Real
I didn’t attend Snowflake Summit this year, having attended the last two previously. This is purely as I’m trying to limit how often I travel and how far, and will definitely be on the west coast again later this year.
From what I’ve heard, the alleged data breach was a bit of a shadow coming into the event. Before I knew about what the data breach was, I was a bit surprised. I’m pretty familiar with Snowflake, having been an Account Admin for a number of Snowflake accounts and used Terraform with it etc. The RBAC support Snowflake has is comprehensive, sometimes to the point of being annoying (why does a file format have to have RBAC!!! Literally that this type of CSV has a blank row between the header row and the data…).
However, when I read about what had happened… it doesn’t seem like a true data breach at all. There was no issue with Snowflake’s security architecture, there was no backdoor, no-one at Snowflake had left their laptop on a train with everyone’s creds in an unencrypted CSV on their desktop. What really happened is that a few people (including some Snowflake staff) had their creds stolen by malware, for accounts which didn’t have two-factor authentication (2FA) enabled - therefore allowing anyone holding the creds to use Snowflake credits and access data. Ransom demands were made on the back of this access.
Yes, this is PEBCAK, no, Snowflake is not responsible for the fact that you didn’t secure your creds with two-factor or rotation or otherwise. I don’t think they are to blame because they don’t force you to have two-factor. That’s a nanny-state way of thinking. Everyone who is an Account Admin to a Snowflake account is an adult and is responsible for securing it. If you aren’t capable of doing this, you shouldn’t have been made Account Admin. If you choose not to use things like 2FA, that’s a risk you choose to take. Yes, it’s not convenient and I remember when I first switched on 2FA for my first Snowflake account, but I did it because there was a real risk.
There was a risk of data loss, there was a risk of fraudulent Snowflake credit (the real alt-coin) spend. So many people just think this will never happen, so they don’t care too much about it. It never happens until it does. With many lay-offs having happened recently, it wouldn’t surprise me if people who had good processes for handling creds left and handed over to people who didn’t. Lay off platform folks at your peril!
The other reason people are so cavalier about these real risks is they almost certainly will face no consequences. Unless it’s a huge data breach that leads to a newsworthy story about their company, employees don’t get fired for this kind of mismanagement. They aren’t really liable for the risk, unless they mess up badly enough to get fired or cause company shut down. Companies regularly protect these staff members, too - often when a breach happens, the business doesn’t know which employee was responsible. IT as a whole takes responsibility, with only rumours within their closed ranks of who may have been responsible.
So we will continue to see this real risk being mismanaged for these reasons, but no, Snowflake is not responsible in any way, nor have they had a data breach. No real data (demo) was lost by fraudulent use of the Snowflake Sales Engineer accounts, just credit usage - these accounts didn’t have anything sensitive stored in them, which is probably why security policy wasn’t so tight. They could have actually just had warehouse spend monitoring in place and they could have known earlier about the fraudulent credit use.
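The spend monitoring mentioned above is something Snowflake supports natively. The following is an added example (not code from the post, and not Snowflake’s own documentation): it caps a demo warehouse with a resource monitor, then uses the ACCOUNT_USAGE views to flag days where a warehouse burns far more than its recent average and to list recent logins that were protected by a password alone. The warehouse name, monitor name and quota values are assumptions.

```sql
-- Added example, not from the post: cap a demo warehouse with a resource
-- monitor, then hunt for abnormal credit spend and password-only logins.
-- Warehouse, monitor and quota names/values are assumptions. Run as ACCOUNTADMIN.

-- Monthly quota of 100 credits on the demo warehouse: notify at 75%,
-- stop accepting new queries at 100%, kill running ones at 110%.
CREATE OR REPLACE RESOURCE MONITOR demo_wh_monitor
  WITH CREDIT_QUOTA = 100
       FREQUENCY = MONTHLY
       START_TIMESTAMP = IMMEDIATELY
  TRIGGERS ON 75  PERCENT DO NOTIFY
           ON 100 PERCENT DO SUSPEND
           ON 110 PERCENT DO SUSPEND_IMMEDIATE;

ALTER WAREHOUSE demo_wh SET RESOURCE_MONITOR = demo_wh_monitor;

-- Daily credits per warehouse over the last 14 days, flagging any day
-- that burns more than 3x that warehouse's 14-day average.
WITH daily AS (
  SELECT warehouse_name,
         DATE_TRUNC('day', start_time) AS usage_day,
         SUM(credits_used)             AS credits
  FROM snowflake.account_usage.warehouse_metering_history
  WHERE start_time >= DATEADD('day', -14, CURRENT_TIMESTAMP())
  GROUP BY 1, 2
)
SELECT warehouse_name,
       usage_day,
       credits,
       AVG(credits) OVER (PARTITION BY warehouse_name)               AS avg_credits,
       credits > 3 * AVG(credits) OVER (PARTITION BY warehouse_name) AS spike
FROM daily
ORDER BY spike DESC, usage_day DESC;

-- Successful logins in the last 7 days that used only a password and no
-- second factor: exactly the accounts a stolen cred would get into.
SELECT user_name, client_ip, reported_client_type, event_timestamp
FROM snowflake.account_usage.login_history
WHERE is_success = 'YES'
  AND first_authentication_factor = 'PASSWORD'
  AND second_authentication_factor IS NULL
  AND event_timestamp >= DATEADD('day', -7, CURRENT_TIMESTAMP())
ORDER BY event_timestamp DESC;
```

The ACCOUNT_USAGE views lag live activity by a couple of hours, so the resource monitor is the control that actually stops the spend; the two queries are for review, and the last one is a useful way to find who still needs to enrol in 2FA.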
Providing safe access to data is a challenge. However, it is often the case that creds are shared between organisations to enable 3rd party data access. Sometimes the sharing company makes a role with appropriate limited access (I’ve done this), sometimes they might just share the Account Admin creds (I haven’t done this). I’ve written about this before and I’ll write about it again - putting a semantic layer in front of the data warehouse and providing access this way massively reduces the risks of data breach, but also fraudulent credit usage.
When you give someone an inappropriate level of access to a cloud data warehouse like Snowflake, they can set up their own pipelines etc. for their own purposes, using your credits (free for them, or, as we saw above, they can simply threaten to). This just isn’t possible via a semantic layer: it massively constrains what a user who has been given access in this way can do. They can only really run read queries on the entities you’ve given them access to. It’s not really possible for them to fraudulently use your credits - at most they could use more than you wanted them to by querying very frequently. But again, a good semantic layer will have a cache with a cache expiration policy to reduce exposure to this, too.
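For the case where a third party does need direct warehouse access, here is what “a role with appropriate limited access” looks like in Snowflake, as an added example (not code from the post, and not any project’s own): a read-only role scoped to one schema, a dedicated small warehouse so their queries can’t run up credits on production, a key-pair service user so there is no password to steal, and a network policy restricting where it can be used from. All object names, the public key and the IP range are placeholders.

```sql
-- Added example, not from the post: least-privilege access for a partner
-- instead of handing over ACCOUNTADMIN creds. All names are assumptions.
USE ROLE ACCOUNTADMIN;   -- setup only; the partner never receives this role

CREATE ROLE IF NOT EXISTS partner_reader
  COMMENT = 'Read-only access for external partner; no DDL, no other schemas';

-- A dedicated X-Small warehouse with a short auto-suspend, so the partner's
-- queries are isolated from (and cheaper than) our production warehouses.
CREATE WAREHOUSE IF NOT EXISTS partner_wh
  WITH WAREHOUSE_SIZE = 'XSMALL'
       AUTO_SUSPEND = 60
       AUTO_RESUME = TRUE
       INITIALLY_SUSPENDED = TRUE;

-- Least privilege: USAGE down the path to the schema, SELECT and nothing else.
GRANT USAGE  ON WAREHOUSE partner_wh                     TO ROLE partner_reader;
GRANT USAGE  ON DATABASE analytics                       TO ROLE partner_reader;
GRANT USAGE  ON SCHEMA analytics.shared                  TO ROLE partner_reader;
GRANT SELECT ON ALL TABLES    IN SCHEMA analytics.shared TO ROLE partner_reader;
GRANT SELECT ON FUTURE TABLES IN SCHEMA analytics.shared TO ROLE partner_reader;
GRANT SELECT ON ALL VIEWS     IN SCHEMA analytics.shared TO ROLE partner_reader;

-- Service user for the partner: key-pair auth rather than a password, so
-- there is no password for infostealer malware to lift. Key is a placeholder.
CREATE USER IF NOT EXISTS partner_svc
  RSA_PUBLIC_KEY    = 'MIIBIjANBgkq...<partner public key placeholder>...'
  DEFAULT_ROLE      = partner_reader
  DEFAULT_WAREHOUSE = partner_wh;

GRANT ROLE partner_reader TO USER partner_svc;

-- Only the partner's egress range may use this user (TEST-NET-3 placeholder).
CREATE NETWORK POLICY IF NOT EXISTS partner_np
  ALLOWED_IP_LIST = ('203.0.113.0/24');
ALTER USER partner_svc SET NETWORK_POLICY = partner_np;

-- Check what the role can actually reach before handing over anything.
SHOW GRANTS TO ROLE partner_reader;
```

Attaching a resource monitor to partner_wh as well puts a hard ceiling on what the partner can spend, which is the closest a raw warehouse gets to the cost containment a cached semantic layer gives you for free.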
Perceived
I’ve been lucky enough to speak or be on a panel at a few places over the last year. Sometimes I get to hang out with people before or after the session, and often when I tell them my story about founding, they ask: “Wow, how were you brave enough to take the risk to go found?”
The first time I was a co-founder, I was in an unusual position in that I had just been laid off with a relatively generous package. The company I was joining was a spin-out from an existing company I knew and I had known the founder there for a long time, who would become my co-founder. A lot of the risks about founding were mitigated. Lack of knowledge about founding was covered by my experienced co-founder, no risk of losing a good job - I wasn’t in a job. I started my role as co-founder the day after my last day at my previous role, so I didn’t even go a day unpaid.
The second time, I did leave a good role at Metaplane, but because I had been a co-founder before it didn’t seem so scary. I knew how to do company stuff, I knew how to run the fundraising process, I knew how to run a small, very early start-up. A lot of the perceived risk about founding is in fear of the unknown and fear of failure. I had experienced or mitigated all of this the first time round, so it didn’t feel like much to overcome the second time.
I remember, before being on a panel at Bumble, I was speaking to the team there and they asked me the question above. I answered in this way and I think it really crystallised what I think now: the risk in founding is really perceived, it’s not a real risk. If you read this blog, you most likely have a skillset that is scarce. If you quit a job and fail at a startup, you’ll just get another job and probably for more money than last time. One of the team suggested that, to think this way, I must be a psychopath! I’m not so sure about that part, although perhaps I find it easier to push emotion aside in favour of logic and evidence than others might, especially now.
Being a founder prepares you for your next role as an employee surprisingly well. You know when you have to answer those STAR framework questions? Well, your whole life as a founder is one situation to another that you have to deal with, often on your own, as your co-founder will be dealing with other situations in the meantime.
When they’re looking for “business acumen” and an “ownership mindset”… well, you’ve run your own business so you have these by default, and certainly much more so than before you were a founder. You’re forced to think about markets and consumers, GTM strategy, business cases... These are all facets of an individual that employers are looking for, that people who have only worked as employees can struggle to learn or develop. As a founder, even people with modest British mindsets have to learn how to sell - when you’re fundraising, you are the product. All of this makes getting your next role very much easier and probably better paid.
Founders have also told me that they prefer to hire people who have founded before for these reasons. Ex-founders have a will to get things done and drive things forward that employees who have never founded aren’t as likely to have. The network of founders that you have made will probably also mean that you won’t need to look very hard for a new role.
I’ve even made some estimations as to whether I’ve lost any money. In all honesty, I don’t think I have in the medium to long term. Working for lower money as a founder has resulted in commensurately higher money as an employee. The numbers don’t even take into account any money that is often available (equity/options/signing bonuses) when joining a new company, or any pay rises in employment after leaving a founder role. The pay rises that we may assume will consistently happen through taking the safe route may not happen, and you can still be laid off if your company struggles, and you will be less valuable as a candidate than if you’d taken the founding route.
I haven’t taken into account the cost of a likely return to office policy as an employee vs working at a remote startup, where all my travel expenses are covered - this is actually big. I haven’t taken into account that 2022/2023 were the hardest years for a long time to raise money, and founders in these years have typically had to accept leaner conditions. These numbers are also before tax and other deductions… once you’ve paid the piper, the deltas reduce sharply.
So, financially, there doesn’t actually seem to be any risk here [1], it’s just perceived risk - fear of the unknown, fear of failure.
I must not fear. Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past, I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain. - Bene Gesserit Litany against Fear
I read an interesting post recently about how time speeds up as you get older and the reason being that you’re learning less. I feel sure that this is true, as when I’ve been an employee, I remember looking back and thinking that time had slipped by. Whole years disappear without you realising, when you do a role you mostly know how to do, and you don’t really learn much on a daily basis.
When I’ve been a founder, it’s felt like time has slowed down; it then speeds back up as an employee and I’ve experienced these shifts four times now. If you don’t want your time to slip away from you, I can confidently say that founding prevents this from happening. You are constantly learning new things, which is what causes the perception of time passing to slow.
I think, in hindsight, that a greater and real risk would be to want to found and not do it out of fear and perceived risk. Even if I never found another company again, I’ll never look back and wonder what that would have been like. I’ve minimised regret for my future self.
[1] https://tomblomfield.com/post/750852175114174464/taking-risk?utm_source=hackernewsletter&utm_medium=email&utm_term=fav - I think data folks have even lower risk than described here, because we have scarce skills.