In this episode of Inside the Network, we sit down with Dug Song, the legendary co-founder and former CEO of Duo Security. Dug's journey is nothing short of iconic—he turned a side project into a cybersecurity powerhouse with over 50,000 customers and a $2.35 billion exit to Cisco. In a world obsessed with unicorn status and funding hype, Dug stands out as a founder who stayed grounded in values, culture, and customer empathy.

We explore Dug's early years—from doing data entry in his father's liquor store in West Baltimore to cutting his teeth at Arbor Networks, leaving security, and coming back to change how security is delivered. Dug was also part of the hacker collective w00w00, alongside future tech luminaries like Jan Koum (WhatsApp) and Shawn Fanning (Napster), where he honed the ethos of solving hard problems and building in community. These experiences laid the foundation for Duo, which Dug and co-founder Jon Oberheide started not with a grand business plan but a desire to democratize security and make strong authentication simple and usable for all organizations—not just the Fortune 500.

This conversation is packed with actionable lessons for founders: how to build a billion-dollar business with capital efficiency and discipline; how to prioritize user experience in security, not just infrastructure; and how to lead with integrity and build a "learning organization" that continuously improves across every function—engineering, sales, marketing, and customer success. Dug also gives an inside look at the decision to sell Duo to Cisco versus going public and what that choice meant for the company, team, and customers.

We then dive into Dug's post-Duo chapter, where he and his wife Linh are reshaping philanthropy and backing the next generation of founders in Michigan, Detroit, and beyond. From punk rock to planetary-scale startups, Dug brings a rare mix of grit, humility, and wisdom, making this episode a must-listen for any entrepreneur.
The Twenty Minute VC: Venture Capital | Startup Funding | The Pitch
Mitchell Green is the Founder and Managing Partner of Lead Edge Capital. Mitchell has led or co-led investments in companies including Alibaba, Asana, Benchling, ByteDance, Duo Security, Grafana, Mindbody, and Xamarin, among several others.

In Today's Episode We Discuss:
04:31 How Bessemer Taught Me The One Golden Rule of Investing
06:48 Why AI Infrastructure is the Worst Investment to Make
08:51 Why it is Comical to think there will be $BN one person companies?
09:26 WTF Happens To The Cohort of SaaS Companies With Slow Growth, Not Yet Profitable and $50M-$200M in Revenue
16:12 What is the Biggest Problem with the IPO Market
23:24 When is the Right Time to Sell in VC and How a Generation F******* it Up
27:37 Biggest Advice to Smaller Emerging Managers
40:13 The One Question That Tells You if a Business is Good
43:01 Why LPs are More Important than Founders
45:03 One Question Every LP Should Ask Their VCs
46:03 Why TikTok Does Not Matter to ByteDance and It Is a Screaming Buy
51:30 Why We Drastically Underestimate the Power of Chinese AI?
55:18 Why Social Media is the Most Dangerous Thing in Society
01:00:07 Quick Fire Questions
Not many people make it to VP of Marketing Operations—Kimi Corrigan has done it twice. In this episode, she shares her journey from marketing coordinator to leading marketing ops at companies like Duo Security, Cisco, Wiz, Expel, and DataRobot. We dive into what it really takes to reach VP level, how to position yourself for leadership, and why marketing ops pros should start asking for that title.

Kimi also gets real about the challenges of scaling teams, navigating internal politics, and balancing the tactical with the strategic. We talk about how marketing ops has evolved, the role of data and strategy, and why building strong cross-functional relationships is just as important as knowing your way around a tech stack.

If you're a marketing ops pro wondering what's next in your career—or how to level up—this one's for you.

About Today's Guest
With over 19 years in marketing operations and leadership, Kimi Corrigan thrives on optimizing marketing strategies for efficiency and effectiveness. Kimi has held marketing ops leadership roles at Duo Security, Cisco, Wiz, Expel, and DataRobot.
https://www.linkedin.com/in/kimicorrigan/

Key Topics
[00:53] - How Kimi got started in marketing operations
[03:04] - Early-generation marketing automation
[05:54] - How you know if MOPS is working well
[10:11] - Navigating people and organizational problems
[16:51] - Becoming a VP Marketing Ops
[22:31] - Operations and strategy
[33:47] - Composable stacks vs. suites
[37:51] - MOPS team structure
[39:50] - Planning cycle

Learn more: visit the RevOps FM Substack for our weekly newsletter.
Cash Flow Mastery with Anthony Nitsos

On this episode of The Profit Answer Man, we welcome Anthony Nitsos, the CEO and Founder of SaaS Gurus. Anthony shares his journey from medical school to mastering finance and becoming a trusted advisor to SaaS startups. His unique perspective focuses on addressing the root causes of financial and operational inefficiencies, bringing lessons from medicine and Japanese manufacturing to the business world.

In this episode, you will learn:
Why Anthony left medical school and how that shaped his approach to problem-solving in business.
The importance of preventive measures in finance, akin to healthcare practices.
How understanding and applying lean processes can enhance operational efficiency.
Insights from Anthony's experiences with Japanese business principles and their application in finance and accounting.
Practical steps SaaS startups can take to streamline operations and achieve consistent profitability.

Key Takeaways:
Preventive Finance is Key: Much like in healthcare, treating symptoms without addressing the underlying cause can lead to recurring problems. Anthony emphasizes identifying and solving root issues in accounting and finance to prevent recurring operational challenges.
Efficiency Through Standardization: Borrowing from Japanese manufacturing, Anthony underscores the value of creating standardized processes in repetitive tasks like invoicing, payroll, and sales order creation. This minimizes errors and saves time and resources.
Cultural Lessons on Frugality and Value: Influenced by his Greek immigrant background and Japanese business culture, Anthony highlights the significance of being resourceful while delivering maximum impact—focusing on quality over quantity.
Understanding SaaS-Specific Challenges: SaaS companies face unique financial hurdles, from managing subscriptions to scaling operations. Addressing these challenges requires a tailored approach that includes proper financial forecasting, expense management, and strategic investment.

About Anthony Nitsos:
Anthony Nitsos is the founder of SaaS Gurus, a fractional CFO service dedicated to SaaS startups. With a rich background in medical training, lean manufacturing, and financial leadership, Anthony's insights are rooted in finding efficient, value-driven solutions for businesses. He has been instrumental in the success of unicorn exits like Duo Security and LLamasoft, helping SaaS businesses scale with financial clarity.

Conclusion:
Anthony Nitsos demonstrates the power of applying lessons from diverse disciplines to business finance. By focusing on prevention, standardization, and cultural efficiency, SaaS startups can navigate complex financial landscapes with confidence. His journey is a testament to the importance of holistic thinking in achieving sustainable profitability.

Links:
LinkedIn: https://www.linkedin.com/in/anthonynitsos/
Website: https://saasgurus.io/
Watch the full episode on YouTube: https://www.youtube.com/@profitanswerman
Sign up to be notified when the next cohort of the Profit First Experience Course is available!
Relay Bank (affiliate link): https://relayfi.com/?referralcode=profitcomesfirst
Profit Answer Man Facebook group: https://www.facebook.com/groups/profitanswerman/
My podcast about living a richer, more meaningful life: http://richersoul.com/
Music provided by Junan from Junan Podcast
Any financial advice is for educational purposes only and you should consult with an expert for your specific needs.
#profitfirst
The Twenty Minute VC: Venture Capital | Startup Funding | The Pitch
Shardul Shah is a Partner at Index Ventures and one of the greatest cyber security investors of the last two decades. Among his many wins, Shardul has led rounds in Datadog, Wiz, Duo Security, Coalition and more. Shardul is also the only Partner investing at Index to have worked in every single Index office, from London to SF to NYC to Geneva. Prior to Index, Shardul worked with Summit Partners, focusing on healthcare and internet technologies.

In Today's Episode with Shardul Shah We Discuss:

1. Investing Lessons from Wiz and Datadog:
Why does Shardul believe that TAM (total addressable market) is BS?
Why does Shardul believe that every great deal will be expensive?
How does Shardul evaluate when to double down and concentrate capital vs when to let someone else come in and lead a round in an existing company?
How does Shardul think about when is the right time to sell a position in a company?

2. How the Best VCs Make Decisions:
How do Shardul and Index create an environment of truth-seeking together that is optimised for the best decision-making to take place?
What are the biggest mistakes in how VCs make decisions today?
Why does Shardul believe that all first meetings should be 30 mins, not 60 mins?
Why does Shardul believe it is so much harder to make investment decisions when partnerships are remote? What is better remote?

3. The Core Pillars of Venture: Sourcing, Selecting, Securing and Servicing:
Which one does Shardul believe he is best at? What is he worst at?
Does Shardul believe that with the downturn we have moved into a world of selection and not just winning every new deal?
Does Shardul believe that VCs provide any value? What are the biggest misnomers when it comes to "VC value add"?

4. Lessons from the Best Investors in the World:
Who is the best board member that Shardul sits on a board with?
What has Shardul learned from Gili Raanan and Doug Leone on being a good board member?
What have been some of Shardul's biggest investing lessons from Danny Rimer?
Why does Shardul hate benchmarks when it comes to investing?
Mike Hanley, Chief Security Officer and SVP of Engineering @ GitHub, joins us to discuss how GitHub has successfully combined its engineering & security orgs and shares recommendations for how other orgs can pivot to this model. We cover why it's so important for eng orgs to collaborate with security early on in the product development cycle and tips for educating your engineers on security best practices. We also discuss how the rise of AI tools / usage is changing how companies need to think about & practice security, why AI is providing opportunities for increased safety & security within product development, and strategies for encouraging your org to adopt AI tooling within engineering, security, and beyond.

ABOUT MIKE HANLEY
Mike Hanley is the Chief Security Officer and SVP of Engineering at GitHub. Prior to GitHub, Mike was the Vice President of Security at Duo Security, where he built and led the security research, development, and operations functions. After Duo's acquisition by Cisco for $2.35 billion in 2018, Mike led the transformation of Cisco's cloud security framework and later served as CISO for the company. Mike also spent several years at CERT/CC as a Senior Member of the Technical Staff and security researcher focused on applied R&D programs for the US Department of Defense and the Intelligence Community. When he's not talking about security at GitHub, Mike can be found enjoying Ann Arbor, MI with his wife and eight kids.

"The idea that the security team is walled off or separate or not really connected, not just to engineering but the entirety of the business, you really can't have that. If you think about the pace of modern development, things are moving so quickly. It's so driven by software. The idea that you're like, 'Hey, I got to walk down the hall and check in with somebody from security who has no idea what's going on in my roadmap, who has no idea what my day to day experience is living in engineering...' That just doesn't work!" - Mike Hanley

We now have 10 local communities of engineering leaders hosting in-person meetups all over the world! Local communities are led by eng leaders just like you, who wanted to create a place to connect, share insights & tackle critical challenges in the job. New York City, Boston, Chicago, Seattle, Los Angeles, San Diego, San Francisco, London, Amsterdam, and Toronto in-person events are happening now! We're launching local events all the time - get involved at elc.community!

SHOW NOTES:
GitHub's convergence of the eng & security orgs (2:33)
Benefits of combining engineering & security org mandates (4:46)
How the security team is involved with the internal product dev lifecycle (8:05)
The downsides of engaging your security team as an afterthought (10:46)
What an early-stage yes/and product conversation looks like (12:48)
Examples of educating your eng team on security best practices (17:17)
Expanding two-factor authentication externally (19:29)
Stewarding security as a responsibility & value (21:59)
Security & safety implications for orgs using / building AI tools (23:44)
Why the rise of AI is a great time for eng / security collaboration (27:09)
How to leverage security best practices using AI tools (29:53)
Mike's view that AI will create more opportunities & improve structural tech (32:14)
Frameworks for getting to "yes" when it comes to adopting AI tooling (35:15)
AI-powered tools GitHub is using to change workflows outside of eng & security (39:06)
Considerations pivoting toward combining eng & security functions (40:35)
Rapid fire questions (42:25)

LINKS AND RESOURCES
Why Johnny Can't Encrypt - Alma Whitten and J. D. Tygar's argument that effective security requires a different usability standard that is not achievable through the user interface techniques commonly found in consumer software.
The Space Trilogy - C.S. Lewis believed that popular science was the new mythology of his age, and in The Space Trilogy he ransacks the uncharted territory of space and makes that mythology the medium of his spiritual imagination.
The Works of Peter Drucker

This episode wouldn't have been possible without the help of our incredible production team:
Patrick Gallagher - Producer & Co-Host
Jerry Li - Co-Host
Noah Olberding - Associate Producer, Audio & Video Editor, https://www.linkedin.com/in/noah-olberding/
Dan Overheim - Audio Engineer; Dan's also an avid 3D printer: https://www.bnd3d.com/
Ellie Coggins Angus - Copywriter; check out her other work at https://elliecoggins.com/about/
Ara Topouzian, Executive Director of the Michigan Venture Capital Association, talks with Raffaele Mautone, former CIO of Duo Security and current Founder and CEO of Detroit-based Judy Security (formerly AaDya Security). Raffaele's strategic thinking and effective leadership have been instrumental and paramount in his career as an IT, sales and operations professional. I talk with Raffaele about his rich background as well as Judy Security, which is a cyber security company that offers cybersecurity software solutions for small and medium businesses. (Programming note: since the recording of this episode, the company was rebranded to Judy Security.) For more information: https://www.judysecurity.ai/
Join Chris Strahl, Kevin Goldman, and Sierre Wolfkostin as they sit down to explore the FIDO Alliance's mission of revolutionizing online authentication by eliminating traditional passwords and replacing them with secure and user-friendly passkeys. Discover how these principles, tested and proven, are set to transform user experiences and incentivize the widespread use of passkeys, offering a glimpse into the future of design systems.

Register here for our upcoming webinar, 'What Really Matters in Design Systems', on October 25th.

Guests
Kevin is the Chief Experience Officer at Trusona, where he helped create the Trusona Authentication Cloud — a passkey-as-a-service platform, offering the simplest, quickest, and lowest cost way to increase website engagement with passkeys. Prior to Trusona, Kevin founded the user experience (UX) consulting firm 29th Drive, which was acquired three years later. Kevin serves as a FIDO Alliance Board member. He chartered and is Chair of the FIDO Alliance UX Working Group, comprised of UX professionals from 31 global brands. Outside of work, he likes quality time with his kids, motorcycle track riding, forging knives, and time away from the fragile glowing screen.

Sierre is a product designer based in Ann Arbor, MI. With a learning mindset and a focus on understanding people, she has helped make Duo Security's authentication experience both easier and more secure for all. Most recently, she led design for the Universal Prompt: a ground-up UX and technical redesign of Duo's core 2FA product. She now works to help kill the password and further improve our industry's standards for authentication in partnership with the FIDO Alliance. Sierre holds degrees in UX design and business from the University of Michigan. In her free time, she enjoys writing non-fiction, reading books, and greeting the neighborhood cats.

Host
Chris Strahl is co-founder and CEO of Knapsack, host of @TheDSPod, DnD DM, and occasional river guide. You can find Chris on Twitter as @chrisstrahl and on LinkedIn.

Sponsored by Knapsack, the design system platform that brings teams together. Learn more at knapsack.cloud.
Cisco is turning words into action. With the (proposed) acquisition of Splunk, the Full-Stack Observability platform it announced earlier this year immediately takes on much more shape. In this episode of Techzine Talks we discuss all the ins and outs of this acquisition.

In the newsroom we sometimes half-jokingly say that Cisco does three acquisitions a week, so we can't write an article about every one of them. Often they are relatively small acquisitions, with amounts running into the millions, tens of millions or even hundreds of millions. Within the IT industry that is not really unusual. Only when it runs into the billions does it get serious. Recent examples of 'big' acquisitions by Cisco are ThousandEyes ($1 billion), Acacia Communications ($2.6 billion), Duo Security ($2.35 billion) and AppDynamics ($3.7 billion). The acquisition we discuss in this episode of Techzine Talks goes far beyond these, however. For Splunk, Cisco is paying $28 billion. In any case, we can't recall a bigger acquisition by Cisco. It is one that belongs in the category of Salesforce buying Slack, or IBM buying Red Hat. There aren't very many of those.

FSO comes closer
Seen from Cisco's perspective, the acquisition of Splunk is a very logical one. Splunk adds a great deal of expertise in SIEM, observability, security and AI to Cisco's portfolio. Cisco wants to take big steps in observability in particular. That became clear earlier this year at Cisco Live, where the company announced the Full-Stack Observability (FSO) platform. You can see this platform as the starting point for all parts of the Cisco ecosystem going forward. The Security Cloud will use it, but the Networking Cloud, also announced at Cisco Live, will likewise draw on the insights that observability provides.

What does this acquisition mean for the market?
FSO is thus a crucial part of Cisco's vision. With the acquisition (and integration) of Splunk into that component, Cisco will inevitably make a lot of headway. However, in this episode we don't only discuss the logical synergies between Cisco and Splunk. We also shed light on what this acquisition means for the market as a whole. Will Cisco fully integrate Splunk into its portfolio, or will it remain a completely independently operating entity? Is this acquisition good or bad news for Splunk, which has been wobbling a bit in recent years? And, at the bottom line, does the enterprise IT market end up better or worse off because of this acquisition?

Listen to this great new episode of Techzine Talks if you want answers to these and many more questions!
This week, we discuss VMware's announcements, SUSE going private and some thoughts on streaming services. Plus, Matt provides an update on the repercussions of spilled orange juice.

Watch the YouTube Live Recording of Episode 429 (https://www.youtube.com/live/U-2FKuo7Rdo?si=pSW288no0k5R6E_l)

Runner-up Titles
Matt Ray Vibe
Ethically flexible
And one more thing me
Is it new?
You're gold plating your gold.
Hello World and my Mom's Blog
SAP known for being nimble
I guess I am excited
There's no way you sold 50,000 Chinese knock off water piks in Australia.

Rundown
Tech's broken promises: Streaming is now just as expensive and confusing as cable (https://www.businessinsider.com/tech-broken-promises-streaming-ride-hailing-cloud-computing-2023-8?utm_source=reddit.com)

VMware
Broadcom's $61B planned VMware purchase clears U.S., UK (https://seekingalpha.com/news/4004614-broadcoms-61b-planned-vmware-purchase-clears-us-uk)
Introducing vSAN Max | VMware (https://core.vmware.com/blog/introducing-vsan-max)
VMware Expands Tanzu to Accelerate App Delivery at Enterprise Scale (https://news.vmware.com/releases/vmware-explore-2023-tanzu)
VMware Explore 2023 Media Kit - VMware News and Stories (https://news.vmware.com/vmware-explore-vegas-2023-media-kit)
VMware edges towards multi-cloud, adds AI side quest (https://www.theregister.com/2023/08/22/vmware_explore_2023_ai_news/)

SUSE
EQT Private Equity Announces Voluntary Public Purchase Offer and Intention to Delist SUSE (https://www.suse.com/news/EQT-announces-voluntary-public-purchase-offer-and-intention-to-delist-SUSE/)
SUSE Manager Ansible Integration Becomes Fully Supported (https://www.suse.com/c/suse-manager-ansible-integration-becomes-fully-supported/)
Oracle, SUSE and CIQ launch the Open Enterprise Linux Association amid Red Hat controversy (https://techcrunch.com/2023/08/10/oracle-suse-and-ciq-launch-the-open-enterprise-linux-association-amid-red-hat-controversy/)

Microsoft is bringing Python to Excel (https://www.theverge.com/2023/8/22/23841167/microsoft-excel-python-integration-support)
What Happened to Wirecutter? (https://www.msn.com/en-us/news/us/what-happened-to-wirecutter/ar-AA1fCoQs?utm_source=substack&utm_medium=email)

Relevant to your Interests
YouTube is adding chat, highlights, and Shorts to NFL Sunday Ticket (https://www.theverge.com/2023/8/16/23834242/youtube-nfl-sunday-ticket-tv-shorts-highlights-chat)
Hopin Events and Session Products Sold for $15 Million (https://meetings.skift.com/hopin-events-and-session-products-sold-for-15-million/)
80% of execs regret calling employees back to the office (https://www.theregister.com/2023/08/15/return_to_office_survey/?utm_source=substack&utm_medium=email)
How we reduced the cost of building Twitter at Twitter-scale by 100x (https://blog.redplanetlabs.com/2023/08/15/how-we-reduced-the-cost-of-building-twitter-at-twitter-scale-by-100x/)
Will Broadcom's pending purchase overhang VMware Explore? (https://www.sdxcentral.com/articles/analysis/will-broadcoms-pending-purchase-overhang-vmware-explore/2023/08/)
VMware's future: Navigating multicloud complexity and generative AI under Broadcom's wing (https://siliconangle.com/2023/08/19/vmwares-future-navigating-multicloud-complexity-generative-ai-broadcoms-wing/)
System Initiative Code Now Open Source (https://thenewstack.io/system-initiative-code-now-open-source/)
How Amazon is racing to catch Microsoft and Google in generative A.I. with custom AWS chips (https://www.cnbc.com/2023/08/12/amazon-is-racing-to-catch-up-in-generative-ai-with-custom-aws-chips.html?ck_subscriber_id=512840665)
Report: Threads app to launch website version this week - 9to5Mac (https://9to5mac.com/2023/08/21/report-threads-app-to-launch-website-version-this-week/)
Cisco's Duo Security suffers major authentication outage (https://www.theregister.com/2023/08/21/ciscos_duo_outage/)
If I were you: Here are the the Google Cloud Next '23 talks for six different audiences (https://seroter.com/2023/08/22/if-i-were-you-here-are-the-the-google-cloud-next-23-talks-for-six-different-audiences/)
Amazon Worker Has A Witty Take On Return-To-Office Policy (https://www.benzinga.com/news/23/08/33931883/amazon-employee-crafts-satirical-leadership-principles-amid-return-to-office-uproar-fire-and-demote)
Mark Zuckerberg's new 'in-person time policy' will crack down on Meta's remote work rebels (https://finance.yahoo.com/news/mark-zuckerberg-person-time-policy-115713318.html)

Nonsense
All signs point to a late summer COVID wave (https://www.axios.com/2023/08/17/covid-19-cases-2023-uptick-where-why)
American States As Real People Generated by AI (https://www.travlerz.com/en/american-states-real-people-generated-ai)
LG now sells this bizarre TV in a suitcase, and I must have it (https://www.theverge.com/2023/8/15/23832712/lg-stanbyme-go-suitcase-tv-announced-pricing-features)

Listener Feedback
What is AWS after the Chasm? (https://www.thecloudcast.net/2023/08/what-is-aws-after-chasm.html)

Conferences
Sep 6th to 7th, DevOpsDays Des Moines (https://devopsdays.org/events/2023-des-moines/welcome/), Coté speaking.
Sep 18th to 19th, SHIFT (https://shift.infobip.com/) in Zadar, Coté speaking.
October 2-6, 2023, QCon San Francisco (https://qconsf.com/workshop/oct2023/open-source-kubernetes-cloud-cost-monitoring-opencost), Matt's doing a workshop, sign up!
October 6, 2023, KCD Texas 2023 (https://community.cncf.io/events/details/cncf-kcd-texas-presents-kcd-texas-2023/), CFP closes: August 30, 2023.
November 6-9, 2023, KubeCon NA (https://events.linuxfoundation.org/kubecon-cloudnativecon-north-america/), SDT's a sponsor, Matt's there.
November 6-9, 2023, VMware Explore Barcelona (https://www.vmware.com/explore/eu.html), Coté's attending.
Jan 29, 2024 to Feb 1, 2024, That Conference Texas (https://that.us/events/tx/2024/schedule/)
If you want your conference mentioned, let's talk media sponsorships.

SDT news & hype
Join us in Slack (http://www.softwaredefinedtalk.com/slack).
Get a SDT Sticker! Send your postal address to stickers@softwaredefinedtalk.com and we will send you free laptop stickers!
Follow us: Twitch (https://www.twitch.tv/sdtpodcast), Twitter (https://twitter.com/softwaredeftalk), Instagram (https://www.instagram.com/softwaredefinedtalk/), Mastodon (https://hachyderm.io/@softwaredefinedtalk), BlueSky (https://bsky.app/profile/softwaredefinedtalk.com), LinkedIn (https://www.linkedin.com/company/software-defined-talk/), TikTok (https://www.tiktok.com/@softwaredefinedtalk), Threads (https://www.threads.net/@softwaredefinedtalk) and YouTube (https://www.youtube.com/channel/UCi3OJPV6h9tp-hbsGBLGsDQ/featured).
Use the code SDT to get $20 off Coté's book, Digital WTF (https://leanpub.com/digitalwtf/c/sdt), so $5 total.
Become a sponsor of Software Defined Talk (https://www.softwaredefinedtalk.com/ads)!

Recommendations
Brandon: Costco | Acquired Podcast (https://www.acquired.fm/episodes/costco)
Matt: Lenovo Go Wireless Split Keyboard (https://amzn.to/3smvHdP), decent clone of the Microsoft Sculpt keyboard

Photo Credits
Artwork (https://unsplash.com/photos/CLFveFXjwyk)
In episode 66 of the We Hack Purple Podcast, host Tanya Janca sits down with one of her colleagues from IANS Research, Wolfgang Goerlich! We talked about his work and AMAZING team at Cisco (Hi Wendy and Dave!), how they were originally part of Duo Security, and that they missed their chance for a fun rebrand of Duo + Cisco = Disco! Besides all the silly jokes, we talked about what security looks like beyond just vulnerabilities and trying to keep the bad guys out. We zeroed in on legitimate users that misuse systems, and dug into how threat modelling and diversity could be used to prevent situations such as the infamous Apple AirTags misuse. We talked about including privacy as part of threat modelling, Cara Bloom's Mitre Privacy Framework (https://www.usenix.org/system/files/pepr22_slides_bloom.pdf), 'least data collection', as well as using nudge economics to promote positive security and privacy culture change. This conversation was AWESOME. Plus, Wolfgang has a podcast (https://www.securingsexuality.com/), a conference (Detroit, 2023), and a book coming out! If you 'colour outside the lines', you definitely want to check out everything Wolf does! Subscribe to his newsletter, we know we did!

Wolf's Bio:
J. Wolfgang Goerlich is an Advisory CISO for Cisco Secure. Prior to this role, he led IT and IT security in the healthcare and financial services verticals. Wolfgang has held VP positions at several consulting firms, leading security advisory and assessment practices. He is an active part of the security community. Wolfgang regularly advises on the topics of security architecture and design, identity and access management, zero trust, and resilience.

Social media:
https://mastodon.social/@jwgoerlich@infosec.exchange
https://twitter.com/jwgoerlich
https://www.linkedin.com/in/jwgoerlich/

Websites:
Personal - https://jwgoerlich.com/
Conference and podcast - https://www.securingsexuality.com/

Very special thanks to our sponsor: The Diana Initiative! (https://www.dianainitiative.org/) A conference committed to helping all those underrepresented in Information Security. Monday August 7, 2023, in-person at The Westin Las Vegas Hotel & Spa.

Join We Hack Purple! Join us in the We Hack Purple Community: a fun and safe place to learn and share your knowledge with other professionals in the field. Subscribe to our newsletter for even more free knowledge! You can find us, in audio format, on Podcast Addict, Apple Podcast, Overcast, Pod, Amazon Music, Spotify, and more!
A We Hack Purple Live Stream with Matt Tesauro of Defect Dojo Inc (https://www.defectdojo.com/). Join the We Hack Purple Community to be invited to awesome events like this one! https://community.wehackpurple.com

Description:
You're tasked with 'doing DevSecOps' for your company and you've got more apps and issues than you know how to deal with. How do you make sense of the different tools' outputs for all your different apps? DefectDojo is an open source platform that can be your single pane of glass by aggregating, distilling, and automating your AppSec and DevSecOps tools. DefectDojo was created by DevSecOps people for DevSecOps people. In this talk, you'll learn about DefectDojo and how to make the most of the many features it offers, including its REST-based API. DefectDojo can be your single pane of glass for discovered security vulnerabilities, report generation, aggregation of 150+ different security tools, inventory of applications, and tracking testing efforts / metrics on your AppSec program. DefectDojo was the heart of an AppSec automation effort that saw an increase in assessments from 44 to 414 in two years. Don't you want 9.4 times more output from your AppSec program? It's time to ditch spreadsheets and get DefectDojo.

About Matt:
Matt Tesauro is a DevSecOps and application security (AppSec) guru with specialization in creating security programs, leveraging automation to maximize team velocity and training emerging and senior professionals. When not writing automation code in Go, Matt is pushing for DevSecOps everywhere via his involvement in open-source projects, presentations, trainings and new technology innovation. Matt thrives on tackling technical problems, but his economics background gives him a unique understanding of business constraints and incentives around security initiatives.

As a versatile engineer, Matt's background spans software development (primarily web development), Linux system administration, penetration testing and application / cloud security. Additionally, he offers more than 13 years of experience with the internationally recognized AppSec and open-source nonprofit OWASP Foundation. At OWASP, Matt has served on the global board of directors and conducted several highly successful open-source projects, including a web testing environment with 300,000+ downloads in a single year and the OWASP DefectDojo vulnerability management platform with 10 million+ downloads.

As a recognized thought leader, Matt has presented at conferences multiple times per year since 2009 and has facilitated training around the world. Some of his noteworthy speaking engagements include a DHS Software Assurance Workshop; OpenStack Summit; SANS AppSec Summit; and AppSec US, EU and LATAM. He has also taught computer security courses at Texas A&M and the University of Texas at the undergraduate and graduate level.

Matt leads by example and rolls up his sleeves to help teams reach their goals. He is a supportive and collaborative leader who mentors and motivates others to realize their potential. Colleagues note that Matt is fiendishly clever when solving problems and refreshingly honest in his work.

In 2021, Matt was recruited for the role of Distinguished Engineer at Noname Security. His priority is to evangelize Noname's ground-breaking API security platform and API security in general. He works closely with the product team to ensure that Noname's platform addresses the application and product security issues that impact customers. Before joining Noname, Matt rolled out AppSec automation at USAA and founded 10Security. His early career includes tenures as Director of Community and Operations at the OWASP Foundation, Senior AppSec Engineer at Duo Security, Senior Software Security Engineer at Pearson and Senior Product Security Engineer at Rackspace.
Matt received a master's degree in management information systems and a bachelor's degree in economics from Texas A&M Univers
In this episode of Detection at Scale, Jack speaks with Michael Hanley, Chief Security Officer and SVP of Engineering at GitHub. He also spent five years at Duo Security building their security program, and is passionate about making security easy and accessible for everyone. Topics include: How to think about managing in a dual role as both head of security and engineering, and what success looks like for both. What some of the synergies are between security and engineering, and why the two should work as closely as possible. The security strategy of retaining the integrity of the world's important projects at GitHub. The importance of democratizing security, and making it accessible for everyone. The mentality of baking software development into security. When to introduce a security team into an organization, how to build a SecOps team, and the evolution of security within companies. Actionable steps for security leaders to take regarding professional development, culture, and sharing notes. Resources: Michael's favorite open source security tools: StreamAlert, CloudMapper, SiLK Suite. Keep in touch with Michael Hanley on LinkedIn
In so many ways, the time is now for Metro Detroit and Michigan to act to compete and reach our full potential. Today's episode has a ton of topics, but they all do kind of go together. Where we've been: 01:48 - Devon went to the LinkedIn offices in a historic pair of Detroit buildings. 06:30 - Jer was at the MichAuto Summit, and shares some takeaways especially from Duo Security founder Dug Song who had some stunning statistics to pay attention to and act on for the future. Ohio and Ontario are leaning hard into attracting talent. 13:55 - We discuss new QLINE funding for the next 17 years, where the money will come from and if a major change needs to be made to make it run better 18:00 - We get into more of the lifestyle side of the city's capital investment priorities including money for Hart Plaza and a rebuilt shed for Eastern Market. But you should check out the full list: https://www.bridgedetroit.com/detroit-capital/ 21:19 - The Dearborn Inn is closed for now, but has big plans. Devon gets into the trailblazing history of the former airport hotel. Thanks to this episode's sponsor, Smith & Co. in beautiful Midtown Detroit - https://www.smithandcodetroit.com/ Sponsors do not decide or have input on the content of the show within unless we clearly say "hey, we're talking to a sponsor," and this is not one of those cases. Feedback: https://forms.gle/MnwUf8uJEtpyG9m2A or dailydetroit -at- gmail -dot- com
MLOps Coffee Sessions #134 with Jeremy Thomas Jordan, Building Threat Detection Systems: An MLE's Perspective, co-hosted by Vishnu Rachakonda. // Abstract There is a clear pattern that we have been seeing with some of these greats in MLOps: so many use writing as a forcing function to find the holes in their understanding of something. If you are not writing, this episode explains why writing is important for your own development. Jeremy goes into depth on how beneficial writing is for him, and how it shows him that he doesn't understand something if he cannot re-articulate it in writing. // Bio Jeremy is a machine learning engineer currently working at Duo Security where he focuses on building ML infrastructure to operate threat detection systems at scale. He previously worked at Proofpoint, where he built models for phishing and malware detection. // MLOps Jobs board https://mlops.pallet.xyz/jobs // MLOps Swag/Merch https://mlops-community.myshopify.com/ // Related Links Website: https://www.jeremyjordan.me/ --------------- ✌️Connect With Us ✌️ ------------- Join our slack community: https://go.mlops.community/slack Follow us on Twitter: @mlopscommunity Sign up for the next meetup: https://go.mlops.community/register Catch all episodes, blogs, newsletters, and more: https://mlops.community/ Connect with Demetrios on LinkedIn: https://www.linkedin.com/in/dpbrinkm/ Connect with Vishnu on LinkedIn: https://www.linkedin.com/in/vrachakonda/ Connect with Jeremy on Twitter: https://twitter.com/jeremyjordan
In today's episode, Bethany joins us to discuss her latest project, Create with Conscience. We talk about the balance between technology and a healthy lifestyle, the difficulties end-users face when trying to build that balance, and how creators can use Create with Conscience to build ethical technological systems. Bethany shares the three principles of Create with Conscience that are used to help create healthier technology, some of the ways you can start to create healthy boundaries and values in your tech design, and how businesses as a whole might be incentivized to implement these ethical changes to their design. We also get into the design of modern tech products, how they are designed to manipulate and control the end-users' time, and how the battle for attention from all sorts of tech products and design patterns has contributed to the attention crisis in the modern world. In this episode you will hear: What is Create with Conscience? How creators can use Create with Conscience Principles for creating healthier technology What makes for healthy boundaries Giving control back to the users Tackling the addictive power of modern tech products The attention crisis of modern society What are the business incentives for these changes? Bethany is a designer that specializes in systems thinking, detail-oriented design, and scalable enterprise solutions. Her past roles include leading IBM's Carbon Design System and building a team for Cloudflare's Zero-Trust Product. Currently, Bethany is working as a Design Manager at Duo Security while also building Create with Conscience, a space dedicated to educating and committing to designing healthier technology. 
Connect with Bethany Sonefeld: Website: createwithconscience.com Email: bsonefeld@gmail.com LinkedIn: linkedin.com/in/bethany-sonefeld Twitter: twitter.com/bsonefeld Connect with R Blank and Stephanie Warner: For more Healthier Tech Podcast episodes, and to download our Healthier Tech Quick Start Guide, visit https://HealthierTech.co and follow https://instagram.com/healthiertech Additional Links: Shield Your Body website: https://ShieldYourBody.com Shield Your Body Youtube Channel: https://youtube.com/shieldyourbody Host R Blank on LinkedIn: https://www.linkedin.com/in/rblank9/ Shield Your Body on Instagram: https://instagram.com/shieldyourbody
October 24, 2022 ~ Mike Lee, Crain's Detroit Business Managing Editor kicks off Monday morning with Sean and they talk about the great success story of Dug Song and his Duo Security company.
In this episode we talk about: How designing for security is different from (and the same as) designing for other types of experiences. How to tackle aspects of the user experience that may be necessary but are perceived as annoying roadblocks. How to anticipate where things might go wrong for the user. How to effectively collaborate with technical teams. Bethany Sonefeld is the founder of Create With Conscience, a space dedicated to educating and committing to building healthier technology. Create With Conscience was something Bethany developed out of interest in creating a healthier balance of technology in her own life. Bethany is a design manager at Duo Security and was previously at Cloudflare, RetailMeNot, and IBM. Blair Shen is a product designer at Duo Security and was previously at Cloudflare and Harry&David. She is also a YouTube content creator, where she mentors and coaches aspiring UX designers.
Machine learning (ML) has reached an exciting phase of development, a phase that Vicki Boykis, Senior ML Engineer at Duo Security* has characterized as the “steam-powered days.” In this episode of Numerically Speaking: The Anaconda Podcast, Vicki talks about the state of the industry and where she sees things heading. Vicki's discussion with host Peter Wang covers: The interplay between software engineering and ML, the human element of the development lifecycle (and the lack thereof in social media) and the operationalization and the rise of microservices. Resources: Click https://vickiboykis.com to visit Vicki's blog. Click https://www.amazon.com/Presentation-Self-Everyday-Life/dp/0385094027 to purchase The Presentation of Self in Everyday Life by Erving Goffman, referenced by Vicki. Click https://www.amazon.com/Broad-Band-Untold-Story-Internet/dp/0735211752 to purchase Broad Band: The Untold Story of the Women Who Made the Internet, also referenced by Vicki. Click https://jimruttshow.blubrry.net/currents-rob-malda/ to listen to the Jim Rutt/Rob Malda (Slashdot) podcast episode referenced by Peter. Check out the P2 website https://wordpress.com/p2/ You can find a human-verified transcript of this episode here - https://know.anaconda.com/rs/387-XNW-688/images/ANACON_Vicki%20Boykis_V2%20%281%29.docx.pdf. If you enjoyed today's show, please leave a 5-star review. For more information, visit anaconda.com/podcast. *At the time of the interview, Vicki Boykis was an ML Engineer working on Tumblr at Automattic.
In this episode, host John Laurito talks with the CEO of Blumira, Jim Simpson, all about success and taking advantage of the opportunities they have in their life. Jim shares how he stepped outside his comfort zone, figuring out who he was and what shaped him to become the leader he is today. Jim Simpson joined Blumira in January as vice president of products. Over the past year, Simpson was responsible for guiding the company's strategic product roadmap to deliver the fastest time to security, with a focus on accessible, easy-to-use detection and response technology. With over two decades of experience growing successful security startups, Simpson previously led product management for the access security provider Duo Security, acquired by Cisco in 2018 for $2.35 billion. Before joining Duo, he led engineering and UX at the network security company Arbor Networks, acquired by NETSCOUT in 2015. Simpson's user-centric approach to solving customer problems is unique in an industry long known for overly complex, legacy solutions that often fail to protect organizations. Jim likes to look for the mystery in the world, and that comes in many forms: traveling, both locally on a bicycle and by planes, trains, and automobiles; creating, appreciating, and supporting art; and finally, sharing what he's learned via mentorship and coaching. Connect with Jim at: Website: https://www.blumira.com/ LinkedIn: https://www.linkedin.com/in/gngrwsbi/ Show notes: [1:59] Looking back on his life, what shaped who Jim is as a leader? [5:31] On stepping out of his comfort zone [11:45] Did he get to a point where he figured out who he really is as a leader? [16:28] Learning from his mistakes [19:24] Is there a time when a leader should display anger in an organization? [24:43] Good communication within the organization [29:14] What they do in Blumira [31:22] Where to find Jim [32:13] Outro. Get a copy of Tomorrow's Leader on Amazon: https://tinyurl.com/huseae9h Text LEADER to 617-393-5383 to receive The Top 10 Things That The Best Leaders Are Doing Right Now. For questions, suggestions, or speaker inquiries, contact me at john@lauritogroup.com
In this episode, we talk about: How do you tackle situations where business goals might be at odds with what's ethical or what's best for the human using the product? How can designers make a difference even if they don't have a leadership role at their organization? How do you anticipate potentially unhealthy behaviors or unintended consequences? What are some actionable steps you can take today? Bethany Sonefeld is the founder of Create With Conscience, a space dedicated to educating and committing to building healthier technology. Create With Conscience was something Bethany developed out of interest in creating a healthier balance of technology in her own life. Bethany is a design manager at Duo Security and was previously at Cloudflare, RetailMeNot, and IBM.
Anthony Nitsos is the Founder and Lead Guru at SaaS Gurus, which provides Finance, Accounting, HR, Equity, Legal, and Admin best practices and systems for Founders and CEOs of SaaS Start-Ups in the Post-Revenue, Pre-Seed to Pre-B phases of investment. Previously, he served as the Chief Operating Officer/Chief Financial Officer at SkySync, the Chief Operating Officer/Chief Financial Officer at LLamasoft, and the Senior Director of Finance and Accounting at Duo Security. Besides SaaS Gurus, Anthony is also a Partner at Ascendeus. In this episode, he shares his experience helping SaaS companies scale quickly and set themselves up for success. In this episode, we discuss: - Managing ERP implementation - About SaaS Gurus - The science behind rapid scaling For more interviews from the CFO Weekly podcast, check us out on Apple, Spotify, or your favorite podcast player! Presented by Personiv https://insights.personiv.com/cfo-weekly
Rick Howard, the Cyberwire's CSO and Chief Analyst, is joined by Hash Table members Helen Patton, Advisory CISO for Duo Security, and Nikk Gilbert, CISO for the Cherokee Nation Businesses, to discuss how to buy security products.
Learn how to set up your SaaS or any membership company's finance and accounting correctly from the start to save you potentially millions in the event you sell your company. About Anthony Nitsos: Anthony founded SaaS Gurus after years of experience building B2B SaaS finance and admin ecosystems for many companies including Duo Security (exit to Cisco, $2.35Bn), LLamasoft (exit to Coupa, $1.5Bn), and 10+ other start-ups. The deepest pain point he addresses is setting everything up properly the first time so Founders and CFOs can focus on optimizing revenue and cash instead of dealing with back-office roadblocks. Join over 17,000 others and sign up to receive bonus content with EDGE's weekly Newsletter. It's free, sign up here >>> EPISODE LINKS: SaaS Gurus PODCAST INFO: Apple Podcasts: EDGE on Apple Podcasts Spotify: EDGE on Spotify RSS Feed: EDGE's RSS Feed Website: EDGE Podcast SUPPORT & CONNECT: Please support this podcast by checking out our sponsors: Mad River Botanicals, 100% certified organic CBD products. The product is controlled from seed to end product by its owners. Use code EDGE22 to get 10% off all your orders. Shop here>>> A top podcast for entrepreneurs! *We respect your privacy and hate spam. We will not sell your information to others.
Rick Howard, the Cyberwire's CSO and Chief Analyst, is joined by Hash Table members Helen Patton, Duo Security at Cisco Advisory CISO, Steve Winterfeld, Akamai Advisory CISO, and Marc Sachs, Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security's Deputy Director for Research, to discuss cybersecurity strategies and tactics in the energy sector.
Frederic Van Haren and Stephen Foskett look back on all the subjects covered during Season 3 of Utilizing AI. The podcast covered many topics, from religious and ethical implications of AI to the technology that enables machine learning, but one topic that stands out is data science. If data is the key to AI, then the collection, management, organization, and sharing of data is a critical element of making AI projects possible. We also continue our “three questions” tradition by bringing in open-ended questions from Rich Harang of Duo Security, Sunil Samel of Akridata, Adi Gelvan of Speedb, Bin Fan of Alluxio, Professor Katina Michael, and David Kanter of MLCommons. Three Questions: Stephen's Question: Can you think of an application for ML that has not yet been rolled out but will make a major impact in the future? Frederic's Question: What market is going to benefit the most from AI technology in the next 12 months? Rich Harang, Senior Technical Lead, Duo Security: In an alternate timeline where we didn't develop automatic differentiation and put it on top of GPUs, so this entire deep learning hardware family that we depend on now never got invented, what would the dominant AI/ML technology be and what would have been different? Sunil Samel, VP of Business Development, Akridata: How will new technologies like AI help marginalized members of the community, folks like senior citizens, minorities, people with disabilities, veterans trying to reenter civilian life? Adi Gelvan, CEO and Co-Founder of Speedb: What do you think the risks of AI are and what is your recommended solution? Bin Fan, Founding Member, Alluxio: I'm wondering if AI can help with a humanitarian crisis happening in the future? Katina Michael, Professor, School for the Future of Innovation in Society, Arizona State University: If AI was to self-replicate, what would be the first thing it would do?
David Kanter, Executive Director of MLCommons: What's a problem in the AI world where you are held back by the lack of good publicly available data? Hosts: Frederic Van Haren, Founder at HighFens Inc., Consultancy & Services. Connect with Frederic on Highfens.com or on Twitter at @FredericVHaren. Stephen Foskett, Publisher of Gestalt IT and Organizer of Tech Field Day. Find Stephen's writing at GestaltIT.com and on Twitter at @SFoskett. Date: 4/25/2022 Tags: @SFoskett, @FredericVHaren
About Clint
Clint is the CEO and a co-founder at Cribl, a company focused on making observability viable for any organization, giving customers visibility and control over their data while maximizing value from existing tools. Prior to co-founding Cribl, Clint spent two decades leading product management and IT operations at technology and software companies, including Splunk and Cricket Communications. As a former practitioner, he has deep expertise in network issues, database administration, and security operations.
Links: Cribl: https://cribl.io/ Cribl.io: https://cribl.io Docs.cribl.io: https://docs.cribl.io Sandbox.cribl.io: https://sandbox.cribl.io
Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Chief Cloud Economist at The Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.
Corey: Today's episode is brought to you in part by our friends at MinIO, the high-performance Kubernetes-native object store that's built for the multi-cloud, creating a consistent data storage layer for your public cloud instances, your private cloud instances, and even your edge instances, depending upon what the heck you're defining those as, which depends probably on where you work. Getting that unified is one of the greatest challenges facing developers and architects today. It requires S3 compatibility, enterprise-grade security and resiliency, the speed to run any workload, and the footprint to run anywhere, and that's exactly what MinIO offers. With superb read speeds in excess of 360 gigs and a 100-megabyte binary that doesn't eat all the data you've got on the system, it's exactly what you've been looking for. Check it out today at min.io/download, and see for yourself. That's min.io/download, and be sure to tell them that I sent you.
Corey: This episode is sponsored in part by our friends at Sysdig. Sysdig is the solution for securing DevOps. They have a blog post that went up recently about how an insecure AWS Lambda function could be used as a pivot point to get access into your environment. They've also gone in-depth with a bunch of other approaches to how DevOps and security are inextricably linked. To learn more, visit sysdig.com and tell them I sent you. That's S-Y-S-D-I-G dot com. My thanks to them for their continued support of this ridiculous nonsense.
Corey: Welcome to Screaming in the Cloud. I'm Corey Quinn. I have a repeat guest joining me on this promoted episode. Clint Sharp is the CEO and co-founder of Cribl. Clint, thanks for joining me.
Clint: Hey, Corey, nice to be back.
Corey: I was super excited when you gave me the premise for this recording because you said you had some news to talk about, and I was really excited that oh, great, they're finally going to buy a vowel so that people look at their name and understand how to pronounce it. And no, that's nowhere near forward-looking enough. Instead it's some, I guess, I don't know, some product announcement or something. But you know, hope springs eternal. What have you got for us today?
Clint: Well, one of the reasons I love talking to your audience is because product announcements actually matter to this audience. It's super interesting, as you get into starting a company, you're such, like, a product person, you're like, “Oh, I have this new set of things that's really going to make your life better.” And then you go out to, like, the general media, and you're like, “Hey, I have this product.” And they're like, “I don't care. What product? Do you have a funding announcement? Do you have something big in the market that—you know, do you have a new executive? Do you”—it's like, “No, but, like, these features, like these things, that we—the way we make our lives better for our customers. Isn't that interesting?” “No.”
Corey: Real depressing once you—“Do you have a security breach to announce?” It's, “No. God no. Why would I wind up being that excited about it?” “Well, I don't know. I'd be that excited about it.” And yeah, the stuff that mainstream media wants to write about in the context of tech companies is exactly the sort of thing that tech companies absolutely do not want to be written about for. But fortunately, that is neither here nor there.
Clint: Yeah, they want the thing that gets the clicks.
Corey: Exactly. You built a product that absolutely resonates in its target market and outside of that market. It's one of those, what is that thing, again? If you could give us a light refresher on what Cribl is and does, you'll probably do a better job of it than I will. We hope.
Clint: We'd love to. Yeah, so we are an observability company, fundamentally. I think one of the interesting things to talk about when it comes to observability is that observability and security are merging. And so I like to say observability and include security people. If you're a security person, and you don't feel included by the word observability, sorry. We also include you; you're under our tent here. So, we sell to technology professionals, we help make their lives better. And we do that today through a flagship product called LogStream—which is part of this announcement, we're actually renaming to Stream. In some ways, we're dropping logs—and we are a pipeline company. So, we help you take all of your existing agents, all of your existing data that's moving, and we help you process that data in the stream to control costs and to send it multiple places.
And it sounds kind of silly, but one of the biggest problems that we end up solving for a lot of our enterprises is, “Hey, I've got, like, this old Syslog feed coming off of my firewalls”—like, you remember those things, right? Palo Alto firewalls, ASA firewalls—“I actually need to get that thing to multiple places because, hey, I want to get that data into another security solution. I want to get that data into a data lake. How do I do that?” Well, in today's world, that actually turns out to be sort of a neglected set of features. Like, for the vendors who provide you logging solutions, being able to reshape that data, filter that data, control costs, wasn't necessarily at the top of their priority list. It wasn't nefarious. It wasn't like people are like, “Oh, I'm going to make sure that they can't process this data before it comes into my solution.” It's more just, like, “I'll get around to it eventually.” And the eventually never actually comes. And so our streaming product helps people do that today.
And the big announcement that we're making this week is that we're extending that same processing technology down to the endpoint with a new product we're calling Cribl Edge. And so we're taking our existing best-in-class management technology, and we're turning it into an agent. And that seems kind of interesting because… I think everybody sort of assumed that the agent is dead. Okay, well, we've been building agents for a decade or two decades. Isn't everything exactly the same as it was before? But we really saw kind of a dearth of innovation in that area in terms of being able to manage your agents, being able to understand what data is available to be collected, being able to auto-discover the data that needs to be collected, turning those agents into interactive troubleshooting experiences so that we can, kind of, replicate the ability to zoom into a remote endpoint and replicate that Linux command line experience that we're not supposed to be getting anymore because we're not supposed to SSH into boxes anymore. Well, how do I replicate that? How do I see how much disk is on this given endpoint if I can't SSH into that box? And so Cribl Edge is a rethink about making this rich, interactive experience on top of all of these agents that become this really massive distributed system that we can process data all the way out at where the data is being emitted.
And so that means that now we don't nec—if you want to process that data in the stream, okay, great, but if you want to process that data at its origination point, we can actually provide you cheaper cost because now you're using a lot of that capacity that's sitting out there on your endpoints that isn't really being used today anyway—the average utilization of a Kubernetes cluster is like 30%—
Corey: It's that high. I'm sort of surprised.
Clint: Right? I know. So, Datadog puts out the survey every year, which I think is really interesting, and that's a number that always surprised me is just that people are already paying for this capacity, right? It's sitting there, it's on their AWS bill already, and with that average utilization, a lot of the stuff that we're doing in other clusters, or while we're moving that data, can actually just be done right there where the data is being emitted. And also, if we're doing things like filtering, we can lower egress charges; there's lots of really, really good goodness that we can do by pushing that processing further, closer to its origination point.
Corey: You know, the timing of this episode is somewhat apt because as of the time that we're recording this, I spent most of yesterday troubleshooting and fixing my home wireless network, which is a whole Ubiquiti-managed thing. And the controller was one of their all-in-one box things that kept more or less power cycling for no apparent reason. How do I figure out why it's doing that? Well, I'm used to, these days, doing everything in a cloud environment where you can instrument things pretty easily, where things start and where things stop is well understood. Finally, I just gave up and used a controller that's sitting on an EC2 instance somewhere, and now great, now I can get useful telemetry out of it because now it's stuff I know how to deal with. It also turns out that, surprise, my EC2 instance is not magically restarting itself due to heat issues. What a concept. So, I have a newfound appreciation for the fact that oh, yeah, not everything lives in a cloud provider's regions. Who knew? This is a revelation that I think is going to be somewhat surprising for folks who've been building startups and believe that anything that's older than 18 months doesn't exist. But there's a lot of data centers out there, there are a lot of agents living all kinds of different places. And workloads continue to surprise me even now, just looking at my own client base. It's a very diverse world when we're talking about whether things are on-prem or whether they're in cloud environments.
Clint: Well, also, there's a lot of agents on every endpoint, period, just due to the fact that the security guys want an agent, the observability guys want an agent, the logging people want an agent. And then suddenly, I'm, you know, I'm looking at every endpoint—cloud, on-prem, whatever—and there's 8, 10 agents sitting there. And so I think a lot of the opportunity that we saw was, we can unify the data collection for metric type of data. So, we have some really cool defaults. [unintelligible 00:07:30] this is one of the things where I think people don't focus much on, kind of, the end-user experience. Like, let's have reasonable defaults. Let's have the thing turn on, and actually, most people's needs are met without tweaking any knobs or buttons, and no diving into YAML files and looking at documentation and trying to figure out exactly the way I need to configure this thing. Let's collect metric data, let's collect log data, let's do it all from one central place with one agent that can send that data to multiple places. And I can send it to Grafana Cloud, if I want to; I can send it to Logz.io, I can send it to Splunk, I can send it to Elasticsearch, I can send it to AWS's new Elasticsearch-y thing that we don't know what they're going to call it yet after the lawsuit. Any of those can be done right from the endpoint from, like, a rich graphical experience, where I think that there's really a desire now for people to not have to jump into these configuration files, because for a lot of these users this is a part-time job, and so hey, if I need to go set up data collection, do I want to learn about this detailed YAML file configuration that I'm only going to do once or twice, or should I be able to do it in an easy, intuitive way, where I can just sit down in front of the product, get my job done and move on without having to go learn some sort of new configuration language?
Corey: Once upon a time, I saw an early, circa 2012, 2013, talk from Jordan Sissel, who is the creator of Logstash, and he talked a lot about how challenging it was to wind up parsing all of the variety of log files out there. Even something as relatively straightforward—wink, wink, nudge, nudge—as timestamps was an absolute monstrosity. And a lot of people have been talking in recent years about OpenTelemetry being the lingua franca that everything speaks, so that is the wave of the future, but I've got to level with you, looking around, it feels like these people are living in a very different reality than the one that I appear to have stumbled into, because the conversations people are having about how great it is sound amazing, but nothing that I'm looking at—granted from a very particular point of view—seems to be embracing it or supporting it. Is that just because I'm hanging out in the wrong places, or is it still a great idea whose time has yet to come, or something else?
Clint: So, I think a couple things. One is every conversation I have about OpenTelemetry is always, “Will be.” It's always in the future. And there's certainly a lot of interest. We see this from customer after customer, they're very interested in OpenTelemetry and what the OpenTelemetry strategy is, but as an example, OpenTelemetry logging is not yet a finalized specification; they believe that they're still six months to a year out. It seems to be perpetually six months to a year out there. They are finalized for metrics and they are finalized for tracing. Where we see OpenTelemetry tends to be with companies like Honeycomb, companies like Datadog with their tracing product, or Lightstep. So, for tracing, we see OpenTelemetry adoption. But tracing adoption is also not that high either, relative to just general metrics or logs.
Corey: Yeah, the tracing implementations that I've seen, for example, Epsagon did this super well, where it would take a look at your Lambda functions built into an application, and ah, we're going to go ahead and instrument this automatically using layers or extensions for you. And life was good because suddenly you got very detailed breakdowns of exactly how data was flowing in the course of a transaction through 15 Lambda functions. Great. With everything else I've seen, it's, “Oh, you have to instrument all these things by hand.” Let me shortcut that for you: That means no one's going to do it. They never are. Anytime you have to do that undifferentiated heavy lifting of making sure that you put the finicky code just so into your application's logic, it's a shorthand for it's only going to happen when you have no other choice. And I think that trying to surface that burden to the developer, instead of building it into the platform so they don't have to think about it, is inherently the wrong move.
Clint: I think there's a strong belief in Silicon Valley that—similar to, like, Hollywood—the biggest export Silicon Valley is going to have is culture. And so that's going to be this culture of, like, developers supporting their stuff in production. I'm telling you, I sell to banks and governments and telcos and I don't see that culture prevailing. I see an application developed by Accenture that's operated by Tata. That's a lot of inertia to overcome and a lot of regulation to overcome as well, and so, like, we can say that, hey, separation of duties isn't really a thing and developers should be able to support all their own stuff in production. I don't see that happening. It may happen. It'll certainly happen more than zero. And tracing is predicated on the whole idea that the developer is scratching their own itch. Like that I am in production and troubleshooting this and so I need this high-fidelity trace-level information to understand what's going on with this one user's experience, but that doesn't tend to be, in the enterprise, how things are actually troubleshot. And so I think that more than anything is the headwind that is slowing down distributed tracing adoption.
It's because you're putting the onus on solving the problem on a developer who never ends up using the distributed tracing solution to begin with because there's another operations department over there that's actually operating the thing on a day-to-day basis.Corey: Having come from one of those operations departments myself, the way that I would always fix things was—you know, in the era that I was operating it made sense—you'd SSH into a box and kick the tires, poke around, see what's going on, look at the logs locally, look at the behaviors, the way you'd expect it to these days, that is considered a screamingly bad anti-pattern and it's something that companies try their damnedest to avoid doing at all. When did that change? And what is the replacement for that? Because every time I asked people for the sorts of data that I would get from that sort of exploration when they're trying to track something down, I'm more or less met with blank stares.Clint: Yeah. Well, I think that's a huge hole and one of the things that we're actually trying to do with our new product. And I think the… how do I replicate that Linux command line experience? So, for example, something as simple, like, we'd like to think that these nodes are all ephemeral, but there's still a disk, whether it's virtual or not; that thing sometimes fills up, so how do I even do the simple thing like df -kh and see how much disk is there if I don't already have all the metrics collected that I needed, or I need to go dive deep into an application and understand what that application is doing or seeing, what files it's opening, or what log files it's writing even?Let's give some good examples. Like, how do I even know what files an application is running? Actually, all that information is all there; we can go discover that. 
And so some of the things that we're doing with Edge is trying to make this rich, interactive experience where you can actually teleport into the end node and see all the processes that are running and get a view that looks like top and be able to see how much disk is there and how much disk is being consumed. And really kind of replicating that whole troubleshooting experience that we used to get from the Linux command line, but now instead, it's a tightly controlled experience where you're not actually getting an arbitrary shell, where I could do anything that could give me root level access, or exploit holes in various pieces of software, but really trying to replicate getting you that high fidelity information because you don't need any of that information until you need it.And I think that's part of the problem that's hard with shipping all this data to some centralized platform and getting every metric and every log and moving all that data is the data is worthless until it isn't worthless anymore. And so why do we even move it? Why don't we provide a better experience for getting at the data at the time that we need to be able to get at the data. Or the other thing that we get to change fundamentally is if we have the edge available to us, we have way more capacity. I can store a lot of information in a few kilobytes of RAM on every node, but if I bring thousands of nodes into one central place, now I need a massive amount of RAM and a massive amount of cardinality when really what I need is the ability to actually go interrogate what's running out there.Corey: The thing that frustrates me the most is the way that I go back and find my old debug statements, which is, you know, I print out whatever it is that the current status is and so I can figure out where something's breaking.Clint: [Got here 00:15:08].Corey: Yeah. I do it within AWS Lambda functions, and that's great. 
And I go back and I remove them later when I notice how expensive CloudWatch logs are getting because at 50 cents per gigabyte of ingest on those things, and you have that Lambda function firing off a fair bit, that starts to add up when you've been excessively wordy with your print statements. It sounds ridiculous, but okay, then you're storing it somewhere. If I want to take that log data and have something else consume it, that's nine cents a gigabyte to get it out of AWS and then you're going to want to move it again from wherever it is over there—potentially to a third system, because why not?—and it seems like the entire purpose of this log data is to sit there and be moved around because every time it gets moved, it winds up somehow costing me yet more money. Why do we do this?Clint: I mean, it's a great question because one of the things that I think we decided 15 years ago was that the reason to move this data was because that data may go poof. So, it was on a, you know, back in my day, it was an HP DL360 1U rackmount server that I threw in there, and it had raid zero discs and so if that thing went dead, well, we didn't care, we'd replace it with another one. But if we wanted to find out why it went dead, we wanted to make sure that the data had moved before the thing went dead. But now that DL360 is a VM.Corey: Yeah, or a container that is going to be gone in 20 minutes. So yeah, you don't want to store it locally on that container. But discs are also a fair bit more durable than they once were, as well. And S3 talks about its 11 nines of durability. That's great and all but most of my application logs don't need that. So, I'm still trying to figure out where we went wrong.Clint: Well, I think it was right for the time. And I think now that we have durable storage at the edge where that blob storage has already replicated three times and we can reattach—if that box crashes, we can reattach new compute to that same block storage. 
Actually, AWS has some cool features now, you can actually attach multiple VMs to the same block store. So, we could actually even have logs being written by one VM, but processed by another VM. And so there are new primitives available to us in the cloud, which we should be going back and re-questioning all of the things that we did ten to 15 years ago and all the practices that we had because they may not be relevant anymore, but we just never stopped to ask why.Corey: Yeah, multi-attach was rolled out with their IO2 volumes, which are spendy but great. And they do warn you that you need a file system that actively supports that and applications that are aware of it. But cool, they have specific use cases that they're clearly imagining this for. But ten years ago, we were building things out, and, “Ooh, EBS, how do I wind up attaching that from multiple instances?” The answer was, “Ohh, don't do that.”And that shaped all of our perspectives on these things. Now suddenly, you can. Is that, “Ohh don't do that,” gut visceral reaction still valid? People don't tend to go back and re-examine the why behind certain best practices until long after those best practices are now actively harmful.Clint: And that's really what we're trying to do is to say, hey, should we move log data anymore if it's at a durable place at the edge? Should we move metric data at all? Like, hey, we have these big TSDBs that have huge cardinality challenges, but if I just had all that information sitting in RAM at the original endpoint, I can store a lot of information and barely even touch the free RAM that's already sitting out there at that endpoint. So, how to get out that data? Like, how to make that a rich user experience so that we can query it?We have to build some software to do this, but we can start to question from first principles, hey, things are different now. 
Maybe we can actually revisit a lot of these architectural assumptions, drive cost down, give more capability than we actually had before for fundamentally cheaper. And that's kind of what Cribl does is we're looking at software is to say, “Man, like, let's question everything and let's go back to first principles.” “Why do we want this information?” “Well, I need to troubleshoot stuff.” “Okay, well, if I need to troubleshoot stuff, well, how do I do that?” “Well, today we move it, but do we have to? Do we have to move that data?” “No, we could probably give you an experience where you can dive right into that endpoint and get really, really high fidelity data without having to pay to move that and store it forever.” Because also, like, telemetry information, it's basically worthless after 24 hours, like, if I'm moving that and paying to store it, then now I'm paying for something I'm never going to read back.Corey: This episode is sponsored in part by our friends at Vultr. Spelled V-U-L-T-R because they're all about helping save money, including on things like, you know, vowels. So, what they do is they are a cloud provider that provides surprisingly high performance cloud compute at a price that—while sure they claim its better than AWS pricing—and when they say that they mean it is less money. Sure, I don't dispute that but what I find interesting is that it's predictable. They tell you in advance on a monthly basis what it's going to going to cost. They have a bunch of advanced networking features. They have nineteen global locations and scale things elastically. Not to be confused with openly, because apparently elastic and open can mean the same thing sometimes. They have had over a million users. Deployments take less that sixty seconds across twelve pre-selected operating systems. Or, if you're one of those nutters like me, you can bring your own ISO and install basically any operating system you want. 
Starting with pricing as low as $2.50 a month for Vultr cloud compute they have plans for developers and businesses of all sizes, except maybe Amazon, who stubbornly insists on having something to scale all on their own. Try Vultr today for free by visiting: vultr.com/screaming, and you'll receive a $100 in credit. Thats V-U-L-T-R.com slash screaming.Corey: And worse, you wind up figuring out, okay, I'm going to store all that data going back to 2012, and it's petabytes upon petabytes. And great, how do I actually search for a thing? Well, I have to use some other expensive thing of compute that's going to start diving through all of that because the way I set up my partitioning, it isn't aligned with anything looking at, like, recency or based upon time period, so right every time I want to look at what happened 20 minutes ago, I'm looking at what happened 20 years ago. And that just gets incredibly expensive, not just to maintain but to query and the rest. Now, to be clear, yes, this is an anti-pattern. It isn't how things should be set up. But how should they be set up? And it is the collective the answer to that right now actually what's best, or is it still harkening back to old patterns that no longer apply?Clint: Well, the future is here, it's just unevenly distributed. So there's, you know, I think an important point about us or how we think about building software is with this customer is first attitude and fundamentally bringing them choice. Because the reality is that doing things the old way may be the right decision for you. You may have compliance requirements to say—there's a lot of financial services institutions, for example, like, they have to keep every byte of data written on any endpoint for seven years. And so we have to accommodate their requirements.Like, is that the right requirement? Well, I don't know. The regulator wrote it that way, so therefore, I have to do it. 
Whether it's the right thing or the wrong thing for the business, I have no choice. And their decisions are just as right as the person who says this data is worthless and should all just be thrown away.We really want to be able to go and say, like, hey, what decision is right? We're going to give you the option to do it this way, we're going to give you the option to do it this way. Now, the hard part—and that when it comes down to, like, marketing, it's like you want to have this really simple message, like, “This is the one true path.” And a lot of vendors are this way, “There's this new wonderful, right, true path that we are going to take you on, and follow along behind me.” But the reality is, enterprise worlds are gritty and ugly, and they're full of old technology and new technology.And they need to be able to support getting data off the mainframe the same way as they're doing a brand new containerized microservices application. In fact, that brand new containerized microservices application is probably talking to the mainframe through some API. And so all of that has to work at once.Corey: Oh, yeah. And it's all of our payment data is in our PCI environment that PCI needs to have every byte logged. Great. Why is three-quarters of your infrastructure considered the PCI environment? Maybe you can constrain that at some point and suddenly save a whole bunch of effort, time, money, and regulatory drag on this.But as you go through that journey, you need to not only have a tool that will work when you get there but a tool that will work where you are today. And a lot of companies miss that mark, too. It's, “Oh, once you modernize and become the serverless success story of the decade, then our product is going to be right for you.” “Great. 
We'll send you a postcard if we ever get there and then you can follow up with us.”Alternately, it's well, “Yeah, we're this is how we are today, but we have a visions of a brighter tomorrow.” You've got to be able to meet people where they are at any point of that journey. One of the things I've always respected about Cribl has been the way that you very fluidly tell both sides of that story.Clint: And it's not their fault.Corey: Yeah.Clint: Most of the people who pick a job, they pick the job because, like—look, I live in Kansas City, Missouri, and there's this data processing company that works primarily on mainframes, it's right down the road. And they gave me a job and it pays me $150,000 a year, and I got a big house and things are great. And I'm a sysadmin sitting there. I don't get to play with the new technology. Like, that customer is just as an applicable customer, we want to help them exactly the same as the new Silicon Valley hip kid who's working at you know, a venture-backed startup, they're doing everything natively in the cloud. Those are all right decisions, depending on where you happen to find yourself, and we want to support you with our products, no matter where you find yourself on the technology spectrum.Corey: Speaking of old and new, and the trends of the industry, when you first set up this recording, you mentioned, “Oh, yeah, we should make it a point to maybe talk about the acquisition,” at which point I sprayed coffee across my iMac. Thanks for that. Turns out it wasn't your acquisition we were talking about so much as it is the—at the time we record this—-the yet-to-close rumored acquisition of Splunk by Cisco.Clint: I think it's both interesting and positive for some people, and sad for others. I think Cisco is obviously a phenomenal company. They run the networking world. 
The fact that they've been moving into observability—they bought companies like AppDynamics, and we were talking about Epsagon before the show, they bought—ServiceNow, just bought Lightstep recently. There's a lot of acquisitions in this space.I think that when it comes to something like Splunk, Splunk is a fast-growing company by compared to Cisco. And so for them, this is something that they think that they can put into their distribution channel, and what Cisco knows how to do is to sell things like they're very good at putting things through their existing sales force and really amplifying the sales of that particular thing that they have just acquired. That being said, I think for a company that was as innovative as Splunk, I do find it a bit sad with the idea that it's going to become part of this much larger behemoth and not really probably driving the observability and security industry forward anymore because I don't think anybody really looks at Cisco as a company that's driving things—not to slam them or anything, but I don't really see them as driving the industry forward.Corey: Somewhere along the way, they got stuck and I don't know how to reconcile that because they were a phenomenally fast-paced innovative company, briefly the most valuable company in the world during the dotcom bubble. And then they just sort of stalled out somewhere and, on some level, not to talk smack about it, but it feels like the level of innovation we've seen from Splunk has curtailed over the past half-decade or so. And selling to Cisco feels almost like a tacit admission that they are effectively out of ideas. And maybe that's unfair.Clint: I mean, we can look at the track record of what's been shipped over the last five years from Splunk. And again they're a partner, their customers are great, I think they still have the best log indexing engine on the market. That was their core product and what has made them the majority of their money. But there's not been a lot new. 
And I think objectively we can look at that without throwing stones and say like, “Well, what net-new? You bought SignalFX. Like, good for you guys like that seems to be going well. You've launched your observability suite based off of these acquisitions.” But organic product-wise, there's not a lot coming out of the factory.Corey: I'll take it a bit further-slash-sadder, we take a look at some great companies that were acquired—OpenDNS, Duo Security, SignalFX, as you mentioned, Epsagon, ThousandEyes—and once they've gotten acquired by Cisco, they all more or less seem to be frozen in time, like they're trapped in amber, which leads us up to the natural dinosaur analogy that I'll probably make in a less formal setting. It just feels like once a company is bought by Cisco, their velocity peters out, a lot of their staff leaves, and what you see is what you get. And I don't know if that's accurate, I'm just not looking in the right places, but every time I talk to folks in the industry about this, I get a lot of knowing nods that are tied to it. So, whether or not that's true or not, that is very clearly, at least in some corners of the market, the active perception.Clint: There's a very real fact that if you look even at very large companies, innovation is driven from a core set of a handful of people. And when those people start to leave, the innovation really stops. It's those people who think about things back from first principles—like why are we doing things? What different can we do?—and they're the type of drivers that drive change.So, Frank Slootman wrote a book recently called Amp it Up that I've been reading over the last weekend, and he talks—has this article that was on LinkedIn a while back called “Drivers vs. Passengers” and he's always looking for drivers. And those drivers tend to not find themselves as happy in bigger companies and they tend to head for the exits. 
And so then you end up with the people who are a lot of the passenger type of people, the people who are like—they'll carry it forward, they'll continue to scale it, the business will continue to grow at whatever rate it's going to grow, but you're probably not going to see a lot of the net-new stuff. And I'll put it in comparison to a company like Datadog who I have a vast amount of respect for I think they're incredibly innovative company, and I think they continue to innovate.Still driven by the founders, the people who created the original product are still there driving the vision, driving forward innovation. And that's what tends to move the envelope is the people who have the moral authority inside of an even larger organization to say, “Get behind me. We're going in this direction. We're going to go take that hill. We're going to go make things better for our customers.” And when you start to lose those handful of really critical contributors, that's where you start to see the innovation dry up.Corey: Where do you see the acquisitions coming from? Is it just at some point people shove money at these companies that got acquired that is beyond the wildest dreams of avarice? Is it that they believe that they'll be able to execute better on their mission and they were independently? These are still smart, driven, people who have built something and I don't know that they necessarily see an acquisition as, “Well, time to give up and coast for a while and then I'll leave.” But maybe it is. 
I've never found myself in that situation, so I can't speak for sure.Clint: You kind of I think, have to look at the business and then whoever's running the business at that time—and I sit in the CEO chair—so you have to look at the business and say, “What do we have inside the house here?” Like, “What more can we do?” If we think that there's the next billion-dollar, multi-billion-dollar product sitting here, even just in our heads, but maybe in the factory and being worked on, then we should absolutely not sell because the value is still there and we're going to grow the company much faster as an independent entity than we would you know, inside of a larger organization. But if you're the board of directors and you're looking around and saying like, hey look, like, I don't see another billion-dollar line of bus—at this scale, right, if your Splunk scale, right? I don't see another billion-dollar line of business sitting here, we could probably go acquire it, we could try to add it in, but you know, in the case of something like a Splunk, I think part of—you know, they're looking for a new CEO right now, so now they have to go find a new leader who's going to come in, re-energize and, kind of, reboot that.But that's the options that they're considering, right? They're like, “Do I find a new CEO who's going to reinvigorate things and be able to attract the type of talent that's going to lead us to the next billion-dollar line of business that we can either build inside or we can acquire and bring in-house? Or is the right path for me just to say, ‘Okay, well, you know, somebody like Cisco's interested?'” or the other path that you may see them go down to something like Silver Lake, so Silver Lake put a billion dollars into the company last year. And so they may be looking at and say, “Okay, well, we really need to do some restructuring here and we want to do it outside the eyes of the public market. 
We want to be able to change pricing model, we want to be able to really do this without having to worry about the stock price's massive volatility because we're making big changes.”And so I would say there's probably two big options there considering. Like, do we sell to Cisco, do we sell to Silver Lake, or do we really take another run at this? And those are difficult decisions for the stewards of the business and I think it's a different decision if you're the steward of the business that created the business versus the steward of the business for whom this is—the I've been here for five years and I may be here for five years more. For somebody like me, a company like Cribl is literally the thing I plan to leave on this earth.Corey: Yeah. Do you have that sense of personal attachment to it? On some level, The Duckbill Group, that's exactly what I'm staring at where it's great. Someone wants to buy the Last Week in AWS media side of the house.Great. Okay. What is that really, beyond me? Because so much of it's been shaped by my personality. There's an audience, sure, but it's a skeptical audience, one that doesn't generally tend to respond well to mass market, generic advertisements, so monetizing that is not going to go super well.“All right, we're going to start doing data mining on people.” Well, that's explicitly against the terms of service people signed up for, so good luck with that. So, much starts becoming bizarre and strange when you start looking at building something with the idea of, oh, in three years, I'm going to unload this puppy and make it someone else's problem. The argument is that by building something with an eye toward selling it, you build a better-structured business, but it also means you potentially make trade-offs that are best not made. 
I'm not sure there's a right answer here.Clint: In my spare time, I do some investments, angel investments, and that sort of thing, and that's always a red flag for me when I meet a founder who's like, “In three to five years, I plan to sell it to these people.” If you don't have a vision for how you're fundamentally going to alter the marketplace and our perception of everything else, you're not dreaming big enough. And that to me doesn't look like a great investment. It doesn't look like the—how do you attract employees in that way? Like, “Okay, our goal is to work really hard for the next three years so that we will be attractive to this other bigger thing.” They may be thinking it on the inside as an available option, but if you think that's your default option when starting a company, I don't think you're going to end up with the outcome is truly what you're hoping for.Corey: Oh, yeah. In my case, the only acquisition story I see is some large company buying us just largely to shut me up. But—Clint: [laugh].Corey: —that turns out to be kind of expensive, so all right. I also don't think it serve any of them nearly as well as they think it would.Clint: Well, you'll just become somebody else on Twitter. [laugh].Corey: Yeah, “Time to change my name again. Here we go.” So, if people want to go and learn more about a Cribl Edge, where can they do that?Clint: Yeah, cribl.io. And then if you're more of a technical person, and you'd like to understand the specifics, docs.cribl.io. That's where I always go when I'm checking out a vendor; just skip past the main page and go straight to the docs. So, check that out.And then also, if you're wanting to play with the product, we make online available education called Sandboxes, at sandbox.cribl.io, where you can go spin up your own version of the product, walk through some interactive tutorials, and get a view on how it might work for you.Corey: Such a great pattern, at least for the way that I think about these things. 
You can have flashy videos, you can have great screenshots, you can have documentation that is the finest thing on this earth, but let me play with it; let me kick the tires on it, even with a sample data set. Because until I can do that, I'm not really going to understand where the product starts and where it stops. That is the right answer from where I sit. Again, I understand that everyone's different, not everyone thinks like I do—thankfully—but for me, that's the best way I've ever learned something.Clint: I love to get my hands on the product, and in fact, I'm always a little bit suspicious of any company when I go to their webpage and I can't either sign up for the product or I can't get to the documentation, and I have to talk to somebody in order to learn. That's pretty much I'm immediately going to the next person in that market to go look for somebody who will let me.Corey: [laugh]. Thank you again for taking so much time to speak with me. I appreciate it. As always, it's a pleasure.Clint: Thanks, Corey. Always enjoy talking to you.Corey: Clint Sharp, CEO and co-founder of Cribl. I'm Cloud Economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice along with an angry comment. And when you hit submit, be sure to follow it up with exactly how many distinct and disparate logging systems that obnoxious comment had to pass through on your end of things.Corey: If your AWS bill keeps rising and your blood pressure is doing the same, then you need The Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.Announcer: This has been a HumblePod production. Stay humble.
This week, Mallory is joined in the studio by Tyler Carlisle, a Senior Information Security Consultant at Keller Schroeder, as they discuss Duo Security, a cloud-based software security company. Tune in to hear how Duo provides an easy and secure end-user experience utilizing multi-factor authentication, single sign-on, and several other features. Tyler and Mallory agree – this is a tool everyone can (and should) use! Contact your Keller Schroeder Account Manager to learn more about Duo.
MLOps Coffee Sessions #84 with Ernest Chan, Lessons from Studying FAANG ML Systems.

// Abstract
Large tech companies invest in ML platforms to accelerate their ML efforts. Become better prepared to solve your own MLOps problems by learning from their technology and design decisions. Tune in to learn about ML platform components, capabilities, and design considerations.

// Bio
Ernest is a Data Scientist at Duo Security. As part of the core team that built Duo's first ML-powered product, Duo Trust Monitor, he faced many (frustrating) MLOps problems first-hand. That led him to advocate for an ML infrastructure team to make it easier to deliver ML products at Duo. Prior to Duo, Ernest worked at an EdTech company, building data science products for higher-ed. Ernest is passionate about MLOps and using ML for social good.

// Related Links
- Lessons on ML Platforms — from Netflix, DoorDash, Spotify, and more: https://ernestklchan.medium.com/lessons-on-ml-platforms-from-netflix-doordash-spotify-and-more-f455400115c7
- Paper Highlights-Challenges in Deploying Machine Learning: a Survey of Case Studies: https://towardsdatascience.com/paper-highlights-challenges-in-deploying-machine-learning-a-survey-of-case-studies-cafe61cfd04c
- Choose boring technologies Slideshare by Dan McKinley: https://www.slideshare.net/danmckinley/choose-boring-technology

✌️Connect With Us ✌️
- Join our slack community: https://go.mlops.community/slack
- Follow us on Twitter: @mlopscommunity
- Sign up for the next meetup: https://go.mlops.community/register
- Catch all episodes, blogs, newsletter and more: https://mlops.community/
- Connect with Demetrios on LinkedIn: https://www.linkedin.com/in/dpbrinkm/
- Connect with Vishnu on LinkedIn: https://www.linkedin.com/in/vrachakonda/
- Connect with Ernest on LinkedIn: https://www.linkedin.com/in/ernest-chan-68245773/

Timestamps:
[00:00] Introduction to Ernest Chan
[01:07] Takeaways
[02:58] Ernest's Lessons on ML Platforms — from Netflix, DoorDash, Spotify, and more blog post
[05:55] Five components of an ML Platform
[10:09] Limitations highlighted in the blog post
[14:41] Level of maturity or completion observed in company efforts
[16:17] Platform/Architecture admired the most
[17:46] Advice to big tech companies
[22:03] Process of needing an infrastructure and aiming towards having a platform
[24:23] Paper Highlights-Challenges in Deploying Machine Learning: a Survey of Case Studies blog post
[26:24] Takeaways from Paper Highlights-Challenges in Deploying Machine Learning
[30:33] Prioritization
[33:04] Delta Lake
[35:27] Model rollouts and shadow mode
[39:23] Are you an ML Engineer or a Data Scientist?
[40:15] Simple route platform vs flexible platform trade-offs
[41:08] Opinionated and simple vs less opinionated and flexible
[43:22] Choose boring technologies Slideshare by Dan McKinley
[44:36] Wrap up
Mike Hanley, CSO at GitHub and former VP of security at Duo Security, joins Dennis Fisher to talk about the open source security summit at the White House, the Log4j response, and how the tech industry can support the open source community.
Connie & Alex skim over this week's tech news stories and then chat with Mitchell Green, founder of Lead Edge Capital, a bi-coastal venture capital firm with $3 billion under management that has used eight investment principles to make big bets in companies like Alibaba, Spotify, and Duo Security.
Although it's a powerful tool, deep learning is perhaps over-used in modern applications. In this episode of the Utilizing AI podcast, Rich Harang joins Chris Grundemann and Stephen Foskett to discuss the various reasons people use AI, both good and bad. In a November Twitter thread, Rich posited that the following conditions were required to use AI for real: the cost of errors must be extremely low, the decision needs to be possible but expensive, there needs to be the same kind of decision frequently, there needs to be a benefit and it must be better than a simple rule, you have to not care how it got the answer, the base rate must be close to even, you need a steady stream of data for training, and you must match the size and cost of the model to the application. On the other hand, these same considerations can point us to problem sets that make a great match for DL, and we should focus on using the right tool for the job.

Three Questions:
- Chris Grundemann: Are there any jobs that will be completely eliminated by AI in the next five years?
- Stephen Foskett: How small can ML get? Will we have ML-powered household appliances? Toys? Disposable devices?
- Adam Probst of ZenML: What percentage of companies will be using ML in five years?

Links:
- Rich's Twitter Thread: https://twitter.com/rharang/status/1465340190919217153
- Sara Hooker's Paper, “The Hardware Lottery”: https://hardwarelottery.github.io

Guests and Hosts:
- Rich Harang, Senior Technical Lead at Duo Security. Connect with Rich on Twitter at @RHarang.
- Chris Grundemann, Gigaom Analyst and Managing Director at Grundemann Technology Solutions. Connect with Chris on ChrisGrundemann.com and on Twitter at @ChrisGrundemann.
- Stephen Foskett, Publisher of Gestalt IT and Organizer of Tech Field Day. Find Stephen's writing at GestaltIT.com and on Twitter at @SFoskett.

Date: 1/11/2022
Tags: @RHarang, @SFoskett, @ChrisGrundemann
02:01 - Kat's Superpower: Terrible Puns!
* Puns & ADHD; Divergent Thinking (https://en.wikipedia.org/wiki/Divergent_thinking)
* Punching Down (https://www.urbandictionary.com/define.php?term=punching%20down)
* Idioms (https://www.ef.edu/english-resources/english-idioms/)

08:07 - Security Awareness Education & Accessibility
* Phishing
* Unconscious Bias Training That Works (https://hbr.org/2021/09/unconscious-bias-training-that-works)
* Psychological Safety
* 239: Accessibility and Sexuality with Eli Holderness (https://www.greaterthancode.com/accessibility-and-sexuality)
* Management Theory of Frederick Taylor (https://www.business.com/articles/management-theory-of-frederick-taylor/)
* Building a Security Culture For Oh Sh*t Moments | Human Layer Security Summit (https://www.youtube.com/watch?time_continue=21&v=d2girBtrbCQ&feature=emb_logo)
* Decision Fatigue

20:58 - Making the Safe Thing Easy
* (in)Secure Development - Why some product teams are great and others aren't… (https://tldrsec.com/blog/insecure-development-why-some-product-teams-are-great-and-others-arent/)
* The Swiss Cheese Model of Error Prevention (https://www.ncbi.nlm.nih.gov/pmc/articles/PMC1298298/)

22:43 - Awareness; Security Motivation; Behavior and Culture (ABC)
* AIDA: Awareness, Interest, Desire, Action (https://en.wikipedia.org/wiki/AIDA_(marketing))
* Inbound Marketing (https://www.hubspot.com/inbound-marketing)

33:34 - Dietary Accessibility; Harm Reduction and Threat Monitoring
* Celiac Disease (https://celiac.org/about-celiac-disease/what-is-celiac-disease/)
* A Beginner's Guide to a Low FODMAP Diet (https://www.benefiber.com/fiber-in-your-life/fiber-and-wellness/beginners-guide-to-low-fodmap-diet/?gclsrc=aw.ds&gclid=Cj0KCQiAnuGNBhCPARIsACbnLzqJkfl2XxxUQVSAGU96cmdVl5S7gn6GXnOQAHf-Sn0zEHvBBKINObUaAlOvEALw_wcB)
* Casein (https://en.wikipedia.org/wiki/Casein)
* DisInfoSec 2021: Kat Sweet - Dietary Accessibility in Tech Workplaces (https://www.youtube.com/watch?v=rG1DApAlcK4&feature=youtu.be)
Reflections:
* John: Internal teams relating to other internal teams as a marketing issue.
* Casey: Phishing emails cause harm.
* Kat: AIDA: Awareness, Interest, Desire, Action (https://en.wikipedia.org/wiki/AIDA_(marketing)); Unconscious Bias Training That Works (https://hbr.org/2021/09/unconscious-bias-training-that-works); The Responsible Communication Style Guide (https://rcstyleguide.com/)

This episode was brought to you by @therubyrep (https://twitter.com/therubyrep) of DevReps, LLC (http://www.devreps.com/). To pledge your support and to join our awesome Slack community, visit patreon.com/greaterthancode (https://www.patreon.com/greaterthancode). To make a one-time donation so that we can continue to bring you more content and transcripts like this, please do so at paypal.me/devreps (https://www.paypal.me/devreps). You will also get an invitation to our Slack community this way as well.

Transcript:

PRE-ROLL: Software is broken, but it can be fixed. Test Double's superpower is improving how the world builds software by building both great software and great teams. And you can help! Test Double is hiring empathetic senior software engineers and DevOps engineers. We work in Ruby, JavaScript, Elixir and a lot more. Test Double trusts developers with autonomy and flexibility at a remote, 100% employee-owned software consulting agency. Looking for more challenges? Enjoy lots of variety while working with the best teams in tech as a developer consultant at Test Double. Find out more and check out remote openings at link.testdouble.com/greater. That's link.testdouble.com/greater.

JOHN: Welcome to Episode 263 of Greater Than Code. I'm John Sawers and I'm here with Casey Watts.

CASEY: Hi, I'm Casey! And we're both here with our guest today, Kat Sweet. Hi, Kat.

KAT: Hi, John! Hi, Casey!

CASEY: Well, Kat Sweet is a security professional who specializes in security education and engagement.
She currently works at HubSpot building out their employee security awareness program, and is also active in their disability ERG, Employee Resource Group. Since 2017, she has served on the staff of the security conference BSides Las Vegas, co-leading their lockpick village. Her other superpower is terrible puns, or, if they're printed on paper—she gave me this one—tearable puns. [laughter]

KAT: Like written paper.

CASEY: Anyway. Welcome, Kat. So glad to have you.

KAT: Thanks! I'm happy to be here.

CASEY: Let's kick it off with our question. What is your superpower and how did you acquire it?

KAT: [chuckles] Well, as I was saying to both of y'all before this show started, I was thinking I'm going to do a really serious skillful superpower that makes me sound smart because that's what a lot of other people did in theirs. I don't know, something like I'm a connector, or I am good at cross-pollination. Then I realized no, [chuckles] like it, or not, terrible puns are my actual superpower. [laughter] Might as well just embrace it. I think as far as where I acquired it, probably a mix of forces. Having a dad who was the king of dad puns certainly helped and actually, my dad's whole extended family is really into terrible puns as well. We have biweekly Zoom calls and they just turn into everyone telling bad jokes sometimes. [laughter] But I think it also probably helps that, I don't know, having ADHD, my brain hops around a lot and so, sometimes makes connections in weird places. Sometimes that happens with language and there were probably also some amount of influences just growing up, I don't know, listening to Weird Al, gets puns in his parodies. Oh, and Carlos from The Magic School Bus.

CASEY: Mm hmm. Role models. I agree. Me too. [laughter]

KAT: Indeed. So now I'm a pundit.

CASEY: I got a pun counter going in my head. It just went ding!

KAT: Ding! [laughter]

CASEY: I never got – [overtalk]

KAT: They've only gotten worse during the pandemic.

CASEY: Oh! Ding!
[laughter] Maybe we'll keep it up. We'll see. I never thought of the overlap of puns and ADHD. I wonder if there's any study showing if it does correlate. It sounds right. It sounds right to me.

KAT: Yeah, that sounds like a thing. I have absolutely no idea, but I don't know, something to do with divergent thinking.

CASEY: Yeah.

JOHN: Yeah. I'm on board with that.

CASEY: Sometimes I hang out in the channels on Slack that are like #puns, or #dadjokes. Are you in any of those? What's the first one that comes to mind for you, your pun community online?

KAT: Oh yeah. So actually at work, I joined my current role in August and during the first week, aside from my regular team channels, I had three orders of business. I found the queer ERG Slack channel, I found the disability ERG Slack channel, and I found the dad jokes channel. [laughter] That was a couple of jobs ago when I worked at Duo Security. I've been told that some of them who are still there are still talking about my puns because we would get [laughs] pretty bad pun threads going in the Slack channels there.

CASEY: What a good reputation.

KAT: Good, bad, whatever. [laughs]

CASEY: Yeah.

KAT: I don't know. Decent as a form of humor that's safe for work goes, too because it's generally hard to, I guess, punch down with them other than the fact that everyone's getting punched with a really bad pun, but they're generally an equalizing force. [chuckles]

CASEY: Yeah. I love that concept. Can you explain to our listeners, punching down?

KAT: So this is now the Great British Bake Off and we're talking about bread. No, just kidding. [laughter] No, I think in humor a lot of times, sometimes people talk about punching up versus punching down in terms of who is actually in on the joke. When you're trying to be funny, are you poking fun at people who are more marginalized than you, or are you poking at the people with a ton of privilege?
And I know it's not always an even concept because obviously, intersectionality is a thing and it's not just a – privilege isn't a linear thing. But generally, what comes to mind a lot is, I don't know, white comedians making fun of how Black people talk, or men comedians making rape jokes at women's expense, or something like that. Like who's actually being punched? [chuckles]

CASEY: Yeah.

KAT: Obviously, ideally, you don't want to punch anyone, but that whole concept of where's the humor directed and is it contributing to marginalization?

CASEY: Right, right. And I guess puns aren't really punching at all.

KAT: Yeah.

CASEY: Ding!

KAT: Ding! There goes the pun counter. Yeah, the only thing I have to be mindful of, too is not over relying on them in my – my current role is in a very global company so even though all employees speak English to some extent, English isn't everyone's first language and there are going to be some things that fly over people's heads. So I don't want to use that exclusively as a way to connect with people.

CASEY: Right, right.

JOHN: Yeah. It is so specific to culture even, right. Because I would imagine even UK English would have a whole gray area where the puns may not land and vice versa.

KAT: Oh, totally. Just humor in general is so different in every single culture. Yeah, it's really interesting.

JOHN: Yeah, that reminds me. Actually, just today, I started becoming weirdly aware as I was typing something to one of my Indian colleagues and I'm not sure what triggered it, but I started being aware of all the idioms that I was using and what I was typing. I was like, “Well, this is what I would normally say to an American,” and I'm just like, “Wait, is this all going to come through?” I think that way might lead to madness, though if you start trying to analyze every idiom you use as you're speaking.
But it was something that just suddenly popped into my mind that I'm going to try and keep being a little bit more aware of because there's so many ways to miss with communication when you rely on obscure idioms, or certain ways of saying things that aren't nearly as clear as they could be. [chuckles]

KAT: Yeah, absolutely. I'm sure that's definitely a thing in all the corporate speak about doubling down, circling back, parking lots, and just all the clicking, all of those things. [laughter] But yeah, that's actually something that was on my run recently, too with revamping one of the general security awareness courses that everyone gets is that in the way we talk about how to look for a phishing – spot a phishing email. First of all, one of the things that at least they didn't do was say, “Oh, look for poor grammar, or misspelled words,” because that's automatically really exclusive to people whose first language isn't English, or people who have dyslexia. But I was also thinking we talk about things like subtle language cues in suspicious emails around a sense of urgency, like a request being made trying to prey on your emotion and I'm like, “How accessible is that, I guess, for people whose first language is English to try and spot a phishing email based on those kind of things?” Like how much – [chuckles] how much is too much to ask of…? Like opinions about phishing emails, or the phishing training anyway being too much to ask of people to some degree, but I don't know. There's so much subtlety in it that just is really easy for people to lose.

JOHN: Yeah. I mean, I would imagine that even American English speakers – [overtalk]

KAT: Yeah.

JOHN: With a lot of experience still have trouble.
Like actually, [chuckles] I just got apparently caught by one of them, the test phishing emails, but they notified me by sending me an email and saying, “You were phished, click here to go to the training.” And I'm like, “I'm not going to click on that!” [laughter] I just got phished!

KAT: Yeah.

JOHN: But I think my larger point is again, you're talking about so many subtleties of language and interpretations to try and tease these things out. I'm sure there are a lot of people with a range of non-typical neurologies where that sort of thing isn't going to be obvious, even if they are native English speakers.

KAT: Exactly. Myself included having ADHD. [laughs]

JOHN: Yeah.

KAT: Yeah. It's been interesting trying to think through building out security awareness stuff in my current role and in past roles, and having ADHD and just thinking about how ADHD unfriendly a lot of the [laughs] traditional approaches are to all this. Even like you were just saying, “You got phished, take this training.” It seems like the wrong sequence of events because if you're trying to teach someone a concept, you need to not really delay the amount of time in between presenting somebody with a piece of information and giving them a chance to commit it to memory. ADHD-ers have less working memory than neurotypical people to begin with, but that concept goes for everyone. So when you're giving someone training that they might not actually use in practice for several more months until they potentially get phished again, then it becomes just information overload. So that's something that I think about. Another way that I see this playing out in phishing training in particular, but other security awareness stuff is motivation and reward because we have a less amount of intrinsic motivation. Something like, I don't know, motivation and reward system just works differently with people who have trouble hanging onto dopamine. ADHD-ers and other people's various executive dysfunction stuff.
So when you're sitting through security training that's not engaging, that's not particularly novel, or challenging, or of personal interest, or is going to have a very delayed sense of reward rather than something that's immediately gratifying, there's going to be a limitation to how much people will actually learn, be engaged, and can actually be detrimental. So I definitely think about stuff like that.

CASEY: That reminds me of a paper I read recently about—I said this on a previous episode, too. I guess, maybe I should find the paper, dig it up, and share.

KAT: Cool. [laughter]

CASEY: Oh, but it said, “Implicit bias awareness training doesn't work at all ever” was an original paper. No, that's not what it said of course, but that's how people read it and then a follow-up said, “No, boring! PowerPoint slide presentations that aren't interactive aren't interactive.” [laughter] “But the interactive ones are.” Surprise!

KAT: Right. That's the thing. That's the thing. Yeah, and I think there's also just, I don't know. I remember when I was first getting into security, people were in offices more and security awareness posters were a big thing. Who is going to remember that? Who's going to need to know that they need to email security at when they're in the bathroom? [laughs] Stuff like that that's not particularly engaging nor particularly useful in the moment. But that DEI paper is an interesting one, too. I'll have to read that.

CASEY: Do you have experience making some of these trainings more interactive and getting the quicker reward that's not delayed and what does that look like for something like phishing, or another example?

KAT: It's a mixed bag and it's something that I'm still kind of – there's something that I'm figuring out just as we're scaling up because in past roles, I've mostly been in smaller companies.
But one thing that I think people, who are building security awareness and security education content for employees, miss is the fact that there's a certain amount of baseline level of interaction and context that you can't really automate away, especially for new hires. I know having just gone through the process that onboarding weeks are always kind of information overload. But people are going to at least remember more, or be more engaged if they're getting some kind of actual human contact with somebody who they're going to be working with; they've got the face, they've got some context for who their security team is, what they do, and they won't just be clicking through a training that's got canned information that has no context to where they're working and really no narrative and nowhere for them to ask questions. Because I always get really interesting questions every time I give some kind of live security education stuff; people are curious. I think it's important that security education and engagement is really an enhancer to a security program. It can't be carrying all the weight of relationships between the security team and the rest of the company. You're going to get dividends by having ongoing positive relationships with your colleagues that aren't just contact the security team once a year during training.

CASEY: And even John's email, like the sample test email, which I think is better than not doing it for sure. But that's like a ha ha got you. That's not really [chuckles] relationship building. Barely. You've got to already have the relationship for it to – [overtalk]

KAT: No, it's not and that's – yeah. And that's why I think phishing campaigns are so tricky. I think they're required by some compliance frameworks and by cyber insurance frameworks. So some places just have to have them. You can't just say we're not going to run internal phishing campaigns, unfortunately, regardless of whether that's actually the right thing for businesses.
But I think the angle should always be familiarizing people with how to report email like that to the security team and reinforcing psychological safety. Not making people feel judged, not making people feel bad, and also not making them sit through training if they get caught because that's not psychological safety either and it really doesn't pay attention to results. It's very interesting, I remember I listened to your episode with Eli Holderness and at some point, one of the hosts mentioned something about human factors and safety science on the evolving nature of how people management happens in the workplace. How there was this old model of humans being a problem to be managed, supervised, and well, just controlled and how the new view of organizational psychology and people management is more humans are your source of success so you need to enable their growth and build them up. I think a lot of security education approaches are kind of still stuck in that old model, almost. I've seen progress, but I think a lot of them have a lot of work to do in still being, even if they're not necessarily as antagonistic, or punitive, they still feel sometimes paternalistic. Humans are like, “If I hear the phrase, ‘Humans are the weakest link one more time,' I'm going to table flip.” First of all, humans are all the links, but also – [overtalk]

JOHN: Yeah.

KAT: It's saying like, we need to save humans, which are somehow the security team is not humans. We need to save humans from themselves because they're too incompetent to know what to do. So we need, yeah – which is a terrible attitude.

CASEY: Yeah.

KAT: And I think it misses the point that first of all, not everyone is going to become a security expert, or hypervigilant all the time and that's okay. But what we can do is focus on the good relationships, focus on making the training we have and need to do somewhat interactive and personal and contextual, and let go of the things you can't control.
[chuckles]

JOHN: Yeah, I think Taylorism is the name for that management style. I think it came around in the 40s and – [overtalk]

KAT: Really?

JOHN: Yeah, ruined a lot of lives. [laughs] Yeah, and I think your point about actually accepting the individual humanity of the people you're trying to influence and work with rather than as some sort of big amorphous group of fuckups, [laughs] for lack of a better word. Giving them some credit, giving them, like you said, something that's not punitive, somewhere where they don't get punished for their security lapses, or forgetting a thing, or clicking the link is going to be a lot more rewarding than, like you said, just making someone sit through training. Like for me, the training I want from whatever it was I clicked on is show me the email I clicked on, I will figure out how it tricked me and then I will learn. I don't need a whole – [overtalk]

KAT: Yes.

JOHN: 3 hours of video courses, or whatever. I will see the video, [chuckles] I will see the email, and that is a much more organic thing than here's the training for you.

KAT: Exactly. Yeah, you have to again, give some people a way to actually commit it to memory. Get it out of RAM and into SSD.

JOHN: Yeah. [laughter]

KAT: But yeah, I love that and fortunately, I think some other places are starting to do interesting, innovative approaches. My former colleague, Kim Burton, who was the Security Education Lead at Duo when I was there and just moved to Texas, gave a webinar recently on doing the annual security training as a choose your own adventure so that it could be replicated among a wide group of people, but that people could take various security education stuff that was specific to their own role and to their own threat model. I really liked that. I like being able to give people some amount of personalization and get them actually thinking about what they're specifically interacting with.

JOHN: Yeah, yeah.
That's great and it also makes me think about there are undoubtedly things I'm pretty well informed in security and other things that I'm completely ignorant about. I'd rather not sit through a training that covers both of those things. Like if there's a way for me to choose my own adventure through it so that I go to the parts where I'm actually learning useful things. Again, a, it saves everybody time and b, it means I'm not fast forwarding through the video, hoping it'll just end, and then possibly missing things that are actually useful to me.

CASEY: I'm thinking of a concrete example, I always remember and think of and that's links and emails. I always hover and look at the URL except when I'm on my phone and you can't do that. Oh, I don't know. It has never come up in a training I've seen.

KAT: Yeah, you can click and hold, but it's harder and I think that speaks to the fact that security teams should lean into putting protections around email security more so than relying entirely on their user base to hover every single link, or click and hold on their phone, or just do nothing when it comes to reporting suspicious emails. There's a lot of decision fatigue that, I think security teams still put on people whose job is not security and I hope that that continues to shift over time.

JOHN: Yeah. I mean, you're bringing up the talking about management and safety theory that probably came from Rein Henrichs, who is one of our other hosts. But one of the things he also has talked about on, I think probably multiple shows is about setting the environment for the people that makes the safe thing easy.

KAT: Right.

JOHN: So that all the defaults roll downhill into safety and security rather than well, here's a level playing field you have to navigate yourself through and there's some potholes and da, da, da, and you have to be aware of them and constantly on alert and all those things.
Whereas, if you tilt the field a little bit, you make sure everything runs in the right direction, then the right thing becomes the easy thing and then you win.

KAT: Exactly, exactly. I think it's important to put that not only in the technical defaults – [overtalk]

JOHN: Yeah, yeah.

KAT: But also process defaults to some degree. One of my colleagues just showed me a talk that was, I think from perhaps at AppSec Cali. I'll have to dig it up. But there was somebody talking about making I guess, threat modeling and anti-abuse mindsets more of a default in product development teams and how they added one single line to their sprint planning—how could this feature potentially be misused by a user—and that alone just got people thinking just that little process change.

JOHN: Yeah. That's beautiful. But such a small thing, but constantly repeated at a low level. It's not yelling at anyone to…

KAT: Yeah.

JOHN: Yeah.

KAT: Yeah. And even if the developers and product designers themselves weren't security experts, or anti-abuse experts, it would just get them thinking, “Oh hey, we should reach out to the trust and safety team.”

CASEY: Yeah. I'm thinking about so many steps and so many of these steps could be hard. The next one here is the security team responsive and that has a lot to do with are they well-staffed and is this a priority for them? Oh my goodness.

KAT: Yeah. [laughs] So many things.

CASEY: It's layers. But I'm sure you've heard of this, Kat. The Swiss cheese model of error prevention?

KAT: Yeah. Defense in depth.

CASEY: Yeah. [chuckles] I like to bring it up on the podcast, too because a lot of engineers and a lot of non-security people don't know about it.

KAT: Hmm.

CASEY: Do you want to explain it? I don't mind. I can.

KAT: Oh, yeah. Basically that there are going to be holes in every step of the process, or the tech and so, that's why it's important to have this layered approach.
Because over time, even if something gets through the first set of holes, it may not get through a second set where the holes are in different spots. So you end up with a giant stack of Swiss cheese, which is delicious, and you come out with something that's hopefully pretty safe. [laughter]

CASEY: Yeah, and it's the layers that are – the mind-blowing thing here is that there can be more than one layer. We don't just need one layer of Swiss cheese on this sandwich, which is everybody pay attention and don't ever get phished, or it's your fault. You can have so many more layers than that. It can be like a grilled cheese, really, really thick, grilled cheese. [laughter]

KAT: Yes. A grilled cheese where the bread is also cheese.

CASEY: Yes! [laughs]

MID-ROLL: This episode is supported by Compiler, an original podcast from Red Hat discussing tech topics big, small, and strange. Compiler unravels industry topics, trends, and the things you've always wanted to know about tech, through interviews with the people who know it best. On their show, you will hear a chorus of perspectives from the diverse communities behind the code. Compiler brings together a curious team of Red Hatters to tackle big questions in tech like, what is technical debt? What are tech hiring managers actually looking for? And do you have to know how to code to get started in open source? I checked out the “Should Managers Code?” episode of Compiler, and I thought it was interesting how the hosts spoke with Red Hatters who are vocal about what role, if any, that managers should have in code bases—and why they often fight to keep their hands on keys for as long as they can. Listen to Compiler on Apple Podcasts, or anywhere you listen to podcasts. We'll also include a link in the show notes. Our thanks to Compiler for their support.

CASEY: Earlier, you mentioned awareness, Kat as something interesting. You want to talk about awareness more as a term and how it relates to this?

KAT: Oh, yeah.
So I – and technically, my job title has security awareness in it, but the more I've worked in the security space doing employee security education stuff as part of all my jobs... I know language isn't perfect, but I'm kind of of the mindset that awareness isn't a good capture of what a role like mine actually should be doing, because awareness without behavior change, or action, is just noise. It's just we're all very aware of things, but if we don't have an environment that's friendly to us putting that awareness into some kind of action, or engagement, or response, we are just aware and scared. [laughs]
CASEY: Yeah, awareness alone just makes us feel bad. We need more than that.
KAT: Yeah. So I think security awareness is sometimes just a product of a term that got standardized over several years, as it's in all of the compliance control frameworks; security awareness is a part of it. I don't know that it's the best practice thing. I hope over time it will continue to evolve.
CASEY: Yeah.
KAT: As with any other kind of domains.
JOHN: Yeah. I think that maybe security motivation might be a better term for it.
KAT: I've seen a bunch of different ones used. So I end up speaking in terms of, I don't know, security education and engagement is what I'm working on. Security culture is my vision. I've seen things like security awareness, behavior, and culture, ABC, things like that. But all this to say, security awareness not being in a vacuum.
CASEY: I like those. This reminds me of a framework I've been thinking about a lot and I use in some of my DEI workshops. AIDA is an acronym. A-I-D-A. The first one's Awareness, the last one is Action, and in the middle is Interest and Desire.
KAT: Nice.
CASEY: So the questions I use to frame it are like, are they aware of, for example, if they're misgendering someone? That's the context I'm using this in a lot. Are they aware of this person's pronouns in the first place?
Are they interested in caring about this person, and do they want to do anything about it, and did they do it? Did they use their proper pronouns? Did they correct their actions? It's like 4 stages – [overtalk]
KAT: I like that.
CASEY: AIDA. It's used in marketing a lot for like a sales funnel, but I apply it to all sorts of: how do you get someone from aware to action?
KAT: I like that a lot. It's been interesting working at a place that makes a product that's more in the sales and marketing space. Definitely learned a lot, because a couple of previous roles I've had have been with security vendors. I think one of the interesting ideas that was a new concept to me when I started was this idea of inbound marketing, where instead of just cold contacting people and telling them, “Be interested in us, be interested in us, buy our stuff,” you generate this reputation as being of good service by putting out useful free nuggets of content, like blog posts, webinars, and things. Then you get people who are interested based on them knowing that you've got this, that you offer a good perspective, and then they tell all their friends. They are satisfied customers, and they go promote it to people. I think about this as it applies to security teams and the services they provide, because even though corporate security teams are internal, they've still got internal customers. They've still got services that they provide for people. So by making sure that the security team is visible, accessible, and that the good services that they provide are known and you've got satisfied customers, they become promoters to the rest of their teams. Think about it, like, security can definitely learn a lot from [chuckles] these sales and marketing models.
CASEY: I can totally imagine the security team being the fun team, the one you want to go work with and do workshops with, because they make it so engaging and you want to. You can afford to spend your time on this thing. [laughter]
KAT: Oh yes.
CASEY: You might do it. [laughter]
JOHN: Yeah, and I think marketing's a great model for that. Marketing sort of has a bad reputation, I think, amongst a lot of people because it's done badly and evilly by a lot of people. But it's certainly possible, and I think inbound marketing is one of those ways that you're engaging, you're spreading awareness, you're letting people select themselves into your service, and bring their interest to you. If you can develop that kind of rapport with the employees at your company as a security team, everybody wins.
KAT: Yeah, absolutely, and it can absolutely be done. When I was working at Duo a couple jobs ago, I was on their security operations team and we were responsible, among other things, for both the employee security education and being the point of intake; being the people that our colleagues would reach out to with security concerns, and I definitely could see those relationships pay off by being visible and being of good service.
CASEY: So now I'm getting my product manager hat on, like team management.
KAT: Yeah.
CASEY: I will want to choose the right metrics for a security team that incentivizes letting this marketing kind of approach happen and being the fun team people want to reach out to, to have the bigger impact, and probably the highest metric is like nobody gets a security breach. But that can't be the only one, because maybe you'll have a lucky year and maybe you'll have an unlucky one; that's not the best one. What other metrics are you thinking of?
KAT: That's the thing, there's a lot more that goes into not getting pwned than how aware of security people are. There's just way too many factors to that. But – [overtalk]
CASEY: Yeah. I guess I'm especially interested in the human ones, like how come – [overtalk]
KAT: Oh, yeah. And I mean like – [overtalk]
CASEY: Is the department allowed to do the things that would be effective, like incentivized and measured, in a sense?
KAT: Yeah, and I think a lot of security education metrics often have a bit of a longer tail, but I think about not – I don't really care so much about the click rates for internal phishing campaigns, because again, anyone can fall for a phish if it's crafted correctly enough. If it's subtle enough, or if just somebody's distracted, or having a bad day, which we never have. It's not like there's a pandemic, or anything. But for things that are sort of numbers-wise, I think about how much are people engaging with security teams, not just in terms of reporting suspicious emails, but how often are they reporting ones that aren't a phishing simulation? How much are they working with security teams when they're building new features, and what's the impact of that baseline level before there's, I don't know, formal process for security reviews, code reviews, threat modeling stuff in place? What does that story look like over time for the product and for product security? So I think there's quite a bit of narrative data involved in security education metrics.
JOHN: Yeah. I mean, you could look at inbound interest, like how often are you consulted out of the blue by another team, or even of the materials you've produced, what's the engagement rates on that? I think that's a lower quality one, but I think inbound interest would be fantastic.
CASEY: Yeah.
KAT: Yeah, exactly. I was thinking to some degree about, well, what kinds of vulnerabilities are you shipping in your code? Because I think there's never 100% secure code. But I think if you catch some of the low-hanging fruits earlier on, then sometimes you get an interesting picture of like, okay, security is being infused into the SDLC at all of these various Swiss cheese checkpoints. So think about that to some degree, and that's often more of a process thing than purely an education thing, but getting an education is an enhancer to all of these other parts of the security programs.
JOHN: So in the topics for the show that you had suggested to us, one of the things that stood out to me was something you called dietary accessibility. So can you tell me a little bit more about what that means?
KAT: So earlier in this year, in the middle of all of this pandemic ridiculousness, I got diagnosed with celiac disease. Fortunately, I guess, if there was a time to be diagnosed with that, it's when I'm working remotely and nobody's going out to eat, really. Oh, I should back up. I think a lot of people know what it is, but just in case, it's an autoimmune disorder where my body attacks itself when I eat gluten. I've described it in the past as my body thinks that gluten is a nation state adversary named Fancy Beer. [laughter] Ding, one more for the pun counter. I don't know how many we're up to now. [laughs]
CASEY: I have a random story about a diet I had to do for a while for my health. I have irritable bowel syndrome in my family and that means we have to follow a really strict diet called the low FODMAP diet. If your tummy hurts a lot, it's something you might look into because it's underdiagnosed. That meant I couldn't have wheat, but not because I had celiac disease; I was not allergic to the protein in wheat flour. I was intolerant to the starch in wheat flour. So it would bother me a lot. People said, “Do you have celiac, or?” And I was like, “No, but I cannot have wheat because the doctor told me so, but no, it's not an allergy.” I don't know, my logical brain did not like that question. [laughter] That was an invalid question. No, it's not a preference. I prefer to eat bread, but I cannot, or it hurts my body, according to my doctor.
KAT: [chuckles] So you can't have the starch and I can't have the protein. So together, we can just – [overtalk]
CASEY: Separate it!
KAT: Split all of the wheat molecules in the world and eat that. [laughs]
CASEY: That's fair. I literally made gluten-free bread with gluten.
[laughs] I got all the gluten-free starches and then the gluten from the wheat, and I didn't have the starch in the wheat, and it did not upset my stomach.
KAT: Oh man.
JOHN: Yeah. I've got a dairy sensitivity, but it's not lactose. It's casein, so it's the protein in the dairy.
CASEY: Protein, uh huh.
KAT: Oh, interesting.
CASEY: I apologize on behalf of all the Casey. [laughter] Casey in.
KAT: Who let Casey in?
CASEY: Ding!
KAT: Ding! No, but it's made me think a lot about, as I was – first of all, it's just I didn't fully appreciate until I was going through it firsthand the amount of cognitive overload that just goes into living with it every day. [laughs] Speaking of a constant state of hypervigilance, it took a while for that to make it through – I don't know, for me to operationalize to my new life that's going to be my reality for the [laughs] rest of my life now, because it was just like, “Oh, can I eat this? Can I eat that?” All of that. Something that at least helped ease me out of this initial overwhelm and grieving period was tying some of the stuff that I was dealing with back to how would I do this in my – how would I approach this if this were a security education and security awareness kind of thing?
CASEY: Oh, yeah.
KAT: Because it's a new concept and it's a thing that is unfamiliar and not everyone is an expert in it. So I'm like, “How would I treat myself as the person who's not an expert in it yet?” I, again, tried to get myself back to some of those same concepts of okay, let's not get stuck in FUD mode, let's think about what are some of the actual facts versus what's scaremongering. I don't need to know how much my risk of colon cancer is increased, because that's not that helpful for me to actually be able to go about my day. I need to know what are the gluten-free brands of chips? That's critical infrastructure.
CASEY: I love this parallel. This is so cool.
KAT: And so I thought about, too – I've mentioned earlier decision fatigue as a security issue. I thought about how can I reduce the decision fatigue and not get stuck just reading all the labels on foods and stuff? What are the shortcuts I can take? Some of those were like, okay, let me learn to recognize the labels, what the labels mean, of a certified gluten-free logo, and also just eat a lot of things that would never have touched gluten to begin with, like plain and raw meat, plain potatoes, plain vegetables, things like that. So just anything to take the cognitive load down a little bit, because it was never going to be zero. It's interesting. Sometimes, I don't know, I have tons of different interests and I've always been interested in people's perspective outside of security. A lot of that stuff influences the way I think about security, but sometimes the way I think about security also ends up influencing other stuff in my life, so.
CASEY: Yeah. I think that's brilliant. Use – [overtalk]
KAT: And interesting to connect with those.
CASEY: The patterns you're comfortable with, and apply them.
KAT: Exactly.
CASEY: A lot of really cool ideas come from technology.
KAT: Yeah, and go for harm reduction, not nothing, because we don't live in a gluten-free world. It's like I can try to make myself as safe as possible, but at some point, my gut may suffer a data breach and [laughs] when I do, it should be blameless and just work on getting myself recovered and trying – [overtalk]
JOHN: Yeah. I mean, thinking about it as a threat model. There's this gluten out there and some of it's obvious, some of it's not obvious. What am I putting in place so that I get that 95th percentile, or whatever it is? You can think of it that way. I like that.
KAT: Exactly. It's an interesting tie to threat modeling, how the same people – even if people have the same thing that they can't eat, they may still have a different threat model.
They may, like how we both had to avoid wheat, but for different reasons and with different side effects if we eat it, and things like that.
CASEY: I love these parallels. I imagine you went into some of these in that talk at DisInfoSec. Is that right?
KAT: Yeah. A little bit. So DisInfoSec, it's a virtual conference in its second year of existence, specifically highlighting disabled speakers in the InfoSec community, run by Kim Crawley, who's a blogger for Hack the Box. There was a really interesting lineup of talks this year. Some people, I think about half of them, touched on neurodiversity and various aspects of security through lenses of being autistic and ADHD, which is really cool. For mine, I focused on those of us who have disability-related dietary restrictions and how that affects our life in the tech workplace, where, compared to a lot of other places I've worked, there's a lot of free food on the company dime hanging around and there's a lot of use of food as a way to build connection and build community.
CASEY: Yeah, and a lot of stuff a lot of people can't eat. I'm with you, uh huh.
KAT: Yeah. I just took stock of all of the times that I would take people out for lunch interviews, go out to dinner with colleagues when they're in town, all of these things. Like snacks in the office. Just there not being a bathroom on the same floor as me for multiple jobs where I worked. [laughs] Things like that. So I really wanted to – the thing that I wanted to highlight in that talk in general was systemic-level accommodations to be made for people with, be it celiac, IBS, food allergies, diabetes, rather than relying on people individually requesting accommodations. This universal design model where you've got to make sure that your workplace is by default set up to accommodate people with a wide range of disabilities, including dietary needs, and a lot of times it doesn't come down to even feeding them.
It comes down to making sure their health insurance is good, making sure people can work remotely, making sure that – [overtalk]
CASEY: Higher levels of Swiss cheese on that. There are various levels.
KAT: Yeah, the levels of Swiss cheese. A lot of stuff cascades from lunch interviews, making sure that if you do them at all, that you're really flexible about them.
JOHN: Yeah. I can definitely relate to the being able to work from home, which I've done for the last decade or more, has been huge for being able to have a solid control of my diet. Because it's really easy to have all the right things around for lunch rather than, oh, I've only got half an hour, I can run out to the sub shop and I'll just deal with the consequences, because that's what's nearby; versus trying to bring food into the office and keep it in the fridge, or the free – that's a whole mess. So just like you said, good health insurance, working from home, these are things that allow for all sorts of different disabilities to be taken care of so well that you don't – that's the base, that's table stakes for that kind of inclusion.
KAT: Exactly, exactly.
CASEY: Yeah.
KAT: Exactly. Yeah, and I think what sometimes gets missed is that even there are other things that I need – the ability to just sometimes lie down, the ability to be close to a bathroom, and things that are not food related, but definitely are my reality. [laughs]
CASEY: And companies win out, too. By accommodating you, they get all of your expertise and skills and puns. In exchange for flexibility, they get puns.
KAT: [laughs] And I still make puns about gluten, wheat, rye, and barley even though I can't eat them anymore. That will never go away.
CASEY: They just keep rising.
KAT: Wheat for it. Wait for it. [laughter]
CASEY: Ding!
KAT: That's just my wry sense of humor.
CASEY: All right. We're getting near the end of time for today. At this point, let's talk about reflections and plugs.
JOHN: I can go first.
I think the thing that's definitely sticking with me is thinking about the internal teams relating to other internal teams at a company as a marketing issue. Security is obviously one where you need to have that relationship with pretty much every team. But I'm thinking all sorts, all the way around: development, DevOps, tech, QA. Everyone can think this way and probably gain something from it, as in, what are we presenting to the rest of the company, what is our interface, and how do we bring more things to it such that people like working with our interface a lot, so that we have great relationships with the rest of the team? I think I'm going to keep thinking about that for a while.
CASEY: I'll share a reflection. I liked noticing that those phish emails can cause harm to people—they can feel bad and then make them less receptive. I've always been a fan of them overall. But thinking about that impact, I might have even been the one to say that, but it was still surprising to me when that came out of my mouth. Say, oh yeah, it hurts people in a way, too. We don't have to have that painful experience to teach people. It can be done in a safer environment. I wonder what else we can do for training of things like that to make it more positive and less negative. I'm going to be thinking on that.
KAT: Yeah. And I wrote down AIDA. Awareness, Interest, Desire, and Action. Did I get that right?
CASEY: Yeah.
KAT: I'm definitely going to look into that. I think that's a great model for education of all kinds.
CASEY: Yeah. If you want to go even deeper, there's like 6 and 7 tier models; the Wikipedia page links to a bunch of them. That's just the most common.
KAT: Awesome.
CASEY: For plugs, I just want to plug some homework for you all. Everyone listening, there's this Unconscious Bias Training That Works article that I've mentioned twice now. I hope you get to read that. And I guess, the AIDA – it'll be in the show notes for sure.
And then the Wikipedia page for AIDA marketing, just so you have a spot to look it up if you forget about it. Try to apply that to situations; that's your homework.
KAT: I think something I plugged on Twitter quite a bit over the years, and a lot when we were talking about the language that we use earlier, I'm a huge fan of the Responsible Communication Style Guide, which was put out by the Recompiler, which is a feminist activist hacker publication. So they've got guides on words to avoid, words to use instead, for when talking about race, gender, class, health, disability status. It's written for a tech audience and I really like that as a resource for using inclusive language.
JOHN: Yeah. It's great stuff.
CASEY: I love it. All right, thanks so much for coming on our show today, Kat.
Special Guest: Kat Sweet.
As cyber criminals evolve their methods, a zero-trust framework can help prevent a goodly number of attacks by verifying that users, applications, and devices are allowed to even begin interacting with protected systems. Then, after being admitted (with minimum privileges), the framework checks again and again, at every point of interaction, to make sure that no one and nothing gets access to people and systems that are off limits.

One of the first companies to successfully offer zero trust architecture from the cloud was Duo Security, a company acquired by Cisco in 2018. Its CISO, Dave Lewis, talks to the Tech Means Business podcast about the zero-trust concept, and how it's used to keep the systems on which we all rely safe from prying (and avaricious) eyes.

From his high school days when he hacked his classmates for LOLs and ROFLMAOs, to the present day as Global Advisory CISO at Duo, Dave has been there, at the forefront of cyber defense. His entire career (save the first ten days or so) has been in cyber security, yet his enthusiasm for and contribution to the industry haven't waned.

We talk about the accident of passwords' emergence as the de facto standard for cyber protection to today's systems of authentication based on granular definitions of trust, AKA access security: user to machine, user to user, and machine to machine.

Dave's knowledge goes back to the days when modems warbled and trilled while handshaking and continues in this age of multi-cloud and the emergence of AI.

To learn more about Duo Security's unique zero-trust cyber security offering, click here: https://duo.com/

Dave Lewis's professional profile lives here, with the finest job title on all of LinkedIn: https://www.linkedin.com/in/gattaca/

The Very Reverend Mother Green's LinkedIn is here: https://www.linkedin.com/in/josephedwardgreen/
True Ventures Chief Operating Officer, Jim Stewart, on what it's like to take four companies public, what goes into the operations to run a venture capital firm, how to take calculated risks, and what to do when you realize that you've just violated US government export controls when you're doing an IPO roadshow (don't panic).

True Ventures is a venture capital firm with an astonishing track record of investing in the best companies like Peloton, Fitbit, Ring, Duo Security, Automattic, and Sweetgreen, which just went public on the New York Stock Exchange.

Jim initially joined True Ventures as CFO in 2012 and now leads all operations as the firm's COO. He brings substantial operational and financial experience to venture-backed tech and biotech companies. Jim has held numerous operating and CFO positions, leading four companies through their IPO processes. When he is not focused on operations, he's doing all sorts of high-octane activities like racing his Yamaha R6 motorcycle.

Ben Horowitz's Book, The Hard Thing About Hard Things - https://www.amazon.com/Hard-Thing-About-Things-Building/dp/0062273205
True Ventures - https://trueventures.com
Jim Stewart - https://www.linkedin.com/in/james-stewart-b1b10320/
Episode Webpage - https://betweentwocoos.com/jim-stewart-true-ventures-coo
Episode Transcript - https://betweentwocoos.com/jim-stewart-true-ventures-coo/#transcript
Michael Koenig - https://linkedin.com/in/mkoenig514
This week, Tim is joined by Jon Oberheide, the co-founder and Chief Technology Officer of Duo Security, one of the most successful security start-ups the world has seen. Its mission was clear: democratize security by making it easy and effective.

When the company was founded in 2009, the idea of zero trust becoming a market-recognized category was considered a ridiculous moonshot, but today it's broadly recognized as the way to build an effective security program. Jon shares views on how and why this has happened and why he's so proud that Duo is leading the charge. A few days before this interview, Jon announced his departure from Duo, and Tim was keen to look back over his journey at the company, hear his top learnings around building a security start-up, and find out what's in store for the future.
Jon Oberheide is the co-founder and CTO of Duo Security, which was acquired by Cisco for $2.4 billion. On today's episode, Jon Sakoda speaks with Jon Oberheide about his personal journey to where he is today, including the “not illegal” way he met his Duo co-founder in a back stairwell.

The Most Unorthodox Practices Are Sometimes The Most Fruitful [06:11-09:16] - From spamming unsolicited emails at Starbucks to hacking his future business partner's wifi network, Jon has done it all. Learn how his start at Quiznos helped him build a $2 billion app.

Think Outside The Box For The Best Results [10:36-13:08] - After dropping out of his PhD program right before graduating and sneaking around Ann Arbor stairwells, Jon is no stranger to the untraditional path. Listen to hear how thinking outside the box and curiosity can help startups work around roadblocks.

Lean Into The “Unsexy” Startup [17:16-17:50] - While people fixate over the idea of a “sexy” startup, Jon talks about his experience founding a startup that tackled seemingly boring problems with widespread effects.

The Startup Journey Is An Emotional Rollercoaster [25:44-27:12] - Getting to where he is today was not an easy journey for Jon, but the lessons he got from it proved to be invaluable. If you are or want to be a founder, hear what Jon believes is the most important part of founding a successful and scalable company.
This week, Tim welcomes Josh Yavor, Tessian's Chief Information Security Officer and former security leader for Duo Security, Facebook and Cisco Secure. He shares why he believes the human factor is so important in cybersecurity, particularly when you consider the variety of attacks that people are faced with today - like social engineering and business email compromise. Josh explains how security leaders can - and should - empower and entrust users if they are going to overcome these major challenges, using real-world examples from his own experiences. A must-listen! And here's a link to the report that Josh refers to. If you want more Human Layer Security insights, you can sign up to the Tessian newsletter and stay up to date.
Dug Song is the co-founder and CEO of Duo Security, which was acquired by Cisco for $2.4 billion. On today's episode, Jon Sakoda speaks with Dug Song about how he fell into a world famous hacking group made up of “angels and devils” and how he got hired by his college after hacking into their networks.

Understanding Your Customers Requires Deep Empathy [16:55-19:21] - Instead of giving your customers what they ask for, Dug believes you should give them something they never thought was possible. Listen to what they need, empathize with them so you can see their point of view, and then interpret it into the ever-coveted “wow moment”.

Win or Learn - How to Build a Culture of Continuous Improvement [21:24-22:25] - It is inevitable that you have setbacks on the road to building a successful company. While failure can be a deterrent to many, Dug sees it as an important part of growth. The quality of a decision is not as important as the quality of the process to make a decision. Listen to learn more about why Dug believes you either win or you learn.

Build A Team Of People You Actually Enjoy Working With [23:09-24:23] - Dug compares growing a company to nurturing a child, and you should only share that responsibility with people you trust. Learn about what Dug calls “the grocery store test” and how it can be used to build a team of people you actually want next to you in this journey.
Blumira - Per Crunchbase: “Blumira's end-to-end platform offers both automated threat detection and response, enabling organizations of any size to more efficiently defend against cybersecurity threats in near real-time. It eases the burden of alert fatigue, complexity of log management and lack of IT visibility. Blumira's cloud SIEM can be deployed in hours with broad integration coverage across cloud, endpoint protection, firewall and identity providers including Office 365, G Suite, Crowdstrike, Okta, Palo Alto, Cisco FTD and many others.” Contact sales@blumira.com

Patrick Garrity, VP of Operations. Patrick has years of experience in the security industry building and scaling usable security products. He currently leads Blumira's product, sales and marketing teams. Prior to joining Blumira, he led sales engineering, product marketing and international expansion for Duo Security. Twitter = @Thisisnottap

https://www.ibm.com/cloud/blog/top-5-advantages-of-software-as-a-service
https://www.outsource2india.com/software/articles/software-as-a-service.asp

5 Advantages of SaaS
- Reduced time to benefit. Software as a service (SaaS) differs from the traditional model because the software (application) is already installed and configured. ...
- Lower costs. ...
- Scalability and integration. ...
- New releases (upgrades) ...
- Easy to use and perform proof-of-concepts.

5 Disadvantages of SaaS
- Insufficient Data Security. SaaS-based application model.
- Difficulty with Regulations Compliance.
- Cumbersome Data Mobility.
- Low Performance.
- Troublesome Software Integration.

Limit Attack Surface
https://www.wallix.com/blog/top-10-ways-to-limit-attack-surface
https://www.okta.com/identity-101/what-is-an-attack-surface/
https://securityscorecard.com/blog/what-is-cyber-attack-surface-management
Dennis Fisher talks with Zoe Lindsey, one of the early Duo Security employees, about her entrance into hacker culture, finding her way in the tech world, and the importance of lifelong learning.
Today we have a discussion with an amazing UX designer duo, Andrea Neuhoff and Kristen Kite. Andrea is a Certified OOUX Strategist and a Senior Product Designer at Duo. Kristen is a Senior Product Designer at Detroit Labs and has designed products for enterprise users at companies including Duo Security, GE, and Google. In this episode of the podcast, Andrea and Kristen talk with Sophia about their work together at Duo Security, how they have started bringing OOUX to Duo for a double whammy of complexity wrangling, and how taking all of people's weird behaviors into account helps design better online security products. Enjoy!

LINKS:
Connect with Andrea on LinkedIn: Andrea
Connect with Kristen on LinkedIn: Kristen
Get what is “easily one of the best training investments you could make.” Learn more at Ooux.com/certification and read more real reviews of the course at Ooux.com/testimonials
Object-focused vs Task-focused Design by Everyl Yankee
When Coffee and Kale Compete by Alan Klement
--- Support this podcast: https://anchor.fm/ooux/support
While the notion of Zero Trust has been around for a long time, as a principle it's really only about ten years old. Recently on The Digital Decode, we had a conversation with Wolfgang Goerlich, the Advisory CISO for Duo Security, all about Zero Trust.

We talked about:
- What is Zero Trust and why is it such a big deal?
- How today's market is responding to the Zero Trust movement.
- How you can begin to implement Zero Trust in your organization.
- How Duo is pushing adoption of Zero Trust across the IT Security industry.

Thanks for listening! Keep connected with The Digital Decode at Apple Podcasts, Spotify, and our website. Listening on a desktop & can't see the links? Just search for The Digital Decode in your favorite podcast player.
Internal communications is about people. If done well, it can drive your organization to achieve top results, even during a pandemic. In this week's episode, Melissa talks to Amanda Todd, the Executive Communications Officer at Cisco, about the importance of internal communications.

About Amanda: Amanda Todd is an Executive Communications Officer to Liz Centoni, Cisco's Chief Strategy Officer and General Manager of Applications at Cisco. Before joining Liz's Executive Communications team, Amanda built and led internal communications programs at Duo Security (now part of Cisco) and at car2go North America. She is a firm believer that the best communications understand people, products and culture, and has a special passion for employee well-being, corporate social responsibility and creating programs that foster a strong sense of purpose and belonging. Follow Amanda on LinkedIn: amanda-todd-austin

Topics covered:
- Defining internal communications
- Internal communications during a pandemic
- Internal communications in a post-pandemic world
- How to build company culture while working from home
- The measure of "good work"

Actions to take:
- Include employees in your communications plan
- Minimize confusion
- Bring heart into your message
- Acknowledge the "elephant in the room"
- Build in daily opportunities for laughter
- Learn how to listen

Resources mentioned:
- Cisco: https://www.cisco.com/
- Staffbase: https://staffbase.com/en/
- PR Pro Gear: https://www.prgearshop.com/
After growing up in Ann Arbor and attending the University of Michigan, Jon Oberheide and his partner Dug Song started their careers as offensive security researchers. They soon found that it's really easy to break things in the security space, but it's a lot harder to build something resilient. Jon joins us on this episode of The Founder Formula to share the story of their journey, and some of the simple solutions they were able to identify early on, such as: - Changing the customer experience - Making free trials available - Offering a solution that can deploy in 5 minutes - Purchasing with a credit card (which at that time was unheard of!) Listen to this and all of The Founder Formula episodes on Apple Podcasts, Spotify, or our website.
My name is Corey Kupfer and I've been working in the business of negotiations for more than 30 years, both as a successful entrepreneur and as an attorney. My goal is to help you strategize, plan for, find, and complete deals that will help your company grow rapidly. This is called "inorganic growth", and it differs from the traditional, often slower, organic growth you're probably familiar with. What You Will Learn: Learn why Gannett elected to acquire search marketing software maker WordStream for $150 million, and what benefits Gannett expects to receive from the deal. I also review IBM's 2018 acquisition of Red Hat for $33 billion, in an effort to expand and grow their open source capacity and cloud dominance. I examine Oracle's acquisition of DataFox for an undisclosed value, with the intention of increasing their capacity for Artificial Intelligence to analyze business data. I also look at Twilio's $2 billion acquisition of SendGrid to expand their cloud platform as an all-in platform for business growth. Learn about Adobe's $4.75 billion acquisition of Marketo, to improve the function of their cloud-based solutions suite, as well as Cisco's $2.35 billion acquisition of two-factor authentication specialists Duo Security. I discuss AT&T's purchase of AlienVault on undisclosed financial terms, in an effort to boost their own internal systems security, as well as Siemens' $700 million acquisition of low-code platform maker Mendix. Learn why DocuSign acquired SpringCM for $220 million in an effort to modernize its processes, and hear about the Salesforce acquisition of Israeli cloud and AI marketing platform Datorama at an undisclosed purchase price. I discuss the potential motivations behind the above-listed acquisitions, as well as key tech sector partnerships of 2018 and why they stand out.
For example, learn why Walmart and Microsoft are partnering for the purpose of being more competitive in e-commerce, and why Apple and Google are partnering despite their ongoing competitive interests. Resources: Website: www.fuelingdeals.com
Our latest podcast features an interview with Dug Song, co-founder and CEO of Duo Security, LLC, a technology security company specializing in two-factor authentication. Duo's story is an incredible one, and Dug's life story and his journey into tech is fascinating. Listen to find out more, here on The Doers Network!! To find out more about Duo, click here: https://duo.com/ Learn more about us here: https://www.bamboodetroit.com/
Cisco today announced its intent to buy Ann Arbor, MI-based security firm Duo Security. Under the terms of the agreement, Cisco is paying $2.35 billion in cash and assumed equity awards for Duo. Duo Security was founded in 2010 by Dug Song and Jonathan Oberheide and went on to raise $121M through several rounds of funding. The company has 700 employees with offices throughout the United States and in London, though the company has remained headquartered in Ann Arbor, MI.
Zack Urlocker helped grow a number of software companies to billion dollar exits - including Active Software, MySQL, Zendesk and most recently Duo Security. And he's been an advisor and board member for many other successful venture-backed software companies including HubSpot and SugarCRM. He's also written a rock opera! Zack's worked with many Tier 1 VCs including Benchmark Capital, CRV, Index Ventures and Matrix Partners, and he now lectures at the University of Michigan on Entrepreneurial Leadership. Zack discusses: - Why product management is a great career path for any budding enterprise software entrepreneur - The importance of focusing on great customer service when you expand internationally - How and why you should avoid micro-managing local decisions from an overseas HQ - The importance of transferring your culture and cloning your successful DNA as you expand internationally - The mis-step Duo Security took in failing to hire sufficient local domain expertise when they initially expanded into Europe - His focus on developing entrepreneurs in the Mid-West: a US region historically starved of entrepreneurial development & learning opportunities Head over to www.alpinasearch.com for more advice on globally scaling your enterprise software venture