Sept. 8, 2022

The Hacker Economy is ‘Booming and Robust’

Why companies get hacked and what that means for you

Nora chats with Corey Thomas, CEO of the cybersecurity company Rapid7. He talks about why nearly every company is a software company (whether they’re ready for it or not), and why we’re seeing so much investment in the cybersecurity industry right now. Plus: A breakdown of the booming hacker economy, and why it’s a lot like an Ocean's Eleven heist, but on the internet. For more info on our presenting sponsor, check out realvision.com/businesscasual


Host: Nora Ali

Producer: Olivia Meade

Video Editor: Sebastian Vega

Production, Mixing & Sound Design: Daniel Markus

Music: Daniel Markus & Breakmaster Cylinder

Fact Checker: Kate Brandt

Senior Producer: Katherine Milsop

VP, Head of Multimedia: Sarah Singer


Full transcripts for all Business Casual episodes available at https://businesscasual.fm

Transcript

Nora Ali: From Morning Brew, this is Business Casual, bringing you convos with people you know, and some you may not know yet, to make business less intimidating. Because money talks, but it does not have to be dull. I'm your host, Nora Ali. Now let's get down to business.

Why does it feel like there are cyber attacks, hacks, or breaches nearly every day in the news? Crunchbase even reported that cybersecurity venture funding surpassed $20 billion in 2021, and saw a record-smashing fourth quarter last year. So if everyone is talking about it and investors are investing in it, why haven't companies figured out how to really protect customer information?

Enter Corey Thomas, CEO of the cybersecurity company Rapid7. He reminded us that there has been a massive shift in how much technology we use day to day over the past 20 years. Banking, retail, work, travel, healthcare, pretty much all of it is online, which means that nearly every company is a software company, whether they're ready for it or not. And the tricky part is, many companies don't really know too much about the technology that's in their environment. And if you don't know about it, you can't manage it. And if you can't manage it, you can't secure it and have a plan to maintain it.

What I found most interesting in this conversation is Corey's description of the hacker economy. In his words, it's “booming and robust.” Hacking experts are actively working together to maximize the amount of money they can steal from corporations, putting your information at risk. He describes the different fields and specialties within this booming underground economy, including people who specialize in how to monetize your stolen data.

We decided that this sneaky, thoughtful teamwork to exploit companies for millions of dollars feels sort of like a web of Ocean's Eleven heists, but on the internet. So who's addressing this? What are the fixes, and what does it mean for you at home? We find out from Corey Thomas next, after the break. Corey, hello. Welcome to Business Casual.

Corey Thomas: Nora, thank you for having me.

Nora Ali: Of course. A lot to get to on the topic of cybersecurity. I think we've all got a lot of questions for ourselves, for the companies that we work for and work with. But first, Corey, a fun segment, an icebreaker called Professional Pet Peeves. So Corey, if you could wave a magic wand and get rid of something annoying that happens at work—in the workplace, remotely, wherever, that you could get rid of, what would it be? What's your professional pet peeve?

Corey Thomas: I grew up having to actually do sales calls myself, even when I was an engineer. And I hate when people actually sort of call and don't do a little bit of homework first. And so not doing the homework is sort of just one of the pet peeves that bothers me.

Nora Ali: Why were you doing sales calls while you were engineering?

Corey Thomas: It's interesting is that I had the good fortune—I did not think it was good fortune at the time, because I was one of those technical elitists, but I had a good fortune of having a boss early on who told me that there was no success if you didn't understand your customer. And I was a little bit...had a chip on my shoulder about it. So he put me in the support group and made me answer support calls for a whole summer. And so it was the best thing in the world that ever actually happened to me.

Nora Ali: Yeah, totally. I used to be a product manager and would sit in on customer service calls, and I learned more on those calls than I could doing any other research on the internet.

Corey Thomas: Exactly.

Nora Ali: So it's super helpful. But that's also just good advice for general networking and any meeting that you have. Just look someone up on LinkedIn.

Corey Thomas: Exactly.

Nora Ali: If you know a little bit about them, that moves you miles ahead of other people who haven't done any preparation. I like that. All right, let's get to it. Rapid7. You are the CEO. You partner with corporate clients on the cybersecurity side. We've had some interviews, conversations on this podcast from the personal cybersecurity side. So let's start with some definitions. What is the difference between corporate cybersecurity and personal cybersecurity?

Corey Thomas: Yeah, so personal cyber security is the stuff you do to secure yourselves, your own personal devices, your computers, your home networks, your accounts, most importantly. It's things like the two-factor authentication. It's your passwords. We don't want any of your social media accounts to be compromised in the world. We don't want your bank accounts to be compromised. All of that is sort of like the personal security.

Corporate security is about, how do you actually secure organizations? I don't think about it just as corporations. It is hospitals, nonprofits, governments, healthcare organizations, but increasingly more and more of our society runs on technology. And there's lots of benefits, but there's definitely some risks to it if we actually don't secure that well and effectively.

And so Rapid7 is in the business of helping make sure that as we advance the technology and the digital economy in society, we do that with the lowest possible risk. We make sure that we actually are looking for, are your systems optimized and minimizing vulnerabilities? Are attackers attacking your systems? And how do we make sure that if they're attacking, we catch them as quickly as possible? And in general, securing that organizations have the best possible security posture.

Nora Ali: What is an example of some vulnerabilities, in the most basic terms? What are some of the big issues that you might see with companies that you work with?

Corey Thomas: Yeah, the biggest issue is unfortunately we, as a society, deploy technology faster than we have the capacity to manage it well. And there's some very good reasons for that. I can't think of any segment of society that is not undergoing essential threats to their relevance. And so governments have to actually become more digitally enabled because citizens are developing it. And so what that really means is that the largest vulnerabilities come from not patching and not updating systems and not properly configuring systems.

I'll use a commercial or consumer example, is you get your phone and you get the update on your phone. It says updated. Well, if you actually don't update it, then it's likely you have a vulnerability that's going to be exploitable and compromisable. And that actually transcends to corporations too. They have these significant vulnerabilities and many of them don't keep up with the updates, or they don't properly configure the systems so that they actually minimize the vulnerabilities and the exposures.

Nora Ali: Do you find that the companies you work with fundamentally understand their vulnerabilities, or are oftentimes your clients, you're starting from scratch and even explaining to them what a vulnerability is? How do those conversations go initially?

Corey Thomas: Most organizations understand the concept quite well. So that's not the issue. You can't even fix vulnerability if you don't know what you have in your environment. And so most companies don't even know the technology that's running in their environment. Why? Because people like you and I, we're out there trying to stay relevant. So we're buying technology, deploying technology, we're doing our thing. And if you don't know about it, you can't manage it. You can't secure it. And then you have to actually figure out like, all right, if I know about it, is it properly configured? And then do I have a plan to maintain it? And that's where most people fall down, is that it's not that they don't know that they should. It's just getting a handle around things that are not controlled.

If you go back 20 years, the technology environment was a hyper controlled, hyper centralized environment. That's not the world that we live in today. And so organizations are having to now develop new practices to figure out, how do I figure out what's in my environment on a daily, ongoing basis?

Nora Ali: When you say making sure that these customers, these businesses, have their technology systems properly configured, what does that mean? Just explain it to me like I'm five years old. For those who are not familiar with the terms in the world of cybersecurity, what does that mean exactly?

Corey Thomas: So a basic way to think about configuration is that when you go install any software in your environment, you're given a set of choices. Now we can have a whole 'nother conversation about why does the technology economy give people so many choices that they don't understand, but that's a whole separate issue. But you're given a set of choices about how you want to set things up. So here's the example that I'd actually give you, is that when you install your wi-fi at home, you have a choice. You can leave the default password, which by the way, used to be no password or "password123."

Nora Ali: Oh no.

Corey Thomas: And so that's a choice. And so you go set up your home password and you type in, and it says, "Do you want to create a custom password? No, I don't want to create a custom password, leave it." Now, some hacker comes along with your network and they say, "Let me log into the administrator. Let me try default password 'password123.' Oh, it works. Now I can actually sort of monitor every single thing you're doing in your home." But that's a configuration choice. And so now part of what's happening is that technology providers have to get better at not giving people stupid choices. And so when you come out today, when you get a wi-fi router, they have a custom password that's sort of like some crazy esoteric long thing. And that's a good thing, because why? Because they know that people are going to probably make a bad decision, a bad choice. So don't give people an option, if you know it's going to be a bad option.

Nora Ali: That's great. Don't give people stupid options. Just take that extra step. Because oftentimes businesses will focus on what's fastest, what's the most seamless and frictionless for the customer. But having to type in that super complicated initial password is not the most fun thing as a customer, but it's better for you at the end of the day.

Corey Thomas: Yeah. And that's the eternal thing that we're looking at in the technology. This is not a cyber issue. This is a technology issue, is how do you actually make things easy but secure? And that's going to be something we're going to be spending a lot of time on for a long time.

Nora Ali: Yeah, for sure. So it sounds like there are a lot of companies now that are trying to make things easier and more secure, tackling the issues around cybersecurity. There's even a Crunchbase report that notes that cybersecurity venture funding surpassed $20 billion in 2021. That piece is titled "Fourth Quarter Smashes Record." Why are we seeing so much investment and growth in this area right now? Is it because hackers are just getting more sophisticated at a faster speed? Why do you think we're seeing this acceleration of investment?

Corey Thomas: So if you think about how much of our economy, first, and how much of our lives has become digital-enabled, it has been a massive shift over the last 20 years. And Covid only accelerated that shift in that transition. So one, that's where the action is. You can get your driver's license renewal online. You can do your banking without ever going to a bank. So that's where the action is.

Now you overlay that, is that we've improved our cyber security, but we have a fragile cyber security ecosystem. And so what that means is, if you look at the other economy, the hacker economy, that's incredibly booming and robust. You have places in Asia and Eastern Europe and in Russia that are booming economies that are saying, "Listen, all of this digital economy in the west has actually gone online. The cyber security has improved, but there's still lots of gaps and lots of holes. Let's actually use that as a way to actually target, compromise, and monetize." So that's one big sort of element there, is just that's where the money is.

The second element that we have to actually look at, which has not come to fruition, which is where you see lots of the concern is that cyber security is now a tool of nations. And before it was used primarily for espionage, and now we're shifting into the area where basically it's used as a way to actually manage geopolitical conflicts. So it's used to actually disrupt. It's used to destroy. An area where this is actually sort of in evidence is actually the Ukraine. Not just now, but if you actually go back, I think it was 2015, about some of the attacks that the Russians were doing against Ukraine as a way to express their displeasure about some of the political choices that Ukraine was making, that was absolutely a cyber sanctioning of saying, "Hey, you're doing something I don't agree with and I'm going to punish you for it." That's what it is, at the end of the day.

And there's lots of reasons to try to avoid that at all costs, but it is sort of part of our future that we have to navigate. The question is, can we actually make it not the default option? Can we make it sort of something that's at a higher order of escalation? And while we haven't seen a lot of that yet, that's one of the concerns that actually has the thesis of why we actually need robust investment in this area.

Nora Ali: I have so many follow ups. We are going to take a very quick break. More with Corey when we return.

You said this phrase "hacker economy," and I want to learn more about this. So who are these people? What are they asking for? What's the kinds of compensation that they're asking for when they hack into different systems, especially if it's a big corporation or even a government? Just tell me a little bit more about the so-called hacker economy.

Corey Thomas: Really when I talk about hacker economy is, we traditionally had this idea of hackers as these lone individuals in a very, very dark basement that were actually stealing your credit cards and using it, which is a nice idea. It's kind of cool. Made popularized by lots of movies. When we talk about the hacker economy, though, what we're actually talking about is an entire ecosystem. So here's what I mean by an economy, is it's the specialization and the cross section of different people that play different roles together to maximize the amount of money that they actually steal from individuals and corporations.

So there are specialists that specialize in just making technology that actually compromise the system. They build zero days, which is sort of the...think about these as exploits. And I'll define exploits: things that compromise your computer in your system that no one knows about yet. There's people that actually specialize in getting command and control systems. So when they actually...they go in, they take these exploits that are designed to compromise your system. And they actually specialize in getting control of your system in a footprint and then selling that access. They don't do anything with it. They just sell it to other people.

There's people that specialize in the ability, when you've stolen information, to figure out what's the best way to monetize. It's a whole marketplace at the maximum price. And so all of these things are areas of specialization. So when I talk about an economy, I'm talking about the specialization of people being extraordinarily good at a small set of things that come together to maximize theft in this case. You can say the same thing about espionage, for the record.

Nora Ali: This sounds like Ocean's Eleven or something.

Speaker 1: Second task: power. On the night of the fight, we're going to throw the switch on Sin City. Basher, it's your show.

Speaker 2: You want broke, blind, or bedlam?

Speaker 1: How about all three?

Speaker 2: Right. It's done.

Nora Ali: ...where you have someone who is an expert at the one thing to help you crack the code. I mean, this is so fascinating.

Corey Thomas: That's actually a fantastic analogy, the Ocean's Eleven. Because it is.

Nora Ali: Yeah.

Corey Thomas: But by the way, it's an economy analogy. We don't build cars where a single person builds a car. We actually have a bunch of people that specialize in different areas, and they come together and put it together.

Nora Ali: Yeah. Feel free to use that analogy for future explanations, Corey. You can take it.

Corey Thomas: I will.

Nora Ali: So what's being done to crack down on this hacker economy? Because companies like Rapid7 are helping corporations and organizations plug those holes, plug those vulnerabilities. But from the proactive standpoint of trying to figure out who these people are, is that happening? Is it even possible? Because I suppose they are experts at being anonymous on the internet.

Corey Thomas: I would say yes. And I'm actually optimistic here, but to be clear, the goal is not a steady state goal that this doesn't happen. The incentives are just too strong, just like there's no idea that robbery doesn't happen. Or if you run a retail store, you have an acceptable loss ratio. There's going to be some amount of theft that always happens.

Imagine your best city and imagine your Gotham, the worst possible city. Well, they both have crime. They both have murder. They both have larceny. They both have a lot of things. The question is, how often does it happen? And what's the impact of it? And what we actually want to actually get to a state with our digital economy is that it doesn't happen that often. And the impact is actually minimized. It's that acceptable loss ratio. So that's the first thing is, the goal is not achievable to be zero, and that'll just be a sort of a fool's errand, so to speak.

Now, the question about how do we do it? There's actually, I would say, if you're going to simplify, there's two core elements of how we do it. We gotta better bastion our own house. We have unnecessarily compromisable, vulnerable technology that is poorly managed, and we run poor systems to actually monitor to hacks. And so we have to have the right security controls in place. There's a bunch of great security technologies to do that. We have to actually make sure that we're actually configuring and ensuring that we reduce vulnerabilities and maintain systems. Companies like Rapid7 and others do that. And we have to make sure that we're constantly monitoring for attacks and when attacks happen, we catch it fast, and we actually minimize any loss that happens there. And that's what we specialize in.

The second one, though, is the public-private partnerships. Governments play an essential and a critical role there. One, lots of our critical infrastructure runs on government technologies and services. But governments also play a key role in actually ensuring that we actually have a good robust ecosystem in general. So government can actually make sure that the cyber insurance ecosystem functions and works well, which then incentivizes and rewards companies for actually doing the right work.

I'm a big believer in cyber insurance and the impact that can actually have in helping customers invest in the right practices. Governments can actually do information-sharing, where they share critical threats that they find, but they can also facilitate information-sharing about attackers and attacker groups across the world.

These are the things that actually I think are essential to actually make it that we run our own house well. We collaborate well across the Western nations, and we collaborate well with the governments to make sure we minimize the threat and the risk from cyber hackers and attackers.

Nora Ali: Can you define cyber insurance? How does that work as an incentive for organizations?

Corey Thomas: So the basic way that cyber insurance works is that you pay a premium, just like you do for any insurance. And for that premium, if you're compromised, some portion of that loss will actually be covered by a cyber insurance firm.

We're in what we call a very tight market right now, or hard market, where it's hard to get cyber insurance, for good reasons. I would say the market a few years ago, lots of cyber insurance lost lots of money. And so the way that we think about cyber insurance today is there's a few companies that are doing some extraordinary work. But what they're doing is they're saying, "Listen, we will give you higher levels of insurance at lower levels of cost, if we can ensure that you're running the right practices, you're updated and you're maintaining your systems, you're employing the right security controls that are the most highly effective, and you're monitoring for sort of attack and compromise." And that is a good incentive, because then I cannot only get insurance, which minimizes my risk in the future, I'm actually also being rewarded for actually doing the right things. And I think that's part of the solution that we actually have to have, to actually create the incentives to do the right work.

Nora Ali: And on that note of governmental contributions and responsibility, lawmakers have recently urged the Biden administration to strengthen the federal government's cyber defenses, specifically in the healthcare sector, amid a spike in attacks. I know you've spoken specifically on the healthcare sector before. Why are healthcare companies more vulnerable than, say, other sectors, even banks? And how has that maybe increased during the pandemic?

Corey Thomas: Yeah, it's a great question. So healthcare is one of our largest areas. And part of the reason that they're more vulnerable, frankly, is they have a more complex problem. So one way to think about it is the more margin constrained your business is, and the more complex your business is, the less focus you have for cyber.

And so let's just think about healthcare organizations. It's a very complex ecosystem. It requires lots of technology to make it work. Most healthcare organizations are running on very thin margins, and they got a really important mission. They're doing some important stuff.

There's two things. There's, one, the medical profession does have to realize that part of the care for their patients is ensuring that their patients' information records and all the other stuff that's affiliated with it is safe and secure. And I think there's lots of progress that's happening there. And almost every medical professional I talk to has actually got that. That was not the case five years ago. Definitely the case today.

The second thing is that the combination of the medical profession and the technology industry has to really do some deep investments to actually make it as easy as possible for hospitals and insurers to actually be secure. And I would say there's been some big advances there, and there need to be more, because I would say most of cybersecurity is not designed for thin margin businesses. And so one of the big things that we've been focusing on is not just how do you have the best cybersecurity technologies, but we have a specific goal of how do you actually lower the cost while improving the efficacy, and that we need to see more of in the cyber security industry in general.

Nora Ali: Do you mind sharing how your business model, your pricing model works for a client? Are they paying you up front for services? Is it monthly fees? How does that work?

Corey Thomas: We're a big believer in sort of like you pay for the value. You pay as you go. So they pay us for the assets that they actually have in their environment. We monitor those assets, we analyze those assets, and we provide automation services on top of those assets. And so they pay us for all the technology footprint that they have and they sign annual contracts, and it's a pay as you go.

The second that they don't think that they're getting value from our services, they can actually walk off. So we don't do that old school, big, sort of like five-year contracts, by and large. We really focus on, "Hey, we're here to actually do a job making your life easier. And if at any point we're not doing that job, we make it easy for you to get off," but we actually try to earn it so that they're expanding their adoption with us over time.

Nora Ali: Yeah. All right. We're going to take another quick break. More with Corey when we come back.

Okay, a bit of a newsy topic, Corey, that I'd love to get your take on is the Twitter situation. CNN and The Washington Post recently published this whistleblower disclosure that Twitter's former head of security had sent to Congress and federal agencies earlier this summer. So here are a few of the alleged complaints. There's allegedly significant security problems that threaten both users' personal information and national security on Twitter, that top executives at Twitter had been attempting to cover up the company's vulnerabilities, and that at least one employee might be working for a foreign intelligence service, et cetera.

What is your take on this, Corey? Maybe some context for our listeners. What kinds of vulnerabilities does a social media company like Twitter have, and what are your thoughts on these allegations?

Corey Thomas: Well, I think there's a couple different allegations in there. So let me just start by saying I have no intimate knowledge specifically of this situation. So I'm commenting based on things that were widely available. And I'm also commenting a little bit, I do know the researcher much and I think he's highly skilled, extraordinarily intelligent. So I know that he's qualified there. But again, I have no other substance in news here.

So one, on the vulnerabilities, it's like Twitter, like many things, they develop their own software. And so I think the allegations in some ways is sort of like two-pronged. Because one is, who has access to be able to do what? So there's this basic idea that you really want to actually build least privilege. That means that I, Corey, as CEO in my company, I have very low privileges. I can't create a sales order. I can't look at customer data. I have to go ask someone to do that. And there's a log and a record of that. So you want to actually minimize the data. So I think one of the things is sort of like who can actually do what in the environment.

And the other is that there's some serious vulnerabilities. And a vulnerability means that someone can actually monitor or get to or get access to or control something that they shouldn't be able to. And that wasn't publicly disclosed. And again, I don't have specifics there. I think from my take, the most serious issues are not the fact that there's issues. I just want to be clear. Every single company in the world and every organization in the world has issues. I think the issue here, if substantiated, is, was there a proper effort to actually identify and remediate issues?

And so it's not whether you have issues. It's what do you actually do about it? It's the old saying, "It's not the crime, it's the coverup," so to speak. And so if you have issues, are you doing good faith efforts to remediate it? Lying to regulators is a massive no-no. So if you actually lied to regulators, that's a big one.

And then on the vulnerability disclosure, look, I have taken a stance that's in contrast to some of the technology industry early, that's become more normalized, is that when my company has vulnerabilities, we publicly acknowledge it. There's...not every technology company is in that mode. And I think that any company today that does not publicly acknowledge their vulnerabilities when they actually have them and work to address them, it's going to be on the wrong side of history on this issue, because we can't fix things if we don't know about them as a society.

So yeah, again, there's a whole bunch of caveats that go there, but the allegations are...to me the most serious is that...not that they had issues. I don't think that's a big deal. They didn't actually act in good faith to fix them. They lied to regulators. And they hid stuff from their customers. That's the allegations. I have no clue whether they're true or not, but that's sort of like the way I see how the allegations stack up.

Nora Ali: Yeah. So it's about being transparent about what's going on and addressing it. But I guess if you are the leader of a company who does find there's vulnerabilities or there's issues with your customers' data, what advice do you have to communicate it effectively and make sure you're not going to lose customers at the end of the day?

Corey Thomas: First thing that I would say, the reason I try to normalize that there's issues is that this is a human dynamic that we're talking about, Nora. We're talking about shame. I've had this issue. You can go look at our blog. We've had it. We've had minor things before. I'm ashamed and I'm embarrassed. That is a human driver. It's fundamental. It happens to all of us. I can't think of a single person that's not found some level of shame and embarrassment before.

And so first we have to actually say, we have to acknowledge that we're embarrassed, because as business professionals we don't like to acknowledge that we are things like embarrassed. It's much easier to actually hide behind legal terms and all the other stuff.

The second one, we have to actually say that it's normal. Every single organization in the world will have some level of compromise. It may not be severe. We've disclosed something. And our customer's like, why are you bugging me with something that's actually a very minor issue? But every company in the world will actually be compromised at some level. Once you enter that, and then you say, what type of organization, what type of person do I want to be? And my argument is that you want to be an organization that people trust. Who doesn't want to be that?

Once you actually go through those steps, acknowledge your shame and embarrassment, acknowledge the fact that this happens to everyone, and then make a decision to be a trustworthy organization, I think everything is easy from there on out. It's not fun, to be clear, but it is straightforward.

Nora Ali: That makes so much sense. And I think that mentality can also be implied to being a good coworker, being a good employee. If you admit your mistakes openly and transparently, then people will just trust you more. They're not going to fire you because you admitted to a mistake. So similarly for companies, you admit a mistake, your customer will trust you more.

So Corey, clearly you have a very admirable lens on leadership and communication. And your team at Rapid7 is also admirable in that you intentionally run a team that is 50% people of color and women, with an employee base of more than 1,000 people. So how did you get there? What is your DEI strategy? And you also have a first-ever 2022 social good report as well. So just give me the lay of the land from a DEI perspective at your company.

Corey Thomas: So we started this in 2015 as I was looking around. And like many organizations, we were so focused on actually building a great cybersecurity operations technology that we focused on the customer problem. We were not taking a step back and saying, how are we operating? And is this a way that we're going to be proud of?

So it started with that simple idea of, what would make us proud of ourselves in five years? That was the notion. What about our culture, what about our attitude, would make ourselves proud in five years? And when we looked at that, we decided that we should actually do two things, and one of them does not get enough focus.

So the one that's easy is that we should be representative of the world that we actually live in. And if we're not, we should be asking ourselves questions. We didn't do quotas. We didn't do anything else. But we said, "Listen, we should ask ourselves hard questions every day, if we're not representative of the world that we actually live in."

By the way, I would say, over the pandemic, there's been some advances in some areas and some regressions. So we're having that discussion right now as we're hiring. So you have to always ask yourself that lens in that question.

The second thing is that, and this gets lost, is we said, "We will be more diverse while raising standards." Now that second part is really, really important, because what we said is we will also be a better-performing organization. And the goal is to actually do both of those things, is to actually be more representative and inclusive, but also have higher standards and higher performance. And those had to go hand in hand.

And I would say it was a complex conversation at first, because there was lots of fear about like, what did it mean, as far as quotas? What does this mean for opportunities? But I would say that second part really made it work, because people were just like, "We're asking questions and we're raising standards." And so if we had areas where we didn't see women in any leadership roles, it was a question when we went through the interview loops. What are the loops? Where do you find the talent? What's happening? And over time, people saw that high-quality white men got promoted. They also saw that women and minorities who were underperforming got demoted or terminated. But over time, we built trust in the system that it was fair. And the way that we responded was by really looking at, how do we find the best talent? And so one of the mantras became that, if we don't have a diverse team, we look at that as a sign of laziness. It's lazy because you're actually going through your same networks. It's lazy because you're actually not reaching out into new communities. It's lazy because you lack curiosity.

And so we leaned into this like, "Listen, if you're a hiring manager and you're building a team, you should be curious, but you should be engaged and not doing what's comfortable and easy." And by the way, that's a good mantra anyway, because if we spend too much time being comfortable, we're not growing. And so if we're a growth company, then we have to be uncomfortable all of the time. And by the way, we have a bunch of areas now that we're uncomfortable in, but that's an okay thing. That's a healthy thing, to sit with your discomfort and do something about it.

Nora Ali: What are the areas you're uncomfortable in right now?

Corey Thomas: We're uncomfortable with the fact that we actually really don't know how to develop young talent who actually doesn't want to go into the office that much. "That's not possible," but it ends up leaning a lot on skills. And it's true. People that are actually over 25 and have been working for four or five years, they're productive most anywhere. But we are seeing it's definitely not the same productivity for people that actually have no experience, because there's lots of teaching that actually happens. There's not just computer-based training and other stuff like that. There's lots of development. There's lots of mentorship. So we're working through that whole dynamic there.

I have serious concerns about, like, we've been very focused on actually playing a role in communities. As you have a more diverse workforce where people actually can live anywhere, corporate ties to communities lessen, and I think that's a real problem for society. So we actually think about that.

We think about, in this world, how do you actually make sure that people are actually giving high-quality and supportive feedback? And so I'm spending a lot of time saying like, "Okay, we have to make more effort at relationship-building." So what we find is that when you have high-quality relationships, you have more candid relationships. And so we spend time there. So these are just examples of some of the things that we're working through right now.

Nora Ali: You and the rest of us, Corey. It's about interpersonal relationships. It's how do you encourage communication transparency in this world where we're working remotely, we're working in person? All of that's changing. So it's actually refreshing to hear that someone who works in such a technical field and is solving the biggest cyber threats in the world also has the same issues as the rest of us. So it's good to hear.

Corey Thomas: Yeah, we're working through it.

Nora Ali: Working through it. All right. Well, Corey, we do have a special bonus segment for you before we let you go. It's called Shoot Your Shot. So I want to know, Corey, what your moonshot idea is. This is your biggest ambition, your wildest dream. It is your chance now to shoot your shot. It could be personal, professional, whatever you want.

Corey Thomas: In Massachusetts, where I live right now, we're having some real challenges with our public transportation. They're shutting down entire lines. I travel all over the world. If I'm shooting my shot, we are going to actually bring back to the US the leadership and innovation and the ability to actually build amazing cities with amazing connectivity and amazing transportation that's going to be technology advantaged. It's starting to feel like a backwater. And for me, that's just unacceptable. And so it's just topical, because it's on my mind.

Nora Ali: Yeah.

Corey Thomas: I'm competitive. And it's so frustrating.

Nora Ali: That's a big problem to solve. Do you think it's achievable in our lifetimes to fix our transportation, and mobility, and infrastructure issues in the US?

Corey Thomas: Absolutely. We have structural issues. We have skills issues. We have a whole bunch of issues. But is it solvable? Well, yeah. Go look at different countries around the world and what they've done in a 30-year period. You go to lots of cities in China, you go all over the world, you see some that are advancing and some that are not. Now, there's a bunch of issues. We can't do it the way other people did it. Not for the least reason is that the labor dynamics are different. But my only point is that this is something that is solvable, because we just do a lot of things that get in our way unnecessarily.

Nora Ali: We could do a whole interview on just this topic. So we'll save it for later. All right, last thing for you, Corey. We're going to play a little game. It is called Two Beats and a Miss, Cybersecurity Edition. So this is just our Business Casual version of Two Truths and a Lie.

Corey Thomas: Okay.

Nora Ali: So one of these things is not real. So which of these things is not a notorious cybersecurity attack? Are you ready?

Corey Thomas: Okay, I'm ready.

Nora Ali: I'll go through all of them. And then you let me know which one is fake. Number one, in the year 2000 a Canadian high schooler launched an attack on several big commercial sites like CNN, eBay, Yahoo, resulting in $1.2 billion of damage. Number two, in 1999 a 15-year-old hacked the US Department of Defense and NASA, including computers connected to the International Space Station. Number three, in 2007 an eight-year-old hacked into their school district's entire network of computer systems and erased data for thousands of students as a prank.

So we got big commercial sites, we got the US Department of Defense and NASA, and we have a school network. Which one is fake?

Corey Thomas: Much to my shame, I have no clue which any of them are, but I'm going to go with number one.

Nora Ali: Number one. So Corey, that in fact is true. This Canadian high schooler was called Mafia Boy on the internet. And he has since written a tell-all book called How I Cracked The Internet and Why It's Still Broken. So I think you and I need to both read that tell-all.

Corey Thomas: I've got to read that tell-all book.

Nora Ali: Do you have a guess between the other two?

Corey Thomas: Well, I don't know. My eight-year-old can break all types of things, so I didn't go for that one because I just look at him. But I'll go with the eight-year-old, I guess.

Nora Ali: You're right. That is fake. That's fake. I made that up.

Corey Thomas: Okay. I tell you, my eight-year-old breaks lots of stuff and so that's the...I have an eight-year-old turning nine soon.

Nora Ali: Okay.

Corey Thomas: And I would not be doubtful that he could break a bunch of stuff.

Nora Ali: Like break into stuff like tech systems?

Corey Thomas: Oh yeah. I mean, yeah. Yes. He has actually gotten into his mother's phone and emailed his teacher and had whole conversations with her. It's the only time he can actually spell correctly.

Nora Ali: Seriously? That is so funny. This is a movie in the making. The CEO of a cybersecurity company raises a child who becomes a big well-known person in the hacker economy because he learned the secrets from his dad.

Corey Thomas: He did not learn that from me. He figured it out. These kids today.

Nora Ali: I love that. So a fun fact: Even though that one is fake, a fun fact is that this person named Kristoffer von Hassel is known for being, at the time, the world's youngest known hacker at five years old.

Corey Thomas: Oh wow.

Nora Ali: And he had exposed security vulnerabilities in the Microsoft Live Xbox system at five years old. Incredible.

Corey Thomas: That is just absolutely incredible.

Nora Ali: And the US Department of Defense and NASA thing, sadly that's true. He was known as Comrade on the internet and was sentenced to six months in jail.

Corey Thomas: That one I actually knew about. So that's why I stayed away from that one.

Nora Ali: Good. Good. Amazing. Okay, great. Well, that's it. I'm going to call that a win. Corey, this was such a fascinating conversation. I've learned so much. Thank you so much for joining us on Business Casual.

Corey Thomas: Thank you, Nora. I really appreciate it. Thank you.

Nora Ali: This is Business Casual and I'm Nora Ali. You can follow me on Twitter @NoraKAli. And I would love to hear from you if you have ideas for episodes, comments and thoughts on episodes you loved, fun segment ideas. Shoot me a DM and I will do my best to respond. You can also reach the BC team by emailing BusinessCasual@MorningBrew.com, or call us. That number is (862) 295-1135. If you haven't already, be sure to subscribe to Business Casual on Spotify, Apple Podcasts, or wherever you listen. And if you like the show, please leave us a rating and a review. It really, really helps us.

Business Casual is produced by Katherine Milsop and Olivia Meade. Additional production, sound design, and mixing by Daniel Markus. Kate Brandt is our fact checker. Sarah Singer is our VP of multimedia. Music in this episode from Daniel Markus and The Mysterious Breakmaster Cylinder.

Thanks for listening to Business Casual. I'm Nora Ali. Keep it business, and keep it casual.