Aug. 3, 2023

John Downey - Chief Information Security Officer at GoFundMe | Your Company Isn't Safe From Hackers

Success Story with Scott Clary

➡️ Like The Podcast? Leave A Rating: https://ratethispodcast.com/successstory


➡️ Join Our Free Slack Community To Up-Skill Yourself: https://bit.ly/3IY8kwK

➡️ About The Guest

John Downey is the current Chief Information Security Officer at GoFundMe, where he plays a vital role in safeguarding the platform and ensuring the security of its millions of users. With an impressive career in the technology industry, John has held key positions such as VP of Information Security at Root and Director of Business Unit Information Security at PayPal. Prior to that, he honed his skills as a Senior Software Developer at Purdue University.

John actively gives back to the community. He is an enthusiastic contributor to open-source projects and generously volunteers his time and expertise for organizations like the Dystonia Medical Research Foundation, which strives to find a cure for movement disorders, and FIRST Robotics, an initiative inspiring young minds in science and technology. John Downey's dedication to cybersecurity and his passion for positively impacting society make him a remarkable individual in the tech industry and the philanthropic world.


➡️ Show Links

https://twitter.com/jtdowney/

https://www.linkedin.com/in/jtdowney/

https://jtdowney.com/about/


➡️ Podcast Sponsors

HUBSPOT - https://hubspot.com/

NUDGE PODCAST - https://www.nudgepodcast.com/podcast/

THE KELLY ROACH SHOW - https://www.youtube.com/@KellyRoach

SHOPIFY - https://shopify.com/successstory/

NETSUITE - https://netsuite.com/scottclary/


➡️ Talking Points

00:00 - Intro

02:52 - Genesis of a Cyber Guardian: John Downey’s Origin Story

04:43 - Driving Force: John's Security Path

07:50 - CISO Trends in 2023

10:23 - Taming Advanced Threats: SEC's Role

12:44 - Tech Passion Meets Nonprofit Purpose

17:17 - Sponsor: Nudge Podcast

18:01 - Nonprofit Vulnerabilities Exposed

21:01 - Unraveling Human Errors in Attacks

23:54 - Breach Recovery: Blameless Postmortems

31:44 - Innovations in Security at GoFundMe & Classy

33:18 - Sponsor: The Kelly Roach Show

34:28 - Battling Beyond Human Threats: Perpetual Struggle with Advanced Threats

35:43 - Trust & Transparency: The Key to NPO Success in 2023

37:33 - Battling Cyber Threats: Classy and GoFundMe

40:14 - Parting Wisdom from John Downey: A CISO's Advice to the Audience

42:10 - Connecting with John Downey: Socials and Websites

43:10 - Defining Success: John Downey’s Perspective



Transcript

You start to see more and more prevalent security threats and more complicated security threats. There's always been threats. You notice that more companies are creating dedicated teams. Is this more of a like a 2023? Is you have to have like a CISO in your organization? In 2013, there was a couple of major retailer breaches. It became clear that a security incident was not just going to affect the chief security officer. It was also going to affect other C-level executives. Fast forward to 2016, you had the election interference and the hack of the DNC. Fast forward to 2020, everybody went to work from home. You know, the joke of like which C word drove the technology innovation at your company? Was it the CTO, the CEO, or the COVID-19? Because everybody overnight went work from home. That's wild. That is absolutely wild. Today, my guest is John Downey, chief information security officer for GoFundMe and Classy, where he leads the security strategy and operations for both platforms. He has over 20 years' experience in software development and security. He's worked for some of the most reputable and innovative companies in the world. On average, nonprofits do not have the expertise that the for-profit business world has. I'm interested, as a case study, as to what made you want to move into the nonprofit world? My passion is for payments and it's weird to say, but like, I learned a lot about how the banking system works, how messy it can be, but how... What are your thoughts on how do nonprofits build back trust and compete in a 2023 environment? I had a leader of the company I worked at many years ago who kind of talked about like, you know, you can... Welcome to Success Story. I'm your host, Scott Clary. The Success Story podcast is part of the HubSpot podcast network. They've supported the show for almost two years now. So I want to just give a shout out to them. HubSpot is an incredible tool for business leaders. 
If you've never tried it before, you obviously have to check it out. You've heard a lot about it on this show, but outside of just HubSpot being amazing, they're incorporating AI tools that as a business leader, you have to pay attention to, because right now we're living through the industrial age of AI. There are already tons of innovative ways to leverage AI tech to streamline and grow your business. HubSpot just launched two free AI tools that can help you automate some of the more tedious parts of marketing and managing the CRM. So Content Assistant and ChatSpot are brand new GPT-powered features that can instantly brainstorm blog topics, write ad copy, filter contacts, run reports, and so much more. They're like virtual assistants that never complain, never quit, that quickly dig through data dumps to find you the needle in the haystack. So to learn more about using AI to grow a better business, head to HubSpot.com slash artificial dash intelligence. Yeah, so I'm very fortunate that I can kind of remember very clearly what that moment was for me. So the moment that kind of set me down this path was my like 12th or 13th birthday, went over to my grandfather's house to kind of say hi to him, and he gave me a $20 bill. He's like happy birthday, here's a $20 bill. And on the drive home, we stopped because we saw a garage sale. And I grew up in the Midwest, so very common to see garage sales all over the place. So we stopped, saw a garage sale, figured we'd browse around. And up until that point, we had a family computer that had internet access through AOL, got the free CDs in the mail. But my parents were adamant because it was the 90s that I couldn't have a computer in my room that had internet. And so I really wanted the computer in my room, they said no. So we stopped at this garage sale, and they had a Commodore 64, which if you don't know what that is, it's kind of an older computer that was really popular in the 80s, CRT TV, clunky keyboard. 
And they were selling it for $20. And my mom was really concerned, she's like, well you can't have internet in your room. And the person's like, oh don't worry, it doesn't get internet. And so they're like, okay, so I brought it home. And like that, you know, started playing with that, you know, at first it was video games. But the thing that really kind of set me down this path was they gave me all the manuals and all of the books that they had about it. And I had all the software. And one of them was how to program computer games in BASIC. And it was just print out some source code for games that you could type into the Commodore and get it to go. And actually, I've since lost the book, but I went and found one on eBay years later, because I wanted to keep that as a memento. But that's kind of what set me down this path. Like I was really interested in software and computers. And like this moment has solidified that I wanted to do something with computers. And as you go down this career path, what makes you want to be responsible for the mission critical systems that are literally like the gate of all the bad actors in the world trying to sabotage a company? That is the most stressful thing I think anybody could ever want to do. And I mean, like there's a lot of different developer jobs and engineer jobs that can make a ton of money. And you can build and create a ton of great products that I mean in a larger company, you don't have to be responsible for this level of item in the company, but you went down this path. Because if I look at actually your background, you've been in information security for several of the past. This is not like something that you just did. Yeah, I had a later stage. Yeah, so I can, you know, for me, I was always really interested in security. And actually it was kind of a weird, I did kind of a weird flip thing, right? 
So I started developing software really early on, late teens, like writing PHP and like sharing it out, you know, on forums. It was early 2000s, late 90s. And someone actually found a security issue in one of the things, and they reported it to me. And I thought that was so interesting that I really got into security for a while. And then it kind of flipped it around that I found like the most interesting security aspects to me were about software and the like bugs in software. And so I really went hard into that, studied computer science. And then I started off as a software engineer because it was the job I could get, but I was always really passionate about security. And it wasn't until I ended up, I ended up joining a startup called Braintree, which is a payments company. I was the 12th engineer, 40th person of the company, very small. I wrote software, I wrote banking software for, you know, we were powering, you know, companies like Uber and Airbnb and GitHub. So not small companies, very fast growing companies. And it was fascinating, got to learn a lot about banking and finance and payments. But then I, you know, I was kind of looking around going, you know, I was still this passion for security. And you know, as we got bigger and bigger, I was like, we really kind of need a dedicated security function. And I, you know, proposed it to the CTO. And like, and you could leader, he was like, okay, that's not your problem. Go build out our security function. I'm like, okay, I go figure this out. And so I, you know, we did it. We started to hire, build that, build off the team. Then PayPal came and acquired the company in 2013. And then towards the end of my time at PayPal, I actually ended up leading security for all their acquisitions. So for Venmo and Paydiant and Xoom, with an X, as well as Braintree. So it was, it was a great experience, but like I end up going there because, you know, I, you know, someone found a bug in my software. 
Like I, I made a mistake that would, you know, or the kind of things that I'm trying to help our engineers here find in your software. And set me down this path of like, this is fascinating to me. But you're right. It's lost stress. It takes kind of a personality like deal with it and like, kind of take the waves as they come and just sort of figure out what the best path forward is. Well, you know, in today's landscape, I feel like, and I'm not living in this world. So I'm just making assumptions based on news, which is a horrible way to make assumptions. But you, you start to see more and more prevalent security threats and more complicated security threats. And there's always been threats, right? But do you notice that more companies are creating dedicated teams? Is this more of a like a 2023? Is this like a, you have to have like a CISO in your organization as soon as you can get one because there's just so many bad actors and they're so sophisticated. Is this like the norm now? I think it's been kind of developing as the norm for a number of years. And so I kind of like in my career, I kind of see a few of miles. So it was 2013. There's a couple of major retailer breaches. So you saw like Target and a few others. And that was kind of the point at which it became clear that a security incident was not just going to affect the chief security officer. It was also going to affect other C-level executives at the company. So that was an interesting kind of development. And then, you know, fast forward a couple of years, you had 2016, you had the election interference and the hack of the DNC. That kind of, you know, was another big aspect. Fast forward to 2020. Everybody went to work from home. There's the, you know, the joke of like which C word major, you know, drove the technology innovation at your company was the CTO, the CEO or the COVID-19, because everybody overnight went work from home and that brings, you know, radically changed the security landscape. 
And then, you know, kind of, you know, fast forward to today, you know, these inflection points keep hitting. And then we have a big one for at least for public companies with the SEC rules that, you know, are currently a proposal, most likely going past that are going to require that you start to report on the cybersecurity expertise of your board, that the board has to acknowledge that they have cybersecurity oversight responsibility, kind of setting out rules and requirements for reporting of cybersecurity incidents. And then, just even a couple of days ago, the Biden administration putting out the national cybersecurity strategy from the, from the system, the critical infrastructure security administration as part of DHS, they set out kind of like, here's how, you know, technology is critical. Security issues in technology are, you know, kind of affect the entire American people. And here's what we're going to do to make sure that companies are taking responsibility for this because there's really an underlying current of, you know, kind of so what? Like, we have a security issue, the stock price rebounds, you know, maybe someone loses their job, but it's like not that big of a deal. Except for it has, you know, started to become a big deal. And companies are starting to realize it, but I think politically, the regulators are starting to say, look, we have to get involved and push companies harder and faster. So it makes a ton of sense that there has to be some more formalized security process regulatory oversight because I think it, you know, when you start playing out a big enough level, it is a lot more, it can be a lot more impactful than just the stock price, right? Like you just, like you just mentioned, but it's interesting. When you look at what the, the SEC is doing, your background, the SEC is not, is not a, is not the most forward looking organization in the world. 
And, and you even, you look at when we speak to tech leaders and we, and we bring them before the Senate and we're, you know, we're speaking to them and asking them questions and some of the questions are so rudimentary and silly. And it's just like, how do these people keep up with the most advanced threats in the world? So when you look at what the SEC is doing, is it enough? Does the SEC know what good looks like? Or is there more that has to be done? So I think that's a, that's a great question. I think where the SEC is largely, in my opinion, catching up with where highly regulated organizations, right? So like financial services, healthcare, places like that, had already had a lot of these kind of requirements in place, where the SEC is kind of coming in as it's clarifying that this isn't just those industries, it's all industries. And also clarity, you know, clarifying wise at, you know, SEC's goal is always we need to empower investors and protect investors. And so what, what requirements are there? You know, if you have an incident, but the incident maybe doesn't reach this, you know, this kind of mythical material level, well, what does that even mean? Like, it's the SEC's kind of laying out like, well, no, here's what that means. Here, you know, here's what we have to put into your 8-K, which is the form that you have to file when there's a, you know, material incident. And here's like specifically how long it's been going on and kind of like the criteria of it. You know, are they going far enough? I think that's, that's a great thing we'll kind of see over the next few, you know, over the next few years, if, you know, companies really start to increase the reporting and the visibility if it, if the sunlight actually, if the sunlight actually kind of acts as a, you know, acts as an agent of change. 
But I don't know, you know, I think the, a lot of the, a lot of the regulated industries were already this, or already this way, especially if you are regulated out of states like New York, where they already have very stringent requirements for financial services companies. You know, you're seeing a lot of these things are, things that you had to do already. And, and, you know, now I'm actually more curious about, this is going to be about your career path too and how you moved from one, like you were working with PayPal. I mean, you could not have picked a more important organization for there to be some sort of information security oversight. Like when you're working in financial industries, it's, I mean, a breach is just like it can be horrifying. But I've always found that on average nonprofits do not have the expertise that the for-profit business world has. And I'm interested as to you as like a case study as to what made you want to move into the nonprofit world. Because somebody with the information security background from PayPal, I would say there's unlimited career opportunities, potential money out there that you could go chase after. And I think that's actually a problem that a lot of nonprofits have. I think that they do not know either how to or cannot afford to pay because the business model is suffering to some degree to pay the salaries of the people that can move the organization forward and not even just information security like sales, marketing, everything. But you made that conscious decision. And I think that like that's remarkable. So I feel safe with, with GoFundMe, I feel safe with Classy, but I think a lot of nonprofits suffer from this, which is why you see trust in nonprofits start to be great, to be quite honest. So what was that thought process for you? How did you make that jump? Why were you able to do that? Why did GoFundMe look towards somebody who was highly capable to bring into the organization? 
Yeah, so I spent, as you mentioned, I spent a number of years at PayPal and I knew my next steps. I wanted to stay in financial services. So I actually went to and spent a little bit of time in insurance, just to try out, try my hat on another financial services sector. But my passion is for payments. And it's weird to say, but I kind of got really good at it. I learned a lot about how the banking system works, how messy it can be, but how functional. In a lot of ways it is, and how important it is, you look at a lot of the last couple of weeks here with the Fed and the banks in the US. And so I wanted to stick to that. And so GoFundMe and Classy offer a way to for me, stay in payments, but also feel a lot better about what I was doing on a day-to-day system. Not that, obviously, I hold no animus towards any of my prior employers. We were doing great work, but it helps day-to-day. I feel they impact a lot more at GoFundMe and Classy. In terms of, you raised a great point around nonprofits and the whole government and NGO sector has a real deficit of talent in a lot of cases. There's recently been a case where the NSA and others have been like, hey, we want to do a talent swap with industry where they want to go to Google and Facebook and others and say, hey, we'll swap people with you. You can send your best security engineers to us and we'll train them to help us in our fight against whatever it is. And then they'll work for us for a few years and then we'll swap them back and as a way to maybe get talent. That's something they've floated recently. I think this just goes to show that there's a real issue here and a lot of that kind of stems back to just nonprofits have a lot of the, from my experience, have a lot of the issues startups do. They're small, they usually have very limited resources, scrappy team, everybody's, the thing I love about being a startup is everybody did everything, right? 
My job is when I joined Braintree said that I may be asked to take the trash out. I thought that was awesome because I was something I was really passionate about. I think the people who work at small nonprofits, small to medium sized nonprofits have the same passion, but maybe a little bit different mission alignment, right? They're very philanthropic like kind of looking to do the most good. And the key thing I see is sort of the funding, right? So in a startup, another dollar going towards AWS or GitHub or some developer tool can make sense, it's an investment that you're kind of making towards the future. When you're in a nonprofit, a lot of these dollars, you want to maximize your dollars going to programs. How can I deliver whatever help my nonprofit is trying to deliver? I want to maximize that, which means paying less on salaries, investing less on training, investing less on other things. Until you get bigger and you hit this inflection point, which you kind of have to make that risk based decision, but smaller organizations, green organizations, they're really trying to maximize the program, how much they can put into the program, which means they have to minimize a lot of other stuff. You all know the Success Story podcast is part of the HubSpot podcast network. They have incredible podcasts. So please go check out the roster. But one of my favorite shows is Nudge hosted by Phil Agnew. You just have to understand that some of the smallest changes can have the biggest impacts on your life and on Nudge. This is what Phil goes through. He speaks about evidence-backed tips to help you kick bad habits, get a raise, grow a business. Every single episode is bite-sized, 20 minutes, comes packed with practical advice from some of the most prolific entrepreneurs, behavioral scientists in the world. And it's the UK's fastest growing business podcast. I definitely recommend you go check it out. You should listen to Nudge wherever you get your podcast. 
And I've seen that a lot, but that means that there's a lot of vulnerabilities and liabilities in the nonprofit sector. So maybe speak to some of the things that you see as attack vectors that could be a major issue if these are not more addressed and if people don't put more of an emphasis on information security. Because I feel like to your point before, private industry is taking it more seriously than they did before, but I feel like nonprofit is potentially still lagging. Now I think that's very true. And I think one of the things I always recommend to folks is, you know, you have a couple different types of attackers who may come after you, right? So you have people who are doing it just because they don't like you or they don't like what you stand for. They don't like someone involved with you. They're kind of hacktivists. You're going to have a hard time defending against them. And you know, if you're a nonprofit, like there are nonprofits that are politically motivated and they have, and therefore they're going to have someone with the opposite persuasion attacking them. But the vast majority of people that they're probably going to deal with are people who are financially motivated. So financially motivated attackers are, you know, they're usually at the, at the lower levels at these kind of smaller companies. It's more of a drive-by issue and less of a targeted issue, right? So I always describe it to, you know, it's not Tom Cruise in Mission Impossible like breaking into the facility and like dropping down, you know, and like stealing the information. It's someone walking down the street and jiggling the handles on the car doors, right? Like that's the kind of person. They're just, they're just looking for a car that was left unlocked that they can rob. And so what you need to do as an organization is do the things you have to do to lock your car doors and make sure that your employees are doing it. And so that's things like good password hygiene. 
So, you know, having strong passwords, unique passwords for every website, using a password manager, turning on multifactor authentication, probably the best thing you can do is enable MFA everywhere you can. And then last thing is patching. So like patching your software, patching your phones, encouraging everybody to make sure like, hey, keep everything up to date. And then you're going to be, at that point, you're going to be pretty close to being the one who's had their car door locked. The one I've added that we're very recently is just double checking that all your laptops are encrypted. So this is something that, you know, is starting to come more of a norm out of the gate, but like if you get a new Windows or Mac laptop, just make sure that the encryption's enabled. And this is where it kind of, you know, helps to have a partner to do this, right? Like if you're a nonprofit, if you can partner with somebody, because I don't expect an executive director at a local foundation to be an expert on technology, you know, how to turn on BitLocker. But hopefully there is an organization they can work with, an IT consultant or someone who can do that. And the reason I kind of go into the laptop thing is because people like any mobile device, the mobile phones are very good. Like, you know, modern mobile phones are pretty secure. It's the mobile laptops just because you do lose them, you leave them in cabs, you leave them, you know, in restaurants, like things happen. And when that happens, you want to make sure that you have fairly high confidence that the data on it is safe. So you're saying like from what I'm hearing that the majority of problems still, the majority of potential attacks are still human, are still focused on the human, are still focused on the human screwing something up basically or getting phished or losing something. Yeah. So the, you know, Verizon every year publishes a great report that kind of outlines data statistics. 
And it's something like 80 plus percent of attacks that are, you know, going to be like really wildly successful start with known credentials. So they start with someone, you know, it's not that like someone hacked the matrix and kind of broke in. It's like, no, they got Scott's username and password. They logged in as Scott. And I'm assuming actually, if you're, if you have a workforce that's not working from home, which is a reality post-COVID, then you, to your point actually. So you don't have, you don't have the proper encryption on the devices that people are working off of because they're taking something home or they're commingling the files from their work with the files on their personal computer at home. And every, all the, all the security requirements that in office, you could sort of control. Now it's like the Wild West. It's like craziness because everybody goes home and they can use whatever device they want and using their personal device, using their work device, using personal phone, work phone. Is that what you're dealing with right now? I mean, I think so. And I think a lot of folks have been dealing with it since 2020, you know, March of 2020. I remember talking to competitors at the time when I, where I was, where they were sitting people home with desktops because it was all they had. They didn't have laptops. You couldn't buy a laptop. I don't know if you, if you were in the mode of trying to buy a laptop in August or sorry, in April. It was like a selling panic. Yeah. You couldn't, and like, because all the students were going to remote learning, all the employees were going to remote. If they didn't already have these, the supply chains were immediately jammed. And so because of this, things were skipped. You know, efficiency was needed to get people up and running. And so I think a lot of companies in places are dealing with the fact that like they kind of, there's still this COVID fog of like, you have this technology out there. 
Now, fortunately, unfortunately, you know, it's a couple of years old. So maybe it's, you know, entering the place where it's going to be replaced. But you have a lot of technology out there that was kind of like rushed into production, if you will. And these kind of early days of COVID that maybe, you know, didn't get, you know, the firewalls didn't get configured or the laptops didn't get encrypted. If you're not a sophisticated organization, then, you know, has the remote management capabilities like a small nonprofit, you, you may have this risk out there. And so, you know, kind of going back to what I mentioned a little bit earlier is partnering with someone who can help you out with this. Like, I don't expect people to have this, you know, these people on staff at that level, you outsource it, you know, just like a kind of how a startup would for, you know, for, for things that aren't going to be core to what they're trying to build, you kind of have to outsource it to someone who's an expert. But also, like, so you're saying that a lot of this comes at, yes, so you're outsourcing some of the actual very technical items. But there's a, I'm sure there's a lot of education that can be built into an organization that probably also isn't there that could mitigate tons of these problems. So, I mean, let's talk about the human component and these breaches, because the human, that's, that's the fallacy, that's the weak point, right? That's the Achilles heel. So, outside of pure technical, what are the, for us, for a, for any, I was going to say small business owner, but for any business owner that doesn't have this knowledge in house, what are the like the best practices that you would teach over to your team or your employees so that they don't fall victim to this stuff? Because I'm even spouting off stuff like, don't get phished. Okay, maybe people don't even know what that means. 
You know, I, I get the, dude, I get these like scam emails all the time and they're getting actually quite complex and I can see it because I'm a technical person and I'm not, I'm not oblivious to this, but I get emails from my own team where they've like changed the name of the, of the email, but this, if you actually go into, or they change the name of the sender, but the email is this weird obscure email and it's like, hey, Scott, like, you know, oh, it's Patrick and it's like, changed my banking information on my payroll and I need my ACHFD. Yeah, exactly. So it's like, people also pay me in iTunes gift cards. Right, exactly. And it's like, oh, don't, don't, don't, don't call me. I'm in a meeting, just do this urgently, like stuff like that. So I mean, not everyone's going to fall for that, but yeah, no, so you say that, you know, the recent, so a few days ago, the FBI released their 2020 cybercrime statistics. And so they categorized that under kind of this thing called BEC or business email compromise. And it, for years and years and years was the number one thing on their cybercrime, always in, you know, a couple billion lost reported to them. This year actually dropped to number two. The number one is now investment scams, so the crypto scams. But it's still number two, it's still a huge deal. And it takes the form that you, you mentioned, which is, all, you know, often somebody will reach out, usually they'll impersonate an executive or CEO, CFO, president, someone. They'll send, we've been, we've actually been seeing a lot more text messages than emails recently, where they'll text our employees and say like, hey, I'm the CEO. I have something really important. You can't reach me, but I need you to do something and it always involves like wiring money or changing ACH information or buying gift cards or something for some reason. Anything that you can do to extract value out of the person or the organization. 
And they're playing on a couple of things, right? They're playing to urgency, they're playing to people's sense of wanting to help out, especially with the CEO: "Hey, I'm special. They reached out to me because they thought I could handle it. I don't want to let them down." And people unfortunately do fall for it, to the tune of a couple billion a year that we know of so far, at least from the FBI, and in the US. And I think a lot of that goes back to creating a foundation of trust inside the organization. Basically, you have to make people aware that these are a big thing. So security awareness and training is a big deal for organizations of all sizes. Make sure people feel comfortable enough to stop and say, "Hey, this is weird. Maybe I should validate this."

And so, yeah, how would I go about validating that the email I just got from the CEO isn't correct? Is the CEO even approachable at my company?

So I'm very fortunate at the place where I work, at GoFundMe. Our CEO has actually come out in town halls and said, "I will never text you. I will never email you and ask you to do this. We will always use proper channels." And that's helpful. But for organizations that are a little bit smaller, they haven't seen this before. I'm involved in an organization where they had this, and the person actually went along with it for a little bit. This is at an organization I've consulted with in the past.

What do you mean they went along with it?

They were down the street, about to buy gift cards for long rains, when they stopped and said, "Wait a minute, this makes no sense. Why should I be doing this?" Yeah. And they felt super embarrassed, as you would, and they didn't want to report it.
They didn't want to talk about it, because it's very natural. You can be embarrassed, you can find yourself feeling like a fool. And that's why it's important to always create this; you have to lead with empathy. You have to say, "Look, this could happen to anybody. I would feel embarrassed too. Here's what we can do to make sure that we're resilient to this in the future," and just focus on improving the situation. There's an aspect in security we call the human firewall, which is knowing that we could have the best security in the world, but if we don't have humans out there helping us out as well, we're going to miss things. The example I always go back to with this is the SolarWinds breach from a few years ago. So SolarWinds got compromised; the US has blamed the Russian government for doing this. And they were in organizations like Microsoft and the State Department and a company called FireEye. FireEye is a very famous security company. It was actually an employee at FireEye who got a multi-factor authentication reset email, reached out to their security team and said, "I didn't do this. This is weird." They launched an investigation, found that they had this breach that hit them from SolarWinds, and that's how the whole thing was uncovered. If this human hadn't been aware and felt comfortable going to their security team with this, the whole SolarWinds incident may have lasted for another few months or years.

That's wild. That is absolutely wild. Somebody needs to feel psychologically safe to speak up, and that's really what stopped this from going on. Actually, as you're telling me that story, I was just thinking, I actually do have a friend who ran a very large business. And I think it was just under 500,000. And it was a payment.
It was a payment for a service. And basically, there was an email sent to change the wire information or the ACH information. And it was gone. But that employee in particular felt embarrassed but spoke up immediately. And the founder and CEO of that company was a very good friend and he's a good person, so obviously not an ass about it. But yeah, I could see that. And I could actually see that this is almost like a leadership lesson that can do more for reinforcing the security of your organization than anything, really. Because if you create a psychologically safe environment and somebody's willing to speak up and raise their hand when they screw something up, that's great. That's a very healthy organization. If somebody screws something up and you reprimand them and you fire them, that is potentially going to do more harm to your organization in the long term, because everybody who saw that action is going to be scared out of their mind to ever say anything if they ever do anything wrong. And that's going to cause more repercussions.

Yeah, it's very similar to something coming up in the DevOps world: there's this thing called blameless post-mortems. I don't know if you're familiar with it, but the idea is, if you have an incident, the site goes down, there's an outage, somebody may have misconfigured something. And there's this idea that when you get together to talk about what happened and find the improvements going forward, you do it in a blameless fashion. So you don't say, "John pushed this update and John caused the site to go down." You'd say, "An update was pushed, the site went down. Here's what we're going to do going forward."
By not attaching blame, you're creating this environment in which you can lead with empathy and create a space for people to be safe to share these things. You actually create a situation in which they won't try to cover it up, ideally. If you go with blame first, maybe somebody's like, "Okay, I messed up, but I can fix it really quickly. I don't think anybody has to help me, and then nobody will know, and then I'll be fine, I won't get fired." Instead, you can stop and say, "Oh, I messed something up. I need to ring the bell and call for help because I can't fix this on my own."

I love that. I love blameless post-mortems. I love the concept. Okay. So we've covered best practices for somebody that has really not put any thought towards this, but I want to take it up a notch and understand maybe something that's innovative that could be a step two. So look at your own work, look at GoFundMe, look at Classy. What are the more innovative things that you're dealing with right now in this world that are top of mind, that somebody who is operating at a higher level and with more complex threats should start to think about?

That's a great question. I think a lot of it really comes back down to picking best-in-class partners, right? So we have to operate at a very limited scale with our teams. We're doing the best we can, but a lot of this comes down to really keeping our finger on the pulse of technology and trying to pick the best partners and the best platforms to build on top of. In terms of being truly innovative, I don't think we have the light bulb that's going to flash and solve the industry's problems.
I think for us, really, what we're worried about is trying to be empathetic, training people, helping our customers out. A lot of that comes down to offering a lending hand, being someone who can offer consultation and best-in-class support. And with that, we can hope that we can lead organizations through this so they don't end up having some of these same issues. But in terms of...

I want to talk about the Kelly Roach Show. I do not take my podcast recommendations lightly, but I have truly admired Kelly's journey from the get-go. She was a fresh employee at a Fortune 500 and received seven promotions in eight years, all this while building a company that blossomed into an eight-figure empire. Today, she's a best-selling author, top-ranked podcaster, and the proud owner and co-owner of six thriving companies. And let's not forget, she's an Inc. 500 awardee, proving that growth isn't just a goal, it is a lifestyle. Now, her podcast, the Kelly Roach Show, dives deep into business growth strategies specifically targeted for those hitting the six- and seven-figure mark, but it's not all business. She also explores the habits, mindset and disciplines of the world's most successful people. It's a podcast that's perfect whether you're just getting started or you're trying to up-level your success game. But here's the deal kicker for me: she is a super mom and a wife. She embodies the truth that you don't have to sacrifice your home life for success. She believes in and shows that life-changing wealth, wild success, a happy marriage, and a fulfilling home can coexist. That is goals. So tune in to the Kelly Roach Show on Apple, Spotify, wherever you get your podcasts. Trust me, it's time well invested.

By the way, I don't mean like you're changing the industry.
I just meant the stuff that I know, for a fact, are threats that you're aware of that are much more complex than just the human element.

Yeah, I think that's definitely true. I mean, a lot of it comes down to defending against actors who are against what's happening on our platform, right? So we have open platforms where organizations are on many sides of many issues. And sometimes there are people out there who don't like what's happening. And they're not the ones jiggling the car door. Yeah, they're not jiggling the car door. They're nation-states, they're activists, they're others. And so what they're doing in these cases is throwing whatever they can at us to help bring this down. And it's not always the things that you would think of, like the big political flashpoints; it's things like helping victims of earthquakes and stuff like that. Some people just have eternal enemies and they don't want to see people provide support. And so we're there to help our organizations, the donors, all the campaigns, and try to make sure that we're providing a safe platform for them to provide as much help as they can. So our goal here is to deliver help through whatever means we can, and we're providing that platform.

And you're actively going out on podcasts and speaking about this, and I think it's super important. But just from what you've seen in the world of nonprofits, the role of trust and transparency, how does that impact the actual success, the confidence of the investor or the donor or the contributor? Because I don't see, no other nonprofit CISO has ever approached me and wanted to speak about cybersecurity. But I do see, not just, I guess, an eroding trust with nonprofits across the board. So what are your thoughts on how nonprofits build back trust and compete in a 2023 environment?
Yeah, I think it comes from a lot of different aspects. So I had a leader at a company I worked at many years ago who talked about how you build trust kind of like in a football game. You inch the ball forward yard by yard, but one mess-up and it's completely gone. They're going to run the ball back the other direction. You've lost it all. And unfortunately, it's a slow slog. You've got to build that trust back up by doing things that enable trust. And some of that is kind of flashy things you can do, like good design. We know good design is linked to providing trust. If you come to a website and it looks like it hasn't been updated since 1999, you're inherently not going to trust it. Who are these people? What are they doing? So good design, leading with empathy, and then attaching yourself to a brand, partnering yourself with best-in-class partners. These are the things that can help you do it. But unfortunately, it's hard. You've got to build that trust up slowly over time, and then do all the things you can to make sure you're not going to lose it.

I love that. And more on a product level, just to touch on this briefly, because I'm personally interested: what is Classy doing that GoFundMe is not doing? And listen, I know you're not the CPO and whatnot, and we can bring someone else on and go into the finite details. But what are you trying to build out with the second platform?

Yeah. So if you look at GoFundMe historically, GoFundMe works with both nonprofits and individuals.
So we know that a lot of people are helping raise money for friends and family, especially after disasters and medical emergencies. In COVID, we kind of became meme-worthy for helping out people, being a backstop for the healthcare system. Trevor Noah mentioned that on one of his Daily Shows. And Classy is hyper-focused on helping nonprofits. So it's helping nonprofits fundraise through all the different ways they can: through live events, on platform, recurring donations, everything about that. GoFundMe had done some things like this in the past, but we were really focused on this crowdfunding platform for both individuals and nonprofits. And Classy is really there for if you're a nonprofit, a medium to large nonprofit, and you want to raise money and have a fundraising platform, Classy is there for you. And we're doing our best to build a top-class platform, best in security and privacy, trust and safety, working with the best partners. And then if you're an individual and you need to help raise money because there's an earthquake and you need to help your friend rebuild their house, GoFundMe is there to help you set up those campaigns.

I got it. And I guess Classy is solving a great problem. A lot of this conversation has sort of revolved around nonprofits not really keeping up, or not being forward thinking or forward looking. So I guess Classy is more or less another way to modernize the way that nonprofits function as a business unit, as an organization.

Yeah, I think that's a great way to think about it. If you're a forward-thinking nonprofit, you want to continue to partner with great platforms.
Classy is here to be that platform. We have a lot of other companies we partner with, like Salesforce, to help provide the donor management aspect of it. But we're here to help you with the fundraising aspect of it. A lot of the charitable organizations live and die based on how much money they can raise every year. Yeah. And Classy is there to help fill that.

I love that. So before we wrap up, is there anything that I didn't go into that you'd want to talk about or teach to founders, entrepreneurs, C-suite, nonprofits, that you think would be very, very valuable that we should capture on this?

Yeah, I think, something I... when I go and talk to, I'm fortunate to consult with quite a few smaller companies. And it's always interesting because everybody expects me to say, "Okay, start with security early," which is true. You should think about security early. But there's actually a balance, right? You want to make sure that you find product-market fit, if you're in the for-profit space, and security can actually slow that down in some ways. So it's kind of like the salt: you sprinkle on just enough for the dish to taste good, but if you dump too much security on too early, it's going to ruin the dish. And so you've got to bring it with moderation. You've got to do things like building in the culture, empathy, strong passwords, using password managers. And all these things are easier to do when you have five employees than when you have 500 employees. And so starting off really early and helping build that up from the start is my advice to people.
So you have almost like a day-zero set of security best practices that will already mitigate a ton of problems in the future and is really frictionless to implement. And that's what you're saying an entrepreneur should do, literally right away. And then if you grow and you scale and you get more complex, okay.

Yeah. I mean, if I'm talking specifically to a startup, I would say things like, make sure you're writing down the serial numbers for your laptops. So things that you own, you don't think about those until you really need them. But if it's lost, you need to file a police report, you need the serial number. And maybe you can go back to your email from Apple when you bought it and grab it from there. But it's easier if you just have a Google Sheet that has the serial number, and you can say, "John was assigned this serial number. Unfortunately, he left it in a cab and we don't know where it is. We had to file a police report so we can potentially get it back in the future."

I love that. If people want to find out more about GoFundMe (I think a lot of people know a lot about GoFundMe), find out more about Classy, what you're working on there, or if they want to connect with you, where should they go? The socials, website, all that.

Yeah. So I have a personal blog, which I haven't written on in many, many years, but I know I've got to build that brand out. I need something to kick me in the pants, like, "Hey, you need to get back to blogging." I have like 50 one-paragraph blog posts that I've started.

Man, so let this be the inception of a personal brand.

Yeah. So, jtdowney.com. So John, and then T, Downey.
So jtdowney, and then from there you can find my Mastodon link and my LinkedIn, stuff like that. I've since gotten off the Bloomberg and moved on to, there's actually a Mastodon, or a fediverse thing, called InfoSec Exchange. There's a lot of great security content out on there.

No, it's amazing. Okay, perfect. And I ask everybody this to close it out. So you've had an incredible career, spanned multiple companies, obviously very successful. But at this point in your career, what does success mean to you?

Yeah, I mean, so for me, success is being happy with what I do day to day and helping make an impact. So I think, for me personally, I was very fortunate to be at PayPal and be acquired and be there during a terrific run-up in the company, as kind of, you know, finances. So for me, a lot of what I want to do is have the best impact that I can to help people out. So, for me, I joined GoFundMe. I used to joke with people that there wasn't a day that would go by that I wouldn't leave just crying about something, because there's so much emotion wrapped up in the site. There's so many great stories, so many things that go on in the world. And GoFundMe is a place where you can find that, and you can find people to connect with who are in need, and you can help them out. And that's a great part of the website.