Marten Mickos: Curiosity, Learning, Hackers, Transparency | Turn the Lens Ep29

Episode Description

Marten Mickos has been navigating Silicon Valley innovation waves for a quarter century and counting, first on the eastern edge of the Atlantic, then into the valley. Web 1, Web 2, Open Source, Hybrid Cloud, the list is long, including notable stops at MySQL (acquired by Sun), Eucalyptus (acquired by HP) and his current extended run at the helm of HackerOne.

Please join me in welcoming Marten to Turn the Lens

Here is how ChatGPT describes the episode

In the latest episode of "Turn the Lens" with Jeff Frick, we are thrilled to welcome Marten Mickos, the visionary CEO of HackerOne. Titled "Marten Mickos: Curiosity, Learning, Hackers, Transparency," this conversation takes us on a journey through Mickos' profound insights on the cybersecurity landscape, the pivotal role of individual curiosity in innovation, and the transformative power of transparency in leadership.

Mickos delves into the essence of HackerOne's mission, emphasizing the crucial balance between human ingenuity and technological advancement. He shares his optimistic view on cybersecurity, drawing from his extensive experience to highlight how collective defense mechanisms and ethical hacking are reshaping the way we secure our digital future. As we navigate through the evolving challenges and opportunities in cybersecurity, Mickos' leadership philosophies shine a light on the importance of fostering a culture of continuous learning and adaptation. He eloquently discusses the impact of AI and machine learning, not only on HackerOne's operations but also on the broader societal implications of these technologies.

Join us for this enlightening discussion that transcends the conventional boundaries of cybersecurity, offering a glimpse into the mind of one of the industry's most forward-thinking leaders. Mickos' journey at HackerOne is not just about combating cyber threats; it's a testament to the power of curiosity, learning, and the relentless pursuit of transparency in building a more secure and understanding world.

Tune in to "Turn the Lens" to explore these themes and more, as we uncover the secrets behind HackerOne's success and the visionary leadership of Marten Mickos.
(Back to Jeff. Grammarly Premium (which I can’t unlock) has some issues with ChatGPT grammar correctness, clarity, and delivery. #AIWars)

More laughter, essential questions and human paradoxes than might be apparent from that description.

Marten Mickos: Curiosity, Learning, Hackers, Transparency | Turn the Lens with Jeff Frick Ep29

Episode Links and References

Mårten Mickos

CEO, HackerOne  

LinkedIn 
https://www.linkedin.com/in/martenmickos/

HackerOne Introductory Post

https://www.hackerone.com/ceo/marten-mickos-why-i-joined-hackerone-ceo

Wikipedia 
https://en.wikipedia.org/wiki/M%C3%A5rten_Mickos
 

Blogs from HackerOne’s CEO
https://www.hackerone.com/from-the-ceo
 

HackerOne 
Mission

Empower the world to build a safer internet 
Values 

  1. Start with Integrity 
  2. Default to Disclosure
  3. Act Like an Owner
  4. Win as a Team
  5. Empower Our Community

    https://www.hackerone.com/company-news/together-we-hit-harder-hackerone-company-values 

HackerOne Internet Bug Bounty
https://internetBugBounty.org

Hacktivity - shared findings
https://hackerone.com/hacktivity

A selection of assorted Interviews, Articles and Posts 

2024-Jan-07
SentinelOne acquires Peak XV-backed PingSafe for over $100 million By Manish Singh, TechCrunch 2024-Jan-07
https://techcrunch.com/2024/01/07/sentinelone-acquires-peak-xv-backed-pingsafe-for-over-100-million/

2023-Dec-03
#26 - Marten Mickos (CEO, HackerOne & prev CEO, MySQL & Eucalyptus Software) - The OG of Open Source, Software Snack Bites YouTube Channel
https://www.youtube.com/watch?v=ErPVnWf3cj8&ab_channel=SoftwareSnackBites 

2023-Nov-27
#26 - Marten Mickos (CEO, HackerOne & prev CEO, MySQL & Eucalyptus Software) - The OG of Open Source, Lessons Learned Scaling Multiple Enterprise Software Startups, Tactical Leadership Learnings, Software Snack Bites Podcast with Shomik Ghosh
https://shomik.substack.com/p/26-marten-mickos-ceo-hackerone-and 

2023-Nov-03
What happened to Eucalyptus? The Heart of AWS Public Cloud! By Nuventure Connect, LinkedIn Articles, 2023-Nov-03
https://www.linkedin.com/pulse/what-happened-eucalyptus-heart-aws-public-cloud-nuventure-per9e/
 

2023-May-17
137. Mårten Mickos, HackerOnen toimitusjohtaja: Rohkea sarjayrittäjä mahdollisuuksien maailmassa, (Mårten Mickos, HackerOne CEO: Brave serial entrepreneur in a world of possibilities), Leadcast podcast with Maria Wasastjerna and Essi Weseri, 2023-May-17
https://leadcast.fi/episode/137-marten-mickos-hackeronen-toimitusjohtaja-rohkea-sarjayrittaja-mahdollisuuksien-maailmassa 

2022-July-26
Creating A Safer Internet One Hacker at a Time with Marten Mickos of HackerOne, Inspired Execution Podcast with Chet Kapoor, S4E2, 2022-July-26
https://www.datastax.com/resources/podcast/creating-safer-internet-one-hacker-time-marten-mickos-hackerone 

2021-Sept-16
Marten Mickos, HackerOne | CUBE Conversation
 SiliconANGLE theCUBE YouTube Channel 
https://www.youtube.com/watch?v=Jm4JUqHKYio&ab_channel=SiliconANGLEtheCUBE 

2021-Aug-30
That Linux lawsuit: 20 years later, SCO vs IBM may finally be ending by Steven Vaughan-Nichols, ZDnet, 2021-Aug-30
https://www.zdnet.com/article/after-almost-20-years-the-sco-vs-ibm-lawsuit-may-finally-be-ending/ 

2020-Sept-03
Customers Want Value + Simplicity: The Must Have's to Deliver with HackerOne CEO Marten Mickos, SaaStr YouTube, 2020-Sept-03
https://www.youtube.com/watch?v=GAw4vKbMevk&ab_channel=SaaStr 
https://www.saastr.com/saastr-podcast-402-with-hackerone-ceo-marten-mickos-customers-want-value-simplicity-the-must-haves-to-deliver/
 

2020-Jun-29
AWS Executive Insights - Interview with Marten Mickos, CEO, HackerOne, Amazon Web Services (AWS) YouTube Channel
https://www.youtube.com/watch?v=KQ7TuNZOQj0&ab_channel=AmazonWebServices 

2020-May-11
HackerOne CEO Mårten Mickos: COVID-19 is ‘the planet’s warning’ to accelerate digital civilization, via Todd Bishop, GeekWire, 2020-May-11
https://www.geekwire.com/2020/hackerone-ceo-marten-mickos-covid-19-planets-warning-accelerate-digital-civilization/ 

2020-Apr-01
Marten Mickos, HackerOne | CUBE Conversation, April 2020 SiliconANGLE theCUBE YouTube Channel 
https://www.youtube.com/watch?v=PJSpea1BLNk&ab_channel=SiliconANGLEtheCUBE

2020-Feb-27
Building Securely for User Privacy, Marten Mickos, Heavybit, 2020-Feb-18
https://www.heavybit.com/library/video/building-securely-for-user-privacy-app-sec

2020-Feb-21
#6: Marten Mickos, CEO HackerOne | Security Trends, Leadership, and Innovation, AWS - Conversations with Leaders Podcast
https://podcasts.apple.com/us/podcast/6-marten-mickos-ceo-hackerone-security-trends-leadership/id1482820161?i=1000457265374
 

2019-Oct-28
Understanding Vulnerability Disclosure with Marten Mickos & The HackerOne Team, Ashley Dotterweich, Heavybit, 2019-Oct-28
https://www.heavybit.com/library/article/vulnerability-disclosure-with-marten-mickos-hackerone
 

2019-Oct-06
Here’s the cover letter that landed a former MySQL and Sun Microsystems executive the top job at a $331 million startup, Melia Russell, Business Insider, 2019-Oct-06
https://www.businessinsider.in/tech/news/heres-the-cover-letter-that-landed-a-former-mysql-and-sun-microsystems-executive-the-top-job-at-a-331-million-startup/articleshow/71466097.cms
 

2019-Apr-04  
HackerOne CEO Mårten Mickos on the Bug Bounty Startup, Amazon Web Services (AWS) YouTube Channel
https://www.youtube.com/watch?v=x6HPkKxpWgI&ab_channel=AmazonWebServices 

2018-Jun-21
The Secure Developer Ep. #18, Collaborative Security with HackerOne’s Marten Mickos, The Secure Developer, Heavybit, 2018-Jun-21
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-18-collaborative-security-with-hackerones-marten-mickos
 

2018-Mar-07 
Keynote: Security is Everyone’s Responsibility - Marten Mickos, CEO HackerOne
The Linux Foundation YouTube Channel 
https://www.youtube.com/watch?v=9g28DJOpUR0&ab_channel=TheLinuxFoundation 

2016-May-02
What the heck is HPE up to with its cloud? Steven Vaughan-Nichols, ZDnet, 2016-May-02
https://www.zdnet.com/article/what-the-heck-is-hpe-up-to-with-its-cloud/
 

2015-Aug-24
The 5 Pivotal Decisions that led to MySQL’s $1B Acquisition, by Elizabeth MacBride, Forbes, 2015-Aug-24
https://www.forbes.com/sites/elizabethmacbride/2015/08/24/5-pivotal-decisions-on-the-way-to-a-1b-acquisition/?sh=1ef6b7a3279f
 

Eucalyptus Software
Wikipedia - https://en.wikipedia.org/wiki/Eucalyptus_(software) 

2014-Dec-04
Marten Mickos - HP Discover Barcelona 2014 - theCUBE, SiliconANGLE YouTube, 2014-Dec-04
https://www.youtube.com/watch?v=ikb7WClj6SU&ab_channel=SiliconANGLEtheCUBE
 

2014-Sept-11
HP Acquires Open Source Cloud Pioneer Eucalyptus, by Klint Finley, Wired, 2014-Sept-11
https://www.wired.com/2014/09/hp-eucalyptus/
 

2014-July-22
MySQL on Open Source Business Models, Dana Oshiro, HeavyBit, 2014-July-22
Video - Click Here
Article - Click Here 

2013-Nov-13
Marten Mickos, Eucalyptus Systems | AWS Re:Invent 2013, theCUBE SiliconANGLE YouTube, 2013-Nov-13
https://www.youtube.com/watch?v=Pn88VRuyL9A&ab_channel=SiliconANGLEtheCUBE
 

2011-Nov-29
TEDxHelsinki - Mårten Mickos - Kuinka ohjelmoin aivoni - How To Program My Brain, By TEDx Talks YouTube, 2011-Nov-29
https://www.youtube.com/watch?v=sGQauYndVvY&ab_channel=TEDxTalks
 

2011-Nov-02
Believe in Something Bigger than Yourself, Marten Mickos, Eucalyptus Systems, MySQL AB, eCorner Lecture, Stanford University
https://ecorner.stanford.edu/podcasts/believe-in-something-bigger-than-yourself/

2006-Feb-15
Marten Mickos: MySQL's undaunted leader, by Dan Farber, ZDNet, 2006-Feb-15
https://www.zdnet.com/article/marten-mickos-mysqls-undaunted-leader/
  

2004-Nov-22
MySQL CEO: “We’re as greedy as anyone else” by Sylvia Carr, ZDNet, 2004-Nov-22
https://www.zdnet.com/article/mysql-ceo-were-as-greedy-as-anyone-else/
 

2003-July-30
Unplugged: Mårten Mickos, CEO MySQL AB by Dan Farber, ZDNet, 2003-July-30
https://www.zdnet.com/article/unplugged-marten-mickos-ceo-mysql-ab/
 

2003-May-31
Cyber Cynic: Bye-Bye SCO by Steven J Vaughan-Nichols, Practical Technology for Practical People, 2003-Mar-31
https://practical-tech.com/2003/03/31/cyber-cynic-bye-bye-sco/
 

 © Copyright 2024 Menlo Creek Media, LLC, All Rights Reserved 

Episode Transcript

Marten Mickos: Curiosity, Learning, Hackers, Transparency | Turn the Lens with Jeff Frick Ep29

Cold Open
All right, we're ready to go then.
So, Marten, I'll just count it down and we will go.
Okay. Sounds good.
In 3, 2, 1.

Jeff Frick:
Hey, welcome back, everybody. Jeff Frick here, coming to you from the home studio for another episode of ‘Turn the Lens.’ And I'm really excited about this next guest. I looked it up, last time we talked was April 2020. It was right when the pandemic was hitting. We had no clue what was going on and thankfully he had experience in remote work. So we talked about that. But that's not what we're going to talk about today. We're going to talk about much more interesting things. So, welcoming in through the magic of the Internet, he's Mårten Mickos, the CEO of HackerOne.

Marten Mickos:
Thank you, Jeff. Great to be back here with you. Really looking forward to it.

Jeff Frick:
So crazy, right? Four years already since that last time we talked.

Marten Mickos:
Time flies, time flies, yeah.

Jeff Frick:
What a difference in the world, huh? So hopefully we're all adjusted to Zooms and remote work, but let's get into security and HackerOne. So before we get into HackerOne specifically, give us kind of your overview of where things are from kind of an info security space. You know, the attack surface is always getting bigger, the sophistication of the attacks is getting better. The grammar from the Nigerian emperors is getting better in their emails. What's kind of your take on kind of the state of info security, as you kind of sit at a really high level?

Marten Mickos:
In our observation, information security or cybersecurity is a giant, giant ship that's turning slowly, but it is turning. The market is $200 billion per year, lots of vendors selling lots of services. And when we discuss the business, we must always highlight the challenges, the problems, the threats, the calamities that can happen. So it looks like it's a terrible space and everything is getting worse. In reality, I would say cybersecurity is already improving our lives, already making us safer. But it's such a giant ship, so it will take a decade or two to fully turn it. But the changes are significant. We are often reminded of the breaches, but we are not reminded of the breaches that didn't happen, and there are many more of them. So I'm an optimist, and I think there's data to back it up that actually it's better now and people are more accustomed to being on their guard themselves, being a little bit cynical when somebody is sending them a message. Like, my employees regularly get text messages from "me," where I'm asking for gift cards and other things, and they know that it's fake.

Jeff Frick:
What about this concept that we hear sometimes that everyone is going to get hacked eventually? It's just when you find out about it and, you know, how much time they've been in there before you find out. And then what you do about it. And then the other piece you said, we don't hear about the stuff that didn't go wrong. It's kind of like the offensive lineman. You know, he can block that defensive guy for 99 plays, but if he gets through on the hundredth and makes a sack, that's the only one that we read about in the newspaper.

Marten Mickos:
That is true. It's very important that we make sure that when bad things happen, they are contained and have as little effect as possible. And we do that by building zero trust systems where breaches can't spread very easily. And we also do it by reacting very fast, because the sooner you react, the better you can stop it. It's a little bit like a pandemic. When it starts going, you have to declare an emergency situation immediately. Like San Francisco declared a COVID emergency even before they had their first case. And it's similar with cybersecurity, that you have to take the strongest action very, very quickly. And then there's much less of a downside, fewer problems further down the chain.

Jeff Frick:
So tell us a little bit about HackerOne and give us kind of the 101. I think you've been there for about eight years now. It's a very different asset in a company's portfolio to combat cybercrime. So give us kind of the 101. What is HackerOne all about? You know, what's kind of your go to market? Give us the basics for people who aren't familiar with the company.

Marten Mickos:
Happy to do so. I'll now start from sort of a layperson's perspective so that anybody can see where we are. First of all, cybersecurity incidents happen basically for two reasons: gullible people and vulnerable software. We don't deal with the people side. We deal with the software side. So we help our customers make their software resistant to all kinds of attacks. And we do that by finding the holes. So we come to you and hack into your systems until we break in, and then we show you, Jeff, how we did it and you can fix the hole. So this is called ethical hacking. We do it with the help of a freelance community of security experts. We have over 2 million of them signed up on our platform. You don't need that many for your program, but we need that army of ethical hackers to be able to always have the right skill at the right volume for anybody who needs us. We do this for the U.S. Department of Defense, for big tech companies, for Goldman Sachs, Capital One, Zoom, Salesforce. All of these know that no matter how well they build their software, they need the external, unbiased scrutiny of it. So even if you have the smartest people in your company, they have bias, ownership bias of what they've built and deployed; an external person will be able to see the vulnerabilities more easily. And that is what we deliver to thousands of companies around the world. We have found about half a million security vulnerabilities in our history, and there are more to be found, no doubt, but that's a pretty good result so far.

Jeff Frick:
So is this similar to what we hear about as penetration testing, which oftentimes somebody might use as a requirement to work with a company, as kind of an external test of the security of the system? Is it really just trying to penetrate? Are you going in during the development phase of the code to find stuff before production? Where within the code's lifetime would a company employ HackerOne ethical hackers?

Marten Mickos:
It's a very good question. We do Pentests, so if you are used to doing Pentests, you can do it with us. The main distinction is we do it with the external freelance community that we have, that's much more powerful, much more skilled, much more up to date with their skills because they learn every day. We do Pentests, we do vulnerability disclosure programs, bug bounty programs, source code reviews. So we have an offering, a set of offerings that spans the entire software development lifecycle, and we can come in for a short term or for a long term or for a continuous program. So many, many more options than with a Pentest. But one of the offerings we do is very much a Pentest, like you have been buying them for decades already. Right?

Jeff Frick:
So I used to go to RSA (Conference) a lot and I used to always feel really sorry for the CISOs when I was walking around the halls because there's literally hundreds and hundreds and hundreds of vendors and a ton of them are new. And I always think, how as a CISO do you allocate your security budget? You guys again are an interesting niche in this portfolio of all these applications and hardware devices. How do you help CISOs think about budgets? Because they can't obviously lock everything down and how then they can incorporate your services to either extend the budget or, you know, cover an area that nothing else covers very effectively because, Oh my goodness, RSA is a whole lot of vendors.

Marten Mickos:
It is thousands of vendors, not hundreds. And that's the challenge of cybersecurity, that it has so many dimensions and nuances that you need a lot of vendors, but nobody can keep track of all of them. What we do is very, very unique in this whole space. First of all, we are a preventative service, which is the best you can get, like get the service before anything bad has happened. You save money, you save time, you save stress, you sleep much better at night because you know you took the right actions. Within this world of preventative services, there are many ways to test your software. You can do your own QA, pentesting, source code reviews, you can scan them. There's many, many things you can do, but there's nothing that reaches the level of exploitability of ethical hacking. Because when our testers come in from the outside, they can only find holes that actually exist for the outside, and they are paid more the more serious it is. So they will find the most critical, most exploitable, most elusive vulnerabilities, those that otherwise would be exploited by nation-state hackers, criminal hackers, hacktivists, and others. So we're sort of at the top of the pyramid, finding the most critical ones. And therefore, for a company, we become the beacon of information. You look at what you find through your HackerOne program, and that instructs you how you should code, develop your code, test your code, how you should look at your other streams of vulnerabilities. Because what comes through our system is signal. It is the most critical vulnerabilities, and it's easy to decide what to take action on, because here's another problem CISOs have. It's not that they don't hear about the problems, it's that they hear about hundreds of problems every day. So how do they decide which ones to take action on? You have to prioritize every queue. You have to prioritize and triage the incoming stream. And we do that for them.
So we come to you and say we found 700 vulnerabilities, but here are two you must fix immediately. And that makes life much easier for the customer.

Jeff Frick:
And then you've talked about bug bounties and in some of your social media posts, you bragged about all the money that you guys have been able to pay the ethical hackers to find bugs. How does the structure of an engagement work between you, HackerOne, the company that's bringing you in, and this army of ethical hackers? What would be kind of a typical engagement or how does one kind of look?

Marten Mickos:
So a very typical one is a bug bounty program that runs continually, and the company comes to us to sign up with us. They don't know the hackers typically. They don't know who they are, but we know. So we act as the bridge of trust. The hackers can trust us and therefore can trust the customer. The customer won't do any harm to them and vice versa. The customer, by trusting us, can trust the hackers that nothing bad will happen. And then we open up a program, like we have a bug bounty program for Uber and we have one for Zoom and Salesforce, and we tell the hackers to come in and look for ways in, and we say, if you find a regular vulnerability, we may pay you $200 for a find. If you find a critical one, we may pay you $20,000, $50,000, even $100,000. So there's a meritocracy and a competition for the most demanding, the most exploitable vulnerabilities. And of course, the hackers are competitive spirits. They will go and look for the most exciting thing. And when they find it, they report it via us to the customer. They get paid. And of course, the customer has saved 100 times more, like if they pay out $100,000 for a vulnerability that could have led to a breach, which on average costs $4 million, many times much more. Of course, it's a no-brainer for the customer that this is some of the best-spent money they could ever spend. And they pay when the vulnerabilities are found. So they don't pay for nothing. They pay for actual value that they receive. So that's what makes the model so powerful, you know, that what you're getting is true value. You're paying according to the value to you. And when our hackers have now received over $300 million in total in hacker rewards, that looks like a large number. You should compare it to the savings that we have caused by avoiding and averting breaches, which is difficult to assess, but it's on the order of hundreds of billions of dollars over our history of ten years now.

Jeff Frick:
And do you just allocate a budget per month towards the bug bounty program? Is there some cap? Is there, you know, who's making the judgment between the $200 bug and the $20,000 bug? I assume there's some tricky nuance in there.

Marten Mickos:
As a customer, you decide. You can come to us and say, "HackerOne, can you handle all of this for me? I'll give you a fixed amount per year. You handle everything else for me," and we will do so. Some customers are very knowledgeable and progressive and they want to be part of the price setting and bounty setting themselves, which is fine, but you don't have to. We have so much data now at HackerOne; we have by far the largest database of vulnerabilities, bounties ever paid, hackers. We know them all. We can set the prices and we can operate the program in the most efficient way. So actually, like ten years ago when you started a bug bounty program, there was a lot of work for you. There still is work, but it's much, much less now because HackerOne, as a platform vendor, has learned to automate the work, and we benchmark it across the whole platform so we know we are paying the right price. Not unlike if you go to Airbnb and you rent out your apartment or your home, Airbnb will tell you how much you should charge. They know. Yeah, so it's similar with us. So it's much, much easier now than it used to be years ago.

Jeff Frick:
Share a little of the experience of the bug bounty person, the person who's out there, you know, who are these people? Do they work full time on this? Do they work generally on one campaign? Do they work for you and other types of campaigns? You know, kind of who are these people? How do they get in the business? What's kind of their profile? How do they spend their days?

Marten Mickos:
The first thing to know is like with any community, it is a set of communities. There are many groups, many subgroups, many different types of personalities and career paths and so on. So there isn't just one type of ethical hacker. There are many, many types, but there are some things that are common for most of them. And the first one I must mention is they have curiosity more than most, like they are these thinkers who like to take their toys apart to see how they work, who try to outsmart the video game they're playing, who try to outsmart this, outsmart that. Their curiosity is driving them. Just that is the main reason why they are so good. And of the ethical hackers we have, many are seasoned cybersecurity experts. They could be software engineers, principal engineers. They've seen everything, but many are young. Half of them are 24 or younger. They do not have a college degree yet.

Jeff Frick:
And this is like half a million people because you said you have like 1 or 1.2 million hackers or whatever.

Marten Mickos:
Exactly.

Jeff Frick:
Wow.

Marten Mickos:
And this proves that the skill comes out of your curiosity more than it comes out of formal training. They are autodidacts. They learn on their own, they Google, they read, they test, they try, and they figure it out on their own. So that is the most defining characteristic of them. And we had a live hacking event here a year ago where I participated. The winner was a 17-year-old hacker from Japan who had flown over from Tokyo to come and work at our hacking event. He won the whole competition. He was the best, and he still struggled a bit with speaking English because he hasn't done much of it. You saw there this raw curiosity and intelligence in this young person who was figuring out problems that nobody had seen before, like this hacker of ours really detected problems that others couldn't even imagine. And then you realize the power of ingenuity, the power of curiosity, the power of just figuring it out and trying to outsmart whatever you're dealing with.

Jeff Frick:
And I would imagine having a program like yours gives the opportunity for someone like that kid to actually build a career doing this full time, not have to get a real job, you know, on the side.

Marten Mickos:
Very, very much so. I predicted a few years ago that within 15 years we will produce 500 CISOs for the world's corporations out of these ranks. So there we get entrepreneurs coming out. We have one hacker from India who with his friend started a company. They sold it for $100 million to SentinelOne (PingSafe). Like, it is truly a start of greatness for you anywhere in the world. I know of a hacker in Egypt who applied to M.I.T. and had no other real credits than showing his hacking accomplishments at HackerOne. So he printed his profile page with all the scores and numbers and everything and sent it to them as proof of his capabilities. So it is a true equalizer on this planet. It brings out the best of people who have a knack for cybersecurity, and then we bring it to the benefit of any company that has software deployed in the world and connected to the Internet.

Jeff Frick:
So you said you were feeling pretty positive about things. And one of the things that you mentioned that's in the arsenal is this idea of pooled defense, and that the fact in security and you've already mentioned it a couple of times here that, you know, you guys document the bugs that you find, you document vulnerabilities, and that there's actually more good guys on the good team than the bad guys that are working in this pooled defense. So it's interesting coming from your open-source background that it seems like security is just another great opportunity for people to share information to the benefit of all like you did in open source, now in security, so that when one person finds a vulnerability, we can all share in the benefit of that. So I wonder if you can speak a little bit to pooled defense, what it's all about.

Marten Mickos:
A very important point here. And it often starts with the notion, sort of the cynical, sinister notion, that the criminal has to succeed only once, but the defenders have to succeed every time in defending, and then it feels miserable. And we think, okay, it's just a matter of time before we get hacked by a criminal. But in those situations of an asymmetric threat, where one small group can cause a lot of harm, it is also conversely true that pooled defense will always outrun them. There are always more good guys than bad guys. There are always more defenders than there are attackers. And if you can bring the defenders together, it's superior in speed, power, might compared to the adversaries you are defending against. And that is the mechanism we do here. So it's not enough to have one person who's good at finding vulnerabilities. We need to have all of them so that for every situation we just statistically overpower the enemy and the adversary coming at us. And as you said, we have over 2 million people signed up on our platform to hack. Not all of them are good hackers yet, but it shows the interest of the world in coming to help it. And the number of black hats in the world, the number of criminal hackers in the world, is on the order of magnitude of hundreds of thousands. If you take all the state-sponsored groups in all kinds of rogue nations, if you take all mafia groups, criminal syndicates, whatever they are, it won't add up to more than a few hundred thousand max. And we are in the millions. So we're showing that we have more positive power than there's negative power. We can outrun them, we can outsmart them, we can do all these things if we work together. So that's the fundamental mathematical model of what we do. But it does require this pooling of the defenses, learning from each other, defending together. And this is how mankind has always defended itself against asymmetric threats. It's not specific to cybersecurity. It applies to any similar situation.

Jeff Frick:
But it just seems like, for a lot of situations, people are going to want to hold back for their competitive advantage over the rest of the people out there. But it seems like security is one of those things where, you know, we do want to pool, we do want to share because, you know, we may be competing out in the marketplace, but neither of us wants to get, you know, kind of taken out from the back.

Marten Mickos:
True, but in old school cybersecurity, this was not the case. In the old world, cybersecurity was a secretive practice only for those with a clearance to do so. You kept the bad news secret so that it wouldn't spread. So the mindset was different. Now we are shifting, and so cybersecurity is becoming much more open, and we're actually learning from aviation safety, of all places. In aviation safety, every piece of safety information is shared freely among all airlines, whether they compete or not, because they know that safety stands above everything else and you must work together on it. So they have no worries there. They may keep competitive information from each other. They might be fierce competitors, but safety information they share freely. We are now getting it into cybersecurity as well, where customers and vendors are realizing that sharing is the only way to fight the threats and that there's just one way to do security. And it is together. So it's finally happening, which is great, because it wasn't always the case. And there are still some pockets where they are thinking that you have to keep it secret and within just a small group. But the small group can never stand against the threats that we are facing.

Jeff Frick:
Okay, so that is then the segue that I'm going to take to get to open source, because you are a big open-source guy. But, you know, you tell a story in a podcast I listened to getting ready for this that when you were at MySQL (and I said it the proper way, so I don't have to give you a quarter), you were in a lawsuit against a big guy and you were the little guy, and you guys used a strategy of radical transparency to win. And you did it not only at MySQL but also in the story you tell where someone would ask a question and you guys would just answer the question in the documents and then return the answer back in the documents. So, you know, you answered every query that everybody ever asked in the early days of really supporting that community. So this idea of radical transparency. And then when you talked about it in the lawsuit, when everyone else is trying to be secret and you're just putting it all out there, just here it is, make your own judgment. It's a really different way to think about information. It's a different way to think about competition. It's a different way to think about the world. But I think in the world where information is infinite and at our fingertips, it's really the application of the information and it's about sharing. It's not about being secret anymore. The power's in the sharing.

Marten Mickos:
The power's in the sharing. And I learned this in the open-source world. That's very true. But we do it for competitive reasons. We want to win. We want to beat the heck out of our competitors. There's no doubt about that. We just know that transparency is such a powerful tool that it in a way scares away many competitors. I do it even today with HackerOne: some of our most strategic discussions we have internally, we write up as blog postings and other texts and publish to the world, because our model is such that the more people understand what we are doing, the more powerful the model gets. And you must have a certain conviction to do it. But it's important to know that we're not doing it for charitable reasons. We are not doing it for the love of this planet. Although we do love this planet. We are doing it to provide better cybersecurity and to advance HackerOne as the leading vendor in this space. But it is amazing what you can do with transparency, because there are so few who are ready to go there. So if you go there, you get all the spoils, you get all the benefits from it.

Jeff Frick:
The other great story from that chapter that you shared was making MySQL bigger than it was by talking about bigger issues than the ones that you guys solved directly. And I think the one that you said you got famous for was you were the only person in open source that knew how to make money in open source. So if that's what people are interested in hearing about, that's what I'm going to talk about. And really blowing up the presence of MySQL between, you know, having a position on open source, which was kind of new and innovative, as well as this radical transparency, to make MySQL and really change the dynamic of that evolution in computing around databases.

Marten Mickos:
This one I learned from others who have built categories in industries and who know that when you are a CEO or a leader of a business, you tend to look at your own interest and your own business. But what you should do is ask, what does your audience think about every day? What is their big problem? And their big problem is probably larger than what you represent. So if you can go into their world and address the topics they are thinking about anyhow, you get an audience in a way you wouldn't if you're just sticking to your own value prop and product and you say, "Let me tell you about my technology." Nobody wants to hear about technology. They go to Wikipedia to read about the technology, but they do want to discuss the essential questions. Like today, an essential question is, how do we govern artificial intelligence? Like, should governments take action? Should they not take action? Should it be liberal or open, or governed or closed, or what? And it turns out now that what I learned the hard way over 20 years in open-source software, these principles are usable in the AI context. And we have customers who come to us to hear our thinking about these things, because me and many others have seen how it played out in the early days of open source. And now we see similar challenges in the world of AI, and we need to get it right, because otherwise companies will not succeed, societies will struggle. So this governance question is becoming an essential part for anybody who wants to be successful in either producing AI or making good use of AI. So that's an example. And I would recommend it to anybody. And I think leaders do that: they know how to speak about topics that the audience is interested in, not topics they are themselves interested in, or they are, but.

Jeff Frick:
Let me follow up on that with the governance in AI, because I think the governance of AI, it's interesting to look at governance in privacy and security because, you know, we fall back to this fundamental issue that we have in the States, you know, kind of states' rights versus national rights, where, you know, we don't have a national breach notification policy. And I just think it's interesting, if you look at Europe as a contrast, say, with GDPR, that they can actually organize as a set of countries more effectively than in the States we can organize as a set of states that come up with some consistency around rules. And I know kind of the California (Consumer) Privacy Act (CCPA) is a little bit potentially taking the lead in setting some kind of a national benchmark for others to follow. But if we look at the governance in security, it does not bode well for trying to manage governance in AI until we get a little bit better at finding some consensus around some of these issues and not being quite so contentious around kind of the states versus national, you know, regulations.

Marten Mickos:
That is true. But the problem is global, essentially, and we have to reach global accords on AI. Even back in Viking times, the Vikings knew that you build nations through passing laws. They had a saying that with law you build a nation. And today, when our lives are becoming governed by AI, we have to know that we will need regulation to govern AI, because AI is governing our lives. So it's clear that regulation and governance will be very much needed. At the same time, we must leave room for the scientists to work on their science. And I use here a metaphor from natural sciences. It is very important that everybody, not everybody, but those who can, can learn about physics and nuclear physics. And we should not limit the availability of learnings about nuclear physics, but we should regulate the use of nuclear materials, the nuclear power plants, nuclear weapons, all of these. They must be tightly, tightly regulated. But physics as a science should be very open, as it is. You can go anywhere and study technical physics today. So similarly with AI, we need to protect the science part of it, the evolution of that mechanism, so we can build better and better machineries, automations, whatever we build. But at the same time, once it comes to how it is applied, we may need strict regulations to make sure that we are not harming mankind with this great innovation that we have produced. And that is a difficult contrast and balancing act, to know where we should be open and liberal and where we should have strict governance rules. So it will take a whole village to come up with those rules. I don't think Europe or the U.S., either of them, has the right answer or is ahead. Like, we need the collective thinking of Europe, which is useful when you define regulations and accords. But we also need the individualism that especially the San Francisco Bay Area represents. So I think we need both.

Jeff Frick:
Yeah, I do too. And I think we definitely saw, I mean, Dr. Rumman Chowdhury, who used to be at Accenture doing ethics there, her great line is, you know, you can go faster if you have good brakes. You know, good brakes enable you actually to go faster. And I was like, that is genius, because it's absolutely true. If you have good brakes, you can go faster. You can do more. Having some edge of a limitation.

Marten Mickos:
That's brilliantly said. It's so true. And we must move. Like, there again we come to the competitive side, that we are competing against other companies, maybe other nations, other belief systems. And we need to show how good we are at building out AI so that it can serve mankind, it can solve medical problems, it can solve many essential problems that society will need to have solved very soon.

Jeff Frick:
Very good. I want to shift gears a little bit and talk about some of your leadership philosophies. You've been at this for a while. You've shared a lot of notes on LinkedIn, etc. But one of the things you said that I think is just profound is in talking about learning. And, you know, we want people to learn. We need to learn. The world is changing. We all need to be lifelong learners, and we want to create great conditions for learning. But the truth of the matter is we learn fastest when we touch the stove and we have to pull our hand back. We never touch a stove again. And it's this weird paradox that you want to help people and we want to help them learn. I almost think of it as parenting: the more you help your kid, the more you're hurting your kid by not letting them fall and scrape their knee and learn the lesson. Because I think, as you said in that quote, there are just some things you have to learn the hard way. I wonder if you can, you know, how do we square that circle?

Marten Mickos:
Yeah, I wish I knew the full answer to the question, because I love it when it's fun to learn. You get together and, if you're kids, you build Legos and you learn, or if you're grown-ups, you build companies. But it's sort of the same thing, and you learn so fast in a positive environment, and then you hit a major setback and it burns you so badly. And you realize in that moment you learned ten times more than you had learned from the positive interactions. And I don't know what the universe intends with this mechanism, other than we probably need both. Like, we probably should have this positive learning in everything we do, but then we should build our resilience so well that when the negative learning, the painful learning, happens, we really recover from it and take the learning and not the suffering. Like when I was a kid and we had visitors from America visiting us in Finland. Our guest pointed out to my mother that me, I was maybe four years old, I was standing there holding a sharp big knife in my hand, and he said, "But Elisabeth, won't your son now cut himself?" And ostensibly she responded to him and said, "Only once." Whether that's true or not, I don't know. But it's a beautiful story that, like, you must take a little bit of that pain and it burning to learn really, really how something works. But if life is only that, then you become, like, it's miserable. If life is only learning in a fun way, then maybe it doesn't become as deep as it should be. So whether we like it or not, life must be hard at times. Life must be tough. And if you can't overcome those situations, then you won't feel the sense of accomplishment. Because when I go back to great things that have happened and, like, take MySQL, which turned out so wonderfully, and we remember the moments, we always remember the hard moments, and then we sort of smile and hug each other, and they defined us.
And so I'm realizing that it couldn't have happened without the setbacks and burning our fingers and making a really stupid mistake and having to sort of come back and step higher.

Jeff Frick:
And because last we spoke, you talked about a time where you made a strategic error as a CEO. It may have still been at MySQL. Was that yesterday or the day before yesterday or... No, it was a while ago. But she said you were waiting to get fired. You're just, like, sitting in your office waiting for, you know, for them to come in and take you out. And instead, your team backed you up and said, yeah, you made a mistake, but that was yesterday. Now we need to still go forward. You're still our CEO, so pull up your pants and let's get to it. Really interesting moment. And I'm sure you look back at that quite often.

Marten Mickos:
Yeah, they did. They said, "Okay, Marten, you caused this problem, you messed up. But now you owe it to us to lead us to victory." And I couldn't argue against that. Like, I was ready to give up. I thought, like, I'd better just disappear and let somebody else come in. But then I realized that they had a demand on me: that if I had hired them and I had promised them a great adventure, then I would keep leading. And it was really a pivotal point for myself, seeing that sort of support from my own team. Like, it's a reminder that when you are doing something significant, you must have a lot of confidence in yourself. But there must be somebody else who has even more confidence than you. Because there will come a point where you feel like giving up, and somebody else has to remind you that you shouldn't, or you couldn't, or you mustn't, or it's not an option. And it shakes you really deeply when it happens, but that's the way you ultimately overcome anything.

Jeff Frick:
So talking about technology, you've been in it for a while, a few yesterdays. You've seen some major, major waves. So MySQL, you know, changed the way databases operate, changed pricing on databases forever. Then you were at Eucalyptus, doing hybrid cloud before hybrid cloud was cool, still early days of kind of public cloud really taking off. And now you're in security and the infosec side. So one of the things, I was talking to someone the other day, I said, you know, it seems like every technology in Silicon Valley only lasts about three innings, two innings, before some other wave, you know, kind of crashes over the top of it. When did you get here? When did you come to the Bay Area? Did you come with the MySQL to Sun acquisition? And I'm just curious, your take, seeing all these waves of innovation since, you know, 2000. You were there in 2000 when I was there.

Marten Mickos:
My spirit moved to Silicon Valley 30 years ago, and I moved to Silicon Valley 20 years ago. Like, my body followed ten years later, because back in the nineties, in Europe, I was learning about Silicon Valley. I realized this is the place, I have to be part of it. So I handled sales deals and business relations with Silicon Valley. So I've loved it ever since. But I think it is the beauty of specifically the San Francisco Bay Area that there's a sensibility for when a new trend becomes really significant. And of course, many start too early. Like at Eucalyptus, we were far too early, so that was one of the reasons it didn't flourish as it should have. But there's always somebody who gets the timing right, and then everybody joins and everybody makes it a massive, a massive shift of industry, like Web 2.0. That happened after the dot-com bust, and we started building interactive web applications. It was a wonderful, wonderful time. We didn't know it was Web 2.0 when we did it. It was only called so a few years later, when Tim O'Reilly came up with the moniker for it. But you're right that these last ten years, 20 years, and then a new thing comes and takes over. It doesn't replace the old one; the old one still remains there, but it's just not the main focus of things. And that is part of, that's what innovation is. You have to build it, package it, commoditize it so that it can be just a standard piece. And then you go on to the next and the next and the next. But, I'm sorry, I'm going so deep into this, but it's not just building on top of the previous layers. Sometimes you go back to a lower layer. Like back in the eighties and nineties, the microprocessor architecture was a big thing, and building them was a huge business. And then it became commoditized, and everybody had similar processors.
Now we're back into the age where it matters what silicon you're running on and you can get a lot of benefit there, and a lot of VC money for startups is spent on compute infrastructure today. So here we are going back to a situation where again silicon is the difficult part, and it will attract more money, more attention, more solutions until it again gets commoditized. And our focus moves to another layer in the stack.

Jeff Frick:
Well, NVIDIA's doing pretty well with the AI silicon for this round, so what's your take on kind of the current thing, both AI in general and GenAI specifically?

Marten Mickos:
Yes, so quickly to comment on HackerOne: the more new technologies, the more you need security. So it is a massive boost to our business. But let's first look at the main thing of AI and what it can now do. We see the early innings of amazing new services, and we are just amazed and in awe, but actually it's a little bit like the first Internet browsers: we think they're amazing, but they're actually pretty primitive. So it will get much, much better. What I think is happening, fundamentally, is that, like, we tend to think that an LLM is good at knowing things and having intelligence and doing things in the tech world; what it really is good at is understanding human beings. So we are finally getting to a point where you can speak to a computer and it knows what you mean. So an LLM is trained on training data, but in a way it's trained on human beings. It is being trained on how to interact with humans. So everything you and I have learned about computers, keyboards, coding, all these things may become, like, commoditized or become a niche. And the new way to interact with the computer is voice and direct and for anybody. You don't have to be a computer-educated person. You could be anybody of the 8 billion people living on this planet. That is a massive shift. And once you do that, you can have the LLMs call other functions. They could be other learning models. They don't have to be large. They can be small, they could be specialized. And suddenly there's one LLM that understands you. Maybe it's trained on you alone. Maybe that's what it does. All the LLM does is learn your behavior. And then you go to it and say, "Get me some food, get me some information, get me some program, get me some dates with other people," like whatever you do, and it will start doing it for you. That is a massive, massive shift in society that is difficult for us technical people to imagine, because we are so technical.
We would like to see technical benefits. Like, we are bothered whether AI can calculate an equation correctly or not, but we forget that the real value is probably in regular human beings doing regular things faster or better or more thanks to AI.

Jeff Frick:
I think you're so spot on. I think that is so underreported in this current trend. Both the fact that that voice interchange finally works as the way to interact with a computer instead of a QWERTY keyboard, which is designed specifically to slow us down, and two, not only do I have voice interaction, but I have voice interaction with a massive supercomputer somewhere. So like in an industrial application where they measure, you know, the volumetric measure of a pile of coal at an electric utility plant, you don't have to fly it anymore. You just tell it, go do this and do it every day and charge yourself up and report back, and we'll have longitudinal data. I mean, it's really different when the democratization gets to the point where I can tell it what to do and it'll do it, versus really, you know, controlling what it does, which is a different level.

Marten Mickos:
But the need for complex problem-solving will always exist. So when people say you don't have to learn coding anymore, that's not really true. A lot of people will need to do coding. A lot of people will need to do problem-solving that is akin to coding. It's just that this universe of what AI can do will explode. So maybe it's just 1% of the world, but the world will be so much larger than this, there will be plenty of work for software developers or mathematicians or statisticians or whatever difficult work you are being trained for. But I do think that the main impact on society will be in pretty mundane everyday things that now can reach anybody on this planet, and not just those who have grown up with laptops and computers and programming.

Jeff Frick:
Well, Marten, we're getting to the end of our time. I want to ask you a question we talked about briefly before we got started, which is your business problem, which is good news, bad news. So for your customers, it can be good news: we found the bugs. You can shut down that vulnerability and not get hacked. Or it could be bad news, or good news I guess: we didn't find any bugs. So, you know, you're kind of in this interesting position with the customers. You want to find bugs. You don't want to find bugs. They want you to find bugs. They don't want you to find bugs. What's the right amount of bugs to find? How does that all work out in practice?

Marten Mickos:
Yeah, that's the eternal enigma of our business model, that if I come to you and say, "Jeff, I know all your vulnerabilities," is that good or bad? And when we find a lot of vulnerabilities in systems, somebody might think short term that it's bad news. We think it's good news. And then after a while, when we don't find vulnerabilities anymore, that's even better news. And it reminds us of the fundamentals here. That's when you can trust the discipline and scrutiny of the testing, any result is good news. If you can't trust the person or mechanism that's doing the testing, no result will help you. So when you know that they are testing well, you will value it. It's like when you go to a doctor to test for something. If they find something, you may be sad, but you're thankful that they found it, right? If they don't find anything, you're also very happy, because you know that they looked very hard. So similarly, in our business, we have to go in with this, like, Zen-like calmness as to whether we find or we don't find, because we know that, given we have the best people to test that can be found on this planet, it's good either way. It's good if we find, it's good if we don't find. And the best customers will enjoy both sides. And know that is the essence of staying in shape, keeping the software in shape. Sometimes you find something, you fix it. Many times you don't find anything and you can be happy, but you can't be happy if you don't test so hard that you also find some. So it's a weird, weird philosophical balance that I've had to learn and come to enjoy in my job at HackerOne. And it's a wonderful, like, there's something very eternal, like there's some eternal truth about that, like learning by burning your fingers or learning in a fun way, that you can't disassociate them; they belong together, although they are contrasts and opposites.

Jeff Frick:
And you've spoken on another podcast that, you know, it's ongoing and continuous. It's never over, and you had this great line, you said, "If you can't beat them, keep beating at them," which, you know, goes back to this kind of never-ending 1% improvement, 1% improvement, 1% improvement. And you know, after a while you can make some pretty significant gains.

Marten Mickos:
Yeah, the only goal you can set in cybersecurity, if you're an end user, a customer, is to be better than yesterday. That's the only thing you can wish for. You can't be fully secure. You can't eradicate all problems. You can't buy all the products you need. You can't buy all the services you need. It's just not possible, but you can every day get a little bit better. And when you do that, you will have fewer problems than everybody else and you'll come out a winner. That's how you do it.

Jeff Frick:
Well, Marten, your enthusiasm in this role is palpable through your posts, etc. So it really looks like you've found a great place and you're having a ton of fun in this cool kind of marketplace of people doing great work. So it looks like it's working out really well.

Marten Mickos:
I love hacking people. I love hacking you. It's a wonderful business. So thank you, Jeff. This was a really cool conversation. Great questions. I enjoyed them very much.

Jeff Frick:
Thank you, Marten. I always appreciate it. And we'll see you online.

Marten Mickos:
Thank you. We will.

Jeff Frick:
All right. He's Marten. I'm Jeff. You're watching Turn the Lens with Jeff Frick. Thanks for watching, thanks for listening on the podcast. We'll see you next time. Take care.

Cold Close
Awesome.
That was great.
Thank you. Yeah, that was fun.
Well, thank you, sir.

----------------------

© Copyright 2024 Menlo Creek Media, LLC, All Rights Reserved

Jeff Frick

Entrepreneur & Podcaster

Jeff Frick has helped tens of thousands of executives share their story.

Disclaimer and Disclosure

All products, product names, companies, logos, names, brands, service names, trademarks, and registered trademarks (collectively, *identifiers) are the property of their respective owners. All *identifiers used are for identification purposes only. Use of these *identifiers does not imply endorsement. Other trademarks are trade names that may be used in this document to refer to either the entities claiming the marks and/or names of their products and are the property of their respective owners.

We disclaim proprietary interest in the marks and names of others.

No representation is made or warranty given as to their content. 

The user assumes all risks of use.
