An Ability to Execute and a Fantastic Amount of Luck

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 187 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest this week is Andy Ellis, chief security officer of Akamai Technologies. He shares the professional journey that led him to Akamai, along with his recollections of the early days of online data sharing when bandwidth was expensive and pipes were small, and the uncertainty of being part of an ambitious internet startup. We’ll learn about his management style, the importance of a company culture built on trust and communication, and, of course, we’ll get Andy’s take on threat intelligence.

Andy Ellis:

I started working for my folks a long time ago as a construction site cleanup crew. I think of that as a security job, which probably most people don't because it's really sometimes just about hygiene. Making sure people don't step on nails is a big piece of what you have to do. And, on the bright side, you're always trying to get back to something normal, but that's not what most people would traditionally consider a first security job.

I've been a patrol guard, I walked for a condominium complex when I was living in Vermont. But my first cybersecurity job was in the Air Force, when I graduated from MIT with a degree in computer science with a focus on theory. My discipline was understanding all of the problems that computers couldn't solve, if computers really existed, which I think is a great grounding for security. I went into the Air Force, doing information warfare for Central Command. I was stationed in South Carolina, which is the headquarters for Central Command Air Force, deployed into Egypt for the Bright Star exercise, did a tour up at Hanscom Air Force Base here in Boston, doing test and evaluation, and then got out and came to Akamai where I've been for just over 20 years.

Dave Bittner:

Wow. What was that transition like going from the military to the private sector?

Andy Ellis:

I think for me, given I'd had a lot of jobs in the private sector before, it wasn't like I'd spent a career in the military and now I have to figure out how to be in the private sector. I'd been in the military for three and a half years, but it was still an interesting transition. And I'm transitioning like right as the tech bubble's about to burst. It hadn't yet burst. This is early 2000. But it's starting to happen.

And I remember during all of my interviews, most of the jobs in security were these consulting firms that were trying to massively scale very quickly. So, they didn't want to pay you anything. But when they heard you were a veteran, they were very excited because like, "Oh, you were paid nothing by the military. So, you'll be happy with slightly more than nothing." It was really fascinating. But they were body shops. They wanted people to go out and tell other people what to do following some script. And I wasn't really interested in that. With Akamai, I had a bunch of friends who worked there and they wanted somebody to actually help secure the platform that they foresaw being this planetary scale platform, and they were right.

Dave Bittner:

My recollection of Akamai, when you talk about going back 20 years or so from my broadcast days, was that in the early days of the internet, really pre-YouTube any time you summoned up any sort of digital video chances are somewhere in that link was buried the word Akamai. And we weren't 100 percent sure why, but it just came up time and time again, as being synonymous with having digital video served.

Andy Ellis:

Yeah, that's pretty accurate. The early days of Akamai, we were a very basic CDN, it was object delivery. So, instead of delivering a whole site, we would just deliver objects. And so, they all came off of our domains. So, people would do, it was called “Akamaizing.” You would take your URL and you would prepend to it. You'd put an Akamai host name and then a couple of fields, and then your normal URL. So, we knew where to go get the object from, which allowed people to steal service. They could just Akamaize their own stuff. So, in addition to protecting our platform and making sure that we were configured correctly, I started to take a role in securing our products. It was nice that people could instantly Akamaize. We got a lot of customers because they broke themselves, put their stuff on our platform, and then called us up and said, "How do we pay you for this?"

Which is a nice way to get business, because you sit there and you just saved them and you can be like, "Oh, here's what our normal rate card is, but here's what the discount is." But the thing I think people don't realize is how expensive bandwidth used to be. We used to talk about thousands of dollars per megabit per second. That was commercial grade bandwidth pricing. And so, you would print up a rate card, and a month later it was obsolete because we were driving prices down so fast. So, you could do deep discounts that people were really happy with.

Dave Bittner:

Yeah, that's interesting. I mean, what has it been like for you to have been witness to this transformation. To have been there when things were really ... I mean, that engine was just really starting to rev up. And I mean, it's been an interesting 20 years for you, I imagine.

Andy Ellis:

It really has been. And I think it really proves one of the things I've come to believe a lot about success in anything, which is it's a combination of being in the right place at the right time, and having an ability and a desire to execute with a great idea, and a fantastic amount of luck. And I think it's easy for people to look and only take credit for one of those. Your success you attribute to your hard work and your brilliant ideas. And other people's success, you attribute to the fantastic luck. But I think we had a bit of both. I think had we started the company a year earlier, I don't know that we would've survived. Somebody else might've come out of the ashes.

Our stock, after we went public, was over $300 a share. And at its low point was like 57 cents. We're the only company, I think publicly traded company in history, to survive a 600:1 stock price drop.

Dave Bittner:

Wow.

Andy Ellis:

Nobody does that because that's a sign that your company is doomed. But we survived that. And partly, I think a big piece of it is that while we do try to focus on solving solutions, we actually don't focus on lock-in. We really do want money. We want people to keep paying us. But there's a lot of solutions that I think really emphasize that you have to use only our service to solve your problem. And we've recognized that our customers are a very diverse customer base. And so, rather than trying to solve solutions only one way, we try to solve solutions through technology pieces that plug into whatever the customer is doing. And so, it means that customers have used our services in ways we never anticipated. And sometimes we turn those into products. We're like, "Oh, that was brilliant. Let's take that idea to market because they put together four features in a way we had never conceived of." And that's luck, but it's also execution.

Dave Bittner:

Yeah, I mean, it seems like it also points to company culture of a certain amount of risk-taking to be able to say, "Well, maybe there's a product here that we didn't see coming." But I'm also thinking about what that journey must've been like for you, when things were low, when things were at their worst to say, "We're gonna stick with this. We think there's a path to ride this out. There's a future for us here."

Andy Ellis:

Yeah.There's two different hats I have there. One is just as an executive, at the time, but also just as the employee, how do you decide to stick around? And it's interesting because actually my wife worked for Akamai for a while, and so did my mom. And we actually all shared a house. We had a two family house in Medford. And when Akamai stock was at 57 cents, my dad said, "We should just buy some more stock, if you guys are all in on this." And we all looked at him and said, "Are you crazy? Because if the company goes out of business three of us are unemployed." And when the stock hit $100, he was like, "Look that's $5,000 that's a lot more money these days," if we actually had invested that, that's $1 million.

Dave Bittner:

Wow. Yeah.

Andy Ellis:

Right. You look at that. Now, we probably wouldn't have held it that long, but it's really hard. And sometimes it's a little bit of faith. You don't have to be able to see the path out of the woods to know that you're on a path. And the path that might fail. But, at the same time, it might succeed.

Are you a football fan, by any chance?

Dave Bittner:

I enjoy watching a good football game. But, I have to admit that I don't get all that invested on which team is ahead. But I do enjoy the game itself.

Andy Ellis:

Okay well, it's no secret to anybody who knows me that I am a die hard Patriots fan. And I was at Super Bowl LI, which was the Super Bowl against the Atlanta Falcons. And for those of you who are listening, who don't remember that, that's the game where the Patriots were down 28 to 3 in the third quarter, you're near the end of the third quarter. Nobody's ever come back in a Super Bowl from being behind by more than, I think, 10 points. And the last team to have done that was the Patriots, who had come back in the Super Bowl two years prior from 10 down and barely eked it out. So, there's no victory possible at this point in anybody's mind.

Dave Bittner:

Right.

Andy Ellis:

But you're a fan sitting there, you could get up and walk out. And some of us don't forgive the celebrities who claim they had reasons to walk out of the game just to be very clear, Mr. Wahlberg. But you're sitting there and, in a sense, your job is to accept that failure is inevitable. And then, put that in a little box. Get over the emotional loss of failure and say, "But I'm here right now. And my job is to figure out how to help us succeed."

And, as a fan, that means you stand up and you shout when your team is on defense. And when it's on offense, you're quiet and you cheer for first downs. That's about the only thing you can do. And you don't invest yourself further, but you also don't de-invest yourself. You hold both minds of failure is inevitable, but success is possible. I'm going to live in the world of success, I'm going to do what I can to make success happen. But if it turns out that they're ultimately not successful, look, I've already processed the failure. I'll pull it back out of the box and move on. I'm not going to get worse because I tried to succeed. And I think that's a place where people have a really hard time further investing themselves when failure seems inevitable because they think the loss will be worse. But the loss isn't any worse unless you make it worse.

And that was how we approached that era. We said, "What do we have to do?" We were very transparent within the company, at the all hands, you could ask anything. And I remember at one of our all hands, as we were on the way down, one of our engineers, I still remember who it is, I'm not going to name them, don't want to either shame or celebrate them necessarily, asked the CEO because we all got this education in public company finance, how does the street measure us? Every quarter they're walking through it. And the CEO was asked, the question was, "Well, obviously when we go bankrupt," when, it wasn't even an if, it was a when was the question. But, "When we're going out of business, it won't be when we have no money left in the bank because we have to spend money to go out of business."

I think that's the thing a lot of people don't realize is that you don't wait until you have no money to declare failure because you have to pay the people who are going to close the doors for you. And you have to pay off some creditors. So, he says, "How much money is that trigger point? How much money do we need to wind down the business?" And the CEO and CFO were really up front and said about $100 million. Let me tell you a few quarters later, when we had $90 million in the bank, that was a really scary conversation. "We now don't have enough money in the bank to pay everything off. And we said, we'd start winding down."

Now, the reality is we hit 90 as we were making this inflection back up. We're now level, we're no longer bleeding money. It had been slowly coming down. It's sort of the local minimum. And everything comes back up after that all hands meeting. But it was one of those conversations because he gets back up and he says, "You said at $100 million we were going to wind down the business. We're now under it. What happened?" And it's like, "Well, let's walk you through the numbers and why that 100 was correct a few quarters ago, but now it's not the number. And now we can see that we're not going to crash and burn. We're leveling out and we're going to take off."

Dave Bittner:

But having had that culture of transparency and establishing, to the degree that you could, a level of trust with your employees, I would imagine, then you can have that conversation. You can say, "Okay, that's what we thought at that time. Here's what we think now. Here's why. Here's why we believe these things are going to happen now. And we're not lying to you."

Andy Ellis:

Yeah. And that's what's really helpful. I think a lot of companies and employees don't understand what it takes to not lie. We still get this question, probably every time people say, "Is there a reduction in force planned?" And they get the same answer every time, which is, "Well, we always consider whatever the options might be, and we'll do what's best for the company." And it's really a non-answer. The challenge is that any company that's planning a reduction in force, the moment they start planning it, technically they're not planning it they're merely considering an option because if it's a material, as soon as you plan it you have to announce it to the street within 24 hours.

So, you create these thoughts about what you might do. And then you approve a plan and execute on it sort of overnight. But you can't tell your employees that, not because you don't want to be transparent, but because the moment you tell them it's now material information. You've blacked them all out. You have to go tell the street, you have to execute on a thing that you haven't really thought all the way through yet.

So, there are questions that when I was in the Air Force as a cadet, we talked about improper questions because cadets had the honor code, we weren't allowed to lie. So, as a result, there's questions you're not allowed to ask a cadet.

Dave Bittner:

Ask me no questions, I'll tell you no lies.

Andy Ellis:

Right. So, imagine that you have like a squadron of cadets and somebody stole something, you can't walk around and ask each one of them if they did it. If you don't have a reason to suspect me, you can't use the honor code as a weapon against me.

Dave Bittner:

Interesting.

Andy Ellis:

And that's a thing that I carry with today that I think it would be interesting if more people understood that when there's material information in a company, don't try to pry for the answer and trap somebody in a question because you're creating an atmosphere where they have to not trust you as somebody that they can be honest with.

Dave Bittner:

How do you describe your own management style? With the team that you work with, what's your approach there?

Andy Ellis:

So, I think of management as being a form of stewardship. I think that's something that's sadly missing in a lot of corporate cultures and other cultures as well. People think of management as power, "I own these people. They do what I say. I only have to listen to my boss." I think of it the other way around. My job is twofold. It is, first of all, to maximize how productive my employees can be by getting the environment out of their way. And, second, it's to help them grow while they happen to work for me. And, at the end of the day, that's it.

There's a lot of details that come into that. But the mission that I have to make the internet suck less, or to ensure a safer destiny that's almost second to the make sure that the people who are executing on that mission are well taken care of. Because if I do that, then the mission gets taken care of as well. So, that creates an inclusive environment, I like to think. And surveys within my team tend to suggest that's true because if you're getting things out of people's way you're finding out what hurts them. You're reducing the energy cost that they have just to exist. And if you're doing that from a bureaucratic perspective, as well, you're going to also run into a lot of the inclusion, exclusion dynamics that can make a workplace problematic.

Dave Bittner:

But, I mean, it also comes right back around to trust again, too, because if they feel as though you have their back, you're going to hear from them. They're going to have those conversations with you, even if they're hard conversations to have.

Andy Ellis:

They really will. And look, it is hard, especially if you're a junior employee. We had an all hands where we were telling stories recently. And I was telling a story from 20 years ago, and I started to slip into that 20-year-old personality. And I said something that I probably shouldn't have. It was a throwaway comment. It wasn't horrific or the end of the world, but it was surprising to some of my junior staff. And they didn't know whether this was, were they the problem for being wound up about this because they were surprised by it? Should they say anything? They didn't want to be perceived as a problematic, troublesome person.

So, some of them went and did a reasonable thing. They went and they talked to other folks on my staff, who came and talked to me and said, "Hey, this bothered some folks." And I'm like, "Oh, I totally see how that did. I'll work on improving it. Let's not make it a big deal. I recognize that they don't want it to be seen as a big deal." But it's really important that you create that culture where asking the question, "Hey, this made me uncomfortable, am I wrong for that?" And 90 percent of the time, the answer is no, you're not wrong. But 10 percent of the time actually you were made uncomfortable and you probably need to think about whether that was on you versus the person speaking.

But even if it's not on the person speaking, they need that feedback. There are times where I've said things and somebody gives me feedback, and my first answer is, "I can't believe you care about this.” But my second answer is always, "But my job as a communicator is to make sure that doesn't get in our way." So I want to know that, look, if you don't like the color blue and my slides are blue I should know that you don't like blue. I might think you're a little odd for disliking the color blue. But if I'm going to brief you, maybe, next time my slides will be in green instead. That's not a huge cost for me.

Dave Bittner:

Right. Now, in this particular case I mean, was it important to you to get word back to those people who had their dander up a little bit, that you acknowledge that maybe you were in error here?

Andy Ellis:

So, I think the way that I did it was the person who brought it to my attention, we had a conversation and they went and they took that back and said, "Yeah, I've raised it. Under control." And sometimes I have done, "No, let me do a formal more public apology," following the rubric of the six elements of an apology. Partly so that other people can see it. But this one, I didn't partly because one of the sensitivities people had was they were concerned that they were making too big a deal out of it. So, I didn't want to make it a bigger deal.

Dave Bittner:

I see.

Andy Ellis:

I don't want to feed into the, "Oh my God, I can't believe I did this, and I made the boss apologize." Even though I personally think apologies are free. Really doesn't cost me anything to apologize. But other people don't always see that.

Dave Bittner:

I want to switch gears a little bit with the time we have left together and get your take on threat intelligence, and the part that you think that plays in an organization's security posture.

Andy Ellis:

So, threat intelligence is one of those phrases that is very dangerous to me because it means so many different things. I think that there's really valuable cases for threat intelligence. And there's some cases where there's information that is not intelligence. We probably get … Everybody who has a data feed, "Oh, we'll show you every attack we've ever seen. Or here's a list of IP addresses that are bad." And I'm like, there's no context, that's not intelligence. Intelligence is, "Hey, tell me, what's really going on in an actionable fashion. Tell me why you don't trust your own data. How good is your data?"

We've figured out from our perspective that IP-based data is only good for about 30 days at max. The internet moves just enough that after 30 days, you really can't rely on IP data. And at 30 days it's bad. It's not like there's a hard cutoff. It's a decaying out. So, that's sort of implicit in a lot of our data that we're going to look at. But even that's almost not the interesting thing. The real interesting thing is what is the threat? What are the adversaries doing sometimes to you, but sometimes just in general?

So, for a lot of our products what we do is, I'd think to myself is ... By the way, Akamai is like the shopping mall of the internet, this'll help for the rest of the analogy. What do you buy from a shopping mall? It's a trick question, aside from COVID-19, meaning you don't walk into a shopping mall anymore. You don't buy anything from a shopping mall. Stores buy from a shopping mall the ability to get closer to you. And that's basically what Akamai does for the internet. You, the end user, don't buy anything from us. Companies buy from us the ability to deliver that great experience close to you. That just makes me the mall cop. My job is to protect the shopping mall.

And, in that context, threat intelligence is really easy to understand. If you have a group of shoplifters wandering the mall and you're a store owner, you have no idea when these people walk into the building who they are. But the mall cop has seen them get kicked out of five stores already for shoplifting. So, when they show up and I flash you the sign that says, "Hey, that's the shoplifter. You want me to walk them out the door?" That's threat intelligence. Or if I say, "Oh, even though I haven't seen these four people before, I can tell you that the current tactic is four people come in, one's loud and obnoxious and asking you questions. Two of them are standing near the front. And one of them wanders off to the back where you don't see them to pocket stuff in their backpack. I've seen this pattern before." That's threat intelligence, where I can tell you, "Hey, here is actionable information that lets you make business choices about how to deal with adversaries in your world."

And that's the gold. And I think almost all of our products aim for that. And some of the better threat intelligence vendors tend to aim for that. Now, there's a separate angle of threat intelligence, which is sort of the historical briefings. "Hey, tell me what actually happened yesterday to me. I got popped, what happened?" There's some really good value in the forensic intelligence of what else is going on, who might be still targeting you. But the information that lets you make a decision, that's valuable. If it's just, "Oh, I can block some IP addresses because somebody else says they were problems," that's not really intelligence, from where I sit.

Dave Bittner:

Our thanks to Akamai's Andy Ellis for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.