I love working as a Chief Security Officer because every day centers around building something that makes people safer. Back in 2002, as I considered leaving my role as a cybercrime federal prosecutor to work in tech on e-commerce trust and safety, a mentor told me, “You have two rewarding but very different paths: you can prosecute one bad actor at a time, or you can try to build solutions that take away many bad actors' ability to do harm at all.” And while each is rewarding in its own way, my best days are those where I get to see harm prevented—at Internet scale.
In 2016, while traveling the United States to conduct hearings on the condition of Internet security as a member of President Obama's cyber commission, my co-commissioners noticed I had fallen into a pattern of asking the same question of every panelist: “Who is responsible for building a safer online environment where small businesses can set up shop without fear?” We heard many answers that all led to the same “not a through street” conclusion: Most law enforcement agencies extend their jurisdiction online, but there are no digital equivalents to the Department of Transportation or National Highway Traffic Safety Administration and limited government technical contribution to building a safer environment.
I grew frustrated because I believe we need to invest as much in the upkeep of the sidewalks of the Internet as we do on making every street corner safer. The Internet may be the only context where governments spend less on preventing harm than they do on punishing misbehavior. It is certainly the only context where developing businesses are left to their own devices to fend off nation states—and then potentially chastised by regulators if they fail to do it well.
I've had the good fortune to serve on some of the best Internet security teams in the world at eBay, Facebook, and Uber—and have still fallen short of reaching an ideal state of security. Governments and larger companies have the resources and talent to face the daunting challenges of operating online, but good security is hard. If it is a challenge for them, small businesses and most individuals simply don't stand a chance.
With these conclusions weighing on me, my next step professionally had to be towards a team that pushes security out, proactively, to as much of the Internet as possible. It has to be a place thats mission is to help build a better Internet—so that people can step online confidently and launch their own businesses without fear.
I did not think I would find a company that matches my passion for securing the whole Internet—security is often an ancillary feature worthy of investment because strong security will drive brand loyalty and customer trust or differentiate a company from competitors. I've been lucky in the past to join companies with Internet-breadth challenges willing to work proactively and collaboratively on security, yet know those opportunities are few and far between. But when I met the leadership team at Cloudflare, I was amazed to learn how what had started with a focus on mitigating denial of service attacks had grown quickly into so much more—because their strong technology not only makes internet properties safer, it makes them faster. Their product innovation mirrors my physical-world streets analogy—helping to build a better online infrastructure creates better and safer opportunities for everyone in the community.
The team at Cloudflare seem to really embrace their mission of helping build a better Internet. They have certainly approached things differently—launching free versions of security products even in their earliest days to anyone operating a website, mobilizing Project Galileo to help those at risk of losing their voice online, and recently launching 220.127.116.11 to help everyone with better privacy and connectivity. For such a young company, they have done a lot of good already. I am so thrilled to join and learn from them, and hopefully help them continue to expand their efforts to prevent harm—at Internet scale.
P.S. I would be remiss if I did not mention the security team at Cloudflare is hiring! If you too want to work on some of the most technically challenging and rewarding security issues the world can offer, let me know!