Today, I’m talking with Cloudflare co-founder and CEO Matthew Prince. Cloudflare might be the most crucial net company you’ve never heard of, and that’s almost by design. It’s a network infrastructure supplier to more than 20 percent of the full web — it’s effectively what prevents bad actors around the planet from torpedoing any of the biggest websites on the planet with cyberattacks. But if Cloudflare is doing its job, you don’t gotta know it even exists.
Cloudflare is an absolutely fascinating company at the intersection of so many of the biggest ideas we talk about here on Decoder. That’s in no tiny part due to Matthew, who’s been at the helm for nearly 15 years and has had to make any of the most uncomfortable moderation decisions in the tech industry.
As an infrastructure company, Cloudflare is 1 of the only defenses — in any cases, the only defence — standing between websites and the people who want to take them down. That includes websites for social good, like news organizations around the world, but besides means unsavory or downright despicable ones, like neo-Nazi haven The regular Stormer and hatred and harassment breeding ground 8chan.
Listen to Decoder, a show hosted by The Verge’s Nilay Patel about large ideas — and another problems. Subscribe here!
Over the last decade, Matthew has had to make the call erstwhile to halt providing service to websites like those, even as he’s championed Cloudflare as a bastion of free speech and a tool utilized by journalists, activists, and dissidents in authoritarian regimes. It is simply a profound balancing act, and you’ll hear me ask Matthew how he thinks about making those types of decisions and the company values he says drives them.
Matthew and I got into beautiful much the full gamut of protecting speech on the internet. We talked about the contrast between speech in the US covered by the First Amendment and speech overseas that is very much not. We got into how governments might be able to regulate companies like Cloudflare and what that would even look like here in the US or possibly in a country like India.
And we discussed how Cloudflare looks at its function in war zones like Ukraine and how the threat of a splintering net — or 1 that’s just more restrictive and more aggressively under attack from bad actors — could undo the last 40 years of progress. no of this is theoretical for people like Matthew — seriously, he’s personally under sanction by the Russian government.
Some notes before we start — due to the fact that this conversation truly went places and you’re going to hear quite a few references to various political philosophers. Aristotle comes up, which Matthew explains, but then we talk about Thomas Hobbes, who believed that nature is cruel and anarchic and the intent of government is to enforce a social contract between citizens.
We besides mention John Locke, who expanded the thought of the social contract into what we call liberalism and whose work straight influenced the founding fathers and shaped the Declaration of Independence, and then we mention John Rawls, who moved distant from the thought of an unchanging natural law into fairness as the foundation of the social contract.
This is simply a lot for a conversation with a guy who keeps websites on the internet, but it is very much why I love doing Decoder.
Okay: Cloudflare CEO Matthew Prince, here we go.
This transcript has been lightly edited for dimension and clarity.
Matthew Prince, you’re the co-founder and CEO of Cloudflare. Welcome to Decoder.
Thank you so much for having me.
I am very excited to talk to you. It feels like the net is in a minute of deep and lasting change for a variety of reasons. Cloudflare is an underappreciated part of the net for most people. If you usage net services, you might not really know Cloudflare exists. But I think if you make net services, there’s nothing about Cloudflare that’s underappreciated. It’s an crucial method part of the internet. Can you just describe from the beginning what Cloudflare is for folks?
At the absolute simplest level, Cloudflare is simply a service that makes the net faster and protects it from bad guys. How we do that is we run present 1 of the world’s largest networks. Our customers are anyone who’s trying to put content online, anyone who’s trying to connect to the net in a safe way — businesses, not consumers, for the most part. And what they do is they put that content behind our network in order to make certain that it can be fast anywhere in the world. It can be reliable no substance what. It can be secure, private, and efficient so that it can scope as much of the net as possible.
Today, we operate that network in over 300 cities worldwide, in over 120 countries, and we’re within milliseconds of the vast majority of the users on Earth. And erstwhile we’re doing our occupation right, you don’t really know that we exist. You just have a better, faster, more reliable net experience.
Put that next to what most people think about as the internet. Cloudflare has a network of its own. It has data centers around the world. Those data centers are close to me physically specified that data might get from the data center to me in milliseconds, as you’re saying. But I think most people think about data centers and they think about Google or Microsoft or Amazon. Are you moving the same kind of data centers? Are you moving different kinds of data centers? Do you work with them? How does that go?
We tend to have lots of machines scattered in many, many places around the world. Whereas, what you’d think of as the conventional cloud providers — the AWSes, the Google Clouds, the Microsoft Azures of the planet — will have many, many computers but be more concentrated in individual places. We tend to cooperate truly well with those providers. They tend to be much more like the data stores, the kind of the database companies that are out there, whereas we’re the networking company that connects those things together.
You would frequently usage 1 of those conventional cloud providers plus Cloudflare in order to have the best possible experience. And somewhere between 20 and 25 percent of the web present sits behind us. So chances are, everyone who’s listening to this has most likely utilized us surely in the last 24 hours.
So, if I’m starting a website — it’s comic I say that, I run a website — but let’s say I’m starting another website, and I say, “Man, I want to make certain the stuff on my website can get to customers quickly. I want to make certain that I’m protected from DDoS attacks.” What do I actually buy from you?
First of all, we believe that our mission is to aid build a better internet. And that’s not just a better net for the largest companies in the world. They’re all customers as well, but I’m truly arrogant of the fact that even individual developers, startups, can adopt Cloudflare. We have a free version of our service, which is truly beautiful astonishing. We don’t believe that you should gotta have a immense budget to have top-grade security, performance, and reliability.
For all of those things, you can come up to our website, sign up, you effectively make any method changes to how your website is announced to the remainder of the planet that causes that traffic to go through us. Or, from the another side, if you’re a business and you want to make certain that your employees are connecting to the net in a safe way, we supply you software that you can install on your laptops or your mobile devices in order to make certain that, again, you’re utilizing that network. And so, regardless of whether you’re publishing content online or moving a business whose employees request to get online, we have a set of services and we effort to make them make sense for you, whether you’re tiny or, today, over a 3rd of the luck 500 uses Cloudflare in order to get those same benefits as well, and we have services for those large companies, too.
You’ve talked about safety a number of times. erstwhile I think about Cloudflare, I think about caching mostly. I’ve got any stuff on my computer or my server or my data center. I do want to put it closer to people so they can access it more rapidly around the world. That feels like the large thing that you guys supply to folks. But you’ve talked about safety a number of times. What is the circumstantial safety solution that you supply to your customers?
It’s interesting that any people think of us for things like caching. So the thought of caching is fundamentally just making a copy of something so that you don’t gotta decision it as far. The velocity of light is only so fast, so if we can make copies of the logo on a website or the images and decision those closer to people, then effectively, the online experience gets importantly faster. But that’s not where Cloudflare started. In fact, it’s actually kind of ancillary to what we did. We’re very good at it today. But the first premise of Cloudflare was: how could we make a firewall that was deployed without any hardware where you could just get it as a service?
The thing was that, early on, the objection that everyone had was, “That sounds great, you can service a much broader market, you can make it incredibly easy to use, you can learn from all the traffic that flows through you in order to get and make everyone more secure, but you’re going to add a bump in the wire. You’re going to slow things down.” And so Michelle [Zatlyn], my co-founder and I, as we were first starting to think about the business, we became obsessed with how to make things faster. And caching was 1 part of it, protocol optimization, just getting tremendous amounts of connectivity around the planet were all pieces of the puzzle, but they were truly servicing that end goal of how do we make everything more secure. But it turns out that, in most cases, safety comes with a compromise of slowing things down.
When we launched, we launched with the goal of just not slowing things down, and then we were a small bit better at it than we intended to be. So not only do we not slow things down but we besides actually importantly velocity things up. And so, today, there are people who may not be peculiarly worried about cyberattacks who besides usage Cloudflare. But the large news is you can be truly afraid about safety and you get performance, or you can be truly afraid about performance and you get security. And again, I think it comes back to how Cloudflare is surviving up to our mission of just making certain that everyone online can have the best net experience and that our mission is truly to aid build a better internet.
Who are your biggest competitors?
I think that there are quite a few companies that compete with us in individual areas. You do have companies that focus just on things like caching, the folks like an Akamai or Fastly, and we compete with them from time to time if people are just looking at that 1 thing. You have another companies that are truly focused on the VPN replacements of the planet — so the likes of Zscaler, Palo Alto Networks, Cisco for any of Cisco’s products — and we compete with them as well. But I think what’s unique about Cloudflare is that we offer that complete package: that we can make certain that your content is safe, that you can make certain that your employees are safe. If you look across that full thing, there truly aren’t that many companies that do everything that Cloudflare does. And what we see from our customers is they truly want to have that complete network safety package, and they’re sick of buying individual point solutions.
Cloudflare can deliver what we think of as a complete connectivity cloud, and that replaces quite a few the Akamai, Fastly, Zscaler, Palo Alto Networks, and quite a few the people who are doing what is traditionally network security. And then, of course, all of the box vendors, the checkpoints, and… I’ve forgotten the names of them. I guess that’s how much we focus on our competitors, but we truly are just saying, “How can we aid make the network experience the best possible thing it can be?” We compete with competitors in those areas, but there isn’t truly anyone that does the complete suite of things that Cloudflare delivers.
I just want to point out, if there was 1 individual in the planet who had learned the name of enterprise safety vendors from the advertising at the airport, it’s Matthew Prince, and you clearly did not gain that cognition from that. I always wondered who those ads are for, and I figured you would pay attention to them.
We spend a ton of time focusing on our customers, and we tend to spend a ton of time just focusing on how we build a better internet, even to my board’s chagrin. They’re always like, “We should talk more about competitors.” And I’m like, “I think if you just focus on your customers, you focus on building a large product, competitors will follow you as opposed to you having to follow them.”
If you hear that sound, it’s the price of airport advertising plummeting in the background. I want to talk about competitors along the way here. I think it’s a truly crucial point, due to the fact that I think there’s a lot downstream of whether you feel competition. quite a few people characterize Cloudflare as 1 of the most vital companies on the internet, or a required company on the internet, and a core infrastructure layer. Do you feel that way about Cloudflare — that you’re just part of the essential utility fabric of the net now?
When we were just getting started, 1 of the things that we would always ask ourselves — and this was erstwhile it was 8 of us above a nail salon in Palo Alto, California — “If Cloudflare ran the full internet, what would the right decision be?” And we asked that around method questions. We asked that around policy questions, around how we did client support, around everything. We’re just always asking ourselves what that was doing. And there was a certain absurdity to it, due to the fact that again, we were 8 people without a single client above a nail salon.
And yet, I think that we would gag that someday if we had an outage or something went wrong, it would be on the front page of the paper due to the fact that we would be that important. We have an incredibly robust reliability record. But erstwhile we’ve had challenges now, it is that level of news, but oftentimes, the news publications themselves are Cloudflare customers, so they’re offline as well. But we take the work that we have highly seriously, and we effort to be a very principled organization and think about what the long word is.
People do trust on our networks. There are aircraft that can’t take off if Cloudflare doesn’t work. There are cash registers around the planet that don’t work if Cloudflare doesn’t work. There are ATMs around the planet that don’t work if Cloudflare doesn’t work. And due to that, I think our full squad is truly focused on how we make certain that we are delivering the absolute highest-quality service that we can. And again, erstwhile we’re doing our occupation right, we’re that thing behind the scenes that’s just making everything work better, and most people don’t even always request to know that we exist.
Particularly in enterprise, the notion that you have a single vendor as opposed to multiple redundant vendors, that pendulum swings back and forth, right? Cloudflare is evidently the integrated solution. You supply all of it. You can get all the things you request to run your service across the network. Your competitors, it’s more mix and match. You can most likely go to them for pricing and competition, discounts, all that stuff. Why do you think your approach has won so definitively?
I think that people want to have 1 integrated network safety vendor. And there are times that that can supply a robust way of protecting your network that you can’t get stitching together a number of different solutions. Oftentimes, what we see in the safety space is that the seams that are created between vendors are frequently what the attackers exploit. And what we can do is give you a seamless experience where you can see traffic coming into your network, traffic going out to your network, see that all through 1 dashboard, give that visibility to all of your employees. That thought of a connectivity cloud that truly does connect all aspects of your business together truly resonates.
The another thing is that we can frequently deliver it in a much more cost-effective way than individual networks. There is simply a certain fixed cost to moving a network like ours, and the first service that a client buys from us costs us a certain amount of provision, but then, each additional service that we provision on top of that is actually very cost-effective for us to deliver.
And Michelle, my co-founder, had a mantra that we should always be delivering 10 times the value that we should be capturing ourselves. And I think we’ve truly done that. What that means is that oftentimes companies can just get a much higher return on their investment. They can save a crucial amount of money while at the same time having a better solution, a more integrated solution, by switching to us. I think, over time, it makes sense for you to have 1 network safety vendor. And I think we’re well positioned to be that.
There are things we don’t do. safety has another aspects. There are endpoint safety companies like CrowdStrike and SentinelOne. I think that’s a very different skill set and that’s somewhere where we’d be much more likely to partner. There’s identity, companies like Microsoft, Okta, and Ping Identity that supply those services. Again, I think that’s somewhere where we think it makes a lot more sense to partner. But in the network safety space, we think that 1 integrated solution is able to not only deliver the best experience but besides be able to deliver it in a way that is the most cost-effective.
Let me ask you any of the Decoder questions now. You mentioned 8 people in a nail salon. How large is Cloudflare now?
We’re about 3,500 people around the planet and very global. So we run what is an incredibly global service, and our squad is distributed very globally around the world.
And how is it structured? How do you think about how the company is organized?
There’s 1 P&L at Cloudflare. We effort to be as flat as possible. Generally, the metric that I pay quite a few attention to is: what’s the average number of direct reports that a manager has? We effort to get that number around 8 direct reports, which is on the advanced side. Most companies are around five, and that tends to make the structure a small bit flatter. Michelle’s our president and COO, and we divided the planet up. She handles quite a few the go-to-market and HR and support side of the business. I handle a lot more of the product engineering, finance, and legal side of the business. And those are kind of where we divide things up. We have not divided up into GMs yet.
I think the 1 thing that we’ve done, which is simply a small bit unique at Cloudflare, is we truly have 3 different product and engineering teams that have somewhat different mandates and have very different mandates, ultimately, around the time to marketplace and the timeframes that they’re reasoning around. So our conventional product and engineering organization, which is 80 to 90 percent of our R&D budget, is what everyone thinks of. They think in two-quarter roadmaps, spend a ton of time talking to customers, perceive to what they want, effort to deliver that, think about what our products are and how they can decision up and to the right in the Gartner or Forrester survey, and make what is incredibly crucial but very much sustaining innovation around the products that we already have.
We have a second R&D org — which is, approximately, call it 10 to 20 percent, it varies depending on the time — and that’s what we call ETI, or emerging technology and incubation. They don’t think in two-quarter timeframes; they think in two-to-three-year timeframes and very intentionally spend very small time talking straight to customers. They spend quite a few time reasoning about, with the resources that Cloudflare has with the network that Cloudflare has, if we look out over the horizon, what’s the thing that someone’s going to want 2 years from now that we can deliver? Their occupation is to take lots of shots on goal, and 80 or 90 percent of them never see the light of day, but any of them do. People can rotate in and out of the ETI group, but it’s almost like a small skunkworks squad inside of Cloudflare. quite a few the truly large leaps where we’ve provided things like our developer platform, quite a few the work that we’re doing around AI today, comes out of that group.
We have a 3rd group, which is the smallest. Often, it’s made up of quite a few people who are getting their PhDs in computer discipline or they’re taking time off to do an internship or any people who would almost be professors at quite a few universities. They are reasoning more in a five-year timeframe on fundamental net technologies. As we have things like TLS 1.3, which is the encryption protocol that protects how, erstwhile you put your credit card in, that it’s secure, or reasoning about things like quantum cryptography. They’re the squad that’s reasoning on that longer timeframe on what the internet’s fundamental protocols are going to request and then how Cloudflare can be contributing to those things. They’re very much not focused on shipping products but, instead, helping standards develop. They’re working with organizations like the IETF [Internet Engineering Task Force] on what the future of the net looks like. And again, they’re reasoning about something that almost has zero direct return on our business.
I think due to the fact that we have those 3 different engineering groups that have those 3 different timeframes, it’s allowed us to both deliver what our customers want but then besides deliver truly disruptive innovation from an organization like ETI — and then besides contribute back to the fundamental protocols of the net with our technology team, which is reasoning on that longer timeframe. For me, that’s 1 of the things that’s the most breathtaking about Cloudflare is I think we are 1 of the most innovative technology companies out there, and we built an org structure truly designed around how we can proceed to deliver innovation all single day that we’re doing the work that we do.
So you mentioned you have the 3 groups, and you actually just said something truly interesting, which is that the longest-term group doesn’t truly have a measurable return. But that’s the most crucial group, the 1 that’s working on the actual standards that make the net go, that protects against things like quantum attacks on cryptography. There are any truly long-term things that request to be invented. How do you think about allocating the margin from the day-to-day customers paying you to, “Okay, we gotta invent any stuff for 5 years in the future?”
I think that, again, we start with the mission, which is to aid build a better internet. That means, oftentimes, we’re doing things that don’t have any direct measurable return. possibly this sounds somewhat naive, but what we found is, if we do the right thing, that it pays off, but you don’t always know precisely how it’s going to pay off.
As an example of this, back in 2016, we saw quite a few abroad interference with the elections, and we thought, “Is there something that we can do to aid with that?” And so we launched something called the Athenian Project, where we supply our services at no cost to anyone originally in the US — although it’s expanded now — who’s helping administer an election. There was quite a few hand-wringing from our state, local, and national squad that, “Oh my gosh, this is going to cannibalize our business due to the fact that it’s something that they could sale and now we’re going to give it distant for free.”
But at the end of the day, we couldn’t have built the company that we did if we didn’t have a unchangeable and functioning democratic government. I think that we have a work and work erstwhile we have the ability to defend things, like how elections work, for us to not have costs be something that stands in the way. I’m arrogant of the fact that, today, a majority of US states, almost all of the battleground states in the US, the officials that administer elections there usage us in various ways and have been for rather any time. There was no direct return from that. It was just… it’s the right thing to do. But I think it’s helped us build goodwill with governments. It’s helped us build goodwill with quite a few businesses where people want to work with companies that aren’t just coin-operated. They want to work with companies that are principled and are trying to do the right thing.
As a consequence of that — even though it’s very hard to measurement the return of these things ex ante — ex post, they have paid off in spades. And so, the technology squad is like that. quite a few the work that we do volunteering our services is like that. For our team, possibly more than anything else, the key to building large companies is recruiting large people. People want to work for companies with a real mission that are doing any real good in the world.
So anytime that we do these things, whether it’s helping with the TLS 1.3 protocol or helping defend Ukraine before the Russian invasion in 2022, that pays off. But you can’t always see it and how it’s going to look in advance. So I guess the answer to your question is that we don’t so much think about, “Oh, we’re going to allocate precisely this amount of margin.” But we do make certain that we’ve got a structure in place that gives us the ability to build the things that customers want who pay us but besides builds the trust in the greater market, which again, has turned out to be any of the best marketing that we can do both for customers but besides for prospective fresh squad members.
Let me push on that a small bit, but I think this is simply a good time to ask the Decoder question. You have quite a few decisions to make. any of them are harder than others. any of them are more esoteric than others. How do you make decisions? What’s your framework?
I keep coming back to the mission of Cloudflare, and I’ll confess that I went to business school, and I remember sitting in classes where people talked about the importance of mission, and I’d never worked somewhere that was a truly mission-driven place. I’d never been in the military. I’d never truly done government service in any way. I hadn’t been in a company that I would describe as highly mission-driven, so I kind of rolled my eyes at it. I think that early on at Cloudflare, if you had asked, “What’s Cloudflare’s mission?” I would’ve said, “Our mission is to take advantage of this truly unique marketplace chance where the planet is shifting from on-premise hardware to the cloud, and clearly the network is going to take over that, and a full bunch of the things that were like firewalls and VPNs are going to turn into a service, and hopefully we’ll even make a small bit of money and impress our parents,” which is, by the way, why most people do the things that they do.
That’s a mission that inspires almost spiritual fervor.
We had a chicken-and-egg problem, where, in order to make any money and impress our parents, we had to sale to truly large companies that would pay us millions of dollars a year. But in order to do that, we needed to have something that was valuable to them. In order to do that, what they cared about was cybersecurity, so we needed to be able to foretell who the bad guys were and halt them. In order to do that, we had to have a full bunch of data. In order to have data, we had to have customers, due to the fact that the customers fundamentally would feed the data back into the system. And so we had this problem in a simplistic way that, in order to have customers, we needed to have data; in order to have data, we needed to have customers.
So being good small business students, Michelle and I said, “Well, what if we created a free version of our service, and we’d let anyone sign up?” And we expected it was going to be tiny businesses and individual developers that signed up, but that wasn’t what happened. And the reason why is if you imagine kind of a 2 by 2 and the X axis in the 2 by 2 is, call it, company size, and the Y axis is safety risk, it turns out that as companies get smaller, their safety hazard goes way down. There’s inactive any momentum that keeps people from signing up for even a free service. As companies get bigger, the safety risks go up, but they’re not going to trust free services. So no of those signed up. Who did sign up were the only organizations that are in what I would call the northwest quadrant of that 2 by two, which are smaller organizations that have truly large safety risks.
Those organizations tended to be civilian society and human rights organizations. So we woke up 1 day back in 2010, and it was like all human rights organization in the planet had signed up for Cloudflare. There was a part of me that was like, “Gosh, why do we care about this? due to the fact that they’re never going to pay us much, so we’re not going to make money, and we’re not going to impress our parents.” But they keep signing up, and they would compose in and say, “Hey, it’s so useful what you do.” And if you’re a human rights organization, you’re frequently pissing individual off and frequently individual powerful. And so the powerful people would effort to knock them offline, and we would defend them.
I remember there was a guy who ran an organization called the Committee to defend Journalists. His name was Jeffrey. He wrote to me 1 day, and he’s like, “Hey, I’ve got 3 Cloudflare customers that are in town. Would you like to meet them?” I rolled my eyes. Michelle was watching me. She’s like, “Matthew, just take the meeting. It’s 15 minutes. You never know what comes out of these things.” And Jeffrey brought into our office — we were on 3rd Street in San Francisco — these 3 African journalists. 1 was from Angola, 1 was from Ethiopia, and the third, they wouldn’t tell us his name or where he was from due to the fact that he was presently being hunted by death squads. It was the first gathering I’d always been in where the word “death squad” had been used. We’re fortunate to live in the West, but in most of the world, journalism is very dangerous and everywhere is an incredibly noble profession. In these cases, these journalists were covering mostly government corruption in their home countries and people wanted to shut them up.
They would endanger them physically but besides do things to knock them offline. 1 guy had tears in his eyes. By the end, we were all hugging, and they said, “We couldn’t do what we’re doing without you.” I remember it was expected to be a 15-minute gathering and it turned into 2 hours. Michelle somehow, at any point, comes and finds me and gets dragged into the meeting. We yet walk them all out and put them in a cab in San Francisco and look at each another like, “What in the planet have we gotten ourselves into?” That’s erstwhile the mission truly crystallized, and that’s erstwhile the mission became so important. I think erstwhile we started, erstwhile we said, “What are we doing?” we were making the net a small bit faster and more reliable and more secure. But today, as we think about things, it’s much more about, “How do we fight to make certain the net inactive exists?”
From the comfortable places that we sit in the West, that may not seem like a threat. But if you look at what Russia is trying to do, if you look at what Iran is trying to do, Turkey, Egypt — for different reasons, India, Brazil — you can’t overstate how disruptive the net was to the conventional sources of power, be those family, education, media, religion, government, . So the analogy that I’ve frequently utilized is it’s like Star Wars: Episode IV – A fresh Hope, the 40 years leading up to 2016, and then right around then, it flipped. Today, I don’t think we can take for granted that the net that we have known in our lives exists 40 years from now.
I think we’re very much surviving in a time erstwhile we gotta think about how we make decisions on what’s right for our business. But at the same time, we besides gotta think about how we make decisions to fight for the fundamental existence of the net overall. That, for us, comes back to, “What are our core values?” At Cloudflare, we are a very curious organization. We want to take on fresh challenges, never say, “It’s not my job,” always go in a bunch of different directions, frequently to a fault, by the way. I think the biggest criticism of Cloudflare can be that we’re a mile wide and an inch deep. We do a ton of different things. But again, I think that comes from curiosity. I think we’re a very transparent organization. erstwhile we make mistakes, we talk about it. We do that both externally and internally. After all board meeting, we present all the slides we presented to our board to our full company, which people thought after we went public, there’s no way we’d keep doing, but we have.
I think we’re a very principled organization, which, fundamentally, means we’re not going to sacrifice the short word for the long term. So I think coming back to the mission and coming back to those core values is simply quite a few how we, as a company and how I as a leader of the company, make decisions.
You’re talking a lot about values and mission. It’s interesting to hear the CEO of what is effectively an infrastructure company talk about moving that company on values and mission. Those things do come to a head. There’s a tension there that occasionally comes to a head. I think you can most likely guess I’m going to ask you about The regular Stormer and 8chan and Kiwi Farms. These are sites that relied on Cloudflare. They were Cloudflare customers. They hosted a bunch of hatred speech, a bunch of racism. They did a bunch of harassment. They were Nazis in any cases.
Then you said, “Look, you’re not going to be our customers anymore.” And Cloudflare is large adequate that erstwhile you say that, people do want to knock a bunch of Nazis off the internet, and their sites went down due to the fact that Cloudflare wasn’t standing in the way. Walk me through that decision due to the fact that there’s a real tension between “We are here to defend speech and the net that we know” and “We know that if we halt doing business with you based on our values, you will get DDoSed off the internet.”
I don’t want to dismiss that these are tricky issues, but they are not regular issues for us. For the most part, our business is beautiful straightforward. There are things that are illegal in various parts of the world, and in those places of the world, we comply with the laws. There are then things that are legal but may be gross in various ways. individual might say, “Oh, I don’t like that.” And for the most part, we say, “Well, that’s what the legislative process is for.” That tends to actually work amazingly well.
Cloudflare is 13 years old now, and we’ve had kind of 3 of these large incidents over that period of time. The mean time between incidents is simply a small over 4 years at this point. It’s not like all single day we’re wringing our hands and reasoning about it. I think that that’s different than if you’re Facebook or Twitter, who truly are all single day having to make these decisions, and they have a much harder occupation due to the fact that they are fundamentally the content. In our case, in order for individual to have gotten to us, it should be an individual makes a kind of gross decision to post something, which then doesn’t get taken down by a platform, doesn’t get taken down by a host, and falls all the way down to the network level, which there are quite a few layers that gotta have gone incorrect there.
But all erstwhile in a while, it is bound that that is going to happen. It tends to be places that are inactive technically possibly legal but are truly harmful and destructive. In any cases, places where we’ve actually worked with law enforcement, they’ve said, “We are very worried that if this site is inactive online, you might see a mass shooting or you might see something else.” It’s 1 of those questions where, if you’re surviving in an flat building, generally, it’s not cool to spy on what your neighbors are doing in the flat next door. But if you see individual whose life is in danger, then yeah, you break down the door and you go aid them. But that wouldn’t be what you usually do. all erstwhile in a while, we gotta do that.
I think the thing that is different about how we think about it than how most companies think about it… and I’ve had the privilege to get to sit in on quite a few the public policy chats that folks like Facebook or Twitter / X or AWS or Google or Apple have had. I think if you sat in on those, you would actually feel a lot better about the companies. I think that they are almost always incredibly thoughtful people that are behind this and that have tradeoffs that you might not imagine. But I think that what quite a few tech companies truly believe in is they trust their own interior bubble. They don’t trust the remainder of the world. So they have this almost militant secrecy about them, which I think is actually 1 of the real mistakes that the tech manufacture present is making. Whereas we truly take a very transparent view of this. I gotta confess that I didn’t anticipate that I would spend a crucial condition of the time that I talk to journalists for the remainder of my career talking about neo-Nazis due to the fact that it’s not truly a subject I actually spend all that much time reasoning about.
But I think that the thing that we’ve done is that erstwhile we have come to these hard issues, we haven’t just said, “Paragraph 13G of our terms of service, beyond that, no comment.” We’ve tried to walk through: here’s why this is hard and here’s why we conflict with it and here’s the good and here’s the bad and here’s why these are tricky issues. It just happens to be that neo-Nazis are about the grossest thing that you could imagine, and so people who are trying to be gross either are or pretend to be neo-Nazis. So you get tough conversations around this. What’s different about us than another companies is that we’re willing to talk about it, whereas most another companies don’t. The reason we’re willing to do that is that I think transparency is key to trust.
When this first of all went down with The regular Stormer, I tried to figure out how, erstwhile you get into these situations, do you show that you are being thoughtful and responsible. And I actually went back and pulled down a bunch of doctrine textbooks, and I started out reading James Madison due to the fact that I thought, “Okay, in the US, we have the First Amendment. Where does that come from and what’s behind it?” due to the fact that it turns out, if you go to Germany and you say, “Well, what about the First Amendment?” everyone rolls their eyes, and I think it’s the incorrect place to start.
I think the right place to start is actually around the regulation of law, and Madison was truly inspired by Aristotle so I went back and read all my Aristotle textbooks. Aristotle truly believed that there were 3 things that were inherent for a government to be trustworthy: it had to be transparent; it had to be consistent; and it had to be accountable. So you request to know what the laws were, they needed to be consistently applied, and then the people who applied the laws had to be subject to the laws themselves. So that’s fundamentally what government is. It’s truly amazing, around the world, even totalitarian governments that don’t truly follow the regulation of law pretend to. They pretend to be transparent.
We just had elections. Oh my God, Vladimir Putin got voted in 1 more time.
That’s precisely right! And it’s like, why does Russia go through the effort to do it? It turns out that it’s due to the fact that that’s where trust in these organizations goes to. And Cloudflare is not a government, and no large tech company is. But if you think about it, on a regular basis, more people interact with Cloudflare’s network than live in any country on Earth. And so, while we’re not a government, I think any of the principles of how large organizations build trust do apply to us. And so I think we effort to follow those principles of regulation of law, which are transparency, consistency, and accountability.
Wait, can I ask you about this though?
I believe you, and I think it’s fascinating that so many tech CEOs think about the demands of moving a state erstwhile they think about moving their company for their customers. And it’s true, I think that’s a function of scale. I just think it’s fascinating that we got to Aristotle in this conversation.
We’ll do [Michel] Foucault next, if you want.
Yeah, I’m ready, “nasty, brutish, and short.” That’s life on the internet. We’ll do the full thing. We’ll go all the way back to Hobbes. But the mechanics of “I’m going to halt doing business with The regular Stormer,” famously you said, “I woke up and decided that I was sick of it and stopped it.” That’s the transparency. But at the end of the day, you had the power.
But the way that the bad thing that happened was that a bunch of people were then able to do a DDoS attack. Your power is, in that case, contingent on knowing that there’s a universe of actors who will then immediately knock The regular Stormer off the internet. That’s the relation in your function specifically that I think is interesting. A hosting company has a different power, which is, “I’ll just delete your website.” An net service supplier says, “We’re just going to block your IP address.” You’re saying, “I’m going to get out of the way so the mob can teardrop you down.” That feels like a different kind of power or a different expression of accountability. How did you think about that?
There’s any fact to that. The thing about hosting providers is there are lots of them. The thing about Cloudflare is that there are very fewer companies that can supply the services that we do, and if you piss all of us off, it’s truly hard to inactive be on the internet.
Because there’s a mob of people who will take you down. But that’s the thing. It seems like it’s okay to say, “I’m not going to be your safety defender anymore.”
Yeah, I guess, although it turns out, if you’re moving something even completely innocuous today, there’s real hazard that’s out there. You request an immune strategy in order to just stay online, even if you’re posting cute pictures of kittens. And so it’s not just the neo-Nazis that get knocked offline. Everything, at any point, needs any level of a safety guard, or again, something like an immune system, to stay online. If you don’t have that, there’s just adequate badness out there looking for vulnerabilities that it’s hard to stop. And then, in addition to that, just the advantages that we’re able to supply in terms of performance, in terms of cost, just being able to make certain your content is available everywhere in a cost-effective way. If you should be in a planet without a Cloudflare, it’s just a lot more costly to operate.
So again, I think it comes back to that question that we asked ourselves erstwhile we were 8 people above a nail salon, which was, “If we ran the full internet, what would the right policy be?” And again, we will never run the full internet. That’s just never going to happen. But I think that that’s the right mentality to think about these questions from, due to the fact that I think it puts the right level of seriousness into the discussion. no of these sites paid us anything that mattered, right? If the only thing that we were motivated by was just money, I mean, it’s easy. Of course you should kick these things off. But again, I think we truly do believe that we are very principled, we’re very mission-driven. And I think that’s part of what sometimes gets us into these sorts of challenges. But I’m truly arrogant that the squad that we have is reasoning about them, and I hope it sets a good example for quite a few startups and besides companies that are a lot larger than we are.
It’s cool that today, regularly, companies that are much, much, much larger than Cloudflare that run into the same issues call us up and say, “Hey, we’d love your advice on this.” I’m arrogant of the fact that that’s a function that we’re playing, and I think that that’s an crucial bit as we think about how we are going to guarantee that the net inactive exists due to the fact that I don’t think that’s inevitable.
First of all, I want to point out, I think we did get to the Hobbesian state of nature on the internet. You were saying there’s adequate latent badness out there that you’ll just… red in tooth and claw will just come and kill you if you don’t defend yourself or build a society.
That’s fascinating to me, and I think most likely most listeners aren’t aware of this: that if you just put a server on the net exposed to the wider internet, individual will come and kill you.
Explain that essential truth, due to the fact that I don’t think that’s apparent to most people.
It’s become so efficient, if you’re a bad guy, to just be able to virtually scan the full net to have a catalog of all vulnerability that is out there to run through all of those. And then the value that you can derive from taking over a website publishing cute pictures about kittens due to the fact that you can make any subfolder that’s kid pornography or due to the fact that you can usage that server to hack another server and bounce across it. I mean, in all bad movie featuring technology, there are a bunch of FBI agents or whatever staring at a screen, saying, “Oh, he’s bouncing the connection through 10 different satellites so it’s truly hard for us to figure it out.”
That kind of happens, and that truly is how bad guys operate online. It is very hard as an individual, whether that’s just individual moving a kitten website or individual in a tiny region in Georgia trying to run an election versus the [Russian national safety Service], which is precisely what is going on today. Part of what we and a fistful of another companies do is make certain that you can have that collective immune strategy that can keep you safe and can make certain that, as the bad hacker comes, you’ve got the forces standing up to make certain that you can stay safe no substance what.
So this makes you even more essential infrastructure. You can’t even do business on the net unless Cloudflare or 1 of your competitors is there to defend you.
I think we have gotten to a point where it is very hard to operate if, again, it’s what I wrote erstwhile we kicked The regular Stormer off, there is simply a tiny group of people who make the decisions on whether you usage these services. And the comic thing about the post: that’s not the actual post that we posted. That was the interior post that I wrote. It was possibly a small bit brutally honest, but the point that I was trying to make when I said I woke up in a bad temper and kicked individual off the internet was, there is any aspect to that. There is individual that makes a decision. And in this case, if I go back, and I had been fighting with my at-the-time girlfriend, now wife, over whether we should do this, and I was always like, “Are even you not on my side? There are humans that are behind this, and you request to admit that that’s the case. And I think you request to set up structures.”
But the tradeoff here is usually as you go down the stack toward infrastructure, traditionally, we regulate those providers and say, “You cannot make these decisions.” The telephone network AT&T does not get to decide who gets to make telephone calls. Everyone can just make telephone calls due to the fact that that’s a public good. You go all the way up the stack to, I don’t know, Facebook, and the First Amendment is at play. And we say, “You can do whatever you want all the way here, consumer-facing. And if people don’t like your moderation decisions, Mark Zuckerberg, theoretically, they can leave.”
The consumer marketplace is vibrant adequate and transparent adequate that that’s fine. But all the way down at the metal, we’re arguing about telecom providers. We’re arguing about net neutrality, in a way. You don’t want to slow these bits down. Do you think there should be any level of regulation for a service like Cloudflare that says you can or cannot make these decisions?
I mean, there is regulation, but the tricky part is, you usage the example of a telecom—
You’re reading Aristotle! If you’re all the way back at Aristotle to come up with the first principles of the decisions, there’s not a regulation to follow.
Sure there is, but the tricky part is that there’s a different regulation to follow almost everywhere in the world. So your frame of reference, you talk about the First Amendment, you talk about network neutrality. I mean you, you’re very US-based. These are all actually comparatively easy issues in the US due to the fact that the US is radically libertarian in terms of freedom of expression. And I grew up in the US. I tend to think if you believe in innovation, if you believe in things like a free press, that does make sense. But the vast majority of the planet doesn’t believe in those things. And so there is regulation all around the world. What’s different is telecoms are inherently regional businesses. Like AT&T, large deal in the US, but you go to England, no one’s always even heard of it. Comcast, immense deal in half the United States. I mean, Orange, immense deal in France, right?
We can choice whatever example you want. What has been different about the net and the tension is that it is global from day one. And Cloudflare, erstwhile we launched Cloudflare, we had 8 employees. We had customers in 10 countries the day we launched, which we were like, “Wow, that’s amazing.” By the end of the first month, we think we had customers in all country on Earth, and we had 8 people. And again, that’s miraculous at any level, but I think it starts to show any of the tensions that are here. I think the question with regulation is, “Whose regulation?”
Think about another technologies that have come along. So think about television. tv comes out, and it is this wildly successful product. In that case, it was interesting if you think about what the hazard was, and let’s just focus on the US. The US, for reasons of physics, initially, there were only 3 networks: NBC, ABC, CBS. Yeah, they competed a small bit with 1 another, but they effectively had an oligopoly on this fresh technology that existed. And so where hazard would come from them was actually regulation.
And so they, as an industry, got together and said, “How can we fend that off in different ways?” And it’s led to all kinds of things. So the fact that all 3 of those networks inactive to this day cover both political conventions — the politician and the Republican conventions — with the same pool feed, basically, from beginning speech to balloon drop at the end, that the vast majority of anchors came from Kansas… way overrepresented due to the fact that it was the center of the country. Equal time laws weren’t proposed by the government. They were actually proposed by the networks to say, “This is simply a way to show that we’re radically neutral.”
That preserved the technology. In any cases, there are quite a few people who will say, “Well, that was great,” and I remember fondly watching Tom Brokaw or whoever increasing up as a kid. But there are quite a few voices, whether they were brown voices, female voices, or gay voices, that just didn’t appear on tv in the ’60s, ’70s, and ’80s. So there’s a tradeoff that’s there, and that’s erstwhile the regulation is set by Lawrence, Kansas. In a global network, if we start to think about what that regulation looks like, I think that the parade of horribles that we could go down is that we could actually get it set by the lowest common denominator of what all country on Earth wants.
In that case, we get to kind of a Teletubbies-like net where only the least possibly offensive thing is what can be anywhere online. And that sounds absurd, and yet, if you look at quite a few the regulation that’s coming out today, I think that that’s what we should be highly careful of. And it won’t be the US that sets the policy. It most likely won’t be Europe, either. My hunch is, if that’s the direction we go, that the country that ends up setting the policy is India. And that’s a place where we’re spending a ton of time looking at and watching. It is very telling, the amount of investment that the major technology companies are making in that country, due to the fact that they have the natural gravity and they have the political will to set that policy.
The good news is comparatively free press. The bad news is that it’s a beautiful scary planet in terms of net regulation and cryptography regulation. So again, is there a function for regulation? Absolutely. But you’ve got to think about who that is and what it looks like, and on a global network, there’s a real tension that is different than you had with telecoms.
But let me make that point more regionally. You’re saying globally, and I agree with you. I think the [Narendra] Modi government is the largest democracy, but the Modi government has any autocratic tendencies, especially around speech, especially on the internet. They’re asserting control over it in very direct ways. The average individual in Lawrence, Kansas, doesn’t feel that, right? They’re in America. They’re utilizing American networks.
I think a more direct question is, would you be more comfortable if the United States government passed a regulation that said, actually, Cloudflare can’t kick people off the service and just took that decision-making authority distant from you, which would preserve a more open net but possibly makes a different tradeoff in terms of speech? due to the fact that I think the Modi government is going to tell you who you cannot do business with.
They’re going to make certain that any things never arise, that any opposition parties never get access to the networks or the information ecosystem there. I’m saying here, it seems like we’d go the another way.
So, first of all, I don’t want to talk for the Modi government or others.
I don’t do any business in India, so I get to say whatever I want, but even here, right, you are being careful due to the fact that you don’t want to piss him off, and I think that’s notable.
I don’t actually know what the Modi government would do versus the opposition government in India or anywhere around the world. I know that we gotta operate in lots of places around the world, and we comply with the laws in all of those places. I don’t know that changing the laws in the US would actually change what we gotta do in another parts of the world, or if it did all of a sudden, then we just can’t be a global company. due to the fact that if you set up a set of rules where you can’t operate that way, then it makes sense. So we are beautiful good at following the law wherever it is, and I think clarity of law makes a ton of sense. What I’ll say is, I don’t spend a ton of time reasoning about this due to the fact that it’s an issue that’s come up 3 times in 13 years.
Fair enough. I’m just wondering due to the fact that I think your function in the ecosystem is so fascinating.
I think it’s worth talking about these things even if they’re not our most pressing issues due to the fact that I do think that we request to be long-term oriented as we think about this. And if the 40 years up to 2016 was A fresh Hope, the next 40 years is The Empire Strikes Back, and the AT-ATs have just landed on Hoth. What does Russia do erstwhile they take fresh territory in Ukraine? 1 of the very first things they do is they find the ISP and telecom headquarters, and they reprogram the routers to way the traffic back through Russia. Why do they do that? due to the fact that controlling communications is so critically important. That’s the another side of this, and it is not inevitable that the net exists the way it does 40 years from now. And I’m arrogant of the function that Cloudflare is playing in helping defend what I think is 1 of the large inventions of human past and 1 that’s worth fighting for.
You’ve mentioned Russia and Ukraine respective times now. You’re evidently supporting a bunch of customers in Ukraine. You have besides said that just disconnecting Russia from the global net would be a mistake. And the quote here is, “The consequences of specified a shutdown would be profound” and that “Russia needs more net access, not less.” This concept is broadly called the splinternet, the thought that all country is going to invent its own internet. We can see it here in this country. There are different state laws now that kind of find what services are available depending on age or pornography or what people think about protecting children. Do you see that coming here? Do you see the splinternet taking root in the US? Kicking TikTok off our net in any way appears to be in vogue. Do you see that coming here?
You can’t overstate how disruptive the net was to what are the 5 conventional sources of power in society that have been the case since we climbed out of whatever swamp we climbed out of thousands and thousands of years ago. Family, religion, government, media, and education are where power traditionally has come from, and the net disrupted them all in various forms, and they are trying to push back. It’s not that the net isn’t without faults, and we should be honest about those and talk about those faults, but we should besides be very careful not to quit on what is there. China is truly interesting and truly smart in that they never truly let the net in. They and North Korea are fundamentally the only countries on Earth that never let the net in.
A lot of another countries present are looking at what China has and saying, “That doesn’t seem so bad. possibly we can recreate that.” So I think the question is, can another countries get the horse back in the barn? We’re trying very hard to make that hard for the Russias and Irans of the planet to make it so that if they want to have access to the APIs that drive oil trading markets, that they besides gotta let the Anti-Corruption Foundation or Bellingcat be able to broadcast information about the corruption of the Putin regime. We’re truly good at making that a very hard thing for them to block. That’s earned us any challenges. I’m personally sanctioned by the Russian government, which is simply a kind of surreal thing to have happen. But again, I wear that as a badge of honor and think that that’s us doing the right thing fighting for the net overall.
I think that we should worry about the kind of TikTok bans and porn filters and things, but I think that those are tiny stakes compared to what are any of the truly big-stake efforts where Russia and Iran are fundamentally saying, “Can we recreate the same filtering engines that somewhere like China has?” And if they do, it won’t halt there. It’ll happen next in Turkey, it’ll happen next in Egypt, and it won’t halt there, either. India, Brazil, Canada, and eventually, governments want to be able to control how information is disseminated.
You mentioned a method capability there that feels like a policy, right? If you want access to these oil trading APIs, you request to make certain Bellingcat is available. That’s just a policy you’re enforcing. Do you see another method evidence of this inside the Cloudflare network that gives you pause?
I think we’ve made it very hard to block any 1 site on Cloudflare inside Russia without blocking all of Cloudflare. We are at a scale where blocking all of Cloudflare is tough. It’s interesting to look at what Russia hasn’t been able to block. So the fact that YouTube is inactive available, I think it’s actually a truly interesting point. I’ve spent rather a bit of time talking to policymakers and people who are much deeper experts about this. And they’ve said that, at the end of the day, a Russian household inactive relies on something like YouTube to entertain kids and that if Putin shuts that down, that he has a problem with the average Russian family.
In our case, there are just adequate things that the Russian economy depends on that run on Cloudflare, that you can besides have folks like Bellingcat. It’s very hard to block 1 without blocking the other. I think that these are the sorts of things that we don’t make any money off of but we think are crucial policy decisions to be reasoning about as a fundamental net infrastructure provider.
You mentioned Bellingcat, all these sites. You’re fundamentally mentioning websites, right? Or servers on the net in any way. I look at the web and I see this slow deterioration of web content due to AI. All the web is being flooded with C-plus AI-generated content, and all the action is on platforms. So it’s actually interesting to say they can’t block YouTube. due to the fact that they can’t go into YouTube and filter YouTube directly. Like, Google just runs that as a service. China might be able to filter the web more straight and block any sites versus others.
How do you feel about the state of the web today? I’ve been asking quite a few CEOs that, due to the fact that all of us built companies due to the richness of the web and our ability to meet customers right distant due to the web, and as things head toward platforms and the web gets overrun with AI, that might be changing in a immense way.
At the end of the day, it doesn’t truly substance how you’re consuming the content, whether that’s on your desktop or a mobile device, whether that’s through a browser or an app. Behind the scenes, a immense amount of what we see is processed through APIs. So APIs make up 57 percent of the traffic that we processed last year. And so that’s possibly not a conventional website. I think the web is most likely the easiest thing for most people to relate to, but at the end of the day, it’s just anytime you’re accessing content online, if there’s a network involved, then I think we play any function in that. I think these things evolve and change over time. The death of the web has been predicted many, many, many times, and again, it inactive keeps emerging.
There was a period of time in the early web past where the search technology that we had wasn’t good enough. That’s where Google came from. It was building something that was just a better way to filter through all of the garbage that was out there. So I guess I’m a small bit more optimistic that, fundamentally, people are trying to figure out how to communicate. People are trying to figure out how to find the answer to the problems that they have and find innovative fresh solutions. And there will be things that make that harder, and there will be things that make that easier. But over time, if you look at it, the growth in overall net traffic spiked enormously during covid, and then that slowed down. But in the last 2 years, it’s inactive grown almost 25 percent year over year, which is an extraordinary growth rate this far into the internet.
I think that if you started to see the utility of the net slowing down, you would see the usage slowing down. And that’s not just due to the fact that we’re bringing, I mean, it’s amazing, we’ve brought 4 billion people online. It’s disgraceful that there are 4 billion people who are not online. But it’s not just that. Even if you look at developed markets, you’re inactive seeing double-digit growth rates in net usage. I think that’s the best predictor of, is there inactive real value coming from it? So I think we can wring our hands about whether AI is going to destruct the web, but I’m inactive optimistic that having networks that connect people together, people are going to usage that to communicate and find answers to questions. If the current tools that we have, if Google isn’t adequate to kind the wheat from the chaff, then there will be a fresh Google.
I think Google hopes there’s not a fresh Google, but we’ll see how that goes.
And I would guess that whoever that fresh Google is will usage Cloudflare, so…
There you go. See, it’s all just customers for you. Let me bring this all the way back around. We’ve had what I would call a very idealistic conversation, and possibly we should get to John Rawls, although we have not done Locke, and I feel like you gotta do Locke. You gotta put Rawls in opposition to Locke. But we’ve had a very idealistic conversation.
I would cynically say idealism for a company like Cloudflare is simply a function of margin. You are able to invest in long-term net thinking. You are able to sit around reasoning about these truly hard decisions and supporting customers that you think are morally correct to support, even though they don’t pay you quite a few money. You’ve had to preserve those margins recently, right? You did layoffs. There was a very celebrated video of a individual being laid off.
No layoffs. We’ve never done a layoff.
You fire people. So you don’t think of those as layoffs?
No. I mean, if individual doesn’t do their occupation well, then we will fire a person. But a layoff is simply a very circumstantial thing where you’re saying we request to increase our margins. We’ve never made a determination on letting go of an worker for a margin reason.
Because quite a few tech companies have been doing this. They say we overinvested, we’re getting smaller. I guess you fired a bunch of people late due to the fact that you thought you were besides big.
Again, I don’t think we even fired a bunch of people. We fired about the same number of people that we usually fire. Covid had any truly interesting effects. I think 1 is that, in 2020, we truly stopped firing people due to the fact that we’re human and people were suffering and we wanted to take care of them. any people just expected that that would be the state of how things went on forever. We had people who for six months didn’t do a single thing as far as we could tell. At any point, you gotta get back to actually doing work. If you don’t do work, then we’re going to let you go. But again, that’s not due to the fact that we were besides big. That’s just due to the fact that you request to have people who are actually doing their jobs.
So I think we should focus on that. I think we’ve actually been unbelievably disciplined in the rate at which we’ve hired, and our margins have stayed kind of precisely the same for rather any time as a consequence of that. erstwhile you hire someone, it’s a large deal. It’s a work that you have. I’m incredibly arrogant that last year we had 1.2 million people apply to work at Cloudflare, which is just extraordinary. We hired about a thousand, a small over a 1000 of those. And we do a beautiful good occupation of that. But all erstwhile in a while, we make decisions or individual just isn’t the right fit or sometimes the occupation grows more than they do, and it’s not the right thing. erstwhile we do that, we — in as liable a way as possible — effort to let people go. But it’s a comparatively tiny part of the team, and I think we do a good occupation of it.
So I’m asking specifically about this video that you said was painful to watch with the individual being fired. You’re actually hitting on something that I was going to ask you about as well, which is last year you fired about a 100 people and you said they weren’t doing very well, and you’re saying that again here. You were criticized for that. People fundamentally said you shouldn’t disparage people even though you’re firing them for underperforming. You should just let them go live their lives. You seem to have a different approach. Even the culture of the company is extremist transparency. It seems like you’re carrying that through even to this minute at the end.
I want to be very careful. It would be incredibly unfair for me to talk about the female who posted the video. I mean, we have a much bigger megaphone, and we could walk through all the reasons for her being let go. That would be totally, totally, totally irresponsible. What I will say is that it’s incredibly costly to hire individual and then have them not work out. So it’s in our interest for everyone to work out. Not everyone does. And erstwhile they don’t, that doesn’t mean they’re a bad person. It doesn’t mean they won’t be an incredible worker somewhere else. They just weren’t the right individual for us. And sometimes that’s their fault. Sometimes it’s our fault. It can be a number of different things. I remember, I was at a job, and I got fired due to the fact that I wasn’t very good at the job, and I inactive remember it and it was super painful, but I learned from it.
With, gosh, at this point, almost 30 years of hindsight, they were right to fire me. But I’m a better worker present due to that. We can’t get to a point where we just say, everyone is large and everyone gets a medal and everyone gets a trophy. There are people who execute better than others, and we have a certain amount of work to get done. The worst thing that you can do as an organization is hold on to your low performers due to the fact that that not only is wasteful, but it actually is incredibly discouraging to your advanced performers. That doesn’t mean that anyone who we’ve let go won’t be a large individual somewhere else. Or even if we’d done certain things differently, if we’d trained them in a different way, possibly they would’ve been better. But for us, at that minute in time, they weren’t the right person.
I think that as you hire people, no substance what, you’ve got to be really, truly thoughtful around this. I remember in early 2022, all communicative was about how it was going to be the Great Resignation. all worker was going to quit. Meanwhile, we’re looking at the data, and we’re like, “Seems like the economy is going to slow down.” So all my peers are like, “We’re hiring as fast as we can.” And then it turned out no 1 quit. The large Resignation never showed up. I remember thinking, “Gosh, possibly we’re doing this wrong.” due to the fact that companies that I truly respect, I would talk to their CEOs, and they would say, “Yeah, we’re hiring as rapidly as we can.” We’re like, “Gosh, all the data kind of suggests that we’re about to slow down, so we’re actually kind of pulling back on hiring right now.”
That was a very scary and risky decision. But I think it’s part of what then has allowed us to not gotta do layoffs and to be able to proceed to invest due to the fact that it’s always incredibly costly and just disruptive and demoralizing if you gotta do this. On the another hand, if you don’t let go of low performers, that’s besides incredibly disruptive and demoralizing. So I think we should be very clear: it is irresponsible as a company to overhire and then gotta lay a bunch of people off even if they’re performing well. But it’s besides irresponsible as a company to have low performers who you don’t lay off as individuals because, again, that’s bad for the company, and it’s bad for the advanced performers that are there.
I agree with that completely. My question is simply a small bigger, and I want to end here. It’s about having the space to have your values. And quite a few the another large companies in tech preached their values for a decade or more. We’re connecting the world. We’re going to make the planet a better place, famously. And then the margin force did come, and they did overhire and they made layoffs, and now they’re kind of more ruthlessly focused on profitability, and the values seem to have gone away.
Is that something you’re worried about? due to the fact that so much of this conversation has stood out to me due to how frequently you come back to the values and the mission of the company in that I’m watching another large companies immediately make that tradeoff. I’m wondering if you always feel that force or how you think about it. due to the fact that it feels like that will find the future of Cloudflare as much as anything else.
Michelle and I are fundamentally focused on being just incredibly efficient business leaders. We frequently gag that we’re frightened squirrels at the end of the day, where I think that we believe that all dollar of investor capital that we’re trusted with, all dollar that a consumer pays us, that we gotta deliver a truly crucial return for that. And I’m super arrogant of the fact that we did that for all of our investors before we went public, and we’re way up from our IPO price, and we proceed to be able to deliver very consistent and long-term results. We have always focused on efficiency. We’ve never been the place that wastes money on fancy cafeterias or conference tables. We have very functional basic offices. I don’t live a peculiarly fancy life, and neither does Michelle, due to the fact that again, what we’re focused on is building what is simply a truly large business.
We’ve done that for a long time now. We’ve done that for 13, 14 years. Over that time, I think we’ve built quite a few trust with the investing community. If you look at, even as a public company, who our top 10 shareholders are, it’s been remarkably unchangeable over that period of time. You look at firms like Baillie Gifford that are a large investor in Cloudflare, their average holding period is 16 years. So they truly are focused on the long term. I think if you pursuit short-termism, if you look for that, and you run your business that way, then you will get investors that behave that way. But if you truly do think about the long term, if you are truly mission-driven, then you’ll besides get investors and customers who are focused on the long word and will let you do that as well.
I’m not saying it won’t come at any point, but I think both a combination of doing what we say and saying what we do, being incredibly consistent, truly focusing on long-term value creation for all 1 of the stakeholders that we serve, including the general public, that that has given us that freedom to be able to proceed to innovate. I think that it’s besides 1 of the real powers of being a founder-led company. The fact that Michelle and I are inactive showing up all day to work, that lets us do that, due to the fact that again, it’s a level of consistency, and I can’t imagine anything that I could do that would be more meaningful or more impactful. I think as long as we do what we say, we say what we do, hopefully we’ll always have the ability to build a large business. But besides do those things that are surviving up to our mission, which is again, to aid build a better internet.
I can’t think of a better place to end it, Matthew. Thank you so much for being on Decoder.
Decoder with Nilay Patel /
A podcast about large ideas and another problems.
