
๐ŸŽง๐ŸŒ Building an Open Source Security Company | Bobby DeSimone, Founder & CEO of Pomerium

How an unsecured air conditioner led to the biggest security breach in history, the sneaky large problem of access control, how AI will change security, and why Meta is open-sourcing its models

Bobby DeSimone is the Founder and CEO of Pomerium, the best way to authenticate, authorize, monitor, and secure user access to any application without a VPN.

Bobby explains why access control is so important, how it led to the biggest corporate hack ever, how it's related to the day CrowdStrike took down the global economy, and how AI will change security.

Pomerium has a unique open source approach, and Bobby takes us inside the early days of building the product, how he got the first customers, lessons learned about enterprise sales as a technical founder, and inside his funding rounds, including a recent Series A led by Eric Vishria at Benchmark.

For those that are terminally online, I released this episode of The Peel a few weeks ago. For those that aren't, I'm just now cleaning up the transcript and sending it out. Enjoy, and let me know what you think after listening!

👉 Stream on Apple and Spotify


Timestamps to jump in:

  • 2:02 Access Control: a sneaky large problem

  • 7:22 How an unsecured air conditioner led to the biggest credit card breach in history

  • 10:23 Google's internal security software inspiring Pomerium

  • 16:41 Making his first money online selling a WoW bot

  • 19:24 How CrowdStrike took down the global economy in July 2024

  • 22:29 Deep dive on access control and security

  • 29:39 How access controls impacted Google vs Uber's self-driving lawsuit

  • 30:52 Why Zero Trust security is marketing bullshit

  • 32:09 Advice for building access control

  • 34:39 How open source built early trust with customers

  • 41:39 Missing a 7-figure deal because he didn't use LinkedIn

  • 44:52 Everything he's learned about sales as a technical founder

  • 50:06 Inside Pomerium's Series A

  • 51:41 Advice on evaluating potential investors

  • 56:06 How AI will change security

  • 1:01:15 Getting in trouble at the first Pomerium board meeting

  • 1:02:15 How to hire good engineers

  • 1:04:00 When to scale back IC work as a founder

  • 1:06:56 Favorite new AI tools

  • 1:11:09 Why Meta's open sourcing its AI models

  • 1:12:32 Life lessons from Charlie Munger

Referenced:

Find Bobby on Twitter and LinkedIn.


👉 Find on Apple, Spotify, and YouTube

If you donโ€™t want to miss an episode, subscribe to get new ones in your inbox each week.


Transcript

Find transcripts of all prior episodes here.

Turner Novak:

Bobby, welcome to the show.

Bobby DeSimone:

Yeah, thanks Turner. I really appreciate you having me on.

Turner Novak:

So I wanted to kick things off. Access control - you're an expert on it. I don't know anything. Tell me about access control. What does it mean?

Bobby DeSimone:

Yeah, as much as anyone can be purported to be an expert in access control, which is a huge nuanced topic, I think to break it down a little bit, it's pretty simple. And it's what you think it might mean, which is it's about who has access to what and under what conditions.

And so I think one way that's helpful to think about access control is it has two main components, which are authentication and authorization. And often, authentication is used kind of incorrectly to mean both authentication and authorization.

But authentication is really about asserting who you are. "This is who I think it is," is what authentication answers. And then authorization answers the question, "Can you do this?" And so combined is what I would say access control is. It's in service of letting people or things access the resources they're trying to access. Not to get reflexive there, but yeah.

Turner Novak:

Yeah. So I'm curious then, why that's important? And then could you maybe give an example of worst case scenario of access control gone wrong?

Bobby DeSimone:

Oh man, there's so many on the latter part that a lot can go wrong. But I think this underlies everything we do all day, every day. And I think I happen to live in the cybersecurity and infrastructure land, but I think often we get pigeonholed into thinking about these concepts purely from a digital or cyber point of view. But in reality, we're just mapping these concepts onto just that space.

So, access control underlies everything we do all day, every day. And it's transparent to our lives, whether it's a credit card transaction, whether it's going through the airport, and it's very obvious there, or even just getting a drink at a bar, going to a club. So it's pervasive. And so that's where it is in the physical space.

In the digital space, access drives everything from e-commerce to logging into your bank, Amazon, or where we tend to live, which is on access control to internal corporate resources. And if there is a dark web, there is definitely a dark web of access control, in that where most of access control lives is not necessarily end user-facing, but instead internal to organizations themselves.

Turner Novak:

So, if I care about access control, or I'm trying to control my access, historically, what does that look like?

Bobby DeSimone:

It depends on the use case. I think for external-facing applications, we're all pretty familiar with going back to logging into Amazon or your bank account. We're very familiar with that flow. Which is like, you get a prompt, username and password, maybe you'll get challenged with a two or multifactor authentication key, SMS, security key, and so on. That's what it looks like mostly from the end user point of view. And we'll probably talk about this more, but somewhat bizarrely for corporate access control, that's not what it typically looks like.

Typically, what that would look like for years, is you have a client or a piece of software on your machine called a VPN or tunnel, and you log into that. You essentially make a connection to a server inside the perimeter or firewall of your corporate network. And from there, you're able to access your resources.

There's challenges with that, but I think in fairness to that model, for a very, very long time, your physical perimeter, where you happen to be, was a fairly good metric for whether you should, going back to authorization, have access to that thing. You checked in at the front desk, you jacked into the ethernet cable. It was fairly, I mean even then it had problems, but it was a fairly good chance you should have access to those things in those four walls.

Turner Novak:

So it was kind of like, we gated the digital with the physical, where you can't access the digital network because you've been boxed out physically? You literally can't get through the fence or the gate or something like that?

Bobby DeSimone:

Absolutely. What we really did is we said, "What you should have access to is largely based on where you happen to be on a network." And you can see where that'd be problematic. Just because you're on a network doesn't necessarily mean you should have access to something. I think that's a lot of where my time has been focused recently, because it has some obvious problems.

You ask where some of this has gone really wrong. I think a good example of this is probably the biggest breach ever. I talk about this; it happened several years ago, which was the Target breach.

Turner Novak:

What was the Target breach?

Bobby DeSimone:

The Target credit card breach.

Turner Novak:

Yeah. I feel like I vaguely remember it, but what happened? Recap for us.

Bobby DeSimone:

Yeah, I think it's a great example. And not to point them out, this is very common, which is the biggest credit card breach in history was the Target breach. And it happened because a hacker was able to get on the internal network via the HVAC or air conditioning unit that also happened to be connected to the internal network. And so that's a great example of your digital security and your access control is only as good as finding a way onto that internal network.

Turner Novak:

And that's not even that hard. You could probably just go show up to any big corporation and find some way in. It's probably not that hard.

Bobby DeSimone:

That's right. That's the truth.

Turner Novak:

I'm not condoning it, but I'm sure if you really, really wanted to…

Bobby DeSimone:

Yeah. No, this is totally a thing. If you read back to, going way back here, Kevin Mitnick, I think is the author who wrote The Art of Deception. A lot of early hacking was just social engineering, getting on the premises, dressing like someone who should be able to jack in. And then from there, it was somewhat trivial to get to the production database or whatever it is.

So, this perimeter-centric security model has been the de facto standard for internal corporate security for decades. And we probably, most information workers, whatever you want to call it, know this when they log into their VPN to start their day every day.

Turner Novak:

So let's just say you're a corporate employee at, we'll just keep using Target. You work on the finance team, you have your computer set up on your station. You press the button at the beginning of the day when you get in, and you just log into the network. And you don't think about it, but there's some access control parameters that are happening there.

Bobby DeSimone:

That's right. So I don't know what Target has done since this. I'm sure they overhauled their system quite a bit, but maybe to pivot a little bit, a lot of what I've been working on recently relates to a company that talked a lot about this experience of moving away from a perimeter-based security model to a security model that largely bases access on things that are kind of common sense.

If you close your eyes and go, "What would the perfect access control model look like?" You'd be like, "Well, I want to know who you are. I want to know if you're in good standing. I want to know: is the device owned by the company? Is it in good standing? And is what you're trying to do within your scope of responsibilities, or should you be doing it, right?" If you like the ideal version without imagining exactly what that would be, that's very much where I've been focused.

And then talking about a company that talked about their transition, that was Google, and they called this their BeyondCorp-style access model. And that's exactly what they did. They totally de-emphasized the perimeter as the sole indicator of whether you should have access to something, and brought in these other factors to say, "No, we're going to base access control on all these other factors."

Turner Novak:

Yeah, I think you were mentioning to me the other day, that's sort of the inspiration where you started working on the company, the first product.

Bobby DeSimone:

That's exactly right. Just to go a little bit into my background or what I'm working on today, not to bury the lede, is a company called Pomerium, which is an open source identity and context-aware proxy.

And basically, what that means is exactly what I just said, which is, let's de-emphasize where you happen to be on the network as the only thing we're going to do for whether you should have access. And instead, use your identity and all those other factors to say, "Yes, Bobby should access the credit card system, or whatever it might be, based on those variables," as opposed to whether I just happen to be on the right network.

Turner Novak:

And then how easy or hard is it to build all this stuff? If I was like, "This sounds like a cool idea, I'm going to start working on this internally," what's the scope of getting that done?

Bobby DeSimone:

Like with most things, the long tail is the really hard part. And so to tell you, I think it's a continuous process.

Google's built their internal version called BeyondCorp. It's very much focused on, in very Google fashion, on Google's stuff. Pomerium is trying to bring that to the rest of the world and make it generic to every organization. And so that's got its own set of challenges.

But maybe to more concretely answer your question, it takes at least five plus years, which is how long I've been working on Pomerium, and I have a very talented team working on Pomerium. I think the long tail is, if you think about that context piece of access control, the better the context sources you have, the better your authorization decisions can be.

So yes, for us, I think the easy part is that, hey, pull whatever is in your identity provider for identity information, like Okta or Azure, whatever, but the long tail is pulling in an arbitrary set of institutionally relevant data to also make access control decisions about.

And so a lot of organizations have a bunch of different possible sources from which to make those access control decisions. So I talked about, the big one is device identity and device posture. That's one of the main things. You want to know, "Not only is this Bobby, but his device hasn't been compromised." And there's a whole bunch of different systems for sourcing that information, and that type of integration definitely takes time.

Turner Novak:

What is, I don't know, one of your hotter takes on security right now?

Bobby DeSimone:

The front end stuff everyone shows and thinks about is in a good position. It's top standards, it's compliant.

But the reality is, most organizations, everything behind the firewall or on the backside, is just a hot mess. There's almost no authentication, no authorization. This is even more true if the company's more than a few years old. And I think that's really where the stakes are extremely high, and we're deluding ourselves to not recognize the state of security across a whole organization.

Turner Novak:

And that's where Pomerium comes in, where you get in once and then there's no protection on the inside? That's essentially what you're doing, right, is you're protecting the back end?

Bobby DeSimone:

That's right. We're a centralized access control layer that will upshift everything behind the fold.

And I think that's the big thing, which is, it's no longer hard crunchy outside, soft gooey inside. It's hard crunchy outside, harder crunchy inside. And you can't move laterally between assets like you could on these perimeter-based tools like VPNs and tunnels.

Turner Novak:

How easy is it to use Pomerium?

Bobby DeSimone:

I would hope that you'd be able to install it in under five minutes. We have a hybrid cloud version of Pomerium called Pomerium Zero, which is directly aimed at being easy to get kicking with. Especially if you have a home lab and you want to share photos with your family and you want to add this pretty sophisticated security model to all that stuff, like if you have a NAS or something like that, that should take five minutes, less. If you're at all familiar with a standard reverse proxy, that's what Pomerium looks like under the hood, so like Nginx or HAProxy, that's what we look like on the infrastructure level.

Turner Novak:

And you said you've been building this for about five years. I think your relationship with coding and engineering goes back a little further than that. When did you first start coding? When did you first get into all this stuff?

Bobby DeSimone:

Yeah, coding as long as I can remember. It's one of those things where some people had their dad or mom was an engineer or something and that was their exposure. That was not the case for me at all.

I came from a family of jocks, so computers and technology was not even in the picture. But like a lot of people, I was fascinated with taking apart technology. This is a common story, I think, is you take apart the radio and try to understand it. And I think that's how I initially got into technology.

And then in terms of coding, I don't know what my first, I think C++ might have been my first language on my neighbor's computer. I used to tell my dad I was going over to play baseball with the neighborhood kid, but I'd actually go over and fire up Borland C++ and try to hack something together.

But yeah, I've been doing it for as long as I can remember, and I couldn't tell you why exactly. It felt like a superpower to just create things.

Turner Novak:

Yeah, I think for me, it was just a friend in seventh grade mentioned they have a website, and I was like, "Oh, cool. That sounds fun. I'll have a website, too." And I think that's when I really first, it was just like HTML. You use one of those WYSIWYG free editors and then you could insert your own code and you could change it. I was like, "Oh, this is so cool," and then went from there.

And then you actually bought your first car from a WoW bot that you built. What's the story there again?

Bobby DeSimone:

In the spirit of taking things apart, I followed that through throughout my whole career, and this is probably why I orient on the security side. Playing games, I actually had more fun not playing the games, but reverse engineering them. And though I was not a big World of Warcraft player myself, I had written automated bots to play these games, 'cause that was more fun for me.

And then realizing there was actually a monetary value behind them right around when I was turning 16, being able to realize that gold farmers and stuff like that would pay good money for a bot that could avoid anti-cheat.

And this is going way back, but at the time, this is when Blizzard had implemented something called, it's escaping right now. It's not Guardian, but it was a kernel-level driver to check if there was any code being injected into WoW to prevent these cheat systems. I had written my bot also at that level to avoid that detection system.

And so when there was a huge ban wave, my bot was the only one left standing. And people were desperate. There were Korean and Chinese gold farms desperate to replenish their stock or whatever, and I sold that code to one of these farms for enough money to buy my first car. So, I think it was a nice circumstance for me, and made me realize, "This is a marketable commercial skill I've inadvertently developed here."

Turner Novak:

Yeah. It might sound niche, WoW gold bots, but that was actually a big market, at least in the, I don't know, mid-2000s, late-2000s. It might even be bigger now.

Bobby DeSimone:

Totally. And what's old is new again. So it's kind of interesting, because probably the biggest period of downtime we've had in probably a decade, maybe ever, is the CrowdStrike issues that have come about from that update. And part of why that's so bad is because CrowdStrike is operating at that super low, ring zero kernel level. That gets into one of the things that is unique about Pomerium, which is there are no clients to use Pomerium.

So when I first talked about VPNs, you've got to log into a client, go to the thing you're accessing.

With Pomerium, you just type the address into the URL bar of your browser and go directly to the thing. There's no client. Clients can be fairly invasive.

All tunnels and VPNs are hooking the network controls, and then CrowdStrike was even the lowest level of the operating system at the kernel level. And because there was a mistake there, it was catastrophic.

Turner Novak:

Yeah. Can you explain to us what exactly happened with the CrowdStrike thing? I think people are probably vaguely familiar. We probably all saw the memes and Delta being down, but can you just take us through maybe high-level and then go a little bit deeper and explain what happened?

Bobby DeSimone:

Yeah. They've since released a postmortem, which would be the best way to get the actual facts. So I might screw this up a little bit.

But my understanding is there was an auto update of CrowdStrike's client, and it contained a bug essentially at that very low level. And when that bug happens, it's right when the operating system is initializing. And so what it would cause is, basically, a crash loop at the most critical time of booting up. And so not only was that happening, but if you had full disk encryption with BitLocker enabled, it was non-recoverable, essentially. And so it was basically corrupting the operating system at its most critical path. Now, there's more nuance there, but that's essentially the concern around software running at this very, very low level.

Turner Novak:

So as they issued an update, everything restarted, and then it was kind of like a doom loop. It just wouldn't actually boot up properly, so just everything was down?

Bobby DeSimone:

That's right.

Turner Novak:

Interesting. Do you know, how did they fix it? Just curious if you actually know.

Bobby DeSimone:

I think they released a patch that did eventually fix it.

I think the real challenge was, if BitLocker was in the mix, I don't know that it was even possible to recover because of anti-tampering measures that Microsoft had implemented to prevent you from circumventing their disk encryption. So, I've got to be honest, I don't know that there was a remediation for folks using disk encryption, which I speculate is most corporate enterprises. I think there were some break-glass procedures being run there.

Turner Novak:

So CrowdStrike probably had to push an update from their side to overwrite the doom loop, basically?

Bobby DeSimone:

Yeah, that's right. I think the challenge is, if you're hitting the doom loop immediately, how do you do that? It's just happening at the initialization phase, so how do you swoop in right before? And I'm sure they figured it out, but I think it's why it was just pure chaos.

It is interesting, because I definitely caused that myself when writing these drivers, writing these bots, so I'm very empathetic to that pain. It's just interesting that, to me, this is a little bit of a situation where we shouldn't really be needing to have to do this to get essentially device identity and device state, and I don't think we need to be hooking the kernel or hooking the operating system as much as we are with some of these tools that are really about access at the end of the day.

Turner Novak:

Transitioning more to Pomerium, what was the insight initially to start the company?

Bobby DeSimone:

My big contrarian point of view is Pomerium itself, which is if we fast-forward into the future, we'll look back at this time and previous times as being insane in what we were doing for access control. It won't make any sense. Like I said earlier, it's like if you close your eyes and imagine what a perfect access control solution would be like, you're trying to get to something on your internal corporate network, it would not include a client.

It would just be in the browser. Just like you're logging into every other very high stakes thing you do day to day, like your banking or Amazon or whatever. And instead of using where you happen to be on the network, 'cause it'd be very obvious what the downsides of that are from the Target hack, to use things like who you are, what state you're in, the device you're on, and whether the device is in a good position.

And one other thing, which is all these, they're called layer three or layer four tools, VPNs and tunnels, they're operating at a low level, they're not able to see the actual context of every request. And that's the biggest thing I would say about access, which is, if I don't know what you're trying to do, how the heck can you get context-based access? You're completely blind to the action a user is trying to take.

So my big contrarian maybe opinion about this space, is in 5 to 10 years from now, we're not going to tolerate that lack of continuous access control, the ability to take into account what someone's trying to do into making that authorization decision, and the usability of having to use a client. We don't need it, so why are we doing it? And I think that's what gets me kind of fired up to work on something for as long as I've been working on Pomerium. I think it keeps you mission-focused.

Turner Novak:

It's interesting that this even needed to exist in the first place. Do you know why this wasn't always the case? Was it a technology thing? Or did we build products the wrong way initially? How did it get to that point where this is even necessary to do?

Bobby DeSimone:

That's a really good question. I think just over time. I think it goes back to that it used to be that the physical mapping was good enough. And building fine-grained access control capabilities around identity is challenging, and so a few things sort of had to happen first to make it easier.

One of those things is single sign-on capabilities had to be more diffused. Things like Okta, Azure AD. I think that was the biggest thing.

Turner Novak:

Is that 'cause it just made it a simple integration, just get your Okta, you're good, you've approved, versus having to do a bunch of checks manually or?

Bobby DeSimone:

Well, it was just the first step you had to take, which is if you were going to get rid of where someone was on the network, you had to replace it with something else. And that something else, the first step, obvious step was who this person is, and then you try to build what they're trying to do and the context around it and what device they're on. So I think the first big step was getting that identity piece from a single sign on provider.

But to be totally honest, a lot of these internal tools, you're just trying to build as quickly as possible. I'm talking about dashboards, admin panels, support tools. There's this whole set of stuff that's under the iceberg that we kind of don't admit is there, that is honestly probably totally lacking access control, and still is. And this has gone on for generations, well, generations of employees at a company.

And so there's a big problem when it comes to access control, that most of these apps and services that have been built over time just totally lack any sort of authentication and authorization. And so these network-based VPN and tunnel tools are an attractive way to at least get some controls on those systems. Prior to Pomerium, that's why VPNs were so diffuse.

Turner Novak:

And then can you explain a VPN really quick? You've mentioned it a couple of times. I just want to make sure everybody understands that concept.

Bobby DeSimone:

Yeah. A VPN, or a virtual private network, is a tool that allows you to connect to inside the internal corporate network and almost appear like you're inside that network. That's what a VPN does. It transports you virtually inside the walls of some digital perimeter.

Turner Novak:

So this would be if I'm working from home and I log into my ABC corporation account and can access my Outlook and all that kind of stuff, that's essentially what it is?

Bobby DeSimone:

Yeah. It's a little crude to say, but it's the truth - it's poking a hole on the side of your network. You are not going in the front door when you're using a VPN and tunnel, you're using a side door. And that's what feels so janky about it. Most of traffic going into your network is going through the front door. Other than this VPN access, you're kind of coming around the back.

Turner Novak:

So then what are you doing differently? I know you've explained it a little bit. Basically, Pomerium is your contrarian opinion of the world.

So, can we kind of go a little bit deeper on just specifically, if I'm looking at how to do access control and I come across Pomerium, what, am I probably going to be like, "Oh, this is a different take on this, different point of view"?

Bobby DeSimone:

Yeah. Well, the biggest thing is we're no longer using locality or where you happen to be on the network for whether you should access something. But what that means concretely, is we replace it with identity, posture, and context to say, "Okay, Bobby should be able to access the internal wiki, the version control system," whatever it is.

And I think the big key is we're doing that without any sort of client, we're doing it not at that connection layer, but at layer seven, which lets you know what the person is actually trying to do when they're trying to access internal systems. And so being able to take that into account in authorization decisions is sort of the big difference here.

Turner Novak:

So you authorize individual actions, not just broad access?

Bobby DeSimone:

That's right. For VPNs and tunnels, there is some authentication and authorization happening, but it's happening at the start of your connection. It's one and done. After that, it's almost completely blind to anything else that's happening once you're virtually transported inside the network.

Versus Pomerium, is constantly and continuously looking at every single action you're doing and going, "Should he or she be able to do this?" And creating, kind of important in the corporate environment, creating audit logs around those actions. Actually, I talked about Google earlier being one of the earliest people on this approach. If you look carefully at the Google-Uber lawsuit around, I think it's Levandowski.

Turner Novak:

Oh, yep. Their whole self-driving car division battle, that was a big thing.

Bobby DeSimone:

That's right. So almost all of the evidence that was included in that case came from their version of Pomerium. So those were the audit trails that were able to say, "We are very sure what allegedly this person did on their way out the door."

And so that's another really important component for enterprises, is you're not blind to what people are doing, in addition to being able to assert authorization for each action here. I don't think they would've had a case without their equivalent of Pomerium.

Turner Novak:

So the defendant in the case just could have said, "No, you can't prove that I did certain things at certain times." Well, Google could literally say, "We know this is the actions that were taken at this."

Bobby DeSimone:

"We knew every action you took on your way out the door." Versus they would've just said, "Hey, I know you logged in at 8:00 AM and logged out at 5:00 PM." And maybe the little disparate audit controls on each individual system, but they would not have the single thing tying it together.

Turner Novak:

Interesting.

And I know you have an opinion on zero trust. I've heard this word before. It's a big security word. What is zero trust?

Bobby DeSimone:

Yeah, it's unfortunate 'cause I feel like it did use to mean something. If you look at the NIST documentation around zero trust, there are some good concepts around zero trust. Unfortunately, it's become an absolute marketing buzzword.

What zero trust means is that we should not only use where someone happens to be or what their network locality is to authorize their access. That's it. It does not mean trust nothing. It does not mean whatever. Not to throw shade at every VPN and software-defined networking company, but if you go to RSA, they're all saying they're zero trust, and they're explicitly the opposite of zero trust if you actually read the source documentation.

So, I think the sad thing is, I don't often even bring up zero trust when talking to prospects and customers because people have become so cynical around what zero trust has become to me, which is essentially nothing.

Turner Novak:

Yeah. Well, so on that note, any advice for someone looking at some form of access control? What do you recommend just being aware of if you're out looking for a software to use?

Bobby DeSimone:

Yeah, I think first is start with where you are. Do an assessment of where you happen to be, what your internal corporate apps and services are. Map them all out. Just like you would with data and data classification, do that for access. And I'd say most people, especially companies that have been around a while, have a huge number of legacy applications that may have no access control and might be very critical to the business. So I think just mapping that out is step one, and then look at the best way to overall level up your entire infrastructure's access control story in as few moves as possible.

Turner Novak:

Why is that important?

Bobby DeSimone:

The most obvious one is if there's less software to maintain, there's less that can go wrong. And I think, being a little bit biased here, is looking at something like Pomerium. If you start by putting Pomerium in front of your entire legacy application or service base, you instantly have added single sign-on and context-based access to the entire fleet of your legacy applications and services. And that is a five-minute upgrade that just could have brought your entire stack up two or three levels in security posture.

Turner Novak:

That almost sounds too good to be true, five minutes.

Bobby DeSimone:

I hear you. But no, it really should just take five minutes. Once Pomerium is in front of one asset, it's trivial to add it in front of other assets.

Turner Novak:

Interesting. And it's all open source, too. Correct?

Bobby DeSimone:

That's right. From the very beginning, Pomerium was open source, open core. You can check us out on GitHub, on Pomerium/Pomerium.

Turner Novak:

So then, I know that was a big decision. How did you get the confidence to just start putting all the code out there? What's the story there?

Bobby DeSimone:

I grew up in open source. I think it's always been a big part of how I philosophically think about software and giving back to the community in a way and what it's given to me.

But I also thought a lot about one of the biggest sticking points for companies, especially big companies thinking about adding critical infrastructure, which is trust. And one way you can get people to trust your software is don't hold anything back. They can see right there in the code the quality of the code, the testability of the code. And I think that, for me, I recognized as an important way to leapfrog those trust conversations, especially in the places that I'd imagine Pomerium being installed.

Turner Novak:

And I think open source is also maybe helpful, or not helpful in some cases with customer stuff. How did you get those first few customers transitioning from open source to signing some larger contracts?

Bobby DeSimone:

Yeah, this one, it's an ongoing thing to figure out. This is a really challenging thing. I think first I wanted to know it was possible. So I would say companies like HashiCorp were really inspirational for me in looking at what might be possible on the open source side to build a company around, especially for core infrastructure. So first huge credit to everyone who did this before Pomerium, but knowing it was possible to build a viable business around open source was step one.

I think in terms of Pomerium itself, learning the lessons from those other organizations, it was having a very clear view of what we were going to put in open source and what we were going to keep out of open source. And our sort of North Star there was anything that a hobbyist or a small team would want would be open source. Anything for multiple teams, or something that was clearly a big enterprise ask, we would keep out of open source and put into enterprise.

To make this concrete, we were never going to charge for SSO. I'm sure you've seen that SSO tax website. We were never going to gatekeep security. That's paramount for a product like ours. Even controversial things like high availability, I still think are critical to small teams as much as hobbyists.

But on the other side, any sort of governance control, who's watching the watchmen, centralized access policy, the ability to scale to maybe hundreds and thousands of users, all that is enterprise. So, I think the calculus was, "Give away as much as we can and then keep the compliance, governance, risks, auditing capabilities in the paid product. So when a customer advanced to that level, they'd be happy to pay us from the value they were driving out of Pomerium."

Turner Novak:

Yeah, I was going to say, that's probably my reflection on what you just said. Which is, you are making money on the things that other people are probably using to make money themselves. So if they're running a business on it, they're probably paying you in some sense.

Bobby DeSimone:

That's right. I think Pomerium is proportionally valuable to the things behind it. And so for us, we do want to incentivize Pomerium to be, like I said earlier, as easy to get in front of as many things as possible, because we genuinely feel we're upgrading everyone's security and usability, but also because it's how they'll view Pomerium as a valuable enabler of their business.

Turner Novak:

And you told me your first paying customer basically ran their entire business on that. What was the story there?

Bobby DeSimone:

Yeah, so this was super humbling and also a really great experience, where we had an open source user who was an early adopter, saw the value, and we grew organically within the organization. To the point that when we started having those commercial discussions, we realized that we were in front of every single application and service that they were running, and all 20,000+ users at that organization were going through Pomerium every day to do every aspect of their jobs, which is usually not your first customer.

Turner Novak:

That's a pretty big first customer. Yeah.

Bobby DeSimone:

For sure. I think that is, you talked about maybe the downsides of open source a little bit, but one of the downsides is this is a somewhat common occurrence when I talk with other open source founders, which is you kind of really don't know who's using your product until they raise their hand. Especially with a security and infrastructure product, we are very careful not to include anything that would feel a little bit invasive like that.

But then what happens is, you find out two years in that a Fortune 50 company has been using you for years and you're critical infrastructure for them, which is a great surprise, but not the ideal commercial relationship that other businesses have.

Turner Novak:

Yeah, but they are a customer now. They are paying you, correct?

Bobby DeSimone:

That's right. Yeah.

Turner Novak:

Yeah. So I guess it worked out at the end of the day.

Bobby DeSimone:

Would they have used Pomerium if we weren't open source that early? And I think the answer's no. So, there are benefits and trade-offs, for sure.

Turner Novak:

So, this is maybe a question for somebody who's not super familiar with open source, but why do people like using open source so much? If I'm like, "This is the first time I've heard of open source," or I'm just not super familiar with the space, what makes open source software so attractive compared to non-open source or closed source?

Bobby DeSimone:

Yeah, I think for a few reasons, especially in the security and infrastructure space. I think one, again, is trust.

Turner Novak:

So why is it trust?

Bobby DeSimone:

I think because there's nothing up your sleeve. You can't hide what something like Pomerium is doing. It's right there. You can go read the source code and know exactly what Pomerium is and isn't doing. If we say we do a feature and it's not doing it, there's a very short path to figure that out. I also think there's some aspect of many eyes make all bugs shallow, so it increases the overall dependability and security of a tool like Pomerium.

And I think another one is just, quite honestly, it's a distribution thing, which is there's almost no friction to trying Pomerium because it's open source, especially in something like Docker. You can write three lines of a Docker config and have Pomerium up and running in your cluster.

And I think it's a combination of those things that makes open source really compelling, especially in infrastructure and security. There's different reasons why open source is really popular in, say, the AI space and open source models and the front end space. But I think for infrastructure and security, I think one of the most important things is around trust.

Turner Novak:

You had a really big open source customer, or potential customer, that you missed. I think you mentioned it was like a seven figure deal that you missed because you didn't have a LinkedIn, you were offline. What happened there? What could we learn from that?

Bobby DeSimone:

Yeah. Well, I think what you can learn is you should have a LinkedIn, even if you're a natural recluse like I am. So, that was a little disheartening to hear.

But again, another situation where we had a huge open source user, global Fortune 50 company, powering their business and talking to their CTO and CISO, they just said, "Hey, yeah, we wanted to pay you for this, but we just couldn't get in contact with you. You weren't on LinkedIn, you had nothing to reach out to." So, I do have a LinkedIn now, but that was a little bit of a bummer to hear.

And it was a huge, like you said, seven figure deal. Especially in the security space, technical founders tend to orient on the reclusive side. But that does have a very real cost.

Turner Novak:

Yeah. Probably like the most valuable LinkedIn profile ever, closing seven figure deals because of it.

Bobby DeSimone:

That's right. And it came up early in my fundraising as well. I definitely got comments that the due diligence took a little bit longer, to say the least, 'cause I was just not on the grid. So, consider that if you're going to raise: as much as people can complain about LinkedIn and what that's become, it does have value, especially when you're raising. And social capital is a big part of that process.

Turner Novak:

How did that go, the first round that you raised? I know we were introduced by Semil at Haystack. How did that all come together?

Bobby DeSimone:

Aashay at Haystack actually reached out. I was not looking to raise. At the time, I was getting paid to build Pomerium by some big large companies that had reached out that were interested in support contracts or feature contracts. This was my second startup, so any second time founders will tell you, you definitely think a lot harder about the second startup than the first, knowing what the experience is. And Aashay at Haystack was actually the first call I took.

Turner Novak:

Why'd you take his call versus I'm sure there's a lot of people reaching out?

Bobby DeSimone:

I think he just came off as really genuine, just wanted to ask about the open source project, the momentum, and it was more of a conversation than anything else. I don't remember specifically, other than that it was just a very genuine conversation.

Turner Novak:

Yeah, that's true. I also know Aashay. He's a very genuine guy.

So you were still reclusive, you were still anti-LinkedIn. Did you create a LinkedIn after the fundraise or how did that come about?

Bobby DeSimone:

No, I didn't create one until maybe two years ago, so well after the first fundraise. I don't know what the motivating factor was that actually got me to bite the bullet. I think my head of marketing, who was my advisor at the time, good friend, Nikhil Balaraman, he pushed me gently into that direction.

Turner Novak:

Yeah.

And I think you mentioned before, really everyone is in sales. How did you come to terms with that and then get better at sales as a founder?

Bobby DeSimone:

Yeah, I think there's some realization that, at least the founder role, at least one of the founders is sales, right? And it's probably true of what you do too, which is you are selling people on taking your capital, you are selling your LPs on your ability to make a return on capital.

And I think as a founder, whether you like it or not, your main job is sales. You're selling to customers directly. You're selling critically to your team and finding mission-driven people that are going to work on your passion with you. That's probably the most important part. Just the entire job is selling.

And to some extent, I'm selling right now, which is the main reason I'm on here. I have a view of the world I want to see happen faster, and this is an opportunity to pitch everyone on, "why aren't we doing access control this way?" And hopefully we can accelerate that.

But yeah, I think the main job of a founder is sales, whether you're a technical founder or not.

Turner Novak:

So, how have you gotten better at it over time? What have been some of the big learnings and things? Maybe you're already good at it or maybe you've learned over time?

Bobby DeSimone:

I wish I could say I know I'm getting better at it.

I think my gut is that, when I just try to be authentic to how I actually view the space, I'm more compelling as a salesperson, if you want to say that. I think the number one rule is just work on something you're passionate about. That's contagious. I think people feel that.

And so, I don't think you have to work very hard to sell if you are bought in yourself. And I think, if you're trying to sell someone on something you aren't just naturally passionate about and just exude that feeling, the skill might be, just to be a salesperson. And so hopefully I've gotten better at it by communicating more clearly and just increasingly being confident in the passions that I have.

Turner Novak:

So it's, just be really interested in something, understand it, something that you're passionate about, confident in your abilities.

Another way I've heard people describe it, is just you're solving problems for people. So, I guess in the context of Pomerium, someone's problem is access control, and you're like, "Okay." And if we reflect on the last 50 minutes of our conversation, you've kind of gone through some of the problems and you're like, "Here's how we solve them." So it's like you kind of tie all those things together and somebody says, "All right, I got to cut the check."

Bobby DeSimone:

Yeah. It's one of the most satisfying feelings there are, which is, you have a solution to someone's problems. It's very rewarding. Yes, there's a monetary aspect, there's business building. But at the end of the day, what gets you passionate is you see a future of the world that you have the solution to. That's, I think, maybe a unifying thing a lot of founders have. They have a version of the world they see and they want to get there, and they feel like they have the solution to the problem.

And some founders, Elon Musk I think talked about this with Tesla, which he realized he didn't even necessarily want to do it. He just knew he was the only one that could at the time. And so I think there's a sense that even if someone else did this, you'd be happy if the outcome is the version of the world you want to exist, if that makes sense? And I certainly feel that way as well.

Turner Novak:

So then in terms of sales outreach, favorite sales outreach maybe that you use or that you've had people use on you that's worked?

Bobby DeSimone:

Good question. I don't know if it's intentional this way, but I always just like asking people about the problems. If I know they're using Pomerium and open source, "What problems are we solving for you? How could we make it better?" And usually, that just starts a very natural dialogue around what we just talked about, which is the solution, what we're helping the organization do, and maybe how we can help them do it better and scale it.

I think something I'm really proud of is, if you look at our sales cycle and how we work, is we're always kind of a land and expand. It's like, we might be in front of 200 users one day, and then what I'm proud of is how quickly we can expand once the element happens, how quickly they're like, "We want to put this in front of everything." Because in fairness, what Pomerium does is really abstract, which is why we spent so much time even just talking about what access control is and the concepts around it.

But really what it's about is protecting what's important to your organization and enabling people to do their jobs, and keep those in balance and harmony as much as possible. But it only becomes concrete to people when you put access control in front of those apps and services, they need to do their jobs. Then it's concrete, then they get it, then it takes off, in my opinion.

Turner Novak:

Yeah, it sounds like the common thread, we've already kind of recapped this, but it's like, what's the problem? Know a lot about it, help them solve it. At the end of the day, pretty simple. I guess that could get pretty complicated, but it's also pretty simple at the same time.

Bobby DeSimone:

Isn't that life? Life is simple, but not easy.

Turner Novak:

Maybe this is a good way to segue into raising your Series A. I don't know, was there investor outreach on the Series A? How did that whole process come together from your perspective?

Bobby DeSimone:

I will tell you, I am a founder who does not love the process. Some founders just love raising. It's kind of like a metagame for them. Don't hate it. If you can enjoy that process, all for you.

I usually take it as an opportunity to, again, sell, take a moment in time. Usually it's around a milestone that we've hit, so it's something I'm usually proud of, and tell the investor community about what we're up to. Definitely have ongoing reach outs. But I think what was great about the process, is it gives you an opportunity to, in a short time, as much as you can, 'cause it feels a little bit like speed dating to get married.

Turner Novak:

Yeah, it's pretty crazy how fast it goes.

Bobby DeSimone:

Right. It's such a big commitment. I'm sure you talk about this with your VC friends, but it's like you're speed dating to have a 10-year relationship, especially on the Series A side, where you're probably having a board seat and so on. So, knowing that, what was really important to me was finding the right partner on that journey, as much as capital.

And not that the capital doesn't matter, but for me, I was indexing much more on who I thought would be helpful and us succeeding as a business and who would be really invested. And there were a lot of great people out there, but what you're kind of looking for is also a fit for who you are as well.

Turner Novak:

Yeah. So what were you looking for at the time, and any advice for finding the right fit for other founders out there?

Bobby DeSimone:

One big thing, when I got this advice, I think from Kevin Mahaffey, if you know Kevin, founder of Lookout, he gave me some great advice, which is imagine you're getting a call from that investor at 7:00 PM on a Friday.

And if your first reaction is like, "Ugh," don't do it. And if you're like, "Oh, I can't wait to genuinely pick this up," that's your person. And I think that has been such a good just gut check, just beyond... Because you can overthink that, right? This firm, this name, this whatever, this prestige, this amount of capital, it doesn't matter. Just start with that.

Are you going to be excited when the call comes in or kind of not so excited? Good and bad. Whether it's good news or bad news, do you feel like they're going to help you figure it out? And are you excited to share the win if it's a good thing? So that's one.

I think the other thing is, this is more general, but sometimes, especially if something's hot, you can feel a little bit like funds are almost like little mini index funds. Or they're almost making a sector bet. And I definitely didn't want that. I wanted someone who believed in our specific vision and our specific ability to execute on that.

And so those are the two things that were really important to me. I think a lot of it's founder fit. You've got to find someone who complements what your skills are and will help make a better version of you, ask hard questions, and get right to it. I've been extremely fortunate that all the investors I've had the pleasure of working with I would put in that category.

Turner Novak:

So how would you suss that out? If I'm listening and I'm like, "Okay, there's almost high conviction versus index," how do I know who I'm talking to as a founder? How do you gauge that?

Bobby DeSimone:

It's similar to how you would evaluate a future team member. You talk to other founders that have worked with that investor. And they'll give you references, just like employees will give you references that love them when times are good, so reach out to the portfolio companies where shit went wrong. What were they like? Were they supportive? And take it all with a grain of salt, and trust your gut.

Turner Novak:

Yeah, that makes sense. Pretty simple. To what extent, how do you fit in those kind of reference checks when you're getting to the finish line of a fundraise? 'Cause I've always actually been curious, founders will be like, "Oh, we did 20 reference checks on our lead." And I'm like, "That's a lot of time, especially in that short window." How do you do it?

Bobby DeSimone:

I would not say I've ever done 20 reference checks. I've done probably a handful when you were at that moment. And usually, just like investors are going to do it on you. And investors are usually totally understanding if you're like, "Hey, I need three or four days at the end of my process to just do some reference checking as part of my process."

And that's usually what I do. I set a timeline around it, and that's where the network and maybe LinkedIn can be effective, in seeing who's had a connection with that particular investor.

Turner Novak:

And people are probably pretty responsive. Right? And you probably get your answer from the response: if somebody does or doesn't respond, that might tell you something too?

Bobby DeSimone:

That's totally true. Something I will say that I love about the founder community, is in general, we all want to help each other. I can't overstate how unique that is to what we do, which is I think overall everyone has this view that it's not a fixed set pie. The pie is getting bigger, and that is not to be taken for granted.

And so founders, in my experience, have been very empathetic with each other and very willing to help each other, especially around things like this. That's what I love about, I don't happen to be in Silicon Valley, but sort of the ethos of Silicon Valley, is the ecosystem is very supportive of each other.

Turner Novak:

Yeah, I'm not either. I'm in Ann Arbor, you're in Oregon. So we've got the mindset, even though we're not there.

Bobby DeSimone:

Right. But you feel this in other sectors, it's definitely not the case.

Turner Novak:

And you ended up working with Benchmark. Eric Vishria, who's on your board, when I asked him he specifically wanted to know how you think about AI, and security, and open source. How is it going to change over the next couple of years?

Bobby DeSimone:

I think AI is a huge hype thing, but it's also real. I think there is-

Turner Novak:

Those can both be true.

Bobby DeSimone:

They both are true, right? There's going to be some big losers and there's some genuinely huge advancements. And so to put it concretely in what we do, I think there are some places where AI and machine learning can make it easier to adopt Pomerium, make it faster to deploy Pomerium.

So here, I'm thinking of, we were talking about getting a handle on just doing an inventory of your environment. Being able to intelligently build a report and automatically add routes and authorization policies on your infrastructure to just speed up that adoption process, I think, is a huge win.

Step one, most people don't understand the scale of the problem they have, and I think AI and machine learning can help speed up that process and bring it right to the forefront, and have the solution auto adoptable. I think that's very exciting, if that makes sense?

I think there's another component where machine learning and AI can be very useful in the context of Pomerium, which is I was mentioning, part of Pomerium's unique value prop is we're able to authorize every single action and request. We're able to create an audit log of every single action and request. Now, if we consume all that data into a model, we are able to then also run inference against it and have a model detect potentially anomalous behavior or things that might not be caught in the more typical rule-based system that Pomerium is based off of. And so I think that's very exciting.

And I think the challenge and the nuance here is, right now, these models are not fast enough to put inline in those access control decisions. A lot of Pomerium's engineering is making sure we add hardly any latency to a request. These machine learning models are not fast enough to do that.

However, what we can do is we might be able to detect some bizarre behavior, like Snowden-esque stuff, or he's moved a lot of stuff, or Levandowski, "Why is he dumping all this? This is a weird pattern, right? It's a cluster of behaviors. Maybe the individual behavior actions are fine, but the cluster is suspicious. Let's two-factor auth prompt. Let's inject that, this is suspicious." Or even escalate further, "Let's use the two-man rule, let's add someone to this process. Does this look like this user's doing something suspicious?"

And so I think those are two ways that machine learning and AI are going to really make access control more compelling and easier to adopt in the future.

Turner Novak:

Yeah, so I'm thinking, so if there's a bunch of documents that say confidential and you realize, "Oh, he is downloading every single document that has the words confidential mentioned on the page." Or something like, if you're in a bank account and you're sending a bunch of wires and you realize this is a common pattern that typically is what fraud looks like, levels that would trigger something and he keeps sending it to just below or frequency amounts.

Bobby DeSimone:

Totally. Classically, you think about this with fraud detection on your credit card. I think the real challenge for something like Pomerium, as opposed to fraud detection or anomaly detection is the field for credit cards, is you might be doing, well, I don't know, but you might be doing 20, 30 credit card transactions a day.

Turner Novak:

Oh no, definitely not. I'm maybe like two or three a day, maybe.

Bobby DeSimone:

Right. Right. So just on the extreme. If you have a false positive ratio of 1 out of 200 credit cards, it'll be annoying, but you won't be upset. You'll tolerate that, right? If your false positive ratio for Pomerium is 1 out of 200, you're going to be so annoyed you're going to throw us in the garbage, right? 200 requests, how the modern web works, will happen in the first 30 seconds of any day-to-day action.

Turner Novak:

30 seconds? Really? Okay.

Bobby DeSimone:

For a lot of these modern WebSocket-based applications, rich application requests, if you open up Chrome and see what's flying across the wire, it's actually incredible how chatty they are. And so Pomerium is evaluating each and every single one of those requests. So A, we can't add any latency there, and then B, our false positive ratio has to be incredibly, incredibly low. And so I think that's where the fun and engineering and the long-term value is going to be for us.

Turner Novak:

Continuing with Eric and Benchmark, I think this is related. The first board meeting, you told me that you got in trouble for something. What happened at the first board meeting?

Bobby DeSimone:

I wouldn't say I was in trouble. And Eric, if you're listening to this, it was in good humor.

But the first thing that I got in trouble for was that we were making money. And so the number was going up in the wrong direction, not going down. And so it was something that I thought was a good thing, but when you're taking money, understandably, it's to deploy the capital. But we'd happened to have a good quarter and we're making money and being profitable. So I thought that was kind of a funny, almost like Silicon Valley-esque scene, where the first thing I got in trouble for was being profitable.

Turner Novak:

Yeah, we got to throw the Russ Hanneman quote where he is like, "No. No revenue, no profitability. Once you make money, people expect you to make more. We don't make money for as long as possible."

And then, well you mentioned another thing a little bit earlier, was just on hiring engineers and that kind of stuff. How do you hire good engineers? 'Cause it just seems so important, it's hard to do, what's your process for doing that?

Bobby DeSimone:

Yeah, I think my ace in the hole a little bit was I'm an engineer myself. And so I think having that technical background and being good yourself attracts other talent. And I think people are going to evaluate your code base, your technical acumen, and people want to work with other good engineers, quite honestly.

And so to bootstrap that problem, if you are a good engineer, it attracts other good engineers. And I don't know if I'm hands on keyboard very much anymore, but I would like to think that's part of why we were able to attract early engineering talent.

Turner Novak:

What does a good engineer look like, if I'm hiring and I want to get good at hiring or sensing good engineers?

Bobby DeSimone:

Man, it could be so many things. But ultimately, it's about people who are able to get shit done, to put it just direct. And people who are able to think outside the box. Especially early, you need people who can think outside the box and solve an abstract problem without incredibly strict requirements.

And so I think especially early, where things are not clear at all levels of the business, including engineering, you need an engineering team that does well with an inherent amount of ambiguity in the product and what's being built, and is flexible enough to adapt to changing requirements all the time. I think that can understandably drive some engineers insane, and you need to select for people who get shit done and aren't afraid of that ambiguity. And in fact, like it.

Turner Novak:

And then you mentioned something I thought was interesting. You said, you're not as hands on with the code anymore. What has that transition looked like and how have you done that, gotten slightly less involved with the day-to-day engineering?

Bobby DeSimone:

Yeah, I miss it to some extent. I like coding. I think the transition has looked like a necessary one, which is, like I said, you're being pulled in so many directions as a founder and a CEO that you're not a great IC anymore if you're not able to give at least some amount of your week to it that's dedicated. You're essentially probably contributing technical debt.

Turner Novak:

Oh no, that's the worst.

Bobby DeSimone:

Yeah, that's the worst. And so I think just recognizing that, and hopefully I did early enough, is the big thing. And honestly, this is something that Mitchell Hashimoto of HashiCorp told me early when I was asking him whether to start. He said, "You don't start a company to work on your passion. You start a company to get other people to work on your passion." And I think that was really good advice and oriented me towards what eventually it would become.

Turner Novak:

Yeah, it's an interesting framework, of you almost do it 'cause you want the world. It's that famous quote, I forget exactly what it is. It's like, "To will what you want to exist in the world."

Bobby DeSimone:

That's right. I think there's just some recognition that to do this, you want this version of the world to happen as soon as possible, and you realize you've got to be in the highest scale position that you're most capable in to make that happen.

And so for me, that transition looked like identifying that you create a cracked group of engineers that will help you build that faster. And then you focus on where you can provide unique value to the company. And so that was the process for us.

Turner Novak:

Yeah. And then yeah, you kind of hinted, you mentioned timeline. I'm just curious then, how did that look for Pomerium? As you removed yourself, what were the steps of removal? It seems to have worked to some extent, so what could we learn from it?

Bobby DeSimone:

Yeah, I think it's a gradual process. I wouldn't say there was an inflection point where I was like, "Okay, no more hands on keyboard," or whatever. It's just at a certain point, being able to dedicate less than, say, two full-time days on hands on keyboard, you realize that you're not helping, you're hurting the situation, and you're better off focusing on the other things that the team needs you to focus on. And ultimately, as you scale, it's about making the whole team operate better, as opposed to you individually or something like that. So it was more just gradual than any sort of process.

Turner Novak:

Interesting. And then so last question, I've been asking a lot of people over the past couple months, do you have a favorite new tool that you've discovered lately? Can be AI tool, we've gotten ChatGPT before, but do you have a favorite new tool or product, software, that you've discovered lately?

Bobby DeSimone:

Yeah, I think it would just be a broader category, which I think using all these LLMs has been. It's in its infancy in understanding where they can be applied, so each one right now has different advantages. And so not to be boring here, but I would say these LLMs are the new hot thing, and for good reason.

Turner Novak:

Are there any specifically that you're using for certain things? What are you getting the most value out of?

Bobby DeSimone:

Claude is fantastic for coding, which I do, not to undermine myself, but yeah, Claude is amazing for coding. ChatGPT is interesting for long form or summarizing things, or taking unstructured data and making it structured. I think that's interesting.

Just quick anecdote, like I mentioned, my wife is a super specialized surgeon, very niche, and I was like, "Hey, ask things only you would know on your boards or your exams." And it gets it right. It is incredible what these systems are able to do from a knowledge perspective. I think from a reasoning perspective and what they can't spell strawberry or whatever or add,

Turner Novak:

I've seen that, yeah. That they don't know how many R's are in strawberry.

Bobby DeSimone:

That's right. There's definitely issues with these systems, but they're pretty incredible.

And I also think that they're a really interesting thing for Pomerium ourselves to secure. A lot of these models need to be deployed at the edge. A lot of how they're trained has to be done in a certain way that doesn't fit well with traditional forms of access control, especially the tools to build the models.

And so just from that point of view, I think this is a very interesting space for us as a company to protect something that is incredibly valuable. I think we've been seeing customers in this space with security models that supersede the security models of our most paranoid financial institutions, which is wild and fun.

Turner Novak:

Can you expand on that?

Bobby DeSimone:

In general terms, I think if you spend billions of dollars building a model, you know right away how much that security is worth. And that's what security modeling is about, is you protect something proportional to the value of the thing it's protecting. And this has pushed that calculus so far to the right, that these companies are really investing in safety and security at a level I haven't seen in my career before.

Turner Novak:

Yeah, I guess to your point, Google basically just built all this internally, 'cause it's just so valuable to them. Hundreds of thousands of employees, possibly hundreds of billions of free cash flow? I don't know what Google's at today, but close to that. That's worth protecting.

Bobby DeSimone:

That's right. And it's a single locus now with these models. If someone leaks OpenAI's model, it's like a billion-dollar leak in one moment.

Turner Novak:

And then we've got some people like Zuck, who has just given his away for free, open sourcing it. What do you think is going to happen there? Have you noticed a lot of open source in AI or?

Bobby DeSimone:

Well, yes, definitely everyone's adding a component to their product that includes fine-tuning or using a component of AI, 'cause it's such a shift, so you see it everywhere. I think it's great that Facebook is open sourcing. Obviously I'm biased here, but I think it'll move everyone forward to have a component or a major player, a foundational model that's open source.

Turner Novak:

You yourself have created a business model around open source. Do you have any hypotheses of what Facebook might do to make money around open sourcing their models? I know Zuck has gone on podcasts and said, "I don't know." Personally, I kind of think that's what you would say if you did have a plan. I don't think he's just doing it for fun. How do you think they could make money?

Bobby DeSimone:

Especially Zuck.

Turner Novak:

Yeah, exactly. He's one of the most ruthless capitalists of all time. I don't think he's just winging it.

Bobby DeSimone:

I don't know what the long-term plan is here. I speculate that if you really want the answer to that, it's in the subtleties of how those models are licensed. That will hint at where they think they're going to be able to monetize it. And so I think that's the big thing, is Pomerium is Apache 2.0 licensed, which is like essentially you can do whatever you want. There's no constraints on it.

The open source license that Facebook has definitely has guardrails around it, especially around other big companies using those models. And so I don't know the exact details, but I think the answer to that question lies in what the fine print is for what you can and can't do with those models.

Turner Novak:

So just the fact that there's fine print probably hints that there's a plan, that they've included it in the first place?

Bobby DeSimone:

That's right. I have the same intuition about Zuckerberg, is I don't think he's winging this one.

Turner Novak:

Yeah. So then last question, do you have a favorite CEO, leader, business investor, just someone that you've learned a lot from, get a lot of inspiration from?

Bobby DeSimone:

Yeah. I'm laughing 'cause it's always the same guy, Charlie Munger. Rest in peace.

He was just such an inspiration. Not as much on the investing side, but just common sense side of life. Always respected his outlook on investing and rationality being a moral duty. And earlier, I think I said, "Life is simple, not easy." And I think Charlie Munger was a huge influence in my thinking around a lot of aspects of investing, company building, and to life, to some extent.

Turner Novak:

Yeah, I think my favorite, I don't know, Mungerism, if that's what you'd call it, is the, "Show me the incentive. I'll show you the outcome." So it's like, what are people incentivized to do, that is probably what they're going to do. It's a pretty easy framework to apply to a lot of things.

Bobby DeSimone:

Absolutely. Yeah. There's just so much wisdom in someone who's lived that long of a life and at that level. So yeah, I'd definitely say Charlie.

Turner Novak:

Yeah. Awesome. This was a lot of fun. Thanks for coming on the show.

Bobby DeSimone:

Thanks, Turner. I really appreciate it. It was fun.


Stream the full episode on Apple, Spotify, or YouTube.

Find transcripts of all other episodes here.
