Grant Bourzikas [00:00:00]:
You can’t let a vendor hold you back from your security posture because you’re worried about the change. This is stuff that we have been, as an industry, gun shy of doing. It’s hard to replace your endpoints. It’s hard to replace your WAF. It’s hard to replace your IT. So we continually invest in technology that’s twenty years old when there’s a lot better stuff that’s out there that will seamlessly integrate, make your life easier, and you’re gonna be in a lot better spot.
Karissa Breen [00:00:50]:
Joining me today is Grant Bourzikas, chief security officer from Cloudflare. And today, we’re discussing lessons learnt from a global CSO in the year of elections. So Grant, thanks for joining, and welcome.
Grant Bourzikas [00:01:02]:
Thank you, KB. Wonderful to be here. Happy happy to be finally get this on the schedule and do it.
Karissa Breen [00:01:08]:
So I know we are coming towards the end of the year. So maybe share a little bit more about your thoughts. What do you sort of learned this year as you sort of reflect back now in this interview?
Grant Bourzikas [00:01:18]:
Yeah. So it’s a great question. I think as as we look back into 2024 and I think about, you know, how we’re gonna transition into 2025, the big lesson that I’ve taken away is that systems are facing very similar challenges, but we’re all dealing with it a little bit differently. And I think the the challenge that I’m hearing consistency among all the answers I get is this, you know, how do we lower cost within our operating environment, and and how do we reduce complexity? And those things I’ve seen a lot, and I I’ve talked to just about a 50 CISOs over the year, and that’s loud and clear, the number one thing I hear. Number two things that I hear is around artificial intelligence and what are we doing with AI, LLMs, machine learning, deep learning. But those are the two things that I think as I look at we’re all we’re all facing similar challenges. We’re just we’re just opting to handle them a little bit differently, and I think sharing knowledge with each other is something that we’re all looking to do because these are monumental tasks that we’re all facing.
Karissa Breen [00:02:29]:
So what do you think we are doing with AI? Because I know there’s a lot of hype around it. I know that companies are now focused on beyond the hype. What does this actually mean? What’s your view?
Grant Bourzikas [00:02:38]:
I always answer, you know, what what is AI? Right? That’s the first thing I always answer because there’s a lot of different discussions around what AI is and what are the risks around AI. And I I was need to clarify how we think about this. I I was just at the World Economic Forum, the security meeting in Geneva, and this was the big topic. And so are we talking about models? Are we talking about business and how the business is using AI? Or are we talking about what we’re doing with data classification, data sensitivity, data localization, how we’re protecting data. And so I think all of those topics are on the table. And depending on which conversation you’re having, I think it’s always good to know where you’re driven. I do think, and this is something I, I talk regularly about is, you know, AI from a security practitioner is about data in most simple terms. And it’s something you’ve tried to solve for fifteen years around how do you protect data from leaving the organization.
Grant Bourzikas [00:03:45]:
And so when I think about a lot of the conversations around model governance, how we’re building that all in, you know, how are we keeping our data outside of public models? This is just another conversation. Like, I could have had fifteen years ago at any of the banks that I worked at in really trying to, you know, protect data. And so that that’s a very common one, and I think it’s a really good perspective to start, at least from an AI standpoint.
Karissa Breen [00:04:15]:
Yeah. And look, that that is a that’s a great question on what is AI and what what does it actually mean? Do you think that now with 2025 and there’s you know, and AI has probably and I know it’s been around for a long time. I get all of that. But in terms of it being more ubiquitous in the market, probably since the end of 2022 when ChatGPT really came into the market and it started to take a massive turn in terms of the conversations, do you think people are sort of embracing a little bit more and are looking at ways on how they can leverage it in their organization? Because, again, like, you can reduce a lot of heavy lifting with automating things and leveraging AI. So what is some of your key predictions then on that front?
Grant Bourzikas [00:04:57]:
So, you know, when I think about 2024 I’ll start with 2024. One of the things I thought would be super interesting was, you know, having some predictions around AI. One of the predictions was that you would you would see our first model breach. And I thought that was a little no. It would take some time before we saw that. I thought it would come true with 2024. And I think it was two weeks later we started to see it. And so when I when I think about what we’re seeing from a security standpoint, it’s another vulnerable vector that we should pay close attention to.
Grant Bourzikas [00:05:27]:
What I think in 2025, you know, we’re still not really using AI at this point. I always think, well, to to kind of the the first question, you know, what is AI? I think a lot of people are talking about LLMs. Right? And and how how are we using LLMs? I think there’s some advantages. You know, we’re seeing all this Copilot and, you know, all these autonomous SOCs and all of these things that we think we’re getting great benefits, we’re gonna see great benefits. I I don’t still think we’re gonna see the benefits in 2025. I think it’ll roll into the out years. And I think it’s primarily due to, you know, the thing that I’m consistently hearing from all the CISOs, which is how do I address cost? How do I, you know, decrease complexity in my environment? And now I have this AI thing that I’m trying to do and invest, and it’s really forcing us into what I’ll call a security transformation component of you know, I’m a CISO, and I have fifty security tools. Well, I can tell you you probably don’t have the people, the resources, the dollars to be able to support it and take on new efforts with AI because you your the environment’s just too complex.
Grant Bourzikas [00:06:37]:
And so when I think about where we’re headed from a AI standpoint, and and and I think it’s, you know, from a Cloudflare perspective versus, you know, a traditional CISO that’s in a banking or insurance organization or retail manufacturing, it’s a little bit different view because I take it from a Cloudflare standpoint, we’re using machine learning, we’re using neural networks. You know, we’re using the LLMs as part of our products. You know, from a CISO standpoint, it’s a lot harder to build a data model that I can run, you know, an LLM on and gain tremendous efficiency. That isn’t really packaged from a vendor. Some of the large organizations have done this. I’ve done this in some of the large organizations I’ve been, but it gets to be costly from an R and D standpoint. And so one of the things I think is as we we look into 2025 is this adoption of machine learning, deep learning products into our organization that, you know, from a third party standpoint. But I also think it’s worse there because we don’t know what these models are doing.
Grant Bourzikas [00:07:44]:
Right? The the fundamental component or difference between machine learning and deep learning and and LLMs is that machine learning, I know exactly what you’re doing and and what the models are doing. I can understand feature importance. I can understand what the features look like and how they’re being manipulated. Deep learning and LLMs, I don’t. And I think this is gonna be something as we look at is how do we adopt new models? Which models do we adopt? Where’s the data training from? I think there are to be all key elements of 2025.
Karissa Breen [00:08:16]:
So is it fair assumption to say companies are still in this reconnaissance phase around, like, you know, whose models they’re worried about? Hallucinations. They’re worried about what data it’s being trained on. Like, are we still trying to navigate this chartered territory? And it’s gonna take a little bit of time, right, before people feel comfortable on understanding exactly where they sit. Because at at the moment, I think there’s a lot of conversations. Even I can’t even keep up all the conversations that are being happening at this in this space. So do you think it’ll take a few years before people are comfortable with the state of play from an AI perspective?
Grant Bourzikas [00:08:50]:
So I think you’re right on, Katie, on it’s going to take some time for adoption and AI. You know? And I I draw parallels even into the cybersecurity industry. Now I started, you know, doing pen testing, and I’ll call it firewall management in the late nineties. And I think of AI as in a very similar state where the first five, six, seven, eight years of my career, you know, like, oh, you can’t have to be, you know, security. You’re not needing security. And we’re at the same infancy of where there aren’t a lot of skills in AI. They’re still being developed. And with with where we were twenty five years from a security standpoint, then I even look at it from an advancement in technology.
Grant Bourzikas [00:09:35]:
Even when I finished my master’s, I spent three years coding Python overnight. You know, the technology’s gotten even more advanced. You know, there were very little LLM stock when I was doing this, and now LLMs are the big thing. And so I think, you know, two things is the industry is moving forward very quickly, and people cannot stay on top of it. And then I think even more importantly from a security standpoint, how how do you stay up with cybersecurity and AI? It it’s a tough thing. We already have a shortage of talent and skills in the cyber workforce and, you know, tag data science, machine learning skills on top of it. And I think we’re at a big loss here. And so I think as we look forward for this, we’re gonna be very dependent on vendors like Cloudflare to help protect our environments because they’re gonna have resources and machine learning resources that are going to be able to help.
Grant Bourzikas [00:10:31]:
You know, I’m lucky having the Mesosil here that I get to leverage the technology and all the things that are there. But I think it’s it’s gonna be something unique as how do we learn about what AI is or what’s the difference between an LLM and deep learning and machine learning and are, are gonna be very fascinating things as we kind of venture forward in the future.
Karissa Breen [00:10:51]:
The only thing that’s interesting in terms of observation that I hear from people is people out there saying, oh, if you don’t adopt AI, like, you’re not gonna be around. There’s a lot of that. Maybe it’s fear mongering. Maybe there’s truth to it. Like, there’s, you know, there there’s a bit in both camps. But do you know then that just overwhelms people? And then maybe they just do nothing as a result of it.
Grant Bourzikas [00:11:09]:
You know, I did our keynote in Sydney in August when I was down there and and this was the topic this was my third topic, you know, when I talk about cost and complexity and AI. But the thing I tell people is you have to embrace it. And I do think that there are companies that don’t get involved in AI, and they’re going to be short circuiting their capabilities in the future. And and the companies that are using data and using AI right will be the ones that are more successful. And, you know, that may not be in 2024. That may not be in 2025. We are seeing some fascinating organizations leveraging AI. But I think for mainstream organizations, we’re still learning through this.
Grant Bourzikas [00:11:50]:
And so what I tell every security practitioner is something that has to be near and dear to what we’re doing, you know, partnering with the business, helping drive the business from an AI, thinking about the risks that we’re facing, and that will help us get through it. You know, I I think when we ask, you know, if the business wants to do this and we say no, I think that’s a problem. Right? Like, how do we enable the business to move forward in a secure AI model? There’s a lot on the practices, you know, just thinking about open source, you know, models, LLMs that we already know how to manage. We don’t always think about it that way, but it’s the same way we’ve been managing open source today. We just aren’t thinking about that. And and so I I think it’s something as CISO security leaders has to do is embrace AI, help the business move it forward, and not be scared of it.
Karissa Breen [00:12:43]:
Do you think people say no because they don’t understand it? And there’s also so many different opinions and thoughts and, you know, there’s still people out there saying, you know, we’re not gonna have any jobs left. Like, there’s, you know, there’s so many varying opinions that perhaps that clouds their judgment. And then they’re like, oh, no. I don’t wanna go down that path. You You think there’s a bit of that in there?
Grant Bourzikas [00:13:00]:
I think there’s always that in cybersecurity that there’s a little bit of no because we don’t understand what it is. And and I think this is a point of inflection because I do think in the next five years, we’re going to see major advancements. I have a six year old. I think about it. I think about this every day. Like, what is the job force gonna look like when he comes out in fifteen, you know, seventeen years from, you know, the university? What does that look like in an AI world? And so I I think that this is something and this this is why I went into a full master’s program in this AI is because I didn’t understand it. And it did scare me. Right? It’s it’s okay to be scared of something.
Grant Bourzikas [00:13:41]:
And cybersecurity is hard enough as it is that I gotta learn AI. And how do I think about AI risks? And what are they doing with my data? And these are all things we’re gonna just have to hide down and learn, and that’s gonna help us get through it. The CISOs that always say no and are embracing what the business those are doing should go extinct. Right? There are a lot of people that have a lot of ambition, curiosity to learn this. And if you don’t know it, you know, that may be part of the journey you’re on with the organization to learn and experiment on things that will help the business, you know, move forward. And and that’s that’s the opportunity that I hear, you know, in every, you know, kind of CISO forum is, well, how do we become on par with the CIO? How do we report to the CEO because security is important? Or how do I, you know, and peers with the CTO? And what should have my reporting structure? We get hung up on that stuff. But I think it demonstrates, like, especially AI, that if we wanna be business leaders and lead an organization forward, this is an opportunity for us to do it with AI and show the value of what systems can do.
Karissa Breen [00:14:54]:
So I wanna switch gears now, and I wanna talk about future proofing security in an uncertain economy. Now people are gonna have different versions of what their definition of an uncertain economy is, but I’m curious to know how how do you see it? Talk me through your thinking here.
Grant Bourzikas [00:15:11]:
When I think about future proofing, security, and how do we think about this, the thing that always comes to my mind is, like, we have to simplify this. This is the first year I’ve seen CISOs unanimously say things are too complicated in my environment. I worked on some major breaches this year that that I I got lucky to kind of be cast and ask for help. And I’ve I’ve dug into a couple of these and unanimously, every single one of them is, I don’t understand how your network works. I don’t understand what your security posture is. You know, things are so complicated with multiple endpoints, you know, multiple firewalls, multiple, you know, 25 different egress, ingress points that the only way that I I think from a future proof is really to simplify what it looks like. And so this was something that I was on a panel in the World Economic Forum about this. It’s we have to go through a security transformation, and we have to be part of the business as we move forward because business is making transformation.
Grant Bourzikas [00:16:19]:
But if I think about ten years of systems and the last twenty years, we’ve bought product after product, after product, after product, and it’s not working. We’ve seen more breaches over the years. You know, the adding more products is not a good idea because what ultimately ever happens every single time is you buy a product because it’s supposed to protect us, but we never configured it, enabled it, set it up. Right. And I think this is what I think about this is, you know, to get to a spot where we can be nimble and future proof our security to to even start thinking about how do we do detection at scale, how do we do validation and posture at scale, we have to have a simplified environment that we can control.
Karissa Breen [00:17:04]:
That’s a good observation because I think when you were speaking, what was coming to my mind is so many people have gone out and just bought these point solutions. Right? And then to your point, haven’t configured it, haven’t done this is, you know, lack of interoperability. So do you think that now people are probably seeing the complexity and they’re now trying to find a way to reduce that, reduce the tooling? I mean, I would say the main undertone of the interview at the moment is this. We’ve gotta reduce tooling. We gotta consolidate. We gotta do all these things. But how do people do that so things aren’t going by the wayside? Because, like, oh, we just removed something that we probably shouldn’t have and then keeping the lights on. How do you find that equilibrium from your experience, Grant?
Grant Bourzikas [00:17:44]:
You know, the one thing we see I see this with every customer, and I get involved with a lot of customers that ask me this exact same question of, I have all these priorities. The business is saying, you know, AI and, you know, we have all these complicated regulations, you know, but I got five web application firewalls. Like, how do I think about transformation with this? And so priority is I gotta, you know, I gotta help the business move forward, which is the right answer. But I also, like, think we have to stop and think, like, are we going to be able to transform the business? There was a big organization in Australia that we just wanted the deal, and and it was around how Cloudflare can help streamline DevOps to be able to get it at the speed that the organization wants because we can shift left, use all the buzzwords, everything’s in Terraform because we’re really the only vendor that could do that. When I think about these things, we gotta be thinking about our own business. Right? We we need to help the business, but we have to transform it. And I’ll I’ll use I mean, I’ll give you a little inside ball even with us. Like, we’ve switched our IDP.
Grant Bourzikas [00:18:54]:
That is tough. We did it in eight weeks. We switched our IDP in eight weeks. We swapped our entire EDR platform and we just swapped our SIEM. We did that all this year. And, you know, we’re under 10 tools for Cloudflare because I’m focused on how do we modernize our architecture, how do I build immutable infrastructure into our edge network? And when I think about these things, these are tough decisions. You know, is there any value in me swapping out an IDP other than from a supply chain risk? That’s the biggest one because I’m hosting it ourselves. And I I think, you know, from this perspective, I feel a lot better with the simplicity that we’ve created than, you know, that can enable our business to go forward.
Grant Bourzikas [00:19:41]:
And I, I think that’s something that I think we have to be conscious in our transformation budgets. We have to be honest with ourselves and really put in a, you know, kind of an architecture view of how do I want this network to look like? Because I mean, for us, for a lot of people that have been in this business twenty years, thirty years, thirty years ago, networks were all over the place. You know, with map problems, routing L2 and L3 problems, and we just inherited it. It never really fixed it. And now we’re we’re kinda stuck in the spot of the business wants to go faster. We wanna use AI, but we just don’t have control over our existing environment. And I think, you know, my biggest worry with AI is just that the confidential data gets in the public models. And secondary, like, well, our data protection’s never been good from a a world perspective, you know? And so how how are we gonna do this? We get our fundamental controls in place.
Karissa Breen [00:20:40]:
Another thing that’s come up in my interviews as well as platformization. So everything that you just said, would you say that there’s a shift more now towards platformization to, you know, reduce the complexity, make things a little bit more simple, etcetera?
Grant Bourzikas [00:20:53]:
Marketing has caught on to that. Right? Like, everything’s become a platform. I talk a lot about this at Cloudflare because, you know, we standardize on a couple of vendors and leverage them. But just because I pick a company, company a, and, you know, they’re marketing as a platform, that doesn’t mean that they got five different operating systems and five different interfaces because they’ve rolled up a bunch of companies, and now I got basically a platform of M&A activity. And so I think you gotta be careful of what a platform is in a kinda marketing standpoint. And this is one of the things I I talk. And and one of the primary reasons I came to Cloudflare because I was so impressed that every piece of software runs on every server and every data center and controlled through one interface. That’s a platform.
Grant Bourzikas [00:21:43]:
And that’s something you can get behind. But I think what I worry about, you know, the question you asked me as well, should we think about platforms or technology? Yes. We absolutely should be, but don’t be fooled by company a that has done seven roll ups or seven acquisitions. And now I have this big mass of stuff that doesn’t integrate in different interfaces, and it’s made it more complex because company a is trying to invest into integration of these products, and and it’s really hard to do that. So I think that’s the gotcha because marketing is something that we see all the time. It looks good. And then we look under the hood and say, well, this product has, you know, all of these things, but then it’s like you got three interfaces and three agents. And we’ve just created one one purchase order, but we still have this complexity issue that we’re facing.
Karissa Breen [00:22:41]:
So just to extend on this a little bit more, because this is interesting. So as you would know, it started off with companies outsourced to, you know, IBM and friends back in the day, then we saw Wave with point solutions. Now people are saying, well, we gotta reduce things. We wanna do platformization. So what I’m also hearing from people, and can you get your thoughts, is well, they’re like, well, yes. Since certain incidents have happened this year, people are now worried about, well, I don’t wanna put all my eggs in one basket because now that’s a risk. So how do you manage trying to reduce risk, ensure that you’ve got uptime, not complicating things, making sure things are integrated, things are talking to one another, and try to reduce your cost?
Grant Bourzikas [00:23:21]:
It’s a good factor. And this is something this is another one I I think is, you know, you’re right on point. And you say, well, do I want best of breed? Right? Or or what do I wanna look at it? My personal belief on this, right, is you gotta manage costs. You you know? So how do you aggregate engineers? You got reduced complexity. I mean, at a minimum, you have to know what goes in and out of your organization. And then I I think you you have this best of breed thing. And I I always think if, you know, looking at an architect and sometimes I think what I as a CISO is a little bit of a I don’t know, enterprise architect is I think about how do I piecemeal this thing together in a aggregate view that makes sense. And so just because let’s pick on, you know, use use us as an example.
Grant Bourzikas [00:24:07]:
Hey. We’re gonna use Cloudflare. We’re gonna put your zero trust in. We’re gonna put your web application firewalls and API protection. They’re all the lead us in. Right? Well, you’ve over pivoted on you. And what I would say is there’s a lot of endpoint solutions. Right? So now you have, you know, you could pick a CrowdStrike, a SentinelOne, a Microsoft, just to name a few. You know, in the conjunction with CloudFront, now you’re still down this path of, well, I need a vulnerability scanner.
Grant Bourzikas [00:24:34]:
Pick one of the the big three or four vulnerability scanners. Now you get into your IDP. And so when you start to piecemeal these altogether, well, now I need a token. Right? And so you’re down this path. And when I look at this, even in a simplified environment, you’re still eight to 12 vendors that you’re reliant on. And I had been a big believer in almost every organization that I’ve ever been in. I go in and I start checking, you know, endpoint configurations, and they’re always a % of the time configured well. We never actually leveraged it.
Grant Bourzikas [00:25:08]:
And so I think the more technology that you put in, the the the bigger the chance on misconfiguration is. Keeping it simple, configuring it right is the best option because I think if you can you have a good, you know, zero trust deployment. You have a good IDP deployment with MFA, right, and good governance around access controls. You have a good endpoint deployment or, you know, or or Internet provider WAF protection. You’re in good shape, but I think you gotta make sure that you understand the control and the posture that you have. And so that if something fails, you still have another level of protection that is independent of just one vendor.
Karissa Breen [00:25:51]:
And I guess 12 is better than, like, a 50. I heard tools peep some companies have some enterprises, which is a lot. So I guess even going from one fifty down to 12 is still a massive reduction. But then as you were talking, what I and this is what was coming in my mind in terms of an analogy is, like, okay. We’ve got a problem. Now we gotta find another point solution. We keep buying that. Keep buying that.
Karissa Breen [00:26:11]:
I don’t know. Sometimes if you’ve been to someone’s renovated house, you know that just keep extending on a room because it just doesn’t look good and you know that it wasn’t engineered at the beginning to have this house. So do you think that now we’re at this point in security or IT more broadly, it’s like, okay. We’ve got all these things that are added on, and now we really have to, like, knock tear down the house and sort of start, you know, proverbially tear down the house and sort of start start again to make things make sense because they just kept adding on because new problems would start too much. And I I don’t blame the industry. It’s just an observation.
Grant Bourzikas [00:26:45]:
You’re right on at this point. I I think as people buy houses, you’re like, well, that kitchen’s beautiful, but then you’re like, oh, that dining room. And they’re like, well, that doesn’t even make sense in the house. Or, you know, the bedroom is, you know, from 30 years old to see, you know, and, and then when you take a step back and you look at this house and you say, Hey, this doesn’t even make sense. Right. It made sense thirty years ago, twenty years ago, ten years ago, but not today. And I think this is the point I make is you you add a point solution. I mean, I I always think, you know, I I watched and I was a big believer in McAfee twenty years ago when Dave DeWalt was, you know, in the antivirus.
Grant Bourzikas [00:27:22]:
And then he bought Intercept and InterShield, and he was buying all these amazing tools and integrating them. And, you know, I’m just buying the stuff like it was cookies. And it seemed like it was the right thing to do. Now twenty years ago, there wasn’t a lot of options. But now, you know, some of that infrastructure still lives. And so I hear this all the time. Like, I I can’t replace, you know, when I, when, you know, we really wanna use solid flow, but I can’t replace our existing vendor because it’s too complicated. That’s the point that you have to change.
Grant Bourzikas [00:27:53]:
You can’t let a vendor hold you back from your security posture because you’re worried about the change. Yeah. You know, when you you redo your kitchen or, you know, you build a house, then, yeah, it’s gonna be a a very stressful thing. But at the end of the day, you’re gonna be ecstatic with it, and and you’re gonna see what modern technology can bring you. And I think this is stuff that we have been, as an industry, gun shy of doing. You know, it’s hard to replace your endpoints, hard to replace your WAF. It’s hard to replace your IT. So we’ve continually invested in technology that’s twenty years old when there’s a lot better stuff that’s out there that will seamlessly integrate, make your life easier, and you’re gonna be in a lot better spot.
Grant Bourzikas [00:28:38]:
You know, the other thing I’ll say about this is, and I see this with my team, they get excited about doing doing new technology. In in every organization. If there’s like an urgent project with some, I think every organization does very well. There’s an urgent project where we need to rally around something and do a kick ass job. It always goes well. I could have swapped our EDR platform, our SIEM platform, and our IDP all in twelve months if I didn’t have a team that was excited about this. And, you know, you’re using the technology or knew these many things, and we’re in a much better spot for where this goes. And and I I just think this is something the security industry is scared of because it might break something.
Grant Bourzikas [00:29:20]:
Well, if if it breaks something, work with change windows. You know? Work with an IT organization. Work with a business. Work with the engineering teams. There’s some brilliantly smart people out there that could do this, and we just never give them the chance. And I think when you get out at the end of the the day, if you, you know, you’ve got a house that complete rehab, it’s a lot of work. But when you get done with it and you have this beautiful new house that has, you know, the right chi in it, you’re in a good spot. And I think this is something we need to do is clean up our house so that we can focus and enable the business to move forward.
Karissa Breen [00:29:54]:
So I wanna move forward now on to an interesting topic. Now people can obviously, I’m assuming, detect that you’re from the US. Now there was an election this year, as you know. So I’m curious to sort of get your view, Grant, on how do you sort of see global events like US election, impact cybersecurity? I think that sort of is going back into, you know, the economy question as well. Like, I’m I just wanna get a little bit your lay of the land.
Grant Bourzikas [00:30:20]:
Yeah. You know, this is something I’m very proud to be part of Cloudflare with, and I I, you know, I think about, you know, just the election. You probably could tell that I’m I’m not from Australia, and I have a US accent. And we’ve protected and and, you know, or protecting over 400 different election websites with our project, Athena. We protect these major events. You know, I think everybody in the US, if you go back, it’s almost a month. A month ago when we had the election, everybody was worried about cybersecurity. Everybody was worried about what would happen in the election and the tampering and and, you know, nothing happened.
Grant Bourzikas [00:31:03]:
And I think this is kudos to the government, you know, spending time and this is all governments. Right? Spending time thinking about this. You know, we’re offering free services to protect because we want, you know, a free Internet. We wanna be able to make the Internet a better place, or that’s the mission of Cloudflare. And I think it’s something that we need to pay close attention to. I’ll even talk about, you know, the Olympics. We, you know, we had a big say in what goes on with the Paris Olympics, and we didn’t see anything from a cyber attack. And, you know, as you look at this, these major world events are major targets.
Grant Bourzikas [00:31:41]:
And whether it’s, you know, somebody wants to disrupt operations, they wanna do something, you know, there’s always cyber warfare included, and it’s something we all have to pay attention to because it’s just too easy to disrupt operation from a cyber standpoint if people aren’t paying attention. And it’s easy. It’s super easy to make a mistake for these major events that, you know, they’re focused on bringing millions of people or millions of viewers or billions of viewers into these sites that they’re just not used to this. And this is something that we’ve tried to really do is you need help, let’s help you. Right? Like, that’s you know, we’re doing it for free. Right? Like, this is the best charity work that we can do, and it was something he talked with the government in Australia and many not for profits of, you know, if the organizations that need help, like, we have this Project Galileo for not for profit organizations that get attacked because they may be controversial, but they’re needed in the world. And these are things that I think are important for, you know, humanity to keep protected.
Karissa Breen [00:32:51]:
Do you think as well because, like, example, US election was just so high profile. Right? Like, it’s the most high profile election, like, in the world. Like, I don’t even watch the Australian election, but I watch the US one. So do you think that maybe people get absorbed into that? Like you said, with the Olympics, like, people get absorbed into that and then they sort of lose focus for a little bit?
Grant Bourzikas [00:33:09]:
I think with the election, you know, it was so polarizing here with all of the things that had happened. And, you know, whether you were Republican or Democratic, whether you were for Trump or whether you for Biden or Commonwealth. And it was very polarizing and people were worried, you know, about, well, was this election gonna be close? And, you know, was there gonna be fake balloting? And even from a Southland perspective, like I was so proud to be part of protecting the elections. And there was not a bleep of anything. Right. We saw DoS attacks. We saw DDoS attacks, but we mitigate them just like we do in real time. And I think there were even some speculation that, you know, websites we might be defaced and would distract around, you know, an election win nothing.
Grant Bourzikas [00:34:00]:
Right. I just think that was, you know, that was a win for cybersecurity. That was a win for democracy. I never thought would happen because you know, you gave us the daily topics, you know, even on Zoom and Teams and Google Meet, it was a daily topic about the election and what we were seeing, and you people were very sensitive. And you just watch, you know, what happened to where we are today. It was non cyber related. And I think, you know, even the US government learned over the last eight years how to protect the ballots. You know? We got they got help from companies like Cloudflare to protect, and it turned out to be a very, you know, good situation.
Grant Bourzikas [00:34:45]:
And whether it’s in the US, whether it’s in Australia, whether it’s in Europe, these are things I think are important is to protect the sensitive matters, the sensitive events, because, you know, one inclination of a cyber attack in any, you know, election will cause, you know, chaos. And I just, you know, I was proud to watch this and proud that it was a non event, which was pretty cool.
Karissa Breen [00:35:11]:
So where do you think we go from here now as an industry? We discussed obviously, you know, the election, the US, the landscape, the consolidation, what, how people are moving towards leveraging AI and embracing it. What do you think happens now, Grant?
Grant Bourzikas [00:35:23]:
Yeah. I think all these things that we’ve talked about is really where we have to focus, right? As we go from an industry, like we really have to play catch up and like in simple terms. And so when we talk about monitoring, you know, security, modernization, we talk about reducing complexity. And why I say this is I wrote an article that talked about the difference in the gap of where the world is going and where we are as a security industry at least fifteen years. And, you know, the thing I always think about this is, you know, I’m thinking about AI, how we’re using algorithms to parse data, how are we thinking about using machine learning and deep learning and true artificial intelligence to get better, you know, autonomous, as I quote it, you know, security operations and detection. You know, that stuff I’m thinking about three years, five years. Yet every security operations, everybody listening to your podcast is still trying to collect data into their SIEM and still trying to collect the logs into the SIEM, which is the same thing I was doing in 2010, in 2005. And so I think as an industry, we really have to think about this as how do we move the needle quick? You know, AI is gonna outpace us.
Grant Bourzikas [00:36:41]:
How do we start to leverage AI? How do we modernize our infrastructure? But if we can’t even capture our server logs, our Linux logs, you know, our router logs, we’re never gonna get there. Right? And so I think this is this kinda, you know, view of we need to play catch up. We need to think about how to modernize our architecture and move forward from an industry. So I think that’s one big component. The other one I think highly of is, you know, how do we continually build and develop talent? I don’t think there’s a lot of surveys on this one. Like, there’s a shortage of people wanting to get into cyber or there’s a shortage of jobs. I think we could fill every job in cybersecurity tomorrow if we wanted to, but they don’t have the skills. And so, you know, I watch it.
Grant Bourzikas [00:37:30]:
For every job I post, we have between 5,000 applicants. And, you know, there are people that want jobs, but we don’t think they have the experience. And so I think this other big component is how do we think outside of the box where we can actually develop people? And I also think some of the early in career people are the best because they work, they work hard, they learn, and we’re not even giving them a chance. And so I think this is something of how do we do this? And I talked to my team about this every day and it’s like, well, no, I have to have somebody with five years of experience. I have to have somebody with ten years experience. I’m like Cloudflare can hire the best people in the world and we get, you know, that’s an advantage. But when I worked at our company, I couldn’t hire the best people in the world. And I invested into early career people, and it was successful.
Karissa Breen [00:38:26]:
So, Grant, do you have any closing comments or final thoughts you’d like to leave our audience with today?
Grant Bourzikas [00:38:31]:
I think the first thing I think is have the courage to make big change. Right? Like, this is something we see in every organization is to have the courage to make big changes, take chances, and trust your people. Right? So I think as we talk about this, we know we have a cost problem. We know we have a complexity problem. We know AI is a good or bad thing based on our perspective, and we know that we have to embrace it. And so, you know, trust your teams, trust your people. I’ve seen amazing results from people when you empower them and challenge them to do major things. And so, you know, use that superpower that I think cybersecurity people have to make those big changes your organization has.
Grant Bourzikas [00:39:16]:
And it’s funny. We have to do these things to go faster. Right? And so Right. I think as we look at this, you know, we have to modernize our portfolio to be able to catch up to 2024, 2025 technology when you really should be thinking about 2030. So I think that’s something that I always encourage because, you know, we’re often scared by these changes and the what if scenarios because that’s what we do. We what if everything as cyber professionals trust our people and let them show all of us how solid they are.