June 17, 2021

CTO Talk: Q&A with PJ Kirner of cybersecurity firm Illumio

By Robert Scammell

PJ Kirner is the CTO of Illumio, a cloud computing and data centre security company.

Kirner co-founded Illumio in 2013 with Andrew Rubin. Its zero trust technology maps out and segments applications, containers, clouds, data centres, and endpoints to spot attackers moving around during a breach.

The California-based firm counts 10% of Fortune 100 companies among its customers and includes the likes of Morgan Stanley, Salesforce and the Bank of England.

In this Q&A, the 49th in our series of CTO Talks, Kirner reveals the “different types” of CTOs, explains why exchanging data for services is the internet’s “original sin” and shares what he’d be in another life.

Rob Scammell: Tell us a bit about yourself – how did you end up in your current role?

PJ Kirner: Before founding Illumio, I worked at Juniper Networks as part of the security team in the CTO office. This was when the public cloud was just becoming a thing and we were researching how this new technology would impact the business.

We were also seeing applications becoming more and more connected and as such, networks needed to be more powerful to support these applications and the accompanying dynamic workloads. The network was becoming flat to accommodate this connectivity, but with that came new security concerns – the core one being attackers moving laterally within the network.

Illumio was founded to address this concern. Creating Illumio wasn’t a light bulb moment, it was a process where the puzzle pieces slowly came together.

I met Andrew (my co-founder and Illumio’s CEO) through an introduction from a friend. In fact, our first meeting felt a lot like a blind date. We knew nothing about each other when we met, aside from a mutual interest in tech, but my friend told me that I had to meet him for lunch before he jetted off somewhere. We hit it off straight away and have been great business partners ever since.

Where did your interest in tech come from?

I got my first computer when I was young and spent a lot of time trying to figure out how to make it do what I wanted. I’m a practical person and was fascinated with it. I always wanted to know how computers worked and what more I could do with them.

I think I’ve always been interested in building or creating something, and technology has been an avenue that has allowed me to do that. Games inspired me, particularly when they went from having four colours on a screen to 16 colours, but I was never satisfied with someone else’s game. If anything, I wanted to write my own games. I relish the challenge and wanted to build and create my own vision — that’s what I’m most passionate about.

Which emerging technology do you think holds the most promise once it matures?

It’s not necessarily an emerging technology, but the amount of data being collected by video and audio is unprecedented. I’m sure over the next 10 years there will be some fascinating startups and innovations that come out of this area. I don’t know what people are going to do with it, but I’ve got to believe that something good and novel is going to come out of that data stream. If I were a VC, I’d fund a few of these technologies. I think the field holds a lot of promise.

How do you separate hype from genuine innovation?

I try to understand all technologies for what they are. Hype to me is just the misunderstanding and misapplication of what a particular technology is good for. I have this metaphor where technology has a box – what’s inside the box is the thing it’s applicable for and outside the box are things it’s not applicable for. Hype is simply somebody’s misunderstanding of the box – they’ve made it too large and put too many things in it.

When I look at technology, I draw my own box around it, and spend a lot of time looking at what that technology is not good at or can’t do.

I think what makes me a good technologist is that I search for that truth and then can apply the technology in the right way.

What one piece of advice would you offer to other CTOs?

There are different types of CTOs. On one end, let’s call it the “chief talking officer” CTO – someone who is out there talking about the future and things that don’t exist yet and being an incredible thought leader in the industry. At the other end of the spectrum, you have the “mad scientist” CTO – the person who is constantly tinkering and innovating. And then there’s everyone in between.

My point is that going into this role you need to ask yourself what kind of CTO you are and ensure that matches with the organisation you’re looking to work for. In my career I’ve found that knowing who I am and where I fit on that spectrum (I’d put myself right in the middle by the way), helps me do my job to the best of my ability. Good innovation doesn’t just come from tinkering with tech, it comes from having conversations, so I look to strike a balance between the two.

There’s no right or wrong here, but I fundamentally believe that understanding yourself is important to doing any job well and to being successful.

What’s the most surprising thing about your job?

One of the most surprising things about being a CTO at a technology startup is that the business around you changes over its life. What you need when the team has 10 people, is not at all what you need when the team has 100 or 1,000 people.

What the business needs out of the CTO is very different at each stage too, and I’ve been surprised by how dramatically the needs vary. I think that’s why in startups certain people often participate at different phases of the journey — when their technological strengths intersect the needs of the business at a peak.

What’s the biggest technological challenge facing humanity?

The other area I would invest in as a VC is anti-surveillance and privacy technology. There is a huge concern about how we’re giving our privacy away with tracking, surveillance, etc. There are plenty of privacy advocates and regulations out there, but I don’t believe we fully understand how much we’ve lost yet, and I don’t think we know how we’re going to take it back.  I heard someone say recently that this exchange of personal data for free services was the internet’s original sin.

Privacy is an important part of being human. Humans have imperfect memory – when you have a bad experience or a disagreement with a friend, over time those memories disappear. There’s psychological research that suggests we remember positive experiences for longer than we remember negative ones. I don’t know what all of the surveillance data does to that theory – it seems we’ll never get away from those bad events or mistakes in our lives.

What’s the strangest thing you’ve ever done for fun?

My brother and I bought a house and remodelled it when we were in our early twenties. It took us two years to do, and we lived in the house while we did the remodelling. What was really fun about it was at that point I was working in software, something I couldn’t touch or work on with my hands, but then when I got home, I was able to work with my hands, be that demolishing a room, or putting something back together. There was this nice harmony between working with software – something intangible – and demolishing and rebuilding a home.

It may not seem to be the biggest thrill-seeking event, but to me it was a lot of fun and rewarding to see what we can accomplish when we apply ourselves to the task.

What’s the most important thing happening in your field at the moment?

President Biden’s executive order mandating a Zero Trust architecture is a big deal for cybersecurity practitioners, and our collective security.

Particularly, the wording and subsequent implication is what I find most interesting. Typically, the security industry oscillates between detection and prevention. If you read the executive order there are a number of places where ‘prevention’ is mentioned as one of the first words in a sentence, and ‘detection and response’ in the latter part. It’s my opinion that they did that intentionally because we’ve been in a phase where we’ve over relied on detection and response and now, we’re entering an era where improving the prevention security controls is the key focus.

In another life you’d be?

A teacher. While teaching is a part of my job now, in another life I’d make teaching the main part of my career.

I remember being inspired by English and theology teachers at school. The ability to inspire others is a skill and an art that people hone over their entire career – being dedicated to that art is interesting to me. I actually did teach math and computers for a short period of time, about a year after college, so I know how influential that role can be in shaping our future generations.