Get IT Started Podcast

GISGID Ep 17 with Andrej Safundzic

Hello and welcome to Get It Started, Get It Done, the Banyan Security podcast covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer Den Jones speaks with Andrej Safundzic, CEO and Co-Founder of Lumos.

Andrej led Angela Merkel’s technology task force in the German government, and now he’s bringing that background to private sector security solutions. We hope you enjoy Den’s discussion with Andrej Safundzic covering everything from just-in-time access to what we can learn from aging footballers.

View Transcript

Speaker 1:

Hello and welcome to Get It Started, Get It Done, the Banyan Security Podcast, covering the security industry and beyond. In this episode, our host and Banyan’s Chief Security Officer Den Jones speaks with Andrej Safundzic, CEO and co-founder of Lumos. Andrej led Angela Merkel’s technology task force in the German government. And now he’s bringing that background to private sector security solutions. We hope you enjoy Den’s discussion with Andrej Safundzic, covering everything from just-in-time access to what we can learn from aging footballers.

Den Jones:

Hey, everybody, welcome to another episode of Get It Started, Get It Done. I am your host, Den Jones. This is Banyan’s adventure into podcasting, so if we suck at making software, maybe this is the Plan B, I guess. And every episode I’ve got some amazing guests, but today I am blessed to have the co-founder and CEO of Lumos Security, Andrej, and I’m not going to try and even screw up your last name. So Andrej, why don’t you introduce yourself, and we’ll get into some fun conversation?

Andrej Safundzic:

Hello, Den. Thank you so much for inviting me. I’m Andrej. I am, as you said, the CEO and the co-founder of Lumos. My background is I am the oldest of five. I grew up in Germany. That’s where my shitty accent is from. And how I found my way into security is I led Chancellor Merkel’s technology task force in the German government. And government is paranoid, so we built a security and IT tool for Chancellor at that time. And then I came back to the Silicon Valley, and now what we are building is an identity governance and a privileged access management tool to govern identities on the web again. So instead of doing this for the public sector, now building security solutions for the private ones. So I’m excited to talk about all of that today.

Den Jones:

Awesome, awesome. Hey, thanks and thanks for your time, as I know you’re a busy guy. So just for the Americans in the audience, a Chancellor of Germany is the equivalent of the President of the US, right?

Andrej Safundzic:

Exactly, exactly. So it’s called the Federal Chancellor in Germany. That’s basically the White House of Germany. So there is no president. There is a president, but less important. The most important person in the government is the Chancellor, which was Angela Merkel two years ago, and now it’s a person called Olaf Scholz.

Den Jones:

Awesome. And Angela, she was in charge for quite a while. Did she do several terms and stuff?

Andrej Safundzic:

Yeah, she did 16 years. So it’s not in the states where you can only be elected twice. Think about this. Some people, especially the generation that was born post-2000, grew up with one president, so to say. And that’s just terrific. And that’s just interesting to reflect on.

Den Jones:

That’s awesome. And Scottish guy, so I pay attention to some of the stuff that goes on in Europe, but she had quite an impressive tenure. She had done a lot of great stuff, so I was pretty impressed. Because I’ve done a lot of work in Germany over the years, and I just remember the country’s growth and stuff under her tenure is pretty stellar.

Andrej Safundzic:

No, and the US government actually just recently released their cybersecurity strategy. And what was interesting about Angela, for her last tenure, she said, “Freaking hell, the government is too old school when it comes to technology.” And instead of outsourcing everything to certain consultancies to build everything externally, she said, “Let’s bring in the smartest people that usually work for the Facebooks, the Googles, et cetera, so that they work within the government and create impact.” So that’s the initiative. It was called Digital Service for Germany. I and my two co-founders, Sonya and Christina were spearheading, and it was a lot of fun. We built a lot of interesting stuff for the government.

Den Jones:

Awesome. Now, let’s get into this. So why don’t you explain just a little bit about Lumos, the co-founders, and what made you guys decide to start your own company?

Andrej Safundzic:

Yes. So here’s the problem. There’s something what we call the app-ocalypse, or the cloud-ocalypse, where over the last 15 years, there are more and more apps, and there’s more and more access, both in corporate apps and in cloud applications. So the problem with that is, for example, Twitter, pre-Elon Musk, which is quite interesting, 51% of all Twitter employees had production access. Isn’t that crazy?

Den Jones:

Wow. Yeah, that is crazy.

Andrej Safundzic:

So it’s increasing, the access is increasing. So the problem is, how can we decrease access but not decrease productivity? Usually what a security person does is they put in some measures, but that decreases the productivity of the company. And so they’re usually the police officer, but how can we be an enabler and a protector at the same time? That’s the question.
And in the past, people used for this type of problem solutions like a SalePoint. What that usually is, what SalePoint helps you with is you can request access to, let’s say, they were usually on-prem to some on-prem database. You go there, say “I need this database.” Approvals are handled. You get access to it, and then you have those quarterly access reviews that are happening. And they were also going to a new solution. So the problem with that one is very old school, it’s not cloud native, and it was a very clunky UI, and people hated it.
Now what Lumos is doing is we are building a solution that automates access requests into corporate apps in the cloud, user access reviews and privileged access management to those applications. So what you can do is two things. A, you go into Slack or into a web app. You say, “I need this AWS permission,” or “I need this cloud secret.” We handle the approvals automatically in Slack on the web app. We log everything in an IT ticket, and then we automatically provision. After seven days, we remove your access because it’s just you need it just for a short period of time. So that’s one of the solutions that we offer. The main benefit of this, self-service. So the time to resolution for our tickets is four minutes on average, but admin [inaudible 00:06:57] also go down. You see what I’m trying to say?

Den Jones:

Yeah.

Andrej Safundzic:

Because [inaudible 00:06:59] have access to the same in two, three minutes.

Den Jones:

It’s really funny because in my Adobe days I had a team, and we basically built a self-service portal that sat on top of. So I resonated as SalePoint’s user experience was not delightful, and the self-service nature of it was not delightful. And I’m a big fan, SalePoint and CyberArk and all of these guys, but the problem was that whole self-service mindset wasn’t really built into the product or the service that they were delivering. So we ended up building some shit in front. And in the end, we had done the same as you guys. We were like, we can take a ticket. It was normally an access request that could take days or weeks in seconds and minutes. And believe it or not, we built the first version of this thing called eManager, we built it in about 2003.

Andrej Safundzic:

Oh really?

Den Jones:

Yeah. Me and this me and this guy called Venkatesh. Venkatesh was a Lotus Notes developer. Because it was all AD in those days, first run was batch files and Lotus Notes. It was shit, but instantly it was on the premise of, I’m going to add or remove you to and from a group. It was really simple. It wasn’t-

Andrej Safundzic:

Move into AD groups that what you built in a service portal to request access groups, right?

Den Jones:

Yeah, back then. And we would map folder structures in the file servers to AD groups. And then as you move forward and you’re using the Oktas of the world, you’re publishing an app, but you’re mapping that app to an AD group or to a closed group now. So it’s pretty cool. But I want to jump back because I’m going to ask you in a minute to do your three-minute elevator pitch on why a CSO should buy your stuff. But before we get there, the one thing I missed was, what made you guys decide to start a company?

Andrej Safundzic:

Yes, very good question. Many, many, many, many different points. So the first point is I love security. That’s what I’ve done in the government and protecting people. That’s what the government is there for, protecting people from harm. So now I missed the states, I did my undergrad here, went back to Germany to do work there, but I missed the states, and I missed the ambition. I missed the entrepreneurship that people display here. So I came back and I said, “How can I contribute to moving the conversation in the security world forward?” So because I’m international, I had to go back to school. So I did my grad studies at Stanford in computer science, and I found my two co-founders there, Leo and Alan. And at that time, COVID just hit, and we actually looked at this from a consumer lens first. Den, do you know how many apps as a consumer you signed up for? Do you know?

Den Jones:

I have no idea actually. If I look at my password manager, I can look to see how many apps I have or passwords I have stored there. And I guess that’s probably the closest I’m going to get, right?

Andrej Safundzic:

The closest you’re going to get, exactly. And so our question is, how could we protect? There’s no time-based access for consumers. You give your access once to a company, you give your authorization in Google, usually you sign in with Google, you authorize them to have access to your Google profile usually forever, and you give them all those other permissions. And we’re like, damn, how could we have some kind of time-based access for consumers for all the data that they have out there? But what we’ve seen is when it came to APIs and stuff like that, in the consumer world it was very hard to set up a solution when it came to that. And also companies usually have more sensitive data, I would say. So we just edited our consumer approach from protecting sensitive access for consumers to protecting sensitive access for employees. And why COVID? Because during COVID, suddenly we used all those collaboration tools, and we spun up all those new AWS accounts and were just hacking around. And so that’s when it especially became tough to manage that problem.

Den Jones:

Oh no, that’s awesome. So elevator pitch. I’m going to wear my CSO hat because I am a CSO, I guess. But in the Adobe days, my Cisco days, I’d have lots of companies like you guys come in and try and pitch and sell us your wares. So why don’t you jump in and just give us a two or three minutes, why Lumos? Why are you disruptive? Why trust you guys over somebody else?

Andrej Safundzic:

Great question. So number one is what is the problem. There are actually two problems on the security side. One is the more compliant side of things. Do you need to do user access reviews? Yes. If you’re a SOC or SOC2 company, is it a pain in the ass? Usually yes, with spreadsheets. So how can we just simplify? The first problem is, how can I simplify the pain of user access reviews? That’s the first point. It’s more a compliance piece. The second point is we’ve seen this with the CircleCI hack. There was a hack of CircleCI. What happened? The developer had a ton of access. Hacks will happen. We cannot prevent that. But the developer had a ton of production data access. So when this developer’s account got compromised, the hacker was able to pull customer secrets. So now why do developers and employees have so much sensitive access? Can we reduce it while keeping productivity high?
So basically, what Lumos is doing is two things. A, it reduces the number of admin privileges by giving out access only when they are on call or only an hour or a day, but not harming their productivity because they can go just into Slack on the web app and say slash request, AWS less cloud application. We handle the approvals and provision it automatically. So you get both more productivity and less outstanding and longstanding cloud or customer data access. And then as a benefit of that, packed together with this powerful self-service solution, you get a whole user access review solution. Just complete your annoying user access reviews that you need to do anyways for auditors and just square that away so that your security team can focus on more important things. So that’s the short pitch, if that makes sense.

Den Jones:

Awesome. Totally. And it sounds like there’s a blend going on there, so just-in-time access. And then from a disruptor perspective, why do you think you are going to be more disruptive than the SalePoints, the CyberArks, a lot of the traditional companies? What’s the pitch there?

Andrej Safundzic:

Yes, great question. So there are four answers to this one. The first answer is it took 100, I think, 34 days to build the Empire State Building, 134 days to build the Empire State Building. Why the heck does it take a year or two to deploy a CyberArk or a SalePoint? That number one is you have four or five security engineers, if you’re a bigger company working on such a tool, a year or two. They could have prevented other issues from happening. Lumos is usually rolled out within three months. It’s crazy. So that’s the first thing. A company like Postman, one of our customers, deployed Lumos in 30 days, which a smaller company’s got 1,000 employees and the companies that are bigger 10,000-plus deploy usually in 90 days. So number one.
Number two is the user experience. People will only go through … If the compliant path is the easy path, people will actually go through it. They need to be secure by design. So that’s because we are in Slack or in a nice web app, and it’s very simple to request access from an end user. Two.
Three, we have something called event-bound access. So basically what event-bound access means time-based access. So people don’t just request access, and you then need to do a user access review every three months. That’s not secure by design because everyone knows user access reviews, you don’t really do them well. You just do them. It’s click fatigue. What we do is we just give you access, either for seven days or while you are on call. That’s the event side. In that way, what we’ve seen, for example, segment has actually a public blog post about this. They had 700 AWS admin permissions before they implemented JIT, 700 AWS admin permissions. Because birthright access, I’m part of this role, I get this app now. When they implemented just-in-time access, they reduced it down to 70, I think. It was 80%, just at a given time, you just got it for us, a particular amount of time. That’s the third point. I think those are the three main things, to be honest. Time to roll out, user experience, and security by design through this new model of break class and just-in-time access.

Den Jones:

And when you’re doing the request workflow, do you have the concept of pre-approved? So basically if I’m already in the role, I’m an engineer and you’re pre-approved for the access, then that obviously can be streamlined versus requires managed approval. So it almost requires that every time by a human to click a button, or well, it’s that rule anyway, so the default answer is yes, so I can go through a pre-approved workflow. Do you have that concept?

Andrej Safundzic:

Exactly. And actually we have even more. Here’s why. So let’s talk about identity and access and management design and how to design it so that it’s secure by design. Usually what just people talk about is birthright or back access. That’s the first category. I’m part of this role. I am, let’s say, SecOps. I get this AWS permission. With that, the problem of that is it’s hard to maintain and people usually get too much access. Then on the other side and it’s not the pre-approval piece, it’s the self-service piece. I want to have this permission. I do it in Slack or whatever. I need this AWS permission. My manager approves. I get access to it for seven days. Now, the good thing about that one is we decrease over-provisioning by giving you access and letting you go through approvals. The bad thing is it might slow you down.
What about if you wake up at 2:00 AM in the morning and need to fix a bug? That’s where this pre-approvals comes in, which is this bridge between birthright access and just-in-time. What that means is, for example, if I request access to an AWS permission and I’m on call, it’s an attribute. I’m on call. You get access to it just while you’re on call. No approval needed because PagerDuty has configured that. Or if I request access to this permission and I will only ask for it for an hour, not for a whole seven days, just for an hour, I am pre-approving you just for that hour. So there are a few of those.

Den Jones:

So you can be granular in the configuration of the approval, the access, the time, things of that nature.

Andrej Safundzic:

And all of those three are important. When people talk about least privilege when it comes to the zero trust initiative, to really focus on, it’s complicated. Usually it’s a complicated approach, and that’s why you have smart security architects that try to do that. And so it’s important to have all those three things within one solution.

Den Jones:

And I hate to be a little controversial, but I will be for a minute. I think least privileged is bullshit. I think in the industry, it’s bullshit. It’s always been bullshit. And the reason for that is a couple of things. One is I give you birthright access. Second, and usually you’re getting birthright access because you’re in a role, but you didn’t need the access. And that’s the thing you guys have picked up on. But the other thing is we’re very good at giving access and we’re ridiculously shit at taking it away. We add you to groups and add you to groups, and eventually you’re in lots of groups that you don’t need to be in, and even if you change your role.
Now, my team at Adobe has done a stellar job on their deployment of SalePoint. And one of the more mature ones, they’d been doing it for so long, that we had this thing nailed to the point where change role, your title changer manage change could then trigger an event and da-da-da-da-da. But we evolved over years and years and years, and we had a really small team, but we had a consistent team. It was the same people for many years, and they were bright as shit. So we were, I’m going to say, a unicorn compared to a lot of the other companies out there. Because when I speak to people today, when I’m doing the conferences and the rounds and stuff, it is an industry, the whole identity and access management industry, and I’ll include the privileged stuff in here too, the industry, I think, has been living a bit of a lie for many years.
And the first thing is it’s too expensive to really do things like attestation every quarter. A company might have 50,000 groups. You’ve got 50,000 groups. Are you telling me you’re looking at those groups and going, “Yep, John needs to be in that group?” That’s bullshit. So I think the reality is a lot of companies are doing audits and audits and audits, but really deep down when you peel that back, it’s a very expensive proposition.

Andrej Safundzic:

Exactly. And if you architect your system well, so that goes back into being secure by design. If you architect your system, well, let’s say you have 500 roles in your AWS in your system. How can we make sure that, imagine there is no birthright access at all. Imagine this. No birthright at all, and everything is just-in-time access. We’ve seen our data shows that your access is reduced by 80-plus percent. So instead of doing attestations for 10,000 roles, you do them for 1,000, and it becomes more manageable, I would say.

Den Jones:

And actually, financially, I would suggest that you don’t need to do attestations any longer if you’re doing JIT. Because when you do JIT, what you’re really saying is, “John needs the access for that duration and then it’s removed.” That means you’re actually attesting in real time that John needs the access. So one of the things that we were doing, and I can imagine with your environment, it’s great when everything’s flowing through you, but I could in the background still go to some system and do some manual adding and playing around and fudging the system. So it would be great for you guys to look at log data. And what I built in Adobe was a team called Security Intelligence. And what they were doing was they were looking at all the data for authentications and access from the SIM. We were ingesting that.
We were doing some anomalous behavior, UBA stuff, looking for anomalous events. And that was cool for catching the bad person logging into you from Japan when you’re in the US, and they’re in a Windows box, and you’re in a Mac. And so those are the basics. At Cisco, we actually partnered with Exabeam, and we found the exact same thing. But the thing I added on top was, if you’ve not logged into an application, after 90 days, I’m going to remove you from the group automatically. And I’m going to email you and say, “I’ve removed you from the group. It looks like you’re not using it. In the future, if you need access, here’s the process to request access.” And then we have that self-service mechanism.

Andrej Safundzic:

By the way, yes. Yes, yes, yes, yes. So basically there are two things I’m hearing. One thing that you first addressed, we call it identity drift. So imagine one person doesn’t go through the Lumos process and they just open the AWS console and add it to this AWS group. How do we detect this, the identity driven, within the Lumos platform or within a SIM, both of that works. But then only other side, how to prevent that. Even if that happens, how can we prevent that? A, you could build a process around this detection, like detection remediation, or you could say, as you said, by default, we call it activity removals. So you have time-based access, but then you have activity removals, which is, I would say, a supportive security measure, where it doesn’t matter even how you got access. After 90 days, everyone loses access no matter what. Right?

Den Jones:

Yes.

Andrej Safundzic:

I love what you’re saying there.

Den Jones:

And it’s interesting because the reality is it’s an industry where there’s not very many players. Most of the players are brought up through the on-premise approach, and they are evolving to be cloud centric, but some of them, not name and chain, but some of them are just building some shit in AWS for their customers. And it’s a single instance for the customer, but they’re no different than if it was on-prem. It’s just they happened to build it in AWS, or name your favorite cloud. So I know some of the players that are doing that. I know some of the players that have taken the code that they had built over the years, and they’re cloudifying themselves really, but the reality is they’re just running shit in the cloud. And for me, that’s just a different data center. I could go into my data center ark and running AWS or GCP or OCI or whatever.
Now one of the things, I’m going to jump around a little bit here. When I think of integrations, one of the things that slows down a lot of deployments is the number of applications that you are managing as part of your platform. So do you guys do any tips or tricks to help accelerate? Because if you say, “Hey, we can deploy our stuff in 90 days,” that really comes down to not just how cool your team is, but ultimately how many applications am I going to integrate the access workflow into. So what is it you guys do that you think is making you faster to implement compared to the others out there?

Andrej Safundzic:

No, that’s a good question. So there are actually two problems there. Number one is the integrations, but then number two is all the approval policies, setting up the approval policies. And usually you need to code this. You need to write code usually to set all of that stuff up. So that’s usually the two things that slow things down. And then the third thing is if it’s a whole new process, so change management. So let me go through each of those.
First, let’s do the change management. We always say we have an augmentation. We call this omni channel. So we are just, like in Slack people, you already use Slack. Call it just your app store. And this is yet another, at least for starters. We call it a minimum viable rollout. You start small. Hey, here’s another channel for you to request access to Lumos. What we have as well is we have AI in your ticketing system. So when you create a ticket in your ticketing system, not through the Slack app or the web app, our AI says, “Can we kick off this workflow through this app search tool?” That’s A. That’s just user experience on how to roll this out easily. To the approval policies, the interesting thing about that one is it’s a very click dropping. It’s just a normal-

Den Jones:

Point and click to set it all up?

Andrej Safundzic:

Exactly. Thank you for helping a national here, but it’s point and click. And we have this nested approach. So you define policies on an app level, and then you can deviate them on a permission level, but you don’t need to deviate it for every kind of permission. Let’s say on by default, this app should be manager approval, but only those three sensitive permissions should have additional approvals assigned to it. So it’s less to configure. And the last thing on the integration side, it’s quite interesting. So A, you have just direct integrations to hopefully a lot of cloud. If it’s cloud, it’s always simple and more easy. You can have direct integrations. That’s A. B, a lot of those amazing IM tools now have SCIM. One login, AD, all of them have SCIM, and if I add you to this AD group, you automatically create access to this AWS group. So we just basically automatically ingest all those groups.

Den Jones:

So you’re not really as worried about the application API itself as opposed to really the group. Because what I mentioned earlier is if you use your directory based groups, and then the groups are the things that have the access to the stuff in the background, then the reality is you don’t need to connect to Salesforce. You can just connect and leverage the groups that Salesforce is going to use. And it’s really enforcing that architectural decision and implementation that something like Salesforce will leverage the groups, and they’ll replicate back and forth.

Andrej Safundzic:

At least for starters. For starters, we ingest all AD groups or Okta groups and let’s go. Let’s go. And then you can iterate from there. The learning of software engineering, as we know now, it’s like don’t ever [inaudible 00:30:53] code. Build a skateboard. Don’t build a car. Build a skateboard and a bicycle, then a car. And that’s going to be what we recommend.

Den Jones:

And so when we talk about things you integrate with, you mentioned Slack, but if someone’s a Teams shop, do you guys do Teams as well, or is that somewhere on your roadmap?

Andrej Safundzic:

Yes. So Teams, we have a couple customers that use Teams, and that should be out hopefully pretty soon. But right now, hopefully when people listen to this in six months from now, it’ll be out there, but you need Teams and Slack, both of those things and we just need to shift.

Den Jones:

Well, Microsoft’s a big ecosystem. So things like Teams and then Azure AD and Azure AD Groups and things of that nature, like the Oktas and everything else. So a couple of little divergencies here. So obviously running a startup is a busy game. So when you’re not working, what do you do for fun?

Andrej Safundzic:

Oh, good question. So what I love doing is, because I worked for the government, I believe that the power of words is so impactful, telling a story similar to as a company, honestly, or as an executive. And especially CISOs nowadays, how do they tell a story to executives of why things that they’re doing is important. In a similar way, what I just love doing is just reading fantasy books. Fantasy books is always a hero’s journey where this end, the hero, this weird guy or girl, Frodo, goes down an unbeaten path and goes through a transformation to hopefully save the day. And so I just read fantasy books left and right and run marathons. So that’s my second thing.

Den Jones:

Oh, awesome, awesome. I’ve not ran very often, and I hate reading books. It’s funny. I was talking to my-

Andrej Safundzic:

We are opposite.

Den Jones:

I was talking to my CEO yesterday, and I’m like, “Man, I hate reading books.” I’m doing a book review for one of my friends, and I just hate reading books. I’m like, “Oh geez.” So I’m going to be on a long flight tomorrow-

Andrej Safundzic:

[inaudible 00:33:10] Then I can see you are a young guy. You’re a TikTok person, right?

Den Jones:

I get bored. I’m like, “Yeah, shit.” I remember the first book I ever read start to finish, I was probably in my thirties, and it was How to Be a Millionaire. And it literally was about how do you start a business, do franchising, da-da-da. And that, for me, was fascinating because there was that whole entrepreneurial side of it. But it’s funny, for my job, I read when I have to, but just I get bored. My attention span is not good enough. It never has been.

Andrej Safundzic:

What’s your thing?

Den Jones:

Well, as you can tell with all the shit behind me, I’m a huge musician, electronic house tech, trans, that kind of stuff. Actually, the other thing I’ll put out there is I’m quite shit at it because you know I’m not talented at music when I’m doing this job, and I’m not doing the famous musician going around the world. So I think-

Andrej Safundzic:

At least you are a maker and I’m an observer, so you are the champ, and I’m observing you and not doing great things.

Den Jones:

And on the making thing as well, I’m a creative. I’m a left-handed person, and I’m totally creative. So I love to cook. So fine dining, little intricate bites and things of that nature. So I like to do that, which also means I like to eat.

Andrej Safundzic:

For all the listeners, when you are listeners, just send an email to Den’s email, and he’s going to give you a free dinner. He loves cooking for random people, so just send him an email.

Den Jones:

Go send me the email. At least if you’re going to be an RSA, we might add you to the RSA games night or dinner that we’re going to have. That’s probably a good second, and maybe you’ll get better quality food. Now, also coming from Germany, I’m going to assume that you either played football, and for the Americans that’ll be soccer, but played football or you follow football, probably big into the World Cup and all that business. So any gossip there for you?

Andrej Safundzic:

Yeah, so actually when I was growing up, I played, I would say, even professionally. I played in an academy. There’s a football team, a soccer team, called Red Bull Salzburg and Red Bull New York. Red Bull New York, but in the same kind of daughter team is in Salzburg. So I’m from Croatia, but I grew up in Germany, so it’s called Red Bull Salzburg. So I played there until I was 16. Sadly, I didn’t make it, and now my friends are playing in the World Cup. But anyways, but the cool thing about me is because I have a dual citizenship, Germany and Croatia, Germany won in 2014, Croatia became second in 2018 and third in 2022. So I always can hedge my bets in some way.

Den Jones:

I know. Whereas I’m coming from Scotland, which means we’re screwed.

Andrej Safundzic:

You are screwed. You’re screwed.

Den Jones:

I was going to say, so we are recording this, and just an hour before Real Madrid were playing Liverpool in the Champions League game. And one of the best midfielders, Luka Modric, it’s amazing. I don’t know how old he is now. He is-

Andrej Safundzic:

38.

Den Jones:

Yeah. And in football years, that’s like 110, but the guy is still absolute kickass and stuff. And it’s crazy to think that the guy is getting to an age where some of the new people, like junior kids that are getting into first teams at 17, it’s almost like they’re not much older than his kids probably.

Andrej Safundzic:

No, they are not.

Den Jones:

It’s crazy.

Andrej Safundzic:

And this is the beauty of, I would say, excellence. We see this also with Messi. He’s 35. We see this with LeBron James, who is just bringing in those … Luca Doncic as 21, 22. And then there’s LeBron, and LeBron still plays at this high level. Tom Brady played, this year wasn’t as good, but before. So it’s quite interesting how excellence for a human being can persevere over many, many years.

Den Jones:

There’s a consistency in your professionalism. The reality is, in the sports arena, to be that good for that long, not just takes dedication, but it’s consistency. And I’ll do that fake twist into our professional life and basically say, in order to be really successful in our business, you’re building a brand, you’re building a reputation, and that brand and reputation doesn’t happen overnight.
And especially in leadership, I look at leadership like it’s hard to build trust, and it’s really easy to break trust. And the people who will join you from company to company to company and hedge their bets with you as a leader, they’re not the ones you screwed over 10 years ago. They’re not the ones that you fumbled and made your shitty leadership mistakes with. They’re the ones that are like, “I trust what they’re doing.” And I take pride in the fact that I’ve improved over the years as a leader, and I’ve got people that have reported into my organization three times. So for somebody who wanted to work for me three times, they’re either crazier than two shits, or I’ve done something right along the way. And I actually think it’s a blend of both, to be honest.

Andrej Safundzic:

You have a squad over them many, many years that succeeds again and again. And in the end, here’s the thing at the end. Sometimes we take ourselves too seriously. So the most important thing, similar to let’s go back to books. We talked just about books about. Two things, going down an unbeaten path, but at the same time, the books is all about character development, where Frodo grows through Gandalf with other friends. And so the most important thing is smile from now and then have people around you at work that you feel like that you can trust and that you can have a fun with. And I think that’s sometimes something that we forget, and that’s why people like you have the people around themselves that they really enjoy seeing on a daily basis.

Den Jones:

And the other thing, as well, is I know where my deficiencies are now. So when I’m building a team, I always want to try and build my team with people that help make up the gap in where I fall short, so again-

Andrej Safundzic:

Only right-handed people, right? Only right-handed people in this case.

Den Jones:

Right-handed people and professional. Personally, people that can read a book, one that will read a book start to finish, and probably that can’t cook, so I can help with that. So Andrej, look, it’s been awesome getting some of your time. I know how busy a guy you are. If you want to leave the audience with, I’m going to say two things, one is a great takeaway from today’s conversation. And then secondly, how can you find out more about Lumos and why Lumos?

Andrej Safundzic:

Great. So one takeaway, for sure, is secure by design, I would say. That’s maybe the latter thing. How can you be secure by design and maybe not do those user access read in the first place? Build self-service and time-based access management in, so that you have more productivity and more security at the same time. And Lumos, just lumos.com or ping me at Andrej, A-N-D-R-E-J, the J is silent, @lumos.com. And personally, honestly, I think this was actually a good wrap-up. Surround yourself with people that compliment you and that you can have a blast with. Right-handed, left-handed people both. So I think that’s my learning for today.

Den Jones:

Awesome, awesome. Well, Andrej, thank you, first of all, for your time. I’ll wrap up by saying one thing, for me, in my time at Adobe I learned business partners are vitally important, and building relationships are critical to your success. So as someone who delivered services to large enterprises, it’s really important that you’re going to have people on your team that really enable you to deliver. So for me, finding people like Banyan was a really important piece of that story, especially my Adobe journey. And then for me, looking at people like Lumos would be part of that as well. So it’s really important to find, complimentary to your full-time employees, the extended team and the partnership with a company like Lumos, and also, I guess, Banyan as well because our shit is brilliant. So buy some of that stuff.

Andrej Safundzic:

Plus one. Plus one. I can plus one that. RSA is coming up.

Den Jones:

And that’s one thing. So actually before we wrap, RSA is around the corner, so you guys are going to be hanging around San Francisco for sure. We’re going to be around San Francisco. So definitely if you want to see the products or meet the teams, that’d be a great thing. And then Andrej, are you guys going to be at Black Hat or DEF CON or any other big events this year?

Andrej Safundzic:

We are just planning all of that, honestly. We know that we are going to be at RSA, and the rest, we are literally planning right now. AWS re:Invent, Black Hat, all those other things, I need to ask my marketing team. But you need to be everywhere, I guess.

Den Jones:

Awesome. You need to try and be everywhere for all people. So folks, thank you very much. Hopefully you enjoyed the show. Andrej, again, thank you for your time. Really appreciate it. And we’ll catch you again soon. Thanks, everyone.

Andrej Safundzic:

Thank you, everyone.

Speaker 1:

Thanks for listening. To learn more about Banyan Security and find future episodes of the podcast, please visit us at banyansecurity.io. Special thanks to Urban Punks for providing the music for this episode. You can find their track, Summer Silk, and all their music at urbanpunks.com.

 

Close Transcript

< Back to Resources

Free for 30 Days
Simple, secure, & free!

Quickly provide your workforce secure access to corporate resources and infrastructure.

Get Started Now