Q&A: Harry Moseley, CIO, Zoom

In mid-March, most people left their offices, went home and stayed there. Their work and social lives took a backseat to the pandemic — no more board meetings, birthday parties, after-work drinks or piano lessons for the kids. At least not in person. Gatherings — work and play — moved online and now everything from live TV shows to church services are being conducted by video conferencing platforms.

Canadian Security recently spoke with Harry Moseley, CIO at Zoom Video Communications, one of the companies at the centre of this global transformation. Moseley spoke about what it’s like to experience massive growth in only a few months, the cybersecurity challenges that come with that growth, and Zoom’s 90-day security plan. The conversation was conducted via Zoom (what else?) and has been edited for clarity and concision.

Canadian Security: How has your world has changed in the last couple months?

Harry Moseley: So the way I would describe how things have changed are as follows. Two years ago I joined this small tech company called Zoom based in San Jose with 800-plus employees globally — a private company relatively well known in the tech community, known in the U.S., sort of known in Europe not well known in Asia-Pacific. Then you sort of fast forward — here we are, two years later — boom! We’re now almost 3,000 people working out of 18 offices. There are 17 data centres around the world. We went public a little over a year ago. Now we are keeping commerce alive as we live through this pandemic in every industry under the sun and operating in something like 226 countries and territories out of 241. We’re supporting government agencies like the British Parliament, a 700-year-old organization, and over 100,000 schools in 25 countries around the world. And it is extraordinarily humbling to be in the middle of this.

We have one focus and that is making sure companies can be as productive as possible as they work their way through this pandemic and making sure that people can have some sort of life as they work through this pandemic, which includes things like birthday parties, yoga classes, cocktail hours. We hosted the Queen’s birthday party on Zoom a couple of weeks back.

We host church services. We do a variety of different webinars. Saturday Night Live has been running on Zoom. It’s just been a journey. I’ve never experienced anything quite like this in my life.

CS: At what point did you realize that your user base had grown exponentially and you would have to scale to accommodate?

HM: So as I reflect on the period from January through March and into April, we’re just going 100 miles an hour. Every day, new challenges were coming up and we just wrestle them to the ground. We have great culture at Zoom, which is based around, “What’s the problem? What’s the root cause? And what’s the solution?” And that’s how we treat everything. At the end of the day, we’re a bunch of techies.

We try to figure out, “Well, okay, that’s a problem. Okay, that’s the root cause and that is how we’re going to fix it.” And that’s what we do and we move on. And so I don’t think we ever sat back and really thought about what was actually happening because we didn’t have time. We just didn’t have time. We were working around the clock.

We saw the world was struggling and we only had one objective: How can we help companies maintain some level of business as good as they can be, and help people get through this pandemic.

CS: How has Zoom tried to meet cybersecurity challenges during this time? They must be unprecedented, given the scale.

HM: Daunting. That’s the word you’re looking for [laughter]. On April 1, we announced we were taking our entire engineering team and we were pivoting them to focus on security and privacy. And so since that time we added over 100 features to the platform. We’ve done a variety of different things. So let me just highlight a few. For example, we’ve always have great security controls in the Zoom platform. Now we’ve bundled them together and put them right at the host’s and the co-host’s fingertips on this icon that we call the privacy shield. This adds the ability to lock the meeting, restrict who has access to chat and restrict who has the ability to share content and things of that nature. We also introduced the regional data centre selection tool so you can select which geographies you want to have your meetings hosted in. And we enhanced our dashboard technology, so you can actually see where your calls are being routed. We also announced an upgrade on our encryption methodology to AES 256 GCM for Zoom 5.0. There were a bunch of other features … We introduced a “report a user” feature so you can report bad behaviour to our safety team so they can investigate it and bring the necessary powers to bear.

We also did an acquisition — we acquired Keybase, a cryptography technology company based here in New York City and advised that we will be sharing our plans around a true end-to-end encrypted service on Friday, May 22, which is very exciting. We are going to create a new standard around security for unified communications and collaboration. We are going to raise the bar and distance ourselves from all the other players out there from a security perspective and I personally find this extraordinarily exciting.

CS: Can you just circle back on the company’s 90-day security plan? You addressed that briefly.

HM: We went from 10 million daily participants in December, to 200 million daily participants in March to 300 million daily participants in April…. With that came a more immersive review by a variety of parties. And with that, came the different constituents that we now have to support and serve. The reason we established the 90 days was we wanted to focus on how do we support these different constituents that are now on the platform.

We built Zoom primarily for the enterprise. In enterprise environments, you have IT organizations which, besides doing the security review of a platform, are also responsible for the deployment of the platform, are also responsible for the training and setup and the defaults that go along with the platform. When you get into this consumer world or the education world — where we gave our software away for free — you didn’t have those robust IT organizations in place to do the necessary training, to set up the necessary defaults and so on. So, one of the things that we did — I think it was within the first few days of our 90-day plan, as an example — was to set the default for the education sector [which] was password control and only the host can share content, nobody can chat, nobody can rename themselves. That was part of what we did in our 90-day plan, but it was also to support all these different constituents out there and the different needs and requirements.

We also introduced the webinar with Eric [Yuan, CEO of Zoom] on Wednesdays, to give an update on what we’ve done and what we’re doing. And so there’s been a consistent flow of new features and functions that we enabled on the platform including things like for organizations to [be able to] select the complexity of the passwords that they want to use for meetings and things of that nature.

CS: Any closing thoughts?

HM: My closing thoughts are, Zoom is secure and Zoom is safe. I’m very proud of our track record in that regard. I’m very proud of how we’ve been innovating at speed and scale and the various different sorts of feature we brought to the unified communications and collaboration space.