Security Voices

After 5 seasons, it’s curtain call for Security Voices. In this final episode, Jack and I reflect on half a decade of podcasting together through times that were both extraordinary for the world and for each of us personally. We discuss some of our favorite moments, most memorable guests, and the lessons learned from roughly 60 episodes of exploring the unique personalities and stories of cybersecurity. At around 40 minutes, our last pod is more short and sweet than long, tearful farewell. The Security Voices website will continue to be up for the foreseeable future so that it can be happily devoured by generative AI and any humans sticking around who want to know what things we’re like in the beforetimes. Jack and I hope that we left the industry a little better than when we started this project back in the winter of 2019. Thanks for listening.

The ascendancy of India in Silicon Valley is undeniable. From top executives such as Satya Nadella (Microsoft) and Nikesh Arora (Palo Alto Networks) to leading investors, we’ve become well accustomed to working with and often for people who have immigrated from India. Given the wave of immigration from India started decades ago, our Indian coworkers, investors and leaders are such an established part of the tech industry that we often give little thought to the cultural differences that underlie our daily interactions. Nonetheless, the move to remote work strips away much of the high fidelity, in person interactions that make understanding each other easier, even if we were raised on different continents, speaking different languages, etc. In simple terms, while the stakes for understanding each other have never been higher, our actual means of communicating have gotten worse.This episode of Security Voices combines the perspectives of two experienced security leaders, Ashish Popli of Spotnana and Jason Loo

The classic mindset of cyber security unmistakably originates from its early leaders: financial services, the defense industrial complex, and big companies that had too much to lose from ignoring what was called at the time “information security risk”. They tried to calculate largely unknowable risks to explain digital concepts to analog executives. They leaned on medieval metaphors such as castles and moats to make formerly arcane technology like firewalls understandable to people who just got their first AOL email address. And Sun Tzu quotes were used to make it absolutely clear that we were in a war against a shadowy, determined enemy that demanded our attention (and a generously sized budget).The cybersecurity landscape now bears little resemblance today to those early days, but far too much of how we reason about our industry is still clearly traceable back to those early days. Kelly Shortridge’s Security Chaos Engineering is a sneakily titled book that has less to do with testing technical boundaries a

Let’s say it’s 2012. And you're graduating Stanford with a comp sci degree. You could go to Google, Facebook or any of a number of well-paying emerging juggernauts. If you’re Frank Wang, you move across the coast and do your PhD in cybersecurity at MIT.Now you’re doing your PhD. And you make pals with a local VC. So naturally, you start a cybersecurity incubator as an academic (Cybersecurity Factory) which churns out companies such as Huntress Labs.Your PhD is in the bag now and you're ready to start making money. Time to apply all of that theory from academia in a company, right? Wrong. If you’re Frank Wang, you become a VC at Dell Capital.It’s the middle of the Covid pandemic and VC is going bonkers. Massive amounts of capital being allocated in a frenzy unlike anything we’ve seen in decades. If ever. Rather than joining in the party, Frank sees it as a clear signal that it’s time to move on and becomes a security engineering leader at modern data stack company DBT. Now that you’ve got a comfortable job at

This past weekend, the New York Times posted an article explaining the United States is scrambling to clean government systems from a deep, pervasive infiltration of the country’s infrastructure by the Chinese. Much like the Russian attacks on Ukrainian infrastructure, the intent appears to be to disrupt any U.S. action that would be a response to Chinese military action in Taiwan. The role of nation state actors in driving the threat landscape has brought us to a place where the lines between physical and cybersecurity are no longer blurry, but simply erased.Galina Antova, founder and Chief Business Officer of Claroty, shares her expertise in operational technology (OT) security with us in an hour long interview in the latest episode of Security Voices. We begin by walking through the recent industrial security threat landscape with an emphasis on INCONTROLLER/Pipedream and discuss the impact of the Russian/Ukrainian war, tracing its origins back to a landmark attack in 2015.Galina and Dave explain the uncom

"Any country that intervenes in Taiwan will face serious consequences, including cyber attacks."This statement in January by the Chinese Ministry of Foreign Affairs made clear that the United States must be ready to defend itself in what many assume to be an inevitable conflict over Taiwan’s independence. It begs the question, how will we defend ourselves from such a powerful adversary with one of the best cyber armies in the world?At the heart of the answer is the United States infrastructure: an interconnected web of both government and for profit companies that provide core services to the citizens. This public / private partnership is most evident where it matters most: energy and communications. Mary Haynes, Group Vice President of Charter Communications and industry cybersecurity veteran, has worked with presidential administrations across her multi-decade career to serve the twin goals of protecting her customers and making the country more resilient to attacks. Our 72 minute conversation with Mary sta

The breakaway success of ChatGPT is hiding an important fact and an even bigger problem. The next wave of generative AI will not be built by trawling the Internet but by mining hordes of proprietary data that have been piling up for years inside organizations. While Elon Musk and Reddit may breathe a sigh of relief, this ushers in a new set of concerns that go well beyond prompt injections and AI hallucinations. Who is responsible for making sure our private data doesn’t get used as training data? And what happens if it does? Do they even know what’s in the data to begin with?We tagged in data engineering expert Josh Wills and security veteran Mike Sabbota of Amazon Prime Video to go past the headlines and into what it takes to safely harness the vast oceans of data they’ve been responsible for in the past and present. Foundational questions like “who is responsible for data hygiene?” and “what is data governance?” may not be nearly as sexy as tricking AI into saying it wants to destroy humanity but they argu

Hidden bunkers, stacks of canned food and piles of artillery. Disaster preparedness has become an Internet meme and these are some of the “prepper” community’s showcase images. But most of us who have lived through the recent pandemic, the Capital insurrection on January 6th and more no longer take the threat of a major disaster lightly. For those of us not willing or able to dig out a backyard bunker, is there a rational middleground where we can feel well-prepared for whatever comes next?Software security legend Michal Zalewski (lcamtuf) answers this question and many others in his third book Practical Doomsday: A User's Guide to the End of the World. Using familiar threat modeling principles, Michal explores everything from evacuation gear and bulletproof vests to the genuine probabilities of civil war and a zombie apocalypse. In what can only be described as an unbelievable coincidence, Jack and Dave’s hour long interview with Michal was recorded the same day Silicon Valley Bank collapsed and was taken in

Continuing from our dialogue with Tomas Maldonado who has the unique job of securing the NFL, we have a conversation with Allen Ohanian whose day job is to protect the Los Angeles Department of Child and Family Services (DCFS). LA DCFS is the largest agency of its type in the United States, its central focus is its 10,000 social workers who help defend some of the most vulnerable people in Southern California. Allen’s role as CISO of the DCFS is to make sure that both the social workers– and all of the highly sensitive family data– stay safe and sound while they navigate some of the most complicated scenarios you can imagine. The army of people working in cybersecurity chartered with this mission? 5 people strong. Welcome to the government.When you’re outnumbered 10,000 to 5, the name of the game is leverage. Allen explains how his team harnesses cloud services in order to amplify their impact, such as migrating from their own facilities to services such as AWS Call Center. Beyond the cloud, his primary appr

After 2 decades of trying to make SIEMs work, security data lakes are a hot topic as they present an increasingly attractive alternative. The only hotter topic is ChatGPT and the game changing potential of AI. So in episode 52 of Security Voices, we mash the two together as Dave, Pathik Patel (Informatica), and Omer Singer (Snowflake) explore the many angles of security data lakes with an AI-assist from ChatGPT.From a functional definition to dishing on whether security data lakes signal the death of the SIEM, ChatGPT weighs in impressively early in the episode. Its later performance is much more suspect, seemingly gassing out under the pressure of harder (more poorly formed?) questions and likely a knee-buckling workload from millions of others testing the service simultaneously. The humans go on to discuss the real-time expectations for SIEMs vs. the “single source of truth” nature of security data lakes which lead to an exploration of product “suites” vs. specialized services and promise of the data lake

The winds of change are always blowing in cybersecurity, but there’s moments when they reach a gale force, When the landscape is reshaped dramatically by an event that hits us like a hurricane, changing how we feel about our jobs, our industry, and perhaps even shaking our resolve to continue on in the same career path. When Joe Sullivan, former head of security for Uber, was found guilty of concealing a breach in early October the effect was immediate. No matter how you felt about Joe or the court case itself, the implications for security leaders— and especially those at public companies— were clear: you could now face criminal charges for mishandling a breach. Fines, jail and likely never be employed again in cybersecurity.This episode of Security Voices is a roundtable format with Jack, Dave and 3 security leaders: Justin Dolly, Myke Lyons and Bob Fish. All have a broad range of experiences and represent together a combined 70+ years in cybersecurity. Our focus throughout the ~80 minute conversation is n

In cybersecurity, we have teams focused on managing vulnerabilities. We have SOCs who spend their days obsessing over threats. App sec teams. Data privacy teams. In the typical, modern cybersecurity team, we have exactly zero people focused on helping humans defend themselves and the organization in spite of a massive increase in scams and fraud that are squarely aimed at tricking people into making bad decisions. Are we really more at risk from a new foreign adversary or CVSS 9 vulnerability than we are from an executive or someone in Finance being deceived by a scammer? Enter Behavioral Engineering. A new-ish discipline introduced by forward leaning cybersecurity teams that recognizes the pivotal role that humans and key behaviors play as part of our overall security posture. What do we mean by key behaviors? How we share sensitive information. What we do when we authenticate. How we react when we see something suspicious. And so on.In this episode of Security Voices, Jack and Dave interview the Behavioral

Imagine you’re walking past the sports book in Las Vegas. People are betting on baseball, horses, and the usual fare. Something catches your eye, you look more closely and you can’t believe your eyes. People are betting on whether or not you're going to fail at doing your job this week!While this may sound far-fetched, this exact scenario played out for Tomas Maldonado, the then freshly minted CISO of the National Football League when the 2020 NFL Draft shifted to a virtual format unexpectedly due to the pandemic. Across Las Vegas, people were betting on the probability of a cybersecurity event disrupting the draft– the exact type of incident Tomás was hired to prevent. Our hour-long conversation with Tomás goes deep into the unique nature of “defending the shield” at the NFL, from concerns about drones at the games themselves to the elaborate planning that goes on before keystone events like the Superbowl. He gives us a window into the extent of information sharing across sports leagues that all face a comb

First, a confession: this is the last episode we would have envisioned when we started Security Voices. Compliance was as mundane as it is mandatory– where’s the fun in that? Where’s the untold, fascinating story of the person who summited the tallest mountain? Rose from ashes to improbable success? In the short years that have passed since we started in early 2019, the world has changed dramatically. And so has compliance. From driving cyberinsurance premiums to becoming the security baseline for even startups to achieve in their early days, compliance is now an undeniable juggernaut. While SOC2 defines the scope of many companies’ security gameplans, GDPR and its kin drives how we respond to breaches whereas industry specific mandates influence what data we have, how we defend it and even where we store it. In this episode, Jack and Dave welcome both Abby Kearns and Shrav Mehta to demystify exactly what’s happening in the world of compliance from 2 unique perspectives. Abby speaks from her work on software

For the second episode in a row, we’ve caught a seasoned entrepreneur at that perfect moment when they’ve started a new company but still have time for a conversation before their new adventure kicks into high gear. Oliver Friedrichs, founder of several security companies including Immunenet and Phantom, joins us to talk product strategy as he embarks on a new journey to disrupt the security industry once again with his new venture Pangea.The most critical, first question for any young company is “what are we making”? And equally important is the follow-on question of what category does the offering fit into or how should people think about it? Is it a better version of something that exists? A new type of something that’s meaningfully different? Or is it an entirely new category of product they’ve never seen before?Oliver and Dave discuss examples of each type of strategy from their own experience and the industry in general. The “better mousetrap” approach is covered with examples from antivirus and more re

2+ years to interview Alfred Huger wasn’t too long to wait. After spending 8 years at Cisco following the acquisition of SourceFire, Al recently departed the networking giant to do his 4th startup in as many decades. Unbound from the usual PR police, Al candidly speaks on a wide range of topics from why he has stayed at companies long past acquisition and how to distinguish between a miserable and a winning acquirer. Having raised venture capital funding in the 90s until now, Al’s experience charts a timeline of what’s happened to cybersecurity funding over the last 4 decades. From hardscrabble early days to today’s megarounds and eyepopping valuations, Alfred explains how he’s raising funding for his new company and why even a successful entrepreneur is not likely to bootstrap their business on their own funds alone.Al shares his playbook for spotting the right product ideas along with some blunt words of caution for those excited about the latest industry analyst report. While cybersecurity veterans critiqu

There are few people, if any, who have given more of themselves to the cybersecurity community than Lesley Carhart. Our conversation with Lesley came immediately after the 3rd annual PancakesCon, a free conference she conceived with a unique “20 on, 20 off” format that celebrates who we are outside of work as much as what we accomplish as security professionals. In the fashion of a person who is both an incident response expert and a community organizer, the conference was pulled together in a frantic 11 days after Omicron wreaked havoc on Winter conference schedules and there was a gap Lesley saw that needed to be filled.Having joined the Airforce Reserves just before 9/11 with the intent to become an airplane mechanic, Lesley’s career has been spent balancing military service along with “the usual” pressures of working in cybersecurity. She explains how she juggled her civilian and military life for 20 years up until her recent retirement as an Airforce Master Sergeant. Lesley recaps her 2 decades of serv

Your fledgling startup has just been sued by one of the most powerful companies in the world. How do you defend yourself?And keep your company afloat?This was the challenge faced by Amanda Gorton, CEO of Corellium, a company whose virtualization platform enables efficient mobile security research and quality testing across a massive variety of devices. Sued by Apple for both copyright infringement and violation of the Digital Millennium Copyright Act (DMCA), Amanda was thrust into an exhausting balancing act of defending and running her young business at the same time. In this episode of Security Voices, she shares the details of how she survived and successfully defended her company.Dave and Amanda go beyond the lawsuit and into the tricky territory of companies like Corellium who provide a service whose sales process must be governed by a clear sense of ethics to avoid it falling into the wrong hands. She shares the real world challenges of developing and applying such a policy in a company and while it ma

What if there was someone who could take all of the best security research over recent months and distill it down into the greatest hits? Sort of like a Spotify “Release Radar”, but for the best talks at conferences. There is. It’s not in Blinkist. It’s (back) at ThinkstScapes after a multiyear hiatus.And it’s now gloriously free.This episode of Security Voices covers the return of Thinkstscapes with Jacob Torrey who led the reboot of the now quarterly report. In the interview with Jack and Dave, Jacob explains how he and the team at Thinkst devour and summarize the very best security research from thousands of presentations and hundreds of conferences across the globe.Jacob starts with some of his favorites, which focuses on an innovative research project not from a startup or researcher, but from a multi-decade antivirus company that went all in on an industrial controls system honeypot project. From there we cover ground that ranges from speculative execution vulnerabilities to a spate of embedded vulnerab

Hundreds of inexpensive satellites are now regularly launched into space through SpaceX’s Smallsat Rideshare program. Some are sophisticated and commercial, others are DIY and experimental. They share space with now over 3,000 other artificial satellites orbiting the Earth. What could possibly go wrong?Frank Pound joins Jack and Dave for a conversation to answer the question of just how hackproof satellites really are and why it matters, starting with the Hack-a-Sat competition. Hack-a-Sat is an intensive capture the flag style competition currently in its second year where teams square off against one another to break into and defend satellite tech. And along the way, we learn that doing so requires encounters with strange software, hardware and not a small amount of hard math.The most known, visible satellite hack dates back to the 1980s and involves a broadcast takeover around Thanksgiving from a Max Headroom mask wearing man which ended in a spanking, but no real harm done. Jack and Dave explore the attac