Research shows that 80% of the users of your tools cause 8% of your security incidents. You cannot safeguard your entire business until you know who these people are. When identifying risky employees, reducing future incidents, and defending the workforce, Robert Fly is your security guy! In this episode, he sits with Matthew Stephenson to share his career path in the security space and his efforts to turn Elevate Security into an interesting company. He also discusses why security teams must understand that keeping a business productive is also one of their responsibilities.
Listen to the podcast here
Robert Fly: Pretty Fly For A Security Guy
Here in our show, we are bringing you all the top experts in the industry for a chat about anything interesting in keeping our world secure. We are very excited to welcome Robert Fly to the show. He is the Cofounder and CEO of Elevate Security, an investor, board member, and CISO across a dozen global startups, including some you may have heard of, Airtable, BigCommerce, Redlock, SafeBreach, Qualia, Cobalt, and more previous lives, a Vice President at Salesforce. He was involved with Security Engineering, Trust Labs, Trust Technology, and Product Security. Eight years at Microsoft as a Director of Product Security and not for nothing. He was once recruited for the US Men’s National Junior Soccer team as we are rolling into World Cup season. Robert, welcome to the show.
Thank you so much for having me. It’s great to be on, and I know where I sit in the priority queue based on, what would you say, 8 or 20 episodes in?
What are you talking about? We have been begging on this for months but you were like, “I got things to do. I got customers,” all the stuff where you are pouring the foundation but making sure that everything is level. It’s not about where you sit. It’s about where we sit. You have things to do.
We are here now, so we could have some fun.
One of the things that I want to do upfront. You, a very spry young startup executive type, have this impossible CV behind you. Please check him out on LinkedIn. You told me that you picked up your first Hacker Magazine at age nine. Two questions. What magazine? Did you read it just for the articles?
It wasn’t nine. I’m sure someone in marketing got a hold of that number and put a little bit of a spin on it. I was 11 or 12. I was reading 2600. I was super fascinated by how the technology worked. At that time in my life, I was hanging out in BBS, which was probably 90% of the audience. People are like, “BBS, we have no idea.” Pre-browsers, early internet days.
It was super interesting how the internet and software worked together. I was fascinated by it. Did I read it for the articles? If you remember the old 2600 Magazines, they were massive blocks of text. I remember, later on, the pictures that they started adding were these big, beautiful phone booths. That’s what you got. Those were the pictures. That was a long time ago.
Like a photo of Matthew Broderick and war games holding up the beer tab to phone freaks and doing the long-distance thing, and you were like, “I can totally do that.”
Here are some phone booths from Perth, Paris, and Duluth, Iowa. I’m not sure why I should be entranced by these phone booths but they are beautiful.
There are many jokes we can make there. I will tell you what I’m going to stick with, and it’s not even a phone booth. It’s a police box but I will go with Dr. Whos because they are bigger on the inside. They look like phone booths to the rest of us. Another question about young Robert. Your entrance into Microsoft and the tech world at large, even by today’s standards, going into a company like that, you are young. You are twenty. You are a high school valedictorian. Go into Microsoft. How’s that working? Is that hard or one of those big and wide-eyed, all excited you got your lanyard and lunchbox? How do you go?
The backstory, I graduated early from university because I was taking a full load of credits at the main campus and the extension campus. It wasn’t until I was about to graduate that the school said, “Can you come in the office? We noticed that you took 30 credits last semester. You can’t do that.” I already did. It’s time for me to graduate.
We are noticing this on the way out the door. Thank you.
They didn’t know and never connected the two systems until they were like, “You didn’t pay that much money to graduate from school.” At that time, I was talking to the guidance counselor and she was asking me, “You are going to graduate faster than you should have but you are going to graduate. What do you want to do?” I said, “I’m going to Microsoft to be an engineer.” Her reaction was to laugh out loud and follow up that not a single person from the university that I was at had ever worked at Microsoft. I’m a bit of a smart a**, and my response was, “That’s good. I will be the first.”
I’m sending my resume to the HR team at Microsoft. I’m not getting anywhere trying to hustle to find anyone that I know that knows anyone who works at Microsoft. It turned out it was a friend of a friend who worked there and was about to leave. I said, “Let me print out my resume. I will give it to you. You can give it to the hiring manager,” and she did. This was in the ‘90s. People printed things back then. The hiring manager prints out the resumes for everybody that applied for the position, and he creates two piles on his desk. He’s got a yes pile and a no pile.
My resume is at the top of the no pile. He calls up the recruiter and says, “Come pick up the resumes for the folks that I want to interview.” The recruiter goes to his office, and he is not there. He sees two piles and does not recognize a yes pile and a no pile. He squeezes them together. He calls me up and schedules me for an interview.
It’s interesting because this is back when Microsoft interviews were 8 or 9 hours of interview, and I don’t know how they are now. It’s straight coding and brain teasers. That’s what they were. I show up at 9:00 AM. The hiring manager was the first person that’s going to interview me. I walked in and saw him. He got the resume, looked at it, looked at me, and said, “I didn’t want to interview you.” I was like, “I’m ready to go.”
I was there and was like, “If I’m not good enough, you can always cancel the interview after your conversation with me. Let’s see how it goes.” I’m scraping by the skin of my teeth. Every interview, every hour is a new person that I’m trying to convince. I was able to make it to 3 the 9 hours. They gave me an offer, and I spent almost nine years there. It was a good run.
I am blown away by the notion of the, “I’m not even supposed to be here in this interview,” which led to a nine-year career that set you down this path. I promise we are going to get into everything else that we were supposed to talk about. Look at the way that you got in there. Even with your CV, you did the work. You crushed it, and they put you in a pile that they didn’t want you in.
We look at what’s going on in the world of technology. We can take a moment to look into the eyes of our readers metaphorically. What does that say about how to approach this stuff where you don’t necessarily need to be, “I’m not an AI scientist. I’m going to play one in this interview,” and then get out there and crush?
It’s different now than it was back when I was interviewed at Microsoft. It was well-known that they loved people who could do brain teasers. You’ve got these pirates and split up the gold, and there’s all this confusion. How do you figure out this weird riddle? I was lucky enough when I was younger, I spent a lot of time doing those on my own, and I loved them. I was able to breeze through the interview and answered at the end what was called the AS app at Microsoft as appropriate but no one’s ever solved this.
I’m going to give you one that no one’s ever solved, and twenty minutes later, I figured it out. That’s not the point. The takeaway that still applies now is, at the end of the day, it’s grit. You have to keep pushing and take whatever you can get and get in. Once you get in, you have to prove yourself. Once I got into Microsoft, I was nowhere near the quality of a candidate that everybody else was around me. I had massive Imposter syndrome. I looked around and was like, “This guy got a PhD from MIT. This girl graduated from Stanford at the top of her class.” I remember, six months in, I was talking to my hiring manager and was like, “I don’t know if I could do this. Everybody was smarter than me.”
They put your resume in the correct stack after all because you beat Kobayashi Maru. You can establish yourself nine years later. Now we see what it meant.
It was tough back then because you are coming in and thinking everybody is so much better than you. That’s a terrible mindset to come in with. You’ve got to take the mindset of, “I am where I am. The only way to get better is to apply myself, get more experience, take whatever opportunities are in front of me, and try to say no to nothing.” Take every opportunity, even if it’s the worst job that nobody wants. You are going to grow and learn. That is what’s most important. That was the mindset I had when I started Microsoft.
That was to Microsoft’s benefit, Salesforce’s benefit, and now to the rest of the world at large, as you have co-founded Elevate. That was an incredibly cheesy segue but you have to do these things as a host. Let’s ask you this question. I asked your Cofounder, Masha. Talking about Elevate to paraphrase, what was it, office space? What would you say you do here? I could go with one of the Bobs because we are not going to do that. Your role Cofounder, Elevate as a whole, how do you co-found something interesting? All of these questions and assume that there are 28 more of them than you can answer. I’m going to turn my mic off and get out of the way.
If you ask any CEO, they are probably going to say the same thing, that they have three jobs. The first is to set the vision strategy for the company. The second job is to recruit and retain the best talent you can. The third job is to make sure you have enough money in the bank you have to survive. Interestingly, that’s what I would tell you here. I have been speaking to a lot of candidates that we have been recruiting, and that’s a common question. They ask me, “What is your role? What do you do at Elevate?”
My response is different. I say, “My job is to take out the garbage,” and I mean literally and figuratively. It’s important to me, especially in a startup, that folks understand we are recruiting for a specific role but at the early stage, everybody’s got to be able to do everything and jump in whenever and wherever they are needed. We have a value internal to Elevate called Explorers and not Tourists. No one knows the map that we are following. We’ve all got to figure it out. That’s the old VW ad, “You want drivers, not passengers.”
In the earliest stages of a startup business, everybody has to be able to do everything. They must jump in whenever they’re needed.
At the end of the day, though, every single person has to take ownership and accountability for anything that they see that needs to get fixed. If folks don’t see me doing it, they don’t have a model. There’s no reason why they want it. It’s up to me to set that stage and set that for the whole company. We are all rolling up our sleeves, grabbing a shovel, and digging in.
I’ve had great fortune over my time here with Elevate and other places doing these types of blogs and interviews, talking to founders, men, and women. They say, “I take out the trash.” You are the one who signs your name on the lease and opens the building. You are the first one there, the last one out. While everyone is in there writing code doing all this incredible stuff, you are the one who has the elbow-length rubber gloves on. That’s making sure the toilets are clean and getting stuff out.
How do you have time to execute your vision knowing that you also have to do all of that? You have to make sure that there’s decent coffee for the first, I would assume, a couple of years to make sure that the talent that you are reaching out to appreciates the place and the opportunity that you are helping to make it available to them.
I was on a first-name basis at Trader Joe’s. During those first couple of years. We had an office down the street. There was a great Trader Joe’s. I would go there many times a week to make sure that folks had what they needed. There’s the saying it’s in technology but you hear it pretty much across any industry, which is, “We are going to hire the best people we can and get out of their way.” Enable them to do their best work. That’s part of what my job is.
Part of that is setting the vision and removing roadblocks so that they can get the jobs that they need to do. The last part of it was building a company with a culture in office space when we had office spaces because that was conducive for them to do their best work. That was important as setting the strategy, building the culture, driving the vision of the company, and making sure we had enough money in the bank.
Let’s do a little bit of she said, he said. We got Masha on for the first episode. You, have been chasing out there being the Founder and had to do foundry things. We got you building on the conversation that we had with Masha Sedova, make sure you check it out. It’s on all of your show networks, and if you are a subscriber, you should be able to grab it easily.
She was a colleague of yours at Salesforce, and you all started talking about something. What was the motivation to step away from what is not a pillar of an industry? Salesforce is a pillar of the economy at this time. You were like, “I can go do something else. I’m going to hang out my shingle with my friend, she’s awesome and smart, and we have a good idea.” Did I answer my own question?
I consider myself lucky to have this type of choice, grateful and humbled to be in this position because many people aren’t. Every decision that I’ve made when it comes to my career has been based on two points. First, “Where am I going to learn the most?” I’ve always had that growth mindset of finding opportunities for me as an individual to have an opportunity to grow. It’s selfish from that perspective. That’s my number one priority anytime I’m making a decision. The second side of it is, “Where can I have the biggest impact in the world?”
When I was weighing, “What am I going to do next,” I had CISO job offers. I won’t name them all. Most of the technology companies are in the Bay Area. I wanted to make this next move for me to have the biggest impact both on my ability to learn and grow. Where can I have the biggest impact? Taking a CISO gig would have been nice. It would’ve paid well but at the end of the day, it’s like, “Am I going to learn and grow? Is my impact going to be beyond this company?” The answer is that it wasn’t.
When I joined Salesforce way back in 2007, it was tiny. I built up the security team over that 8 or 9 years from nothing to 100 or 150 folks. My decision to leave was based on a single conversation, which sounds funny. I’m talking to another executive that I mentioned. Let’s call him John Doe. I’m talking to John, “I’m feeling comfortable like a historian internally. It feels like this ship is going whether I’m on it or not.”
His response back to me, and the first thing he said was, “It’s nice, isn’t it?” I go, “No, it’s not nice. It makes me feel terrible.” His second response was when he realized I wasn’t into that like coasting. It’s a big positive because what it’s saying is that you built a good team or a great team. He was right. I was proud of the team and what we had accomplished.
That other thing was nudging at me, though. I didn’t feel good about feeling comfortable. If you are feeling comfortable, you are probably not growing enough. I needed to find the thing that made me feel uncomfortable, where I was going to put all of my time and energy into bettering my knowledge and myself around that particular area.
If you feel comfortable, you probably need to grow more. Put all your time and energy into bettering your knowledge and yourself around your weakest areas.
As I understand, a place that is not so comfortable to be sitting in is a sidewalk. There is a relevant story about sitting on the sidewalk, whether it’s the founding of Elevate or a particular conversation you may have had with a cofounder. Is there a sidewalk thing?
Yes. If I were ever to write an Autobot biography, it would be called Sitting on the Sidewalk. For some of these answers, I feel like I’m bloviating a bit on and on.
Bloviate, come on now. What are you talking about? It’s a show. We bloviate. Therefore, we are. Great word.
Rule number three, biggest CEO, do you remember what it was? I’m putting you on the spot. Always have money in the bank. That was rule number three. Don’t run out of money. It’s 2017. We had just started Elevate. Masha and I decided to go heads down into building the earliest version of what the product would be, and we are maybe a month in. A friend of ours introduced us to a VC, Venture Capital, same investors.
He said, “I wanted you to do this VC. You don’t have to take his money. You should just talk to him.” I was like, “We will wing it. We will talk to him, and we weren’t looking to raise any money.” We showed up with no deck, nothing. We were like, “Whatever, we will be there.” We talked for an hour, and an hour turned into two hours, and he’s leading into what we are trying to build. We are like, “This went well.”
After the conversation, he goes, “I would like to give you money.” We were like, “We didn’t know we were raising money. Are we raising money now?” There’s this saying inside, from a founder’s perspective, that you can’t be half fundraising. In the same way, you can’t be half-pregnant. You have to be in or out. You can’t go halfway. Given the fact that this was the first person we pitched and nailed it to, we felt good about ourselves. We were like, “We get whatever investor we want. We are pros at this. We’ve only done it once but we are pros.”
Fast forward to not being pros. We pitched 30, 40, and 50. I don’t even remember the number. Fifty sounds good but somewhere between 30 and 50, and we get 50 straight no’s after that. We are pros. The sidewalk comment is about that. We had finished a pitch with an investment firm called Costanoa Ventures. We love the Costanoa team. Value-wise, they matched up well with us.
They were good people all around. You don’t see that on the VC side, after the pitch, we were like, “This was one of our worst pitches.” We walked out dejected, sat on the sidewalk, and were discussing, “What the heck are we going to do?” I remember when we were sitting there so vividly. It was one of those conversations about, “Are we going to do this thing or not? What are we doing here?”
It was a powerful conversation because it doubled down the conviction to go solve this problem. Who cares what the investors say? We believe it’s a problem we are solving. It’s the hardest unsolved problem in cybersecurity. We are going to do this whether people are going to invest in us or not. That was one of the lowest lows at Elevate but also one of the highest highs because the conviction goes through the roof in wanting to do that. Funny enough, in a surprise to us, luck swung in our direction. Costanoa called us up, and they wanted to invest.
After that, we had a couple of other people that said they wanted to invest. It’s one of those things. There’s an old saying, I remember, and you probably remember this too, when you were in high school. There was a guy who had a girlfriend, and all the girls loved him. Soon as we got that one investor coming in, then all of a sudden, we had 5 or 6 others that were interested. We had to go.
One of my trademark hamfisted segues. You get your motivation and inspiration from that. You and Masha started building. You’ve turned this interesting company into a company that is now very interesting to a lot of other people. When we talk about motivation and inspiration inside an organization, at the end of the day, nobody is saying, “What motivates and inspires me is the security team.”
As you are coming in and talking to your prospects, customers, and users, for lack of a better term, and explaining what Elevate does and why it’s relevant to your users and potential users. How do you get them to understand why this is important? They are like, “We throw AI. We got endpoint security, firewalls, and all this stuff.” Maybe you need to look at some other things.
It’s interesting. I see security teams talking about how we motivate and inspire the employees to be better security stewards. To a certain degree, you can get champions onboard, especially on the engineering side. I’ve seen and done it. You can get champions on the engineering side to buy into security and build things the right way, etc. The average employee wants to get their job done. If you are in accounting, “I’m not inspired by the security team. Should I be inspired by the security team?” No one is saying that. No one is having that conversation in their head.
I’m not picturing this sales cowboy who’s flying into Dallas be like, “I’m so fired up about what security announced now.”
Most people are trying to get their job done, and they want to know what the rules of the road are. They want the security team to do the job they need to do to protect them. There’s this whole balance, and it’s hard but there’s this whole balance between keeping the business productive and the workforce secure. Sometimes security teams will go overboard on keeping the business secure and not necessarily productive by putting controls after controls at their layers that slow people down. When we talk about motivation and inspiration, the conversation that I would have backed with security teams is about how we inspire security teams to recognize that part of their job is keeping the business productive.
What is the right level of security controls that we need that’s going to balance out risk and productivity? We can use some motivational techniques, social proof, and positive psychology. How do we message, change management, and communicate with employees? At the end of the day, a large brunt of that focus from a security perspective must be the security team recognizing that this is a two-way street. Security seems often looked at as a one-way street and a dialogue like, “I tell you what to do, I’m in my pillar, my tower of no, and I’m going to throw policies down upon you.” That’s not how it works. Immediately, what you are going to get is a whole bunch of people working around those policies to get their job done.
I love the idea of the tower of no, and someone standing there throwing down decrees, and the salespeople are down holding torches. As the decrees land, they set them on fire. That seems to be the battle. I have been on both sides of that discussion. I love both of them. Without them, none of us would work. If you don’t sell things, nobody buys things. If you don’t make things, there’s nothing to sell.
I was at a company that will be left unnamed. I remember sitting down with our compliance team and them saying, “We need to make sure employees read our policies.” I commented back to them, I probably shouldn’t have made the snarky comment but I commented back to them. “I won’t even read it. Why do you think they will?”
I was laughing before you even started because, “We need to make them read it.” That’s not how reading works. One of the things that Elevate does is address people specifically with a technology approach and a strategic approach. In your experience, and you have been at the most important companies in not the tech world, the world in your experience, who in the organization owns the “people problem”? I don’t even like the word problem. I wrote that down. I’m going to go with the people issue, the people conundrum, whatever the right word is there. What’s the org that needs to be addressing people’s role in the idea of keeping the house safe?
I’m glad that you questioned yourself on word choice there. The way that the individuals in your organization are the primary attack factor, not a problem, a solution or anything. It’s like, “What attackers are focusing on.”
The people, let’s go with a big 2022 bright sunshiny word. The People Opportunity.
It’s an interesting question because when you talk to security teams and you are covering things like, “Who owns email security?” There’s a clear answer. Who owns Endpoint security? Clear answer. Who owns identity? Clear answer. The reality is that the people’s side of this equation is not owned by anyone. Historically, teams have said, “It’s the awareness and training team.” We have been doing awareness and training for the industry for twenty-plus years, and clearly, that’s not enough for us to prevent and reduce the number of incidents that we are trying to respond to. The team that has the brunt of the challenge of having to deal with the fact that people are getting attacked and falling for different types of threats is the security operations team.
I feel bad for Security operations teams because it’s like this game of Whack-A-Mole, and I’ve managed a bunch of these teams. They are constantly new threats to pop up, and you are hitting them down. I don’t know how familiar folks that are reading are to the average lifespan of a SOC Analyst in their role but it is short. I don’t have data for 12 to 18 months. It’s about right. It’s very short.
The reason is that they get burned out quickly because they are grinding through the same thing over again. There needs to be this recognition within security teams that when we talk about the people’s opportunity, that is an opportunity across the entirety of the security team to better address it. That starts with the CISO, the security operations team, the security engineering team, the awareness, and training team, the compliance team, etc. Going back to my original question of keeping the business productivity in the workforce secure, “How do we balance that with the right set of controls and responses to make sure that we are achieving the goal?”
When you come into, whether it’s a boardroom, a C-Suite, or any office, talking about what Elevate brings, I’m being careful to word this. This isn’t a commercial. Elevate does different cool stuff. When you are coming in to talk to a boardroom, a C-Suite or anybody about what Elevate can do to help them understand their employees better, they might look back and say, “You are going to help us understand our employees?” We can help you in a way that’s not big brotherly. It is a way to get what the people are doing and how they are acting and reacting. From there, you can make decisions to do the best thing for them, to get them better at keeping everybody safe. How do you get in there and overcome some of the obstacles for people who may think we can throw AI at it and fix problems?
Our biggest champion within any of the enterprises we have customers in is the C-Suite. I can’t tell you how many CISOs circle back to us after we roll out and tell us where the star of their security program is. When we started the company, one of the things that Masha and I wrote down as one of the goals was to get anyone that buys Elevate promoted. This is a weird goal.
That’s such a great inspiration going in there. Nobody ever got fired for buying IBM. That’s the cliché.
Most security products have the opposite. “Nobody got fired because,” and we were saying, “You will get promoted because.” What we wanted to do, and there was inspiration from the duo of how do we build a product that people love, number one, and how do we build a hero product that makes individuals look good to their peers? The C-Suite was all about how we build the most beautiful dashboards that communicate to other executives in a way that they can understand.
It’s not, “We have 40,000 vulnerabilities this week, and we had 30,000 the week before,” and people go, “I don’t know what that means.” It’s about, “How do we communicate risk effectively at a level that executives would see in the Wall Street Journal, the news, etc.” One of the things that we’ve tried to do, from how we engage with executives, employees, and security teams, we try to meet them where they are at. That is a different thing for executives than it is for employees and security teams.
It is super important when you are building a people-oriented product. We were talking about challenges earlier. One of the biggest opportunities that we’ve had is building a product that nobody else is doing, and being on the front lines of trying to figure out that it’s fun and allows you to spin those creative deuces.
It’s because time is out of the premium. I am going to suspend the other 29 questions I have on this list and invite you back. We are getting you and Masha together in time for the holiday season. I want to move over into leadership corner stuff. You are a founder and have been a part of companies like Microsoft and Salesforce. These are massive industry things. You have always had to have your eye on the ball for what’s happening. Is there any technology out there ready for prime time, whether it’s in place? It doesn’t have to be a company name. Are there things you are looking at and thinking, “That is interesting to me. That might be the next thing that’s going to do the next thing?” We are in the middle of the FTX meltdown.
Historically, security teams and also include my security teams in the past. We’ve spent a tremendous amount of money on protecting devices, networks, and applications. I’m going to apologize upfront for how I answer this because it’s going to get philosophical. If we think about most industries when they are building software, they have a very simple model where at the center of their products are people, and everything builds off of that.
Sales, software people, marketing, eCommerce people, and oversimplifying it but the reason that people are front and center in most software is that we need to engage with people intelligently in a personalized way to achieve the outcomes that we want. As an industry, we dropped generic approaches back in 1999. It has been a while but security still focuses on the generic.
Engage with people intelligently and in a personalized way to achieve your desired outcomes.
Were you working on Windows Me at that time?
Yes, I was in the Office team. Where we are moving is towards a notion where at the center of security are people and identity. It’s joined at the hip and a system that allows us to engage intelligently with employees, our people, and the devices they use to dynamically protect them so that they can balance that equation that I keep saying, which is, “Keeping the business productive and the workforce secure.”
At the end of the day, the company that’s going to win is going to be the company that enables their business to move super fast on a paved path, which is secure but up seeing the protection when it’s needed. I don’t think that’s zero trust. A lot of people would say, “It sounds like zero trust.” No, it’s dynamic trust that is appropriate for the risk context. That’s different, and we are going to see more maturity around that. It’s probably going to center around identity, but it’s definitely an area to watch there.
Security went through this rapid-fire stretch, and it was a cloud. It was artificial intelligence and then blockchain. We had all of this foundational shaking new technology that was coming in, and it was fine. Everybody had things to put on their booths. We get to now, and we’ve gotten used to that. It’s not there. I always go back and make comparisons to music, and we had the Sex Pluses and the Ramones.
Pretty soon after that, we had Public Enemy and then NWA, and grunge happened right after. We were on the edge of our seats all the time because something we’d never heard before came out. It felt like security was doing that, and now, not so much. Why did I ask the question about tech that you see around the corner? Is it not how that works? Do we need to calm down and ice the cake first and think about what’s next?
What I see in the industry are two camps. One says, “We need to go back to the basics, and we need to get the basics right.” We, as a security industry, never got the basics right. That’s true, and it is. Going back to when I started at Microsoft, I was on the Outlook team, and we were dealing with some of the first social engineering attacks through email that was in the 90s. We are still dealing with the same types of things. You are phishing and malware and whatnot, and then you have the other side of the camp that says, “Security needs to respond to large technology and platform shifts to be able to support it. You have cloud, mobile, and other types of major technology shifts that don’t allow you to focus on basics, and these technology shifts.
From my perspective, we need to keep our eye on the basics and get as much value as we can out of those basics. There’s a tremendous tendency in security teams to buy shiny new objects and never fully integrate them together. There’s a challenge that I would put out to the vendor industry, which is, “None of these security programs are going to be mature unless we say everything is API first. Meaning we can connect these systems. Secondarily, we need these disparate systems to be able to communicate, share intelligence, and be knowledgeable about each other. We can build something that works together so that you don’t have 20, 30, 40, or 50 technologies that are completely disparate and disconnected.”
Keep an eye on the basics and get as much value as possible from them. There is a tremendous tendency in security teams to buy shiny new objects and never fully integrate them.
There’s nothing anybody loves more than coming in and being, “Awesome. I have 12 dashboards to manage 19 solutions.” It’s 12 for 19. It’s a couple of them you can plug the APIs into, and it will go from there. I would give a shout-out to a couple of companies but no free ads, and somebody might get beat by the bad guys tomorrow.
Last question on Leadership Corner. You are a Founder, and a very busy man, as we have seen trying to get you scheduled for this. I assume that when you are awake, you may not always be elevating. What’s on your playlist? Are you reading anything? Are you cooking? Is there a garden in the background? Do you unicycle? I hope you unicycle. That would be a great answer. It’s okay if you don’t unicycle.
There’s a funny side story to that. Reading Build by Tony Fadell. It’s a great book if anybody wants to check it out. Listening to Run the Jewels is at the top of my playlist.
Thank you. Many people do not ever reference what they are listening to. I’ve seen Run the Jewels Live.
Killer Mike’s the best. Cooking, I like simple dishes, so I’m always in this pursuit to get simple things to do and execute well. Could be something as simple as scrambled eggs. I make the best-scrambled eggs. What else? The unicycle question. We put it on a basketball court in my backyard. In my neighborhood, every couple of months, people take the garbage, I will call it garbage, things that they no longer want, and put them on the street. Other people in the neighborhood can grab it or it’s picked up by folks that donate to charities. My daughter picked up a unicycle, at which point we tried it out on the new basketball court, and scrapes, bumps, and bruises occurred.
I was going to say, how did that go?
Let’s say we are not unicycle experts yet.
You have one that you took from someone’s garbage thrown out at the side of the road. That’s amazing.
It’s sitting over there. It’s about 20 feet from me. I can say it is harder than it looks.
Did you get any furniture? Was there a television set sitting out there by chance, maybe a record player or just the unicycle?
I have a rule in our house that if one thing comes in, something has to go out, so I never bring anything in. It’s always my wife and kids who are bringing stuff in.
A proper founder and husband and father could always lay blame on someone else. That’s a good move.
Don’t get me started on our cats, rabbits, and dogs.
Shameless plug time. I know you are in demand. We are coming up on a hard stop. People that are looking for information about what you are doing and what Elevate is up to. I know that you are so heads down involved in customer stuff but every once in a while, you might post something out there in the world. If people are looking for you, where can they find you?
Our company is active on LinkedIn. You can find us at @ElevateSecurity on LinkedIn. Follow me or my Cofounder @MashaSedova. We are active on our posts, and you will find lots of interesting information posts on the employee side of risk as well as security in general.
I’m going to make this terrible joke. It’s going to be the name of the episode, and I’m sure that he suffered through it enough. I got to tell you, Robert Fly, pretty fly for a security guy. Shout out to the ‘90s. What are we going with the offspring there?
That is Offspring. You did have to finish on the ‘90s reference.
I did. It’s embarrassing. It’s terrible. From one bald man to another though, Robert, thank you for taking time with us. That is it for now. Thank you for joining us on Friendly Fire for more information on all that is good in the world of cybersecurity and insider threats both witting and unwitting most people are good. I don’t think they are acting maliciously. Make sure you come and find us. We are, as Robert said on LinkedIn and Facebook. The mothership is ElevateSecurity.com.
You can find me @PackMatt73 across all of social media. As far as the show goes, it’s Friendly Fire anywhere you go, that’s where we are, whether that’s Apple Podcasts, Google Podcasts or any of the other ones that you got them all on your phone. All we ask is to subscribe, rate and review, and you will never going to miss out on all the great folks who come on the show. Now we have both founders separately but imagine what happens when it’s team-up time. Coming soon to a network near you. Until then, we will see you next time.
- LinkedIn – Elevate Security
- LinkedIn – Robert Fly
- LinkedIn – Masha Sedova
- LinkedIn – Matt Stephenson
About Robert Fly
Robert Fly is co-founder and CEO of Elevate Security, delivering a first-of-its-kind platform that enables organizations to identify risky employees, reduce the likelihood of future incidents, and proactively defend their workforce while ensuring a productive business. Prior to Elevate Security, Fly was an executive at Salesforce and Microsoft building and maturing nascent security programs into world-class teams. Fly is an advisor to several successful security startups, helping them get to product market and go to market fit. He holds more than a dozen patents in security and was a founding member of the Cloud Security Alliance.