response and really internalize it and move forward. And you know what you were saying.

Speaker 1:

With the certifications, you know that's something that is, I guess, hotly debated, you know, in security and IT overall, right Is do I need certifications? Can I get started without them? You know, whatever it might be, and I always tell people the certifications they solidify your knowledge, right? So you can say I've worked in cloud security, AWS is my primary cloud. You can say that that's fine. But if you have the AWS security specialist certification, where 5% of AWS employees have this certification, it's not very well owned, I guess community right, because it's such a difficult certification to get.

Speaker 1:

You're immediately, you know, you're taking that conversation from "I understand AWS security" to "Oh yeah, no matter what we throw at this guy in our environment, he's going to understand how to do it." And you get that skill because you're able to, at least with these, you know, higher level, technical certs. You're able to dive into it at such a level to where it's like no, I understand what I need to use a VPC endpoint versus a bastion host. You know, I know the benefits, I know the cons of it right, and all these different ins and outs that you know pay dividends in the long run. Did you think that as well when you were, maybe when you were going through it, or even when you look back on it now and you have that foundation?

Speaker 2:

I think and I'll add one more I think I've always thought about books, kind of certifications, and then, you know, kind of professional education. And so I think, for the certifications I didn't know what to do. Like, what should I learn? Like you know, I see a lot of people come out of college I want to be a pen tester. What does that mean? Like, what is a pen testing school? Like, well, you need to know Linux, right, like, let me teach you Linux, then you know Linux. You know how networks work. Can you know routers? It's going to be real tough in those things.

Speaker 2:

And so I, you know, my thing was there'd be a topic that I wanted to learn. It would take something like DNS. I didn't understand DNS. I made a mind book Okay, well, that's super dry, but I read it.

Speaker 2:

Or you know a lot of the sort of occasions where I needed, I wanted to learn and master an operating system or networking. And so I kind of picked a topic and went through it and I think that was very beneficial. And then it allowed me to say, oh well, you know they, you know they talk about IPsec. What is IPsec? Well, IPsec, I think VPNs, and what does a VPN work, and then I could kind of like start to focus on things. Right, you know, what's a firewall do? And go read a firewall book. Right, and you know I've listened to many of your podcasts and people talk about they got to start from firewalls with one of the Fortinets or the Gauntlets or the Raptors. And you know iptables, right, you know, the thing I remember is Shorewall was the one that always helped me get iptables to work on Linux, because iptables was confusing back 25 years ago and you know it would give me a path. And the other one I think is interesting.

Speaker 2:

And so I've always thought I just started to find masters about two years ago in machine learning and data science, and I did it because I thought I needed a bigger push on learning, kind of the fundamentals. I thought AI back in 2019 would be important. I think I was right, but I spent three years doing it. But that was hard-forced statistics. What's chi-squared? I forgot. I haven't heard chi-squared in 30 years, right, and so I looked at it as I needed a professional education that was well-equipped with connections. That, I thought, was something was super relevant.

Speaker 2:

You know DNS is. You can read a book on DNS, can't really read a book on neural networks. If you do, you can, but then you won't understand the statistics and the fundamentals and the. You know it's Python or you know you want PyTorch or TensorFlow and what's a layer, and so that stuff gets complicated and I thought I needed the basics and so I always say there's those three things. If you're looking for a point topic, it works a great way. You know if there's a certification that can get you mastered in a core area, or you know professional education on something that has been very beneficial, and I think I try to look at it as those three things. And then the last one I would say is like take your own career into your own hands and try to manage it and apply those kind of three capabilities or three levers you can do and build yourself to what you want to be.

Speaker 1:

Yeah, that is a really fascinating way of putting it. You know, I feel like people should use, you know, use formal education as that stepping stone to get into a new emerging area. I'll give you an example Back in 2017, 2018, I graduated with my master's in cybersecurity and I used that to catapult my career into cloud security. To build those bricks, I got different certifications. I read, you know, more books than I can even remember on AWS and Azure and GCP, and so I have, I have forgotten more about the cloud than I feel like I even know today. Right, that's the situation.

Speaker 1:

And now, you know, fast forward a couple of years. Right, I'm getting my PhD in satellite security. Why am I doing that? Because the next, the next war that takes place, is going to start in the satellites before it ever hits the ground, or anything like that. Right, and you know we need to have the capability to protect our communications against quantum. You know quantum computing algorithms and things of that nature, right, so it all starts and ends with the satellites, at least in my mind. So I'm stretching myself to get this PhD in an area that you know. Even my chair, who's done this for 20, 23 years now, he's like, hey, this will be a stretch. You know it's gonna be. It's not gonna be easy. This is gonna be hard for you like okay, well, you know I'm up for the task, right and it.

Speaker 2:

Yeah, that's a good analogy. I think you're at the same point. What you're doing. There is something you believe that's important. I think it's important in the future. Same thing with what I did with AI. I just don't think I can teach this to myself. I need to be enriched in writing Python three hours a night. We had a new kid, a new baby at the time, and I remember I would go lay down with him and on my phone I'd be reading the books, textbooks, while he was sleeping so I could get him to go down, and so it's a different rigor, right, it's commitment of 15 to 20 hours a week.

Speaker 2:

For me it was coding, which was nice for being in my role today. Uh, just to sit there, put my headphones on, tune everything out of the world and just write some crappy code, because I'm not a real good coder. I'm a good data science coder, but I think in essence, it was a really good way to understand fundamentals and, just to your point, you know, with what you're doing with your PhD, you know you're going to understand it very well. When you hear people talk about it, you're like it's not very accurate and that's what I hear all the time with AI, I'm like, oh, I'm not sure AI is a small or mean, but there may be people that think it is and so you know, I think it's a, you know it's. It sounds like we're, you know, kind.

Speaker 1:

Yeah, yeah, absolutely. Why don't we dive into what you're doing now? What's your role? Where are you at now?

Speaker 2:

Yeah, so I'm at Cloudflare. Cloudflare's a really cool place. I'm talking about Cloudflare and I'm the chief security officer and I also have the CloudForce One broad intelligence. So that moved over to me about six months ago and so kind of the system rules what you would expect it to be. You know, protecting Cloudflare, so kind of the charter, protect Cloudflare, foster innovation, so working with the product teams, using all of our products, you know, just providing feedback and then talking to customers and so having a pretty long, extensive CISO background, if I could help people, I'm kind of a free resource, which is kind of cool, and so that's been. That job alone is super cool.

Speaker 2:

And when you protect 20% of the internet and you see 209 million attacks a day, you get attacked. We had our security incident in Code Red that we openly talked about. That's one of the things we do. We talk about everything and that was really exciting to talk about because most people don't do it. And then I think the CloudForce One side, and so I have a group of analysts that you're thinking of. All this intelligence and threat intelligence and data, how do we use it for? How do we capture it for our telemetry? How do we use it for machine learning? How do we use it for research? You know how are we stopping attackers, and so I think that's, like you know, security person's kid in a candy store.

Speaker 1:

Yeah, that is. It's really fascinating, you know, and I was actually just having a conversation about this with someone where I feel like with AI, we've kind of let the genie out of the bottle and the genie won't go back in, and I feel like we're opening ourselves up to so many different and brand new threats and attack vectors that we don't even know about. You know, like I, I'm working on several side projects and some of them are using ChatGPT and ChatGPT just put NSA director on their board of directors and it's like okay. Well, yes, this guy could be completely separated from the NSA, but I'm not an idiot. There's only so much that you're going to be separated from, right. So we have to protect our intellectual property from an AI algorithm that could literally just read what's on your screen and post it on the internet. I saw this yesterday, right where someone held up a sticky note with their Wi-Fi password.

Speaker 2:

Yeah, so how I got into this, it was when I was at McAfee and I ran the labs organization. You know, at that point McAfee had a. It was when kind of a consolidation in McAfee existed. And you know, they'll get sensors and be like, well, we just need to use machine learning and fix it. And I'm like, well, what does that mean? Like we just need to do a random forest on all our data. And I'm like I didn't know a random forest on all our data means. And so that was kind of how I got into going down this path. And then I, you know, went to McAfee and joined a couple of banks.

Speaker 2:

But I think to your point is, you know, we don't always understand what the technology is doing and you know it's relevant. I always think what we're doing with LLMs is very simple it's NLP, it's data protection, don't let data leak to the internet. Like we've been talking about that for 20 years and we just all have enabled the tool. That is really good at it, right. And so I think to your point, you don't know what the data is. And so to your point, I'm just, if he goes on here, or the data is, and so 2.1, stiffy goes on here that where the data is captured in an LLM, it's the same thing. I don't actually know what's in the LLM. Is it right? Is it accurate? Do I need an LLM to check the validity of my LLM, right?

Speaker 2:

So you know, it's all this stuff that's very interesting, you know. Interesting, you know, are they putting bad data in there? So when people use it, you know, and so I think we've injured a chasm that is dangerous, super up, like I think I'm super optimistic about AI, but it's, you know, I've watched people. I've watched people on our workers platform. You know, workers AI is super cool and you can go pull a LLM model down and run it. I'm like that was way too easy. And then I'm like, well, what's in the model? Is there like a root kit? Are they stealing my API keys when I do a build book? Are they just part of this data off my machine, like whoa? And so I think those are things that you know the technology is so cool and there's so many advantages of it, um, that it just is is there and I'll even say, like I used it the other day, um, for a home project.

Speaker 2:

I was like I don't really want to code. This API is put in like hey, you really colored the hook in the API, it spits it out, I'm done right. That that's, you know, super amazing progress for developers. But you know, you guys go what. What did that do Right? And and and what is that data being used for, right? So I think it's, you know, super interesting. And we're just in the early stages of AI because, you know, the LLMs don't actually know anything, they just assimilate words, right? We're not into inferring words or references at this point. That's, you know, a few years out, and that's where it'll get very interesting.

Speaker 1:

Yeah, you know, being at Cloudflare especially, you know, at the role that you're in. Are you seeing AI change the kind of attacks that you are, you know, protecting your customers against? And when you see if, if they are something like brand new right, that wouldn't be possible or would be very difficult without AI. Um, how are you, how are you able to quickly adapt right?

Speaker 2:

Yeah, so it's a good, it's a good question. I always smile when, when somebody asks because, like, how do I know that they're using AI to attack me? Um, I think they're probably using very similar things that we're all using is you know? They're trying to find ways to automate, and so what I've seen a lot is attackers are much quicker. They're building automation scripts. They're saying, hey, give me the you know, be able to give me the code to pull down all of my customers from Active Directory and they'll exhumate it. I think it's still probably in an infancy of AI is what I will say, and I always say well, what does AI mean? Are they trying to figure out what my algorithm is, what data sets I've put into it, what features I've extracted, what feature importance, and then they're going to manipulate the model? That very well could be true, but it's really hard to detect those things. I do know some things that we've seen.

Speaker 2:

I think we wrote a blog about Log4j. We saw Log4j early before. Log4j was Log4j. That was a year, because we were able to source it back to the original developer that wrote it, and I think that was a cheater, because we were able to source it back to the original developer that wrote it, and I think that was a few months before it actually occurred, and so it's one of those that you actually you know it's interesting from a data, from a reporting standpoint of what is out there and how it's being used, and so I still think it's early and still think that companies are still kind of learning wealth, wellness and learning and algorithms and things outside of the logistic regression.

Speaker 2:

You know, I think it's going to be more important on how you can actually automate and get into things and what else. Even our kind of the first breach we had this year with Okta, that was 100% scripted. I mean, they were so fast, not having access to very long. They did a lot of reconnaissance, and so I might call that AI, but I also might call that really good intelligence, knowing exactly what they were doing, and so reconnaissance is probably intelligence as well. Right, like, what tools is Company A using? And GPT will probably tell you. So it's a lot easier than having the skin and tasks and, you know, be stolen.

Speaker 1:

Yeah, that is. It's really fascinating. There's a lot of things there that we can dive into. I feel like, you know, with Log4j, how were you able to, and I'm not expecting you to know this answer, but how were you able to, I guess, attribute that code to the specific developer or the group or whatever it is? What does that look like?

Speaker 2:

Yeah, so I think once you figure out what the attack looks like I was talking with John Graham-Cumming. He was telling me the story. I wasn't here, but once you understand what the attack is, you have so much data and we can replay the data right, so we get 20% of the internet. So if we know actually what the attack is, we can actually go back in time through our telemetry and look to see where we first saw that Right, and I think this is what makes Cloudflare unique. This is one of the reasons I thought coming here would be amazing is, you know, if we can do something like that, we're endless in the opportunities and technology that we have, especially with the platform that allows us to do it. So you can actually, and I believe we worked with the government to help find attribution on the person, and so it's one that you can't. You know, even if you talk a little small, tiny website, we have the logs right. About 20% of the internet is coming for us. We're going to see something, and so they're not going to launch a log for JMR making institution for the first time. They're going to try, right, and they're going to try a small website that's been posted on GoDaddy or somebody like that because they don't want it to be caught, and so we have little websites.

Speaker 2:

We have over 30 million internet properties, and so I think it's a good place to test and then we can go trace it back and say, well, what is the inception of this, of this and I think even in those things we see that we do this actually a lot that there might be a zero day that somebody gets hit by a company will call us.

Speaker 2:

We can kind of trace it back and then put a signature in, because they're writing around the email, right, so they can kind of figure out what works and what doesn't work. It's either blocked or not blocked. It's pretty easy to know if you're blocked or not blocked, and so they have to try that somewhere. So if we can kind of go back and look at it and say, kind of like a time machine, you know that's a really cool capability because of where we sit on the internet and nobody can do that right and so, and that helps the platform, that helps the product and that helps efficacy, right, things that I think are super important on how do we do that? And you know, I just think that's really cool.

Speaker 1:

You know I have, I guess, an interesting question, right, so you bring up that. You know you guys see 20% of the total traffic of the internet, which is, it's a really impressive number, you know. It's a huge amount of traffic that you see, right. Just to even parse it and identify something wrong in that data is impressive alone, right. Is there ever maybe an internal discussion around like what a critical mass, you know, traffic consumption would look like?

Speaker 1:

And the reason why I ask is because you know when, when companies start to you know I, I guess, potentially consume that much data of the internet or see that much you know data of the internet, it could be like a single point of failure where, if you know, if cloud, you know, let's say, sees 51% of the internet and a hacker finds a way into Cloudflare, that could, you know, theoretically right, put 51% of the internet at risk of something. Is there ever any talk about what that looks like? Because obviously, you know, from a business perspective you would want 100% of the internet. Obviously that's not a controversial thing at all, right, but from a security perspective it's like, well, what's the right amount that we should actually be at?

Speaker 2:

Yeah, it's a good question. I think our view is, the more data you can run through us, the more intelligence that we can give you. We'll never get to 100% of the internet. 20% of the internet took Matthew and, you know, Matthew and Michelle, you know, 14, 15 years to build, and so you know we'd love to double it, probably, and be able to provide telemetry. I think the network, the reason we have the network, is because we have the websites that have the traffic that give us access to. You know carrier level grades, you know, you know peering with ISPs and those things that none of our competitors have, so you can almost call us a global ISP, right, and so I think that's interesting.

Speaker 2:

The one thing I'll put my CISO hat on and say, you know, from a strategy security standpoint, you know I think about things differently. So one of the things I'm talking about is how do we build immutable infrastructure? Right, then you know we could have a severity issue, and so if I get to new infrastructure and you know a lot of our infrastructure is already immutable, which really helped us kind of with the Thanksgiving incident where you know everything's in memory, everything's encrypted. We redo it every 30 days, we reload operating systems every 30 days. There are other things that we want to make sure we want to do consistently across the environment, but that allows me to have a trigger that, in a breach, I can just start resetting things and evict. You know, in minutes and I think this was something that Matt and I have talked a lot about is how do we get to immutable, how do we only have signed things right here, how do we, you know, you know all everything's short-lived certificates, everything is. You know, you know, hard in the way that it would be. You know you can't get in the cages that get turned off, and so that you have a lot of this in place today.

Speaker 2:

But I think, when you think about our place in critical infrastructure, that's what you have to expect out of us. Right, you know. And so and I use this with a lot of CISOs and say, well, can you trust cloud service? So this is where we are, this is what I'm building. Can anybody do that? Right, and it's not me building, it's the engineering teams. Right, it's how do we build backup control planes in every country? How do we have data sovereignty in every country? And so you know, that's not something you know we talk about. We're a security company we talk about, hey, we're. You know, the next artificial intelligence company with all we do on the edge will be the largest inference network in the world.

Speaker 2:

But at the end of the day we'll have 20 plus percent of the internet coming through us and the team takes it very serious about security and how we do things. Even, you know, the BastionZero acquisition we just made of, hey, we've got to improve how we do privilege management, right, and that's. You know they get a few trolls in those places, but it's, how do we get this to world class? And then we have a conversation about you know how we do security versus how our competitors do security, and we're not. You know they're going to be like, wow, we're trying to hard run. No, I have the same version of Linux running on everything in the global network and it's, you know, everything's updated every 30 days to the latest.

Speaker 2:

And then we have a whole other management program. Because, right, I mean, that's just an amazing thing, but you know, with you want 40% of the internet, or you know whatever that number is. Or you know, get to 25% of the internet, or 30% of the internet, is something that is good for the internet, we believe, because we're trying to help route mini ISPs, because if you look at Radar, there's a lot of you know. Look at some of the elections, you know, global networks are being turned off in certain countries so you can't get the latest news on elections, and so we're trying to help people be able to not do that. And that's the thing I always think, the mission of helping build a better internet, and we just did a pulse survey, the engagement scores, and more than 90% of them said this is one of the single most important things in joining Cloudflare. And so I think you have this. You know we protect the Internet, we defend the Internet, we want an open Internet and with that comes a great security posture.

Speaker 1:

Yeah, that's really fascinating. You know that you're doing those things, that you're securing and hardening your network and your infrastructure that way. As a security practitioner, I'm always thinking in terms of HA. What happens if I just pull that server out of rotation, right? What if it just crashes? Right there? Are we dead in the water? Are we having massive issues, or am I not even waking up in the middle of the night because our HA is so good and so thoroughly tested? I always go back to one of the credit bureaus that I used to work for.

Speaker 1:

We had some of the most impressive HA that I've ever seen for sure, where we, you know we would have multiple data centers and 50% of it every other month, would be literally powered off, like completely powered off hard down. The main power switch is pulled and we just see what happens. You know, and in the very beginning a lot of things were breaking right, as expected, but over time we built the HA to be so robust that we could lose, you know, 75, 80% of the network. And we're still up, we're still making money. We may not be happy, but you know, we're still able to operate, which is a significant. It's a significant feat to really, you know overcome is having that ability to you know, hardening your network to that degree. I mean that takes, that takes. You know of non-stop work and engineering and thinking through problems. You know forward and backwards and starting at the middle and going to the front. You know there's so many, there's so many variables in there, so that is very impressive.

Speaker 2:

Yeah, and I think it's a. You have to do it right, I think, and you just have. You know, I always think you made a cloud security person. I mean the conversations I've had about automobile security, infrastructure and AWS and like, okay, they use, you know, cloud security controls, AWS is secure, and you're like, no, we're going the wrong way and so you know it's it's. You know, even the start of this conversation like, oh, we're just going to give you that. You know, we're going to give you that infrastructure secure, we're going to do this securely and right. Like I think it's one that you know it's where we are, the team.

Speaker 2:

I can't take any credit for this. A lot of this has been welcome to get to where we want to be, but what an amazing organization to be thinking about this 10 years ago and how to build it. You know we're contributors to many of the kernels and Linux distros and Nginx and the things that we've built just to push the envelope for how we operate and to harden it, and it's really impressive to see these, know these people and it's even better. I go you see him on Zoom and see him on you know these, these things, but to meet him in person. You know it's like wow, you know, I was in London and met one of kind of the top network people and like just as humble as you that would be, and he built a lot of the network. You know, just really cool things.

Speaker 1:

Yeah, it's, you know, I guess, my initial question. You know, I guess it could trip some people up, right, but you provided, you know, probably the perfect answer right to that question. That question wasn't meant to trip you up or anything like that.

Speaker 1:

Right, it's out of my own curiosity, but you know, the only real answer is saying, yeah, if we're consuming a large portion of the internet, sure I understand how your security brain is going to say, well, that's a risk because that's a single point of failure and it's drilled into all of us to never have a single point of failure. But if you enhance the security so significantly, I mean that's competing with, you know, government agency, you know, data center, like security and things like that, right, that is what that's actually competing, you know, with. It's really impressive. Whenever I see a private company, I mean a public company obviously, but you know what I'm saying, it's a company that isn't a government agency doing that level of work.

Speaker 2:

Yeah, and you know I think this is something that you know we talk about supply chain and you know everybody gets breached in the supply chain and so we, you know a lot of questions about what's your security posture and I'm like I'm happy to talk about it, right, but to challenge all of our competitors, challenge everybody in the industry, right? Like I don't think there's any place I've ever been you know, probably no place to have been that you walked in, like what are we doing here?

Speaker 1:

Like whoa like.

Speaker 2:

That's not what I thought. You know, and I always used that. Well, we have a three-year spread. We have a three-year spread because we've got three years worth of work. It has to be secure, which probably means we've got more than three years, and I think these are things that when you know the vendors have to take this seriously. You know I've always been, you know I haven't spent a lot of time on the product side of diamond banking right, and so expectation is that my vendors are resilient, they have good controls. But the reality is you take the large banking institution, probably the Fortune 50, they're probably in pretty good shape, but the rest of the world isn't, and we all know this. And that's why we see the supply chains, because it's a lot harder to attack Cloudflare than it is to attack one of our supply chains.

Speaker 1:

Yeah, it's a really good point. You know, when more money is on the line, you get everything that you want, you know, from a security perspective, and we always talk about that. You know I've been in the financial sector for security for far too long at this point and we always talk about. You know there's certain things that you just spare no expense on and you get it. You do it right. If it takes it longer, that's fine. You know all those sorts of things, but that is not widespread throughout the industry of you know where security professionals need to be. That's not widespread throughout all the other sectors in the market. I wish I could say that, but I mean, I've seen some crazy environments that you know in a PCI world that would never, ever be acceptable, like that whole team would be fired.

Speaker 2:

You know it's uh, it's yeah and you know, when I was at the big bank, I had I had a billion dollar budget and 1500 people that worked for me and and like there were two complaints, there were only two we didn't have enough people, we didn't have enough money.

Speaker 2:

And I thought, if we don't have enough people that have money and I have this like we're all new, right, and so it's now a privatization discussion, because you can't the banks can apply a lot of money to a lot of things, and they do, and they do a very good job at it. But you know, if you're, you know, a medium-sized company and you got 10 security people, staff for a 24-hour SOC, right, you get outsourced and you have the right data, and so you go to this bath and it's, it becomes very hard. And then you have vendors that are getting breached and it just you know, just you know. So you're like, well, being CISO was tough, yeah, because you're having to think about all these things. Then I got a five-year-old waking me up in the middle of the night, right, screaming for daddy. You know he's just screaming for mommy, but you know, it's like you have all these things that you're trying to think of and you know you're just getting kind of attacked from all angles and you're just trying to touch a finger in the nail.

Speaker 1:

Yeah, that's a good point. You, you see this going, I guess. Right, where do you see, I guess, the Cloudflare side of it going and evolving? You know what areas are you guys trying to get more penetration into in terms of security offering and then how is that being informed by, you know, potential threat actors that you're seeing in the environment that are switching their methods, and you know technology and things like that, right?

Speaker 2:

Yeah, I think you know what people always. It's an interesting conversation. When I started about a year ago, people were interested in cloud. We kind of would talk to cloud you know your CDN company and I think over the last 15 months people are very intrigued and so I think what we've done over that period of time, people are like we've actually done some interesting things with Zero Trust and Web Firewalls and DDoS, and so you know, I think you're going to see more of that.

Speaker 2:

I think you know, when I listen to Matthew and Michelle talk, you know the first seven years were to build a network. That's what they did. You know it's unmatched and it's pretty well. You can't reproduce what we have. The second step of the year is we're building products and I think we have some. You know I will challenge anybody to go to Cloudflare, sign up, go to dash.cloudflare.com, log in, get a free account, set up a WAF, move your DNS over and if it's more than 20 minutes to put a whole like, I'd be surprised. Right, and so the products have always been very good to use, but people haven't really known us and I think you know the cornerstone that we have and it's.

Speaker 2:

You know, there's always that question of security versus performance that I've dealt with for a long time. And you know our products are in the top one or two or three or one, you know, depending on who you like better are top notch. But I always go back to. You know we're doing a lot with zero trust. We're doing a lot with your intelligence, we're doing a lot with web applications and APIs and so you kind of have a, you know, a fully redundant Anycast network with all of these capabilities that's faster than everybody. Because you just can't. You know you can't. There's 320 locations and it will be 350 by the end of the year. Once you can use in every location by the end of the year for kind of the Workers and AI inference stuff that we do. And you know, if you want a VPN, I'm living in St. Louis, my VPN terminates in St. Louis and then we optimize your route to, to wherever it goes, and all of my controls, every product we have runs in St. Louis, every one of those 320 locations it runs. And so when you start thinking about resilience, and if St. Louis goes down, I go to Chicago, right, so I might go to Dallas or Indianapolis and I think where I think this goes is and you're starting to see it with.

Speaker 2:

You know you need security, you need resilience, you need performance and we're going to be more resilient and perform better than anybody just because of what we are, and that's kind of the cornerstone. So I think the security platform on top is just amazing. When you talk about the telemetry we have, well, we have more telemetry than anybody in the world from a security standpoint. So we should have the best models, we should have the best data. And so I think you know what.

Speaker 2:

What you know kind of how we think about the next seven years is we're going to be a very customer driven organization. We've been kind of cool, fun, cool techies, and now you're going to see a link there and how we do things. You've seen it with. You know, bringing Mark Anderson off of our board amazing person. You know he was the CEO of a publicly held company. He's running revenue and Stephanie Cohen, who was on the executive committee at Goldman, and so I think you're going to see this really big question. I always, I always wanted to work for that company that people were kind of scared of. I always worked for a company like ooh, I got to worry about them, they're going to crush us. And so, like I think we're that company now we're the ones that people kind of look at over their shoulder and go you know how are we going to compete with that global network and a VPN? I don't know why anybody would put another VPN other than us. You look at the locations we terminate in every one of the 320 locations, 320 data centers. I think you're going to see that become very prevalent and become kind of a marquee component.

Speaker 2:

But don't underestimate the AI. There's a lot of articles written. There's one written today about us and Apple speculation. But I think you're going to see, you know, to have the largest inference network in the world where we can run AI. I think people are still trying to figure out what AI is. You know how do we run models. You know, when it comes that you want the model closest to the user, well, that's kind of our bread and butter. And so you know the serverless compute platform that you can stream 50 million people if you want. If Taylor Swift decided that she wanted to stream a concert, we can handle it. That's kind of cool to be able to say that without knocking it over and distributing the networks. And so I think you're going to see this, you know, the security will really be dominant. I think you're going to see, you know, AI over the next year, two years, three years. You'll see us play a huge role in what goes on globally.

Speaker 1:

Yeah, that is. You know, it's interesting to see what you guys put together and put out, right? Because having that large of a network really enables you to, you know, for instance, take zero trust to a level that no other provider out there probably could. Another thing I always forget that you provide zero trust. You know, it's a, it's a.

Speaker 1:

There's always something new that you guys are coming out with that, you know, I feel like it's often a little bit overlooked, even right, and you know to your point of how quick, how quickly you can switch over to Cloudflare. You know, from a security engineer perspective, right, I worked for a company and we were deploying Cloudflare and of course, you know we heard the same thing the entire time throughout the sales pitch: it's gonna take you 20 minutes. You know it's, it's pretty instant, pretty seamless, you're not gonna have to, you know, fiddle with it a whole bunch or anything like that. You know, whenever a company tells me that, okay, you know, whatever, we go to deploy it and you know, just like you said, 15, 10, 15 minutes, it's technically deployed and everything.

Speaker 1:

And you know, my first question to the sales engineer that's helping me with it is so what's next? You know what do I? Okay, well, we did this, that's fine. Well, what do we need to do now? And he goes no, that's just about it. You know that's everything, let it just do its thing. And I said what? And I had to, like, check the availability of our applications, make sure that we weren't down. You know, like that might.

Speaker 2:

Yeah, I think it's one. That's, you know, the origination of the company where I build the network, build products, make them easy. Um, you know, the only way to get 20 percent of the internet is that they give free stuff away, and that's what we do. And you make it easy. And so I even get to the other conversation and when I talk to customers I'm like well, are you terraforming everything? You should be terraforming and put it in the pipeline, split out your roles and responsibilities, get out of that, click house and roll. And they're looking at me like I've got two heads, and I'm like how else are you going to do cloud security right?

Speaker 2:

Like, everybody's trying to put it in a pipeline. Like, just put this in a pipeline, pull a configuration out, you know, get cloud or GitHub or whatever source, and then make it sticky and like, not find a little machine. You know there's always been the thing of, well, our security is better, like and you know everybody compares security like we're top-notch at this, but then operationally, like you can move right. So you know, you don't have to wait for 30 approvals, I can put it in the pipeline, you can actually do detections for you know the thing about doing this is something we do internally. We do detections off of our pipeline, for you know people playing code and that they shut't, run off or ask changes and only stay in something. Now we are actually getting into like hey, this is real security stuff.

Speaker 2:

Versus I got to go to a user interface and I'm going to meet us for a period. I'm not like it's a little stressful, right, because you should stop all that. And you know you can see the look on people's face like how do you do that? And one of my other issues internally is like getting the click ops. I'm like we can't. How do you shift left when everybody's clicking on everything? Right, like it's terrible. Like I would say you have this issue on Sunday and they're like, well, the API's not good. I'm like how, like it's 2024. Like you should have APIs, you should have a Terraform provider, you should be able to do the things, because business wants to move fast.

Speaker 2:

Security you know we want to be an enabler, but we're often a distractor, and so how do we move fast with all the things that are there? And so you know this is one that we often talk about is you need better security and it's going to be faster. You know I don't need to change a center. You know security team doesn't need to get in the way of a certificate, but the dev team can, right. So you know what are those rules that you want to do. You're going to push a code and it's just images Like why do I need to be involved, right? So those things like free up time to do higher value things, I think you know we're kind of.

Speaker 2:

I do feel like there was probably 20 years ago. There was a heavy. You know networks was more important than security. Probably over the last 20 years, security was more important. Maybe 10 years over, security is an important network. And now you're saying you know everybody's working from home in different geolocations. It's about speed, performance, availability and you've got to have security, and so I think these things are really interesting to the business model because it's all things we've always wanted to do. I mean, just, no vendor could ever help us and that was, even when I came here, the only problems I had in the banking world. That I'm like I didn't know Cloudflare could do that. I didn't know IGGT can solidify five graphs into one and have this kind of performance or zero trust. Why am I backhauling people to 15 data centers with a zero-cost provider versus having no traffic limits there? All my web traffic goes there, my CASB and the data production is there, versus backhauling them to Singapore. You know, I think those are things that people are starting to gather less and super.

Speaker 1:

Yeah, grant, you know this has been a fantastic conversation. I feel like we could, you know, easily keep going for another couple hours, right, but you know I try to be very cognizant of you know, the time frame, right that I give all my guests and everyone, because everyone has such a busy schedule. But you know, before I let you go, how about you tell my audience, you know where they could find you if they wanted to reach out and you know potentially connect. And in case they've been living under a rock for the past 10-15 years, where can they find Cloudflare?

Speaker 2:

Yeah, so good. So you know, let's start with Cloudflare. So you know, go to cloudflare.com. You know, if you're, you know, this is what we see a lot is go play with it, get an account, put up a website, you know, put it on Pages, develop your own site on Pages, and Workers, protect it. Just see how easy it is and play with it. Pretty cool, and see what the product offers. You can even get a zero-trust client for your home. So if you're one of those crazy people like probably you and I, and we have VPNs, we can do that. Free. Right, there's free WARP clients. We have our own free version that's anonymous and surfing on the internet. So check us out.

Speaker 2:

I think that's cool. We need you to meet me. I think the best way is LinkedIn. I'm Grant Borzikas, it's probably pretty easy. You can get Grant Peace Probably super simple. Love to hear from you, love to connect. And if I can ever help with anybody, you know I think that's one of the best part about this job is I can become a free consultant to help and guide, and I find that highly rewarding.
