[00:00:00] Speaker A: You can't let a vendor hold you back from your security posture because you're worried about the change. This is stuff that we have been as an industry gun shy of doing. It's hard to replace your endpoint, it's hard to replace your WAF, it's hard to replace your IDP. So we continually invest in technology that's 20 years old when there's a lot better stuff that's out there that will seamlessly integrate, make your life easier, and you're going to be in a lot better spot.
[00:00:35] Speaker B: This is katiecast as a primary target.
[00:00:39] Speaker C: For ransomware campaigns, security and testing, and.
[00:00:42] Speaker A: Performance, risk and compliance. We can actually automate that, take that.
[00:00:46] Speaker C: Data and use it.
Joining me today is Grant Borzekis, Chief Security Officer from cloudflare. And today we're discussing lessons learned from a global CSO in the year of elections. So, Grant, thanks for joining and welcome.
[00:01:02] Speaker A: Thank you, kd. Wonderful to be here. Happy, happy to be finally to get this on the schedule and do it.
[00:01:08] Speaker C: So I know we are coming towards the end of the year, so maybe share a little bit more about your thoughts. What have you sort of learned this year as you sort of reflect back now in this interview?
[00:01:18] Speaker A: Yeah, so it's a great question. I think as we look back into 2024 and I think about how we're going to transition into 2025, the big lesson that I've taken away is that systems are facing very similar challenges, but we're all dealing with it a little bit differently. And I think the challenge that I'm hearing, consistency among all the answers I get is this. How do we lower cost within our operating environment and how do we reduce complexity? And those things I've seen a lot and I've talked to just about 150 CISOs over the year and that's loud and clear. The number one thing I hear, number two thing that I hear is around artificial intelligence and what are we doing with AI, LLMs, machine learning, deep learning. But those are the two things that I think as I look that we're all facing similar challenges. We're just opting to handle them a little bit differently. And I think sharing knowledge with each other is something that we're all looking to do because these are monumental tasks that we're all facing.
[00:02:29] Speaker C: So what do you think we are doing with AI? Because I know there's a lot of hype around it. I know that companies are now focused on beyond the hype. What does this actually mean? What's your view?
[00:02:38] Speaker A: I always Answer, what is AI? Right. That's the first thing I always answer, because there's a lot of different discussions around what AI is and what are the risks around AI. And I always need to clarify how we think about this. I was just at the World Economic Forum, the security meeting in Geneva, and this was the big topic. And are we talking about models? Are we talking about business and how the business is using AI, or are we talking about what we're doing with data classification, data sensitivity, data localization, how we're protecting data? And so I think all of those topics are on the table, and depending on which conversation you're having, I think it's always good to know where you're driven. I do think, and this is something I talk regularly about is AI from a security practitioner is about data in most simple terms. And it's something we've tried to solve for 15 years around how do you protect data from leaving the organization? And so when I think about a lot of the conversations around model governance, how we're building LLMs, how are we keeping our data outside of public models? This is just another conversation I could have had 15 years ago at any of the banks that I worked at and really trying to, you know, protect data. And so that, that's a very common one. And I think it's a really good perspective to start, at least from an AI standpoint.
[00:04:15] Speaker C: Yeah, and look, that, that is a, that's a great question on what is AI and what, what does it actually mean? Do you think that now with 2025 and there's, you know, and AI has probably, and I know it's been around for a long time, I get all of that. But in terms of it being more ubiquitous in the market, probably since the end of 2022 really came into the market, and it started to take a massive turn in terms of the conversations. Do you think people are sort of embracing a little bit more and are looking at ways on how they can leverage it in their organization? Because, again, like, you can reduce a lot of heavy lifting with automating things and leveraging AI. So what is some of your key predictions then on that front?
[00:04:57] Speaker A: So, you know, when I think about 2024, I'll start with 2024. One of the things I thought would be super interesting was, you know, having some predictions around AI. And one of the predictions was that you would, you would see our first model breach. And I thought that was a little, you know, it would take some time before we saw that. I thought it would come true in 2024, and I think it was two weeks later we started to see it. And so when I think about what we're seeing from a security standpoint, it's another vulnerable vector that we should pay close attention to. What I think in 2025, you know, we're still not really using AI at this point. I always think, well, to kind of the first question, you know, well, what is AI? I think a lot of people are talking about LLMs, right? And how, how are we using LLMs? I think there's some advantages. You know, we're seeing all this copilot and you know, all these autonomous SOCs and all of these things that we think we're getting great benefits, are going to see great benefits. I don't still think we're going to see the benefits in 2025. I think it'll roll into the out years. And I think it's primarily due to the thing that I'm consistently hearing from all the CISOs, which is how do I address cost, how do I decrease complexity in my environment? And now I have this AI thing that I'm trying to do and invest and it's really forcing us into what I'll call a security transformation component of, you know, I'm a CISO and I have 50 security tools. Well, I can tell you you probably don't have the people, the resources, the dollars to be able to support it and take on new efforts with AI because the environment's just too complex. And so when I think about where we're headed from a AI standpoint, and I think it's, you know, from a cloudflare perspective versus, you know, a traditional CISO that's in a banking or reinsurance organization or retail manufacturing. It's a little bit different view because I take it from a cloudflare standpoint. We're using machine learning, we're using neural networks, you know, we're using LLMs as part of our products. You know, from a Cisco standpoint, it's a lot harder to build a data model that I can run, you know, an LLM on and gain tremendous efficiency that isn't really packaged from a vendor. Some of the large organizations have done this, I've done this in some of the large organizations I've been. But it gets to be costly from an R and D standpoint. And so one of the things I think is as we look into 2025, is this adoption of machine learning, deep learning products into our organization, that from a third party standpoint. But I also think there's risk there because we don't know what these models are doing. The fundamental component or difference between machine learning and deep learning and LLMs is that machine learning. I know exactly what you're doing and what the models are doing. I can understand feature importance, I can understand what the features look like and how they're being manipulated. Deep learning and LLMs, I don't. And I think this is going to be something, as we look at is how do we adopt models? Whose models do we adopt? Where's the data trained from? I think are going to be all key elements of 2025.
[00:08:16] Speaker C: So is it fair assumption to say companies are still in this reconnaissance phase around, like, you know, whose models they're worried about hallucinations, they're worried about what data it's being trained on. Like, are we still trying to navigate this charted territory? And it's going to take a little bit of time right before people feel comfortable on understanding exactly where they sit. Because at the moment, I think there's a lot of conversations even I can't even keep up all the conversations that are being happening at this in this space. So do you think it'll take a few years before people are comfortable with this state of play from an AI perspective?
[00:08:50] Speaker A: So I think you're right on TV on, it's going to take some time for adoption. And AI and I, I draw parallels even into the cyber security industry now. I started, you know, doing pen testing and I'll call it firewall management in the late 90s. And I think of AI as in a very similar state where the first five, six, seven, eight years of my career, you know, like, oh, you can't have to be, you know, security, you're not needing security.
And we're at the same infancy of where there aren't a lot of skills in AI. They're still being developed and with where we were 25 years from a security standpoint. And I even look at it from an advancement in technology. Even when I finished my master's, I spent three years coding Python every night. You know, the technology's gotten even more advanced. You know, there were very little LLMs back when I was doing this. And now LLMs are the big thing. And so I think you have two things is the industry's moving forward very quickly and people cannot stay on top of it. And then I think, even more importantly, from a security standpoint, how do you stay up with cybersecurity and AI? It's a tough thing. We already have a shortage of talent and skills in the cyber workforce and you know, tag data science, machine learning skills on top of it. And I think we're at a big loss here. And so I think as we look forward for this, we're going to be very dependent on vendors like Cloudflare to help protect our environments because they're going to have resources and machine learning resources that are going to be able to help. You know, I'm lucky having Dean Assisto here that I get to leverage the technology and all the things that are there. But I think it's going to be something unique as how do we learn about what AI is or what's the difference between an LLM and deep learning and machine learning and are going to be very fascinating things as we kind of venture forward in the future.
[00:10:51] Speaker C: The other thing that's interesting in terms of observation that I hear from people is people that they're saying, oh, if you don't adopt AI, like you're not going to be around. There's a lot of that. Maybe it's fear mongering, maybe there's truth to it. Like there's, you know, there's a bit in both camps, but do you then that just overwhelms people and then maybe they just do nothing as a result of it.
[00:11:09] Speaker A: You know, I did our keynote in Sydney in August when I was down there and this was the topic, this was my third topic. You know, when I talk about cost and complexity in AI, but the thing I tell people is you have to embrace it. And I do think that there are companies that don't get involved in AI, they're going to be short circuiting their capabilities in the future. And the companies that are using data and using AI. Right. Will be the ones that are more successful. And you know, that may not be in 2024, that may not be in 2025. We are seeing some fascinating organizations leveraging AI, but I think for mainstream organizations, we're still learning through this. And so what I tell every security practitioner is something that has to be near and dear to what we're doing. You know, partnering with the business, helping drive the business from an AI, thinking about the risks that we're facing and that will help us get through it. You know, I think when we ask, you know, if the business wants to do this and we say no, I think that's a problem, right? Like how do we enable the business to move forward in a secure AI model? There's a lot of the practices, you know, just thinking about open source, you know, models, LLMs that we already know how to manage. We don't always think about it that way, but it's the same way we've been managing open source today. We just aren't thinking about that. And so I think it's something that CISO security leaders have to do is embrace AI, help the business move it forward, and not be scared of it.
[00:12:42] Speaker C: Do you think people say no because they don't understand it? And there's also so many different opinions and thoughts and, you know, there's still people out there saying, you know, we're not going to have any jobs left. Like, there's, you know, there's so many varying opinions that perhaps that clouds their judgment. And then they're like, oh, no, I don't want to go down that path. You think there's a bit of that in there?
[00:13:00] Speaker A: I think there's always that in cybersecurity that there's a little bit of no because we don't understand what it is. And I think this is a point of inflection because I do think in the next five years, we're going to see major advancements. I'm a six year old and I think about, I think about this every day. Like, what is the job force going to look like when he comes out in 15, you know, 17 years from, you know, the university? What does that look like in an AI world? And so I think that this is something, and this, this is why I went and did a full master's program in AI is because I didn't understand it and it did scare me, right? It's okay to be scared of something. And cybersecurity is hard enough as it is that I got to learn AI and how do I think about AI risks and what are they doing with my data? And these are all things we're going to just have to head down and learn, and that's going to help us get through it. The systems that always say no and aren't embracing what the businesses are doing should go extinct. Right? There are a lot of people that have a lot of ambition, curiosity to learn this. And if you don't know it, you know, that may be part of the journey you're on with the organization, to learn and experiment on things that will help the business move forward. And that's the opportunity that I hear in every kind of CISO forum is, well, how do we become on par with a cio, how do we report to the CEO because security is important, or how do I appears with the cto and what sort of my reporting structure we get hung up on that stuff. But I think it demonstrates, like, especially AI, that if we want to be business leaders and lead an organization forward, this is an opportunity for us to deal with AI and show the value of what CISOs can do.
[00:14:54] Speaker C: So I want to switch gears now and I want to talk about future proofing security in an uncertain economy. Now, people are going to have different versions of what their definition of an uncertain economy is, but I'm curious to know, how do you see it? Talk me through your thinking here.
[00:15:11] Speaker A: When I think about future proofing security and how do we think about this, the thing that always comes to my mind is like, we have to simplify this. This is the first year I've seen CISOs unanimously say things are too complicated in my environment. I worked on some major breaches this year that, that I, I got lucky to kind of be tasked and asked for help. And I've dug into a couple of these and unanimously, every single one of them is, I don't understand how your network works. I don't understand what your security posture is. Things are so complicated with multiple endpoints, multiple firewalls, multiple 25 different egress ingress points, that the only way that I think from a future proof is really to simplify what it looks like. And so this was something that I was on a panel in the World Economic Forum about this. It's, we have to go through a security transformation and we have to be part of the business as we move forward, because business is making transformation. But if I think about 10 years of systems, the last 20 years, we fought product after product after product after product, and it's not working. We've seen more breaches over the years. You know, the adding more products is not a good idea because what ultimately ever happens every single time is you buy a product because it's supposed to protect us, but we never configured it, enabled it, set it up right. And I think this is, when I think about this is, you know, to get to a spot where we can be nimble and future proof our security to even start thinking about how do we do detection at scale, how do we do validation and posture at scale? We have to have a simplified environment that we can control.
[00:17:04] Speaker C: That's a good observation because I think when you were speaking, what was coming to my mind is so many people have gone out and just bought these point solutions, right? And then to your point, haven't configured it, haven't done this is, you know, lack of interoperability. So do you think that now people are probably seeing the complexity and they're now trying to find a way to reduce that, reduce the tooling. I mean, I would say the main undertone a lot of the interviews at the moment is this, we got to reduce tooling, we've got to consolidate, we got to do all of these things. But how do people do that so things aren't going by the wayside because, like, oh, we just removed something that we probably shouldn't have and then keeping the lights on. How do you find that equilibrium from your experience, Grant?
[00:17:44] Speaker A: You know, the one thing we see, I see this with every customer and I get involved with a lot of customers that ask me this exact same question of I have all these priorities. The business is saying, you know, AI, and we have all these complicated regulations, you know, but I got five web application firewalls, like, how do I think about transformation with this? And so priority is I got to, you know, I got to help the business move forward. Which is the right answer. But I also, I think we have to stop and think, like, are we going to be able to transform the business? There was a big organization in Australia that we just wanted the deal and it was around how Cloudflare can help streamline DevOps to be able to get it at the speed that the organization wants. Because we can shift left, use all the buzzwords, everything's in Terraform. Because we were the only vendor that could do that. When I think about these things, we gotta be thinking about our own business, right? We need to help the business, but we have to transform it. And I'll use, I mean, I'll give you a little inside ball. Even with us, like, we've switched our iep. That is tough. We did it in eight weeks. We switched our IBP in eight weeks. We swapped our entire EDR platform and we just swapped our siem. We did that all this year. And, you know, we're under 10 tools for Cloudflare because I'm focused on how do we modernize our architecture, how do I build immutable infrastructure into our edge network? And when I think about these things, these are tough decisions. Is there any value in me swapping out an IDP other than from a supply chain risk? That's the biggest one because I'm hosting it ourselves. And I think from this perspective, I feel a lot better with the simplicity that we've created then that can enable our business to go forward. And I think that's something that I think we have to be conscious in our transformation budgets. We have to be honest with ourselves and really put in a, you know, kind of an architecture view of how do I want this network to look like? Because I mean, for us, for a lot of people that have been in this business 20 years, 30 years, 30 years ago, networks were all over the place. We had NAT problems, rodeo, L2 and L3 problems, and we just inherited it, never really fixed it. And now we're kind of stuck in this spot of the business wants to go faster, we want to use AI, but we just don't have control of our existing environment. And I think my biggest worry with AI is just that the confidential data gets in the public models and secondary like, well, our data protection's never been good from a world perspective. And so how are we going to do this? We get our fundamental controls in place.
[00:20:40] Speaker C: Another thing that's come up in my interviews as well as platformization. So everything you just said, would you say that there's a shift more now towards platformization to, you know, reduce the complexity, make things a little bit more simple, etc.
[00:20:52] Speaker A: Marketing has caught on to that, right? Like everything's become a platform. I talk a lot about this at Cloudflare because, you know, we standardize on a couple of vendors and leverage them. But just because I pick a company, company A and you know, they're marketing as a platform, that doesn't mean that they got five different operating systems and five different interfaces because they've rolled up a bunch of companies and now I got basically a platform of M and A activity. And so I think you got to be careful of what a platform is in a kind of marketing standpoint. And this is one of the things I talk and one of the primary reasons I came to Cloudflare because I was so impressed that every piece of software runs on every server and every data center and controlled through one interface. That's a platform and that's something you can get behind. But I think what I worry about, you know, the question you asked me is, well, should we think about platforms or technology? Yes, we absolutely should be. But don't be fooled by company A. GOT has done seven roll ups or seven acquisitions and now I have this big mass of stuff that doesn't integrate in different interfaces. And it's made it more complex because company A is trying to invest into integration of these products and it's really hard to do that. So I think that's the gotcha because marketing is something that we see all the time. It looks good and then we look under the hood and say, well, this product has you know, all of these things. But then it's like you got three interfaces and three agents and we've just created one, one purchase order. But we still have this complexity issue that we're facing.
[00:22:41] Speaker C: So just to extend on this a little bit more, cause this is interesting. So as you would know, it started off with companies outsourced to, you know, IBM and friends back in the day. Then we saw a wave with point solutions. Now people are saying we were going to reduce things, we want to do platformization.
So what I'm also hearing from people I'm keen to get your thoughts is, well they're like, well yes, since certain incidents have happened this year, people are now worried about, well I don't put all my eggs in one basket because now that's a risk. So how do you manage trying to reduce risk, ensure that you've got uptime, not complicating things, making sure things are integrated, things are talking to one another and trying to reduce your cost.
[00:23:21] Speaker A: It's a good factor. And this is something, this is another one I think is you're right on point and you say, well do I want best to breed, right or what do I want to look at it? My personal belief on this, right, is you got to manage costs, so how do you aggregate vendors? You got to reduce complexity. I mean at a minimum you have to know what goes in and out of your organization. And then I think you have this best of breed thing. And I always think if looking at an architect, and sometimes I think what I am as a CISO is a little bit of a, kind of an enterprise architect. As I think about how do I piecemeal this thing together in an aggregate view. That makes sense. And so just because let's pick on, use us as an example, hey, we're going to use Cloudflare, we're going to put your zero trust in, we're going to put your web application firewalls and API protection and all the lead offs. Well, you've over pivoted on you. And what I would say is there's a lot of endpoint solutions, right? So now you have, you know, you could pick a CrowdStrike, a Sentinel one, a Microsoft, just to name a few, you know, in conjunction with Crowdfund. Now you go down this path of well I need a vulnerability scanner. Pick one of the big three or four vulnerability scanners, not even in your ivp. And so when you start to piecemeal these all together, well now we need a token, right? And so you're down this Path. And when I look at this, even in a simplified environment, you're still eight to 12 vendors that you're reliant on. And I had been a big believer in almost every organization that I've ever been in. I go in and I start checking endpoint configurations, and they're always 100% of the time configured wrong. We never actually leveraged it. And so I think the more technology that you put in, the bigger the chance on misconfiguration is keeping it simple, configuring it right is the best option. Because I think if you can, you have a good, you know, zero trust deployment, you have a good IDP deployment with msa, right. And good governance around access controls. You have a good endpoint deployment or, you know, or Internet provider graph protection, you're in good shape. But I think you got to make sure that you understand the control and the posture that you have. And so that if something fails, you still have another level of protection that is independent of just one vendor.
[00:25:50] Speaker C: And I guess 12 is better than like 150. I heard tools, people, some companies have some enterprises, which is a lot. So I guess even going from 150 down to 12 is still a massive reduction. But then as you were talking, what I, and this is what was coming my mind in terms of an analogy is like, okay, we've got a problem now we got to find another point solution. We keep buying that, keep buying that. I don't know, sometimes if you've been to someone's renovated house, you know, that just keep extending on a room because it just doesn't look good. And you know that it wasn't engineered at the beginning to have this house. So do you think that now we're at this point in security or it more broadly, it's like, okay, we've got all these things that are added on, and now we really have to like, knock. Tear down the house and sort of start, you know, proverbially tear down the house and start again to make things make sense. Because they just kept adding on because new problems would start to emerge. And I, I don't blame the industry. It's just an observation.
[00:26:45] Speaker A: You're right on, on this point. I think as people buy houses, you're like, well, that kitchen's beautiful. But then you're like, oh, that dining room. And they're like, that doesn't even make sense in the house. Or, you know, the bedroom is, you know, from 30 years old, because, you know, and then when you take a step back and you look at this house. And this doesn't even make sense. Right. It made sense 30 years ago, 20 years ago, 10 years ago, but not today. And I think this is the point I make is you're at a point solution. I mean, I always think, you know, I watched and I was a big believer in McAfee 20 years ago when Dave DeWalt was, you know, he had the antivirus and then he bought Intercept and inter shield and he was buying all these amazing tools and integrating them. And you know, I'm just buying this stuff like it was cookies and it seemed like it was the right thing to do. Now 20 years ago there wasn't a lot of options, but now, you know, some of that infrastructure still lives. And so I hear this all the time, like I can't replace, you know, when I, when you know, we really want to use soundflow, but I can't replace our existing vendor because it's too complicated. That's the point that you have to change. You can't let a vendor hold you back from your security posture because you're worried about the change. Yeah, you know, when you, you reho your kitchen or you know, you build a house, then yeah, it's going to be a very stressful thing but at the end of the day you're going to be ecstatic with it and you're going to see what modern technology can bring you. And I think this is stuff that we have been as an industry gun shy of doing. You know, it's hard to replace your endpoint, it's hard to replace your WAF, it's hard to replace your IDP. So we've continually invested in technology that's 20 years old when there's a lot better stuff that's out there that will seamlessly integrate, make your life easier and you're going to be in a lot better spot. You know, the other thing I'll say about this is, and I see this with my team, they get excited about doing new technology. And every organization, if there's like an urgent project with something I think every organization does very well, there's an urgent project where we need to rally around something and do a kick ass job. It always goes well. I could have swapped our EDR platform, our SIN platform and our IDP all in 12 months if I didn't have a team that was excited about this. And you know, you're using the technology or new these new things and we're in a much better spot for where this goes. And I just think this is something the security industry is scared of because it might break something. Well, if it breaks something, work with change windows, you know, work with the IT organization, work with the business, work with the engineering teams. There's some brilliantly smart people out there that can do this and we just never given them the chance. And I think when you get out at the end of the day, if you've got a house that complete rehab, it's a lot of work. But when you get done with it and you have this beautiful new house that has the right chi in it, you're in a good spot. And I think this is something we need to do is clean up our house so that we can focus and enable the business to move forward.
[00:29:54] Speaker C: So I want to move forward. Now on to an interesting topic. Now people can obviously machiming detect that you're from the U.S. now there was an election this year as you know, so I'm curious to sort of get your view grant on how do you sort of see global events like US election impact cybersecurity. I think that sort of is going back into know the economy question as well. Like I'm just want to get a little bit your lay of the land.
[00:30:20] Speaker A: Yeah. You know, this is something I'm very proud to be part of Cloudflare with and I, I, I, you know, I think about you know, just the election. You probably could tell that I, I'm not from Australia and I have a US accent and we've protected and, and you know, or protecting over 400 different election websites with our project Athenia. We protect these major events and you know, I think everybody in the U. S if you go back, it's almost a month, a month ago when we had the election, everybody was worried about cybersecurity, everybody was worried about what would happen in the election and the tampering and you know, nothing happened. And I think this is kudos to the government. You know, spending time, and this is all governments, right. Spending time thinking about this. You know, we're offering free services to protect because we want, you know, a free Internet. We want to be able to make the Internet a better place. That's the mission of Cloudflare and I think it's something that we need to pay close attention to. I'll even talk about, you know, the Olympics. We, you know, we, we had a big say in what goes on with the Paris Olympics and we didn't see anything from a cyber attack. And you know, as you look at this, these major world events are major targets and, and whether it's you know, somebody wants to disrupt operations, they want to do something. You know, there's always cyber warfare included. And it's something we all have to pay attention to because it's just too easy to disrupt operation from a cyber standpoint if people aren't paying attention. And it's easy, it's super easy to make a mistake for these major events that, you know, they're focused on bringing millions of people or millions of viewers or billions of viewers into these sites that they're just not used to this and this is something that we've tried to really do is you need help, we'll help you, right? Like that's, you know, we're doing it for free, right? Like this is the best charity work that we can do. And it was something we've talked with the government in Australia and many non for profits of. You know, if the organizations that need help, like we have this Project G for non for profit organizations that get attacked because they may be controversial, but they're needed in the world. And these are things that I think are important for, you know, humanity to keep protected.
[00:32:51] Speaker C: Do you think as well? Because, like example, US election is just so high profile, right? Like, it's the most high profile election like in the world. Like, I don't even watch the Australian election, but I watch the US one. So do you think that maybe people get absorbed into that, like you said with the Olympics, like people get absorbed into that and then they sort of lose focus for a little bit?
[00:33:09] Speaker A: I think with the election, you know, it was so polarizing here with all of the things that had happened and you know, whether you were Republican or Democratic, whether you were for Trump or whether you were for Biden or Kamala. And it was very polarizing and people were worried, you know, about what was this election going to be close and, you know, is there going to be fake balloting? And even from a conflict perspective, like I was so proud to be part of protecting the elections and there was not a bleep of anything, right? We saw DOS attacks, we saw DDoS attacks, but we mitigate them just like we do in real time. And I think there were even some speculation that, you know, websites might be defaced and would distract from, you know, an election win. Nothing. Right? And I just think that was, you know, that was a win for cybersecurity, that was a win for democracy. I never thought would happen because, you know, you. It was the daily topic, you know, even on Zoom and Teams and Google Meet, it was a daily topic about the election and what we were seeing and, and you people were very sensitive and you just watch, you know, what happened to where we are today. It was non cyber related. And I think, you know, even the US government learned over the last eight years how to protect the ballots. You know, we got, they got help from companies like Cloudflare to protect and it turned out to be a very, you know, good situation. And, and whether it's in the us, whether it's in Australia, whether it's in Europe, these are things I think are important is to protect the sensitive matters, these sensitive events. Because, you know, one inclination of a cyber attack in any, you know, election will cause, you know, chaos. And I just, you know, I was proud to watch this and proud that it was a non event, which was pretty cool.
[00:35:11] Speaker C: So where do you think we go from here now as an industry? We discussed obviously, you know, the election, the us, the landscape, the consolidation, how people are moving towards leveraging AI and embracing it. What do you think happens now, Grant?
[00:35:23] Speaker A: Yeah, I think all these things that we've talked about is really where we have to focus right as we go from an industry. Like we really have to play catch up, like in, in simple terms. And so we talk about modern, you know, security modernization, we talk about reducing complexity. And why I say this is, I, I wrote an article that talked about the difference and the gap of where the world is going and where we are as a security industry at least 15 years. And, and you know, the thing I always think about this is, you know, I'm thinking about AI, how we're using LLMs to parse data, how are we thinking about using machine learning and deep learning and true artificial intelligence to get better autonomous, as I quote it, security operations and detection, that stuff. I'm thinking about three years, five years, yet every security operations. Everybody listening to your podcast is still trying to collect data into their SIEM and still trying to collect the logs into the SIN, which is the same thing I was doing in 2010, in 2005. And so I think as an industry, we really have to think about this is how do we move the needle quick AI is going to outpace us. How do we start to leverage AI, how do we modernize our infrastructure? But if we can't even capture our server logs, our Linux logs, our router logs, we're never going to get there.
I think this is this kind of view of we need to play catch up, we need to think about how to modernize our architecture and move forward from an industry. So I think that's one big component. The other one I think highly of is how do we continually build and develop talent. I don't think there's a lot of surveys on this one. There's a shortage of people wanting to get into cyber, or there's a shortage of jobs. I think we could fill every job in cybersecurity tomorrow if we wanted to, but they don't have the skills. And so I watch it for every job I post. We have between thousand and five thousand applicants, and there are people that want jobs, but we don't think they have the experience. And so I think this other big component is how do we think outside of the box where we can actually develop people. And I often think some of the early in career people are the best because they work, they work hard, they learn, and we're not even giving them a chance. And so I think this is something of how do we do this? And I talk to my team about this every day and it's like, well, no, I have to have somebody with five years experience, I have to have somebody with 10 years experience. I'm like, Cloudflare can hire the best people in the world, and we get, you know, that's, that's an advantage. But when I worked at our company, I couldn't hire the best people in the world, and I invested into early and career people, and it was successful.
[00:38:26] Speaker C: So, Grant, do you have any sort of closing comments or final thoughts you'd like to leave our audience with today?
[00:38:31] Speaker A: I think the first thing I think is have the courage to make the change, right? Like this is something we see in every organization is have the courage to make big changes, take chances, and trust your people, right? So I think as we talk about this, we know we have a cost problem, we know we have a complexity problem, we know AI is a good or bad thing based on our perspective, and we know that we have to embrace it. And so, you know, trust your teams, trust your people. I've seen amazing results from people when you empower them and challenge them to do major things and so use that superpower that I think cybersecurity people have to make those big changes your organization has and explain we have to do these things to go faster, right? And so I think as we look at this, we have to modernize our portfolio to be able to catch up to 2024, 2025 technology, when you really should be thinking about 2030. So I think that's something that I always encourage because we're often scared by these changes and the what if scenarios because that's what we do. We what if everything as cyber professionals. Trust our people and let them show all of us how solid they are.
[00:39:57] Speaker B: This is KBCast, the voice of Cyber.
[00:40:01] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
[00:40:09] Speaker B: This episode is brought to you by MercSec. Your smarter route to security talent MercSec's executive search has helped enterprise organizations find the right people from around the world since2012. Their on demand Talent acquisition team helps startups and midsized businesses scale faster and more efficiently. Find out
[email protected] today.
