There are great stories in the security industry that aren't being told. Fascinating people who fly below the radar and aren't being heard. We know because we encounter them in hallways, hotel lobbies and just about everywhere imaginable across the globe. Every time we think "I wish I had recorded th…
Listeners of Security Voices that love the show mention:

The Security Voices podcast, hosted by Dave Cole and Jack Daniels, is a refreshing and informative show that brings together subject matter experts in the field of security. With their practical insights based on years of experience, Cole and Daniels provide listeners with valuable information without any unnecessary filler or boring fluff. One standout feature of this podcast is the fact that they do not accept sponsorship money, ensuring that the discussions remain clear-headed and free from product pitches.
One of the best aspects of The Security Voices podcast is the caliber of their guests. Cole and Daniels consistently bring in industry pioneers who have played significant roles in shaping the history of security. As someone who entered into security relatively recently, it is truly awesome to hear these stories and gain insight from those who have paved the way. These interviews offer a unique perspective and a deep dive into past experiences, making it an invaluable resource for anyone interested in entering or advancing in the field of security.
Another notable aspect of this podcast is its focus on digging into details rather than sticking to PR talking points. While many podcasts may skim over important topics or only touch on surface-level information, Cole and Daniels go beyond that. They dive deep into subjects, providing listeners with a level of understanding and analysis that goes beyond what is typically found in other security podcasts. This dedication to exploring topics thoroughly sets The Security Voices podcast apart from others in the industry.
While there are many positive aspects to The Security Voices podcast, one potential downside is its niche focus. As it primarily focuses on security within the technology industry, some listeners outside of this field may find the content less relevant to their interests or professional pursuits. However, for those working within or aspiring to be part of the cybersecurity world, this podcast offers invaluable insights.
In conclusion, The Security Voices podcast stands out as a must-listen for anyone interested in getting into security or looking to deepen their knowledge within this field. With its impressive roster of subject matter experts, the show offers unique perspectives and historical context that is hard to find elsewhere. The lack of sponsorship money ensures discussions remain unbiased and focused on providing clear-headed insights. Despite its niche focus, this podcast is a valuable resource for professionals in the cybersecurity industry and those seeking to enter it.
After 5 seasons, it's curtain call for Security Voices. In this final episode, Jack and I reflect on half a decade of podcasting together through times that were extraordinary both for the world and for each of us personally. We discuss some of our favorite moments, most memorable guests, and the lessons learned from roughly 60 episodes of exploring the unique personalities and stories of cybersecurity. At around 40 minutes, our last pod is more short and sweet than long, tearful farewell. The Security Voices website will continue to be up for the foreseeable future so that it can be happily devoured by generative AI and by any humans sticking around who want to know what things were like in the beforetimes. Jack and I hope that we left the industry a little better than when we started this project back in the winter of 2019. Thanks for listening.
The ascendancy of India in Silicon Valley is undeniable. From top executives such as Satya Nadella (Microsoft) and Nikesh Arora (Palo Alto Networks) to leading investors, we've become well accustomed to working with, and often for, people who have immigrated from India. Given that the wave of immigration from India started decades ago, our Indian coworkers, investors and leaders are such an established part of the tech industry that we often give little thought to the cultural differences that underlie our daily interactions. Nonetheless, the move to remote work strips away much of the high-fidelity, in-person interaction that makes understanding each other easier, even if we were raised on different continents, speaking different languages, etc. In simple terms, while the stakes for understanding each other have never been higher, our actual means of communicating have gotten worse.

This episode of Security Voices combines the perspectives of two experienced security leaders, Ashish Popli of Spotnana and Jason Loomis of Freshworks, along with Jack and Dave. Ashish has been working in the U.S. since he completed his master's at Stony Brook in '02, whereas Jason took the role of CISO for the Chennai-based Freshworks a little over a year ago. Their combined perspectives provide a 360-degree view of both what it takes for an Indian security leader to adapt and how a Los Angeles-based security leader has navigated the unique challenges of having a team based in India. Jack explains how B-Sides conferences in India also bear the clear imprint of the country's culture.

Over our roughly 60-minute discussion, Ashish and Jason share their stories of what works, what doesn't, and perhaps most importantly, we explore the "why" behind those moments when something seems to be lost in translation.
We hope you have a few "aha" moments like we did during the conversation, and that this episode serves as a practical reminder that while much unites us in the tech industry, we can go even further when we understand and respect our differences as well.
The classic mindset of cyber security unmistakably originates from its early leaders: financial services, the defense industrial complex, and big companies that had too much to lose from ignoring what was called at the time "information security risk". They tried to calculate largely unknowable risks to explain digital concepts to analog executives. They leaned on medieval metaphors such as castles and moats to make formerly arcane technology like firewalls understandable to people who had just gotten their first AOL email address. And Sun Tzu quotes were used to make it absolutely clear that we were in a war against a shadowy, determined enemy that demanded our attention (and a generously sized budget).

The cybersecurity landscape today bears little resemblance to those early days, but far too much of how we reason about our industry is still clearly traceable back to them. Kelly Shortridge's Security Chaos Engineering is a sneakily titled book that has less to do with testing technical boundaries and much more to do with modernizing our headspace to accommodate the new, incredibly complex environment we find ourselves in today. Sun Tzu quotes are replaced by Ursula K. Le Guin and Buckminster Fuller. Jurassic Park analogies take center stage. Ice cream metaphors and decision trees supported by open source projects make the formerly esoteric approachable. Practical, even.

Our 1-hour conversation with Kelly covers many of the core ideas in the book she recently published along with Aaron Rinehart, centering on adopting a mindset of evaluation and experimentation. A common thread running through the dialogue is that of empowerment: we live in a privileged time where much of what we do now can be stress tested to build resiliency. And this is a far more sane approach given modern complexity than attempting to comprehensively model risk and prevent attacks. Cat and mouse?
No, we and our adversaries are peers on equal footing who are capable of both offense and defense. The future, and the present for those who lean into it, is much more Spy vs. Spy than Tom and Jerry. We hope this dialogue takes you at least one step closer to it.
Let's say it's 2012. And you're graduating Stanford with a comp sci degree. You could go to Google, Facebook or any of a number of well-paying emerging juggernauts. If you're Frank Wang, you move across the coast and do your PhD in cybersecurity at MIT.

Now you're doing your PhD. And you make pals with a local VC. So naturally, you start a cybersecurity incubator as an academic (Cybersecurity Factory) which churns out companies such as Huntress Labs.

Your PhD is in the bag now and you're ready to start making money. Time to apply all of that theory from academia in a company, right? Wrong. If you're Frank Wang, you become a VC at Dell Capital.

It's the middle of the Covid pandemic and VC is going bonkers. Massive amounts of capital being allocated in a frenzy unlike anything we've seen in decades. If ever. Rather than joining in the party, Frank sees it as a clear signal that it's time to move on and becomes a security engineering leader at modern data stack company DBT. Now that you've got a comfortable job at a high-flying tech company, it's time to take your foot off the gas pedal, right? Do your part and ride it out through a lucrative exit. Frank saw this as the time to step up his side hustle instead and start the popular blog and newsletter, Frankly Speaking.

The conversation is a little over an hour of Dave exploring the career arc of Frank to date and what he's learned while blazing his own, unconventional trail through cybersecurity. The unique road he has traveled lends him perspective for those who want to better understand VCs, running a side business, or simply what happens when you ignore conventional wisdom and have the courage to make your own path.
This past weekend, the New York Times posted an article explaining that the United States is scrambling to clean government systems after a deep, pervasive infiltration of the country's infrastructure by the Chinese. Much like the Russian attacks on Ukrainian infrastructure, the intent appears to be to disrupt any U.S. action that would be a response to Chinese military action in Taiwan. The role of nation state actors in driving the threat landscape has brought us to a place where the lines between physical and cybersecurity are no longer blurry, but simply erased.

Galina Antova, founder and Chief Business Officer of Claroty, shares her expertise in operational technology (OT) security with us in an hour-long interview in the latest episode of Security Voices. We begin by walking through the recent industrial security threat landscape with an emphasis on INCONTROLLER/Pipedream and discuss the impact of the Russian/Ukrainian war, tracing its origins back to a landmark attack in 2015.

Galina and Dave explain the uncomfortable truths about the current state of OT security, starting with the fact that, other than in nuclear energy facilities, air gaps are as common as unicorns and other mythological beasts. Galina explains why OT security teams necessarily have to operate with older equipment and more caution than conventional IT security teams. Further, while we have not seen massive infrastructure disruptions to date, the real reason behind this offers us little comfort.

In the second half of our interview, Galina describes her journey as a founder of Claroty and what it took to build a $100M ARR company over 8 years. For a category decades in the making with notoriously long sales cycles and risk-averse buyers, she takes us through the playbook she and her co-founders used to establish a beachhead and expand into a global OT security juggernaut.
We pinpoint why the pandemic was a breakthrough moment for OT security, catapulting solution providers to new heights, and why this had little to do with new threats and everything to do with enabling digital transformation.

We bring the episode to a close with a dialogue on gender equity in cybersecurity and specifically how men can do their part by adjusting a couple of key assumptions when interacting with women in business.
"Any country that intervenes in Taiwan will face serious consequences, including cyber attacks."

This statement in January by the Chinese Ministry of Foreign Affairs made clear that the United States must be ready to defend itself in what many assume to be an inevitable conflict over Taiwan's independence. It begs the question: how will we defend ourselves from such a powerful adversary with one of the best cyber armies in the world?

At the heart of the answer is the United States' infrastructure: an interconnected web of both government and for-profit companies that provide core services to the citizens. This public/private partnership is most evident where it matters most: energy and communications. Mary Haynes, Group Vice President of Charter Communications and industry cybersecurity veteran, has worked with presidential administrations across her multi-decade career to serve the twin goals of protecting her customers and making the country more resilient to attacks. Our 72-minute conversation with Mary starts with how our communications industry is responding to the threat and the Biden administration's somewhat unique approach. We explore two critical areas to mounting a credible defense: 1) ensuring the security of consumer-managed connectivity hardware and 2) addressing traffic hijacking and route misadvertisements by shoring up BGP with RPKI. Throughout the conversation, we get a clear view into the combination of big-picture thinking, technical acumen and diplomacy that has taken Mary to one of the top roles in defending the U.S. communications backbone.

While the first part of the conversation discusses her and the communications industry's readiness to defend against nation state adversaries, the remainder of our interview serves as a brief career retrospective for Mary as she plans to start her transition into retirement later this year.
On the topic of dealing with seismic technology shifts, she reflects on our response to the public cloud and how that should inform the cybersecurity industry's response to the current advancements in artificial intelligence. As we wrap up, Mary explains where we've made progress with regard to diversity and her advice for women considering a career in cybersecurity. Mary's optimism and clarity of vision leave a strong impression throughout the dialogue; we wish her the very best as she moves from leader and practitioner to advisor and board member later this year.
The breakaway success of ChatGPT is hiding an important fact and an even bigger problem. The next wave of generative AI will not be built by trawling the Internet but by mining hoards of proprietary data that have been piling up for years inside organizations. While Elon Musk and Reddit may breathe a sigh of relief, this ushers in a new set of concerns that go well beyond prompt injections and AI hallucinations. Who is responsible for making sure our private data doesn't get used as training data? And what happens if it does? Do they even know what's in the data to begin with?

We tagged in data engineering expert Josh Wills and security veteran Mike Sabbota of Amazon Prime Video to go past the headlines and into what it takes to safely harness the vast oceans of data they've been responsible for in the past and present. Foundational questions like "who is responsible for data hygiene?" and "what is data governance?" may not be nearly as sexy as tricking AI into saying it wants to destroy humanity, but they arguably will have a much greater impact on our safety in the long run. Mike, Josh and Dave go deep into the practical realities of working with data at scale and why the topic is more critical than ever.

For anyone wondering exactly how we arrived at this moment where generative AI dominates the headlines and we can't quite recall why we ever cared about blockchains and NFTs, we kick off the episode with Josh explaining the recent history of data science and how it led to this moment. We quickly (and painlessly) cover the breakthrough attention-based transformer model explained in 2017 and key events that have happened since that point.
Hidden bunkers, stacks of canned food and piles of artillery. Disaster preparedness has become an Internet meme and these are some of the "prepper" community's showcase images. But most of us who have lived through the recent pandemic, the Capitol insurrection on January 6th and more no longer take the threat of a major disaster lightly. For those of us not willing or able to dig out a backyard bunker, is there a rational middle ground where we can feel well-prepared for whatever comes next?

Software security legend Michal Zalewski (lcamtuf) answers this question and many others in his third book, Practical Doomsday: A User's Guide to the End of the World. Using familiar threat modeling principles, Michal explores everything from evacuation gear and bulletproof vests to the genuine probabilities of civil war and a zombie apocalypse. In what can only be described as an unbelievable coincidence, Jack and Dave's hour-long interview with Michal was recorded the same day Silicon Valley Bank collapsed and was taken into government receivership.

In spite of the understandably dire subject matter, Michal's equal sense of optimism and pragmatism steers us towards the middle path of rational risks and what a "normal" person should consider doing to be ready. It's not nearly as hard as you might think, and the peace of mind gained was well worth taking a hard look at the worst case scenario.

This interview is almost cleanly separated into two parts, as we focus on the opportunity and threat of artificial intelligence around the 32-minute mark, starting with Michal's approach to writing. The real threat of generative AI to drive truly deceptive attacks takes center stage as we explore how the ability to easily generate compelling documents, images, video, etc.
may make it nearly impossible to distinguish between reality and a scam.

No conversation on AI and threats seems able to avoid mention of the singularity threat; however, Michal stays true to form and narrows in on the much more likely "paperclip problem" of mundane AI optimizing humans out of existence. This was one of our favorite episodes in ages; we hope you enjoy it and learn as much from it as we did. We also hope you got your money out of SVB, just like Dave did the week after this was recorded. Stay safe.
Continuing from our dialogue with Tomás Maldonado, who has the unique job of securing the NFL, we have a conversation with Allen Ohanian, whose day job is to protect the Los Angeles Department of Child and Family Services (DCFS). LA DCFS is the largest agency of its type in the United States; its central focus is its 10,000 social workers who help defend some of the most vulnerable people in Southern California. Allen's role as CISO of the DCFS is to make sure that both the social workers, and all of the highly sensitive family data, stay safe and sound while they navigate some of the most complicated scenarios you can imagine. The army of people working in cybersecurity charged with this mission? 5 people strong. Welcome to the government.

When you're outnumbered 10,000 to 5, the name of the game is leverage. Allen explains how his team harnesses cloud services in order to amplify their impact, such as migrating from their own facilities to services such as AWS Call Center. Beyond the cloud, his primary approach is treating humans as the first and last line of defense, aiming to ensure they keep themselves and their data out of trouble. Allen's belief in this approach is deep enough to motivate him to pursue a PhD in psychology. He's also no stranger to traditional security controls, having clamped down on USB drives and restricted the iPhones that power social worker data collection in the field. Lastly, partnerships with law enforcement and the major cloud providers also allow their small cybersecurity team to extend their reach.

In this short interview, Allen describes the unique threat model of the DCFS and how ultimately it ends up with concerns that bear a strong resemblance to critical infrastructure, where availability is the top priority. Urgent, critical calls from children and families in crisis simply have to get through. Social workers must be kept safe. No exceptions.
We hope that this interview with Allen provides a much-needed window into the practical challenges of running cybersecurity for a large-scale government agency. Mission-driven CISOs like Allen work long hours against seemingly impossible odds for pay that's far less than their commercial counterparts'. We owe them a debt of gratitude and, where we can, a helping hand.
After 2 decades of trying to make SIEMs work, security data lakes are a hot topic as they present an increasingly attractive alternative. The only hotter topic is ChatGPT and the game-changing potential of AI. So in episode 52 of Security Voices, we mash the two together as Dave, Pathik Patel (Informatica), and Omer Singer (Snowflake) explore the many angles of security data lakes with an AI assist from ChatGPT.

From a functional definition to dishing on whether security data lakes signal the death of the SIEM, ChatGPT weighs in impressively early in the episode. Its later performance is much more suspect, seemingly gassing out under the pressure of harder (more poorly formed?) questions and likely a knee-buckling workload from millions of others testing the service simultaneously. The humans go on to discuss the real-time expectations for SIEMs vs. the "single source of truth" nature of security data lakes, which leads to an exploration of product "suites" vs. specialized services and the promise of the data lake to potentially unify them all.

The week prior to the recording saw the announcement of both the Open Cybersecurity Schema Framework (OCSF) standard and AWS' new Security Data Lake offering built on top of S3. We discuss the implications of AWS entering the space and what it means for already entrenched companies like Snowflake and Splunk. Pathik explains the significance of OCSF for security leaders and his projection of how important it will be for alleviating vendor lock-in and ultimately boosting our ability to provide strong security analytics.

The practical realities of building and running a security data lake are clearly described from Pathik's experience at Informatica, focusing on harmonizing and reporting on vulnerability data.
He makes plain the amount of work involved, and the clear benefits of piggybacking off the company's existing data lake.

The episode wraps with ChatGPT refusing to say anything further while Omer and Pathik take turns doing some end-of-year crystal ball gazing.
The winds of change are always blowing in cybersecurity, but there are moments when they reach gale force: when the landscape is reshaped dramatically by an event that hits us like a hurricane, changing how we feel about our jobs, our industry, and perhaps even shaking our resolve to continue on in the same career path. When Joe Sullivan, former head of security for Uber, was found guilty of concealing a breach in early October, the effect was immediate. No matter how you felt about Joe or the court case itself, the implications for security leaders, and especially those at public companies, were clear: you could now face criminal charges for mishandling a breach. Fines, jail and likely never being employed again in cybersecurity.

This episode of Security Voices is a roundtable format with Jack, Dave and 3 security leaders: Justin Dolly, Myke Lyons and Bob Fish. All have a broad range of experiences and together represent a combined 70+ years in cybersecurity. Our focus throughout the ~80-minute conversation is not dissecting the Joe Sullivan case, but discussing the implications for security leaders. Will CISOs insist on having their own outside counsel in the future? How much insurance is now the right amount and type for a security leader? Does this alter our approach to social media, knowing that everything we say could have very serious implications?

A clear picture of the unsettling impact of recent events emerges from the dialogue: the conviction of Joe Sullivan makes us feel less safe as security professionals. For an industry that is often accused of tribalism and secrecy, this event profoundly raises the stakes of how we communicate, threatening to drive important conversations even further into ephemeral messaging and private Slack rooms. In these quiet locations we can ask honest questions such as whether the modern CISO is simply being set up to fail given perennially undersized budgets, too-small teams and the now outsized consequences of data breaches.
In cybersecurity, we have teams focused on managing vulnerabilities. We have SOCs who spend their days obsessing over threats. App sec teams. Data privacy teams. In the typical, modern cybersecurity team, we have exactly zero people focused on helping humans defend themselves and the organization, in spite of a massive increase in scams and fraud that are squarely aimed at tricking people into making bad decisions. Are we really more at risk from a new foreign adversary or CVSS 9 vulnerability than we are from an executive or someone in Finance being deceived by a scammer? Enter Behavioral Engineering: a new-ish discipline introduced by forward-leaning cybersecurity teams that recognizes the pivotal role that humans and key behaviors play as part of our overall security posture. What do we mean by key behaviors? How we share sensitive information. What we do when we authenticate. How we react when we see something suspicious. And so on.

In this episode of Security Voices, Jack and Dave interview the Behavioral Engineering (BE) team of Robinhood, Masha Arbisman and Margaret Cunningham, as well as the CISO, industry veteran Caleb Sima. In this roughly 60-minute session we establish a clear definition for BE, explain how it works in the real world and how it contrasts with commonplace practices such as "name and shame" benchmarking of vulnerability remediation progress. We'll also clarify why security awareness training often sucks and how BE addresses historical security program deficiencies.

Before wrapping up with practical advice on how and why to get started with your own BE program, we learn why you should never say that humans are the weakest link. And why you probably should actually click on things. Lots of things. And just tell someone about it afterwards if it went funky.
Imagine you're walking past the sports book in Las Vegas. People are betting on baseball, horses, and the usual fare. Something catches your eye, you look more closely and you can't believe your eyes. People are betting on whether or not you're going to fail at doing your job this week!

While this may sound far-fetched, this exact scenario played out for Tomás Maldonado, the then freshly minted CISO of the National Football League, when the 2020 NFL Draft shifted to a virtual format unexpectedly due to the pandemic. Across Las Vegas, people were betting on the probability of a cybersecurity event disrupting the draft, the exact type of incident Tomás was hired to prevent. Our hour-long conversation with Tomás goes deep into the unique nature of "defending the shield" at the NFL, from concerns about drones at the games themselves to the elaborate planning that goes on before keystone events like the Super Bowl. He gives us a window into the extent of information sharing across sports leagues that all face a combination of physical and cyber threats unseen in most areas of the security industry.

Tomás explains how his pedigree at Goldman Sachs and 17 years in cybersecurity in financial services and beyond prepared him for his position at the NFL, where he's responsible for protecting all 32 teams, who are equally customers and partners to his team. Beyond his current work, Tomás and Dave discuss not only what makes a great career but how to leave a legacy that outlives your time in the field, so that your fingerprints remain long after you've hung up your cleats.
First, a confession: this is the last episode we would have envisioned when we started Security Voices. Compliance was as mundane as it is mandatory; where's the fun in that? Where's the untold, fascinating story of the person who summited the tallest mountain? Rose from ashes to improbable success? In the short years that have passed since we started in early 2019, the world has changed dramatically. And so has compliance. From driving cyberinsurance premiums to becoming the security baseline for even startups to achieve in their early days, compliance is now an undeniable juggernaut. While SOC2 defines the scope of many companies' security gameplans, GDPR and its kin drive how we respond to breaches, whereas industry-specific mandates influence what data we have, how we defend it and even where we store it. In this episode, Jack and Dave welcome both Abby Kearns and Shrav Mehta to demystify exactly what's happening in the world of compliance from 2 unique perspectives. Abby speaks from her work on software assurance as CTO at Puppet (and beyond), whereas Shrav's angle is that of a compliance startup CEO. Plainly stated: code on one side, standards and certifications on the other. Both increasingly important and horribly complex.

This four-person dialogue traces the roots of compliance back to the early days of security and the inception of PCI DSS, one of the first widely impactful compliance initiatives to hit the industry. We chart the course of compliance to today and unpack where it has had meaningful impact… and where it is mere box-checking theater we could do without. In a similar fashion, we examine the path to software compliance today and the inevitability of automation given the dramatic changes in release speed and frequency.
Abby provides a sober take on where we are today, including a dialogue on what it means for response to threats such as Log4shell.

If you're a longtime listener, this episode connects back to so many of our past interviews, from Carey Nachenberg (supply chain security) to Andy Ellis (compliance perspective) and Nand Mulchandani, who recently became CTO of the CIA. We hope you appreciate the references if you've already heard those episodes, and if you haven't, consider giving them a listen, as they're some of our favorites and pass the test of time with flying colors.
For the second episode in a row, we've caught a seasoned entrepreneur at that perfect moment when they've started a new company but still have time for a conversation before their new adventure kicks into high gear. Oliver Friedrichs, founder of several security companies including Immunenet and Phantom, joins us to talk product strategy as he embarks on a new journey to disrupt the security industry once again with his new venture Pangea.The most critical, first question for any young company is “what are we making”? And equally important is the follow-on question of what category does the offering fit into or how should people think about it? Is it a better version of something that exists? A new type of something that's meaningfully different? Or is it an entirely new category of product they've never seen before?Oliver and Dave discuss examples of each type of strategy from their own experience and the industry in general. The “better mousetrap” approach is covered with examples from antivirus and more recently cloud security posture management. We discuss when it is a good time to “next gen” a category to revitalize it and return it to growth. Examples here include Palo Alto Networks firewall and Vulnerability Management (from its early days as vulnerability assessment). Oliver and Dave call out the fatal mistake so many market incumbents make that result in them missing out on a refresh cycle.Creating new categories dominates our conversation and we explore Oliver's case study of Phantom in depth. We start by explaining the core principles of a new category and lay bare some indicators that a product group hasn't yet made the leap to a full blown category. Oliver then shares the spark of idea that led him to found Phantom as the first SOAR followed by how he built the boundaries for their product and ultimately the companies that followed their lead as the first mover. 
While most of our time is spent discussing what worked and what didn't from a product perspective, Oliver also shares his go-to-market playbook, including what he will avoid this time around and what he intends to do again with Pangea.
We wrap up with a quick look at the future of SOAR, and Oliver shares an early peek at what he's building now at his new company. This episode is perfect for early cybersecurity companies looking for product advice, product professionals wrestling with category questions, or anyone who wants to listen in on a dialogue between two industry veterans geeking out on product.
Bio
Friedrichs serves as Founder and CEO of Pangea. Prior to Pangea, Friedrichs served as Vice President, Security Products at Splunk, driving the vision and direction of Splunk's security portfolio. With a record of building four successful enterprise security companies over the past two decades, Friedrichs founded and served as CEO of Phantom (creators of the SOAR category, acquired by Splunk), was founder and CEO of Immunet (early innovators in the cloud EDR category, acquired by Sourcefire/Cisco), co-founder of SecurityFocus (creators of Bugtraq and DeepSight, the world's first Internet early warning system, acquired by Symantec), and co-founder of Secure Networks (one of the industry's first vulnerability management solutions, acquired by McAfee). Friedrichs also architected and developed a prototype of the first commercial penetration-testing product, SNIPER, acquired by Core Security Technologies in 2001 and further developed into CORE IMPACT. He attended the University of Manitoba and is the co-author of three security books and a recipient of 33 patents.
Waiting 2+ years to interview Alfred Huger wasn't too long. After spending 8 years at Cisco following the acquisition of Sourcefire, Al recently departed the networking giant to do his 4th startup in as many decades. Unbound from the usual PR police, Al candidly speaks on a wide range of topics, from why he has stayed at companies long past acquisition to how to distinguish between a miserable and a winning acquirer. Having raised venture capital funding from the 90s until now, Al's experience charts a timeline of what's happened to cybersecurity funding over the last 4 decades. From hardscrabble early days to today's megarounds and eye-popping valuations, Alfred explains how he's raising funding for his new company and why even a successful entrepreneur is not likely to bootstrap their business on their own funds alone.
Al shares his playbook for spotting the right product ideas, along with some blunt words of caution for those excited about the latest industry analyst report. While cybersecurity veterans critiquing reviews and analysts is by no means novel, we go beyond an explanation of the negative implications to a new development from an unexpected place that is improving transparency and the industry in general. And that marketing plan? Al explains how it starts with your product and not your website.
If you've ever thought about starting a cybersecurity company and wanted to sit down with a “been there, done that” serial entrepreneur for a clear-headed, no-nonsense dialogue, this episode is for you.
There are few people, if any, who have given more of themselves to the cybersecurity community than Lesley Carhart. Our conversation with Lesley came immediately after the 3rd annual PancakesCon, a free conference she conceived with a unique “20 on, 20 off” format that celebrates who we are outside of work as much as what we accomplish as security professionals. In the fashion of a person who is both an incident response expert and a community organizer, the conference was pulled together in a frantic 11 days after Omicron wreaked havoc on winter conference schedules and Lesley saw a gap that needed to be filled.
Having joined the Air Force Reserve just before 9/11 with the intent to become an airplane mechanic, Lesley's career has been spent balancing military service with “the usual” pressures of working in cybersecurity. She explains how she juggled her civilian and military lives for 20 years up until her recent retirement as an Air Force Master Sergeant. Lesley recaps her 2 decades of service while laying out the good, the bad and the misconceptions for any who would follow in her footsteps.
Alongside her cybersecurity day job and military service, Lesley also actively practices and teaches martial arts to children. We explore what motivates her passion for serving those around her, focusing on her early difficulties breaking into the cybersecurity industry in spite of having had her first programming job at the age of 15. Lesley, Jack and Dave conclude with a hopeful dialogue on what more we have to do to create a truly diverse and supportive cybersecurity community, and how it might be the key to finally resolving the current staffing and burnout crisis.
Bio
Lesley Carhart is a Principal Industrial Incident Responder at the industrial cybersecurity company Dragos, Inc. She has spent more than a decade of her 20+ year IT career specializing in information security, with a heavy focus on response to nation-state adversary attacks.
She is recognized as a subject matter expert in the field of cybersecurity incident response and digital forensics. Prior to joining Dragos, she was the incident response team lead at Motorola Solutions. Her focus at Dragos is developing forensics and incident response tools and processes for uncharted areas of industrial systems. She is also a certified instructor and curriculum developer for the Dragos “Assessing, Hunting, and Monitoring Industrial Control System Networks” course.
She has received recognition such as DEF CON Hacker of the Year, a “Top Woman in Cybersecurity” from CyberScoop, “Power Player” from SC Magazine, and is a 2021 SANS Difference Makers award nominee.
In her free time, Lesley co-organizes résumé and interview clinics at several cybersecurity conferences, blogs and tweets prolifically about infosec, has served for 20 years in the USAF Reserve, and is a youth martial arts instructor.
Your fledgling startup has just been sued by one of the most powerful companies in the world. How do you defend yourself? And keep your company afloat?
This was the challenge faced by Amanda Gorton, CEO of Corellium, a company whose virtualization platform enables efficient mobile security research and quality testing across a massive variety of devices. Sued by Apple for both copyright infringement and violation of the Digital Millennium Copyright Act (DMCA), Amanda was thrust into an exhausting balancing act of defending and running her young business at the same time. In this episode of Security Voices, she shares the details of how she survived and successfully defended her company.
Dave and Amanda go beyond the lawsuit and into the tricky territory of companies like Corellium that provide a service whose sales process must be governed by a clear sense of ethics to avoid it falling into the wrong hands. She shares the real-world challenges of developing and applying such a policy in a company, and while it may be uncomfortable to trust a small company with such a weighty responsibility, they just might be the very best option we have.
We explore the complicated nature of the DMCA in a world that has changed dramatically since its anti-Napster-driven inception back in the late 90s. From the NSA's release of Ghidra to Web3, we muse on the future of the DMCA, whose relevance feels to be slipping into the history books.
Bio
Amanda Gorton is co-founder and CEO of Corellium, which provides an Arm-native cloud platform that virtualizes mobile and IoT devices across iOS, Android, and Linux. Corellium enables never-before-possible security research, development, and quality testing of apps, firmware, and hardware on Arm. Previously, Gorton co-founded and was the CEO of security startup Virtual, which was acquired by Citrix in 2014. She earned a degree in classics from Yale University.
What if there was someone who could take all of the best security research over recent months and distill it down into the greatest hits? Sort of like a Spotify “Release Radar”, but for the best talks at conferences. There is. It's not in Blinkist. It's (back) at ThinkstScapes after a multiyear hiatus. And it's now gloriously free.
This episode of Security Voices covers the return of ThinkstScapes with Jacob Torrey, who led the reboot of the now quarterly report. In the interview with Jack and Dave, Jacob explains how he and the team at Thinkst devour and summarize the very best security research from thousands of presentations and hundreds of conferences across the globe.
Jacob starts with some of his favorites, beginning with an innovative research project not from a startup or researcher but from a multi-decade antivirus company that went all in on an industrial control system honeypot project. From there we cover ground that ranges from speculative execution vulnerabilities to a spate of embedded vulnerabilities, including a Hollywood-style attack using laser pointers to compromise voice-activated devices such as Amazon's Alexa. In continuity with our last episode with Frank Pound, we also discuss a TCP timing attack that threatens to allow eavesdropping over satellite base station connections.
Look for our next episodes to resume their normal, monthly cadence, as we've found a means of streamlining our audio production and we now have a recording waiting in the wings. Enjoy the show!
Hundreds of inexpensive satellites are now regularly launched into space through SpaceX's Smallsat Rideshare program. Some are sophisticated and commercial, others are DIY and experimental. They share space with the now over 3,000 other artificial satellites orbiting the Earth. What could possibly go wrong?
Frank Pound joins Jack and Dave for a conversation to answer the question of just how hackproof satellites really are and why it matters, starting with the Hack-a-Sat competition. Hack-a-Sat is an intensive capture-the-flag-style competition, currently in its second year, where teams square off against one another to break into and defend satellite tech. Along the way, we learn that doing so requires encounters with strange software, hardware and not a small amount of hard math.
The best-known, most visible satellite hack dates back to the 1980s and involves a broadcast takeover around Thanksgiving by a man wearing a Max Headroom mask, which ended in a spanking but no real harm done. Jack and Dave explore the attack surface of satellites with Frank to find out where the next attack is likely to be when it happens. Along the way, we discover the Hubble Telescope's terrible secret: ancient JavaScript in its belly that's likely kept on life support by some unfortunate government contractor. Throughout the hour-long conversation with Frank, one gets the impression that we're still in the early days of satellite hacking. However, the breakneck pace of satellites being launched and their considerable potential vulnerability to cyber attacks point in the direction of a lot more than simply Max Headroom interruptions and GPS whoopsies in the future.
A clear pattern is emerging of security leaders also being anointed with responsibility for privacy. Some of the origins of this movement can no doubt be found in regulations like GDPR, which blend requirements for both security and privacy in mandates for data breach response. While this may seem like a logical pairing for lawmakers, it can be anything but a happy marriage inside an organization, as the two not only compete for resources but also have divergent needs in areas such as data retention.
Whitney Merrill, founder of the DEF CON Crypto and Privacy Village and current Privacy Counsel at Asana, joins Jack and Dave to untangle the complicated relationship between privacy and security. From shared ground in areas such as longstanding shortages in staffing to profound differences elsewhere, security and privacy are just similar enough to allow those who combine them thoughtlessly to make a mess of them both. Case in point: Whitney explains that privacy is often not a risk exercise at all, but instead a legal matter. We conclude with Whitney's clear, practical advice for CISOs who find themselves responsible for privacy for the first time, to keep their head above water and a healthy distance from regulators.
Our dialogue with Whitney also serves as a catch-up session for anyone who wants to go past current headlines, from the latest on Clubhouse, Facebook and Grindr to mobile deanonymization and the unsavory business of data brokers. She explains just how hard it is to actually get an organization to properly respond to a data inquiry, but why she does it, and how the visibility she provided on the struggle may have prompted the California Attorney General to recently take action against a very visible repeat offender.
We've conditioned ourselves to look at our technology in a similar way we look at a box of tools: as instruments that passively do what we make them do. When we think of the future of artificial intelligence, it's tempting to leap to fully autonomous solutions一 when exactly will that Tesla finally drive by itself? In our interview with Jamie Winterton, we explore a future where AI is neither a passive tool or a self-contained machine but rather an active partner.Human/machine teaming, an approach where AI works alongside a person as an integrated pair, has been advocated by the U.S. Department of Defense for several years now and is the focus of Jamie's recent work at Arizona State University where she is Director of Strategy for ASU's Global Security Initiative and chairs the DARPA Working Group. From testing A.I. assisted search and rescue scenarios in Minecraft to real war time settings, Jamie takes us through the opportunity and the issues that arise when we make technology our sidekick instead of solely our instruments.The central challenges of human/machine teaming? They're awfully familiar. The same thorny matters of trust and communication that plague human interactions are still front and center. If we can't understand how A.I. arrived at a recommendation, will we trust its advice? If it makes a mistake, are we willing to forgive it? And how about all those non-verbal cues that are so central to human communication and vary person to person? Jamie recounts stories of sophisticated “nerd stuff” being disregarded by people in favor of simplistic solutions they could more easily understand (e.g., Google Earth).The future of human/machine teaming may be less about us slowly learning to trust and giving over more control to our robot partners and more about A.I. learning the soft skills that so frequently make our other interpersonal relationships work harmoniously. But what if the bad guys send their fully autonomous weapons against us in the future? 
Will we be too slow to survive with an integrated approach? Jamie explains the prevailing thinking on the topic of speed and autonomy vs. an arguably slower but more optimal teaming approach, and what it might mean for the battlefields of the future.
Note: Our conversation on human/machine teaming follows an introductory chat about data breaches, responsible disclosure and how future breaches that involve biometric data theft may require surgeries as part of the remediation. If you want to jump straight to the human/machine teaming conversation, it picks up around the 18 minute mark.
Communications professionals are often quiet coaches. They work their magic behind the scenes. They hold their opinions tightly and express them infrequently. In short, their influence is everywhere but their fingerprints are often invisible.
Melanie Ensign is having none of that. And we're all the better for it. In this 64 minute interview, you'll have the pleasure of meeting one of the most influential and outspoken communications executives in the world of cybersecurity and privacy. We begin with her role as press department lead for DEF CON, a role she's held for 8 years and explains is the exact inverse of what you think it is.
In our next topic, Melanie breaks out the verbal chainsaw and applies it with vigor to the voice-based social network Clubhouse. From privacy mistakes to seeming indifference to community feedback on the topic, she explains in detail why she recommends her clients (and anyone else) avoid Clubhouse until they clean up their act.
The remainder of the conversation is a mini master class on how to succeed in communications, for everyone from startups to new CISOs. Melanie dissects press releases and what to do instead of hitting Business Wire every Tuesday if you're a young company. Young or old company, she shares why using fear, uncertainty and doubt (FUD) to persuade people ultimately fails and how we can move past it as an industry.
Much of Melanie's work at her company Discernible is with CISOs and their teams on their internal communications. Influenced by her time working at Uber and Facebook, Melanie offers a game plan for moving from reactive to proactive communications. Her advice is not for the weak-willed: she refuses to clean up anyone's mess and doesn't think you should either.
This has quickly become one of our favorite episodes, and there's truly something for everyone in the dialogue, except for those who dislike a little profanity to season their conversations. Note the explicit tag and enjoy the ride.
We've met and passed the 1 year anniversary of the COVID-19 pandemic, and cases of burnout are off the charts. We're tired of Zoom. We're tired of masks. Far too many kids are stuck at home instead of at school. The list could go on, but the result is obvious: we're burned out. The effect can be all the more profound for beleaguered security professionals who often struggle with burnout even at the best of times.
Jack and Dave return in this mini-episode for a quick conversation about how to identify and respond when you're feeling like you're burnt. While often it's Dave and a guest doing most of the talking, in this episode Jack is driving. He shares from his deep experience on the topic, starting with an explanation of the Maslach Burnout Inventory, which provides a structured, clear guide for determining just how crispy you are. The inventory is tailored for different professions, and while there is not one specific to cybersecurity, Jack and Dave explore specific aspects of our industry that up the stakes for burnout.
Importantly, Jack explains why getting help from a pro rather than leaning on friends and family can be essential. We wrap up with some time-honored approaches to restoring yourself so that you're ready to jump back into the action once again.
Note: For this short episode we tested a new production service, and you'll also note we updated the website and our branding as well. And transcripts! We now have 100% more (raw) transcripts than before. We'll be unleashing all this magic soon on a new full-length podcast we recorded this past week with the one and only Melanie Ensign.
This episode of Security Voices is different. Let's say you sat down at the end of a long day and had a casual drink with a few industry friends before dinner. The conversation quickly turns to serious topics, which are all discussed with thoughtful insight, biting humor and some well-placed profanity. Welcome to the latest episode of Security Voices, where Jack & Dave wander off the beaten path with Abhishek Agrawal and Ryan Noon, co-founders of email protection company Material Security. This one isn't for the easily offended, or as the soundtrack to a drive with the kiddos.
“How not to suck as a vendor” is our introductory question, prompting an earnest conversation that starts with “don't be an active cancer”, covers The Market for Silver Bullets and ultimately explains why the pandemic has made already questionable cybersecurity marketing even worse.
After exploring some of our top influences, from The Autobiography of Malcolm X and The Origin of Consciousness to Joe Frank's avant-garde radio show, The Other Side, we talk email security. In a year that changed so many things, Abhishek and Ryan explain how truly little changed for phishing attacks. While the trend is not compelling, the reason why is. They walk us through what truly makes phishing attacks successful: distracted people reacting to well-timed messages. This hard truth confounds the market for anti-phishing training, as ultimately our susceptibility has much more to do with our emotional state at the time than it does with our factual knowledge or even our learned behavior.
If you've wondered what the difference between phishing and business email compromise (BEC) is, this episode is for you. Abhishek provides a clear explanation of both topics before we forecast an ominous new threat on the horizon: Really Scary Phishing™.
Our wrap-up eschews the usual speed round and instead asks “What can cybersecurity learn from other industries?” Jack lays out how the service industry has much to teach us about taking care of our own, while Dave explains what he learned about empathy and innovation from the advertising industry. We depart on a hopeful note, as Ryan relays a story reminding us how small acts of kindness can have a large impact on others.
We'll be taking a short break before the next episode as Jack and Dave attend to some important “life stuff”. See you in the spring!
In our 1st episode of '21, we cap off our cloud security series with a recap of the major milestones, key trends and surprises across 2020 through the eyes of cloud expert and podcaster Justin Brodley. If you think you might have missed a few things that happened in the public cloud last year while waiting for news on COVID-19 vaccines, hitting refresh on election results or wondering when the four horsemen were finally going to show up, this episode is your chance to catch up and look ahead through the lens of both a practitioner and a pundit.
Recorded during AWS re:Invent, we examine the cloud service provider conferences across the year to find a clear absence of security topics making their way to center stage. While there were some notable developments, such as services providing easier cloud traffic analysis, much of the attention was elsewhere. Multi-cloud, in particular, leapt to the forefront even for Amazon, who had been reluctantly dragging their feet.
Our comparison of the different cloud service provider (CSP) conferences gives way to Justin's take on key differences in their security strategies. From Google's cloud-native approach to Microsoft's gambit to compete with stand-alone security offerings, seemingly inspired by their experience on-premises, we break down the CSPs' strengths and weaknesses in cybersecurity.
We chart the big moments of 2020 in the cloud, starting with outages that began with pandemic-strained capacity at Azure and running to the longest AWS outage witnessed in years, around Thanksgiving. While security news didn't penetrate the headlines in many instances, Justin mentions some noticeable developments and what we hoped to see, but didn't. Justin shares his top advice for anyone moving to the cloud to shore up their defenses. Given the vast amount of phishing, social engineering and misconfiguration issues in the cloud, it turns out that this has a lot more to do with improving our humans than it does our technology.
Nonetheless, the threat landscape meaningfully advanced with more complex, serious attacks in 2020, which moved well beyond “S3 bucket negligence”, as perhaps best exemplified by the sophisticated Capital One breach.
In the waning moments of our 6 episode cloud series, we look to the trends that will define 2021 and end with a hopeful signal that us security types just might be starting to get the hang of this cloud thing.
About Justin
Justin Brodley is an IT Executive with 20+ years in SaaS, Cloud, and IT operations, most recently as VP of Cloud Operations at ICE Mortgage Technology (formerly Ellie Mae). He has helped companies transform their SaaS business, adopt cloud-native practices, and drive the cultural change of DevOps and DevSecOps. He is also one of the hosts of https://www.thecloudpod.net, a weekly cloud news show covering AWS, GCP, Azure, DevOps, and more.
Investors make their money seeing things others don't, making big bets based on both digging into painstaking detail and their ability to forecast what will happen many years into the future. In this 5th and (almost!) final episode of our series on public cloud security, we get deep into the mind of Bucky Moore from Kleiner Perkins to learn how the flow of funding is both responding to and shaping our industry's transformation from protecting our own data centers to renting them from others.
Bucky begins by laying down our mile marker in the global cloud journey, answering the eternal question of “Are we there yet?” with a clear answer of “Not even close.” We follow these remarks with a walk through the different corners of the cybersecurity industry to see how they're keeping pace. While many fail to impress, one of the legacy behemoths stands out from the pack as having impressively galvanized their business to meet the cloud challenge.
Setting companies aside, Bucky, Jack & Dave identify which technologies are the likely casualties of a long-term cloud transition, followed by a look at the obvious new areas to invest. Bucky describes a few more obscure tech opportunities he and Kleiner Perkins are watching that may produce a surprise hit in the future.
We explore the eye-popping amount of money raised by managed security services companies in 2020, such as Arctic Wolf, Deep Watch & Pondurance, and how they differ from the not-so-glamorous past of the MSSP market. Our discussion explains the hidden forces driving the new managed services opportunity and how we think it will play out over the years ahead.
If you're looking to understand the insanely high valuations of companies like Snowflake and CrowdStrike (or wondering what a SPAC is), Bucky weighs in on these topics as well, and we also dive into the surprise investing frenzy of 2020. Spoiler alert: it has a lot to do with both money and investors having no better places to go.
As longstanding cybersecurity companies lumber their way into the public cloud and "born in the cloud" startups fight for attention, cloud observability titan Datadog entered the security market in 2020 with two new products. This is far from the first time a company has used an adjacent market to make the cybersecurity leap. Oftentimes it fails, but Splunk immediately comes to mind as a crossover success. Jack and Dave interview Datadog's Marc Tremsal in this episode to provide a view into what cybersecurity looks like from the lens of a company steeped in the world of cloud infrastructure.
Datadog did not break down the doors of the industry, but rather was invited to enter by their customers, whose needs were not being met by cybersecurity companies. Marc explains the mistakes that incumbents have made that have left a considerable opening for others; they have very little to do with technology and a lot to do with marketing and sales. From selling to CISOs rather than the people doing the work, to overheated marketing claims, cybersecurity companies have alienated would-be cloud customers who openly wonder why they can't buy protection the same way they purchase the rest of their infrastructure.
Marc talks through the challenges of staffing a cloud security product team: how much do you value deep domain expertise? Do you shrug it off and simply hire the best developers? We explain how the hottest talent on the market will be cybersecurity veterans who take the time to retool for the public cloud, as they will hit the “Goldilocks” spot for a growing throng of potential employers.
We wrap up a surprisingly optimistic conversation with a glance ahead to 2021, where Marc reckons consolidation of providers will be a key trend, alongside a hard look at just how immutable some of our infrastructure truly is.
Our conversation with Rich Mogull was intended to provide an analyst viewpoint on public cloud security. While Rich certainly delivered on this promise, the episode turned into something more important: therapy. If you find yourself wondering if you're burnt out from cybersecurity and life in general, this is for you. Our conversation with Rich starts with the work he does in disaster response, focusing on his recent time responding to the COVID-19 pandemic as a paramedic. He explains how key concepts of anti-fragility from responder culture such as “trench foot” and “changing your socks” also apply to the rough and tumble world of cybersecurity, especially in assessing yourself for burnout.
If you find yourself drowning in work and straining to catch up to the rest of the organization's push to the public cloud, this is for you. We discuss how this happens quite naturally in most places, resulting in a dysfunctional norm of security teams inadvertently being left behind but still responsible for protecting the public cloud. Rich lays out a recipe for getting back on track, starting with making sure it simply isn't time to throw in the towel and find a better gig.
If multi-cloud seems impossible to defend with the skills and resources you have, you're probably right. Rich takes us through the mind-boggling complexity of what it takes to stay on top of a single public cloud environment, let alone several. He doesn't mince words in his unflattering assessment of the challenges with all 3 major cloud service providers: Amazon, Google & Microsoft.
We wrap up with a hopeful look at what lies ahead for protecting the public cloud. Rich and Dave share examples of how long-standing problems such as re-architecting are now solvable, and how operational challenges can truly be simplified when mantras like “shift left” move from buzzword bingo to new reality.
In our 1st episode of this series, Teri provided an expert's broad view of what's happening with security in the public cloud. In this episode, Yelp's Zach Musgrave does the opposite: we go into the trenches to understand what it takes to protect a fully cloud-native business on a daily basis.
While Yelp was born in '04, 2 years before Amazon launched its first AWS service, it started its cloud-native journey in 2013. Their early transition makes the company one of the longest-tenured organizations to have defended a cloud-native business at scale. Zach shares the fundamentals of how they work, from security team org structure and success measurement to key relationships across the company. We dig into the 2 different but critical aspects of security: 1) protecting the infrastructure (people & systems) and 2) policing the Yelp ecosystem itself (defending business operations).
Zach explains how DevSecOps at Yelp was adopted not out of buzzword compliance but plain necessity: the need to safeguard 500+ microservices in production simply breaks a traditional security model. We explore some of the misconceptions about DevSecOps and the amount of care and feeding it takes to make it successful. We also cover Yelp's tooling, which centers on generous amounts of open source and their own projects, including their current work on the Enhanced Berkeley Packet Filter (eBPF).
We wrap up with some strong feelings about multi-cloud and readiness for the zombie apocalypse (they're related, trust us), alongside forecasting the future for security tech as the cloud-native tsunami rolls on. Spoiler: there's no reprieve for old school network security.
Initially led by software as a service (SaaS), the transition to the public cloud is one of the most important changes we've witnessed in information technology to date. From the early days of SaaS to the current stage, where adoption of infrastructure, platform and function as a service (IaaS, PaaS, FaaS) is catching on like wildfire, there's an increasing awareness that at the end state of this shift, few aspects of how we do our jobs will be unchanged. This Security Voices episode is the first of five where we dig into the details of how the public cloud is transforming cybersecurity.
Teri Radichel joins us to explain key concepts in public cloud technology, the differences from on-premises, migration options and more. If you've ever wondered what is meant by “lift and shift” or “cloud native”, this is for you. Teri's background as a trainer, author and researcher shines through as she describes broad concepts in easily understood terms, yet doesn't spare the details for those who are already cloud savvy.
Beyond the core concepts, Teri compares and contrasts the security models across Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). As she walks us through the differences between the three platforms, you get a sense of the complexity faced by those straddling an on-premises environment as well as the public cloud, not to mention several clouds at once. From networking to identity and access management models, no cloud service provider is quite like the other. Moreover, the fierce competition between Google, Microsoft and Amazon is driving such rapid changes in their platforms that any grip you have on exactly how things are is a slippery one at best.
In spite of the challenges, Teri explains her belief that one can achieve better security in the cloud than on-premises. Doing so requires thinking differently, however, such as Teri's advice to handle data as we would handle money.
We hope this episode lays the groundwork for you for understanding the current state of public cloud security as in the next show we dive into the trenches with a cloud security practitioner at Yelp.
If you’ve been laid off, furloughed or are just plain tired of everything, this episode is for you. Kathleen Smith, the longstanding cyber career expert at B-Sides (and beyond), joins us for a dialogue on what’s happening in the security job landscape. Lost your job? Kathleen explains a tried and true process for recovery, reflection and finding your next gig. Not to mention a few surprising options for those who aren’t afraid of a little adventure, such as the military reserves or a job in one of the often overlooked national laboratories.

In a rare moment of good news this year, Kathleen explains how COVID-19 has driven an increase in cyber security jobs in both the government and commercial sectors in response to a recent increase in threat activity. If you’re willing to put in the extra effort (and put down your cannabis), she also describes what it takes to score a government clearance and gain access to an entirely new pool of opportunities.

Once a coveted perk, remote work has blown the job market wide open for all. Roles once restricted to those within a certain location are now broadly accessible. However, working far away from your colleagues in your house has serious implications for your social relationships, energy and health that many are only beginning to understand. Kathleen breaks down how to recreate boundaries between one’s personal and professional life, a skill she learned the hard way during her time in non-profits such as the American Red Cross and World Wildlife Fund.

Before wrapping up, Kathleen talks directly to leaders about how she has adapted her style in 2020 to meet the extraordinary challenge while avoiding burnout. We hope our hour-plus conversation with Kathleen is a welcome break from whatever you’re facing right now, providing you with help in your current job or a fresh perspective on what to do next.
Discussing cryptography is usually a surefire way to end a dinner conversation. It combines two things that intimidate (and bore) many people: hard tech and complex math. In spite of this, cryptography is on center stage today as it is the very foundation of defending our privacy and perhaps unlocking how we can safely share health information in the midst of the pandemic. There are few people who both understand and can explain cryptography in plain English better than Dr. Zulfikar Ramzan, CTO of RSA.

Our hour-long conversation with Zully tackles how concepts such as zero knowledge proofs and multiparty computation might be applied during the current COVID-19 pandemic. Historically, sharing healthcare information has been an “all or nothing” affair, with difficult privacy trade-offs being made in the name of ensuring we receive the right care at the right time. Zully takes us through how long-standing encryption concepts, now made practical by advances in computing, may allow us to selectively share vital health information such as vaccination records or test results without sacrificing our personal privacy.

Zully also explains how cryptographers are preparing for a world where quantum computers can make short work of our current encryption practices. He draws perspective from the mid-90s when the Advanced Encryption Standard (AES) was being developed and explains the road ahead for promising lattice-based methods that could form the basis of a new, post-quantum AES replacement.

Beyond cryptography, we discuss Zully’s role as CTO at one of the most iconic brands in security. He takes us through “a day in the life” and explains his responsibilities beyond being the company’s spokesperson. Perhaps more importantly, Zully explains how he balances all of this with his family, where making crispy cauliflower takes priority over factoring prime numbers.
The average tenure of a CISO is 26 months due to high stress and burnout, according to a recent survey. In stark contrast, Andy Ellis has now been CSO at industry titan Akamai for over 20 years. Jack & Dave explore Andy’s longevity formula in a 70 minute interview that spans everything from his advice to young security leaders to the death of live events and why it’s perfectly fine if your favorite wine is a $16 malbec.

While most of our episodes gradually ease into a more focused conversation, our discussion with Andy jumps straight into the subject of applied human cognition, a common theme of his presentations and writing. He explains how his understanding of human thought patterns and biases directly influences his approach to conducting risk assessments and dealing with especially thorny conflicts. Far from theoretical, Andy breaks down exactly how he and his team enable Akamai to self-assess and internalize risk in a fashion that expedites projects where the security team might otherwise be a bottleneck.

From his vantage point at Akamai surveying a sizable amount of the Internet’s traffic, Andy shares their insights from both observing and responding to the pandemic, starting with their move to a Zero Trust model. Some aspects of COVID-19, such as customers struggling to pay bills and how to best help them, are similar to past crises. Others are utterly unique. Jack and Andy explain the crisis’s likely permanent impact on live events (e.g., industry conferences) and what they may evolve into in the future.

We also discuss the fine line Andy, Jack and Dave walk in the cybersecurity community of being both a vendor and a practitioner. How does one remain objective when you also represent a company that has to sell products or services to exist? How can one neutralize the perceived bias or even the stronger allergic reaction that some have against vendors? While there’s no surefire solution to such a complex matter, each of us shares our tips and learnings as we (and the industry as a whole) aim to strike the right balance.

We wrap up with Andy taking us through how to pick a good bottle of wine. In the same manner as he tackles complicated cybersecurity issues, Andy breaks it down into simple steps that he illustrates with his own colorful experience.
The misinformation spread during the COVID-19 pandemic has made what happened with the 2016 U.S. elections look like the “good old days.” Epidemiologists are on center stage trying to explain complex topics to billions of people concerned for their lives, and sometimes politicians are aiming to do the same. The multiplier effect is how hopelessly entangled challenging technical issues like end to end encryption and contact tracing via Bluetooth on mobile phones are now also being publicly debated.

The most natural reaction? Confusion. Kenn White is here to help.

During our 60 minute conversation with Kenn, Jack and Dave go past the headlines trumpeting Zoom’s security issues in an attempt to lay bare the real issues with their recent missteps. Their initially misleading claims around end to end (E2E) encryption are our primary focus, but before diving deep into Zoom, Kenn explains exactly how hard it is to make it work by describing his 2 year journey to deliver E2E encryption at MongoDB. We pull apart the remaining concerns and Zoom’s impressive response to provide our take on just how worried you should be, from Johnson Elementary School to the defense industrial base.

Kenn has a unique perspective on the idea of using contact tracing via Bluetooth to identify who infected people have been in proximity to in order to slow the spread of a disease. Having spent 10+ years supporting clinical trials, he explains why using our mobile phones to do contact tracing during the COVID-19 pandemic is unlikely to be successful in the near future. We hope this conversation with Kenn brings you clarity and calm at a time when both are in short supply.

Note: We spend the first ~15 minutes talking about coping strategies during the pandemic. If you’d like to jump straight to the content focused on E2E encryption, it begins right around the 15 minute mark.

About Kenn

Kenneth White is a security engineer whose work focuses on networks and global systems. He is co-founder and Director of the Open Crypto Audit Project and led formal security reviews on TrueCrypt and OpenSSL. He currently leads applied encryption engineering in MongoDB's global product group. He has directed R&D and security Ops in organizations ranging from startups to nonprofits to defense agencies to the Fortune 50. His work on applied signal analysis has been published in the Proceedings of the National Academy of Sciences. His work on network security and forensics has been cited by the Wall Street Journal, Reuters, Wired, and the BBC. He tweets about security, privacy, cryptography, and biscuits: @kennwhite.
In the midst of the COVID-19 pandemic, it’s easy for thoughts to stray to the apocalypse. Nowhere is this tendency more common than when we talk about robots. Decades of books, movies and television have explored the topic of “when robots attack” and the calamity that follows. Today, domestic robots struggle to make it up the stairs and Siri can’t reliably order take-out… or even take notes. It all feels very far-fetched. And it is. However, if we move past the science fiction and look more closely at developments between humans and robots, we can begin to see some startling developments.

This is the domain of Straithe, a pioneering researcher who studies how interactions between humans and robots can be abused and manipulated. We know very well how email, phone calls and websites can be used as part of elaborate social engineering schemes; what happens when the attacker’s tool looks like a person and can physically interact with us? While domestic robots like The Jetsons’ Rosie are not wheeling around our houses today, we are being implicitly trained to interact with digital assistants such as Amazon’s Alexa, Apple’s Siri and many others. While the privacy implications of having such assistants always listening are much discussed, we’re only beginning to understand how matters change when they take physical form such as Knightscope’s K5 or Softbank’s Pepper the Robot. Straithe explains how these robots not only create serious privacy concerns through passive collection and instant transmission of everything from license plates to MAC addresses, but also how people are likely to respond to them if they are used with ill intent. She explains early research that indicates robots are effective at getting people to do things on their behalf. When you combine these factors with a spotty record of robot security vulnerabilities, the potential for genuine harm through robots goes from far-fetched to near future.

Our ~60 minute conversation with Straithe is hopefully a break from whatever you’re dealing with during the current crisis. We hope you find this glimpse into a fascinating corner of cyber security research a diversion from whatever you’re dealing with presently and useful framing for what lies ahead.
In this episode we step far beyond the hype cycle and dive into the details of scaling a data science team in the security industry with Dr. Sven Krasser. Sven joined CrowdStrike in the early days, and the initial part of the conversation with Dave is an incredibly timely discussion of how to structure and work with remote teams effectively. The interview was recorded a week before the 2020 RSA Conference in San Francisco when the early impact of COVID-19 in the U.S. was just starting to be felt.

There are 2 dominant themes to our conversation. First, Sven covers the hard realities of machine learning (ML) and warns against both over-dependence and hyperbole. There are many areas where a more simplistic approach is going to get the job done faster and cheaper without the need to maintain a costly ML model. Sven shares his approach to choosing the right tool for the job and a handy tip for determining where ML marketing has gone astray.

The second theme is the attack surface of ML itself. Seemingly long gone are the days when companies boasted that ML was the coup de grace for the defenders in the endless game of cybersecurity 'cat and mouse'. Today, we know that there are tactics aplenty for both weakening and defeating ML-based defenses that are available to everyone and easier than ever. Our longstanding cat and mouse game isn't over, it's simply more complex than before.

Our nearly 70 minute conversation with Sven serves as both a "102" exploration of applied ML in cybersecurity and a chat between friends. We cover the less obvious advantages of being based in Los Angeles, the criticality of data quality to effective ML and exactly which marketing myths rankle data scientists the most.
The second half of our Day Jobs series is the very first Security Voices episode we recorded: Dave interviewing Jack on the origins, shenanigans and future of BSides. Jack charts the history of the conference from its inception at a rental house in Las Vegas with a couple hundred people to today, where Security BSides is a global movement that has eclipsed 500 events (and growing).

One of the most unique aspects of Security BSides is that anyone can create their own event. It is a nonprofit organization that has at its heart a single, potent principle: be good to and for your community. The flexibility of BSides to be molded to the needs of the local community wherever it goes, from Memphis to Riyadh, is a core ingredient of its success. Jack explains how they carefully walk the line of letting each organizer shape their own BSides conference while stepping in only as necessary to lend a helping hand or occasionally correct course when things have come off the rails. The “just enough” guidance approach extends all the way to allowing new events to change names completely and blossom into different conferences. Security BSides in Phoenix became CactusCon, an event in the Bay Area became Bay Threat and MiSec traces its roots back to a BSides in Michigan. All of these offshoots are not only encouraged but celebrated by Jack and the BSides crew, who see this as yet another way of fitting the event to the personality of the local community.

Security BSides often serves as the starting point of open dialogue on critical industry topics such as gender diversity and mental health that the larger conferences only address years later. Jack takes us through the first “Feathers will Fly” session in Las Vegas, which served as a meaningful catalyst for future conversations on gender inequality and (the lack of) diversity in cyber security. We wrap up with Jack musing on the future of BSides and what it could become long past the year 2020.
Our February Security Voices episodes are a 2 part series where Jack and I focus on our “day jobs”, starting with the current episode on Open Raven. Part 2 will be the very first podcast we recorded, but never released, where Dave interviews Jack on the origins and escapades of B-Sides. This is as close as we intend to come to promoting anything explicitly on Security Voices, and if you’re completely allergic to even the scent of such things, join us back in March where we’ll pick back up with an interview of the Chief Scientist at a high-profile security company. In the meantime, we thought you might appreciate a little background on what Jack and Dave do outside of Security Voices, as it understandably colors our perspective, from the questions we ask to the stories we tell.

Open Raven was officially founded in April of 2019 by Dave and Mark Curphey, whom some will recall was the focus of episode 5 of Security Voices. Rather than solely focus on the founders, something we feel happens entirely too much, we felt you might like to hear from the people building the product itself. Consequently, Dave emcees the episode as we interview the Open Raven team members on topics from the graph back-end to how the company is branded and thinks about UX. The content is at times a little technical but should still be approachable by most, and it should give you a sense of the design decisions one makes in an early stage company.

Throughout the episode you will hear the authentic voice of the team as they share the principles driving what Open Raven is building along with the pain and successes along the journey.
Could you create a fake cyber security company and rack up industry awards overnight? How about fabricating a founder and scoring them impressive job offers? Haroon Meer did both of these recently for a presentation titled “The Products We Deserve” as an exploration and commentary on the state of the industry. Jack, Dave & Haroon take on snake oil in security during an hour-long conversation to determine exactly how someone could create a great company amidst the pressures that threaten to pull one in the wrong direction.

The catalyst for Haroon’s presentation and our discussion is his personal experience at Thinkst, where he has focused on building a “bottoms-up”, product first company that has grown steadily since its inception without venture capital. His thoughts, from how to deal with industry analysts to “ball pit marketing” at conferences, come from Thinkst’s direct experience aiming to not only grow the company, but grow it in a way that is true to their own values. How Haroon and Thinkst navigate challenges such as having a strong presence for the company at the RSA Conference (sans shenanigans) is an exercise in creative problem solving versus rejecting the experience entirely or simply following the crowd. While it would be easy for an episode such as this to be bleak or even angry, Haroon’s thoughtful approach and optimism give us a portrait of how we might emerge from our awkward adolescence as an industry into a better future.
Our 1st episode of 2020 is a story in three parts, beginning with the hard-fought wisdom of a veteran security practitioner, then diving deep into machine learning (ML) before wrapping up with how both security and AI apply to connected vehicles. The first part of our 74 minute conversation with Josh Lemos is the backstory of how he started his career in cybersecurity as a consultant... and left services to join ServiceNow as a practitioner. His time at ServiceNow lays out a solid formula for fixing application security inside a growth company that can little afford to slow down, or suffer the pain of the inevitable breach if the situation doesn’t improve.

Jack & Dave’s conversation with Josh on ML lays down many of the basics and is intended to be a rough primer for future episodes where we will further explore the topic. We discuss how ML projects often take much more preparation than originally planned, and topics that range from class imbalances and the differences between supervised/unsupervised ML to a starter’s toolkit, what to expect and some rookie mistakes to avoid.

As part of Cylance/Blackberry, Josh has recently been involved with connected vehicle projects, where standard security techniques for detecting executable malware on laptops and servers can start to look like child’s play in comparison to the effort required to properly diagnose events across the diverse hardware and software found in a modern car. Before wrapping with our speed round, we look ahead at areas where ML may be able to make leaps forward in both vehicles and across cyber security.
While visions of sugar plums might be dancing in children’s heads as we close out 2019, the 2020 elections are occupying the head space of many adults in the U.S. In 2016, the importance of election security was made crystal clear. What’s happened since then? Are we ready for 2020? How do experts believe our defenses will hold up when tested by foreign and even domestic attacks?

We spent an hour exploring election security (and more) with Camille Stewart, a cyber security attorney with experience working inside tech companies as well as considerable time spent on Capitol Hill, both in the Department of Homeland Security and as a consultant. Camille breaks down the major aspects of election security and we discuss why it’s seemingly so fractured across municipalities, and why that may not be such a bad thing after all. Jack, Dave and Camille debate how election defenses might be improved, from the role of open source and private services to “defending forward” by taking out troll farms. While Camille declined to grade our readiness for the attacks in 2020 (which have already begun), she does make predictions about what will happen during the ‘20 elections, including the likelihood of domestic influence campaigns.

Our ~75 minute conversation with Camille showcases the breadth of her experience in both the Silicon Valley and Washington D.C. She explains lessons learned from her time protecting brands at Cyveillance, breaking down the optimal way to get a social media company’s attention when you’d like to have something changed or removed. Camille also explains how State security might be modeled after progressive smaller countries who excel in cyber, leaning on her time working in foreign relations during the Obama Administration. We wrap up with her recent investigation and resulting paper on how foreign nations, especially China, have been leveraging U.S. bankruptcy proceedings to acquire large amounts of American intellectual property on the cheap.
It all changed one day while Nand was sitting in traffic on the 101 freeway. Why am I doing this? Nand had experienced no less than 4 successful exits of cyber security companies where he was founder or CEO. He was one of the most accomplished cyber security entrepreneurs in the Silicon Valley. At that moment, Nand decided to leave corporate life and set course to start a new phase of his career in the government.

His first step was to uproot his family and move them into graduate housing at Stanford, where he would finally do that MBA degree he had considered long ago. Throughout Nand’s hour-long interview with Jack and Dave, Nand explains how his family embraces the abrupt change from predictable Valley life and comforts to community living inside a small apartment on campus. While Nand is determining how to best complete projects with 19 year-olds, his wife Sarbani and children flourish, starting a non-profit as a result of their experience.

Nand’s next step towards Washington D.C. is a one-year stint across the country at the Harvard University John F. Kennedy School of Government, where he aimed to learn “the art of politics”. His time spent amongst princes and fledgling politicians taught Nand important lessons in complexity, the power of a good Queen ballad during karaoke and the occasional necessity of a Scorpion Bowl to wash it all down.

After considering a run for Congress, Nand completes his plan to restart his career in government when, by a series of unusual events (and a bit of start-up hustle), he becomes the CTO of the Department of Defense’s efforts in Artificial Intelligence. From his new vantage point, he shares what tech companies look like from the Washington D.C. perspective and answers heady questions such as “Who’s more trustworthy? A politician or a venture capitalist?”, and we find out whether it’s easier to be in a government or a Valley boardroom.
The 2nd half of our conversation with Niloo focuses on her recent work in Washington DC, where she holds several positions and recently (October 22nd, 2019) testified to Congress on the United States’ cyber security readiness. We begin with the topic of retaliation: What’s the proper response to a cyber attack if you want to discourage future aggression? Is cyber retaliation necessary to defend a country?

With the 2020 elections on the horizon, Niloo explains her perspective on influence campaigns such as the highly publicized activities by Russia in the ’16 presidential elections. While often seen as election interference, she explains the broader goal of Russia’s strategy as an attack on the fabric of trust throughout a country, and how your phone and social networks can be complicit in this scheme.

We end on a hopeful note: there are plenty of reasons to believe things will be better in the future in cyber security, starting with government restructuring from long outdated WW2 norms to a more modern organization design. And we learn why Niloo may not be your best choice as a new BFF on GoodReads.
There are stories, and then there are “epics”: tales of a journey so full of unexpected twists and excitement that you’re left wondering how all that could happen to a single person. Niloo Razi Howe’s life is such an epic. Whereas most epics feature men with swords, this one focuses on a woman with heels and a hockey stick.

While Niloo’s story as an Iranian exile is well-documented, our primary focus is on her career, which began as an author and quickly moved to becoming a McKinsey consultant and then attorney… until she founded one of the few modestly successful online pet supply businesses in the 90s. Moved by 9-11, Niloo found the cyber security market and made it her sole focus as an investor at Paladin Capital Group. We discuss her early learnings from investing in security, which focus on her time working with a portfolio company selling the millimeter wave scanning systems that are now commonplace at airports everywhere. Niloo took subsequent roles transforming a startup and then tried her hand at transforming industry titan RSA as their Chief Strategy Officer. Niloo then left it all to focus on her terminally ill mother. This experience affected her profoundly, and we wrap up this first part of our conversation with Niloo by exploring how she now structures her career on 3 pillars of different activities versus 1 job.
The Silicon Valley legend is the college dropout who made billions… but what if instead they stayed in the dorm room? This is the intriguing story of Marcin Kleczynski and Malwarebytes, told in a candid ~1-hour interview where he explains how his company was built in vivid detail. Marcin takes us through his formative moments, from being a Polish immigrant in Illinois helping his family’s cleaning business to his choice to remain in school at his mother’s insistence while Malwarebytes was making millions. Dave and Marcin discuss key product questions such as how much is too much product functionality to give away, how to work with the channel, whether or not you can effectively serve both consumer and enterprise markets and the future of endpoint protection. He also explains why it still makes sense to build a great office when the world feels like it’s shifting quickly to a remote workforce. We also find out why you should never send deep dish pizza to people in California...
Joel Fulton’s journey began in Alaska as a free-range kid who dreamed of becoming a fireman and ultimately led him to one of the most prestigious CISO roles in cyber security, at Splunk. Our conversation twists through his time as a computer auditor, MMA fighter, an author, a salesman, a PhD student and a few other positions in between. Our dialogue with Joel showcases the breadth of his interests as well as his gift for taking seemingly unrelated concepts and connecting them to illustrate a point, from choke holds to The Philosopher’s Toolkit all the way to systematic dismemberment. Joel’s interview offers plenty of practical examples for aspiring and longtime CISOs, breaking down how he thinks about discovery, orchestration and security training. Even at 80 minutes, this episode feels far too short.
Since this Spring, Security Voices has been “following the money trail” to explore all angles of how security companies are funded and run. In our final 2 episodes of the series, we’re shining a light on lesser known companies and individuals who have avoided traditional funding and taken a more unique approach to starting their businesses. This episode showcases Tozny, an encryption company with its longstanding roots in government contracts. Isaac, the founder and CEO, explains how he’s built a stable, steady growth business in Portland by harnessing one large customer after another… using entirely publicly available information and an open submission process. His conservative “staying alive” approach stands in stark contrast to the glitzy, go-for-broke mainstream security market.
Seemingly every day a security company announces that it has raised a new, big round of funding. As we close out our investor series, Jack and I wanted to highlight the bootstrappers, those brave people who kickstart their businesses using solely their own resources. Our interview with Zack Schuler of Ninjio illustrates the experience of a company with a big mission to reinvent security awareness that began with no funding but a loan from his bank account. While Zack had the benefit of a previous exit (he bootstrapped his 1st company at the age of 21), his mentality and practices are those of someone who hustles for every deal, obsesses over each hire and makes painstaking decisions about how he uses his time and money. Zack explains his special formula of hustle, Hollywood and a little bit of luck to build a winning company with no investors looking over his shoulder.
Dark clouds seem to hang over the security industry, especially after Black Hat and DEF CON. Playing constant defense can be disheartening, especially after hearing about every new type of possible attack in Las Vegas. We felt everyone could use a little post conference pick-me-up, so we pulled together this short (~15 min) episode which focuses on all the positive things that are happening in the industry from past interviews. We’ve often reflected on how interesting and encouraging it is that every guest we’ve interviewed has always had something they thought was much improved from the past, and how every one of these industry luminaries called out something different than the others.
Robocalls have plagued our phones in recent years, prompting many of us to no longer answer calls if we don’t immediately recognize the number. Ballpark estimates put the number of calls in 2018 at 48 billion, a 50% increase from the previous year. Ever wondered who was behind the flood of phone spam? How much they make? Where they’re from? How they got your number? We dig deep into the robocall epidemic with telecom expert TProphet, answering all of these questions and more before breaking down what telcos and legislators are doing to try and improve the situation. After comparing the North American robocall problem to the one in China, we take a look ahead at what the future holds for phone spam.