00:00hi everyone and welcome to the a16z
00:03podcast I'm Hannah and in today's
00:05episode we have our own Ben Horowitz
00:07moderating a session with Okta CEO
00:09Frederic Kerrest and Dominic Shine who's
00:13the CIO of News Corp plus Brad Peterson
00:15who's the CIO of NASDAQ on securing
00:19infrastructure from mobile to IOT and
00:21beyond this session was recorded as part
00:24of our inaugural a16z summit all right
00:27so before we get into the real hardcore
00:30security stuff let's talk a little
00:31business and News Corp's an interesting
00:35position these days coming off of an
00:38election you're representing kind of one
00:40of the most important companies in
00:42traditional media how do you think about
00:44your role technologically and moving
00:47News Corp forward Wow what a question
00:51you might think Toob already I'm British
00:53so I can probably take the fifth on this
00:56one yeah it's an interesting time
00:57obviously nothing going on in politics
00:59here or in Europe either from a
01:01technology point of view what we find is
01:04more than ever the journalists are out
01:07and about their mobile they need access
01:09to systems anytime anywhere so I see my
01:12role is to enable that workforce to have
01:16the easiest time possible in a very
01:18pressurized environment to create that
01:20content to distribute that content
01:22well I'll steam them you know good
01:25security controls that don't make their
01:26lives too difficult and short follow-up
01:29on that or maybe not so short the other
01:31thing that having this election was
01:33apparently the Russians got involved
01:35were you concerned that a foreign entity
01:39or someone might actually hack the Wall
01:41Street Journal and try and change the
01:43news you know at the exact wrong time so
01:46I think we're always vigilant so that
01:49I think our concerns were more that we
01:52might have a repeat of the denial of
01:54service attacks of the previous weeks
01:55who might have disruption but we have a
01:57lot of safeguards around protecting
01:59those crown jewels those assets so one
02:02of the things that's got kind of
02:04tremendous technological momentum is the
02:07technology known as the blockchain and
02:10implementations such as Bitcoin and
02:12Ethereum and you know it's been posited
02:16that the right place for us for a stock
02:18market exchange isn't Nasdaq so much as
02:22it would be the blockchain because then
02:24you could have software set the order
02:26handling rules and everything and get to
02:28a more kind of fair exchange in a much
02:31lower fee exchange when you look at that
02:34how present a threat is that compared to
02:37a future threat and then how are you
02:39thinking about that technologically and
02:41what Nasdaq has to do to go going
02:43forward before Nasdaq I was involved
02:46with PayPal which is a consumer based
02:48you know product and an Schwab which is
02:50the investor side so now with Nasdaq
02:53we're focused on the the list what we
02:55call the listing side which is really
02:57the issuer or the company what I always
03:00like to think about is the products for
03:03both ends and the products for both ends
03:06need a lot of change in modernization
03:08and maybe we'll get into the consumer
03:10side there's there's a tremendous amount
03:12that doesn't work for our existing
03:14banking consumer products and investment
03:16products so for specifically Nasdaq and
03:19in exchange I would say that on either
03:21end we will always have those two
03:24customers and everything in the middle
03:26is up for grabs for re-engineering the
03:29fact that we're in the middle means that
03:31we have to think about how we we rethink
03:34our role entirely I think the the main
03:37one that is really interesting is the
03:39physical world when you had trading
03:41trading was proximity yeah well you you
03:44were a disruption to really good New
03:46York Stock Exchange yeah we were the
03:48ones a group of people that got together
03:49and said you know these things that
03:50people do waving their hands and
03:52throwing paper on the floor at the end
03:53of the day and sweeps up seems to be a
03:56little outdated so you know why wouldn't
03:58we do these with computers that was
04:00although every city had a Stock Exchange
04:02and you know there were physical places
04:05so the the record-keeping was
04:08distributed that's why we have the DTCC
04:10which is a centralized securities
04:13depository centralized because mainframe
04:15technology was all you had at the time
04:17so I think the architecture was already
04:20in the 70s to be distributed but the
04:23technology the solution was only
04:24centralized I would say that we are
04:26going to go more towards a distributed
04:28record-keeping system because we can now
04:31and that's and that's what's really
04:33exciting about blockchain for us we
04:35build technology for CSDs outside the
04:37u.s. we see that becoming more of a
04:39distributed record-keeping and do you
04:41think that will make it it's more
04:43efficient it so it'll be lower it will
04:44lower costs and absolutely speed up the
04:47process and how about techniques such as
04:49high frequency trading and so forth will
04:51that become more complex and elevate it
04:54to only the the very best players or
04:56will it become obsolete in the
04:58distributed world well I like to look at
05:00her unpredictable no but I I think I
05:03think that you know I was in in New York
05:05City even though I lived in the west
05:06coast at the time during 9/11 and I was
05:09really surprised to hear that the
05:11industry financial services that had
05:12massive data centers on Manhattan and
05:15I'm going why do you have that and it
05:16was because they over index for speed
05:18and latency around trading that you
05:21needed to compute the Sun Microsystems
05:22that first were right there on a trading
05:25floor and then big reputable firms had
05:28major data centers in Manhattan if you
05:30think about why would you have a data
05:31center in Manhattan you would want to
05:34have it many other places where there's
05:36low taxes and low and low cost of power
05:39so what a lower chance of a terrorist
05:41attack if you look at consumer if you
05:43look at the investment space where
05:45Schwab have their data centers where
05:47Wells Fargo and B of A and Amex have their
05:50data centers they're in these places
05:52that don't have natural disasters they
05:54engineered for risk whereas the
05:57exchanges move from Manhattan to New
05:59Jersey yeah you can look at it almost
06:01like skiing when you when skiing was
06:03going you had longer faster skis and
06:05then someone invented the snowboard and
06:08you changed what you are really
06:11designing for it's designing for a fun
06:13and performance so I would say speed has
06:15already been exploited and now it goes
06:18back to I think security fairness and
06:22resiliency are going to be balanced out
06:25so we probably won't end up with massive
06:27data centers in New Jersey and Chicago
06:29you would put them in other parts of the
06:31world that are safer and more so
06:33as that is re-engineered there's an
06:34opportunity to introduce blockchain
06:36technology so that's what I'm pretty
06:37excited about it that is interesting
06:40so given what both of you have to move
06:42towards in the future
06:44you clearly have to embrace the great
06:46re-platforming to mobile there's a
06:50going to mobile because that would seem
06:53like a ridiculous question but what are
06:54the challenges as you widen the attack
06:57surface and you just introduce very
07:00different kind of technology for
07:02consumers to access your services and
07:05businesses to access your services and
07:07start with you done she will say from a
07:08security gonna be yeah you mean
07:10primarily well security or whatever we
07:12are you know big organization twenty
07:14five thousand people over ten major
07:16businesses the first challenge in any
07:18big change is how do you get the balance
07:20right between letting each individual
07:21business go their own way move at their
07:23own pace and bring all the advantages
07:25you can by working as a group that's the
07:28first thing with mobile so we try and
07:30you know allow the business units to
07:32really go at fast speed to develop their
07:34mobile products bring the best products
07:36to bear keep improving them but
07:38increasingly we're deploying common
07:40deployment platforms API frameworks to
07:43try and speed up how they deliver that
07:45reduce the cost so that we don't have to
07:47do the security testing over and over
07:50and over again the more you do that
07:52you're more than you open you up you're
07:53more you have to be vigilant and to make
07:55sure that you know you've got the
07:57security aspects right so there's a lot
07:59more vulnerability testing there's a lot
08:01more scanning of that thing for internal
08:04users everything we do now we would not
08:06buy a product for enterprise technology
08:08unless it had an excellent mobile app an
08:11excellent experience we want to enable
08:12our workforce to work wherever they want
08:15whenever they want again with that you
08:17need great user experience but we need
08:20good security so you know that that's
08:22been a key part of that architecture to
08:25really help us unify that and lock that
08:28down so that that takes away quite a lot
08:30of the headaches for us yeah so Freddie
08:32what what is Okta doing on mobile
08:34security and like how is your approach
08:36different than some of the things that
08:38people have to play I think that you
08:40touched on one of them which is people
08:41are just trying to innovate and create
08:43new applications and new experience
08:45they're doing that both for internal
08:46constituents but also externally so you
08:48just want a better interaction for your
08:49customers and your partners on a lot of
08:51this the operating systems have become a
08:53lot more powerful than the devices that
08:54everyone has in their hands so you can
08:56now leverage a lot of what's available
08:58in the iOS in the Android operating
09:00systems in terms of the profile which
09:02means you can provide a much richer
09:04experience that has a lot of financial
09:06implications because employees are
09:07showing up with with mobile devices that
09:10we all have which are basically super
09:11computers but they're expensive so you
09:12want to enable your workforce to take
09:15advantage of the tools that they have
09:16but you want to do that in a very
09:18seamless experience so that they can
09:20still use the business tools but do that
09:21in the form factor they're used to and
09:23make it very easy so just taking
09:25advantage of a lot of the new
09:26infrastructure and technologies that are
09:27available out there and Brad when we
09:30talk about mobile and mobile security
09:32given that you're dealing with
09:33transactions the user interface design
09:36security and the integrity of the
09:38transaction how does that changed when
09:40you go to mobile well it's going back to
09:43the Schwab days everyone really wants
09:45access to their money on their phone it
09:47because you don't lose it's kind of the
09:49old trick of ATMs what ATMs did when
09:52they first set them up as if the network
09:54was down you couldn't get money out and
09:56so they did some risk management and
09:57said without being able to check your
09:59balance well it will make you good for
10:01it there's some amount of risk
10:03management that you want to build into
10:04just making sure that someone isn't left
10:07with zero access to their money when
10:09when they're looking at their watch or
10:11their phone or their endpoint device
10:13being a replacement for the physical
10:15wallet eventually though you need to
10:17connect back into what is likely going
10:20to be the future of storing your bits
10:21that represent your assets or your money
10:24in a cloud those two are the new area
10:28where today all of all of our
10:30representation for our wealth and our
10:31and our money is sitting in a
10:33proprietary data center Financial
10:36Services has been slow you need to look
10:38at it both ways on the endpoint than the
10:40cloud and you really need you need the
10:43solution in both places so there was
10:45recently a rather dramatic security
10:49attack where apparently Chinese ship
10:55leaving manufacture very cheap chips for
10:59camcorders and DVR have a security flaw
11:03maybe accidentally maybe planned in
11:06their chip that was then exploited for a
11:08massive denial of service attack against
11:11basically a very large DNS provider of
11:13naming services on the internet
11:15resolving names to addresses and kind of
11:18basic functionality that you need for
11:20the internet to work what can you do to
11:22deal with that kind of attack where you
11:24potentially have a state actor with a
11:26very sophisticated attack rolled out
11:29over maybe a decade yep yeah was it a
11:32feature or a bug right of the IOT who
11:34knows that's a very good question I
11:36think a couple things first of all it
11:37showed that we've taken a lot of the
11:39infrastructure the way that we've
11:40designed things so far for granted the
11:43way that the original internet was
11:45designed and the way that people are
11:46using it today everyone's got to take a
11:48better look in terms of security and
11:49infrastructure and reliability on what
11:51we're doing and how we're doing and how
11:52we're gonna do it in the future because
11:54we're just talking about you know a
11:55billion people on the Internet
11:56we're not talking about all the devices
11:58that are gonna come out which is where
11:59some of this originated the other thing
12:01is this is basically a trial run I mean
12:03this is in very small form it's a
12:07diagnostic of what's gonna happen in
12:08this case it was some cameras at home
12:10that people are plugging in and using
12:12and it's broadcasting a lot of data and
12:14these folks are able to take this data
12:15and point it towards a specific service
12:17when you think about everyone in this
12:19room now has two three four devices
12:20everyone's carrying smartwatches just
12:23earlier this morning someone was telling
12:24them about their internet enabled crock
12:25pot and how you can control your you
12:28know you laugh but it's true right you
12:29want your chili to be warm too you know
12:31when you get home two hours from now
12:32people controlling the the light
12:34switches you think about utilities that
12:36are managing smart meters and the kind
12:39of attack that could happen when and if
12:41you know someone decides to turn on all
12:43the other initiatives in New York in the
12:44middle of the summer that's pretty
12:45serious and this is just the beginning
12:47of it it's a good trial run for everyone
12:49to take a look and say what are we doing
12:50today and how we're gonna improve it and
12:51there's always things that we can do
12:53better include including us at Okta
12:54but also it's a good wake-up call it's a
12:57good wave wake up call further for the
12:59industry and in particular the folks in
13:00this room to think about okay there's
13:03all these opportunities we talk about it
13:04you hear about IOT you read about it in
13:05the news everything is connected I can
13:07talk to my car that's all great but with
13:09I've changed come a lot of risk they
13:10come along that you have to think about
13:12Dom if you know one could imagine
13:14somebody launching that kind of an
13:16attack to shut down parts of the media
13:18during an election cycle like we just
13:20had how much do you think about what you
13:23have to do yourself versus how you rely
13:26on your vendors for security how do you
13:28yeah how do you balance that
13:29particularly on an attack like this
13:30which it's it's very difficult to be
13:32resilient against yeah no it's it's an
13:34excellent question I think you know
13:36Freddie got it right it was a wake-up
13:37call so for us for the things we
13:40directly control we did have a
13:42contingency plan we were able to switch
13:45to and ask very quickly we're in good
13:46shape but we were exposed to our major
13:49partners and really it crystallized for
13:52us a knowledge that you know you're only
13:53as good as your weakest link your
13:56weakest connection so I think for us
13:58it's ignited now a real passion to work
14:01with our partners to say okay let's look
14:04at their risk and make sure it's
14:05mitigated but now let's really think
14:07what are the other things that could
14:09occur have you thought through that
14:10prove to us that you've got a
14:12contingency plan you've rehearsed it so
14:14I think you'll see organizations like us
14:17taking a much more strong stance with
14:20those partners in doing due diligence
14:21around that when we select them and also
14:24monitoring how they work on the ongoing
14:26basis right and Brad do you have a
14:27similar view or do you see it
14:29differently or like what's even possible
14:31financially though these attacks
14:33escalate we have to worry that we're a
14:35big prize for just terrorism if you can
14:38take down what is represented you know
14:41New York Stock Exchange NASDAQ as
14:43capitalism so we have to work with the
14:46government because we're not going to
14:48outgun any any nation state we're deemed
14:51critical infrastructure in the US
14:52everyone in the US that's deemed
14:54critical infrastructure has formed a
14:56group so that we can talk amongst
14:58ourselves very rapidly for the exchange
15:01itself it is not open to the internet
15:04directly so that's more of a
15:06permissioned environment so I think
15:09that's that's one clearly you've got to
15:12let applications and indirectly yes so
15:16and there are early days of the web
15:17actually because everyone wanted to be
15:20web enabled you know the exchanges were
15:23web enabled directly and so you've
15:25since changed that yeah some overeager
15:29folks in the late 90s actually said well
15:32you know let's just bring access in from
15:35anywhere so I so that's changed but you
15:38know we have we have to think about it
15:39from a from a just it's it's not
15:41necessarily for economic gain or a crime
15:44but there's there's also just the
15:46embarrassment factor of the u.s. and in
15:48those critical infrastructure
15:49discussions you end up being privy to
15:52information about you know particularly
15:55state actors you know that are concerns
15:57there's there's a fairly frequent
16:00warnings about who might be the target
16:02but in general financial services
16:04institutions and do get early warning
16:07about campaigns and it usually is
16:09related to some event that is a reaction
16:13to a you know a foreign policy action by
16:15a group of countries and there's a
16:18retaliation right so it we are seeing
16:20that you almost can read the news and go
16:23uh someone's something be coming coming
16:26our way and hopefully you know it isn't
16:29effective the beauty of having having
16:32the ability if someone gets hit we can
16:34quickly share it then understand how you
16:36might sort it and definitely check you
16:40you get better ability to check where
16:42so there's early warning that way okay
16:45upon that happy note I will open it up
16:47for questions if anybody's got questions
16:50do you think about working with two or
16:53three top vendors that are really gonna
16:54provide the security that you need and
16:57maybe let go some of them you know the
16:59vendors you've been using that maybe I
17:00have higher vulnerabilities or just how
17:02do you think about consolidation of
17:04vendors in this world yeah so I don't
17:06think it's about consolidation of
17:08vendors I think it's about making sure
17:10that all our vendors and partners
17:12achieve the right standard they can be a
17:14unifying force to tie together some of
17:16that but I think we'll continue to use
17:18best-of-breed tools underneath that and
17:22we'll continue to monitor those make
17:24sure they're fit for purpose but
17:26security is very important but it's not
17:28the only consideration
17:29so we'll still look at it as a balanced
17:32portfolio things we assess so I don't
17:35see as saying you know let's just go
17:37with one major vendor because we like
17:39their security posture I think there's a
17:41de-risking actually in in having a
17:44broader suite and having options how do
17:47you see your security spend changing
17:49among the various sub sectors of
17:50security that you spend today is there a
17:52particular area that you can emphasize
17:53more than before I think you know
17:56overall terms we're spending more on
17:58security so over the last year 18 months
18:01we've been driving a big maturity
18:03improvement program across the business
18:05things like single sign-on have always
18:07been very difficult now they're they're
18:09good and easy to use we're spending more
18:12on data loss prevention endpoint
18:14management vulnerability scanning also
18:17you know in terms of services we use
18:20sort of Red Team testing approaches
18:22we'll do actually our own hacking
18:24internally to try and find
18:26vulnerabilities something those are some
18:27of the some of the major areas where
18:29we're investing more I would just add in
18:31addition to what what Dom said we're
18:34seeing more for the privileged access
18:36employee user behavior analysis in and
18:40it goes to some of those events like the
18:42pilot who drove the plane into the Alps
18:45really having a more dynamic view of an
18:48employee who may have been hired has
18:50gone into some type of stress or trauma
18:53in their personal life whether it's
18:55mental illness whether its financial you
18:58really had their certain roles in the
19:01company that you have to figure out how
19:04you look at them more more regularly so
19:06I think that I think that's an area of
19:08opportunity in addition to the ones Dom
19:09had all right well I would very much
19:11like to thank our guests Dom Brad and
19:13Freddie and thank you for joining us