
Episode Description

What We Discuss with Caleb Sima:

  • The security challenges in enterprise vs cloud-built companies
  • The challenges of migrating from on-premise to cloud
  • The different tools you need for visibility of vulnerabilities when moving to cloud
  • Whether organisations should look at cloud service providers outside of Azure, AWS and GCP, e.g. DigitalOcean, OpenShift
  • How important security culture is and how you see it being part of the success of an organisation
  • How skill sets are key to becoming a CISO
  • And much more…

THANKS, Caleb Sima!


And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at ashish@kaizenteq.com.


Ashish Rajan: [00:00:00] Hey morning, Caleb or evening Caleb,

Caleb Sima: [00:00:03] Afternoon. I’m a West coast, so I’m to

Ashish Rajan: [00:00:06] afternoon. You know what it is my friend. Welcome to the show. Thank you for coming in, man. I was going to start with the obvious and your fan club might hate me for this, but for people who don’t know who is Caleb, I don’t think there is anyone who doesn’t know who Caleb is, but people, people don’t know who Caleb is.

Who is Caleb Sima?

Caleb Sima: [00:00:25] Is that my question?

Ashish Rajan: [00:00:29] How’d you get into cyber security? Maybe let’s make it easier. What’s your cyber security,

Caleb Sima: [00:00:34] how I got into it. And I’m an old man in this industry, so I originally got started into it. I guess I’ll do this. I got into computer. Yeah. Just because, cause this kind of feeds into that.

I was always grounded. My parents were always restricting me from TV, going out with friends because I was a terrible kid. I could definitely say that now I was a bad kid. But my dad bought this computer and, and he was like, Hey, Hey, listen, man, you can, you [00:01:00] can play with the computer. You just can’t watch TV.

But if you’re on restriction, you can, you can go do that. And I was like, Oh, okay. That’s cool. But what he didn’t know is my friend had this game Doom that he played on his computer and I was like, okay, I need that game so that I can play that while restriction. And so I tried to play it on my computer only to find out I didn’t have a powerful enough machine to do it.

And so that drove me into figuring out computers so that I could figure out how can I play Doom on a computer that didn’t have enough CPU and memory to do it, which I, I successfully accomplished that. But then that led me into these things called bulletin board systems. Do you even know what that is?

Ashish Rajan: [00:01:42] I do know. Yeah. I do know that. I mean, I know that I’m not the young as well man. Let me just put it this way. I heard about it. I never got a chance to go on it because by the time I started doing an IRC came in.

Caleb Sima: [00:01:55] Okay. Bulletin boards were like the old, old IRC, I guess. [00:02:00] And, and I found this writeup, essentially, on how to make free payphone calls.

And that I did, I was like, there’s no way you can do that. I went to Radio Shack, bought the stuff, put it all together, it worked and I was hooked. So I think I was maybe 12 or 13 at that time. And that was it. And then since then I’ve never left security.

Ashish Rajan: [00:02:23] Wow. Well, I must have the Asian gene pool is doing a really good job keeping it super young, man. Considering you were coming in from the bulletin board, by the way, sipping your coffee there reminded me I should have started with this. Cheers.

Caleb Sima: [00:02:36] Oh yeah.

Ashish Rajan: [00:02:39] What are you having?

Caleb Sima: [00:02:41] Espresso? I actually don’t like coffee at all. So yeah, my goal is give me the most amount of caffeine and the smallest amount of liquid as possible. So

Ashish Rajan: [00:02:52] you’re one of those guys who’s basically making all those caffeine capsules popular.

Caleb Sima: [00:02:57] Yeah. Or are these five hour energies?

[00:03:00] Ashish Rajan: [00:02:59] Oh yes. I thought, I feel like it’s a cardinal sin to have it. Like, why wouldn’t you not enjoy? By the way I’m kind of cheating as well. It’s supposed to be Virtual Coffee with Ashish, but it’s actually tea.

Cause my, because of the lockdown in Melbourne, my coffee already got lost in mail. Yeah. Finally, the mailing system has had a lot more demand or supply problem, whatever. Anyway, I get my coffee eventually. By the way, I think you is quite more to support the fact that you’ve had three exits as well from your startups that you’ve done in the past, and which I would love to explore a bit later, but

starting off with something which is probably benign, but I guess a lot of crowd would be curious about what does cloud security mean for you?

Caleb Sima: [00:03:41] I mean, cloud security is essentially, very much, how do you secure the computer you don’t own? So, I guess that would be the very generic statement.

Ha ha.

Ashish Rajan: [00:03:52] Yup.

Caleb Sima: [00:03:53] Right? The application, you don’t own it if you really want to go into like SaaS services or, you know, like how do you [00:04:00] do that? You’re really kind of put at a position where you rely a lot on what the provider can provide you and both transparency, control and capability. And a lot of times you had to kind of have to work within those means.

However, I do think that cloud security, and when you say cloud, I think infrastructure, like GC, AWS, Azure kind of things. You know, I feel like they’ve actually taken a lot of the security brunt work and load away. And I actually think that’s a pretty fantastic thing.

Ashish Rajan: [00:04:34] I think to your point one of the unique perspectives that you kind of bring in which, some of the previous guests were kind of like, well, we weren’t able to cover in some of the previous guests was like the differentiation because you came from an enterprise bank to spend some time in the enterprise space.

And now you’ve completely moved into a cloud world, for lack of a better word, where, to your point, the machine that you don’t own. It’s everything. It’s not just the data centers, but do you see, is that any different from where it used to [00:05:00] be? Cause you’ve had some history with Capital One, you’ve had some history with other companies as well.

Do you find that when you’re working in a cloud organization or an organization built in the cloud, is the perspective for security any different or is there like a different kind of challenge people look at at that point?

Caleb Sima: [00:05:18] Yeah, I think it’s way easier to deal with security in the cloud than it is dealing with security, with things that you own.

Let me give you an example. So, I’ve actually only been in this career of being in the defense, right? Like actually doing security operations for a company for a short amount of time. My first gig, and that was Capital One, which was maybe, you know, two years ago. And so I’ve only been, you know, in sort of a CSO, like a capability for four years.

And so when I joined Capital One, Capital One, when it was in the shift from going from on prem to cloud, so. At the time that I joined, we are right around, quote unquote, 50%, [00:06:00] 50% there from we’ve moved 50% of our stuff from on prem to AWS. That was our goal. And by the time I left, which, you know, was maybe even only two years, we were like 75%.

Almost 80% all cloud. And when you look at the difference between having to secure on-prem old school architecture data, all of that stuff is a mess. It’s unaccounted for. It’s forgotten about. It’s not done well. It’s like what happens to your closet five years into you living in your home.

Like that’s what on-prem says to me. But yet in cloud, the thing about cloud is, you know, that’s how these guys make money. So there’s not going to be an asset that they don’t know about because you have to pay for it. And so it’s going to be very clear what you have, how much you’re using it, what it’s connected to.

And by the way, they take a lot of brunt [00:07:00] around management of those things, managing and identifying those things away from you. And so now it’s sort of your part of securing that, which is, again, going back to my beginning part is working with the things that you’re given. Now, are there certain things that are way more complicated to secure in the cloud than let’s say it is locally?

Yeah, for sure. I think they are. Are those the things that matter most in day to day operations for most companies? No, I don’t think so.

Ashish Rajan: [00:07:29] Oh, perfect. And I think it’s a good segue to kind of come in to some of the comments coming in as well. Of course. Yes. I think you should be able to see it on your own.

Oh yeah. Well, Vineet says, G’Day. G’Day is just an Australian slang for good morning. Just saying hello. Uday, Vineet, Paul. Hello, welcome everyone. I’ve got a question from Vineet here. What are the challenges you face when migrating from on premise to cloud?

Caleb Sima: [00:07:56] Yes. So that’s, that’s a big one. I think the biggest, [00:08:00] and here’s the thing is I think, depending on organization size and rules and policies around, it makes a big difference. So let me give you an example. At least in my experience, there was a pretty aggressive date that was set for everyone moving from on prem to cloud.

And so what you had is you had in a large organization, you had, you know, tons and tons of teams essentially, you know, picking it up and then shifting it forward. Right. It’s just a lift and shift model where what you should do is you should take your old architecture. You should draw a line. Yeah. This is the proper way to do it.

You should rearchitect for the cloud. Right? What is the cloud going to allow me to do better? How can I scale better? How do I really look at the architecture of my application or what I’m doing today and then sort of move and migrate into that cloud sort of mindset and thought.

But when you’re doing this on prem to cloud shift, driven from a directive, [00:09:00] all that matters is the date. All that matters is there’s no more on-prem, let’s just shift it to cloud. So people lifted up exactly. Right. If I have a machine on-prem it will be an EC2 instance in the cloud.

Everything else would be carried forward and that’s how they did it. And so what happens is it creates a lot of misconfigurations. Like things that were protected by firewalls on prem or routers or other kinds of things here are all of a sudden missing and gaps when they move it over here.

And then, so all of these things start happening where, okay. If I just lift and shift that were here before are no longer over here. It just creates massive chaos, gaps everywhere, things that weren’t working that were working before. And by the way, what happens is team one and team two used to communicate.

On prem when they move to cloud, they can’t. So then in order to communicate, they just open up everything. Cause they don’t know how to use it. Right. Because what happens is people don’t get, you know, what you hope is [00:10:00] like all these people get super educated about AWS. They take these courses, they learn what’s going on with.

That’s not what happens in this school. What happened? Okay. What, who in our team knows AWS? You do. Okay. Great. Move everything over. Yeah, right? Yeah. Don’t worry about it. Like, are we on too? Yes. Okay. Check, check, check, check. TeamA. Can’t talk to TeamB. Okay. We’ll make that work. Okay. Well, I think it has something to do with these security gateway.

They, I don’t know what they got. We’ll open it up. All right. Open it up. Okay. Now we can talk. Okay. We’re good.

Ashish Rajan: [00:10:34] It’s all. It’s all about speed guys. It’s all about speed. I want this done right now. Like, Oh, maybe this was supposed to be done yesterday. Yeah.

Caleb Sima: [00:10:41] Yeah. And so like, I think so, you know, to sum it up, I think education on the people who are used to on prem and about cloud is a big one. How do you educate the people to ensure that they know what they’re getting into when they’re doing cloud, making sure that you set reasonable timelines and goals so that an [00:11:00] engineering team or an operations, whatever it has to be can think about cloud and do it in the right way and do that lift and shift in a smarter way.

Not in a brute force sort of way. I think those are pretty critical.

So I think those two, education, reasonable understanding and working through the teams around what does cloud mean and how does that change what you do in a better way, I think are probably two of the biggest challenges that need to

Ashish Rajan: [00:11:26] be overcome. I told you that you have a bit of a fan club, man.

Someone said thank you for being honest, pretty much sums up the shared security model. One question here asking, what was your experience with IAM policies in a VPC or AWS? Did you get a chance to kind of explore that a bit in your, as you were doing this?

Caleb Sima: [00:11:43] Well, I mean, that’s a very broad question. So, okay. What is I think about IAM policies and VPCs.

Ashish Rajan: [00:11:49] I think that’s probably what he’s after. Yes.

Caleb Sima: [00:11:52] I think IAM policies are fantastic and AWS has done a really great job at [00:12:00] understanding.

IAM, roles, permissions, assume role, like how they set everything up. You could run a pretty tight ship if you know how to use these effectively. I think the sort of ramp up curve is tough, because of the level of flex that creates complexity. And so people new into cloud, especially when they’re trying to do that shift,

trying to understand IAM and how does it work with resources? And what’s the difference is what is assume roles and all of these other different kinds of things start becoming pretty complicated. And so this is where you see a lot of misconfigurations, you see a lot of gaps and holes, because it’s a complicated thing.

It’s very difficult to really understand, and you have to really start to do it well.

Ashish Rajan: [00:12:48] Hopefully that answers your question, Vineet. He agrees with your response.

I have a statement from Darpan as well. Doesn’t that initial target driven migration [00:13:00] often open up room for misconfiguration though.

Caleb Sima: [00:13:03] I think that’s yeah. I mean, that’s exactly what I said. Right? The misconfigurations that’s the, that is the biggest problem, right. Is again, education, right. Is a big one. So if you’re not educated, you don’t understand what’s going on or you don’t have the time then you’re, you’re clearly not going to be able to do it correctly.

And misconfigurations in AWS or in cloud, let’s just say cloud, period, are pretty common because people are learning new technologies, and they can be pretty complex. And so it does open up a room for ton of misconfigurations.

Ashish Rajan: [00:13:37] You’re absolutely right as well. Right. And I think probably one more aspect that gets missed out is also the people involved as well.

To your point, they don’t really qualify for migration in most of the times they just like picking up the pieces or as someone. So they’re trying to replace the engine of the plane as they’re falling down, I guess,

Caleb Sima: [00:13:54] as they’re falling down, I like, it’s like, I guess it’s only removing, it’s like we’re falling.

[00:14:00] I’m going to try to replace the engine anyway,

Ashish Rajan: [00:14:05] is that an odd use? Because a lot of people have our data center closure deadline, and then they know that someone high level, someone has basically said. We not going to data centers, we go into cloud and you’re like, shit, either I lose my job or I think I need to make this happen.

Caleb Sima: [00:14:22] But you know, here’s the thing though. I will say this, you know, as management, you do have to set a date right at the end of the day. There’s never a perfect date or a perfect timeframe that can be set. You always have to set one. It’s just educating and managing the process effectively through that is always going to be hard.

So,

Ashish Rajan: [00:14:44] I think just another one on, like, how many different tools did you need for visibility, as you tried to understand vulnerabilities moving to cloud?

Caleb Sima: [00:14:51] That’s my favorite subject.

Visibility is, okay. So let me get us, to the audience.

I don’t know how to have that much background, but like [00:15:00] most of my career I’m an entrepreneur. So I’m starting and creating cybersecurity companies. And when you, when you start a company, when you build a company, you’re usually focused on one thing at a very deep level, right? Yeah. And so like, Capital One was my first sort of defensive job, right.

Where I walked into a company and my job was to defend a company and I joined Capital One for a couple reasons. One, they were really, really supposedly the fast moving. Right. They’re a tech company, even though they’re a bank, they have unlimited budget. They have huge security teams. Right? 500 people was the team size, like when I came into Capital One.

And so I had this assumption I would walk in and they would have all this amazing stuff like built, put together, all these crazy cool tech. Right. And because that’s just what I’m thinking, this is my first operations job. Right. So like I walk in there and I remember the first week, my first question was like, Hey.

Oh, where is everything? Like, how do I know? Like what [00:16:00] stuff we own like good example, like how many EC2 instances or how many firewalls do we have or, you know, what is even the architecture of our network? And nobody had that answer. Nobody had these answers. I was like, are you kidding me? And like, no, like nobody has this answer.

And so even as like, we’re moving to cloud, you would think, okay, well you do have that answer, right. Because AWS makes you pay for it. Right. Yeah. Well, here’s some challenges with AWS, which is in AWS. Yes, you do have it, but in AWS, also anybody and their brother, yeah, can spin things up, whatever they want.

It’s speed of technology. Before, at least at Capital One, there was like, there’s at least groups of operations. Like if you want an, a machine you had to go somewhere, some guy had to check a box, log it somewhere and like, right. And so that there’s some sort of ledger somewhere or multiple ledgers inside the company, at which like things are logged, but in cloud, if you have an AWS account, you just spin it.

You just spin these things [00:17:00] up and what was happening in these companies. And by the way, I’m not just saying, see what I’m just saying. Any of these cases. And my experience at this point is very, very. Like every single one of these companies is cloud. You can open it up with a credit card, right?

So everybody’s taking their corporate card, they’re opening AWS accounts or cloud accounts, GC, even Azure accounts. And they’re just spinning up infrastructure, POC, paying for it. And you have zero visibility into any of this anywhere. It’s things are sprawling all over the world and how do you get any level of visibility into it?

That was a massive, massive problem. And in fact, I left C1, joined Databricks, and my first question was, what do we have. And again, no answer. Nobody knew there was not a single person that knew visibility the assets, anything. So I went on this huge focus on, on how do we get asset level of visibility and not just assets, like as a network IPs.

Right. [00:18:00] Like, I want to know, like to me, yeah. Assets are objects. And so I kind of simplify this and sort of think about a simple stack. You’ve got network, let’s say you’ve got host, you know, OS, you’ve got application and then you’ve got data. So most people think the assets like, Oh, does this network have an IP address?

And is it, does it have a port that’s listening? That’s true. And so you need to know those assets and understand what they are, but then even at the host level, what operating system do I have? What version of operating system, what libraries are on that operating system?

What users are on that operating system? These are all like assets is objects. And then on top of that, you’ve got applications. What applications do I have? And even to the point of, am I running it? You know, do I run Node.js 1.1 versus 1.2? Like these are all assets. And then even at data, at data level, PII is an asset.

Like I know that I’ve got SSNs over here and over here. And so there’s a stack of these assets. And so the goal, when I joined Databricks was I was like, okay, [00:19:00] I’m pissed off at this. I can’t believe nobody tracks these things. Like we gotta find a way to track these things. And so I started building, I hired a team to start building essentially a single

next gen CMDB, which was a digital asset tracker that tracked assets as objects across these levels and the relationships between these objects. And then I stumbled during our research while we were building our essential, our PRD for this, we stumbled upon a small company called JupiterOne that did this exact thing, and they had built it into a product.

And nobody knew about these guys. And I was like, Oh, they’re building exactly what I want to build. And so we reached out to them and they brought a product that they basically exactly, that they integrate into all your cloud services, your SaaS services. They look at objects. As assets. So if it’s a GitHub repo, to a user, to a firewall policy, to an EC2 instance, to a Lambda.

All of these are [00:20:00] objects and they all relate to each other. So it knows the relationship from Caleb to laptop, to machine, to Lambda, to network traffic. Like they know these things and you can query them. And so Databricks immediately became one of their first really large customers. And I implemented that as sort of my universal source of truth.

And that gave us really awesome visibility around cloud services, objects, SaaS, and we use that as a basis for a lot of the things we do in detection, response, investigations.

Ashish Rajan: [00:20:33] That’s really interesting point as well. And, I think hopefully that answers Garry’s question guys. You just mentioned Tufin is another one for hybrid cloud visibility.

I think I just wanna, okay. Quickly touch on what he has mentioned as well, because it’s, I think it’s easy for us to forget the fact that. Even though we are moving away from on prem, where the conversation of the CMDB is very common on prem because they have a waterfall. You have to account for hardware that you’re purchasing, because [00:21:00] if you don’t purchase in time, you may run out of RAM space or disk space.

So someone somewhere had to manage assets, but that doesn’t exist. That problem. Technically, it doesn’t really exist in AWS because it’s auto scaling group or whatever. It just gives scales based on what you want. So that kind of, I feel got lost somewhere, but I’m glad there are companies that are bringing that back in because for people like you and I, it’s kind of like, these are probably the basics.

How do you protect something without knowing what you, what you have in the first place kind of conversation, I feel.

Caleb Sima: [00:21:30] Yup. But you know, one thing I will tell you, you know, now being in this position for four years, and, you know, knowing all the others, there’s one thing. Yeah.

I think all CSOs and all security teams will all agree on is that the fundamentals and the basics are the hardest and are usually the gaps in every single company.

Ashish Rajan: [00:21:51] Yup. And then some people just ignore it and keep kicking the can down the road, I guess.

Caleb Sima: [00:21:56] Yeah. It’s big fundamentals and basic, you know, why [00:22:00] call wiring and plumbing is boring,

hard, usually involves a lot of process and politics. And it’s very difficult to do well.

Ashish Rajan: [00:22:09] Well, I’m not even going to talk about accountability here, which is the another conversation. I’ve got a comment from Paul. I think a gap happens in management sets a date for migration to begin, but then expects people with enterprise or security ops experience, but just know how to do the things in the cloud.

The biggest security gap is an architect that can spend 15 years on a firewall edge model that is suddenly thrown into a cloud model. Oh, yeah, that’s a bit of a gap there. Don’t think that was the question. Does this really statement, do I don’t know if you want to comment on that?

Caleb Sima: [00:22:39] Yeah. Yeah. I agree.

Education, right? Like how do you get that? And here’s the big question, as like, let’s say a manager or a business owner, how do you get that firewall guy? Like, he’s smart. Right? He knows what he’s doing. He understands all of this. Right. It’s just, how do you get that guy into cloud [00:23:00] in a short amount of time to where his level of expertise can be transferred and done well.

Like that’s the key and that’s, again, that’s a hard thing to figure out.

Ashish Rajan: [00:23:09] Oh, yeah. That’s why I started the whole Cloud Security Academy as well. Cause I think there’s definitely a gap and there’s nothing for you to transition to your point, the online courses.

Talk about the fact that this is how you host a website on S3 bucket by making it public. And the entire news articles, you watch it, you should not make it public. And you’re like, ah, who’s saying the right thing. And they want me to start with, so yeah, there’s obviously a gap.

Question, another one from a, I think, should organization only look at AWS, Azure, GCP? What stops people from going to DigitalOcean or OpenShift? The same as these three? Ooh, that’s an interesting one. I mean, depends on the organization, but happy for you to comment on this, if you want.

Caleb Sima: [00:23:49] Yeah. I mean, I think it’s, you know, it just depends on the organization, what they want to do, what their goals are, what their business is, what applications they need to build. I mean, [00:24:00] all of those contexts, timing, market, takes into account what type of technology they want to use, people. Like, let’s say if you found a company and you’re a bunch of ex-Microsoft guys, you’re just going to use Azure.

That’s your knowledge base? No, I’m just going to use Azure. You know, so it, I think a lot of that, you know, the context of people, the market, it really is a difference. Like DigitalOcean is a fantastic hosting cloud provider. It just depends on the need. I don’t know where I’d do it, but like lots of people think about, well, what are the pros and cons?

And I do think AWS, Azure and GCP are obviously the three. That makes sense. There’s also Oracle cloud, right?

Ashish Rajan: [00:24:45] TikTok. IBM Cloud

Caleb Sima: [00:24:48] IBM Cloud, TikTok, OCI. You know, over, over these other ones. So like, who knows, like what was cheaper costs, maybe like, you know, there’s a lot of different [00:25:00] reasons around it.

Ashish Rajan: [00:25:01] Someone who was talking about the Oracle cloud space, and I think they kind of brought in a unique perspective, you know, how they obviously have been known in the world for databases. Everyone’s I guess I’m kind of an Oracle database and there are Oracle suite of some sort.

I think the way they approach it is the same way as Microsoft did. Well, you have Office 365 already. Why not use Azure? Here you go. $25,000 credit or credit. Yeah. That’s for the Oracle did that you are already have Oracle DB. Here you go. Another a hundred grand out there for you to just try out Oracle cloud.

I won’t be surprised if that’s the strategy they used, but.

Caleb Sima: [00:25:36] I definitely sure. That’s why Zoom picked OCI. I think it was at least I read it. It was like a super, super good deal.

Ashish Rajan: [00:25:43] Oh yeah. I’m always surprised because that would make sense. I mean, cause that is an advantage being a big guy in a guy or gal, I guess in the previous on-premise world, because people still carry that legacy on.

They’re like, Oh, I’ve got this shit for 20 years already. So I don’t want to, [00:26:00] how do I make it easy transition for myself? And people will always take the path of least resistance as well, right? Yeah. I’ve got to recommend

Caleb Sima: [00:26:07] very complicated answer. That’s the sum up of that? Who knows?

Ashish Rajan: [00:26:11] That’s right. That’s a very complicated answer.

I think there’s an open source tool. Someone mentioned multi account view is also an open source for viewing assets. Anyone who wants to give it a shot?

Caleb Sima: [00:26:21] Yeah, there’s a Cartography is

Ashish Rajan: [00:26:25] I think

Caleb Sima: [00:26:26] it’s written by my, a very good friend of mine. Sacha Faust wrote Cartography.

Ashish Rajan: [00:26:31] Oh, there you go. If anyone wants to check that out as well, anyone has already checked that out.

If they want to share their feedback about it. I do want to switch gears a bit as well. And I wanted to kind of ask you about. Obviously there’s security culture conversation is always there. And the number of security people are never enough to just put it this way, because we are not the guys who are putting the product out there, we’re just making sure the product is secure.

We’re just making sure the windows are not broken, of your house. How important is [00:27:00] security culture and how do you see it being driven? I guess successfully or unsuccessfully. What have you seen in terms of security?

Caleb Sima: [00:27:10] What do you mean by security culture?

Ashish Rajan: [00:27:11] I think it was more in terms of where I guess everyone in your organization is not just focusing on putting out products, but thinking about security as well as they were putting out products.

Caleb Sima: [00:27:22] Ah, okay. This is a very, very deep problem and discussion.

Ashish Rajan: [00:27:29] I’ll get my therapist. I’ll get my,

Caleb Sima: [00:27:34] well, I mean, listen, I mean, I’m going to give the simple answer, right? Cause I think you can go for hours on the discussion of security culture and all of the subtleties, nuances, context and situations.

But here I think is the simple answer to that. Security is never going to be number one priority in almost any company. Right.

[00:28:00] I’m pretty sure security is not the number one.

Ashish Rajan: [00:28:04] You can’t say this openly, Caleb! You need to be like, hello guys. I mean, just ignore that one. We’re going to skip now. You’re right, man. You’re right.

Caleb Sima: [00:28:14] However, I would say that, you know, generally, you know, you’re in a good spot if you’re in the top five, you’re in a decent spot

if you’re in the top 10. If you’re outside the top 10, maybe you should go find a company where you’re in, at least in the top 10.

But like, so generally speaking, I think what any company, you know, security culture wise, you know, it’s never going to be top priority unless a breach happens, then you’re number one for like a quarter or two, which is great. So try to get in all your records after your breach. But then it goes back to being normal, somewhere in the top five or top 10.

Yup.

Ashish Rajan: [00:28:54] Yup. You’re right. Cause when I say this to people and [00:29:00] it’s like, what do you mean security is everyone’s responsibility. I mean, it is everyone’s responsibility, but in reality, I mean, I think the simplest example that I give is if you’re a startup and, if you want to push something out, the last thing you worry about is security at that point.

You’re not really you’re thinking how secure my application needs to be. So like, how do I get this to a customer? So they can say they like this or not. Yeah. And last thing in your mind is I should get a SOC2 done because unless there is a customer asking for it? I don’t even think people would throw us off too.

In that case, they would just go, this is a product, use it. What do you think? Let me know. I want to do my second iteration. That’s I mean, that’s how I see it. And the product works out best, I guess.

Caleb Sima: [00:29:39] But I mean, look, listen, I think again, this is a very complex subject. There’s a lot to say about this, but you know, I think it takes years and years of maturity of an organization before security starts becoming a fundamental backbone, same as quality, reliability, scalability.

I think, you [00:30:00] know, as you become a mature organization, a mature tech organization to a certain degree, security does over time become a backbone and a fundamental root core thing of these. So like for example, listen, you know, companies like Google and others, like they definitely have, you know, no one’s perfect, but they absolutely take security as a core tenet to a lot of the things that they may do.

They do it way better than let’s say a startup that are doing things, right. Yeah. And I think it’s, as you know, over periods of time, you start learning that security does mean reliability, right, does mean scalability, and you get burned lots of different times during those and you start finding better and better ways.

Yeah. We have engineering quality around security, and I think that grows with an organization which grows over time.

Ashish Rajan: [00:30:56] Yep. considering we’re at the halfway point of the episode, I did want to switch [00:31:00] gears and probably talk.

From a startup perspective as well for some of the folks who are joining in, some of them have their own startups. And obviously I’m sure they’ll pour in their questions. I don’t know, people have read your series of the dos, don’ts and myths of startups. I don’t know if you remember those because it’s a while

Caleb Sima: [00:31:18] ago.

I did I just write those awhile ago? I don’t remember. I can look them up.

Ashish Rajan: [00:31:25] No, I’m not going to ask you to go through them, but I was gonna ask, I guess since you’ve done this three times already, there’s three times or more. I don’t even know if you have any hidden, companies that you probably started, but didn’t go through all the way.

Caleb Sima: [00:31:38] No. There’s not any hidden companies by any means. Well, actually there is a hidden company. I do have a little bit, I do have a, what I call a little bit of a lifestyle gig that I’ve been doing for a couple of years, I have that it has very, very specific niche customers.

But I do have that, I do have something, I guess you could call that, [00:32:00] or I guess you could call that a hidden startup. I can’t talk to it, but here’s what I can, here’s what I can sort of tell you the, the sum-up, is, it’s essentially like, you know, what the pineapple is, right? Yes.

The sort of Wi-Fi hacker, Hak5 kind of hobby thing. So, a while ago, quite a few years ago, we got sort of an inbound on creating a much more tactical, hardcore professional version of that. And so, I ended up doing it with another friend of mine as sort of a, you know, simple fun hobbyist project to essentially build a very, very tactical version of that in a professional way.

And it ended up growing into something quite impressive. And so you can consider it as like, You know, the pineapple on steroids,

because a very good way to [00:33:00] put it. Yeah. Oh

Ashish Rajan: [00:33:00] my God. That brings back memories. I used to walk around with that pineapple in our backpack, around colleges. Yeah. It used to be one of those things that, I can’t believe you made like a full tactical, like a professional version of it.

It’s a script kiddie thing. Okay.

Caleb Sima: [00:33:15] Yeah, because, well, because like it is, right, like take the pineapple. I will give you the, the basis for the first kind of version. The basis was, well, the pineapples are like Wall of Sheep, right? You walk around, you capture everybody’s stuff.

It’s about anybody and everybody, but if you’re more tactical, you can’t do that. And you don’t want to do that. You want to pick a very specific individual or a very specific target, and you want to be able to attack and track that target and nobody else. And so how do you do that in a way that is efficient and with the right methods.

And so, you know, that was sort of the premise of, I

Ashish Rajan: [00:33:55] guess, probably without creating too much lines as well, I guess, as well.

Caleb Sima: [00:33:59] Yeah, [00:34:00] no, no.

Ashish Rajan: [00:34:00] Yeah, that was, cause I think that, that was like a thing where almost like the mitigation for how do you save us from pineapple also? I don’t know your Wireshark network and what, who trying to talk to you?

How many things you’re getting. And that was pretty complex. And, and to your point, it’s, it’s really fascinating when people kind of come into this space and I think probably shows our age here as well. I don’t know how many people actually know the pineapple cause they might literally be thinking,

Caleb Sima: [00:34:28] no, it’s, it’s still, it’s still a thing.

It’s pretty it’s. Yeah. It’s like, yeah. It’s kind of a thing these days

Ashish Rajan: [00:34:34] right? Oh, thanks Caleb. Bye. I don’t feel that old anymore. I just like that. I’m like, yeah. I’m like, wow. That’s been a while since I heard pineapple, but I’m glad it’s still there. I don’t feel old anymore.

Caleb Sima: [00:34:47] It’s still very hot.

It’s cloud-based now they’ve got all sorts of fancy stuff. I, although I had that years ago, but that’s the

Ashish Rajan: [00:34:55] all right. Okay. But yeah, , , I’ll book another episode for that one, then

Caleb Sima: [00:34:59] that’s my [00:35:00] hidden startup. That’s my

Ashish Rajan: [00:35:01] story. And, and so to your point, I don’t think you remember.

And I think thanks for posting the link to your do’s don’ts sparks that three-part phase. I definitely recommend people check out. They’re trying to get into the cybersecurity space, but I was gonna ask, has the view point from your perspective, I guess having done this a couple of times, has, has your viewpoint changed at all about startups and I guess cybersecurity startups specifically in terms of what makes one win over the other.

Caleb Sima: [00:35:32] well, that’s, again, that’s a very, very, complex question about, well, I mean, maybe, maybe there’s a couple of things that I’ve learned. and I think this doesn’t apply to cybersecurity and this is probably, I don’t know why this is going to sound like super generic advice, but it’s really important.

you just don’t start a company to start a company. Right. You start a company because you really, really [00:36:00] like what you’re doing or you really, really want to a problem. and I, and I truly believe that that is, is a key to anything, right. To be successful almost at anything, is it can’t be a job, right?

It’s gotta be something that you really, that drives you. And so I do believe that, like that sort of very generic advice, and I know everybody’s heard that, but it is true and be, and by the way, there’s, these are by and large generic advices that are true. There are lots of people who go and start companies who are very business minded that know the market, who to go eat, how to make money.

And they do great at it, which by the way, that’s just like, there are those people, The other thing I think is that I’ve learned after doing this is there’s no need to rush. I think I’ve learned over time that it doesn’t matter how fast you move in a startup, what matters is the quality of [00:37:00] what you do and how you approach things and the solution that you give.

and so to me, I think that that was a very big. Learning for me over these startups is because before, whenever you start a startup, you’re always, you’ve always got a constant panic going on around competition, getting to market executing, building this thing, getting it out there, doing it. Like there’s just like constant what’s going on.

What’s going on. We got to move faster and move faster. And I think like over doing this a couple of times now, like, it’s not necessary. You don’t need it. You don’t have to have it. You don’t have to be first to market. You don’t even have to be third to market. Right? Like you just go to market, go to market with a vision that you have, go to market with a quality and an intent that you want and then find the people that buy it.

Right. I mean, that is, is I think very, very key is building the things that you want. You want to build for people. Right. [00:38:00] And, You don’t have to be in a rush. and so I think that’s probably a big one.

Ashish Rajan: [00:38:04] Wow. And, I’ve got, AJ agreeing with you a hundred percent Caleb. You have to have the passion that passion and desire to solve something.

And I think it goes for everything that lives as well. Right. Because eventually after a while all the jobs also become monotonous as well. I’m sure you have exciting jobs, but I’d just say in general, after a while you. If you do want to continue doing something, which is like a lifestyle project, as you mentioned, it needs to be exciting enough ongoingly to keep continuing to drive you.

To continue to solve that problem. And , to your point,if Mona Lisa, I’m just going to use a random example. , I don’t know, it took one year to make, he would not have been going. I wonder who else is making Mona Lisa or what the color of my Mona Lisa is, has different kind of a color of Mona Lisa, just like what I want to make.

I’m going to make the best version that I know it should be. And I’ll just going to leave with that.

Caleb Sima: [00:38:55] Yeah. There’s lots of paintings of ladies.

Ashish Rajan: [00:38:58] Yeah.

[00:39:00] Caleb Sima: [00:39:00] Clearly he clearly wasn’t first to market with that.

Ashish Rajan: [00:39:03] Oh, actually that is true. He was definitely our first to market. I’m sure there were like a lot more people before him and, but something, Something about them, about that Mona Lisa and I made that, made that, I think, which made it so important that even if it’s a grown up, I don’t want to say it’s the grumpy lady.

I still always find expressions. Interesting. But I’m going to leave that there. I think it’s like a very, it’s a big organization. It’s like,

Caleb Sima: [00:39:25] okay, we’ll go with that on the next one.

Ashish Rajan: [00:39:28] I’ve got another question from Darpan here with evolution of cloud services. Do you think industry is adopting more?

Managed services or prefer self customization. That’s an interesting one.

Caleb Sima: [00:39:39] So this is a, this is also a very broad question. So, do you just mean a general managed services or do you mean security managed? Like it’s specific to security?

Ashish Rajan: [00:39:48] Probably. He’s probably referring more security. Yes.

Caleb Sima: [00:39:51] . . all right, so this is interesting, right?

Like the, and this is also a long, this is the long game answer. [00:40:00] I do believe in the long game managed security services are going to become massive, and huge. and here’s, here’s sort of why I think security talent, is extraordinarily short. and even as more and more people get into the field, I think that is still the talent is just very, very short.

And it’s complex. Security is a complex job. I will, I’ll make a slight joke about this. You gotta be a little nutty and crazy to be in security. Like, you know, like it’s not, it’s not like a job that people like appreciate you, you know? Thank God the security guy’s here. Like

Ashish Rajan: [00:40:42] yeah.

Caleb Sima: [00:40:43] You’re. You get your, you definitely have to be a little nutty to be in this industry for a long time. And so like, I do believe that, you know, it’s, especially when you look at the, like every T any SME, any small, medium business or enterprise [00:41:00] that has to do security, all have to do the same things. Right.

We got to focus on vulnerability. I focus on intrusion detection and response. We’ve got to focus on all of these things that compliance forces or things that these SMEs have to build are all the same thing. and so when it comes to those things, it makes sense to me that why would I not just outsource it?

Right. I think the issue has always been managed security service providers haven’t been that great in quality. But I think that’s changing, right? So there’s a lot of interesting startups, like Expel, for example, who are doing some pretty, you know, they’re taking a really good, hard look at security services and doing it in a different technical way and that where you, I feel like you have more confidence in some of the things that they do.

And to me, it makes sense because why would I not just outsource all of the stuff that we know is [00:42:00] basics. Things that have to be done. And then that leaves me and my small team, the ability to do focus on really the stuff that can’t be done. Right. And so I do feel like that. Oh, again, long game over time will start growing.

However, no matter what, and this all is dependent on the industry, the type of company you are, et cetera, there will always be, you know, fortune 500, et cetera. And up that will always have their own security teams have their own investments in that have their own things to be able to go deal with it. but I do believe that MSPs in that are going to grow.

It just makes sense to me.

Ashish Rajan: [00:42:38] Interesting. And to your point, and it’s probably one of the questions that I had in mind as well, for someone who’s trying to get into a role like yourself, like a senior security leadership kind of role, cause I’ve got, I guess audiences from different sides. I’ve got people who are getting into cyber security as well, and they may look at your role and go, Oh my God, where does it take to get to that?

Like [00:43:00] what, what should I be focusing on? Like what, what kind, what kind of skill sets. Or I guess a recommendation would you have for people who are listening in, we’re probably quite new in the cybersecurity space. And once you get to that level, is that, and I, I’m sure there’s much more to it. You do need to be technical.

Do you not need to be technical? Like where do you see? I guess that skillset going for someone to come to your position, I

Caleb Sima: [00:43:24] guess. Well, I mean, so, you know, again, big question around, when do you come in? Are you, are you junior? And you’re just starting to get into the security field and you want to know how to get there?

Well, you know, it’s a long road, but here, here, let me do this. I’ll give you two scenarios. I gave you the advice that I give to people wanting to enter the security field. So you’re young, you’re junior. You want to go figure it out. Right. And also very specific to more technical routes. And then maybe one who is okay, I’m already in a security team or already, I’m already in security, but let’s say [00:44:00] I’m technical, but I want to be a manager or I want to be a leader.

Ashish Rajan: [00:44:04] Perfect scenario. Let’s go with that.

Caleb Sima: [00:44:06] Yes. So with the first bucket again, I’m going to focus on the technical road. There are lots of roads into security, compliance, roads, others, you know, don’t, you don’t have to be super technical, but here is my belief period. You need to be technical period. There has to be an area in your career at which you study the technology, understand the technology and learn the technology.

You don’t have to like live and breathe and eat it everyday. It’s not like you have to be an engineer and code constantly, but you have to be technical enough. To understand and to get it right. Like you, you may make it, you may be able to do it, but like, there’ll be other people who do understand the technology at that low level, who will surpass you.

Like, if you don’t have a good grip on some of these things, and it’s just going to make it a harder road for you. So I, anyone junior coming in [00:45:00] first, I say, you need to understand technology. So. Go learn about Golar and the basics like do as CIS, you know, basics, like learn about computers, learn how a compiler works, learn about like, just understand some of this, right.

Learn these basic, go read TCP/IP Illustrated book, right? Like just go like understand some of these basic foundations about what’s going on, on the things that you work on. Because I think understanding the really lower base level stuff is really, really hard to do, but once you know it, you can always go up the stack, but it’s very difficult for people up here to understand what’s going on down here.

Right. Does that make sense? Yeah. The next thing always say, if you’re getting into security is go learn pen testing. and here’s, what’s amazing. You have to understand the mind of an attacker. The only reason why the security business exists is because of the attackers. Why do we have a multibillion dollar industry?

To protect from the [00:46:00] attacker. So the best thing for you to go do is understand how to attack, and that, that really brings you down to reality. And I think that’s really important because you can get lost in the world of compliance high level strategies. What’s the proper way to lock. X button versus Y switch.

But at the end of the day, yeah, it’s about how does this guy break into something, right. And you need to have been that person. And so, and what’s awesome about today. ’Cause when I started this, it didn’t exist. But today you could do this stuff and get paid for it. Anytime you want, even as a beginner. Go, go to Cobalt, go to HackerOne, like go to Bugcrowd, like sign up and do bug bounties.

You go in there and it takes you three minutes and you can start attacking real companies right away, which is like, and not get arrested for it. Like in my day, that was. Freaking unthought of, [00:47:00] yeah, I’m glad I just didn’t get caught. That was, yeah.

But like you could go do this and so you have to be an attacker. Like I just, if you’re junior and you’re getting into this and you want to get into security, go, go do bug bounties. Right. Go learn what it’s like to break into stuff and learn what the hacker high is. Hacker high. That’s what I call it. The hacker high.

When you break into something. That feeling you get that like it, that you have, a euphoria, like you cannot believe, and it is awesome

Ashish Rajan: [00:47:31] and

Caleb Sima: [00:47:33] Yeah. Yeah. It’s, it’s awesome. It’s an awesome, you got to do your first bug bounty and you really find something good. Like it’s, it’s a phenomenal feeling. Actually, during my interviews, whenever I interviewed like pentesters or red team, I always ask them, every good pen tester, red teamer has a story about something that they did, where they got that hacker high. Tell me that story and you get amazing stories, right? Like you got amazing stories out of that. So that’s my advice.

So [00:48:00] junior and your technical comment. Understand the basics, the foundation and fundamentals of computers, engineering code, right? Networking. Understand that stuff. Don’t just go straight to Python and write stuff.

Go learn TCP/IP, CPS, go learn the basic fundamentals and then go do bug bounties. You’ll learn the attackers and learn how to attack and trust me. You do a year or two of just bug bounties and you were going to walk out of there and knowing more than most people. And you’re going to understand what you should protect, how you should protect it and why without you learning anything else.

And without me telling you about anything and

Ashish Rajan: [00:48:38] to put some context to it, as well as a lead leader, the kind of questions you get is also like I’m trying to put the service out there. What makes you nervous about this? Like what should I be thinking about? That’s the question that they’re actually asking you to be thinking like an attacker at that point I was asking like, what’s the best security standard for this.

Yeah. Nobody can quit.

[00:49:00] Caleb Sima: [00:49:01] Nobody wants that.

Ashish Rajan: [00:49:02] Yeah. Yeah. That’s right. Yeah. And I, I think, I feel like that’s kind of where, to what you said about pen testing is so accurate because I think to your point. it’s harder for people to kind of visualize that when you may not have the technical context, your identity, your point, you don’t need to be a developer.

You just need to know enough to go, okay. this is how to protect data, or this is how the foundation level would be perfect answer. Can you know about the, how the other bucket as well? People who are already in the cybersecurity space and want to get to that leadership level? What’s our advice for that?

Caleb Sima: [00:49:32] yeah, that’s a, that’s a great question. so. I think that, and here’s, so this is how I approach it with a lot of people. Most people want to be cyber secure, like they want to get to the management level because they believe that that is the track that you must take in order to get money and or respect.

so I think fundamentally, I would think long and hard. What do you enjoy? Do you [00:50:00] enjoy the technical? Do you really enjoy, like in the way that I think about is where do you get your energy from? Like, I will tell you right now, I do not enjoy management as much as I enjoy technical. Right. Like I can sit at a computer and then turn around and be, I am in the morning and not be tired because I’m like stuck in some code or stuck in some technical problem versus yeah.

Versus like, I’m reading about, you know, the next management book and I’m like sleeping like nine, 9:00 PM, right? Like there’s a, there’s a, there’s a level of energy around it. Around, you know, what is it that you enjoy? And so the first thing I would say is understand what that is. and by the way, where that energy comes from, right?

Like as you get older or more career, like these energies can transfer. But first, I mean, you need to think about what, where you are today. And then the second is, are you to become a manager because you think that’s the right career ladder, because that’s the only way at which you’re going to get more money.

Or [00:51:00] more respect. and then I would think very hard about that because I don’t think you need that for either. In fact, I would say, if you are technical and you stay on the technical track, you will get more of both of those then you would in the management. Right. Which is essentially meaning, like, I have a very good friend that I talk to every day.

Who is, he’s pretty much the, one of the smartest people I know. And he is a lead technical IC at this, you know, super, super hypergrowth company. And he has no people to manage, right? He’s not innovate, he’s not a manager. He is an IC is technical and he makes more money than I think the founders make. And that, and that the, all the upper exact

Ashish Rajan: [00:51:46] company.

Caleb Sima: [00:51:49] A individual contributor. Yeah. Not a manager. You know, you, you will make more money and you’ll be more respected with more power inside of your organization [00:52:00] than someone who’s a manager in a lot of cases. Right? Well, at least in technical companies, right in technical engineering companies, you can now, if you want to be a CEO and that’s your track, then my recommendation is go do a startup.

Like, like you can go fight the ladder to try to be a CEO if you’d like. Absolutely. That is a proper way of doing it. Although much, much more rare. Just go build a startup and I’ll tell you what you’ll do is you’ll build a startup. You’ll be a CEO for a couple of years and be like, man. Why did I want to be a CEO?

Ashish Rajan: [00:52:34] Yeah. Fair enough.

Caleb Sima: [00:52:36] . I was just going to say that I would just think about those two things and then make your decisions. Right. And so, and if you do want to go on the management track, They do it and I would go, go all in and figure it out and then go up the rack.

I would go up the route, but, you know, a lot of people, I think who I talked to just think that management is the only way that they can make more money or have more power.

Ashish Rajan: [00:52:58] So [00:53:00] I have quite a few caveats in there as well, I guess to your point. if you’re. The whole distinguished engineer field that came out or distinguish whatever the Google then was that it was all around the IC.

They were not supposed to people, managers, they’re just giving a direction to the whole company. And I thought that was, I think initially I met my mom. I must say I did not realize that you could be an IC and still keep going down that path. And to your point about the age as well, what the older you get, you kind of realize, I think, I, at least I realize sometimes at 1:00 AM, I do feel sleepy and I feel like, Oh, I’m going to have to get a headache tomorrow.

So I do sleep sometimes, but I definitely get a high from technical. I’m just like, I definitely feel that, but I definitely have those moments and I’m totally a hundred percent, right. It’s a, it’s the age thing, because if you’re afraid four or five hours of sleep, it’s not enough for me anymore. I like if I sleep.

As a 15, 16 year old for five hours, I’ll be like up in the morning [00:54:00] again at exam, like, Oh my God. Life is so awesome.

Caleb Sima: [00:54:04] Yeah. Go, go ahead.

Ashish Rajan: [00:54:06] No, I was going to say like nowadays for three hours of sleep, I’m just like, I can barely have a decent conversation with people. Like what Caleb. Oh, yeah, dad. Oh, had a, sorry, man.

I have a headache right now. Can I talk to you later?

Caleb Sima: [00:54:20] You know, what’s, what’s pretty interesting is, I’ve been going to Black Hat DEF CON every year, since I was 16. Right. And so every year I’ve been going to black deck and what’s really interesting about that is through the years I can see because it’s the same time.

Same year, same place every year. I can see my energy levels as I get older dwindling in comparison to when I started. And it’s crazy, you know, like,

Ashish Rajan: [00:54:49] yeah, I know what,

Caleb Sima: [00:54:50] no, I can tell you when it, when it started, I was like, Oh, you know, on this day, I’m just going to hang out by the pool instead of go out normally.

And then it became less than that. It became, Oh, [00:55:00] I used to sleep fully three hours and then I’m sleeping. Five hours day. It’s really interesting to see that art that happened.

Ashish Rajan: [00:55:07] Yeah. I mean, so every security conference that I’ve been to as well, it’s used to be like a, like a, Ford bike, a late night drinking session.

I can’t do those anymore. Unfortunately, I feel, I feel like disappointed. I’m like all these young kids can come in and just like, they keep like,

Caleb Sima: [00:55:20] let’s have another

Ashish Rajan: [00:55:20] shot. I’m like, no, I don’t want them to show up. I just want to go to bed

Caleb Sima: [00:55:25] when I meet you in person I’m I’m saying let’s do tequila shots immediately.

Ashish Rajan: [00:55:30] Yeah, we should definitely do that. Man. Say, I’m going to switch gears yet again, because towards the tail end of our conversation, I’ve got a few, I’ve got three questions. It’s basically just to know, get to know you a bit more as well. and these are nontechnical. It’s just about Caleb as a person. three questions.

What do you spend most time on when you’re not working on technology?

Caleb Sima: [00:55:53] Oh, well, so, you know, these days I have a kid, so I have a, two and a half year old and I have a six month [00:56:00] old. So that’s what I spend my time on. if it’s not that, you know, actually these past couple of days has been figuring out how to get bad air out of my unit.

I’ve been spending a lot of time doing that.

We’ve got all these folk smoke and fires, but I gotta tell you, like I have been, I used to do, I’ve been searching for most of my life for a hobby that is not revolve around computers. And I haven’t really found it yet. I used to do motorcycles. I also used to do car racing. That was a lot of fun, but it takes, it takes a lot of ’em.

time and commitment to go do car racing. I started recently going gun shooting, skeet shooting, which is a lot of fun. but most of the time, I think it really does boil down to, it ends up being, doing something on computers. Like I do, like, let me give you an example. The only, only time I can stay technical [00:57:00] is on like weekends.

So I do technical projects to learn things, right. I needed to learn Terraform because I was really interested in it. And so I created a project out of Terraform and that just is my hobby. Right. Like, okay, go build something and go do something just because I enjoy it. And yes, I know it’s terrible. And I need to find a better, I need to find an actual hobby that doesn’t.

Yeah, it’s hard though. Like it’s I don’t know.

Ashish Rajan: [00:57:28] I wasn’t gonna say maybe let, let them leather making, I’ll give it a, give that a shot safety to work with some hackers. I know. Even bread making these days.

Caleb Sima: [00:57:36] I play Overwatch. That’s about, Oh

Ashish Rajan: [00:57:39] yeah. Fair enough. I mean, I’ll probably be online. and, the next one, what is something you’re proud of for this? Not on your social media?

Caleb Sima: [00:57:48] I don’t have a lot that’s on my social media, but something that I’m proud of, Man. I I’ll tell you. I, I’m married up, man. I, I got, I got a fantastic wife.

I would say. I’m pretty proud of that. you know, like, [00:58:00] like, like most of the time I, I, I feel like, you know, through, through a lot of my life in my day, you always are about like, who do you find and what do you, and all these other kinds of things. And is that person going to be good for you? And I don’t think I.

I don’t think I could have found anyone better. The person’s way. She’s way, like up my level levels. Like she’s here, go, go Google Kathy Fang. That’s my wife. She’s been on like Chopped, Food Network. She’s, she’s like a two time Chopped winner. She owns her own restaurant. She like does all that. She’s like super famous.

she’s like, she’s like 15 levels above.

Ashish Rajan: [00:58:41] When you get your earning your brownie points over here, just saying,

Caleb Sima: [00:58:45] she’ll probably know,

Ashish Rajan: [00:58:48] ignore this part. Did you do the dishes again?

Caleb Sima: [00:58:50] Like,

Ashish Rajan: [00:58:51] Oh my God. Yeah. I think that this is kind of like an answer to my last question as well. What’s your favorite cuisine or [00:59:00] restaurant that you can share?

Caleb Sima: [00:59:02] Oh, sushi. sushi by far is my number one favorite cuisine. and if you’re in San Francisco, there’s this place called Juni. which, you know, these days you can’t get really good sushi cause everything is delivery.

And I gotta tell you, like, the delivery experience versus the inhouse experiences, you know, very, very subpar. But I like my bed. Get me a Juni and get me some sake and the sushi. And I’m at the top. I’m at the top. Like that is the

Ashish Rajan: [00:59:33] best

Caleb Sima: [00:59:35] cold. I’m a cold, I’m a cold, the clear. So

Ashish Rajan: [00:59:39] I’m going to say you and I can be best friends when we meet in person, but definitely having that site called psyche.

For sure. I’ve got a few people reaching out, asking question as well as let’s start a founder. How can one reach out to you? Caleb?

Caleb Sima: [00:59:55] My Twitter is probably the best. At seaside you can reach me on Twitter or my [01:00:00] LinkedIn. You can also reach me via my LinkedIn.

Ashish Rajan: [01:00:02] Sweet and I’ll, allowed them in the show notes as well.

I did want to mention about your wife’s restaurant though. I think I saw the post and she does, I think with the whole world while she’s doing something interesting. If you don’t mind sharing with the audience as well. Cause they’ve got, I’ve got a lot of US audience and run the world, but I’m pretty sure in a virtual world, I think we’ve had a post about earlier.

Caleb Sima: [01:00:23] So my, so my wife, has to a restaurant. So her family, she comes from her, her dad started this restaurant called House of Nanking, which is here in Chinatown, in San Francisco. It actually just got declared a national landmark in San Francisco. It’s been around for over 35 years, I think. Her dad started that. She grew up in that restaurant and then she created, she started her own called Fang, which is here in SoMa, right across from Moscone conference center.

And obviously, restaurants are going through a pretty rough time. So ever since lockdown, you know, my wife has been unemployed, right. Because there’s just been nothing. And actually just this [01:01:00] week, they just opened up housemates for delivery only. And so my wife and her dad are, are going yeah, nuts, trying to get things ready and, and run a, an operation.

But in this timeframe, you know, she has started to do sort of virtual events. So, if you’re doing anything like hosting or you want her to con kind of come in and make a meal with your team, she also does these Chopped events, which are pretty neat. Like you could do one where she’s chopped, which I thought was super interesting where the, the employees can vote.

Your employees can vote for secret ingredients. And then join, hop on a Zoom call and then she’ll open up the box, the secret ingredients, and then cook the things out of the secret ingredients and then talk through what she’s thinking as she’s making things. So it’s almost like chops, but interactive version of it.

You’re on Zoom. You can ask her, Oh, why did you, why did you blend the chips to make, add [01:02:00] that? And she’ll tell you, right? Like, Oh, you’re doing this. Or they do an opposite where she’ll just, she’ll be a judge. And you do internal in your company, like a chop, slow cooking competition, and she’ll judge it by just, she can’t taste it obviously, but she can look and by how you’ve played at it and done the rest of those things.

And so she does these little virtual sessions. So if you’re interested in that, just message me on LinkedIn and I’ll connect you to her. If you want to, if you want to do something like that for your company.

Ashish Rajan: [01:02:26] Yeah, I think that’s a great idea, especially because a lot of people are looking at whorls, how else they could be doing team building the activities and how else do they engage the team while everyone’s read more?

I think that’s a great idea. So help someone else. I think all the more merrier and I don’t think time zones also your times, but location is a problem. Thanks to Zoom though, because anyway, you can be zoned zoom anywhere. I’ll let people connect with you, but I think it’s a great opportunity for anyone who’s looking at team building activity.

Dude, this has been awesome. And thank you so much for sharing such amazing nuggets with me. And [01:03:00] now I know you like soccer as well, so it’s great. I, well, I do appreciate it and thank you so much for coming in, man. And, yeah, I can’t wait to have you again.

Caleb Sima: [01:03:09] Okay. We’ll do talk to you later.

Ashish Rajan: [01:03:11] Thanks so much.