Cloud Control: Q&A with Andy Ellis on Pushing Innovation with Apology Budgets

March 5, 2024

Andy Ellis, Chief Executive Officer at Duha, Advisory CISO at Orca Security, Operating Partner at YL Ventures

Happy first Tuesday of March 🌸 For our readers also in New York, we're almost out of winter!

To warm ourselves up, this week's edition of Cloud Control features a cybersecurity hall of famer with a fiery career starting in the Air Force and eventually becoming CSO at Akamai, Andy Ellis. In our conversation, he dives into the transformative power of "apology budgets" in fostering a culture of risk-taking and innovation within teams. Ellis shares insights from his pioneering journey at Akamai, where he championed new security technologies and strategies.

Andy is a true master of leadership and risk management, and teaches how to pave the way for growth and innovation by encouraging your team to make mistakes. You'll also learn about his outlook on evolving technologies and his visions for the future of cybersecurity. The only way to learn how is to read the full interview, below👇

Question 1 💭

Andy, you've witnessed and led the evolution of cybersecurity at Akamai from its early stages to a billion-dollar business. What were the biggest challenges in pioneering new security technologies within an established company? How did you navigate these challenges?

Answer 1 🎯

The biggest challenge is often just dealing with the surprise factor – you want to do something that wasn’t in anyone’s plans, and even if it isn’t disruptive, it feels disruptive. That causes people to start minimizing the work as early as they can rather than embracing and extending. Learning to gradually tell a security story became a powerful tool.


 

Question 2 💭

Throughout your career, you've played a leading role in developing Akamai’s cybersecurity products and steering the company into a cybersecurity leader. Can you share your approach to building new security solutions while ensuring they align with broader business goals? How did you encourage your team to take risks and push the boundaries?

Answer 2 🎯

Start with the second question first: apology budgets. Teach your team that it’s okay to make mistakes that affect other teams, because you’ve budgeted for that! If you never apologize, then they aren’t actually taking enough risk. Pioneering new solutions often just starts with observing people - how are they working around the process? What do they really want to do? Can we help them do it faster and safer?


 

Question 3 💭

Now, you're also author of an amazing book '1% Leadership'. I'm sure along the way you encountered many challenges, especially working with various stakeholders. Tell me about an instance where you encountered such a challenge. Did you need to adapt your leadership style or methods to effectively manage the team?

Answer 3 🎯

There is a simplistic approach you often hear advocated for to be more professionally inclusive: just ask everyone in the room to speak up! As an aside: “just” is the most dangerous word in leadership. Nothing is that simple. You’ve got folks with anxiety, or who don’t communicate well on the spot, or who are careful thinkers, or … you get the picture. The bigger your meeting, the more likely that you’re actually harming your team with a universal “everyone talks now!” I’ve found that advance warning helps, but what helped even more was creating an electronic backchannel that everyone could use to share their questions and comments.


 

Question 4 💭

In our industry, diversity of thought is as crucial as technical skill. How do you challenge your own leadership biases and assumptions to stay effective and relevant for your team's needs?

Answer 4 🎯

Always ask “How could I be wrong in this situation?” and “What could be true that makes someone else think they are right?” You’ll discover that people’s perceptions are often biased by their life experience and worldview, and just because you find their current arguments incomprehensible, it doesn’t mean that you can’t learn something from them.


 

Question 5 💭

Transitioning from the disciplined structure of military service to the fast-paced corporate world presents unique challenges and learning opportunities. Given your background, Andy, how has your time in both these environments shaped your perception and management of risk tolerance, especially when dealing with uncertain cyber threats?

Answer 5 🎯

It’s always important to remember that most organizations don’t articulate clearly their own understanding of risk tolerance – it’s a vague and emergent idea that arises out of each decision maker's belief about what risks they think the organization would tolerate (hint: as long as the blame doesn’t land on them, the risk tolerance is really high). The real key is to understand that humans are really good at adapting to a changing perception of risk, and the best way to get someone to avoid risk is to educate them in a way that resonates for them.


 

Question 6 💭

Reflecting on how internet policy has evolved and its impact on cybersecurity, what lessons have you learned about effective policy-making? Does this impact your current approach when advocating for policy changes at both national and global levels?

Answer 6 🎯

Policy-makers rarely look at unintended consequences, even when they are obvious. Always look for the ways that a malicious actor might exploit a new rule. Adding an onerous compliance regulation? The large corporations that you’re targeting can easily absorb the cost, but the small players that might have disrupted their markets might find themselves boxed out by the rising cost of regulatory compliance.


 

Question 7 💭

Let's circle back to how internet policy has impacted cybersecurity. How do you envision the future landscape of cyber policy shaping up? What emerging technologies or trends do you think will gain significant attention or need major changes? What can we do as cybersecurity professionals to address these challenges?

Answer 7 🎯

As the boundary between cyberwarfare and cybercrime blurs more and more, I think we need to clearly articulate how a corporate victim can engage not just with law enforcement, but also with military decision makers. All too often we treat nation state attacks as “just another crime,” rather than applying diplomatic or military capabilities. 

Corporations should never engage in offensive cyber activities; but all too often, they understand exactly how to disable an adversary capability, but don’t know who or how to engage someone with the legal authority to do so.


 

Question 8 💭

As someone who's deeply involved in shaping the future of cybersecurity through your roles as an investor and mentor, I'm really curious to hear about the key qualities you look for in a cybersecurity startup. What makes you think, "Yep, this one's going to shake things up"?

Answer 8 🎯

Execution. Rarely do you find a startup that has a truly defensible intellectual property moat, so a successful startup has to have a tight response cycle for listening to its market, developing and deploying capabilities, and delivering value to its customers. Articulating that value is hugely important, but maniacal focus on the customer’s problems is key.


 

Question 9 💭

I'm curious to hear about how you mentor startups to navigate the evolving landscape of cyber threats. Particularly, how do you strike that balance between tackling the threats we face today and staying ahead of what's coming? Any standout examples from your mentoring that really encapsulate this approach?

Answer 9 🎯

You rarely see successful startups that truly “anticipated future risks;” your timing would have to be almost perfect as you stare into your crystal ball. The best startups aren’t looking at future risks, they’re looking at current challenges that have a growing risk awareness. As an example, Valence Security in our portfolio, which provides SaaS mesh security, listened to a lot of CISOs to tease out the pains those CISOs were feeling, even if those CISOs didn’t (yet) have a budget to solve the problem, or were using manual processes to tackle 10% of the problem. But they hit the market at the right time, as more and more companies became more and more SaaS-reliant … and the risk became better understood in the wider market.


 

Question 10 💭

From your vantage point, Andy, how do you foresee emerging technologies like AI, cloud computing, and quantum computing, along with the new threats they might bring, transforming the cybersecurity industry over the next five years?

Answer 10 🎯

Well, for my entire career, I’ve been asked that question about quantum computing, so I suppose predicting it’ll be disruptive is like betting against Tom Brady or Patrick Mahomes: you might be right one day, but you’ll be wrong a lot along the way. The biggest transformations from cloud computing are already underway, although I’d argue that SaaS has had a much bigger one, and AI is going to push that even further forward: the easier it is to outsource work to someone, the more companies will outsource, and the more risk you’ll have to manage.

Latest AWS and Azure Updates You Don’t Want to Miss

  1. Sellers can now resell third-party professional services in AWS Marketplace
  2. Stream data into Snowflake using Kinesis Data Firehose and Snowflake Snowpipe Streaming (Preview)
  3. Amazon ECS and AWS Fargate now integrate with Amazon EBS
  4. Cloud Services (classic) deployment model is retiring on 31 August 2024
  5. General Availability: Encryption at host for Premium SSD v2 and Ultra Disks is now available in more regions

Top Articles and Resources of the Week

Articles

  1. Enhancing cloud security: the role of FPGA technology and emerging threats
  2. UK to exchange experience with Azerbaijan in cyber security field, Ambassador says
  3. NIST cybersecurity framework 2.0 officially released
  4. Cyber insights 2024: artificial intelligence
  5. Safely navigating the multi-cloud security landscape: strategies for protecting data integrity in healthcare

Resources

  1. Major Cloud Security Events and Conferences: Opt-in to this resource to receive updates on events and conferences in cloud security. Meet like-minded cloud-security professionals from around the globe to learn, exchange ideas, network, and more.
  2. Top 50 InfoSec Networking Groups to Join: Join these top 50 associations, LinkedIn groups, and meetups to stay ahead of the curve on all things InfoSec.
  3. CIS Benchmarks: The Center for Internet Security (CIS) is a fantastic resource for initiating, implementing, and upholding a robust cloud security strategy. Access their detailed benchmarks tailored for AWS, GCP, Azure, and more. For a deeper understanding, explore the CIS Controls Cloud Companion Guide.
  4. SANS Practical Guide to Security in the AWS Cloud: In collaboration with AWS Marketplace, SANS introduces an in-depth guide tailored for AWS enthusiasts. Whether you're a novice or an expert, this extensive resource delves into the intricacies of AWS security.
  5. Security Best Practices for Azure Solutions: Learn key security practices tailored for Azure solutions and understand their significance. This comprehensive guide offers insights into developing and deploying a secure Azure environment.