Interview Conducted by Christy Smith
Joseph’s fascination with codes and ciphers dates back to elementary school, and his career trajectory includes in-depth experience with security operations and threat detection. I sat down for some Q&A with Joseph to find out how this background translates to his mission to improve the power and flexibility of the products we build at Ionic.
Christy: You transitioned from sales engineer to product management relatively early on in your career. What is it about the discipline of product management that fascinates you?
Joseph: Sales engineering was great because I was able to help practitioners figure out how to solve real problems and pain on a regular basis. At the same time, I had to make do with the puzzle pieces I’d been given, and sometimes those pieces weren’t able to solve the problem in front of me. Product management was really the next step in that problem-solving evolution, as I was able to direct the entire solution and solve new problems that in some cases hadn’t been solved by anyone else. The art of product management really does boil down to solving problems for groups of people better than anyone else. That’s a challenge that appeals to me on many different levels.
Christy: Why Ionic? What attracts you most about Ionic’s product?
Joseph: From my perspective, Ionic’s platform provides two primary dimensions of value: security and control. What I mean by “security” is that Ionic can prevent individuals and organizations from harming our customers, and by “control” I mean that organizations which use Ionic can ensure that their data follows the paths and processes it’s supposed to, which of course can improve efficiency, ensure compliance, and in many cases even protect their customers’ privacy.
Christy: What problems do you believe we are solving in the marketplace?
Joseph: My previous professional experience has been centered directly on the security axis, and over the years I’ve seen breach after breach, almost all of which could have been prevented if the data had been secured at the elemental level as is possible with Ionic. The concept of protecting the data at the object or element level with the addition of an easy to use and understand policy engine allows extremely granular control over an organization’s data while reducing the actual management overhead of the data protection scheme to almost nothing. This means that, with Ionic, it’s now cost-effective to adopt the security controls that will actually prevent the losses organizations are experiencing every day.
Christy: Your product experience includes automating incident response for security operations teams at Cybraics and advanced persistent threat detection at Damballa. How does this background inform your understanding of Ionic’s own offerings?
Joseph: As I noted in your last question, my positions at Damballa, Cybraics, McAfee, etc. gave me a ringside seat to watch how companies and governments tried first to keep the bad guys out and then how to find them and stop them as quickly as possible. And while, given enough resources and enough disruption to business processes, it’s hypothetically possible for threat prevention and mitigation strategies to work, they virtually always failed on a practical level. The threat actors can attempt a penetration thousands of times, and in order to successfully abscond with the data they’re after, they only have to succeed once. The security teams, in order to prevent the breach, have to be literally perfect, forever, while often it’s hard to tell if they’re even under a directed attack. With this obvious imbalance in power, it’s pretty clear why breaches are now being considered virtually inevitable at even the most security-conscious organizations.
Of course, if you could just lock the data itself down to where it couldn’t be accessed except by very specific people or applications, and even when accessed by authorized groups the data was limited in how much could be retrieved, and it could even be set to self-destruct after a limited amount of time… then you’d have made the classes of attack that are used by virtually all of the attackers and which succeed every day useless. That’s a massive, earth-shaking change from how organizations attempt to protect themselves today.
Christy: Where is your attention focused right now? What are you most looking forward to delivering or changing over the next 6-12 months?
Joseph: Ionic has done a great job of making a powerful and flexible solution that works well in the most sophisticated organizations. What I’m focusing on over the next 6-12 months is making the Ionic solution more accessible to other organizations so that everyone can easily get the value that we provide. This will include making it easier to get started on the platform in the first place, simplifying the user experience, and pre-packaging use cases that can be deployed almost instantly.
Christy: The first time we sat down to chat, I remember that we discussed tin foil hats in some detail. Can you tell us a little about that?
Joseph: From at least third grade where my group of friends communicated for an entire year using codes, ciphers, and artificial languages we created, I’ve had a stronger-than-is-probably-healthy stance on privacy and security. (I also received a good lesson about trust and Op-Sec when one of my teachers paid my younger brother $10 to “borrow” and photocopy one of my codebooks.) This has some pretty obvious correlations to my career, but even before I was out of college, I was running and maintaining my own network and communications infrastructure because I saw it as a matter of principle that other people (including unknown sysadmins) shouldn’t have access to my unencrypted personal correspondence and data.
Christy: How has this translated to your own personal network and services setup?
Joseph: Jumping ahead to today, I’m currently running my own infrastructure including email, web servers, firewall, IPS, DNS, file hosting, NAS, directory services, internal wiki, database cluster, code repository, and packaging systems. They’re fully HA-replicated across two different sites, one at my residence, and the other of which may or may not be located in an undisclosed location in the North Georgia mountains. All of the software I’ve used is either open source or self-created (barring the Ethernet switches and Ubiquiti access points), and of course I keep it all patched and up-to-date with a mostly-automated Ansible playbook.