Our Business Continuity Team is monitoring the situation closely and all company personnel are kept up to date via multiple internal communication channels including a live chat room. Customers and the public are encouraged to visit this blog post for the latest information.

You can check the status of our network at www.cloudflarestatus.com. For COVID-19-related questions that aren’t answered below, please contact our Customer Support Team.

Yes, Cloudflare’s Business Continuity Team is a cross-functional, geographically diverse group dedicated to navigating through a health crisis like COVID-19 as well as a variety of other scenarios that may impact employee safety and business continuity.

In addition to Cloudflare’s existing Disaster Recovery Plan we have implemented the following strategies:

• Daily Business Continuity Team meetings to determine if updates, changes, or communication need to be provided to customers, partners, and employees.

• Global monitoring of COVID-19 related events and impact.

• Tailored business continuity plans per office and function, including work from home policies and regional resources.

Fortunately the nature of Cloudflare business is digital and rarely requires in-person activity. At this time we do not anticipate significant impact to products or services. Some teams are adjusting to teleworking but at this time we have not identified a service-level impact.

Troubleshooting and maintenance of the platform is performed by Cloudflare employees in globally dispersed locations. On-prem support is not required for the vast majority of our products and services.

Products can be used without the need for manual interaction from Cloudflare employees.

Cloudflare does not have call centers. Our support personnel will continue to provide assistance 24 hours a day to customers no matter their location as usual.

Yes, Cloudflare has implemented travel restrictions to countries as recommended by government agencies. Employees are encouraged to postpone all non-essential business travel at this time including inter-office travel. We are monitoring regional guidance from health authorities and updating our requirements as needed.

Cloudflare has taken an extra step to work with critical business partners and suppliers to ensure that there will be minimal to no impact to the business or our customers.

Cloudflare offices in the US, EMEA, Sydney, and Singapore are physically closed and we have moved to a full teleworking model.

In Beijing, employees have been split into two groups. Each group will be alternating between working from home and working in the office.

Cloudflare’s business continuity team has worked with organization leaders to prepare for the challenges of COVID-19 and many other scenarios. We are confident in our ability to limit impact to services because of our preparation.

At this time we do not anticipate any service disruptions due to COVID-19. We are monitoring the situation closely and will update as information becomes available.

Due to the nature of the Anycast network, we have over 200 Points of Presence (PoPs) that manage failover traffic. Traffic would simply be rerouted to other locations. Learn about the Anycast network here: https://www.cloudflare.com/network/.

The Infrastructure and Engineering teams are working proactively to ensure that enough capacity is available at our most critical PoPs. We feel confident in our ability to service our most critical facilities with our approved partner.

Our Customer Support Team is fully operational and will reach out as they would with any other outage or incident. Methods vary based on contract.

You can check the status of our services at www.cloudflarestatus.com. Additionally, our Customer Support Team is fully operational and will reach out as they would with any other outage or incident. Methods vary based on contract.

For questions not answered above, customers can reach out to our Customer Support Team via normal means.

Competing for security talent in the tech industry - where every company is investing heavily on security - isn't easy. But, in 18 months, we have grown our team 400% from under 10 people to almost 50 (and still hiring). We are proud that 40% of our team are women and 25% are from an under-represented minority. We believe from experience, and the research shows, that more diverse teams drive better business results and can be a better place to work.

In honor of International Women’s Day this Sunday, we wanted to share some of our lessons learned on how to build a diverse team and inclusive culture on a modern security team.

• Our effort to build a diverse team starts from the moment we draft a job posting. We try to choose language that will resonate with a broad set of candidates, and question proposed “prerequisites” for a role such as college degrees or a minimum or maximum set of experience. For example, we choose language that invites people looking to grow, and avoid militaristic terms often seen in security job descriptions.

• We are open to considering multiple locations where a role can be based. Cloudflare has 13 offices around the world. We have been flexible in which office our team members can join.

• We don’t rely on one hiring source. We strive for multiple hiring sources. We appreciate employee referrals and do company-wide presentations frequently to keep our team’s open positions top of mind across our 1200-person company. We love candidates who apply through Cloudflare's online careers site because they read a Cloudflare blog post and find it interesting, or are a happy Cloudflare customer in some way. We help fuel this source of candidates by writing blog posts on a wide range of topics like here and here. We also believe in proactively reaching out to potential candidates (see more in the next point). Having three strong channels in which we are meeting candidates makes hiring a bit easier.

• Proactively reaching out to passive candidates can be hard for some hiring managers. We work hard to make everyone on our team better at this. We partnered with our recruiting team to train our security team on how to use LinkedIn and Eightfold to find potential people to reach out to, and we encourage our leaders to go to meetups and the networking components of conferences and to ask respected industry peers for referrals. Our hiring managers then reach out directly with a personalized message. Our response rate is over 10% when we take the time to personalize the messaging to fit the particular possible candidate.

• We think long-term about team-building and know that it might take six months to a year to close promising passive candidates. We build a relationship by sharing updates on the company as well as new problems we are trying to solve, and over time we have seen these candidates come to appreciate the company and work and then join our team.

• We do proactive engagement at a number of conferences and events such as the Grace Hopper conference, AfroTech, and the International Association of Minority Cybersecurity Professionals events. We also look to build relationships and hire through organizations dedicated to placing minority candidates such as Path Forward.

• We leverage our internship program to broaden our candidate pool and change perception about viable backgrounds for roles. It is easier to convince people to consider candidates from less “pedigreed” schools or with skills developed outside traditional educational paths through direct exposure to those who’ve taken different routes but share the same passion for security. We’ve found some amazing interns who’ve proven themselves on short intern stints with us, and already progressed into full-time roles.

• We make sure we put together the right interview panel for the candidate: that means not only evaluating the candidate thoroughly but also giving the candidate the opportunity to look across the table at someone they feel comfortable asking “can someone like us succeed here?” You are not just using the interview process to evaluate the candidate, you are showing the candidate who you are as a team.

• We hold ourselves accountable by reviewing metrics on hiring and retention. Our company leadership team gathers once a week to review data on how the entire company is doing, including looking at how we are doing at building a diverse workforce and what we can do to improve. And we don’t just look at diversity in general, we look at diversity across management, and for those in management, we also consider things like span of control.

• We also get great support from our co-founders and other executives directly in our hiring process. They are always willing to spend extra time introducing people to the company, our mission, and our values. One of them will always be the last person to meet the candidate on their final interview. You can’t beat a welcoming message from the top.

The work doesn’t stop with getting a great set of people with complementary skills to come work at Cloudflare. To us, diversity is a means to the end of developing a highly productive team, not an end in itself. And, it turns out that hiring a diverse team is not a moment to celebrate success, it is a moment where leadership responsibility increases. A diverse team - made up of people from various backgrounds who don’t automatically feel at ease with one another - is not a guarantee of success. To cultivate a truly productive team requires a culture of openness to differences and a willingness for people to share their unique perspectives with people who are different.

We obsess over making sure all these great people who decided to join will also decide to stay for the long-term. We identified a number of ways we could build a community that welcomes people from different backgrounds and celebrates open debate.

• We’ve moved on from the media-favored image of security professionals as “hackers” and instead focus on innovation and empathy as our core values. We believe our role is more akin to a scientist designing a cure for a disease, a teacher helping a student solve a hard problem, or a nurse responding to a person in need of treatment. While we still need the skill to be able to break things and consider the attacker mindset we are responsible for combating, we will not succeed if we cannot stand in the shoes of our customers and empathize with their plight when we roll out painful security requirements.

• We talk regularly about how team members must have a stronger than usual commitment to developing the “psychological safety” necessary for everyone to believe their opinions are welcome and valued and will contribute to the greater good.

• We counter the risk that security work can become very reactive by promoting a spirit of innovation. That has led to us already open sourcing multiple solutions, contributing to development of Cloudflare products, and presenting at security conferences. We are strategic about what solutions we should build ourselves and what we should buy from other vendors, always staying current on what’s new.

• Our team decided to pick a logo, and we ended up choosing an orange-to-pink hued phoenix because they represent resilience and optimism: A phoenix never dies; instead, she always rises from the ashes and becomes more majestic each time around. This embodies the security mindset -- we help Cloudflare bounce back from attacks and security incidents, reemerging stronger and more secure than ever. It's easy to feel like you never "win" against constantly evolving adversaries. Knowing that we are the phoenix, destined to bounce back from whatever setbacks we face, helps us stay optimistic no matter what we face. And of course, the image of a phoenix also fits well with the core Cloudflare name and brand. Not your typical security imagery, but something that we are proud to wear on our t-shirts because it represents our team.

• We encourage every member of our organization to work on something that is outside their sub-team’s subject area so they interact with the broader team and also have a sense of personal career development.

• We take our work very seriously and know when to say “Let’s get down to business” like Mulan in the Disney movie (which we’ve heard team members sing), but don’t take ourselves too seriously. We keep it light around the office.

• We change our seating arrangements regularly to encourage expanding relationship circles.

• We ask team members across the organization to lead meetings and give presentations to the whole group.

• We promote from within. Five team members have been promoted into first-time manager roles.

• We have open-ended manager round-tables to discuss vulnerable topics relating to growing a diverse team.

• We support our team members playing active roles in company Employee Resource Groups such as here and speaking up on topics outside our core areas of expertise.

• We take time for team-building activities. Some of our best practices are to keep the events during business hours and limit those that include alcohol.

• We celebrate success. In the security world, external recognition is more often given for failure than success. Most companies don’t celebrate the prevention of harm, they celebrate new products and new business. If you are not careful, a security team can feel isolated from the rest of the company because its work is not directly tied to generating revenue and even worse can be perceived as blocking progress.

One of our favorite meetings was an informal risk review session we had with our engineers during which we white-boarded what we all thought were our biggest risk areas. It was great in the moment because it was such a collaborative session where everyone felt comfortable speaking up about their fears. No two people saw things the same way, but all were open to hearing other perspectives and many of us in the moment changed how we thought about priorities. And what made it an all-time experience was how even though we may have left the meeting a bit discouraged about all we needed to do, within a week every team member had stepped forward and volunteered to work on one of the hardest challenges. Looking back a bit over a year later, we have made strong progress in reducing all the risks identified in that meeting, and we did it together as a team.

Security is hard work, and the work is never done. But bringing together a diverse team with a positive culture has helped our team get a lot of hard and stressful work done well. There is a lot more we can do to keep things moving in the right direction for our team members and company and we welcome additional suggestions for improvements in our approaches.

In 2016, while traveling the United States to conduct hearings on the condition of Internet security as a member of President Obama's cyber commission, my co-commissioners noticed I had fallen into a pattern of asking the same question of every panelist: “Who is responsible for building a safer online environment where small businesses can set up shop without fear?” We heard many answers that all led to the same “not a through street” conclusion: Most law enforcement agencies extend their jurisdiction online, but there are no digital equivalents to the Department of Transportation or National Highway Traffic Safety Administration and limited government technical contribution to building a safer environment.

I grew frustrated because I believe we need to invest as much in the upkeep of the sidewalks of the Internet as we do on making every street corner safer. The Internet may be the only context where governments spend less on preventing harm than they do on punishing misbehavior. It is certainly the only context where developing businesses are left to their own devices to fend off nation states—and then potentially chastised by regulators if they fail to do it well.

I've had the good fortune to serve on some of the best Internet security teams in the world at eBay, Facebook, and Uber—and have still fallen short of reaching an ideal state of security. Governments and larger companies have the resources and talent to face the daunting challenges of operating online, but good security is hard. If it is a challenge for them, small businesses and most individuals simply don't stand a chance.

With these conclusions weighing on me, my next step professionally had to be towards a team that pushes security out, proactively, to as much of the Internet as possible. It has to be a place thats mission is to help build a better Internet—so that people can step online confidently and launch their own businesses without fear.

I did not think I would find a company that matches my passion for securing the whole Internet—security is often an ancillary feature worthy of investment because strong security will drive brand loyalty and customer trust or differentiate a company from competitors. I've been lucky in the past to join companies with Internet-breadth challenges willing to work proactively and collaboratively on security, yet know those opportunities are few and far between. But when I met the leadership team at Cloudflare, I was amazed to learn how what had started with a focus on mitigating denial of service attacks had grown quickly into so much more—because their strong technology not only makes internet properties safer, it makes them faster. Their product innovation mirrors my physical-world streets analogy—helping to build a better online infrastructure creates better and safer opportunities for everyone in the community.

The team at Cloudflare seem to really embrace their mission of helping build a better Internet. They have certainly approached things differently—launching free versions of security products even in their earliest days to anyone operating a website, mobilizing Project Galileo to help those at risk of losing their voice online, and recently launching 1.1.1.1 to help everyone with better privacy and connectivity. For such a young company, they have done a lot of good already. I am so thrilled to join and learn from them, and hopefully help them continue to expand their efforts to prevent harm—at Internet scale.

Joe Sullivan

P.S. I would be remiss if I did not mention the security team at Cloudflare is hiring! If you too want to work on some of the most technically challenging and rewarding security issues the world can offer, let me know!