Dave: Hey, Frank, welcome to Security Voices.
Frank: Hey, Dave, happy to be here.
Dave: All right. So Jack is once again on the road gallivanting about the country here and couldn't make it today. And that gives us the opportunity to start a little different. So I met Frank, I believe back in the heady days of like 2019. teen or so.
I think I'd seen your name before on some things you've been writing for a long time. And, you know, even though like I was going through your LinkedIn, I was like, God, Frank's been around longer than this, but you've managed to carve yourself out a pretty, pretty big name and a pretty big brand in a relatively short period of time.
But the thing that really struck me as I was, I think we were doing a, I was at a conference and talking to you. And then eventually, like we did, we did like an investor briefing with Dell Capital where, when Frank was a VC. And the thing that I've always appreciated is Frank thinks really deeply about topics, going back to your academic background, going into your time as a VC, and even now with what you're doing with Frankly Speaking, and so on.
And you have just such a great combination of, I'll say, intellectual aggression and at the same time, mental plasticity and thoughtfulness. So I'll start by flattering you, I guess. I guess that's how this is going to start, Frank. That's great.
Frank: Thanks. I don't know if that's well deserved, but, but this is
Dave: Well, the beautiful thing is now that I've thrown that out there, like, the audience can judge through the remainder of the conversation, right? The listener can, can see if we've met the bar, if I've asked enough questions to tease it out of you and if you've landed there. But honestly, the body of work that's up on Frankly Speaking is really impressive.
And anybody, if anyone's wondering after this, we'll, we'll do the show notes first, where they can hear more, go up to Frank's Substack. It's, uh, Frankly Speaking, and you can see a lot of his work there. And the one, actually, it's great timing. There's one that came through yesterday, which Frank wrote, which is how to be an engineer that security people don't hate, which I believe is, is part of a series for
Frank: Yes, it is. Yeah. It's, it's part of a series where I saw someone talk about the relationship between PMs and, and engineers. And so he wrote both sides as an engineer and also as someone who's like worked with PMs and kind of have empathized with them. And I thought, Hey, this is like really relevant to, you know, a traditional organization with security people and engineering work.
Dave: And I think there's a whole, this is a bit of a non sequitur, but if you're looking for future ideas, I think there's a whole bunch of things happening with the dynamic between privacy and security right now. And increasingly between data teams and security where, you know, those relationships that are fairly new and still forming like a little bit of a guide path on those.
There's a whole bunch of work to be done on just exploring the relationships between these functions that are really young in their own right and where there's natural tensions that pit us against one another that don't have to be adversarial but often like natural momentum would take you to an adversarial place.
Frank: Yeah, yeah, totally. I think this data and security thing is actually pretty new. And so I'm kind of like exploring a lot of these and I'm reading a lot. And so this is like an area that's like pretty interesting.
Dave: All right. So let's, let's back up a little bit. Yeah. You started your career deep in academia.
So there's a lot of people who enter security like yours truly. I did four years at Michigan, got out. You know, world was too big, too exciting, not to explore. And let's be honest, I'd lived the bulk of my life in Michigan and I wanted to get out. I got a taste of Los Angeles and said I needed to be there.
And I took the first job that would get me out. You stayed in academia for a long time, did some really interesting internships afterwards at Columbia, Google, Facebook, emerged to become a venture capitalist and then switched into security engineering. That's my really gross summary. How would you describe it?
Like, take us back to first off, where did you grow up?
Frank: Yeah, I grew up in the Bay area. Actually, I grew up in Santa Clara and that's kind of where I got my exposure to tech and all things tech related, except back in the day when I grew up, it was really Silicon Valley. So it was mostly hardware, not so much software.
And I think when I went into college, it, you know, we had gone through the 2000 boom and people still have that hangover from all those software companies going bust. And actually, surprisingly, software, let alone security was not very popular. It was kind of going back into the hardware days around, call it like circa 2008, near the financial crisis.
Dave: Got it. And you went to Stanford. Is that right?
Frank: Yeah, I went to Stanford and then I, you know, did computer science there. It was actually not a popular major. I think it was not even the top five when I joined. And I think when I left, you know, to give you a sense, Snapchat had not gotten started. I think Facebook had just gone public or was thinking about going public.
I don't remember the exact dates. I think they had just gone public. Google was kind of the place to be, but you know, some of these like tech companies and SaaS companies like hadn't existed at the time. Um, nor were they popular for students on campus. And so I think for me, I thought about it and said, hey, like, these companies are going to be around.
I talked to my computer science advisor and said, hey, I'm interested in doing security. Don't have a lot of like, interesting opportunities in terms of like, being able to do very like technically deep work at a lot of these places, because you know, Facebook is still is primarily a product company. And so a lot of this like infrastructure platform work around security and DevOps kind of hadn't really come to be in my opinion at the time, especially for a new grad.
I think there was a lot of like deep technological stuff. And I said, Hey, the stuff is going to be around. He told me he said, Hey, I would be surprised if Facebook and Google are going to be gone even in 10, 20 years. So if you want a job there, like you can always have a job, but you know, if this is probably the time to like do a PhD and get into academia, do some research, learn a lot more, explore, you know, kind of be a little bit intellectually free.
And I said, Hey, great. You know, I've lived in the Bay area my whole life. I got a great opportunity to do a security at MIT and do a bunch of research because at the time security actually wasn't super popular. This is circa 2012. We hadn't seen all the big corporate hacks yet by then. And so I said, Hey, this sounds great.
I'll go there. My advisor said, I got a bunch of money to do security from the government. No one wants to do security, you can kind of come and do whatever you want, essentially, and, you know, learn whatever you want. And I think at the time I was very interested in kind of web security, application security in terms of like these larger web apps that were going mobile, that were like storing large amounts of data.
And there was really nowhere to do that outside of the big tech companies, which at the time were Google and Facebook. And so I said, Hey, look, I, I want to learn about a lot of this. And so I went off to Boston and little did, did I know, like two years into my PhD, kind of like the security world has started to explode with, with all these like hacks with Home Depot, Target, you know, and then just in general, the security industry, I think took an exponential
Dave: Yeah, it's funny how much of this is a matter of perspective, because I think for me, the inflection point for security is when kind of viruses turned into malware, malware turned into crimeware, and probably like I'd say 2003 to like 2006 timeframe. And spam and phishing were all introduced in adware spyware.
But I get your perspective. I mean, really all the nation state hacking and the birth of EDR and the whole XDR stuff, and a lot of those big hacks, you're right. They did start literally at the beginning of the last decade. So, uh, matter, matter of perspective and the first moment where you've made me feel old on this.
Frank: No problem. I mean, I feel like a lot of the cool stuff did start with EDR. And that's why what made it popular too. Right. And so, you know, this kind of have a ton of CrowdStrike. So yeah,
Dave: This is also a bit of a non sequitur, but it's also how these conversations go. I don't find EDR personally that interesting to me.
You've got a set number of events across the set number of operating systems, three, you know, let's call it that really matter. And one that matters disproportionately. And there's only so many ways in which you can express lateral movement and in which you can, you know, attack patterns, I think are fairly fixed.
You compare that towards the data world where everybody's data is different. The use cases are, are very different. You know, everything can go wrong. The different sizes, varieties of data sources and so forth. That is an intractable, big, interesting problem. The EDR problem set, it was challenging because of the volume of data produced.
But other than that, like the actual patterns around it were fairly static. We initially hard coded our behavioral patterns. We called indicators of attack in the Linux kernel. And while in the kernel. Yeah, in the early days of CrowdStrike, and it was painful, like we had to back that off, but it was more painful because the kernel started changing a lot at that time.
It wasn't painful because, oh God, we had to update, you know, the IOAs every other day, quite the opposite. It's like the patterns were the patterns were the patterns. And the funny thing with EDR is you have a natural backdrop in that you expect to have people hunting and actively using the data. You contrast that with like other areas of security.
Whether it's application security or data security where, you know, you're at a scale where just manual intervention just doesn't work and people aren't interested in having, you know, an intelligent person combing through it yet. You know, it's just EDR comparatively, like it took a number of years to get it right, but it isn't that hard compared to other areas of security.
I think for what it's worth,
Frank: It's interesting. I think that makes sense, not to derail this conversation too much. I feel like the difference between a lot of the EDR work and, and the data work is that I think the way we use data and the structure of data, there's just way more combinations and way less kind of data in general on how it looks.
Whereas like we have years and years of kernel data and like what happens and happens, like the way we've used data as just a tech industry or even any industry has this fundamentally changed. Right. And so just the evolution of it has made it like very difficult to manage and kind of find patterns in, whereas like, Hey, there are only so many system calls in a kernel that you can do, and only so many combinations it's, it's almost a finite set, whereas
for data, it's, it's almost, it's unclear what the, at least we haven't gotten to a point where, what the bounds are for it.
Dave: Yeah, a hundred percent, a hundred percent. And, you know, part of the reason we're having this conversation is Frank challenged me a while ago. He wrote an article on why is all this money going into data security?
It's been kind of a backwater. I'm paraphrasing here generously, maybe egregiously, and it really, Frank was kind of questioning all the money that was going into data security, which he was right to do. I think it's, there was a time when too much came in versus the TAM that's there today. I don't think over the long haul, it'll be considered too much, but I think it was, I mean, even as someone in this space, I think it was too much at once, given what was available at the time and even what's available now.
But having said that, it really got me to thinking, I ended up writing an article kind of defending the space and saying what it was going to turn into and so forth. So if you're thinking, God, is Frank and Dave going to meander through this conversation and touch on a whole bunch of points at once? Yes, yes, we will.
Fasten your seatbelt. Let's let, let me ask you this. So you could have taken any of a number of jobs rather and high paying, good jobs coming out of doing like a comp sci degree at Stanford. Was it really just that, like, there wasn't, you figured you could delay entering the market and making money until anytime you want, because those companies were always going to be there.
But you had this, this intellectual curiosity on security that you really wanted to, you really wanted to satisfy and MIT was the best place. What took you there?
Frank: Yeah. I mean, I think that's a very nice way of saying it. I think for me, and I think many people would view it as a potentially financially irresponsible because most of the interesting SaaS companies were started while I was doing my, my, my PhD.
And I could have picked any one of them and probably I definitely made more money than I was had doing my PhD. But I think for me, it was, I did security when a lot of people didn't want to do it because I thought it was very intellectually stimulating. And a lot of, I think the interesting work and technically deep work that was going on, these tech companies, you know, required PhDs or a good amount of experience in the space.
And, you know, I think everyone knows here, like getting a computer science degree from any university now, like it sets you up to do work, but then once you actually go in, there's a lot of design and technical decisions that you need a lot of experience actually have context to do and actually to, to do trade offs on.
And I think for me, like, I just didn't have that experience and I thought, Hey, like, I want to learn a bunch of things there's, you know, this professor at MIT who just had funding for me to explore, which is actually pretty rare. And nowadays, they're a lot more prescriptive about the projects you work on at universities that are tied to these grants, just because there's more PhD students, there's more professors, there's more funding.
And most of this funding is just more restricted in general to, to certain projects. And I think that was like a time where there was not that. And I thought, Hey, you know, I can try it out, you know, PhD is like a job, you don't have to do it for six years. I say this and people are gonna, every professor around the U.S. is gonna, is gonna dislike it, but you can try a PhD for two years and decide you don't want to do it, right?
It's like nothing is tying you to, to finishing that PhD. But, so that was kind of what I thought was like, hey, I've lived in Bay Area my whole life, go somewhere else, learn something new, go to a different university.
See how they do things differently and just kind of like get more perspectives and work with different types of people and I think that's always been my philosophy like, hey, I want to work on interesting stuff with what's very smart people.
Dave: You can kind of see that throughout your career arc, you know, like your recent transition out of VC, which we'll, we'll get to in a moment here.
What did you focus on? During your PhD, what were your, your kind of expressed areas of research? Where did you go deep and you finished it? You went full six years.
Frank: Yeah, I went full six years. I finished it. I wrote a thesis. I got my degree. So I have the whole shebang. So technically I'm a doctor for whatever that means.
Not that anyone has ever, I never used that salutation, but I ended up working on how to protect a large amounts of data and web services and kind of different angles on that. So some of my work centered around how do we protect kind of like third party scripts in, in, in applications? How do we protect data being transferred between applications, especially, you know, I was
pretty obsessed with this idea of OAuth back in the day and kind of how to make that protocol more secure. Did some work around how to build secure data flows through applications and track data flows. So kind of a bunch of work around, you know, how do we, what are different problems we experience in applications and how data
flows both at the application level and at the infrastructure level and just looking at like a bunch of large scale systems. And I think the thing for me there was how do we deal with these problems in a practical manner at scale? Because a lot of the solutions at the time were, you know, very security focused in the sense they said, Hey, here's a security model.
We want to try our best to restrict it. It's going to kill performance for everyone, but this is how we're going to do it. And, you know, I, I thought that was very impractical in the sense, like there was all this stuff around, you know, homomorphic encryption and all that. And I said, Hey, no one's really going to use this in the real world and it won't scale.
So how do we actually build scalable systems that, you know, achieve security properties, even though we might have to relax some of them?
Dave: Was there anything that you kind of, you feel like you called out or got like commercially applied after your time directly from your research or related to your research?
What is there anything you kind of hang your hat on from that?
Frank: I don't think so. Really. I think a lot of what I learned was, you know, the world has become more distributed. And so a lot of the security requirements we're looking at now are even more relaxed than the ones I was looking at during my PhD, which, which I think is important because, you know, I think there's just more risk than there are resources to mitigate, um, in general, in most, I would say like a vast majority of companies.
Dave: All right. So how did you, you did internships along the way during your PhD, is that where you landed at Facebook and Google for short periods?
Frank: Yeah, I did some internships along the way.
Dave: Got it. And what did you learn about applied security and living inside two very different organizations seemingly?
Same geographic area, but different organizations. What did you take away from that experience?
Frank: Yeah, I think Google and Facebook were very different experiences. Google was still much was bigger at the time, had a mature security team and program. They had spent a lot of effort on it because they believed in trust.
Whereas Facebook was kind of still in somewhat of a startup mode in terms of people and how they worked and you know, there were this whole like move fast and break things kind of mentality and how to do security while still enabling, enabling their engineers to build product quickly without taking too many risks.
I think it was kind of a tale of 2 cities, but I think ultimately what I learned from both is that everyone's still trying to really figure out how to do security and no one, no one has the perfect plan. There's not an end state we want to be in. I think in general, in the security industry and saying like, well, you want to be here.
This is what we're striving for. I think a lot of it is actually building the train as people say, while, while it's still moving.
Dave: All right. So you had, you were doing your PhD, you got some commercial experience, both at Facebook and at Google, but yet, so the, the logical thing to do would have been for you to go out and take a job with one of those big organizations that, you know, you watched grow up, you know, during your time growing up in the area and during your time at Stanford and so on.
But yet you became a VC at Dell Capital. How did that come to pass?
Frank: Yeah, I was always really interested in startups. I grew up in the Bay area. I went to Stanford. When I wanted to go to the East coast and do my PhD, I wanted to get more involved in startups in general. And Boston at the time, the startup world wasn't super vibrant.
It was, it was okay. I would say. At best, there were a lot of consumer startups that came out of universities, namely Harvard and MIT. And there was actually a pretty vibrant security company slash startup community in Boston with Rapid7 and Pravada, Cybereason, kind of Akamai was getting into security at the time too.
And so I was trying to kind of explore around, there were still venture capital firms in Boston trying to figure out what was going on. And circa 2014, the security community started to grow and I think there was more renewed interest in investing in security companies. I went to a VC and kind of was just talking about security and, you know, I think the idea of an incubator came up and I said, okay, great.
Like I'm happy to try this out. I learn a lot and we can incubate some security companies and both sides learns. And that was kind of my, my entry into VC. And, you know, I made a bunch of friends along the way, both in the VC world and in the security world. And when I graduated, one of them reached out to me and said, Hey, have you ever thought about doing VC full time?
It was nothing I actually was imagining that I would ever do initially. I actually said, no, I said, Hey, this doesn't sound great. But you know, I got convinced and said, Hey, VC is hard to break into. It's something I could try out for, for a year or two. And you know, a year naturally becomes three and a half years.
And then kind of that I went back into engineering back then, miss the technical technical work, but that was kind of how, how it happened where I said, Hey, look, this seems like an interesting opportunity. Let me try it out. And, you know, I spent three and a half years doing it.
Dave: All right. So let's, let's unpack your time as a VC coming out of academia and into, and, you know, you did, I think it was called security factory.
Frank: Cybersecurity factory. Yeah. Yep.
Dave: And there's some notable companies that came out of that. I was just looking at, um, at your profile on it, like Huntress Labs was one of those companies, any others that we would know potentially that came out of Cybersecurity Factory, your summer program?
Frank: Yeah, I think another notable one is called Akita.
Um, they just got acquired by Postman. They're doing API observability and security.
Dave: Cool. Cool. Cool. So it was, it was actually somewhat following directly, not from your PhD experience, but the summer program, this sort of muse that you followed with a gentleman who is former Meteor BC in Highland. Is that it?
Yeah. Yeah. Right on. And what was your, what was your biggest surprise as you came into VC having touched upon it during your time in academia? What was the big adjustment that you had to make?
Frank: Yeah, I think one of the biggest adjustments was that VC is really a sales job. There's a lot less technical work than you think there is, but there's a lot of like thinking about spaces and products.
But ultimately it's a sales job. You have to convince someone to take your money versus someone else's money and money itself is a commodity. And so how do you create an offering or a service offering from a commodity? And I think that was like a very interesting mindset because I had been a technical person my whole life where the value came out of the technical work.
Dave: And I'll say, you know, being a founder who took the CEO job, I had the exact same revelation as like, oh God, I'm selling, I'm selling the company to investors, I'm selling the product, customers, I'm selling the company as an opportunity to potential employees. The sheer amount of like sales in this job as well was, was one of my big shockers and I've had to adapt.
And I think initially I didn't adapt nearly as well as what I should have to the product sales side of it and understanding how important that was to my role. Where were you able to adapt and where did you struggle?
Frank: Yeah, I think for me, a lot of it was kind of this balance of we had most VC firms sell themselves as like a platform.
The whole is better than the parts. And so how much do you use yourself versus is kind of the resources of the firm to kind of sell the service essentially that you're providing to founders, right? Which is you give them money and then you and the firm. And so I think initially I started off a lot with the firm and I think later on it was more, became more about the value I provided.
And it's always been a tricky balance. It's like, how much do I contribute to the platform itself via like helping the resources that the firm provides versus actually just selling kind of my individual skills and like perspectives. And I think it's always an ongoing struggle. And I think you see this a lot of VC firms where
some people sell kind of their experience and some people sell the experience of the firm, and it's always easier to sell your experience. I think that's why I learned kind of like in the middle of my VC career is that it's always easier to invest in yourself than invest in a platform. It's kind of unfortunate truth.
I wish there was kind of like better platforms. But that's, that's just kind of how it ends up working.
Dave: So which aspects of selling did you get comfortable with ultimately? And then what were the stuff that like, you just, you just never got to a good place on it and you were never comfortable with?
Frank: Yeah, I think the aspects I got comfortable with were
selling kind of the idea that, hey, we were part like Dell was Dell Capital was part of the Dell conglomerate, but we were separate, uh, and independently operated, but we had kind of the network that a traditional VC would not have, which is like this corporation that has like basically a ton of contacts, right?
And I think I got pretty comfortable selling the context I had and what was interesting to me and what I would bring, bring to the table. But I was always trying to figure out, because I think Dell was also going through a bunch of changes at the time. Like they had, they were trying to sell off VMware and RSA.
And it's like, how much of that could I actually promise people in the long term and like how, how much of the partnerships and kind of the resources we had there. So I never fully got comfortable and I think it would have taken me a while longer to like sell, sell kind of the benefits of the firm versus the benefits of working with me and a couple of my colleagues at Dell.
Dave: Yeah. All right, so this is commonly asked, so I'm guessing this is a softball question to you. But what's your favorite pitch story from your time as a VC? It could be the funniest, the best, the worst. Give us your favorite pitch story.
Frank: Yeah, I would say, well, there, there are just a lot of, I mean, VC is a spectrum.
I would say, I would say there's a lot more not good pitches than there, there are, I would say good pitches. I think that that's just not an indication of how well the company actually does. Right. And I think like a lot of the companies, at least in the Dell portfolio where the pitches were not that good, in my opinion, but they actually, the company does very well because the founders is so focused on developing a good product that almost kind of like the pitch doesn't matter because the product is, is so obvious.
And so I think there are a lot of these like in security. I think I saw the, I saw the Demisto pitch and initially, this was four months before they got acquired. I saw the Demisto pitch and I said, the numbers look amazing, but I don't really get what Demisto does or what the purpose of it is, but people love it.
And the numbers look amazing. And that's what they sold me. And I, I said, we got to invest in this company. Obviously we didn't end up winning the deal. Greylock won the deal. And then they got acquired four months later by Palo Alto Networks. But that was one of the pitches where I said, Hey, you could have just showed me, uh, the money slide and told me kind of your growth and you don't worry about anything else.
So, which is, I think very, a very common story people say is like, Hey, I don't believe in the product, but the numbers look amazing. And somehow that, you know, that that's all you'd really need to have. And sometimes you just got to look at the data.
Dave: Got it. Let's take a different tack. Now that you're a practitioner and you've gone back into being a, you know, working in security engineering, first for DBT, now for Headway.
What do you wish you knew as a VC, that you now know after kind of working in the trenches? If you were to go back, what would you, what would you do different? Or how would you look at things different?
Frank: Yeah, I think I would focus a lot more on understanding the product for a particular company, I, especially in security, I think the problem is a lot of these pitches are just not very well refined, but if you got hands on with the product, it becomes very obvious why this is a useful product, but it's hard to get that intuition without being a practitioner because you have all this
context that you need to now absorb to understand why this product is important. Like kind of going back to Demisto is, you know, if you had run an IR organization and really understood all the struggles that were going on there, the product becomes very obvious where, but it's hard to like describe that product in words and really feel like
a strong intuition on why this is such an important product. And I, I would say like, this is true. People say this is true of a lot of other similar products. Like even the consumer space, like for a long time, people thought Snapchat was stupid, for example. Right. But it's like, Hey, wrong demographic didn't understand the use cases.
And you know, the, you got to just get hands on with the product sometimes and have more product depth. With that said, it's like, sometimes there are amazing products that just have terrible business models or won't scale, but I think both are important. I think I would have been more product focused for sure.
Dave: If you were talking to a young VC and they asked you for advice, would you tell them to get hands on with the product?
Frank: I would actually kind of do something that I didn't do myself. I'll tell them to work at a company first and work with someone, someone like me, who, um, who is kind of, I work at a startup with someone like me who knows how to navigate ambiguity and see organizations being built, because I do think there is a lot of value to understanding how
an organization is built from scratch, whether it be a security organization or even the company itself. And I think another thing is that you learn a lot about the types of personalities that succeed well. I feel like it's very common. We hear stories about this all the time across the board where there are these like founders that are overlooked because they don't have great pedigrees.
And then these founders with great pedigrees who struggle because they just don't know how to build anything from scratch. And I think it ultimately doesn't, the pattern pedigree doesn't matter. It matters what is the, what are the ingredients for this person to succeed? And you learn a lot of that just by working at a company and observing personalities.
And ultimately early on, if you're an early stage VC, the product almost doesn't matter as much as you know, it's like, you'll pivot so much. It's just, who is the right person to be leading this company, uh, whether he or she is actually going to help you through hard times and navigate ambiguity. And I think you, there's no other way of learning that except through just direct experience.
I'm, I'm sure you'll learn it in VC, you'll just see a lot and kind of learn a lot about those people and work with those people potentially, but I think you learn the most when you actually are in the trenches of some of these people on a day to day basis, you get kind of a much deeper look.
Dave: Yeah. What do you miss about being a VC?
Frank: I got to see so many interesting companies and I got to learn about different spaces and I didn't have to really worry too much about each individual company or like the business, whereas now as a practitioner, it's like, I have to be very, very focused. I have to kind of what people say, turn the, turn the blinders on.
It's like, I have to be focused on the business objectives and actually the organization. So I don't have as much time to go explore new spaces that aren't so relevant to me. All right.
Dave: And last kind of, last couple, probably brief VC questions, but what advice would you have for, for vendors now that you're like you're out of it and you're not being pitched anymore by like entrepreneurs and so forth?
And you're a practitioner, like, what advice would you give to them? If someone came to you and said, Hey, I'm thinking about starting a company, I'm going to pitch, I want to, I'm going to pitch a bunch of VCs. Like, what would, what advice would you give them?
Frank: I would say that not everyone's going to believe in you and it's not, it's not a game to get the most number of investors.
You really need one investor and one strong investor, maybe two to create a competitive situation. But you don't need 20 term sheets, you need two. And I think it's almost better in that case, because it means that you have kind of a disruptive enough vision that other people kind of find it somewhat controversial.
And I think those are the ones that end up doing very well or become bigger bets. I think the other thing is just to stay very focused and to like, you know, you'll get a lot of feedback and all it is, is that feedback, but no one knows the product and market as well as like you do, because you've spent all that time researching it.
Um, and if other VCs know it better, then you have a problem. You need to kind of go back to the drawing board and do more research.
Dave: All right. So there's usually, it's always a progress when you go through a big change, when you decide to leave a company or start a company. Oftentimes it's, you know, it's kind of a slow burn.
You're kind of coming to these realizations, but sometimes there's a big moment where you're like, you know what, I'm done with this. I need to do something different. I don't know of anyone who's, I know plenty of people have been practitioners who have become VCs, my friend Zane Lackey, who's over at Andreessen.
Of course, Zane, you know, did that after Signal Sciences. You're the only one I know who's been a VC, who's become a practitioner. Take us through like the key moments along the way. Was it something that was kind of building up or was there one moment where you're like, screw this, I'm done trying to be a salesman.
I'm done with this aspect. Was it a slow burn? Were there a couple of key moments along the way? Take us through your logic.
Frank: Yeah, I think VC was never my intended career path, but I think a lot of people say that of something they do. Um, and I would say for me, VC was always in this trial period and I, I, I got into it because the security industry just had so much kind of like activity during the period I was doing it.
I think like all the most interesting companies, which are even sustaining now were built then like Wiz, you know, Lacework, Snyk, I think that was very interesting. And I think COVID was kind of a key moment for me where I thought, Hey, you know, there was a lot of activity and we were just chasing deals.
I think every VC was just chasing deals and dealing with activity rather than actually like analyzing companies. And I think a lot of the intellectual kind of like intellectual stimulation was kind of lost on me. And I think I was, you know, I had met a couple of the companies that had like, look, also we had looked at companies in various spaces that were pretty technical and I had kind of a lot of like thoughts on them and I realized like I couldn't do anything because I was investing these companies and I said, Hey, look, I really have like pretty strong opinions about
technical products and tradeoffs, but those would never be realized if I invested in the company. And so I would say like, there was a series of these where I said, Hey, you know, I'm really a technical person by, by training. And that's what I'm passionate about. And so maybe it's kind of time to go back into engineering and see what it's like.
Dave: All right. So would you ever become a VC again, now that you're off getting the experience, would you go back?
Frank: Not anytime soon, unless, you know, I've thought about ways to kind of like be in the middle, which is like, Hey, go work for a VC firm, help, help them do security engineering or their portfolio, do security engineering.
I thought about a lot of this, but I don't think anytime soon. I think the, just dealing, being in the trenches and working kind of with like a team and around one business, the staying focus is like actually way more important to me. But maybe one day you ask me and maybe five or 10 years, things change.
Dave: All right. So when you were a VC, you would write a newsletter called Frankly Speaking, and it would come out. And I think it's part of the reason why I knew you and why we stayed in touch and so on. And you would do it. I mean, it was like once a month or somewhat, somewhat regular. Yeah.
Frank: Yeah. Yeah. It was like I think every two weeks or whatever.
I don't remember. It was some cadence. I try to keep up with for sure. Yeah. And it was,
Dave: I'd say like plenty of VCs will do podcasts or they'll write up notes and that sort of thing. So it wasn't like, it wasn't wholly unusual for you to kind of brand yourself like that and do it. I will say like, as you can imagine from the dialogue here, Frank would go deeper in topics and have
more things to say, I think, than a lot of VCs would just given his academic background and even the time you spent at, you know, inside organizations like Facebook and Google, like you'd pepper in some of your experience. So it went a lot deeper, but you kick that into a higher gear, I think, when you were over at, at dbt.
You kind of took it to another level and then you ultimately ended up doing a paid subscription. Take us through the evolution of the Frankly Speaking newsletter, and we'll spend some time here. Maybe the remaining time on your side hustle here, which is now a paid subscription on Substack for Frankly Speaking.
Frank: Yeah. Yeah. I mean, I think the blog goes way back almost to my MIT days. I ran a security seminar. And I think a big part of the security seminar was we invited academic speakers and just speakers in general to come once a week and just, you know, people would learn, I realized like people don't really like showing up at a designated time to a talk every week.
And a lot of times people were asking me for slides or asking me, like, what happened at the talk? Was it interesting? And I finally, you know, threw my hands up and said, I'm just going to write a blog post on every talk so people would stop asking me, I could just send it to them and that actually got a pretty good following.
Not great, but it was pretty good and actually caused more people to show up for the security seminars. They said, wow, I didn't know, like, they're about this. It was kind of a form of marketing. And then when I went into VC, I kind of paused it for a little bit. And then, you know, part of being a VC nowadays, as we view many other VCs, like there's a marketing aspect to it on kind of like who you are, where you're interested in.
And I said, Hey, you know, a big skill you learn in the PhD is writing, and so that's kind of what was one of my strengths around kind of like framing topics and trying to in a way sell them and kind of like say why they're compelling, what's interesting or not interesting. So I started that blog again and, you know, I ran into interesting people like you, so I kept on doing it and I said, hey, here are my thoughts having like talked to everyone, provided some transparency around various aspects.
And I said, Oh, this is pretty great. Like, I think I'd gotten more inbound. I know it was one of those things where people knew about it and no one was doing at the time. No security VC or even VC in general was willing to like, dive into some of these more technical or like aspects of companies and products and organizations.
And so I kind of had found myself a niche and someone just told me, they said, Hey, like you have this, like, why don't you keep it going? And then, but when I went back to dbt, things were just so busy for the first two or three months, I paused it. But then a bunch of people emailed me and they said, Hey, what happened?
Where's all this? What's going on? And that actually compelled me to start it again. But I think when I started again, people said, Hey, look, like there's this thing called Substack. You can get paid subscriptions. One of my friends has paid subscriptions and he now does Substack full time, which is actually very interesting.
He said, Hey, look, like this is a way to kind of, you know, convince people to kind of support you on this. And for you, it's, it'll create a little bit of pressure in many ways to kind of keep going. Cause once you have paid subscriptions, it becomes real. You care a little bit more about the quality. You care a little bit more about the cadence.
And so I said, Hey, I'll try it out. Worst case, I don't get any subscribers and that's fine. I'll continue doing the free subscription stuff, but you can kind of like talk. Like there are some free subscriptions or some paid. And so I said, Hey, let me try this out. And then now we're here.
Dave: And when did you switch over from free to paid?
Frank: I switched over from free to paid when I was starting the newsletter again, when I was at dbt.
Dave: So it's been two years.
Frank: Yeah, about, about almost two years. Probably I looked about a year and a half.
Dave: And just so everyone gets a sense of the type of things that Frank writes here, I'll just read some of the recent, the recent topics.
I already read the, the recent one on how to be an engineer that security people don't hate. There's also how to be a security person that engineers don't hate. People are confused about cybersecurity. Let's see, thoughts on the MOVEit hack. So you'll do, you'll break down breaches. There's a really interesting series you did on how X company, in this instance, Cloudflare, fails, where you go through, you know, the unhappy path of the company, you know, basically being minimized and failing over time.
And you take a lot of positions like this one here, why CISO turnover is good. And there's another one. The topic is AI as a blessing to security. And the fun things about these are like the topic sometimes they're well written enough to where they almost sound clickbaity, but the quality of the thought behind it, and you kind of argue real points in here and again, I think they're like, they're opinions strongly expressed, but loosely held.
It's it's great content. How do you keep generating ideas? And, you know, where does how much of your time do you put into this? What's what's the commitment and what are the hard parts?
Frank: Yeah. I spend about a couple hours a week on it. I would say usually on the weekend when I have most of my free time to kind of sit down and write.
I think it varies a lot. Sometimes, like, thoughts come to me during the day. A lot of, I think, this is generated just by me doing regular reading of various blog posts, LinkedIn, things are going on as part of my, like, ordinary job responsibilities. And, you know, kind of talking to you, I think even in this podcast, I kind of got some ideas of like things that people might be interested and we need to write in like EDR versus data security and kind of why data security.
Sorry. Like, I think there's these topics that kind of like pop up where I hear a lot of people talk about them, but people have these opinions that feel almost unsubstantiated and I think for me, it's like, I'm very interested in them, like, understanding more deeply why, and I think the hardest part, honestly, is this like coming up with the content.
It requires you to be like always on thinking, Hey, what is the what is an interesting topic? And so I think some weeks I do struggle with the content, but some some weeks I do have a list of ideas. And I've actually spent a lot of time talking to my friends who this who run Substacks or do writing for a living.
And they say this is a very common problem, but it's important to just, some weeks you'll have more and some weeks you'll have none. And so you just have to keep a running list.
Dave: Yeah, and I think one of the clever things you did recently is you roped in people like yours truly. Yes. To write some content for you and be on there.
And you've built yourself enough of a brand where it's nice exposure. I had a kind person who actually offered to pay for my Substack after, or for a subscription should I choose to keep writing after that. And I imagine that, you know, it kind of builds up over time. What is, I mean, realistically, money-wise after doing this for like, you know, 18, 24 months, having a paid sub, like how, how much money is it?
And, you know, I bring this up because there's plenty of people doing this now. And there may be somebody listening to this who thinks they'll be the next Frank Wang, they'll be the next Clint Gibler or Daniel Miessler, who does both advertising and paid. Um, and there's a few others I'm seeing pop up as well.
Marcos, um, cloud security lists. There's a bunch of newsletters. Now it's become certainly fashionable again, but what should people really expect from a money perspective? Is this like a little bit of pocket change? Is it significant for you? How do you reason about the actual financial outcome?
Frank: Yeah, I would say definitely pocket change for sure. Cause I'm not doing it for the money. And also I think it's one of those things where I think it's true of most newsletter subscriptions. Like there's a long tail that make a lot of money. And then most on average make very little money. And I'm definitely in the average, if not below average, I think partially
because, you know, it's, it's a business, right? And for me, it's like more so I, the original purpose of it was for myself. And so I'm definitely not quitting my day job to write full time on Substack anytime soon. I'm doing that day.
Dave: So let's say you're, you're talking to a young version of yourself who is looking to get into this and do it.
What would you say to them? What would you tell them to do and not do? What are your accumulated learnings really since you started doing it?
Frank: Yeah, I think like content is hard. I mean, you see all these people on social media doing content. It's hard. It's, you have to hustle. Writing itself is a very good skill to have and I think it's important to do it, but you shouldn't be doing it for the money.
You should be doing it for something else and hoping that money will come as a result. But I think it's a good skill to have. I think doing the blog and doing the newsletter has helped me kind of make, it makes a lot of things easier just generally in my current job where we have to write a lot of strategic plans.
We have to write a lot of planning docs and write a lot of like just technical docs and I think just writing is a skill that you need to keep up with, similar to any technical skill. And, you know, it only improves over time. And I would say like the first couple of blog posts you write are going to be probably pretty bad.
Like I look back and some of the ones I write and I don't want, I pretend they don't exist. Um, but I think the hard part of it is like keeping at it. I think a lot of people get discouraged. And so the more you do it, the better you get. And it's one of those things where you won't see a lot of the
effects early on, like when I started this newsletter, I was a little bit fortunate because I had some people who were my, who did this and followed me during my security seminar stuff. And I got some good press during my PhD around work I did. And that kind of seeded, seeded a lot of it, but, but that was actually very little.
So a lot of the, it's kind of a compounding factor. So you have to keep at it to kind of see results. And sometimes you won't see anything for like six to 12 months.
Dave: So you just have to grind it out and keep going.
Frank: Yeah. And if you don't want to do that, then you shouldn't. Getting started is like very hard or you'll just get discouraged very quickly.
So it's, you just got to grind it out, keep with it, but it's okay to also try like a lot of people try and give up because it is.
Dave: Yeah. Yeah. And a lot of that, a lot of that holds for startup companies too, where, you know, a lot of it is drudgery and you have to keep doing it even when there's not positive feedback there or a good feels to go around. You know, the difference between the winners and the losers is just who keeps going.
Yeah, so I do want to double click on one thing before we wrap up here. We'll get at least a little bit technical. You did your PhD on data sharing. Let's see if I can get this right and sharing data in large scale web services. And of course, you had some practical experience at large scale web services, and then you came in, you went into dbt, which is a really important company in the modern data stack.
Let's talk at least for a minute for how the modern data stack and what's happening there influences you and other people as security practitioners, how are you reasoning about it, given that you did a whole bunch of thinking on it, and now you've really been in the heart of it as one of the pivotal companies at dbt, and now Headway, presumably you're dealing with a lot of that data and so forth.
So I think you have a really unique perspective, and I'd love to hear how you're how you're thinking about it, how it's impacting your job.
Frank: Yeah, I think this, I didn't actually know much about the modern data stack until I joined dbt. I mean, I think everyone had heard about Snowflake and how it was a highly anticipated IPO, but I didn't really learn much until I went to dbt where I was trying to really understand like, what is all this hype around the modern data stack?
Like, what is the point? And I think there, there are a couple of things that are pretty interesting. I think the most interesting thing was that it put power back into data people's hands in the same way that like SaaS products power back into the, the stakeholders hands, right? Like, you no longer needed to rely on like IT to provision you infrastructure, you didn't need their approval.
So like this whole data stack, you can build a data stack without ever having many times without having a conversation with your IT or DevOps team, because you can buy Snowflake, you can buy dbt, Fivetran, like the suite of products. And then you can just start piping data through with very little programming knowledge or technical or engineering knowledge.
And that is pretty powerful because what Snowflake, the second thing that Snowflake brought to people was essentially what AWS brought to the world, which is unlimited elastic computing power on data, so you can now store data and do computations on it without kind of worrying about not having the resources other than money.
I mean, you didn't have to build any like hardware or like negotiate with anyone. You just had to pay money and you got it, which is kind of an amazing thing. And in SaaS companies came out before you had to like build all this hardware. And this kind of realization came to data people through Snowflake.
And so now these data folks are enabled to do a suite of things. Whereas before they had to either go around infrastructure people or they were restricted. Right. And now kind of the possibilities are, are endless around the dashboards they can make, the computations they can do, the amount of data they get hold and analyze, kind of that opens a world of possibilities.
And so that was all, I thought, what was pretty interesting because a lot of the tech, large tech companies had that capability because that's so much infrastructure. But now this is available to like almost any company.
Dave: And what are the, what are the direct implications for you as a security practitioner working with those data teams, trying to keep things on the happy path?
Like what are the, what are the advantages that it poses and what are the things that are new challenges and risks?
Frank: Yeah, I would say the advantages here is that there's all these products that make it a little bit easier to configure security on or like do security with, and you know, they spend time doing security rather than engineering team spending resources to kind of like restrict data flows, etc, etc.
So I think like, in general, like having a product that someone else maintains and spends time on security is better than me spending that time and we can kind of like work on other things. But I think the big risk here, and I talked with a lot of people in the security engineering community about is that
it's made data very independent in the sense that like before talking to infrastructure was good because we actually had visibility and now it substantially reduces our visibility and the products have become a little bit more technical in the sense and less it's more and less technical depending on your perspective, like it's a completely new data pipeline and the ways they work and how you operate.
Now, as a security person, you have to go and learn this completely new thing. And so a lot of like what you knew before doesn't apply. So you have to go learn about Snowflake and how it operates and what dbt does and Fivetran. And like, even people who did data before in the old world, like don't necessarily know how data is done in the modern data stack.
So this is, as a security person, the new skill set, less visibility, and, you know, the lack of visibility is always a problem. I, you know, you have to be very active and now dedicate someone to learning this. And that, like, opens up a host of risks.
Dave: Yep. Yep. And is there any, do you have a person focused on it at Headway?
Or is it something that you invest your personal time into? In practical terms, how are you dealing with it on your day to day?
Frank: I think it's just a skill set I'm learning myself and working with our infrastructure and data team on. I think it's just an area you have to go in and learn. And I think I would like to have a person dedicated to it in the same ways there's like a DevOps person dedicated to data infrastructure.
I think it's very important as part of a platform. And I think you just need to invest in it early. And I think it's hard because there aren't many people who understand the modern data stack in general, let alone the security implications. Yeah.
Dave: You know, when you think about what's happening with AI and the importance of the data sets that are, you know, that are being trained on and so forth, I think we probably over bias towards people who are training on public data sets, but a lot of the more interesting work is being done as fully with private data sets.
And outside of, you know, sensitive data, getting into training models and everything else, I think it kind of further ups the ante for the importance of data. And, you know, who knows, maybe at some point, Frank, all the money that, you know, that was poured in when you and I started going back and forth on the, on the thread a long time ago, we'll look at it and say it wasn't nearly enough.
Frank: Yeah. Yeah. Maybe. Yeah. I think like with this AI stuff, definitely. I mean, AI is a lot of the AI work is leveraging the modern data stack. I think people don't say it as much, but you can kind of see this with like the increased interest in Databricks and Snowflake because this is a time we actually have that compute power to do all that work on the data.
Dave: It takes a lot more than GPUs. A lot more than GPUs. Awesome. This feels like a great point to stop. Thanks so much for coming on, Frank. This was a little meandering, but it was, it was awesome. I think we, I think we hit all the high notes.
Frank: Yes, for sure.
Dave: This is fine. All right. Thanks everyone for listening.
Uh, appreciate you listening in. Next episode will be likely focused on the one and only Kelly Shortridge. So tune in and it'll probably be, I think we're back on our, on our regular monthly cadence here. Not nearly as fast as Frank's Frankly Speaking Substack, but pretty, pretty regular throughout the fall and through the winter here.
So thanks for listening.