Titan Talks - Ep 2 - Casey John Ellis with @thecybermentor
I've watched Heath's journey as an education and community powerhouse, and more recently as an entrepreneur with tcm-sec with much interest and respect and was super excited for this conversation. We covered a lot of ground about entrepreneurship, founder DNA, competition, priorities, and the cybers all around.
Transcript from Rev.com:
Heath:
Casey, how are you doing today?
Casey:
Good man, how are you?
Heath:
Doing well. Thanks so much for joining me. You're in Australia, right?
Casey:
Correct, yeah. I'm down in Sydney at the moment. So I'm sitting here, it's 8:00 AM, I've got my coffee. Happy to be having a chat, so yeah, we're good.
Heath:
Appreciate it. Living in Australia, how do you stay safe from all the spiders and snakes and anything else that wants to kill you out there?
Casey:
I mean, look you grow up used to it. The drop bears, fortunately they only attack tourists. Nah, look, it's interesting, I think it's a thing that Aussies get asked a lot. I feel like Americans think about dangerous animals and stuff in Australia in the same way that Aussies think about guns when we come to America for the first time. It's more the fact that the risk is unfamiliar, it kind of freaks us out. You've got to either be unlucky or doing something dumb to actually have a real problem but it's sort of a similar kind of thing. So we just learn about that stuff from a young age and just mitigate it, which is kind of the same as a lot of risk I think.
Heath:
I figured I'd ask, I've always been curious and never really get to sit down and talk with an Australian that much.
Casey:
No, most definitely. I think the only thing that we're better known for than the dangerous animals is making crap up about dangerous animals to spin to people that aren't from Australia so there is that too.
Heath:
So today I kind of want to talk about your journey and your life and I've done some [inaudible 00:01:48] on you, we'll see how well I did, but I just kind of want to talk about your upbringing and getting into starting Bugcrowd and starting your own business. I know you've had some kind of businesses before that. And getting into where you're at now, so kind of the journey along the way.
Casey:
[crosstalk 00:02:06] let's do it.
Heath:
We'll start at a young age, so your parents are musicians right? Your dad's a teacher, your mom's a musician?
Casey:
Yeah, so my mum now, she actually went through and did her master's in clinical psychology, she's an entrepreneur as well in that sense. These days, back in the day, she was looking after myself and my sister. But yeah, they're both musos, to your point, they actually met on the road, which is kind of cool.
Heath:
Oh really? That's cool. So when you're growing up you have access to your dad's drum kit, is that pretty accurate? Or how do you actually learn to play the drums?
Casey:
Yeah, so it starts with, for me, and actually I'm watching the same thing happen with my kids now which is kind of cool, it starts off pots and pans and banging whatever's around, just to see if there's interest when you're two or three, like that kind of deal. Like oh look, you're playing a drum kit just like dad, and that whole thing. That's pretty much what I did, there's photos of me doing that when I was little. But then the interest seemed to stick and then I wanted to get behind a kit, so started doing that. My dad started putting deliberate time into teaching me rudiments and the different kind of, the primitives and the fundamentals of drumming, and then it kind of just went from there.
Casey:
I think having, like growing up in a musical family you just... you always have it around, so regardless of what you end up doing, like you end up playing something, you end up just really appreciating music or writing or whatever else, it's just sort of something that's almost part of the environment as you're growing up so it just becomes a bit of a part of you, I think, which is definitely what I feel happened to me.
Heath:
Yeah, and there's some research out there, that as you're growing up if you have a musical instrument in your hands I think your cognitive abilities are better than those without. And I feel like, I don't know if it's just me being observant but I feel like there's a lot of musicians in the hacker space or the tech space, I don't know if there's a correlation there or not but it feels like there definitely could be.
Casey:
Yeah. I nerd out on this one a little bit because you're not the first person to observe that, there's definitely a correlation between musicians. The hacker scene, I think even the security scene just in general, people that interact with tech but do it in a creative way and they've got, in our domain, like this adversarial mindset that they kind of bolt on top.
Casey:
My theory on that is that music is actually like math when you break it down. So there's a component of it that's really, really logical and really, really scientific in a lot of ways. That's not the side of it that most people ever see or get to interact with but it's kind of the construct of what music is.
Casey:
So as people that learn that stuff growing up or if it becomes very much a part of who you are, you end up with this ability to think about the creative side and the human side of things as well as the very functional mathematical almost computer science-y side of things. I think that's part of where the crossover into security comes from. Like that's at a guess but this is a... it's a conversation that I've had with folk in the industry, like it predates Bugcrowd. It's like wow, there's tons of bass players and tons of drummers and tons of keyboard players and whatever else, we all seem to... It's not so much that musicians gravitate to InfoSec, it's more that InfoSec has a lot of musicians in it. So it's like okay, why is that? Is there a mental wiring thing that draws us in that direction?
Heath:
Yeah, I think it's really interesting, I think you touched on a lot of points on the math and the logical thinking. When you do break it down it is all math. With that, that sparked a question. I wanted to ask you about influences, but before we get there, were you into math metal ever as a drummer? Did you get into that kind of space?
Casey:
No, not really. I mean, look, I kind of grew up on everything other than country. I think once I moved to the US I learned to try to appreciate country but I didn't quite get there, and no offense to the country music fans but it's just-
Heath:
It's not me either, my friend.
Casey:
Yeah, and more power to you if you can enjoy that stuff but I don't. But pretty much everything else. So the big one was '70s jazz, like the really technical fusion type stuff, like odd time signatures and things, switching around, dissonance and all this other stuff. Artistically I just always really appreciated that and then you kind of go listen to a pop tune and you're like that's really different, so you start to try to figure out why is it different? And that's when the math starts to show up. It's like oh, that's 11/8 as a time signature instead of 4/4 and all that. Like a seventh note, kind of fairly dissonant chord change that's a key feature of the song, you're not going to hear that on the radio so why is that? Those were the sorts of things that really intrigued me about music early on.
Casey:
And yeah, it's been interesting. You see that sort of stuff creeping into all sorts of different... I love Radiohead for example, which is not metal in any sense of the word but they're a popular band that use a lot of those really complicated, weird musical concepts and actually make them sound good. That's the other thing I like about music and how I do think it does translate well. It's ultimately about communication, because you're writing a song and you're doing that to basically almost bypass the intellect and speak directly to a person's self, that's kind of what music does.
Casey:
There's a communication aspect to that that I think's very important, definitely in our field, I mean just in general, but InfoSec's kind of confusing so the better you can communicate, more power to you. But also the leadership side of it as well in terms of here's where we're going, this is where the song starts and ends and rock on.
Heath:
Sure, yeah. I remember growing up, so I was trained on the trumpet and I played that for a long time.
Casey:
I was going to ask, do you play, yeah.
Heath:
Yeah, so I started doing guitar when I was in my teens and just sort of self-taught there, and I gravitated kind of instantly to more of the harder stuff, the more technical stuff, because I felt like it was something more challenging, better to learn, something that challenged my skillset.
Heath:
It's a lot different going from high school band, even jazz band or any of the bands, where you're doing a 4/4 most of the time, 3/4, maybe some weird stuff in there, 8/6. Then you go and you start playing bands like Tool and Tool changed the time signatures up throughout the song into these weird mathematical breakdowns.
Casey:
Suddenly you're playing 46 and 2 and you're like whoa.
Heath:
Yeah, so it's like this mental challenge and it comes back to logic and I think wanting that mental challenge and that stimulation and being able to figure those things out. I think it does correlate quite a bit when it comes down to this industry.
Casey:
And to have it come out coherent, too.
Heath:
Yes.
Casey:
I think that's the part, in terms of being a geek, I think who figured out how to be an entrepreneur, communication really I think is a lot of what unlocks that. Like the ability to not just know that you can solve things but then to be able to communicate the importance of that, how you're going to do that, the fact that that's possible, the fact that you should to people that don't necessarily have a lot of history thinking about that same subject. It's a similar thing, like Tool, their music is so technical and there's so much math deliberately built into it but you don't really notice that until you start to unpack it because they put so much work into making it sonorous and to make it communicate in a way that you're just enjoying the tune.
Heath:
Exactly.
Casey:
There's something in that. It's a fun thought.
Heath:
It's beautiful when you dive into music theory and actually begin to appreciate what they're doing and how they're making it seem so simple from an audible perspective.
Casey:
There's a lot of work that goes into that aspect of it.
Heath:
Yeah. So growing up, besides the drum kit do you have computer in hand, are you a techie kid, do you have aspirations to do stuff with tech or what is your dream? Did you go through the whole process of I want to be a musician, do that sort of road too, or where does your mindset as a child, where are you planning on being?
Casey:
Yeah, that's a good question. Inventor I think would probably summarize it best, that was my consistent one. Honestly, these days I still don't really know what I want to do when I grow up, so there is that. It's kind of been this continuous... I mean, I do, sorry, that was overly dramatic for the listeners there but in principle the idea of there's always something new and there's always this process of self-discovery around what am I capable of, where are the areas that I can be most effective, most impactful.
Casey:
What I've really learnt is that there's always the next boundary to push or glass ceiling to break in your own sense of pursuit of potential, that for me I find that really compelling. Like the whole idea of oh, what else can I do? How much more can I expand what I'm able to learn, how I'm able to build things, how I'm able to create influence, create positive impact, generate wealth off the back of that, in the case of the capitalist stuff.
Casey:
That's just kind of always been true and I put that back down to invention as a kid, so the whole idea of like oh wait, lightning has power in it, I wonder if you could harness that to do renewable energy? That was a track I got on really young and that's still actually a thought that keeps me up at night in terms of renewable energy and the different ways to do that from the environmental standpoint.
Casey:
But yeah, it's that kind of invention streak was really the thing that I think was dominant. And my old man was a science teacher as you pointed out before, so I've always got toys and tools and whatnot hanging around the house, like he's encouraging me to tear stuff apart and put it back together.
Casey:
And I was doing that and then realizing this is really fun and oh by the way if you put it back together you can do that differently, in a way that gets it to do more of what you want than what it might have been built to do, so that was I think the beginnings of the hacker streak. Then eventually he brought a computer home. I'm of the age where I started life from an education standpoint without computers and they kind of popped up halfway through, so I still remember when that happened and it was awesome because all of the stuff that I've been doing with radios and lasers and other just random tech, once a computer showed up on the kitchen table I just started doing it with a computer and kind of went from there.
Heath:
Now, at this age, are you creating any kind of tools or... I know you said you're modifying tools. Are you thinking about businesses at this point? Any sort of inventions like you're talking about or any kind of startups as a kid?
Casey:
It's funny, I actually didn't realize that I liked business actually until I got married. To me it was more about the pursuit of the solution and trying to do that sort of thing. So I was intellectually attracted to the idea of solving problems that haven't been solved yet.
Casey:
I got married. My wife, she's an entrepreneur, that's very much her DNA, it's what she'd been studying, all these different things. We kind of had this Vulcan mind meld thing happen where she actually is now studying cybersecurity at university and I feel like I caught some of my realization that I actually really enjoy... The idea of solving the product market fit problem, how do you... I mean, in the bounty space, how do you convince people that hackers aren't horrible, evil people that you should just shun? How do you convince an organization to accept the idea that having their baby called ugly every now and then is actually a good thing, right? Like there's work to that and that's actually a business problem.
Casey:
I kind of learnt that from her and in hindsight I always had that intrigue and that kind of competitive streak, I just hadn't really connected it to wanting to build a company or be an entrepreneur. That didn't happen until mid-2000s or so.
Heath:
Sure. So growing up, I guess you graduated-
Casey:
I mean hindsight it was always there, it just needed oh that's a thing, oh okay cool, and then off we went.
Heath:
Yeah. Actually, now that we're there, something that you brought up, I listened to another interview of yours with [inaudible 00:16:34] and you were saying stuff about people being cogs and people being levers, and I thought that was an absolutely brilliant statement because I'm equally as guilty of having gone into the grocery store, going through a restaurant or something and seeing somebody from high school or seeing somebody that's of old age and you're like wow, you haven't done anything with your life? And that's not the right mindset to have. Some people are, like you mentioned, the cogs, and then some people are the levers who the wheel's always spinning, they're thinking of how they can change things.
Casey:
And the cogs can be perfectly happy having done that for the last few years. The thought of it makes me twitch. Like for me, no. No way. But for them, all right, cool, maybe they found their thing and that's awesome.
Heath:
Yeah. I feel like there's different levels of cogs, too. I know plenty of people that are high functioning in the sense that okay, I've got a friend that has been in the same job, same space, very beginner IT level for years, like almost 15 years. Happy as can be, doesn't want to move up, doesn't want to earn any more money, great for him. Then you've got people who are the hacker types or the cybersecurity mindsets where they've always got that personality where they've got to learn the next thing, they've got to do it, but they're still not going out and starting their own business, they're still being a part of a system but they're more high functioning as a cog. So I think you have different levels of levers and different levels of cogs at the end of the day.
Casey:
Yeah. I think that's right. I wrote a post on this, gosh, six or seven years ago when it first happened. Because literally it was that experience, like I walked into the... I was back in Australia, I walked into the supermarket, that was my first job and my supervisor when I was a 14 year old, still there. And the whole thing was like oh, wow, that's sad. Feeling like what I'd done was inherently superior to what they'd done.
Casey:
But then catching that thought and realizing no, you're being kind of a jerk right now, that can't be how this should work. It just doesn't feel right, I'm a big believer in just the intrinsic value of humans, period, regardless of what they're doing. So that violated a core belief and I caught it.
Casey:
Yeah, that's when all this kind of came out. Maybe folks that just want to find the thing that they can do, do it repeatedly, to your point around different sizes of cogs. Maybe the opportunity is to climb a corporate ladder or go from a checkout operator to being a supervisor or whatever that might be. And that's kind of changing the size of the cog that you are as you go through your career.
Casey:
Switch it over, if you've got a lever, really it's about having more cogs and more other levers reacting as a function of you changing state. So the whole thing in that blog post was cogs without levers just continue to turn forever and eventually they become irrelevant, so that's where people that come in and think disruptively I think play a really critical role in the future of basically everything, and that's historically true so that's not really a new idea.
Casey:
But with levers we need cogs otherwise we're just making clicking sounds, do you know what I mean? We're just like oh, this should be a thing that changes, well great, no one cares. And nothing really improves or is modified as a result. So there's really this symbiosis of all types that come together to make the machine and the machine sitting there actually gets the work done. That was like the moment trying to unpack that whole thing.
Casey:
It was really interesting because that was during a really heady period of Bugcrowd. The venture thing, you get funded, TechCrunch are writing about you, all these different things. And it's fun, it's exciting. I think the ability to get over your skis on how good you think you are is very real, through that process. So I was starting to become aware of that and looking for opportunities to bring myself back into line in a way that's practical. It's like, how does life work? I enjoy being good at the things that I do but I don't want to become so disconnected from reality and everyone else that I become ineffective so how do I try to balance that out?
Heath:
Sure. I just thought it was, listening to that and hearing that story, I thought it was an interesting perspective that I've never put into before and it's interesting to think of life like that and everybody has their purpose and just because somebody's working at a grocery store doesn't mean they're unhappy. They can be completely [crosstalk 00:21:42] with their life.
Casey:
I think a big part of the reason for writing that too on the other side of it, again, almost informed by the Bugcrowd perspective where we've got, at that point in time, more and more people looking at us and looking at the space saying, "That's what I want to be when I grow up," is to contextualize some of the pressure of that. It's like you don't all have to XYZ. The goal from my perspective is pure to potential, trying to connect to the thing that you're best wired up and I think ultimately here to do, and that doesn't look like me and it doesn't look like you, it doesn't look like my supervisor at Woolworths, it looks like whoever the person is so what's the journey of discovery in finding those things?
Casey:
And how can you remove pressure that's counterproductive from that process? That was really the idea. It's like being a lever is great, I love it, it's my preference, but not everyone has to be. Figure out if it's the right thing or not and then start to think more about what you actually want to do and what you're good at.
Heath:
Yeah. That's great insight. I want to pivot here just a little bit. So, we'll skip over a little bit of the high school years. You graduated high school, you go into IT, right, and then at some point, correct me if you're wrong, you're laid off of work. Is that back against the wall type mentality what finally unlocks the entrepreneurial mindset for you in the sense that you go from being this hey I'm an inventor to now oh shit, I don't know what I'm going to do, time to start producing it and being this entrepreneur?
Casey:
Yeah, you caught that, that's exactly how that went down. The whole idea of oh wow I actually really like business, turns out I'm good at it, I didn't realize that, that was under duress. Learning that was kind of a forced thing, pretty much yeah, as you said, my wife and I got married, we went off on our honeymoon. My plan, I actually quit my job to take our honeymoon because they wouldn't give me the leave so I'm like I don't want to work here anymore.
Casey:
She had a plan to cover that and then we were going to go forward from there but then she got retrenched when we returned. So all of a sudden we're like yay, marriage is awesome, how are we going to pay the rent? A little freakout moment. At that point in time, we had... Like, I'd been building the ability to do audio recording and different things like that, going back to the muso stuff before that. I had gotten some practice in sourcing audio equipment to do recording, like bringing it in from the US, converting it to Australian power and upgrading the components and different things like that.
Casey:
So I'd started selling some pieces of that off and what I noticed was when I sold it, it sold for four or five times what I bought it for. Which was completely by accident, it was like oh, wow, I didn't think that would happen. And trying to solve the problem of what are we doing to pay the rent and just do the very practical, newlywed, keep the lights on things. It's like maybe I could do that again. And it kind of went from there, like that turned into this accidental fairly decent import business around audio gear in Australia, that was really my start I think in entrepreneurship.
Casey:
The interesting thing that also taught me I think was when 2008 rolled up, which was a couple of years later, and all of a sudden the US currency and the US economy kind of drops, the Australian dollar actually went way up from a parity standpoint switch, like how do you take advantage of arbitrage and just the prevailing conditions in a way that's supporting your needs as a businessperson and as someone who needs to, again, keep their lights on, but is also providing something that's good?
Casey:
That was one of the things that I learnt from that process, eBay was kind of the main vehicle and they were really good at reinforcing this at the time, it's basically don't be a jerk, you only get one reputation so if you're going to do a thing don't put your name on something that sucks. That is a viable way to make money and build a business. I think it's wrong but I also think it's fragile because eventually you get called out and you don't tend to get to do that twice. So that helped instill that principle in me at that point in time as well.
Heath:
Yeah, it's funny because I think there's some similarities between us, having heard some of that backstory before in the sense that when I was a freshman at college I had figured out that the US book prices were insane, it was like $250 per book for every class you were taking. I figured out that in Europe the books were like a quarter of the price. Same book, same everything, different cover. That's all it was.
Heath:
So I came up with the brilliant idea of okay, I'm just going to put these books online for sale and then I'll order them from a third party, have them shipped to somebody's door, they're not going to notice the difference, and pocket some money really quick doing that while I'm relying on other suppliers and vendors, but it's like seeing the market as what it was where you can make this profit off of an identical book.
Casey:
Yeah. And practically, the thing that I realized, I mean I was doing modification stuff, so Australia's on 240 volt AC out of the wall, North America's 110, so you've got to make that work. Then going through old components, seeing if anything needed a replacement, different things like that. It wasn't a lot of work but I was trying to add value in the middle there. That was my original I'm just selling someone else's stuff here, this doesn't quite feel right, justification.
Casey:
But then I also realized at that point in time people weren't comfortable shipping across the Pacific, so the idea of buying something in North America and having it arrive at your doorstep in Australia, that was still a really risky idea for most people. Like today, it's just normal but it wasn't like that at that point in time. So I was taking that risk and I went ah, okay, so if I take that risk and put processes in place and connect it with the buyer in a way that gets them what they need, and I'm taking on that overhead for them, that's where the value is. If I can bridge that gap in a way that solves all of the different problems that are in play, and then really do that in a way that's repeatable, good service, all these different things, then yeah okay people are going to pay extra for that. I get to keep that because that's the value that I've added and it kind of goes from there. Same for the books, right? Probably a similar thing in Europe.
Heath:
Yeah, exactly. And transitioning too, I know you mentioned eBay. So with the eBay business that you started, is that a tool that you built or is that a storefront or what were you running with eBay there?
Casey:
It was a tool so somewhere in this process I read The 4-Hour Workweek by Tim Ferriss which is like this go be awesome entrepreneur book. There's some really good stuff in there, I think, and I said this on the thing with Luke as well, it's, as a business manual, really incomplete. It's more like hey, go do stuff. But it had that effect on me, I got inspired to go off and figure out how outsourcing worked, figure out how to build development teams that could build platforms, different things like that.
Casey:
The gap I saw with eBay at that point in time was the fact that there were no analytics on why someone found what you were selling. So okay, which part of my SEO, my listing title, my listing content, how was that relevant to the buyer? So this is me trying to think through marketing funnels and different things like that. The data just didn't exist for you to be able to optimize that. So we basically built Google Analytics for eBay, and that was that project you were referring to there I think.
Heath:
Gotcha. So backtracking just a tiny bit, I've had friends and I've read even entrepreneurs talk online about having the back up against the wall kind of mindset, like literally I had one friend tell me, "I want to move to this big city, have no money to my name and just have that back against the wall mindset." Then the flip of that too being that entrepreneurs talking about reinvesting every single dollar that you have so that you remain hungry, not taking any sort of profits back or any sort of salary.
Heath:
Having gone through it and not necessarily gone through it intentionally, is that something, like a mindset that you recommend to people or does it vary or would you not wish that upon anybody or what's that opinion there?
Casey:
So that was when we got our start. The reality is even at that point in time as newlyweds doing the eBay thing, all right if it really didn't work out we could go stay in our parents' back room which neither of us wanted to do but we knew if it became an issue of survival we had that option.
Casey:
I think that's always been true in different ways, like being able to see what your safety net or what your keep lights on option looks like. Being able to stare that in the face until you get comfortable and then going forward on that basis. That was a really I think powerful principle.
Casey:
I was learning intuitively at that point in time but I had other people mentoring me to some degree and actually calling it out. Because you don't want to take unnecessary risk. I think the thing I see entrepreneurs get into is this idea of oh cool I can just hype the market up, go out and raise funding and do all those sorts of things and then everything's going to be great. They don't consider the work that goes into that or what they're going to do if failure actualizes, which it does literally 98% of the time. So making a plan for that's smart, right? I don't think that's...
Casey:
A lack of confidence in yourself or anything like that, I think that's actually one of the reasons people tend to avoid it. They're like, "I don't want to think about the downside because then I'm not going to be jazzed about doing the thing that I want to do, it's just kind of a bummer." Which I get, but it's unwise, to be able to say, "Here's this very practical assessment of what my fallback states look like, I'm going to get comfortable with those and then work really hard to avoid them." It helps and I think to your question that idea of having enough duress to force you in that direction, I think that is a good thing.
Casey:
I had kids when I started Bugcrowd, we kind of did the whole live in hostels and my co-founder and I actually slept literally in an abandoned factory in San Francisco for a couple of weeks while we were fundraising, like there's all those wacky stories that you end up with, doing this type of thing. It's crazy, right? And people asked me at the time, "Are you nuts? You're doing this with a family, what about them?" My wife and my kids were on board. They understood what was going on, they were willing, I wasn't dragging them, and that was another thing that I made sure of because that's a keep lights on thing too.
Casey:
I actually think that some of that pressure was productive for me, because I couldn't afford to screw around. It wasn't just playing with an idea, I actually had a family to support and there was this need to get it at least mostly right for their sake. That provides accountability to me as I'm like ideating and coming up with random stuff and getting distracted over here and whatever else, like there's a focus that brings.
Casey:
I'm not sure that's true for everyone, to be honest. I think that's just my own kind of neurodiversity and understanding of how I operate, recognizing that that was actually a useful thing for me to have, that's kind of what happened there. I think some people, you put too much pressure on or any pressure and they crumble. That's just who they are. Like okay, I think it's good to get better at handling that sort of thing but understanding what's actually useful to make you most productive and then expecting that you'll get it half wrong but then be able to learn from that and improve over time, I think that's the goal.
Heath:
Yeah, and let's transition with that conversation, I think into Bugcrowd. I think this would be a good place here. So you create Bugcrowd in 2012, but with that where does the idea spark, where does it come from? Because what, almost 10 years ago nobody's thinking really about the hacker space, companies are not really bought into okay hackers are good people or there can be hackers that are good people. They're not thinking about security assessments or bug bounties in general. It seems like such an obscure idea. So where does this come from? What sparks this and what was the process moving forward?
Casey:
For sure. So we talked about the tech origin side of things. The other thing, I've just always enjoyed thinking like a criminal. I'm not sure if it's an Australian or what it is but there's this sense of appreciation for mischief, I'm known for being a bit of a provocateur and a troll and that's always been true. It's just something that's like if you want to push on things and move them forward, looking for the edge and poking on it sometimes is the right thing to do.
Casey:
But also, this idea of criminal creativity. Criminals are entrepreneurs without rules. I don't want to be one, like that was the thing that was interesting. I really appreciate this way of thinking and this kind of creativity and just being able to get whatever you need to do done. I'm intrigued by the idea that they do it without respect to morals or rules or harm, because that ultimately nets out to a more open playing field for them, but also I really don't want to hurt people. I'm not comfortable to actually do that myself.
Casey:
So trying to figure out how to reconcile all that, that was interesting. I think getting into pen testing, that was my first job out of high school. I'm like oh my god, I get to do this and actually help people, get paid for it, get talked about as someone who's actually a legit contributor to society and make things better, this is Christmas. Realizing that was a thing was pretty cool.
Casey:
But then the whole way through that I was trying to connect in with community, like back at that time it was BBS and then IRC and eventually Twitter showed up and we all kind of did that. So I was always aware of this incredible what I felt was latent potential that existed in the capacity of the community that just would really probably do this stuff for fun, ideally let's turn this into a career, but honestly these people most of the time are doing it because they just love it and that's the starting point.
Casey:
So it's sitting out there kind of unplugged and in the meantime technology's growing at a million miles an hour, we're not doing it very well, like the bad guys are having a party and as a pen tester I'm recognizing the fact that there's not enough people with an adversarial mindset to actually answer all the questions that are being formed on the defender side.
Casey:
So really the origin of Bugcrowd was just being vexed by that problem. It's like, we need to do better. If we're tasked with basically outsmarting on a creative level this army of adversaries and our attack surface is created by this army of engineers who are awesome but they screw up occasionally because that's what humans do, Bob and Jane the pen tester, they might be really good but they're kind of screwed because of the math. Automation's not going to do it, it will provide leverage but until we're worried about stuff like Skynet it's not going to come in and actually replace the role of creativity in that process. So how do you make that better?
Casey:
And really around the same time that was when people were starting to look at what eBay and sorry, PayPal specifically, and Facebook and Google were doing with their VRP and saying, "Oh, that's cool, that sort of makes sense." So that was really the origin of Bugcrowd and the coalescing of these thoughts, was when I had literally a business trip to Melbourne, met with a bunch of customers, I think Facebook had just done some press around their VRP, everyone wanted to talk about it. They were like, "What do you think about this? It seems cool, it's like this neat Silicon Valley thing that's just intriguing because Silicon Valley things are but it's more than that, it actually seems to make sense as a way to balance the equation and more reliably solve this problem into the future. What do you think?"
Casey:
My answer to that was why aren't you doing it? If the hackers are at the door and they're waiting for an invitation just invite them and go. And really it was the reasons that people gave me not to do that that kind of forms... it was literally the flight home from that trip where the light bulb went off and I'm like wait, they all said the same thing. If I can solve those problems in context of a platform and a business then all of a sudden we get the opportunity to plug this stuff in and maybe we can do something really cool here.
Casey:
That's my phone. And that was kind of when the light bulb went off, so it's like oh yeah, Bugcrowd, that sounds like a good name, and came up with the original crowdsourced pen test model at that point, all these different things. Got in the car, drove home as quickly as I could to register domains and Twitter handles and all that sort of stuff. You can actually see the day that happened if you do a whois lookup on the domain because it literally came together like that.
Casey:
But those were like the precursors, this idea of we're not very good at this, humans are interactively critical to this whole domain of cybersecurity. It's not a technology problem it's actually a human problem that goes a lot faster now that we have the internet, like how do we make the humans go faster and give the defender the ability to be smarter than the adversary? Then yeah, that's kind of how it all came together.
Heath:
So are you in Australia at this time or are you in the US at this time when the idea comes to you, like living wise?
Casey:
Here, yeah. I was actually in Australia at the time. So probably the other thing going on there as well was there was the eBay platform, I'd actually at that point quit my job, started a consultancy with the view of doing startup-y things. I was running a white label pen test, basically consultancy into some of the SIs and VARs in Australia that had the ability to sell this type of work but didn't have the people to do it. So we kind of white labeled into that, and that was the business precursor to Bugcrowd.
Casey:
The problem I had with that was the idea that I kind of called it out before, like one person versus everyone, they're going to eventually lose so how do you improve that? But also the fact that there's just so much, and there still is, so much like snake oil around how services get solved in our space. Like we're masters of the dark arts, so just trust us that we're totes legit, pay us a bunch of money, we'll come in, do something that you can't really tell whether it's good or bad because you don't actually really understand what we're talking about in the first place, and then we're going to put this huge margin on top.
Casey:
As a business it's great but the question is, is it solving the problem with the user at the end of the day? Because it's grandma that ends up messed up by that if it goes on for too long. So that was the other side, just looking at the pen test industry and thinking there are folk that do this well but there's a lot more folk that are just exploiting what's possible. I kind of want to call bullshit on that.
Heath:
Sure. So when the idea comes and you go home, register all this, and you're working your job. What's the next thought process there? Is it hey, I'm going to quit this job and I'm going to on the road, we're going to go to establish this thing and I know you mentioned going to San Francisco and maybe Silicon Valley and living out there, but what was the step to having the decision to living in an abandoned place for a couple weeks to getting to that place in time, trying to pitch your company?
Casey:
Yeah, for sure. And just to be clear, I'd already... So I'd broken bad, so to speak, from salaried employment probably about three years before this. And honestly that was the hardest thing, like from a career standpoint going from relying on that and just having that be how I did stuff, to now I have to catch and kill what I eat. That was probably the scariest decision. I think all of the things that happened after that got easier because that one was such a shift.
Casey:
But yeah, heading into this, my wife and I were always intrigued by the idea of living somewhere else. We were really intrigued by San Francisco and Silicon Valley and just this kind of cradle of innovation, what's it called, incubation in that sense. We wanted to see how that worked and see on the inside of it.
Casey:
So we already had this idling desire to get over there at some point. With Bugcrowd you're asking about the process, I think the decision to actually go to Silicon Valley was really looking at how it would potentially grow and realizing this is going to move quickly. It's either going to catch on fire and fail or it will move really fast. If it does the latter, we want to be in a place where we've got as much access to resource to be able to move fast, as we can make it available for ourselves. Sydney's awesome but it's not Silicon Valley. Silicon Valley is kind of like Hollywood, if you're an actor. There's nothing special about it other than the fact that it's been doing it the longest. So you end up with this critical mass of all these different things you get to take advantage of there, and that's why I wanted to go.
Casey:
But yeah, really from there it was a whole bunch of testing. Are hackers going to turn up and actually participate in this type of thing, like are they interested? Pretty quickly validated the answer to that was yes. I put a tweet out and a landing page up and said, "Hey, try this thing out if you want to maybe hack on some cool stuff. Go sign up." And it went viral, we onboarded a couple of thousand users within a month and this was before bug bounties were a thing and before bug bounty platforms were a thing. We were actually the first to go out and say we want to jump in the middle and try to help make this work.
Casey:
So from there it was, is the market going to accept this? Actually no, the next one was does it work? So I put out a bounty on an app that I'd written, it promptly got completely destroyed so I'm like okay, this works. I'm not a... I can build things to break other things but I'm not a platform engineer by any stretch of the imagination so that was kind of fun.
Casey:
The validation of that was just the level of creativity that people put in to trying to find exploit chains on this system, because I'd seen pen tests for 15 years before that and I'm like whoa, this is a step up. It's less a function of the amount of money or whatever else, it's more the fact that if you get the right people thinking about the right things as they approach a target, that's when the magic happens, so how can we do that more?
Casey:
Then it was really about trying to see if the market would accept it or not, and that was the interesting part. Because the early answer was a very resounding yes around the fact that the companies that were trying to figure out how to better defend themselves felt like they didn't have the people or the skills or even the tooling to do that, and what they had available at that point just wasn't working. So that was a quick yes, we were able to do a deal with Google in the early days, we worked with one of the largest retailers here. There was a whole bunch of very early proof that yeah there's pain in this market and there's something there in the solution.
Casey:
So really from there you package all that up, you talk to a VC, you talk to an accelerator program. For us we wanted to get funding, that was another thing that I kind of decided to do because of that projected growth ramp. And it was really a matter of getting all that information together and saying, "I think this is going to be a thing, would you like to invest in it?" And it all kind of went from there.
Heath:
Yeah. That was my next question to us, is the decision to get seed funding, because... And at this time, so I don't know much about the background but in 2012 HackerOne spawns up too. So is there ever pressure in the sense that you're kind of now in an arms race with another bug company and first to market, first to capitalize kind of thing? Is there any decision with the seed funding behind that too?
Casey:
Yes. In the sense that going back to what I said before, this is either going to catch on fire and fail or move really quickly. If it moves really quickly you're going to end up with competition. So there was that sort of thought in the back of my head, and honestly I actually think this is such a ubiquitous solution and such a global problem that still, I don't even really feel like we scratched the paint off the potential of this idea at this point in time. We've been talking about bounties now for nine years.
Casey:
The reality is that most of the internet still doesn't do it. So okay, what does that say about who's going to come in and help make that happen? So competition's a really good thing in that sense because basically it helps you establish the category. Like that was step zero for us. The whole idea of hey this is a thing now, articulating that, getting people to understand it and buy it. I think as the subtext to that, change the opinion of hackers in general. It's like I thought these were bad people, you're telling me they're good now, that's weird, help me through that. That took a lot of work in the early days. But to your point around competition and seed funding and different things like that, it takes capital to get that done. I honestly think that the biggest thing that us, HackerOne who popped up probably nine months later, and Synack who popped up probably three to six months later, achieved in that period of time was actually basically convincing the market that hackers could be a part of the solution and weren't just part of the problem.
Casey:
That was a lot of work and they probably said the same things. I know a lot of people that worked for and have worked for both of those organizations and in some ways we were competing for deals and different things like that but in other ways we were all kind of fighting the same fight in terms of trying to make this thing real. On behalf of ourselves as companies but also on behalf of the hacker community and the internet itself.
Casey:
So yeah, seed funding, you need money to do that. If you have to sell everything before you get to spend the money to try to grow it, this really wasn't compatible with that approach just because of how quickly you needed to go and how large it is.
Heath:
So was there buy-in pretty quick or were you... How many presentations did you have to go do in front of different VCs or were you getting buy-in pretty quick from the VCs?
Casey:
Yeah, we just had proof. Professionally I'd moved from... I mentioned the whole thing around the accidental eBay import export thing and all this other stuff. The other thing that happened for me at that point in time is my wife sat me down and said, "Hey, you computer good, you people good too, you probably don't realize that not everyone can do that, like bridge that gap."
Casey:
She actually suggested I get into solutions architecture and sales and things that are more towards the front of the house. Which I did because I thought it was a good idea and it worked. So I had, at that point, a decent amount of experience in sales and problem solution fit in market and different things like that. That was really a lot of what got the early traction for Bugcrowd, it was going back to folks that I knew how to speak to, because I'd been selling them pen test or helping them to design defensive solutions or whatever else.
Casey:
Going back and saying hey, I've got this idea, it's kind of alpha and it's a little scary but if you trust me and if you trust the logic behind the idea and you're willing to containerize it to an extent that any kind of unintended consequences is okay, would you be willing to give it a go?
Casey:
Literally most people that we spoke to in that really early stage, they said yes to that because the precursor question was are you happy with how you're doing security assessment today? Do you feel like you know as much as the adversary does about your environment? No one ever says yes to that. That was even more true at that point in time. So that was kind of the leading. Here's the solution we've got, do you want to try it out? Yes, it worked, oh my god, this is crazy.
Casey:
And packaging all that proof together and then going back to the VCs and saying, "I think this is going to work," and then looking at it, I think looking at me and my co-founders at the time. Realizing that we were pretty motivated to try to get this done. At that point as a seed stage investor you're trying to answer two questions, like do I care about this market and do I think these people can do it? It's all a bet but you have to satisfy those two things and I think we satisfied them fairly convincingly, especially in those early stages.
Casey:
So yeah, we had a bunch of Australian VCs jump in even before we left to go to America. My plan was always to try to get American capital into the business because I wanted to execute the next stage in America and be able to basically connect more quickly with people that understood how to do that over there because I get enough of it to be dangerous from Australia but also assume that it's a different country, I don't necessarily understand how this works.
Casey:
And got over there, promptly realized that Americans and Australians don't pitch the same way, there's a lot of communication quirks that I needed to try to figure out to be able to get the value message across. I don't think either a right or wrong there, they're just very different because I'm doing and saying, "This is awesome," they're like, "Yeah, we like it but..." So that was like the pitch Americano learning bootcamp that I did when we first arrived. But it worked eventually and we closed the seed round, spent the rest of that year figuring out how to immigrate and kind of went from there.
Heath:
Awesome. Was there any point from either starting up seed funding, even to years later, any point of concern of failure, any point that you thought that hey this might not work out?
Casey:
I mean yes, definitely. Being the leader of a thing like this and being an entrepreneur just in general, you get this, it's a rollercoaster. You're on the top of the mountain in the morning, you're in the bottom of Death Valley at lunchtime, you're back up on the mountain in the afternoon. That's just a normal day.
Casey:
So that sense of how dynamic it is and that converting into a fear of failure. I think once we got moving I was never concerned about the category. Like the idea of this is going to become a thing now. I was convinced of that and the fact that that wouldn't fail probably about six months in. Which was good, that was my primary objective. Downstream of that it's like how is Bugcrowd going to be able to execute into this, can we succeed or fail at this particular initiative, our ability to convince the market that this is even a good idea in the first place as a business. There's definitely some moments in there where it's like oh, crap, this is a lot or this is a bit freaky or whatever else.
Casey:
I hesitate to call it fear of failure because honestly failure's just how you learn stuff. I kept doing a lot of this, operating on this idea that 50% of what I assume is going to work is going to be probably kind of wrong, and the only way I'll learn where there's opportunities to iterate and improve is if I test.
Casey:
So this idea of things not coming together exactly according to the plan you'd set, that's just, to me, a normal feature of innovation. So I'm not really afraid of that, I guess is what I'm saying.
Heath:
Did you have any fears of I guess delegation early on? Like Dave Kennedy and I talked about this last week in the sense that-
Casey:
[crosstalk 00:57:49]
Heath:
Yeah, he said it took him four years and it's your baby like you're talking about, you want to touch every little piece, but once you grow to a certain size it becomes impossible to have your hands in every single bit of every jar, right? So you struggled with that early on and how did you end up getting over that?
Casey:
I actually, I had some conversations with Dave about this. As I was becoming aware of that phenomena and trying to navigate it and it was just as he was starting to do or thinking about starting to do Binary Defense, so roughly in that era. And you're exactly right, I think the way that... I do a fair bit of startup mentorship and advisory type stuff now, and one of the things that I'll talk about with founders is as founder your job is to basically do everything. You're the expert, part of the reason you're doing everything most of the time is because you just love it, it's interesting, like you're kind of passionate and you get drawn to it anyway. But the role of a CEO ultimately is to kind of do nothing. Your business shouldn't depend on your hands being on the tools. Like as CEO your role is to make sure everyone knows where the north star is, make sure the right people are doing the right things and make sure there's enough cash in the bank, and that's it.
Casey:
So the whole idea of the journey of extracting yourself from how does payroll work and oh that's a really cool bug and all of this stuff, to this kind of fairly abstracted management role, it's hard. It's super counterintuitive, especially as you get really jazzed about what you're working on in the way that I do, and probably you would have heard similar things from Dave because that's kind of the conversation that he and I had as well. That's not an uncommon thing.
Casey:
I think being aware that management and the execution of scale is a completely, in my view, discrete skillset to being a competent technologist and even being a competent leader. I think the leadership and management, they're closely related but they're fundamentally different at the same time. I think realizing that, like keeping check on that, this is the role of mentors to give input on where they feel like your gaps are and actually being humble enough to listen to that stuff, that's something that I've always placed priority on, like done well and poorly at various points along the way but I think that's a lot of how I figured that out, as well as just recognizing that it was a thing that I needed to stay ahead of and thinking about it as something that's really important.
Heath:
Yeah. And being able to delegate, I feel like allows you to get so much more done. You find what your purpose is how you can become more efficient. For me, the biggest, scariest part when I was first starting with the delegation was I had built all these clients and this company and everything up by reputation. So if I'm doing the pen tests and I'm doing everything, and my reputation is everything in the industry, bringing somebody else on and saying, "Here, you go do this, now I'm not even going to touch it," it's hard.
Heath:
But you become so much more efficient if somebody's working on that then you could be working on other sales or new ideas or bringing something else to the table that otherwise your time would have been so consumed with doing this technical work. Once you learn to step back, which is a very difficult thing to do, I feel like you get to see the bigger picture and you get to be more of an effective leader and really help the organization grow.
Casey:
Yeah. You get to act in service of the company's mission more, as opposed to just your own, if that makes sense.
Heath:
Absolutely.
Casey:
That's how I characterize that because you're exactly right, this whole idea of ah, I'm going to give this thing over to this person over here, I know that they wouldn't do it as good as I would. Which is very deliberate air quotes there, because in reality if you've hired them it's probably because they're better at the particular thing you're delegating to them than you are. But you've got to get through this dip where you're kind of handing off that responsibility and ultimately the output. And basically betting on the fact that they'll pop back up above net neutral and that, and end up actually bringing scale to the company. The way I think about that is that you can't scale unless you do this. I also do think that scale is a choice.
Heath:
Yes, absolutely.
Casey:
I get asked this all the time, how do I go to Silicon Valley and raise a bunch of money and do what Bugcrowd did, like why the hell would you do that? Like it's hard. Literally that's the response I give most people because their assumption is that's what you need to do and part of what I'm trying to do there is to challenge that assumption and get them to actually be mindful about where they're going because it's like don't get caught in the current on that stuff, like you don't have to scale. If you want to, then rock on, because I think that's how you end up doing big stuff, but it's more of a choice that you make than the thing that you necessarily get dragged into doing if that makes sense.
Heath:
Yeah, so this whole time what I've been thinking in the background is you and Dave are opposites in the sense that he started and still 100% owns TrustedSec and half owns I think Binary Defense, in the sense that he grew that but he grew that in the sense that he incubated that from a very slow grow until it started rolling and rolling and snowball grew.
Heath:
I think there's so much with the sense that everybody wants instant satisfaction and instant growth and I think there's times where you need seed funding, especially if you have competition and you are first to market and you want to really dominate that market. But if you're doing something like this, like having 100% ownership is better than having 5% ownership at the end of the day, but it depends on how you want to grow and what market you're in and there's so many variables there that yeah, like you said, rushing to seed is not necessarily the best strategy depending on how you want to grow and what market you're going to end up being in.
Casey:
Exactly, and the counterpoint to that, when people come to me for advice on this stuff, I am very, I'll rarely tell someone what I think they should do. What I'm more interested in doing is helping them create a mental model that can fit into how they're thinking about it so they can make informed choices because if I do that then it stays their vision, it's not oh Casey told me I should do this, like he was wrong. You retain ownership if you operate like that on their end. The flip to it is 100% of nothing is still nothing.
Heath:
Yes.
Casey:
So if you need to grow then okay, like dilution, having a board, learning how to do all that stuff, learning how venture financing works and pitching. There's a lot to it, like I think anyone who goes this far in entrepreneurship venture backed becomes kind of a VC finance nerd, and it's this very weird subset of overall financial stuff. But it's incredibly valuable if you want to do things that grow quickly or that need to grow quickly.
Casey:
I think in the case of our market and in Bugcrowd's case, it's that last bit that was actually true. It's like if this gets going, we're going to end up in a position where we're basically running to keep up with it, which was validated within a year of starting the company, that was spot on. So at that point in time we didn't really have the option to do the slow burn bootstrap thing because it wasn't the nature of the thing that we were doing.
Heath:
Right.
Casey:
That said, we've got Mike Cannon-Brookes and Scott Farquhar from Atlassian, they've been mentors and advisors the whole way through. They bootstrapped for 11 years before they raised their first round. Now they're whatever it is, $30 billion publicly listed company. So there's all sorts of different roads to Rome. It's really, again, coming back to what is the thing that you're actually setting out to do, like how clear as the leader and the founder can you be on where the north star is? How much conviction do you have around that so that if stuff comes in that's not quite in the right direction you're going to be able to make a choice to line it back up? If you can get that stuff right then I think a lot of the rest of it falls into place underneath.
Heath:
Yeah. You touch on a good point there with 100% of nothing is still nothing in the sense that I've seen a couple of my friends go out and start different pen test companies. One started with a group of guys and organically grew over the first three years, just taking the money, reinvesting the money and putting into Google Ads and marketing and really just getting every single penny of revenue that they earn went right back into the business.
Heath:
They've grown. Slow grow but the snowball started growing, word of mouth grows, the more clients you get on year over year revenue, it's a snowball but it works. Where you've got somebody that's seed funded. I know another friend that's seed funded and he gave up quite a bit, I'd imagine, of the company, but in a year they're landing Fortune 100s and they're getting all kinds of business. And it's hey, do I own 100% of this business and yeah we've got 100 clients, or do I own 25% of this business but we've got 10 times the revenue?
Heath:
At the end of the day, it depends on what your goals are, what your strategy, who your target is, and everything else. There's so many different variables that come into play.
Casey:
Exactly. For me on that standpoint with Bugcrowd because in terms of how things have grown and all that kind of stuff, the math is worked out there. To the mission thing, really the big driver for me was to start a revolution in a sense. It's like I want this to become normal. It's been straining, the idea of security research as being productive contributors to everyone's safety, for developers to realize like I'm not perfect and that's okay, how am I going to get feedback on that so I can improve and to keep my users secured regardless of where it comes from?
Casey:
Like all these different ideas that still have a ways to go in 2021, but are completely on another planet back in 2012 to 2013. Like, my core goal was to start a revolution, like push a snowball down a hill that would just keep going. I feel like we've basically achieved that at this point, which is great.
Casey:
That was really a lot of the motivation for getting funding, just moving it a million miles an hour from the get-go. Part of it was to build a business that was viable, keep the lights on, all this stuff we talked about before. But also it's like this is a pretty audacious goal, how do we make sure that we hit it? Because if we don't, what are we doing? Like just do something else that will actually work.
Casey:
So yeah, it's really... it's a good one, I think probably the other thing I'd say about venture for listeners that are in cybersecurity, like we have a seat at the table now. The other thing that was different in 2012 is that no one really cared about cybersecurity in the way that they do today. You'd go to Thanksgiving and, "Oh, did you hear about that hack and how do I protect my password?" That wasn't true 9 or 10 years ago, so we're in this place now where the relevance of cybersecurity to just life is pretty obvious to most people, and we're the experts, we're the ones at the bleeding edge of figuring out how that stuff works. That buys us a seat at the table.
Casey:
So for people that are thinking about entrepreneurship, thinking about stepping out, it's a bit of a bell that I ring consistently around just get going. There's never the right time, just start. But also with respect to venture and different things like that, it looks like this very mystical black box that you throw pitch decks at and one day a check spits out then you're on Shark Tank or TechCrunch or whatever.
Casey:
It's just another business, you just literally, learning the rules of their game so you can find a way to partner so they can help you do your thing. If you can figure that part out then it's just a normal part of how you operate. And by the way, hackers are pretty good at that. It's just like rocking up to a new target for the first time, how does this thing work, I'm here, I want to be there, there's all this crap in my way and here's the limited set of tools I've got to get to there. It's the same mental model, I think. So yeah. That's my soapbox on entrepreneurship and siloing. I guess I'm kind of passionate about that.
Heath:
No, it's great. So if you could give one piece of advice to somebody who's listening in the sense that they want to be that lever, they want to be the entrepreneur, they've done their basic research, they've got spousal approvals, they've got their funds together, they're not worried there. What would be a lesson learned or a piece of advice that you could share with somebody that would be of value?
Casey:
Yeah. Gratitude is the force multiplier, so there's all these people that come along, alongside you along the way. I'm grateful for the opportunity to have a chat now with you, right? I'm on your show, you're getting something out of this, I'm getting the opportunity to connect and have this conversation. There's all of these different examples of that that happen along the way and I think taking the time to step back, even though it's peaks and lows and all these different things and it's moving at a million miles an hour, to stop and be grateful to the people that come along and do that.
Casey:
Even if they're jerks, because some of the best lessons I think get taught by people that you probably wouldn't go back in history and say, "I really like that guy." But you learn stuff from it that becomes formative in how you operate in the future, and that's how you grow. We can be very good at the things that we're good at but then there's everything else, and those gaps are ultimately filled by the people that we surround ourselves with.
Casey:
So I think gratitude is a really important key to unlocking that. And it's an easy one to forget, too. You get busy, you get stressed, you get whatever else, like as a thing that you remind yourself to do as you go along I think that's a really powerful idea. Yeah.
Heath:
Yeah, I think that's a great answer in the sense that you have to be thankful for the people that you meet, but I'm equally thankful as you mentioned the people that are jerks, the people that tell you this is a stupid idea, you're not going to make it. That's more motivating than anything else.
Heath:
It comes down to you never know what a relationship's going to turn into or how a seed that you plant or that person that you meet and shake their hand, who they might be in 10 years or what opportunities they might have for you, what opportunities you might have for them. Every interaction that you have-
Casey:
Or the fact that in the argument you're having you might look back on that in five years and realize oh, you're actually right. Maybe at the time you had the conversation was wrong but I kept that in mind and it's actually influenced what I've done, and as it turns out you were right, you were just ahead of your time. You reach back out to that person and say thank you. It's kind of just fun, too, so there is that. But I think this whole idea of just being able to unlock humility, like Cyber Mentor I love. I think mentorship's one of the most underrated kind of enablers of impact, period. Especially in entrepreneurship but I think that's just generally true. And really, to be able to take that kind of input and use it, whilst retaining your sense of what you want to get done, it requires humility. And humility in and of itself is a difficult thing to tell people to just do or be.
Casey:
This is why I go to gratitude, gratitude is super practical, it's easy to remember, it's easy to do, like you can recognize it. And to me, it kind of unlocks this basis of a humble approach to the things that you're like... if I go to the mat with you on these three things, I'm going to win, but then there's everything else. So if you can help me with that stuff, that would be great.
Casey:
Keeping that whole idea open as you progress and especially as things start to succeed, because I mentioned this before, it gets heavy, it gets exciting, you can get wrapped up in feeling like you're god's gift to everything.
Casey:
I think patting yourself on the back is a good thing but reminding yourself that you only know what you know and really it's your team and your community and the people that surround you as mentors and facilitators, they're the ones that are going to unlock what you're capable of. So as practical and as kind of standard operating procedure as you can make that, I think the better.
Heath:
That's awesome. Yeah, I 100% agree there. Getting towards the end of time. Anything that you're up to, anything that you want to plug?
Casey:
Yeah, for sure. As always, Bugcrowd's, I think this kind of... I covered this off. We didn't start the company to be a bug bounty company. The market didn't have a bug bounty problem, it had a I need to outsmart the adversary problem and bug bounties were the expression of that at the time. Bug bounty as a concept caught a pretty massive tailwind and that was actually one of the things that kind of oh now we're hanging on to the back of this because it's just off rolling down the hill now.
Casey:
But you know what we've been doing with Bugcrowd ever since the get-go is figuring out how many different ways can we connect the latent potential of the research community and everyone who wants to be a part of that with this ginormous, very relevant and growing problem of cybersecurity and defense, that looks like pen test, it looks like attack surface management, it looks like VDP, it looks like proper bug bounty in the way that listeners would probably think of that. And we're going to be adding more and more of those things over time as well.
Casey:
So signing up for Bugcrowd, it's bugcrowd.com/try-Bugcrowd. That's definitely the plug for folks that want to either participate as a hunter or look at what we're doing there as a potential solution for their organization. The other one is disclose.io, which is really kind of a passion project that I've run or been a part of on the side for probably six years now. The goal of that is really just to change the law. This shouldn't be illegal by default. I think if you use a computer to commit a crime then you've committed a crime and there should be laws that provide recourse for that.
Casey:
I think the idea of being able to do naughty things to a computer in the first place being inherently illegal is really holding the internet back, and disclose.io really is on a mission to change that. So that's just disclose.io, it's an open source project, we're actually in the process of going through 501(c)(3) certification, which is kind of cool.
Casey:
And people that want to figure out what we're doing over there, figure out how they can contribute, figure out if just literally aligning their legal language in their VDP, if you happen to run one or be responsible for one, it's a language that makes it safe for folks that are operating in good faith to do their thing and to help you and kind of normalize that idea across the internet in the process, that's the other big thing to plug.
Heath:
Yeah, I think that's such a great idea, too. I heard about it maybe three years ago, I was at a conference and Chloé Messdaghi was there presenting and she was giving out Bugcrowd stickers and I was really new and she gave out a disclose.io sticker and you see it on Twitter a lot, like does anybody know anybody at this company? And you see the negative press with the AT&T [inaudible 01:19:28] and the things where people could go to jail for hacking into a company and not having the right resources or companies taking the wrong approach.
Casey:
Yeah. Companies using, I think one of the things that still happens a lot is companies using this backdrop of you're a naughty hacker person, I'm going to lawyer up and provide legal pressure to make you go away. Mostly kind of triggered by the fact that they don't like what they're being told. So it's not so much you've done an illegal thing or whatever else, it's like ah, this is... you just called my baby ugly, I don't like that, stop it. The law shouldn't be a tool that's available for that, that's a business problem, not a legal one.
Heath:
I feel like there's some sort of [crosstalk 01:20:18] Go ahead, sorry?
Casey:
Go ahead.
Heath:
I was just saying I feel like there's some sort of Streisand effect there too when you have that kind of negative press, you're just attracting the wrong kind of people.
Casey:
And this is the beauty of it, I think it's becoming... it's another one of those snowballs. I think it's a thing that the more people do it well, the more people will want to do it well, and the more obvious doing it badly becomes at that point, which is to your point around Streisand effect. I feel like that snowball's running down the hill. A lot of what disclose.io's trying to do, aside from push that snowball, is to try to steer it in the right direction as well. Like, how can we make this as standardized, as easy for people coming in from India for example, who don't have English as a first language, and are presented with this wall of legal text? Like, that's just a bad solution for them so how do we do better?
Casey:
How can we make stuff as easy and as standardized to follow, and really the core of it is the internet's immune system, how do we standardize and promote that in a way that makes it as functional as it could possibly be?
Heath:
Yeah, it's great. I mean, I've been a fan ever since I met Chloé and I think it's a great project, I'm a full backer of it.
Casey:
Thank you.
Heath:
Well, sir, I will give you the rest of your Saturday back. I do appreciate your time in hanging out with me today and chatting. It's been eye-opening, it's great to have a conversation, and I think you're a really deep thinker and it's nice to be able to talk to somebody on that level. So I appreciate you being here.
Casey:
Absolutely man. Yeah, I really appreciate the invite on. Likewise, it's one of those ones where it's like I can't believe we haven't really... Because we've met and exchanged briefly at different points of time in the past, but to sit down just get to jam, I've really enjoyed that too. So thank you.
Heath:
Yeah, thank you, I appreciate that.