Security Voices

Our 1st episode of 2020 is a story in three parts, beginning with hard fought wisdom of a veteran security practitioner, then diving deep into machine learning (ML) before wrapping up with how both security and AI apply to connected vehicles. The first part of our 74 minute conversation with Josh Lemos is the backstory of how he started his career in cybersecurity as a consultant... and left services to join ServiceNow as a practitioner. His time at ServiceNow lays out a solid formula for fixing application security inside a growth company who can little afford to slow down-- or suffer the pain of the inevitable breach if the situation doesn’t improve.​Jack & Dave’s conversation with Josh on ML lays down many of the basics and is intended to be a rough primer for future episodes where we will further explore the topic. We discuss how ML projects often take much more preparation than originally planned and topics that range from class imbalances, the differences between supervised/unsupervised ML, a starte

While visions of sugar plums might be dancing in children’s heads as we close out 2019, the 2020 elections are occupying the head space of many adults in the U.S. In 2016, the importance of election security was made crystal clear. What’s happened since then? Are we ready for 2020? How do experts believe our defenses will hold up when tested by foreign and even domestic attacks?We spent an hour exploring election security (and more) with Camille Stewart, a cyber security attorney with experience working inside tech companies as well as considerable time spent on Capitol Hill in both the Department of Homeland Security and as a consultant. Camille breaks down the major aspects of election security and we discuss why it’s seemingly so fractured across municipalities-- and why that may not be such a bad thing after all.  Jack, Dave and Camille debate how election defenses might be improved, from the role of open source and private services to “defending forward” by taking out troll farms. While Camille declined

It all changed one day while Nand was sitting in traffic on the 101 freeway. Why am I doing this? Nand had experienced no less than 4 successful exits of cyber security companies where he was founder or CEO. He was one of the most accomplished cyber security entrepreneurs in the Silicon Valley. At that moment, Nand decided to leave corporate life and set course to start a new phase of his career in the government.His first step was to uproot his family and move them into graduate housing at Stanford where he would finally do that MBA degree he had considered long ago. Throughout Nand’s hour long interview with Jack and Dave, Nand explains how his family embraces the abrupt change from predictable Valley life and comforts to community living inside a small apartment on campus. While Nand is determining how to best complete projects with 19 year-olds, his wife Sarbani and children flourish, starting a non-profit as a result of their experience.Nand’s next step towards Washington D.C. is a one year stint across

The 2nd half of our conversation with Niloo focuses on her recent work in Washington DC where she holds several positions and recently (October 22nd, 2019) testified to Congress on the United State’s cyber security readiness. We begin with the topic of retaliation: What’s the proper response to a cyber attack if you want to discourage future aggression? Is cyber retaliation necessary to defend a country?With the 2020 elections on the horizon, Niloo explains her perspective on influence campaigns such as the highly publicized activities by Russia in the ’16 presidential elections. While often seen as election interference, she explains the broader goal of Russia’s strategy as an attack on the fabric of trust throughout a country— and how your phone and social networks can be complicit in this scheme.We end on a hopeful note: there are plenty of reasons to believe things will be better in the future in cyber security, starting with government restructuring from long outdated WW2 norms to a more modern organizat

There are stories, and then there are “epics”: tales of a journey so full of unexpected twists and excitement that you’re left wondering how all that could happen to a single person. Niloo Razi Howe’s life is such an epic. Whereas most epics feature men with swords, this one focuses on a woman with heels and a hockey stick.While Niloo’s story as an Iranian exile is well-documented, our primary focus is on her career which began as an author and quickly moved to becoming a McKinsey consultant and then attorney… until she founded one of the few modestly successful online pet supply businesses in the 90s. Moved by 9-11, Niloo found the cyber security market and made it her sole focus as an investor at Paladin Capital Group. We discuss her early learnings from investing in security which focus on her time working with a portfolio company selling the millimeter wave scanning systems that are now commonplace at airports everywhere. Niloo took subsequent roles transforming a startup and then tried her hand at trans

The Silicon Valley legend is the college dropout who made billions… but what if instead they stayed in the dorm room? This is the intriguing story of Marcin Kleczynski and MalwareBytes, told in a candid ~1-hour interview where he explains how his company was built in vivid detail. Marcin takes us through his formative moments as a Polish immigrant in Illinois helping his family’s cleaning business to his choice to remain in school at his mother’s insistence while MalwareBytes was making millions. Dave and Marcin discuss key product questions such as how much is too much product functionality to give away, how to work with the channel, whether or not you can effectively serve both consumer and enterprise markets and the future of endpoint protection. He also explains why it still makes sense to build a great office when the world feels like it’s shifting quickly to a remote workforce. We also find out why you should never send deep dish pizza to people in California...

Since this Spring, Security Voices have been “following the money trail” to explore all angles of how security companies are funded and run. In our final 2 episodes of the series, we’re shining a light on lesser known companies and individuals whom have avoided traditional funding and taken a more unique approach to starting their businesses. This episode showcases Tozny, an encryption company with its longstanding roots in government contracts. Isaac, the founder and CEO, explains how he’s built a stable, steady growth business in Portland by harnessing one large customer after another… using entirely publicly available information and an open submission process. His conservative “staying alive” approach stands in stark contrast to the glitzy, go-for-broke mainstream security market.

Seemingly everyday a security company announces that it has raised a new, big round of funding. As we close out our investor series, Jack and I wanted to highlight the bootstrappers— those brave people who kickstart their businesses using solely their own resources. Our interview with Zack Schuler of Ninjio illustrates the experience of a company with a big mission to reinvent security awareness that began with no funding but a loan from his bank account. While Zack had the benefit of a previous exit (he bootstrapped his 1st company at the age of 21), his mentality and practices are that of someone who hustles for every deal, obsesses over each hire and makes painstaking decisions about how he uses his time and money. Zack explains his special formula of hustle, Hollywood and a little bit of luck to build a winning company with no investors looking over his shoulder.

Dark clouds seem to hang over the security industry, especially after Black Hat and DEF CON. Playing constant defense can be disheartening, especially after hearing about every new type of possible attack in Las Vegas. We felt everyone could use a little post conference pick-me up so we pulled together this short (~15 min) episode which focuses on all the positive things that are happening in the industry from past interviews. We’ve often reflected on how interesting and encouraging it is that every guest we’ve interviewed has always had something they thought was much improved from the past— and how everyone of these industry luminaries called out something different than the others.

Robocalls have plagued our phones in recent years, prompting many of us to no longer answer calls if we don’t immediately recognize the number. Ballpark estimates put the number of calls in 2018 at 48 Billion-- a 50% increase from the previous year. Ever wondered who was behind the flood of phone spam? How much they make? Where they’re from? How they got your number? We dig deep into the robocall epidemic with telecom expert TProphet, answering all of these questions and more before breaking down what telcos and legislators are doing to try and improve the situation. After comparing the North American robocall problem to the one in China, we take a look ahead at what the future holds for phone spam.

Few topics capture our imagination like the Internet of Things (IoT); our concerns swing from how much Alexa is really listening to us all the way to doomsday scenarios orchestrated by a violent robot takeover. Our conversation with Shaun Cooley lays the foundation for a rational understanding of IoT risks, starting with its role in stopping rhino poaching in an African game preserve. After explaining the full IoT landscape, we explore how it is fundamentally different from “normal” IT security and how the coming IT/OT convergence could result in an epic clash of cultures-- not to mention a few breaches. No IoT conversation is complete without covering 5G and satellite internet, and nor do we spare you the musings on how it could all go quite wrong...

What happens when you take a longtime security pro and turn her into a venture capitalist? We find out in the 4th installment of our investor series when we interview Dr. Chenxi Wang, fresh off her 1 year anniversary starting Rain Capital. The beginning of our interview showcases the grasp of our market that makes Chenxi such a sought-after partner-- we go deep into the transformation of app sec, poking at fuzzing vs. static analysis, package vs. code level analysis and how the network-centric roots of the security may be impeding our progress. We do a brief retrospective on Kubecon before diving into her reflections on being a full-time investor, starting with what separates an angel from a true venture capitalist. Chenxi explains what sucks about being a VC (spoiler alert: it’s fund-raising) and how she’s using Rain to chip away at the longstanding diversity problem in the security industry. Before hitting our usual hype-o-meter and speed round questions, we discuss exactly how she ended up on the board of

Mike Reavey has quietly left his fingerprints on some of the biggest moments in security. He began as a Captain in the Air Force, locking down networks from attack by adversaries back when APT was still shorthand for “apartment”. Mike recounts his time spent battling the most destructive malware the industry has ever seen (Blaster, Slammer, Code Red, etc.) while leading Microsoft Security Response and how he later kept Azure out of the headlines while heading up cloud security in Redmond. He recently made a hard turn into gaming security at Electronic Arts where he’s been learning the many nuances of protecting a fast-moving entertainment company where creativity and speed are king. Mike, who regularly competes in body-building competitions, explains why you can’t outrun a pizza and how anyone can get a little more fit while balancing a hectic schedule packed with family, work and fitness. Mike’s stories are as pragmatic as they are colorful-- this interview is a recipe for anyone who wants to know exactly wh

Part 3 of our investor series offers a unique perspective on the security market as Jack and I interview Kara Nortman, partner at Los Angeles-based Upfront Ventures who balances investments in enterprise and consumer companies without an explicit focus on cyber.  Kara traces her roots back to a long ago meeting with the @Stake team when she was with Battery Ventures and we chart how security moved from an arcane art to a topic relevant to every startup no matter the industry. Our conversation covers a number of big questions: Will Silicon Valley continue as the heart of tech in the future? Is it better to have a killer insight or to know how to build a product? How exactly do VCs work in 5 minutes or less? Kara also reveals her “full family” approach to helping her portfolio companies, explaining why the key to unlocking product marketing success might actually be a curious 8 year old.

In a world not-so-long-ago, CISO’s fought for people to understand what they did and why it mattered. Fast forward to today, and the modern CISO faces a dizzying variety of challenges everywhere from the boardroom to explain 3rd party risk management to product design sessions where they might be debating anything from data anonymization to SOC2 compliance. Our guest in this episode, Justin Dolly, stands apart as a no-nonsense CISO who has covered a truly broad spectrum of problems such as negotiating consumer privacy trade-offs for fitness wearables while at Jawbone or diving headlong into the ransomware problem at MalwareBytes. During this episode, Justin weighs in on the future of identity, the death of passwords and whether moving to a ZeroTrust model is more aspirational than practical. This episode has something for everyone with the notable exception of people who love VPNs. Justin’s fiercely pragmatic approach and gift for storytelling make this one of our favorite episodes so far.

A goal of our podcast is to highlight people who don’t highlight themselves— but are every bit as deserving of the spotlight as those on the big stage. Noah fits this profile perfectly- he’s the smart guy you sat next to at an industry dinner whose perspective on network forensics and GDPR were as interesting as his weeklong isolated "vacation" on the tundra of Baffin Island. An understated yet up and coming security investor currently at Point72, Noah’s take on the security market is insightful and raw: he explains why there are too many security companies and why it matters. He details why the mid-market is underserved by security vendors. We cover how investors mistakenly overcapitalize security vendors and when is the right time to bootstrap vs. taking any funding at all.

Our latest episode features an 1 hour interview with iconic Silicon Valley CISO Justin Somaini.  He explains common mistakes made by investors and vendors, what it feels like to be a global CSO of a 90,000 person company, who the CISO should report to and how the CISO can win in the boardroom (often by staying out of it!) Sales people, this is one if for you: Justin explains how you can avoid stepping on CISOs' toes and what you can do to stand out from the crowd.  For aspiring or young security leaders, Justin shares generously from his playbook including what should be your focus in the critical first weeks of a new job.

We kick off our investor series with Ping Li of Accel who was recently named the #2 investor in the Silicon Valley and is one of the most prominent investors in the security industry. We cover the biggest mistakes security companies make, how to successfully pitch your company to a veteran investor like Ping and we play an inaugural game of buzzword bingo to see if there's truly a market for that AI-powered blockchain idea you've been kicking around.

Recently "retired" software security legend Gary McGraw joins us for an unfiltered conversation with Jack at his farmhouse in rural Virginia.  Gary's walks us through the history of software security with his characteristic sharp humor and insights, sparing no "poser or pretender" along the path to today (including the term "app sec" itself). Beyond his impressive career in security, any conversation with Gary uncovers his diverse interests from his life as a musician to his travels, from reading fiction to writing books. Jack's interview of Gary is no exception-- it paints a portrait as colorful as the man himself. This is the 4th and final episode in our app sec (er.... software) security series.