Making Compliance Suck Less with AJ Yawn

Episode Summary

AJ Yawn is the co-founder and CEO at ByteChek, a startup that’s focused on making compliance suck less. He’s also a founding board member of the National Association of Black Compliance & Risk Management Professionals, an advisor at CISO MAG, and an advisor at team5. Previously, AJ served as Principal for SOC-ISO-Healthcare at Coalfire. He was also a Captain in the U.S. Army and played basketball for Florida State University, reaching the Sweet 16 in 2011. Join Corey and AJ as they discuss the origin story of ByteChek, why organizations need to stop thinking about compliance as a check-the-box exercise, what to look for in an auditor, why you need to keep asking the hard questions when evaluating auditors, why AJ believes that human auditors are going to become relics sooner or later, how it’s more or less impossible to do a comprehensive audit in the cloud by hand, why AWS Audit Manager isn’t usable for audits, why AJ decided to start a software company, and more.

Episode Show Notes & Transcript

About AJ
AJ Yawn is a seasoned cloud security professional with over a decade of senior information security experience, including extensive experience managing a wide range of cybersecurity compliance assessments (SOC 2, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers.

AJ advises startups on cloud security and serves on the Board of Directors of the ISC2 Miami chapter as the Education Chair. He is also a Founding Board member of the National Association of Black Compliance and Risk Management Professionals, regularly speaks on information security podcasts and at events, and contributes blogs and articles to the information security community, including publications such as CISOMag, InfosecMag, HackerNoon, and ISC2.

Before ByteChek, AJ served as a senior member of a national cybersecurity professional services firm’s SOC-ISO-Healthcare compliance practice. AJ helped grow the practice from a 9-person team to over 100 team members serving clients all over the world. AJ also spent over five years on active duty in the United States Army, earning the rank of Captain.

AJ is relentlessly committed to learning and encouraging others around him to improve themselves. He leads by example and has earned several industry-recognized certifications, including the AWS Certified Solutions Architect-Professional, CISSP, AWS Certified Security Specialty, AWS Certified Solutions Architect-Associate, and PMP. AJ is also involved with the AWS training and certification department, volunteering with the AWS Certification Examination Subject Matter Expert program.

AJ graduated from Georgetown University with a Master of Science in Technology Management and from Florida State University with a Bachelor of Science in Social Science. While at Florida State, AJ played on the Florida State University Men’s basketball team, participating in back-to-back trips to the NCAA tournament under Coach Leonard Hamilton.



Transcript
Announcer: Hello, and welcome to Screaming in the Cloud with your host, Cloud Economist Corey Quinn. This weekly show features conversations with people doing interesting work in the world of Cloud, thoughtful commentary on the state of the technical world, and ridiculous titles for which Corey refuses to apologize. This is Screaming in the Cloud.


Corey: This episode is sponsored in part by Thinkst. This is going to take a minute to explain, so bear with me. I linked against an early version of their tool, canarytokens.org in the very early days of my newsletter, and what it does is relatively simple and straightforward. It winds up embedding credentials, files, that sort of thing in various parts of your environment, wherever you want to; it gives you fake AWS API credentials, for example. And the only thing that these things do is alert you whenever someone attempts to use those things. It’s an awesome approach. I’ve used something similar for years. Check them out. But wait, there’s more. They also have an enterprise option that you should be very much aware of canary.tools. You can take a look at this, but what it does is it provides an enterprise approach to drive these things throughout your entire environment. You can get a physical device that hangs out on your network and impersonates whatever you want to. When it gets Nmap scanned, or someone attempts to log into it, or access files on it, you get instant alerts. It’s awesome. If you don’t do something like this, you’re likely to find out that you’ve gotten breached, the hard way. Take a look at this. It’s one of those few things that I look at and say, “Wow, that is an amazing idea. I love it.” That’s canarytokens.org and canary.tools. The first one is free. The second one is enterprise-y. Take a look. I’m a big fan of this. More from them in the coming weeks.


Corey: This episode is sponsored in part by our friends at Lumigo. If you’ve built anything from serverless, you know that if there’s one thing that can be said universally about these applications, it’s that it turns every outage into a murder mystery. Lumigo helps make sense of all of the various functions that wind up tying together to build applications. It offers one-click distributed tracing so you can effortlessly find and fix issues in your serverless and microservices environment. You’ve created more problems for yourself; make one of them go away. To learn more, visit lumigo.io.


Corey: Welcome to Screaming in the Cloud. I’m Corey Quinn. I’m joined this week by AJ Yawn, co-founder, and CEO of ByteChek. AJ, thanks for joining me.


AJ: Thanks for having me on, Corey. Really excited about the conversation.


Corey: So, what is ByteChek? It sounds like it’s one of those things—‘byte’ spelled as in computer term, not teeth, and ‘chek’ without a second C in it because frugality looms everywhere, and we save money where we can by sometimes not buying the extra letter or vowel. So, what is ByteChek?


AJ: Exactly. You get it. ByteChek is a cybersecurity compliance software company, built with one goal in mind: make compliance suck less. And the way that we do that is by automating the worst part of compliance, which is evidence collection and taking out a lot of the subjective nature of dealing with an audit by connecting directly where the evidence lives and focusing on security.


Corey: That sound you hear is Pandora’s Box creaking open because back before I started focusing on AWS bills, I spent a few months doing a deep dive PCI project for workloads going into AWS because previously I’ve worked in regulated industries a fair bit. I’ve been a SOC 2 control owner, I’ve gone through the PCI process multiple times, I’ve dabbled with HIPAA as a consultant. And I thought, “Huh, there might be a business need here.” And it turns out, yeah, there really is.


The problem for me is that the work made me want to die. I found it depressing; it was dull; it was a whole lot of hurry up and wait. And that didn’t align with how I approach the world, so I immediately got the hell out of there. You apparently have a better perspective on, you know, delivering things companies need and don’t need to have constant novel entertainment every 30 seconds. So, how did you start down this path, and what set you on this road?


AJ: Yeah, great question. I started in the army as an information security officer, worked in a variety of different capacities. And when I left the military—mainly because I didn’t like sleeping outside anymore—I got into cybersecurity compliance consulting. And that’s where I got first into compliance and seeing the backwards way that we would do things with old document requests and screenshots. And I enjoyed the process because there was a reason for it, like you said.


There’s a business value to this, going through these compliance assessments. So, I knew they were important, but I hated the way we were doing it. And while there, I just got exposed to so many companies that had to go through this, and I just thought there was a better way. Like, typical entrepreneur story, right? You see a problem and you’re like, “There has to be a better way than grabbing screenshots of the EC2 console.” And set out to build a product to do that, to just solve that problem that I saw on a regular basis. And I tell people all the time, I was complicit in making compliance stuff before. I was in that role and doing the things that I think sucked and not focused on security. And that’s what we’re solving here at ByteChek.


Corey: So, I’ve dabbled in it and sort of recoiled in horror. You’ve gone into this to the point where you are not only handling it for customers but in order to build software that goes in a positive direction, you have to be deeply steeped in this yourself. As you’re going down this process, what was your build process like? Were you talking to auditors? Were you talking to companies who had to deal with auditors? What aspects of the problem did you approach this from?


AJ: It’s really both aspects. And that’s where I think it’s just a really unique perspective I have because I’ve talked with a lot of auditors; I was an auditor and worked with auditors’ hand-in-hand and I understood the challenges of being an auditor, and the speed that you have to move when you’re in the consulting industry. But I also talked to a lot of customers because those were the people I dealt with on a regular basis, both from a sales perspective and from, you know, sitting there with the CTOs trying to figure out how to design a secure solution in AWS. So, I took it from the approach of you can’t automate compliance; you can’t fix the audit problem by only focusing on one side of the table, which is what currently happens where one side of the table is the client, then you get to automate evidence collection. But if the auditors can’t use that information that you’ve automated, then it’s still a bad process for both people. So, I took the approach of thinking about this from both, “How do I make this easier for auditors but also make it easier for the clients that are forced to undergo these audits?”


Corey: From a lot of perspectives, having compliance achieved, regardless of whether it’s PCI, whether it’s HIPAA, whether it’s SOC 2, et cetera, et cetera, et cetera, the reason that companies go through it is that it’s an attestation that they are, for better or worse, doing the right things. In some cases, it’s a requirement to operate in a regulated industry. In other cases, it’s required to process credit card transactions, which is kind of every industry, and in still others, it’s an easy shorthand way of saying that we’re not complete rank amateurs at these things, so as a result, we’re going to just pass over the result of our most recent SOC 2 audit to our prospective client, and suddenly, their security folks can relax and not send over weeks of questionnaires on the security front. That means that, for some folks, this is more or less a box-checking exercise rather than an actual good-faith effort to improve processes and posture.


AJ: Correct. And I think that’s actually the problem with compliance is it’s looked at as a check-the-box exercise, and that’s why there’s no security value out of it. That’s why you can pick up a SOC 2 report for someone that’s hosted on AWS, and you don’t see any mention of S3 buckets. You can do a ctrl+F, and you literally don’t see anything in a security evaluation about S3 buckets, which is just insane if you know anything about security on AWS. And I think it’s because of what you just described, Corey; they’re often asked to do this by a regulator, or by a customer, or by a vendor, and the result is, “Hurry up and get this report so that we can close this deal,”—or we can get to the next level with this customer, or with this investor, whatever it may be—instead of, let’s go through this, let’s have an auditor come in and look at our environment to improve it, to improve this security, which is where I hope the industry can get to because audits aren’t going anywhere; people are going to continue to do them and spend thousands of dollars on them, so there should be some security value out of them, in my opinion.


Corey: I love using encrypting data at rest as an example of things that make varying amounts of sense because, sure, on your company laptops, if someone steals an employee’s laptop from a coffee shop, or from the back of their car one night, yeah, you kind of want the exposure to the company to be limited to replacing the hardware. I mean, even here at The Duckbill Group, where we are not regulated, we’ve gone through no formal audits, we do have controls in place to ensure that all company laptops have disk encryption turned on. It makes sense from that perspective. And in the data center, it was also important because there were a few notable heists where someone either improperly disposed drives and corporate data wound up on eBay or someone in one notable instance drove a truck through the side of the data center wall, pulled a rack into the bed of the truck and took off, which is kind of impressive [laugh] no matter how you slice it. But in the context of a hyperscale cloud provider like AWS, you’re not going to be able to break into their data centers, steal a drive—and of course, it has to be the right collection of drives and the right machines—and then find out how to wind up reassembling that data later.


It’s just not a viable attack strategy. Now, you can spend days arguing with auditors around something like that, or you can check the box ‘encrypt at rest’ and move on. And very often, that is the better path. I’m not going to argue with auditors about that. I’m going to bend the knee, check the box, and get back to doing the business thing that I care about. That is a reasonable approach, is it not?


AJ: It is, but I think that’s the fault of the auditor because good security requires context. You can’t just apply a standard set of controls to every organization, as you’re describing, where I would much rather the auditor care about, “Are there any public S3 buckets? What is the security group situation like on that account? How are they managing their users? How are they storing credentials there in the cloud environment as well?


Are they using multiple accounts?” So, many other things to care about other than protecting whether or not someone will be able to pull off the heist of the [laugh] 21st century. So, I think from a customer perspective, it’s the right model: don’t waste time arguing points with your auditors, but on the flip side, find an auditor that has more technical knowledge that can understand context, because security work requires good context and audits require context. And that’s the problem with audits now; we’re using one framework or several frameworks to apply to every organization. And I’ve been in the consulting space, like you, Corey, for a while. I have not seen the same environment in any customers. Every customer is different. Every customer has a different setup, so it doesn’t make sense to say every control should apply to every company.


Corey: And it feels on some level like you wind up getting staff accustomed to treating it as a box-checking exercise. “Right, it’s dumb that we wind up having to encrypt S3 buckets, but it’s for the audit to just check the box and move on.” So, people do it, then they move on to the next item, which is, “Okay, great. Are there any public S3 buckets?” And they treat it with the same, “Yeah, whatever. It’s for the audit,” box-checking approach? No, no, that one’s actually serious. You should invest significant effort and time into making sure that it’s right.


AJ: Exactly. Exactly. And that’s where the value of a true compliance assessment that is focused on security comes into play because it’s no longer about checking the box, it’s like, “Hey, there’s a weakness here. A weakness that you probably should have identified. So, let’s go fix the weakness, but let’s talk about your process to find those weaknesses and then hopefully use some automation to remediate them.”


Because a lot of the issues in the cloud you can trace back to why was there not a control in place to prevent this or detect this? And it’s sad that compliance assessments are not the thing that can catch those, that are not the other safeguard in place to identify those. And it’s because we are treating the entire thing like a check-the-box exercise and not pulling out those items that really matter, and that’s just focusing on security. Which is ultimately what these compliance reports are proving: customers are asking for these reports because they want to know if their data is going to be secure. And that’s what the report is supposed to do, but on the flip side, everyone knows the organization may not be taking it that serious, and they may be treating it like a check-the-box exercise.


Corey: So, while I have you here, we’ll divert for a minute because I’m legitimately curious about this one. At a scale of legitimate security concern to, “This is a check-the-box exercise,” where do things like rotating passwords every 60 days or rotating IAM credentials every 90 days fall?


AJ: I think it again depends on the organization. I don’t think that you need to rotate passwords regularly, personally. I don’t know how strong of a control that is if people are doing that, because they’re just going to start to make things up that are easy—


Corey: Put the number at the end and increment by one every time. Great. Good work.


AJ: Yep. So, I think again, it just depends on your organization and what the organization is doing. If you’re talking about managing IAM access keys and rotating those, are your engineers even using the CLI? Are they using their access keys? Because if they’re not, what are you rotating?


You’re just rotating [laugh] stale keys that have never been used. Or if you don’t even have any IAM users, maybe you’re using SSO and they’re all using Okta or something else and they’re using an IAM role to come in there. So, it’s just—again, it’s context. And I think the problem is, a lot of folks don’t understand AWS or they don’t understand the cloud. And when I say, folks, I mean auditors.


They don’t understand that, so they’re just going to ask for everything. “Did you rotate your passwords? Did you do this? Did you do that?” And it may not even make sense for you based off of your environment, but again, is it worth the fight with the auditor, or do you just give them whatever they want and so you can go about your way, whether or not it’s a legit security concern?


Corey: Yeah. At some point, it’s not worth fighting with auditors, but if you find yourself wanting to fight the auditor all the time, at some level, you start to really resent the auditor that you have. To put that slightly more succinctly, how do you deal with non-technical auditors who don’t understand your environment—what they’re looking at—without strangling them?


AJ: Great question. I think it goes back to before you hire your auditor. Oftentimes, in the sales process, there are questions around, “Who’s come from the Big Four on your staff?” Or, “What control frameworks do you all specialize in?” Or, “How long will this take? How much will it cost?” But there’s very rarely any question of, “Who on your staff knows AWS?”


And it’s similar to going to the doctor: you wouldn't go to an eye doctor to get foot surgery. So, you shouldn’t go to an auditor who has never seen AWS, that doesn’t know what EC2 is, to evaluate your AWS environment. So, I think organizations have to start asking the right questions during the sales process. And it’s not about price or time or anything like that when you’re assessing who you’re going to work with from an auditing firm. It’s, are they qualified to actually evaluate the threats facing your organization so that you don’t get asked the stupid question.


If you’re hosted on AWS, you shouldn’t be getting asked where are your firewall configurations. They should understand what security groups are and how they work. So, there’s just a level of knowledge that should be expected from the organization side. And I would say, if you’re working with a current auditor that you’re having those issues with, continue to ask the hard questions. Auditors that are not technical—I have a blog post on our website, and it says this is the section your auditors are the most scared of, and it’s the logical access section of your SOC 2 report.


And auditors that are not technical run away from that section. So, just keep asking the hard questions, and they’ll either have to get the knowledge or they realize they’re not qualified to do the assessment and the marriage will split up kind of naturally from there. But I think it goes back to the initial process of getting your auditor. Don’t worry about cost or time, worry about their technical skills and if they’re qualified to assess your environment.


Corey: And in 2021, that’s a very different story than it was the first few times I encountered auditors discovering the new era. At a startup, the auditor shows up. “Great, how do we get access to your Active Directory?” “Yeah, we don’t have one of those.” “Okay, how do we get on the internet here?” “Oh, here’s the wireless password.” “Wait, there’s not a separate guest network?” “That’s right.” “Well, now I have privileged access because I’m on your network.”


It’s like, “Technically, that’s true because if you weren’t on this network, you wouldn’t be able to print to that printer over there in the corner. But that’s the only thing that it lets you do.” Everything else is identity-based, not IP address allow listing, so instead, it’s purely just convenience to get the internet; you’re about as privileged on this network as you would be at a Starbucks half a world away. And they look at you like you’re an idiot. And that should have been the early warning sign that this was not going to be a typical audit conversation. Now, though in 2021, it feels like it’s time to find a new auditor.


AJ: Exactly. Yeah. Especially because organizations—unfortunately, last year security budgets were some of the things that were first cut when budgets were cut due to the global pandemic, so—


Corey: Well, I’m sure that’ll have no lasting repercussions.


AJ: Right. [laugh]. That’s always a great decision. So compliance, that means compliance budgets have been significantly slashed because that’s the first thing that gets cut is spending money on compliance activities. So, the cheaper option, oftentimes, is going to mean even less technical resources.


Which is why I don’t think manual audits, human audits are going to be a thing moving forward. I think companies are realizing that it doesn’t make sense to go through a process, hire an auditor who’s selling you on all this technical expertise, and then the staff that’s showing up and assigned to your project has never seen inside the AWS console and truly doesn’t even know what the cloud is. They think that iCloud on their phone is the only cloud that they’re familiar with. And that’s what happens; organizations are sold that they’re going to get cybersecurity technical experts from these human auditors and then somebody shows up without that experience or expertise. So, you have to start to rely on tools, rely on technologies, and that can be native technologies in the cloud or third-party tools.


But I don’t think you can actually do a good audit in the cloud manually anyways, no matter how technical you are. I know a lot about AWS but I still couldn’t do a great audit by myself in the cloud because auditing is time-based, you bill by the hour and it doesn’t make sense for me to do all of those manual things that tools and technologies out there exist to do for us.


Corey: So, you started a software company aimed at this problem, not an auditing firm and not a consulting company. How are you solving this via the magic of writing code?


AJ: It’s just connecting directly where the evidence lives. So, for AWS, I actually tried to do this in a non-software way prior, when I was just a typical auditor, and I was just asking our clients to provision us cross-account access to go in their environment with some security permissions to get evidence directly. And that didn’t pass the sniff test at my consulting firm, even though some of the clients were open to it. But we built software to go out to the tools where the evidence directly lives and continuously assess the environment. So, that’s AWS, that’s GitHub, that’s Jira, that’s all of the different tools where you normally collect this evidence, and instead of having to prove to auditors in a very manual fashion, by grabbing screenshots, you just simply connect using APIs to get the evidence directly from the source, which is more technically accurate.


The way that auditing has been done in the past is using sampling methodologies and all these other outdated things, but that doesn’t really assess if all of your data stores are configured in the right way; if you’re actually backing up your data. It’s me randomly picking one and saying, “Yes, you’re good to go.” So, we connect directly where the evidence lives and hopefully get to a point where when you get a SOC 2 report, you know that a tool checked it. So, you know that the tool went out and looked at every single data store, or they went out and looked at every single EC2 instance, or security group, whatever it may be, and it wasn’t dependent on how the auditor felt that day.


Corey: This episode is sponsored in part by ChaosSearch. As basically everyone knows, trying to do log analytics at scale with an ELK stack is expensive, unstable, time-sucking, demeaning, and just basically all-around horrible. So why are you still doing it—or even thinking about it—when there’s ChaosSearch? ChaosSearch is a fully managed scalable log analysis service that lets you add new workloads in minutes, and easily retain weeks, months, or years of data. With ChaosSearch you store, connect, and analyze and you’re done. The data lives and stays within your S3 buckets, which means no managing servers, no data movement, and you can save up to 80 percent versus running an ELK stack the old-fashioned way. It’s why companies like Equifax, HubSpot, Klarna, Alert Logic, and many more have all turned to ChaosSearch. So if you’re tired of your ELK stacks falling over before it suffers, or of having your log analytics data retention squeezed by the cost, then try ChaosSearch today and tell them I sent you. To learn more, visit chaossearch.io.


Corey: That sounds like it is almost too good to be true. And at first, my immediate response is, “This is amazing,” followed immediately by that’s transitioning into anger, that, “Why isn’t this a native thing that everyone offers?” I mean, to that end, AWS announced ‘Audit Manager’ recently, which I haven’t had the opportunity to dive into in any deep sense yet, because it’s still brand new, and they decided to release it alongside 15,000 other things, but does that start getting a little bit closer to something companies need? Or is it a typical day-one first release of an Amazon service where, “Well, at least we know the direction you’re heading in. We’ll check back in two years.”


AJ: Exactly. It’s the day-one Amazon service release where, “Okay. AWS is getting into the audit space. That’s good to know.” But right now, at its core, that AWS service, it’s just not usable for audits, for several reasons.


One, auditors cannot read the outputs of the information from Audit Manager. And it goes back to the earlier point where you can’t automate compliance, you can’t fix compliance if the auditors can’t use the information because then they’re going to go back to asking dumb questions and dumb evidence requests if they don’t understand the information coming out of it. And it’s just because of the output right now is a dump of JSON, essentially, in a Word document, for some strange reason.


Corey: Okay, that is the perfect example right there of two worlds colliding. It’s like, “Well, we’re going to put JSON out of it because that’s the language developers speak. Well, what do auditors prefer?” “I don’t know, Microsoft Word?” “Okay, sounds good.” Even Microsoft Excel is a better answer than [laugh] that. And that is just… okay, that is just Looney Tunes awful.


AJ: Yep. Yeah, exactly. And that’s one problem. The other problem is, Audit Manager requires a compliance manager. If we think about that tool, a developer is not going to use Audit Manager; it’s going to be somebody responsible for compliance.


It requires them to go manually select every service that their company is using. A compliance manager, one, doesn’t even know what the services are; they have no clue what some of these services are, two, how are they going to know if you’re using Lambda randomly somewhere or, or a Systems Manager randomly somewhere, or Elastic Beanstalk’s in one account or one region. Config here, config—they have to just go through and manually—and I’m like, “Well, that doesn’t make any sense because AWS knows what services you’re using. Why not just already have those selected and you pull those in scope?” So, the chances of something being excluded are extremely high because it’s a really manual process for users to decide what are they actually assessing.


And then lastly, the frameworks need a lot of work. Auditing is complex because there are standards or regulations and all of that, and there’s just a gap between what AWS has listed as a service that addresses a particular control that—there were a few times where I looked at Audit Manager and I had no clue what they were mapping to and why they’re mapping. So, it’s a typical day-one service; it has some gaps, but I like the direction it’s going. I like the idea that an organization can go into their AWS console, hit to a dashboard, and say, “Am I meeting SOC 2?” Or, “Am I meeting PCI?” I feel like this is a long time coming. I think you probably could have done it with Security Hub with less automation; you have to do some manual uploads there, but the long answer to say it has a long way to go there, Corey.


Corey: I heard a couple of horror stories of, “Oh, my god, it’s charging me $300 a day and I can’t turn it off,” when it first launched. I assume that’s been fixed by now because the screaming has stopped. I have to assume it was. But it was gnarly and surprising people with bills. And surprising people with things labeled ‘audit’ is never a great plan.


AJ: Right. Yeah, the pricing was a little ridiculous as well. And I didn’t really understand the pricing model. But that’s typical of a new AWS service, I never really understand. That’s why I’m glad that you exist because I’m always confused at first about why things cost so much, but then if you give it some time, it starts to make a little bit more sense.


Corey: Exactly. The first time you see a new pricing dimension, it’s novel and exciting and more than a little scary, and you dive into it. But then it’s just pattern recognition. It’s, “Oh, it’s one of these things again. Great.” It’s why it lends itself to a consulting story.


So, you were in the army for a while. And as you mentioned, you got tired of sleeping on the ground, so you went into corporate life. And you were at a national cybersecurity professional services firm for a while. What was it that finally made you, I guess, snap for lack of a better term and, “I’m going to start my own thing?” Because in my case, it was, “Well, okay. I get fired an awful lot. Maybe I should try setting out my own shingle because I really don’t have another great option.” I don’t get the sense, given your resume and pedigree, that that was your situation?


AJ: Not quite. I, surprisingly, don’t do well with authority. So, a little bit I like to challenge things and question the norm often, which got me in trouble in the military, definitely got me in trouble in corporate life. But for me it was, I wanted to change; I wanted to innovate. I just kept seeing that there was a problem with what we were doing and how we were doing it, and I didn’t feel like I had the ability to innovate.


Innovating in a professional services firm is updating a Google Sheet, or adding a new Google Form and sending that off to a client. That’s not really the innovation that I was looking to do. And I realized that if I wanted to create something that was going to solve this problem, I could go join one of the many startups out there that are out there trying to solve this problem, or I could just try to go do it myself and leverage my experience. And two worlds collided as far as timing and opportunity where I financially was in a position to take a chance like this, and I had the knowledge that I finally think I needed to feel comfortable going out on my own and just made the decision. I’m a pretty decisive person, and I decided that I was going to do it and just went with it.


And that’s despite going about this during the global pandemic, which presented its own challenges last year in getting this off the ground. But it was really—I collected a bunch of knowledge. I realized, maybe, two and a half years ago, actually, that I wanted to start my own business in this space, but I didn’t know what I wanted to do just yet. I knew I wanted to do software, I didn’t know how I wanted to do it, I didn’t know how I was going to make it work. But I just decided to take my time and learn as much as I can.


And once I felt like I acquired enough knowledge and there was really nothing else I could gain from not doing this on my own, and I knew I wasn’t going to go join a startup to join them on this journey, it was a no-brainer just to pull the trigger.


Corey: It seems to have worked out for you. I’m starting to see you folks crop up from time to time; things seem to be going well. How big are you?


AJ: Yeah, we’re doing well. We have a team of seven of us now, which is crazy to think about because I remember when it was just me and my co-founder staring at each other on Zoom every day and wondering if there was ever going to be anybody else on these [laugh] calls and talking to us. But it’s going really well. We have early customers that are happy and that’s all that I can ask for, and they’re not just happy silently; they’re being really public about being happy about the platform, and about the process. And just working with people that get it, and we’re building a lot of momentum.


I’m having a lot of fun on LinkedIn and doing a lot of marketing efforts there as well. So, it’s been going well; it’s been actually going better than expected, surprisingly, which, I don’t know, I’m a pretty optimistic entrepreneur and I thought things would go well, but it’s much better than expected, which means I’m sleeping a lot less than I expected, as well.


Corey: Yeah, at some point, when you find yourself on the startup train, it’s one of those, “Oh, yeah. That’s right. My health is in the gutter, my relationships are starting to implode around me.” Balance is key. And I think that that is something that we don’t talk about enough in this world.


There are periodically horrible tweets about how you should wind up focusing on your company, that it should be the all-consuming thing that drives you at all hours of the day. And you check and, “Oh, who made that observation on Twitter? Oh, it’s a VC.” And then you investigate the VC and, huh, “You should only have one serious bet, it should be your all-consuming passion,” says someone who’s invested in a wide variety of different companies all at the same time, in the hopes that one of them succeeds. Huh.


Almost like this person isn’t taking the advice they’re giving themselves and is incentivized to give that advice to others. Huh, how about that? And I know that’s a cynical take, but it continues to annoy me when I see it. Where do you stand on the balance side of the equation?


AJ: Yeah, I think balance is key. I work a lot, but I rest a lot too. And I spend—I really hold my mornings as my kind of sacred place, and I spend my mornings meditating, doing yoga, working out, and really just giving back to myself. And I encourage my team to do the same. And we don’t just encourage it from just a, “Hey, you guys should do this,” but I talk to my team a lot about not taking ourselves too seriously.


It’s our number one core value. It’s why our slogan is ‘make compliance suck less’ because it’s really my military background. We’re not being shot at; we’re sleeping at home every night. And while compliance and cybersecurity, it’s really important, and we’re protecting really important things, it’s not that serious to go all-in and to not have balance, and not to take time off not to relax. I mean, a part of what we do at ByteChek is we have a 10% rule, which means 10% of the week, I encourage my team to spend it on themselves, whether that’s doing meditation, going to take a nap.


And these are work hours; you know, go out, play golf. I spent my 10% this morning playing golf during work hours. And I encourage all my team, every single week, spend four hours dedicated to yourself because there’s nothing that we will be able to do as a company without the people here being correct and being mentally okay. And that’s something that I learned a long time ago in the military. You spend a year away from home and you start to really realize what’s important.


And it’s not your job. And that’s the thing. We hire a lot of veterans here because of my veteran background, and I tell all the vets that come here when you’re in the military, your job, your rank, and your day-to-day work is your identity. It’s who you are. You’re a Marine or you’re a Soldier, or you’re a Sailor; you’re an Airman if that’s a bad choice that you made. Sorry for my Air Force guys.


Corey: Well, now there’s a Spaceman story as well, I’m told. But I don’t know if they call them spacemen or not, but remember, there’s a new branch to consider. And we can’t forget the Coast Guard either.


AJ: If they don’t call themselves Spacemen, that is their name from now on. We just made it, today. If I ever meet somebody in the Space Force, [laugh] I’m calling them the Spacemen. That is amazing. But I tell our interns that we bring from the military, you have to strip that away.


You have to become an individual because ByteChek is not your identity. And it won’t be your identity. And ByteChek’s not my identity. It’s something that I’m doing, and I am optimistic that it’s going to work out and I really hope that it does. But if it doesn’t, I’m going to be all right; my team is going to be all right and we’re going to all continue to go on.


And we just try to live that out every day because there’s so many more important things going on in this world other than cybersecurity compliance, so we really shouldn’t take ourselves too seriously. And that advice of just grinding it out, and that should be your only focus, that’s only a recipe for disaster, in my opinion.


Corey: AJ, thank you so much for taking the time to speak with me. If people want to hear more about what you have to say, where can they find you?


AJ: They can find me on LinkedIn. That’s my one spot that I’m currently on. I am going to pop on Twitter here pretty soon. I don’t know when, but probably in the next few weeks or so. I’ve been encouraged by a lot of folks to join the tech community on Twitter, so I’ll be there soon.


But right now they can find me on LinkedIn. I give four hours back a week to mentoring, so if you hear this and you want to reach out, you want to chat with me, send me a message and I will send you a link to find time on my calendar to meet. I spend four hours every Friday mentoring, so I’m open to chat and help anyone. And when you see me on LinkedIn, you’ll see me talking about diversity in cybersecurity because I think really the only way you can solve a cybersecurity skills shortage is by hiring more diverse individuals. So, come find me there, engage with me, talk to me; I’m a very open person and I like to meet new people. And that’s where you can find me.


Corey: Excellent. And we’ll of course throw a link to your LinkedIn profile in the [show notes 00:29:44]. Thank you so much for taking the time to speak with me. It’s really appreciated.


AJ: Yeah, definitely. Thank you, Corey. This is kind of like a dream come true to be on this podcast that I’ve listened to a lot and talk about something that I’m passionate about. So, thanks for the opportunity.


Corey: AJ Yawn, CEO and co-founder of ByteChek. I’m Cloud Economist Corey Quinn and this is Screaming in the Cloud. If you’ve enjoyed this podcast, please leave a five-star review on your podcast platform of choice, whereas if you hated this podcast, please leave a five-star review on your podcast platform of choice along with a comment that’s embedded inside of a Word document.


Announcer: This has been this week’s episode of Screaming in the Cloud. You can also find more Corey at screaminginthecloud.com, or wherever fine snark is sold.


This has been a HumblePod production. Stay humble.