The Art of Finding Winners - Dr. Chenxi Wang

Dr. Chenxi Wang is the founder and General Partner of Rain Capital, a cybersecurity-focused venture fund. She is also a well-known strategist, speaker, and technologist in the cybersecurity industry, and serves on the boards of MDU Resources and the Open Web Application Security Project Foundation. She was named one of SC Magazine’s 2016 Women of Influence. Chenxi is a longtime executive and women-in-tech advocate. She holds a PhD in computer science from the University of Virginia.

(These are summarized sections of our conversation with Dr. Chenxi Wang on our podcast. You can hear the podcast here.)

8:20 SolarWinds Security Breach and the way forward – Some of the questions discussed here were: How can we stop the attacks from happening? What steps should vendors be taking? How can customers protect themselves if the vendor is not doing its job right?

23:32 Policy as code – Apart from the infrastructure layer, there are other things that need to be expressed as code, such as access policies, configuration policies, and user-level policies. If we’re able to express those constraints as code, then they can be statically declared and tested, and the deployment of policies can be scaled.

27:06 About Rain Capital – Rain Capital is an early-stage VC firm. It helps entrepreneurs take their idea to market and get in front of the right set of customers. Rain Capital’s USP is a very deep understanding of technology and working with entrepreneurs at a very hands-on level.

37:00 The need for boosting Women in Tech – Chenxi feels that since women in tech are an underprivileged group, a boost in the beginning is required to level the playing field. Once we have people who are open-minded about giving different profiles of folks the same type of opportunities, hopefully a quota system will not be required going forward.

 

Listen to the episode on Apple Podcasts, Spotify, Google Podcasts, or on your favourite podcast platform.

Detailed transcript:

Chenxi: So I often have people ask me, why do people ask you to be on boards? What specific things have you done to get there? And the  biggest thing is do a good job and be very proud of the work you have done in the past. And people will look at that work and say, yeah, we want someone who has done that.  

Introduction

Ankur: Hello everyone. Welcome to another episode of Zero to Exit. This is Ankur and Neelima, your hosts. In today’s show, we’re delighted to have with us Dr. Chenxi Wang, the founder and General Partner of Rain Capital, a cybersecurity-focused venture fund. A well-known strategist, speaker, and technologist in the cybersecurity industry, Chenxi is a longtime executive and women-in-tech advocate. She also serves on the boards of MDU Resources and the Open Web Application Security Project Foundation. Previously, she was chief strategy officer at Twistlock, a cybersecurity company that got acquired for over $400 million. She was a VP of strategy at Intel and VP of research at Forrester. She was named one of SC Magazine’s 2016 Women of Influence. Chenxi’s career began as a faculty member of computer engineering at Carnegie Mellon University. She holds a PhD in Computer Science from the University of Virginia.

 

Interview

Hi Chenxi, welcome to the show.

Chenxi: Thank you for having me. Good to see both of you. I’ve worked with both of you in different companies. It’s great to be on the podcast together.

Ankur: Yeah, it’s really great to have you. We’ve been thinking about having you for a long, long time, and finally, I’m glad we connected. So just to kick things off, you did a lot of traveling for speaking engagements, board meetings and other things prior to the pandemic. How has it been for you personally and professionally over the last year? More importantly, do you have any survival hacks that you can share?

Chenxi: Obviously, last year is very different for everybody and not a whole lot of traveling like you said. Survival hacks, I don’t know. I got hugely into gardening and baking. Like many people have seen, my Instagram post is all about different breads that I baked from my oven. I’m a big baker of french bread and croissants and whatever you name it. So my family takes huge benefit out of that and having a garden where I can cook from farm to table is great. Even though this past year had been tough, I found some silver lining from it.

Ankur: That’s great to hear. I wish I had developed some of those habits as well because I for sure am going insane and can’t wait for things to get back to it all. So to kind of get things started, you’ve had an interesting career journey. You moved from academia to security research, did a few stints as an exec in small and large security companies, board members, now VC. Help us connect the dots.

Chenxi: I don’t know if there are dots to connect (Laughs). Well, if you look at what I have done, the good thing is I’ve gathered a lot of diverse experiences which is on any given day a good thing. I have sat on different sides of the table, so I can see different points of view. You can also look at this and say, “Hey, she really doesn’t know what she wants to do when she grows up” (Laughs). And that’s probably still the case. But honestly, one of the things that I found in my career is when I do something and if I was fortunate enough to do it well, then after a while I get bored. And I want to do something new because it’s not as challenging anymore. So I love things that keep me on my toes and I can learn. And that’s probably the underlying driving force of me going from one line of business to another? Yeah.

Ankur: Got it. So somebody who was at early on in the career with Forrester and then got into the industry and working, what are some big differences that you see? I mean, the security landscape has remained the same, but how were you able to morph into the role from an analyst who has to be objective to a company executive who focuses on one thing to now all of these startups that you have to invest in.

Chenxi: Oh well, so every job you do, it has a certain set of core capabilities that you need to acquire and attain and then there are a set of auxiliary things that you have to do, right? So for instance, as an analyst, one of the things that’s central to your work is being able to look at the market at a macro level. You’re very attuned to the macro trends, the macro development and nuances but going from that to an operating company that takes a back seat but it sets the context. What you want to do is you have a laser focus point of view on your position, your product and how you compare against your competitors. Now that macro view of the market helps you to set the context and help you look at things. Occasionally you move away from that laser focus and say, “Hey, am I still going in the right direction?” So I find that being able to cut from one point of view to another is a very healthy thing, for instance. And now being an investor and a board member, one of the things that I added to my point of view is this financial lens to things, which is another aspect of looking at the business, but they add another layer of richness I would say to what I would traditionally do, which is a more market or more technology focused.

Neelima: So Chenxi, that’s a great viewpoint. Did you go about these career changes consciously? Going from a PhD to then going to the marketing expertise then going to a Forrester kind of role. So it looks like you kind of planned it. Was it actually planned?

Chenxi: So a lot of people ask me this and I don’t think it was intentional. I don’t think it’s hundred percent intentional, let me put it that way. The intention has always been to look for rewarding and interesting work and work that I can learn things from but it wasn’t as intentional as two years from now I will do this or five years from now I’ll do that. So in lot of ways it’s accidental but it’s within the framework that I’ve laid out for myself in terms of intellectual development, career development and also personal interests.

Ankur: Your career trajectory reminds me of somebody who mentioned  and which is pretty powerful, which is that “When you zoom in, you get insights and when you zoom out, you get perspective.”. And I think when you were at Forrester, you had a lot of outside perspectives. But over the last decade or so, you’ve been kind of getting your hands dirty with all kinds of insights. And now you can, I guess, take a step back and invest in a lot of these startups because you have both of those elements, which is a pretty incredible thing to have.

Chenxi: Yes. I really came to appreciate the multitude of experiences I’ve had, which gave me those different diverse viewpoints. And I would say as someone who sat on the entrepreneurial side and now I’m sitting on the investor side, I have empathy. (Laughs). I have empathy for both. And, I can understand sometimes the two sides point of view and how you can best work together.

SolarWinds Security Breach and the way forward

Neelima: As someone who’s been in security for over two decades, I want to highlight one of the hottest topics that’s going on right now, which is the SolarWinds breach. We spend so much on security and yet we hear the same story, 10 years apart, Target and now SolarWinds, state-sponsored and rogue actors. Why is that?

Chenxi: Well, so if you think about it, there are a number of different answers to this. We can take this as an isolated incident and then say what happened there specifically? How can we stop the same type of attack from happening? If you look at this specifically, really the software update server was compromised, right? So a rogue piece of code was downloaded along with the software updates and that piece of code was able to establish an outbound connection to command control servers from inside the SolarWinds box that you’re running inside your enterprise and because you are already using this box so it’s trusted. So this box could see a lot of things and SolarWinds had 80,000 customers or 180,000 customers.

Ankur: Pretty close. Yeah.

Chenxi: and so widely used in the government agencies. So that obviously was a problem. Now if you look at security practices, where were the places that we could have stopped this? Obviously, running the update servers, the original vector of attack, maybe there was a vulnerability on the server. So vulnerability patch and vulnerability management monitoring has to be done better there. But as an organization that is a customer of SolarWinds obviously you don’t know what’s going on behind the scene in the update server. So you have this trust relationship  with the vendor. You say- Hey, I trust you have managed your update server securely. And, I’m just taking the software update you gave to me. 

How can I protect myself, if my vendor is not doing the job right? There are a number of things you can do. One is obviously, if this box is connecting out to a known IP address, that kind of thing should be flagged by your network monitoring devices, but in a lot of environments those are not flagged because there are so many things that are connecting out, right. So you don’t know which one to flag. So that comes down to, can you actually accurately describe what your security product and your security technology is supposed to do? What is expected behavior down to what IP address? What port should they be connecting out to? Right. So they should not be connecting to anybody other than maybe the vendor’s server that is doing the update or whatnot. Now this one is connecting to a third party IP address, so that kind of rules. But also that our industry consortiums are trying to come up with standards to describe what a product’s supposed to do. Right. 

So are you guys familiar with the SBOM work, the software bill of materials? So that’s one thing. And then there’s also the MUD work. MUD is another piece of description framework, which basically says this product does these things, right? And the minute this product doesn’t do these things it’ll be caught. But the only way we could do this is MUD being a machine readable piece of description where then your network monitoring thing can pick up. Now this is fairly detailed on what this one does, but if you look at the meta level, it really is about every single point in the software supply chain or in the technology supply chain has to do their security well. And how do you as a downstream recipient of the technology be able to establish that assurance and that confidence that is about doing your third party assessment better and being able to get the attestation that you have assurance of and then you can trust these different points of supply chain and that I think we are years away.

Ankur: Yeah. Speaking of assurance and confidence, do you not think that the security industry should take responsibility for some of this. I mean right now, what I see is that a lot of these vendors are salivating at the prospect of selling one more vulnerability detection solution on top of the gazillion that they’ve already sold to the customers. And customers are like, why should I trust you? You did not protect me against SolarWinds or anything. So, what can we do better as an industry? Because I mean, there are like a freaking hundred one scanning tools out there and we find yet another one.

Chenxi: I personally think if you are selling your security product, jumping on the bandwagon and say- Oh, we could have stopped it. I think that’s an ambulance chaser kind of behavior. So if I were a CSO, on principle I would not buy from you. If your marketing strategy involves you selling based on -Oh, we could have stopped this. I don’t believe anybody could have stopped this to be honest because the way it was done, it was very sophisticated without having something like MUD. So really describing what this product does is very difficult and to do a good whitelisting to say- Hey, this connection is not allowed. So we collectively, the security industry, should have learned the lesson from this and both from the specific technology, what we need to change to stop this kind of behavior and also the larger ecosystem, what we could have done, could have done better going forward to stop this type of supply chain attacks but I would say the idea of- Oh, just because there’s a new security attack, the whole industry is not doing a good job. I think that’s a very self-defeating attitude. The security industry has done a lot of good work but nobody can guarantee you a hundred percent security because one thing, software is complicated, architecture is complicated, the systems are becoming more and more complex and until we have a way to completely codify the system and can do formal verification of your system, there is no guarantee that nothing will go wrong, right? So we just have to build systems that you can monitor when things go wrong and are able to respond to incidents fast and recover fast.

Neelima: As an engineer who comes from the whitelisting world and was part of the zero trust on endpoint, I do see some of the companies come up to talk about the zero trust architecture around this because I think at the end of the day, if we have to go from reactive to proactive, it’s responsibility on both sides because you have to be aware of what’s going on in your environment. And I see all kinds of customers in my conversations where some of them are very aware of what’s running to bits and bytes in their environment and a lot of them are ‘not a lot of aware’.

Chenxi: Yeah. You just take a random organization and ask them- Hey, give me a list of on any given day, which IP addresses your environment is connecting out to. I bet they don’t have that list.

Neelima: Yeah. I understand. So follow up on that. Obviously because of this, enterprise security products spend in the company is about 60 billion in 2020, Morgan Stanley number. And they’re already predicting 4 to 5 billion more spend in 2021. You do this number of investments. On the other hand, speaking of sitting on both sides of the table, the number of investments in the security startup world is also probably going to go up. Give us your perspective on that side.

Chenxi: I don’t have specific numbers in front of me but I think the growth in security investments outpaces the growth in purchasing front (Laughs) of the security technology or the growth of the market. So what that means is some of the investments just won’t do as well. And hopefully, at some point the market will stabilize because what I see right now is a huge rush to invest in all kinds of technologies. And whenever you see that kind of rush, there is a potential of a bubble. And hopefully it will correct itself. And we’ll actually see some reasonable valuation and reasonable growth and reasonable pace of investment that is in accordance with the growth of the demand. 

Ankur: Got it. So, if I kind of parse that you’re definitely seeing some froth in the market. Obviously the investments are going up to the right and it’s going to continue to rise as it has in the last couple of decades. And your career trajectory is a testament to the fact that I think in the security industry, you’ll do really well because you have breaches like these. Are there any specific categories within security that gets you excited where you are going to see some lion’s share of investments?

Chenxi: So I think again, if you take a step back from the specific products and look at the macro level, what are we doing these days? We have more and more devices in our environment. Our network is getting more and more blind. End to end encryption is getting more and more pervasive. And there are a lot more applications, a lot more users, a lot more IoT devices. So what that means is we have the complexity aside, the control points that we are able to control our users, applications and endpoints. And that’s it. Right. The network is really becoming more and more, a dumb conduit. You can probably collect metadata from it but that’s going forward, that’s about it. So where would tech security technology go? You have to be pushed into application, right? Rise up the level from the network layer and model going to layer seven or layer eight. Layer eight, think of users.

So you go into the application, go more onto the user front. So that means embedded in the application, embedded in the device before the network takes over and all these things which screens us building more intelligence into the application, getting closer to the user but with probably a cloud backend to be able to do analytics, to drive large scale deployments and things like that. So, I’m seeing the future as we have this very intelligent, distributed brain and becoming more and more powerful in the cloud. And that we have the edge computing touch points that is in our palms and in specific devices that littered  next to us. So that is the backdrop of security. But the security industry has largely been network security heaven even now these days. So how do we transform from that kind of mindset to the edge computing plus that distributed the large cloud is where a challenge for us as technologists and as thinkers to think about how do we innovate and transform.

Ankur: Yeah, it’s a great, great point. Just for our listeners, the entirety of the security industry can be summarized in Netsec and applications and data, end points and then identity. And that is pretty much five or six big categories of $2 bn to $5 billion businesses. I think your thesis is that because the network as a perimeter is no longer relevant because everything is distributed, having security embedded on the devices on the application level is going to drive the future. So, which is what we call application security in our world. Are there in AppSec, do you have the Imperva WAF type of model, you have the RASP, then you have the shift left DevSecOps type stuff, so any specific areas of application security, that’s kinda..

Chenxi: So I think application security is slightly different than what I have just said or maybe traditionally, those are two different things. So the DevSecOps world isn’t really about how do we make sure we produce secure code? Right. So all the SDLC stuff, CI/CD stuff, it’s really the mechanics of producing secure code. Now, pushing security technology into the application layer closer to the user is really more an application centric security as opposed to network centric security. And I’m a fan of application centric security and user centric security being the larger driving force of security technologies going forward. Now that being the umbrella, obviously application security is an aspect of it. We still continue to have the requirement to produce secure code, right? If you don’t have secure code, even security technology won’t work because your product’s written in code. So, that is sort of under horizontal to everything.

Ankur: That’s a great perspective. Thanks Chenxi. Within the application security itself, you’ve got the traditional runtime AppSec and WAF and then you also nowadays talk about securing your core pipeline through SAST and DAST and other types of tools. How should the customer think about investing in application security? Should it be the entire application pipeline or is there any specific area that’s gaining more momentum over the other.

Chenxi: So application security as in the traditional software security front we’re seeing a lot of momentum to shift left and that momentum has been there for a while. But I really think with the advent of the CI/CD pipeline where we want security technologies to be more declarative. But you put in statically policies of what to do in the runtime, when those things are actually all in the pipeline. Then you’re able to actually put in not only statically declare your security policies but also statically check and test your security policies. And I think we might get into this concept a little bit more later as policy as code. But if we’re able to do security as code and policy as code then we can apply a whole set of application security software engineering principles, if you will to the concept security itself. And that brings very, very interesting characteristics to how we approach security as a whole and how we measure, how we set up the security goals and how we measure and how we monitor against that goal on an ongoing basis.

 

Policy as code

Ankur: Got it. I’d love to have you talk a little bit more about policy as code that’s gaining a lot of momentum. First of all describe what it is and then what are some of the companies that are taking some innovation in this  area?

Chenxi: Yeah, I think policy as code is born after infrastructure as code, right? So, places like HashiCorp really innovated on the infrastructure as a code concept. You are able to specify what sort of infrastructure that you want in runtime for your environment, for your application. And you’re able to statically test that and apply a whole set of engineering principles against it which has a huge set of benefits. And we probably don’t have time to go into all of them. So policy as code basically says, look, infrastructure is one layer but there are other things that we need to also express as code such as access policies, such as configuration policies, such as user level policies.

And if we’re able to express those constraints as code, then we can statically declare them. We can test them. We can scale up the deployment of policies. We can also in any given time in that lifetime of the environment i.e. lifetime of production system, ask the question- Hey, are we still compliant with this policy? And then you’re able to extract the right amount of data right there and test against the policy, all things that are not easily done today. So if we can do everything, express all the things as policies and have automatic deployment and testing and monitoring of those policies then we have a way to do security policies at a system wide scale and being able to have in real time- insight and control of your security yeah. That’s why policy as code is so powerful and so, so exciting.

 

About Rain Capital

Ankur: It is. Yeah. And not to mention that if you can get your developers excited about this technology, the more trained they are the more aware they are and better off your application is going to be before it goes into runtime. So, definitely a powerful concept. Switching gears for a little bit, obviously you’ve seen, you’ve seen everything. And then, now jump into the VC world.  Tell us a little bit about Rain Capital. How’s it different from other VC firms investing in security? How do you differentiate against the rest?

Chenxi: So at Rain Capital, we do early stage investments. That means we focus on the early stage of a company, when it’s really an idea that is being formed, being coded into a product. That’s where we come to partner with entrepreneurs. We help them take this idea to the market and help them go to market, help them get in front of the right set of customers. When they’re at the cusp of building the business that’s where for me is the most exciting thing. Now for how they are different from others- We work with the entrepreneurs at a very hands-on level. I like to think we have a deeper understanding of technologies. I would invite folks to come in and look at our technology blogs on the Rain Capital website. We really try to understand innovative concept at a tech centric level and then put this market filter lens on it to say- Hey, does this technology really have the potential of being a market changing force and another thing I’m very proud of is we are a very diversity centric fund. 45% of our investment is where the founding entrepreneurs are women and that is a huge number comparing it, if you think about it, I think in Silicon Valley on average 2% of the investment goes to women. And so I’m very proud of that.

Ankur: Yeah. You’ve got the analysts at your fingertip. You’ve got the CSOs on your speed dial. I mean like other VC firms have no chance. Chenxi.

Chenxi: Oh, well, okay. I’m not sure that’s the case but we like to think we add unique value to these entrepreneurs and so far things have been working out very well. We were very happy with all the investments we made in the fund and are very much looking forward to this year and next year on how to continue to grow the portfolio companies and the fund.

Ankur: So, one of the key things in your new role you have to do is to identify the right company and right entrepreneur to invest in. And you did. Not too long ago, you were in container security. I remember meeting you four years ago, you were talking about container security and I was like what is that and what is Chenxi upto and then fast forward to today. And I mean that thing is the hardest thing and Twistlock has had one of the biggest exits. So obviously you saw something that the rest of us were still not seeing at all. So what are some of the leading and lagging indicators? Not just from Twistlock but from other companies of a company’s success, both in terms of identifying the founders, the market, the company. What have you learned? Give us your superpowers basically.

Chenxi: The container fund, the Twistlock company. It was both lucky and also the result of I would say is really my study of the market. And I remember we were working together at CipherCloud back then, right. Yeah. And so if you see GitHub, if you go on GitHub and you see that this is the hardest thing everybody’s talking about and you have a gazillion GitHub stars and a ton of downloads. What was it? Back in 2015 was Docker. And Docker was still in the beginning of being deployed but it was really the hardest thing and being entrenched in the technology field, you can’t help but wanting to know what that is. So I think I spent quite a bit of time looking into it. I went to some meetups and I was like this thing is awesome. And immediately the second question I was asking was who’s doing security for and nobody, right. Well, somebody ought to be doing this right. And lo and behold, I think two months later I got a call from a VC firm who had a few pitches of container security. And they asked me to take a look and Twistlock was one of those. And I had identified Twistlock to be the one proposal that has the most potential, if you will. And I think the founders really also saw the market the same as I did. And they identified the shape of the technology at that time that I thought would really have the potential and the rest is history as you know.

Ankur: Yeah, but I mean Kubernetes and containers are like a game changer like cloud is. It’s funny you should say and I know we’ll touch upon this topic, the first thing that came out of your mouth was -well,  there was a little bit of luck and if we had some other guests, they would say, well, I saw this vision exactly how this would shape out. I guess that’s the difference between having women guests and men guests. We will have a lot of men talk about how they foresee the future but this is a multi multi-billion dollar industry and Kubernetes, et cetera. What are some early signs that you’ve picked up on? I know one of your superpowers is your network. Is it a big function of that? Like just talking to a lot of smart people and just understanding where the tech is moving.

Chenxi: Yeah. I mean you have to. Right? You have to talk to everybody as much as you can. One of the skills I picked up as an analyst is you just talk to everyone and you are doing market research all the time. Yeah. So I remember getting on a call with someone talking, I even forgot what the technology was but I would ask questions. Like, do you use Windows? Do you use Linux in your environment? Right. And they were like, Oh, we use this. And I’m like, Oh, how many Windows machines? How many Linux machines? And it’s sort of tangential to the discussion but I’m gathering data all the time. And so it’s the same thing as being able to identify winning technologies. When I got into containers there were many different orchestration technologies. Do you guys remember Mesos?

Ankur: Of course. 

Chenxi: So, that was the big, big question of Mesos versus Kubernetes right.

And, so many people told me Mesos was the thing because there were so many enterprises using it. And yet I go to a Docker meetup and all the users wanted to know is about Kubernetes. Okay. So I used to run the Docker meetup at Mountain View. So, I was the organizer and that’s how I got my foot on the ground and really know what people are looking for. And when I run a Kubernetes meetup, I have 700 people show up and nobody’s talking about Mesos, right? So, sorry about Mesos. I’m not dissing. I’m just saying historically, that was the case. And so when I went on a panel and they were debating Mesos versus Kubernetes, I said Kubernetes, and that was 2015, early 2015. They were like how do you know? I’m like just watch me Kubernetes. And I was right because I was talking to everyone. And that’s how you do market research.

On boosting Women in Tech

Neelima: I’m just taking it in because I do a lot of research as well but more on the customer side. So some learnings there. On the women’s topic, you mentioned that your fund has 45% of the investments in women founders and you are very very proud of that. So first of all congratulations. I’m extremely happy to hear about that. Clearly you are a big, big advocate of women in tech. Tell us more about the work you do around that side and also before you do that, like what’s the heart of the problem there? Why do we need a woman-in-tech group?

Chenxi: Yeah, so very good question and both men and women have asked this question, right? I think, if women are as empowered as men, then we don’t need any women-in-tech group. Now have you heard of men-in-tech group? (Laughs) No. Right. So I love to see a day that we didn’t need any women-in-tech group.

The reason we need it is because this group is not as empowered today, at least. And there are various reasons why that is the case. Typically there are two sides to this problem. One is, there are many barriers to women in other non-traditional profiles, tech professionals, if you will, to attain a certain level of success. And as an executive, as an advocate, we need to identify what those points are and hopefully remove them.

The other side is there are things that women can do better ourselves. And we need to be conscious of what those are and do it better. So I try to approach things from both sides. We work with women professionals to try to identify places that we can collaborate and help better. And we also work with organizations to help them to really understand that maybe there are places within their culture that they need to change in order to have a more diverse and successful inclusive environment. And there are times you don’t even think about where those things are but they exist. So that’s a challenge I would say.

Ankur: Yeah. And a lot of the work you are doing is very grassroots level, but what I’ve observed personally in at least the Bay Area and Silicon Valley is that a lot of companies have quotas for hiring under the name of you’re encouraged to hire this percent. So, what are your thoughts on that? Is that having equality of outcomes? Is that the right approach? What’s your perspective on that?

Chenxi: So ultimately what you want is equal opportunities, right? And however, when the different groups are not on equal playing level then it’s difficult to fundamentally give them equal opportunities. So you have to boost in the beginning. Boost: give that underprivileged group a boost by injecting equal outcomes as a short term thing to get them to the level where equal opportunities can actually make a difference. Right? The example I would give you is a California Senate bill about having women in the boardroom. Do you know how much difference that has made? It has made a huge difference since that bill was passed. I think in the Fortune 2000, there’s now a minority of companies that do not have a woman on board, like single digit minority while maybe two, three years ago it was a single digit minority that had women on board. So it has made a huge difference. Now the argument against the quota that always says: Hey, if you’re a woman you get this position. Everybody looks at you like you’re the diversity hire. You’re not as equal. But guess what, those women who have been in the boardroom, they have performed. They are there. They are equal. Nobody looks at the women that they have recruited to the boardroom and says: Hey, she does not belong there. And once we are there, once they are able to give the voice and they perform, then it’s no big deal. Nobody would think about having a board without women anymore. Right. So, what an equal outcome gives you is it gives you that boost and then hopefully going forward, we may not need that quota system anymore. What we need is people just be open-minded about getting different profile of folks the same type of opportunities.

Neelima: This is a topic I’m also very passionate about as Ankur would attest to it. We discuss a lot of times about this and my point of view here is that you need the opportunity at the entry level as well as at the outcome level because once the perception changes, it just becomes way easier because women can pull in women and it’s just a way of thinking. I remember a very interesting anecdote about the time I think you were at McAfee, you were very vocal about removing booth babes from RSA. I did not even think about that. Actually I used to go to RSA. I used to hate it. I wouldn’t even get into a lot of booths because you could not even get in and look at the product because there were women standing outside but I saw how you and there was another person who kind of led that change. A lot has changed after that. Can you talk a little bit about that?

Chenxi: Yes, so thank you for asking that. That was 2014. I remember when I went to RSA and walked around the show floor and was dismayed at how many booths had scantily clad women as booth babes. And that was the year I think a lot of the discussions were centered around nation state threats. And I was talking about this with a friend of mine. We said: Hey, we are talking about nation state threats. Why are we having scantily clad women selling your trust? Right. Does it have anything to do with trust? No and so we kind of felt that we needed to do something about it and we wrote a blog and you probably have read it. And we sent you a few people and was very widely read and I think was eventually brought to the RSA organizing committee and it was read to them. So, we made a few points. One is I think it was not good for women at either entry level or at senior level. It’s a slap in the face for them. Right. It’s also a slap in the face for people who built these products and have to see that their company made a decision to essentially sell the product using that kind of tactics. I think it’s also a slap in the face to them. You know, if I were an engineer, I want the product to be selling based on its own merit.

Ankur: How do you differentiate it from what we see in TV advertising, where they’re promoting a product and using sexuality to do that? Are there similarities or it’s a different thing altogether?

Chenxi: I think if the product has nothing to do with sexuality and you are using sexuality to sell the product, it’s the same sleazy tactic. Right. And you should not have done it. And I understand why it works in certain scenarios. And the argument is it shall not work in the tech community and maybe even hurt your product. And that was the argument we made. And I think we made a sufficiently eloquent argument that I think many people in the community agreed. 

Neelima: So you were a proponent of value based selling 10 years ago, which is coming now. (Laughs). So Chenxi, last question before we go into the rapid fire round. You are a VC, board member, investor. You’re helping women in tech and you are a mother of an 11-year-old and now you’re cooking as well. How do you manage your time between so many things?

Chenxi: Oh (Laughs). Time management continues to be a challenge for me and I suspect for many people. I’m not as organized as I’d like to be. I do have support, my husband is a big supporter of mine and we tag team a lot. So that gave me a lot of confidence and peace of mind that when I’m busy working, my family is taken care of. Also, I try to prioritize. I think I’m fairly good at dropping things (Laughs) sometimes unintentionally but I do focus on the important things and so that allows me to tap into the different aspects of work that I’m passionate about.

Ankur: And in your priority order, how do you decide the stack ranking? Is it where your natural curiosity and passion leads you to make it to the first? What do you delegate? What do you do yourself? Any time management hack, we’re all suckers for that. What’s at the top of the list and how do you rank it? 

Chenxi: If I had good time management hacks, I’d be 10 pounds lighter and richer and more famous (Laughs) but I mean all joking aside I think, there are things I’m really passionate about doing and those things are easy to do but there’s always a list of things I have to do that I don’t really want to do. I drag my feet and I think that I continue to chain myself that every day I’ll do one or two of those i.e. things I really don’t feel like doing, but I just have to do them. And if I’m just better at doing those, then overall my productivity would be much higher. So that’s the one thing I’m training myself to do.

Neelima: So Chenxi, is networking something that comes naturally or you have to work at it?

Chenxi: Networking comes naturally to me. I’m an extrovert. 

Ankur: You clearly haven’t met Chenxi, Neelima. She’s a natural.

Neelima: I have but I guess not in her natural avatar. (Laughs)

Chenxi: Well, when I was younger, I loved throwing parties. I still like throwing parties. So networking comes naturally to me, fortunately.

Ankur: Yeah. And this is the last question before we go to the rapid fire. What advice would you have for somebody who wants to start a career in the cybersecurity space and be as successful as you are. What’s your advice for men and women out there?

Chenxi: I think, start small. Understand what you’re good at and maybe pick an area that’s aligned with your natural skills and get into it. If you’re a person that’s naturally curious, maybe, pick up some pen testing book and try to be a pen tester. It’s really about poking the system and finding weaknesses. But if you’re naturally inclined to be more organized, look at frameworks, maybe you should get into policies, maybe privacy. So there are different entry-level courses and places to go to gain those skills. And then once you get there, I would say the best thing to do is do the best job that you can. So I often have people ask me, why do people ask you to be on boards? What specific things have you done to get there? And the biggest thing is do a good job and be very proud of the work you have done in the past. And people will look at that work and say, yeah, we want someone who has done that.

Neelima: That was a great insight Chenxi. I’ve followed some of it in my career so I can attest to it. It works to some level definitely. (Laughs) So with that we’ll go into the rapid fire. Are you ready?

Chenxi: Oh, I’m as ready as it can be. 

Neelima: Okay. What does the future of work look like? 

Chenxi: Oh gosh. It’s hybrid. It’s some population central in population definitely remote 

Neelima: Okay. Your favorite thing to do when you’re not thinking about cybersecurity and investments.

Chenxi: Gardening.

Neelima: Are you looking back to traveling once everything is normal? 

Chenxi: Yes

Neelima: Which book, podcast, blog has had the biggest impact on your life?

Chenxi: So I’m reading this book called “The Gene” and I think it’s a book on Obama’s list or was on Obama’s list. It’s a fantastically written book. It’s about looking at the DNAs, how it impacts your personality traits and your family personality traits. And I learned a huge amount from it. I don’t have a lot of time reading and that’s the one that I’m reading right now.

Ankur: Siddhartha Mukherjee, I think, right? It’s incredible.

Neelima: Can WhatsApp recover from the recent privacy debacle or is it too late?

Chenxi: Oh, I think it’ll recover. So how many of you are deleting WhatsApp? Are you deleting WhatsApp from your phone?

Ankur: No way.

Neelima: But I do see a lot of my friends getting on Signal. So I think Signal is going to be the winner not as much as WhatsApp being the loser, right.

Chenxi: Yeah, Signal is growing. Definitely. Yes.

Neelima: Yeah. What advice would you give your 18-year-old self?

Chenxi: Oh gosh. Play more. Seriously.

Neelima: And the final question: who should we invite next on the pod?

Chenxi: Invite the CEO of Duo Security, Dug Song.

Ankur: All right. Perfect.

Neelima: We will. Okay with that Chenxi, thank you for spending your time with us. We really, really enjoyed our chat and hopefully we’ll be able to invite you in another 9 to 12 months.  

Ankur: Yeah. Yeah. Once you have your next unicorn under your belt. We’ll have you again. It’s been a pleasure. Thank you, Chenxi so much. Appreciate the time. 

Chenxi: Thank you. So good to speak to you again.
