Cloud Security Today
The Cloud Security Today podcast features expert commentary and personal stories on the “how” side of cloud security. This is not a news program but rather a podcast that focuses on the practical side of launching a cloud security program, implementing DevSecOps, and understanding the threats most impacting the cloud today.
Matt joins a startup
This episode of the Cloud Security Today podcast is a little different from the others because this time host Matthew Chiodi gives the interviewer’s seat over to Yousuf Khan and they talk about an exciting new development in Matt’s career.
Matt announces a big career move and talks about how he’s hoping to fix some of the biggest problems in SaaS security today. He tells Yousuf about his new role and the fresh approach that his new company is bringing to the field. At the end of the episode, they discuss working in a start-up environment and give advice to anyone considering working in a start-up.
If you enjoyed this episode, subscribe, or follow Cloud Security Today wherever you get your podcasts.
Timestamps
[0:28] Matt introduces the topic for today’s episode
[1:50] Exciting news from Matt about his latest career move
[5:10] Matt explains one of the biggest challenges in app security today
[7:25] How have we managed app security up to now?
[9:20] So how does Cerby work?
[11:32] Matt’s new role at Cerby and an outline of his first few months
[12:50] Why Matt likes working in a start-up environment
[14:05] How Matt became interested in Cerby
[16:20] What’s next for Cerby?
[18:10] The advice that Matt would give to anyone looking to join a start-up
[20:40] Yousuf adds his thoughts about working for a start-up
Episode Links
Ridge Ventures
Yousuf Khan's LinkedIn Profile
Cerby's website
Matt's LinkedIn Profile
**NOTE: Generated via ML. Expect crazy stuff to be translated by an imperfect algorithm that may have never actually been said by the host or guest :-)**
Narrator (00:02):
This is The Cloud Security Today Podcast where leaders learn how to get cloud security done. And now your host Matt Chiodi.
Matt Chiodi (00:15):
So this is the first special edition or special release of the Cloud Security Today podcast, and I might end up doing a few more of these outside of the normal monthly cadence. And today's episode is a little bit special; I am actually going to be interviewed by Yousuf Khan. He is a partner at Ridge Ventures, a leading venture capital firm in Silicon Valley. And in this episode, I reveal some big news in terms of what I am doing next from a career perspective. So I won't spill the beans, but I will let you listen to the interview with myself and Yousuf Khan. I hope you enjoy it.
Yousuf Khan (00:59):
Matt Chiodi, well, well, well, here we are, Mr. I worked at eBay as a Security Architect. You then did consulting, you worked for a big pro services company, then you joined a startup that got acquired as I understood it, is that correct?
Matt Chiodi (01:17):
That's right, RedLock.
Yousuf Khan (01:18):
Then you decided, you know what, I've had enough, I'm just going to go and probably do something super light. So of course in your perseverance in building great companies and picking the right solutions, you went off and joined arguably one of the leading cyber security companies on the planet; that is Palo Alto Networks.
Matt Chiodi (01:41):
I did.
Yousuf Khan (01:42):
What in the world are you doing now?
Matt Chiodi (01:46):
We'll officially announce it to the world, I did leave Palo Alto Networks at the end of February of 22, and I joined a small cyber security start-up called Cerby. And what Cerby does is Cerby delivers zero-trust architecture for unmanageable applications like Twitter, Facebook, and literally thousands of other apps that don't support security standards like single sign-on and SCIM.
(02:18):
And basically, what people are doing, they're using the Cerby platform to empower their end-users to register their own unmanageable applications. And it takes the burden off IT and security, and then in the background, Cerby automatically corrects some of the most common security lapses.
Yousuf Khan (02:36):
Okay, so clearly an underachiever, because heaven forbid you're ever going to be thoughtful about going into thinking about companies. Look, let's get serious, the reality is you've been advised at a bunch of security start-ups, and you've seen a ton of security companies, small, medium, and large pitch to you as a customer.
(02:59):
Heaven forbid, rumor has it that even some VCs reached out to you and said, "Hey, how about you come on board and try and tell us a little bit about our cyber security investing strategy." But you decided to basically pick Cerby, so I guess the question that everybody's asking is, why?
Matt Chiodi (03:18):
That's a great question, and I thought a lot about it too, there is really a massive gap between what identity providers and enterprise password managers provide. And that has just created a massive attack surface in most organizations, large, medium, and small. So this isn't something that's just unique to kind of the large enterprise.
Yousuf Khan (03:43):
Well, before we go into it, let's be clear, in order to basically manage or try to manage identity on these what you term as unmanageable apps, really the solution is basically being, Hey you tell users, could you please do us all a favor. A message from the security and IT team is a user password manager, I don't write stuff down and we'll roll things out for you to be able to do. And it's therefore if I'm not mistaken up to them to then say, "Oh, there's that little icon on my Chrome browser, what was that about?" The guy has to basically do that, and then they have to basically get reminders, but you're not actually managing the app, are you?
(04:30):
If you think about it, you're actually just saying, hey, this is kind of as best an effort as you can with an app that you basically have that we haven't been able to bring in which doesn't integrate with our identity management solution. Is this the approach that you've seen with enterprises, am I reading that correctly?
Matt Chiodi (04:48):
You are, that's typically what it is, if the application supports common identity standards like SSO and SCIM, they'll plug it into an Okta or an Azure AD. And that full application life cycle, it works, it works great, but the challenge is that the majority of what we're calling unmanageable applications, in the past, it might have been called shadow IT, the vast majority of them don't support SAML for SSO or SCIM for provisioning and de-provisioning.
(05:21):
And Yousuf, we did some internal research, kind of trying to put some numbers around just what's missing in the vast majority of apps that are out there. So everyone's familiar with like the ServiceNows, the Salesforces, the Microsoft 365s. Those platforms have a tremendous amount of security capabilities that are built into them natively, but once you go outside of those, what I would call tier-one SaaS applications, it starts to drop off drastically.
(05:51):
So we found that 42% of those apps don't support two-factor authentication, 61% don't support single sign-on, and 85% have coarse role-based access control. So as you kind of go toward the tail of those types of SaaS applications, they don't have the security features that most security teams and IT teams require.
Yousuf Khan (06:16):
Let's make sure we're clear about this, you've got shadow IT, which is basically a bunch of, with all due respect, a lot of our fellow employees and enterprises, when I was a CIO at (Inaudible 6:29) companies, they would basically be taking in applications swiping on a credit card and being able to use them for business purposes. Let's agree on that, some of those applications decided that they wanted to go to the Okta ecosystem or an identity player.
(06:45):
Most found it super hard, they did not choose to do so just in the nature of terms of their architecture, how they were basically building the app, but then there's a whole bunch of applications that are not really shadow IT, they're just unmanageable, right?
Matt Chiodi (06:57):
That's right.
Yousuf Khan (07:00):
Well, you've mentioned some of the big ones, some of the biggest technology companies in the world, right? So Facebook Meta of course, then, you've got Twitter there as well. These are all critical for marketing teams and enterprises to be able to market. So what has been the traditional way of managing applications or at least security identity for those applications? And then how does Cerby look to basically solve that?
Matt Chiodi (07:24):
That's a great question, probably the best example to think about it is, like Twitter, most companies have several Twitter accounts that they manage. But, because Twitter was designed to be one user, one account, this is a challenge for companies that usually have dozens of employees and third-party agencies that need access to those accounts. So typically what they do is they have to share the password and turn two-factor authentication off, that's where the risk starts to increase dramatically.
Yousuf Khan (07:56):
In the background noise was a gasp by the IT and security community going absolutely nuts.
Matt Chiodi (08:03):
That's right.
Yousuf Khan (08:04):
I just want to be clear; the context is that Matt Chiodi, a professional CISO is saying share passwords. No, I'm just joking, in the full context of is you're saying that they've been sharing those passwords, that's fair.
Matt Chiodi (08:16):
Absolutely, they've been sharing those passwords, and from what we've seen is that typically those passwords are shared in spreadsheets. If they're fancy they'll use a Google sheet and they'll have multiple people accessing it. And that might work, even though it's insecure, it might work when your teams are small, but when you start looking at third parties that need access to those kinds of social accounts, that's when things get messy.
(08:39):
Because even though you may be managing the password in a password manager, what happens when someone leaves the company, right? They walk out the doors and they still have access, so there is a major brand risk, especially when it comes to the social types of apps. And that's typically how it's been managed in the past because again, those platforms don't support common identity standards.
Yousuf Khan (09:03):
Got it, tell us a little bit about the functionality, I'm an IT administrator, like I used to be back in the day. I'm an Okta admin, I've been an Okta customer, I've been a customer of single sign-on solutions, how do I deploy Cerby?
Matt Chiodi (09:19):
Yes, that's a great question, Cerby is SaaS, and the way we work is we have a plugin that works in any browser and it works on mobile. And so what we've typically seen is in terms of setting it up, usually, most organizations can start to get value in probably less than an hour. It's very, very light, one thing that I've seen in my 22 years of doing cyber security as a hands-on practitioner, being a CISO, most cyber security tools are extremely operationally heavy. You could look at the price tag and say, okay, it costs X, but you have to factor in 30, 40% over that for trying to operationalize the tool. So again, Cerby is SaaS, the only thing that you have to deploy is an agent, or rather not an agent but a plugin in the browser.
Matt Chiodi (10:11):
And from that, we take care of everything, if you have an identity provider like an Okta or an Azure AD, we've got those integrations. And then from there, what you do is once that plugin is deployed, your users can start registering their own apps. And if they're supported today in Cerby, you can go in if you're an IT or a security administrator, or even if you're somebody in marketing.
(10:34):
Cerby will automatically go in and start to enforce good security policies. For example, you can enforce a password complexity requirement, Cerby will automatically rotate passwords, and we can manage the two-factor codes. And that's one of the other things we see, and it's interesting enough, especially with marketing teams when it comes to paid social, in the past before they were using Cerby, they had to either use spreadsheets or password managers. But when it came to the two-factor code, they maybe had a corporate phone and they had to physically pass the phone around or quickly try to paste the code, the two-factor code in before it expired. And a lot of times they just turned it off, so we manage all of that.
Yousuf Khan (11:15):
Shared phone, share passwords.
Matt Chiodi (11:16):
Shared phone, shared password, it's a nightmare.
Yousuf Khan (11:20):
Exactly, completely, okay, let's move much more in terms of you moving into Cerby, tell us a little bit about what you are going to be focusing on. What is your title?
Matt Chiodi (11:33):
So my title is Chief Trust Officer and my role actually has a couple of different components to it. So security and privacy certainly are part of that, but it's also how we talk about our capabilities. So much of what I've seen in the industry is lots of promises, but very, very few good solutions, so my job is to make sure that we're building trust with our customers and make sure that it's embedded into every aspect of what we do.
(12:05):
So I look at the role in kind of different horizons, for the first few months, I'll be working with our customers to deeply understand their challenges around unmanageable applications. And because of again, how close we sit to the end-user, sitting right as a plugin on the browser; we want to make sure that everything we bring to market continues to be beautiful in terms of the UI, but that we also remain laser-focused on listening to our customers.
Yousuf Khan (12:33):
This is your second time doing this, it's not like you've gone from a very, very big corporate job, and you're like, "Oh my God, the travails of a start-up!" Like, how do I basically navigate through everything from expenses to onboarding to ITU, you did this previously, is that a fair assumption?
Matt Chiodi (12:52):
I did, before I came into the start-up world, I was always in Fortune 500 companies. In fact, before I joined RedLock, which was my last start-up, I was actually at Cognizant, and Cognizant at the time had, I think, 260,000 employees; it's just a massive company. And what I've learned about myself over the last, I'd say four to six years is that I am more of a builder than an operator.
(13:17):
And I love the semi-unstructured nature of start-ups and how everything is just every day, it's like something new. And you can have that occasionally in Fortune 500 big companies, but it's in my experience just much rarer; in a start-up, it's new every day. There's always something new, and if you ever have to ask the question, "Hey, who's working on this?" The answer is you, you're working on it.
Yousuf Khan (13:45):
Look, there's no shortage of start-ups out there, and I found investing in early stages it's a bet on the team. How do you connect with the team? What is that conversation basically been like in the early days when you actually met with them; I would love to hear a little bit more depth there.
Matt Chiodi (14:05):
Absolutely, you mentioned that I was previously at a start-up called RedLock, I focused on cloud security. And we were acquired by Palo Alto Networks; I think it was back in 2018. So I was there for almost four years and I think it was probably about 18 months into my time at Palo, where I started to get a little bit of an itch, I was like, "Man, I miss being in a start-up, I miss advising startups." And so I reached out to one of our VCs from RedLock, and I just had a conversation, I kept the conversation going and I was just like, look, I would love to chat with some of, your portfolio companies. And he said, "What are you looking to do?" We talked, and he said, "Oh, let me get back to you."
Matt Chiodi (14:46):
So two weeks went by and he sent me a note and he said, "Hey, I want you to talk to this guy over here." And I did, I was chatting with Bismarck Lepe, who is the brother of the founder of Cerby. And I was talking to Bismarck and after about a half-hour, he's like, "You know what? I think you should talk to my brother; he's starting this new cyber security start-up. They're going to do things differently; you should talk to my brother Bell." And I was like, okay, and I did. And at the time, this is going back to early or mid-2020 and he was explaining to me what they were attempting to do around addressing unmanageable applications.
(15:25):
And to be honest, at the time I thought that's a pretty novel approach, no one's tried that before, let's keep talking. So we did, and I came on the board as an advisor back in August of 2020, and it was still just an idea. There was no MVP, right. And since that time they've launched an MVP, they've brought on more than a dozen design partners, and have several paying customers. So they've done a lot, they have made a massive amount of progress over the last 18-24 months.
Yousuf Khan (15:55):
That's fantastic, it's clear that you're a great fit for the company, you've been able to both have the experience at a start-up doing a similar role. And of course now basically operated at a large scale, both in consulting customer-facing roles, as well as large operational roles, et cetera. So what's next for the company? What does the time ahead look like for you?
Matt Chiodi (16:19):
As I mentioned at the beginning, when Cerby started out, the challenge that they were specifically trying to solve was around marketing applications, kind of those apps that you see in the MarTech stack. So think of like the MailChimps and all those types of apps, that's where they started. And they started here because the brand risk that social media apps bring is massive, and unfortunately a lot of times it's not even on the radar of a lot of cyber teams.
(16:47):
One thing I saw was looking at IBM found that it takes four years and tens of millions in lost revenue, and around just over $8 million in direct costs for a brand to recover. So while Cerby started with social, we're now pivoting to financial apps and others like them that don't support common identity standards. And there really is a much greater number of apps, again, that don't support those common identity standards than those that do. We're talking just a massive number of apps that are out there, and this is a problem that every organization has small, medium, and large.
Yousuf Khan (17:28):
Well, Matt, you've got a fantastic background and fantastic experience and of course, a great story as well in terms of how you've seen both the cyber security industry evolve and how customers are served. I get this question quite often where people ask the question like, hey, there's a lot happening in the tech space, there was over 300 billion invested in the early stage start-ups in the last year or so. And that will continue new generational transformative companies like Cerby will continue to basically be built and start to dominate the industry. A lot of excitement about it, what advice would you give to people who are thinking about making the same transition?
Matt Chiodi (18:10):
Yes, first off, I would say that if you're interested or you're thinking about joining a start-up, the first thing that they'll need to realize is that you likely won't be siloed in terms of what you're doing, right. So if it's a true start-up, 50 people or less, you're going to be doing a little bit of everything. So first off, if that doesn't appeal to you, you want to be a specialist that just focuses on one little area, then a start-up may not be the best path for you. The second thing is like you've said Yousuf, there has been a ton of money that has gone into start-ups, which means that there's going to be a lot of start-ups and not many of them are going to survive. The last number I saw was, I think like 90% of start-ups fail and 10% of them fail just in the first year.
Matt Chiodi (18:56):
So what I'd tell people to do is, if you're a cyber-practitioner, think about the challenges that you deal with on a daily basis, like what's a major source of stress. Make a list and then go and see what companies are trying to tackle those issues, that's like kind of your interest list, those are those things you're passionate about. The next thing I would do is if you've found maybe two or three companies that you're like, ah, they could be interesting, make sure you study the founding team. And founders come in all shapes and sizes, I've met a lot of them over the years, being an advisor, working with them, and using their technology. It's important to know what they are passionate about, see what they've written, and what they're writing about, and make sure that it really aligns with your values.
Matt Chiodi (19:42):
The other thing I encourage people to do is, look at the company's page, usually, depending on if they're out of stealth, they will put down, here are our advisors. Reach out to their advisors on LinkedIn, do your due diligence, and talk about them as much as possible. And the other thing is I've talked to quite a number of people and they think that "Hey, I'm going to join a start-up, and I'm going to get rich," and certainly that's a possibility, but the probability is actually pretty low.
(20:12):
So if that's your main goal of joining a start-up is, "Hey, I want to try to get rich," I would tell you that that's probably not the best idea given some of the failure numbers. So for me, joining a start-up has always been about the learning experience and growth, because I knew I would not get that anywhere else. So those are some of the things I would say to look at and consider before joining a start-up. What about Yousuf, you obviously do invest in start-ups, what are some of the words of advice you would give?
Yousuf Khan (20:41):
Yes, it would be along similar lines, I had to make the transition from CIO to VC. And I think the critical thing that I agree with you on is number one is, with the intention, it needs to be in alignment either with the founders or with the product offering from your own vantage point as a former operator, and ideally both. And I think that makes a tremendous bit of difference. I think the second piece is, yes, sometimes you have to be out of your comfort zone, I think that's a way for you to be able to challenge and grow both professionally and personally. And I think those are things to sort of think about, and know, and probably the third thing I would say is, know that companies are built over the longer term and if you're optimizing for economic benefits, that will actually be a byproduct of the effort, not the effort itself.
Yousuf Khan (21:30):
And so kind of focus from that standpoint, I think if you definitively think about doing the best work in your career, in building up a company and building up the product from the ground up and serving customers from the ground up definitively successful follow. So that's kind of my advice, and look, you've had a fantastic background story, you could have worked with tons of start-ups. You could have been able to do it super easily in multiple ways, and that shows great testament to both you, in terms of your character, but also validation to Cerby as well for them to be choosing (Inaudible 22:04) as a solution. So great collaborating with you today and I'm looking forward to the ahead.
Matt Chiodi (22:11):
Awesome, thank you so much Yousuf.
Narrator (22:16):
Thank you for joining us for today's episode to find out more, please visit us at Cloudsecuritytoday.com.