Dec. 12, 2023

How to Secure Trust and Embrace Sustainability with Joey Stanford (Platform.sh)

Episode Summary

In this episode of "Build Amazing Things Securely," host Laura Bell Main speaks with Joey Stanford, Vice President of Data Privacy and Compliance at Platform.sh. Joey shares his journey from starting as the only person in his role to leading a substantial team focused on privacy and compliance. He emphasizes the importance of building trust with customers and how this aligns with the company's values, including their commitment to environmental sustainability and being good custodians of customer data.

Key Points

  1. Joey Stanford's Background: From starting as a solo practitioner in privacy and security to leading a large team.
  2. Platform.sh: A cloud-hosting platform offering a fully automated DevOps environment, with a focus on efficiency, performance, and reducing carbon footprint.
  3. Approach to Privacy and Compliance: Adopting a GDPR-everywhere model, applying GDPR standards globally, and undergoing third-party certifications to build customer trust.
  4. Sustainability in Tech: Linking security and privacy with sustainability, and the company's initiatives towards environmental friendliness.
  5. Building Trust with Customers: Emphasizing the importance of being trustworthy and transparent and how this impacts customer relationships and business success.

Links and Resources


Homework

  • Adopt a comprehensive privacy framework: Pick one such as GDPR and apply it across all operations, regardless of region.
  • Focus on building trust: Prioritize customer trust in your product and company through transparency and compliance.
  • Consider environmental impact: Align security and privacy practices with environmental sustainability.

Transcript
Track 1:

Hello everybody, and welcome back to this episode of Build Amazing Things Securely. My name's Laura Bell Main, and I'm going to be your coaching guide for all things exciting. And today I am meeting with Joey Stanford. Now, Joey joins us from platform.sh, but I actually ran into his team in Wellington, New Zealand, a tiny place, at a conference. Now I'm going to let Joey introduce himself, as I do with all my guests, by asking him the following. Firstly, let's say welcome, because we don't want to be rude. Hey Joey, welcome.

joey-stanford_1_11-07-2023_140514:

Thank you very much. Wonderful to be here.

Track 1:

It's great to have you. Now, Joey, who are you as a human?

joey-stanford_1_11-07-2023_140514:

Honestly, I think I'm nobody. That could possibly be impostor syndrome, but I have, you know, a little bit of a list of security credentials and privacy credentials and a PhD in information security, for whatever it's worth. But what makes me tick is that I like to help other people. That's what motivates me. That's what gets me out of bed every day. And then the second part, I guess maybe it's because I'm older and I'm a parent, but I like to take care of my staff, my team. Make sure that they're happy, keep them engaged, and I do that with everybody. I mentor children and I do search and rescue work and I'm involved with fire, police and a whole bunch of other stuff. So I do have all these wonderful things I like to do. Unfortunately, I don't get paid for them. They're all volunteer, but that kind of fits in with security and data privacy. So if I had to choose security versus data privacy, I would say data privacy is probably the thing that I'm most passionate about because, for me, it's about helping other people and securing, whether that's your grandmother or your neighbor or your child. It's really important to me. So that makes me tick.

Track 1:

That's all disgustingly wholesome, Joey. I'm going to be honest, like, team at home, when we come onto these calls, we do a little bit of a hello and say hello to each other, because that's a nice thing to do before you record something that's going to last forever. And Joey's sitting in an irritatingly beautiful location. There's vistas and views, and now he's also telling me he basically volunteers, and you're going to tell me you rescue bunnies next. Okay, so you're a good human being. We won't hold it against you. And you, data privacy and protecting people, the theme of all of this, jokes aside, is you can see it. So it's in every aspect that you describe yourself as a person. Whether you were in tech or not, you would be wired to be in something that helps other people. Now that brings us to what you do for a living, because that's what's brought us here today. So what is it you do, Joey?

joey-stanford_1_11-07-2023_140514:

So I work for a company that nobody's ever heard of called Platform.sh. They're a startup, actually now a scale up, based out of Paris, France. So I physically live in Colorado, they're in Paris, France. The commute is a bit of a problem, so thankfully they let me work from home, which is wonderful. So my role there up until a few weeks ago, actually, was Vice President of Privacy and Security, and I've worked with the security team over the years, built that up, and I've now just handed that over to engineering, which is wonderful. So now I have a new title and it's Vice President of Data Privacy and the dreaded C word, Compliance.

Track 1:

Oh, no, I'm sorry. I was about to congratulate you on the new job, but it feels like somebody gave you a spreadsheet for Christmas.

joey-stanford_1_11-07-2023_140514:

Yeah, so basically I make certain that we're compliant, and by me I mean it's really my team and myself, right? These days they do, I'd say, the lion's share of the work, and I think more strategically at this juncture as opposed to usually getting down in the nitty gritty. But oftentimes I do. You know, I was plowing through a whole bunch of laws for Australia just yesterday. So that's fun stuff. But yeah, so we work on all the whole data privacy schemes. So whether it's the EU GDPR, PIPEDA in Canada, the Australian Privacy Principles, that sort of stuff, as well as other legal requirements, PCI, SOC 2, that kind of stuff, all with the intent of, basically, the way I phrase it is trust. I use a single word, trust. We want to instill trust. We want to instill trust in ourselves, as our teammates, and the company in general. But also we want to present trust to our clients, because, think about it, you and I and everyone who's watching, right? We go off, we pick up a phone and we go visit a website or whatever. And if we're going to enter any sort of personal data, we have to have some, usually most of us want to have some level of warm fuzzies when we do that, that it's not going to be a Facebook and they're going to sell stuff. And next thing we're going to be getting our identity stolen, which has happened to me several times, I might add, just because credit card processors or something lose something and it's out there. So that's what I want. I want to present trust. I want people to trust us because I think it's good business, and actually I would argue that in order to be successful in this day and age we actually need to do that, because more and more people have less and less money. And so they become more discerning of what they do with their money. And I don't know about you, but I research these things and I only participate with people that I know are going to do a good job for me and are not going to harm the environment, that kind of thing.

Track 1:

Absolutely. There's a few things to unpick here. So I'm going to set some context. So we're going to ask you a couple of little questions and then we're going to dig into some of the things you said, because there's some really interesting threads here. So let's get some context. One of the things we like to do is give a context to the size and the scale of the environment you're in, because whatever you're doing, it works for your size and scale. We've spoken to people from Twilio in the past and they're like giants, massive, people everywhere. And then we've equally spoken to really early stage companies that are like six people in a basement. So how big is the company platform.sh?

joey-stanford_1_11-07-2023_140514:

We fluctuate a little bit, but we're running somewhere around 300 people now.

Track 1:

Okay, perfect. And when you say you've got a team that's helping you, this is awesome. Good job you. How many people are in trust or security type roles, give or take? Just finger in the air stuff.

joey-stanford_1_11-07-2023_140514:

I need multiple hands for that. We

Track 1:

Oh my goodness, you really are showing off.

joey-stanford_1_11-07-2023_140514:

I have four bona fide privacy lawyers that work for me.

Track 1:

Far

joey-stanford_1_11-07-2023_140514:

day, I might say that I work for them, maybe, at this point of the game, but it's wonderful. And then we have a separate team that used to be called security assurance. Now it's a risk and audit team that we're rounding out. And then we have a security team that's composed of security engineering and security operations. More than 10, less than 20. Yes.

Track 1:

Amazing. As a proportion of headcount size, that's pretty substantial for an early stage company, or scale up as you say. Now, this is why I have to ask you though, because there's going to be a lot of folks who don't know what your company does. And I think that's actually at the root of why this is so important. So what on earth do you do? This is not a sales pitch, obviously, but tell us the grassroots of what is the thing you sell.

joey-stanford_1_11-07-2023_140514:

That's an easy answer. We sell value.

Track 1:

Oh no. Oh no.

joey-stanford_1_11-07-2023_140514:

So platform.sh is a platform as a service company. So we're basically a cloud host for applications. So we help teams, principally web teams, innovate faster. So we eliminate many of the tools and services that a team needs and remove the headache of managing all of that infrastructure, and the security requirements for the infrastructure side, the privacy requirements, et cetera. And we do that by providing a fully automated DevOps environment. We have a unified workflow across multiple languages and frameworks. We're fast, we auto scale. We've got a 99.99 percent SLA on performance. I have some real world numbers. Can I share some real world

Track 1:

Oh, go on then.

joey-stanford_1_11-07-2023_140514:

Alright, great. Great. So we usually make a customer five to 12 times more efficient, with gains of up to about 20 times better performance when they use the Blackfire.io performance monitoring system. And the cool part that I like, in addition to all that, is that we can help a company reduce their CO2 by up to 15 times, and you don't have to take my word for this, that number's been certified by Greenly. So

Track 1:

Oh,

joey-stanford_1_11-07-2023_140514:

completely. We've had customers that have completely blown past all of these things. We had one e commerce customer tell us about a year and a half ago that in addition to reducing their installation time by 75 percent, they reduced their support requests by 80 percent. And last year Forrester did a TEI report on us that showed an average ROI of, get this, 219 percent and over 1 million Euro net benefit in three years. And the payback time was only seven months. So it's an interesting place. So you've never

Track 1:

Yeah, breathe. Yeah, exactly. That was stunning. Like Joey, kudos. That was an epic pitch. I'm going to, for the audience's perspective, say we have no commercial relationship with platform.sh, and other cloud providers and SaaS platforms that do this do exist. You could go find them too. I'm sure they have numbers. But there's some threads here, and it's an echo, actually, from your previous introduction. You mentioned an environmental benefit of what you're doing. And you also mentioned in the little section before how having trust and security was essential. In fact, you were using language that we actually more commonly hear in sustainability conversations. So it feels to me like there's a big link here between security and sustainability. Would you say that's the case? And how does that even work?

joey-stanford_1_11-07-2023_140514:

The answer is yes. I think it all started when we became a signer of the Climate Act. And we decided as a company, principally because of our French roots, that we wanted to undergo a green audit. We didn't have to. We thought maybe there might be some commercial benefit, but the initial thought was, we know that investors and companies are slowly moving that way. We've seen some other big companies, other big players. So we hired an absolutely wonderful woman named Leah who became our green strategist. And her team have done a nice job putting together an ESG program, getting our green audit going. We've got some other things I can't talk about that are in the works. And I think what's driving this is, okay, so this is going to sound really crazy, because when I first heard it, it sounded funny, but our very first company value is, get ready for it, we care for one another. We care for each other. And when you first hear that, perhaps you were like me, you're like, oh goodness, that's another little startup thing. That's going to be great. But I found out that no, actually, that's the way the company works. And it's about caring about each other. And when we extend that, we end up caring about our customers. And so we view this green, this ESG, sure, we look at it and we can be very businesslike and say it's good for business, right. But it really becomes part of the soul of who we are and what we're doing. And I think I'm allowed to talk about it, we have a new beta product that's out called upsun.com where we're trying to take it to the next level, where we could make it easier for people to sign on and to get this carbon benefit, this green benefit, where you can reduce your carbon even easier. So as a company, we really like it. And then, of course, as you mentioned, there's actually some security benefits for doing this as well. 
Mostly, I think, in the sustainability piece, because for us, we're cloud and we rely on back end cloud providers, IaaSs. And we're on a number, we're on the big three that everybody knows about and a couple that don't really have brand recognition that most people wouldn't think about. And when you think about sustainability, you're thinking about how are these centers, you know, are they environmental, are they green, but also where are they getting their energy from? What are their backups? And are they polluting? And so, just like any other company, we have a choice of where we spend money, and typically, and we're like this just like everyone else, we're going to first look and see what's the cheapest, and then we're also going to look to see, can we convert that decision? Make a small little play. Can we get something that's more sustainable, more green? Because we've read a couple different studies that say, hey, when you look at a company that has a very good ESG program, they tend to also have better security posture, oftentimes coming with that a better privacy posture as well. Strangely, the security aspect hasn't been the real focus on why we're doing it. It's just simply because we want to be good people.

Track 1:

I love this. And I've been diving into this area a little bit over the last few months. So if our listeners at home have never really dabbled in this ESG type thing, a good place to start is the UN's 17 Sustainable Development Goals, which is very high level, but it's the 17 things that contribute to us being successful as a species and carrying on in a way that doesn't hurt us all in the long run. And I love that we've got this focus on security and trust in your role, but this is much broader and it speaks to that company culture. Now, if we bring it back to what you actually do, that platform as a service thing, that trust and security must be very important to your customers because of the part you play in their world. What kind of risks do your customers care about when they're choosing a service like yours? And what are you aware of on your side, where are the important bits you need to focus on as somebody who's providing that key system to so many organizations?

joey-stanford_1_11-07-2023_140514:

I summarize this by saying you don't have to take my word for it. Take our auditors' word for it. So you can blow through all the marketing stuff. Our marketing people don't inflate anything, unlike other companies, but you don't even have to believe that. We go out and we do third party certifications. And so when I look at the commercial contracts that we're bound by, when I look at the legal regulations, because we operate around the world, which is really awesome, and it's a wonderful experience, and it's one of the reasons why we all love the job, is because we get to work in different things all the time and see how one country handles it and a different country does something slightly different, but the overlap is what's really interesting, and how we see the maturity of the world basically moving toward a more secure, more private, I don't want to say environment, but a posture. They're looking for that. So personally, I started seeing contracts requesting security certifications. And then came the privacy certifications. And now we've got ESG requirements. So not only do we have them from customers, and they're using big tools like EcoVadis, there's also people who have asked us for a Greenly report. And then we also now have some investors that are on the bandwagon for ESG because they have seen data that says, if you have some sort of ESG program, then you tend to increase your profits. The company tends to be more profitable, so they're really excited about that. And then when I sit down and actually talk with customers, forefront of their mind is cost. Can you check all the boxes, but then, are you a slimy company or are you above board? And when they realize they can talk to a real person, and that, hey, we've done this and we've got some, we don't publicize it. 
We've got some initiatives on the backend and we tell them a little bit of what's going on. They're actually generally surprised, and I hear this actually from customers, but I also hear it from employees, new employees that come in, they're not prepared. They are not prepared at all for the level of maturity we have around data privacy and what we're doing in the security space. And I'll be very frank, I started out as a single person. I was the only one. There was no team, and I had to figure out, here I have a very large cruise liner and I have an oar, and how do I change the boat and change the culture? And I challenged the company by saying, we're PaaS, right? Platform as a service. And I said, nope, we're actually a security and data privacy company that happens to have a PaaS solution. And I think after saying that a few times, the light bulb started to come on and they realized where I wanted to go, and then I could back that up with, and oh, by the way, we have some customers that are asking for this too. And the merging of all these requests at the same time allowed us to position ourselves in this mindset. And it's great. We had really good reception from our board, really good reception from the customers.

Track 1:

This is really interesting, because when we're having these chats with guests, we start talking about what kind of bad things could happen. And we're not saying they could happen to you particularly, but if we take platform as a service as a general category, if you talk to somebody who's just building an e commerce platform or thing or whatever, their threats are very centric to them, mostly, and the data they hold. Now you hold data, albeit using other services underneath, for lots and lots of organizations. So how does threat modeling and risk assessment work when you've got so many different organizations using your platform?

joey-stanford_1_11-07-2023_140514:

Thankfully, for us it's decidedly easy. If I had to do this for any other company, probably it would be significantly harder. We've taken the approach that, so there were two threads that happened in parallel. There was my thread, which was, I said, when you have multiple things you have to worry about, different procedures, it becomes very complex. People forget it. People make mistakes. When you silo things in different countries, people make mistakes. They have different expectations. You're generating massive RACI documents. It's just a mess. And I said, we're not gonna do that. We're going to start simple, and I'm going to implement something that I called the GDPR everywhere model. I'm going to roll out GDPR and it's going to apply worldwide. I don't care where they live. And boy, the marketing department at the time really fought me on that, because I couldn't let them do things in the United States, as an example, or in Australia or New Zealand, where they normally could because the law has allowed it. And I said, no, I want one process, one way of doing things. I don't want one offs. I don't want snowflakes. Prior to this, our CTO and the engineering teams had the same idea, but they came about it from a different perspective. They're like, we want one technical solution that we can use to solve everything. We don't want to make one offs. We don't want to make exceptions. We want one process. And so where we ended up when we started going into audit was we had one way of doing things and one set of processes. And so when you try to risk model that, it becomes very easy, because you don't have a server in somebody's backyard or under the desk or a mom and pop shop. We were using very large, vetted, audited, redundant services underneath us. Probably the hardest thing, I will absolutely tell you the hardest thing that I did in all of this was vendor management. 
It started with GDPR, but I put the entire company through hell, honestly, because I went through and did removal of duplications, a heavy privacy audit, a heavy security audit. People in our company were just so frustrated with me because it was slow. It was slow work because it took us a while, and honestly it wasn't my team. It wasn't me. It was that we were waiting on vendors.

Track 1:

Yeah, absolutely.

joey-stanford_1_11-07-2023_140514:

Vendors hadn't caught up. So when GDPR came out, we used a lot of vendors in the United States, and the United States vendors are like, oh, that's Europe, Carolina. And we hit the fight. I fired a couple vendors, like, you're not gonna comply? Okay, we're not gonna use you. See ya. And we ended up moving to people that were more expensive. I was very unpopular for a long time because of these decisions. But ultimately, we ended up having this interestingly mature area. And our customers started seeing it and our board started seeing it. And we have partners, and so our partners were like, wow, this is actually cool. We didn't know you did this. So that was the beginning of when I realized that what I was trying to do for the company was to establish this trust. I was looking for that word. I just couldn't find it. And then suddenly I hit upon it. Yeah, it's not about compliance. It's not about protection. It's not about security. It's not about data privacy. It's about trust, because trust encompasses everything, because it's not just privacy and security. It's also going to trust the company is going to be alive. It's trust in handling of data. We can think about the CIA triangle, right? But it just goes beyond that, right? It's, do you have the right mindset? Do you make the right decisions from the get go? Do you do privacy by design? Do you do security by design? Yeah. And so, like, our biggest risk, honestly, is, are you going to be profitable? Really, that's any startup's and any scale up's challenge.

Track 1:

Absolutely. The unspoken truth of all companies right now is the biggest monster in the room is going to be cashflow for the next 12 to 18 months. But I'm going to pull some things out for our listeners here, because I really think there are some gems in what you've just said. What I love is, even though you're relatively early, 300 people to my company is huge, but to other companies is tiny, choosing and opting into the most aggressive, aggressive isn't the right word, but the most mature of the privacy frameworks, or the one that is going to cause you the most headache, and then rolling it out globally, while it might seem counterintuitive, especially if you're trying to go fast, I can see the real benefits in that, especially as we're seeing around the world other countries really desperately scrabbling to catch up. So that I think is really smart, and it links very well with all of your company values. I don't envy you the vendor pain. That is pain for everybody. But I think that approach and the solidifying on just one way of doing things, there's a beautiful minimalism there. In doing so, that simplicity has made it more achievable for you to get to that trusted state and to get there quick, which, there's many larger organizations who have not reached that, as you saw in your vendor stuff. So that's really powerful. So to the listeners at home, if you're looking to explore the space, perhaps look at the types of compliance schemes or frameworks that you might think you need to achieve one day and maybe go pick the scariest, toothy one. That sounds like no fun at all, but go find it. Because that could actually set your rail for, if we're going to get to that, then we may as well just go for it. 
So if you had to give a piece of advice, Joey, to anyone who is growing a company and they're going from one person leading the charge with trust and security up to eventually having a team just like you, what's the most powerful thing that you have done, or the thing you wish you'd done the first time?

joey-stanford_1_11-07-2023_140514:

Probably the most powerful one is successfully lobbying our ExCo, or executive committee, to make a minute change to our company values. And I really wanted to get that message across early, and we settled internally on the saying that we are good custodians of our customers' data. So this predates my epiphany for trust, but we're good custodians of our customers' data. And if you have that in place, when the entire company begins to make strategy decisions, they normally, if they're effective, they're going to make those decisions, business decisions, strategy decisions, based upon their company values. And if one of your company values is protecting everything, then that really sets the tone for getting approval for some things that you may not get approval for. I'm often asked on the side to help startup companies with, where do I go? How do I get into this space? How do I deal with this? Honestly, the simplest way for most North American and European customers specifically would actually be doing SOC 2, simply because, while there is pain, because it looks across the entire company, it's also relatively easy. You can set your own controls. It gives you experience going through auditors, dealing with auditors, building up that confidence, and then getting the company to align. It says, oh, we're going through an audit, so I need to have this done. And then the next step is the same thing that I did, which is, typically, you can only secure authorization to obtain security certifications to the extent that a customer is looking for it or there is some larger business plan for you to get it. For example, if you don't have a customer clamoring for ISO 27001, you're not going to go shell out the 100,000.

Track 1:

Yeah, that'll be a really strange hobby.

joey-stanford_1_11-07-2023_140514:

Yeah

Track 1:

really strange hobby.

joey-stanford_1_11-07-2023_140514:

But what I ended up doing is I said, eventually I'd like to get there. So when we start building some process, policy, controls, let's use the ISO 27001 framework as it fits. So that way, as I get closer, as we get mature, as we get more demand, I've already done a lot of the background. I already have this. The horrible thing with ISO 27000 is the ISMS. And hey, I already got one. So that one's done. So you pick at it. It's, how do you eat an elephant? One bite at a time.

Track 1:

That's really good advice. And if you are listening out there and you've never looked at those frameworks, because you're not ready to get audited yet, don't be scared of them. Go and have a look. They might just give you that guidance of direction or alignment until you're ready. And, hopefully, as John Gullsey said to us in a previous episode, plan on being wildly successful, and then when your customers are finally clamoring for that certification, you'll be well prepared to get there. Thank you so much for your time today, Joey. This has been really lovely. I've enjoyed our chat. How are people best to contact you afterwards? Is there a way that we can keep in touch with you?

joey-stanford_1_11-07-2023_140514:

Yeah, actually, if you don't mind social networks, LinkedIn is wonderful. My short name is Rinchen, R I N C H E N. It's a little hard, but I'm out there. Feel free to shoot me a friend invite, comment, whatever. You can also send me an email, joey at platform.sh. And platform also has a public Slack chat. So you can just join the chat and I'm at Joey. So pretty easy to

Track 1:

Wonderful. Thank you so much, Joey, for everything you've shared today. It was great to talk to you.

joey-stanford_1_11-07-2023_140514:

It's a pleasure. Thank you again. Really appreciate it.

Track 1:

Thanks. Everybody, you know the drill at this stage. This is a podcast. So if you haven't subscribed already, do that. If you haven't told your friends, do that too. It's like the cheapest Christmas present you'll ever give. And if you liked what you've heard or you've got a suggestion for a guest, use the comments, send us an email. We'd love to hear from you. Take care, everyone. We will see you very soon.