Screaming in the Cloud - President Biden’s Advice in Action with Dan Woods

Episode Date: December 28, 2021

About Dan: Dan is CISO and VP of Cybersecurity for Shipt, a Target subsidiary. He worked previously as a Distinguished Engineer on Target's cloud infrastructure. He served as CTO for Joe Biden's 2020 Presidential campaign. Prior to that Dan worked with the Hillary for America tech team through the Groundwork, and contributed as a founding developer on Spinnaker while at Netflix. Dan is an O'Reilly published author and avid public speaker.

Links:
Shipt: https://www.shipt.com/
Twitter: https://twitter.com/danveloper
LinkedIn: https://www.linkedin.com/in/danveloper

Transcript
Starting point is 00:00:00 Hello, and welcome to Screaming in the Cloud, with your host, Chief Cloud Economist at the Duckbill Group, Corey Quinn. This weekly show features conversations with people doing interesting work in the world of cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud. It seems like there's a new security breach every day. Are you confident that an old SSH key or a shared admin account isn't going to come back and bite you? If not, check out Teleport.
Starting point is 00:00:49 Teleport is the easiest, most secure way to access all of your infrastructure. The open-source Teleport access plane consolidates everything you need for secure access to your Linux and Windows servers. And I assure you, there is no third option there. Kubernetes clusters, databases, and internal applications like AWS Management Console, Jenkins, GitLab, Grafana, Jupyter Notebooks, and more. Teleport's unique approach is not only more secure, it also improves developer productivity. To learn more, visit goteleport.com. And no, that's not me telling you to go away. It is goteleport.com. Writing ad copy to fit in a 30-second slot is hard, but if anyone can do it, the folks at Quali can.
Starting point is 00:01:49 Just like their Torque infrastructure automation platform can deliver complex application environments anytime, anywhere, in just seconds instead of hours, days, or weeks. Visit qtorque.io today to learn how you can spin up application environments in about the same amount of time as it took you to listen to this ad. Welcome to Screaming in the Cloud. I'm Corey Quinn. Sometimes I talk to people who are involved in working on the non-profit slash political side of the world. Other times I talk to folks who are deep in the throes of commercial businesses, and I obviously personally spend more of my time on one of those sides of the world than I do the other, but today's guest is a little bit different. Dan Woods is the CISO and VP of Cyber Security at
Starting point is 00:02:39 Shipt, a division of Target, where he's worked for a fair number of years, but took some time off for his, you know, side project, the side hustle, as the kids call it, as the CTO for the Biden campaign. Dan, thank you for joining me. Yeah, thank you, Corey. Happy to be here. So you have an interesting track record as far as your career goes. You've been at Target for a long time. You were a distinguished engineer, not to be confused with extinguished engineer, which is just someone who is finally, the fire has gone out. And from there, you went from being a distinguished engineer to a VP slash CISO, which generally looks a lot less engineer-like and a lot more, at least in my experience,
Starting point is 00:03:23 of sitting in a whole lot of executive level meetings, managing teams, etc. Was that in fact an individual contributor or IC move into a management track? Or am I just misunderstanding this because these are commonly overloaded terms in our industry? Yeah, yeah, no, that's exactly right. So IC to leadership, to, you know, distinct tracks, distinct career paths. It was something that, you know, I've spent a number of years thinking about and more or less working toward and making sure that it was the right path for me to go. The interesting thing about the break that I took in the middle of target when I was CTO for the campaign is that
Starting point is 00:04:03 that was, you know, a leadership role, right? I led the team, I managed the team, I did performance reviews and all of that kind of managerial stuff, but I also sat down and did a lot of tech. So it was kind of like a mix of being a senior executive, but also still continuing to be a distinguished engineer. So the natural path out of that for me was to make a decision about do I continue to be an individual contributor or do I go into a leadership track? And I felt like for a number of reasons that my interest more aligned with being on the leadership side of the world. And so that's how I've ended up where I am. And correct me if I'm wrong, because generally speaking, political campaigns are not usually my target customers, given the fact that they're turning the entire AWS environment off in a few months, win or lose.
Starting point is 00:04:55 And yeah, that is, in fact, remains the best way to save money in your AWS bill. It's hard for me to beat that. And but at that point, most of the people you're working with are in large part volunteers, I would imagine. So managing in a traditional sense of, well, we're going to have your next quarterly review. Well, your candidate might not be in the race then. And well, we're going to put you on a pip and, and what exactly? You're going to stop letting me volunteer here. You're going to dock the pay. You're not paying me for this. It becomes an interesting management challenge, I would imagine, just because the people you're working with are passionate and volunteering. And a lot of traditional management and career advice doesn't necessarily map one to one.
Starting point is 00:05:36 I would have to assume. That is the best way that I've heard it described yet. I try to explain this to folks sometimes and, you know, it's kind of difficult to get that message across that, like, there is sort of a base level organization that exists, right? There were full-time employees who were a part of the tech team, really, really great group of folks, you know, especially from very early on willing to join the campaign and be a part of what it was that we were doing. And then there was this whole ecosystem of folks who just wanted to volunteer, folks who, you know, wanted to be a part of it, but didn't want to leave their, you know, their nine to five, who wanted to come in. One of the most difficult things about, you know, we rely on
Starting point is 00:06:21 volunteers very heavily in the political space and very grateful for all the folks who step up and volunteer with organizations that they feel passionate about. In fact, one of the best little tidbits of wisdom the president imparted to me at one point, we were having dinner at his house very early on in the campaign. And he said, the greatest gift that you can give somebody is your time. And I think that's so incredibly true. So, you know, the folks who volunteer, it's really important, really grateful that they're all there. In particular, how it becomes difficult is that you need somebody to manage the volunteers, right, who are there. You need somebody to come up with work and, you know, check in that that work is
Starting point is 00:07:05 getting done, because while it's great that folks want to volunteer five, 10 hours a week or, you know, whatever it is that they can put in, we also have very real things that need to get done and they need to get done in a timely manner. So we had a lot of difficulty, especially early on in the campaign, utilizing the volunteers to the extent that we could because we were such a small and scrappy team. And because everybody who was working on the campaign at the time had a lot of responsibilities that they needed to see through on their own. To this, it's quite literally a full-time job having to sit down and, you know, follow up with volunteers and make sure that they have the appropriate amount of work and make sure that, you know, we've set up our environment appropriately so that volunteers can come and go and, you know, all of that kind of stuff. So, yeah. It's always an interesting joy looking at the swath of architectural decisions and how
Starting point is 00:08:06 they came to be. I talked on a previous episode with Jackie Singh, who was, I believe, after your tenure as CISO, she was involved on the InfoSec side of things. And she was curious as to your thought process or rationale with a lot of the initial architectural decisions that she talked about on her episode, which I'm sure she didn't intend it this way, but I am going to blatantly miscategorize as, justify yourself, what were you thinking? Usually it takes, you know, years for that kind of, I don't understand what's going on here, so I'm playing data center archaeologist
Starting point is 00:08:41 or cloud spelunker. This was a very short window. How did decisions get made architecturally as far as what you're going to run things on? It's been disclosed that you were on AWS, for example. Was that a hard decision? No, not at all. Not at all. You know, we started out the campaign, I in particular, you know, when I was one of the first employees hired onto the campaign. And, you know, the idea all along was that we're not going to be clever. Right. We're basically just going to develop what needs to be developed. And the idea with that was that a lot of the code that we were going to sit down and write or a lot of the infrastructure that we were going to build was going to be glue, not AWS Glue, right? Ideally, but just glue that would bind data streams together, right? So data movement, vendor A, you know, produces a CSV file
Starting point is 00:09:37 for you and needs to end up in a bucket somewhere. So somebody needs to write the code to make that happen. Or, you know, you need to find a sufficient vendor who can make that happen. There's a lot more vendors today, believe it or not, than there were two years ago that are doing much better in that kind of space. But, you know, two years ago, we had the constraints of time and money. Our idea was that we were going to the code that we were going to write was going to be for those purposes. What it actually turned into is that in other areas of the business, and I will call it a business because we, you know, we had formalized roadmaps and different departments working on different things, but in other areas of the business where we didn't have enough money to purchase a solution, we had the ability to go and write software.
Starting point is 00:10:29 The interesting thing about this group of technologists who came together, especially early on in the campaign, to build out the tech team, most of them came from an enterprise software development background. So we had the know-how of how to build things at scale and how to do continuous delivery and continuous deployment and how to operate a cloud-native environment and how to build applications for that world. So we ended up doing things like writing an API for managing our donor vetting pipeline, right? And that turned into a complex system of Lambda functions and continuous delivery for a variety
Starting point is 00:11:04 of different services that facilitated that pipeline. We also built an architecture for our mobile app, which there were plenty of companies that wanted to sell us a mobile app, and we just couldn't afford it. So we ended up writing the mobile app ourselves. So after some point in time, what we said was, we actually have a fairly robust and complex software infrastructure. Right. We have a number of microservices that are doing various things to facilitate the operation of the business.
Starting point is 00:11:35 And something that we need to do is we need to spend a little bit of time and make sure that we're building this in a cohesive kind of way. And what part of that means was that, for example, we had to take a step back and say, okay, we need to have a unified identity service. We can't have a different identity or we can't have every single individual service creating its own identity. I really wish you could pass that lesson on to some of the AWS service teams.
Starting point is 00:12:03 Yes, I know. I know. Yeah. So, so there were some questionable choices you made in there. Like you started that with the beginning of, well, we had no time, which is fine and no budget. So we chose AWS. It's like, oh, that looks like the exact opposite direction of a great decision given my view on it on it stepping past that entirely there you are also dealing with challenges that i don't think map very well to things that exist in the corporate world for example you said you had to build a donor vetting pipeline it's in the corporate world i inhabit it's one of those why in the world would i get in the way of people trying to give me money. And the obvious answer in your case is federal law. And it turns out that the best outcome generally does not involve serving prison time. So you have to
Starting point is 00:12:53 address these things in ways that don't necessarily have a one-to-one analog in other spaces. That's true. That's true. Yes, correct to the federal law thing. Our more pressing reason to do this kind of thing was that we made a commitment very early on in the campaign that we wouldn't take money from executives of the gas and oil industry, for example. There were another bunch of other commitments that were made, but it was inconceivable for us to have enough people that could possibly go manually through those filings. So for us to be able to build an automated system for doing that meant that we were literally saving thousands of human hours and still getting a beneficial result out of it. And everything you do is subject to intense scrutiny by folks who are willing to make hay out of anything. If it had leaked at the time, I would have absolutely done some ridiculous nonsense thing about, ah, clearly looking at this AWS bill, Joe Biden supports managed NAT gateway data processing pricing. And it's,
Starting point is 00:13:54 but absolutely not. But that doesn't stop people from making hay about this because headlines are going to be headlines. And you have to also deal with the interesting aspect that industrial espionage is always kind of a thing, but by and large, most companies don't have to worry that effectively half of the population is diametrically opposed to the thing it is that they're trying to do, to the point where they might very well try to get insiders there to start leaking things out. Everything you do has to be built with optics in mind, working under tight constraints. And it seems like an almost insurmountable challenge, except for the fact
Starting point is 00:14:31 where you clearly pulled it off. Yeah. Yeah. Yeah. We kept to saying that the tech was not the story, right. And we wanted to do everything within our power to keep the conversation on the candidate and not on emails or AWS bills or, you know, any, any of that kind of stuff. And so we were very intentional about a lot of the decisions that we ended up making with the idea that if the optics are bad, we pull away from the primary mission of what it is that we're trying to do. So what was it that qualified you to be the CTO of a, at the time, very fledgling and uncertain campaign, given that you were coming from a role where you were a distinguished engineer, which is not nothing, let's be clear, but it's an executive level role rather than a hands-on level role as CTO. And if we go back in
Starting point is 00:15:24 time, you were one of the founding developers of Spinnaker over at Netflix. And I have a lot of thoughts about Netflix technology and a lot of thoughts about Spinnaker as well. And none of those thoughts are, this seems like a reasonable architecture I should roll out for a presidential campaign. So please don't take this as the insult it probably sounds like, but why were you the CTO that got tapped? Great question. And I think in some ways, right place, right time. But, you know, in other ways, probably needs to speak a little bit to the journey of how
Starting point is 00:15:58 I've gotten anywhere in my career. So going back to Netflix. Yeah. So I worked at Netflix. I had the opportunity to work with a lot of incredibly bright and talented folks there. One of the people in particular who I met there and became friends with was Corey Bertram, who worked on the core SRE team. Corey left Netflix to go off. And at the time, he was just like, I'm going to go do a political startup.
Starting point is 00:16:26 The interesting thing about Netflix at the time, this was 2013. So this was just after the Obama for America '12 campaign. And a bunch of folks from OFA world came and worked at Netflix and a variety of other organizations in the Bay Area. Corey was not one of those people, but we were, you know, very well connected with folks in that world. And Corey said he was going off to do a political startup. And so after my non-mutual departure from Netflix, I was talking to Corey and he said, hey, why don't you come over and help us figure out how to do continuous delivery over on the political startup. That political startup turned into the Groundwork, which turned into essentially the tech platform
Starting point is 00:17:11 for the Hillary for America campaign. So I had the opportunity working for the groundwork to work very closely with the folks in the technology organization at HFA. And that got me, you know, more exposure to what that world is and more connections into that space. And the groundwork was run by Corey, but was this CEO or I don't even know what he called himself, was Michael Slaby, who was President Obama's CTO in 2008 and had a bigger technical role in the 2012 campaign. And so for his involvement in HFA 16 meant that he was a person who was very well connected for the 2020 campaign. And when we were out at a political conference in late 2018. And he said, hey, I think that Vice President Biden is going to run. Do you have any interest in talking with his team?
Starting point is 00:18:11 And I said, yes, absolutely. Please introduce me. And I had a couple of conversations with Greg Schultz, who was a campaign manager. And we just hit it off. And it was a really great fit. Greg was an excellent leader. He was a real visionary, exactly the person that President Biden needed. And he brought me in to set up the tech operation and get
Starting point is 00:18:31 everything to where we ultimately, you know, won the primary and won the election after that. And then as all things do, it ended. And the question then becomes, great, what's next? And the answer for you was apparently, okay, I'm going to go back to Target-ish. Although now you're the CISO of a Target subsidiary. Shipt and Target's relationship is, again, I imagine I have that correct, as far as you are in fact a subsidiary of Target. So it wasn't exactly a new, but rather a transition into the previous organization you were in, in a different role? Yeah, correct. Yeah, it's a different department inside of Target, but my paychecks still come from Target.
Starting point is 00:19:15 So what was it that inspired you to go into the CISO role? Because obviously security is everyone's job, which is what everyone says, which is why we get away with treating it like it's nobody's job, because shared responsibilities tend to work out that way. And you've done an awful lot of stuff that was not historically deeply security-centric, although there's always an element passing through it. Now going into a CISO role as someone without a deep InfoSec background that I'm aware of, what drove that? How did that work? You know, and I think the most correct answer is that security has always been in my blood. I think like most people who started out... They have medications for that now. Yeah, good. I might need them. I think like most folks who are kind of my era, who started
Starting point is 00:20:02 like seriously getting into software development and computer system administration in the late 90s, early, early thousands, you know, cybersecurity, it wasn't called cybersecurity at the time. It was it wasn't even called InfoSec, right? It was just called, I don't know, dabbling or something. But, you know, that that was kind of a gateway for getting into Linux system administration, network engineering, you know, so forth and so on. And for a short period of time, I became when I was getting my RHCE certification way back in the day, I became pretty entrenched in network security. And that was a really big focus area that I spent a lot of time on. And I got whatever the supplemental network security certification from Red Hat was at
Starting point is 00:20:49 the time. And then I realized pretty quickly that, you know, the world isn't going to need box operators for very long. And this was just before the DevOps revolution had really come around and, you know, more and more things were automated. So we were still doing hand deployments. I was still dropping war files onto a file system and restarting Apache. That was our deployment process. And I saw the writing on the wall and I said, if I don't, if I don't dedicate my, myself to becoming first and foremost, a software engineer, then, you know, I'm,
Starting point is 00:21:23 I'm not going to have a very good time in technology here. So I jumped out of that and I got into software development. And so that's kind of where my software engineering career evolved out of. So when I was CTO for the campaign, I like to tell people that I was, you know, 100% a CTO, I was 100% a CIO, and it was 100% a CISO for the first 514 days of the campaign or whatever it was. So I was 300% doing all of the top-level technology jobs for the campaign. But cybersecurity was, without a doubt, the one that we would drop everything for every single time. And that was by necessity. We were constantly under attack on the campaign. And I spent a lot of my headspace during that period of time was dedicated to how do we make sure that we're doing things in the most secure way. So when I left, when I came
Starting point is 00:22:19 back into Target and I came back in as a distinguished engineer. There were some areas that they were hoping that I could contribute positively and help move a couple of things along. The idea always, the whole time, was going to be for me to jump into a leadership position. And I got a call one day from Rich Agostino, who's the CISO for Target. And he said, hey, Shipt needs a cybersecurity operation built out. And you're looking for a leadership role. Would you be interested in doing this? And I, believe it or not, I had missed the world of cybersecurity so much that when the opportunity came up, I said, yes, absolutely.
Starting point is 00:23:02 I'll dive in headfirst. And so that was kind of the path for getting there. This episode is sponsored by our friends at Oracle HeatWave, a new high-performance query accelerator for the Oracle MySQL database service, although I insist on calling it MySquirrel. While MySquirrel has long been the world's most popular open-source database, shifting from transacting to analytics required way too much overhead and, you know, work. With HeatWave, you can run your OLAP and OLTP, don't ask me to pronounce those acronyms ever again, workloads directly from your MySquirrel
Starting point is 00:23:37 database and eliminate the time-consuming data movement and integration work, while also performing 1,100 times faster than Amazon Aurora and two and a half times faster than Amazon Redshift at a third the cost. My thanks again to Oracle Cloud for sponsoring this ridiculous nonsense. My take to the cybersecurity space has been a little, I think, different than most people's journeys through it. The reason I started a Thursday edition of the Last Week in AWS newsletter is the security happenings in the AWS ecosystem for folks who don't have the word security in their job titles.
Starting point is 00:24:15 Because I used to dabble in that space a fair bit. The problem I found is that as you move up the ladder to executives that are directors, VPs, and CISOs, the language changes significantly. And it almost becomes a dialect of corporate speak that I find borderline impenetrable versus the real world terminology we're talking about when, OK, let's make sure that we rotate credentials on a reasonable, expected basis where it makes sense, etc., etc. It almost becomes much more of a box-checking compliance exercise slash layering on as much as you possibly can for plausible deniability for the inevitable breach that one day hits. And instead of actually driving towards better outcomes. And I understand that's a cynical, strange perspective.
Starting point is 00:25:02 But I started talking to people about this, and I'm very far from alone in that, which is why people are subscribing to that newsletter. And is that the corner of the market, the higher up you go, the entire messaging and purpose change? Or is that just someone who's been in the trenches for too long and hasn't been on that side of the world, and I have a certain lack in perspective that would make this all very clear, which I freely accept if that's the case? No, I think that you're right for a lot of organizations. I think that's a hundred percent true. And it is exactly as you described, a box-checking exercise for a lot of organizations. Something that's important to remember about Target is, you know, Target was the subject of a data breach in 2012. And that was before there were data breaches every single day, right?
Starting point is 00:25:59 Now we look at a data breach and we say, that's just going to happen, right? That's the cost of doing business. But back in 2012, it was really a very big story and it was a very big deal. And there was quite a bit of activity in the Target technology world after that breach. So, you know, it reshaped the culture quite literally. New executives were brought in, but there's this whole world of folks inside of Target who have never forgotten that. Right. And work day in and day out to make sure that we don't have another breach. So security at Target is a centrally thought-about kind of thing.
Starting point is 00:26:39 So it's very much something that is a part of the way that people operate inside of Target. So, you know, coming over to Shipt, obviously Shipt is a subsidiary. It is a part of Target, but doesn't have that long history. And, you know, it hasn't had that same kind of experience. The biggest thing that we really needed at Shipt is first and foremost to get the program established. Right. So I'm three or four months onto the job now, and we've tripled the team size. And you've stayed out of the headlines,
Starting point is 00:27:11 which is basically the biggest and most accurate breach indicator I've found so far. So far, so good. But the thing that we want to do, though, is to be able to bring that same kind of focus of importance that Target has on cybersecurity into the world of engineering at Shipt. And it's not just a compliance game, and it's not just a thing where we're just trying to say that we have it.
Starting point is 00:27:35 We're actually trying to make sure that as we go forward, we've got all these best practices from an organization that's been through the bad stuff that, you know, we can adopt into our day to day and kind of get it done. When we talk about it at an executive level, obviously we're not talking about, you know, the penetration test done by the red team the earlier day, right? We're not, we're not calling any of that stuff out in particular, but you know, we do try to summarize it in a way that makes it clear that the thing that we're trying to do is build a security minded culture and not just check some boxes and make sure that, you know, we have the appropriate titles in the appropriate places so that our insurance rates go down. Right. We're actually trying to keep people safe. And there's a lot to be said for that.
Starting point is 00:28:22 I mean, the target breach back in, I want to say 2012, was it, it was, I mean, again, it was a wake up call. And the argument that I've always seen is that everyone is vulnerable. It just depends on how much work it's going to take to get there.
Starting point is 00:28:36 And for credit where due, there was a complete rotation in the executive levels, which whether that's fair or not, I, people have different opinions on it. My belief has always been you, you own the responsibility regardless of who's doing the work. in the executive levels, which whether that's fair or not, people have different opinions on it. My belief has always been you own the responsibility regardless of who's doing the work. And there's no one as fanatical as a convert on some level, and you've clearly been doing a lot of things in
Starting point is 00:28:54 the right direction. The thing that always surprises me is that when I wind up seeing these surveys in the industry, that, what is it is it 65 of companies say that they would be vulnerable to that they would be vulnerable to a breach and everyone said oh we should definitely look at those companies my argument is hang on a sec i want to talk to the 35 who say oh we're impenetrable because spoiler you are not no one. Just a question of how heavy is the lift and how much work is it going to take to get there? I do know that mouthing off in public about how perfect the security of anything is, is the best way to more or less climb to the top of a mountain during a thunderstorm, hold up a giant metal rod and curse the name of God.
Starting point is 00:29:41 It doesn't lead to positive outcomes basically ever. In turn, this also leads to companies not talking about security openly. I find that in many cases, it is easier for me to get people to talk about their AWS bills than their InfoSec posture. And I do believe incidentally, those two things are not entirely unrelated, but how do you view it? I mean, it was surprisingly easy to get ships CISO to have a conversation with me here on this podcast. It is significantly more challenging in most other companies. Well, in fairness, you've been asking me for about two and a half years pretty regularly to come. And I always say, I will stop bothering you if you want. You said, no, no,
Starting point is 00:30:22 ask me again in a few months. Ask me again after the election. Ask me again after, I don't know, like the one day delivery thing gets sorted out, whatever it happens to be. And that's fine. I follow up religiously and eventually I can wear people down by being polite, yet persistent. So persistence on that on you is actually the credit here. No, I think, you know, to your question, though, I think that there's a good balance, right? There, there's a good balance in being open about what it is that you're trying to do versus, you know, over, oversharing areas that maybe you're, you're less proficient in, right?
Starting point is 00:31:00 So it wouldn't, it wouldn't make a lot of sense for me to come on here and tell you the areas that we need to develop into in security. You know, but on the other side of things, I can I am very happy to come in and, you know, talk to you about how our incident response plan is evolving. Right. And what you know, what our plan looks like for for doing all that kind of stuff. Some of the best security practitioners who I've worked with in the world, you know, will tell you that you're not going to prevent a breach from a motivated attacker. And your job as CISO is to make sure that your response is appropriate, more so than anything. So our incident response area is where today we're dedicating quite a bit of effort to build up our proficiency. And that's a very important aspect of
Starting point is 00:31:46 the cybersecurity program that we're trying to build here. And unlike the early days of a campaign, you still have to be ultra-conscious about security. But now you have the luxury of actually being able to hire security staff, because it turns out that "please come volunteer here" is not, presumably, Shipt's hiring pitch. That's correct. Yeah, exactly. We have a lot of buy-in from the rest of leadership to build out this program. You know, Shipt's history with cybersecurity is one where there were a couple of folks who did a remarkably good job, for just being two or three of them for a really long period of time, who ran the cybersecurity
Starting point is 00:32:26 operation, which very much was not a part of the engineering culture at Shipt. But, you know, there still was coverage. Those folks left earlier in the year, all of them simultaneously, unfortunately. And that's sort of how the position became open to me in the first place. But it also meant that I was quite literally starting with next to nothing. Right. And from that standpoint, it made it feel a lot like the early days of the campaign, because I was having to build a team, you know, from scratch and having to get people motivated to come and work on this thing that had, you know, kind of an unknown future roadmap associated with it and all of that kind of stuff.
Starting point is 00:33:06 But we've been very privileged: because we have that leadership support, we're able to pay market rates and actually hire qualified and capable and competent engineers and engineering leaders to help build out the aspects of this program that we need. And like I said, we weren't exactly at zero when I walked in the door. So when I say we were able to quadruple the team, it doesn't mean that we just added four zeros there, but, you know, we've got a little bit over a dozen people focusing on all areas of security for the business that we can think of. And that's just going to continue to grow. So it's exciting. It's a challenge. But having the support of the entire organization behind something like this really, really helps a lot. I know we're running
Starting point is 00:33:50 out of time for a lot of interview, but one more question I want to ask you about is: when you're the CISO for a nationally known politician who is running for the highest office, the risk inherent to getting it wrong is massive. This is one of those mistakes that will show indelibly for the rest of, well, we'll argue, U.S. history. You could arguably say that there will be consequences that go that far out. On the other side of it, once you're done on the campaign, you're now the CISO at Shipt. And I'm not in any way insinuating that the security of your customers and your partners and your data across the board is not important. But it does not seem to me from the outside that it has the same "if we get this wrong, there are repercussions that will extend into my grandchildren's time." How do you find that your ability to care as deeply about this has changed, if it has?
Starting point is 00:34:50 My stress levels are a lot lower. I'll say that. But you can always spot the veterans on an SRE team, and when I say veterans, I mean veterans from the armed forces, because: no one's shooting at me. "We can't serve ads right now." I'm really not going
Starting point is 00:35:05 to run around and scream like my hair's on fire, because this is nothing compared to what stress can look like. And yeah, there's always a worse stressor. But so on some level, it feels like it would be an asset. And again, this is not to suggest you don't take security seriously. I want to be very clear on that point. Yeah, yeah. No, I, you know, the important challenge of the role is building this out in a way that we have coverage over all the areas that we really need. Right. And that is actually the kind of stuff that I enjoy quite a bit. I enjoy starting a program. I enjoy seeing a program come to fruition. I enjoy helping other people build their careers out. And so I have, you know, a number of folks who are at earlier points in their career who I'm very happy that we have on our team, because I can see them grow and I can see them, you know, understand and set up what the next thing for them to do is. And so when I look at the day-to-day here, I was motivated on the campaign by that reality of like, there is some quite literal life-or-death stuff that is going to happen here.
Starting point is 00:36:12 And that's a really strong pressure to make sure that we're doing all the right stuff, and not having the stress of like, this could be the end of the world if we get this wrong, means that I can spend time focusing on making sure that the program is coming together as it should. And getting joy from seeing the program come together is where a lot of that motivation is coming from today. So it's just different. Right. It's a different thing, but at the end of the day, it's very rewarding and I'm enjoying it and, you know, can see this continuing on for quite some time. And I look forward to ideally getting you back in another two and a half years after I begin badgering you in two hours in order to come back on the show. If people want to hear more about what you're up to, how you view these things, potentially consider working with you, where can they find you? Best place, although I've not been as active because it has been very busy the last couple of months, but find me on Twitter, danveloper, find me on LinkedIn. I posted a couple of blog posts about the technology choices that we made on the campaign that I think folks find interesting. And periodically, I'll share out my thoughts on Twitter about whatever the most current thing is, Kubernetes or AWS about to go down or something along those lines. So yeah, that's the best way.
Starting point is 00:37:46 And I tweet out all the jobs and post all the jobs that we're hiring for on LinkedIn and all of that kind of stuff. So usual social channels, just not Facebook. Amen to that. And I will, of course, include links to those things in the show notes. Thank you so much for taking the time to speak with me. I appreciate it. Thank you, Corey. Dan Woods, CISO and VP of Cybersecurity at Shipt, also formerly of the Biden campaign, because wherever he goes, he clearly paints a target on his back. I'm cloud economist Corey Quinn, and this is Screaming in the Cloud. If you've enjoyed this podcast, please leave a five-star review on your podcast platform of choice. Whereas if you've hated this podcast, please leave a five-star review on your podcast platform of choice, along with an incoherent rant that is
Starting point is 00:38:36 no doubt tied to either politics or the alternate form of politics, Spinnaker. If your AWS bill keeps rising and your blood pressure is doing the same, then you need the Duckbill Group. We help companies fix their AWS bill by making it smaller and less horrifying. The Duckbill Group works for you, not AWS. We tailor recommendations to your business and we get to the point. Visit duckbillgroup.com to get started.
Starting point is 00:39:24 This has been a HumblePod production. Stay humble.