Security Unfiltered

The Future of Encryption and Digital Safety With Ameesh Divatia

Joe South Episode 158

Send us a text

What if you could unlock the secrets of a thriving tech career and learn how to safeguard sensitive data in the digital age? Join us for an insightful episode featuring our special guest, Ameesh Divatia, who shares his captivating journey into IT, sparked by reading tech articles in Time magazine and National Geographic. From his early fascination with electronics to pursuing electrical engineering and navigating the evolution of technology, Ameesh offers a unique perspective shaped by experiences in tech hubs like the San Francisco Bay Area.

Ever wondered how stepping out of your comfort zone could propel your career in tech? We explore this theme with personal anecdotes about embracing discomfort for continuous growth, inspired by my father's philosophy. Discover how Amazon, particularly AWS, has revolutionized modern life and shopping habits. Learn about the dynamic culture of Silicon Valley, where rotating between major tech companies brings fresh perspectives. The episode also features an intriguing story about hiring practices and the essential lessons drawn from past cybersecurity breaches.

Finally, we tackle the critical challenge of securing sensitive data in today's interconnected world. Dive into advanced topics such as cryptography, privacy-enhanced computation, and the looming threat of quantum computing. Understand the pivotal role of human factors in cybersecurity and how changing attitudes can enhance protection measures. This episode wraps up with insights on mastering encryption concepts and the importance of collaboration and simplification in the learning process, providing you with the knowledge to navigate the increasingly complex digital security landscape.

Support the show

Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today

Speaker 1:

How's it going everyone? So, before we dive into the episode, I really want to say thank you to everyone that is listening in, that's tuning in, that's enjoying this content and getting value from it. I really love that. That's why I do it following the podcast, and I really want to encourage you to please follow and subscribe the podcast on whatever platform you are listening or viewing this on. It really helps out the podcast, it helps out the algorithm, it helps more people hear this content that you already find helpful and that they hopefully will as well. So, if you go ahead and subscribe or follow the podcast on any platform that you're listening on and please share it with your friends, that'd be great. All right, thanks everyone. Let's get into the episode. How's it going? Amish, it's great to finally get you on the podcast. We've been planning this thing for a while and, coincidentally, my kid just tends to get sick every time we do it, so thankfully, today she's finally not sick.

Speaker 2:

It's good to hear Joe Great meeting you and, yes, I'm looking forward to this chat.

Speaker 1:

Yeah, absolutely so why don't we start with how you got into IT right? Just IT overall. You know what made you want to go down that path. What was it about you?

Speaker 2:

that kind of interested you you know, in the field and whatnot. Well, growing up, um, I was always intrigued by what was happening around me as far as new things in technology. I remember a very clear memory of being in high school and this was back home in india. You know there was no internet back then, as it's difficult to imagine right now, but I distinctly remember Time magazine designating the computer as the man of the year, if you will Got my attention.

Speaker 2:

National Geographic carries this cover story about microchip being the most important innovation in a long time. So I started to get intrigued about what used to be referred to as electronics, if you will, and that got me into the whole tech game. So I studied electrical engineering and got interested in communication networks. Actually back then, actually um, back then. Um again was one of those um, really crazy moments when you know one of your alumni comes back to alumnus, comes back to and talks to you and said, hey, this is something that's cool and that's how we got interested in in networking and eventually um in in it.

Speaker 1:

Yeah, it's, uh, it's. It's fascinating how people got into it back then at that time, right, because it was kind of such a new thing Like today. You know the people that are starting to get into it today, right, that are at the beginning of their career, they've never lived without the internet. You know they've never really lived without a cell phone, like in the marketplace. You know, in their house. Like in the marketplace. You know, in their house, like at least when I was growing up, I mean, a cell phone like that wasn't even in our vocabulary. Basically Cell phone, what am I going to do with that? I have a house phone. Call my house if you want to get a hold of me, you know.

Speaker 2:

Yeah Well, I grew up in the rotary phone world where you know half the times you'll get the wrong numbers because the dial has dust stuck inside it. But anyway, fast forward. Actually thanks to an Uber driver I was once with who reminded me that the first app actually was developed in 2007. 2007 is not that long ago, you know. So the pace of change is definitely something that is extremely, extremely rapid, and that's what makes it exciting. I think that's what makes it exciting to be in this space, in IT and specifically in cyber.

Speaker 1:

Wow, the first app was developed in 2007. I didn't even realize that that is wild.

Speaker 2:

My Uber driver once told me that's wild.

Speaker 1:

I mean, I was in high school in 2007. You know that's crazy how quickly this field has kind of exploded. Did anyone from what you remember, did anyone back then kind of think that it was going to become what it is today?

Speaker 2:

Obviously not Even in magazines or anything like that I'm sure there were sci-fi writers who were thinking about, you know, flying saucers and augmented reality and all of that. But nobody ever thought that we would be in this age where, suddenly, you know you didn't have to write a paper, you know CatGPD wrote it for you, you didn't have to lift your finger and food shows up. And you know stuff shows up reliably, you know, within the hour of what is predicted. So we've come a long, long way from where we were. But I don't think when you don't have what you know, what you don't know, it's not like you miss it.

Speaker 1:

But obviously we're all better off with innovations that we've all developed together. Yeah, that's a really good point, you know, that you bring up and for some, I guess, maybe some interesting reason. My mind goes to like the uncontacted tribes in the Amazon, right, people that are still back in the Stone Age, essentially that don't want outsiders. I mean, I guess they have a very valid point for why they don't want outsiders because their immune systems are very vulnerable compared to ours and I. It's just, it's fascinating, right, because you would think injecting technology, injecting modern medicine and things like that would improve their lives. But it actually impacts them in different ways and they're kind of, you know, very against it, right, like they're pushing against that grain to say like no, we want to stay, you know, like this, you know. And they also don't know what they're, what they're missing. So if you don't know what you're missing, you're not missing anything. That's exactly it.

Speaker 2:

Right, it's a matter of perspective, and actually the the reverse of it is true. When it comes to people like us, who are in tech especially. You haven't seen anything until you've actually come to a place like the San Francisco Bay Area. Right, it's just something that I had read about it. I had, you know, thought about what it would be like, but it was completely different. The part that actually completely blew me away was, first of all, how small it was. Geographically it's such a small area.

Speaker 2:

And the other part that's always fascinated me is about how it's not a zero-sum game, right, everybody here is from somewhere, and everybody here got their start from nothing, so we sort of feel obligated to help others to get going as well. And that's the part that really got me into that whole idea of, hey, we've constantly got to push ourselves to build something better because somebody else did it before us. How do you start from nothing? It's amazing. You literally just walk down the street and you go to a leasing office. Back then I'm talking about today I don't think you would do that, but I literally just walked down to a place and said I need space. They did not ask me for my credit record. They did not ask me for references, they just said here, here's the suite, this is what you have to pay every month, and that's it. I had a place. Now I could get people over to start brainstorming.

Speaker 1:

Everything and that's it. I had a place. Now it's well. I guess it's it's less scary. The younger you are, I would say, right, like now I've. You know, I have a one-year-old at home. Right, I have a wife, I have a mortgage. I can't just quit everything and start over. You know, completely fresh, like even if I were to do that, it's like okay. You know fresh, like even if I were to do that, it's like okay. You know you need to empty out your retirement, utilize all of your savings. This is your burn period and all that. You know, uh, it's. It's a really fascinating area and time in someone's life when they're when they kind of identify that you know where it's like, hey, I have, you know, very limited responsibilities right now, so why don't I throw my whole self into this thing? And where it's like, hey, I have, you know, very limited responsibilities right now, so why don't I throw my whole self into this thing and see where it takes me?

Speaker 2:

Yeah. So, by the way, it's still scary. I mean, we're all responsible adults, right? Yeah, we don't want to depend on somebody else, but there's some secrets there that you need to unlock in order to get there. That you need to unlock in order to get there.

Speaker 2:

First of all, you know, get a partner in life that is more accomplished than you are. Number one, number two, somebody who you can depend on. So you know, when I decided to do that, I had two things going for me. First, you know, I had a wife who had a very steady job and I didn't have to worry about the mortgage or worry about the bills. And secondly, I had a boss who was extremely supportive. I still remember distinctly, you know, when I came to actually quitting and wanting to go and go down the entrepreneurial path, which I did about seven years into my journey I went to my boss and said I'm still scared, and he said you know what? Just go, take the chance, just go do it and if you don't like it, come back in a month, and that's all you need, right? That's a lifeline, and I never turned back after that. But again, I always feel very blessed to have all of those things that helped me get started.

Speaker 1:

Yeah, that's a very unique situation Maybe not too unique right when your boss told you take a month and give it a try and if it doesn't work out, come back right. Unfortunately, there's some bosses out there that would say that's never going to work, don't waste your time. I think when Jeff Bezos was starting Amazon, his boss and his friends were all telling him you have a good life, you're not going to duplicate it outside. Why are you going to create something from nothing? They were telling him not to do it, not to duplicate it outside. Why are you going to create something from nothing? You know they were telling them not to do it. You know not to take that risk.

Speaker 1:

Now, it's really hard to imagine a world without Amazon. I mean like AWS. It's hard to imagine a world without AWS. You know Jeff Bezos obviously didn't found AWS or whatever. The name. Aws is synonymous with Amazon. Now, you know you can't. I don't buy anything before I check it on Amazon first. Is it available on Amazon? Is it cheaper on Amazon? Do I get it faster on Amazon? And if it meets those things, you know I'm getting it on Amazon. Right, like, and I'm sure millions of other people do that exact same thing?

Speaker 2:

Yeah, but this is what I tell everybody that I happen to mentor. If it's somebody coming out of school, somebody starting their job, getting comfortable around having a job or sometimes uncomfortable and wanting to quit, you always want to challenge yourself. One of the things that I always done very early in life and I saw it being done right now I saw my father doing it all the time where if he felt like he was in a comfort zone, he was always trying to get out of it. We're all trained to actually fall into our comfort zones. You know that. Stay within that. But as soon as you do that, you are limiting yourself. So every time you feel that you are limiting yourself, so every time you feel that you want to break out of that mold and you want to challenge yourself. And it's amazing how, once you do that, you feel so empowered. You feel like you can do anything at that point Because you broke out of your comfort zone and you did something that was uncomfortable.

Speaker 2:

I mean, most uncomfortable thing that anybody can do is selling a product or selling yourself. First of all, it never comes naturally to anyone and no matter what your personality is. I know there are some people who are born salesmen. But if you really ask them, it didn't come with them. Naturally they developed it, but it is again. It's something that you have to do because it's the most difficult thing to do out there. Call calling, you know, approaching somebody at a party and just say, hey, what's up? But you have to do that, you have to break out of that comfort zone.

Speaker 1:

Yeah, that's. You bring up such a good point, you know. And I look at this in my own life and sometimes I try to almost check myself at the door right, like, hey, why are you getting uncomfortable right now? You have a good job, you have a good thing going on right now. Why are you trying to switch everything up?

Speaker 1:

And it's something about being comfortable for too long. It's okay to be comfortable in your current situation, right, for a certain amount of time. That certain amount of time can be different for for everyone. I give myself, you know, one to two years, right. But at some point you're not going to grow anymore, you know. And when you don't grow anymore, there are some people that get very comfortable in that situation. They stay because it's what they've always known, it's a stable job, you know, and they don't venture outside of that, right. But the people that when they, when they get comfortable and they start pushing themselves to learn new things, you know they tend to grow a lot more and they end their life, at the end of their career or their life right, in a very different place than where they ended up. And if you were to ask them if they regretted it, they would say you know more than likely that they didn't regret it and in respect of the outcome, right uh, of the outcome.

Speaker 2:

You may fail, but you never regret it, that's the.

Speaker 1:

yeah, I think I think even you know, even in failure, even if you, I think, even you know, even in failure, even if you put everything into something you know and you truly believed in it right, and it didn't work out, you know that's not a failure. You, you just learn something about yourself. You learn something potentially about you know, that industry that it didn't work in, or whatever it might be, failure isn't always, you know, as cut and dry as. Did I make money from this thing? Did I become rich from this thing, or did I not? You know, I feel like it's not as cut and dry.

Speaker 2:

And that's the other thing about a place like Silicon Valley right, you're not judged based on outcomes. I mean, to some extent, everybody gets judged based on some outcomes, but in a place like this, you always have another chance. You always have the ability to go to the next thing, having the lessons learned from the previous experience, good or bad.

Speaker 1:

Yeah, that's probably why. That's probably why, for a while there I mean, maybe it's still going on. Even like in the big tech Silicon Valley companies you know Facebook, apple, nvidia, microsoft their employees would rotate between those companies, typically like every six months even. And it was a very common, very common thing that I was, you know, reading about is because they, they, you know, as long as, like, you're not the culprit of a breach, you know that costs them a whole bunch of money. And now you're before, you know, congress, right, um, as long as that doesn't happen, which is far less than 1%, you know you're able to take those lessons learned and bring them over here and you can transform processes, you can adjust how the business is running so that those same mistakes are not going to affect your new company and whatnot.

Speaker 1:

And it's not as accepted everywhere else, even within the country, right, because I remember a time when I was working for a credit bureau, the CISO hired someone from a company that recently had a massive breach at that time and the company before that he was at, that large company that had the breach, also had a breach. So this guy went through two massive breaches. That you know, everyone in the country you know you, if you name the company, everyone would know it right, probably even worldwide. Everyone really kind of critiqued our cso for bringing in this guy. Um, because we're like what's he going to teach us? Like how to do it wrong. But everywhere else, or at least in silicon valley, that mentality is completely different.

Speaker 2:

Well, and it's spreading right, Even within tech. Now, all of that is spreading because we know that we are fighting a war where the adversary actually has unlimited budget and unlimited number of people that they can throw at it. Right, that's what nation-state actors are. So that's where we are always playing catch-up from a security perspective, and that's where we're always playing catch up from a security perspective, and that's where we feel that, you know, something needs to change. You're starting to see this already actually in security. Now. You know, sim was something that was considered to be the standard way to actually monitor threats and now it's being reimagined. You know, it's a new way of looking at threats. I think that's a good beginning because, as the industry evolves and we're at $100 billion, going to $225 billion in four years in terms of cybersecurity budgets, we'll have to reimagine how we are doing things, because the fact is, breaches are not stopping, and that's really something that A lot of the times they're increasing.

Speaker 2:

They're always increasing and getting more and more punitive as well. Right, they're becoming more difficult to manage even at the individual level, so we have to reimagine how we protect sensitive assets in the cloud?

Speaker 1:

Yeah, in security. We always say our job security is based on the last big breach. That was in the news, right? Because it's very easy for you to justify why you're there, what you're working on, the budget that you need, when you can point the finger and say, hey, look at that, they're our competitor, they're in the exact same space as us, they had a similar security stack as us and they got breached. See, this is why I'm asking for the additional $50 million to go and augment the security stack. It's a huge, huge selling point.

Speaker 2:

Yeah, well, you know, as solution providers, we tend to avoid a lot of that ambulance chasing. I'm sure this happens from an internal perspective, justify budgets. What we really believe is, from a design perspective or from an innovation perspective, we want to make sure that we enact proactive controls rather than continue to invest in reactive controls all the time. If we architect something right and we make sure that you have what is known as an assumed breach posture, which means that you're assuming that things are going to go bad and somebody is going to get into your network, we want to design the pipeline in such a way that the sensitive data, even though it is stolen, it's useless. That's what we really are trying to do from a, from a, from a data pipeline design perspective.

Speaker 1:

That's really fascinating. So let's, let's dive into it a little bit. You know, let's talk about you, let's talk about the company that you had to go in there.

Speaker 2:

I remember back in the day, you know, when I was first starting out in college. You know you had these mainframes and you had to go and punch cards, drop the cards off and come back the next day to pick them up. Now you know that those days are the most secure because there's nothing leaving that particular environment unless you had the ability to get inside the building and take things. Well, for good or bad, those days are gone and everything is everywhere. So the most important problem that we solve is that when you have your sensitive data in infrastructure that you don't control, you want to make sure that nobody else has access to that data other than yourself. And this is where cryptography really helps, because if you are able to secure your data by encrypting it with a key that you control, nobody else can see the data unless you authorize them or you go in there and actually use the key to retrieve.

Speaker 2:

The data is locked down, you cannot manipulate it, you cannot process it. So what's the use of having an asset that you cannot use, right? So that's where the second innovation comes in, where we have figured out how we can actually process that data without still revealing it in the data store environment where the administrator of that infrastructure can see the data. So the category is called privacy enhanced computation or the more simplistic term is data-centric security, because you're securing the data all the way down at the record level and you're keeping it secure so that it fails safe If something really bad happens. Somebody gets in there. They only get encrypted data. So encrypted data is useless from the perspective that you can see it. But, more importantly, it also does not trigger any kind of notification requirement, so you don't have to tell anybody you were breached because you only lost encrypted data. So it helps you from a lot of different perspectives, but most importantly, you're able to control your assets on infrastructure that you don't know.

Speaker 1:

So is this similar to homomorphic encryption?

Speaker 2:

In principle, yes, because of the fact that homomorphic encryption is really defined as being able to encrypt data and then discard the key. You can throw away the key, but you can still process it. It's a very fascinating technology. It's been around for a long time, in academia especially, but it's never been practical because it slows things down by a factor of a million sometimes and all the computers in the world cannot really do much to accelerate it, because cryptography is designed to make sure that it's very difficult to process data that is encrypted.

Speaker 2:

There's lots of optimizations that have been developed over time.

Speaker 2:

One of them is what we pursue.

Speaker 2:

We actually call our technique secure multi-party compute, where what we're really doing is taking a secret you know, a piece of data, for example and splitting up the operation or manipulating that data into multiple pieces. So if you steal one or a few of these call them shares you'd only get part of the secret, so you cannot reconstruct the data. You would have to compromise all of it, which just makes it so much harder compared to what it is today, where you can just go in there and steal a piece of data from a data store. So that's the whole race that we are in right. What we want to do is we want to make sure that the need and the ability to actually compromise secrets takes effort. That is a lot more than what it's worth. You always want to keep ahead in that race. That's really our job as security professionals to make the job of the hacker harder than it is and make it as unprofitable as it is development, a technological development that would, you know, potentially give hackers like the upper hand against this sort of technology?

Speaker 1:

right, because it's like a cat and mouse game, right, where you know the hackers, you know, find a new way to do something. They have more computation power, they have more, you know, zombie computers to do a larger DDoS or whatever it might be right, and then the technology side of it picks up and it eliminates all those threats, right, but then sometimes the hackers find a new way of handling it. Is there something like maybe supercomputers or quantum computers that you could think of, right, that may pose a risk to this, or is it more of a post-quantum resistant technology?

Speaker 2:

Yeah, let's talk about two things actually technology and people. Technology part is relatively straightforward. Quantum absolutely has the potential of breaking encryption. In fact, some people say it's already broken it from the perspective of breaking PKI Not necessarily symmetric encryption, but it does definitely affect asymmetric encryption. But now we already have algorithms that are quantum safe. We're trying to catch up in that race to make sure that that doesn't happen, because a lot of people are doing a lot of hackers are doing what is known as harvesting. They store encrypted data waiting for current control so that they can eventually decrypt it. I think we're mitigating a lot of those risks by developing quantum safe technologies and I think technologies will continue to always keep pace because there's a lot of incentive to go do that.

Speaker 2:

The part that is more difficult is people. Most of the hacks happen because people are irresponsible. They just take shortcuts for business reasons to ignore security practices like encryption, for example, until it is absolutely necessary to do it, to do it. And that's where compliance really really helps, because now you have another set of capabilities, another set of controls that come in to make sure that such things don't happen. You make sure you have to go through checklists and make sure that those particular data stores are encrypted, so that will change behaviors.

Speaker 2:

I think the other part that's also very interesting is and we talk to security practitioners all the time I think what is happening is investment in security are being perceived more and more as competitive differentiators. Back to this issue of oh, your competitor just got breached. You know, how safe are you? The fact that you are adapting to and adopting better controls is considered as a competitive advantage. Fear only goes so far. If it's a necessary evil to do something. People will always drag their feet. If we make them look better, there's a better chance that they will adopt those kind of controls controls so that's where I feel like you know well, technology will always be there and will always keep improving. The attitudes and the approaches of individuals or people are definitely changing, which tells me that we're going to do the right thing going forward.

Speaker 1:

Yeah, you bring up a very interesting point there that you know. I was having this conversation with someone else recently. They were saying that the technology or the security of these systems are significantly better than they used to be. Spend that much time trying to get in via old methods of doing a port scan and seeing what's available and trying to manipulate requests in certain ways. Right, they just go straight to the people and try to fool the people as best as they can to get access, because they'll spend so much time doing the technical route that it doesn't even make sense to spend that much time on it up front.

Speaker 2:

You're only as strong as your weakest link right, and in this case, people are the weak link. Yes, technology definitely has some weaknesses as well. Supply chain vulnerabilities are a big thing and they're well known, but everybody has really really good controls now, every time you release something, you go through all of those testing. It's becoming more and more automated. Ai is helping tremendously in that area as well. So I think it's about the people. That's where we need AI to really help. We can make sure that people get alerted about certain things that happen around them when they get phished, so I think there's a lot of potential there as well.

Speaker 1:

Is there any limitations with your solution with large data sets? I ask it specifically because you know, when you think of encrypting, let's say, a SQL server, right, you're not going to encrypt the entire hard disk of a SQL server because the performance is significantly degraded. Right, you encrypt, you know, rows and and sometimes a whole table, but you'll you'll typically do rows and columns of sensitive data and encrypt it that way, right? But maybe because this is a quantum resistant solution, it doesn't have the same problems as full disk encryption speed issues have. Have you seen anything like that?

Speaker 2:

So this is where the cloud really really helps, right? One of the biggest reasons why we exist is because of the cloud. Infrastructure is so much easier to obtain because of the fact that it's all on demand and the configuration aspect of it. Containerization is something that is really really important and useful when you're putting in this kind of capability, putting in this kind of capability. To answer your question about scale, the biggest reason why we believe we have no limitations of scale is because we use cloud resources. We are instantiated in the cloud, in the customer's environment. We are able to scale with the infrastructure as it is deployed and it's adaptive. You know network load balancing, you know containerization, failover. All of that happens because of cloud technologies that are now available at scale.

Speaker 2:

Full disk encryption actually had a different purpose. There was a reason why you would do full disk encryption back in the day because disks were getting stolen or lost. Nobody has a data center in their basement anymore, right? The data centers are centralized, they're locked down, they're physically very secure. So even if you had that capability, it is useless.

Speaker 2:

What you want to protect is the data while it is being manipulated, while it's being used, and that's where the column level and row level encryption is the way to go In terms of performance impacts and whether you want to do all of it or none.

Speaker 2:

Well, obviously, doing all of it is the easiest way to do it right, because you don't have a way about what part is sensitive and what part is not, but you know it has implications about how it is processed and everything else that goes with that, so it becomes a cost versus performance trade-off. What we like to suggest is find the data that is sensitive and then protect it using these scalable techniques, so that the volume of data from the number of rows you have shouldn't matter. If you talk about the other dimensions and the columns of data, there may be some data that is not sensitive and there's no reason to encrypt it, and that's where we like to make sure that the customers have control of granularity. It's not an all-or-nothing thing. You want to pick what you want to protect or what you are protecting. You want to protect it throughout its lifecycle, from creation, use to when it's discarded.

Speaker 1:

Now with, I guess, legacy encryption, it's highly dependent upon the usage of keys and the security of those keys. Is there any key usage that is dependent with your solution, or does this solution take keys completely out of the mix?

Speaker 2:

Now again, we're utilizing existing key management mechanisms which have been there, which have been standardized, which are extremely secure. The whole HSM KMSs that were created are very, very secure. It's just that nobody utilizes them to the full.

Speaker 1:

You know.

Speaker 2:

keys become dormant, you don't rotate them often enough, you don't put them in the right places. All of those things are what we have addressed very, very well. We also use envelope encryption, so you don't have to re-encrypt the data every time you are rotating the key. So what we are able to do really is to put security best practices into action without creating a tremendous amount of operational overhead. You set up the policies, you define what your sensitive data is, you say how often the keys are to be rotated. Everything happens automatically. We manage that whole process. You don't need to actually do it manually, and that's where, again, the operational efficiencies are. The most important benefit of using our solution is over the long term.

Speaker 1:

You know, I got to say it's really impressive that you're this technical, that you're this in the weeds, that you're able to, to speak to the solution this. Well, this is not an easy topic to talk about. Encryption is always, you know, maybe the last thing that I want to study for a test. Right, it's uh, it's, uh, it's the thing that I hope that I somehow get right. You know, um, that I don't have to learn it too much.

Speaker 1:

I remember when I was studying for my ISC squared certs, I spent the majority of my time on the encryption part, because it was just so difficult to conceptualize and understand what sources helped you learn encryption. Because what we're talking about right now is legacy encryption, something that everyone has done, and now we're talking about a new solution that is quantum resistant, right, that is kind of almost being invented as we create it. You know, like that's really what we're talking about here, and so that is extremely, it's extremely difficult to understand and, like, comprehend it. Right, like tomorrow, if you were to ask me what we were talking about, I would probably say I'm not sure, because, not because I forgot about it, but because I don't, like I stand it in the moment, right, but then regurgitating it and understanding it in a day is a totally different story. So how did you pick up this skill set and how did you learn it?

Speaker 2:

I highly recommend that you do that right. The regurgitating part and teaching somebody else is the best way to learn. Well, obviously, I give my team a lot of credit. My co-founder is a mathematician, you know. He's extremely, extremely knowledgeable about the space. And then, as we built the team, you know I always paid attention to how we were building it and I always wanted to break it down to how I can actually extend it to somebody else, especially a customer. So that's a skill that you always want to have, which is that you have to be able to regurgitate it and be able to field questions as well, because that's what happens all the time on customer calls.

Speaker 2:

Why is it important? How does it actually work? You don't have to get into the weeds, I don't have to write the formulas, but at least I need to understand the concept of exactly how we developed it, how it works. What I like to do is actually break it down to simple pictures that I draw and then validate it. I've always validated because I don't want to make anything up.

Speaker 2:

So it's been a fascinating journey. We've really built something that we're really proud of. But I can also tell you that you know, the core technology is something that you build in the early days. Most of the work after that is just about adaptation. You know there's so much change. Again, going back to what we talked about at the start of the podcast, which is the pace of change is just relentless. Every cloud has a slightly different variant of how they do orchestration, how they do key management, how they do containerization, and that's what we deal with a lot on a day-to-day basis. The core technology was something we developed in the early years and we are able to defend it quite effectively also.

Speaker 1:

You bring up your co-founder being a fantastic mathematician, right, and I remember getting into IT right and going down that path. I never, I never would have guessed that a mathematician would play such a pivotal role in IT right, in technology overall. But you know, truly they're kind of, you know, the unsung heroes of all of our underlying security and tech. Like, if the mathematicians get it wrong, right with the encryption protocols and whatnot, then there is no security, there is literally no data encryption. There's nothing you can do about it. You know.

Speaker 2:

Yeah Well, all of us going through high school always hated basic sciences, right? Math and physics is what drives tech for the most part. And again it goes back to the one thing that I always had which has helped me is I always want to know about the big picture. When you're learning about a math algorithm or encryption and you don't have the vision of, hey, someday I can prevent breaches if I learn this, it's boring, it's not interesting, and that's where media and, back in the day, printed media had such a big impact. You see, something like this is a magazine cover. This is cool. If I can be part of it, there's probably something that would be exciting. That's a very important thing to have. Always try to look for the big picture. Don't get mired in the details and forget about why you're doing what you're doing.

Speaker 1:

Yeah, that's extremely important For me as a cloud engineer.

Speaker 1:

It is very easy to get just thrown into the weeds and you know, you come up for air and it's like man, I don't even know what I'm working towards Like, I don't know why I'm doing all this stuff, and that's a very common thing on the technical side of security.

Speaker 1:

And I feel like it may even be the opposite problem for, like the architects, necessarily right, because I'll give you an example, my current architect, you know, created a fantastic reference architecture for the entire environment. You know where everything is positioned and everything like that, right, well, I was looking at it, and I was looking at it from a technical perspective, from an engineering mindset, and I'm just saying to myself when would I ever reference this? You know it's a reference architecture, right, but when would I ever actually reference this in any of the in the weeds sort of work? Right, and it's important to have that blend. It's important to be technical, to be able to handle the technical side of things but to also relate it in a overarching bigger picture sort of thing. And I guess that's where CISOs come in, right, they kind of take it from all the people that are in the weeds that don't really come up for air ever and they translate it into consumable PowerPoints right and consumable slides for the executives to understand what's actually going on at the company.

Speaker 2:

It will fly up and down right, go from NGA to the 50K level and back downs, and I think the biggest job to CISO is always to justify it from a business perspective. If they just put security up front as a good practice, it's not likely to get as much mileage, because the CFO doesn't really understand why they are doing certain things. They can clearly outline the business benefit, which, in this case, is very easy to do. Right, you're making your sensitive data consumable, especially in this AI era where you're required to share data now. Earlier it was a choice, now it's a necessity. You have to send your data to an LLM to be able to get better outcomes. Being able to justify it based on such business drivers is really the secret to making sure you get the budget that you want.

Speaker 1:

Yeah, and it's really interesting how seeing it from that 10,000 foot view enables you to be better in the weeds. You know, so to speak, right, Be better on the technical side of things and everything, and so it's just. It's an interesting perspective that I think people overlook. You know that they don't put too much weight into it, right, but it would really improve you, really improve their workflow and what they're doing and why they're doing it. Well, Amish, this has been a fantastic conversation, but we're at the top of our time here and I'm always trying to be very cognizant of my guests' time. We're all so very busy. So, before I let you go, how about you tell my audience where they can find you, where they can find your company, if they want to learn more and if they want to talk to you more about this?

Speaker 2:

First of all, Joe, it was a pleasure. I always love these podcasts because it goes so fast and I love the free-flowing nature of it, and I think we covered a lot of ground here. So I would love to hear from your listeners. The company website is baffleio and I am Amish D at Baffleio. I look forward to hearing from them.

Speaker 1:

Awesome. Well, thanks, amish, and thanks everyone for listening to this podcast. I hope you enjoyed it.

People on this episode