Ashish Rajan: [00:00:00] Are you thinking of building a cloud security program with probably Gen AI? Yes, I did say that word because 2024 cannot be without the conversation of Gen AI. At re:Invent we got a chance to speak to Alex Jauch. He is director of product management at Outshift and we spoke about some of the things they're talking to customers about in terms of the complexity of the world we live in with CSPM, CNAPP and a lot of C acronyms that are being thrown around.

We also spoke about Gen AI, Amazon Q as a service that was released by Amazon at AWS re:Invent. What does that mean from a security perspective? What are they hearing from customers on the trend of cloud security? In terms of Cisco is a big company which is the parent company to Outshift. They get to speak to a lot of people so it was really good to get an insight of what are customers talking about as a general theme across cloud security, across a vast number of customers they have. We also spoke to them about what does that mean to have GenAI as the next frontier. And it's not something new as a spoiler alert, but we have been doing a lot of these things already.

But it was also interesting to find out the nuance of the [00:01:00] change that it brings in when you talk about GenAI. As always, we appreciate if you share this episode with someone who's probably trying to build a program or wants to. Just to know more about what the trends are in the cloud security space, just to understand that from a perspective of if you're trying to build a cloud security program, or if you're trying to keep an eye out for what would be that skill set that would help you in 2024 to get a new job or to do your job better.

So I hope you enjoy this episode. As always, I appreciate all the love that you show us on Apple Podcasts, Spotify and YouTube and , LinkedIn by following, subscribing and leaving a review. I will see you in the next episode. I hope you enjoy this episode, talk to you soon. Peace.

Welcome to another episode of Cloud Security Podcast. Today I have Alex with me.

Welcome, Alex. Thank you. Could you tell the audience a bit about yourself, Alex?

Alex Jauch: Yeah, sure. So I'm Senior Director of Product Management at Outshift. Our team is responsible for what we call modern apps, which is nice and vague, which is nice.. Yeah. And right now we're spending a lot of time working on a product called Panoptica, which is our CNAPP product.

And so my background is I've been in the industry a long time. Twelve years at Microsoft, seven years at VMware. I worked at HashiCorp for a while. Most recently I've come from Splunk. And at Splunk I ran Basically what we would call GDI, which is [00:02:00] the ingest business of Splunk. Oh, yeah. Okay. As a product manager,

Ashish Rajan: oh, how would you describe the cloud security landscape at the moment based on what you're hearing from the customers?

Alex Jauch: Busy. Busy. Yeah, it's interesting because the great thing is that everybody's super focused on this, right? Everybody knows this is really a problem. You don't go talk to a customer and they're like security, it's not like that.

The problem is that because it's such a critical space for everybody, Yeah. What's happened is there's this avalanche of things. Many of them are great, amazing, in fact, right? So it's really good. Yeah. A lot of energy, a lot of passion. But I talk to customers and they say, I've got 35, 40 tools securing my site.

I'm just, I'm drowning. I could literally have a tool that's half as good. Yeah, and it's okay, our strategy is a little different. Our strategy is look we think that unification of the picture provides an immense amount of value. Yeah. So we've taken the opposite approach.

We said we're going to be a little bit broader. Now what that means is that we're probably not going to be the best in this little thing. I'm sure there's somebody out there, if you pick any one of these discussions, I'm sure you can find somebody out there that's doing just an amazing [00:03:00] job.

Yeah. Because the industry is full of smart people. But unfortunately what that means is that the diversity and the explosion of things that are happening means it's almost impossible just to keep track of what the tools are. Let alone act on what they're trying to tell you. Yeah. And that's what people are telling me is, I'm drowning.

Can you please just tell me the thing? If there's one thing that I can do to make my site much more secure, what would it be? And that's what gets us up out of bed, right? It's we want to cut the noise. And say, look, these are the things you should be really concerned about. We're all living this agile lifestyle, we're all doing sprints, right?

So every sprint, every time you do sprint grooming, which tickets should I pull up in my backlog? Which ones? And why? Now, I wouldn't say that I'm perfect at that, but that's what I want to do. That's our objective as a team, is to go make that better because We want your live site to be safe. Yeah. That's what we all want.

Yeah. You want that? I want that. Everybody wants that, but it's a live site. How many changes are you checking into prod? Are you're probably , 20,30,40 PRs, a day. Who knows? Big sites, thousands of PRS a day, right? Every single one of them, every single PR [00:04:00] you pull. It's an opportunity to make your site better or worse.

So which is it? And if you don't know, that's the scary thing is when you don't know. I love that. It gets me out of bed.

Ashish Rajan: I think it's good to know because I think a lot of us don't get a good night's sleep because of that as well. So I'm glad someone's working on it. And also talking about, separating signal from the noise.

There's a lot of C acronyms and I think people who've been in the cloud security space for a while, they probably wouldn't know this, but I think we are obviously at reInvent and meeting a lot of people who are coming for AWS for the first time going. I love AWS, blah, blah, and then they are thrown with these acronym galore of CSPM, CNAPP, CWPP, and all of that.

Without going, and I'll let people Google the description of what that is, but where do you stand on the whole, the noise being created by all this?

Alex Jauch: I have to admit, and I'm sure my compatriots in the security business are going to yell at me, but I don't believe in the acronym soup thing. I think it's confusing.

I think it's shorthand that we use inside the bubble and it's very lazy for us to express that to customers. It's not their job to learn what I do. If I go to another security professional and I say [00:05:00] CSPM, they know exactly what I mean. Okay, it's very convenient for me, it's shorthand. But if I go to a practitioner and he's look, dude, I have a site that manages reservations for horticulturalists.

Yeah. And I'm like, yeah, CSPM. And they're like, what? No. No, look, your site, if you're not actively managing the security posture of your site, I am very concerned for you personally. As a friend, please. Actively manage the posture to site why because there's bad people out there.

So what does that mean? Unfortunately, that's not a trivial thing to do because the beauty of AWS is it does a million billion things problem Every single one of those things potentially could be attacked by a bad guy. If you've got EKS you have EC2 you have S3. How many AWS services are you consuming?

Yeah. Now, of course, AWS is a lovely partner. Very good company. They produce great software. But you have to do your part. Yeah. You have to administer it. You have to configure it correctly. You have to follow their best practice. You have to listen to their guidance. If you don't have a PhD in cloud security, maybe you're not great at that, right?

Yeah. And by the way, maybe so many people aren't. And if you have a very large team, some people are good, some people are bad, right? So you need some sort [00:06:00] of tooling. To watch the way the site is actually constructed, the parts of AWS you're consuming, cloud security, posture management, CSPM, right? The posture, the things you're buying from AWS, are they configured in an optimal way?

That's what we mean by posture management, right? It's a CSP, which is good. Let's say you do that. Let's say you do that amazingly well and you're an amazing guy. Now, you start up a Kubernetes cluster and you put a pod in that Kubernetes cluster. What's in that pod? I don't know. Don't worry about it. I got it really carefully configured. VPC, everything's fine. Really? Is that really true? Maybe not. What if that pod contains a container that you picked up from Docker Hub that was compromised, right? And there's malware in there. Whoops. You just invited the bad guys inside your castle. No fault of your own, perhaps, but you just did. Are you secure now?

Nope. Ah, shoot. Okay. Now I got to check the containers before I use them. Okay. Oh, by the way, how did you configure that? Terraform template. Oh, okay. Has anybody messed with your Terraform template? What? Why would they do that? Oh, because that's the easiest way for them to get in. Got to scan the Terraform template.

Oh, yeah, what made that [00:07:00] contain in the first place? Oh, I'm running CICD. Oh, okay. Is that thing secure? I'm sure it is. Did you check? So it quickly becomes super complicated, right? Yeah. So it becomes complicated all by itself. What we're trying to do is say, look, okay. Yes, you can look at each one of those components one at a time.

And our product does that. All my competitors do too. We all do. However, we think that if you look at it holistically, and look at things like attack path and say, look, here is a thing, an asset that an attacker is trying to get to. A credit card proprietary data, permission to create VMs by the way.

Attackers love that. Number one security attack threat. You probably know this by heart, right? Cryptojacking. Cryptojackers don't care about your data. They do not care about credit cards. They will happily delete all your credit card data if they can run crypto mining on your infrastructure using your AWS bill, right?

So something really simple like this process here has the ability to create, to do auto scaling. I gave a permission in IAM to create VMs. Woo hoo, baby, right? Yeah. That's gold. Yep. But that's sitting inside of a process that's sitting inside of a pod which is sitting inside a [00:08:00] cluster. It's over here attacker comes in how comes to API All the way yeah, but unless you get to this thing yeah through some viable pathway , is it interesting that you have this escalation thing here?

Yeah, you shouldn't have it, right? But what if you have ten of those two of them attackers can get to and eight of them? They can't we're in our sprint planning session. We're doing backlog grooming. I have ten things that are broken two of which lead to attackers getting access and eight of them don't.

I mean you don't have to be a genius, right? You're going to take those two, you're going to put them top of the stack,

Ashish Rajan: of course. That's right, yeah.

Alex Jauch: Of course you are. Yeah. If you knew that, hence CNAPP. Yeah. So all me and all my competitors, what we want to do is show that to you in context. This is important And most importantly, why?

Why this one? What does it do? Why is this one more important than the others? And it's all about the why?

Ashish Rajan: I would argue maybe adding on one more layer to the whole signal versus noise as you talk to more customers about what do you find as a like one that he called out that hey, unification of all this?

I'm drowning in tools. Is there any other team that comes out as you talk to more people about because nowadays, it's not as [00:09:00] simple as I'm just using AWS. No, I am using Azure, GCP, Kubernetes. It's that's a Pandora's box as well by itself. Tool explosion. Yeah, for sure. Anything more broader that you're hearing?

Alex Jauch: I would say that definitely the theme is that feature teams, product teams are dealing with more complex infrastructure than they ever have before. And that trend is accelerating. So for a while there, it was, hey, we're moving to cloud. Congratulations. We've got two clouds now. Oh, we got three. Oh, we're using EC2.

Oh, and all of a sudden now we're using EC2, ECS. Oh, we're using Lambda. And by the way, Gen AI, here we go again. Does Gen AI mean that you're no longer using Lambda? No. Do you stop using EC2? Nope. S3? Nope. EKS? Still there. So every time one of these things comes in, it just poof! I don't think that practitioners should expect that trend to slow down, pause, or change.

Because cloud, it's funny because I'm an old man. I'm very old. I've been in I can't tell. So when I joined this business, so my first professional IT job was 1990. So I've been in this business for a long time. [00:10:00] Yeah. So what used to happen was that you would try to introduce technology into a customer, but they couldn't adopt it fast enough.

And so what was happening is, it was so difficult to make something work, that you just forgot to pay attention to that other thing. And by the time you got around to it, either it became obvious that you should do it, or obvious that you shouldn't do it, right? And so there was just this friction, right?

That slowed things down, just because I had things to do. Cloud, that's not the case. Cloud If I wanted to fire up an EKS, I bet you I could do it during this podcast. Bang. Lambda even easier, right? And so what's happening is that the back pressure that we used to get in the old days, I used to be a practitioner.

I used to do this stuff, right? I don't anymore. I'm a manager now. I don't actually do real work. But that friction that happened when I was younger is not there now. And so when I talk to teams, I say, How long from when you think about using something to you use something? Days, weeks, right? It could be a very short period of time.

And of course, all my compatriots in the cloud business are like, let's make that time shorter, [00:11:00] right?

Ashish Rajan: Yeah, of course.

Alex Jauch: So everybody's doing the right thing. But the result to the practitioner, I think, is especially for the security practitioner, is this Exploding surface. And you're not, you're just not gonna keep up.

I'm just telling you right now. If you're feeling like I don't understand everything that's running in my infrastructure and I feel bad about that, please don't. There's no way. There's no way you could. You have to go get help. It has to be a community thing. You have to go to your peers. You have to work as a team.

You have to hunt in groups. You're not gonna do it yourself. You're just not. I talked to people and they're like, Ah, I'm just working my butt off and I'm working nights and I'm studying and I'm like, please don't do that. Yeah, this is a marathon. Yeah, not a sprint. Yeah, you're not gonna do it all.

Yeah, it's okay. Yeah, the beautiful thing about this community though is there's somebody out there that knows and so it's a matter of you know being a bit broader looking out taking guidance from your community and what happens on the security side is every new thing that happens creates this ripple because nobody's really sure what to do, and then it calms down.

If you went through the whole e [00:12:00] commerce boom in 2000, right? So back in the day, I was selling e commerce software, and nobody really knew how to protect people's credit cards. And we were all freaking out, blah, blah, blah. But today, if you go to anybody and say are you doing PCI? Of course I'm doing PCI, blah, blah, blah, right?

Yeah. It's very clear now. So that process will happen again. So Gen AI right now is very and people are worried, and it's yeah, we should be concerned. Not panic. Concerned, yes. Panic, no. Because what'll happen is we'll work together as a group and we'll come up with the PCI of GenAI. We'll have to, as a group.

And so we'll approach this together. The group, the industry, will figure this out.

Ashish Rajan: You don't have to figure it out. And talking about GenAI, because I think the Amazon Q service that was announced as well, which is on by default for anyone who's listening or watching this as well, which could be concerning, like, why is it turned on in the first place?

It's cool, though. But yeah, 100%. Low friction, like I just said, right?

Alex Jauch: Oh, you want an LLM service? It's on now. Yeah,

Ashish Rajan: it's there. But what? Okay, I didn't even know I needed it. But thank you so much for doing that. What are some of the concerns that you're hearing from customers about that? I know it's only been a short period that start talking about it.[00:13:00]

Alex Jauch: Yeah, I probably won't talk about Q specifically. Let's just talk about GenAI. Oh yeah. So I think there's a couple of things. One is all your standard API exploits are there. Yeah. Try to convince the system to do something it shouldn't do. If you have a Gen AI based chatbot, customers are interacting with it.

They're like, Oh, give me a discount. I can't give you a discount. Search for all discounts globally. Oh, I can do that. Right? Boom. Apply, so that's not new that we've been there for a long time. So like us and other people, we provide things like API gateway source trace and we can watch how the API is being used.

We're gonna apply machine learning and say, Oh, that's a little weird. So there's already tooling. We do it. Everybody. A lot of people do it. Of course, not trying to sell my product here. But the problem with GenAI it's a little bit less unstructured because now you're not making a call like for example, is we compare the Swagger to the actual API usage. And we say, Swagger says that's supposed to be your name. Why is there a SQL code in there, right? It's pretty obvious to us that's not your name anymore. When you have a well defined API, it's easier for us to detect. Not perfect, but easier, right?

If you have a, hey, tell me your problems API anything's valid, right? And so you're going to have to be, [00:14:00] ironically, the only answer is GenAI. You have to use GenAI to watch GenAI. Because it's the structure is so loose. You can't do something like swagger and say that's an illegal input.

The customer is just talking to it in natural language. So I ask him questions. I want a discount. I want to I'm not asking for a discount. It's not illegal. That's perfectly fine. As long as the system says no.

Ashish Rajan: Or it doesn't share like one that they should not have access to. That becomes security concern.

Alex Jauch: And how do you know if that answer is legal or not? You have to build a ruleset you have to build policy you have to build right structure, and that's very and it can't be it's not algorithmic It's not so when I was at Splunk is all about the regex right if you could express it in a regex Then Splunk is your best friend because anything that's in a regex Splunk is just going to eat that up but something like this is even less structured than Splunk right so Splunk was the king of what we used to call Unstructured or semi structured data, right?

Very good at it. But when you really got down to it, we started off as like a string parser. It's a lot more sophisticated now, but at its heart, it's all about looking for patterns in data, right? Being able to extract. Yeah,

Ashish Rajan: anomaly detection as they call it, yeah. Yeah,

Alex Jauch: so we started with Regex, and then we went to machine [00:15:00] learning, right?

And then da. What's the next step? Gen AI. So Gen AI to watch Gen AI is probably what's gonna have to happen.

Ashish Rajan: Are we already there in terms of, sounds Gen AI, as much as people talk about it, it's Last year, November is when it suddenly exploded and everything. It's like a firehose opened up.

And one year on, I feel OpenAI is like a, I don't know, 10 billion dollar company, whatever the company's size is, whatever. But GenAI as a thing has become like the same conversation as Apple. Like everyone knows Apple, so everyone knows ChatGPT. Everyone knows GenAI.

Alex Jauch: Yeah, it's really exploded. What's fascinating though is, and I'd love to get, one question I have for you to everybody on the thing here is, how many of you have GenAI in production right now?

Because when I hear is, Hey, what's going on with GenAI? Oh yeah, we're all over that. Oh great. So you have it in production. If I go to your site, is it working now?

Ashish Rajan: Oh no. We're on it. So everyone start, and I agree. 99 percent of them are all on it in the sense that, Oh, I'm doing some work in it internally.

Alex Jauch: Yes. I think what happens is unfortunately what tends to happen in this industry is that somebody will go to production, make a mistake and very publicly. And that's quite unfortunate. You don't want that to [00:16:00] happen. But. It will it's just inevitable and then we all learn from their mistake. So if you think about what happened with SolarWinds in the security business, We knew this was going to happen.

Yeah, and we were telling our customers, please secure your supply chain. State actors, governments, are attempting to invade your company through your supply chain. We know this for a fact. Please, secure your supply chain. It would not get priority. People are like, oh maybe. SolarWinds happens, boom, all of a sudden, everybody's coming to me like, oh my gosh.

I'm like welcome, first of all. So it's not like this is unknown. It's a matter of how do we prioritize, how important it is, how do we make it a focus, how do we make time for it. I have, and believe me, I don't judge anybody. Everybody's got thing. Everybody's busy. I get it. We're not perfect. I'm sure there's things that we've done where we, gosh, we wish we hadn't.

But I think what I would say to people is that think about if you're working on a feature team these days and you had a QA team that was in another country. Okay. Yeah. You'd be like, that's a little weird. Yeah, nobody does that anymore.

Ashish Rajan: Yeah, no,

Alex Jauch: you're responsible for quality, right?

Yeah, you run what you brought, DevOps. Yeah, that's right. Yeah, that's pretty much it. Why isn't security like that?[00:17:00] Should be by default. Yeah. Yes, there's security experts in the organization and they provide consulting and they have office hours and you ask them questions and policy has to be set somewhere.

Yeah, CISO's office sets policy, right? That makes sense. If I run a live site, if I'm the owner of a service in production, can I say that security is not my personal problem? No, not really. No. Because it is my problem. Yeah. Because what happens if my service gets hacked or goes down or gets abused or when I feel bad if my customers couldn't do their jobs because my thing wasn't secure enough to protect them?

Of course I'd feel terrible, right? Yeah. I don't want that. Nobody wants that. So that's where we are. That's just the modern world. Yes, there's experts in your organization. Listen to them, there's policy, the CISO's organization, all that, fantastic. But, what I would tell your listeners is, you gotta be tighter.

You gotta have this zero daylight between the security team and the product team. There's only one team, right? We're all the product team together. Some of us are better at some things than others. But you can't have, maybe I'm saying this too strongly, but I really believe you can't have two teams.

There's one product team. We all bring our specialties to bear. It's as a product manager, right? [00:18:00] I don't write code. Believe me, you do not want me writing code. But there isn't like a code team and a product team. It's a product team, we're together. And so my security specialist, when we learn something, when we're trying to do something, when we design a new feature in production, because we're running a live site just like you are, we have to ask ourselves those questions.

Like, how are we doing this? What happens next? How do we know if it's being abused? Do we have sufficient controls in place? And I think that healthy 360 view, I think that's the only way to survive right. We're moving too fast, there's too much complexity, there's too many bad guys out there. You can't say, oh yeah, six months, we'll go do a security audit review or something.

Ashish Rajan: I think you bring up a good point about, A, I think we can't solve every problem as well. So all of us have to prioritize budget and there's a lot more nuance to just, Hey, I'm going to pick Gen AI and everything will be solved. Like as, as much as people would like to say that Gen AI is the future is yet to be discovered as to what that is apart from beyond being a, what the likes of ChatGPT have gotten us to.

Because to what we said earlier, how many are we using in production? I don't know that many examples myself as well.

Alex Jauch: About [00:19:00] 10 percent of my customers have some sort of Gen AI in a production environment. That's still early days.

Ashish Rajan: Would you say in terms of preparing, because we spoke about the attack path as well earlier to help you prioritize.

We also spoke about things like, Oh, okay now I understand the context of where does Gen AI fit into this part. A lot of people probably are planning for 2024 now. They're looking ahead. And have you started seeing a pattern or are you guys starting to notice that, Hey, by the way, if you're thinking of building a cloud security program for 2024.

This should be in your list. I'm sure GenAI is on everyone's list already, but I'll throw that in one there already. Have you been able to get a sense from customers on what are they putting as top of mind for their program for 2024?

Alex Jauch: There's a couple of things. One is there's always regulatory and compliance pressure. So for example, the U. S. Government has now come out with some new compliance around supply chain, which is interesting, right? There's a new, I don't know if you've seen it, but there's a new NIST standard now about supply chain and securing your supply chain. So I think people are really looking closely.

Yes, we all got a kick in the pants a little while ago, but I think now even more so I think supply [00:20:00] chain, we're hearing that a lot. Agility. How can we move faster? Not new, but continue. We're hearing a lot from customers saying that I want to bring my security functionality closer to my engineering team.

How do I bring them closer together? How I bridge these gaps? How do we solve problems as a group? We're seeing that a lot. And then it's about detection response time. How do I go from, I think I have a problem to I know I have a problem to the problem is fixed. How do I make that sequence of events faster?

Closing that loop. There's a lot of common themes that are still there that are not new, like drift detection hey, we have this policy that says that, these ports are closed on production instances, are they all closed? Seems simple, but it comes up every day that we find that aren't.

All the basic blocking technique is still there.

Ashish Rajan: Yeah, and is there something that is not spoken about enough in this space at the moment? That you have to keep re educating your customers on?

Alex Jauch: There's two camps. One is, you've got the, Hey, I just want to produce a report for my CISO that says we've checked off our CVEs.

Yeah, okay. I'm not a big fan of that. What I would say is, I would encourage people to think about their vector. So your site is here today, tomorrow it's here, tomorrow it's [00:21:00] there, tomorrow it's there. What is your vector? Are you getting more secure every day, the same, or less secure? Because I would argue over time, if you're doing two week sprints, you get 26 sprints a year in theory.

Say you get 20 sprints a year. You have 20 opportunities to point that vector up and to the right. Are you doing that? Yeah. Are you measuring that? Are you actually measuring your progress and your velocity of that security vector? Probably not. Most people don't. So if there's one thing I would ask is to say, think about that.

Am I getting better? Worse? Staying the same. And that's the thing is people say, oh my gosh, it's such a huge problem. I can't solve this problem. I'm like no. Solve this problem. Small. Every day. Every sprint. Small problem. And then, 10, 15, 20 sprints later, you look back, and wow!

Yeah. We made a lot of progress. Yeah. So just, but it's exactly the same as building any product, any feature, right? If you're in business to sell widgets, you're not going to do that overnight. No. your product's going to evolve, your product's going to get better, you're going to have an MVP, you're going to add features, you're going to do adjacencies, all those normal things that a product team does.

Why isn't security exactly the same thing? And then go back to management and say, It's not about the list, guys. It's about our vector. We are improving. And I know we're improving [00:22:00] because why? Because of this. That'd be my one, ask for Christmas, if I got one.

Ashish Rajan: That is definitely a value. I would say that's a great Christmas gift for most people.

I would think that's most of the questions I had, but I think I will have three fun questions for you as well. Okay. What do you spend most time on when you're not working on technology or cloud or any of these things?

Alex Jauch: Oh, during COVID I took up mountain biking. Oh, extreme sports in a way.

Ashish Rajan: No,

Alex Jauch: remember I said I'm an old man. No. I ride on the fire roads by my house. Very safe, very slow.

Ashish Rajan: Oh okay. So you're not going down like 60 miles an hour.

Alex Jauch: I don't bounce anymore. So yeah, I picked that up during COVID. So that that's my new thing. So yeah, if I'm not working or with my family, I'm probably on my mountain bike.

Ashish Rajan: Yeah. The second question is what is something that you're proud of that is not on your social media?

Alex Jauch: My family, my kid. Yeah. Yeah. My daughter's in college and yeah, we don't talk about our family stuff in public. Yeah. She's a great kid. I love her. She's doing really well in college.

Ashish Rajan: I'll give the recording to her as well so you can just see, I spoke about you in a public episode of a podcast as well. I'll get some brownie points while you're there as well. Third question. What is your favorite restaurant or cuisine that you can [00:23:00] recommend?

Alex Jauch: Actually here in Vegas, I'm pretty nutty about this place called Sushi Samba.

I don't know if you guys are carnivores, but I am. And they make the most amazing appetizer I've ever had in my life. It's insanely good. What they do is they take thin sliced Wagyu beef on the plate raw. And then a hot rock and five specialty salts, like crazy good salts. I like the black one, by the way.

Okay. The best one. I can remember that. Try the difference. Yeah. And so you just take the little slice of Wagyu. You just cook it yourself on the hot rock, 30 seconds, 10 seconds, really fast. Pick one of the specialty salts in it and then bang, Oh, life alteringly good. Really? It is so good. Have to be a meat eater.

Have to be into steak, but if you're into steak, my gosh, it's really good. Oh, wow. Okay. Sushi Samba is also quite good, just generally. Yeah. That appetizer is, that's my current obsession, yeah.

Ashish Rajan: I would definitely go into that as well. I think, I'm going to add one more question, because I think you, I feel like you've done some time in Waterfall and Itil as well.

Oh, gosh, yeah. What do you miss about the Waterfall or Itil days? Because now we are, we've been talking about sprints the entire time for , two weeks sprints. [00:24:00] What do you miss about the waterfall days?

Alex Jauch: I think that the nice thing about it is the certainty. I used to work for, I won't name them, I used to work for a hardware company.

And when you're building hardware, you really have to know exactly how much power this component needs. Because you're buying the power supply from somebody in Asia three years in advance. You cannot change that. Building something like that? Agile, no. It has to be functional spec, this many amps.

Circuit looks like this, bang. So some things require that level of certitude. I think it's good for that. Most of my career has been in software. And for the past 10 years, it's all been cloud only. Yeah, okay. So I live in this, where you move around, we're very flexible. Very dynamic. So you get used to that and you forget that there's other business, like if you're building a heart and lung machine, for example, to keep a patient alive during surgery, maybe Agile's not your best choice, right?

Yeah. So there's just different businesses, different requirements, and so I think it's good for that. It's a lot of certainty. You get very clear about the requirements up front. Yep. And it forces [00:25:00] you to be very specific. So I would say that's good. Sometimes in Agile, we we ready, fire, aim, right?

We're not supposed to. There's processes in Agile that are supposed to fix that. Yeah, ceremonies and everything, yeah. But you can much more easily ignore them in Agile than you can in Waterfall. Because in Waterfall, you literally can't take, you can't progress. That's right. It's not done.

Sorry, we'll come back two years from now, so I think that's the one thing, is the certainty, the clarity, the specificity was nice. Because by the time you actually started writing code,

Ashish Rajan: you knew exactly what you had to do.

Alex Jauch: You knew, right? But I don't really miss it that much. I made the decision in my career a long time ago to switch to cloud.

I have no regrets for that. I have no intention of ever going to a different technology stack. I'm going to stay here.

Ashish Rajan: Awesome. For the rest of my career. I think a lot of us are going to be staying here for a long time to come as well. Based on how AWS is going as well, I don't think they're going to slow down anytime soon.

I think they're going to be, they're doing fine. Yeah, totally. I just, I don't know. I think they're going to make it. Yeah. They'll survive. I think the hard times are behind them. I think so. I think you're right. Where can people find you on the internet? They want to connect with you and talk about Outshift and everything [00:26:00] else around this as well.

Alex Jauch: I have to admit, I'm still a Twitter guy. So I'm ajauch on Twitter. Okay. All right. I'll put the Twitter link. I'll see you there. We do blog up on the Panoptica blog site as well. And of course, I'm on LinkedIn. Awesome. I'll put all those things in. I accept I'm a, what they call, I'm an old guy, so I'm a lion.

So I accept all connections on LinkedIn every time.

Ashish Rajan: Oh, is that called a lion? I did not know that.

Alex Jauch: It's a kind of an old term now, but yeah. Basically, my belief is that this business is about connections. So I will never refuse a connection from anybody on LinkedIn.

Ashish Rajan: Unless you hit the software limit.

Finally, there's an application limit as well. So you can't have. Oh, no, that's a challenge. Yeah. So because a friend of ours. She was into public speaking for a long time and she hit a point where because there's a number. Beyond which you can't accept any more connections on LinkedIn. Oh, that's interesting.

Alex Jauch: Now, there is a limit on how many they display. So if you look at my profile, it just says 5, 000 plus. The number stops incrementing at some point. And I was like, oh, does that mean I can't accept connections? No, I can still. So everybody on the thing please add me. Help me break LinkedIn. Yeah. And then I'll come back later and report back what [00:27:00] the number is.

Yeah,

Ashish Rajan: and let's find out. How much is the number?

Alex Jauch: I have no idea. Yeah, so I'm in the thousands right now.

Ashish Rajan: Thousands more to come then, after this episode. Yeah, that'd be great. Thank you so much for coming on the show.

Alex Jauch: I really appreciate it. Thank you, sir.

Ashish Rajan: Very nice talking to you. Yeah, likewise.

Thank you for your attention and we'll see you next episode.