No Priors: Artificial Intelligence | Technology | Startups - AI Threats & Opportunities in Cyber Security With Material Security Co-Founder Ryan Noon
Episode Date: October 26, 2023

Cyber Security is going to change significantly in the era of AI, according to Ryan Noon, cofounder of Material Security, a security company that makes cloud-based Google and Microsoft email a safe place for sensitive data. Elad Gil and Ryan talk about how Material Security started to use LLMs, potential security threats from AI hacks, and the role of the government in securing the Internet. Ryan also shares his advice for founders.

Ryan co-founded Material Security in 2017 after seeing high profile email hacks in the 2016 Presidential election. Previously, he led various engineering teams at Dropbox after it acquired his first company, Parastructure. Prior to Parastructure, he led engineering at a data analysis company spun out of Stanford by DARPA. He holds both an MS in Computer Networks and Security and a BS in Computer Science from Stanford.

Show Links:
Ryan Noon LinkedIn
Material Security Website
The Market for Silver Bullets by Ian Grigg

Sign up for new podcasts every week. Email feedback to show@no-priors.com
Follow us on Twitter: @NoPriorsPod | @Saranormous | @EladGil | @InternetMeme

Show Notes:
(00:00) - How 2016 Election Hacking Inspired Ryan to Start Material Security
(05:00) - Generative AI Use Cases in Cyber Security & Fine Tuning
(11:36) - Predictions on Effective Threat Levels from AI Hacks
(14:45) - Democracy, the Department of Defence, DARPA and Cyber Security
(20:14) - Is there room for startups in the Cyber Security industry?
(26:40) - New Challenges On Horizon After 7 Years as Cofounder
(32:30) - Advice to Founders

Transcript
So this week I'm joined by Ryan Noon.
He's the co-founder and chairman of Material Security, the cybersecurity company making cloud-based email a safe place for sensitive data.
He previously started Parastructure, which was acquired by Dropbox, where he was an engineering manager prior to starting Material Security.
Ryan, welcome to No Priors.
Hey, it's great to be here, man. Always lovely to talk to you.
It's always fun to chat with you.
So one of the reasons I'm excited to be chatting with you today is I feel like you have
such a great perspective on both the broader security industry, various tech topics,
et cetera, but also specifically how this all starts to tie into AI. And I know that at Material,
you were a very fast adopter, actually, of AI-related technologies as the first sort of APIs
really came out, and you started playing around with them quite early and doing interesting things
with them. Do you want to first talk a little bit about how you started Material and then
maybe we can touch on how you started getting involved with the AI side of it?
Yeah, sure. So we started Material, I guess, 2016, 2017 or so.
I had left Dropbox and, you know, was living in Europe and fell in love with all the election hacking that happened that year.
You know, that year it was pretty nasty.
Like every random Gmail account kept getting, like, dumped on the internet.
So I had an idea for, like, you know, how to protect a Gmail account, you know, just an ordinary personal one in like a fairly novel way.
I coded it.
It shockingly worked; the Gmail API let you do it.
I brought it back home and showed it to some friends.
And we realized this is actually a special case of a broader way of thinking.
Now, seven years later, it's a, you know, whatever cybersecurity unicorn thing.
And we get to work with the coolest companies, you know, in the world by far.
And the stuff that you get to do at the scale is just mind-blowing.
It's wild to think just where it started and where it's come.
And what are the main products that Material focuses on, just for the audience,
so they have a better sense?
Yeah.
So the broad thesis is basically we've all kind of got
these Google and Microsoft accounts, you know, email is sort of where we started, but, you know,
since then we kind of just went deeper and deeper and deeper into sort of everything that you can
use, you know, a Gmail account or a Microsoft account for. The bread and butter of the business is
selling, you know, to companies, you know, mid-size and up with these kind of these big Google
Workspace and Office 365 deployments. The product has a bunch of different modules that are all
kind of based around the main things people worry about.
The kind of the first big product that you mentioned in the intro was people have years and years of sensitive information sitting in these accounts.
If somebody, you know, gets into your Google account, they're just going to download all of your email and go through it later and your whole life is in there.
It's even worse, you know, in a corporate environment.
And so that product, what it can do actually is find, you know, sensitive stuff that's just sitting around, kind of just sitting in your inbox and your archive,
whatever, and then it can basically redact it and then replace it with a clean copy so that if
somebody gets in and downloads the whole thing, they don't get anything good. But then if you happen
to need it, like I like having all this information at my fingertips, you can just press a button
and do have an extra Face ID or a Touch ID or, you know, more advanced policies and work, but just
something that's easy for you, but hard for the attacker. So we started there and then we expanded
it into anti-phishing. You know, people can send you tricky emails and get you to do things and
steal money from you. Uh, we expanded into account takeover protection, which is, you know, more of the
things that people do, uh, after they compromise the account and, you know, I try to reset all your
other accounts and steal your bank account and all of that. Just the operative concept is
defense in depth, which is just, you know, like, just assume that the bad guy got in. Like, what
do they want? You know, like, they got over the wall, there should be another wall and a machine gun. You
know, it's like history has all these fairly basic lessons about resiliency that never really
always get applied the right way when it comes to computers.
Yeah, so it's kind of like, I guess
the part of the impetus was the 2016 election where, you know, there is all the things around
the Podesta emails and Hillary Clinton and everything else, and the basic idea is somebody's
able to hack your account, but it doesn't matter because your email is not accessible to them
or the sensitive information that you designate.
Yeah, I mean, it matters, but we used to call the
company like seatbelts for email or whatever back in the day. It's like it sucks to crash your car.
It really sucks to go through the windshield. Google and Microsoft, you know, have a total
duopoly on all of this. And kind of whatever little thing that they missed from a security
perspective is, you know, world altering. You got like, I mean, there's a headline every couple
months. Like every cabinet secretary just got their email hacked because all of the eggs were
in Microsoft's basket, you know? And, and so we kind of just exist to fill the, you know,
gaps in whatever doors they leave open, that's, you know, it's very fragile having a duopoly.
Duopolies are stable in the market, but very fragile when it comes to security.
Yeah, that makes sense.
You were one of the fastest adopters, I feel, in terms of hands-on use of LLMs for security
applications.
How did you start thinking about the use cases where generative AI would be useful?
The second you give a coder a REPL, you know, we will start iterating, basically, right?
And ChatGPT, if nothing, was not the world's greatest REPL.
So, I mean, we just started playing with it.
And then we're like, there's a lot of security domain knowledge like baked into this thing.
It turns out if you feed, you know, precisely one internet to precisely a million GPUs,
it picks up a thing or two about cybersecurity.
And so, you know, it's the kind of thing that obviously, like, the bad guys are starting to figure out in earnest.
And, you know, it's not like you can prevent this stuff from getting democratized.
But we just, you know, you could do simple things.
Like you could feed it, you know, like a bunch of, you know, raw email headers.
Anyone who's coded with these things, it's like this weird wetware grafted into the middle of a computer.
You know, it's like it's squishy and stochastic and parity, you know, but you have to integration test and model around it.
I think the analogy I used at the time is like Shang Sung from Mortal Kombat.
Like it has eaten the souls, you know, of thousands of security engineers.
And so, like, you might as well use it because honestly, like, there's a lot of just raw operational work that happens in security of just like, we need to, you know, rarefy this signal, filter out the noise and then honestly feed it through a human being who has some experience as to what the bad guys are trying to do.
And, you know, it turns out LLMs are fantastic at that.
And so that was the first use case that we really kind of productionized.
But, you know, beyond that, it's kind of gone crazy.
So there's a lot of engineering you have to do that.
It's kind of amazing because if you look at modern LLMs,
they have this mixture to your point of sort of this deep knowledge base,
which is the internet and to your point,
sort of the souls of security engineers on the internet.
And then, you know, it has this sort of chain of thought
or sort of reasoning that is very useful to use in certain circumstances.
Is there any data that you feel is really missing
or a specialized corpus you need to provide
or anything else that really helps from a security perspective
that you need to augment or fine tune or do something with?
Honestly, like, you know, I've seen a lot of, you know, startups starting from scratch here and, and whatever.
And, you know, as an engineer, like, I know when I have headroom and honestly, even in like GPT 3 and a half, there was plenty to work with.
I'm seeing a lot of shovel selling, obviously, right now in the AI market.
And I'm seeing a lot of like, you know, I need to pretend that I have a moat.
So I need to, you know, fine tune all this stuff and whatever, whatever.
But yeah, no, I mean, so many things that were very,
very, very, very hard for computers, you know, 18 months ago are very, very easy for
off-the-shelf models. So, like, I think, you know, maybe chew your food first, security
industry.
Yeah. What do you think are the best application areas then for generative AI
and security? Is it pen testing? Is it phishing? Is it something new? Is it some form of, like,
supply chain?
Yeah, I mean, it's obviously the offensive side is what you're not supposed to talk about
too much. But obviously the bad guys were talking about it. And security, you know, it does have
this arms racy sort of aspect to it. So like, you know, we need security LLM companies because the bad
guys exist. Honestly, like the order zero thing when I keep meeting with founders, because you hear
this, there's all these like kind of classic cliches in the cybersecurity industry, like
the cybersecurity skills shortage, like America needs, you know, to bring back the draft and
make everyone get a security certificate or something, okay, like, you know that you have like
90% of a human that you can use for like a penny and a half, right? Okay, start there.
You know? And so, like, there's just basic things like that. But it gets, it gets more
interesting, I think, from there. But like, let's go to Disney World collectively after we do that
and then we'll come back, you know?
Do you see any CSOs actively using LLM tools today,
or is it still kind of early and it's like there's an adoption curve or is it going to just be in the hands of the vendors?
Well, I think the best thing about the security industry is that there's also the security cottage industry of like it's not the fancy security vendor who's, you know, buying the CISO steak and having them drive Ferraris around Vegas every August.
It's like just a strong like security engineer who's just hacking something together.
And so some of the best companies that I've seen, you know, are just that.
And so you're seeing all these, like, there are cool projects out there.
You know, I, you know, I don't want to name drop too many of my friends on this podcast.
But, like, you know, just like the stuff that Socket's doing, just like analyzing npm dependencies, like, you know, even just like static analysis, like looking for like, you know, hey, you dropped sensitive information in the middle of your code base.
Like that's like such a messy, hard problem as any like computer science can, you know, person can tell you.
And like, these things are pretty good at reading code,
you know. So like all sorts of just basic stuff like that is starting to pull through.
So what do you think is the biggest, um, risk or cyber threat from this technology?
Oh, I mean, like, it can be a human. And I'm just talking about the text models, right? Like, so much of cybersecurity is just text.
Uh, and there's nasty hacks, you know, that are reported, you know, where someone's voice was faked
very convincingly and they made a phone call and blah, blah. Like, humans, you know, trust humans through computers.
That was, I think, the key mistake we made, you know.
Yeah, I guess there's a lot of APIs now that do voice cloning like LMNT or Eleven or some of these
other folks, right?
And so basically, I guess, a threat is that somebody voice clones and then they can use
it to call you and pretend that they're your bank and ask for permission to do a wire
or spoof you on the other side where it doesn't even have to be that hard.
Like, as in the standard, like, you know, new employee joins company, receives text message
claiming to be CEO thing. Like, it works at scale, you know. Like, so like, it's, you know, the sheer amount
of, like, you know, you go see these attacks that random bad guys are sending to people and, like,
they're not even, like, using grammar properly. Like, all they could do was, like, spell check the bad
guys, and that's all you were using, like, whatever off-the-shelf, you know, open source LLM for. Like,
even that would make a difference materially on, you know, cybersecurity policy returns.
How bad do you think this gets at some time frames?
So say we're at, you know, it's three years from now and we're at GPT6 or something.
Do you have any predictions in terms of the sort of effective threat level or the capabilities
or what might happen then?
Yeah, I think we all kind of like wonder about this.
I was talking to somebody from the White House who was like trying to figure out how to talk
about security in LLMs a little bit.
Like, I think the operative analogy that ended up helping was like Bronze Age versus Iron Age
kind of thing,
and that like if you're, you know, if you're a tribe or something and you have bronze weapons
and your neighbor next door gets iron weapons, then like you're going to have a bad time,
like you're going to need to go and get iron weapons.
And so all of this talk about like, you know, we need to, you know,
airstrike the data centers and prevent it from being aligned or not aligned or whatever
the current term is.
Like that's like saying, you know, well, this super high grade carbon steel from space, you know,
needs to be restricted, but honestly, like, if someone's got iron weapons against your bronze armor,
like, good night, you know? And so these LLM things, it's a step function. Like, you know,
forever often, you know, we used to whine that we only had, you know, 140 characters and not, like,
flying cars, like, technology does give you step functions every once in a while. And, like,
this is just that, you know, so it doesn't mean that, like, you know, we're all doomed now.
And I think we, getting a, like a sense of the scope of the threat is really hard in cybersecurity
because you could be like, you know, hey, you know, we're a Fortune 500 and we left the front door open for a year and no one walked in it.
Like hackers are fake.
Cybersecurity industry is BS, right?
Or you can be some like little no-name company and just get run over and you're like the barbarians are at the gate.
And it's like really hard to know exactly what you're up against, right?
But what's interesting is that, like, automation, like, it's like the, you can be more human and you can,
like, one human can now supervise a thousand humans, you know. You don't need a room full of, like,
jerks trying to hack grandma or whatever when honestly, like, one jerk will now suffice, you know,
with a for loop.
Yeah, yeah. To that point, it feels like there's a few different types of actors
in the cybersecurity world, right? To your point, there's sort of individual players. Sometimes
that's ransomware or sort of financially driven folks, and then
there's state-based actors, right? And it seems like some of the attacks we had a year or two
ago on parts of our more physical infrastructure and supply chain may have been through state-based
actors. How do you think about that in the context of these things? Is that, you know, we must
continue to invest in LLMs at scale as a broader national security side of things. Does it
modulate your thinking at all?
Yeah, I mean, fundamentally, like, you have to invest in cybersecurity.
Like, my moral basis for cybersecurity existing is that it is essentially,
like the waste heat of all other innovation in computing and information, which is like,
you know, if a computer is doing something new for you that it wasn't doing last year, then like
the utility of that will drive adoption and then like cleaning up after it for whatever the
side effects of that are is what, you know, essentially cybersecurity, you know, does, right?
And so we are the cleanup crew for all other innovation, which is, you know, it's a, it's a
living. It's an honest living. So whenever innovation happens, like the entire world will adopt it
before they realize, like, oops, it messes up democracy or like, oops, whatever, you know, like,
utility drives adoption, not safety. Like, welcome to Earth, you know. And so, uh, so I think like the,
on the nation state side, like, it, it's, you know, you don't have to even be hyperbolic with like,
you know, it's the atom. It's the whatever. It's because like, you know, fundamentally, like,
intelligence is now a commodity that we can arms race, you know, like weird, you know,
it's not, you know, like atomic power can arms race. Like, no, like intelligence itself can now
go Red Queen.
Yeah, that was the original premise under OpenAI, right? The concern was that
Google and a few other folks had, you know, real advancements in AI and they were driving most
of it. And so OpenAI, I think originally was meant to be kind of a counterbalance to that
so that there wasn't a single player that would effectively dominate all of AI or if it was,
it'd be under this sort of philanthropic guise, right?
And so it's interesting that even in the early days of this stuff,
a lot of the emphasis was on this.
Let's avoid some overaggregation of power within AI.
But if you have a lot of intelligence that is extremely online,
like you have a ton of power.
And, you know, the West I think is especially vulnerable to this.
Like open societies, I think, are extra vulnerable when it comes to
infosec stuff because, like, we put it all out there. We adopt these systems. We open them up.
We let the private sector totally handle them. You know, like we, we are early adopters of
every digital technology and we are very happy to wave our soft underbelly on the internet as a
society. We don't lock it down.
How does that differ from totalitarian states from a
cybersecurity perspective?
Like you could literally, you know, if you're like North Korea, you're
going to say you're all going to use this Linux distribution. But it doesn't support, you know,
whatever I want. I'm sorry, we're in authoritarian state. Like, oh, oh, well, you know, like,
what if I get phished? Sorry, like, that's not how bank accounts work in our country, you know,
like, it's just like, you can control information, you know, you can't, this usually gets,
like, viewed through the lens of, like, social media disinformation. If you can, you know,
regulate and lock down, you know, the entire social media discourse, then, like, you know,
what election is going to get hacked and where would it get hacked, you know? But the same thing I
think holds true for all of cybersecurity. The other interesting, you know, like, way of looking at this
that's always kind of baffled me is that, you know, if cyberspace is a space, right, like in, like,
U.S. military terminology, it is a command. Just like, you know, North Africa is a command, like,
cyberspace is a command. Like, William Gibson, you know, would be proud, right? But like in this space,
like, you are kind of on your own as an American. Like, you know, it's like if I, if I was in,
you know, like, the military protects Americans and guards our borders.
What does that even mean, you know, with, like, cyberspace?
Like, I hope you've hired a CISO, you know?
Is there anything specific you think the DOD should be doing relative to these sorts of threats right now?
Or if you were magically in charge of it, like, what would you change or what would you do differently?
I mean, they do a fantastic job in a lot of levels.
Like, I'm, you know, it's like, obviously, like, we all had to, the Valley had to deal with, like, Snowden
and everything, you know, 10 years ago and whatever.
And I'm not, I don't need to take a side on that one.
But the point is like we have some pretty incredible people, you know,
doing offensive stuff as well in cybersecurity and deterrence works pretty well a lot of
the time as well, you know. So I, when it comes to LLMs specifically, I think everyone is
still figuring out what the hell is even going on, you know, like it's, it's going to
take them a while.
I think you see DARPA doing really interesting stuff, you know, like there are interesting
projects out there.
But I think, and this is maybe a motif that I see broadly with LLMs, is like, you know,
the, unless you go super, super deep on this stuff, you kind of see everything through the lens
of like the popular discourse of ChatGPT.
Like whatever, you know, the, you know, the New York Times or whatever has said about
ChatGPT or whatever experience you had the first time you used it six months ago when you were
on the free version is how you see everything.
And so they'll be like, we need to
make sure it doesn't make stuff up. We need to, you know, have it generate. It's all kind
of like order zero stuff. I think people have yet to realize that like the computer can think
in like a much more salient way than like it ever could before. And so I think people are still
playing catch up.
Yeah, that makes sense. Yeah, it feels very underappreciated. Yeah, I feel like
in general people are viewing AI as this continuum where it's like it's a CNN and RNN and now we have
transformers and it's just a straight line. And instead, obviously, it's a big discontinuity in terms
of capabilities, and I think most people still don't think about it that way, or at least I should
say many people, particularly outside of tech. And I actually think it's underhyped in all sorts of
ways, which may be a different conversation.
Shovel selling is overhyped, but I think the
thoughtful discourse on what our society will be like in 10 years is probably underhyped.
Yeah, yeah, good point. So one of the big debates that people have in this area is what degree
of things will go to incumbents versus startups. And in security, the incumbents are really strong,
right? They are very good at buying things and bundling and cross-selling and sort of the traditional
enterprise playbook, which parts of tech have sort of forgotten for a while and maybe are coming
back to now that we don't have ZIRP anymore. How do you think about the things that incumbents
will do versus startups? Is there any room for startups right now on the AI security side?
I mean, there's always room for startups. The cynical take here, or like the take I can give
that is perhaps most informed and most cynical, whether this is whatever uninformed, informed
pessimism versus inform, whatever, is, uh, is that basically, you know, in the cybersecurity industry,
there's some basic economics, right? There's, if you care about this, like, there's a great paper that
is actually required reading for everyone who's ever joined material, which I've never enforced,
uh, but it's called The Market for Silver Bullets, right? Like Ian Grigg wrote it. I think I've sent it to you
once. And it's like fundamentally, you know, there's, there's, there's like markets for lemons and
whatever, but there's markets for silver bullets, which is that like, fundamentally there's,
there's the buyer, there's the seller and the attacker, you know.
And so, like, the buyer cannot really be sure of the effectiveness of what they're buying and whatever, whatever.
And so you can't really, like, look at a solution and be sure that it will save you, right?
Like, you know, you could buy an insurance policy, you know, and there's a, you know, like a truism that all cybersecurity products are just, you know, complex insurance policies or whatever, right?
But the point is, like, that mushyness exists.
And so what has resulted in the free market here is these incredible distribution machines, right?
You have, you know, think like Cisco or Palo Alto Networks or even, you know, Microsoft and Google to an extent, right, where they just, they have the sales force, they have, you know, the bundle.
They have, you know, the big conference with all the glitzy stuff or whatever, right?
But they don't really know, like, if you ask the product manager at that company or whatever, like, and they're being honest, like, they don't know
what bad guys are going to be doing in five years any better than anybody else does,
right? And they don't know what's going to be effective. So why would they plant seeds from
scratch when they could just go harvest crops that are already growing and transplant them
into their yard and water them with all these salespeople and all this bundling and all this market
power, right? And so these, like, paved roads, I think they're just a function of
the extra, you know, like technological and product uncertainty that is just compensated for
that risk must be compensated for with extra low market risk, you know, and so that's what
you see, you know, like Cisco just bought Splunk, but Splunk buys things. The whole market just
works this way. I think I wrote a blog post once where I called it the cybersecurity industrial
complex, you know, and it's like they're PE firms, you know, dressed up as innovators, blah,
blah, blah, blah, blah. I was angry. I used to be very angry. But, but fundamentally this happens.
And so that means that we are kind of, you know, entrepreneurs, you know, at their worst. Like,
there can be new, great cybersecurity companies.
There are, there's still creative destruction that happens.
You know, some of the best cybersecurity companies, you know, didn't really exist 10 years ago.
And that's like, you can still build big ones.
Like VCs, you know, don't stop, you know, like VCs, you know, when it comes to cyber stuff,
will, will like, you know, just go for base hits constantly, the worst ones, you know.
And a lot of the best VCs like never, you know, make bets in cybersecurity because, you know,
at best you're going to get a $200 million takeout to Palo Alto Networks or whatever, right?
That's the typical outcome.
But, you know, you can still build these big companies and, and, you know, people should still try.
But, you know, there's, but that, that farm system is still active.
Like, no one really knows, like, the innovation will happen.
And if the market's big enough and, you know, you don't, as a founder, you know, you don't want to stop the game on second base or whatever.
And you want to keep going.
Those opportunities are there.
And honestly, like, discontinuities breed new companies, you know.
And there's entire classes of things that are
unnecessary and obsolete now.
So much of security is emitting logs and alerts
and then parsing those logs and alerts again and aggregating them.
I spent a lot of time doing data infrastructure
and analytics in my life before after my cybersecurity grad degree,
but before I started using that degree.
And it's just like serializing and deserializing data
and parsing some old firewall thing from 20 years ago or whatever.
And like an LLM can just eat that,
you know, like depending on volume and all that stuff. But there's just like a lot of spend,
I think is up for grabs as long as, you know, people have their expectations in the right
place.
I guess outside of Material, like, is there any larger scale security vendors that
you've, you know, publicly talked about rapidly adopting LLMs? I know Material's been very
fast on it.
I mean, obviously Microsoft had this, you know, top down mandate and had a year on
everybody. And so they've been, they've been making a lot of noise and marketing it,
but, you know, and that's theoretically cool, but, um, I don't know how, I haven't used it personally yet.
Um, but I, you kind of, you probably saw this pattern, which is that, like, uh, you know, kind of the,
the growthy companies with the nerdy founders, like, immediately started integrating this into
the product, right? Uh, and then the, like, youngish public companies that, like, totally still got it,
you know, would do, like, a thinner feature a little bit later. You know, the big Fortune 500s are
doing science projects, God bless them, you know. Uh, and so I, I think I'm saying that and I haven't,
I've seen plenty of first bucket things that are very impressive. Uh, I've seen, you know, like the,
the, look, you can type in the box and if you have typos the LLM doesn't care, you know. I've seen that
from the public companies that totally still got it, you know. And then, uh, and then the science
projects, you know, are just really good for OpenAI's revenue, I assume.
Yeah, and that makes
sense. Yeah. And I guess there's also sort of the hybrid or overlap or partnership stuff. Like,
for example, last year, I know Material did a partnership with Snowflake to support Office 365
and Google Workspace and provided sort of enhanced security benefits to joint users. And so there's
like, there's also that sort of approach where you partner with the large incumbents to bring
these new things to market in some sense.
Yeah. Yeah. I mean, cybersecurity partnerships are
super, super, super important because like people, people hate to have to buy, like,
individual things in their cybersecurity stack, but they also hate when they buy a big bundle that
sucks. So like the right answer for the customer is to like just for the vendors to be grownups
and to work better together where possible.
Yeah, I guess more generally, you know, it's been about
seven years since you co-founded Material. What do you think are the biggest changes or
evolutions in security since then?
That's a good question. Honestly, like, I don't know how much
has changed.
It's like, you know, people still send emails, people still reply to text messages.
I think, you know, there's always like the, but Slack is going to have all those problems
too or whatever, whatever.
And I think at the end of the day, like, if something's a walled garden, like, it will be
involved in attacks, you know, someone will go in and like own you because they compromised Slack
after they compromised this and escalated that whatever, but like entirely new attack surfaces
of like, you know, ways to get to users from across the internet, broadly speaking,
uh, like I think have, have a somewhat somewhat stable. What's the sad thing, I spend a lot of
time thinking about like mobile stuff. And it's, it's sort of this like tragic thing where
like locked these things down like hardcore now, right? It's actually like super limited
what like vendors can do. And, and the average employee, I think,
understands that their company probably owns their work email account or whatever, and has
has carte blanche to protect that and protect the company. But, you know, like, do you have your
phone? Is it my phone? I brought it. I signed it in. Do I have MDM on it? All this stuff. And so
that ends up being the situation where, you know, even Apple, who's like so good at locking it down
to the extent that, you know, Zuck is super sad or whatever, like, will lock down the device
and prevent, you know, the most, you know, obvious forms of cybersecurity software being made.
But like, like, then we'll sit on the problem for years while, like, everyone gets run over, you know?
So it's people are usually, it's a sad thing in the tech industry that you probably see.
People are better at keeping people out of their territory than using their territory, you know.
It's this very, very nasty, sad thing.
So, so I think some of these problems, I think, have just gotten worse, you know.
I think there's always the infrastructure story of like, you know, the multi-decade megatrend of people getting rid of their data centers and allowing only a small handful of companies to buy all the semiconductors and then renting them from people.
That centralization, you know, it's not like the most interesting thing for a lot of us, you know, but it's you go to security conferences and it's, you know, I had to buy these seven things when I had a data center.
Now I have to buy this one thing, but it comes with Amazon, but it sucks, but I have to buy
this other thing.
So that trend is not done.
And there have been some great companies that have been built in that space in the last seven
years that, you know, like I, you'd think that like AWS and Google and Microsoft could
like keep this shit secure that they're renting you.
But no, you know, like, so that's, that's been one of my biggest probably misses as a, as a,
as an investor, not even independent of security. There's years of like, well, the AWS will bundle this
win, you know, and then no, they don't. You know, you're like, I did diligence on Snowflake's B
and told whoever asked me to pass because I'm like, Redshift exists. Like, AWS is not
asleep at the wheel. And then, you know, AWS subsequently told me when I talked to them about
this, they're like, you know, we get paid either way. Like, we, they don't own any CPUs. Like,
we can be lazy. Yeah, yeah, yeah. Yeah, they're the platform. So it works. Yeah. Are there other areas,
I know that a lot of founders in both security but also in enterprise come to you for advice
as they first get started in terms of starting their companies. Are there other areas of
like enterprise that you're most excited or interested in right now? Oh, man. I have this love-hate
thing with security. If there's any founders listening to this, like security, like,
what's annoying is because it's very mushy, no one necessarily knows what products are
effective and whatever, whatever, you can kind of just like really put your head down and like grind
and sell and, like, build a beachhead with your company, you know, and it might be a totally
okay product.
Like, I was, I was talking to a great founder yesterday, and they're, like, thinking about what to
build and whatever, whatever, and it's like, take a step back and just, like, try and build
an incredibly useful thing that everyone should buy.
Stop thinking about the Gartner categories and, you know, whatever, CASB, UBA, SIEM, whatever,
DNR, something, something, something.
Like, stop, like, trying to, like, look at this, like, big, like, and you see these, like, the, some of the
cybersecurity, you know, ibankers and stuff will put out these big quadrants of everything and how
it all fits in. The thing that consumer people make fun of us enterprise people for, uh, are our extra
make-funnable, uh, in cybersecurity, you know. And so, uh, so I'm always just like, you know, like, go and go in there
and, like, just, like, if it, if it's a thing that connects to an API that everybody uses and saves
them all a bunch of time and makes it way easier, like, just build that, okay? Like, stop worrying about
your Gartner category. You got, like, five years, uh, to even, like, you know, start paying Gartner, you know.
Stop it. Well, you know how many people I've, like, sent your blog post of, like, what is a good
market? Like, market is not the same thing as marketing, you know. Yeah, yeah, yeah. Like, that's a product
that should exist, everyone should just buy that, and, like, then we have to x-ray it with, like,
where distribution's going to come from and, and, like, you know, like, is this going to be easy
to sell in a reasonable time scale and whatever.
I think my favorite companies, I'm spending the most time with, tend to be in security.
But if you want a grouchy yet somehow still optimistic guy on your cap table, just give me a call.
But I'm looking to do less stuff in security.
Is there any other advice that you tend to give people starting companies for the first time?
Oh, man.
Yeah, I mean, there's just the basics, like figure out your team.
You know, like, being a solo founder is actually totally okay. It's way better than being like, we had
three coffees together and we just got married, you know. So, like, like, just start with the team.
Like, everything is built on the team. Like, it's the saddest thing in the world when you see, like,
a beautiful company and then, like, it's just, the foundation has a, has a crack in it and you have to
tear the whole thing down, you know. Make sure you have the same, like, risk appetites and stuff like that.
Just those basic, basic, basic stuff. Like, you know, especially when, you know, we are irrationally exuberant
again in Silicon Valley. We had a solid six months of being depressed because of the end of
free money. I kind of wish it lasted a year longer or something. I think it would have been very
very healthy for everyone. I know. People step like all the Warren Buffett quotes came back. I think
like RIP good times like seven or whatever, you know, and now it's gone again. Yeah, it's back
to ZIRP if you're in AI. Just honestly, like just pick a good market. Like look for a lot of dollars
and a lot of other shitty people that, like, you can take those dollars from.
The analogy that stuck for people was, like, the difficulty level of the game that is
starting a company is essentially just, like, the size of the market, like, the inverse of
that, you know, like, the bigger the market, like, you can eat mistakes, you know, you can,
you can burn time, you know, like, it's just play the game on easy if you possibly can, you know.
Yeah, it's kind of interesting. That's kind of advice that I tend to give people who are working
in AI right now because I feel like there's so much low-hanging fruit. And you see these people
doing these incredibly complicated things or incredibly hard things, and you're like, why are you doing
something so hard when it's an early industry? In the latter part of an industry, when things
have matured and sort of saturated, that's when you do the hard stuff. But in the early days
of a new market, you just want to do the easy stuff, because that's very tractable, it's faster,
it's easier, you know, higher velocity. Right. Like, I'm not the only one with this pet peeve,
but you see, like, you need, like, really talented technologists on founding teams. Like,
I really think it's like, we're in the technology industry. Like, you know, if you leave the
MBAs alone. They're going to do like Casper mattresses, but for mattress pads this time,
but they come with razors on them and stuff. Like they're going to follow the same templates.
God bless them. They need to exist. But like, the best companies have a technologist, like,
you know, maybe not in the CEO role, but like someone there. And technologists, like we love
to do what we know. And so there's this like massive, you know, like overabundance of engineering
recruiting companies and, you know, DevOps, but this time totally different, dev tooling.
like infrastructure monitoring, blah, blah, blah.
And it's like, dude, just like, get out there and like learn a market that's not your own, okay?
Like, it's just like the world needs your creative energy to paraphrase one of our slogans from Dropbox back in the day.
But like, you're going to have to like maybe leave your house sort of, at least on Zoom, you know, and talk to people and find like, find a market, you know.
And so, and I think with AI you're seeing just the overabundance of shovel selling, like the world needs
next-generation Datadog for AI, but not that one, because there's already that guy.
This one's for testing, but not that kind of test, but mobile testing, that one.
Yeah, right?
And it's like, stop.
Like, combinatorics will never let you down.
There's always going to be a way to cross these things, you know?
But, like, how big is that actual market?
How big is it?
You know?
Yeah, yeah, makes a lot of sense.
So, Ryan, thank you so much for joining us today on No Priors.
Yeah, it was great, Elad.
That was really fun.
Find us on Twitter at NoPriorsPod.
Subscribe to our YouTube channel if you want to see our faces, follow the show on Apple Podcasts, Spotify, or wherever you listen. That way you get a new episode every week. And sign up for emails or find transcripts for every episode at no-priors.com.