We’ve conditioned ourselves to look at our technology in a similar way we look at a box of tools: as instruments that passively do what we make them do. When we think of the future of artificial intelligence, it’s tempting to leap to fully autonomous solutions: when exactly will that Tesla finally drive by itself? In our interview with Jamie Winterton, we explore a future where AI is neither a passive tool nor a self-contained machine but rather an active partner.
Human/machine teaming, an approach where AI works alongside a person as an integrated pair, has been advocated by the U.S. Department of Defense for several years now and is the focus of Jamie’s recent work at Arizona State University, where she is Director of Strategy for ASU’s Global Security Initiative and chairs the DARPA Working Group. From testing A.I.-assisted search and rescue scenarios in Minecraft to real wartime settings, Jamie takes us through the opportunity and the issues that arise when we make technology our sidekick instead of solely our instrument.
The central challenges of human/machine teaming? They’re awfully familiar. The same thorny matters of trust and communication that plague human interactions are still front and center. If we can’t understand how A.I. arrived at a recommendation, will we trust its advice? If it makes a mistake, are we willing to forgive it? And how about all those non-verbal cues that are so central to human communication and vary from person to person? Jamie recounts stories of sophisticated “nerd stuff” being disregarded by people in favor of simplistic solutions they could more easily understand (e.g., Google Earth).
The future of human/machine teaming may be less about us slowly learning to trust and giving over more control to our robot partners and more about A.I. learning the soft skills that so frequently make our other interpersonal relationships work harmoniously. But what if the bad guys send their fully autonomous weapons against us in the future? Will we be too slow to survive with an integrated approach? Jamie explains the prevailing thinking on the topic of speed and autonomy vs. an arguably slower but more optimal teaming approach and what it might mean for the battlefields of the future.
Note: Our conversation on human/machine teaming follows an introductory chat about data breaches, responsible disclosure and how future breaches that involve biometric data theft may require surgeries as part of the remediation. If you want to jump straight to the human/machine teaming conversation, it picks up around the 18 minute mark.
Communications professionals are often quiet coaches. They work their magic behind the scenes. They hold their opinions tightly and express them infrequently. In short, their influence is everywhere but their fingerprints are often invisible.
Melanie Ensign is having none of that. And we’re all the better for it.
In this 64 minute interview, you’ll have the pleasure of meeting one of the most influential and outspoken communications executives in the world of cybersecurity and privacy. We begin with her role as press department lead for DEFCON, a role she’s held for 8 years and explains is the exact inverse of what you think it is.
In our next topic, Melanie breaks out the verbal chainsaw and applies it with vigor to the voice-based social network Clubhouse. From privacy mistakes to seeming indifference to community feedback on the topic, she explains in detail why she recommends her clients (and anyone else) avoid Clubhouse until they clean up their act.
The remainder of the conversation is a mini-master class on how to succeed in communications for everyone from startups to new CISOs. Melanie dissects press releases and what to do instead of hitting Business Wire every Tuesday if you’re a young company. Young or old company, she shares why using fear, uncertainty and doubt (FUD) to persuade people ultimately fails and how we can move past it as an industry.
Much of Melanie’s work at her company Discernible is working with CISOs and their teams on their internal communications. Influenced by her time working at Uber and Facebook, Melanie offers a game plan for moving from reactive to proactive communications. Her advice is not for the weak-willed: she refuses to clean up anyone’s mess and doesn’t think you should either.
This has quickly become one of our favorite episodes and there’s truly something for everyone in the dialogue, except for those who dislike a little profanity to season their conversations. Note the explicit tag and enjoy the ride.
We’ve met and passed the 1 year anniversary of the COVID-19 pandemic and cases of burnout are off the charts. We’re tired of Zoom. We’re tired of masks. Far too many kids are stuck at home instead of at school. The list could go on but the result is obvious: we’re burned out. The effect can be all the more profound for beleaguered security professionals who often struggle with burn-out even at the best of times.
Jack and Dave return in this mini-episode for a quick conversation about how to identify and respond when you’re feeling like you’re burnt. While often it’s Dave and a guest doing most of the talking, in this episode Jack is driving. He shares from his deep experience on the topic, starting with an explanation of Maslach’s burnout inventory, which provides a structured, clear guide for determining just how crispy you are. The inventory is tailored for different professions, and while there is not one specific to cybersecurity, Jack and Dave explore specific aspects of our industry that up the stakes for burnout.
Importantly, Jack explains why getting help from a pro versus leaning on friends and family can be essential. We wrap up with some time-honored approaches to restoring yourself so that you’re ready to jump back in the action once again.
Note: For this short episode we tested a new production service and you’ll also note we updated the website and our branding as well. And transcripts! We now have 100% more transcripts than before. We’ll be unleashing all this magic soon on a new full-length podcast we recorded this past week with the one and only Melanie Ensign.
This episode of Security Voices is different.
Let’s say you sat down at the end of a long day and had a casual drink with a few industry friends before dinner. The conversation quickly turns to serious topics which are all discussed with thoughtful insight, biting humor and some well-placed profanity. Welcome to the latest episode of Security Voices where Jack & Dave wander off the beaten path with Abhishek Agrawal and Ryan Noon, co-founders of email protection company Material Security. This one isn’t for the easily offended or as the soundtrack to a drive with the kiddos.
“How not to suck as a vendor” is our introductory question, prompting an earnest conversation that starts with “don’t be an active cancer”, covers The Market for Silver Bullets and ultimately explains why the pandemic has made already questionable cyber security marketing even worse.
After exploring some of our top influences, from The Autobiography of Malcolm X and The Origin of Consciousness to Joe Frank’s avant-garde radio show, The Other Side, we talk email security. In a year that changed so many things, Abhishek and Ryan explain how truly little changed for phishing attacks. While the trend is not compelling, the reason why is. They walk us through what truly makes phishing attacks successful: distracted people reacting to well-timed messages. This hard truth confounds the market for anti-phishing training, as ultimately our susceptibility has much more to do with our emotional state at the time than it does with our factual knowledge or even our learned behavior.
If you’ve wondered what the difference between phishing and business email compromise (BEC) is, this episode is for you. Abhishek provides a clear explanation of both topics before we forecast an ominous new threat on the horizon: Really Scary Phishing™.
Our wrap-up eschews the usual speed round and instead asks “What can cybersecurity learn from other industries?” Jack lays out how the service industry has much to teach us about taking care of our own, while Dave explains what he learned about empathy and innovation from the advertising industry. We depart on a hopeful note, as Ryan relays a story reminding us how small acts of kindness can have a large impact on others.
We’ll be taking a short break before the next episode as Jack and Dave attend to some important “life stuff”. See you in the Spring!
In our 1st episode of ‘21, we cap off our cloud security series with a recap of the major milestones, key trends and surprises across 2020 through the eyes of cloud expert and podcaster, Justin Brodley. If you think you might have missed a few things that happened in the public cloud last year while waiting for news on COVID-19 vaccines, hitting refresh on election results or wondering when the four horsemen were finally going to show up, this episode is your chance to catch up and look ahead through the lens of both a practitioner and a pundit.
Recorded during AWS Re:invent, we examine the cloud service provider conferences across the year to find a clear absence of security topics making their way to center stage. While there were some notable developments, such as services providing easier cloud traffic analysis, much of the attention was elsewhere. Multi-cloud, in particular, leapt to the forefront for even Amazon, which had been reluctantly dragging its feet.
Our comparison of the different cloud service provider (CSP) conferences gives way to Justin’s take on key differences in their security strategies. From Google’s cloud native approach to Microsoft’s gambit to compete with stand-alone security offerings seemingly inspired by their experience on-premises, we break down the CSPs’ strengths and weaknesses in cybersecurity.
We chart the big moments of 2020 in the cloud, starting with outages that began with pandemic-strained capacity at Azure to the longest AWS outage witnessed in years around Thanksgiving. While security news didn’t penetrate the headlines in many instances, Justin mentions some noticeable developments and what we hoped to see, but didn’t.
Justin shares his top advice for anyone moving to the cloud to shore up their defenses. Given the vast amount of phishing, social engineering and misconfiguration issues in the cloud, it turns out that this has a lot more to do with improving our humans than it does our technology. Nonetheless, the threat landscape meaningfully advanced with more complex, serious attacks in 2020 which moved well beyond “S3 bucket negligence” that's perhaps best exemplified by the sophisticated Capital One breach.
In the waning moments of our 6 episode cloud series, we look to the trends that will define 2021 and end with a hopeful signal that us security types just might be starting to get the hang of this cloud thing.
Investors make their money seeing things others don’t, making big bets based on both digging into painstaking detail and their ability to forecast what will happen many years into the future. In this 5th and (almost!) final episode of our series on public cloud security, we get deep into the mind of Bucky Moore from Kleiner Perkins to learn how the flow of funding is both responding to and shaping our industry’s transformation from protecting our own data centers to renting them from others.
Bucky begins by laying down our mile marker in the global cloud journey, answering the eternal question of “Are we there yet?” with a clear answer of “Not even close.” We follow these remarks to a walk through the different corners of the cyber security industry to see how they’re keeping pace. While many fail to impress, one of the legacy behemoths stands out from the pack as having impressively galvanized their business to meet the cloud challenge.
Setting companies aside, Bucky, Jack & Dave identify which technologies are the likely casualties of a long-term cloud transition, followed by a look at the obvious new areas to invest. Bucky describes a few more obscure tech opportunities he and Kleiner Perkins are watching that may produce a surprise hit in the future.
We explore the eye-popping amount of money raised by managed security services companies in 2020 such as Arctic Wolf, deepwatch & Pondurance and how they differ from the not-so-glamorous past of the MSSP market. Our discussion explains the hidden forces driving the new managed services opportunity and how we think it will play out over the years ahead.
If you’re looking to understand the insanely high valuations of companies like Snowflake and CrowdStrike (or wondering what a SPAC is), Bucky weighs in on these topics, and we also dive into the surprise investing frenzy of 2020. Spoiler alert: it has a lot to do with both money and investors having no better places to go.
As longstanding cybersecurity companies lumber their way into the public cloud and "born in the cloud" startups fight for attention, cloud observability titan Datadog entered the security market in 2020 with two new products. This is far from the first time a company has used an adjacent market to make the cybersecurity leap. Oftentimes it fails, but Splunk immediately comes to mind as a crossover success. Jack and Dave interview Datadog’s Marc Tremsal in this episode to provide a view into what cybersecurity looks like from the lens of a company steeped in the world of cloud infrastructure.
Datadog did not break down the doors of the industry, but rather was invited to enter by their customers whose needs were not being met by cybersecurity companies. Marc explains the mistakes that incumbents have made that have left a considerable opening for others— they have very little to do with technology and a lot to do with marketing and sales. From selling to CISOs rather than the people doing the work to overheated marketing claims, cybersecurity companies have alienated would-be cloud customers who openly wonder why they can’t buy protection the same way they purchase the rest of their infrastructure.
Marc talks through the challenges of staffing a cloud security product team— how much do you value deep domain expertise? Do you shrug it off and simply hire the best developers? We explain how the hottest talent on the market will be cybersecurity veterans who take the time to retool for the public cloud as they will hit the “goldilocks” spot for a growing throng of potential employers.
We wrap up a surprisingly optimistic conversation with a glance ahead to 2021 where Marc reckons consolidation of providers will be a key trend alongside a hard look at just how immutable some of our infrastructure truly is.
Our conversation with Rich Mogull was intended to provide an analyst viewpoint on public cloud security. While Rich certainly delivered on this promise, the episode turned into something more important: therapy.
If you find yourself wondering if you’re burnt out from cyber security and life in general, this is for you. Our conversation with Rich starts with the work he does in disaster response, focusing on his recent time responding to the COVID-19 pandemic as a paramedic. He explains how key concepts of anti-fragility from responder culture such as “trench foot” and “changing your socks” also apply to the rough and tumble world of cyber security— especially in assessing yourself for burnout.
If you find yourself drowning in work and straining to catch up to the rest of the organization's push to the public cloud, this is for you. We discuss how this happens quite naturally in most places, resulting in a dysfunctional norm of security teams inadvertently being left behind but still responsible for protecting the public cloud. Rich lays out a recipe for getting back on track, starting with making sure it simply isn’t time to throw in the towel and find a better gig.
If multi-cloud seems impossible to defend with the skills and resources you have, you’re probably right. Rich takes us through the mind-boggling complexity of what it takes to stay on top of a single public cloud environment, let alone several. He doesn’t mince words in his unflattering assessment of the challenges with all 3 major cloud service providers: Amazon, Google & Microsoft.
We wrap up with a hopeful look at what lies ahead for protecting the public cloud. Rich and Dave share examples of how longstanding problems such as re-architecting are now solvable and operational challenges can truly be simplified when mantras like “shift left” move from buzzword bingo to new reality.
In our 1st episode of the cloud sec series, Teri provided an expert’s broad view of what’s happening with security in the public cloud. In this episode, Yelp’s Zach Musgrave does the opposite: we go into the trenches to understand what it takes to protect a fully cloud native business on a daily basis.
While Yelp was born in ‘04, 2 years before Amazon launched its first AWS service, it started its cloud native journey in 2013. Their early transition makes the company one of the longest-tenured organizations to have defended a cloud native business at scale. Zach shares the fundamentals of how they work, from security team org structure and success measurement to key relationships across the company. We dig into the 2 different but critical aspects of security: 1) protecting the infrastructure (people & systems) and 2) policing the Yelp ecosystem itself (defending business operations).
Zach explains how DevSecOps at Yelp was adopted not out of buzzword compliance but plain necessity: the need to safeguard 500+ microservices in production simply breaks a traditional security model. We explore some of the misconceptions with DevSecOps and the amount of care and feeding it takes to make it successful. We also cover Yelp’s tooling which centers on generous amounts of open source and their own projects including their current work on the Enhanced Berkeley Packet Filter (eBPF).
We wrap up with some strong feelings about multi-cloud and readiness for the zombie apocalypse (they’re related, trust us) alongside forecasting the future for security tech as the cloud native tsunami rolls on. Spoiler: there’s no reprieve for old school network security.
Initially led by software as a service (SaaS), the transition to the public cloud is one of the most important changes we’ve witnessed in information technology to date. From the early days of SaaS to the current stage where adoption of infrastructure, platform and function as a service (IaaS, PaaS, FaaS) are catching on like wildfire, there’s an increasing awareness that at the end state of this shift, few aspects of how we do our jobs will be unchanged. This Security Voices episode is the first of five where we dig into the details of how the public cloud is transforming cybersecurity.
Teri Radichel joins us to explain key concepts in public cloud technology, the differences from on-premises, migration options and more. If you’ve ever wondered what is meant by “lift and shift” or “cloud native”, this is for you. Teri’s background as a trainer, author and researcher shines through as she describes broad concepts in easily understood terms while not sparing the details for those who are already cloud savvy.
Beyond the core concepts, Teri compares and contrasts the security models across Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP). As she walks us through the differences between the three platforms, you get a sense of the complexity faced by those straddling an on-premises environment as well as the public cloud – not to mention several clouds at once. From networking to identity and access management models, no cloud service provider is quite like another. Moreover, the fierce competition between Google, Microsoft and Amazon is driving such rapid changes in their platforms that any grip you have on exactly how things are is a slippery one at best.
In spite of the challenges, Teri explains her belief that one can achieve better security in the cloud than on-premises. Doing so requires thinking differently, however, such as Teri’s advice to handle data as we would handle money. We hope this episode lays the groundwork for you for understanding the current state of public cloud security as in the next show we dive into the trenches with a cloud security practitioner at Yelp.
If you’ve been laid off, furloughed or are just plain tired of everything, this episode is for you. Kathleen Smith, the longstanding cyber career expert at B-Sides (and beyond) joins us for a dialogue on what’s happening in the security job landscape.
Lost your job? Kathleen explains a tried and true process for recovery, reflection and finding your next gig. Not to mention a few surprising options for those who aren’t afraid of a little adventure, such as the military reserves or a job in one of the often overlooked national laboratories.
In a rare moment of good news this year, Kathleen explains how COVID-19 has driven an increase in cyber security jobs both in the government and commercial sectors in response to a recent increase in threat activity. If you’re willing to put in the extra effort (and put down your cannabis), she also describes what it takes to score a government clearance and gain access to an entirely new pool of opportunities.
Once a coveted perk, remote work has blown the job market wide open for all. Roles once restricted to those within a certain location are now broadly accessible. However, working far away from your colleagues in your house has serious implications for your social relationships, energy and health that many are only beginning to understand. Kathleen breaks down how to recreate boundaries between one’s personal and professional life, a skill she learned the hard way during her time in non-profits such as the American Red Cross and World Wildlife Fund.
Before wrapping up, Kathleen talks directly to leaders and how she has adapted her style in 2020 to meet the extraordinary challenge while avoiding burnout. We hope our hour plus conversation with Kathleen is a welcome break from whatever you’re facing right now, providing you with help in your current job or a fresh perspective on what to do next.
Discussing cryptography is usually a surefire way to end a dinner conversation. It combines two things that intimidate (and bore) many people: hard tech and complex math. In spite of this, cryptography is on center stage today as it is the very foundation of defending our privacy and perhaps unlocking how we can safely share health information in the midst of the pandemic. There are few people who both understand and can explain cryptography in plain English better than Dr. Zulfikar Ramzan, CTO of RSA.
Our hour long conversation with Zully tackles how concepts such as zero knowledge proofs and multiparty computation might be applied during the current COVID-19 pandemic. Historically, sharing healthcare information has been an “all or nothing” affair with difficult privacy trade-offs being made in the name of ensuring we receive the right care at the right time. Zully takes us through how longstanding encryption concepts, now made practical by advances in computing, may allow us to selectively share vital health information such as vaccination records or test results without sacrificing our personal privacy.
Zully also explains how cryptographers are preparing for a world where quantum computers can make short work of our current encryption practices. He draws perspective from the mid-90s when the Advanced Encryption Standard (AES) was being developed and explains the road ahead for promising lattice-based methods that could form the basis of a new, post-quantum AES replacement.
Beyond cryptography, we discuss Zully’s role as CTO at one of the most iconic brands in security. He takes us through “a day in the life” and explains his responsibilities beyond being the company’s spokesperson. Perhaps more importantly, Zully explains how he balances all of this with his family where making crispy cauliflower takes priority over factoring prime numbers.
The average tenure of a CISO is 26 months due to high stress and burnout, according to a recent survey. In stark contrast, Andy Ellis has now been CSO at industry titan Akamai for over 20 years. Jack & Dave explore Andy’s longevity formula in a 70 minute interview that spans everything from his advice to young security leaders to the death of live events and why it’s perfectly fine if your favorite wine is a $16 malbec.
While most of our episodes gradually ease into a more focused conversation, our discussion with Andy jumps straight into the subject of applied human cognition— a common theme of his presentations and writing. He explains how his understanding of human thought patterns and biases directly influences his approach to conducting risk assessments and dealing with especially thorny conflicts. Far from theoretical, Andy breaks down exactly how he and his team enable Akamai to self-assess and internalize risk in a fashion that expedites projects where the security team might otherwise be a bottleneck.
From his vantage point at Akamai surveying a sizable amount of the Internet’s traffic, Andy shares their insights from both observing and responding to the pandemic, starting with their move to a ZeroTrust model. Some aspects of COVID-19, such as customers struggling to pay bills and how to best help them, are similar to past crises. Others are utterly unique. Jack and Andy explain the crisis’s likely permanent impact on live events (e.g., industry conferences) and what they may evolve into in the future.
We also discuss the fine line Andy, Jack and Dave walk in the cybersecurity community of being both a vendor and a practitioner. How does one remain objective when you also represent a company that has to sell products or services to exist? How can one neutralize the perceived bias or even the stronger allergic reaction that some have against vendors? While there’s no surefire solution to such a complex matter, each of us shares our tips and learnings as we (and the industry as a whole) aim to strike the right balance.
We wrap up with Andy taking us through how to pick a good bottle of wine. In the same manner as he tackles complicated cybersecurity issues, Andy breaks it down into simple steps that are illustrated with his own colorful experience.
The misinformation spread during the COVID-19 pandemic has made what happened with the 2016 U.S. elections look like the “good old days.” Epidemiologists are on center stage trying to explain complex topics to billions of people concerned for their lives-- and sometimes politicians are aiming to do the same. The multiplier effect is how hopelessly entangled challenging technical issues like end-to-end encryption and contact tracing via Bluetooth on mobile phones are now also being publicly debated.
The most natural reaction? Confusion. Kenn White is here to help.
During our 60 minute conversation with Kenn, Jack and Dave go past the headlines trumpeting Zoom’s security issues in an attempt to lay bare the real issues with their recent missteps. Their initially misleading claims around end-to-end (E2E) encryption are our primary focus, but before diving deep into Zoom, Kenn explains exactly how hard it is to make it work by describing his 2 year journey to deliver E2E encryption at MongoDB. We pull apart the remaining concerns and Zoom’s impressive response to provide our take on just how worried you should be, from Johnson Elementary School to the defense industrial base.
Kenn has a unique perspective on the idea of using contact tracing via Bluetooth to identify whom infected people have been in proximity to in order to slow the spread of a disease. Having spent 10+ years supporting clinical trials, he explains why using our mobile phones for contact tracing during the COVID-19 pandemic is unlikely to be successful in the near future.
We hope this conversation with Kenn brings you clarity and calm at a time when both are in short supply.
Note: We spend the first ~15 minutes talking about coping strategies during the pandemic. If you’d like to jump straight to the content focused on E2E encryption it begins right around the 15 minute mark.
In the midst of the COVID-19 pandemic, it’s easy for thoughts to stray to the apocalypse. Nowhere is this tendency more common than when we talk about robots. Decades of books, movies and television have explored the topic of “when robots attack” and the calamity that follows. Today, domestic robots struggle to make it up the stairs and Siri can’t reliably order take-out… or even take notes. It all feels very far-fetched. And it is.
However, if we move past the science fiction and look more closely at developments between humans and robots, we can begin to see some startling things. This is the domain of Straithe, a pioneering researcher who studies how interactions between humans and robots can be abused and manipulated. We know very well how email, phone calls and websites can be used as part of elaborate social engineering schemes, but what happens when the attacker’s tool looks like a person and can physically interact with us?
While domestic robots like the Jetsons’ Rosie are not wheeling around our houses today, we are being implicitly trained to interact with digital assistants such as Amazon’s Alexa, Apple’s Siri and many others. While the privacy implications of having such assistants always listening are much discussed, we’re only beginning to understand how matters change when they take physical form such as Knightscope’s K5 or Softbank’s Pepper the Robot.
Straithe explains how these robots not only create serious privacy concerns through passive collection and instant transmission of everything from license plates to MAC addresses, but also how people are likely to react for them if they are used for ill intent. She explains early research that indicates robots are effective at getting people to do things on their behalf. When you combine these factors with a spotty record of robot security vulnerabilities, the potential for genuine harm through robots goes from far-fetched to near future.
Our ~60 minute conversation with Straithe is hopefully a break from whatever you’re dealing with during the current crisis. We hope you find this glimpse into a fascinating corner of cyber security research both a diversion and useful framing for what lies ahead.
In this episode we step far beyond the hype cycle and dive into the details of scaling a data science team in the security industry with Dr. Sven Krasser. Sven joined CrowdStrike in the early days, and the initial part of his conversation with Dave is an incredibly timely discussion of how to structure and work with remote teams effectively. The interview was recorded a week before the 2020 RSA Conference in San Francisco, when the early impact of COVID-19 in the U.S. was just starting to be felt.
There are 2 dominant themes in our conversation. First, Sven covers the hard realities of machine learning (ML) and warns against both over dependence and hyperbole. There are many areas where a more simplistic approach is going to get the job done faster and cheaper without the need to maintain a costly model. Sven shares his approach to choosing the right tool for the job and a handy tip for determining where ML marketing has gone astray.
The second theme is the attack surface of ML itself. Seemingly long gone are the days when companies boasted that ML was the coup de grâce for the defenders in the endless game of cybersecurity 'cat and mouse'. Today, we know that there are tactics aplenty for both weakening and defeating ML-based defenses that are available to everyone and easier than ever. Our longstanding cat and mouse game isn't over; it's simply more complex than before. Sven explains what that feels like to a data science leader for a top cybersecurity company who observes advanced attacks on a routine basis, and also why attacks on ML in cybersecurity may be the least of our worries in a future of self-driving cars.
Our nearly 70 minute conversation with Sven serves as both a "102" exploration of applied ML in cybersecurity and a chat between friends. We cover the less obvious advantages of being based in Los Angeles, the criticality of data quality to effective ML and exactly which marketing myths rankle data scientists the most.
The second half of our Day Jobs series is the very first Security Voices episode we recorded: Dave interviewing Jack on the origins, shenanigans and future of BSides. Jack charts the history of the conference from its inception at a rental house in Las Vegas with a couple hundred people to today where Security BSides is a global movement that has eclipsed 500 events (and growing).
One of the most unique aspects of Security BSides is that anyone can create their own event. It is a nonprofit organization that has as its heart a single, potent principle: be good to and for your community. The flexibility of BSides to be molded to the needs of the local community wherever it goes, from Memphis to Riyadh, is a core ingredient of its success. Jack explains how they carefully walk the line of letting each organizer shape their own BSides conference while stepping in only as necessary to lend a helping hand or occasionally correct course when things have come off the rails.
The “just enough” guidance approach extends all the way to allowing new events to change names completely and blossom into different conferences. Security BSides in Phoenix became CactusCon, an event in the Bay Area became Bay Threat and MiSec traces its roots back to a BSides in Michigan. All of these offshoots are not only encouraged but celebrated by Jack and the BSides crew who see this as yet another way of fitting the event to the personality of the local community.
Security BSides often serves as the starting point of open dialogue on critical industry topics such as gender diversity and mental health that the larger conferences only address years later. Jack takes us through the first “Feathers will Fly” session in Las Vegas which served as a meaningful catalyst for future conversations on gender inequality and (the lack of) diversity in cyber security.
We wrap up with Jack musing on the future of BSides and what it could become long past the year 2020.
Our February Security Voices episodes are a 2 part series where Jack and I focus on our “day jobs”, starting with the current episode on Open Raven. Part 2 will be our very first recorded, but unreleased, episode where Dave interviews Jack on the origins and escapades of B-Sides. Look for it later this month.
This is as close as we intend to come to promoting anything explicitly on Security Voices, and if you’re completely allergic to even the scent of such things, join us back in March where we’ll pick back up with an interview of the Chief Scientist at a prominent security company. In the meantime, we thought you might appreciate a little background on what Jack and Dave do outside of Security Voices, as it understandably colors our perspective, from the questions we ask to the stories we tell.
Open Raven was officially founded in April of 2019 by Dave and Mark Curphey, who some will recall was the focus of episode 5 of Security Voices. Rather than solely focus on the founders, something we feel happens entirely too much, we felt you might like to hear from the people building the product itself. Consequently, Dave emcees the episode as we interview the Open Raven team members on topics from the graph back-end to how the company is branded and thinks about UX. The content is at times a little technical but should still be approachable by most, and it should give you a sense of the design decisions one makes in an early stage company.
Throughout the episode you will hear the authentic voice of the team as they share the principles driving what Open Raven is building along with the pain and successes along the journey. The episode sequencing is as follows:
Could you create a fake cyber security company and rack up industry awards overnight? How about fabricating a founder and scoring them impressive job offers? Haroon Meer did both of these recently for a presentation titled “The Products We Deserve” as an exploration and commentary on the state of the industry. Jack, Dave & Haroon take on snake oil in security during an hour long conversation to determine exactly how someone could create a great company amidst the pressures that threaten to pull one in the wrong direction.
The catalyst for Haroon’s presentation and our discussion is his personal experience at Thinkst where he has focused on building a “bottoms-up”, product first company that has grown steadily since its inception without venture capital. His thoughts, from how to deal with industry analysts to “ball pit marketing” at conferences, come from Thinkst’s direct experience aiming to not only grow the company, but grow it in a way that is true to their own values.
How Haroon and Thinkst navigate challenges such as having a strong presence for the company at the RSA Conference (sans shenanigans) is an exercise in creative problem solving versus rejecting the experience entirely or simply following the crowd. While it would be easy for an episode such as this to be bleak or even angry, Haroon’s thoughtful approach and optimism give us a portrait of how we might emerge from our awkward adolescence as an industry into a better future.
Our 1st episode of 2020 is a story in three parts, beginning with the hard-fought wisdom of a veteran security practitioner, then diving deep into machine learning (ML) before wrapping up with how both security and AI apply to connected vehicles.
The first part of our 74 minute conversation with Josh Lemos is the backstory of how he started his career in cybersecurity as a consultant... and left services to join ServiceNow as a practitioner. His time at ServiceNow lays out a solid formula for fixing application security inside a growth company that can little afford to slow down-- or suffer the pain of the inevitable breach if the situation doesn’t improve.
Jack & Dave’s conversation with Josh on ML lays down many of the basics and is intended to be a rough primer for future episodes where we will further explore the topic. We discuss how ML projects often take much more preparation than originally planned and topics that range from class imbalances, the differences between supervised/unsupervised ML, a starter’s toolkit and what to expect along with some rookie mistakes to avoid.
As part of Cylance/Blackberry, Josh has recently been involved with connected vehicle projects, where standard security techniques for detecting executable malware on laptops and servers can start to look like child’s play in comparison to the effort required to properly diagnose events across the diverse hardware and software found in a modern car. Before wrapping with our speed round, we look ahead at areas where ML may be able to make leaps forward in both vehicles and across cyber security.
While visions of sugar plums might be dancing in children’s heads as we close out 2019, the 2020 elections are occupying the head space of many adults in the U.S. In 2016, the importance of election security was made crystal clear. What’s happened since then? Are we ready for 2020? How do experts believe our defenses will hold up when tested by foreign and even domestic attacks?
We spent an hour exploring election security (and more) with Camille Stewart, a cyber security attorney with experience working inside tech companies as well as considerable time spent on Capitol Hill, both in the Department of Homeland Security and as a consultant. Camille breaks down the major aspects of election security and we discuss why it’s seemingly so fractured across municipalities-- and why that may not be such a bad thing after all. Jack, Dave and Camille debate how election defenses might be improved, from the role of open source and private services to “defending forward” by taking out troll farms. While Camille declined to grade our readiness for the attacks in 2020 (which have already begun), she does make predictions about what will happen during the ‘20 elections, including the likelihood of domestic influence campaigns.
Our ~75 minute conversation with Camille showcases the breadth of her experience in both the Silicon Valley and Washington D.C. She explains lessons learned from her time protecting brands at Cyveillance, breaking down the optimal way to get a social media company’s attention when you’d like to have something changed or removed. Camille also explains how State security might be modeled after progressive smaller countries who excel in cyber, leaning on her time working in foreign relations during the Obama Administration. We wrap up with her recent investigation and resulting paper on how foreign nations, especially China, have been leveraging U.S. bankruptcy proceedings to acquire large amounts of American intellectual property on the cheap.
It all changed one day while Nand was sitting in traffic on the 101 freeway. Why am I doing this? Nand had experienced no less than 4 successful exits of cyber security companies where he was founder or CEO. He was one of the most accomplished cyber security entrepreneurs in the Silicon Valley and his origins trace back to writing compilers for Sun Microsystems. At that moment, Nand decided to leave corporate life and set course to start a new phase of his career in the government.
His first step was to uproot his family and move them into graduate housing at Stanford where he would finally do that MBA degree he had considered long ago. Throughout Nand’s hour long interview with Jack and Dave, Nand explains how his family embraces the abrupt change from predictable Valley life and comforts to community living inside a small apartment on campus. While Nand is determining how to best complete projects with 19 year-olds, his wife Sarbani and children flourish, starting a non-profit as a result of their experience.
Nand’s next step towards Washington D.C. is a one year stint across the country at the Harvard University John F. Kennedy School of Government, where he aimed to learn “the art of politics”. His time spent amongst princes and fledgling politicians taught Nand important lessons in complexity, the power of a good Queen ballad during karaoke and the occasional necessity of a Scorpion Bowl to wash it all down.
After considering a run for Congress, Nand completes his plan to restart his career in government when by a series of unusual events (and a bit of start-up hustle) he becomes the CTO of the Department of Defense’s efforts in Artificial Intelligence. From his new vantage point, he shares what tech companies look like from the Washington D.C. perspective and answers heady questions such as “Who’s more trustworthy? A politician or a venture capitalist?” and we find out whether it’s easier to be in a government or a Valley boardroom.
There are stories, and then there are “epics”: tales of a journey so full of unexpected twists and excitement that you’re left wondering how all that could happen to a single person. Niloo Razi Howe’s life is such an epic. Whereas most epics feature men with swords, this one focuses on a woman with heels and a hockey stick.
While Niloo’s story as an Iranian exile is well-documented, our primary focus is on her career which began as an author and quickly moved to becoming a McKinsey consultant and then attorney… until she founded one of the few modestly successful online pet supply businesses in the 90s. Refusing further capital for a business she did not consider long-term viable, Niloo moved on to become a venture capitalist herself.
Moved by 9-11, Niloo found the cyber security market and made it her sole focus as an investor at Paladin Capital Group. We discuss her early learnings from investing in security which focus on her time working with a portfolio company selling the millimeter wave scanning systems that are now commonplace at airports everywhere. Our conversation detours here into the truly unusual: 3 Americans (Jack, Niloo & Dave) attempting an informed conversation on international privacy.
Drawn back into the action, Niloo took subsequent roles transforming a startup (Endgame) and then tried her hand at transforming industry titan RSA as their Chief Strategy Officer. In yet another twist, Niloo then left it all to focus on her terminally ill mother. This experience affected her profoundly and we wrap up this first part of our conversation with Niloo by exploring how she now structures her career on 3 pillars of different activities versus 1 job.
The 2nd half of our conversation with Niloo focuses on her recent work in Washington DC, where she holds several positions and recently (October 22nd, 2019) testified to Congress on the United States’ cyber security readiness. We begin with the topic of retaliation: What’s the proper response to a cyber attack if you want to discourage future aggression?
With the 2020 elections on the horizon, Niloo explains her perspective on influence campaigns such as the highly publicized activities by Russia in the ’16 presidential elections. While often seen as election interference, she explains the broader goal of Russia’s strategy as an attack on the fabric of trust throughout a country— and how your phone and social networks can be complicit in this scheme.
We end on a hopeful note: there are plenty of reasons to believe things will be better in the future in cyber security, starting with government restructuring from long outdated WW2 norms to a more modern organizational design.
The Silicon Valley legend is the college drop-out who made billions… but what if instead they stayed in the dorm room? What if they actually finished school *while* building the business? And if the soul of the business itself was helping people rather than harvesting every last penny from their pockets?
This is the intriguing story of Marcin Kleczynski and MalwareBytes, told in a candid ~1-hour interview where he explains how his company was built in vivid detail. Marcin takes us through his formative moments as a Polish immigrant in Illinois helping his family’s cleaning business to his choice to remain in school at his mother’s insistence while MalwareBytes was making millions. Marcin’s retelling of what it was like, many years later, to take his mother through the MalwareBytes office to meet the hundreds of employees in his company is one of our favorite moments in any Security Voices episode.
Our interview with Marcin balances his journey as a founder/CEO with an in-depth conversation on the endpoint security business itself. Dave and Marcin discuss key product questions such as how much is too much product functionality to give away, how to work with the channel, whether or not you can effectively serve both consumer and enterprise markets and the future of endpoint protection. He also explains why it still makes sense to build a great office when the world feels like it’s shifting quickly to a remote workforce. Somewhat less importantly, we also find out why you should never send deep dish pizza to people in California.
Joel Fulton’s journey began in Alaska as a free range kid with dreams of becoming a fireman and ultimately led him to one of the most prestigious CISO roles in cyber security at Splunk. Our conversation twists through his time as a computer auditor, MMA fighter, an author, a salesman, a PhD student and a few other positions in between. As far as origin stories go, even the late Stan Lee would be impressed.
Our dialogue with Joel showcases the breadth of his interests as well as his gift for taking seemingly unrelated concepts and connecting them to illustrate a point. Choke holds and incident response? School grades and asset discovery? The application of the Philosopher’s Toolkit to breach analysis? Systematic dismemberment as a means of determining priorities? Somehow Joel pulls off all of these analogies and more in a narrative that is as insightful as it is colorful.
Joel’s interview also offers plenty of practical examples for aspiring and longtime CISOs, breaking down how he thinks about discovery, orchestration and security training. And yes, he weighs in on how to be successful with Splunk, including reducing the cost. The episode is our longest to date at 80 minutes and it still felt far too short.
Note: Our interview with Joel took place at the Los Gatos Cigar Club this past Summer at the same time the US Women’s Soccer team was playing England in the semifinals of the World Cup. This was completely unintentional and resulted in a fair bit of background noise. While we edited out as much as we could, the result is a little like listening to 2 people chat at a busy café. Not ideal, but we think it’s ok. Grab a latte (or a cigar) and join us!
Since this Spring, Security Voices has been “following the money trail” to explore all angles of how security companies are funded and run. No small part of our rationale has been that if you understand where the $$$ comes from, you can better understand the people, the company & their motivation. Given the breakneck pace of the security industry and the ceaseless transactions that reshape its terrain, our investor series lays bare the forces that are fueling the cyber market itself and the fascinating personalities driving it. In the meantime, one of us has even started a company and funded it… with one of our guests of course!
In our final 2 episodes of the series, we’re shining a light on lesser known companies and individuals who have avoided VC funding and taken a more unique approach to starting their businesses. Our last episode with Zack Schuler at Ninjio highlighted his low burn, hands on approach as they aim to disrupt security awareness with killer content.
Our final episode showcases Tozny, an encryption company with its longstanding roots in government contracts. Isaac, the founder and CEO, explains how he’s built a stable, steady growth business in Portland by harnessing one large customer after another… using entirely publicly available information and an open submission process. His conservative “staying alive” approach stands in stark contrast to the glitzy, go-for-broke mainstream security market. And especially the recent controversy with another encryption company...
This episode also serves as a capstone to the investor series as we move on to explore the careers of some of our favorite CISOs and CEOs in the months ahead as well as not-so-distant rumblings in the legal landscape.
Seemingly every day a security company announces that it has raised a new, big round of funding. While taking venture capital to fuel a company is normal, it’s certainly not the only way to get started. As we close out our investor series, Jack and I wanted to highlight the bootstrappers— those brave people who kickstart their businesses using solely their own resources. Our conversation with Zack Schuler of Ninjio illustrates the experience of a security awareness training company that began with no funding beyond a loan from his own bank account. While Zack had the benefit of a previous exit (he bootstrapped his 1st company at the age of 21), his mentality and practices are those of someone who hustles for every deal, obsesses over each hire and makes painstaking decisions about how he uses his time and money.
Ninjio’s story is unique - it is first and foremost a content business in a city, Los Angeles, where he has access to a Hollywood talent pool others may have a hard time finding elsewhere. Zack’s approach to equity is also very different than what you would typically see in a security software company-- especially in the Silicon Valley. We enjoyed this interview exactly for this reason: it does not offer a conventional model that others can follow but rather an example of the success one can find off the beaten path with a lot of hard work and a little bit of luck.
Dark clouds seem to hang over the security industry, especially after Black Hat and DEF CON. Playing constant defense can be disheartening, especially after hearing about every new type of possible attack in Las Vegas. We felt everyone could use a little post-conference pick-me-up, so we pulled together this short (~15 min) episode which focuses on all the positive things that are happening in the industry, drawn from past interviews. We’ve often reflected on how interesting and encouraging it is that every guest we’ve interviewed has always had something they thought was much improved from the past— and how every one of these industry luminaries called out something different than the others.
Don't worry, we have a bunch of new episodes around the corner. This is a little interlude to chase away the Summer blues while we re-gather after a flurry of activity w/ B-Sides (Jack) and Open Raven (Dave). We have great interviews with the CISO of Splunk, CEO of MalwareBytes & the wrap-up to our investor series all ahead of us.
Sound familiar? Robocalls like this have plagued our phones in recent years, prompting many of us to no longer answer calls if we don’t immediately recognize the number. Ever wondered who was behind the flood of phone spam? How much they make? Where they’re from? How they got your number? We dig deep into the robocall epidemic with telecom expert TProphet, answering all of these questions and more before breaking down what telcos and legislators are doing to try and improve the situation. After comparing the North American robocall problem to the one in China, we take a look ahead at what the future holds for phone spam.
We wrap up the episode with a glance ahead to DEF CON / Black Hat where TProphet will be hosting the annual TeleChallenge and attending Queercon as founder emeritus. We also cover how the community has lent a helping hand to a few overseas security professionals through TProphet’s site, AwardCat. He’s one of the most colorful, interesting people in security-- we hope you enjoy getting to know him as much as Jack and I did.
Few topics capture our imagination like the Internet of Things (IoT)-- our concerns swing from how much that Alexa in the kitchen is really listening to us all the way to doomsday scenarios orchestrated by a violent robot takeover. Our conversation with Shaun Cooley lays the foundation for a rational understanding of IoT risks, starting with its role in stopping rhino poaching in an African game preserve. After explaining the full IoT landscape, we explore how it is fundamentally different from “normal” IT security and how the coming IT/OT convergence could result in an epic clash of cultures-- not to mention a few breaches. No IoT conversation is complete without covering 5G and satellite internet, nor do we spare you the required musings on how it could all go quite wrong when no one is looking. This is our longest episode so far-- and an instant favorite.
What happens when you take a longtime security pro and turn her into a venture capitalist? We find out in the 4th installment of our investor series when we interview Dr. Chenxi Wang, fresh off her 1 year anniversary starting Rain Capital. The beginning of our interview showcases the grasp of our market that makes Chenxi such a sought-after partner-- we go deep into the transformation of app sec, poking at fuzzing vs. static analysis, package vs. code level analysis and how the network-centric roots of security may be impeding our progress. We do a brief retrospective on Kubecon before diving into her reflections on being a full-time investor, starting with what separates an angel from a true venture capitalist. Chenxi explains what sucks about being a VC (spoiler alert: it’s fund-raising) and how she’s using Rain to chip away at the longstanding diversity problem in the security industry. Before hitting our usual hype-o-meter and speed round questions, we discuss exactly how she ended up on the board of directors for a logistics company based out of North Dakota.
Special thanks to Chenxi for doing this not once but twice with us due to tech errors with the initial recording.
Mike Reavey has quietly left his fingerprints on some of the biggest moments in security. He began as a Captain in the Air Force, locking down networks from attack by adversaries back when APT was still shorthand for “apartment”. Mike recounts his time spent battling the most destructive malware the industry has ever seen (Blaster, Slammer, Code Red, etc.) while leading Microsoft Security Response and how he later kept Azure out of the headlines while heading up cloud security in Redmond. He recently made a hard turn into gaming security at Electronic Arts where he’s been learning the many nuances of protecting a fast-moving entertainment company where creativity and speed are king. Mike, who regularly competes in body-building competitions, explains why you can’t outrun a pizza and how anyone can get a little more fit while balancing a hectic schedule packed with family, work and fitness. Mike’s stories are as pragmatic as they are colorful-- this interview is a recipe for anyone who wants to know exactly what it takes to succeed in a big, high pressure cyber job.
Part 3 of our investor series offers a unique perspective on the security market as Jack and I interview Kara Nortman, partner at Los Angeles-based Upfront Ventures who balances investments in enterprise and consumer companies without an explicit focus on cyber. Kara traces her roots back to a long ago meeting with the @Stake team when she was with Battery Ventures and we chart how security has moved from an arcane art to a topic relevant to every startup, no matter the industry. Our conversation covers a number of big questions: Will Silicon Valley continue as the heart of tech in the future? Is it better to have a killer insight or to know how to build a product? How exactly do VCs work in 5 minutes or less? Kara also reveals her “full family” approach to helping her portfolio companies, explaining why the key to unlocking product marketing success might actually be a curious 8 year old.
In a world not-so-long-ago, CISOs fought for people to understand what they did and why it mattered. Fast forward to today, and the modern CISO faces a dizzying variety of challenges everywhere from the boardroom, where they explain 3rd party risk management, to product design sessions where they might be debating anything from data anonymization to SOC2 compliance. Our guest in this episode, Justin Dolly, stands apart as a no-nonsense CISO who has covered a truly broad spectrum of problems, such as negotiating consumer privacy trade-offs for fitness wearables while at Jawbone or diving headlong into the ransomware problem at MalwareBytes. During this episode, Justin weighs in on the future of identity, the death of passwords and whether moving to a ZeroTrust model is more aspirational than practical. This episode has something for everyone with the notable exception of people who love VPNs. Justin’s fiercely pragmatic approach and gift for storytelling make this one of our favorite episodes so far.
A goal of our podcast is to highlight people who don’t highlight themselves— but are every bit as deserving of the spotlight as those on the big stage. Noah fits this profile perfectly: he’s the smart guy you sat next to at an industry dinner whose perspectives on network forensics and GDPR were as interesting as his weeklong isolated "vacation" on the tundra of Baffin Island. An understated yet up and coming security investor currently at Point72, Noah’s take on the security market is insightful and raw: he explains why there are too many security companies and why it matters. He details why the mid-market is underserved by security vendors. We cover how investors mistakenly overcapitalize security vendors and when is the right time to bootstrap vs. taking any funding at all. This is the 2nd installment of 5 in our investor series exploring how security companies are funded and how it impacts our industry.
Note: We did a lot of work on the audio on this episode but it just didn’t turn out the way we hoped. It’s not bad, but it’s not up to our normal “crisp and clear” standard the whole way through.
You'd be hard pressed to find a security leader with a better pedigree than Justin Somaini, especially in the turbulent tech market. In an hour long interview, Justin explains common mistakes made by investors and vendors, what it feels like to be a global CSO of a 90,000 person company, who the CISO should report to and how the CISO can win in the boardroom (often by staying out of it!). Sales people, this one is for you: Justin explains how you can avoid stepping on CISOs' toes and what you can do to stand out from the crowd. For aspiring or young security leaders, Justin shares generously from his playbook, including what should be your focus in the critical first weeks of a new job.
We kick off our investor series (and bid adieu to our app sec series) with Ping Li of Accel. Ping was recently named the #2 investor in the Silicon Valley and is one of the most prominent investors in the security industry. He is remarkable not only for the success of his many investments, but for his candor and approachability. In a wide-ranging interview, we cover the biggest mistakes security companies make, how to successfully pitch your company to a veteran investor like Ping and we play an inaugural game of buzzword bingo to see if there's truly a market for that AI-powered blockchain idea you've been kicking around.
Recently "retired" software security legend Gary McGraw joins us for an unfiltered conversation with Jack at his farmhouse in rural Virginia. Gary walks us through the history of software security with his characteristic sharp humor and insights, sparing no "poser or pretender" along the path to today (including the term "app sec" itself). Beyond his impressive career in security, any conversation with Gary uncovers his diverse interests, from his life as a musician to gardening, from reading fiction to writing textbooks. Jack's interview of Gary is no exception-- it paints a portrait as colorful as the man himself. This is the 4th and final episode in our app sec (er.... software) security series.
Mark's interview is the 3rd episode in our application security series where we discuss OWASP's origins & present state, the complicated relationship between security teams and developers, open source and a bunch more. Mark shares what worked (and didn't) while building SourceClear and what he sees happening to security when software finally eats the world.
Jack's conversation with John is another episode in our app sec series exploring John's unique perspective from his time advising companies at the Denim Group to his work with the Air Force and the State of Texas. Jack and John riff on software security trends, the security industry in general and John's famous "no purchase authority" t-shirt.
Dave's interview of Carey is for anyone who ever thought they might want to write a book, be a professor, know what it was like in the early days of antivirus when the day's samples arrived by FedEx... or was simply curious as to what Google X has cooking in security. We also explore Carey's super power: an uncanny ability to make tech topics approachable to anyone.
We take a dive into the state of application security to explore what happens to security when developers run the infrastructure. Zane shifts left back to his days in the pastures of Central California to his time in NY helping to shape DevSecOps for Etsy. This is the 1st of a series where we explore what's happening in the red hot app sec market.
Wendy Nather is a former CISO in the public and private sectors, and past Research Director at the Retail ISAC (R-CISC) as well as at the analyst firm 451 Research.