In this episode of RAW STORIES LIVE, we sit down with Josh Bey, VP of West & APJ at Obsidian Security, as he shares the gripping story of how he turned a seemingly unwinnable deal into a game-changing success. Facing financial pressure, personal life challenges, and a skeptical leadership team, Josh breaks down the emotional investment, strategic pivots, and relentless determination that ultimately secured a massive win. This episode dives deep into the importance of resilience, the power of champion-building, and the art of navigating high-stakes negotiations.
Welcome to the Scale with Strive Podcast, the place where you come to listen to some of the world's most influential leaders of the SaaS industry. I am your host, Adam Richardson, and on today's podcast I'm really pleased to introduce Ashraf Mohamed, VP of Europe for Obsidian Security. After completing a degree in aeronautical engineering, Ash moved into the world of SaaS sales and has had a hugely successful career spanning 18 years, working for companies such as Fuze, Confluent and Lacework. He has significant experience in building out GTM teams from scratch into global leaders following the MEDDIC playbook. Some of the key takeaways from today:
Alfredo Hickman fought the war on terror in the early 2000s in the Marine Corps infantry in Iraq. He shares some intense stories from his military experiences overseas with Gene, as well as how he transitioned from the front lines to a cybersecurity executive. Alfredo is passionate about helping veterans and giving back, and this episode is valuable for anyone looking to enter this industry, military or not. He shares details about his life and journey, his thoughts on cybersecurity trends in 2023, how the SANS Institute has been a resource for him and can be for others, his thoughts on mentoring, and more. Alfredo Hickman is Head of Information Security at Obsidian Security. He previously held security leadership positions at Rackspace. Alfredo served in the US Marine Corps from 2003 to 2011.
Alfredo Hickman on LinkedIn: https://www.linkedin.com/in/alfredohickman/
Obsidian Security: https://www.obsidiansecurity.com
SANS Institute: https://www.sans.org
#CyberMentoringMonday on Twitter and LinkedIn
On today's episode, we are joined by Oliver Linsley, our host and Network Consultant, and Chris Fuller, Principal Product and Solutions Architect at Obsidian Security. During this episode, Chris discusses some of the biggest changes he's seen in the industry to date and how the transition to the cloud has given many cybersecurity organisations a lot of flexibility. He also shares what he thinks the most important thing to know is if you're just starting out your career in the security field.
Learn more from Chris: https://www.linkedin.com/in/chrisfuller2/
Want to stay up to date with new episodes? Follow our LinkedIn page for all the latest podcast updates! Head to: https://www.linkedin.com/company/the-route-to-networking-podcast/
Interested in following a similar career path? Why don't you take a look at our jobs page, where you can find your next job opportunity? Head to: www.hamilton-barnes.com/jobs/
On this week's show Patrick Gray and Adam Boileau discuss the week's security news, including:
Apple to introduce user-encrypted backups, FBI is sad
Twitter ices e2ee plans for DMs
Rackspace is getting sued over its hosted Exchange ransomware incident
Dodgy driving: Microsoft signs some shady stuff
Japan to change laws, release the Shibas
A look at the US NDAA
Much, much more
This week's show is sponsored by Obsidian Security. Obsidian co-founder Ben Johnson joins the show this week to talk through SaaS configuration security and visibility/monitoring. Links to everything that we discussed are below and you can follow Patrick or Adam on Mastodon if that's your thing.
Show notes
Apple Expands End-to-End Encryption to iCloud Backups | WIRED
FBI Calls End-to-End Encryption 'Deeply Concerning' as Privacy Groups Hail Apple's Advanced Data Protection as a Victory for Users - MacRumors
Apple Kills Its Plan to Scan Your Photos for CSAM. Here's What's Next | WIRED
Elon Musk Wanted Twitter To Encrypt Messages. His New Safety Chief Says It's On Hold
I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware | Mandiant
Japan to amend laws to allow for offensive cyber operations against foreign hackers - The Record by Recorded Future
Amid Outrage, Rackspace Sends Users Email Touting Its Incident Response
New Ransom Payment Schemes Target Executives, Telemedicine – Krebs on Security
Hackers Planted Files to Frame Indian Priest Who Died in Custody | WIRED
Scammers Are Scamming Other Scammers Out of Millions of Dollars | WIRED
Risky Biz News: Disgruntled member doxes and extorts URSNIF gang
U.S. agency warns that hackers are going after Citrix networking gear | Reuters
Police raid offices of Predator spyware seller Intellexa | eKathimerini.com
$858 billion defense bill focuses heavily on cyber. These are some highlights.
Australia and Vanuatu sign defense and cybersecurity pact - The Record by Recorded Future
Fantasy – a new Agrius wiper deployed through a supply-chain attack | WeLiveSecurity
Ukrainian railway, state agencies allegedly targeted by DolphinCape malware - The Record by Recorded Future
US Dept of Health warns of 'increased' Royal ransomware attacks on hospitals - The Record by Recorded Future
'Crisis situation' declared as two Swedish municipalities hit by cyberattack - The Record by Recorded Future
Metropolitan Opera dealing with cyberattack that shut down website, box office - The Record by Recorded Future
LockBit ransomware crew claims attack on California Department of Finance
PLAY ransomware group claims responsibility for Antwerp attack as second Belgian city confirms new incident - The Record by Recorded Future
Popular HR and Payroll Company Sequoia Discloses a Data Breach | WIRED
Internet Explorer 0-day exploited by North Korean actor APT37
Four accused in business email compromise scheme which reaped millions from victims - The Record by Recorded Future
JSON syntax hack allowed SQL injection payloads to be smuggled past WAFs | The Daily Swig
Log4j's Log4Shell Vulnerability: One Year Later, It's Still Lurking | WIRED
Have you ever just met someone that was so interesting that you just sat and gave them your full attention? On this episode of CISO Tradecraft, we have Bill Cheswick come on the show. Bill talks about his 50 years in computing. From working with the pioneers of Unix at Bell Labs, inventing network visualization techniques for the DoD, and creating the early best practices in firewalls and perimeter defenses. He was also the first person to co-author a book on Internet Security. So listen in and enjoy. Also special thanks to our sponsor, Obsidian Security. You can learn more about them at: https://www.obsidiansecurity.com/sspm/
Hello, and welcome to another episode of CISO Tradecraft -- the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader. My name is G. Mark Hardy, and today's episode is about how to better mentor your people (and in doing so, improve yourself as well.) Mentoring is an important part of being a leader, and I would venture that most listeners have achieved their current level of success with the insights of a mentor, along with a lot of hard work. Today we're going to give you a template for creating a personal development plan you can use with your team. I also want to introduce you to a booklet that I keep on my desk. It was written in 1899. Do you have any idea what it might be? Well, keep listening and you'll find out, and you may end up getting yourself a copy of your own. Let's take a moment to hear from today's sponsor Obsidian Security. Career success rarely happens independently -- it usually involves multiple milestones, promotions, and sometimes moves. But success shouldn't be a secret. As Tony Robbins said, "success leaves clues." One of the best ways to achieve personal or professional success, or indeed help others do the same, is through mentoring and sponsorship. But the right person rarely shows up at our doorstep offering us the key to the future -- we have to go out and make that relationship happen. Today we're going to talk about mentors, protégés, sponsors, and that little booklet that has a repeatable secret for success.
Definitions
Let's start with what is a mentor - the dictionary definition is "an experienced and trusted adviser." My definition is it's a person with more experience and WISDOM who is willing to provide guidance to someone else -- a protégé. Notice I didn't say anything about careers -- you can have a spiritual mentor, an academic mentor, and if you're a new grandparent you want to pass along some tips to help raise your grandkids. 
You may also hear the term "mentee" instead of protégé -- I see that used from time to time, but it makes me think of those big slow sea creatures that keep getting run over by speedboats.
Mentor
Let's talk about the who, what, when, why, and how of being a mentor. The WHO part is someone with experience and wisdom willing to share insights. Insights about WHAT, at least as far as we're concerned today, is usually career-related -- what jobs or assignments may be best, what personal characteristics are important, whom should you meet and why. The WHEN portion of mentoring is usually a condition of the type of relationship. A traditional one-on-one mentor relationship may be established formally or informally. We established a program at work where those willing to offer advice could volunteer as a mentor and those seeking advice could request the assistance of a mentor. I was asked by our most senior technical security expert if I would serve as his mentor -- an assignment which I was pleased to accept, and we held mentoring sessions quarterly. Of course, we worked together more frequently than that, but those sessions were specifically about what he could learn from me as a mentor, and what I could do to structure his experiences to help with his personal and career growth. [Irish whiskey story] The WHY can be either because there is a mentorship program at your organization (and if there isn't one, do your homework and consider proposing one) or because someone reached out and requested assistance. Mentoring is not like doing the dishes where anyone can do a competent job. It requires empathy, communication skills, wisdom, and time commitment. I'm at the point in my life and career where I actively try to help others who are not as old as I am. Many times, that's appreciated, but some people seem to prefer to make all of their own mistakes and resist the effort. Oh, well. As my Latin teacher used to say, "suum cuique" -- to each their own. Finally, the HOW. 
Mentors should prioritize their sessions by preparing in advance and setting aside time without interruptions. Establish an agenda based upon specific requirements -- not just what the protégé wants but what the mentor believes he needs. Martina Bretous published an article on HubSpot where she points out ten ways to be an amazing mentor: Understand what you want out of the relationship. Set expectations together in the very beginning. Take a genuine interest in your mentee as a person. Build trust. Know when to give advice. Don't assume anything about your mentee – ask. Share your journey. Celebrate their achievements. Seek out resources to help your mentee grow. Be sure you have the bandwidth. In summary, if you want to be a mentor and seek out the right people in whom to invest your time, here's a short checklist. Look for protégés with a strong work ethic -- people who have built a reputation of delivering on time on budget. Select only those people of the proper character -- you don't want to be teaching a sociopath how to take over the organization. And you'll find you work better with others who share similar values. If you value hard work, honesty, humility, and perseverance, look for those characteristics, or at least the potential to develop those characteristics, in your potential mentee. We all know how hard it is to change ourselves. Think about how much harder it is to change someone else. In the end, you're just showing the way and it's up to the other person to take the appropriate actions, but you want to build a winning record of successful mentorships -- it doesn't help your own career if you're viewed as the incubator of failure.
Protégé
As listeners of this show, you are likely in a position to be a mentor. But that doesn't mean you can't benefit from having a mentor yourself. Let's look at the who, what, when, why, and how of being a protégé. 
The WHO is someone who can gain insight from a relationship with someone farther along in a given path. Mentees may be assigned a mentor relationship, or they may seek out that relationship on their own. Both are valid paths, and even if a formal program exists it's often up to the mentee to select from available mentors. It doesn't always work the other way around [Navy mentor story.] The WHAT is the reason for participating in this type of relationship. Usually, it's to gain insight into career and professional goals, but as I mentioned earlier, it can be about most anything where you could learn from someone who's not in the role of a teacher or supervisor. WHEN should you seek the advice of a mentor? Well, there's probably never a time NOT to seek advice, but if you're heads-down in a long project that you enjoy or find yourself in a position where you're content and soon winding down your career, then I suppose you're fine going it alone. Otherwise, after you've been in a position for a year or so and you've figured out your current role and how you fit in, that might be a suitable time to start looking for a mentor. I think the WHY is obvious, but let's address it. No one knows everything, but someone usually knows what you need. Seeking a mentor is a rational way of gaining insights that can help move your career along. And HOW do you become a protégé? You need to a-s-k to g-e-t. Potential mentors are usually busy people -- they don't go looking for more things to add to an already overwhelming calendar. That said, the saying "if you want something done, give it to a busy person" is often true, because busy people are in the business of making things happen. If your organization offers a mentorship program, jump at the opportunity. Just make sure that the person with whom you are paired has the time, the expertise, and the interest to help you in your career. When searching for a mentor, remember that you should have a clear goal in mind. 
"Hey, I need a mentor" isn't very specific, and the Mr. Rogers' "won't you be my mentor?" isn't very compelling. Rather, start with a specific objective. For example, it could be, "how do I become fully qualified to become a first-line manager?" or "what does this organization look for when selecting a C-level executive?" Once you have your goal, you can start your search, but remember that you need to stay professional. You're not seeking a drinking buddy -- a mentor rarely is a peer (although technically I have heard of peer-to-peer mentoring, but that runs the risk of the parable of the two blind men who both fall into a ditch.) You want someone with relevant knowledge and experience. And ideally first develop a working relationship before you pop the question. A busy mentor will feel more comfortable working with a known quantity than being left to wonder if this person represents a reputational risk. Let's turn our conversation now to sponsors.
Sponsors
Executive coach May Busch recommends forming a career board of directors to advance your career. She points out that you need both mentors and sponsors -- sponsors are those in your organization with sufficient clout to put you into key assignments and can advocate behind closed doors for your career advancement. Wow -- sounds great; where do I sign up? The issue is that you typically can't recruit sponsors; they come looking for you. Like a mentee, a "sponsee" represents potential risk to sponsors -- they are putting their own credibility with peers on the line by advocating for you. If you crash and burn, you both lose. Like any sales effort, you shouldn't put all of your eggs in a single basket, so if you want to identify a potential sponsor, look for a couple of candidates. Now, where you work there may be exactly one person who controls the vertical and the horizontal, but in most matrixed organizations, there is a range of opportunities to find advocacy. 
Find out who is senior enough to influence the decisions that can affect your career and also whether they are "in on things" to ensure that recommendations move you in the right direction. There are people who continue to serve past their key roles -- often called "emeritus" as an honorary title, but they probably aren't keeping up with the details. Look for someone who is still actively "in the game." And, like finding a mentor, you must identify a natural link between their business interests and your interests. Now, the intersection of all these criteria might yield exactly zero people, and if so, it's up to you to figure out your own way forward. But if you do identify potential sponsors, you need to attract their attention. But how? Your potential sponsors need to see you in action. Find ways to deliver executive presentations where they are present or participate in working groups and let the quality of your work differentiate you from peers. Circulate innovative ideas that represent a step forward for your organization. The result of these efforts should be to get you noticed. Note also that you can do this for members of your team. You may want to sponsor them for bigger and better things but don't have the organizational capital to make it happen on your own initiative. By placing your best people in front of these more powerful decision-makers, you can facilitate their sponsorship when one of them decides this person should be going places. Now, it's not just about performance. During COVID, most of us got comfortable working in bunny slippers from home, but that's not going to differentiate you to a potential sponsor. If you want to convince executives that you're C-level material, then you need to consistently look the part. Check your appearance. Do you look like the other executives in your organization? I spent 30 years in the military, so part of that "look" was proper grooming, a pressed neat uniform, and being physically fit. 
I remember my last semiannual physical fitness test -- I scored 295 out of 300 points and the young Sailor taking scores remarked, "not bad for an old man." But looking the part is important if you are going to present yourself as a leader. [story at CNL -- overweight memorandum.] Now, I suppose if you work in a dot com startup and the founders all wear t-shirts and jeans every day, then wearing a three-piece suit is not going to help. But find a way to align with the organization's senior leadership culture so that you don't look like an outsider, which translates into risk. Make sure your office space isn't full of junk and clutter and your home background on Zoom calls looks like a professional office space (or at least blur out the background.) Better yet, use a corporate-logo themed background which says, "I'm on the team." Okay, so let's say you've done all this and are now looking like you just came out of casting for The West Wing and you're sufficiently visible to senior executives. Beyond looking the part, you need to act the part. Sit up straight in meetings; don't fiddle with your phone when executives are in the room, no matter how boring the conversation may be at that moment. I remember back in 2000 when I was working at a startup, our CEO nearly lost our biggest client because she couldn't put down her Blackberry when we were briefing the client's head of security. He was a retired Navy captain and remarked to me privately (as a fellow Navy officer) how offended he was that this person couldn't be bothered to put down that phone for half an hour and focus on the conversation. Better yet? There is a superpower that few people have but you could master if you're a phone addict -- leave your phone on your desk when you go to a meeting. That's right -- separate yourself from your "life support unit." Now, in some circumstances you feel you need it because, "what if they ask who's available for a meeting next week and I don't have my calendar?" 
Bring your laptop or tablet instead, and only consult it when you're asked something that needs looking up to answer. Remember, even a CEO doesn't get a pass on distractions when your biggest client is in the room. In addition to looking the part and acting the part, you need to deliver. Make sure your work is exceptional and error-free. At the Pentagon we had a term -- "finished staff work." It means that what you turn in is correct, complete, and free of grammatical or typographical errors EVERY TIME. That's a tough discipline. I was a computer science and mathematics major at Northwestern, and there was nothing I wanted to avoid more than an English composition or writing class -- after all, I was going to be a technologist. Years later when I joined the staff of Booz|Allen, I saw the importance of mastering a professional writing style. As a consultant, you live or die by the pen -- how well you write proposals and deliverables. As I became more senior in both my civilian as well as my military career, I kept improving that ability to write well. A small but powerful book you should own and master is Strunk and White's The Elements of Style. It's the most succinct summary of writing rules I've read -- think of it as a syntax guide to the English language. Granted, some of these conventions are considered quaint or even obsolete -- the Oxford comma and two spaces after a sentence, but I still write that way. There's no reason if you can write a program that will compile (or if you're a Python programmer, not throw a Syntax Error) that you cannot write English with the same consistency. May Busch points out that there are four mistakes you can make that will ruin your attempts to attract a sponsor. One, which seems obvious, is that you're perceived as lacking potential. Note I said "perceived." 
I think all of us have slightly inflated expectations of ourselves -- that's called a healthy ego, but let's face it: some people are rightly classified as low potential, high achievers -- they work really hard to achieve mediocre results. "But I do consistently outstanding work at my current job!" Okay, I'll give you that. But remember -- we're talking about getting a sponsor for the NEXT job, and if you're not virtue signaling that you can perform at the next level, then a wise boss is likely to leave you where you are -- delivering consistently outstanding work. Remember my four-phase career model: technical, management, leadership, political? You can often move easily within one of those phases without sponsorship, but to get to the next level usually requires something or someone external to yourself. The second disqualifier is to be seen as "selectively motivated," meaning you only put forth full effort at the last minute. It's somewhat of a synonym for a procrastinator -- many of us know there's nothing like the last minute to make sure things get done. Sure, there are important things that are urgent, but if your MO is to goof off until just before a deadline and then rush out a finished product, that calls into question your long-term reliability for more responsible assignments. The third disqualifier is lack of self-confidence. If you present yourself as hesitant and uncertain, you do not inspire confidence. "Do you think, umm, maybe we might possibly consider doing this?" is not as reassuring as, "Here's what we're going to do." I'm not advocating for arrogance here; but if you secretly worry about imposter syndrome or a belief that you're not as good as others perceive you to be, then that's likely to leak out in your words and actions and cause potential sponsors to pause. The fourth way you can discourage a potential sponsor is to be inappropriate. You say and do the wrong things at the wrong time to the wrong people. 
You put your feet up on the conference table or make inappropriate or even offensive jokes when no one was looking for that type of input. Walking up to a senior executive and saying, "won't you be my sponsor?" is another example. It's fine for Mr. Rogers to ask, "won't you be my neighbor?" but as you know by now, you have to become the one who attracts attention, not demands it.
Being Inspirational
One of the best ways to help others move forward is to show them an example of what represents success. I mentioned earlier the booklet that sits on my desk -- have you figured out what it might be? It's "A Message to Garcia" written by Elbert Hubbard, the founder of the Roycrofters in East Aurora NY. Hubbard was a writer, publisher, artist, and philosopher, who wrote that he sat down and penned this essay after dinner in under an hour. What started as an article in his magazine grew rapidly. After receiving requests for a thousand copies of that issue, he inquired as to the reason. "It's the stuff about Garcia." The New York Central Railroad reprinted over one million copies in booklet form. The Director of Russian Railways, who was in New York, was so impressed that when he returned to Moscow he ensured a translated copy was given to every railroad employee in Russia. Every Russian soldier in the Russo-Japanese war had a copy, and when the Japanese officials noted Russian prisoners of war all carried it, they concluded it must be a good thing, translated it into their language and gave copies to every employee of the Japanese government. By December 1913, over forty million copies of A Message to Garcia had been printed. Tragically, Hubbard died on the 7th of May 1915 as a passenger onboard RMS Lusitania, which was torpedoed by a German U-boat. I have a number of his publications, but this is the one that I reread the most. 
It's not that long -- less than fifteen hundred words, and if you haven't heard it before, you should, and if you have heard it before and you're like me, you'll want to hear it again. Remember, the context is 1899. Here is…
A Message to Garcia
By Elbert Hubbard
In all this Cuban business there is one man stands out on the horizon of my memory like Mars at perihelion. When war broke out between Spain and the United States, it was very necessary to communicate quickly with the leader of the Insurgents. Garcia was somewhere in the mountain vastness of Cuba- no one knew where. No mail nor telegraph message could reach him. The President must secure his cooperation, and quickly. What to do! Some one said to the President, "There's a fellow by the name of Rowan will find Garcia for you, if anybody can." Rowan was sent for and given a letter to be delivered to Garcia. How "the fellow by the name of Rowan" took the letter, sealed it up in an oil-skin pouch, strapped it over his heart, in four days landed by night off the coast of Cuba from an open boat, disappeared into the jungle, and in three weeks came out on the other side of the Island, having traversed a hostile country on foot, and delivered his letter to Garcia, are things I have no special desire now to tell in detail. The point I wish to make is this: McKinley gave Rowan a letter to be delivered to Garcia; Rowan took the letter and did not ask, "Where is he at?" By the Eternal! there is a man whose form should be cast in deathless bronze and the statue placed in every college of the land. It is not book-learning young men need, nor instruction about this and that, but a stiffening of the vertebrae which will cause them to be loyal to a trust, to act promptly, concentrate their energies: do the thing- "Carry a message to Garcia!" General Garcia is dead now, but there are other Garcias. 
No man, who has endeavored to carry out an enterprise where many hands were needed, but has been well nigh appalled at times by the imbecility of the average man- the inability or unwillingness to concentrate on a thing and do it. Slip-shod assistance, foolish inattention, dowdy indifference, and half-hearted work seem the rule; and no man succeeds, unless by hook or crook, or threat, he forces or bribes other men to assist him; or mayhap, God in His goodness performs a miracle, and sends him an Angel of Light for an assistant. You, reader, put this matter to a test: You are sitting now in your office- six clerks are within call. Summon any one and make this request: "Please look in the encyclopedia and make a brief memorandum for me concerning the life of Correggio". Will the clerk quietly say, "Yes, sir," and go do the task? On your life, he will not. He will look at you out of a fishy eye and ask one or more of the following questions: Who was he? Which encyclopedia? Where is the encyclopedia? Was I hired for that? Don't you mean Bismarck? What's the matter with Charlie doing it? Is he dead? Is there any hurry? Shan't I bring you the book and let you look it up yourself? What do you want to know for? And I will lay you ten to one that after you have answered the questions, and explained how to find the information, and why you want it, the clerk will go off and get one of the other clerks to help him try to find Garcia- and then come back and tell you there is no such man. Of course I may lose my bet, but according to the Law of Average, I will not. Now if you are wise you will not bother to explain to your "assistant" that Correggio is indexed under the C's, not in the K's, but you will smile sweetly and say, "Never mind," and go look it up yourself. And this incapacity for independent action, this moral stupidity, this infirmity of the will, this unwillingness to cheerfully catch hold and lift, are the things that put pure Socialism so far into the future. 
If men will not act for themselves, what will they do when the benefit of their effort is for all? A first-mate with knotted club seems necessary; and the dread of getting "the bounce" Saturday night, holds many a worker to his place.

Advertise for a stenographer, and nine out of ten who apply, can neither spell nor punctuate- and do not think it necessary to. Can such a one write a letter to Garcia?

"You see that bookkeeper," said the foreman to me in a large factory.

"Yes, what about him?"

"Well he's a fine accountant, but if I'd send him up town on an errand, he might accomplish the errand all right, and on the other hand, might stop at four saloons on the way, and when he got to Main Street, would forget what he had been sent for."

Can such a man be entrusted to carry a message to Garcia?

We have recently been hearing much maudlin sympathy expressed for the "downtrodden denizen of the sweat-shop" and the "homeless wanderer searching for honest employment," and with it all often go many hard words for the men in power.

Nothing is said about the employer who grows old before his time in a vain attempt to get frowsy ne'er-do-wells to do intelligent work; and his long patient striving with "help" that does nothing but loaf when his back is turned.

In every store and factory there is a constant weeding-out process going on. The employer is constantly sending away "help" that have shown their incapacity to further the interests of the business, and others are being taken on. No matter how good times are, this sorting continues, only if times are hard and work is scarce, the sorting is done finer- but out and forever out, the incompetent and unworthy go. It is the survival of the fittest. Self-interest prompts every employer to keep the best- those who can carry a message to Garcia.
I know one man of really brilliant parts who has not the ability to manage a business of his own, and yet who is absolutely worthless to any one else, because he carries with him constantly the insane suspicion that his employer is oppressing, or intending to oppress him. He cannot give orders; and he will not receive them. Should a message be given him to take to Garcia, his answer would probably be, "Take it yourself."

Tonight this man walks the streets looking for work, the wind whistling through his threadbare coat. No one who knows him dare employ him, for he is a regular fire-brand of discontent. He is impervious to reason, and the only thing that can impress him is the toe of a thick-soled No. 9 boot.

Of course I know that one so morally deformed is no less to be pitied than a physical cripple; but in our pitying, let us drop a tear, too, for the men who are striving to carry on a great enterprise, whose working hours are not limited by the whistle, and whose hair is fast turning white through the struggle to hold in line dowdy indifference, slip-shod imbecility, and the heartless ingratitude, which, but for their enterprise, would be both hungry and homeless.

Have I put the matter too strongly? Possibly I have; but when all the world has gone a-slumming I wish to speak a word of sympathy for the man who succeeds -- the man who, against great odds has directed the efforts of others, and having succeeded, finds there's nothing in it: nothing but bare board and clothes.

I have carried a dinner pail and worked for day's wages, and I have also been an employer of labor, and I know there is something to be said on both sides. There is no excellence, per se, in poverty; rags are no recommendation; and all employers are not rapacious and high-handed, any more than all poor men are virtuous.

My heart goes out to the man who does his work when the "boss" is away, as well as when he is at home.
And the man who, when given a letter for Garcia, quietly takes the missive, without asking any idiotic questions, and with no lurking intention of chucking it into the nearest sewer, or of doing aught else but deliver it, never gets "laid off," nor has to go on a strike for higher wages. Civilization is one long anxious search for just such individuals. Anything such a man asks shall be granted; his kind is so rare that no employer can afford to let him go. He is wanted in every city, town and village- in every office, shop, store and factory. The world cries out for such: he is needed, and needed badly- the man who can carry a message to Garcia.

-THE END-

In 2009 as president of the Association of the United States Navy, I wrote a short article entitled "A New Message to Garcia." There I called out the actions of a Sailor who went above and beyond what was expected without even being asked. I hope he went on to bigger and better things because he had the right stuff.

Take Action

Let's put all of this together. One of the best ways to formalize mentoring is to create a written performance development plan. We've included a sample template in the show notes. This is a way to memorialize conversations with SMART goals -- you remember, specific, measurable, achievable, relevant, and time-bound? If you are a mentor, you can use this as a template for your counseling sessions. If you are a mentee and there is no template in your organization, feel free to introduce this to your mentor -- you're showing initiative and creating potential value for more people than just yourself.

By putting goals in writing, they experience a magical transformation. It was Napoleon Hill who wrote that "a goal is a dream with a deadline." Until you write it down, it's easy to find other things that seem more important or urgent at the moment. In addition, a written set of goals offers accountability -- it's a commitment between mentor and mentee that can be honored like a contract.
Start with the manager's organizational priorities and goals that provide a context for the session. For example, if you are in the cybersecurity organization, these could be things such as, "create a cyber vigilant organization," "enable cybersecurity controls and compliance," and "safeguard the organization against major threats." Each of these could have subgoals that get into a little more detail -- awareness training for users, secure coding training for developers, establishing a governance structure around cyber risk. This requires inside knowledge, and if the mentor is within the same organization, it shouldn't be too difficult to ascertain. In addition, if the mentor is the supervisor, then even better -- this shows how the protégé's goals fit in with the boss's vision of what should happen. Better to find out early on that an idea isn't practical than to spend a year working on it only to find out it will never be implemented.

Next, the protégé lists individual development goals. Not too many, especially if you are meeting quarterly. Two or three may be sufficient. If there are too many things to work on, the natural tendency is to go for those that are easiest, which may not be the ones that are the most important.

Next comes the BHAG -- the big, hairy, audacious goal -- the one that will represent a signature accomplishment. Chances are, this won't happen in a month or a quarter, but it's perfectly reasonable for an annual cycle to align with performance reviews to specify a stretch goal. And by doing it in writing and knowing someone is holding accountability, it's more likely to happen.

When it comes to making progress, actions can be separated into experiences, relationships, and learning. Most of our progress is done through experience, so list multiple experiences that one expects to accomplish before the next session. It can be part of a larger goal -- work on the team deploying a SIEM or complete a particular phase of a larger project.
This is where the majority of the accountability will reside -- did you complete what you set out to do? It's helpful to be a bit aspirational, but this isn't another set of stretch goals.

List at least two relationship improvement opportunities -- these can be key relationships or even potential sponsors. For example, it could include the head of a particular business unit that has specific security requirements -- that meeting would help address those concerns and provide an opportunity for the person seeking visibility.

Lastly, include learning opportunities. Not all of us are going to school full-time, but we all should be working on self-improvement. For example, you might set a goal to complete the next course in your degree program or take the exam that grants a particular certification.

What you have is a template for action and professional growth. The action comes from the accountability of a written document, and the growth comes from the joint goal-setting that takes place under the guidance of a mentor. Don't just file it away with the rest of your paperwork -- put it where you'll see it every day and challenge yourself to check off another accomplishment by week's end. By encouraging this culture of accomplishment, you'll significantly increase the probability of success.

Conclusion

Inside the front cover of my Garcia booklet is a short essay entitled "Initiative." Let me leave you with this as a final thought:

The world bestows its big prizes, both in money and in honors, for but one thing. And that is Initiative. What is Initiative? I'll tell you: it is doing the right thing without being told. But next to doing the thing without being told is to do it when you are told once. That is to say, carry the Message to Garcia: those who can carry a message get high honors, but their pay is not always in proportion. Next, there are those who never do a thing until they are told twice; such get no honors and small pay.
Next, there are those who do the right thing only when necessity kicks them from behind, and these get indifference instead of honors, and a pittance for pay. This kind spends most of its time polishing a bench with a hard-luck story. Then, still lower down in the scale than this, we have the fellow who will not do the right thing even when some one goes along to show him how and stays to see that he does it; he is always out of a job, and receives the contempt he deserves, unless he happens to have a rich Pa, in which case Destiny patiently awaits around a corner with a stuffed club.

To which class do you belong?

Thank you for listening to CISO Tradecraft; we hope you've found this show valuable. If you learned something that you like, please help us by leaving us a 5-star review on your favorite podcast platform -- those ratings really help us reach other security leaders. The more CISOs we can help, the more businesses we can protect. This is your host, G. Mark Hardy. Thanks again for listening and stay safe out there.
References:
- https://blog.hubspot.com/marketing/mentor-tips-positive-impact
- https://www.businessnewsdaily.com/6248-how-to-find-mentor.html
- https://www.businessnewsdaily.com/3504-how-to-mentor.html
- https://maybusch.com/career-board-of-directors-advance-career/
- https://maybusch.com/find-sponsor/
- https://www.amazon.com/Elements-Style-4th-William-Strunk/dp/0205313426?&_encoding=UTF8&tag=-0-0-20&linkCode=ur2
- https://www.nato.int/nrdc-it/about/message_to_garcia.pdf
- https://gmarkhardy.com/Navy_Articles/NRA-0909%20A%20New%20Message%20to%20Garcia.pdf

Example: Individual Performance Plan

Name: ________________________________ Date: ________________

Leadership's Cyber Priorities and Goals
- Create a Cyber Vigilant Organization: Cyber Awareness Training, Secure Developer Training, and Proper Risk Approval and Governance
- Enable Compliance, Controls, and Cyber Security: Controls (IT General Controls & SOX), Audits, and Cyber Maturity Frameworks (ISO 27001, NIST CSF, or FFIEC)
- Safeguard the Business against Key Threats: Phishing and Ransomware, Software Vulnerabilities, and Third-Party Risks

Individual Development Goals
Goal:
Goal:

Signature Accomplishment
My Big Goal is to accomplish …

Actions I am taking this year (How)
Experiences (70%)
- Experience 1
- Experience 2
- Experience 3
- …
Relationships (20%)
- Relationship Improvement Opportunity 1
- Relationship Improvement Opportunity 2
Learning (10%)
- Learning Opportunity

Support Needed from My Manager
I need help with …
Special Thanks to our podcast sponsor, Obsidian Security.

We are really excited to share today's show on SaaS Security Posture Management. Please note we have Ben Johnson stopping by the show, so please stick around and enjoy.

First let's go back to the basics. Today most companies have already begun their journey to the cloud. If you are in the midst of a cloud transformation, you should ask yourself three important questions:

- How many clouds are we in?
- What data are we sending to the cloud to help the business?
- How do we know the cloud environments we are using are properly configured?

Let's walk through each of these questions to understand the cyber risks we need to communicate to the business, as well as focus on one cloud type that might be forecasting a major event.

First let's look at the first question: How many clouds are we in? It's pretty common to find organizations still host data in on-premises data centers. This data is also likely backed up to a second location just in case a disaster event occurs and knocks out the main location. For example, if you live in Florida you can expect a hurricane. When this happens you might expect the data center to lose power and internet connectivity. Therefore it's smart to have a backup location somewhere else that would be unlikely to be impacted by the same regional event. We can think of our primary data center and our backup data center as an on-premises cloud. Therefore it's the first cloud that we encounter.

The second cloud we are likely to encounter is external. Most organizations have made the shift to using cloud computing service providers such as Amazon Web Services, Azure, Google Cloud Platform, or Alibaba. Each of these cloud providers has a multitude of offerings designed to help organizations reduce the need to host IT services on premises. Now if you are using both on-premises and a cloud computing provider such as AWS, congratulations, you are in what is known as a hybrid cloud environment.
If you use multiple cloud computing providers such as AWS and Azure then you are in a multi-cloud environment. Notice the difference between terms. Hybrid cloud means you host on premises and use an external cloud provider, whereas multi-cloud means you use multiple external cloud providers. If you are using a common cloud platform like AWS, Azure, or GCP then you can look into a Gartner Magic Quadrant category known as Cloud Workload Protection Platforms. Here you might encounter vendors like Palo Alto Prisma Cloud, Wiz, or Orca who will provide you with recommendations for your cloud configuration settings.

So let's say your organization uses on premises and AWS but not Azure or GCP. Does that mean you only have two clouds? Probably not. You see there's one more type of cloud hosted service that you need to understand how to defend. The most common cloud model organizations leverage is Software as a Service, commonly abbreviated SaaS. Frankly we don't hear about SaaS security being discussed much, which is why we are doing a deep dive on its security in this episode. We think there's a real danger of SaaS clouds turning from a nice cloud that gently cools down a hot summer day into a severe weather storm that can cause an event.

So let's look at SaaS security in more depth. SaaS refers to cloud hosted solutions whereby vendors maintain most everything. They run the application, they host the data, they host runtime environments, middleware, operating systems, virtualization technologies, servers, storage, and networking. It can be a huge win to run SaaS solutions since it minimizes the need to have IT staff running all of these IT services. Example: hiring HVAC folks to ensure we have proper heating and cooling for servers on premises won't add new sales revenue to the business.

Now that you understand why SaaS is important, you should ask yourself: How many external SaaS providers are we sending sensitive data to?
Every company is different but most can expect to find dozens to hundreds of SaaS based solutions. Examples of external SaaS solutions commonly encountered by most businesses include:

- ServiceNow or Jira in use as a ticketing service
- Salesforce for customer relationship management
- Workday for HR information
- G Suite or Microsoft Office 365 in use to send emails and create important documents
- GitHub as a source code repository for developers
- Zoom for virtual teleconferences
- Slack for instant messaging like conversations
- Okta for Identity and Access Management

Once you build out an inventory of your third-party hosted SaaS solutions, you need to understand the second question: What kind of data is being sent to each service? Most likely it's sensitive data. Customer PII and PCI data might be stored in Salesforce, diversity or medical information for employees is stored in Workday, sensitive algorithms and proprietary software code is stored in GitHub, etc. OK so if it is data that we care about then we need to ensure it doesn't get into the wrong hands.

We need to understand why we care about SaaS based security, which is commonly known as SaaS Security Posture Management. Let's consider the 4 major benefits of adopting this type of service.

Detection of Account Compromise. Today bad actors use man-in-the-middle attacks to trick users into giving their passwords and MFA tokens to them. These attacks also provide the session cookie credentials that allow a website to know a user has already been authenticated. If attackers replay these session cookie credentials there's no malware on the endpoints. This means that antivirus and EDR tools don't have the telemetry they need to detect account compromise. Therefore, you need log data from the SaaS providers to see anomalous activity such as changing IP addresses on the application. Note we talked about this attack in much more detail on episode 87, From Hunt Team to Hunter with Bryce Kunze.
In addition to detecting account compromises, we see that SaaS security posture management solutions also improve detection times and response capabilities. Let's just say that someone in your organization has their login credentials to Office 365 publicly available on the dark web. So a bad actor finds those credentials and logs into your Office 365 environment. Next the bad actor begins downloading every sensitive file and folder they can find. Do you have a solution that monitors Office 365 activity for Data Loss Prevention? If not, then you are probably going to miss that data breach. So be sure to implement solutions that both log and monitor your SaaS providers so you can improve your SaaS incident detection and response capabilities.

A third benefit we have seen is improvements to configuration and compliance. You can think of news articles where companies were publicly shamed when they lost sensitive data by leaving it in a public Amazon S3 bucket when it should have been private. Similarly there are settings in most SaaS solutions that need to be configured properly. The truth is many of these settings are not secure by default. So if you are not looking at your SaaS configurations then access to sensitive data can become a real issue.

Here's an all too common scenario. Let's say your company hires an intern to write a custom Salesforce page that shows customer documents containing PII. The new intern releases updates to that webpage every two weeks. Unfortunately the intern was never trained on all of the Salesforce best practices and creates a misconfiguration that allows customer invoices to be discovered by other customers. How long would this vulnerability be in production before it's detected by a bad actor? If you think the answer is < 90 days, then performing yearly penetration tests is probably too slow to address the brand damage your company is likely to incur.
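The two detection points above (a replayed session cookie showing up as an IP change on the same session, and a compromised account mass-downloading files) both rely on nothing but the SaaS provider's own activity log. The following is an added example, not code from the episode or from Obsidian's product; the JSON-lines event format, field names and sample events are constructed for illustration, so a real provider export would need a small mapping step first.

```python
"""Two detections over SaaS provider audit logs, needing no endpoint telemetry.

1. session_ip_changes(): one session ID observed from more than one source IP.
   A replayed session cookie shows up this way in the provider's log even
   though no malware ever touched an endpoint.
2. bulk_download_users(): a user exceeding a download threshold inside a
   sliding time window, the mass-download pattern of a compromised account.

Event format and field names are constructed for this example (assumption).
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). Alice's session s-1 jumps from
# 198.51.100.10 to 203.0.113.77 without a new login; Bob downloads six files
# in six minutes; Carol's activity is benign.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "user": "alice@example.com", "session": "s-1", "ip": "198.51.100.10", "action": "login"}
{"ts": "2024-05-01T09:05:00Z", "user": "alice@example.com", "session": "s-1", "ip": "198.51.100.10", "action": "file.view"}
{"ts": "2024-05-01T09:20:00Z", "user": "alice@example.com", "session": "s-1", "ip": "203.0.113.77", "action": "file.download"}
{"ts": "2024-05-01T09:21:00Z", "user": "alice@example.com", "session": "s-1", "ip": "203.0.113.77", "action": "mailbox.rule.create"}
{"ts": "2024-05-01T10:00:00Z", "user": "bob@example.com", "session": "s-2", "ip": "198.51.100.20", "action": "login"}
{"ts": "2024-05-01T10:01:00Z", "user": "bob@example.com", "session": "s-2", "ip": "198.51.100.20", "action": "file.download"}
{"ts": "2024-05-01T10:02:00Z", "user": "bob@example.com", "session": "s-2", "ip": "198.51.100.20", "action": "file.download"}
{"ts": "2024-05-01T10:03:00Z", "user": "bob@example.com", "session": "s-2", "ip": "198.51.100.20", "action": "file.download"}
{"ts": "2024-05-01T10:04:00Z", "user": "bob@example.com", "session": "s-2", "ip": "198.51.100.20", "action": "file.download"}
{"ts": "2024-05-01T10:05:00Z", "user": "bob@example.com", "session": "s-2", "ip": "198.51.100.20", "action": "file.download"}
{"ts": "2024-05-01T10:06:00Z", "user": "bob@example.com", "session": "s-2", "ip": "198.51.100.20", "action": "file.download"}
{"ts": "2024-05-01T11:00:00Z", "user": "carol@example.com", "session": "s-3", "ip": "198.51.100.30", "action": "login"}
{"ts": "2024-05-01T11:30:00Z", "user": "carol@example.com", "session": "s-3", "ip": "198.51.100.30", "action": "file.download"}
"""


def parse_events(text):
    """Parse JSON-lines events into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def session_ip_changes(events):
    """Return {session_id: [ip, ...]} for every session seen from more than
    one source IP, in order of first appearance. A legitimate user gets a new
    session on re-login; the same session continuing from a new IP is the
    signature of a replayed cookie."""
    seen = defaultdict(list)
    for ev in events:
        if ev["ip"] not in seen[ev["session"]]:
            seen[ev["session"]].append(ev["ip"])
    return {sid: ips for sid, ips in seen.items() if len(ips) > 1}


def bulk_download_users(events, threshold=5, window=timedelta(minutes=10)):
    """Return {user: peak_count} for users whose 'file.download' events exceed
    `threshold` within any sliding window of `window` length."""
    recent = defaultdict(deque)  # per-user timestamps inside the window
    flagged = {}
    for ev in events:
        if ev["action"] != "file.download":
            continue
        q = recent[ev["user"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop timestamps that fell out
            q.popleft()
        if len(q) > threshold:
            flagged[ev["user"]] = max(flagged.get(ev["user"], 0), len(q))
    return flagged


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for sid, ips in session_ip_changes(evs).items():
        print(f"session {sid} seen from multiple IPs: {' -> '.join(ips)}")
    for user, n in bulk_download_users(evs).items():
        print(f"{user}: {n} downloads inside a 10-minute window")
```

The same two functions can be pointed at a real export once the provider's field names are mapped onto `ts`, `user`, `session`, `ip` and `action`; the threshold and window are tuning knobs, not fixed values.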
You need to implement a control that finds vulnerabilities in hours or days, not months. This control might notify you of compliance drift in real time when your Salesforce configuration stops meeting a CIS benchmark. Now you could pay a penetration testing provider thousands of dollars each week to continually assess your Salesforce environment, but that would become too cost prohibitive. So focus on being proactive by switching from manual processes such as penetration testing to things that can be automated via tooling.

The fourth major benefit that we observe is proper access and privilege management. Here's one example. For critical business applications you often need to enforce least privilege and prevent the harm that one person can cause. Therefore, it's common to require two or more people to perform a function. Example: one developer writes the new code for a customer facing website, another developer reviews the code to detect if there are any major bugs or glaring issues that might cause brand damage. Having a solution that helps mitigate privilege creep ensures that developers don't increase their access.

Another example of the importance of proper access management occurs when bad employees are fired. When a bad employee is fired, the company needs to immediately remove their access to sensitive data and applications. This is pretty easy when you control access via a Single Sign On solution: just disable their account in one place. However many SaaS providers don't integrate with SSO/SAML. Additionally the SaaS website is generally internet accessible so people can work from home even if they are not on a corporate VPN. Therefore it's common to encounter scenarios where bad employees are fired and their account access isn't removed in a timely manner. The manager probably doesn't remember the 15 SaaS accounts they granted to an employee over a 3 year time frame.
When employees are terminated and access isn't removed you can generally expect an audit finding, especially if it's on a SOX application.

OK so now that we talked about the 4 major drivers of SaaS Security Posture Management (detection of account compromise, improved detection and response times, improvements to configuration and compliance, and proper access and privilege management) let's learn from our guest who can tell us some best practices with implementation. Now I'm excited to introduce today's guest: Ben Johnson.

Live Interview

Well thanks again for taking time to listen to our show today. We hope you enjoyed learning about the various clouds we are in (on premises, cloud computing vendors, and SaaS) and understanding the new Gartner Magic Quadrant category known as SaaS Security Posture Management. So if you want to improve your company's ability on SaaS based services to:

- detect account compromise,
- improve detection and response times,
- improve configuration and compliance, and
- proper access and privilege management

Remember if you liked today's show please take the 5 seconds to leave us a 5 star review with your podcast provider. Thanks again for your time and stay safe out there.
With the move to the cloud, there has been a significant shift to SaaS and the recurring revenue model by software providers. While each software vendor implements security features, organizations cannot keep up with all of the security requirements for each application and the security risks involved with the interactions of those applications while maintaining compliance at the same time. Obsidian resolves these issues.

Hasan Imam, CEO of Obsidian Security, discusses with Don Witt of The Channel Daily News, a TR publication, how “their platform proactively hardens SaaS posture to prevent configuration drift, overprivileged users and publicly exposing data.” While serving Fortune 2000 enterprise organizations, Obsidian addresses their challenges of posture and threat management. Hasan goes on to discuss the background development, market research and market need behind Obsidian's SaaS product. Listen in as Hasan describes the markets they are serving and the issues they are addressing for those organizations.

About: Obsidian is the first and only comprehensive security platform designed for SaaS. From productivity suites and communication tools to HR systems and identity providers, organizations around the world entrust more data than ever before to their SaaS applications. Obsidian creates a comprehensive and contextual understanding of those complex, interconnected applications to make them safer and more secure. For more information, go to: https://www.obsidiansecurity.com/
A re-broadcast of our episode featuring Obsidian Security CEO and co-founder Glenn Chisholm, whose company just raised $90 million in Series C funding. Chisholm spoke with Greylock general partner Sarah Guo and New York Times cybersecurity reporter Nicole Perlroth in early 2021, shortly after the SolarWinds attack. In this conversation, they discuss the ever-evolving cybersecurity risk landscape and how businesses and governments can proactively protect their data.
Welcome to another episode! Today's guest is Jeffrey Ishmael. Jeff is the CEO and co-founder of CELLR, which is a consumer-centric wine app intended to help wine enthusiasts curate their wine life. CELLR was launched to provide an app that lives at the crossroads of Vivino, Cellar Tracker, and Wine Searcher. Jeff has been an avid wine enthusiast for almost 25 years and started his appreciation of wine in Paso Robles where he owned a home, but then started expanding his cellar holdings to include a wide variety of Napa and Bordeaux based wines. Jeff has over 20 years of successful finance and operations experience with a broad background that includes Technology, Retail, and Apparel. Currently, he is the CFO for RAEN Optics, which is a lifestyle optical brand in Carlsbad, CA. Previously, he was the founding CFO of Cylance, which was a cybersecurity company in Irvine that was subsequently sold to Blackberry for $1.4B. Jeff was also on the founding team of Obsidian Security. He has been involved in over $200m in funding with a selection of VC firms that include Khosla Ventures, Greylock Partners, Blackstone, DFJ Growth, GV, KKR, Citi Ventures, Wing Ventures, and more. In this episode, Jeffrey shares with us his journey merging tech and wine. Let's dive in!
[00:01 - 11:10] Opening Segment
- I introduce our guest for this episode and a short bio
- Jeff describes how the idea of CELLR came about
- Developing a wine community through an app
- Connecting cellar owners directly
- Using data to match the preferences of wine enthusiasts
- Using accurate data to allow the community to have a good experience

[11:11 - 38:13] From Wine Enthusiast to Wine Tech
- Jeff shares his experience of almost 10 years working with data scientists and software engineers, cyber security and tech finance
- The first stages of developing the app
- How Jeff chooses the wines for his collection
- Experiences that led to discovering new wines
- Getting familiar with wine regions
- The importance of on-site tasting and bringing people into the same environment
- Jeff shares his latest and favorite wines and the stories that led to choosing them
- The challenges and opportunities for wine coming up in 2022
- The ability to monetize assets in Cellar Tracker
- CELLR connecting cellar owners and aficionados directly
- The sense of community that brings people together around wine
- Bringing ideas from the community into individual use

[38:14 - 41:30] Closing Segment
- Favorite Wine: Turtle Rock Westberg Ray
- Go-to pairing: Filet and Black Label from Maryland Branch
- Wine resource: www.winebusiness.com
- Connect with Jeffrey Ishmael: see links below
- Reach out to me for more wine conversations through the links below
- Subscribe and leave a review
- Final words

Tweetable Quotes:

“And that's what we implement, it's implementing ideas that are coming out of the community and developing a product for them to use individually.” - Jeffrey Ishmael

“I want to send you a bottle of wine in Kansas City, it's a federal offense to drop that in the mail, I mean, it's stupid” - Jeffrey Ishmael

“It's being able to curate your individual, you know, wine lifestyle, tracking the varietals that you drink” - Jeffrey Ishmael

Connect with Jeff through his accounts on Instagram: @cellrsociety & Twitter!
You can also check out his website at www.cellr.com

Let's continue the Everyday Wine Conversations and connect with me through Instagram, Facebook, LinkedIn, or feel free to shoot me an email at kris@krislevy.co. You can also check out my website at www.klevywineco.com.

TELL US WHAT YOU THINK! LEAVE A REVIEW + help us get the word out there! Share this podcast with someone who wants to join the wine conversations. Go ahead and take a screenshot, share this to your stories, and tag me on Instagram!

JOIN THE CLUB through this link and handpick wines every month, from up-and-coming wineries, winemaker-owned brands and wineries with unique stories while supporting those wineries directly. You can also join our Facebook Group to connect with other wine lovers, get special tips and tricks, and take your wine knowledge to a whole new level.
Greylock general partner Sarah Guo discusses the ever-evolving cybersecurity risk landscape and how businesses and governments can proactively protect their data. She is joined by Obsidian Security co-founder and CTO Glenn Chisholm, whose company protects SaaS and cloud services, and New York Times cybersecurity reporter Nicole Perlroth, whose book “This is How They Tell Me the World Ends: The Cyberweapons Arms Race” was published in February 2021.
Bob Kruse is the CEO and Cofounder of Low Rider Security, an early-stage cybersecurity startup in stealth mode. Prior to starting Low Rider, Bob was CRO at Obsidian Security and Head of Sales at Demisto. If you’re a founder of a B2B startup and are of the mindset that “if you build it, they’ll come”, you definitely don’t want to miss this episode.
In this episode, guest Ben Johnson, co-founder and CTO of Obsidian Security, discusses how he got into cybersecurity (after seeing the movie "Enemy of the State"), got into US intelligence, got tired of the polygraphs, and ultimately ended up co-founding Carbon Black. It's a fascinating journey!

Today, Ben is focused on continuous security monitoring of SaaS environments, and figuring out how a security team can protect their organization's SaaS accounts that they don't even have access to!

Guest: Ben Johnson, Co-Founder and CTO, Obsidian Security
Hosts: Malcolm Harkins, Chief Security and Trust Officer, Cymatic; Chad Boeckmann, Founder/CEO, TrustMAPP
Sponsor: TrustMAPP (https://trustmapp.com)
The SolarWinds cybersecurity breach, known as Sunburst, made global headlines in December and drew widespread suspicion of being a Russian-based nation-state attack. Kicking off our new SON OF A BREACH! podcast series, we’ll shine a spotlight on state-sponsored cyber-espionage. Join host Randy Watkins, Chief Technology Officer at CRITICALSTART, as he welcomes industry guests Ben Johnson, CTO and co-founder of Obsidian Security, former chief security strategist and co-founder of Carbon Black, and former NSA computer scientist and cyber engineer for the intelligence community; and Quentin Rhoads-Herrera, director of Professional Services and leader of TEAMARES offensive and defensive teams at CRITICALSTART.

Expert commentary and conversations will cover the implications of the SolarWinds breach and what’s next, including:
- The nature of nation-state attacks
- Ramifications for security policy
- Potential response to the Sunburst attack against the U.S.
- Nation-state exploits and how advanced they’ve become
- Additional perspectives on information security
Ben Johnson is CTO and co-founder of Obsidian Security. Prior to founding Obsidian, he co-founded Carbon Black and most recently served as the company’s Chief Security Strategist. As the company’s original CTO, he led efforts to create the powerful capabilities that helped define the next-generation endpoint security space. Prior to Carbon Black, Ben was an […]
In this episode, Chris, Jeremy and Al are joined by Glenn Chisholm, CEO of Obsidian Security, to discuss cloud and SaaS security with the Obsidian CDR platform.
Featured Beers
Juicy IPA - https://threenotchdbrewing.com/
Partly Cloudy - https://solacebrewing.com/beer/
Luke's Original American Blonde - https://www.luckylukebrewing.com/
El Valiente - https://braverybrewing.com
King Cobra - https://www.anheuser-busch.com/
Pacifico - https://www.discoverpacifico.com/
For More Information
https://obsidiansecurity.com/
https://fortify24x7.com/
https://fluencysecurity.com/
https://beersandbytespodcast.com/
Support the show (https://beersandbytespodcast.com)
Ben has an update on Baltimore’s spy plane, Dave wonders about the tension between free speech, disinformation and public health, and later in the show Dave talks with Laura Noren, NYU Visiting Professor of Data Science and VP of Privacy & Trust at Obsidian Security, about who governs the cloud and what data protection regulations are actually enforceable. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.
Links to stories:
- Appeals court rules Baltimore “spy plane” does not violate privacy rights
- Tweet Dave discusses
Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.
It’s the 2nd anniversary of the B2B Revenue Acceleration podcast! Our anniversary episode is dedicated to you — our clients, partners, and friends — who bring so much value to the work we do. We are privileged today to hear from 5 outstanding guests, Didi Dayton, Partner at Wing Venture Capital, Nathan Burke, CMO at Axonius, Bob Kruse, CRO at Obsidian Security, Timm Hoyt, Global VP, Partner Sales & Alliances at Druva, and Patrick Conte, VP of Business Development at Fortanix, about their best strategies for B2B revenue acceleration. What we talked about:
- The best sales, marketing, & channel tactics for the global pandemic
- What is & isn’t essential right now
- Focusing on quality rather than quantity
- Positioning yourself for B2B revenue acceleration in uncertain times
To hear this interview and many more like it, subscribe to The B2B Revenue Acceleration Podcast on Apple Podcasts, on Spotify, or on our website.
Guest: Bob Kruse, CRO at Obsidian Security
With remote workforces accelerating digital transformation, security teams are shifting their mindset from controlling assets to managing access. This is not easy, especially in a cloud-first world where ease of install and free trials reign supreme. In episode #2 of the HIP Podcast, Ben Johnson, CTO and co-founder of Obsidian Security, discusses the new access-related problems that organizations face during COVID-19 and beyond.
This week in Enterprise News, we discuss how Obsidian Security lets security teams monitor Zoom usage, Guardicore Infection Monkey now maps its actions to the MITRE ATT&CK knowledge base, Trustwave Security Colony delivers resources, playbooks and expertise to bolster security posture, Netskope's security controls and protection are now available for Microsoft Teams, why you need both SIEM and SOAR solutions in your cybersecurity ecosystem, and more! In our second segment, we welcome Gerald Beuchelt, Chief Information Security Officer of LogMeIn, to discuss the security challenges of working remotely and enabling a remote workforce! In our final segment, we welcome Wim Remes, CEO & Principal Consultant of Wire Security, to talk about how to build an enterprise security team, including how to find the right people! Show Notes: https://wiki.securityweekly.com/ESWEpisode181 Visit https://www.securityweekly.com/esw for all the latest episodes! Follow us on Twitter: https://www.twitter.com/securityweekly Like us on Facebook: https://www.facebook.com/secweekly
This week in the Enterprise Security News, Obsidian Security lets security teams monitor Zoom usage, Guardicore Infection Monkey now maps its actions to the MITRE ATT&CK knowledge base, Trustwave Security Colony delivers resources, playbooks and expertise to bolster security posture, almost half of security pros are being redeployed during the pandemic, why you need both SIEM and SOAR solutions in your cybersecurity ecosystem, and more! Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://wiki.securityweekly.com/ESWEpisode181
In this podcast Laura Noren, VP of Privacy and Trust at Obsidian Security, discusses the impact of CCPA on privacy and is disappointed that its very name, California Consumer Privacy Act, “assumes that everyone’s most important status in the world is as a consumer.” The challenge of managing consumer requests to see data held or request […]
Chelsea Strong, Director of Strategic Accounts at Obsidian Security, talks to Ashleigh and Kasey about cultivating relationships and successfully selling a highly technical product.
SHOW NOTES
Working With the Engineering Team
- Chelsea has to work very closely with the engineering team because she's selling a highly technical product. This relationship is incredibly valuable, but hard to cultivate, especially as an organization grows and scales.
- To be successful selling in this type of environment, never say anything you're not confident in. Check in with the SEs to clarify what you're planning to say and be sure that it's correct. You don't want to sell something that the product doesn't actually do and let the customer down.
Selling a Highly Technical Product
- It can be incredibly intimidating to work with a deeply technical product if you don't have an engineering background. Chelsea's background with language has been a massive help because part of the tech industry is essentially learning a new language.
- When you're dealing with a technical audience, prospects are often wary of salespeople. Put in the work to know what you're talking about, especially if it isn't your specialty. Far too many salespeople and teams don't put in the hard and, oftentimes, monotonous work to learn the background and context in which they're working.
Getting Into Sales
- She fell into both sales and the technical sales niche she's currently in. Her first introduction was as a cashier selling candy at the Santa Cruz Beach Boardwalk, and she then began officially in outside sales with a job at Monterey Mushrooms.
- After leaving that position she began as an inside salesperson at SurfControl, covering companies that had only 50 employees. It was here that Chelsea really learned to decipher who was serious about the product and who just wanted to talk on the phone.
Being a Mom
- There's not much talk of personal lives in the sales world, but our personal lives have a massive impact on how we work and our career development. Before she became a mom Chelsea was very focused, and becoming one has only increased this.
- She's very selfish with her time and tries not to waste anyone else's, so that she can maximize her time outside of work with her daughter.
- Chelsea highlights planning in advance, ensuring you have a support system, and being transparent about your responsibilities as a parent with your boss to successfully balance your work and personal life.
Connect with Chelsea: LinkedIn
Send in a voice message: https://anchor.fm/othersideofsales/message
Support this podcast: https://anchor.fm/othersideofsales/support
We're living in a time when so many companies have access to so much information about us that it is easier and easier to both predict and shape our behavior. How can we trust that our data is being used fairly and respectfully? This episode looks at the complex issues behind defining and enforcing corporate ethical behavior in the burgeoning field of data science. Host Sormeh Yazdi conducts a remote interview with Dr. Laura Norén, whose work focuses on employee data rights, capable data guardianship, and privacy compliance. Dr. Norén is a data science ethicist, speaker, and researcher currently serving as the Vice President of Privacy and Trust at Obsidian Security. She is a Visiting Scholar at NYU’s Center for Data Science and UC-Berkeley’s Division of Data Science and Information, earned undergraduate degrees at MIT, and holds a PhD from NYU, where she completed a Moore-Sloan Postdoc. Her work on data ethics has been covered in The New York Times, the Toronto Globe and Mail, and American Public Media's Marketplace. On Thursdays, she publishes the Data Science Community Newsletter. If you are interested in more on this topic, check out "Scoping the OECD AI principles" as an example of a broad framework leaving details to the domains.
If you’ve been in tech long, you know about product marketers. But here’s the question: What do product marketers actually do? That’s the question we posed to Suda Srinivasan, VP of Marketing & CX at Obsidian Security. What we talked about:
- The 101 on product marketers in B2B tech companies
- Some specifics on a product marketer’s role
- A product marketer is a quarterback
- Product marketers coordinate with the technical team
- Product marketing is a leveraged function
- Product marketers are not simply content creators
- A product marketer should be a problem-solver
- The most successful product marketers
To hear this interview, and many more like it, you can subscribe to The B2B Revenue Acceleration Podcast on Apple Podcasts, on Spotify, or on our website.
“We are seeing, the EU being an important leader in trying to advocate for consumers' rights, to some degree for employees' rights, although I wouldn't say that that's super strong. I would like to see students going through more data science training so that they have better data literacy and are better able to advocate for themselves out in the world about what can and cannot be done.” In this ISF podcast, Laura Norén, VP of Privacy and Trust at Obsidian Security, sat down with Steve Durbin, Managing Director of the ISF, to discuss data privacy for employees, whether AI is suited for cybersecurity, and more.
On today’s show, host Chris Gorog speaks with Ben Johnson, the CTO and co-founder of Obsidian Security. He is also the co-founder of Carbon Black and got his start in the industry at the NSA. Ben talks about his experiences and achievements/struggles as an entrepreneur and starting his own company. He also talks about what it takes to be in this industry and in certain positions. He assures the many people who might be interested in cyber/software engineering, or already in one of these fields, that there are tons of jobs out there that are achievable. He encourages those who may be struggling to find a position to go out and create their own company or get their own product out into the world. Lastly, the two get into insider threats and what goes into protecting customers and their data. He gives insight into how his company Obsidian goes about handling these situations both effectively and efficiently.
SAVE THE DATE: Our sponsors over at Jacobs Engineering are having a hiring event THIS Thursday, November 21st from 3-7 P.M. at the S4 Inc. Center for Excellence in Colorado Springs! Learn more and apply TODAY by following the link.
Visit our sponsors:
- TWFG - Darla Lindt, CyRm
- Cyber Resilience Institute
- Internet Broadcasting Network
- BlockFrame Inc.
- SecureSet Academy
- Murray Security Services
An Unusual Cybersecurity Creed
In a crowded security marketplace, Ben believes that people are happy to have multiple security tools but want fewer interfaces. He highlights the value of conversations with customers, points to the value of feedback, and shares his unusual corporate creed.
02:22 An unusual cybersecurity creed: Passion, Capacity, Humility.
06:02 The technology […]
Ben Johnson, CTO and co-founder of Obsidian Security, discusses a variety of different topics around the umbrella theme of shifting cybersecurity priorities in the face of an evolving threat landscape. Join us in the fight against cybercrime: https://www.infosecinstitute.com. Special offer for Infosec Cyberspeak listeners: https://www.infosecinstitute.com/podcast.
Today’s guest is Ben Johnson, CTO and co-founder of Obsidian Security. Ben is very knowledgeable and passionate about the process of a startup. He has great insight and gives us a glimpse of what he has learned along the way. You will want to jot down some notes as he goes through the journey of what it takes to start a new cyber company. The startup process is something he truly enjoys. His current startup Obsidian Security is about identity intelligence. You will want to hear about the fascinating objectives of this new company. Visit our sponsors: Cyber Resilience Institute Internet Broadcasting Network Logic Central Online SecureSet Academy
In today’s podcast, we hear about false flag cyberattacks that mimic state actors, especially Chinese state actors. Chinese intelligence services are prospecting US Navy contractors. Russia’s Fancy Bear continues its worldwide phishing campaign. ISIS claims the career criminal responsible for the Strasbourg Christmas market killings as one of its soldiers. And a bogus bomb threat is being circulated by email—call the technique “boomstortion.” Malek Ben Salem from Accenture Labs on smart speaker vulnerabilities. Guest is Laura Noren from Obsidian Security on data science ethics. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/November/CyberWire_2018_12_14.html Support our show
Laura Noren is a data science ethicist and researcher currently working in cybersecurity at Obsidian Security in Newport Beach. She holds undergraduate degrees from MIT and a PhD from NYU, where she recently completed a postdoc in the Center for Data Science. Her work has been covered in The New York Times, Canada's Globe and Mail, American Public Media's Marketplace program, and numerous academic journals and international conferences. Dr. Norén is a champion of open source software and those who write it. Enjoy the show!
Show Notes:
[3:55] Laura explains how she produces the Data Science Community Newsletter, covering things like how the Department of Defense just got billions in funding to do AI research. How do you incorporate humor into such rigorous coverage?
[10:22] How can you distinguish signal from noise in choosing a news source?
[12:13] When and how to control your biases in your work when in the heat of the moment.
[14:05] Laura’s interest in data science began as an undergraduate at MIT, surrounded by people who build.
[16:10] Sociology in the context of people who build, since people are the *actual* most complicated systems.
[18:00] What important things define a profession?
[19:30] What’s the difference between ethics and morals?
[22:04] How ethics affects the field of data science, specifically.
[25:35] The data science ethicist as a person who is a creator, and not just there to put up stop signs.
[31:40] How can companies strike a balance between hard stops in a product and more negotiated, unique messaging for customers to address ethical employees?
[38:53] How can smaller companies who can’t afford a Chief Ethics Officer monitor and address ethical issues?
[48:30] Techniques that can be used by individuals and organizations to identify and address ethical issues in a company.
[50:00] How data scientists can navigate non-black-and-white ethical issues in their own work.
[55:15] Laura’s recommendations for ethics 101: Data and Society, AI Now Institute, and Open AI.
[1:00:00] Laura ends with a call-to-action to start conversations on ethics with your colleagues.
If you enjoyed this episode of Data Journeys, the best way to support the show is by leaving a review on iTunes and sharing on your social media using the hashtag #datajourneys. Laura’s Twitter: https://twitter.com/digitalflaneuse?lang=en
Ben is CTO and cofounder of Obsidian Security. He previously cofounded Carbon Black and most recently served as the company's chief security strategist. He has also been a lecturer at the University of Chicago’s Masters Program in Computer Science and a cybersecurity specialist at the National Security Agency (NSA), as well as serving on the boards of a variety of security companies.
Key Minutes
1:30 The first time Ben heard of Cyber Security
4:00 What does cyber security mean to you?
6:40 Starting Carbon Black
9:15 Carbon Black reaching a global audience
10:58 Staying in front of your competitors
13:00 Why did you leave Carbon Black?
14:47 Starting Obsidian Security
19:45 What’s unique about Obsidian?
24:17 Being a CTO
27:40 Learning from previous lessons
31:42 Hiring strategy
35:27 Retaining high level talent
38:48 Standing out from the crowd
42:27 Democratising cyber security
54:30 Biggest tips for founders or entrepreneurs
56:30 Ten Quick Fire Questions
Key Points
- Take the approach of people first
- If you have 100 employees, those 100 people increase the risk because they are human
- When hiring we emphasize culture fit. You have to focus on character.
- If we don't retain our staff, it's because we haven't created the right environment
You can find:
Conor on LinkedIn at: www.linkedin.com/in/conordsherman
Obsidian on Twitter at: @obsidiansec
Ben on Twitter at: @chicagoben
Follow us:
Twitter: @zero_hourpod
Instagram: @zerohourexperience
Website: www.karlsharman.com
This podcast is sponsored by:
BeecherMadden - www.beechermadden.com
Cyber Security Professionals - www.cybersecurity-professionals.com
Ben Johnson is founder and CTO of Obsidian Security and formerly of Carbon Black and the National Security Agency. We met in San Francisco while Ben was in town for RSA 2018 and discussed his work, how the movie Enemy of the State inspired him to join the NSA, GDPR and other cybersecurity-related topics.
Today we are talking to Ben Johnson, the CTO of Obsidian Security. We discuss the Equifax and Target data breaches, the art of picking a cofounder, and how Ben sells the company vision as the CTO. All of this right here, right now on the Modern CTO Podcast.
Glenn Chisholm and Ben Johnson are CEO and CTO of Obsidian Security, an enterprise hybrid-cloud security startup. As former founding team members of Cylance and Carbon Black, Glenn and Ben have led multi-billion-dollar organizations and delivered presentations all over the world. Hear their incredible journeys on this episode! Full Show Notes: https://wiki.securityweekly.com/SSWEpisode49 Visit http://securityweekly.com/category/ssw/ for all the latest episodes!
Glenn Chisholm and Ben Johnson of Obsidian Security join us. In the news, how to keep your head without losing your heart, what aspiring founders need to know, supercharging sales, and how NOT to start a startup. Michael and Paul deliver updates from Callsign, Juvo, Awake Security, and more on this episode of Startup Security Weekly! Full Show Notes: https://wiki.securityweekly.com/SSWEpisode49 Visit https://www.securityweekly.com for all the latest episodes!