From 9/11 to Salt Typhoon: Why Backdoors Always Betray Us | Secure Talk with John Ackerly

March 10, 2026

On the morning of September 11th, 2001, John Ackerly was briefing White House officials on federal privacy legislation. Hours later, everything changed — and those two realities, data that wasn't shared when it should have been, and data that was exposed when it shouldn't have been, became the founding idea behind Virtru.

In this episode of SecureTalk, host Justin Beals sits down with John Ackerly, CEO and co-founder of Virtru and former White House technology policy adviser, to explore why perimeter security alone is broken — and what data-centric, cryptographic control means for the future of cybersecurity.

Chapters

00:00 Introduction to SecureTalk and Data Security

02:28 John Ackerly's Experience and Insights on Privacy Legislation

05:05 The Dichotomy of Privacy and Security

09:12 Public-Private Partnerships in National Security

12:24 Navigating Compliance and Security in Business

15:26 The Role of Technology in Security Solutions

18:40 Family Ties and Military Background in Cybersecurity

20:41 Insider Threats and Data Security Innovations

23:29 The Importance of Data Management and Audits

26:12 Cultural Impact on Security Practices

29:19 Future Challenges: Quantum Computing and Security

32:52 The Evolution of AI and Data Science in Security

 

Whether you work in cybersecurity, government, or technology policy, this conversation connects the policy decisions of the past 25 years to the architectural challenges we face today.

🔒 Learn more about Virtru: https://www.virtru.com 🎙️ Subscribe to SecureTalk for weekly conversations at the intersection of technology, security, and society.

#cybersecurity, #datasecurity, #SaltTyphoon, #CMMC, #backdoors, #datagovernance, #insiderthreat, #quantumcomputing, #AI #security, #zerotrust, #cryptography, #nationalsecurity, #privacy, #SecureTalk, #Virtru



 

 





 

Justin Beals: Hello everyone and welcome to SecureTalk. I'm your host, Justin Beals.

In 2001, John Ackerly was at the White House briefing officials on federal privacy legislation the morning of September 11th. What followed shaped everything he believes about data security. Because what 9/11 revealed was a two-sided problem. Information that should have been shared wasn't. And then, through the Patriot Act, information that shouldn't have been broadly accessible suddenly was.

That tension sits at the center of today's conversation, and Salt Typhoon makes it concrete. The backdoors built into telecom infrastructure for law enforcement became the exact tunnels Chinese nation-state actors used to embed themselves inside Verizon and AT&T networks. We are still trying to get them out. When you build a door for the good guys, you build a door.

John's argument, and the founding idea behind Virtru, is that the answer isn't better perimeter security. It's cryptographic control at the data object level, so that it doesn't matter who has access to the tunnel, because the data itself is protected. And with AI agents now pulling sensitive information across dozens of systems simultaneously, that architectural shift has gone from interesting to urgent.

John Ackerly is the CEO and co-founder of Virtru, and a former lead technology policy adviser at the White House National Economic Council. Along with his brother Will, a former NSA engineer, John founded Virtru to unlock the power of data by maintaining control of it wherever it travels. John was named an EY Entrepreneur of the Year, and Virtru recently secured a Series D funding round, doubling its valuation to $500 million. Join me in welcoming John to SecureTalk.

---

Justin Beals: John, thanks for joining us on SecureTalk today.

John M Ackerly: I’m very happy to be here today.

Justin Beals: Excellent. I'm gonna kick off with a question about an experience that I think that you had read about it as we were preparing for this.

 

John M Ackerly: Back of the way back machine. Yeah.

Justin Beals: You were briefing, I know, yeah, we'll start a little at the beginning, at least, John. We all have these moments in our careers, I think, where we're like, yeah, I was there when that kind of happened. And for you, you were at the White House providing a briefing on federal privacy legislation on the morning of September 11th. And then just weeks later, you were in the room for the Patriot Act negotiations. That must have been an incredible swing week to week.

John M Ackerly: It was an incredible period. Absolutely. And it was a really formative one. I mean, if you can only imagine, like literally 7:30 in the morning on September 11th, doing a briefing with the deputy chief of staff or an Oval Office meeting two days later, that was to put the final blessing on legislation we were sending to Capitol Hill that would have required things like opt-in consent before data could be shared with a third party.

And obviously, you know, the world changed a couple of hours later. And after the briefing, I was back at my cubicle on the second floor of the West Wing in the center of the action. And the Secret Service came and said, get out of the building and the ladies take off your high heels. And some and everything changed.

It was a really formative experience because the information that could have been shared to stop that attack wasn't. And then as we saw, you know, and again, so much, you know, it was in the fog of war, really, but the other side of that coin also came into play where the data where there was not a real need to know ended up being accessible very broadly, and even if the actual abuses potentially weren't very widespread, the legal regime was such that the capability was there. And so, trust before the cloud, before Gmail really became a real challenge and we're still facing these issues today. So I saw both firsthand, and I completely understand the why of how it was about people, and was about systems. And you really need systems in place, legal systems and technology, so that you can give a data owner actual control over their information so that what needs to be shared can and what shouldn't be have actual guardrails around.

Justin Beals: Yeah, you know, it's interesting. I think we want, our brains want us to see a dichotomy in the discussion, right? Like we can have privacy or we can have security, but you can't have both. That's not necessarily the case, right? It's very nuanced, you know.

John M Ackerly: I think it's pretty, you know, it is interesting. I don't know if it's nuanced as much as it's an architectural shift in thinking that's required because traditional ways in kind of cybersecurity world of thinking about protecting data in a way does force a trade off between security and convenience, privacy and convenience. If you are really trying to enforce control in a way where a third party is the custodian of your data, it kind of changes everything because if you want the convenience of these systems, you have to trust a third party. Or if you want to control your information, you're kind of stuck in a silo. And in today's world, you're kind of forced into a trust model that can be extremely kind of productive from and we just felt it from, you know, we founded Virtru on 11.11.11, which my brother loves just kind of goes to the brain of my beautiful, my co-founder sort of in binary, but going all the way back then and the founding idea for the business going back to that 2001 was hold on, you there has got to be a better way where you can really flip a lose-lose situation to a win-win, which is about kind of granular actual cryptographic control over your information, but in a way that doesn't break down user experience.

So, I actually think it's not a nuanced thing, but it is a fundamental rethink. And it's taken the world a long time, all the way to like 2026 to actually start to come to grips that hold on, the old model is just broken.

Justin Beals: Yeah. In part of your work, you talk a little bit about Salt Typhoon and, you know, backdoors that are developed that both good guys put together and bad guys put together. And to your point, you know, about this idea that the right infrastructure in place, the right tool set in place, but, you know, running good security around it is kind of the solution space that we're looking for.

John M Ackerly: Well, if you think about Salt Typhoon, it's a great example, but it goes both to the policy component, you know, that, where there was a real mess. And then from a technology perspective, having to think differently from an architectural perspective. So from a policy perspective, you know, the Patriot Act was certainly one thing, but the other piece, and it's something that in the Bush campaign, we really fought hard against initially, really up until 2001, very pro-privacy, pro-consumer control, which is no backdoors, right? And so, CALEA was a mechanism really used for wiretapping that, in 2004, post 9-11 in this new era was basically opened up for all digital communication. And what did that mean? It effectively backdoors for law enforcement, which are the same ones that obviously bad guys can walk through. And if you have this kind of networking infrastructure that's a hodgepodge, with like seams between all different kinds of routers and kind of networking equipment. And you have back doors put into this kind of environment. It becomes very easy for a bad guy to hop around and access data through these tunnels. And so you are exactly right. I mean, it is wild to me that Salt Typhoon didn't get more primary press coverage in the big media outlets, I guess in this environment, there's so much happening, probably, but this is pretty fundamental when you have nation state actors so embedded into the Verizon networks and to the AT&T networks, etcetera, that we are still trying to figure out how to get them out and how to secure data.

And at the end of the day, for sensitive communication, you probably wanna not just think about those tunnels that these folks have access to through having access to session keys, but actually, also protecting the data objects themselves, the video feed, voice, et cetera.

Justin Beals: It reminds me of some of the, it seems like a similar type of challenge as, you know, special boxes being installed in telecom buildings in San Francisco.

 

John M Ackerly: Yeah, we're going all the way back to those old clipper chip debates from back in the day. Now we are both dating ourselves, right? But yeah, 100%. 100%.

Justin Beals: That's right. Yeah. I'm, you know, so we, I think that one of the ways I like to describe US security is in a lot of ways a public private partnership. You know, we, there's a lot of industry involved in nation state security in the United States, a lot of back and forth.

The government, especially the DOD has released the new cybersecurity maturity model certification requirements. How have you seen that rolling out from your perspective in the marketplace?

John M Ackerly: Well, I mean, broadly around public-private partnerships, I mean, there are so many ways to kind of tackle this question. Obviously, you think kind of narrowly around the defense industrial base, right? There's something like 300,000 businesses that are part of the supply chain for every dollar that goes into the DOW budget. Something like 60 percent comes right back out into that install base. Like foundationally, it's like completely intertwined.

And I do think there have been steps and, you know, you can argue it's too heavyweight to actually solve the problem, etcetera, but I think it's a good approach to hold the DIB, the Defense Industrial Base, accountable for certain standards for protecting CUI data. So like sensitive but unclassified information. And I think there are steps in the right direction here for sure.

You know, that is one aspect of the data sharing that, that like really kind of needs to be nailed. Obviously, Virtru has a big part in that. It's a growing part of our business. That kind of collaboration between government and the DIB and also within the DIB. When you think about, you know, how many companies are involved in the supply chain or creating the next Joint Strike Fighter, you know, thousands of companies across the world.

And those attacks can come anywhere on that supply chain, and that data can be leaked anywhere. And so that's important. There's also the collaboration that needs to happen in terms of sharing threat intelligence. And that's been a lot. And I think CISA moved the ball forward there in a big way. And frankly, Jen did a great job there and getting more of those mechanics in place hold into private sector to a higher standard as well.

There's a lot more that can be done and should be done there. And you really want to embed technology into that workflow so that no matter what the political environment is, you as a company, and I certainly feel this as the CEO of Virtru, you know you have cryptographic control over that information that you share. So it's not a force feed and a hope strategy, that that data is not going to be repurposed, but it's a verifiable event, if it is, and you can control access to that information. That's how you actually speed up information sharing. I think there's a lot more we can do there.

Justin Beals: Yeah, it does seem right up Virtru's alley, where you're, you know, so much is tied around where that controlled unclassified information is winding up or the FCI data, or even if you're running against a level three, just being able to understand where it's at and who has access to it is kind of fundamental to hitting some of those requirements.

John M Ackerly: It's also important for the parent who needs to share certain information about her child with a psychiatrist. I mean, our first customer was a psychiatric professor. So there was a psychiatric professor. So the practice is up in New York. So it's the same underlying technology that can empower individuals, that can empower large organizations, an email, or it is structured data into an analytic system. It kind of doesn't matter what the data is. It can be scaled up, but it can be deployed in a way that's really easy for the end user to just get started. I think differently about the information that they share with the third party.

Justin Beals: I'm curious about the business a little bit. I agree, I've built a lot of tech over my time and I've been like, an individual could use this or a company could use this, but how do you think about attacking the market? Because attacking both can be a challenge.

John M Ackerly: Well, yeah, I mean, we've been doing this for 14 years. I think it's pretty straightforward though for us. Like, if you can make the technology so seamless that an individual can use it, start there. Like, put the human first in the workflow, and then you can build additional capability over time to solve very complex enterprise use cases. So, for example, JP Morgan Chase has deployed us something across their entire global organization, 255,000 users. Well, that wouldn't have worked if we hadn't figured out how to sell into the SMB first, frankly. I mean, there were other companies that had a similar kind of mindset. Like our mission is to unlock the power of data through empowering people and companies to control it everywhere. Like that's a big mission, but you know, you have to deploy solutions that just work.

Other approaches were, and actually one company that will go nameless, sold a massive POC into, so the JP Morgan and it just broke. It didn't work because they tried to do it all at once. And so, you know, really our approach has been, and it's an overused term, but it's, you know, but I think Clayton Christensen had it right. You, you have got to be disruptive. And for us, it is disruptive around user experience and that kind of integration value. And then for the enterprise, the same platform, it can be your sort of decision point across all these applications. Now it's taken us a long time to get there. Just doing email and file sharing, right, took us from like, from the very beginning back in like 2012 to like 2017, right? So for these big ideas, sometimes you just have to be freaking persistent to get there. It all makes sense in the end, but I got it better. But I think it is.

Justin Beals: Are you giving me hope on our journey? I think we saw something very similar when we saw problems for SMBs around compliance and security. And then we were like, you know, how applicable are we at the enterprise? But what we figured out is that the enterprise is a bunch of SMBs, if you think about them the right way. And we had a solution that could work at the most granular level and grow into the reporting required at an enterprise level. Yeah.

 

John M Ackerly: Yeah. I mean, if you look at the, at the big or, you know, something at the big, for example, accounting firms, it's, it's a whole bunch of SMBs. It's a bunch of micro climates around the world. And in our case, it's about how do you stitch all that together and then provide a common interface from an administrative perspective to have insight and audit across all of these small businesses. You get it. Yeah. So the group in Singapore has like real need for key control in the way that in the UK they don't, right? You know, for what we do, that strategy has worked. It does take patience, though, because you can also take the approach, all right, we're gonna whale hunt, and you can build ARR potentially very fast that way. I think it's riskier, and there's a lot of concentration risk. But anyway, that's how we got it wrong.

Justin Beals: Now at your company, your brother is your co-founder, right? Still getting along? My goodness, amazing. John.

John M Ackerly: Yes, yeah, and we still get along. Oh, we do actually. And we, and we still bore people at our final. So then at our Christmas dinners too, it's like, wait, hold on. We don't want to talk about data governance guys. And my middle brother is actually the smart Ackerly and he's a doctor. He's like, I do not want to hear about this anymore, but, but he's a customer. So it's okay.

Justin Beals: And then I think that I have this curious question. I read that Will, your brother, your co-founder, was running encrypted USB drives while deployed or in Iraq. Did he just get tired of running from one place to another and wanted to put it on the network?

John M Ackerly: Well, look, Will Ackerly cares deeply in all seriousness about the mission. Like when he was deployed in Iraq, he almost didn't want to come back in the first place. I mean, he was like the Inspector Gadget working at the NSA, helping to empower special ops to go and do really important work. And at that time, 2008, 2009, Secretary Gates basically said, we need to fail open. We're not getting information where it needs to go.

So my poor brother, who is not the athlete in the family, literally would be in SCIFs and take, you know, some data onto a USB drive and like run a few hundred yards to get to a Chinook helicopter to load information into a laptop. That's bad security, but more importantly, it's really bad mission, really bad mission execution when that helicopter is revved up, ready to go to find the bad guys. And it's an extra 10 minutes, an extra half an hour. And so that was one of the real inspirations behind the underlying technology and the open standard that he developed as part of the Galileo award process when he was at the NSA. So yeah, super real, super real.

Justin Beals: Yeah, also I think, you know, I have family members that have served and currently support, you know, Nation Defense and nothing has brought it closer to home than to realize the work they do, how passionate they are, you know, about the mission and also, yeah.

John M Ackerly: Well, it is real life and death consequences. So I was with one of the SEAL teams and talking to the operator who was in Japan when it was on a training mission. But very tragically, the Osprey helicopter crashed. At the time, he didn't know whether the people on board were then alive or dead. It was in the ocean.

And he was trying to coordinate between the Japanese Navy that had ships in the area and the US Air Force. But he was on a network. He was on a coalition network called, I think, Centris or something, like getting information and reports and even using, you know, so the phone, like he was having a really tough time doing any coordination. He had to use his personal cell phone. He had to cut and paste documents from one system to another all while he didn't know whether his friends were alive or dead. It turned out, I mean, really sad that they all passed on, but at the time, who knew? I mean, that could have made a major difference. And his point to me was, look, we are highly trained people. The fact that we have IT getting in the way and adding stress for us to do our mission is just not acceptable. And I saw some data point that something like 50 million man-hours are wasted on these kinds of activities because you have 19,000 networks across the at the UW. Like it can't go on like this. And the good news is that the government is taking aggressive action now to, you know, to the really collapse networks, apply control to data, build that secure fabric. It is happening, but you know, it's got to happen even faster.

Justin Beals: It's a massive organization. I understand the challenges, of course, but agree from what I've read and spoken with folks, there is a move towards more common computing base, more ability to understand what you can access when, and the ability to also share data better between groups. One of the challenges during 9-11, John? Yeah, yeah.

John M Ackerly: Big time, big time. Yep, that is happening.

 

Justin Beals: Now, I think that one of the things that's interesting about what you all have worked on and the innovations you're doing is that, you know, you're one of the features of your system that help guards against insider threats, you know, so you're not just having to concern about the perimeter security, but obviously things are going on inside at the same time that you're concerned with. Is that correct?

John M Ackerly: Yeah, I mean that's a big use case. It goes to the win-win. Like if you solve that data sharing challenge through control over the object, you actually also get really excellent leak prevention as well. Because the whole point is that everywhere this data is shared, you have audit over where it is, can it be forwarded? You can expire access, or you can block where it can go at the object level when it's at rest within your system. That's where it starts. So you discover the data, you tag it, and then you connect to different identity systems. And we govern that of that place between tags of data and identity and enforce access control decisions. So then leveraging either logical or encryption.

And it's a massive help to stop, you know, not just nation-state actors in terms of reducing that blast radius, but also the disgruntled employee. If you think about the Discord data leaks, you know, that was, that was a network administrator who just happened to have access to a repository of various sensitive information that he had no need to know for, right? So that same person in this new architecture could have access to the repository, but not actually see the data in the first place, or if he does, it's all encrypted. And because he doesn't have the entitlements to access that data, it's safe.

So there is no silver bullet ever in cyber, and I hate snake oil. But definitely invest in your perimeter security. But don't worry about too much in this new model. Because it's the same thing in terms of the bucket problem when it comes to the public cloud, you know, misconfiguring, and it's less of a problem now given some of the new tools out there, but still it's an issue where data just gets exposed into public repos that like shouldn't. It becomes less of a problem if the data itself is protected.

Justin Beals: We, in our particular little niche of the security market around compliance, recently, there was a pretty big breach. It wasn't a ton of data, but it was scary. And someone just left a Google Doc open on the web. But it was literally a folder of everyone's SOC 2 audits that a large audit firm had performed. And it was very damaging. Yeah, yeah. And even inside the market, well,

John M Ackerly: What a great example of like, moments. Yep.

Justin Beals: One of the wow moments was that everybody's audit looked the exact same and it was kind of like, wait a second, what are we testing?

John M Ackerly: Now my sales team would like kill me. It's also, I think, you know, like some of the issue with like, with like CMMC important. There's enforcement, but I mean, really just focus on what matters, like reduce paperwork, get actual security in place that matters. Then yeah, you know, we can help you check a lot of boxes, which is true, but sometimes I'm like, reduce this paperwork burden on these companies. Focus on few things.

Justin Beals: Yeah, I agree completely. Yeah, yeah. You and John are pretty aligned. And this is, I think, why I feel an interloper in this particular work that we do is as a CTO, I'm kind of like, no, I just want to, I want to practice good security. And what you don't understand is that if my team is doing things that they believe makes them more secure, they will believe in them and do them. But you force me to think do things that don't matter. We lose the cultural aspect of we practice good security. We know how to secure things. We want to lean in and secure things.

 

John M Ackerly: Yeah, but we have testified on Capitol Hill about FedRAMP. I mean, we did it early, when we were much smaller, but it still cost us almost three, it was back in 2018, 19, it cost us something like, like a $3 million to do. And for us at the time, that was a big chunk. And a lot of the work really, we didn't think, move the needle that far forward in terms of actual, like actual upping our game.

Now, I will say on the flip side, it can be helpful in certain aspects and the right to our prior conversation about small business versus enterprise. For those of you who are listening who are contemplating models, if you are going to go enterprise first, find the right enterprise that will make you better. And JP Morgan, for example, made us stronger based on how they thought about how to globally deploy and kind of load balance key servers, all that, very sophisticated.

Other enterprise customers that we still have that may be in the ITAR space, we'll go nameless, set us way back because the amount of random stuff we had to do for them that did not help them or their users. But I think it was to make certain kind of network admins happy, like was really kind of productive. So be careful about which enterprises you sign up for.

Justin Beals: I will agree that having a baseline is helpful and kind of a measurement stick. How are we doing at meeting these lists of things? But I always tell folks, it's your security at the end of the day. It's not FedRAMP's. It's what you do that really matters. I think that some of your focus on the data and the insider threat work has come a little full circle. The UK Ministry of Defense and the US, a DOW are now treating data-centric security as a first-order principle. I think this feels like a lot that has gone in the cybersecurity maturity model certification where they are. Everything is about where that data is stored. Yeah.

John M Ackerly: Yeah, and it is about, you know, in a particular, so the UK has been a great partner with us, and really now for a number of years about driving thought leadership that it doesn't actually matter as much where the data is stored. It's where the locus of control is. If you have hardware security models, sorry, so the modules and you have cryptographic control.

That's a sufficient measure to enforce kind of data to enforce data location and data sovereignty, which has been super helpful. And if you do that, they've been driving in the Five Eyes context, you know, you know, a common standard, taking what, what, what my brother invented and working with them to really build an ecosystem around this approach. And so I do think it's really encouraging what our partners are doing along with the Joint Chiefs of Staff, J6, to really move the needle. And there's work to do with NATO, for example. But it's happening. The moment, really important to us, and I should have mentioned this earlier, we have a robust open source project called OpenTDF. Because this is a foundational architectural shift, having other partners adopt it, and they are, it's amazing to see over the past year.

That's what it's all about. And then it makes, you know, Virtru more successful. It builds a bigger pie. Very different from what certain companies, much, much larger than us, do. That may go nameless out in Redmond or something, and it's all about in their ecosystem. So what they do with the UK is say, hey, foreign governments, just really, all you have to do is then create a user account in our system. Come into our system, we will keep you secure.

And what third parties are saying is that's not good enough. I need cryptographic control. We need a federated model, right? Very similar in terms of, you know, a lot of interest in what Palantir is doing, great company, but a lot of issues around, okay, how do I get my data back? How do I move data in and out? Is this going to become like Hotel California, right? It's like, it's all, you know. Our perspective, and we're very biased here, is data first and foremost has got to be interoperable. Control has got to be federated. That's how this new architecture takes hold.

Justin Beals: I'm a big fan of this because I'll go back to one of our things is it's your security, right? Like, you can't just outsource an enclave and be like, look, we're done. You know, it's something you're going to be expected to operate. You're actually on the hook for effectively operating it. And if you can't develop relationships with vendors, they give you that kind of control. Even if there's automation in there, then I think you're in trouble.

John M Ackerly: And how do you make it really easy to do it? In the, you know, that, you know, that is critical too, because I think a lot of companies are like, this is just impossible. Like, I don't know. This seems like too much. This seems like it's okay. What is the easy button? And for us it's okay. Let's go knock out these workflows. You have your policy decision point where you apply policy once across everything, etcetera, etcetera. And, you know, and for our long, we have about 6,000 customers for the smaller folks, ease of use and ease of deployment to take control is absolutely paramount. For our larger government customers, ease of use is also paramount, but there is a forward-deployed engineer model there. These are wiring into so many different systems.

Justin Beals: I want to talk about some future topics a little bit, John, and kind of how you're perceiving the emerging market or challenges in security. One of them that I'm constantly curious about is quantum computing, of course. And I think one of the big tropes is quantum computing and encryption, and some of the challenges there. How do you think we're both doing in developing quantum computers and the security challenges that they're going to create for us?

John M Ackerly: Yeah, so the full disclosure, you were talking to the wrong Ackerly to go very deep on the current state of a quantum. I will say that our customers think that it's sooner as opposed to later where there really could be brute force. So then attacks onto, you know, onto data at rest where you can point those big guns. But, you know, really the important thing for Virtru from an architectural perspective, the kind of easy answer is being crypto agile. What we're actually doing and we've proven is that NIST has four modules that are quantum resistant. And you can put into how we wrap all of our symmetric keys a quantum, so the resistant wrapper that at least meets the requirements of where the intelligence community is going in the NSA, as well as customers like JP Morgan.

Beyond that, I will leave it there, but I will say that it feels pretty real based on the number of times we get asked this question. It is certainly top of mind for folks.

Justin Beals: Certainly it's been kind of fun watching NIST develop some open standards and run the competition. I think, you know, you mentioned open source, my career wouldn't have been possible without open source tools at all. And so one of the things I love about computer science is that we kind of come together as a community, and then we also compete in the marketplace, but for the better of all. And that's been really exciting. Yeah.

John M Ackerly: I think it's just so important. In particular, when you're talking about something like data center security, when you're talking about mass amounts of data running across different systems, that ecosystem is important. I think Databricks did such a nice job on that. And they're beating Snowflake for that reason, I think. Having the people who invented Apache Spark build this incredible business makes a lot of sense. And what they're doing with their Unity Catalog is really excellent.

 

We are not as big as Databricks by any stretch, but it is analogous to what we're doing with the TDF and the OpenTDF. Absolutely.

Justin Beals: And I did it back in the day in the education environment with, you know, Java web servers and then eventually open source learning management systems. There's a natural arc to building the business around that.

John M Ackerly: 100%.

Justin Beals: The second future thing, of course, it's on a lot of people's minds. We're all using these tools today or, of course, the data. I'm using the old school language, John: data science, machine learning, although we can call it AI.

John M Ackerly: Yes, yeah. Don't AI wash me there, Justin.

Justin Beals: That's right, John. Well, I told a friend once, said AI is just the user interface. Everything else is machine learning or data science. How are you guys seeing that roll out for you?

John M Ackerly: Yeah, look, I mean, I can take that many different directions, but I think the big, massively encouraging thing for the kind of data-centric world is that AI gets a lot of credit for changing people's mindset from, this is like topic number five on my list. It's been kind of creeping up from like 10 to seven. Now it's like one, two, one, it's usually identity and data security tied together.

And it's because unlocking value from data, which is our mission, becomes like a super hypersonic, you know, massive speed when you're talking about data moving in and out of systems, whether it's through RAG workflows, whatever proprietary data having to move in, data being used for training, you know, inference, how do you handle that? Like, ultimately, this kind of flow of data across systems is just so fundamental to this new world that we're now in.

And so it's a massive tailwind for Virtru as a business. I think where we see the business opportunity for us is we are not an AI company. We're not an AI security company, but we are a data governance company and we have a foundational role to play in governing data that is proprietary and really mediating access to that both to the model itself.

And then in this agentic world, tying identity just like we do to humans, but to non-human actors. And then how do you link the identity of the agent back to the human that is controlling that agent? So that whole workflow. If you think about in the intelligence context, you have three different analysts that are trying to solve a problem, maybe two of them. To be really simplistic, they have the need to know about the Muslim Brotherhood, all three have a need to know about something happening in China. As they're asking questions, different answers are going to come back based on what they need to know. The same use case in the healthcare context. And then how do you get, you know, it is called NC data in the government context, but the most sensitive data into a common operating view where you can have analytics around it. The only way to give organizations comfort sharing that kind of data is that all the data is cryptographically controlled. And so, it's all like a really exciting moment for Virtru as a company, a scary time, but an exciting time for the world too. And I think, you know, when we have our product managers talk to customers right now, the strategy commercially is hope. Just hope that things are not going to like, have to innovate. don't like it's a number two concern for them.

And so it's just super, super interesting. We are also innovating ourselves, leveraging our own technology so that we can really use these models at speed to sort of drive efficiency internally. Obviously a lot of pressure on our engineering team to be forward thinking in terms of, that, so that adoption there as well. But the most important thing is this kind of real sea change in terms of mindset from the cybersecurity world.

The downside is that everyone's talking about we are data-centric, and they're all talking about a back-end attribute-based access control. But I would ask if any identity provider says, yeah, we do data centricity. Like if you're a CISO, probe: are they talking about actually control to the data or are they talking about access to endpoints and to buckets, which is really where all those guys are today.

Justin Beals: Almost all are doing the latter, not the tagging of the data. Having been in it, I worked in natural language processing for a while, so there were times where we stored a lot of data, there were times where I built models, not on the scale that we see, the size or amount of data that we see today, I didn't do that work. But then of course, post that, once we had a model, understanding how the model represented the data, because it's a synthesis of information.

I see it as a continuity of the original data set, developed algorithmically to query, to deliver probabilistic results. Yeah.



John M Ackerly: That's right. Yes, right on. So these data sets really have like a shape and a form to them. It's absolutely fascinating. And then how do you search all this data in a secure way? Right? I mean, there are all these questions at this massive scale. And like, how do you make that privacy-preserving as well when you get to massive data sets to ensure there is not leakage there too?

 

Justin Beals: I think it's been to our disservice to call these models a black box. They are transformed from their original, and it costs a lot of computing power to back it back out, but they're not black box. We do need to understand what's in them.

 

John M Ackerly: Yep. No. Yes. Yeah. For sure. For sure. And to be clear for us right now, we are not tackling the like training in the non-black box. It's more the proprietary data that gets kind of fed into answering a question to provide more context. Like that is really what we are productizing because there's a lot of value there and it's just such a natural, easy button for us. Eventually, we can move further down the stack. So like right now it's a form where it's really vector data. When you talk about transforming, it is really vector data and then how to do it in a privacy-preserving way.

 

Justin Beals: I mean, that's the most immediate concern. Wrong data in the wrong model, like the wrong question, the wrong copied file and uploaded in the wrong model, can be a breach. Yeah.

 

John M Ackerly: That's right, 100%.

 

Justin Beals: Well, John, we super appreciate you joining us today on SecureTalk. The work you guys have done, both you and your brother individually, as well as your company, has been super exciting to watch. It's great to talk to someone that is not only a deep expert, but believes in solving problems in the marketplace in a kind of a point way. Yeah.

John M Ackerly: Well, it sounds like we are definitely peas from the same pod right there, Justin. And a big congrats to you as well and really appreciate the time today.

Justin Beals: Excellent. All right. Thanks everyone for joining us and we'll see you on the next episode of SecureTalk.





About our guest

John Ackerly, CEO & Co-Founder, Virtru

Virtru's CEO and Co-Founder John Ackerly is a former lead technology policy adviser at the White House National Economic Council and has been at the forefront of data security innovation for several decades.

In reaction to the intelligence failures that led to the terrorist attacks on September 11th, along with his brother, Will, a former NSA engineer, John founded Virtru with the mission to unlock the power of data by maintaining control of it, wherever it travels.

The company's momentum highlights the other side of the coin with regards to data security. While DSPM vendors like Cyera and Rubrik help with discovering, classifying, and protecting data internally, Virtru picks up where they leave off — extending those controls beyond the perimeter to protect data when it’s shared externally.

 

Justin Beals, Founder & CEO, Strike Graph

Justin Beals is a serial entrepreneur with expertise in AI, cybersecurity, and governance who is passionate about making arcane cybersecurity standards plain and simple to achieve. He founded Strike Graph in 2020 to eliminate confusion surrounding cybersecurity audit and certification processes by offering an innovative, right-sized solution at a fraction of the time and cost of traditional methods.

Now, as Strike Graph CEO, Justin drives strategic innovation within the company. Based in Seattle, he previously served as the CTO of NextStep and Koru, which won the 2018 Most Impactful Startup award from Wharton People Analytics.

Justin is a board member for the Ada Developers Academy, VALID8 Financial, and Edify Software Consulting. He is the creator of the patented Training, Tracking & Placement System and the author of “Aligning curriculum and evidencing learning effectiveness using semantic mapping of learning assets,” which was published in the International Journal of Emerging Technologies in Learning (iJet). Justin earned a BA from Fort Lewis College.
