FUTUREPROOF.

Enterprise Security in a Post-COVID World (ft. Josh Hixson, Squarespace)

May 07, 2020 Jeremy Goldman Season 1 Episode 70

Happy 70th episode to us! Given the fact that it’s May 7th as we record this, and we’re still in the middle of a major pandemic, let's face it: information security is expected to continue to be a major challenge for companies and business professionals for a long time to come. That’s why I wanted to sit down with Josh Hixson, Squarespace’s Enterprise Security Lead, a well-respected information security professional who’s not afraid to speak his mind about all things security. We talk about how well businesses were prepared for the challenges offered up by COVID-19, the societal impact of working from home en masse, how security professionals have to reprioritize projects on the fly when “black swan” events happen, and even what he thinks about personal security and Zoom. We cover all that and much more, so we think you'll enjoy this conversation.

As always, we welcome your feedback. Please make sure to subscribe, rate, and review on Apple Podcasts, Spotify, Stitcher, and Google Play.


spk_0:   0:00
I view enterprise security as kind of a police officer waving people through. Eventually, they developed traffic signals. The traffic signals work for the cars, they're there for the police officers. And that's kind of the situation we have now.

spk_1:   0:11
Hi, I'm Jeremy Goldman, and this is FUTUREPROOF. So given the fact that it's May 7th as I record this and we're still in the middle of a major pandemic, information security is expected to continue to be a major challenge for companies and business professionals for a long time to come, right? That's why I wanted to sit down with Josh Hixson, Squarespace's Enterprise Security Lead. He's a very well-respected information security professional who's not afraid to speak his mind about all things security. We talk about how well businesses were prepared for the challenges offered up by COVID-19, the societal impact of working from home en masse, how security professionals have to reprioritize projects on the fly when black swan events happen, and even what he thinks about personal security and Zoom. We cover all that and much more, so let's jump right in. So, Josh, welcome to FUTUREPROOF.

spk_0:   1:10
Thanks. Very happy to be here.

spk_1:   1:11
So, you know, the first thing I like to ask people in general is, you know, who the heck are you and what do you do on a day-to-day basis?

spk_0:   1:19
Yeah. So my name's Josh Hixson, and I am the enterprise security lead at Squarespace, and I think it's important to clarify what enterprise security is. First and foremost, so my team is specifically focusing on protecting the assets of the company, and that could be anything from contracts in a file cabinet somewhere, to the laptops that our engineers use, to security cameras in the offices, to, you know, maybe some spreadsheets the finance team is using that are stored on Google Drive. So it's really looking at what the company owns, what the company has, and the employees of the company, and protecting those assets.

spk_1:   1:54
Yeah, and I think that is really such an important thing these days because, you know, companies are really thinking in terms of what assets do they have to keep going and keep performing to the best of their capacity, given how dislodged a lot of people are from the general way that they've been working. And, you know, one thing I was curious about for you is, you know, how can people do remote work? You know what I mean? Just, like, act and operate on behalf of their businesses and keep themselves protected in this brave new world that we're living in.

spk_0:   2:25
Yeah. I mean, it's something that a lot of people aren't very used to, having to work from home. And you usually get that break from your home life and your work life, and there's a separation. But now everything's integrated. I think a big thing is to realize that, you know, the work you do isn't gonna be any different, whatever location you are in. But especially if we're talking from a security sense, the threats that are present around you are gonna be much different. You don't have the protection of that office network, the security guards at the front door, the teams inside the office watching the network traffic around the WiFi access points. You're on your own WiFi, which maybe you set up five years ago. You don't know what else is connected to it. It could be your smart fridge. So there's a different threat environment that you have to deal with and be cognizant of what could happen in that space.

spk_1:   3:08
It's true. I mean, I think that also, a lot of companies that I've spoken to were not necessarily 100% prepared for this. And I mean, who could be? Who expects this specific type of situation where you don't have a little bit of a ramp-up period and you're, you know, supporting everybody going remote simultaneously? Aside, just based off of the challenge that all of us faced, I mean, from your perspective, how would you say that the tech community was ready for COVID, you know, on a 1 to 10 scale?

spk_0:   3:40
Yeah, I would say maybe like, ah, five or six. I would say that most companies that have any type of business continuity and incident response plan, disaster recovery program, especially ones that are located in New York, have, ah, very vivid memory of Sandy. And I think there's a lot of planning around Sandy types of events, and I think what we're seeing now is a Sandy-type event, like on another order of magnitude. Two weeks, everybody working from home, I think it's something that most companies could probably have handled, and I think most have handled, you know, one or two weeks. When we get to the months, now we're talking about new licenses for VPN appliances. Now we're talking about entire business processes and projects that were supposed to start in the office, you know, now have to be done remotely, and your planning and scoping has just kind of been thrown out the window. And so now you're looking at, okay, we were going to do this thing that was going to use the resources that we had here and build on that to create the security posture for the environment that we operated in. But now that environment is gone and we don't know when we're getting that back. So how do we look at this now? And if we put enough resources into this, into this new work-from-home paradigm, are we going to overload our work here and go back to the office, and all of a sudden all that work is not as relevant anymore? Or maybe we've missed out on things that needed to be done in the office. But I think generally anything that we do in this domain is only gonna help in the future.

spk_1:   5:04
I think that's why I wanted to talk to somebody, you know, with your background, because it's such a conservative-leaning job function where your job is to kind of assume that things are going to go wrong. And I feel it's very interesting to me even, you know, like your honest assessment of that five or six in terms of overall preparedness as an industry, because think about people who weren't, you know, attuned towards, you know, disaster preparedness in any way, like they were ready at, ah, you know, one on their scale of 1 to 10. And I think, short of basically lawyers, I feel enterprise security is probably one of the most conservative job functions possible.

spk_0:   5:44
Yeah, I definitely think that's the impression. But I have, ah, a slightly different view of it, because I think that assumes a lot about the employees. That assumes that the employees don't know what to do. That assumes that the employees are going to try to do things that they're not supposed to do. I like to assume that my employees act in good faith, and I think especially with our generation, IT and security professionals need to realize that maybe these employees do not have the resources, no matter what job or company, to have their own personal equipment at home. So maybe they have been living their entire lives off their company laptop, and you just don't know their situation. So I think there's something that we need to have, that we already had, that has only become more prevalent right now, which is to realize: wow, we give these people computers to use for their job functions and they go home with them and we monitor them. We've got the antivirus on them. We've got, you know, different monitoring software to check performance, update packages. But sure, they could be, you know, booking their travel, you know, on Twitter, doing their emails and finances and everything. But some people might be living their lives on them because they just never had the opportunity to have another laptop or have another computer. And to have these policies in place of what is acceptable use, especially now that these computers are no longer in the office and they're not even on company networks, they're on people's personal home networks, where we have integrated our IT equipment with these people's lives. And maybe they were more deeply integrated already than we ever knew.

spk_1:   7:15
And that's a good point. I think that, I mean, frankly, it almost brings me to the idea of, you know, my daughter happens to go to a private school where I think the kids are well enough off that, you know, often well enough off to assume that they've got the proper equipment at home. But, you know, for a public school to do remote learning, if somebody just doesn't have the right technology, then they're at a completely, you know, ah, huge disadvantage. And they might not have even had the chance to, even if they had the money. But if they didn't have that, you know, proper tech at home, they can't be ready. And then I'm thinking, you know what? What is the impact on, you know, society, if you have a whole lot of people who missed out on six months of solid schooling? I mean, you know, like you start to think about that, that has, ah, you know, a multiplication effect on our society.

spk_0:   8:06
Yeah, definitely. I see this all the time. Even people in my generation, where, what resources they had going through their education, really, it shows when they're doing their work. It shows with their familiarity with technology, their comfort with it, and kind of looking at it. I think people who grew up with it more and had that resource while they were in their early education especially see it as more of an extension, rather than a device that you have to figure out. It's something that is more natural, and it's that kind of extended memory that people who are all about the cybernetics and the singularity like to talk about. But people who didn't have that familiarity with it, it's almost like an adversary there. It's confusing. It's magic. There's black smoke that comes out when it breaks. I don't know how it does anything, there are files inside, but they have to figure out how to work with it. And I think there's a couple of different types of awareness that we need to have, to take a little bit more empathy. We need to have people's situations in mind around what we expect, as people who have used technology and are making these rules, what we expect our employees to do with the technology we're giving them.

spk_1:   9:09
So when we're talking about companies that are doing a good job, you know, in having a plan in place for remote work from a security perspective, ah, I mean, I know most people draw a little bit of inspiration from the world around them. Are there any particular companies that have done a particularly commendable job in terms of being ready for this crisis?

spk_0:   9:32
Well, I think Google. It's hard not to say Google, just because they put out this paradigm a while ago that is particularly relevant these days around zero trust networking. And I'm sure that this pattern has been in the literature before that, but Google was one that really formalized it into something that other companies have implemented. A bunch of companies have, and I think that is such an important paradigm right now, because it is true that we cannot trust any network our employees are operating on anymore, because they are at home. They are on their own WiFi. They do not know, you know, they don't have enterprise-grade firewalls sitting next to their Time Warner modem. That's not happening. They don't have monitoring software of all the different devices that are connected to their network in their house. They don't know. They don't have to do that. They shouldn't have to know how to do that. That's an unreasonable expectation and burden to put on employees for their own personal security. So we have to assume, as IT people, security people, that the operating environment, the network that our devices are on, is no longer to be trusted. And that's a paradigm of how IT, uh, remote work and remote access could be implemented for large enterprises.

spk_1:   10:39
Well, you know, if you think about it, I mean, this is something I just kind of thought about, which is, you know, you said it was an unreasonable burden, but now what I'm wondering is, let's just say if this is the new normal-ish for the next 18 to 24 months, at that point, you know, are companies just going to be hiring for the types of employees that they think they can trust a little bit more to get the principles that people like you are laying down? And is there a, you know, like, is there a natural need to get people who, you know, are more likely to understand enterprise security and, you know, network security and how to, you know, properly protect themselves at home? And even for people in your roles, does, you know, like, I know that there's that stereotype of the nerd who doesn't have any type of social skills, but, you know, I know often that's not the case, but do you seriously start to find more people in enterprise security who are good communicators and good trainers in training employees to, you know, work more securely from home, if that's the kind of world that we're gonna be living in for a longer period of time?

spk_0:   11:46
Yeah, definitely. When I'm looking for candidates, and I've been lucky enough to be able to double the size of my team from 2 to 4 while in quarantine because of the need for this, I was definitely looking for people who could communicate, who could empathize, who could understand that, you know, employees are not trying to make our lives difficult. They're just trying to do their jobs to the best of their abilities, and we're gonna tell them to do things that are gonna get in the way, and that's, you know, that sucks. But it's necessary. That's like the real world. That's traffic laws and all these other regulations that you have to follow that are inconvenient for you at the time, but it's for the overall good. It's for everybody's safety and security. But people who can really empathize with that, and I like to find people who don't like to say no, who, even if they see a solution as insecure, rather than just saying no, no, we're not gonna do that, or no, you can't do that, find a way to work with the person to understand what they need, what their needs might be. Whatever they need, there might be a better solution that they're not aware of. And it should be our job to help educate, not only in the security awareness for the employees, but also on the different solutions that are out there to help them do their job safer, whether or not we built them for them.

spk_1:   13:04
So as someone who works in enterprise security, how do you reprioritize projects when life throws you a curveball such as COVID? Because I think that you probably imagined, or you probably had a set of projects that you were working on that, you know, maybe some you can talk about, some you can't. But, you know, that you imagined you were gonna be spending mid-March working on, all through when we're recording this and, you know, towards the end of April, and this was such a curveball. So how did you kind of go about that process of just reprioritizing on the fly?

spk_0:   13:37
Yeah. Luckily, I first got permission from our SVP of Engineering to kind of do things outside of the normal project management track where things had to be documented. I was able to work a little more nimbly and roll out solutions. So we were looking to support remote work anyway, and our big project around that was to have better asset management, better endpoint detection, monitoring on the laptops and the other devices, computers and cellphones, we're sending out to employees for their job functions. Just having visibility and being able to update software when security patches come out, being able to detect when maybe a file that they downloaded from an email might have something malicious that the email filters didn't catch originally, maybe we could get it detected trying to do something on the endpoint. Uh, having that control of endpoints and other devices that aren't in your office was something we were going to do anyway. But we were able to really prioritize that, get out solutions quick rather than going through the whole architecture planning and building out our design documentation. We'll just go in and start deploying things and get things up and running. And we're really excited about some of the capabilities that we're getting from that need, and the amount that we're going to be able to both support our employees in their efforts to try to function securely, but also to give the rest of the company, especially the executives, the comfort that, you know, we're on top of things, and we're able to tell them the information they need for them to feel comfortable that we're, you know, handling things the way they want to be handled.

spk_1:   15:10
Yeah, I think that you touched upon something that I find really interesting that actually, when I was talking to Eric fight holding a few episodes ago, he touched on also, which is that the moment calls, you know, for a little bit more agility and nimbleness than you would otherwise allow. And I think that it's important for everybody to know that your standard operating procedures should be different based off of the, you know, particular moment you're in. So it's great that you guys were aware of that and were able to kind of act more appropriately rather than, you know, act as if we were in the world that we were in, you know, one month prior.

spk_0:   15:47
That's definitely something that we always try to stay cognizant of when we're building out our processes and policies, especially on the security side. I know that the first thing I did when I got to Squarespace was I worked on our new identity and access management program that we wanted to implement. And sure, we have a ton of documents about how you request access to certain systems, how access is granted, how the approval processes work, what the segregation of duties matrix looks like, all that wonderful stuff, to ensure that, you know, we're following a principle of least privilege. But at the end of the day, at the very bottom, the document just says exceptions, you know, by the way, just ignore all that. Do whatever you need to do to get the job done. Because what, are we really going to sit here and go, well, it doesn't really match on this segregation of duties matrix, that person can't go spin up a server right now to deploy some software? No, it's an emergency. It's a pandemic. Get it done. We need it. You know, we can't always do things perfectly. We can't always have all the documentation. It can't always be tidy. Sometimes you've got to get your hands dirty and just do things manually.

spk_1:   16:47
Yeah, and I think that sometimes you just kind of make decisions on the fly. And I think that, you know, companies are obviously used to doing that. They're doing it on behalf of the company. What's interesting to me is that sometimes consumers make one decision on the fly for themselves, and then because of network effects, you know, of a few other consumers making a similar decision, before you know it, everybody's using Zoom, for instance. Right? Like that was something that I noticed, which was interesting, that Zoom was previously used largely for business networking meetings, and it felt kind of right for what it was trying to do. It was the solution I knew about, but I knew that a lot of people didn't, and then all of a sudden everybody was using it. And, you know, I'm curious. You know, there's been a lot of criticism of Zoom lately, but, you know, is that a platform that people should trust? What are the things that people should, just like on a broader sense, be concerned about or not be concerned about when they're making these personal security decisions about, like, I'm going to go sign up for, you know, this platform or this app on the fly, because I didn't expect to be living in this world, and now I need to go, you know, download something new to make my life easier.

spk_0:   17:59
Yeah, I think the key part of that is that it is a personal decision and is dependent on your personal circumstances and your personal situation. My threat landscape, my attack surface, my threats that I'm worried about against myself and my accounts and my things are going to be so much different than somebody who works in a completely different industry than me, than somebody who isn't in security, even somebody who doesn't have access to data because of their job or some other effect like that. So when we think about, do I trust a solution, the question should be, do I trust this for whatever I am doing right now? And if what you're doing right now is just having a happy hour with some friends, okay, yes, someone might jump in and say some shit, but that happens to me on the streets and in the subway every day. I know that that's diminishing it, but is that really enough for you to say this isn't a good solution for me, just because that one thing can happen? If you are running a meeting with clients? Absolutely, that's a problem. If you're trying to coordinate something about, about trying to coordinate an audit, of course that's a problem. So it's really all dependent, like, what you are trying to do, what that threat landscape looks like, and are you able to say, hey, it doesn't really matter if those things happen because it won't materially affect me. But that takes awareness. And that takes the type of training that I think security's got to get better at about communicating to, especially, the employees of the companies where they really care about the security. They need the employees to know that.

spk_1:   19:34
Yeah, and I think that, circling back on, you know, the consumer, there's this interesting juxtaposition between all these people who are consumers who are making their own personal decisions and then, you know, like having these employees responsible to some extent for their own technology stack and security when working from home. And I'm wondering, is that a good thing? You know, like, what type of guidance do you give your people so that they can make decisions about, you know, do download these things, don't download these things, contact us if you have a particular question? You know, like, how do you, you know, balance that, when you didn't hire these people to make these types of decisions for themselves necessarily, but now they're placed in that type of world for, you know, who knows how long?

spk_0:   20:19
The analogy I like to use is, ah, traffic laws. And I look at enterprise security policy a lot like traffic laws, um, in that we're kind of in the emergence stage of automobiles. Traffic laws weren't always something that was in control when cars developed and cars were moving around the road. Before, there was the right of way, and people figured it out by themselves, like, oh, you go ahead of me, I'll go ahead of you. Cars were too fast. It couldn't work. They put police officers there to wave them on. I view enterprise security as kind of a police officer waving people through. Eventually, they developed traffic signals. The traffic signals work for the cars, they're there for the police officers. And that's kind of the situation we have now. We are deploying this stuff onto the corporate devices in people's homes to detect the threats against them, detect when malicious things are happening on their devices, not necessarily the network. We don't care about that. It's what is happening on the device. So we're the traffic cop looking at that traffic signal, and where we need to get to is, how do we put that traffic signal in front of the employees? How do we socialize these security monitoring and detection tools that we're using behind the scenes all day, every day, to keep them safe? How do we socialize these, were putting that stuff up front in a way that is understandable to them, is consumable to them, that they can take action on it and make decisions based on it, and it doesn't cause them fear and anxiety that this type of thing is going on? So it's about being able to build that awareness in the employees, to the point where they're comfortable with the reality that things are happening constantly, and that there is really a, you have to measure and balance the risks, and the cost versus the risks of not spending that cost when it comes to, especially, the security. And so that only comes through awareness, only comes through experience. And anything that we can do to help our employees get there.
We teach our employees how to think like attackers, so that when they go home, they can look around and think, well, what would a malicious actor try to do to compromise my network or equipment? So we try to get ahead of that, so that we can, instead of just saying, do this, do that, do this, do that, don't do those things, we say, these are what people are gonna do. You think about, if you were going to do those things, now go into your situation and try to stop yourself. You know, that's a second lesson that we like to give them, rather than just a list of do's and don'ts.

spk_1:   22:37
That's a good way of thinking about it. It's interesting to me because you mentioned risk, and I think that a lot of people, and this is just known about humanity, we're not so good at assessing risk in general. So there are, for instance, certain things that can happen, you know, on your computer, on your devices, that would be really, really bad. But at the same time, the odds of it happening are so incredibly low. And then there are things that happen all the time that, you know, we're just not good at assessing risk in general, you know? And I mean, given that, what recommendations would you have for people who are concerned about their own digital security? Is it just as simple as ask somebody who knows more than you? Or, I mean, that's obviously helpful, but how do people get better at assessing the risks to their own personal security?

spk_0:   23:23
Well, you're never gonna be able to assess the risks until you understand what the threats are. And I think people either don't want to, or some people don't know, because why would they think about that stuff? They don't intend to do anything bad. Why would they think about the bad things that can happen? People don't want to think about it, and some people, it makes them anxious or it worries them. It's like, I just don't want to deal with that. I don't want to say that so crassly, but people just kind of got to deal with it, that, you know, you're not being attacked by other people. People have programmed robots that just sit online and just throw attacks at anything they can find. This is just happening constantly. It's not necessarily the case that there is somebody in a room somewhere going, I am targeting you, I'm coming after you and your bank accounts. No, it's just about trawling, and you used a bad password on one account, and it was in a list somewhere, and now they're in your account. It's just, ah, just some code that somebody wrote that just continues to run on some server somewhere. So once we dehumanize this and take out the kind of the emotion of somebody's after me, somebody's trying to get me, somebody's attacking me, and go, this is just kind of like, you know, the steady state of the threats in our environment. We think about, you know, COVID, the coronavirus, is a great example. Now the coronavirus is just kind of out there, you know, we can't see it. It's not sitting somewhere. It could be in the air, could be on a surface. And that's kind of like threats against devices online right now. The threats are just kind of free flowing across the network, and we try to stop them everywhere we can. A bunch of people try to stop them in different places. But they're there, they're gonna hit you. They hit us constantly.
We have the mitigations to make sure they don't do anything, but people don't, and being real about that and knowing that it's nothing personal, it's just how the Internet works now, and that's really sad to say. But that's kind of what happens when you have an entire society built on something that was designed in the eighties and never updated the underlying questions like this. This stuff was seventies, eighties, and we just kind of kept adding stuff and adding stuff and adding stuff. And we've kind of expanded so fast, far past the original operating paradigm, that, you know, to question it now would be, oh, impossible.

spk_1:   25:40
But you know, it's interesting, though. I think that, you know, like you mentioned that it's sad, and I think it's sad, because I can remember before we had to worry to the extent that we do have to worry, and it got me thinking about, well, will jobs like yours be more prevalent or less prevalent in the future? Just because for me it's like I can see a world where we get a little bit more secure, get a little bit less secure. But ultimately, I don't see the paradigm changing that much, just for the simple reason that there are incentives on both sides. You know, like there are going to be incentives for people to automate attacks, to try to get access to information and to find vulnerabilities. And as long as that incentive is there, even if you ripped up all of the architecture and started anew and tried to build something better, if you have an incentive for people to get at certain information, you're gonna have those bad actors who are going to be doing things, and you're gonna be forced to hire people with your skill set and then educate people in colleges about going into the profession. And I don't know, for me, it just looks like this is the world that we are going to live in, and there isn't a way out, and there isn't a better paradigm for the future. But I mean, please tell me that I'm wrong if you disagree. I'm curious, like, what you think is gonna be coming up in the tech security world.

spk_0:   27:00
Yeah, I think, unfortunately, there's always gonna be kind of a cap on the size of the security team within a company and on the amount of security jobs there are. Because security is ultimately insurance, it's very similar. You're spending a lot of money on these employees and all the tools they use to prevent one thing from happening one time that might cost you a $1,000,000,000. And if that never happens, then it hasn't ever really proven it's worth it, since that's a question that the business people always ask me. I think, um, you know, in order to get to a point where we see that there is intrinsic value in operations, maintenance, security, and that the driving force of a business shouldn't solely be growth and profit, that there is a strong value in investing heavily in the health of the organization, in the structure of things, this is kind of the paradigm. And I think at that point we're looking at, you know, kind of the different economic belief that these business owners have to have about what is the point of a business: is it so we make money? Or is it to build something and survive?

spk_1:   28:21
You know, in some ways, as you're talking about it that way, it really makes me think that your role is akin to insurance, right? Because everybody has insurance for a number of different things in their life. And that's because there are actors that, just like, you know, a robot might be programmed to automate a particular task, you've got the same thing with insurance, where you have a soulless, you know, thunderstorm that could knock down your house, knock down a tree onto your house. And that's why you have to have that insurance, which might not be fun for you, but it's the thing that allows you to rebuild or to protect yourself and your family. And if I look at, you know, a role like a tech security role, that's really what you're trying to do: protect something that you built. If you, you know, put everything into acquisition marketing and you, you know, get rid of your entire tech security team in order to hire performance marketers, you might build something that might grow a lot faster and be much more vulnerable to, you know, being taken down.

spk_0:   29:20
I've seen it, you know, in companies I've worked at. I'm not gonna name names, and maybe I was bad because we've been looking up on LinkedIn. But no, I've seen it. I've seen it time and time again, or I've had conversations where people have said, what? We need to get this out tomorrow, it's going to 10x this revenue stream. What is the minimum amount of security that is acceptable for compliance? And can we just say that we're doing that later? And how do we dance around these things? That's all. And security becomes this thing that you try to game when you're going after the profits. Because there is no monetary value to the business, to the investors, to the shareholders, when you invest in security until something happens. And how do we convince people to change their mind on that? What we do is we show them what has happened to other companies, and we try to do it in a way that doesn't say, hey, you should be afraid of this, this is gonna happen to us. But I think a great example is the Home Depot breach back in the day. If I remember correctly, one of the root causes was they had a high turnover rate on their security team, ended up losing a lot of it, and they were down to a much smaller group of people who were relatively new to their team. And there was one system that was just not really paid attention to, with an old version of some software or an operating system, I don't remember which, and there was a known exploit for it. A security team that had been in place, had been stable, would have had some processes to cover systems and monitor them, even the old ones. Maybe it's because they were new they didn't know about that old thing, or maybe because it wasn't relevant at that time to, you know, different projects and different discussions happening then. It was just some system that had been set up a couple of years ago, which was doing its thing. And so to lose the institutional knowledge from the high turnover rate, and to lose sight of all the assets that you're supposed to manage, and then to have the breach come through, not patching an unknown asset because you didn't have that foundational security posture in place, is something very real. I think a lot of engineers can resonate with that when they see tech debt in the source code of whatever website they're out there working on. But it's even more real for security when you just go, wait, there's this whole other infrastructure that I wasn't aware of. No one's been talking about it for three years, and we haven't been looking at it.

spk_1:   31:35
That's, I mean, that's a pretty good example of all the things that people, I know a lot of people, you know, on the creative side and other parts of the business don't like thinking about these things. And I think you're explaining really well why these things are important, too: simply, they allow you to recover if something goes wrong, or to avoid that problem in the first place. You know, it might not necessarily be the sexiest thing for some people to work on, but that doesn't really matter, because I don't think a lot of people thought that epidemiology or pandemic response was such a sexy thing to work on until it was an important thing to work on. So I know we gotta let you go in a minute or two. But I wanted to ask you about that. I saw Squarespace had done something really interesting with its Acuity Scheduling acquisition, right? You know, tied to the COVID, you know, response and trying to help out businesses. So I don't know what you know about that. I know that's on a different team, but I thought that was pretty interesting, what you guys were working on.

spk_0:   32:30
Well, Enterprise Security happens to be pretty involved with the M&A process, so I know the security guys, I know some of the Acuity guys. Well, they're doing some cool stuff in our neck of the woods, where we're a New York based company. Squarespace and Acuity are providing COVID screening scheduling for Middlesex County in New Jersey. As far as the pinned tweet on their Twitter tells me, they're offering free scheduling services through their products for any municipalities looking for it. So, great thing that they're doing out there. I just think there's a lot more that a lot of other companies can do as well. I know that every company, including Squarespace, is putting out support material for their users on how, you know, they can utilize services and features on their platforms better to help out. But I think it's gonna take a lot more than people offering what they already have for free. I think it's gonna take people, you know, building things that haven't been built yet to really solve this.

spk_1:   33:33
But in all seriousness, I think that you're right to kind of, you know, point out, like, what else can we do? But I think even the very fact that, you know, your core product, I gotta say, I know businesses that had very little use for anything digital from a presence standpoint, and they had something as simple as, you know, a Facebook listing, not even, you know, a Yelp, for their local business, and then have gotten up on Squarespace and become customers even in the last month, six weeks, simply because all of a sudden, you know, the landscape shifted on them and they were able to get up and running with something that was very intuitive to them. So not at all a commercial for Squarespace. But I do think that, you know, having something that's turnkey, and even having the product out there where there are some people who are just signing up and paying for it, you know, and providing a service, you know, even when you're making money on it, can actually be a very good thing and can be a positive impact on the economy right now. So hats off to everything you guys are doing.

spk_0:   34:37
That made me think of something real quick. Um, you mentioned how people who didn't need that digital presence, didn't need those features, now have this, you know, as you said, the easy, simple way to get up and running. That's exactly what we need in security. There is really no consumer-grade cyber security suite of tools for somebody to download. I mean, there are various antiviruses, there's this and that, but a full turnkey solution like you said. Because Squarespace kind of lives in that middle ground between "I know how to build a website, I can just put it up on some hosting provider" and "I am just literally on Facebook making a page." Where is that middle ground for security products?

spk_1:   35:18
Yeah, and I think that that's a good call to action for somebody, for hopefully a date that's not that far in the future. Anyway, Josh, this was fantastic. And I think that's really going to make things a lot clearer for people who don't normally think they have a lot of appetite for talking about enterprise security. You've got a way of communicating this. So I really appreciate your time. Thank you so much for making the time, and keep doing all the great work you're doing, obviously, from home.

spk_0:   35:48
Thank you. I really appreciate it. And I hope that, you know, people who listen to this will think that maybe security isn't as onerous a topic to really delve into, and that the people on your company's security team might be a little more friendly than you think.

spk_1:   36:03
Thanks again, Josh, for making the time and for speaking his mind and answering, you know, a few questions that a lot of us are thinking about: where things are going to go in the future and whether or not security is going to be more important. Sounds like we have the answer. And if you like what you just heard and this is your first time here, be sure to subscribe: Apple Podcasts, Google Play, Stitcher, Spotify, the choice is yours. And if you're a long time listener, please remember to rate and review FUTUREPROOF, as that's the number one way we get this show in front of people just like you. Special thanks this week to associate producers Chase and stack and be court Yukio. Once again, I'm Jeremy Goldman, and you've been listening to FUTUREPROOF.