The Blue Lava Origin Story
Demetrios Lazarikos (Laz)
March 18, 2022
Voice Over 0:10
Welcome to the intersection of technology, cybersecurity, and society. Welcome to ITSP Magazine. Thank you for joining us for this conversation.
Blue lava is the first business platform for CISOs to manage their security program. Blue Lava guides security leaders to effectively measure, optimize, and communicate their security program with confidence and ease in one platform. Learn more at www.blue-lava.net
Sean Martin 1:19
Marco Ciappelli 1:20
Sean Martin 1:21
Do you like to win?
Marco Ciappelli 1:23
Oh, I love to win. I just never get to do it.
Sean Martin 1:28
Is that because you have no strategy or no plan?
Marco Ciappelli 1:36
I’m competitive. But I like Coubertin when he says the importance is to participate. There is the human side of getting together and performing. And eventually Yeah, if you get to win better, but I think you’re missing out if you’re only going to be happy if you win.
Sean Martin 1:55
I have loads of fifth-place trophies.
Marco Ciappelli 1:58
You did an event where they give you a trophy for fifth place?
Sean Martin 2:03
Everybody wins. That’s not true in everything. Right, Marco?
Marco Ciappelli 2:07
No, and that is that’s a good story too. But, it’s probably a story for another time. Today, we’re here with a bunch of friends and because we’re also on video during podcasts, people can see who they are. We’re gonna wave hello. We’re going to do a quick round of introductions. But the point is, Sean, this is one of those stories that you know I love. It’s the origin story. The origin story of a company and how an idea came together. Sometimes it’s actually quite magical and I think today is going to be one of those stories.
Sean Martin 2:42
It is and I’m honored to call each of our four guests friends. They are all friends with each other. They also happen to be co-founders of Blue Lava. You might be wondering, what the heck is Blue Lava? We’ll find out. We’re going to get into that but Laz, Julia Jonna, and Andy, it’s fabulous to have you on and I’m really looking forward to this origin story. I’ve heard snippets over the years, never the full thing, never together, never from the four of you all at once. This is gonna be cool.
Marco Ciappelli 3:19
This is going to be great. We got together before in front of a meal, which is always a good thing. Today we’re going to pretend to do the same thing. We want Laz to start by telling a story that I grabbed some pieces of here and there. I know that there is some kind of a walk on the beach, there are napkins, poems, and then you build something. I don’t know if you play with Legos too? Why don’t you introduce yourself a little bit, Laz, and dive into this story because I want to learn.
Okay, my full name is Demetrios Lazarikos. I’ll answer to Laz or Dimitri, either one, but I’m one of the co-founders and the president of Blue Lava. I’ve been in the security space for over 30 years. I don’t want to date myself. But, I’ve been doing this a long time. I had the opportunity…I was working on a project overseas. Yes, it’s true, I was skipping stones on the ocean and working on a project. When I returned back from the project and stone skipping, I had the opportunity to sit down with Julia Tran, who is one of the co-founders. I’ve worked with her on and off for over a decade. Julia says to me, “Hey, why is it you help the many? You know, you always show up for everybody? How do we go from one to many, Laz? Instead of one to one, traveling the world, and helping people with their cybersecurity programs.” I sat down with Julia and I said, “Well, what are you thinking?” She said, “Well, you know, we really need to build a business application to help security leaders measure, optimize, and communicate what they’re doing with their security program.” I said, “Alright, well, how do you do that?” Julia said, “Let’s think about who we know in our community that we could start working with.” We started working on projects with the CISOs and the security leaders in the community. It was insane because the minute we said, “We have this idea,” people showed up. There were projects coming in, and a lot of, “Hey, can you help us with this? Can you help us with that?” What we wanted to do was, we want to make sure that everybody understood the end goal was to build a platform to do those three things – measure, optimize, and communicate. What I was doing with my security program. The problem we were solving is, these security leaders…and I’m a three-time CISO, I look at this, and I think this is a tool…if I had the resources I would build this in-house. But, when we did it, we sat down, Julia and I,…then Jonna, and Andy…we asked, “How would you build this? How would you go to market with this,” because each one of us is an expert in different areas. We’ll talk about that throughout the podcast. When I say people showed up, it was not only Julia, Jonna, and Andy, but the community. The CISO community showed up. They incubated in our office over in Menlo Park and in Chicago. They were giving us free information about how to go and do this and think about this because it was a complex problem we were trying to solve. Personally, I wanted to make sure that it worked. The only way that we’re going to do that is to build it with, by, and for the CISO community. Julia showed up, Jonna and Andy showed up, the CISO community showed up – everybody started working in our office on this complex problem and how to solve it. For me, one of the best days was when this collective group of experts shows up and people are talking about it.
You know, there there is a rumor and you hinted at it. We’re just going to show it. I put together a little time capsule. It’s a Blue Lava time capsule. Nils Puhlman encouraged me to do this because he saw the original napkin…thank you, Nils. I gave this napkin to Julia. She said, “Oh, what is this?” I said, “This is my PRD – my product requirements document.” Julia said, “Hmm, okay, this is what I heard,” and then she mapped out the original platform making it a business application. What was fun about this, as we sat down to do this, Julia challenged all of us. She said, “If we’re going to do this, do we want to be the voice or the echo? Because we’re going to be pioneers building a business application that security leaders need globally – industry agnostic, these people need this.” The day it came together for us, there was a poem that was written.
And, umm, it still gets me. We’re having lunch on the Embarcadero in San Francisco and we’re talking about this. Julia said, “Hey, this is going to be fun.” It was kind of like a play on words but, the good guys win.
Julia Tran 8:08
So, before you read that, Laz, I just wanted to interject and say, thank you for striking us off and talking about how we began in those early days. But, I really think that we have a little bit of revisionist history here going on. Because at the end of this, we figured out what we needed to build, that there was so much about how to start with figuring out what the problem was in the industry. One thing I wanted to say about this was, I think on the shoulders of all Laz’s hard work and getting out there every weekend on his time off, putting his ball cap on, and getting on a plane and helping people all over the world with security issues and problems – that’s what this company was built on top of. Because then everybody came to us when it was time when we were looking to solve some of these problems. We were really trying to identify and figure out what the major issues were out there that we could help with…that led us to this conclusion. We’re super proud of and we’ll share a little bit more about it. As Laz mentioned, when we were sitting there, you know at on the Embarcadero, about to raise money, and that this is a whole other story. It could be a whole other podcast. My whole dream in Silicon Valley always has been to make sure that the good guys win. In any segment of the work that I do. We see often times people are out there and they end up winning, right? You think, “Why did they win,” right? They didn’t have the best product or they didn’t care the most. They didn’t have the heart that we have. But, looking at these three co-founders who are yet to start this incredible company, the rallying cry was, “Let’s make sure, this time, the good guys win.” That means multiple things with our customers, with our community, but also with us and the team that we assembled to build this company. There’s always a little bit of revisionist history here and we have this schtick, me and Laz, where usually he tells it one way and I tell it another. Who knows what the answer is? Somewhere in the middle. But, I’m, I’m going to bring it back to you where we walk outside of the Ferry Building in San Francisco, as we’re armed and ready to go get those funds to help build this company. Some miraculous things happen. So we’d love for you to share Laz. Sorry to interject.
No, no, it’s all good. It’s nice because sometimes I rewrite history and I’ve got to have my truth, right? Julia, Jonna, and Andy are always saying, “Remember when?” It was fun, because we’re all sitting there and we’re like, “Look at what we’ve done.” I mean, I think all of us come from different backgrounds and experiences. For all the hard work that we put in, and I think everybody knows, nothing comes easy. If it was easy, everybody would do it. We’re sitting there having lunch, we’re talking about the journey, and what we’re going to go do. We’re talking about this theme, “The good guys win,” because, there’s a play on words. It’s both with the good guys protecting against cyber activity and cybercriminal activity. We’re talking about the technology, the entrepreneurs, the business leaders that have this willingness to take a chance and take a risk and do something, but let’s go win, right? We’re sitting there and Julia comes up with that. We’re playing on words. Jonna has got a go-to-market strategy put together for “The good guys win.” Andy and I are talking about how you can fight cybercriminals. Julia’s looking at operationalizing and scaling. We walk out from lunch and there’s a woman on a Royal typewriter, right? Not the old school IBM Selectric, the ones before that, with the ribbon. She has a sign that says, “Poems.” We ask, “Can you write a poem?” She says, “Yeah, the good guys win.” So we started looking at, “What does that look like – the good guys win?” So, she writes this poem, and each of us has a framed copy of this. It was just really special to us. I’m not going to take the time to read the poem because I’ll probably cry because it’s a true statement. It’s a very touching poem but, it was also very timely for us, as we’re going through this early stage of building a company, and being pioneers in building a platform that nobody has ever taken off.
Sean Martin 12:33
So, I’m going to jump in. The cool thing with these kinds of stories, and it doesn’t happen often, is that you can see a problem and you can find a solution. But, this is a group of four people that came together and are living and breathing this entity. We’re going to get into what is a “Blue Lava” eventually. Jonna, I want to get your perspective on the feelings you had. What was going through your mind as some of this stuff was starting to form?
Jonna Melinauskas 13:04
You know, I think it gets emotional, right? I think a lot of us, we’ve been in security for so many years and you always see how they’ve done it wrong. I was always about building something and bringing everyone else in. This time, we had this incredible opportunity, as Laz alluded to, where he’s given so much to the community. Everyone showed up for us. They didn’t just show up, you’re actually being able to talk to people in the community about how we can change what’s going on out there. For me, it was very emotional to be part of something this early on, I’ve seen it too many times where products are built and how products are taken to market. This is an opportunity to start from scratch doing it differently, doing it the right way, doing it almost our way. So, that to me, was really incredibly special for us.
Marco Ciappelli 14:03
Yeah. So, I don’t want people to think that we’re rude and we’re not going to let Laz recite the poem. We’re creating a little bit of suspense here. I would like to hear the other truth – the one from Andy. Anything you want to add to this story before we get to the poem?
Andy Hoernecke 14:23
I think I agree with most of what everyone has said.
Marco Ciappelli 14:28
That’s good. That’s a good thing.
Andy, remember, you were coding on your kitchen table. You were mapping stuff out on the glass board in Zeus’ Temple. Then we were also at Julia’s table and Jonna’s table and everybody was baking food to feed us. You had your daughter coding with you. I’m sorry, I’m having a flashback to you know, the way it was.
Andy Hoernecke 14:56
Yeah, I agree. And I mean, it was a very kind of transitional time for me as well. I had spent a lot of years in security starting in consulting and moving internally to helping defend companies. Like Laz and Julia were saying, we kept seeing the same problems over and over again. This really felt like a chance to help solve a global problem in a more holistic way. And really, to try to step back from the problem and the tactical, the firefighting mode that everyone has been in, and try to look at it a little bit differently. That’s kind of what drew me to this idea and to this company. It was how do we try to approach this huge global challenge from a new and unique perspective? That’s really the angle that I wanted to bring to this and what really made it attractive to me…looking at it from that lens.
Julia Tran 15:57
One of the things that Jonna and I would do us torture him before we went out to raise money. We’d say, “Man, sit down. What was your life?” Tell us your story essentially. We made this “Life of Laz” also known as “LoL,” by the way, and he would stand up for the first time and actually talk about why the history of his life really led him to this moment, to bring this team together, to do what we’re still continuing to seek to do. I don’t want to dismiss that.
Sean Martin 16:32
No, I’m glad you brought that up, Julia, because it might be easy for listeners and viewers to think the good guys winning is this team. That is not what it’s about. I know Laz, I know each of you, this is about the good guys you’re helping win. Laz and I met many years ago. Andy, as well. I know, you’ve run around the world helping people and you build solutions that are super complex, solving super complex problems. It’s hard to scale both of those. I believe that you’re tackling both not just from “how do you scale” knowledge – bringing it to an organization, but then how do you bring that into an organization that has so many functions that make a business run. Julia, I want to go to you. How did you begin to unpack both of those things, because knowledge sharing and bringing Laz to life, “HyperLaz,” I’ll call it, and service, and also understanding the nature of the business, and then building a solution that doesn’t just look at security but how do we scale security culture? How do we secure the business?
Julia Tran 17:52
Yeah, thank you for that. These are great questions. Actually, Jonna and I, at her kitchen table, talked a lot about this. Because again, as I reflect back, yes, we’re now at this whole business application thing. We’re really, at the core of looking at what the fundamental problems were in the industry, and actually mapping that to a C-Suite member. If you have a “C” in front of your name, what’s the responsibility, right? Then, do they have the toolkit to be able to deliver on that? As an executive, through the years at different companies, and also coaching other executives, the key things are the same – no matter what functional area you represent. There are a lot of functions – more than there ever were. Businesses are more complex than ever and with technology as a bloodline, it is what breeds life to the global economy itself. It is how we are able to reach those individuals all over the world. The thing that we narrowed the focus down on is, as someone who’s been in the people and culture function and coaching executives through the years, fundamental is trust and confidence. Every single time you’re standing up and you’re speaking on behalf of your function, your job is to instill that. It isn’t to get down in the weeds. It’s to look for some sort of commonality, some sort of language around the business, that glues what you do – the impact of that to the business itself. As we broke things down, what we know is for this, the nascent stage of security, as a programmatic kind of solution for a company, that’s systematic and well understood…it’s not there yet. Some of the fundamentals are really around performance, right? At the end of the day, how do you measure your own? If you don’t actually know what it takes when you’ve been living in a sea of red tape that is regulation and defining your programs based on those things. Defining your performance based on meeting your audit. No other function in the company actually exists in this way. So, ultimately, we knew that the tribal knowledge from this community, this collective of CISOs, and technical leaders had to draw in knowledge and allow us to provide that out to the rest of the organization so that they could glue it to the business impact. Because everything you do is for those common goals for that business. How do you then look at the core competencies and capabilities that are necessary to figure out what kind of people you need to hire, what kind of expertise you need to help make sure you can instill that trust and confidence? Those are kind of the key things and at the end of the day, when it’s not well defined, what ends up happening is you’re accountable for everything. I say this to CISOs time and time again, “But you don’t own everything, right?” So, how do you actually start to look at that? These are all critical pieces. Having a trained and qualified group of folks out there where there’s not enough education and time for those who know to actually deliver that knowledge to the people that need to know for the future of security in the industry. Who owns what? So you can actually work with them effectively to the business as a business partner. Then at the end of the day, measure your own performance and stand up with confidence, and say, “We have what it takes to protect this business.” That’s how we did it. A lot of this is about those coaching conversations we’ve had. Years of that, for me, and marrying it and clipping it with years of knowledge from Laz. It’s really what we ended up formulating in our thesis for what needed to be built around a business application. We feel forever grateful for all those CISOs that sat for hours with us to talk about and to be vulnerable – which is not what you’re allowed to do. Vulnerability. If it was four letters, it would be a four-letter word, right? In the industry itself, no one wants to say where they’re vulnerable. Until you get there, you’re not able to fix the problem. So, that’s where I come from when I looked at it from my lens. I’m inspired by that. The intended consequence of this software, this product, this company, was to teach people how to build programs that they don’t know how to do just yet. They’ve been really focused on compliance and audit versus the security and security of businesses that they’re responsible for.
Marco Ciappelli 22:34
And that’s the big question that I want to ask Jonna and maybe and then Andy. In the details, how? I get great ideas, there is a “why,” there is a “what,” you see a “need,” that is a really big need in the industry. From the people that are living in their own skin in daily life with all the burnout and everything. You need something that can work as a program that merges the business side of things with the security side of things. So for me, it’s a herculean task, but it seems like you guys kind of found the way. How?
Jonna Melinauskas 23:13
How? I’ll build on that and a little bit on what Julia said and then Andy can go more into the specifics. It was exactly that. The “How” is really… there are these amazing people in the industry, time-tested CISOs. There are so many of them out there. Some are strong in application security, some databases, some in networks, some in all of these huge, vast, amounts of disciplines of security. Even within application security, there’s patching and vulnerability management – all these levels of complexity. When you come into Julia’s point, as a CISO, whether you’re new, just starting at a new company, or looking at a new potential mergers and acquisition opportunity, whatever it may be, we spent time finding the right person with the right knowledge and say, “Okay, what is the first thing you do in this subset of application security? What’s the next thing you do and how do you build this best-in-class program within these capabilities over time?” As I said, there are massive amounts of these capabilities that kind of roll up into these disciplines. That was the most amazing “Aha,” to hear people in the industry. We bring a lot of this working together and people would move things around and see things. Then, we as a team would look at things. That was the “How?” You’ve got to figure out how all those disciplines and capabilities relate to each other. Then you need to be able to use unique experts in our field to give us all that critical information Like Laz’s information and be able to make things even better. The one plus one of these people made it to a thousand. We took that knowledge and then harnessed it from this community to make it even better.
Sean Martin 25:16
Julia, I’m going to go back to you. You mentioned being vulnerable and that you can take that in a number of different ways. I know you were looking at it from your own team and being vulnerable in front of the investor community. But, I presume you’re also vulnerable with each other, to kind of think outside of what have you normally done to tackle this problem? Then, I’m going to go on a limb here, and maybe this leads up to the next question…how do you help the CISO community be vulnerable? They have to think differently as well and put themselves out there perhaps in a way that their peers may not expect them to. You said, “Vulnerability is not a four-letter word.” What’s the most ultimate vulnerability? Zero-day?
Julia Tran 26:12
Yeah, let me know if I’m answering your question, Sean. What I mean by that, I actually do mean the vulnerability of CISOs in the CISO community, They are not allowed. I think with engineering thinking and technology thinking, everything is really exacting, right? Business is fluid. When you raise something up, and you want to say, “There is no way anyone can get through these walls.” You want to be able to say that a 1,000%. You want to be certain. Usually, when you’re in business, and you’re actually putting something together, you have to prioritize the highest risk of how your business works and how you are securing those particular pieces. Telling somebody, the internal folks, your executive team, your board, who is responsible for the company, or if you think the bad guys are listening…that you think you might be vulnerable is massive. That’s something that most CISOs are not willing to admit out loud because they believe that it puts them, their organization, and their company at risk. The heart of risk is vulnerability, meaning, the ability to understand exactly what it is that is wrong, at stake, or connected to what. Being able to then learn from that, express it, create a strategy and a blueprint around it, and know that there are some areas you won’t be able to get to. That doesn’t seem to be allowable in the culture of security. What we did was we talked to a lot of folks who are either are at a later stage in their career, who have been here and have been holding the gate, or standing at the gate for many years. Laz came from the military through the ranks into security, where, again, vulnerability is not a good thing. To have them stand up, because now they’ve made a career of doing incredibly strong work in security, and to say, “Yeah, I probably should have stood back. I probably should have let people know and shared more about what we do. Because now we’re in a secret box and we’re not allowed to really open ourselves up.” Now that they’re at this latter stage, Sean, they’re actually able to talk about it. They’re willing because they know they’ve done a disservice to the ones who are behind them. They’re not giving out their knowledge base, they’re not talking about the vulnerability that they think in their head, or they only call each other to talk about underground. The whole thing I kept saying to CISOs was, “Let’s bring those underground conversations above ground. Let’s shine some light on these issues so we can serve you better and serve each other better in the community.” At the heart of it is that. Learning is all about vulnerability.
Sean Martin 29:22
Yep. The interesting thing for me and why I love this story so much, and the things you’re working on as an organization, is this human element. At the core of security, it’s all about technology. In recent years, we’ve begun talking about the business of security, gluing security to the business, we always forget this human element. And yes, we dabble in culture and that kind of thing. There’s nothing really been taken or no real steps have been taken to kind of pull all those pieces together. Andy, I want to bring this to you. Because what you’re building is that. It’s not just the tech stack, MTT-Xs. It’s not just what’s our risk posture and what’s our appetite at the company. How does a team led by a CISO on the shoulders of the CISO community do something meaningful for the business? That’s a hard job. How do you do it?
Andy Hoernecke 30:26
I think you’re exactly right. I think that’s part of the problem we wanted to help solve. In a lot of ways, the industry has it completely backward, which is…it’s all about technology, it’s all about automation, and you forget completely about the people aspect of it. When the reality is, you can buy whatever technology you want but, if you don’t have the people on the ground, that understand the output, that knows how to set it up, that know how to make it run, it’s not going to be successful. The people aspect is really the foundation of the security program. That’s why, when we built the platform, “people process, technology” was kind of the mantra that we said over and over again. It’s how do you measure those things? From there, you get a baseline to understand where you’ve made investments, where you need to make improvements, and where you go. The people aspect, whether it’s through being able to determine accountability for different parts of your security program, which as someone alluded to earlier, oftentimes, it’s not the CISO, or the CISOs team who is responsible or accountable for a lot of these things. You really need to be able to build that roadmap, or that organic kind of organizational chart of who are the people that matter in the industry, to protecting the business, to understand risks to the business, and how do you connect them together with the process, the technology, the metrics, and the policies that the organization has in place or needs to put in place?
Marco Ciappelli 32:03
Yeah, that’s so true. We try to redefine the relationship between technology and humanity. It’s nice and refreshing in a way to know that there is a group of people and many others…I’m not going to say that there’s a unique situation, everybody tackles a different side of the problem. But, if we don’t put humans first we’re going to fail. We’re not going to get the goal. We’re not going to win…as good as we may be, we’re not going to win. So Laz, how is this program used now? How is this company currently getting into a business and serving the business? How is Blue Lava part of this now?
Yeah, so in a number of ways. We hear from our customers and they love the platform. They’ve never had data represented this way. I think the team can talk about this. They can now speak in confidence and with ease. They have the data to represent what’s happening with their security program. What we do is we see customers using it to build a baseline. What they have, what they don’t have…Jonna mentioned this earlier, if you’re a new CISO, if you’re an existing CISO, if you’re a new CISO in a new industry, the platform is industry agnostic, but it understands security and program management. When you’re looking at performance, you can build your baseline – what I have, what I don’t have, and then it goes even further. The platform has proprietary algorithms that give you information on where you can start to build projects. Groups are using this to leverage for building, not only their program management and performance management around their program, but they are going to other business leaders inside the company, and saying, “This is how we’re doing. Are we doing good? Are we doing great? How do we get there? What matters to me as a business?” We’re seeing M&A activities, you know, people acquire a company, they have to go through the platform, and they’re leveraging it. It’s beautiful. For me, Julia said it best, it’s a dream come true. If I was going to build a platform, if I was going to build a solution, if I was to go back in-house again, as a CISO, this is the platform I would have built. This is the team that made it all possible. That’s why I’m very emotional about this. When you talk about bringing together thousands of people, of these great minds, and sitting down with the four of us who have this very unique background and experience to build a business platform…and you see it come to life, and people using your data to go to the board, to go to the audit committee, to go to the business units….it’s really profound to sit in those meetings and just watch it come to life. I remember the day we turned the platform on and everybody was just sitting there. It was turned on September 20, 2018. A week later, one of our customers was using the data in a board meeting. I walked out and cried. It was just like, really, really cool to see it. Then, to have it expand the way it has been across all those dimensions I just walked through, it’s really profound. Really unique use cases but, the theme remains the same – measure, optimize, communicate. I can talk knowledgeably about my program in business terms. Where’s the biggest risk to revenue in my business? I’m going to pause there. Julia, did I miss anything?
Julia Tran 35:52
No. I would say this helps. It’s so fun to remember the origins because usually, that’s where the answers live. When you get deep into the business and you get clouded by everybody’s opinion about what it is that you’re doing, and whether or not it’s the right thing, you forget sometimes what was at the core of why you started what you did. So thank you, Sean and Marco, for having us talk about this because one of the things that I think that is highlighted is there are two chronic things out there. One is that when you walk into an organization, and we used to call it a ransom note, somebody just left…the CISO…they call it the “Ghost of CISOs Past” roaming the hallways…whether they do a good job or not, they never actually wrote anything down that actually correlated and gave you a sense of what was there. The biggest time, and I don’t want to say this to cybercriminals, but I’m sure they do this already…that they would be extremely vulnerable when that CISO leaves and makes an announcement to go somewhere else. They’re kind of gashed open with not a lot of tools and understanding of this very complex security program that needs to be in place in order to protect all the things. The first time when I shed a tear was when some of those newer CISOs that actually didn’t know they were vulnerable enough, because maybe that generation of folks are a little more vulnerable to say, “I don’t know how to do this. I don’t know what’s here. I got this huge job.” Then they turned it on, and they disseminated the software out, and then they pulled the data back in, and then within days, they got a picture of what that looks like, and what was there. To me, that was so powerful. That’s what we’re looking to achieve, is to bring all that knowledge back so that there can be continuous improvement and performance. The thing I want to say is, let’s not keep saying, “What are the gaps? What’s actually there?” How about being proud. It’s such a negative. There’s the lack of vulnerability sometimes in the security community and then there’s the digging at you all the time around, what you know, what you aren’t doing. Actually, it can show your performance in a really positive way, too. To me, there are all of these emotional things. There are all these things that you don’t associate with security and technology. People, like you, said Sean, that are so important for the industry to be effective, for the CISO to stay in their spot and say, the reason why they leave every two years isn’t just for the big dollars. I see those articles all the time. It’s true, they’ll get paid multi-millions of dollars to leave a job. But, at the heart of it, I think, if any of us were to think about it, especially during this COVID time, when you’re thinking about what the world means to you, why you show up to Zoom every day, what you’re trying to stitch together in the world, is that they want this so that they can do better so that they can keep doing well, so they’re well understood and respected in the organization. When they find again that they can’t do that because they don’t have something like what we provide to help them build that relationship and that trust, then they leave. Yes, it’s big bucks but it’s also the lack of connection with the business that makes them feel like they’re not performing and good about their job.
Sean Martin 39:31
And Jonna, I want to know if you have any other examples, maybe something even more related to the community. As Julia said, there’s perhaps a lack of widespread vulnerability in this group and equally less of a desire to scream from the rooftops all the great things they did. We find that there’s a lot of heroism, right? “I worked ungodly hours and did this amazing thing that I couldn’t achieve unless I nearly killed myself to do it,” and that’s working not smarter but harder, right? So, any examples from the community where people are coming together and actually helping to shore each other up through the Blue Lava platform?
It’s interesting because one of the things that we’ve noticed with so many CISOs is that they’re very humble. I know we’ve talked about that and I think it’s really the community. It’s a couple of things. The community and Julia can allude to this as well, but, the community has always helped each other. They’ve always supported each other through the platform. As I said, it’s taking all these CISOs from the community and blending all this knowledge that can help everyone. It lifts the whole industry up. We’re actually leaving the industry better than where we started. We feel like, and I know we all hold this, we all have a piece of making the industry much better than where we started because everything was all about regs. Now we’re all about programs and performance. Giving a CISO his voice in a boardroom…that they can show across the year over year, how things are improving, how many in marketing are not doing their job, engineering could maybe pull up the reins over here…I feel like if anything, it’s this community that has supported our company that supports the product. Andy can vouch for this as well. I mean, how many times our customers want to contribute to our platform, give ideas, see how they’re using it, how they want to use it…to be honest, to me that’s golden. We don’t sit with these customers and they don’t say anything. They’re wanting to be vocal, our UX teams have shown them what the future will be like. They have input into that. We have this saying, it’s “with, by, for, the security community, and everyone has a piece of it in what Blue Lava is today. It wasn’t just about us building something that we thought there was a problem. Instead, it was bringing the industry to the problem and giving each one of them a voice, having some sense of ownership into “We’ve got to make this better.” They all, to this day, help. Anytime Blue Lava needs something they help. It’s extraordinary, to be honest.
Marco Ciappelli 42:34
So you build it with the community. Now you’re running it with a community. And I’m curious because I have to go into the future. So, Andy, I want you to take your crystal ball and tell me what do you see as the next few steps? How is the technology part going to help the community even more?
Julia Tran 42:56
That the role of Demetrios Lazarikos was just played by Marco because that’s what he always asks. He regularly turns to Andy with that same question.
Marco Ciappelli 43:08
He’s got the Mediterranean blood, right?
Yeah, it’s funny because Andy and I were on a call this morning. I called him right after that meeting and I said, “You know what’s next, right?” Andy said, “Yeah, these four things.”
Andy Hoernecke 43:22
I mean, I think I think I’m gonna pull it back to kind of our three pillars that we all always talk about, which are measure, optimize, and communicate. It’s all about those three things. On the measure side, we have found repeatedly that content is king. The information that we’re collecting, how we collect that information, is one of the most important things that we do. It’s as important as the technology and the platform that we’re building. Focusing on making sure that we’re collecting the right information, that we’re gathering it from the right places, the right people, and continuing to improve on that would be number one. Number two is the optimization component. There’s a lot of things that we’re doing in there. We are pulling in more information around risk and business objectives and really building out the features that, to Julia’s point earlier, help teach these CISOs and security practitioners how to do this themselves. It’s doing it in a new way that’s better aligned to the business by helping surface insights and you know, really deep information out of a data set that they’ve never had access to before. It’s a lot of information that they haven’t had the opportunity to examine. That’s number two – how do we continue to improve on that and pull more information out of the data we’re already collecting? The third thing is around communication, when we started I would say that we were really focused on communication up, you know, the board and the executive staff. That is critically important, don’t get me wrong, but I think that what we’ve come to learn is that it needs to go both ways. It needs to go back down the chain to the security practitioners on the ground, to the engineering team, and to the product team, etc. It is equally important that they understand their role in the organization and what they’re doing that matters to the business and how they are protecting or harming the business as it is to be able to report to the board. I think those are kind of the three areas I would say getting better about each and every one of those is what we’re striving to do every day.
Marco Ciappelli 45:47
Yep, sounds to me that all three are very important for the community. Again, the human element so that everybody can perform better. Before we end, I teased at the beginning that I wanted to know about Blue Lava and I couldn’t finish this story without knowing the reason for the name. So, Laz, Julia who is going to jump in on that? Why Blue Lava?
Julia Tran 46:15
Oh, this is Laz’s. I can not take credit for this.
Jonna Melinauskas 46:21
We had no input. Julia, Andy, and I had no input.
Marco Ciappelli 46:26
Laz, this is yours with the good and the bad. Go.
Okay, so there are two stories out there about the name. The first one is an urban legend. I’ll tell you that one first. I was at DEF CON and Blackhat or Blackhat and DEF CON, and somebody comes running up to me while I’m having a discussion. They’re like, “I love the name of the new company.” I’m like, oh, okay, and we didn’t really tell anybody the new name. I said, “Well, how did you find out?” They replied, “Oh, yeah, you know, I heard it from so and so.” I said, “Okay, well, what do you know?” They replied, “Well, I heard that you paid $50,000 to a marketing firm to come up with a name. Blue – confident, integrity, trust. Lava – because technology, cybercriminals, and security are always changing.” I said, “Wow, that’s an interesting story. Thanks for sharing.” Everybody turned to me, and they asked, “That’s not what really happened, is it?” I said, “No.” Now the real story. First of all, I don’t know how that story got started but you know, a random person came up, thanked me, and complimented the name. The real story is, I was standing at 200 South Wacker in Chicago and a customer said, “Hey, what’s the name of the new company?” I was looking around the room, and there was a bunch of Google lava lamps running – red, yellow, green, blue, and I said, “Blue Lava.” And he said, “That’s a cool name. I like it.” I said, “Yeah, so do I. I did a lot of thinking on that one.” But, that’s the true story about how it started.
Marco Ciappelli 48:05
And you saved $50,000 from a branding company.
Sean Martin 48:12
What I’m taking here from this group of four rock stars, is the thinking went to the right place. A focus on the human element here. It is clear to me that humans have to work in concert with technology and the process. It’s the support of the community that you’re bringing together on top of that, that really makes this shine. You’re giving them an opportunity to be comfortable in being vulnerable so they can think differently and communicate effectively with the business. I really liked this term, Julia, “how to glue what they do to the business.” I loved it when you said that. A fabulous origin story, with lots of mini-stories within it. Laz, Julia, Jonna, and Andy, it’s a pleasure to see you, to have you on this, and to hear you share your story with us.
Julia Tran 49:13
Thank you, guys, for having us. Thanks so much, Marco. And Sean. Always a pleasure.
Thanks, guys. Appreciate it.
Marco Ciappelli 49:19
You made it really easy to tell the story because you didn’t have to make it up. Thank you so much. Thank you.
Voice Over Speaker 49:35
If you enjoyed this podcast, share ITSP Magazine with your friends, family, and colleagues. Thank you for listening.