Chuck Yates Got A Job

Running data security for Candy Crush during a pandemic turns out to be solid training for almost anything, and Sam Texas brought that hard-earned paranoia to Collide. From flipping thrift store suits on eBay to keeping the world's biggest mobile game alive from Sweden, his road to oil and gas was anything but typical. He breaks down defense in depth, SOC2, and why locking down AI inside a company becomes its own arms race once the machines start fighting the machines.


00:00  The Candy Crush guy comes to Houston
02:07  eBay suits, semiconductors, and a detour to Sweden
04:50  How a LinkedIn DM turned into Collide
07:13  Going all in on Claude and chasing SOC2
09:40  Security explained, Fort Knox style
12:42  What's set in stone, what's in flux
14:29  The AI versus AI arms race
15:04  The Mythos model and real reasons to pay attention
16:32  Big brother advice for adopting AI safely
20:00  Data exfiltration and what keeps him up at night
22:30  The next 30 to 60 days at Collide
24:39  Securing the bleeding edge for an industry that skipped SaaS

What is Chuck Yates Got A Job?

Welcome to Chuck Yates Got A Job with Chuck Yates. You've now found your dysfunctional life coach, the Investor Formerly known as Prominent Businessman Chuck Yates. What's not to learn from the self-proclaimed Galactic Viceroy, who was publicly canned from a prominent private equity firm, has had enough therapy to quote Brene Brown chapter and verse and spends most days embarrassing himself on Energy Finance Twitter as @Nimblephatty.

00;00;01;05 - 00;00;40;28
Unknown
Slow to do what he feels like. I will do this very fast for this work. Thank you. Pay in dreams and, take my name. All right, so I'm out there talking every day to oil and gas companies. Never thought I'd be a software salesman, but I think I've become actually a decent one and all that. One of the things you guys do is you go through the team and I talk about what an impressive team we've got 25 employees I, I engineer from Microsoft, AWS and all this.

00;00;41;00 - 00;01;03;29
Unknown
The without question, the home run of the team is when I say, and we got the guy that ran data security at Candy Crush. You got the Candy Crush guy? The candy. Yeah. I, I never thought that would be like my my claim to fame coming back to Houston, but here we are. I mean, you need a hype agent.

00;01;04;00 - 00;01;24;27
Unknown
I'm gonna get high paid. Look, and I'll I'll. I'll take all the hype I can get, but. Yeah. I ran a couple of teams, at Candy Crush with the parent company King, and, it was a trip. I mean, you wouldn't believe how much infrastructure it takes to run a mobile phone game like that, but it's a lot.

00;01;25;00 - 00;01;44;09
Unknown
And I mean, everybody tried to hack it, right? I mean, yeah, I mean, it's like Covid hit it. Got a second lease on life. It was already several years old then and during Covid. Nothing to do but sit on the couch and watch the wall. So people went back to Candy Crush and, yeah, everyone wanted free games and gaming, the levels and things like that.

00;01;44;09 - 00;02;07;18
Unknown
So it was it became a bit of, some security theater, some stuff. We didn't know what was happening, and we said we protected and then other things. Definitely. We had to, you know, address a lot of inbound because the whole world went online at the same time. Right? Yeah. Interesting. They, Okay, we'll do this real quick for mom because she's fascinated by the Candy Crush guy.

00;02;07;20 - 00;02;29;13
Unknown
And thank you for, having my mom smile favorably at me, you know, because it is. Walk me through real quick how you got to Candy Crush, and then we'll walk through how we found you. Yeah. So? So, I mean, you know, I, I'm from Houston, originally, went to high school just out here on the other side of the reservoir.

00;02;29;13 - 00;02;50;08
Unknown
And, Langham Creek had a great computer science teacher at the time. That's kind of what kicked off everything for me in the, you know, mid to late 90s. I graduated high school in 96. And, caught the dotcom bubble. Just dumb luck and, you know, got it. Enrolled at university, started an eBay store at home, decided the eBay store was better.

00;02;50;08 - 00;03;13;19
Unknown
So I dropped out. And for a long time I was making more money than any 19 year old should have been making. Got into semiconductors. Tell me something. You were selling high store or can you know. Yeah, yeah, yeah, I was I was, sorry about you. The limitations, I'm sure, is, but like, like many people who grew up in Texas, you know, I got drug around to thrift stores and garage sales by my mom.

00;03;13;21 - 00;03;31;27
Unknown
And so we'd go into thrift stores finding old men's suits, designer labels and things like that, pulling them out. And you could buy a suit for five in the thrift store and flip it for a hundred at the time on, on eBay. Oh, wow. It was wild. Wild. And so I just scaled that up, built some software to automate my process.

00;03;31;27 - 00;03;57;01
Unknown
If I was smart, I would have sold the software, but I was just using it to buy more and more and flip more and more suits. And this was like mid to late 90s. Went to work in a semiconductor company for a while. That's when I got my first taste of like corporate IT. That was fun. Ended up down in South Florida, caught the e-commerce wave, one of the first medical supply companies doing, Google AdWords.

00;03;57;04 - 00;04;26;23
Unknown
And so, you know, me and a bunch of guys were out of warehouses down there in Boca Raton doing that. Took a detour in advertising for a few years, ended up in Sweden several years later. Medical, like medical startup with IoT and Bluetooth devices, things of that nature. And then one day I got the call from Candy Crush, and they poached me away and had a, you know, I went from I went from medical devices to mobile games and, much closer to my DNA, let's say.

00;04;26;25 - 00;04;49;29
Unknown
And so that was a fun couple of years, but it was during the pandemic. So everyone was at home. I was in Sweden, just sort of in Zoom calls and keeping Candy Crush alive on the back end, which you wouldn't believe. It's at the time, two data centers, fully redundant, thousands of servers. I mean, it's a huge amount of infrastructure to keep the world's most popular casual mobile game alive.

00;04;50;02 - 00;05;14;14
Unknown
But, I bet, and then how did we find you? Well, I found you. So what was it, 20, 20, 24? I think at some point, you know, I was just, you know, doomscrolling on on LinkedIn or Instagram or something, and I saw that there was this oil and gas podcast, but the production value was way too good to be Houston.

00;05;14;16 - 00;05;30;06
Unknown
I was like, why does the picture look so good? Why does this sound so good? And who's this personality? And, no, I think you were in there and I saw some of the other, shows that were being produced, and, like, this is really good stuff. And I'm not from oil and gas, but it sparked my curiosity.

00;05;30;06 - 00;05;46;18
Unknown
And so I went down the rabbit hole and, you know, who's this guy that needs a job? What's the story there? And, so I found Chuck and I DM'd you on LinkedIn, and I was like, hey, man, I heard one of your podcasts. You're looking for a CTO. I might be looking for a job. Like, what's the what's the deal you handed me off to?

00;05;46;18 - 00;06;08;10
Unknown
To Colin. Right. And Colin, I hit it off. He was like a brother from another mother. And I think 3 or 4 days later, I was on a plane back here in Houston to meet the team. And didn't quite mesh up at the time. But like a year later, you know, I joined here as as, like, doing, you know, I stuff and, and sort of being one of the grown ups in the room, so.

00;06;08;12 - 00;06;30;29
Unknown
Yeah. Knows the, funniest thing because I remember you come in and, and one of the things about being, like, the old guy and having a professional career dealing with young people that maybe haven't been in the corporate world, Colin was so proud of himself, man, we're going to get this guy because we're going to take him to Torchy's Tacos.

00;06;31;01 - 00;06;48;13
Unknown
Sure. All right. So sorry you missed out on, like, a fancy Uchi meal with a nice bottle of, Cabernet or something. But, yeah, I, to be honest, I spent so long in Sweden that, like any, like, Torchy's may not be proper Tex-Mex to a lot of people, but to me, at the time, it was a great homecoming.

00;06;48;13 - 00;07;13;27
Unknown
There you go. So very much appreciated. Okay, so you came to came to join us, tell us what you did initially, but then, I mean, we've kind of made you you had a data security these days. And so I want to spend some time there. Yeah. Yeah. Well I mean, well, I joined in October and then it was a speedrun to get I think everyone sort of aligned on what are we doing with AI internally right there.

00;07;13;28 - 00;07;48;06
Unknown
Collide had pivoted out of being this Digital Wildcatters media company, and there was a lot of AI going on inside of the office. We had Cursor. We had this, we had that, and it, made it kind of more of an executive decision to say, no, we're going to, converge on using Claude. And during that, you know, the month of November, we got everyone in the company onboarded to using Claude, Claude Code and I couldn't imagine it would have been so successful.

00;07;48;08 - 00;08;21;25
Unknown
But our PhDs took that and ran, and our developers have taken that, too, and just run with it where, you know, we're our output has been phenomenal. And then during the course of that, you know, I think me and some of the other more senior developers had said, look, the the road here, as you interface with these larger and larger clients, especially the publicly traded ones, are you're going to hit serious regulatory blockers like these things called SOC2 security things, because they are also regulated.

00;08;21;25 - 00;08;42;18
Unknown
They have different stakeholders and it's a trust issue. And that's when we started looking at these very, you know, what do you call it? Acronym, things like, like SOC2 and ISO and, and governance frameworks. And so we, we brought that in. And it's just a way of proving that we know how to govern ourselves. We know how to set up infrastructure.

00;08;42;18 - 00;09;08;10
Unknown
We know how to maintain infrastructure such that our data is secure, our customer data is secure. And and then we do that on an ongoing basis. And so through December and to January, we chased, what's called SOC2. We, we completed that in February. And we'll continue to sort of, accrue those certifications, as time goes on and as our customers ask more of us from a data security perspective.

00;09;08;12 - 00;09;40;18
Unknown
So when I get that question, you know, how do I know my data is secure? I kind of go, well, we can roll it off in Azure. And if another question comes at me, I probably can't answer that. So so maybe maybe not CIO level discussion, maybe CEO, CFO when they ask the question how's my data secure? What should I be telling them?

00;09;40;18 - 00;09;59;23
Unknown
I I've used this before. It's kind of like, you know, Fort Knox, you know, there's there's the gate on the outside. You got to get through that gate. Then you get to the door, you've got to get through that door. There's a series of doors you always have to continually get through before you get to the gold. And it's very much the same with how we build our systems, our security.

00;10;00;00 - 00;10;17;28
Unknown
It's called defense in depth, right. There's the outside wall perimeter. That's a firewall. There's the inside wall. That's your authentication. You need your little app on your phone to get through. We have to know who you are. We have to know you have the right keys. And then at some point, we know who you are. We know where you are.

00;10;18;01 - 00;10;41;29
Unknown
It's the right time of day. Okay? You're allowed to see that data. So we just we build systems that that are continually validating who you are and what you're doing. And on top of that, when no one is accessing the data, we can guarantee you that, hey, your data is encrypted and it's lives in this place and it's never been anywhere else, and we log everything, right?

00;10;41;29 - 00;11;06;01
Unknown
You're not going to you're not going to get into a secure data center or facility without cameras seeing you, your name getting recorded. Someone's scanned your ID, and it's kind of the same thing with with the systems that we build. Gotcha. Now, now add to that answer a smattering of stuff that a CIO level person would want to hear.

00;11;06;01 - 00;11;25;09
Unknown
And I'm going to sit here and pretend like I'm understanding. So I'm going to nod a few times. Got it. Like I get it. But my actual hope is in this answer. I don't understand a word you say. Yeah, I think from a CIO they're looking for proof of trust. Like proof that they can trust us. That's the SOC2 certification.

00;11;25;11 - 00;11;50;29
Unknown
We have a framework that we follow, the SOC2 framework. That's an open standard that you can adhere to. And we go line by line and create compliance frameworks or we, we complete, we create policies and then we create code that runs against those policies. And then we validate the code that runs against those policies. And then we log the output of that code.

00;11;51;04 - 00;12;11;26
Unknown
So at every point there's this traceability that shows here's what we do, here's what we're going to do. Here's the code that does the thing. Here's the proof that shows that we've done the thing. And and again it's just this constantly logged and audited thing. And on top of that we pay for third party, vendors to do a penetration test.

00;12;11;29 - 00;12;36;00
Unknown
Hey, you're going to read. It's called Red team. You red team us. You try to break in and after you're done, show us the report. Where? Where did we win? Where did we lose? Where can we kind of discuss what might need to improve or might not? And over time, that window tightens to where the trust is established with the customer and more broadly, with the industry.

00;12;36;02 - 00;12;42;15
Unknown
So how much of this stuff is.

00;12;42;18 - 00;13;17;16
Unknown
And I'm thinking of just maybe by by an example, NFL football, I mean the rules have been pretty consistent for a while. But if you watched a game from the 70s versus today, it's totally different. And so I guess my question is kind of how much of this security in the way of framework is set in stone, if you will, and has been around for a long time versus how much is in flux.

00;13;17;16 - 00;13;39;28
Unknown
And then the follow up question is obviously going to be in a world of AI is that balance changed? Dramatically changed. So the first part, like those those frameworks are continually evaluated and updated. Okay. If you got and that's why it only lasts for a couple of years. Okay. Right. Like we can get our SOC2 or whatever.

00;13;40;00 - 00;14;05;21
Unknown
That's only good for like two years. And then we have to do it again. And we're going to be measured against the new set of standards that come. So my guess will be, you know, in a couple of years time, there's going to be a lot more stuff around this. I and what we're seeing from sort of in the wild now is that AI is a a real game changer for the the good guys and the bad guys.

00;14;05;24 - 00;14;29;08
Unknown
It used to be that it was sort of, you know, hacker, human hacker versus human protector. And now it's going to be AI versus AI. So we have automated systems that are continually and relentlessly trying to penetrate your network, trying to do phishing scams where they send a fake email, they make a fake phone call where they just become more and more sophisticated.

00;14;29;08 - 00;15;04;00
Unknown
And on the other side, we see vendors coming out with AI driven solutions to protect against those very things. And it's just an ever escalating arms race. Interesting. No, that makes sense. What's the, give me the the. We don't have to dumb it down for mother. Mom. Sally, I love you. Didn't mean to, disparage in any way, but the the whole Mythos, controversy in terms of it's so powerful, it's found all these flaws and cybersecurity explained that story to me.

00;15;04;00 - 00;15;31;09
Unknown
So as I understand it, it's an incredibly new, much larger, powerful model that, you know, it's it's a beast compared to its predecessors. I think also Anthropic has continually created a narrative, a scare tactic narrative. And if you look at their CEO, he's been out there, doing Chicken Little, making Chicken Little moments for a couple of years now.

00;15;31;11 - 00;16;01;11
Unknown
The Mythos one seems a bit more legit because of the way that they engaged industry early on, and the industry responded with their with their like, Holy smokes moment. This is this is real. I don't doubt I don't doubt that I have no reason to doubt it. And the reason I have no reason to doubt it, I can I can use our existing the ones models that we have access to, like Opus and Sonnet, and do a fair amount of damage with that.

00;16;01;14 - 00;16;32;17
Unknown
I think one thing is people haven't yet understood how powerful the existing models are today. Because Mythos comes out and I don't know how they're going to, if, if ever they will release it to the public. I think probably right now it's too expensive for Anthropic to release it to everyone. It probably takes a phenomenal amount of compute, but having run Opus against our own, infrastructure and network, it's incredibly powerful.

00;16;32;17 - 00;17;07;02
Unknown
It finds a lot of things that we can improve. So it I think there's legitimate reason to be aware of it. There's a legitimate reason to follow it and put it on your radar, if that is, if you have a security concern, if there if there was some friendly older brother advice you could share with, with our clients, what what do they need to be thinking about if if they're bringing AI into the organization and they're not doing it with a clear strategic point of view?

00;17;07;04 - 00;17;26;06
Unknown
One thing we've seen is a lot of them, it comes up from up high. It's a mandate. They sprinkle some AI on the on the people and and hope for the best. I think there's a potential for a real security problem internally. And that's not chicken little stuff. People get excited. Give me a specific example of that.

00;17;26;06 - 00;17;46;17
Unknown
And it can and it can be a hypothetical. But just take it take it down to a detailed level. Yeah. So, you know, developers are an eager group. They're going to they have VS Code. They have their, you know, their tools. And you put AI, you embed AI in the tool, and then the AI says, oh, hey, welcome. I'm okay.

00;17;46;17 - 00;18;15;22
Unknown
Yeah. Let's build the thing. I'm going to go include all of these libraries. I'm going to go include all of these other resources. Now the unsavory black cats are targeting that. And so there's been multiple occurrences of malware being imported directly into the organization through VS Code plugins, through basically software plugins and through Claude plugins. And no one is auditing this.

00;18;15;24 - 00;18;41;17
Unknown
There's there's no most people don't have automated systems to to validate what developers are just blindly including on their machines. And it's hard to blame the developers because they haven't had the training. They haven't had that awareness training. And it's it's so new and it's moving so quickly. But that is a very real threat, which is why internally, like here at Collide, we take a more measured approach to that.

00;18;41;17 - 00;19;04;28
Unknown
We're aware of it. You know, we discuss it often. It's it's kind of top of mind at lunch and other times. And, so we have a fixed set of libraries that we trust that we've validated ourselves, that get included continually. And when we want to include more or new things, it becomes a documented discussion. Hey, there's this new cool thing.

00;19;04;28 - 00;19;33;22
Unknown
Okay, great. Sam and John and the the, the ones who have their mind on that are looking at it and validating it. And if we bless it, then it, then it enters the sort of realm of possibility for the rest of the org. So that's the big brother advice is like, you need some form of governance around how how people kind of play with the new toys, because this can be incredibly dangerous, especially for the developers who have the keys to the data kingdom internally.

00;19;33;28 - 00;20;00;21
Unknown
Yeah, no, that's always, my kind of flippant offhand remark when we're talking about Collide and being an operating system for a company is when you write an interconnect to a database of some sort, make it a read, only one that will be the default on Collide. You know. Yeah. And maybe you'll have to get multiple people in the organization to provide permission to overwrite that.

00;20;00;26 - 00;20;26;01
Unknown
Exactly. Yeah. No, I mean, you you put this, you know, intelligent machine inside of your network. And we we joked a while ago, right. It was you can you know, we were joking like very early days with with Collide. You could ask Collide for a ketchup recipe and it would give it to you. Right. And that's one step away from saying, hey, exfiltrate all of the data out of the database and put it in a zip file.

00;20;26;04 - 00;20;53;19
Unknown
Yeah, right. And the tools are inside of a lot of these things that it can actually do that. So data exfiltration is a very real threat. If, if you're, AI is hooked up to these, to these systems and you need those guardrails in place. Yeah. Interesting. What when we're talking data security, what are we maybe talking about when we do this podcast again in 3 or 5 years?

00;20;53;22 - 00;21;18;18
Unknown
But no one's talking about today. I'm forcing you to kind of look in your crystal ball. It maybe I can phrase the question this way, too. What keeps you up at night but not others? Where we are today is people are shipping a ton of code and only looking at the final outcome, but what they don't see or understand is all of those in-between steps.

00;21;18;21 - 00;21;47;11
Unknown
And without proper observability, if you can't see all of the steps that it's doing, all of the reasoning that these smart machines are taking, it's very difficult to know if tomorrow you're going to get the same type of outcomes. And it's hard to know if in all of these in-between steps, he's not exfiltrating your data out or he's not changing, is he changing the data in between?

00;21;47;13 - 00;22;08;09
Unknown
And how do you know? How do you validate that? And I think that's something that we spend a lot of time here. At Collide, kind of validating is that if I run that query on Thursday and then I run that query on Friday, did I get the same results? Because these LLMs are non-deterministic and tool calling and all of that.

00;22;08;11 - 00;22;29;28
Unknown
There's a lot of things that stack in a way that no longer means that a piece of software takes you from A to B directly. You get routed through a lot of different decisions that the machine is doing it on its own. So it's how do we continually guide that decision in a way that, it is predictable and that we can trust?

00;22;30;00 - 00;22;59;05
Unknown
Yeah. Interesting. So what are you working on in the next kind of 30 to 60 days? What's kind of your big focus around here? Right now? Our big focus is applying all these security principles to all of the production software code. All of the pilots that we run, any, any code that kind of comes inside the company, we are using a lot of governance layers.

00;22;59;05 - 00;23;22;15
Unknown
We're putting a lot of AIs and automated checking against that code so that there's we can guarantee that, the by the time a client comes in on, even on a pilot and they give us their data that we have this, we can provide the same guarantees of safety and security on a pilot that we would do even in a production environment.

00;23;22;17 - 00;23;43;29
Unknown
The reasoning for that is because our PhDs have been so successful at shipping pilots and so many that we just immediately saw, like, we have to get our hands around this where we've automated it. And so, you know, that's that's where we've landed is we can provide that same security layer even to what was previously out of scope projects.

00;23;44;01 - 00;24;07;24
Unknown
And so it's now kind of a default mode of operation inside the company. And just saying, oh, dude, I'm glad you joined us. Well, welcome back to Houston. Thank you. It's, it's been fantastic. I love the I mean, I missed the weather. I didn't know I'd missed being, super hot all the time. So we outrank Sweden when it comes to weather.

00;24;07;27 - 00;24;27;09
Unknown
Okay, I I'm I'm okay. Winning on food. Yeah. Weather winning too. Interesting. Wouldn't a guess that for, I guess it's really cold. Yeah. I mean, it's, you know, it's not for everyone. I think it just for me, it's, you know, I could wear a hoodie there year round robin. It's just it's a very temperate place.

00;24;27;09 - 00;24;39;17
Unknown
And I just miss. I miss the heat. I miss being you know, warm all the time. So you don't. You don't know your shirt's on unless it's sticking to you. There you go. Yeah. So it's like I miss taking two showers a day. Who?

00;24;39;20 - 00;25;08;05
Unknown
Yeah. The one thing I really think about is, is the, you know, we are on the bleeding edge, and so we're building these systems sometimes for ourselves, like the prototypes that the customers never see because we're testing and, you know, we're finding that our security posture has to be much stronger because our customers are only beginning the their AI journey, let's say.

00;25;08;08 - 00;25;31;02
Unknown
And those security potholes, those data leakage potholes are real. And we've we've stepped in them already. Right. Like how do you do governance when you put a coding machine into the hands of non-technical people. And we're we're solving that, you know, that's a big part of what Collide is solving. Yeah. And we're doing it with an oil and gas sort of lens on top.

00;25;31;05 - 00;25;59;07
Unknown
And the other thing I would say about us and having to learn and get our arms around all this is our clients are international targets. Yeah. You know, and so all eyes are kind of on our clients. And so we do have to be diligent. Yeah. Yeah. It very much is. And I think that as that our our profile this companies profile kind of rises through the ranks.

00;25;59;07 - 00;26;32;28
Unknown
And I think as AI makes more of a penetration into this industry, it's, it's not the company. The large companies become a target. It's the the vendors to those companies also become the targets. Yeah. And you know, when you look at some of those vendors, they're they look like legacy software. They operate like legacy software. I have a sneaking suspicion that even internally, there's probably some just legacy systems that are not as updated in modern as what we're doing here.

00;26;33;01 - 00;26;56;25
Unknown
So that's a I'm guessing, but I'm, I'm, I've seen this in other industries like health care. The startups are often more tech savvy and, and security savvy than the older vendors. Yeah. We've got old vendors. Yeah. Feels like SaaS just skipped oil and gas. Yeah, kind of did. Yeah, yeah. So, so. And I think that's that's another thing to think about.

00;26;56;27 - 00;27;23;06
Unknown
You know, where the endpoint security is for people, you know, are people inside a secure office? Are they, you know, how does that look in the field? You know, and I think that's a often a topic of discussion for us internally. Right. Where is this being used. Who's using it. What access do they need. And fortunately I think our the way we've architected, it's, it's not an ad hoc solution.

00;27;23;06 - 00;27;35;02
Unknown
It's kind of built in. Right. Interesting. Cool. Well, I'm glad you're here, I am too. It's been it's been a great few months and, and, you know, pivoting into the next thing. There we go.