Chasing cybersecurity Avalon: Is such a thing even possible? Artwork

The Catalyst by Softchoice

A podcast about unleashing the full potential in people and technology.

When people and technology come together, the potential is limitless. But while everyone is used to hearing about the revolutionary impact of tech, it can be easy to forget about the people behind it all. This podcast shines a light on the human side of innovation, as co-hosts Aaron Brooks and Heather Haskin explore and reframe our relationship to technology.

All Episodes

The Catalyst by Softchoice

Chasing cybersecurity Avalon: Is such a thing even possible?

November 08, 2023 • Softchoice • Season 5 • Episode 17

Is a cybersecurity utopia – where no CISO lies awake at night worrying about threats known and unknown – even possible? If you believe “yes,” how do you get others to share that vision?

That’s what we discussed with Lou Senko, Chief Availability Officer at global banking technology company Q2 on this episode of The Catalyst. First and foremost, Senko doesn’t believe in leading with the fear factor. Fear, he says, only frees up some of the wallet.

He talks with host Cheryl Stookes about his strategies for improving security posture and justifying security budgets, whether you’re a small business or a major enterprise. He also outlines his personal approach to getting the most value from security investments. And, with the security talent shortage showing no signs of abating, he shares his experience recruiting against giants Tesla, Oracle and Dell in the fast-growing tech hub of Austin, Texas.

Cheryl also signs off as co-host of The Catalyst, as she takes on a new and opportunity outside Softchoice. Thank you, Cheryl. We wish you all the best with your latest chapter!

Featuring: Lou Senko, Chief Availability Officer at Q2

Resources: Read Lou Senko’s white paper Demystifying Zero Trust and learn about Q2’s community initiative Spark.

The Catalyst by Softchoice is the podcast dedicated to exploring the intersection of humans and technology.

The Catalyst by Softchoice is the podcast dedicated to exploring the intersection of humans and technology.

[00:00:00] Cheryl: Welcome back to another episode of The Catalyst by Softchoice, the podcast dedicated to exploring the intersection of people and technology. I'm your host, Cheryl Stookes. Here's a question I've been asking myself recently. Is there such a thing as a cybersecurity utopia? You can't blame me for wanting one.

[00:00:21] Cheryl: With new threats emerging daily, major power grids are being taken out around the world, and AI is being used to mimic human speech and writing. Keeping company data safe is a daily challenge, not to mention that cyber security is expensive. Could it be possible, even if there were no limits on budget and talent, to reach a security utopia?

[00:00:43] Cheryl: This question is exactly why we thought it would be a great idea to chat with Lou Senko. He's a thought leader protecting some of the most sensitive data, personal banking data. Lou Senko is the Chief Availability Officer at Q2, an innovative technology company that provides online banking and lending solutions to banks.

[00:01:02] Cheryl: Credit unions, alternative finance, and FinTech. In fact, 47 of the top 100 American banks are Q2 customers. That all adds up to a ton of data to protect and Lou is responsible for every bit of it. Today, we're going to hear all about how he's helped Q2 become a leader in data security and a highly complex and regulated industry.

[00:01:25] Cheryl: We'll be discussing Lou's strategies for improving your own security posture and justifying security budgets, no matter the size of the company. And of course, we're going to get Lou to tell us more about the security utopia and just how feasible it is. Thank you so much for being here today, Lou. Good morning.

[00:01:41] Cheryl: Hey, thanks for having us. Where are you, where does this podcast find you this morning?

[00:01:46] Lou: Where our headquarters are for Q2 in Austin, Texas.

[00:01:49] Cheryl: Austin, Texas. I spent a lot of time down in Austin, Texas. I actually worked for SHI International for eight and a half years and, uh, spent a lot of time down there. I used to love visiting Austin.

[00:01:59] Cheryl: It was a lot of fun. So great to have you on the show this morning. Thank you. Thank you. Well, why don't we jump right in? I'd love to talk to you a little bit about another podcast that you did. I know you did a recent episode on the Austin Tech Connect. And on the podcast, you said that you grew up on a poor farm in Northern Alberta.

[00:02:18] Cheryl: Tell me more about that. So are you Canadian?

[00:02:21] Lou: I am Canadian. I'm not trying to represent all poor people, but we grew up on a farm. My grandfather was a Ukrainian immigrant. Came over, had to work better part of a year to earn enough money to bring grandma. And the, the first couple born over and then settled in a farming community up north in Alberta.

[00:02:39] Lou: 12 kids came outta that, my dad's one of them. And then dad left the farm when he was in grade 10 and made a life for himself. So fairly uneducated man, but uh, worked the land and, uh, now that dad's passed. If we ever flatten the world with nuclear war, whatever we're gonna do, we're gonna find where that man's buried, we'll dig him up and he'll help us rebuild it all.

[00:02:58] Lou: So just a lot of, uh, great ability and just common sense and things that maybe he didn't learn from school because he, he had to drop out, but just was able to do a lot of things with his hands. And, you know, we had a, we had a life. My life started a run or two up the ladder from where his was and, uh, got me into school and, and off I went. But, um. It was, uh, it was, uh, humbling beginnings, for sure.

[00:03:21] Cheryl: Well, it's, that's so interesting. And I think one of the most interesting things that I found about that podcast is you mentioned that the founder of Q2 also started out in a farm in West Texas. Is that just a coincidence? Are you two kindred spirits?

[00:03:35] Lou: No, totally a coincidence. I think when you look at Hank, Hank's story is, uh, he has a farmland. They lost it in the 80s. He had to go work at a local bank as a teller, spent the whole day answering the phone, telling people what their balances were, got tired of that, had a friend that was a programmer and said, Hey, let's go try to do something where they can make a phone call and the phone will answer and read them their balance.

[00:03:56] Lou: Seemed revolutionary at the time, right? And, uh, as they made their little business plan, they went into a bank of America and got turned down and, and Hank sat in the parking lot and shed a little tear and said, geez, you know, what am I going to do? This was my big break to get, get out of here. And, uh, Alan is drive home, he passed a local credit union, said, what do I have to lose?

[00:04:15] Lou: Pulled in and sure enough came back with a loan that started the company. And it's very mission aligned when you think about what Q2 really stands for. We really try to improve the communities that we all live in by helping that local financial institution that's within that community whose own mission is to invest back into that community.

[00:04:33] Lou: And so we just don't want to see a day where there's just four big banks or five big banks that get to decide, you know. Who can start a business, who can get a home, who can go back to school. And so it's the diversity of the regional and local financial institutions that make that all possible. You know, I live on a street with six homes and, uh, three of them bank it with one of our customers.

[00:04:54] Lou: So it's, it's, it's an important piece and it kind of, you know, brought the message home when the stimulus hit here during COVID. And the government had to find a way to get 175 million checks out to people. And if it was just four big banks, five big banks, there would be California and New York would be looked after, but all in between would, would have a hard time.

[00:05:17] Lou: And our customers saw a huge increase in logins and people really looking for that money. And so the team had to spend nights and weekends preparing for this and nights and weekends during those moments to make sure everything was up and ready to go. And so, you know, what they do matters. And even though, even though, um, Anybody can buy the software we use.

[00:05:39] Lou: Anybody can download it and learn it. It, it's, uh, it's really the people that put it together that are different and just being aligned to that mission where we're just not all here waiting to buy the CEO a third boat. We're, we're here because it makes a difference on our street. It is kind of one of the glues that kind of binds this talent that we have at Q2 together.

[00:05:58] Cheryl: It's fascinating talking about the humble beginnings of the company and I think about 2023 and where Q2 is today. So my understanding is that you work with over 1, 400 banks and credit unions and your clients move over 2. 5 trillion dollars a year in assets. That's just a staggering number. I also read that 10 digital banking customers in the US uses Q2 solutions.

[00:06:19] Cheryl: Can you tell us more about Q2 and what you all

[00:06:24] Lou: do? Sure, yeah. Thanks for the opportunity. You know, we have about 34 million users across the platform and about 34, 000 are logging into a Q2 solution every single minute. On the online banking platform, for example, we have about 23. 5 million users logging into just under 500 digital branches.

[00:06:44] Lou: And so Q2 is the white label underneath their label as they go to market. You know, they're accessing accounts on these 1, 400 banks and credit unions. As you said, they move about 2. 5 trillion a year. During peak, that's about 28 million a [00:07:00] minute. And so, um, lots of focus, lots of attention goes to it because that's payroll, that, that's, that's mortgage payments, that's child support.

[00:07:09] Lou: I mean, it's money that matters. And 28 million moving every minute at our peaks. We try to provide a platform that allows these brands to be very differentiated. So, Even though there may be a street with three or four, uh, banks and credit unions on and they're all using QT, you would never know. They're very, very different look and feel.

[00:07:29] Lou: They offer their customers very different services. And it's all just a part of us enabling them as they kind of take their brand to market, um, being very unique and different. And it's always one of the concerns we have where there's been consolidation of the number of banks and credit unions over the years.

[00:07:46] Lou: And there's fewer and fewer of them as the big ones buy the small ones. As it gets fewer and fewer choices, then there's a lack of diversity in the offerings because everyone tries to look like each other because that's what's working. And so we [00:08:00] really want to be the platform that allows people to be very differentiated in how they go to market, have their crazy ideas being enabled by technology to bring out to their end users.

[00:08:09] Lou: And let the underpinnings, the, the infrastructure, the security, the compliance, those type of things, we'll, we'll take that on because that's not differentiating in itself. It's just expected.

[00:08:19] Cheryl: It's interesting. We're talking about people's banking information, right? And so obviously keeping it all protected is, is critically important.

[00:08:27] Cheryl: I notice your title is Chief Availability Officer. I don't know if I've heard that title before, but tell me about data security and what that means for Q2 and what that means for you and your role as the Chief Availability

[00:08:39] Lou: Officer. Sure. You know, uh, Chief Availability Officer is the funniest title, but it's actually, frankly, the coolest job, right?

[00:08:45] Lou: So, uh, the team's responsible for availability, uh, performance and quality of the services that we host. And then because they come from hosting environments, we have 14 different hosting environments in a big, large distributed cloud. The security and compliance of those hosting environments fall under that same purview.

[00:09:03] Lou: So when we think about how do we be best of breed, I get the benefit or the curse, depending on how you look at it. I get 1, 400 CIOs, CSOs, and risk and compliance teams all judging, you know, just how well we're doing a job of looking after their digital branch. Their digital branch is their largest branch, so it matters.

[00:09:23] Lou: There's a healthy engagement with the security and IT teams at our customers who have all kind of different views and different lenses on this, pulling that all together to make us better. But then I have to show that not only am I doing a good job, but because I'm spending at levels that no one financial institution can spend at, that I'm helping them kind of punch above their weight class and we're bringing different solutions and different Different technologies, uh, are available to them because they're part of our platform and on, on Q2 solutions.

[00:09:54] Lou: You know, we do some really creative things with data obfuscation and blockchain, or we do some really cool things with, uh, mesh. And, and we, so we do some things that, that I get the benefit of spending a lot of money on a couple of applications where they have to look at a big ecosphere of things.

[00:10:10] Lou: Everything from physical security of, of a bank to, uh, ATMs that are down the street. To having to worry about tellers and data. And so, you know, for us, across our 14 environments, we have 41 petabytes of customer data. So that's 41 with 15 zeros after it. And we use that data not only to power the solutions that the customers use, but then, you know, it's all again, part of the AI and some of the machine learning that we bring in itself to, to enhance that customer experience.

[00:10:41] Lou: I know we'll talk more about that, but data security is the security that we are concerned about, right? So. How we think about protecting the data. We actually start with the data itself as part of the security. And I know that seems almost hot and ironic, but we do some really cool things where, for example, we pull sensitive data.

[00:11:01] Lou: As it's being written from the application into the database, we pull sensitive data out and replace it with a token. So if you get to our database, whether you're a bad guy or you're an employee, you get to the database, there's still sensitive data in that database, just a token. And then we take the data we took out, and we encode it.

[00:11:17] Lou: So we convert it to new data, pass it to a, a solution that then says, hey, I got this data coming. I encode it a second time, I chop it up into bits, I reverse fragment it, I send those bits down to a private blockchain that we host inside. And that blockchain says, Hey, I got these bits coming at me. I'm going to encode it for a third time and scatter across multiple blockchains.

[00:11:35] Lou: That's just an example of, if you, if you look into our database and bad guys get in there and they take it away, there's no sensitive data as part of that. Um, and if you can figure out how to get into a blockchain, that's, that's hard today. May, I'm assuming it's going to be easier tomorrow for bad guys to figure that out.

[00:11:51] Lou: Uh, the source data is not there either. It's been encoded three times, chopped it into bits and scattered. And so the secret is we can rehydrate and glue all that data back together and present the data to the application at near wire speed. And so. It's a really tricky way of being able to house all the sets of data, but de risk it because of some of these solutions we use.

[00:12:12] Cheryl: That's fascinating stuff, and I just would like to have it on the record that I think you and I have a different definition of fun. Because you talked about having the most fun job in the world while having 1400 CIOs, CISOs, and digital compliance officers judging everything you do. So, we'll just table that one for now.

[00:12:29] Cheryl: I'd love to go back and ask you a follow on question about the security. So I know that you had recently given a keynote speech at the InfoTech Austin IT and Security Conference, and you were talking about this idea, Lou, of a security utopia in which you called Avalon. Is it, is it possible to reach a security utopia?

[00:12:49] Cheryl: What does that mean?

[00:12:51] Lou: Good question. I, I don't know that the answer is ever going to be yes, right? We're always chasing. And, and being part of, uh, both availability and security, it has you looking at the same problem from different sides of the coin. On availability. We can do the math to say this thing has this much uptime in chain with this thing has this much uptime in chain with this thing has this much therefore the overall uptime of the solution is this.

[00:13:16] Lou: If we don't like that, we can spend more money and do things like clustering, redundancy, and you can do a math exercise where you just spend more money to get closer to perfect. Now, you'll never get perfect, but you'll spend all the money trying to get there. So that, that's a pretty easy math problem to kind of solve, and you can lay at the table of your partners and other executives saying, Hey, how much uptime do we want, and here's how we spend to get there.

[00:13:40] Lou: Security is kind of on the other side, where it's anything less than a hundred is zero. And so we're going to actually, instead of designing for uptime, we're going to design for failure. And so we know we're going to fail. We wrap everything in a layer of defense, but that's going to fail. Now, we don't know how the bad guys are going to do it yet.

[00:13:59] Lou: That's the whole point. They figure that out. So we have another layer underneath that, that has a different set of challenges. And then we have another layer and another layer and another layer. And so we, we try to present all these obstacles to make the cost of getting through very high. And eventually they go on to easier targets.

[00:14:19] Lou: So in security, we have to design for failure where on uptime, we design for availability. And so it's, it's a kind of a funny way to look at things, but anyways, driving value from our security investment, not just from our customer's eyes, which is important because the customers, again, if we're hosting their digital branch, they're taking their brand to market.

[00:14:40] Lou: And we're hooked at the hip with them, their end user, whatever device, whatever network, you know, whatever time of day that they expect to be able to get to their money and we're going to keep their money and their information safe. And so I'm hooked to that customer as they take their brand in. I'm the white label underneath that.

[00:14:59] Lou: So when you think about how we have to spend money, we have to empower that customer to have a great. Trust brand as they lean into their market. And then I also have to meet all the regulators and all the third parties that have to test us and assess us and go through that for the amount of, uh, cookies that we hold safe in our chest.

[00:15:20] Lou: So long story there, but we use an ecosphere of partners. We use an ecosphere of solutions to be able to bring together, to keep addressing this kind of moving target. That we'll never get to of what perfect looks like, but we're always chasing and as we've matured more and more we define kind of what we think we're good at and define some areas that need attention and Then as a company as the executives in this company, we share the risk with them.

[00:15:47] Lou: Here's things that we have Here's some risks that we have What do we want to address? How much do we want to address? And if something happens in the stuff that I say, no problem, we got, you should be upset with me. If something happens in the risk that we decided to take together, then hey, that's part of doing it together.

[00:16:05] Lou: So it's this balancing act of we'll never be perfect. We'll never be on Avalon, but we're always striving to get better. And because the target, the bad guys are always getting better, right?

[00:16:16] Cheryl: Yeah, for sure, and I know you've had some success stories as well. I think one of the stats in that same keynote was a 94 percent reduction in layer 3 and 4 attacks in just five months.

[00:16:28] Cheryl: Can you tell us how you did that?

[00:16:30] Lou: Yeah, that's, that's, um, it's, first of all, it's my team. I get to put the PowerPoint together, that's my contribution, and make sure that that great team feels empowered to go do these things. Um, yeah, there's a couple of stats I shared in that keynote. Um, you know, back in 2020, we had about 40 billion sessions that we blocked from reaching our applications, and we have layers and layers and layers.

[00:16:53] Lou: I think every session has to go through, I think it's 14 layers before. It's actually touching the application. So we have a bunch of different solutions that are kind of all stacked on top of the self. And then we've driven that down from 70, 000 blocks a minute down to, it's about 900 right now. So that's about a 98 percent reduction in kind of external attack defense.

[00:17:14] Lou: And then on the DDoS one that you're quoting there, when we moved to CloudFlare and that wraps all of our environments, as we got a lot more visibility into what, what's, what's happening at our edge. We were having just nearly 30, 000 denial of service attacks on one of our customers every month, that's about 37 an hour.

[00:17:34] Lou: And so we did a bunch of things to kind of tune, identify, uh, catch those things before they become an event. And, you know, it's not something you can do all at once, you kind of, you iterate your way through it. But now we're down to about two an hour, from 37 an hour to about two an hour. So again, the idea there is that you make the cost of continuing when you're not getting a result, it's not free to attack us.

[00:18:00] Lou: So if we make the cost high, you don't get something for your time, you kind of move on. So I think there's as many, if not more attempts, they just don't last very long and they kind of move on to the next thing.

[00:18:12] Cheryl: That's fascinating. Down from 37 to 2, is that what you said? An hour, yeah. Wow, that's incredible.

[00:18:18] Cheryl: Did you know that up to 37 percent of the software licenses purchased worldwide go unused? That's a total waste of 30 billion per year. That's a staggering amount of wasted budget. In a year where leaders across the board face immense pressure to show a higher return on investment, And to do more with less, inefficiencies like this are unacceptable.

[00:18:43] Cheryl: With over 30 years experience helping organizations manage software licensing and reduce wasted spend, SoftChoice is in a unique position to help your business compete to win. Find the sources of wasted spend. Reinvest in the people and the [00:19:00] projects that help you win with customers and with your people.

[00:19:04] Cheryl: It starts with speaking to a software asset management specialist. Follow the link in the description or visit softchoice. com forward slash Sam to explore a Sam assessment and lifecycle services or to schedule a free consultation. It's time to stop wasting spend and to start investing in success.

[00:19:26] Cheryl: Follow the link in the description or visit softchoice. com forward slash Sam to get started. And now. Back to the show. Okay. I'm going to pivot quickly, Lou, because I think it's in my contract these days. I can't host a podcast without talking to our guests about generative AI. So I'd love to go there next.

[00:19:45] Cheryl: With all the developments that we've seen, particularly accelerated in the last year, how do you see this impacting security? Does it get us closer to this utopia or does it make it harder? I would love your take on that.

[00:19:58] Lou: You know, I think our stance at Q2 and we're a software company, right? So we see nothing but opportunity with AI.

[00:20:05] Lou: Um, we, we started with a center of excellence. We, we, we have a, a, an executive leading a center of excellence for AI internally at Q2. They dealt with some of the trickier topics around governance and, and what we're allowed to use, what data are we allowed to use, how, how to do that. They created some training that every employee went through.

[00:20:24] Lou: And once we got to, you know, all the employees going through the training, then they opened the doors and said, let's go innovate. Because again, People choose Q2 for the innovation. And so, these are opportunities to come. We don't think AI is going to replace a bunch of people's jobs. What we, what we do think is that, or at least I think, uh, that people using AI will replace people who aren't using AI, right?

[00:20:45] Lou: And so, I think the internal use case of how we can make some things much more productive and Quicker and faster and better for our customers. That queue is super deep. We got lots of opportunity there and people are experimenting right now, either building it themselves or bringing vendors in to try something.

[00:21:01] Lou: So we've got a lot of PLCs going on right now. Everything from improving the support experience to reducing obviously copilots and code writing and QA and those type of things. Externally, the customers have high expectations of AI coming in and making the products all better for them. So, we've got everything from, um, embedded learnings to fraud detection and things like that.

[00:21:22] Lou: And, you know, we, we've used machine learning and AI, you know, for many years in some of our products. It's just now getting kind of the focus, I think, that it really deserved even years ago. For security specifically, almost every vendor's tools has AI as part of the tagline now. And when you think about some of the things we worry about, it's not the known stuff, right?

[00:21:45] Lou: We've got the known stuff kind of dealt with and handled. It's the unknown stuff, which is always like the next attack. The next attack is going to be something new, something different. Something not known and all of our standard defenses are going to, you know, probably not deal with that. Well, so it's, it's the ability to identify anomalies that I should care about and not, not amplify the noise.

[00:22:06] Lou: So finding out the things I should care about in the sea of noise is, is really the trick. And we have certain vendors that are really good and very good at identifying those things. And then those are the things we have to care about and those things we have to defend against. So I think it makes our tools smarter, it amplifies my team to be able to do new things that they're not prepared for, but they've got the right tooling and, and stuff to support around them.

[00:22:30] Lou: I think it also empowers the bad guys, as we all know, um, AI is being used now to weaponize many things and, uh, you don't have to even be good at code anymore, you can just, you know, it'll write the code for you. So, I think we're going to be just in an amplified duel of the bad guys trying something and us getting to defend and, It's just new tools to go faster and.

[00:22:51] Lou: That's why the teams, especially here at Q2, why the teams want to embrace AI as quickly as possible and start using it because the bad guys are. They [00:23:00] didn't have to worry about confidentiality and data integrity and privacy. They're using it to build tools to come attack us.

[00:23:06] Cheryl: Yeah, it's timely that you say that.

[00:23:08] Cheryl: We actually did a special episode of the podcast that went live last week and we actually called it from the bar to the boardroom because we talked about generative AI and we hosted it on our favorite local pub. And you mentioned that Q2 is embracing AI because the company is known for innovation and we're doing the same thing internally within Softchoice because We believe that it's, it's critical to attract and retain top talent is to leverage the tools and the technology, obviously in a responsible way with a cross collaborative team, but really embracing the early movers on this and leaning into it.

[00:23:40] Cheryl: Cause I think there's a, just a tremendous opportunity to provide value, certainly for our customers, but also certainly to make careers very interesting internally as well, and to continue to develop the skills of our people. So appreciate you saying that with Q2.

[00:23:54] Lou: I think we always worry about the kind of the obvious stuff around job displacement or role displacement and some of the things that are part of all of our days that could be easily automated and taken away.

[00:24:04] Lou: And that's always the first wave of this kind of new disruptive technology comes in. The next wave though should be new things that were possible before. And that, that will be the exciting stuff. You know, we just couldn't even do that stuff now. And now AI lets us go and dream it and execute on it.

[00:24:22] Cheryl: Yeah, it's exciting.

[00:24:23] Cheryl: Okay. I want to pivot quickly to some words that I hear often when we talk about security and maybe you can help me break them down. So things like zero trust, zero access, mesh, there's a whole bunch of them, but maybe we can start with zero trust. We use that term a lot in the industry, but I'm not sure that all of our users fully know what that means.

[00:24:43] Cheryl: Can you share a little bit more?

[00:24:44] Lou: Sure, and again, I'm not professed to be the voice of the industry on it, but at Q2, we broke Zero Trust into two tranches. One was Zero Trust network access, so the way things have to connect to things that we are using and hosting. And the other one is zero trust from a architecture application development point of view.

[00:25:06] Lou: So on the network, zero trust network access, which is what the infrastructure teams have most control directly over themselves. If you think about the layers concept I was talking about before, how we wrap all these applications and all these layers to keep the bad guys off. Well, that works great, but I eventually have to poke a hole in all that so that customers can get through and use the application and employees can get in and use the application.

[00:25:30] Lou: And so how do I make sure that as that customer or employee identifies themselves and I validate who they are and what the rule is and what they should have access to, then when they go do something next. That none of that is assumed again. I have to go revalidate. And so instead of zero trust, I think it's probably more appropriately called a continuous trust, right?

[00:25:53] Lou: So it's this re verification of who you are and is the thing that you're asking to do something that we're allowed and comfortable. So there's no permission I give you that carries forward to the next thing. You have to ask for it again. And then how do you do that in ways that just don't cripple the business?

[00:26:09] Lou: From having to re authenticate and re ask and re apply a hundred times a day because you're busy doing stuff. And so, that's the tricky part. We started that journey way back in 2018, believe it or not, as we were, again, being a very innovative company. We spent a lot of money on hosting our customers, DigitalBridge.

[00:26:27] Lou: That kind of reforming and reshaping and reintroducing new technologies. And so there's always an opportunity to try the next thing a little differently. And so we started the Zero Trust, uh, conversation way back in 2018 and coauthored a white paper for the International Security Forum, the ISF, on kind of just what our view of it was at the moment.

[00:26:47] Lou: Now, as you wind the clock forward, the industry has come a long ways. And now it's, as you said, Zero Trust is ambiguous across all of the talks and all of the statements, but. You know, NIST, one of the big regulating bodies that kind of has [00:27:00] the, what good looks like templates if you can read through thousands of pages.

[00:27:04] Lou: They've come back with great standards of what you should be thinking about and how you could go architect things to meet a very robust Zero Trust architecture. We are now moving into, now that we have kind of the access thing figured out, then how do we start looking at Zero Trust within our own application suite?

[00:27:23] Lou: If you think about 14 different hosting environments, I got a couple of active, active data centers in a private cloud. We have a big footprint at AWS, a big footprint in Azure. We bring our own orchestration software to it. So we have about 160, 000 containers floating across all these different environments.

[00:27:40] Lou: And with just a couple of lines of Terraform change, we can actually move workloads around. So we kind of pick where we want to start it. We can change our minds and move it. And what that allows us to do is be very nimble and flexible with kind of whatever the best, uh, has to offer. We can go there and change our minds and expect some changes.

[00:27:57] Lou: Um, but how these things all communicate together, come together to create a seamless, single end user experience is the tricky bit. And, and so how do we have... An API surface that is being called from another component of the solution from a different cloud provider, different environment altogether, we can't trust each other, even though we wrote it and it's all stuff I'm hosting, the zero trust has to go all the way down into how the application is working within itself.

[00:28:26] Lou: And so how do you, how do you just change your thinking around when you're developing this stuff that every component has to validate who they are, why they're making this connection? And they get to make that one connection and then it gets broken. And if they want to do it again, they have to go through that whole process again.

[00:28:41] Lou: And so that's part of kind of this whole being able to use this distributed cloud and all the advantages of having all these different spots.

[00:28:54] Cheryl: Yeah, no, it is. It's really impressive. And the other thing that I'll say is, it also sounds expensive, right? We know that these things cost a lot of money. They require a lot of resources. And I want to go back to something you said earlier. You know, anything less than a hundred is zero. Ultimately you're evaluated by the user.

[00:29:11] Cheryl: Nothing happening, nothing bad happening. And so when it comes into justifying spending money on security, a lot of our customers struggle with getting that budget improved because sometimes until you're breached, it's really hard to get the money for these things, which is a bit of a chicken and egg. So what advice would you have for other security leaders that are looking to implement more of a robust security posture and they're having a difficult time justifying the security spend?

[00:29:38] Lou: That's a great, great question. And just to add to that story that, hey, your budget before the breach and your budget after the breach, but usually it's a new person that gets the new budget after the bridge. So in fact, I'm doing a keynote for the Austin ISSA chapter for cybersecurity month here in two weeks on this exact topic, you know, the, the audience is going to be full of security professionals.

[00:29:59] Lou: They're much better at their job than I am. I'm kind of more of the business guy. So I can talk about how do we build the ROI on this? And we do it a couple different ways, um, we're not, I'm not a big fan of fear, uncertainty and doubts of throwing FUD on everything and trying to scare all the executives if they don't do something, then bad things will happen.

[00:30:20] Lou: So, cause fear only frees up some of the wallet and everyone gets tired to that because when it doesn't happen, it feels like you're just creating an echo of that same fear that will never be there. And at the end of the day, there's only so much money to go around. They have to be very careful and do justice where they spend the money and some of the money they spend creates return.

[00:30:39] Lou: And so a return of nothing, it doesn't, doesn't seem to make any sense. So what we try to do is show value in the differentiation of our products and services. So for example, Our security is a differentiator from us and our competitors. It's one of the reasons that we're selected, you know, the VP of digital experience at a prospect will select you to for all the wonderful things we bring to the market.

[00:31:02] Lou: But they also have to run this choice by their security department, by their risk and compliance department, by their IT department. And then those folks get to weigh in on whether they think we're doing a good job or not. And so by helping them amplify their concerns around security and uptime and quality.

[00:31:20] Lou: Through the solutions that we bring to power the digital experience helps us make more sales, helps us keep customers longer, helps us, uh, you know, back the kind of this whole community growth that we're trying to inspire, right? So we try to make our security a differentiator for our customers in the market.

[00:31:39] Lou: And again, they're a tough audience, so they all have budgets. They could all buy the stuff I could buy how we show. That by them selecting us, they made a great career move. So being very transparent in how we do things, taking their feedback on what they think the next future should hold, and inform our roadmaps of the security offerings we're going to bring, and then participating.

[00:32:01] Lou: But then now we have customers saying part of what we pay and choose QTool is for this differential security posture that we have. So that helps that, you know, so when you have the sales folks and the, and the, and the production folks and stuff in, in your camp going, there's value in this. The other part is we, we talk about maturity and, you know, we're a company, we're about 680 million.

[00:32:24] Lou: We plan to be at 1. 2 billion by 2027. So there's lots of growth happening and everything's either going to double or quadruple in size, right? So there's lots of growth still happening now. We got to do it profitably So we got to be watching the the spend on the people on the technology. So everyone's fighting for the same dollars there's a maturity and an expectation level of just what a billion dollar company has and does and and That's not just from a compliance and regulatory perspective, because I think those folks are always a couple of years behind where the market is, because they have to work with 12, 000 financial institutions and everything they recommend cost money and people.

[00:33:03] Lou: So they're always a little bit behind kind of where the market is. But when you think about what our brand wants to stand for, how do we keep growing? Things that could disrupt that growth would be a cyber incident, things that could disrupt that growth. So the risk. Not in the event itself, but the risk to our path of where we want to take this company.

[00:33:22] Lou: Those risks I've got to help mitigate and you know, there's people that understand the debt ratios There's people that understand how to make investors happy What I bring to the table is is around the security and the uptime of looking after our customers

[00:33:35] Cheryl: That's great. And you talked about a lot of folks fighting for the same dollars on that thread You're right in the thick of things in Austin, Texas And you've got a lot of tech companies fighting for the same talent.

[00:33:46] Cheryl: You've got Tesla, Oracle, Dell, the list goes on. Why do individuals choose Q2 and what goes into building just an incredible cybersecurity team?

[00:33:56] Lou: And not a great question. You're hitting me with all the good ones today, but you know, I'm [00:34:00] a big believer that people work for people. And what I do is I just make sure I have a quality management team that people want to come work for.

[00:34:09] Lou: And, uh, when I came to Q2, I was fortunate enough that 12 other folks decided to follow me here and help build Q2 12 years ago when I showed up. Our leaders are critical partners in our employees development, and it's not just their work lives, but their own personal development as well. So, you know, our mission matters.

[00:34:26] Lou: Now, we still got to do cool things, and we still got to do cool things with cool technology. So everybody, you know, this is a high tech company, and we're pushing the envelope on new things. So we got to be doing cool things. But that mission is not just for the stock price to go up, it's, it's actually making a difference in the communities that we serve, is not just our technology, but, uh, you know, employees last year donated 9,000 hours of their time.

[00:34:52] Lou: They raised hundreds of, of thousands of dollars of their own money and charit. The company as part of, [00:35:00] we have an internal program called Spark that our HR group is just really dialed in on where we really try to give back in, in many different ways to the local charities. And when I say local, that's local to wherever that office is all over the world.

[00:35:14] Lou: And then we also do things like DreamStarter where we actually fund, it's a shark tank thing where a young startups get in front of us, give a pitch, and then we, we give them some seed money. It's typically to underserved founders and inventors. And so we really walk the walk when it comes down to why people choose to come to work at Q2 and it is what the company does aligned with kind of their own personal beliefs and feelings.

[00:35:40] Cheryl: Well that is, that is truly inspiring and probably a great way for us to wrap things up. But I do have one final question for you, Lou. First of all, thank you so much for being here. Do you have any last words of advice to leave our listeners with? And actually two questions. I lied. There's two questions.

[00:35:57] Cheryl: And then how can people learn more about you, about Q2 and your work?

[00:36:02] Lou: Sure. Well, well, first of all, honored to be here, Cheryl. And I appreciate the invite. You know, the best way to follow all my crazy world is to hit me up on LinkedIn and I post quite a bit on LinkedIn and I have a great marketing team that's here to help support our amplification.

[00:36:18] Lou: Of Q two, the brand and, and, uh, pulls loose Sanko the brand along with it. But Q two, the brand and just how we think about things. When I think about advice, it's, it's about being comfortable with risk and of risk to try something, knowing that you're gonna fail to get back up and try it again. And you, you never learn anything that you already know.

[00:36:39] Lou: So it's being willing to get kind of outside that comfort zone of what you know. Which often, you've been rewarded for, you've been promoted for, and keep doing that, but as you keep doing that and you polish that, the expectations keep rising. So, how do you keep yourself learning, continuously learning?

[00:36:57] Lou: How do you keep yourself uncomfortable with, with things you don't [00:37:00] know? Knowing that you're comfortable in that if you fail, you can pick yourself back up and keep going and it's one more thing that you know not to do and it's on the path of learning what to do. And if we can just embed that in our culture, you know, for us, um, as technology rapidly changes, we rarely hang on to a piece of technology more than 18 months, it gets replaced with a new thing.

[00:37:22] Lou: And so, of course, we have to add talent that knows the new thing along the way. But we bring our team along and we have an OKR of 20 hours of learning per person per quarter, which 20 hours doesn't sound like a lot. But to do that every quarter is harder than it seems because we all work more hours than we should.

[00:37:41] Lou: And so it's just that continuous learning that matters. And every time we have an outage or a failure, we take it apart. What can we learn from this? And that's why it's better next year because of all of our learns and better the year after that.

[00:37:54] Cheryl: I love that so much. It's ironic for years. I had it on my email signature.

[00:37:59] Cheryl: Uh, there are no mistakes. There are only opportunities. That's actually the third rule of improv. I'm a big improv comedy buff, but it's so true, right? It's either going to work or we're going to learn something, but either way, it's a win. So I love that mentality. And I really appreciate you spending time with us today, Lou, and I hope you have a wonderful rest of your day in beautiful Austin, Texas.

[00:38:19] Lou: Thank you, Cheryl. appreciate it.

[00:38:21] Cheryl: Well folks, I'm disappointed to learn that a security utopia does not exist. However, I think there were some real gems that came out of today's discussion. First of all, when we're talking about security, anything less than 100 is zero. I also love how Lou reframed zero trust to talk about the importance of continuous trust.

[00:38:40] Cheryl: And last but certainly not least, Lou talked about the importance of developing and investing in his people. Because at the end of the day, this is a podcast about people and technology. That's it for this week's episode, but before we say goodbye, I have to share a bit of personal news. This is going to be my last episode as co host of The Catalyst.

[00:39:01] Cheryl: I'm beginning a new chapter of my own career as Chief Revenue Officer at ESource, which is a technology enabled services company in the sustainability industry. It has been an absolute honor and pleasure being your co host this season. I have learned so much and have really enjoyed all the conversations we've had with our incredible guests and hearing from so many of our listeners who enjoyed the show. Tobin Dalrymple. Angela Cope, Braeden Banks, and of course, my partner in crime and co host, Aaron Brooks. Who knows? Maybe I'll be a guest on a future episode. With that, thank you so much to our listeners, and have a great rest of your day.