Stop Saying No: How Security Leaders Enable AI Instead of Blocking It (with Pranava Adduri and George Gerchow)

In this episode…
Host Jon McLachlan talks with Pranava Adduri (co-founder and CTO) and George Gerchow (Chief Security Officer) of Bedrock Data about why modern security has to start with the data itself, not the perimeter or the compute. The conversation makes the case that security leaders should stop reflexively saying "no" to AI and instead build the visibility and guardrails that let the business adopt it safely. Pranava and George explain how data-centric context, a "data bill of materials" (D-BOM), and gap analysis between what feeds a model and what its guardrails allow turn AI risk into responsible, fast-moving innovation.
Key takeaways:
Threat modeling is really about the data: every layer of security exists to protect sensitive data, so a data-first view beats endpoint-, identity-, or perimeter-first thinking.
Enterprise data volumes are too large to protect everything equally, so resilience and ransomware strategy demand a risk-based approach to deciding what data actually matters and gets backed up.
The business owns the data, not the CISO; full visibility into data lineage, entitlements, and sensitivity lets security enable innovation instead of just locking things down.
"Good brakes help you go faster" — visibility and guardrails are what make it safe to move quickly, which is why security leaders should enable AI rather than block it.
A D-BOM (data bill of materials) is the AI equivalent of an SBOM: it tracks what data went into a model, where it came from, and whether controls like anonymization were applied before training.
Bedrock's Argus compares the D-BOM (what goes into a model, agent, or co-pilot) against the guardrails (what they block versus allow) to produce a gap analysis of what could still leak through.
"How are we using AI?" is the wrong question from the board; the goal is an invisible data-context layer that injects the right guardrails into existing access, annotation, and security workflows so teams can run fast responsibly.
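As an added illustration of the D-BOM and gap-analysis idea from the takeaways above (example code written for this page, not Bedrock's Argus or its data model), the following toy computes which sensitivity categories can reach a model without anonymization and are not blocked by the output guardrails, and flags datasets used at a finer granularity than a vendor's terms allow. The field names, the "anonymized" control label, the granularity ranking and the sample D-BOM entries are all constructed assumptions.

```python
"""Toy D-BOM gap analysis (constructed illustration, not Bedrock's Argus).

Assumed model: a D-BOM lists each dataset that fed a model, the
sensitivity categories it contains, the controls applied before training,
and (for purchased data) the granularity a vendor contract permits. A
guardrail policy lists the categories the output filters block. The gap
is whatever reaches the model unprotected and is not blocked on the way out.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class DbomEntry:
    dataset: str
    source: str
    categories: FrozenSet[str]                  # e.g. {"PII", "PHI"}
    controls: FrozenSet[str] = frozenset()      # e.g. {"anonymized"}
    granularity: str = "record"                 # how the data was used
    max_granularity: Optional[str] = None       # vendor term, if any


# Assumed ordering: record-level data is finer than aggregates.
GRANULARITY_RANK = {"aggregate": 0, "record": 1}


def exposed_categories(entry: DbomEntry) -> FrozenSet[str]:
    """Categories that reach training unprotected (no anonymization applied)."""
    if "anonymized" in entry.controls:
        return frozenset()
    return entry.categories


def granularity_violations(dbom: List[DbomEntry]) -> List[str]:
    """Datasets used at a finer granularity than the vendor contract allows."""
    return [
        e.dataset
        for e in dbom
        if e.max_granularity is not None
        and GRANULARITY_RANK[e.granularity] > GRANULARITY_RANK[e.max_granularity]
    ]


def gap_analysis(dbom: List[DbomEntry],
                 guardrail_blocks: FrozenSet[str]) -> Dict[str, List[str]]:
    """Map each category that may still leak to the datasets that carry it."""
    gaps: Dict[str, List[str]] = {}
    for e in dbom:
        for cat in sorted(exposed_categories(e) - guardrail_blocks):
            gaps.setdefault(cat, []).append(e.dataset)
    return gaps


# Constructed sample D-BOM for one model; values are illustrative only.
SAMPLE_DBOM = [
    DbomEntry("support_tickets", "internal", frozenset({"PII", "PHI"}),
              controls=frozenset({"anonymized"})),
    DbomEntry("crm_export", "internal", frozenset({"PII", "payment_card"})),
    DbomEntry("vendor_demographics", "data_vendor_x", frozenset({"PII"}),
              granularity="record", max_granularity="aggregate"),
    DbomEntry("public_docs", "internal", frozenset()),
]
# Constructed guardrail policy: output filters block PII, nothing else.
GUARDRAILS = frozenset({"PII"})

if __name__ == "__main__":
    print("gaps:", gap_analysis(SAMPLE_DBOM, GUARDRAILS))
    print("granularity violations:", granularity_violations(SAMPLE_DBOM))
```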
Before we jump in, a quick note of who's behind this podcast. Imagine this. You're about to close this massive deal. You've been grinding for it.
You're pumped. And then your customer's legal team decides to make things interesting. What happens if you get hacked? How do you protect your data?
And then your brain just goes blank. That's the nightmare founders deal with all the time. That's actually what YSecurity, the sponsor of today's show, solves. There are 40-plus security engineers who've actually done security at Apple, Uber, Microsoft, Robinhood, Brex, and so many more.
And get this, you don't hire them. You rent them by the hour. No massive salaries, no expensive consultants, just real experts embedded in your company helping you get SOC 2, ISO, HIPAA, whatever it is that you need to close that big deal. Set a monthly cap, know exactly what you're spending, and close the deal.
Head to ysecurity.io/startups and book your free strategy call. Your first eight hours are free. 40 engineers, one full working day, totally free. Go take it.
ysecurity.io/startups. Hello, everyone, and welcome to another episode of the Security Podcast of Silicon Valley. I'm the host, Jon McLachlan, and I'm joined today by two very special guests from Bedrock Data: Pranava Adduri, the co-founder and CTO, and George Gerchow, the chief security officer.
Welcome to the show, guys. Thank you. Good to be here. No, it's great to have both of you.
We were just chatting a little bit before the show, and George, it sounds like you're calling in from a hotel room here on the Peninsula. And Pranava, you're in San Francisco? Yeah. For all of our listeners who are maybe not as familiar with Bedrock Data as we are, would you like to share a little bit about what you do there?
Absolutely. George, why don't I start, and then you can bring it home. But I was actually thinking about Bedrock when I was formerly an Amazonian. I was sitting at AWS.
AWS sees some of the largest customer environments in terms of data volumes. And oftentimes when people would ask us, hey, if I'm going to roll out a zero-ransomware strategy, we want to make sure that our most sensitive data is protected, how do we do that? Well, the answer is go back it up, right? Go make sure that there are resiliencies in place so that if it goes down, if the data gets ransomed, you can get back up and running.
But then the natural follow-up question is, if I have 100 petabytes of data, what data do I back up? I can't back up everything. So there has to be a risk-based approach to doing this. Except none of the technologies that were available at the time could handle those volumes of data at any reasonable cost or even had the ability to scale to those sizes.
And so we started the company because we felt that there had to be a better way with modern environments to keep up with that data, to make sense of that data so that at any given point in time, an organization can understand what data is most important to me and what are the correct ways to ensure that the organization can... At the end of the day, you want to be productive with that data, but you also don't want to shoot yourself in the foot, right? So how do we enable that? That's what we started Bedrock with the idea of doing.
George, I'll hand it off to you to kind of add more color to that. No, I think it's a great description. You know, data security in general and just understanding data has been a problem for a long time, Jon. That was like the attractive thing to the company for me, especially coming this early on was, you know, you go through a security incident.
What's the first thing that pops into mind is like, did any sensitive data ever get out? You know, is that data being misused, mishandled? And then business cases around data too. You want to use the power of data to be able to drive innovation forward.
So it was a super attractive opportunity. Great people like Pranava, Ganesh, and Bruno. So I'm super happy to be here this early on. Yeah, I know.
Thank you for that. I love the focus on data. You know, whenever I'm with an organization, we're talking about security, we're talking about threat models. It really is about the data.
Like all of those layers of security are to protect the most sensitive assets, the most sensitive data. And that's really the core of threat modeling. Like, what are we protecting? It's not the compute so much, right?
It's because if the compute is compromised, then the data can be compromised. And it's been more than one occasion where I've stepped into some roles and you can look around the ecosystem and you're just overwhelmed with how much data is out there and how much responsibility is really on your shoulders as a security leader, as a security professional, like trying to protect all of this data. So that problem can definitely be overwhelming. So I'm- You know that about it.
I have all the gratitude in the world that there are amazing, dedicated, smart, focused people like slugging through the details and the grit underneath the hood. But maybe Pranava, like being one of the co-founders, there must have been something or maybe an experience or a story that you bumped into that really instigated this entrepreneurial journey. Did you feel this problem personally in like in a past life or? In terms of where we saw the problem and kind of the inspirations slash the understanding for the need for something like this, it really was during my time at AWS where we would constantly be speaking to some of the largest companies out there, right?
Like, you know, every one of the Fortune 500s is there, and the largest of the large. And so it really did, like, I think the idea really did start taking root when it came to thinking about how do you enable these teams to become more productive with that data, right? When they have these super large volumes, it gets siloed. There's different teams working on different things.
And in terms of being able to make sense of that data at scale and doing it in a way that's responsible, I think to answer your question, I think the idea that this was actually a big problem was taking root while I was there, right? And then once the business problem was clear, then it became a question of like, okay, well, what can we do from a technological standpoint to enable this, right? And how do we keep up with that data as we see the next order of magnitude of growth or multiple orders of magnitude of growth? I think the time at AWS was really formative in terms of seeing the largest of large customers and then the problems that they were dealing with.
And then I guess in terms of having the itch to do a startup, I think that's, I was there ever since college. I would say I'd mostly been at startups right after graduating. That was very formative in terms of like the culture that I'd wanted to bring to a company. And yeah, I think after the time at AWS and understanding the business case, that's when the time felt right.
Yeah, definitely. What's some most exciting piece about, you know, having the visibility of where all of your data is, what type of data it is and how to protect it? What does that feel like when you get to that place like as a CISO? It feels so good in the way that now it's not just about the security of that data, but I feel like I can also enable innovation by the business because who really owns the data?
It is not the CISO that owns the data. It is the business that owns the data. And the business needs that data to be able to make predictive decisions and drive innovation for customers to be able to leverage products better. And so it gives you like this, I wouldn't say peace of mind because we're paranoid people, you know, just by the nature of what we do.
Got my tinfoil hat, you know. I have it right over here. Put it on. Gotta put it on sometimes, yeah.
Exactly, but it gives you this level of confidence and risk reduction, which we've never had before. Like I said before, we've always tried endpoint, identity, perimeter, and all these things. When you said it at the beginning, Jon, it's about the data. So why not look at it from a data-first perspective? And then it's not gonna go away, right?
The volumes of data are gonna continue to come all the time. And I love having these conversations with laymen, like people who aren't in our industry. And I'm always like, how much email do you have? Like how much email do you accumulate?
How many pictures do you have on your phone? And just the amounts of data as an individual. It's embarrassing how much email I have, yeah. Totally, and so I'm like, you never go back and delete anything.
So I explain it to them that way, and I'm like, now stop and think about an enterprise. And now all of a sudden you have 100, 200, 500 thousands of people, and how much data just stacks up there. When you have visibility of that data, know the lineage, the entitlements of that data, how it works, what's sensitive, what's not, it's just a very powerful predicting. I think having that visibility, it's the foundation for being able to then build the right guardrails, right?
I like to think about this adage of like good brakes help you go faster. A lot of the conversations that we have now, they take on a similar tune to, we are rolling out AI. As we roll out this AI, we want to use it to be I saw it as well. In terms of knowing what data is going in and where that data came from upstream, I liken this to an SBOM in software, right?
You have your binary that you're inventing. There's the software dependencies of those binaries, and then there's the downstream dependencies of those binaries as well, and libraries as well. And so in that same way, models have a D-BOM, a data bill of materials. What data made its way into the training phase?
Where did that data come from? What sets of processing did that data go through? Original data to refined data to get it to a stage where it was training ready. Then in most organizations, they have controls or requirements that say that data has to be anonymized before it can get to the training phase.
But if it doesn't, that's a potential source of the model getting tainted. One example, like I just mentioned, is when it comes to sensitive data corresponding to your customers. But there's also other requirements. For example, in certain domains where the company might be procuring data from data vendors, there might be terms around what granularity of data can be used when training a model, right?
And so again, how do you know that all those controls are being adhered to? D-BOM is one way we think about that, right? So how do you start with the inventory of your AI workloads, whether it's agents, co-pilots, et cetera? How do you look at the data supply chain that's going into it?
And that snapshot is what we call the D-BOM. A D-BOM, I love it. I love it. And to what George was talking about, Argus was actually something that we launched right before re:Invent.
And the idea is when you look at a model on the left side, compute the D-BOM, what all went into it, and on the right side, look at the guardrails to figure out what do the guardrails enable? What do they block? And what do they allow? And that gives you a gap analysis based on what's going into the model or the agent or the co-pilot.
You have this potential of what might be coming out, what do the guardrails block, and then what are they still let through? And it's a way of coming back to what I was originally talking about, which is responsibly enabling innovation. How do you let people run fast while monitoring the gap analysis and seeing where you might be getting in trouble? That's beautiful.
I love solutions to ginormous, extremely difficult problems that you could just drop into place. So taking a step back and looking at the bigger picture, I have all the gratitude in the world that there are incredibly talented, smart, focused people thinking through all of these problems. And it gives me hope that the future will be just filled with magical new technology that is not just magical and new, but it will actually be safe and secure. One of the things, too, to bring kind of that lofty statement back to earth a little bit, I don't think of innovation as just anything that's magical and can sort of do a magic trick up on stage.
It's like innovation, I think, in order for it to really be innovation, has to have the potential to change the world. If it doesn't have the potential to change the world, I'm hesitant to put it in the category of innovation. And that means, like, the new technologies that we're building, as folks really on that cutting edge here in Silicon Valley, we have to think about what it means for the technology, not just to work and to be magical, but to be adopted. And I think that adoption piece is where security and data providence and the controls and thinking about social impacts, maybe, even, of what's going on really comes into play here.
So it's a massive enabler to help everyone move fast. We love that. Enabling. We love it.
I mean, you need it. It needs to be done. And it's the same problem everywhere. We're all going to face it.
This is a community thing. And so building an entire company to just nail it just seems spot on. Right place, right time. Congratulations.
Thank you. May I ask, what's been the best day so far for both of you on your journey? I'll go first because Pranava's will probably be more profound than mine, most likely. But, you know, for myself, and I'll marry the two together, it's going to be just trying to set an example for a lot of my peers as to how to be more open-minded, how to enable a lot of the technology that we're seeing today, how to have the gumption to stand up to the board when the board is saying, how are we using AI, which is the wrong question, and just like leveraging the right technology to solve hard problems.
And then I marry that with Bedrock Data and just being around a lot of great people that are highly determined, like Pranava, to do the right thing and bring value to our customers in a responsible way. But those things are just so meaningful in today's day and age that that's kind of like where I see the future going. And I have like full confidence that that's what's going to continue to happen. I think for me, from a vision perspective, there needs to be a layer that understands what data an enterprise has so that they can use that data to be productive, so that they can use that to govern, so that they can use that to ensure that their customers' data is adhering to privacy law, so that they can ensure that all the contracts that they sign are being followed correctly.
All of that needs to be powered by something. And right now, it's human best judgment. So I think going forward, especially, I use the term data echo chamber. There's the data you have, goes into AI, people ask prompts, it puts out new data, and that will get you sort of back in as well, right?
As you enter into this rapid acceleration, there has to be a layer that's understanding what's going on at the speed of machine, not at the speed of human, to keep up with it. And kind of where I see this going is, I see Bedrock as being this invisible layer that understands your data, that injects that context into every aspect of a business, right? So if I need data to do a certain experiment, Bedrock can tell me, given the context of what I need to use it for, what's allowed, and gives you the right view of that data, not just whether it's allowed or not, right? So depending on every which use case that there is, something needs to know about the data.
And so I think that's the opportunity here, right? And it's not just about building another single source of truth, as beautiful as I think our product is, it's about meeting the customer where they're doing their work. So if they already have an existing gateway, or sorry, an existing, if they already have like an existing just-in-time portal for getting access to something, Bedrock's context should be integrated there so they get access to the right data. And if they have an existing data annotation process, Bedrock should be injecting its context there to meet them where they are, right?
If they have an existing security workflow, Bedrock's context should be injected there. So I see it as the invisible layer that permeates the business, understands what data is present, and helps turbocharge every single workflow that's there with that data context. I think that's how I see the future of enabling, you know, data in an AI world. Amazing.
No, I love it. That gives me a lot of hope for the future. If you could go back in time and meet your younger self, would you? And would you have any advice for yourself?
I would do it for sure. There's no doubt in my mind that I would do that. And the advice I would give myself would be more on the personal front than the professional front. And it would just be to have my eyes wider open, pull in the people that I love even more, you know, and just savor every single second and moment that I have with them, you know, more.
On the personal front, without a doubt, that's where I would do it, and I would do it. And that would be, like, my core value, would be to just try to get more time with my loved ones. It's really meaningful. Yeah.
Yeah. You know, I actually think, I actually think I would, first of all, yes, I would absolutely go back and meet myself. And beyond telling myself to buy more Apple and Google stock, I would, I actually think George said it really well, right? I think, I think at the end of the day, whatever you take on, whether it's spending time with your family, whether it's being very, whether it's building a project that you're super passionate about, being 150% there and doing it fully.
Because I think at the end of the day, that's actually what matters most, right? And if you are there fully in whatever pursuit you're doing, it will have fruit. Not necessarily by working harder, I would say it's about being more fully present. And at the end of the day, like, that is what will give you that exemplary result.
And so whether that exemplary result is then spending time with your loved ones and having meaningful time, or whether it's being heads down working on something, I think at the end of the day, productivity is an emotional output, right? And so really telling myself that in whatever pursuit I did take on, you know, bring it your 150, because at the end of the day, that's what you'll remember. I think that is what I would tell my younger self as well. Amazing.
Yeah. Very inspirational. Yeah. Show up, basically.
Yep. Be present. Be present. Yeah.
Be in the moment. Well,

This episode covered SOC 2.
YSecurity helps teams get audit-ready without slowing the roadmap, from first scoping call to clean opinion.