EPISODE 246: Marketer of the Month Podcast with Gregory Van den Top

The Big Questions!

Saksham Sharda: Now we’ll go on to the longer questions, which you can answer with as much ease and time as you like. First one is, How is the CISO’s role changing in today’s digital landscape? What is driving these changes in general?

Gregory Van den Top: If you think about the CISO’s role, it’s a relatively new role. It’s existed for maybe a little bit over  30 years now. Steve Katz was the first CISO in the US bank. It started with protecting office applications, office automation. If you ask the CISO, who’s responsible for securing your operational technology? Who’s responsible for securing your digital supply chain? Then the answer would be someone from engineering, someone from procurement. Over the past couple of years, all of that’s been included in the CISO’s remit. We’ll see more of that being included in their remit. We have artificial intelligence and new technologies coming up, like quantum computing. CISOs will need to consider that. But how these technologies change business is also very profound. Business profile changes. With that come new considerations for the CISO. They don’t just need to think about protecting and saying no when something is outside of policy. They now also need to consider how we can use these technologies in a secure manner. It’s not just protection, it’s also enabling the business to become more agile, more effective. Maybe changing towards what customers need. CISOs need to start building trust with their customers. It’s a very broad topic, but essentially it’s not just about that protection anymore. But also considering other types of risks, like what affects my reputation, what affects my organisational resilience. CISOs need to start acting more like business executives rather than technical protectors of an organisation. The CISO is becoming much more the CEO of their own security programme and needs to manage that accordingly. 

Saksham Sharda: How should CISOs go about balancing and reacting to external pressures with shaping long-term security strategies? 

Gregory Van den Top: We just outlined that the role is becoming increasingly complex and that’s not sustainable. One thing that CISOs need to be doing is simplifying their operations. It’s not about technology sprawl anymore, not about single-point best-in-class solutions. But rather, how can we simplify operations so that we focus on what’s really important and let the technology do the heavy lifting? I think that’s absolutely critical and we’ll see more complexity being included in the CISO’s role as we go forward. New things will come up, incidents will come up and they need to be managed. Another thing that CISOs also need to do then is have the right skills and capability available to them in their team as fractional part of their team or maybe outsourced. To appropriately respond. So the CISO’s remit is growing; it’s getting much wider than it was. And certainly from a development perspective they need to prepare their team, their organisation essentially for that future. 

Saksham Sharda: What technologies do CISOs need to be mindful of right now? 

Gregory Van den Top: The talk of the town is artificial intelligence. I’m sure somewhere in some hype cycle, it will show that artificial intelligence is downward trending. But it’s still a very profound technology that we can use to protect ourselves. But we also need to be mindful of the implications on threats and on the security landscape in general. As we use technology so do our attackers. And it’s absolutely vital that we’re aware of the changing threats to secure ourselves. Another thing that I think is critically important going forward is quantum computing. There are quantum computers out there and their speed and efficiency will only increase going forward. The real threat there is that you’re getting breached now but the data is encrypted later through quantum computing by attackers. So you want to think about how to secure yourself from those types of decryption attacks now. And have your roadmap ready for when quantum computing becomes widespread. 

Saksham Sharda: How do you go about approaching vetting new security tools? 

Gregory Van den Top: We do most of our design ourselves. At Cloudflare, we are customer zero. So, for most problems that we see in the world, we think of how should solve it. And once we find a solution, then we democratise those tools for our customers. So one example is we recently seen a widespread breach involving a third party on Salesforce. So how do you get that visibility of who’s connecting into your SaaS applications, what data is being shared. And this is something that at Cloudflare, we recently released as a new feature for early access to our clients. To provide you with that visibility essentially as a single point of access to all of your SaaS applications. So I think that’s really cool about being part of Cloudflare. It’s an engineering company and we solve problems. 

Saksham Sharda: So you talked about how CISOs should take on more leadership roles. How do you recommend CISOs build influence and credibility with their C-suite peers? 

Gregory Van den Top: I think it’s absolutely vital that CISOs move forward in the development conversation. So, as you talk about how the business changes and how the business model changes. The CISOs need to be part of that conversation up front. To make sure that it’s done securely and that what you do builds trust with your clients, with your partners. You need to be forceful as a CISO. You need to make sure that you are part of that conversation. Otherwise, you’ll be telling your colleagues afterwards, I told you so. And that’s not a great position to be in. I don’t think it’s for the lack of understanding about cyber risk that some CISOs are in the position that they are today. All the board members understand cyber risk is a major deal. If you suffer a ransomware attack, you go down, you lose your business, you lose your data. And some of that might be very sensitive. You get in trouble with your clients, with your partners, maybe even with the government. So this is something that we need to solve for. And as a CISO, you are in a prime position to solve those issues for your colleagues or business partners in your organisation. So that’s where you want to be. In the early discussions about how your business changes and how technology enables that. 

Saksham Sharda: What does your typical day at CloudFlare look like? You wake up in the morning and then? 

Gregory Van den Top: The first thing I do is open my email. And I’ll probably have a lot of them. Since a lot of my colleagues work from the United States, a lot of the work is being done overnight. And then I reach out to customers, see how they’re doing, make sure that they’re doing fine. I check how the internal things are going. If there are any important issues that we need to solve quickly. Sometimes I might attend an event like this one that we’re at today, here at TechX. And have conversations with everyone who’s here, some of the media. Just having a great day. 

Saksham Sharda: And how much of your daily time is taken up with meetings? 

Gregory Van den Top: Right now it’s about 50%. So I do get a lot of time to think about what needs to be done. Thought leadership is obviously an important part of what we do at CloudFlare. And I try to contribute to that as much as possible. But also strategising. So what does security look like in five to ten years? Where should our customers be going? What do we as CloudFlare think of the world as it changes? And hopefully tackle some of those larger issues that are currently troubling us. 

Saksham Sharda: So speaking of how CloudFlare thinks of the world, CloudFlare says it’s on a mission to help build a better internet. How does that vision influence your work as a field CISO? 

Gregory Van den Top: I think it’s critically important. It’s also one of the reasons why I work at CloudFlare. So the internet was never designed with security in mind. It started out as a project for sharing information in the late 60s. Security wasn’t a thing. I think it was two years later that the first worm was developed. Initially, to understand how many computers were actually on the network. But that started causing issues. So I think the lesson here is if you can build it, you can break it. And you need to build things then with security in mind. And that’s what we do at CloudFlare. So everything that we do needs to be secure. Obviously, we’re not flawless ourselves. But we do offer as much security as we can. And as things progress, we intend to improve. And I think that’s what any organisation should aim for. Being resilient is not just about being 100% secure. But being able to respond to incidents as they come along. Being transparent about them. And improving as you go along. 

Saksham Sharda: Are there any milestones or interesting stories of how CloudFlare has made the internet safer for users that people might not be aware of? 

Gregory Van den Top: There are many. Coincidentally, this week is our anniversary, our 15th anniversary. And one of the things that CloudFlare has been doing almost from the start is supporting individuals who might be under duress, stressful situations, or under siege, even. So journalists, human rights activists in specific countries. CloudFlare is offering those services to them for free. And this week, we’ve actually expanded that portfolio to provide even more security for those individuals. So that they can do their work, and maybe with a little bit more security. We obviously provide security on the internet. Which gives them the opportunity to use the internet anonymously and safely. Unfortunately, we cannot guarantee physical safety. But certainly, we’re trying to contribute to everyone’s safety. So if you want to look it up, Project Galileo. It’s a huge initiative for us, and it makes me proud to work at CloudFlare.

Saksham Sharda: Cyber resilience is a big part of your thought leadership. What does true resilience look like for an organisation? 

Gregory Van den Top: Well, it’s a very complicated topic nowadays. Some of it is even geopolitical. But really what I think it’s about is being able to respond to incidents and threats. In such a way that you experience little to no harm from it. And harms being downtime or liabilities, that kind of stuff. Things that would cause your organisation financial distress, maybe continuity issues. Like I said, there’s no 100% guarantee that anyone is secure. There is a lot of stuff that we, as a community in cybersecurity, still need to improve. But certainly being flexible and resilient is very much more important than it used to be. When we focused on building a moat and keeping everyone out. We work distributed across the world. And everyone is using their own tools, their own stuff. The internet is a very democratic place. But it also makes it very difficult to control. So having a safe place to work is paramount. And then being able to see what’s going on. Being able to respond to that and being able to recover is absolutely critical.

Saksham Sharda: How do you measure resilience beyond just time to recover? 

Gregory Van den Top: So one thing to look at is downtime from incidents. And you want to reduce that to a minimum. The other thing is what’s the perception of my clients and stakeholders in general of my organisation? And tied to that, I think, is the concept of trust. Resilience is one part of trust. But as an organisation, you need to be trustworthy for your clients. And so if something happens, you want to be open and transparent about it. And share your lessons so that others can benefit from them. The other part is doing the right things for everyone. So rather than using all of the data that goes through our networks, we ensure that everything stays private. And I think that’s key to being a resilient organisation. You should build that trust with your partners over time. And you don’t want to abuse that trust. So don’t change your business model because there’s suddenly an opportunity to use that data for other purposes. You’ve got to stick with what you believe is right. And therein, I think, lies true resilience. 

Saksham Sharda: Speaking of trust, then, AI-generated content like deepfakes, phishing is evolving fast. How can businesses prepare for a world where we can’t trust what we see or hear? 

Gregory Van den Top: Well, we need to get better at what we do. So everything that is being done on the internet always leaves a mark somewhere. And when considering building in security into products and designs, this is what you need to look out for. So what is it that has actually changed versus, let’s say, the original that you could use to flag to someone and point out this is not actually real. So I don’t think many organisations are actually doing this. If you use a video conference tool, it doesn’t automatically flag that the image has been changed or whatever. Maybe this will move into, let’s say, a completely new, different market for third-party tools to support that kind of capability. But I hope that this kind of capability becomes embedded in the tooling that we build and serve up to our clients going forward. 

Saksham Sharda: And so do you think technology will eventually solve the authenticity problem, or will we have to change human behaviour?

Gregory Van den Top: I don’t think you can change human behaviour. Maybe you can influence it. Oftentimes, we point to the human as being the source of the error. I think we need to set our standards a little bit higher as an industry, where if the technology does not fit human behaviour, the technology is not good enough. And so there’s lots of stuff for us to do to make technology more viable for human beings. And hopefully, that’s where we’ll take it. So, my firm belief, the technology needs to change. 

Saksham Sharda: So cybersecurity is often seen as a cost centre. How do you turn security into a business? 

Gregory Van den Top: I think, again, that relates to the topic of trust. So doing the right things for your clients, making sure that whatever you promised is being held up in practice. So if you offer reliable, secure, private services, you need to maintain that trust. And that’s what creates a sticky product. So your customers will stay with you if you don’t mess up, basically, or if you don’t go and change the script on them. Oftentimes, we have apps nowadays that, after an update, tell you, Hey, I’m an AI assistant now. That’s not what I want to see as a consumer. And that makes me think about, is this actually an app that I still want to use? It makes me want to investigate alternatives. So don’t screw up. Create trust with your clients and stick with that. And that’s what customers want to see. That will build the business case for your security in the long term.

Saksham Sharda: How can CISOs then shift boardroom conversations from compliance to competitive advantage? 

Gregory Van den Top: Certainly, you always need to be compliant. I mean, that’s not even a question. How I see it is, compliance is part of a societal conversation where society is, in fact, telling you as an organisation to step it up. You need to be better. And being compliant is part of being trustworthy as an organisation. So these concepts go hand in hand. And as you become compliant, as you improve your resilience, as you improve your cybersecurity, that drives your business and makes you successful. 

Saksham Sharda: So, compliance and AI governments are becoming critical. What’s the right balance between innovation and regulation? 

Gregory Van den Top: Innovation all the way. But seriously, as we’ve seen time and time again in technological developments, if you can make it, you can break it. Technology, I feel, is inherently… So technology is inherently neutral. It depends on the person, the organisation that uses it, and what outcomes are achieved. So you really need to consider your own strategy in terms of technological use. And what do you think is right to achieve what technology is meant to do? 

Saksham Sharda: So you talked about the risk from quantum, but are organisations overestimating or underestimating the AI risk today? 

Gregory Van den Top: They’re probably underestimating AI risk. Simply because most people don’t really understand what it is and how it works, what it does. That being said, it’s getting a lot of attention, which I think is a good thing. There are a lot of frameworks out there in terms of governance, in terms of security, which makes me think that if we don’t really have convergence of these frameworks, it’s probably something for everyone out there, but there’s also a lot of uncertainty about what to do exactly. This is a relatively new area of development, and we’ll see how it will be developed. I personally wish that some of the AI developers would take security a little bit more seriously, but we’ll see. There’s a lot of work to do, and it’s a brave new world. And I think what technology is doing right now is amazing. 

Saksham Sharda: From your vantage point at Cloudflare, what’s the most misunderstood part of internet security today? 

Gregory Van den Top: Misunderstood? I don’t think people generally appreciate the complexity of the internet. What it looks like, all of the hardware and software that is required to build it. We take it for granted, like water from the tap or electricity. But the underlying fabric, the foundations, they’re incredible. It’s something that we achieved as a community. I think it’s a shining beacon for what we can do as humanity if we all come together, agree on the way forward, and then we can do amazing things. I wish we had more internets, to be honest. 

Saksham Sharda: If you could give every business leader one piece of cybersecurity advice, what would it be? 

Gregory Van den Top: Think about it not just in terms of protecting, but in terms of creating trust. So what can you do to create trust with your stakeholders? Cybersecurity and protecting your organisation are fundamental to building that trust. And as we go forward, I think it will become even more important. Many organisations have a very wide array of risks. But as we go into the digital era, I think cybersecurity is going to be the most important one for most organisations. So have this on the top of your agenda and go out, build trust with your partners. 

Saksham Sharda: So, looking forward, then, what gives you hope about the future of the internet and cybersecurity? 

Gregory Van den Top: What gives us hope is that there are many organisations like Cloudflare that help to build a better internet, that help to secure organisations online, and that bring peace to the world. I hope that this is a symbol for not just the internet, but for the world at large. That if we band together, we can do amazing things. So yeah, this is a call out to everyone.

Saksham Sharda: So the last question for you is of a personal kind. What would you be doing in your life if not this? 

Gregory Van den Top: It’s interesting because we had a conversation about this yesterday on our stand. And I would be a forest ranger.

Let’s Conclude!

Saksham Sharda: Thanks, everyone for joining us for this month’s episode of Outgrow’s Marketer of the Month. That was Gregory Van den Top, who is the cybersecurity leader and the Field Chief Information Security Officer (CISO) at Cloudflare

Gregory Van den Top:  Great to be here. Thank you.

Saksham Sharda: Check out the website for more details, and we’ll see you once again next month with another marketer of the month.