
Striking the Right Notes - Protecting Music Royalty Shares

BSides Philly 2023 · Talk · 26:28 · Published 2024-01
About this talk
Speaker: Madhav Gopal. Jukebox Co. (JKBX; pronounced "Jukebox") operates a technology platform at http://www.JKBX.com that aims to unlock shared value from the things people love by offering consumers access to royalties as an asset class. By merging music appreciation with traditional investing, JKBX redefines how retail investors and music lovers interact with the songs they know and love. With a commitment to supporting artists and delivering value to investors, JKBX is set to become a transformative force in music and investing. The security team at JKBX has taken a unique approach to protecting what is important to JKBX, from confidential music rights information to customer personally identifiable information (PII). This talk provides a behind-the-scenes look at the journey to build security into the JKBX platform and the outcomes achieved. The audience will learn about the team's security principles, how they were implemented, and the challenges that were overcome.
Transcript (en)

Can you hear me okay? Great. I promise I will not yell into the headphones. So first of all, very glad to be here. This is my first time at BSides Philly, and what an amazing audience, amazing speakers. My name is Madhav Gopal. I'm the CISO of a fintech plus music company called Jukebox. It is spelled JKBX, but it's pronounced Jukebox. I've been in the Philly area for about 18 years now and really love the Philly area. As I said, so glad to be here with you all today; lots of familiar faces in the crowd, so thank you for coming, everybody.

The way I look at things is that I look at everything as a series of journeys, and that's really important, because a lot of times people think, hey, we are getting to a destination. The destination is important, but to me the journey is as important and probably more important than the destination. So I'm going to be talking about three journeys today and share what I went through and what my perspectives were. The first journey is going to be about my career: how I got into cybersecurity. I was not in cybersecurity all throughout; I did so many other things, and then also how I landed from a Fortune 30 company at a 40% startup. So that's journey number one. Journey number two is going to be about music copyrights, my company, the model that we have, the business that we are in, walking through the history and the forward-looking aspect there. And then the last piece that I will talk about, probably one of the most interesting things here for you guys, is how do you build security in. You're talking about a music company, a company where people are working constantly with artists, with composers. How do you make sure that security is part of everybody's culture, everybody's ethos? So that's the nutshell. This is not a very technical topic. I'm likely not going to do the full hour, so if you have questions please raise your hand; I will pause for questions at the end as well.

Great, so let me jump in. About me: I put these two graphics up. The first graphic is obviously a map of our country, and the reason I put it in there is because my career started first as a software developer, but very quickly after that as a consultant, and I was in 25 different states before I knew it, working on different technology projects, mainly in the telecom industry. What really shaped my career was that at some point I was like, okay, this traveling is great, but I really want to do something at one place and build my experiences. That brought me to Comcast about 18 years ago. At Comcast I had six or seven different roles, all the way from technology audit to engineering operations to business operations to syndication, and my last role there was as VP of cybersecurity operations. That becomes really interesting, because when you think of Comcast, a Fortune 30 company obviously, you have this gigantic network, the largest network in the world, that you're trying to protect; you have data for 30 million customers. So it was a really eye-opening concept: how can you use the right processes, the right people, the right technology to protect this network, but at the same time move your team forward? That was most of my career, and then in the last year I pivoted a little bit and said, look, I've been working at large companies for a while, I've been doing this Fortune 30 thing; it is time for me to do something different.

It was completely coincidental, but I came across this company which, as you can see, is trying to build this platform for music royalties. If I can get a show of hands, how many people here listen to music on a daily if not hourly basis? Most of you. So every time you listen to music, whether it's on Spotify, whether it's on a radio station, whether it's music that's getting played there, there is a royalty that comes back, and it typically goes to the people who are known as the rights holders, the people who own the copyright to the music. From that perspective it's a very interesting company, and I'll get into a little more detail, but for me the whole concept was, hey, I'm someone who is working in an ISP, and now I'm shifting and working with people who know Adele on a first-name basis, people who know Beyoncé and go to Beyoncé's parties. So it's a complete paradigm shift for me, but a very interesting opportunity to build my skills.

It's important for folks to understand what really defines me. When I took this role, for me one of the main reasons was, hey, look, I have the opportunity to build something from scratch. This is my son, my 11-year-old son, planting a tree. I think this is a great example of saying that it is such an important aspect to be at the beginning, to be able to build something out and to make that investment, to look at security as an investment, as something that can really take things to the next level, and to not just look at it as, hey, I'm building something that is in its infancy, but also I'm building it for the long term. It's an investment that I'm making in my time and effort so that it really grows. One of the values that really defines me is servant leadership: how can I not just build my function but also empower my team to constantly do the next thing and the next thing, and build some of those experiences that will take them forward. So that was my first journey: my journey to Comcast, and from Comcast to a much smaller company, but really building those skills as I move forward.

The second journey goes back all the way to 1846/7, and this is a café in Paris. There were, I think, three or four musicians who were having a drink, enjoying some really amazing French food, cheese, wine, all of those things, and suddenly they realized that the music that was playing was their music. The band was playing a beautiful song, but it was music that they had composed, and they decided not to pay the bill, and that became a whole legal dispute, because the whole thing was, look, I'm sitting in this café, my music is being played, but I'm not getting any income from that. They got into this legal dispute with the owner of the café, and that was the genesis of the modern music copyright industry: to really say, hey, how do we make sure that composers, musicians, songwriters get paid fairly for the creative work that they do?

If you take it to the future and look at what music copyrights are today, very simply, these are the two things that are primarily there. First you have the concept of what is known as a composition copyright. Any time the music is created, whether it's lyrics, whether it's the actual composition, it can be the songwriter, it can be the studio where the music is created; that is a composition copyright. And then when that piece of music gets played by an actual artist (let's say Taylor Swift writes a song, but Taylor Swift doesn't record it, somebody else records it), then you have the concept of the recording copyright. Those two copyrights are really what define modern-day music, and any time you hear a song, both of these copyrights have a royalty that is associated with them. So someone is getting paid, and it does not have to be on the TV, it does not have to be on the radio; it can be in a hospital, it can be in a public venue such as this, where those music copyrights go in.

From an industry standpoint, royalties play a crucial role, because they're supporting artists, songwriters, publishers, they're supporting the record labels, but you're also looking at this as $40 billion in annual revenue. So it's a pretty big deal. And if you look at how fast it is growing between 2017 and 2022, the size or the number of streams of music that were played went up by more than 2 and 1/2%, so it's a pretty large increase. It's also fairly lucrative: if you look at music that's been around for 10 years or more, it's constantly getting played, and there's a steady royalty stream associated with it.

So one of the things that is important here is where my company comes into play. What we are trying to do is take this part of the music industry and say that a lot of these music royalties are only going to record labels, to private equity; how can we open it up to ordinary investors, to music fans, to people who care about the music? The easiest example that I like to use is, hey, you have an Apple iPhone, but you can actually buy Apple stock, and any time anybody buys an Apple iPhone you benefit from it. So that's what we are trying to do; we are trying to build this regulated platform that will really help. If you look at how the business is set up, there are basically three components. The first component is the actual music. What Jukebox, my company, has done is that we have worked with the record labels, we have worked with the rights holders, to say, hey, you have this music, let us put it on the platform, you will get the equity back, you'll be able to unlock that equity, and at the same time ordinary investors and music fans can benefit from the royalty stream that is associated with that. That's number one. Number two is saying, okay, we've got to build a marketplace. Obviously it won't look like that, but it'll be a digital marketplace, just like your Fidelity or Robinhood, where you can buy and trade music, and that's important: it's not just the buying of assets, or buying of music royalty shares, but also being able to trade it, being able to exchange it for something else. Let's say you bought Adele, one of her songs, and then you want to swap it for "Halo" by Beyoncé; you could do that. So that's the approach that we're taking. But for all of that to work, what is missing here? This is something that the crypto industry never really caught up to. They were like, okay, we're going to build this, but they didn't really care about the regulation; they didn't care about the framework that you need, the laws that we need to follow. From a cybersecurity standpoint, it's making sure that we are building a platform that secures customer data, both PII and financial information, but also at the same time getting the right qualifications from the Securities and Exchange Commission, because we are going to be a regulated entity, and from FINRA, which is a broker-dealer license, to make sure that we can trade some of these assets. So that's how Jukebox is set up. The easiest way to think of us is: if Spotify and Robinhood had a baby, we would be it. You take an exchange and you couple it with music, and you really take that approach. So from a business perspective, that's my second journey.

And then the third journey is security. As part of the founding team last year, I had to convince the team: why is security important? Why should we really look at security in the context of Jukebox? There were three things that I put out there. First is this concept of fear, uncertainty and doubt, and that was the best graphic I could find, so if you guys have anything better please feel free to share. There's so much panic around security. Everybody's like, oh, you're going to get popped, you're going to get hacked. Any email that comes in, my CEO, literally every day he's like, is this a phishing email? I'm like, no, it's not a phishing email, the domain looks authentic. So first is really saying that we've got to move beyond FUD and talk about what's the actual risk: is it even a risk, is it something that we need to care about today, or is it something that we need to address down the road? That's number one. Number two, look, our ecosystem is constantly changing. Even within the music space there's a lot of innovation going on; Spotify is going through all kinds of changes. But from a technology standpoint, with generative AI over the last year or so, it's so much easier for people to use that to attack us, to do so many different things. So really looking at security as a dynamic concept and saying, okay, what can we do to protect the company as we pivot and we try out different things? And then the last piece, no surprises here, is regulatory, whether it's cybersecurity regulation, whether it's privacy regulation. Obviously we are a startup, so we don't need to worry about the SEC, the recent announcement that came out, hey, we are looking at potentially having companies report breaches within, what, 48 hours, but at some point we have to include those things and say, as we build a company that is going to stand for a long, long time, how can we make sure that we are compliant with privacy and cybersecurity regulation. But most importantly, my story was, hey, security really moves the business forward. If you want to grow, security is a strategic imperative, especially in the industry that we are in; we are a fintech. Would you go into Fidelity or Charles Schwab and log in with an 8-digit password? Yes, you might, but you will still need to do MFA, and your session will time out in, what, like 15 minutes. So consumers like you, like anybody out there, view security as a given. They want their fintechs, their trusted providers, to provide that high bar of service from a security perspective. So it's not an option; it is something that you have to do to move the business forward.

And then the question would be, how do we do this? What are some of the things that we can do here? I think the North Star that we chose, and Chris, who is on our team as well as a contractor, knows this very well, is to say, hey, we have to build security in. We have to build security into how employees do their day-to-day work, how developers do their work, so adopting a secure development life cycle, and last but not least, how customers interact with us. That is probably one of the most important things, because once you lose that trust you are not able to get it back. So really focusing on that, and with that in mind, basically we had three things. First is to take a proactive approach to work with developers: make sure that if we find a security defect, my team is doing the pull requests, giving them the information that's needed to fix it, to really meet them where they are at, not wait for people to come to the security team and say, hey, what do you need. That's number one. Number two, going back to what I said earlier, really looking at security as an investment and saying, okay, how can we build security into everything that we do? Our team interacts with artists; we have information about artists across the board; how do we secure that information? We are obviously 100% on cloud, we are serverless; what are some of the things that we can do to make sure that we have the right visibility going forward? And then last but not least, we can't take a one-size-fits-all approach; we have to take a risk-based approach. Some things might work for certain things, others may not. We don't need MFA and very aggressive timeouts in staging; we just need it in production. So really taking that risk-based approach and saying, okay, where is the most risk, and what can we do to address that?

From a challenges perspective, we really had three big things that we are looking at. The first is visibility, whether it's from a performance standpoint, whether it's from a security perspective. Even though we are small, we are already collecting a lot of data. We've got to make sense of the data; we've got to figure out, okay, is this an actual attack? Our CEO is based out of the UK; why is he suddenly showing up in Italy? Is it impossible travel? So those are the kinds of things, really taking a look and saying, okay, how do we make sense of the data, how do we build that foundation to give us the insights that we need from a security perspective. The second one is that we are constantly under attack. Almost on a daily basis team members receive a phishing email, receive a text saying, hey, send me gift cards or give me a password. So understanding that that's always going to be the case, and how do we protect our team members, whether it's endpoint security, whether it's using Okta to authenticate them to make sure that if they are coming from a suspicious IP we block their access. And then last but not least, we are a startup; we can burn money like anything. So we have to be really prudent about, hey, before we get to revenue, how do we conserve our runway, how do we make sure that we are not to the point where we are running out of funds, doing the right things, building the team, but investing the right way.

So from a security perspective, I wanted to introduce this concept of micro versus macro. There's a lot of background noise; you guys can hear me still, right? Okay, great, thank you, I just want to make sure. So the micro is, hey, as I said, we are constantly under attack. This is an actual phish that our head of music received, saying, hey, I'm the CEO, I need you to go and buy me gift cards, go buy it now, and she was like, yeah, I can go get these Amex gift cards, and then obviously she had the presence of mind to say, this is not normal, this is not something that makes sense. So that's the micro approach: making sure that people are aware, making sure that we have phishing protections, but we also have phishing campaigns to exercise that. And then the macro is, hey, we are going to have hundreds of thousands of customers on; how do we make sure that we are protecting them, how do we make sure that their information is not being sold or stolen, making sure that we are not being attacked by ransomware. So really taking that holistic approach, not just on our endpoints but also on our AWS footprint, and moving forward.

I'm pleased to say from an outcomes perspective that these are basic things that we've been able to achieve. First is your old-fashioned scanner. The reason I put it up there is because we are able to scan code; we are able to check for any vulnerabilities, whether it's using GitHub Advanced Security, whether it's using Vercel, which is allowing us to deploy our front end, and be able to really say, okay, what's going on. One of the advantages that we have as a startup is that because we are so small, we are able to use a variety of different tools, whether it's for SAST or DAST, to really say, okay, how does the code look, how can we address it and move forward. That's number one. Number two, we are constantly running phishing campaigns; we are constantly evaluating our team and checking, hey, are they doing the right thing, and doing it in a way that's non-intrusive but engaging. And last but not least, we are being very upfront about security to our customers. If you go to our website, which is very simple, jkbx.com, you will see that there's a security center; there's information for customers about what we do internally, but also what they can do to protect their information, protect the data moving forward. So feel free to look at the website; if you guys have feedback, I'm always open to feedback.

And then last but not least, a few concepts for me in closing. You probably heard this in the beginning, but careers are jungle gyms; they are not like ladders. You don't keep going from one rung to another rung; you're moving in different directions, but it's always important to pick up those skills. It's always important to say, okay, I've been doing this for a while, I'm going to go do something else, I'm going to try a different setting, and that's where I think your experience really matters, because you're able to apply that across different industries, different segments, whether it's a large company, whether it's smaller companies. Number two is really this concept of: we've got to build things in. This is not a new concept; this has been around for a while, but it's easier said than done. It is really important to dedicate time to say, okay, as you are laying the actual foundation, as you are putting up the scaffolding, it's important to really start thinking about security: where are your weak points, how can you reinforce things. And finally, you've got to step out of your comfort zone. For me, for a long time I was in the blue comfort zone, and then for the last year or so I'm somewhere between orange and red, but that's how you learn. You come out, you go into the learning zone, you go into the danger zone, and you're really pulling and stretching yourself, because that will move you forward; that'll give you skills that go a long way. So that's all I had, folks. I didn't have too much more, but I'm happy to stay on for any questions that you all might have. [Applause] Cool, yeah, go ahead, please.

Yeah, so I'm going to repeat your question just so that everybody can hear. His question was, what are the big things that you guys are protecting? It's all of those. It's customer data, because when customers sign up, because we are a financial services firm, they need to do KYC, which is social security number, driver's license; so that's number one. Number two, yes, business information; we know how much Taylor Swift makes from different songs, so it's pure business confidential information. And then three is employee information; again, employees are using a number of tools. So that's the standard of what you would see in any other company, but because of our industry, slightly different. Any other questions? Great. If not, thank you so much for your time, and enjoy the rest of BSides.
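The "impossible travel" question the speaker raises (a UK-based CEO whose account suddenly appears in Italy) is a concrete detection that can be run over identity-provider login events. The following is an added example, not code from the talk or from JKBX; the login records, coordinates, speed threshold and GeoIP distance floor are constructed assumptions.

```python
"""Impossible-travel detector over login events (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    """One authentication event; lat/lon come from geolocating the source IP."""
    user: str
    ts: datetime
    lat: float
    lon: float
    city: str


EARTH_RADIUS_KM = 6371.0
# Assumption: a commercial flight cruises near 900 km/h, so one person cannot
# legitimately appear to move faster than this between two logins.
MAX_PLAUSIBLE_SPEED_KMH = 1000.0
# Assumption: GeoIP is only metro-level accurate, so hops shorter than this
# are treated as location noise rather than travel.
MIN_DISTANCE_KM = 100.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = p2 - p1, radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def find_impossible_travel(logins, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (user, from_city, to_city, implied_kmh) for every consecutive
    pair of logins by the same user that implies an implausible speed."""
    by_user = {}
    for ev in sorted(logins, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(ev.user, []).append(ev)
    alerts = []
    for user, events in by_user.items():
        for prev, cur in zip(events, events[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue  # same metro area: not travel
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            # Two distant logins in the same second imply infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_speed_kmh:
                alerts.append((user, prev.city, cur.city, speed))
    return alerts


def _utc(hour, minute):
    return datetime(2023, 12, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample: the CEO signs in from London, then 45 minutes later a
# session on his account appears in Milan; an engineer commutes normally.
SAMPLE_LOGINS = [
    Login("ceo", _utc(9, 0), 51.5074, -0.1278, "London"),
    Login("ceo", _utc(9, 45), 45.4642, 9.1900, "Milan"),
    Login("eng", _utc(13, 0), 39.9526, -75.1652, "Philadelphia"),
    Login("eng", _utc(13, 10), 40.0000, -75.1000, "Philadelphia"),
    Login("eng", _utc(15, 0), 40.7128, -74.0060, "New York"),
]

if __name__ == "__main__":
    for user, src, dst, kmh in find_impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {user}: {src} -> {dst} implies {kmh:.0f} km/h")
```

The engineer's 10-minute hop within Philadelphia is dropped by the distance floor, and the Philadelphia-to-New York trip at roughly 65 km/h passes; only the London-to-Milan pair, at about 1280 km/h, is flagged.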