Episode 54: Building AI Security Infrastructure: From Cisco Engineer to Startup Founder with Jaz Lin

Narrator:

Welcome to 909Exec, the executive leadership podcast from 9 0 9 Cyber Where Cybersecurity intersects with Business Strategy. Your host is Den Jones, founder and CEO of 909Cyber for more than three decades, Den has led security at Adobe, Cisco, SonicWall and Banyan security, helping executives navigate risk, trust, and transformation. Each episode goes beyond headlines and height with conversations that matter to leaders shaping the world of technology. So please join us for 909Exec, episode 54 with Den Jones and Jaz Lin.

Den:

Hey everybody, welcome to another episode of 9 0 9 Exec. Hopefully your guide in your leadership journey. We think and we hope that our audience are leaders who are striving and breaking new ground and the revolutionary people and we love to therefore bring in guests that we feel are just like you, revolutionary people in some cases, founders and CEOs, and today is no different. I've got Jaz Lin, the founder and CEO of Skyrelis, Jaz. Hey, thanks for joining the show today. Why don't you introduce yourself?

Jaz:

Cool. Thank you. Thank you Den. I'm glad to be here. So my name is Jazz. I'm the founder and CEO for Skyrelis, and I am an engineer by training. Started my career in network network security. It spent 7 years at Cisco diver, deep in network network security. Got my CCIE after that, joined VMware and Rubrik and the RingCentral. Very much deep in cybersecurity. I'm glad to be here today to share with you my journey and my story.

Den:

Yeah, yeah. And both you and I, both you and I were at Cisco, although we missed each other by about seven years I think. Yeah, I was not there long and yeah, it was just actually during COVID I joined Cisco, which was a very strange time to shift a job, but nevermind. Nevermind. Anyway, let's dig into some of this. So, so Bay Area, you're a founder, you've got your business up and running. Why don't you share a little bit just about the journey, the couple of roles before Skyrelis, what were you doing and then what was the impetus for you to think, Hey, I'm going to start my own company. Here's the idea. What got you on that path?

Jaz:

Yeah, so I'm not a typical fund. I know that I want to be a fund from beginning. Actually, maybe I can take step back, just talk about my journey into security because I started my career in networking. I got to be honest with you, when I first started my career, I joined Cisco when I was an intern and my first thing here is I want to be a builder. I want to build, I feel like it's more productive if I can move fast. It's more creative. Security at that time was the last thing I want to pick because I always got the impression that security, the philosophy of security is prevent people from doing anything. At that time. I'm not deep enough, I wasn't deep enough, but then I got assigned to these VPN projects and I was the go-to person for the entire VPN portfolio as a technical product managers.

And the responsibility is big. You have to protect the entire network, define a boundary, and then that's not the first thing. But the deeper I go into there, then I get to appreciate more. And also because of the age, I guess that I get to appreciate more about the philosophy about security that you have to really, the knowledge I like the most. That really changed my perspective about security is more like security, like the brake on the car. So allow you to go safe, allow you to go fast safely, and it with competence. If you know that your car can run at 200 miles per hour, the road is open, there's no carpet run, there's no stop sign, but you know your brake's not good, you are not going to run very fast. So that mortality really then maybe appreciates security more. So that things about my journey is that, look, I'm not a typical funder. The reason I started the sky getting into the business is because my previous job I was acting CPO building the security solution for emerging emergency services and I just cannot find a tool for my team. And also we just don't have that. We just cannot build an entire operations team that node security, no agent tech. It really got me thinking that's how I get started at Sky Business.

Den:

It's interesting. I think of it, the most important thing I hear about why somebody would start a company is that they are passionate about solving a problem that they believe nobody else is either solving or no one's solving it in a way that they think is good for the industry. Right? Yeah. So were you thinking, well wait a minute, there's players here but we can do something and differentiate ourself or do you think there was just nobody doing this when you started?

Jaz:

Yeah, this is a really good question. Look, Skyrelis, this is AI infrastructure company will really laser the focus on agenda security. So there are a lot of vendor out there also talking about security. The reason I want to do something myself was my team is because that today's most of the solution solutions is actually built for developers, not built for security operations. I literally do the research starting bound end of 2023. The entire 2024 for me is I dive so deep. I wrote almost a book, like 57 pages about the market list of the solutions that why I cannot use it, what's the reason? So yeah, you're right. So we'd really need a solution built for security team, not so much for developers. That's the angle that we're focused on.

Den:

Brilliant. Now you guys, so you're also a new company. So what round of funding are you in and how do those conversations go as you're trying to speak to VCs or investors?

Jaz:

We're very, very early stage. We're in the seat round and right now we're not actually a fundraising, but we will be soon. Right now we're laser focused on the working with our design partners deployed in the production network. That's where we are right now.

Den:

So you're still working with design partners and stuff of that nature and even getting the seed funding, I'm guessing you're knocking on doors of investors and you're like, yeah, I got this idea. We think this is a winner. I had a conversation with somebody earlier and I was like, yeah, it's just really gambling for fancy people with money. When you think of VCs, what did you do to convince someone to invest and let them know the risk? The risk is a good one that they want to take?

Jaz:

So a lot of people, this is my first time to do fundraising. My co-founder had an experience. A lot of people kind of remind me that this is finding a partner in marriage because this you have to be in English together. I think that the part, I'm not trying so much to sell the idea to them, it's more like do you agree this our philosophy, are we aligned with the problem statement? Not so much about my solution. Me, me. So is the VC or investor, they're also in the ecosystem. To me it's more like building that alliance right now, even for the design partner, the team is so small, we are really picky on picking the customers who are in the journey with us that we can have the network effect, we can provide solution enable my customers, they can penetrate the enterprise market. You have to have a value, you have to believing in on the same page on the province statement that we're trying to solve and marching towards market together. This is true for finding a customer. This is also true from my perspective, finding the right investors.

Den:

And I think that's a really important takeaway for the audience, which is if you're starting your business and you're looking for investors and you're looking for design partners, it really is more about alignment on the problem that needs to be solved and the strategy or vision for how you solve the problem. The details of the features and functions I think come next. But those two pieces as you mentioned, I think those are vital. I like how you say you're selecting them as much as they're selecting you, right? I think there's a mistake that some founders make, which is they just see the dollar signs and they think, well that person's going to give me money. I'll do that, grab them. And almost a desperation. I don't get the sense, and we've spoken several times and recently and I never got the sense from you that you're desperately trying to pitch and sell and pitch and sell and you just seem really, and you've mentioned this word laser focused, but you do seem very focused on we know what we're building, we know why we're building it and we've got the right people around us. And I think of it, you said small team, I look at it, but a small but focused team can accomplish a heck of a lot more than a large team that doesn't have good leadership or good focus. So when you're motivating and rallying the team, how are you getting them on board with your vision?

Jaz:

Yeah, so again, everything aligned with the problem statement and one thing I make sure that we all align is that we deploy this agenda solution in our network. I have them using it. I have them feel the pain without the right tool to manage it. So we thought through our products since day one. So that's the best way I tell them that everybody are a leader. Everybody have to do the hands on even including myself, I do the by coding. So you are the ciso, you are a developer, you are the vendor. How would you managing your policy? So we then open other discussions. What's the best way to solve it? Look, I'm very logical person. As long as you have very clear defined problem, there's always a way to solve it.

Den:

Yeah. Do you know, I love that because one of the things that I've said anytime, so when I ran into price security at Adobe and Cisco, we were leading some big gnarly projects for the whole company. And I would remember people say, but this is a problem, but this is a problem. And they'd come and you'd list like 10 problems and I would turn around and I always say this, I'm glad that you shared the problems. I'm glad that you're thinking about them. If you turned around and you didn't have any, I'd be more nervous.

I'm less nervous because before we get hit by something, we're thinking about the things that might slow us down that might get in the way of success. The fact we're thinking about them means we've got an opportunity to address them before they become the problem. I love it when a team gets together and they're like, wait a minute. And to your point, there's two ways of doing this. One, you're eating your own dog food or you're drinking your own champagne. I think it's somewhere in the middle usually. Sometimes your champagne tastes like dog food and other times you're proud that your champagne tastes like grape juice. But yeah, I mean I think it's very important to run internally your own magic. If you are going to give yourself some advice, the younger jazz, because you're still early in the journey, but if you were going to give yourself some advice of one thing you would probably not have done or do differently, what would that be?

Jaz:

It's interesting when you just saying that I just can see that you have found security background, your thought process. That's why I have a smile on my face if I want to give myself advice. One thing I want to share with you how security shaped me personally, and I wish I started journey earlier is that because I working on security, I start doing the meditation and mindfulness practice because you say security thing, how we think. We every day worry about what am I missing, what's the case and what happen if this happening? 2:00 AM not in the demo. We're constantly thinking about what do I miss? What else is there? I don't know. Every day I tell my teams what really kills us is what we don't know. We don't know. Discover that you don't know soon enough to bring help. Is this relevant? Is it relevant to us? How are we going to solve it? That don't know. Don't know is top of my mind. So if my advice to my sales strategy may take early, I can tell you I'm the high energy type of person. It take effort for me to stay back to think it through. If you don't have that mortality, you'll be chasing the alerts rather than have the whole picture full picture. I guess that would be something I wish I start earlier.

Den:

Yeah, so it's funny you talk about mindfulness and meditation. I got advice. I mean my team was responsible for all the directory services and firewalls and all sorts of security stuff, but you couldn't log in at Adobe without using my team's services. And so we're basically always on type stuff and there's a lot of pressure that comes with that, right? And I remember one of our coaches turned around to me and said, Hey Den, you need to start meditating. I think this was about 15 plus years ago. She said this. And I never started meditating until probably the end of COVID or something pretty much like two years ago. And I just never thought about it. I mean I thought about it, but I just was like, okay, I'll do that one day. And I think pretty much at some point, and I'd went through some medical procedures and stuff, so you start to think of your own mortality and I was like, well, I'll start meditating.

I always like doing walking trails and stuff, so I'll do more of that. I took up yoga. I love doing yoga. It's a great fitness. I do hot yoga, which is even more fun sometimes hot yoga with weights. But I think the big thing is in our industry there is a lot of high stress and high pressure and high burnout and I think it's vitally important. We've had a lot of guests on the podcast actually that are mindfulness coaches, breath workers, I mean just all sorts of stuff, which I think for executives in tech, we need to take care of ourselves. So I love that. And I think if I gave my younger self some advice, I'd be like, don't take shit so seriously or personally and meditate and do mindfulness more, probably drink less, would also be another one. Probably had more hangovers than I care to think about, which I should give my younger self some advice on that. Where do you see, so you're at the forefront, the cutting edge of AI and AI security. Where do you see the industry going? What excites you about the whole AI topic and what scares you about it?

Jaz:

So let me start with what scares me about it and then I'll share with you my perspective. I would love to hear your perspective as well that you have been in so many interviews with the founder and also you guys, the fresh notes C. So you probably have your own perspective. I would love to hear your thought. So because I'm so deep in this urgent security, what scared me the most is that I see the market right now. They're pretty much attacking developer's identity. What I mean, right? If you look at gen security, pretty much everything is SDK based, building your security policy into your applications. But developers are developer, they don't sign up for to handle security compliance. I was in CSO office, evaluate security solution, deploy security solution. But it is very painful to every day you have a negotiate with developer on their priorities.

I can guarantee you their part is not wired in security into applications. Their job is to developer application to make money for the company. But the tool, the market right now is pretty much that direction. You order gent security policy need to be wiring in the applications. So that is the things that scares me the most. And that's also the problem. I'm soak keen, I want to solve it, right? So that is a problem I lived in the past in my previous job. So I think you also asked a question, what I see in the market market trend, look language model really just throw everybody off a little bit. So in the past naively I did not have my crystal ball. Now I lost it. Things move too fast. That's what I meant. It's like you think, oh my god, so, so brilliant. And the next month then the JGBT will HR become a new version, everything's solved.

But I don't think that going through the market trend, I think this is what I see. There will be a lot of commercial agents out there, open source and the office shelf agents. Some of the agent might not be hosted by you, but I see that organization, enterprise, they might have the agent hosts by themself, the build in-house for the employee to improve their productivity or the embed AI agent in the product. So to the customer, there will be a lot of good commercial open source agent that outsell, we deployed that in our environment. I want to use it very helpful. But the thing is, what I see here is that there will be a new market coming up that user, everybody can log into the centralized portal that you can fit. You can see all this agents you use in hosting house or host by someone else, and you can configure policy centrally on that portal.

You control your own journey, your policy. This already solved two problem. One problem is that you solve problem for vendors because that you can't provide different security policy, be wiring in application for different customers. It's very, very CICD pipeline nightmare. It's very, very challenge. The second thing is you solve a problem for end users. Now you can just easily log in, configure policy. So I would think that this will, you would be really, I think I believe that this market will create a new market for that solutions and that will make things really move forward in a very meaningful way that will increase the agen adoptions.

Den:

Yeah, I was wondering if we're going to see more and more companies just leveraging AI to build their own security products as opposed to buying security products. I mean is that something that you guys all talk about as founders and builders?

Jaz:

I love that question. I want to hear your thoughts. And I do have that conversation with my founder friend, my friends in business leader on the buyer side. So I think if organizations, I actually spoke to one big financial services organization, they are doing that. They're building it. So if an organization is big enough, they have a whole army of developer, they have a whole security operation, they can do that. The tools there, they can do that. But it's not easy. It is not that easy as you think it will be. I know that a lot of people build on top of NCP, but NCP is protocol not a security solution. But to answer your question, yes, organization might be able to build that. You have the money, you have a resource, you have the whole board members support you. You can do that. Be careful an ROI. But I'm also want to say that in the medium-sized company, so this market based on my observation is growing in a way that because AI increase the productivity, their revenue going up, they can afford, but they don't want the entire big army security operation team for this. You need a vendor to offer turnkey solution to solve their problem. That's my perspective and my prediction. You may say, what do you think then? I mean, what's your perspective?

Den:

So I think it's still that build versus buy. And to your point, you'll get larger companies that have the resources, they will typically still go build some of their own stuff. And then like you say, there's a whole lot of I, right? Is it possible that your dev guy Dave leaves and then all of a sudden the person who built that little thing and they were the AI expert in your team, they're gone and now you're screwed, right? So I think that whole build versus buy dichotomy is still going to be there. But I do think there's going to be a lot of companies that they're going to solve little small point problems with something that they can easily get off the shelf and open source and

Go that direction. I still think though the risk there is if they don't have, I mean as people talk about using AI to do all these magical things, the risk is is that you forego having an expert in the room to say to do the thing. So you'll leverage AI to go build something, but you're not a builder, you're not a coder. So you don't know really what the code's doing and your fingers crossed the thing works at the end of it. So I think there's brilliance of the, you don't need to be a coder and you can create an app. And I see a lot of that, especially in the marketing side of it. And I think it's nonsense. I think the reality is if you do that and you don't have skills in that space, we speak to a lot of clients that talk about using AI for doing compliance.

Speaker 4:

So

Den:

You can go down the traditional path of using avantas and nadas and these things here and then bringing in a team of people or a consultancy like us and we know what we're doing and we can go through that and we partner with auditors and pen testers and we've got the experience and then somebody will be like, well, I'm just going to use ai. And we're like, well, good luck.

Jaz:

Yeah. So absolutely. Two things I want to really add is that number one thing is that using AI to be a prototype is very easy. Production level is completely different. So I see that right now. You'll see that one wave of leadership now using AI to build the prototype, get a lot of traction, and now we'll see that second wave of leadership will come out to rescue it

Speaker 4:

Because

Jaz:

I've seen that already. So I want to say in my previous role, I try to debate which one, I do not want to build it. I use the partner solution because don't want, I might need someone to come out to rescue me in a prototype. That's the second thing. The first thing, second thing I want to comment here is so true that I feel that even more when I building company schedulers. The problem is not how the problem is what that is, that is a know-how, sorry, the domain knowledge is the key right now. It's not about how MyCode is very, is not hard, but it's about what you are going to build is the key, is the money maker ease the crown jewel no longer how people already solve it. That is already solved. That's why going through the per, they know what they're doing. It's just so critical.

Den:

Do you think, so evaluation of a lot of companies, it's all about your IP and the problem you're solving and speed to market and stuff. Do you think that people leveraging AI to build their products where there's maybe no real, there's really, the IP is a little bit diluted now, do you think? Or do you think that is still the same? I struggl to find the words, but I just think of it like shit, are we in a position where the value of someone's business is not as effective because they've leveraged AI to build the product?

Jaz:

Yeah, I think that's a very risky business. You're talking about ip. Look, we all want to have patent. You spend a lot of money, write a patent. What patent make money? I don't know anymore. I don't know anymore, right? So right now it's more like business sustainability. Sustainability,

Speaker 4:

Right?

Jaz:

It's not about ip because I was talking to the investment banker, they said that every time that GBT have a new version come out, but now 500, the AI native app company have closed. So that's what I mean a very risky business. So then I want to come back to, that's why I firmly believe that we need that AI infrastructure for gent security. It is not about using software to solve problem. Do you have the right infrastructure, compliance discipline did not change. But in AI security world, is it about the compliance behavior change? Because now compliance need to be at wrong time. Do you have the right infrastructure to allow you to say stop it? I mean now, two weeks later, that is the, I think that's a key.

Den:

Yeah. Yeah. I mean it's definitely going to be interesting to see the next 12 months because the AI game is, like you say, it's evolving so fast. All it takes is one vendor to release another widget that we didn't see coming, and then all of a sudden somebody else's game plan just goes down the tubes. And then I also think there's more money being invested in AI from VCs then there is money from the people purchasing solutions. So I can't remember what the numbers were, but it seemed to me like we're maybe 10 X the amount of investment dollars than we are dollars. People believe it in the market of the thing to solve.

Jaz:

That's very true. Right now, I'm not really very active doing the fundraising. So I actually talk to more friends and family or people in the industry. They're believing in this industry. It's more like individual investor rather than bc because BC they want to see, right now the C is today we're talking about seed round. It's pretty much a series in the past. They want to see 1 million or they want to see certain very high number before they want to come in. Yeah. So to answer your question, yeah, I agree with you, right? So yes, I lost my train of thought. Something that you mentioned I think that relevant. Yeah.

Den:

Well, I just think it's about the investment in the industry of AI security is more than the dollars on the table for people buying solutions. I mean, most VCs though, they know this, right? They sometimes know there's an imbalance, but they're still gambling on the fact that their bet's going to win.

Jaz:

Yeah, I agree with you. So in terms of adoption, everybody ask me this question. I think we're going to see it in flashing point very soon. Right now we'll see a lot of AI native company, they somehow using the AI agent in some way, but in a very, they still a very gingery make sure that hey, they have all security trust in there in terms of that adoption internally organization, at least for the medium-sized company, I feel like they are still preparing. They're still preparing. But I will really, if I can humbly provide some advice or suggestion is that start looking to your infrastructure. How are you going to really meaningful more cost effecti way to managing risk for these AI agents?

Speaker 4:

And

Jaz:

Everybody's already biting the value. AI will see how powerful it is.

Den:

And it's really interesting in the sense of there's so many enterprises and clients that we talk to all the time where they're still figuring out what is it they're going to do about ai. Most of the advice we give is let's start with some guardrails and guidance and then also what's your business philosophy on ai? Because a lot of our clients in the valley are building stuff with ai. They are leveraging more and more ai and they've got absolutely no idea what their employees are doing with ai. So there's this catch 22 where they're like, Hey, we want to be AI forward thinking and leverage it to accelerate our business and get the benefit from it and learn all about it. But they have not got any guardrails, have not got any protection. They have no idea really. So for us, we're like, well, let's start with getting some good guidance and guardrails documented and educated. So there's that piece of the puzzle. And then we're like, okay, now from a tech stack, what are the technologies? If you're looking for visibility into the AI that's being used and how are people using chat GPT or they using your instance or their own personal one or whatever, how are they coding? Then we want to then jump into saying, well, what is it you want to solve for? What risk do you want to reduce?

Not everybody's interested in whether there's data going out of their business as opposed to agents running, right? So you kind of go through that kind of methodology. But the problem, when you get down to that conversation, there's probably a hundred companies that we know of right now that could jump in and solve slices of all these problems.

Speaker 4:

And

Den:

There's not enough client money to go and buy a hundred technologies or even 20 technologies. They'll maybe pick one or two. And I think that's where when we speak with founders, and we do the flip side wearing all these hats, right? Founders, and we on the flip side, we're like, if that CSO could only solve five problems, why would your thing be in the top five? That for us is a big question. And a lot of founders have no idea why their thing would be in the top five.

Jaz:

Yeah. And are you saving money? Are you making money? Are you saving people's time? And I think this is all very good questions. And also I am dying to find someone. I can have a conversation discussion about AI governance. What does that even mean?

So to me, I have my own perspective about compliance. What does AI compliance mean, but what does AI governance mean? And I really would like, if anybody watching this episode, I would love to have the conversation if you have your perspective, I would like to have the conversation because once we have a better definition of AI governance, not just AI watch kind of terminology, how can I help to automate workflow process? Because right now you can't just expect the developer solved problem for you. That's the mortality right now. And how can we help security team to get a control in your own hand? Right now what I see is a lot of automation coming out because CICD pipeline nightmare. That's what I leave through. But that automation is solving the problem that we create ourself. So many things, so many things. I want to find the right person to have that right dialogue. Yeah,

Den:

I'm sure we've got a bundle of CISOs in our audience that are opinionated on that topic. So yeah, if they can message us, we'll get connected. Actually, I wouldn't mind doing a little round table discussion, closed door session with some CISOs and we can maybe set something like that up. I look at it, it's a problem that everybody is grasping, trying to wrestle right now. And some people have got great progress and forward thinking and others are just still going round in circles. So it'd be good to solve that. So you're going to be, I mean we're getting close to RSA, so I ask everybody this question, so I'm guessing you're going to be around the city for RSA this year. I mean, do you guys hit these events? Do you find value in these events? And what advice do you have for other founders? How do you approach things like RSA and black hat without blowing all your budget on doing some stuff that doesn't ring any ROI? What's your guidance there?

Jaz:

I love that question. Yes, we will be in RSA very, very, very excited. So that's pretty much what we focus on right now. I will tell you that my perspective changed before I was a product manager. I was like, yes, go there, spend the money. Now I'm the CEO, I have to watch out my budget. So now that's be smart. So I think that again, that right now we listed focus on building case study, so case study in a very meaningful way. So RSA black hat. I think when I go to RSA and black hat, I have different perspective, different attitude. Black hat is I connect with the engineer, security engineer hacker, you may say in RSA, when I go in there, I need to be ready to have two different conversation, the business conversation and also technical conversations. So we're so early on, right? So right now we are at a stage, it kind of break into the market. My advice to the founder is going there to be ready to have that conversations. Yeah,

Den:

And I think it also, I mean like you say, it really depends where are you on the journey of building this new business? Because seed round versus series A and B, the conversations are entirely different. And you guys, you're even pre founder led sales really, because you guys are still designing and getting design partners and problem solving and ideating. And then as you go through the series A, then you're like, okay, now we're selling selling because we believe we got this. So yeah, I think my advice to anybody going to RSA is, especially if you're a small startup, don't spend any money on being on the shop floor because that money is usually a lot of money and you might not get the ROI for that. I think some people get value in the startup showcase area or the AI kind of showcase area because that's less investment to get a little stand.

You're not doing a big booth, you're doing a little stand and stuff. So I think, yeah, I, you just got to be really thoughtful and recognize RSA is really a vendor shit show. And sometimes I think the more productive conversations are the ones that happen in the bars and in the hotels and the venues around the about as opposed to buying a booth. So yeah. Okay. Jazz, great to catch up. It's been a blast. I love what you guys are doing. I think you're tackling a problem, which is, I don't think it's clear to everybody really the problem yet, but I think in the next 12, 18 months, everybody's going to start to realize that this is something that we're lucky somebody like you guys are solving. So appreciate it and we'll have to get you back on in six months or so just to see where you're at and see where their journey taking you. So everybody, Ja, Lynn, Skyles, founder and CEO, and Ja, thank you very much. Pleasure. Thank

Jaz:

Show. Thank you for having me. Thanks.

Narrator:

That wraps up this episode of 9 0 9 Exec. If you found value here, subscribe and leave a rating to help others discover the show. To learn more about 9 0 9 Cyber, our advisory services and how we help organizations secure growth, visit 9 0 9 cyber.com. Thanks for listening, and until next time, lead with clarity, build trust, and stay secure.

‍