Ep. 5 Michelle Zatlyn on Decoding Digital

Decoding Digital Security: Michelle Zatlyn on Protecting the Web

A CONVERSATION ON BEING A BETTER DIGITAL CITIZEN

45 min

Many of us worry about how secure our online lives really are. After all, the news is filled with stories of data breaches and distributed denial-of-service (DDoS) attacks. As co-founder of cloud security company Cloudflare, Michelle Zatlyn has some advice: Be cautious, but engage with technology to become a better digital citizen. Hear her discuss how to safeguard the digital world.

"Technology's not going away, it’s not a fad… That doesn't mean you have to be the first to try everything, but I do think a digital citizen is willing to find the places where they are willing to embrace technology... The more we talk about it, the less scary it becomes."

Quick takes on...

Being Honest About Security Challenges


"I do think one of the good things about cyber security becoming more of a business agenda is that the media is covering more of these stories. And some of the large companies saying, 'here's what happened, here's what I'm doing about it' means that we are actually talking about it. So when you are that small business that experiences a breach, you don't have to feel so alone."


Being a Digital Citizen


"Being a digital citizen is not a special power. It's not hard. It's just, don't fear technology, embrace it, and find ways that it can make your life better. And the truth is, it really can make your life a lot better. It can make it easier to connect with people, which is so important, especially now."


The Importance of Leadership


"It turns out leadership matters. Whether you're an executive at a big company or at a startup, people notice and leadership can set you apart. Making consistent decisions, following through, how you communicate, how you treat people—I want to live in a world where these things matter."

Meet your guest, Michelle Zatlyn

CO-FOUNDER AND COO, CLOUDFLARE

Michelle Zatlyn on Decoding Digital Security

Michelle is co-founder and COO of Cloudflare, a web performance and security company. A native of Saskatchewan, Canada, Michelle earned a degree in chemistry and now uses the scientific method to improve businesses. In 2019, she helped guide Cloudflare through a successful IPO. She has also won numerous industry awards and is a sought-after speaker and mentor. Outside of the office, she enjoys yoga and working on the Sunday New York Times crossword puzzle.

Episode transcript

Michelle Zatlyn: [0:05] Go find a meaningful problem. Find a meaningful problem where you're actually solving a problem for somebody, and ask yourself, is there more than one person in the world that has the problem? If the answer is yes, a lot of people do, and it is meaningful, then I think you should go full force and do it.

Dan Saks: [0:20] This is "Decoding Digital," and I'm your host, Dan Saks. Every episode, we hear from someone who is working to build something new in the digital economy. Each guest has a unique perspective to share. Together, we work to understand or decode a trend that is shaping our digital world.

Announcer: [0:38] Every founder's journey is different. For Michelle Zatlyn, it involved a U‑Haul across country drive with her co‑founders, mom at the wheel, and a secret called Project Honey Pot. After arriving in Silicon Valley, Michelle and her team would turn that code name to Cloudflare, a billion‑dollar unicorn company with a successful IPO in 2019.

From day one, Cloudflare has been recognized as one of the world's most inventive technology companies and has received numerous honors, including being named to CNBC's Disruptor 50 list, "Wall Street Journal's" most innovative Internet technology companies list two years in a row, and being selected as a technology pioneer by the World Economic Forum.

By any measure, Michelle is a tech industry veteran and has a wealth of experience and insights to share. Today, Michelle will be joining us to decode digital security. Let's decode.

Dan: [1:42] Michelle, we're so excited to have you on the show today. Let's jump in. I know that you shared that you wanted to be a doctor when you were younger. Clearly, you're on somewhat of a different path. Can you tell me about how that evolved?

Michelle: [1:54] Definitely. Thanks so much for having me today. Yes, I did want to be a doctor when I was in high school. Even the first part of college or university, that's really what I was all geared. I set all my sights on that. At some point, I had aha. I assumed I wanted to be a doctor, but I'd never tried anything else.

Instead of going straight to medical school after college, I said, "Hey, I'm going to go work for a couple years." The reasons why I wanted to be a doctor was because I wanted to help people and felt like I could play a role in doing that.

I ended up finding in the world of technology and feeling like you can work with a group of smart passionate people solve problems. Instead of one at a time, you solve problems for people around the world. I ended up finding the same characteristics of what I saw in medicine in the world of business and technology. Next thing I knew, I was full on pursuing my business career and eventually going to round out my education by adding an MBA.

Dan: [2:56] How did you come to founding Cloudflare?

Michelle: [2:59] I was doing my MBA. I happened to go to Harvard Business School, and I was on a school trip in Silicon Valley. It was a week‑long, professor‑led trip. It was this amazing experience where there's a group of us, 40 of us, who came out to the Bay Area. During that week, it was January 2009. It was right after the financial crisis of '08.

We are here for the week. We got to meet all these entrepreneurs, small companies, at large companies. We met these investors, really prominent investors. It was just this amazing week‑long experience.

It was Wednesday of that week. We were at a startup accelerator down in Sunnyvale called Plug and Play, listening to a lot of early‑stage founders pitch their idea. At this point, we've been here for three days. I remember I walked out of that last startup pitch into the hallway, and I said to a classmate who's on the trip to me, "Wow, if that guy can start a company, so could I."

To my friend's credit or my colleague's credit, he said, "Of course you could." I just was this kind of moment where it demystified this idea of Silicon Valley and what it meant to build a technology company or a tech giant or be a success story as a tech founder. I had demystified being like, "These people are no different than me."

If you're passionate, you're smart, you want to pursue something, you can. That's what we were in the hallway discussing. My classmate had always talked about...His name was Matthew Prince. Matthew Prince always was proud of something he had started the last six years prior to business school called Project Honey Pot. Project Honey Pot was an open‑source project that tracks Web spammers online.

In that hallway conversation, we started to banter back and forth. Out of that conversation, we decided, "Hey, let's start a school project to see if there is a business idea here." That business idea literally turned into Cloudflare. I guess the rest is history, they say.

Dan: [4:56] Tell everyone about Cloudflare.

Michelle: [4:57] Cloudflare is a service that helps protect any Internet property, whether your website and app small or large, from cyber attacks online. We help make sure that every Internet property is fast around the world. We help provide reliability services to those properties.

If you think about Cloudflare, we run a global network that makes Internet faster, safer, and more reliable for any business, large or small. Since that hallway conversation, we've moved up to the Bay Area to give it a go.

Today, we have over 1,300 people at Cloudflare working on this on behalf of our customers. We have 2.7 million customers around the world and 2.27 million Internet properties that we help make fast, safe, and reliable on a daily basis. It's been pretty amazing to see this idea come to life over the last 10 years.

Dan: [5:45] It's incredible to see how things have evolved. One of the things we're focused on here with Decoding Digital is understanding, as businesses transform digitally, what are the impacts? There's always questions around security, data residency, and how to safely and securely bring your business online in digital. From the exposure you have across the world, what are things that business owners need to be thinking about that could be potential concerns or pitfalls around security?

Michelle: [6:12] Sometimes, I say that I feel like security did itself a disfavor for the first 10 or 15 years of existence where security was a topic that got put into a corner for the information security, or the security experts, or the IT professionals to deal with. It wasn't really on the business agenda. I think that's actually changing. It needs to continue to change.

I had [inaudible] that was more like artificial intelligence. I actually think that's not relegated to a couple of people in the company. I think it's much more top of mind at the senior executive level. I think that's good. That's a positive development.

With security and cybersecurity, the truth is whether you're a small business, you're nonprofit, or you're a large organization, there are all sorts of attacks online. Even if I keep trying to quantify it, we are one service provider. Of course, we have a lot of customers, 2.7 million. Every day, our technology stops 45 billion cyber attacks on behalf of our customers. That's every day. We're just one provider. It's real.

If you're a business owner, and you feel like, "Oh my God, I'm always under attack," the answer is, "Yes." There's a lot of malicious bots and people trying to do malicious things online. The answer is not, "Oh my goodness, what can I do?" The truth is today the solutions are much better than they were five years ago. They'll continue to get much better.

While there are cyber attacks happening daily, I think that the good news, and I'm a very half‑glass‑full person, I am definitely an optimist, is it's not like the "Mission Impossible" movies we watch online or the James Bond where it's these really sophisticated attacks. It's not that.

Actually, if you're a business owner, and you do the ABCs of putting some security solutions in place, you will be for the most part in the top quartile of your peer group of being protected. A lot of those solutions are easier to use and a lot more cost‑effective today and very effective.

The cloud computing has made cybersecurity a much easier problem to solve on behalf of customers. We're one company where we use technology to be able to help protect our customers from all these attacks. It works pretty well.

Dan: [8:29] One of the questions we get a lot is around security brands. I know in the on‑premise world, there are brands like McAfee and Symantec. You'd buy them off the shelf. People would install them and think that that's security. Tell us about how things shifted in the cloud. Maybe you could go into the ABCs that you're recommending.

Michelle: [8:46] Definitely. I think that cybersecurity is a really big industry. There's lots of different pieces to it. Businesses need to be thinking about it at all levels of their infrastructure.

Let's take a website, a digital presence where I want to be able to go look up appdirect.com and to see, "What does this company do? How do I get in touch with them?" Almost many businesses, as I said, are like, "I have that. I have a website. It might get a little traffic. It might get a lot."

The step one is making sure that is always online and not subject to attack because, a, if it is taken down, it's embarrassing. It could be a brand‑damaging event. At the worst case, it can cause real damage to a business, especially if they're taking payments through that or doing sales through that.

The first step of a digital presence, especially if you have a public‑facing website that you use for marketing purposes, is put a simple firewall in front, like a Web application firewall. The best way I could describe it, it's like a bodyguard for your online storefront. That bodyguard is saying, "Hey, you're a legitimate visitor. Come on in, right this way." If you're not, it's like someone, "No, no, no. You're not legitimate. You're a threat to this business. No, you've got to stay out."

A cloud‑based Web application firewall can absolutely do that for you. That is one of the services Cloudflare offers. I would say that is part of the ABC. The other one that is part of the ABC is this idea. It's a word that comes up. Sometimes I think it sounds scarier than it is. It's called a DDoS attack, like a denial of service attack. The best way to describe that is if all of a sudden you have way more traffic coming to this public‑facing website than your website can handle. Let's take a digital world example.

Let's say you were going to a bank. You really need to take some money out of the bank at the ATM. A physical example of this could be somebody goes and organizes 500 people to stand in line at the ATM in front of you. None of those 500 people are really taking any money out of the ATM. You are back of the line.

You're like, "I need money, but I've got 500 people ahead of me. I'm sure none of these are legitimate customers. If they're legitimate customers, I might be a little bit more OK with it, but none of these people are legitimate. They're not taking money out. Can I cut to the front of the line?"

That's the same sort of thing. It's a denial of service. It's somebody taking up all the resources of either that ATM in a physical world or online. That is a type of attack that often makes the front page of the newspaper because it means you're often offline. It's a very violating experience as a business. You think, "How can somebody take me offline? I need to be there for my customers, or clients, or employees."

The answer to that before used to be very hard to solve. Now cloud‑based DDoS services have basically solved this problem and made it go away. I can say this because that's one of the things that Cloudflare does. We do it extremely well where you put Cloudflare in front of that website, and you will never get taken off by a DDoS.

Our pipes are bigger than the malicious actors' pipes. They can never cut off access to the legitimate users. Some of that didn't exist 10 years ago, that our team has been able to build and make it easier, a problem that used to be a big problem for businesses go away.

If you're a business, and it's like, "I don't have any DDoS solution," go find one. They don't cost that much anymore. The pricing is really attractive. They're easy to scale. All of a sudden, it's a problem that you can say, "I feel like I'm protected well against that one."

Dan: [12:27] What happens when things do go wrong in this era? Obviously, there's some bigger companies when there's a hacker, when there's an attack, it makes the front page of the newspaper. Let's say you're a small or a medium business. What do you do? Where do you start to actually get protected or to fix what happened?

Michelle: [12:44] Back to what I said earlier about how I feel like security did itself a disservice for a long time where for a lot of times when that used to happen, businesses didn't want to tell anybody because they were really worried that customers would stop trusting them, and all their customers would leave. Or that their competitors would use it as a tactic to try and convince those customers to come to them and say, "Oh, that company doesn't know what they're doing."

I do think one of the good things about cybersecurity becoming more of a business agenda, and media covering more of these stories, and some large companies saying, "Here's what happened. Here's what I'm doing about it," actually means that we actually talk about it.

When you are that small business, you don't have to feel so alone. You can say, "I've read a little bit more about it, so I know a little bit more than knowing nothing about it." I do think that you want to talk to your team internally and say, "Hey, what happened? What can we do to mitigate what's going on so we can start to diagnose and figure out where the next best steps are?"

Step one is to mitigate what's going on with your team and saying, "What do we do, and where are we going?" Sometimes, you can do that all yourself, which is great. Other times, it means reaching out to either providers you're already using or looking for a new provider to come and help. I think it depends on the situation.

There are some examples where you're literally being knocked off by a DDoS attack. In those cases, what companies do, they're like, "Oh my God, let's use our current provider to get back online." If they can't, they're going to say, "Let's go find a provider that can get us back on as fast as humanly possible."

Another case where it's like, "Wow, maybe we had a security breach, but we don't know where the door was. We don't know how they got in." That's often a longer lead time. It's more of a partnering with a good service provider either internally or externally to go do that forensic analysis, and identifying it, patching it, and going forward.

I think that there's a wide range of outcomes. The other really common one, and this might resonate with you, is there'll be a new known software vulnerability. You're maybe using Microsoft software in your environment or Oracle software in your environment. There's a known vulnerability.

They say, "Go patch your servers against this vulnerability." Again, the ABCs of security means, "Great. Patch the servers within a relatively quick timeframe," but not every company is doing that, even small, medium‑sized businesses. That becomes a vulnerability for them. In that case, it's like, "How do I have a Web application firewall who can patch that for me in real time while I go update my servers on my side?"

There's lots of different things. I really think it starts with having a team internally that you talk about what happens. In some cases, it also means bringing outside service providers to help you.

Dan: [15:26] What advice would you give on external communication? You mentioned some of the fear in the industry today about announcing a release. What are the best practices you've seen in driving transparency and customer trust when something does go wrong?

Michelle: [15:39] What I like to say, don't be a turtle. Don't hide under your shell and think it's not going to come out. I think we've all seen that come back to haunt many companies. What I would say is a good gold standard is acknowledgment from the company and senior leadership at the company saying, "We had this incident. This is what we know. This is who was impacted. This is what we're doing about it. We take this seriously." That's the best.

People want authenticity and transparency now more than ever. I think our world is really craving that. Customers are craving that. That's ideal. For some companies, that's just not possible. It might be totally counterculture, like we would never do that. That's such a far departure. That's a gold standard, but you have to do what fits within your business and what's most natural to the leader. I think the more authentic, the better.

Sweeping it under a rug almost never works anymore. It's better for you to assume the news will get out if you have a security incident. Let's assume it's going to get out. If it does get out, think about, do you want to control it or do you want someone else to control it, and how that thinks.

Then you've got to figure out what's authentic to you. Gold standard is someone senior in the company acknowledging it, explaining what happened, explaining who is impacted, and what we're doing about it. I understand that there's some companies who they're like that, just so far of a departure of our company we can't get there. That's OK too.

I do think asking yourself, "If this became public, what would we do about that, or how would we react, or what would be said if it wasn't us telling the story?" is a good question to ask yourself and your team.

Dan: [17:21] Do you see any frameworks that are evolving on how you safely communicate something? For example, does it have to be a press release or Twitter? Or is there a more effective communication format?

Michelle: [17:32] It's probably not a press release. It's probably not Twitter. It's great if you have a presence on Twitter. That's a way to connect with people one to one. Maybe if you have a corporate blog, you may post it there. Or you might send an email to your customer base that was impacted. Those are two places that you could do.

This is just an idea. I'm not saying it's a good one. There might be some companies who say, "Well, I have a really close relationship with a reporter. Let's turn our incident into a business case and a learning experience that we can share with other like organizations around the world so it doesn't happen to them."

You imagine working with reporter. Tell the story. Then the story comes out through a piece of journalism. Again, it's both about diagnosing what went wrong but also learnings for others to learn. That could be another way. You got to fit to what your company's already doing.

I think what you don't want to do is, if you've never blogged in your life, as a company, I'm not sure this is where to start. You don't want to start...This is not the place. You want to take what you're already doing and lean into that.

You're probably sending emails to your customers, or maybe you're talking to your customers on a daily basis to your client facing team. Maybe, it's phone calls. You got to take how your company is connecting with your community and use that is a good place to start.

Dan: [18:49] Got it. You talked about bad actors and also how Hollywood gets it wrong. In the old world, it was obvious someone could smash the glass of the building, go take files, and that would be theft. Sometimes, it would be a random actor who steals cash from the door, or sometimes, it would maybe be a competitor potentially or someone else.

How do these bad actors translate virtually, and who gets it right? Do people have clarity on who they really are?

Michelle: [19:16] I love analogies, too. For the cybersecurity experts listening to this, give me a little bit of leeway because sometimes the analogies fall short. You said smashing the windows, taking the money out of the door. Examples are attackers will look for poor passwords. They'll be checking password fields where they'll have a list of emails.

Emails are fairly easy to guess or find. They'll check to see password123. They have a dictionary of attacks that they'll just write a program. They'll be able to go through literally an encyclopedia of common passwords and test against that. You think, "Well, if I've been using password123! as my password and then my email address, they can then log into something." They're looking for weak passwords. There's a lot of people around the world. You think there's a lot of people who have weak passwords. It becomes an attack vector.

I mentioned the InTouch Software. There's very few businesses that aren't using software from someone else. Those software's have vulnerabilities. We know that. It's OK as long as you're patching these known vulnerabilities. It turns out it's just another to‑do on somebody's list of "I have to go patch that."

If there's a known software vulnerability, and it goes unpatched, the data shows that as soon as the new software vulnerability's out, attackers start trying to find companies that are using that software who haven't patched it within 30 minutes. Nobody is patching their servers in 30 minutes. It's just fast.

There's like a, "Okay, how do we drive that?" One of the ways to protect against that is using a cloud‑based Web application firewall that can patch it for you. Then you still have to do the server side, but you buy yourself some time.

It's like you still have the cash, but it's in a safe instead of the drawer. They might get through the window. There's nothing in the drawer, but then they go to the safe, and they got to now crack the safe before they can get the cash. It's the same sort of thing.

There's phishing targets. This one's common where there are people who make up companies and they try and say, "Well, I'm going to take one of the employees and send them a link with a malicious...Send them an email. Spoof it looking like it's coming from the CEO, send them a malicious link, and get them to type in credentials that go lead to some bad action."

This happens. I've known many businesses, especially certain times of the year, where somebody on the finance team gets an email saying, "Hey, can you please wire X‑number of dollars ‑‑ $200,000 ‑‑ from this account to that account," and they sent the link. The finance person clicks on the link and does a transfer. It turns out it wasn't coming from the CEO.

It was somebody who spoofed. They impersonated the CEO. It's like someone in your real‑world example. You have a twin evil brother who comes into the store, does something malicious, and then blames it on you. I would say it's like a bare website. If you're out there, especially if you're low or high profile, what you have a bare website with no DDoS mitigation in front, then you're a sitting duck.

It turns out it's easy for attackers to mount resources, to overwhelm most websites fairly easier, which is why you need some cloud‑based service, whether it's Auth or something else that sits in front and absorbs all that so you never have to see it. You need that bodyguard in front so that your club doesn't get too crowded. Those are some of the examples that will translate to the digital world.

Dan: [22:38] I love that and the bodyguard analogy. What are these people, bad actors, thieves, villains? What do they look like? Where are they, and who motivates them?

Michelle: [22:47] If you're a business owner, you're like, "Who are these people?" They want to really focus on the who [inaudible]. I'll give you some examples. I would say that if I was a business leader in your shoes, that's not the question to ask your team.

I think the question you ask your team is, "Hey, where are the gaps from a security standpoint? What are the places? Where are we against closing those gaps?" That's a good place to start. Here are the types of attackers.

Some are the Mission Impossible. Some are the nation‑state attackers. That happens online. There are scary nation‑state attacks that happen. That definitely happens. That's a minority, not the majority. It can be a competitor. It's one of those things where it's hard to believe, but it's true.

In some industries, competitors, it's such a competitive space that it's one of the tools they use to try and get ahead of each other. It's like a competitor launching an attack against their competitor to try and knock them offline. They're online for those few moments.

Some of them are criminals. They're literally profiting off this. I'll give you an example there. There was a well‑known online flower company. Four days before Valentine's Day, they get a ransom email saying, "Pay me $25,000, or else I will knock your website offline." It's Valentine's Day. That's, of course, a busiest season. They make a lot of money during that time.

This was not a large florist. It was a medium‑sized florist. They paid the $25,000 so their site didn't get knocked offline. That's a digital criminal. There's two other groups that I think are less known. The first is there's a group online of hackers where they think that there are some companies who haven't taken security cert seriously. They almost see it as their mission to go find who those are and make examples of them.

It's not about financial gain. It's almost more about showing that a large global company isn't taking security service as a service to all of the customers of that company to say, "This company isn't taking it seriously, so vote with your feet and wallet." There have been some cases in the past.

When the Xbox security breaches happened a few years ago, a lot of people said it was because of those sorts of things. That is the group. Again, those people or hackers are hacking in, but they're doing it to say, "This company isn't taking it seriously. Until you take it seriously, we're going to keep trying and finding your vulnerabilities."

You don't want to be on the bad list of the hackers because they become this real nuisance for you. You're just like, "Oh, my goodness." There's two other groups, and then I'll be done. Sometimes it's a group, especially if you do anything controversial. Controversial is not what you think it is.

It could be religion. It could be science. Science is controversial. It could be artistic. It could be controversial. It can be human rights, is controversial. It could be journalism. Journalism is controversial. You are a journalist reporting on human rights abuses in maybe a developing country. That is controversial to some people.

In some cases, attacker's saying, "I don't like what you're saying, and that should not be online. I don't agree." It's almost like, "I don't like that." In the real world, it might be a fistfight. Instead, they go say, "I don't like what you're doing, and so I don't want to see it." They're boarding it up.

The final group, which might scare some parents on the call, there's a lot of teenagers that are doing [inaudible]. They start to fall in love with computers and technology. They start to get the power of like, "Oh, my goodness. I'm learning a ton."

Instead of throwing eggs at houses and running away, which is what happened when I was in high school, they're throwing eggs online. Those eggs sometimes get a little bit more powerful than they think. They think wow.

It's curious teenagers who find themselves with using technology in a pretty powerful world and feeling like, "Wow, I know a lot, and that company knows nothing. Look what I did." Sometimes, it can get themselves into trouble going too far with that.

Dan: [26:49] What tangible advice would you have for our listeners? A lot of them being digital heroes are people at large organizations. That might be in spaces like automotive or manufacturing or more traditional industries that may, like you said, have this IT Pro, but majority of the employees are not digitally savvy.

What advice would you give them to start? Who do they speak to? How do they transform within their big company?

Michelle: [27:13] The most part is all those businesses, I'm sure, have already started. Some might be further along than others. If I'm a leader [inaudible], first, I was just acknowledging. Where are we? Give yourself a grade. Are we getting Fs? We literally never talked about it as an organization or executive team. Are we getting Cs?

Because I think that there are differences, whether you're failing or whether you're getting a C or a grade of a B, or if you're like, "Well, yeah. Actually, we're doing pretty good," and there's some areas we have to work on.

You should acknowledge where is your readiness as an organization. It's not one person's job. In the company, I really think it's a management team or executive team discussion of like, "Where are we?"

Cybersecurity cuts across lots of different teams in lots of different ways. My website's, for example ‑‑ automotive website ‑‑ consumer‑facing. Maybe, your CMO cares about that. They care about making sure your website's online versus your CIO might much more care about our employees and making sure they're not getting phished.

I don't want that email example I gave, the phishing email or someone sending an email internally impersonating someone else. That's under the control of the CIO. It could be your engineering team shipping the next product that has bugs built into the software. How are you doing code review to help catch these things?

Our security is not one person within the organization. It's across your whole executive team. The first step is having conversation and saying, "Where are we?" Giving yourself a grade, a letter grade under 10, just something.

Then you start to say, "Where do we have to start? You can't do everything at once. Where are we starting?" I think you should start with the ABCs. There's ABCs on public‑facing properties and ABCs on internal practices. You start with the ABCs. Once you have the ABCs, the [inaudible] surrender, thinking and do all the advanced things.

You have to do the ABCs. All the advanced step doesn't matter. You're over‑complicating it because you'll get hung up on one of the small thing. I see it all the time with these large organizations where a company will do a ton to secure their most prominent Internet properties.

If you're an automotive company, and you're running many brands within that automotive company with many public‑facing websites, they'll put all the resources to the biggest ones. It makes sense. They're the biggest ones, and they want to get the most traffic. There'll be some that they'll say, "I don't have money left over to deal with these."

It's the ugly stepchild. [laughs] It's like the problem child over there, the little ones over there, the ones of the pack they get no attention. One of them gets compromised by an automated bot. This is not Tom Cruise in Mission Impossible doing...

It's just a bot that some high school kid wrote in their basement, and the bot can hack into this, take off this problem child or the small child over here. All of a sudden, the media story ‑‑ that's a very public‑facing thing ‑‑ is not all their main sites stayed up. It was just this one obscure site.

The story is enter global 2,000 automotive company is offline. It wasn't their main site, but it's this small site. If you're trying to explain as an executive, everything was fine, except for the site. It sounds like excuses.

You start with the ABCs. Acknowledge where you are. Put in the ABCs. Once you do that, then you can talk about the phase two and continue to build in the right people internally, bringing the DNA internally, and evaluating the right external parties to work with. It is really interesting that if you can't even have a conversation internally at your executive team, then you haven't done the basics.

Then the next step, which is also for the basics, is bringing in culture internally so every employee at these companies have some language about it. We all have to become better digital citizens. The world's going in that direction. Companies have a responsibility to help their employees be better digital citizens.

One part of being a digital citizen is understanding a little bit about cyber security, not be the expert, we have to understand a little bit, just like you need to understand a little bit about personal finance. Like there's a lot of things you got to understand, and just the Internet has introduced a whole new set of tools that all of us as citizens, employees and business leaders have to become better at. You can no longer outsource it to one person in your company. It's just like technology is everywhere. That's why we have these podcasts.

Dan: [31:39] I love it, and I love your content to digital citizen because it really aligns with what we've seen across our community, where we see digital heroes as being people who have the vision, the foresight, the tenacity, the energy to think differently and transition things online and digitally. That comes with a whole new culture and a new way of operating.

The reality is that would have been in 2009, a few people operating in the cloud. It's now fairly pervasive, but the speed of which people are digitally transforming, it's almost like you can't keep up with your training on how to be a good digital citizen, and that's when bad things happen.

I would love to hear from Michelle. You talked about the ABC's about cyber security, but what are the ABC's of being a digital citizen, and how do you think that evolves in the next few years?

Michelle: [32:25] I mean, being a digital citizen it's not a special power. It's not hard, and it's like OK, and it's like don't fear technology, kind of embrace it, and find ways in your life that'll make your life better. The truth is it can make your life a lot better. It can make it easier to connect with people, and I think this pandemic, that we're currently going through, really shows that.

I mean the true heroes of COVID‑19, and of course, are the medical responders and the first responders and the medical professionals' first responders. They're absolutely the true heroes. But the trusty sidekick has been the Internet. I mean, could you imagine if you couldn't do a video call to your loved ones, who right now you can't see them. People are doing lessons online.

Just think about, it's all working behind the scenes and technology's making you feel connected to somebody, even when you physically can't see them. So don't fear technology, embrace it and find ways in your life that you can make it better.

Whether it's instead of making a phone call, maybe I'll make a video call so I can see someone. I can see their facial reactions and also I'm like, "Oh, wow, that was a different experience than just hearing your voice, for example."

Maybe, it's what you've been doing a lot by pen and paper, but it's hard to share with somebody, a list. Maybe try a digital list, and sharing it, and seeing like co‑editing something, I mean like the spark of joy of like, "Wow, that's way better."

I'm not saying you have to be full techie all the time, but just like lean in and embrace it, and just say, "This is not going away. Technology is not going away. It's not a fad. It is here to stay. It's going to continue to accelerate."

That doesn't mean to be the first to try everything, but I do think a digital citizen is willing to find the places where they are willing to embrace technology. That doesn't have to be in everything. I mean, I work in the industry. There's many things where I still prefer the analog, but find the places where it does work for you, and then talk about that with your friends, because like, "Oh, wow."

It's almost like recipes you exchange in person when you meet up with folks, or your new favorite movie or whatnot. Talk about it, "Hey, I've been doing it this way, and it's amazing how much easier this is," or whatnot, and make it almost the top of the conversation, and that helps spread it among your friend groups, and they'll do that.

Again, it's almost like all tides rise. I think the more that all tides rise, the less scary it becomes and the more of finding the happy, good stories, and we need more, happy good stories.

Dan: [34:54] We definitely do. And speaking of that, you're an inspiration to so many, having been in that Plug and Play room, and saying, "I can be an entrepreneur too," and then creating a company, taking it public, impacting as many businesses you've done, and really safeguarding people from potentially terrible events. It's incredible what you've done and accomplished. What advice would you have for someone in your shoes?

Michelle: [35:17] One of the things that I like to say is go find a meaningful problem. If you find a meaningful problem that actually will impact people, and this kind of goes back to where we started being a doctor.

Find a meaningful problem where you're actually solving a problem for somebody, and ask yourself, "Is there more than one person in the world that has the problem?" If the answer is yes, a lot of people do, it is meaningful, then I think you should go full force and do it.

It's an incredible experience. I don't think you should ever do it just because you want to be an entrepreneur, and I definitely don't think you should do it if you don't have a meaningful problem. It really starts with find a meaningful problem like you're proud to work on, and then go right on it as fast as you possibly can because you will meet incredible people along the way.

You will go execute on this, solving this meaningful problem, which means you're going to meet customers or people or partners around the world who say, "Oh, my God, you changed my life because of this in this way." That will fuel you to keep going. So, that's what I say, go find a meaningful problem and assemble the team to go do it.

Dan: [36:18] You make it sound easy.

Michelle: [36:18] Again, I'm a half‑glass‑full person. It is a lot of work and that's why I say so I'll find a meaningful problem because it's a lot of work starting a company, especially the first four years. I mean it's always a lot of work.

We're 10 years in, but like the first four years, it's a lot because you think hiring the first couple of people to come join you is hard. You've got to find some way to fund this. You've got to get your first customers. You've got to build what you say you're building.

There's so many things. But try getting employee number three to come join us, 50 to come join. It's like, "Why would they join you versus, I don't know Up Direct, which is already a success story, and I can work with smart people, and you know you're not going out of business tomorrow." It's so hard. So one of the ways to make it a little bit easier is if you were solving a meaningful problem for a lot of people.

It's, I'll say you have customers telling you things that I heard early on. I remember, let me tell you the story. I remember early on when we were back at the campus of Harvard Business School, and we were working on this as a business plan, and we did a survey to people, to these small businesses that you mentioned actually. It was just the small businesses, not the global 2000, just the small businesses.

As a good business student does, I said to survey saying, "How much you care about, how big of a problem is cyber security for you?" I had like quantitative where you can like market, but then I had open text boxes so people could also kind of just leave comments, and the answers were things like this.

"Web spammers are the scourge of the Internet. They are criminals and should be locked up. One spammer is making me believe in the death penalty." They were just these very strong statements that you're just like, "Wow what's your problem here?"

That was the first part. The second part of the survey said, "OK, what do you do to protect yourself against it?" What was really clear was these small businesses had no good solution. They all had home‑grown solutions that were kind of like duct tape that they had done.

They hired an IT consultant to do it, but they all felt very vulnerable and exposed. So we said, "Wow, there's clearly a problem here. Can we use technology to create the solution?" It turns out there's many, millions of small businesses around the world and developers around the world trying to build the next state companies.

Then we said, "Well, we can do the developers and nonprofits and small businesses. Why can't we also do the large enterprise?" That's how we really started to do this. When you have that vision and you have those Web spammers making me believe in the death penalty, it makes recruiting that employee a little bit easier, or getting a customer, a prospect actually try your service because they've a real pain point.

Find something meaningful because it helps you carry you through all the low points.

Dan: [39:01] We talk about those sacrifices. What do you go through as an entrepreneur, and you mentioned the four years being really tough, but obviously, even this year with having to deal with COVID and other challenges, the global economy, what goes through your mind?

Michelle: [39:17] Yeah. I mean there's highs and lows like 10 times a day and now there are highs and lows but they're much more spread out, maybe weeks apart. That makes it much more stronger foundation, which is great, which is what you want as business. You want the highs and the lows to be more spread out. I think that's a sign of maturity as an organization. The best part of my job were the people I get to work with.

I mean it is such an honor to have a team of people around the world who you don't care of showing up. Our mission is to help build a better Internet by helping our customers be faster, safer or more reliable. It doesn't matter how good you are, you're going to need a team.

I've had a lot of jobs in my life where I wouldn't have said that. Literally, the best part of my job I get to work with. They are so committed, they care so much. They're [inaudible]. They teach me so much and vice versa. I think I teach them.

We are all there to say, "Hey, let's go execute on this vision," again, this big, meaningful problem. The second-best part of my job are our customers because we're solving their problems. We're solving a meaningful problem for them. They tell you when you're doing a good job.

When you're working really hard and someone says, "Hey, I really love your service." It's almost the adrenaline you need to get through the next challenge, or they tell you, "You really fell short here." That's always hard to hear, but it's good to hear because then you can get back up and make it better.

I always feel like our customers are rooting for our success. They're like, "You're solving real problems for us. Please help more of my problems for me. I love that your team is so great to work with."

Again, if you're entrepreneur starting or wanting to start, or even if you're a big company thinking, "Hey, how do I partner with a smaller company?" I do think that people [inaudible] is huge. Whether you're a startup or a large company, you want to partner and have happy customers on either side of the coin. At the end, it really matters a lot.

Dan: [41:04] It's incredible, and I think that focus on vision and values is really what defines companies that succeed ultimately from ones that don't. I look at 2009, so many companies emerged to do great things, but I found that it was the leaders that had clear vision, solving a big problem, but also this sense of values that made sure that when they had to make a decision, that like probably a big one and tested their ethics and their morals and where they're at, they made the right decision. That allowed them to continue to scale and gain trust in the community.

Michelle: [41:33] Yeah, no, I'm used to that really well. I've been saying it more recently than normal. It turns out leadership matters. Whether you're an executive at a big company or a startup, it's like people are noticing where leadership really matters and sets you apart.

Part of that is the values that you mentioned and making consistent decisions and following through, and how you act and how you communicate, how you treat people. These things all matter. I actually think that's a good thing. My kids need help for the future where those things do matter. I want to live in a world where those things matter.

Dan: [42:08] It's incredible. So the concept of future digital citizen really leans on leadership that matters. Where do people start when they want to become a better leader as a digital citizen in the future?

Michelle: [42:18] I think actually what Hadi is doing at code.org, Hadi Partovi is an incredible tech founder and executive who's built many amazing companies, and then part of many amazing companies. He started something called code.org, and it's basically kind of ever giving anybody, and I mean like literally anybody. Like my mother, my 10‑year‑old niece to myself have done that one‑hour online coding course.

You don't have to be a professional coder or developer, but just understanding it, and you're like, "Oh, wow, I can do this," and learning what it means and whatnot. So what Hadi has done at code.org with those people, taking the programming in schools, I mean he's really helped expose what I think when people say, "What is writing code?"

They don't even know what it is. He basically helps demystify it, and make it accessible, and it's free and anyone can do it for the first hour. Even, they can basically have some AT, like advanced computer science high school classes that they can people for [inaudible] for a really, very economically traffic business case.

I think, people like you, Dan, talking about it, showcasing it, I think it's services like code.org, again it's accessible to anyone, young or old to just feel like, "I'm going to do this. I'm going to tell you when I'm doing it."

Then, if you like it, next time you see your friends at dinner, you say, "Hey, I did this really cool thing called code.org, and I was able to build this thing." You go, "You should try it. Do you want to do it together or come over and let's do it together instead of baking together or crocheting together, let's do code.org class together."

I think things like that are places along the way. Of course, then there's the fortunes and medium posts. "Fortune Magazine" does a lot of great content. "Harvard Business Review" writes a lot about this.

There's also the traditional media publications where I think there's a lot of great content for leaders to say, "That's how I used to do it, and here's where it's going. Here's where the ball is going."

Or as a, I'm a Canadian, what Wayne Gretzky would say is, "Skate to where the puck is going." I think resources like Harvard Business Review and Fortune Magazine and other reputable organizations like that can help you go to where the puck is going.

Dan: [44:27] It sounds like the puck is going in the future wherever it needs to be a digital citizen and educated on things like security and Cloudflare is a great solution for that. Really appreciate you sharing your story and sharing your insights. This was so exciting. Thanks again, Michelle.

Michelle: [44:40] Thanks so much for having me.

Dan: [44:42] Take care.

Dan: [44:42] On the next episode of Decoding Digital.

Rich Aberman: [44:47] It's funny there are founders that can see the world 10, 20, 30 years out or [inaudible] really potent personal vision that they spend a lifetime kind of closing that universe. We did not fit in that category.

Dan: [45:01] Co‑founder of WePay, an innovator at JPMorgan Chase, Rich Aberman. Listen on Apple podcast, Spotify or your podcast player of choice.

[45:12] Thanks for listening to Decoding Digital. Make sure you never miss an episode by subscribing to the show in your favorite podcast player. To learn more, visit decodingdigital.com. Until next time.

Resources