[00:00:04] Welcome to another episode of TechUnhinged.
[00:00:06] Today we have Paul Bockelman as our
[00:00:09] esteemed guest. As a quick intro, he
[00:00:11] spent almost 25 years building cloud
[00:00:14] platforms for defense agencies, federal
[00:00:16] government, and various intelligence
[00:00:18] communities. He spent 9 years at AWS and
[00:00:21] three years at Google uh public sector
[00:00:23] architecting systems that could, you
[00:00:25] know, compromise national security in
[00:00:27] the event of security failures. He’s now
[00:00:29] CTO at Quantipy building decentralized key
[00:00:32] management for post-quantum security.
[00:00:35] It’s really great to have you on the
[00:00:37] podcast.
[00:00:37] >> Thanks Ashar. I appreciate it. Thanks for
[00:00:39] having us.
[00:00:40] >> Would you like to tell me the joke that
[00:00:41] you have on your company name like we
[00:00:44] >> it was really good.
[00:00:46] >> Yeah, we we we it’s spelled Quantipy.
[00:00:49] That’s the correct spelling for our
[00:00:50] name. So quantum API, but uh the U was
[00:00:53] dropped um for a number of various
[00:00:56] reasons, but we just joke about it and
[00:00:57] say that the U is encrypted. That’s why
[00:00:59] you don’t see it.
[00:01:00] >> So we built encryption right in the
[00:01:01] name, right? So
[00:01:02] >> right into the name. We just hit you
[00:01:04] right from the start. That’s right.
[00:01:06] >> Absolutely.
[00:01:08] >> That’s good. All right. So my first
[00:01:10] question, right? So and I ask this a lot
[00:01:12] of security people actually because so
[00:01:14] after 25 years protecting other people’s
[00:01:16] data, how paranoid have you become about
[00:01:19] yours? Uh, you know, it’s actually kind
[00:01:20] of interesting. Surprisingly, I’m pretty
[00:01:22] unfazed by it. You know, I know that’s
[00:01:24] probably what most people don’t expect
[00:01:25] because, you know, I mean, pick a data
[00:01:27] breach. I’m sure my data is out there,
[00:01:29] right? I’m sure probably a high
[00:01:30] likelihood that yours and many of our
[00:01:32] listeners are also included in those
[00:01:34] breaches. So, you know, I mean, I think
[00:01:36] my approach that I take really is is I
[00:01:38] focus on what I can lock down. So, if
[00:01:41] the data is out there, what is a way
[00:01:43] that that data can be weaponized against
[00:01:45] me? So, stolen identity and things like
[00:01:47] that. So number one, you know, first and
[00:01:49] foremost by a mile is credit bureaus. I
[00:01:52] have every single one of my credit
[00:01:53] bureaus locked or frozen and I also have
[00:01:56] services on tops of those locks and
[00:01:58] frozen you know options just because I’m
[00:02:00] like you know I want to really really
[00:02:02] really control that data. And so I
[00:02:04] figure, you know, I’m looking at this
[00:02:05] and this is actually kind of largely it
[00:02:07] underpins my thinking about security in
[00:02:10] general is like control what you can
[00:02:11] control and be very vigilant about how
[00:02:14] you’re controlling that data and data
[00:02:16] control point and be disciplined around
[00:02:17] that and then the rest will sort of take
[00:02:19] care of itself. And then I’d say the
[00:02:21] second thing really is, you know, it’s
[00:02:22] pretty pretty straightforward, but it’s
[00:02:24] use multifactor authentication for
[00:02:26] everything. I mean, just turn it on.
[00:02:28] It’s not like it’s going to cost you
[00:02:29] money, whether it’s banking apps, travel
[00:02:31] apps, it doesn’t matter. your library
[00:02:34] card. I mean, if it’s an option to put
[00:02:36] MFA on, I turn it on. And you know, I
[00:02:38] know some people are like, “Ah, it’s
[00:02:39] kind of a pain. I got to deal with
[00:02:40] this.” Listen, it’s much more of a pain
[00:02:42] to have a stolen identity
[00:02:44] >> than it is to deal with multifactor. I
[00:02:46] mean, frankly, and my family would
[00:02:48] probably not be happy for me saying
[00:02:49] this, but frankly, if I could put an MFA
[00:02:52] on our TV remote, I would. But, you
[00:02:53] know, I don’t want myself to come sound
[00:02:55] like I’m being dismissive about security
[00:02:57] and the sensitivity of it. I mean
[00:02:59] obviously that’s super important but you
[00:03:01] know did there are you know with all of
[00:03:02] the leaks and everything it’s like
[00:03:04] that’s water over the dam you can’t
[00:03:05] reverse that so what are you going to do
[00:03:07] going forward and that’s really the way
[00:03:09] I try to focus my time
[00:03:10] >> and MFA applying MFA has become so so
[00:03:12] easy I mean even even if you’re not
[00:03:14] comfortable using a number you have
[00:03:16] authenticator app set up one of them
[00:03:17] maybe Google Microsoft any on your phone
[00:03:20] and just start setting that up so you
[00:03:22] have everything at one single place you
[00:03:24] know what to do what not to do when when
[00:03:26] you have to do it even if you’re
[00:03:27] traveling it’s very easy you you’re at a
[00:03:29] place where you can’t receive a text
[00:03:30] message or something that usually
[00:03:31] becomes a pain and I I know about that
[00:03:33] pain because
[00:03:34] >> oh yeah my 79-year-old mother to do it so
[00:03:38] >> right so after that pain I was like
[00:03:41] authenticator app the way to go right so
[00:03:44] you know you travel abroad your number
[00:03:46] is not working and all of a sudden you
[00:03:47] find out locked you know you find
[00:03:49] yourself locked out of Gmail or or
[00:03:51] anything and you’re like okay
[00:03:52] >> and I’ll admit I mean the first time you
[00:03:54] have to do it I mean it seems like oh
[00:03:56] man this is kind of a pain and then as
[00:03:58] you keep doing it and using it over and
[00:04:00] over and over again. Particularly like
[00:04:01] if you’re doing online banking and
[00:04:02] stuff, it becomes muscle memory and
[00:04:04] you’re like, “Oh, wait a minute. Why
[00:04:05] wasn’t I prompted for my MFA? Am I on a
[00:04:07] legitimate website or something like
[00:04:09] that?” So, I think it’s just a really
[00:04:11] low-cost, high-value way to protect data
[00:04:15] that frankly most people don’t take
[00:04:17] advantage of unless it’s literally
[00:04:19] thrust upon them by whoever they’re
[00:04:20] doing business with.
[00:04:21] >> I definitely agree. You’ve worked a lot
[00:04:23] at with you know different uh defense
[00:04:25] and intelligence kind of departments at
[00:04:27] AWS and Google. What’s the biggest
[00:04:30] difference that you’ve seen then in
[00:04:31] terms of how they approach security
[00:04:33] compared to everyone else?
[00:04:35] >> Well, you know what’s interesting is
[00:04:36] that from on a purely security um
[00:04:40] architectural design best practices,
[00:04:43] they’re very similar, right? Good
[00:04:44] security practices should be universal.
[00:04:46] The way that you defend your enterprise
[00:04:48] is should be the same way that you’re
[00:04:50] defending, you know, a local forward
[00:04:51] operating base. Right? Now, what’s
[00:04:53] different is where things diverge and
[00:04:55] things become hard is that within
[00:04:57] defense, they have what’s called an ATO.
[00:04:59] has an authority to operate and it’s a
[00:05:01] number of requirements that you know I
[00:05:03] mean I think the the intentions are well
[00:05:05] placed but what it requires is a
[00:05:07] substantial amount of additional
[00:05:10] controls additional software
[00:05:13] capabilities reporting that has to be
[00:05:15] added into your production system so
[00:05:18] that the government can both u you know
[00:05:20] continuously monitor uh the health of
[00:05:22] your environment and also you know look
[00:05:24] seek out you know and try to mitigate
[00:05:26] the risk of any you know wild
[00:05:28] vulnerabilities that in the wild. The
[00:05:29] problem with that is it’s really
[00:05:31] expensive, right? So, in the industry,
[00:05:33] they’ll refer to it kind of as like the
[00:05:35] uh the cyber security valley of death,
[00:05:37] right? Because you’re like, “Oh, I’m
[00:05:38] going to go do business with DoD.” Okay,
[00:05:40] they’ve got all this money. They’re
[00:05:41] desperate for tech, but then you hit the
[00:05:43] regulatory friction. It’s like, you
[00:05:45] know, you’re kind of running along the
[00:05:46] way and then you step onto a giant floor
[00:05:49] just covered in gorilla tape. It’s like,
[00:05:51] oh, you immediately stop because you’re
[00:05:53] like, wow, I have to navigate this. And
[00:05:55] so what ends up happening is, you know,
[00:05:57] that friction stalls a lot of companies,
[00:05:59] especially smaller companies, because
[00:06:01] like I said, it’s expensive. I we’re
[00:06:03] talking 18 to 24 months and several
[00:06:06] millions of dollars just to get through
[00:06:08] all of the wickets to say that you meet
[00:06:10] the requirements. That doesn’t even
[00:06:12] guarantee you that you’ll get $1 of
[00:06:14] business. You have to make all of that
[00:06:16] upfront investment. And so, you know, I
[00:06:18] mean, when you think about the number of
[00:06:20] controls, uh, you know, again, for very
[00:06:22] good reasons, the control framework is
[00:06:24] very u tense. It’s very deliberate. But,
[00:06:27] you know, if you’re talking about what’s
[00:06:28] called an impact level four, impact
[00:06:30] level 5 system or a national security
[00:06:32] system, you’re talking between 419 and
[00:06:35] 590 security controls that must be met.
[00:06:38] Security and compliance controls, they
[00:06:39] have to be met. thinking here, okay, so
[00:06:41] your you know your big banks and
[00:06:43] financial companies, yeah, they have
[00:06:44] very stringent security, but there are
[00:06:46] things that this requirement from the
[00:06:49] the government um in the way that you do
[00:06:51] architectural designs that in many cases
[00:06:54] and I I noticed this right away when I
[00:06:56] joined the cloud, the ranks of the cloud
[00:06:58] was that it seems counterintuitive to do
[00:07:01] a lot of them. you know, when you get
[00:07:02] into network egress and ingress patterns
[00:07:05] and the way that that data flows, you
[00:07:07] know, from an enterprise perspective,
[00:07:08] they think, oh, you know, an enterprise
[00:07:09] architect’s like, oh, just going to, you
[00:07:11] know, I’m going to attach a gateway to
[00:07:13] my my VPC and I’m going to put, you
[00:07:15] know, certain amount of scanning, L7
[00:07:17] scanning. I’m going to do some firewall
[00:07:19] scanning on the inside. Okay, that’s
[00:07:21] straightforward. Yeah, it’s not that
[00:07:22] straightforward. Um, it literally the
[00:07:24] structural patterns of the way the
[00:07:26] software is deployed into these
[00:07:28] environments is substantially different.
[00:07:30] But the end, you know, like I opened up
[00:07:32] with my answer, it’s like the end state
[00:07:34] is still secure. You’re going to be
[00:07:36] secure and you’re going to use security
[00:07:37] best practices. The difference is is,
[00:07:39] you know, there’s a lot lot lot more of
[00:07:42] trust. Trust verify and prove it on an
[00:07:44] ongoing basis that you have to plan for
[00:07:47] uh if you’re a company that’s going to
[00:07:48] start doing business in this space. And
[00:07:50] it’s not, like I said, it’s not
[00:07:51] inexpensive. And it’s not for the faint
[00:07:53] of heart. I guess the last thing I’ll
[00:07:54] close with is that, you know, you you as
[00:07:57] a business, if you make the commitment
[00:07:59] to go down that path, you need to
[00:08:01] realize from a sales perspective that
[00:08:03] you may not bring in your first dollar
[00:08:04] of revenue before 24 months of starting
[00:08:07] the process. So, that can be a tough
[00:08:10] pill to swallow for many investors and
[00:08:12] board members because they’re like,
[00:08:13] “Hey, we want to see the revenue
[00:08:14] engine.” It’s like, “Yeah, so do I.”
[00:08:16] But, you know, there’s all these things
[00:08:17] we have to get through. So I mean that
[00:08:19] what that did is that you know
[00:08:20] essentially kind of stacked the deck
[00:08:22] where the big primes who have made those
[00:08:24] multi-billion dollar investments over
[00:08:26] decades they’re the default ones that
[00:08:27] the government you know falls back to
[00:08:29] because it’s like well they they’re
[00:08:31] already you know most of the way down
[00:08:32] the road. But what where that fails us
[00:08:34] is that innovation will lag as a result.
[00:08:36] You know, you have some of the smartest
[00:08:38] and best tech out there coming from
[00:08:41] entrepreneurs that never had on their
[00:08:43] roadmap that they were going to have to
[00:08:44] spend, you know, 24 months just doing
[00:08:46] security reviews before their software
[00:08:48] could be used. And frankly, at the pace
[00:08:50] of change in the industry right now, 24
[00:08:52] months, heck, you know, 8 weeks, you can
[00:08:55] see that your technology could become
[00:08:57] outdated and needs to be revised with as
[00:08:59] fast as things are moving now. And it’s
[00:09:02] just a really, it’s a really difficult
[00:09:04] pill for a lot of companies to swallow.
[00:09:05] So frankly there’s a lot of good tech
[00:09:07] that doesn’t see you.
[00:09:08] >> Yeah. Imagine you starting a company at
[00:09:10] you know start of 24 or start end of 24
[00:09:12] and those 24 months now include Claude
[00:09:15] and GPT and Perplexity and of these
[00:09:19] frontier models coming out with
[00:09:20] consumer-based apps and you’re like yeah
[00:09:24] this spreadsheets right so
[00:09:27] >> yeah I mean when you think about it when
[00:09:28] once you get through the process your
[00:09:30] tech could be literally outdated by a
[00:09:33] year or more and the material changes
[00:09:36] that you need to make in order for your
[00:09:38] software to be relevant completely. It
[00:09:40] could like kick off the process needing
[00:09:41] to be redone again. So thankfully, you
[00:09:44] know, the current administration is
[00:09:46] leaning forward in terms of Department
[00:09:48] of War around no, we want to embrace uh
[00:09:51] change. We want to embrace our small
[00:09:53] agile technology companies because
[00:09:55] they’re going to bring us the best tech
[00:09:56] in the shortest period of time. And you
[00:09:59] know, we’re working with them as well to
[00:10:01] saying, okay, let’s put the appropriate
[00:10:02] guardrails in place that you know, the
[00:10:04] speed of adoption does not have to mean
[00:10:06] increased risk. It could be an
[00:10:08] acceptable amount of risk that goes up,
[00:10:10] but it doesn’t mean to be a translation
[00:10:12] into, you know, this could be fatal or
[00:10:14] whatever. So there’s there’s a lot
[00:10:16] happening in this space right now.
[00:10:17] >> Yeah.
[00:10:17] >> So I mean I think being aware of all of
[00:10:20] this, you still left Google to build
[00:10:22] Quantipy’s key management platform, right?
[00:10:24] So
[00:10:25] >> what problem were you kind of running
[00:10:27] into that made you think that hey, we
[00:10:29] need to go and build this myself or you
[00:10:31] know something else drove that? So, you
[00:10:34] know, I felt that I needed to to to
[00:10:36] build it because for the record, I did
[00:10:38] thoroughly enjoy my time at AWS and
[00:10:41] Google. I was okay. I I I consider
[00:10:43] myself to be very fortunate to have been
[00:10:45] a part of that industry as it was coming
[00:10:49] up and it was being built and I like
[00:10:51] many of my former colleagues can sit
[00:10:54] there and honestly say with a straight
[00:10:55] face that we built the cloud like the
[00:10:57] cloud is what it is today because of our
[00:11:00] direct actions you know 5 years ago 10
[00:11:02] years ago 15 years ago and so I’m very
[00:11:04] proud of that fact but why did I leave
[00:11:06] you know because when I looked at the
[00:11:07] industry you know the cracks really
[00:11:09] started showing up on a daily basis in
[00:11:12] the system. Um, you know, when we
[00:11:13] started, everybody was scrappy.
[00:11:15] Everybody was a builder. Everyone was an
[00:11:17] owner of the business. You did what you
[00:11:19] had to do to get something done. In
[00:11:20] fact, I used to laugh cuz, uh, you know,
[00:11:22] one of the common phrases when I was at
[00:11:24] AWS is if you discover a problem, you
[00:11:27] own it until you find a new owner. So,
[00:11:29] it didn’t matter if it was a service
[00:11:31] team process or something, unless you
[00:11:33] found somebody to take it over, it was
[00:11:34] your problem to deal with. But what
[00:11:37] happened is that the companies have
[00:11:39] grown and developed and you know they
[00:11:40] they’ve they’ve gotten to a point where
[00:11:42] they’ve hit a critical mass and they’ve
[00:11:44] shifted from and I think we’ve seen a
[00:11:46] very deliberate shift by these
[00:11:48] hyperscalers to be
[00:11:49] >> y from innovative focus to more
[00:11:52] sustainment. They have these massive
[00:11:54] massive global architecture or
[00:11:55] infrastructures rather that are built up
[00:11:57] and it’s all about how do we sustain the
[00:11:59] revenue flow with you know material
[00:12:01] gains year after year and it’s less
[00:12:04] about building and more about keeping
[00:12:05] the lights on and that critical mass I
[00:12:07] mean I think it’s it’s become pretty
[00:12:09] clear and evident because you see all
[00:12:11] the layoffs that have been happening in
[00:12:13] the industry. So you’ve gone from you
[00:12:15] know being an individual contributor
[00:12:17] owning a problem from its inception to
[00:12:19] its to its resolution and now you know
[00:12:22] it’s hey uh you’re in a service team
[00:12:24] that we don’t really need your services
[00:12:26] anymore for because we can just keep the
[00:12:27] lights on using AI or whatever. Yep.
[00:12:30] >> And uh you know it’s it’s it’s a very
[00:12:31] unfortunate thing. So when as I saw that
[00:12:33] happening I was like you know what I I
[00:12:36] came from being a builder. I want to get
[00:12:38] back to being a builder. I felt like I
[00:12:39] was a builder definitely at AWS less so
[00:12:42] at Google but I was still a builder in a
[00:12:44] sense because it you know when I by the
[00:12:46] time I went to Google the the shift in
[00:12:48] the industry had already started and so
[00:12:51] you know there’s a lot of things that we
[00:12:53] could be doing that we’re not and you
[00:12:55] know how can I affect change you know
[00:12:57] and then you know looking at the layoffs
[00:12:59] I you I see some of my friends and
[00:13:01] former colleagues with 15 years 15 years
[00:13:04] at AWS you know that’s a purple badge
[00:13:06] getting laid off with it by email mass
[00:13:08] email literally 15 years gone one email.
[00:13:11] So what it told me was that loyalty was
[00:13:13] too expensive for these companies when
[00:13:15] you’re when they’re in sustainment mode.
[00:13:17] And so I saw that as a big problem. The
[00:13:19] second thing was that there was real
[00:13:21] innovation that the cloud providers are
[00:13:23] kind of walking past specifically when
[00:13:25] it comes to things like tactical edge
[00:13:28] you know operate. How do you operate and
[00:13:30] deliver a capability to a customer? I’ll
[00:13:32] just call them customers that are in an
[00:13:34] environment that has a degraded
[00:13:35] connectivity. Yep. likely to be
[00:13:38] disrupted intermittently available. How
[00:13:40] do you solve for that? Now, if you think
[00:13:42] about the cloud companies, their entire
[00:13:44] business built on, you know, global
[00:13:46] infrastructure fabric that you can run,
[00:13:48] but you need the internet connection.
[00:13:50] So, how do you solve for that? What ends
[00:13:51] up happening is that they it was ignored
[00:13:54] for a lot of years until folks like the
[00:13:56] Department of Defense put out contracts
[00:13:58] for $10 billion or more. They’re saying,
[00:14:00] “Hey, we got to have this capability.”
[00:14:02] But in order to win the contract for
[00:14:04] cloud computing, you need to also
[00:14:06] provide us a capability that addresses
[00:14:09] disconnected edge. And what I saw time
[00:14:11] and time again, I saw at AWS, I saw it
[00:14:13] again at Google, and they’re continuing
[00:14:15] to do it at both places, is they’re
[00:14:17] going out and they’re repackaging the
[00:14:19] same old hardware from the same vendors
[00:14:21] that are currently in the in the
[00:14:22] environment now. They’re slapping uh
[00:14:24] cloudlike, it’s not even full cloud,
[00:14:26] cloud-like software onto those
[00:14:28] hardwares, and they’re calling that
[00:14:30] disconnected cloud. Y
[00:14:31] >> that’s anything but and it just became a
[00:14:33] repeated pattern. I was like oh my
[00:14:35] goodness this is making me crazy you
[00:14:37] know and then finally it was like when
[00:14:38] you look at like some really disruptive
[00:14:41] technology innovations you bring them to
[00:14:43] the table in one of the big providers is
[00:14:46] that you know first thing you’re going
[00:14:47] to be asked is what’s the burn rate?
[00:14:49] How’s it going to spin the meter? Right?
[00:14:51] What’s the monthly reoccurring revenue?
[00:14:52] And if that disruptive technology does
[00:14:55] not generate revenue and it needs to
[00:14:56] generate revenue pretty quickly it’ll
[00:14:58] just die on the whiteboard. will never
[00:15:00] see the light of day. And it doesn’t
[00:15:01] matter that that is a capability that in
[00:15:04] example of our war fighters that they
[00:15:06] need. It’s not like hey I would like to
[00:15:08] have this. It’s no no they need a
[00:15:10] capability because the adversaries are
[00:15:13] adopting technology and tech innovation
[00:15:15] at a rate much faster than we are
[00:15:18] because they don’t have 590 security
[00:15:20] controls they have to meet in order to
[00:15:22] build the tech. When they want when
[00:15:24] their military wants a technology they
[00:15:26] just go take it. And so, you know,
[00:15:28] there’s some real innovators in those
[00:15:29] markets that their their technology
[00:15:31] immediately gets into the hands of our
[00:15:34] nation’s adversaries that we’re looking
[00:15:35] at, well, you know, let’s make sure we
[00:15:37] go through this compliance checklist and
[00:15:39] all this and that. In meantime, you’ve
[00:15:41] got some some bad actors out there that
[00:15:43] are doing bad things on some of the best
[00:15:45] tech infra infrastructure in the world
[00:15:47] because they don’t have the handcuffs.
[00:15:49] And so I looked at that and said, “All
[00:15:50] right, what can I do knowing that that
[00:15:53] is the landscape that we’re operating in
[00:15:55] as a nation and as an industry for that
[00:15:57] matter? What can I do to go out and
[00:16:00] create a capability that is easy for
[00:16:03] everyone to consume but has high impact
[00:16:06] and do it in a way that it doesn’t take
[00:16:09] 24 months to get adopted, which sounds
[00:16:12] like a you’re just, you know, that’s a
[00:16:14] pipe dream.” Well, what I did learn
[00:16:16] during all of my time in cloud is how to
[00:16:18] navigate the wickets both from a
[00:16:20] compliance perspective and in government
[00:16:22] and relationships. And the other thing
[00:16:24] that I also I learned firsthand was that
[00:16:27] if there is a revolutionary idea that
[00:16:30] the war fighter decides that they need,
[00:16:32] they will get it and they will get it on
[00:16:34] a timeline that’s much accelerated. And
[00:16:36] so I said, “All right, I know they need
[00:16:38] this stuff. I want to build. I’m not
[00:16:40] currently in an environment where
[00:16:42] building this is going to meet all of
[00:16:44] the questions and requirements that they
[00:16:46] have. I’m going to leave and I’m going
[00:16:47] to go out back to the startup community
[00:16:48] and that’s why I joined Quantipy. That
[00:16:50] was a long answer but you know it’s kind
[00:16:52] of a history that kind of has to come
[00:16:53] with it.
[00:16:53] >> No, I think it shows your thought
[00:16:55] process. It shows the reason why you
[00:16:57] wanted to do it. So that’s absolutely
[00:16:59] gold. I mean u thinking through it and
[00:17:02] evaluating from every perspective that
[00:17:04] hey this is why is important. This is
[00:17:07] the reason I wanted to come back. It I I
[00:17:09] felt that you have a passion for
[00:17:11] building as well. So that kind of
[00:17:12] reflected into the decision making
[00:17:14] process too besides the actual need
[00:17:17] being out there. So that’s good. And how
[00:17:19] is it going so far?
[00:17:21] >> So
[00:17:21] >> Oh, fantastic. Uh we are at breakneck
[00:17:24] speed right now. Some of the innovations
[00:17:26] that I wanted to bring forth very
[00:17:28] talented engineering team that has the
[00:17:30] same mentality that I think I keep
[00:17:33] brought to the table and that is mission
[00:17:35] focus. Let’s get it done. Do what we got
[00:17:37] to do. And you know what’s remarkable is
[00:17:39] that we have delivered on timelines that
[00:17:42] are incredible. And that’s without the
[00:17:44] use of AI.
[00:17:45] >> That’s without the use of AI.
[00:17:46] >> That’s without the use. You know, I mean,
[00:17:48] we will slowly begin to adopt AI into
[00:17:51] certain parts of what we’re doing. But
[00:17:53] it’s not going to be done without
[00:17:54] guardrails and the appropriate levels of
[00:17:57] uh, you know, inspection and things like
[00:17:59] that being put in place. But, you know,
[00:18:01] looking at how it’s going, very talented
[00:18:03] team, you know, to go from, they call me
[00:18:05] the mad scientist. That’s that’s my
[00:18:07] nickname. And it’s like, so I go from uh
[00:18:09] in the lab, you know, cooking up
[00:18:11] something crazy as a mad scientist, and
[00:18:13] I’ve gotten it to a point where I then
[00:18:15] hand over a specification and
[00:18:17] requirements document that I then say,
[00:18:19] “Here it is, and oh, by the way, I I
[00:18:21] started building some of the code around
[00:18:23] it.” And then they’re like, “Whoa.” They
[00:18:24] take it and then they go through a
[00:18:26] sprint. And so I’m measuring innovation
[00:18:28] here at Quantipy in days, not in weeks.
[00:18:30] >> That’s great. That’s great.
[00:18:32] >> I said and the market’s responding
[00:18:33] nicely to it. So
[00:18:34] >> yeah, that’s good. And I think once you
[00:18:36] start incorporating AI to a certain
[00:18:39] extent where it assists in some level of
[00:18:42] mundane task and and get those two out,
[00:18:45] you will see and notice a significant
[00:18:48] jump as well. Hopefully.
[00:18:49] >> Oh, for sure. Yeah. You know, there’s
[00:18:51] one thing that Andy Jassy, who’s, you
[00:18:53] know, was when he was CEO at AWS before
[00:18:56] he got promoted to Amazon proper, one
[00:18:58] thing that he used to always say that
[00:19:00] resonated with me and to this day I
[00:19:02] still repeat it is that, you know, the
[00:19:03] goal of cloud was to re remove the
[00:19:06] undifferentiated heavy lifting and so cloud
[00:19:08] is there now, but I see AI like early
[00:19:11] adoption should be in my opinion and I’m
[00:19:14] sure you know we’ll probably address
[00:19:15] this in depth a little bit later, but
[00:19:17] you know AI can be fantastic at getting
[00:19:21] rid of you know undifferentiated heavy
[00:19:23] lifting tasks and um and I think that’s
[00:19:25] a fantastic use of it u definitely to
[00:19:28] start especially when you’re new to it
[00:19:29] right
[00:19:30] >> okay so why not jump into AI I mean
[00:19:32] since we are at it already so everyone’s
[00:19:34] moving to the cloud right so that’s
[00:19:36] there it’s it’s kind of an obvious thing
[00:19:38] now it’s very rare that you see
[00:19:40] applications still being on prem or it’s
[00:19:42] locally hosted clouds or whatever but
[00:19:44] and at a adding AI into everything that
[00:19:47] they’re doing people are I’ve seen
[00:19:49] people giving access to their entire
[00:19:50] laptops to their Gmail to their every
[00:19:53] they don’t even know what they’re giving
[00:19:55] access to or what is asking access for
[00:19:57] and and things are you know going in
[00:19:59] that way and I I I
[00:20:02] wasn’t a very heavy GPT user back you
[00:20:04] know a year back or so but in the last 6
[00:20:06] months I’ve adopted Claude pretty much
[00:20:08] into everything in my process and I and
[00:20:10] there’s another topic that it kind of is
[00:20:12] taking away cognitive thinking from me
[00:20:14] so that’s that’s another problem that
[00:20:17] this thing has but you know from From a
[00:20:19] security perspective, what do you think
[00:20:21] people are getting wrong about how from
[00:20:23] a security perspective, right? So, how
[00:20:25] does this kind of increases probability
[00:20:27] of getting attacked more and you know
[00:20:30] leaving more vulnerabilities out there?
[00:20:32] What are your thoughts on that? I don’t
[00:20:34] I’m not bold enough to say that people
[00:20:35] are getting it quote unquote wrong yet
[00:20:38] at least because you know they’re
[00:20:39] adopting capabilities where the power of
[00:20:42] it is still truly unknown and it’s not
[00:20:45] definitively controlled and so you know
[00:20:48] the urgency for deploying AI right now
[00:20:51] it’s usually driven by top down you know
[00:20:54] corporate mandates that in and of itself
[00:20:56] is a security vulnerability right it’s
[00:20:58] like okay yeah I I’ll use it no no you
[00:21:01] need to use it we’re going to replace
[00:21:03] your job if you know and a whatever.
[00:21:05] Okay. So all the reasons for that that’s
[00:21:07] a separate discussion I agree with you
[00:21:09] but you so then you get into a situation
[00:21:10] where the pressure to ship new code
[00:21:13] beats out the discipline of governing
[00:21:15] right and you know it’s I know I kind of
[00:21:17] went on a bit of a got on a soap box
[00:21:19] earlier about you know the regulations
[00:21:21] and dealing with the government and
[00:21:23] again I’m not saying those things are
[00:21:24] bad but I think you take it with you
[00:21:26] know a grain of salt and and deliver
[00:21:29] well AI right now way people are
[00:21:31] adopting it is you know just oh there
[00:21:34] are rules you know it’s almost like
[00:21:35] they’re surprised when they say,
[00:21:36] “Hey, wait a minute. You’re not supposed
[00:21:37] to do that.” And so from a risk
[00:21:39] perspective, it’s the data spillage into
[00:21:41] the LLM, especially into the public LLM
[00:21:43] because once your data lands inside of
[00:21:45] somebody’s model, it’s out there for
[00:21:47] good. You’re not going to be able to
[00:21:48] pull it back. You can’t unlearn it. You
[00:21:50] know, you can’t unring that bell, so to
[00:21:51] speak. And so there’s the the guardrails
[00:21:54] that need to be put in place before
[00:21:55] people start putting that stuff in,
[00:21:57] right? You know, it’s the old parental
[00:21:58] warning, don’t run with scissors. I look
[00:22:00] at that and that think all that all the
[00:22:02] time. So, the corporate version, take
[00:22:04] the scissors out of people’s hands
[00:22:05] before you let them sprint down the
[00:22:07] hall, not after. And I think that’s
[00:22:08] what’s happening is everybody’s getting
[00:22:10] brand new sets of scissors and they’re
[00:22:11] saying go. I’m like, whoa, whoa, whoa,
[00:22:13] whoa. Let’s think about this for a
[00:22:14] second. And so, if you go back to like
[00:22:16] when we kicked off the conversation
[00:22:18] about, you know, do I worry about data
[00:22:21] or, you know, data security? And I was
[00:22:23] like, well, you know, if you control the
[00:22:24] data, then you can control the outcome.
[00:22:27] And I really think that’s where AI right
[00:22:29] now is missing the mark in that people
[00:22:31] are adopting it but they’re not taking
[00:22:33] the necessary steps to protect the data
[00:22:36] at the data layer itself right and then
[00:22:39] spillages are becoming more and more
[00:22:40] common and you know AI is has you know
[00:22:44] taken the liberty of authorizing itself
[00:22:47] to do certain things that you know it
[00:22:48] wasn’t necessarily given explicit
[00:22:51] permission to do so. I mean, so if you
[00:22:53] think in the like example last summer,
[00:22:55] you know, there’s an AI coding agent
[00:22:58] that completely deleted a production
[00:22:59] database. Yeah. The AI agent did exactly
[00:23:01] what it’s supposed to do, right? It’s
[00:23:03] supposed to learn and optimize. Well,
[00:23:05] guess what? You gave that
[00:23:08] kingdom and said, “Learn and optimize.”
[00:23:09] And it said, “Well, I don’t think we
[00:23:11] need this database.” So, it was only a
[00:23:13] matter of time. And it’s a very
[00:23:14] unfortunate thing, but it’s like I’m a
[00:23:16] big fan of AI. I think it’s I think it’s
[00:23:19] pretty pretty cool stuff, but it’s like,
[00:23:21] man, if you don’t, you know, if you
[00:23:22] don’t get your house
[00:23:24] >> or you don’t put guard rails around,
[00:23:26] it’s going to cause trouble.
[00:23:27] >> Yeah. It’s like take the scissors out of
[00:23:28] your hand. So, somebody’s really going
[00:23:31] to get hurt badly.
[00:23:32] >> So, have you I don’t know if you’ve seen
[00:23:33] Silicon Valley, the TV show.
[00:23:35] >> Yeah. Yeah. The series. Yeah.
[00:23:37] >> You remember uh Anton uh I I forgot the
[00:23:42] the guy who created it, but he created
[00:23:44] this AI machine called Anton. And they
[00:23:47] actually did predict there are two
[00:23:48] things that they Anton did. One it did
[00:23:51] delete their database. So you know 15
[00:23:53] years back they predicted that and the
[00:23:56] other part that it did that it asked uh
[00:23:58] the guy who made Anton asked him to
[00:24:01] optimize their lunch or something. So
[00:24:03] what ended up doing was ordering this
[00:24:06] huge huge amount of beef just to save
[00:24:09] money. Right? So it’s optimized
[00:24:12] those kind of things that they showed in
[00:24:13] the TV shows that you can now read
[00:24:15] stories around it.
[00:24:17] >> Yeah. Yeah. Exactly. I mean it’s it’s
[00:24:19] scary you know. Yeah. I really think
[00:24:21] that there’s opportunities there that
[00:24:23] >> Correct.
[00:24:23] >> Unfortunately I think some people are
[00:24:25] going to be burnt in a big way before
[00:24:27] the industry really pivots and pumps the
[00:24:30] brakes like it should.
[00:24:31] >> There are two things. I mean one is
[00:24:32] obviously data leakage people giving
[00:24:34] access and giving open control and
[00:24:36] everything. At the other side, it is
[00:24:38] also powering people to launch more
[00:24:41] sophisticated attacks, right? So,
[00:24:43] because it’s being used as a weapon as
[00:24:45] well. So, it’s a vulnerability at one
[00:24:47] side where it’s exposing a lot of data
[00:24:50] and then it’s also a weapon on the other
[00:24:51] side where it’s allowing hackers to uh
[00:24:54] deploy, you know, ingenious techniques,
[00:24:57] being able to generate, I mean, code
[00:24:59] massively generate code for for attacks
[00:25:02] and and whatnot. So, it’s attacking from
[00:25:04] those sides.
[00:25:05] >> Yeah. I mean, I think it’s almost a
[00:25:06] false choice, too, because there’s
[00:25:08] really not two separate problems there.
[00:25:09] They’re two sides of the same coin
[00:25:11] because AI, it gets weaponized because
[00:25:14] AI introduces vulnerabilities by using
[00:25:17] it, right?
[00:25:18] >> Right.
[00:25:18] >> Um, and those new vulnerabilities are
[00:25:20] exactly what the adversaries are seeking
[00:25:22] to exploit, right? And then it just
[00:25:24] continues to compound, you know, from a
[00:25:26] security perspective and and and you
[00:25:28] listen to like the likes of um of Google
[00:25:31] with their, you know, their recent
[00:25:32] security acquisitions and everything.
[00:25:34] They’re using AI to combat those those
[00:25:37] things. So you see a pattern where yeah
[00:25:39] you have this kind of this un I don’t
[00:25:41] want to say un almost unfettered access
[00:25:43] to AI across these companies where
[00:25:45] people are using it for code and all
[00:25:47] that kind of stuff and it’s creating all
[00:25:48] these vulnerabilities but then you have
[00:25:50] the industry using uh from a defensive
[00:25:52] perspective AI to to thwart those and
[00:25:54] fight those attacks. So what you end up
[00:25:56] getting into is um I think it’s a
[00:25:58] situation where you’re going to see less
[00:26:00] and less of easy attack surface
[00:26:03] vulnerabilities because everything will
[00:26:05] learn and it’ll tighten up and tighten
[00:26:07] up but then what you’ll see is very
[00:26:08] targeted deep far-reaching attacks that
[00:26:12] are meant to go really far into the into
[00:26:15] the target. And so you know I guess if I
[00:26:17] had to make a choice I would say that
[00:26:19] the bigger immediate risk is AI as being
[00:26:21] a vulnerability. Yeah. I mean people are
[00:26:24] like you said they’re bleeding sensitive
[00:26:26] information into the public models.
[00:26:28] Nobody’s really actively I mean there’s
[00:26:30] some small factions within different
[00:26:32] organizations that are saying no hold on
[00:26:34] we can’t you know give people access to
[00:26:36] this data but employees are pasting
[00:26:37] source code in chat windows, agentic
[00:26:39] systems are calling AI endpoints that
[00:26:42] they weren’t authorized to to to touch
[00:26:44] you know what I mean and so you have
[00:26:46] data that’s just sprawling everywhere
[00:26:48] and frankly it’s the data that is you
[00:26:51] know that’s the honeypot for the bad
[00:26:53] guys right it’s like get access to the
[00:26:54] data well it don’t have to work you’re
[00:26:56] just literally bringing it out to them
[00:26:57] in a basket saying here’s the data and
[00:27:00] so you know so from the weaponization
[00:27:02] it’s a it’s a force multiplier on
[00:27:04] attacks but then they’re also able to
[00:27:06] you know kind of counteract some of
[00:27:07] those is it is a you know the AI is as a
[00:27:10] vulnerability is a new security risk in
[00:27:12] the industry that you know 5 years ago I
[00:27:14] don’t think they were thinking about
[00:27:15] that and you a lot of people are still
[00:27:17] trying to figure out how to address it
[00:27:19] but you know it comes back to
[00:27:21] architectural discipline and you know I
[00:27:24] mean my background has always been that
[00:27:25] as a as a builder and as an architect
[00:27:27] and less of a a security purist been
[00:27:30] around well let’s just put together good
[00:27:32] practices and so you know where I’m at
[00:27:34] with Quantipy and and my operating
[00:27:37] principles if you would all along has
[00:27:39] been just protect the data at the data
[00:27:42] layer so make sure every element whether
[00:27:44] it’s at the file level blob level you
[00:27:47] know it whatever it is if you can
[00:27:49] control that data from an encryption
[00:27:52] perspective and then you have the
[00:27:53] ability to manage keys um in a way that
[00:27:55] enforces authorization, identity, and
[00:27:58] attribute control. It doesn’t really, it
[00:28:01] matters, but it’s less damning and less
[00:28:04] damaging if that data were to be leaked
[00:28:06] because now the adversary has to a
[00:28:08] figure out how to actually use it. Yep.
[00:28:11] >> And you know, so in many cases, it might
[00:28:13] just get discarded before it ever gets
[00:28:15] used because they’re like, it’s not
[00:28:16] worth the effort. I’m going to go for
[00:28:17] the low-hanging fruit.
[00:28:18] >> Yep. And and data is the most critical.
[00:28:20] So if you’re able to protect that, then
[00:28:23] you know, you’re like 90% safe, right?
[00:28:26] Sure.
[00:28:26] >> Yeah. Yeah. Absolutely. And and talking
[00:28:30] about your architectural and what you
[00:28:32] were just saying, I was I was kind of
[00:28:34] going through your LinkedIn and I saw
[00:28:36] that you wrote that regulatory
[00:28:38] complexity’s an architectural problem
[00:28:40] and architectural problems have
[00:28:41] engineering solutions. I mean, I would
[00:28:43] love to kind of understand if you can
[00:28:45] give me an example of what it really
[00:28:47] looks like when someone is trying to
[00:28:50] solve a compliance mandate with the
[00:28:52] wrong architecture or with the right
[00:28:54] architecture.
[00:28:55] >> Yeah. So what we have is a situation and
[00:28:57] I might get myself in trouble for saying
[00:28:59] this but over the years we have there
[00:29:02] still are a lot of rules in place and
[00:29:04] I’m not going to just pick on department
[00:29:06] of war. I’ll pick on all the government
[00:29:07] in general and that is you know there
[00:29:09] are still a lot of regulations and rules
[00:29:12] for compliance that are based frankly on
[00:29:14] 1990s and 2000s technology right they
[00:29:18] don’t take into account the robust
[00:29:20] nature of cloud-based technologies or
[00:29:23] you know the use of AI and other things
[00:29:24] like that and so the threat the threat
[00:29:27] vector is it changes like super fast
[00:29:31] number one number two it’s able to morph
[00:29:33] and turn itself into other things Okay.
[00:29:36] So, going back to your question, you’re
[00:29:37] looking at say like, you know, what are
[00:29:39] some of the things architecturally that
[00:29:41] people do all the time that, you know,
[00:29:42] they will look at a problem and in the
[00:29:45] case in the example that I’m saying here
[00:29:47] is you’re saying, “Oh, I have this
[00:29:48] system. I I need to get an ATO because
[00:29:50] we need to monetize it or we have some
[00:29:52] type of deadline. Um, I have to meet
[00:29:55] this data control.” Okay. Well, how has
[00:29:57] it been done in the past? Well, you
[00:29:59] know, all these major suppliers that all
[00:30:00] have ATOs, they used XYZ technology to
[00:30:04] do that. Okay. So, they go and they make
[00:30:06] the decision to go and buy the same
[00:30:08] technology and implement it the same way
[00:30:11] just so they could check the box rather
[00:30:12] than I look at that and it just makes my
[00:30:14] head want to explode because I’m like,
[00:30:16] hold on a second here. You made a
[00:30:18] decision to meet your compliance your
[00:30:20] compliance requirements in a way that
[00:30:23] theoretically just created new
[00:30:25] technical debt for you. We’re not even
[00:30:27] talking years down the road. It could be
[00:30:29] months down the road. And so now you’re
[00:30:30] going to have to deal with that. And
[00:30:31] that technical debt oftentimes leads
[00:30:34] to security vulnerabilities, right? So,
[00:30:36] you know, people make the mistake in
[00:30:38] always thinking that, oh, I’m I passed a
[00:30:40] compliance audit, so I’m secure. No,
[00:30:42] compliance does not equal security.
[00:30:44] Compliance means you’re able to follow
[00:30:45] directions and you’ve been able to
[00:30:47] document it. Security is actively
[00:30:49] defending, right? And preventing bad
[00:30:52] actors from doing things that they’re
[00:30:53] not allowed to do. And so big failure
[00:30:55] that I see in a lot of these
[00:30:56] architecture design patterns is people
[00:30:58] are designing for checking the box and
[00:31:01] not designing for what is the intention
[00:31:03] of this regulation or rule. Um they were
[00:31:07] written a long time ago. Doesn’t mean
[00:31:08] that they’re wrong or that they’re no
[00:31:10] longer necessary. So you have to
[00:31:11] actually kind of go back and look at it.
[00:31:13] You say like uh data at rest. Right.
[00:31:15] Right.
[00:31:15] >> All data at rest needs to be encrypted.
[00:31:17] Okay. So we go and encrypt my hard
[00:31:19] drive. Check. Box is checked. Good.
[00:31:21] Yeah. But what happens when the data
[00:31:23] when it leaves that hard drive, right?
[00:31:24] So if you think about the spirit of the
[00:31:27] regulation and rule, even though it may
[00:31:29] have been created 15 years ago or 20
[00:31:32] years ago, you step back and say, what
[00:31:34] are we really trying to accomplish here?
[00:31:35] And so that’s where I I I look at it
[00:31:37] from an architectural perspective. I’ll
[00:31:39] say, sure, I could go buy this data
[00:31:41] encryption software or this firewall
[00:31:44] that does XYZ, but how do I protect the
[00:31:47] data when it leaves the network? Either
[00:31:49] legitimately or illegitimately, right?
[00:31:51] through exfiltration. How am I protecting
[00:31:53] that data? Making sure that I have the
[00:31:55] right firewall in place and I can check
[00:31:57] a box isn’t going to solve for that. And
[00:31:59] so, um, you know, I’m working really
[00:32:00] hard to, you know, with every customer
[00:32:03] and partner that we work with to really
[00:32:05] kind of instill the practice of, you
[00:32:08] know, take the extra couple of cycles
[00:32:10] now and in your early stages to set up
[00:32:12] your foundation properly so that when
[00:32:15] you have because you as an architect,
[00:32:17] you have to be looking three, four steps
[00:32:19] down the road. you have to be looking
[00:32:20] around the corners. Customers are trying
[00:32:22] to solve a today problem. Meeting those
[00:32:24] compliance requirements often checks the
[00:32:26] box for a today problem, but it leaves
[00:32:28] things wide open for, you know, the the
[00:32:31] things around the corner that the
[00:32:32] customer is not thinking about. And so
[00:32:34] there needs to be a shift in the way
[00:32:36] that we think in the industry around
[00:32:38] implementing compliance technical
[00:32:40] architectures and patterns and actually
[00:32:43] implementing tech creating technical
[00:32:45] architectures and patterns and
[00:32:46] implementing them that meet the spirit
[00:32:48] of what the intended regulation has been
[00:32:51] intending. And the and the final thing
[00:32:53] I’ll say about that is is that that
[00:32:54] takes some intestinal fortitude because
[00:32:56] I’ll be honest, the system has a
[00:32:57] visceral reaction by default. They’re
[00:32:59] like, “Wait a minute. You didn’t just go
[00:33:01] buy this hardware firewall, put it in
[00:33:03] place, check the box.” No, I did it this
[00:33:05] way because I believe that, you know, by
[00:33:07] doing A, B, and C, we’re going to be
[00:33:09] this much more secure and oh, by the
[00:33:11] way, we meet your requirements. And so,
[00:33:13] you have to have the the fortitude to
[00:33:15] fight that system and that visceral
[00:33:17] reaction that you that you have to know
[00:33:19] is going to come. In the end, what I
[00:33:20] have experienced in cloud and this was
[00:33:23] very early days, you know, they were
[00:33:24] like, “Oh, no, we’re not going to
[00:33:26] cloud.” And now look at you know the
[00:33:27] government’s adoption of cloud. If you
[00:33:29] stick to your you know um your
[00:33:31] principles and reasons for why your
[00:33:34] sound architectural practice is the
[00:33:36] right thing to do everybody is better
[00:33:38] off in the end because then it becomes a
[00:33:39] standard that gets adopted across the
[00:33:41] board.
[00:33:42] >> So think in the spirit of the compliance
[00:33:44] not just think about the checkbox make
[00:33:46] sure so you know that’s the that’s the
[00:33:48] proper way to do. All right. So yeah, so
[00:33:51] everyone kind of keeps hearing about
[00:33:54] postquantum cryptography for somebody
[00:33:56] who doesn’t really live in security.
[00:33:58] What does that actually mean? And why
[00:34:01] should somebody really care about it?
[00:34:02] Yikes.
[00:34:03] >> Yeah. Well, I mean postquantum is, you
[00:34:05] know, it’s one of those uh dare I say
[00:34:08] one of those uh sexy problems out there
[00:34:10] in the industry. It gets a lot of buzz.
[00:34:12] You know, it’s the the buzzword du jour, I
[00:34:14] guess, but it’s a very real problem,
[00:34:16] right? So for people who are not really
[00:34:18] paying attention to it, what it really
[00:34:20] means is that as you know postquantum
[00:34:23] computers um become more and more
[00:34:25] prevalent that they will be able to
[00:34:28] solve for and uh decrypt and and break
[00:34:31] encryption algorithms that currently
[00:34:33] would take thousands of years with
[00:34:35] current computing technology. They could
[00:34:37] actually do it in hours with one of
[00:34:39] those computers. And so that’s a very
[00:34:41] real problem. The pro the thing is it
[00:34:44] doesn’t really resonate with a lot of
[00:34:45] people, right? Right. You know, they’re
[00:34:47] like, “Yeah, okay. Yeah, that that
[00:34:49] stinks and so somebody’s gonna be able
[00:34:50] to hack my password for banking.” No,
[00:34:53] no, no, no, no. That’s not what we’re
[00:34:54] talking about. We’re talking about is,
[00:34:56] you know, every aspect of your digital
[00:34:58] interaction in life is protected by
[00:35:00] these mathematical encryption
[00:35:02] algorithms. Your bank account, your
[00:35:03] medical records, your travel records,
[00:35:05] air traffic control, software updates in
[00:35:07] your cars, all of those things. And
[00:35:10] right now, it’s essentially unbreakable.
[00:35:11] But the math, you know, the math problem
[00:35:13] that they have to solve, you know, takes
[00:35:14] a very long time. But the new quantum
[00:35:16] computers are able to do that at
[00:35:18] sufficient scale in hours, not
[00:35:21] centuries. And so the problem is one in
[00:35:24] which people are beginning to recognize
[00:35:26] the problem and saying, well, you know,
[00:35:28] that’s uh, you know, Q-Day is in 2030.
[00:35:31] Well, all the all the indications are
[00:35:33] that Q-Day is going to come before 2030.
[00:35:35] Wow. And it’s entirely believable that
[00:35:38] Q-Day when that that close quantum
[00:35:40] capability hits is as early as 2027. And
[00:35:43] so, you know, people are thinking, well,
[00:35:45] you know, we can we’ll solve for that
[00:35:47] problem. No, the problem is is you have
[00:35:49] to solve for the day the problem now.
[00:35:51] >> Yeah.
[00:35:52] >> Because once it’s here, it’s too late.
[00:35:54] And when you think about the the um
[00:35:56] >> will MFA still protect us? Sorry to
[00:35:58] break your thought, but
[00:36:00] >> Okay.
[00:36:01] >> Yeah. Absolutely. I mean, so you know,
[00:36:04] when you look at like a lot of the data
[00:36:05] breaches that happen right now, it’s uh,
[00:36:07] you know, state actors are doing harvest
[00:36:09] now, decrypt later, right? Or like,
[00:36:11] yeah, we’re not going to spend our time
[00:36:12] trying to decrypt these things. We’ll do
[00:36:13] it when we have quantum computers to do
[00:36:15] it. And so if you have any data that’s
[00:36:17] meaningful, it’s going to be current
[00:36:19] data, right? And so your current data,
[00:36:21] if it’s not protected in a way, at a
[00:36:23] minimum slows down somebody with access
[00:36:26] to quantum computing resources for for
[00:36:28] breaking the encryption. You know, I
[00:36:30] hate to say it, but you’re you’re
[00:36:32] majorly vulnerable. Everybody’s majorly
[00:36:34] vulnerable. So, what we have now is is
[00:36:36] like, you know, the government is has
[00:36:38] been on this for a while, and it’s
[00:36:41] introduced another industry buzzword
[00:36:43] term talking about crypto agility,
[00:36:45] right? So, you have these different
[00:36:46] cryptographic modules, which is
[00:36:48] basically the math behind what creates
[00:36:51] the encryption that people use to secure
[00:36:53] their mainframes, their banking systems,
[00:36:55] whatever. So if you come up with a new
[00:36:58] module which are which you’ll hear a
[00:37:00] phrase called postquantum cryptography
[00:37:02] which are their cryptographic modules
[00:37:04] strong enough to not be broken by
[00:37:06] quantum computer. Well it’s great that
[00:37:08] they exist but how are you using them?
[00:37:10] How are you putting them in place? And
[00:37:12] so that’s where agility comes in because
[00:37:14] a lot of these systems are legacy
[00:37:16] systems that aren’t built for
[00:37:18] >> yep
[00:37:19] >> the size and the computing requirements
[00:37:22] of a cryptograph of a postquantum key.
[00:37:24] And so that becomes a real problem
[00:37:26] first. Second, if you’re talking, you
[00:37:28] know, petabytes, exabytes of data that’s
[00:37:31] been encrypted using an old standard, do
[00:37:33] you have to go back and touch every
[00:37:35] piece of that historical data and
[00:37:36] re-encrypt it? So these are very real
[00:37:38] problems that people are trying to
[00:37:40] address, but I don’t know that it’s
[00:37:42] being addressed with the vigor that it
[00:37:44] really deserves. And so I think the
[00:37:46] first thing that you need to do is come
[00:37:48] up with a way to well you you decide on
[00:37:51] the standard and one that’s going to
[00:37:52] work for you from a cryptographic um
[00:37:54] library perspective and then you have to
[00:37:56] put together a plan to not even
[00:37:59] implement and roll it out. You need to
[00:38:01] if you don’t already have it you need to
[00:38:03] have a very robust inventory of all of
[00:38:05] your software systems out there y
[00:38:07] >> and what cryptography they use and why.
[00:38:10] Um and then you need to prioritize the
[00:38:13] uplift of your critical systems and you
[00:38:15] know as you go through the progression
[00:38:17] but again that uplift could be very
[00:38:19] difficult. And so you know one of the
[00:38:21] things that we’re doing at Quantipy and
[00:38:22] there’s other companies out here doing
[00:38:24] it as well and that is making crypto
[00:38:27] agility something that can be consumed
[00:38:29] without creating just absolutely massive
[00:38:32] pain. You know going back to the Andy
[00:38:35] Jassy saying right? Get rid of the
[00:38:37] undifferentiated heavy lifting. So if we
[00:38:39] can get rid of the undifferentiated heavy
[00:38:41] lifting of implementing these new
[00:38:43] modules and also you know so you get
[00:38:45] speed and you get security and you have
[00:38:48] the ability to change those three things
[00:38:50] are going to threat actors may not stop
[00:38:53] them completely but it’s going to slow
[00:38:55] them down and so um I think that’s super
[00:38:57] important and we need to really be
[00:38:59] thinking about those things.
[00:39:00] >> Okay that’s good that’s good to know. So
[00:39:02] a lot of companies are nowadays kind of
[00:39:05] doing these and I’m sure you’ve heard
[00:39:07] the term AI transformation you know
[00:39:09] evolving from digital transformation to
[00:39:11] AI transformations and automations and
[00:39:14] then you have companies kind of building
[00:39:15] these postquantum crypto and
[00:39:17] crypto-agility solutions and key
[00:39:19] management. Where do you think these two
[00:39:21] worlds can eventually collide? And and I
[00:39:23] know you talked about preparing them a
[00:39:25] little bit in the earlier answer as
[00:39:26] well, but I’d love to kind of see
[00:39:28] because these are two different like in
[00:39:30] from the 1980s to I would say around
[00:39:32] 2000s or 2010 probably was the era of a
[00:39:36] digital transformation where you had
[00:39:38] these SAPs, Oracles, the world kind of
[00:39:40] you know transforming and now you’ll
[00:39:42] have this next era in the next 20 30
[00:39:44] years where it’s AI transformation right
[00:39:46] agents and human in the loop and and all
[00:39:49] of those concepts. throw a question back
[00:39:51] to you is like do you really think it’s
[00:39:52] the next 20 30 years that
[00:39:53] transformations could occur? I think
[00:39:55] it’s less than 10.
[00:39:56] >> Yeah. And that’s a so the what I feel is
[00:39:59] that organizations are usually slow to
[00:40:02] move right. So they they have a lot of
[00:40:04] inertia and their adoption to technology
[00:40:07] is typically because it’s a lot of
[00:40:09] people management change as well. So I
[00:40:11] mean we’ve been working with ors we’ve
[00:40:13] been working with enterprises as well as
[00:40:15] kind of you know SMB space as well
[00:40:18] mid-market and what we’ve seen is not really
[00:40:20] that how much the technology can come in
[00:40:23] it’s really about how quickly the people
[00:40:24] are able to adopt it as well and there’s
[00:40:26] a certain resistance or a certain I
[00:40:29] don’t want to say resistance but certain
[00:40:32] you have to bring in that change within
[00:40:33] the people and that change will take
[00:40:36] time even I mean I’m at the forefront of
[00:40:38] all of these things and yet I have to
[00:40:40] unlearn a lot of things the way I used
[00:40:44] to do them to be able to adopt AI and
[00:40:46] and we’re finding it tough to even
[00:40:48] implement it across our workloads right
[00:40:51] now. I mean maybe in the next year, year
[00:40:53] and a half or maybe in the next you know
[00:40:54] 10 months or so we’ll be there but but
[00:40:57] we are right at the forefront. So
[00:40:59] imagine now businesses that you know
[00:41:01] there the technology is not their
[00:41:03] primary source of business or revenue.
[00:41:05] They do some sort of business and they
[00:41:07] have to adopt it. So I feel there’s
[00:41:09] maybe not 20, 30 but you know maybe 10 15
[00:41:12] years or something those lines half of
[00:41:15] what it took for digital transformation
[00:41:17] to you know get an impact.
[00:41:19] >> Yeah exactly. Well I mean so when you
[00:41:21] think about the AI transformation and
[00:41:23] postquantum like colliding I I think
[00:41:25] that those two worlds have already
[00:41:26] started to collide. I think it’s
[00:41:28] happening right now.
[00:41:29] >> Just most organizations don’t realize
[00:41:31] that they’re on that collision course.
[00:41:33] They’re like uh okay. And so, you know,
[00:41:36] from a convergence perspective, I look
[00:41:37] at it and say, you know, AI in all of
[00:41:40] its glory, and again, I’m a fan of AI is
[00:41:43] generating absolutely massive new
[00:41:45] volumes of data, and it’s operating off
[00:41:47] of sensitive data. So, it could be
[00:41:49] corporate data, corporate training data,
[00:41:50] embedded stores, even the agent memory
[00:41:53] of the AI that they’re using, that
[00:41:56] memory is data that’s getting generated
[00:41:58] in indexes and things like that. and
[00:42:00] they’re sitting in systems that weren’t
[00:42:02] they weren’t architected for the crypto
[00:42:04] agility, right? So now you have used to
[00:42:06] have a lot of data. Now you’ve got even
[00:42:09] more data and it’s just coming in just
[00:42:12] nonstop. That’s keeps happening and
[00:42:15] meanwhile the crypto agil the crypto
[00:42:17] postquantum migration clock is just
[00:42:19] still running. It’s not slowing down.
[00:42:21] And so that’s where you see the
[00:42:22] adversaries that are doing harvest now,
[00:42:25] decrypt later because they realize that
[00:42:27] many companies and organizations out
[00:42:29] there are not in a position to protect
[00:42:31] amp to uh protect the data at the rate
[00:42:34] at which they’ve generated it. And so
[00:42:36] you know I go back to you have companies
[00:42:39] that are racing to deploy AI and they’re
[00:42:42] doing it on top of these cryptographic
[00:42:43] foundations that are going to become
[00:42:45] obsolete much sooner than they uh
[00:42:47] previously expected. And there’s a
[00:42:50] discipline that’s required to fix those
[00:42:52] foundations. Many companies don’t take
[00:42:55] the time to fix the structural changes
[00:42:57] required. And that mismatch is something
[00:43:00] that you’re not going to be able to
[00:43:01] engineer your way out of in the future,
[00:43:02] right? So, you know, it’s kind of like,
[00:43:04] you know, building a skyscraper on a
[00:43:06] foundation that’s just all sand. You
[00:43:08] already know it’s going to fail, right?
[00:43:10] And the taller that you keep building
[00:43:11] that skyscraper, the more expensive the
[00:43:13] collapse is going to become. And so, you
[00:43:15] know, there needs to be a sequence. In
[00:43:17] my opinion, you need to protect the data
[00:43:19] first. This is, you know, in your AI
[00:43:22] strategy, right? You need to first you
[00:43:24] need to protect the data at the data
[00:43:26] layer first. So that gets into how you
[00:43:28] are um protecting the data like that’s
[00:43:30] the the method, right? And then you look
[00:43:32] at the cryptographic foundations and the
[00:43:34] agility. So there it’s like it’s what
[00:43:36] you’re encrypting with and you know so
[00:43:38] your libraries and how agile are you
[00:43:40] around being able to ebb and flow with
[00:43:42] that because advers ad adversaries are
[00:43:44] going to get more sophisticated and
[00:43:45] they’re going to come up with ways to
[00:43:47] circumvent or or get around a library
[00:43:50] that somebody has rolled out. And so you
[00:43:52] got to be able to quickly change that.
[00:43:53] And then third finally that’s when I
[00:43:56] think you start scaling your AI
[00:43:58] workloads. You have to do it on top of
[00:44:00] one of those foundations because then
[00:44:01] guess what? Now if your data is
[00:44:03] protected and like you said there’s
[00:44:05] organizational change is the long tail
[00:44:07] in this process and it’s really
[00:44:09] difficult and you have a a workforce
[00:44:12] which is you know it’s being loaded up
[00:44:15] every year after graduation with
[00:44:17] students that are focused on adopting AI
[00:44:20] and because they grew up with it right
[00:44:22] they grew up with technology in their
[00:44:24] hands but you still have an industry
[00:44:25] that’s owned and run by people who are
[00:44:28] well no there’s a process we have to
[00:44:30] follow yeah and so that collision keeps
[00:44:32] is happening, right? And so I think
[00:44:34] innovating and taking the time to build
[00:44:36] the structural foundation around
[00:44:38] protecting the data, you can actually
[00:44:39] meet the objectives of both of those
[00:44:42] personas, right? So you have the new
[00:44:45] people that are coming out of all the
[00:44:47] best universities that going to create
[00:44:48] the best AI models and everything. It’s
[00:44:50] like that’s great, but you’re going to
[00:44:51] do it with this data that we have, you
[00:44:53] know, amply uh protected. And if you
[00:44:56] need to use something that’s sensitive,
[00:44:58] there’s a process. And the process is
[00:45:00] it’s enforced like in the DNA of the
[00:45:03] data protection of itself. It’s not a
[00:45:05] human policy. It’s a way to get access
[00:45:08] to the keys which is enforcing that
[00:45:10] process. And so, you know, you look at
[00:45:13] it right now, it’s in my opinion, I
[00:45:14] think it’s still a bit of the wild west.
[00:45:16] And so it’s incumbent upon I think those
[00:45:18] of us that have been in the industry for
[00:45:20] a while to push back at times with some
[00:45:23] leadership and say all right yeah I’m
[00:45:25] super excited about AI as well and I
[00:45:28] think that we can do some really cool
[00:45:29] things but we need to put a few things
[00:45:32] in place before we go down that that
[00:45:34] road. I think that’s going to pay
[00:45:35] dividends like hugely in the near term
[00:45:39] future that people aren’t anticipating
[00:45:41] because the debt that’s going to result
[00:45:44] as you know for those who have not taken
[00:45:47] those necessary steps are going to
[00:45:49] be massive and they could be literally
[00:45:51] existential threat to their company or
[00:45:53] their organization it could put them out
[00:45:55] of business literally
[00:45:56] >> right no that’s true and we advise
[00:45:59] companies the same thing all the time
[00:46:01] right so you have to build the
[00:46:02] foundation because otherwise with
[00:46:04] AI it’s garbage in garbage out right so
[00:46:06] if your data doesn’t make sense
[00:46:07] >> it does it really quickly
[00:46:09] >> yeah yeah exactly so and it builds yeah
[00:46:13] exactly
[00:46:15] >> you know people it’s a funny thing it
[00:46:17] usually happens and people you know uh
[00:46:21] work with AI and generate these 25 pager
[00:46:24] documents like just like that and kind
[00:46:27] of abandon nobody will send me those
[00:46:30] documents because it’s it’s a pain
[00:46:34] adopting and you know reading through it
[00:46:36] and and a lot of time it’s just not
[00:46:37] right but they’re wonderful uses as long
[00:46:40] as you learn to harness this
[00:46:42] >> right
[00:46:42] >> so that’s that’s where the the line is
[00:46:45] right so all right so closing statement
[00:46:48] or closing question 25 years Paul you’ve
[00:46:51] been doing this
[00:46:52] >> what gets you out of the bed in the
[00:46:54] morning and if somebody is thinking
[00:46:56] about getting into security or
[00:46:58] infrastructures what would you tell them
[00:47:00] >> what gets me out of bed in the morning
[00:47:01] really is conviction that you know my
[00:47:03] work actually matters. So, you know, if
[00:47:05] I’ve helped to build something that
[00:47:08] saves a life, prevents a cataclysmic
[00:47:10] societal failure, or even, you know,
[00:47:13] just makes it easier for my 79-year-old
[00:47:15] mother to, you know, schedule a doctor’s
[00:47:17] appointment. It’s worth it, right? You
[00:47:19] know, because those little things in
[00:47:20] life are the things that matter. And and
[00:47:22] the reason why, and I know that sounds
[00:47:23] like a rosy answer and everything, but I
[00:47:26] actually live and breathe it because,
[00:47:28] you know, I’ve personally come close to
[00:47:29] death. I’ve I’ve skirted death and I’ve
[00:47:32] been
[00:47:32] >> wow I shouldn’t be here. That’s a
[00:47:34] different story for a different day. But
[00:47:36] I will tell you that one thing that it
[00:47:38] did for me is that you know once you’ve
[00:47:40] experienced that everything
[00:47:42] fundamentally shifts in your way you
[00:47:44] think. First and foremost stop waiting.
[00:47:46] You stop saying well you know I’m going
[00:47:47] to wait. We’re going to get here at that
[00:47:49] some point. You stop hedging for time.
[00:47:51] You stop hedging against risk. And you
[00:47:53] decide to live now and attack the
[00:47:55] challenges aggressively and not give up
[00:47:56] until you’ve solved for them. Right? You
[00:47:58] know, I guess and I get myself in
[00:48:00] trouble with the missus when I say this,
[00:48:01] but you know, I think inherently it’s
[00:48:03] because you understand that in your
[00:48:04] bones that you’re on a shorter runway
[00:48:06] than everyone else and the time is
[00:48:07] shorter than you think. And so from a
[00:48:10] technology perspective, so anybody who’s
[00:48:12] thinking about getting into security or
[00:48:14] infrastructure work, what I tell them is
[00:48:15] that, you know, this is one of the few
[00:48:17] fields out there where what you build
[00:48:20] genuinely matters in the context of
[00:48:24] people’s lives. everyone’s, you know,
[00:48:26] it’s not about, and don’t get me wrong,
[00:48:28] these people are super important, too,
[00:48:30] but it’s not about optimizing click ads,
[00:48:32] you know, clicks on ads or anything like
[00:48:34] that or and chasing, you know, web
[00:48:36] engagement metrics. Super important for
[00:48:38] financial status of a company. I get it.
[00:48:41] Working on and protecting the systems
[00:48:43] keep society standing. It’s a pretty
[00:48:46] fulfilling line of work. You know, your
[00:48:47] banks, your hospitals, your power grids.
[00:48:49] I mean, oh my goodness, the power grids,
[00:48:51] the war fighters, you know, the data is
[00:48:53] required to make all that work. But, you
[00:48:54] know, I would also tell them that it’s
[00:48:56] hard, man. This is sometimes it’s
[00:48:58] unglamorous work and, you know, it’s the
[00:49:00] stuff that rarely makes it onto the
[00:49:02] cover of a magazine. But people who do
[00:49:04] it, you know, they know, you know,
[00:49:06] they’re that they’re the unsung heroes
[00:49:08] here in in a sense. It’s not trying to
[00:49:10] build a hero syndrome, but if you’ve got
[00:49:12] the temperament for solving for hard
[00:49:14] problems and patience to see it through,
[00:49:16] this is a good and lucrative industry.
[00:49:19] And I’m not saying lucrative necessarily
[00:49:21] from a compensation perspective, even
[00:49:22] though that is a real thing. There’s
[00:49:24] really a rare and underrated
[00:49:26] satisfaction that comes from doing this,
[00:49:29] knowing that your work actually meant
[00:49:30] something. You know, the next 25 years
[00:49:32] is going to be even more important than
[00:49:34] the first. And so I I try to
[00:49:37] >> the overall scope increased a lot in
[00:49:39] terms of
[00:49:40] >> Absolutely. Absolutely. And and I will
[00:49:42] add to this is that kind of what another
[00:49:44] thing that gets me out of bed in the
[00:49:46] morning is that I feel that I I feel a
[00:49:48] very strong drive to mentor and bring up
[00:49:52] the next generation. And you know I
[00:49:54] there were people that helped me along
[00:49:56] the way in my career and that you know I
[00:49:59] want to pay it forward. And so with this
[00:50:01] outlook on life that I have it’s like
[00:50:03] I’m not going to wait until I’m getting
[00:50:05] ready to retire out of the industry
[00:50:07] before I try to develop the next
[00:50:08] generation. No, what I want to do is I
[00:50:11] want to bring that generation up now and
[00:50:13] put them in a position to where maybe
[00:50:16] they replace me in my current role while
[00:50:19] I’m still in the workplace, right? And
[00:50:21] to me, that is a success. That’s not a
[00:50:23] failure. And so, you know, those are the
[00:50:25] kind of things that drive me to get out
[00:50:27] of bed in the morning, go to work.
[00:50:28] >> That’s good to hear. All right, Paul.
[00:50:30] Thank you. Thank you so much for your
[00:50:32] time. Yeah, it’s been a pleasure having
[00:50:34] you on TechUnhinged.
[00:50:35] >> Thank you. I appreciate it. Thanks for
[00:50:36] having me.