23. David M’Raihi: CPSO at Rivian, on Cryptography, Cars, and the Craft of Security

Hello, everyone, and welcome to another episode of the Security Podcast in Silicon Valley. I am here today with a very special guest, David M’Raihi. Wow, that's nice. Yeah.
Welcome to the show, David. Thank you. I mean, many times that David just butchered my name, but no, no. Did I get it right?
David M’Raihi? Yeah, you got it right. I hope so. We've worked together enough.
I better be able to say it. I think so. David is the CPSO at Rivian, the electric truck company. CPSO, for those of you who don't know, it stands for Chief Product Security Officer, which is a really nice focus.
Usually, I just hear CSO or CISO, but CPSO, well, it's a nice ring to it, doesn't it? Very nice ring to it. I like it. David actually received his PhD from École Normale Supérieure.
Did I say that right? Yeah, no. No, no, no, no, no. It's, yeah, no, it's fine.
I think most people would... My English butchering of this beautiful French school, which is, by the way, the top school in France.
Then graduate school. That's extremely good. It's extremely good. It's the top.
It's the best. It's like the French version of Harvard, right? Yeah, only better. But yeah, yes, of course.
Yeah, exactly. Okay. You were a director of technology at Gemplus. You were the VP of technology at ArcSine, the obfuscation company.
You were the principal architect at Verisign. You were a security architect at Apple. This is where we first met. Yeah, actually, we first met at that security conference, didn't we?
Yes, I didn't really... You actually reviewed one of the papers that I wrote as a graduate student.
I thought it wasn't so bad. I did review that paper. It's a small world, isn't it? You were the CTO and VP of engineering at Vario.
You were the chief security officer at Symphony Communications, a secure seamless communication company. We worked together there again when we sold all of our software to Goldman Sachs, the BlackRock, the JP Morgan's of the world. You were the engineering and technology leader at UnifyID. You were an advisor and investor at Swift Security, the head of product security at Pure Storage right after they had gone public, started their security team.
An advisor at Colsi, which actually sounds like a really cool company. An advisor at Lacework, a very respectable up-and-coming security company. Are they public yet, Lacework? No, not yet.
Not yet, okay. I know that you would know. And now everybody would know when it's public information, right? Everyone will know, that's right.
But I think you're keeping a special close eye on it, right? And then now the CPSO at Rivian. Tons of awesome experience all in the security world. 100% security, that's for sure.
It's a great pleasure to have you on the show, David. Thank you so much for joining us. Thank you, John. Really an honor.
So if you wouldn't share with our listeners, what was the initial nudge into security? How did you get sucked into this game? Maybe something in high school? Well, actually, it was funny the way it happened.
I was always interested, I would say, by some security aspects, but more like the other side. When I was way, way, way younger, I was, I would say, hacking a little bit, you know? There were things that I was curious about. How do you copy a program that actually, you know, is protected?
So that was something that was of some interest, you know, on Apple II and Commodore Amiga machines. And then, you know, from there, it was, okay, well, you seem to have some way of protecting an application, protecting some IP. But then I was more interested in kind of mathematics and computer science. But what happened is that there was...
You know, working on a few projects and there is this friend who was actually preparing his PhD in crypto. And so he starts, you know, explaining a little bit what crypto is about, and I was like, wow, that sounds kind of very cool, right?
I mean, it's kind of in between, I mean, it's not computer science, and there are some applications, and there is some theory. And but the way really, I mean, it got me that, you know, on his PhD thesis, he had this one sentence, La crypto, c'est rigolo, which in French means, you know, crypto is fun. And everyone was like, what is it? Crypto is fun?
It's fun. Fun. Crypto is fun. Yeah, yeah.
So cryptography is fun. And at the time, obviously, I mean, cryptography and, you know, cryptology, which is kind of the combination of building systems and attacking cryptanalysis and them. And at the time, I mean, there was no nothing like cryptocurrencies or anything. When we were using the word crypto, it was always for crypto algorithm or cryptographic actions protecting data.
Yeah, exactly. And things, things obviously changed a lot in the last 10 or 15 years. But then, yeah, I mean, it got me kind of hooked and actually started really working on that and completed my PhD with the same, same little advisor, Jacques Stern, a brilliant, brilliant man. And yeah, that's, that's how I went into security, more by the, I would say, the research angle.
And then things, you know, evolved. It's like everything, right? But I knew research and I'm moving to product and things like that. Yeah, you ended up in industry.
You have an impressive set of companies on your LinkedIn. So it was, it happened in a sort of a random way. Literally, I was in Paris at the time and I get a call from somebody I worked with in the past. And she was just like telling me, Hey, I'm, I mean, I'm in San Francisco now and we, we are starting, you know, this, this team and I will need somebody to deal with, with security.
And would you be, would you be interested? And I mean, at first I was like, well, I don't know exactly what you mean. And, but then thinking about it, it was more the kind of the opportunity of going to the U.S. and I mean, worst case scenario, okay, you stay for a couple of years if you don't like it or it doesn't work out, then that, that's fine.
I mean, you can, you can go back. And it was in 1998. And now we're in 2022 and I'm still here.
So actually next year it will be 25 years in the Bay Area. So congratulations. Almost anniversary. Almost.
Almost. That's a, that's a fun one. Amazing. I love it.
Now, thank you for sharing. Was that, was that happened to be Augustine Farusia? No, no, but somebody who actually Augustine Augustine knew. But at the time Augustine was still in Europe.
I mean, he went to the U.S. a little bit, but he was in Europe. And then I think he came back a little later.
But, but yeah, that person had some connection with, with Augustine, which is, which is funny now that you, you mentioned that. I mean, I, I, I don't, I don't have too much of a connection to Augustine, except he was the one who found my resume out of a pile of stuff when I was applying for graduate. It's good. It's good that finding a good resume.
So that's why he found yours, right? I mean, I think I'm higher that you're, you're much shameless, but I just count myself very lucky. No, I mean, you were just on the top of the pile and he picked you up. There we go.
Yeah, I was just the last one to have submitted a resume. And it was a big stack of a thousand and just, you know, at the last minute, I'm like, yeah, whatever. Here we go. I'll submit this.
We'll never know. It's not that important. No, no, it's not. It's funny how the universe has a way of working.
So what would you say your best day has been throughout your entire career here in the Valley? I don't know. I don't know if I can pick a little bit. Yeah.
Yeah, no, I know. And I was just trying to think about it. And I don't know if I can single, single out just, just one day, but. I do think there were a couple of days, definitely.
I mean, recently, when I think about it, I do think that what was happening at Symphony when we went from just being a small kind of startup, I'll see this Perzo company, and then the combination and creating, and that day when we were sitting, you know, in that big room with all the bankers, and you have that kind of this feeling that, okay, this is happening, you know? And that, I don't think at that kind of settings many, many times in my life, maybe like two or three times. That was definitely one. So tell the story a little bit, like, okay, so there was a company named Perzo, and you guys were building, and you were part of Perzo.
Yeah, it was a company originally, I mean, it was really focusing on one aspect of communication. It was this idea of how can you make communication, secure communication, efficient and private between not just two parties, but multiple parties. And also if you want to extend, you know, it's one thing to send a text message, but then what about you send a message and there is an attachment? Now you're talking also about what about the voice?
What about the video? And I think when it started, the founders, they had many things in mind, but the kind of the pivoting was about financial application because there is really a need for security and privacy and also compliance. And this is difficult. This is difficult.
So not that many companies were interested in doing that. So I think moving from just having the technology to having a product and then having a company, that's what makes a difference. And by the way, that's what is really, really hard. And I think personally, the reason why a lot of companies fail and I've been part of, you know, some failures as well.
And you learn actually quite a lot, you know, when you fail. I think you learn even more when you fail than when you succeed. Right. But when you succeed, it just goes right to your head and you don't learn anything.
I think the issue is that sometimes when, you know, when you succeed and particularly if you succeed very fast, I mean, all these things happen and you don't really have the time to kind of digest them and understand what's happening, right? It's just, and look, I mean, it's sometimes you can be lucky. I mean, or just the stars are all aligned and definitely you'll see the fact that you have been working for 20 years on something and then you're just at the right time with the right idea and then things go very fast. So I think there are also other configurations, but what's interesting is when you fail, you do have time.
You always pause because, pardon my French, but fuck, it did not work. And why did that, what did I do wrong or what my partners or, I mean, you start not feeling spiraling or anything, but you're like, okay, let's try to understand. And usually there is always a lesson to be learned. And that's something that helps you and you grow.
And then the next challenge is a little bit easier and then until you succeed, you succeed and you fail again, then you succeed. And I think it's kind of a mix of all these things, but you do learn a lot in these situations. If you want, I think, if you do some people. Yeah.
If you bring a growth mindset. Yeah, some people don't. That's right. Yeah, they don't.
And also, I mean, going back very quickly on the product, technology company, that's many times there is, you know, a lot of confusion there and people think that they have a company and actually they just have a technology. Or they think they have a company, but actually it's a product, but there is no market for that product. All you need to do. And it is actually very, very hard to build a company that has a real purpose.
And I think most of the times it's really because you have identified a set of problems and you bring a solution that, you know, is a better solution than all the solutions existing or just that there was no solution yet to that. That set of problems, and I think, if you don't have that kind of angle, it's very hard. It's very hard. You can do something, but it's not going to be very solid.
It's perhaps the difference between a company and a hobby. Yeah, I think, I mean, people don't really want to, you know, kind of accept that. I mean, they're like, hey, I'm building a company, and yeah, are you sure? And also, I mean, there is nothing wrong.
You can, you can have a great idea and build the technology that can be used by other people. And I think, to me, the open source movement and the capability of being able to offer some IP and some technology in that context, I think that's been very helpful because then you can see that a lot of companies who are creating the leveraging that technology. And it's, I mean, it's okay. Some people are very good business people.
Some people are very good researchers or scientists. You've got also some talented engineers, but if you tell them, hey, okay, now go and market your stuff or build a company, they will look at you like, not only I don't understand what you mean, but on top of that, I have zero interest in doing any of that, you know, it's really boring for me. So it's sort of what makes teams stronger than the sum of their individual parts when you bring people together and their strengths complement each other, right? Yeah, if anything, for any team of any size, any organization, I think the diversity aspect, that's also something that I think sometimes is misunderstood.
I mean, we use diversity these days in so many different ways. Yeah, but I think it's really the diversity in terms of the way you approach things and that's a result of your experiences and your background and who you are. So it maps pretty well with having people from very different backgrounds. And that does bring, I think, a lot of benefits to any team.
So when you build teams, you look for a high diverse, highly diverse backgrounds of candidates you're looking to complement. I mean, you're gathering first. No, because I'm more like, first I try to find people and it's so difficult to find, you know, quality people. And because I think, I don't know what's going to happen this year and next year.
I think the economic situation and the world also changed with everything that has been happening in Europe and all the disruptions with COVID. So honestly, I mean, in the last two years, there have been so many impactful events that being able to predict and say, oh, next year we are going to have like a big recession or there is going to be even something worse than that. And now people, you know, they can't decide. What I can observe at least, I can see that a lot of people have simply decided, okay, wait a minute, am I happy?
I mean, just, you know, very, some very basic questions that I think they did not have the time or they did not want to. And I see that even a lot more with young generations. And obviously it's, I mean, it's the W3, right? You don't have a family, you don't have any, you might have something.
So we'll not get into that because that's a very complicated topic. But I think that if you have a little more flexibility, of course, you're going to say, hey, why, why would I do that job or why would I there or why would I do it this way or with this person? And I think there were a lot of questions around that. And people were accepting a lot more a few years ago.
And today they simply don't. Is it going to last? I think, of course, you know, it's like, it's like everything. Like we went from an extreme where, you know, the power was on one side and then it completely shifted.
It's like everybody can do pretty much whatever they want. I think things are probably going to rebalance a little bit, but I do. I believe that most people will always now have this kind of, you know, thought at least in the back of their mind is, hey, am I really happy? Do I want to do that?
I mean, I think it's important to be that we lead lives that are deliberate and intentional and aligned with our own personal values. And sometimes for some people that that means, you know, solving a very difficult open problem. Maybe for other people, it means like working to live and working to provide for their families and the people that they love in their lives. And oh yeah, and there is, I mean, don't get me wrong, there is nothing wrong with that.
But I really think that it's very reflective, like in terms of reflection. It's just that I think a lot of people have, you know, the time to think about it and realize, yeah, you know what, I do like being at home two days a week because that way I can run some errands and then I remove some stress from my life and my spouse, my family or whatever it is. I can spend a bit more time with my family as well. But then I'm also happy to go into the office for three days because I can, you know, see my team and my co-workers.
And it's also a change of scenery. And I think for some people, it's just like, no, I don't want to do that at all. And other, I just want to be there all the time because I just, some people really enjoy being in an office. But until a couple of years ago, it was not even like an option, right?
You would not go and say, you know what, I'm going to do this. Monday and Tuesday, I think I'll be home every Monday and Tuesday, you know, like that was unheard of. You're right. And you'd be such an oddball if you had said something like that, you know.
Yeah, and also, you know, working remotely literally in a different country and with a time difference. And don't get me wrong, I mean, there are many jobs, it doesn't work. It just, it's not going to work. That's true.
But there are also a lot of jobs, a lot of positions that are extremely flexible and people can do that. And they also have probably the right mindset associated with that kind of job. And that works well for everybody. So I just think that it's, I think it's just more open, you know, it's like the horizon is bigger.
I don't know how to describe that, but yeah. So does Rivian have a flexible work policy that facilitates this? You work from home most of the time as a CPSO or? So I try to go in the office on a weekly basis.
I think when I think about that, I mean, at first I was like, okay, do I want to be there like four days or two days or one day? Or is there a frequency that, you know, is best? And I think there is a value meeting with your teams. Do I absolutely need that?
It's a good question. I mean, I think I can perform the vast majority of what I do remotely, but it's not just going into the office. For instance, I visited the plant a couple of times and I do feel that going at least, you know, twice a year or again, I don't know what is the right rhythm, but you need, you need to go there and to see and understand what it means, you know, making, you know, these vehicles. So in our case, I think a company that is not building anything tangible, that's probably slightly different when you think of, I mean, particularly not sealed and security.
Let's say that you're specialized in cloud security, right? And you are building all these things based on one of the cloud platforms, whether it's, you know, AWS or GCP. I mean, that's at the end of the day, since you're building things in the cloud, what does it mean to, you know, be in the office except the connection with the other people? Right.
And I noticed that it's sort of a kind of a creative space, right? Being in the office. Face and sitting together and going on the board and exchanging, it's easier. It's much faster, it's easier, you get to the chase a little bit more quickly.
And you can see how people react on everything, all these things. Oh yeah. Exactly, exactly. And the other thing, it's the same thing when there is a crisis or a big problem.
You can have a bunch of people in Zoom and at that situation as well, and you walk through, but it's a little dry. And I think that, you know, being in the room can help. Now, when you're more in a kind of execution phase and there is not really a lot of surprises and people know what they have to do, the benefit of being in the office is disputable because then you're interrupted and some people also have a hard time, you know, to do context switching. I know a person who's not like, oh, period, switching context.
I publicly announce it and not reduce my context switching. I'm like, you know what? I am a very slow context switcher. I can do one thing very well, but I need the focus.
Please make sure it's important if we're going to interrupt. So, yeah, I do. I don't remember that. And yeah, so I mean, in that case, being interrupted like 10 times during the day, I'm sorry, this is going to impact the productivity of the person in a very, very significant way.
So, but look, I think it's like, it's like everything, right? I always thought that, you know, I love my wine and I like whiskey too. But I think it's like everything, you know, it's a little bit of everything in moderation, right? Including moderation.
Including moderation. So sometimes you can go crazy, right? But sometimes, but don't go crazy every day. Don't do that.
No, please. Don't do everything. And I mean, it's the same thing with, you know, everything, whether it's, you know, drinking or working very hard or it's just, I think you need to cut everything out. That Goldilocks zone, just enough, you know, things are happy and just contributing and engaged, but not so crazy that you never want to go back again.
So again, I think it's the kind of the how you're happy as a kind of a tenet or something that you can really reference to because when you think about that, you know, there is this, I don't know if it's a definition, but you know, there are happy drugs, right? Okay, there are happy and then there are people when they drink too much, they are terrible and they react and, but the reality is just like, look, if you realize that, you know, two glasses of wine make you good, but three makes you miserable, don't drink three. If you enjoy really working 10 hours a day in a specific context, well, try to do that.
It doesn't mean that sometimes you won't have to do 12 hours, but there will be days where, you know, it will be only eight. So I think it's a question of really being able to decide that that's a big part. If you could pick out the worst day that you've had in your journey through Silicon Valley, could you share that with us? The worst?
I know you're an optimist. You only see things in the positive light, but...
Well, honestly, if I look, I don't really necessarily want to speak the known details, but yeah. The worst days were always because of personal things, never because of work or company or project or if I really look at everything. Now, if I focus on only work, but I think the reason I point that out is because in the end, when you think very hard, personal stuff is what matters the most. It's some people, it can be friends, it can be family, whatever it is, whatever you call it, you know, whatever you call it at home, right?
That's the thing that truly, truly matters. You know, in terms of really bad days, I would say that one day that was really hard and I really did not know what was going to happen. What happened after that is maybe three years after I moved to the valley and it's 2001 and there is this day, you know, Enron goes bankrupt. And of course, I have shares in Enron, like, I do not have a lot, but it just, I know, it was, yeah, well, just to like, oh shit, you know, there is that that is happening.
And, but then you really see that the market melting down. And the day that was very, very hard is, you know, the company I was associated with at the time, and they decide to, like many other companies, they reduce the footprint and it doesn't make any sense to have a presence, you know, in the area. And it is just, and you see, you know, people, like less and less people, and you really experience, and then you have this discussion with friends that tell, hey, you know, we are 15 in my office and today there are only two people left. And I'm like, you know, who's going to switch off the lights in this game or you or me?
And so, yeah, there was that really dark day of, you know, the kind of the fall of Enron and then that after that, really the day when, okay, the office is closed and what do I do? I mean, if I'm being like smart, I would just go back to France and, you know, the safety and, but you didn't choose. And I decided to stay. You chose to stay.
You wanted to get finished. That's true. Something, I don't think about the thing and sort of resonated with you. You got the Silicon Valley bug.
I think it was a combination of, okay, that can't be it. You know, it's been three years. I mean, there must be, there are more companies in the US. There is much of this.
The movie I have not read yet. Now, yeah, I don't know. I don't know what it is. Did you feel empowered to sort of just move on and build your own story or did you just want to see how this really ended?
I think, if I'm being honest, the first like couple of months, not having a job, not knowing exactly at all, not knowing anything at all. And also, I mean, you know, you do have some network, but it was very different at the time. I was saying, you know, three years is not a very long time to have a network. Exactly.
And also it was like, you know, 2001, right? And then the impact of social network and things like LinkedIn. I mean, you did not have all these tools. You barely have, you know, your phone and a few people email and you would go and, you know, have drinks.
But I was not, I was not scared or worried. It was more like, okay, what are the next steps, right? And it ended quite well in the sense that I did know a few people and then I connected with them and there was this project starting. And so I could kind of rebound.
And then, you know, after this one, there was another one and things get, you know, much, much easier because then you're connected and you have experience and it's just everything, everything starts clicking. But yeah, that was a little scary. Yeah, a little, little bit. Yeah, I could imagine, especially earlier, earlier on in your career, like you have a little bit less of a safety net and a little bit smaller network and you're in a different country.
And, and yeah, and then if it doesn't work out, then what do you do? I mean, you, do you really keep trying or, but fortunately, I did not have to ask myself all these questions. So yeah, no, that's great. I'm super happy for you that you decided to stay and that you, you found the, you know, just weather the storm a little bit and here we are and we got to meet and work together.
It's from a place of deep gratitude and appreciation that I share with all of our listeners that David here has actually been my mentor through my career, personally. You have helped significantly and I have learned leadership styles and security technologies and how to interact with customers. And you gave me my first opportunity to really lead a team here. That's true.
That's very true. I remember now. Yeah, that was, that I didn't remember before. Yeah.
So yeah, deep. An authentic thank you. No, you're way too kind. I learned a few things from you as well, so.
I appreciate that. Well, I guess we both have gotten a lot out of uh the way each other then. I think so. So we saw it to have this vegan dinner when, well, that's probably what happened again.
When Baia is done, you know, rebuilding after the fire or whatever has happened. Did you set the kitchen on fire or something? I love that restaurant and absolutely did not set anything in that restaurant on fire, but um perhaps someone requested a very good restaurant. For those who don't know, it's a vegan and all vegan Italian comfort food Michelin star quality restaurant, so.
Yeah, it's really good. It's an amazing restaurant. And even if you're not vegan, you'll have your socks blown off. Very good.
I confirm. I confirm. The non-vegan is confirming and the vegan is most happy with that confirmation. So that's perfect.
So if you, if you look into the future, David, and I'll let you decide how far into the future you'd like to look, and you say to yourself, yes, that is a successful security industry. Like I am proud of what the security community has done. What is it that you're looking at and how far into the future is it? One trend that I see as a very positive trend is, and there are a bunch of companies in that space, but it's everything related to sec DevOps.
Stack DevOps. Yeah, so security DevOps and it just, I think, I mean, it's a bit of a broad term, but I like the space because when you think about everything we do in security, there are always a lot of opportunities to, I would say, optimize certain things. And what we have been missing quite a lot is, how do we allocate our resources? How do we manage them the best?
When do we need a tool? When do we need a human? And particularly in the space of vulnerability management, there are a bunch of players, obviously, and you know, you can do some scans, you can do some pen testing, you can analyze the code, and you end up with...
It's kind of like what Lisk does, right? And then you get your auditing play and you trash everything. I think the space in terms of, in that case, it's, I mean, they do more than that.
I mean, it's really the kind of the cloud security aspect and how you can automate and detection, but the very specific kind of angle where I am a company, I am starting to build some products. I don't have a security team. What can I do? What is, I would not say the bare minimum, but what would be a good solution for me knowing that I can't hire 50 people, right?
But I see... You may not even be able to hire one.
Yeah, you may not even be able to hire one yet. Yeah, yeah. It's not necessarily. So maybe you can have one.
It's kind of like a lot of work. Yeah, I mean, security is a space. It's difficult to find people with experience and the right skill set and all these different things. And obviously that drive prices up.
But I really believe that at some point it was more like we are kind of brute forcing everything. And okay, I need 20 analysts and I need a SOC and I need these and that. And today I see a bunch of options where we can be a little smarter. And it doesn't mean that we don't need a team, but I see a lot of options where I can do today with 30, 35 people what 20 years ago would have required like 100.
Wow. Is that because of all of the services, the SaaS services in the security space that have been bubbling up? I think it's a combination of things. I think people, again in the industry, the skill set, the experience, the level of knowledge, and people are able... to do multiple things.
I think people were a bit more specialized.
Today, I see some engineers who can do infrastructure and operations and code a little bit and testing, and they have all these kind of this combination of skills and knowledge in security. And when you think about that, I mean, security is kind of, I would not say it's a brand new industry, but when you think of, if you look just at the encryption algorithms, right? I mean, the first time you had some public encryption algorithm, we're talking, you know, the 70s. And until the 70s, there was not a way before RSA and then some algorithms based on discrete logarithm.
I mean, there are different variants, but basically the concept of having the public key that, you know, you use to encrypt and then you have a private key that you use to decrypt. And then suddenly people start thinking, oh, that's nice because I can also do signature, right? And so it started like a bit organic and then you have a, but really in the industry, a few people mid-70s, of course, the military government, that's a different story, but what was available, right, for the public. Yeah, and you see that in the 80s.
And so you see a lot of security companies that also are going along with, oh, in the 90s, then people stopped having email. Then since you have communication, then there are security issues associated with that. Yes, absolutely. And yeah, so I think, I think it's also interesting to see that and be very humble because, you know, a lot of people are saying, oh, but it doesn't work yet.
And when you look at a car and I need a good place to see that, I mean, cars have been around for more than a hundred years, right? But the new kind of the new paradigm, when you think about an electric vehicle and the way they are built, then it's more like a connected object and also all the technology around that. That's a shift again. And people need, you know, to really understand, hey, what do we need to do for this venture to be successful again?
Do you think that we'll see the end or the break of boom RSA or ElGamal in our lifetimes? I think there is a question of, you know, this around quantum cryptography is one thing, but all the algorithms that are like the post quantum and I do think that certain things are going to be more vulnerable. I mean, it's not clear to me yet, hey, do these things really work and can you break things? So just to be totally clear, to be totally clear with all of our listeners, you're talking about quantum computing as being the thing that could potentially break RSA or ElGamal and public key cryptography.
I think it's more like there was a lot of work in recent years to build algorithms that are based on problems that are very different. It's just that there was this big kind of question mark around, okay, traditional problems which are based on the number theory and things like factorization, because that's what RSA is about. Like you have this big number, but there is no way to extract the two numbers that, you know, are kind of the product or you have a number, you can't extract the logarithm. I mean, there are many, many, many things that were built around that.
And then because of that, the internet security was built on those two problems and the difficulties to problems, right? Yeah. But the question was then, you know, okay, well, there are other people that are thinking about what would happen in a world where these problems are not as hard as we think, you know, that they are. And I don't think that today, you know, we have to worry about it.
Is it something that in 20 years, the reality is there are algorithms that have been designed and there will be more in the future. And I think I'm more interested in the aspect that these new algorithms and these new primitives, they give you in terms of functionality. And so...
To me, when I look at, for instance, homomorphic encryption and kind of this idea of, hey, now I have an encryption primitive, I produce some encrypted objects, and then I can operate on these encrypted objects without having to decrypt them. So then it's obviously super interesting, right? It's almost fascinating because then you have a way of really maintaining the security of everything.
So, yeah, that will be very exciting. That's what like Zama is working towards, the homomorphic encryption stuff. Benoit from our Apple days, you remember? Yes, yes.
So let me ask you something completely different here, and a very open-ended question. But when you're interviewing, you do a lot of team building there, Rivian, in the CPSO. I'm sure you get to meet a lot of very talented folks in the security world looking for their next adventure, professional adventure. When you're interviewing someone, what is it that you look for?
What's your favorite interview question? Look, the thing with interviews is most companies, I mean, there is a process, right? And because you want to be very fair and being able to compare the different candidates for a specific position, so obviously you're going to ask a set of questions and you want also to be sure that you have people in the panel that are different and so you have all these things. Yeah, and it's complicated, you know, to be fair and balanced, but I think most companies do that reasonably well these days.
But I always kind of stay away a little bit from the script. It's like, let's say I have 45 minutes, I will always use 30 minutes to be sure that, hey, I know that my talent team, they need answers to these questions and that's part of the evaluation. So I'm sure that I ask all these questions, but I always try to keep like 15 minutes out of 45, if it's an hour, like 20 minutes. I always carve out some time so I can ask more like personal questions to try to figure out how the person, you know, thinks and clicks.
And really, it's all about the fit with the company and the team, the organization values. Because when I look at all the people I work with and people I hire, then very rarely when it was not working as expected, it was because of some lack in terms of technical skills or knowledge. You can always, I mean, unless, you know, really make a big mistake and you hire somebody to bake a cake and he's actually a sailor and he doesn't know what a cake is. But most of these things, you think that the guy is, you know, is very good, let's say in C language and it's just good, but he wants to learn and improve.
And that's something that you can easily fix over six months or a year. But if there is a big discrepancy in the values and the way the person thinks and, you know, it doesn't click, it doesn't click, they don't click with the team and it just might be a very good person, but just not the best fit, perhaps. Exactly. Exactly.
And that's when I'm being very, very careful. When I hesitate, it's very rarely because I'm not sure the person, you know, is technically good. And I mean, of course, that's part of the evaluation. But when I hesitate, it will most of the times, like 80, 90% of the time, there is kind of this gut feeling that, is that a good fit?
And it goes both ways, you know, because there is, of course, a big deal. Yeah, because you had the person, but also it's a big disservice if you hire somebody you think and then the person is retrained the best that it just, it doesn't work and you don't want that to happen also as well. So that's the reason I'm really very, very careful when it comes to that. That's good.
No, I think cautious pays off, doesn't it? David, thank you so much for joining us on this episode of the Security Podcast in Silicon Valley. And thank you to all of our listeners who have tuned in for this episode.
David, would you like to leave our listeners with any final words of wisdom that you wish you had in your younger self, perhaps? Yeah, I think as soon as you can find your North Star and don't listen to people if they tell you it's not the North. Just ignore them and go after it. And the sooner the better.
That's right, don't hesitate. Be deliberate and intentional with those changes. And it's much better to make the big mistake than doing nothing. So yes, you will never regret an action.
No. You'll only regret not retaking an action. Exactly. And it's exactly what happens because you know that I love to collect stuff, right?
And it's always the books that you're deciding not to buy that you regret, never the books that you bought. So, but yeah, be careful, don't buy any book. Be careful what you read, huh? Exactly.
David, thank you so much. It was amazing. It was a pleasure. It was a pleasure and looking forward to listening to the podcast again and again and again and obviously seeing you soon.
I look forward to it too. All right, thank you again. Bye-bye, John. Bye-bye.