68. From Netflix to Startup CEO: Travis McPeak Is Redesigning Security for Developers

Hello, everyone, and welcome to another episode of the security podcast of Silicon Valley. I am John McLaughlin, one of your hosts. I'm joined today with Sasha Sinkovich, the other host of the show. And we've got an amazing guest for everyone, Travis McPeak, who is the co-founder and CEO of Resourcely.
Hey, awesome to be here. Thank you. Welcome to the show. Great to have you, Travis.
Travis, just looking at your LinkedIn, you started your career, it looks like, at Symantec. You spent some time at HP, then you went over to IBM. You're pretty focused on security. You sunk your teeth into technical stuff at Netflix.
Then you led product security at Databricks. You spent some time doing some advisory work, some angel investing. You even have your own podcast as a co-host yourself. And now you are the co-founder and CEO of Resourcely.
What an incredible journey. I like to stay busy. We can tell. And now it, Resourcely, it looks like your tagline is simple self-service cloud infrastructure.
So I think in security, one of the things that we get wrong sometimes is we are too business-slowing, too adversarial with our developer counterparts. And doing this for a long time, we lose trust. People are incentivized to just keep security over there in the corner and not tell them about stuff because they don't want to slow down. They don't want to stop delivering value.
So the point of us is what if you could have good security and also you made life easier and faster for developers. Amazing. Amazing. Just to focus in on Resourcely for a moment here, it looks like you like to configure it right the first time.
What do you think is the main pain point that really like hooks people to pull them into Resourcely? That really difficult problem. Yeah. So we have started with cloud configuration and cloud configuration is very complex.
So first of all, many organizations are using multiple clouds. Those clouds each have tons of services. So I think Amazon has 250, 300, you know, similar story for Google, Azure, Oracle, whatever you're using. And then each one of those services, because the cloud service has to support their entire customer base, there's a ton of configuration.
And, you know, being in security, we've all seen misconfiguration on every top 10 list forever. And so then if you wonder, like, why does that happen? It's because the users of cloud services are generally not experts to the point where they know how to correctly configure it. You know, we see things like accidentally data goes on the internet and that happens all the time.
Like those are not developers or users, like trying to put their data on the internet or trying to do the wrong thing. They just didn't know how to do the right thing. So was there anything that happened that inspired this entrepreneurial journey for you to go down and try to tackle this like huge problem space? So at the beginning of my career, I started off in more traditional security environments, you know, where we had that kind of like touch point, we're going to get engaged threat model, like find vulnerabilities, review source code, all that kind of stuff.
And although it felt like we were doing a lot of work, it didn't feel to me like we were adding a lot of value. And I always noticed this kind of bummed out look on developers face when we were meeting, you know, they're like, this is two hours that we're going to spend in this meeting that I wish I wasn't in right now. And then like, I hope they don't find anything because then my launch is going to get delayed. And that's never made me feel good.
And then really like the lightning bolt for me was when I got to Netflix and saw that security didn't really do any of that kind of stuff. They focused their time on building tools that made developers not have to worry or think about security or even understand it very much. Where do you think the main pain point is with developers not currently being engaged in the product security, infrastructure security functions? What is the main pain point?
Take any kind of like cloud security engineer, how long did it take them to become good at those things? And even today, like one cloud security engineer is probably focused on a cloud. They're not going to have equal coverage on all clouds. And all of that is just time, right?
You can ramp up and learn all of that stuff, but there's only so much that the human brain can hold. And then now you take a developer, it's not their job. They're really meant to write software and build products for the business. And now it's like, guess what?
We're going to teach you about all of the kind of Amazon cloud misconfigurations today. Like that's just occupying headspace for them and time that should go to other things. I started the company with a bet that security, kind of like being in a corner by themselves and having security tools that scan and advise you about risks in the environment, that would not move the needle. Like we're going to keep having breaches constantly as long as that's the interaction point between security and engineering.
And so my bet was five years from now, great security tools are going to look like engineering tools. And a side effect of using those engineering tools will be security. So the same tool that we use to make it easy for a developer to go and deploy a database or spin up a new account, that can also be used for, to solve DevOps concerns and really enable self-service for their customers as well. So you're essentially taking care of the DevSecOps.
Exactly. Yeah. We, some of the tools that you're talking about came from, you know, pure infrastructure engineering standpoint and then added security because they realized that's a good benefit of getting things done correctly. We went the other way.
We started with security and then realized that these are also DevOps tools. We have security and also the engineering teams that we were just talking about. And if you talk to an engineering team, you don't want this to feel like security geek stuff. You want it to feel like, you know, it's built for them.
So we, we messaged to both. We have a value prop for both that's clear and delineated. But often it will be, if it's a security team, it's typically like a, I would call it like a forward facing security team. They're thinking about like, how do we actually like partner meaningfully with engineering?
So I would call it the head of the pack in terms of our industry. And then if it's an engineering team, they're typically, the motivation for them is they have these customers that they're getting bombarded with requests for and just going slower than they want to. And we can take that load off their plate and help them take the easy requests off and focus on the more bespoke stuff that like really needs single expertise. I loved how you put it.
You started with security and then you came to the realization that, well, actually all of these things are DevOps tools as well. Did that put you in a position to realize anything special, let's say that you needed to really start with security in order to, to realize or to bring into the world as a zero to one? How did that turn into an advantage? Yeah.
So what we realized actually was if we have these conversations with security teams, they will often like the idea and, and this makes it easier for them, right? Cause today the whole premise in security, we have all these tools that tell us about issues after they're already deployed in prod. And then we have to do this JIRA dance where we go and like just rain JIRA tickets on all the engineers and ask them to fix it. A lot of these things don't get fixed.
A lot of teams actually now will not even file the JIRA tickets unless it's a higher critical, which is silly. But I get it. You know, this is, this is work for developers. It's annoying.
We're trying to be a better partner. So like filter out the noise for them. So in order to actually address this effectively, you need to go like directly to those engineering teams and like have a value prop for them. That's not, you know, security nerd stuff.
So the advantage was learning like what those teams care about. Like if you take a top 10 list, you know, security, like misconfiguration is going to be up there, but like engineering doesn't really like think in terms of misconfiguration. They think in terms of developer productivity and cost effectiveness and stability, availability, reliability. So it's different messaging.
It's the same kind of like overall product strategy, but it has to be messaged totally differently. You know, what's sad. So I think compliance moves so slow that a lot of it hasn't meaningfully kept up with the cloud at all. So if you look at all of these frameworks that we have today, SOC 2, FedRAMP, PCI, like FedRAMP and PCI have some stuff in there.
SOC 2 is very vague. There's really not a lot of cloud specific compliance requirements. There are standards. So you have NIST and CSF and things like that, that will kind of like mandate what good looks like, but that's not really being enforced by anybody.
And therefore a lot of companies just don't do it. Right. They're like, okay, we need SOC 2, but this NIST stuff seems like a nice to have. I mean, look at consumers.
We have these breaches all the time and like consumers are not generally educated about security and privacy and like the implications. Yeah. And I mean, how many times have you gotten an email or a letter recently where it's like, Hey, sorry, like your data was leaked and please have three years of credit monitoring on us. I probably have like 10 of these credit monitoring things concurrently right now.
I'm probably the worst kind of security person. Cause like, honestly, I've just given up on privacy. Like I care about security, but I don't really care about privacy. I assume that my data has been leaked and transferred so many times, you know, unbeknownst to me, like I've kind of just given up on the whole thing.
There's data, there's a huge data broker industry. You ever wonder like why you sign up for a service and they collect like all of this information that they make you do. It's because like a lot of times they're selling it and then there's data brokers. So you go and buy flowers for your partner and they collect all of this information about you and including your flower buying preferences.
And then they sell that to a data broker. Then you have no control. Like you haven't decided to do business with the data broker or not, but now they have your data and they can go sell it everywhere else and monetize it. So it's just like, I don't know.
It never ends. It's a big web. You don't have control in a lot of these cases. I mean, I was going to ask you if you ever felt like giving up, but it sounds like you have and that you gave up on privacy.
I have. Yeah. I've given up on privacy. I've not given up on security, but I have given up on privacy.
And how do you feel about the GDPR and our European counterparts who have like the law, you know, kind of like on their side a little bit, trying to move the needle in a more private direction? I appreciate regulation. I think our industry should do one of two things. We should either stop saying that security is important and just say like, okay, fine, we're just going to live in a world where stuff gets breached all the time.
Or we should actually make it like really important by having a similar regulation to GDPR that covers like real, like this is what you have to do for security. And if you have a breach, we're going to dig in and we're going to find out if you did all of those things. And if you said you were doing it and you didn't, there's going to be fines and like people are going to be personally liable for that. Like that would actually move the needle.
Should people go to jail for not taking security seriously? If you lie about something, then absolutely. And yeah, if you're an officer of a company, like chief security officer, and you say that you're doing something and that's found to be not true, then yeah, you should absolutely, absolutely be personally liable for that. Yeah.
And then, and then put that decision to the CEO, right? So chief security officer says like, we need to promise to customers that we're doing this thing. Let's say vulnerability management, we're going to patch every single thing within 30 days, right? Like, I don't know if you know any companies that are actually patching everything in 30 days, but it's not as common as you would think.
Customers are making us promise that we patch everything in 30 days. Like I know for a fact that we're not doing that. Then you as the chief security officer take that to the CEO and say, we're not patching everything in 30 days. I'm not going to tell anybody that we're not doing that unless we are.
This is what it's going to take to do it. And then let the CEO decide whether to fund that or not. Right. It's just risk transference, I suppose, from CISO to CEO.
Yes. Yes. Yes. Well, I'm not sure.
How big is Resourcely? We are 12 people. We're small. Okay.
So you're still a small shop. It's easy to manage a small shop, but like in a hundred person startup, a 150 person startup, but even if you've got all the right policies in place and you get the alignment and everyone agrees to everything and there's procedures in place, there still might be a few cases that slip through. Right. And the other problem is in security.
Like we've also lost trust by being too absolutist. Like these like password rotation policies are dumb and we've known that they're dumb for a long time, right? Like pick a strong, like pseudo random 16 character password stored in a password vault. You never need to rotate it, but somewhere somebody wrote down that we should rotate passwords every 90 days and it's completely pointless.
Exactly. Yeah. If you rotate it every 90 days, then you're definitely like bumping the number at the end, you know, every time you have to do it, like actually encourages bad behavior. Correct.
Correct. I want to take us back a little bit, a couple of minutes, a couple of minutes back. We talked about data, consumer data, GDPR. There is also an interesting act in the EU, which is called the EU AI Act.
And it's quite interesting, the intersection of AI and data, data privacy. In the EU, there's four levels of impact of AI on a life of a person. And there are certain functions that AI cannot perform in the EU because a human needs to make that decision. This goes back to the value of data and how data is being processed.
What you guys are in a great position to do is to ensure that the data that has a potential of a high impact on a human life is properly protected. The only way to ensure the data is properly secured is to make sure that the controls around the data is properly applied. Yes. Yeah.
We're in a great position for stuff like that. Obviously, if you're using like a platform AI model, you know, like an OpenAI, Microsoft, Google, or whatever, then it's going to be their controls and not our controls. But if a customer is going to be storing their customer's data somewhere, then we can help make sure that you're using the proper cloud controls to actually like meet your requirements there. You know, speaking of things happening, you know, in the news, like this whole noise around DeepSeek has just been like just overflowing.
For everyone listening, you know, this is recorded February 3rd, 2025. And so DeepSeek just happened. One of the things that I heard in all of the soundbites and news clips was like, oh, all of your data is being sent to China if you use DeepSeek. And I'm not sure that's exactly true.
I think it was more along the lines of you use their app, which is hosted in China, you're sending your data to China. But I suppose like if we just throw our hands up in the air as consumers and say, ah, whatever, like, do you make a distinction between sharing data that's going to leak in the US versus sharing data like in China? Well, convenient thing is we have a government playbook for this now. See what happened to TikTok.
So it's like, yeah, you're collecting very important data on US citizens. And like, we want to know exactly what's happening with that data. And like you have whatever 75 days now to comply. So what you're saying is the time is there they've got a clock.
Oh, yeah, that playbook has all the dust off of it. Everyone knows exactly how to enforce that kind of thing. But yeah, DeepSeek has the hosted version, which is in the app store, like that thing's almost certainly going to face extreme scrutiny, if not the exact TikTok thing. And then there's what they release as an open source model.
So you can go and run that thing on Amazon and whatever. And if you use that, it's not sending data back. There's no way for it to do that. Does Resourcely have the tools available to just spin up like private instances of LLMs?
Oh, yeah. Yeah. Oh, wow. All right.
You got 10 signups right there. Is it? Do you guys have a bottom up go to market strategy? So all of these founders listening to the show can just jump on and try it out?
So it's not bottoms up, but it is self serve. So the difference there, yeah, you can you can go get into our product, try it out, not talk to sales. But like, realistically, when I would see like bottoms up, it's like, oh, the individual developer is going to come in and do this. Like, that's probably not the way it's going to work.
Going back to developer incentives, like they just want the fastest way to do something like they're not going to care about like setting up blueprints and guardrails and all the stuff we do. Does Resourcely have a SOC 2 type 2 in place? Oh, yeah, of course. Yeah, we started on day one, like literally the first day of the company, we started working on SOC 2.
Like that's table stakes to sell to other companies. We do see a huge shift. Five years ago, security procurement used to be at the tail end of your negotiations. Today in 2024, and that started years ago, the security procurement is in the beginning of your negotiations and assessment whether or not this product is the right solution for the company.
What are your thoughts on this shift? That's smart. Because, you know, go back to like security's incentive, right? So we're a cost center.
You know, we're like, think about like people's eating habits, right? It's like, you shouldn't eat like fast food, right? It's going to clog your arteries, it's going to cause heart disease and whatever. Like that's a theoretical thing that might happen in the future.
Like that's what we sell in security, right? Like how this bad thing might happen to you. Like we're the team that can help you do it. But on a day to day, we're a cost center.
Like we cost money to prevent theoretical like bad thing from happening in the future. And like, meanwhile, if we come and we're annoying and we slow down the business, then we're going to get defunded. Like they're going to want less of us, not more of us. And so if you think about the procurement cycle, if you do it at the end, so like you've already done all this work with a vendor, like the business really wants it and security comes in and they're the wet blanket and they're like, no, it's not safe.
That's bad. But if you do it before you've done all this investment and you're like, okay, this thing's actually sketchy. Like we should not use that. Then you don't have all of that sunken cost in there.
So the emotional impact of the business is much lower. I think our job in security is to really well explain to whatever business leader is trying to like, let's say, adopt a new technology. It's like, okay, here's the problems that I see with it. Like we've promised to these customers that we don't do this kind of stuff.
We're going to have to add this to our data processors. And like, if it's a weird startup, then they're probably not going to like it. And they're going to ask questions that might cause us to lose trust. It requires a ton of access to our system.
And if it gets breached, then like all of us are going to be stuck in like a really bad, like few months here. And so like all of that being said, like, here's the context that you business leader now have, and you decide like whether all of what I just said is more important or like whether your need to like adopt this new product is more important. Yeah. I don't think security should really be blocking anything, honestly.
Like that's not, we have no like actual authority. Like all of these are going to be executive level business decisions. And our job is to like really thoroughly explain to somebody that's not a security and compliance expert. Like what is the trade-off that they're making?
And that's right. That's right. Like I hate the word trade-off too, because I believe 100% that you can nail security and move fast and innovate at the same time. What's the hardest thing you've ever done as an entrepreneur?
Geez. There's a lot of it. You know, I love to work hard and this job is freaking hard, like in a way that's like, you wouldn't anticipate ahead of time. So it never turns off, you know, as a, as a founder and like CEO, there's never like any minute awake or asleep where I'm not processing something about the company.
And that, that does just get tiring. So I have to be on top of my, my habits, like my sleep, exercise, eating, just to like keep up with it. It's definitely not for people that don't like stress for sure. Like if you don't like stress, like if you're stress-avoidant and you want a chill life, never do this job for sure.
As a technical person that started a company, like really getting into the sales mindset was very hard because it's like just totally different. Like I'll, I'll give you an example. I'm very type A. I just like to get to the bottom of stuff, you know, early.
And, and so we, we go on these customer calls and the good salespeople around me would spend five minutes, you know, talking about like, where'd you go to school? And like, what's the weather like there today? And like, so, so much so that like, I came up with like kind of a derogatory way of saying it internally. I'd be like, can we like cut down the size of the, like, how's your dog conversation?
But what I learned is like, that's the way that you do it. Like, that's actually what good looks like. They're right. And I'm wrong.
Like you have to do that. Otherwise people don't form a meaningful personal connection with you. And then they don't care enough to like go to the next step. So that's like, that was a big adjustment for sure.
I thought I would build this wonderful product that was so good that like, it would just fly out of my hands into the wind. You know, people would like demand it from me and like, didn't have to do any of this stuff. And so I used to think like products, sales, and then now I think it's the opposite. It's like, you want like great companies have a great product and great sales.
But if you have to pick one of those two to be good at, pick sales all day, every day. Did you identify like a sales mentor or is one of your co-founders like a sales genius or how did that growth happen? Yeah. So we had, um, we were lucky.
So we had, Andreessen is one of our investors and they have a lot of good people internally that can teach us, you know, like professional salespeople. They'll teach you how the sausage is made. Um, I read some books like from recommendations on other founders. And then, um, early on, we met this guy named Danny.
So Danny was working at a VC that had a, like kind of an operating model, like they'd like really dig in. And so I did something that at the time felt like really weird, but it ended up being great. So Danny got a Resourcely email. Um, and then he started joining all of the sales calls with me, like every single one.
And, and the, just by absorbing wisdom from Danny, uh, like seeing how he operates and what he does, I learned a ton. And then when we got to this stage where like, we just needed somebody full-time, we got a really good zero to one salesperson. Um, Ryan, like he's done startups before is like, what's going to make you great as a VP of sales at a series D company is going to be like totally different than what you need in the beginning. At the end of the day, all businesses have a very common approach to the market.
You have to know your ICP. You have to know your top of the funnel. You have to know how to enrich your top of the funnel. You have to know how to drive the traffic through the websites, socials in order to increase the volumes of the funnel.
And, uh, it's important to have those people. Exactly. Yep. Yep.
Exactly. Yeah. And every step in that process can be, you know, analyzed and there's stuff and you just continually refine it and tune it. Yeah.
I'm glad that we have go-to-market experts in the world. Um, as a founder, I figure my job is to learn enough about these functions to know when they're being done well, but we definitely want to have people that like live and breathe this stuff, doing it. You're still incredibly young and yet already so successful, but have you thought about your legacy or what you would like to leave for your legacy? Uh, I'm not that young.
I feel, I feel like, uh, the last three years I've gotten 10 years older, but, um, yeah. So I, I believe that I will start a massive company and like make a dent in the world through the products that we create. If that's Resourcely, that's awesome. But I've got the entrepreneurial bug now.
I like the kind of like baseline level of stress and like also the responsibility that comes with that. So first day, like there's all these decisions, you know, on the first day of the company, there's all these decisions. And I remember thinking like, wow, these are big decisions. Like I need an adult.
And then I was like, oh no, I'm the adult. That's me. But, but then it like shifted. And now I feel like any kind of like normal job would just be so low stakes for me.
So yeah, I mean, the legacy that I want to make on the world is like something that generally changes the way an industry works. Um, that could be security, that could be something else and just build a company that gets successful enough to do that. Yeah. So between the business I create and then, uh, I have two, two boys, six and three.
So trying to teach them, you know, everything that I know that's good and how to avoid the stuff that, uh, that I know that's bad. That'll be the legacy. You sound like a wonderful father. Thank you.
If you could go back in time and meet your younger self, would you take that opportunity? So if I could go back and meet my younger self and tell my younger self one thing, actually I need two things. So what one would be, um, tell my younger self that I have ADHD. Cause like that was a revelation that I only got to when I started managing people with ADHD and like my whole life, you know, I've been like angled in a certain way.
Like I like certain things. I'm good at certain things. I don't like certain things. I'm bad at certain things.
And I never really understood why. And when I started managing people that also knew they had ADHD and like were declaring those traits, I was like, Oh wow, I have a lot of that too. And got tested. Now that I know I have it, I can manage it effectively.
So like sleep is like super important for me, for example, diet, um, exercise. And then the other thing that I would tell my younger self is start weightlifting. So I started weightlifting in 2019 and it's just been so good for my life. Like I feel awesome.
Just the whole thing is just like totally transformed. And so I wish I'd started that when I was like 12. Amazing. Yeah.
It's important to find something that works. Some, some like outlet for all of the stress that can accumulate. Amazing. So we have several entrepreneurs that do listen to the show and this is a little bit of a leading question, but is there anything that you just wish existed that if it did, it would solve a huge pain point that you experienced or that you have, um, something that you would happily like pay money to solve that you just don't have the time or the energy or the focus or whatever to, to go off and solve right now yourself.
You know, I really liked the, um, the model that I mentioned, Danny, like when he joined and like helped me learn about sales and like there's books and whatever, you're not really going to learn what you need to learn from books. And so I think, you know, like basically this pack of like really good go-to-market people that like will embed with you deeply and just teach founders everything they need, like kind of like a bootcamp or crash course or something like that would be extremely helpful. That's not going to be like a venture business or whatever. It was like a consulting thing I'm talking about, but like that would just be useful in itself.
Um, and then in terms of like, what's actually like a venture scale business, like, so my friend, um, Caleb did, uh, some good talking about this in his keynotes at BSides, but I think we're at the point now where so much of the issue in an organization from a security standpoint is like just chaos, right? It's like, we don't know what's happening in the organization. Like things are, developers are doing stuff. People are making changes.
We don't have visibility, but now that we have this, you know, whole fleet of machines that, uh, operates at like a college level that can go and like check things for us. I think that's going to move the needle a lot in security. We're just going to have more visibility, more filtering out and like getting to the right important context. And that will enable security teams to be at the right place at the right time.
So there's definitely like one or more venture scale businesses that are going to be built in that space. Amazing. All right. There we have it.
Everyone, Travis McPeak, the co-founder and CEO of Resourcely. If any audience members want to get in touch or check out Resourcely, what would be the best way to do that? If you want to, uh, check out Resourcely, go to resourcely.io, like resource, L-Y, dot io, um, or just search it.
It'll come up and then you can, you can try it for free today. If you want to connect with me, just look at my LinkedIn, um, and put that you heard me on the show. Um, and I'm happy to answer questions or help anybody. Well, thank you again for joining for this episode of the security podcast of Silicon Valley, Travis.
Thank you. This is fun. Travis, it was great having you. Thank you.
I'm one of the hosts, John McLaughlin joined today with my other host, Sasha Sinkovich. Uh, thank you to all of our audience for tuning in for another episode of the security podcast of Silicon Valley. This is a Y security production.