Security Voices



There are great stories in the security industry that arent being told. Fascinating people who fly below the radar and arent being heard. We know because we encounter them in hallways, hotel lobbies and just about everywhere imaginable across the globe. Everytime we think I wish I had recorded that conversation so that everyone could hear it Our goal with Security Voices is to provide a place for clear-headed dialogue with great people thats unencumbered by the hyperbole and shouting thats far too common in security circles. We dont have anything against sponsors or sales pitches, but they run counter to our goal of cutting through the noise, so we dont have either. Were aiming for 100% clear signal.


  • From Tool to Sidekick - Human/Machine Teaming with Jamie Winterton

    07/06/2021 Duración: 01h01min

    We’ve conditioned ourselves to look at our technology in a similar way we look at a box of tools: as instruments that passively do what we make them do. When we think of the future of artificial intelligence, it’s tempting to leap to fully autonomous solutions一 when exactly will that Tesla finally drive by itself? In our interview with Jamie Winterton, we explore a future where AI is neither a passive tool or a self-contained machine but rather an active partner.Human/machine teaming, an approach where AI works alongside a person as an integrated pair, has been advocated by the U.S. Department of Defense for several years now and is the focus of Jamie’s recent work at Arizona State University where she is Director of Strategy for ASU’s Global Security Initiative and chairs the DARPA Working Group. From testing A.I. assisted search and rescue scenarios in Minecraft to real war time settings, Jamie takes us through the opportunity and the issues that arise when we make technology our sidekick instead of solely

  • Melanie Ensign Doesn’t like Clubhouse, Press Releases & FUDー & Neither Should You

    12/04/2021 Duración: 01h08min

    Communications professionals are often quiet coaches. They work their magic behind the scenes. They hold their opinions tightly and express them infrequently. In short, their influence is everywhere but their fingerprints are often invisible.Melanie Ensign is having none of that. And we’re all the better for it. In this 64 minute interview, you’ll have the pleasure of meeting one of the most influential and outspoken communications executives in the world of cybersecurity and privacy. We begin with her role as press department lead for DEFCON, a role she’s held for 8 years and explains is that exact inverse of what you think it is.In our next topic, Melanie breaks out the verbal chainsaw and applies it with vigor to the voice-based social network Clubhouse. From privacy mistakes to seeming indifference to community feedback on the topic, she explains in detail why she recommends her clients (and anyone else) avoid Clubhouse until they clean up their act.The remainder of the conversation is a mini-master class

  • Cybersecurity Burnout - Recognition & Recovery Mini-Episode

    31/03/2021 Duración: 31min

    We’ve met and passed the 1 year anniversary of the COVID-19 pandemic and cases of burnout are off the charts. We’re tired of Zoom. We’re tired of masks. Far too many kids are stuck at home instead of at school. The list could go on but the result is obvious: we’re burned out. The effect can be all the more profound for beleaguered security professionals who often struggle with burn-out even at the best of times. Jack and Dave return in this mini-episode for a quick conversation about how to identify and respond when you’re feeling like you’re burnt. While often it’s Dave and a guest doing most of the talking, in this episode Jack is driving. He shares from his deep experience on the topic, starting with an explanation of Maslach’s burn-out inventory which provides a structured, clear guide for determining just how crispy you are. The inventory is tailored for different professions, and while there is not one specific to cybersecurity, Jack and Dave explore specific aspects of our industry that up the stakes

  • Sh*t Talkin’, Deep Thoughts & Really Scary Phishing w/ Material Security

    07/02/2021 Duración: 01h04min

    This episode of Security Voices is different. Let’s say you sat down at the end of a long day and had a casual drink with a few industry friends before dinner. The conversation quickly turns to serious topics which are all discussed with thoughtful insight, biting humor and some well-placed profanity. Welcome to the latest episode of Security Voices where Jack & Dave wander off the beaten path with Abhishek Agrawal and Ryan Noon, co-founders of email protection company Material Security. This one isn’t for the easily offended or as the soundtrack to a drive with the kiddos.“How not to suck as a vendor” is our introductory question, prompting an earnest conversation that starts with “don’t be an active cancer”, covers The Market for Silver Bullets and ultimately explains why the pandemic has made already questionable cyber security marketing even worse.After exploring some of our top influences, from The Autobiography of Malcom X and The Origin of Consciousness to Joe Frank’s avant garde radio show, The O

  • Cloud Security Series Wrap-up w/ Justin Brodley: A look back at 2020, a glance ahead at 21's top threats & key trends

    17/01/2021 Duración: 01h06min

    In our 1st episode of ‘21, we cap off our cloud security series with a recap of the major milestones, key trends and surprises across 2020 through the eyes of cloud expert and podcaster, Justin Brodley.  If you think you might have missed a few things that happened in the public cloud last year while waiting for news on COVID-19 vaccines, hitting refresh on election results or wondering when the four horsemen were finally going to show up, this episode is your chance to catch up and look ahead through the lens of both a practitioner and a pundit.Recorded during AWS Re:invent, we examine the cloud service provider conferences across the year to find a clear absence of security topics making their way to center stage.  While there were some notable developments, such as services providing easier cloud traffic analysis, much of the attention was elsewhere. Multi-cloud, in particular, leapt to the forefront for even Amazon who had been reluctantly dragging their feet.Our comparison of the different cloud service

  • Winners, Losers & Long Shots: Kleiner Perkins’ Bucky Moore Breaks Down Cloud Security

    26/12/2020 Duración: 01h10min

    Investors make their money seeing things others don’t. Making big bets based on both digging into painstaking detail and their ability to forecast what will happen many years into the future. In this 5th and (almost!) final episode of our series on public cloud security, we get deep into the mind of Bucky Moore from Kleiner Perkins to learn how the flow of funding is both responding to and shaping our industry’s transformation from protecting our own data centers to renting them from others.Bucky begins by laying down our mile marker in the global cloud journey, answering the eternal question of “Are we there yet?” with a clear answer of “Not even close.” We follow these remarks to a walk through the different corners of the cyber security industry to see how they’re keeping pace. While many fail to impress, one of the legacy behemoths stands out from the pack as having impressively galvanized their business to meet the cloud challenge.Setting companies aside, Bucky, Jack & Dave identify what technologi

  • Cloud native invasion! An interview with Datadog’s Marc Tremsal in Public Cloud Security Series #4

    20/11/2020 Duración: 01h10min

    As longstanding cybersecurity companies lumber their way into the public cloud and "born in the cloud" startups fight for attention, cloud observability titan Datadog entered the security market in 2020 with two new products.  This is far from the first time a company has used an adjacent market to make the cybersecurity leap. Oftentimes it fails, but Splunk immediately comes to mind as a crossover success. Jack and Dave interview Datadog’s Marc Tremsal in this episode to provide a view into what cybersecurity looks like from the lens of a company steeped in the world of cloud infrastructure.Datadog did not break down the doors of the industry, but rather was invited to enter by their customers whose needs were not being met by cybersecurity companies. Marc explains the mistakes that incumbents have made that have left a considerable opening for others— they have very little to do with technology and a lot to do with marketing and sales. From selling to CISOs rather than the people doing the work to overheate

  • Public Cloud Security Series #3: How to catch up, survive multi-cloud & when to tap out with Rich Mogull

    25/10/2020 Duración: 01h07min

    Our conversation with Rich Mogull was intended to provide an analyst view point on public cloud security. While Rich certainly delivered on this promise, the episode turned into something more important: therapy. If you find yourself wondering if you’re burnt out from cyber security and life in general, this is for you. Our conversation with Rich starts with the work he does in disaster response, focusing on his recent time responding to the COVID-19 pandemic as a paramedic.  He explains how key concepts of anti-fragility from responder culture such as “trench foot” and “changing your socks” also apply to the rough and tumble world of cyber security— especially in assessing yourself for burnout.If you find yourself drowning in work and straining to catch up to the rest of the organization's push to the public cloud, this is for you.  We discuss how this happens quite naturally in most places, resulting in a dysfunctional norm of security teams inadvertently being left behind but still responsible for protecti

  • Cloud Security Series #2 - Yelp’s Zach Musgrave on Defending a Cloud Native Business at Scale

    27/09/2020 Duración: 01h04min

    In our 1st episode of this series, Teri provided an expert’s broad view of what’s happening with security in the public cloud. In this episode, Yelp’s Zach Musgrave does the opposite: we go into the trenches to understand what it takes to protect a fully cloud native business on a daily basis.While Yelp was born in ‘04, 2 years before Amazon launched its first AWS service, it started its cloud native journey in 2013. Their early transition makes the company one of the longest tenured organizations who have defended a cloud native business at scale. Zach shares the fundamentals of how they work, from security team org structure and success measurement to key relationships across the company. We dig into the 2 different but critical aspects of security: 1) protecting the infrastructure (people & systems) and 2) policing the Yelp ecosystem itself (defending business operations).Zach explains how DevSecOps at Yelp was adopted not out of buzzword compliance but plain necessity: the need to safeguard 500+ mic

  • Cloud Sec Series #1 - A Public Cloud Security Primer With Expert Teri Radichel (AWS, GCP & Azure)

    05/09/2020 Duración: 01h06min

    Initially led by software as a service (SaaS), the transition to the public cloud is one of the most important changes we’ve witnessed in information technology to date. From the early days of SaaS to the current stage where adoption of infrastructure, platform and function as a service (IaaS, PaaS, FaaS) are catching on like wildfire, there’s an increasing awareness that the end state of this shift few aspects of how we do our jobs will be unchanged. This Security Voices episode is the first of five where we dig into the details of how the public cloud is transforming cybersecurity.Teri Radichel joins us to explain key concepts in public cloud technology, the differences from on-premises, migration options and more. If you’ve ever wondered what is meant by “lift and shift” or “cloud native”, this is for you. Teri’s background as a trainer, author and researcher shines through as she describes both broad concepts in easily understood terms but she also doesn’t spare the details for those who are already cl

  • The Cyber Career Doctor Is In: An Interview With Kathleen Smith

    29/07/2020 Duración: 01h20min

    If you’ve been laid off, furloughed or are just plain tired of everything, this episode is for you. Kathleen Smith, the longstanding cyber career expert at B-Sides (and beyond) joins us for a dialogue on what’s happening in the security job landscape. Lost your job? Kathleen explains a tried and true process for recovery, reflection and finding your next gig. Not to mention a few surprising options for those who aren’t afraid of a little adventure, such as the military reserves or a job in one of the often overlooked national laboratories.In a rare moment of good news this year, Kathleen explains how COVID-19 has driven an increase in cyber security jobs both in the government and commercial sectors in response to a recent increase in threat activity.  If you’re willing to put in the extra effort (and put down your cannabis), she also describes what it takes to score a government clearance and gain access to an entirely new pool of opportunities.Once a coveted perk, remote work has blown the job market wide o

  • Transforming healthcare & protecting privacy in a post-quantum world with RSA’s CTO, Dr. Zulfikar Ramzan

    05/07/2020 Duración: 01h11min

    Discussing cryptography is usually a surefire way to end a dinner conversation. It combines two things that intimidate (and bore) many people: hard tech and complex math. In spite of this, cryptography is on center stage today as it is the very foundation of defending our privacy and perhaps unlocking how we can safely share health information in the midst of the pandemic. There are few people who both understand and can explain cryptography in plain English better than Dr. Zulfikar Ramzan, CTO of RSA.Our hour long conversation with Zully tackles how concepts such as zero knowledge proofs and multiparty computation might be applied during the current COVID-19 pandemic. Historically, sharing healthcare information has been an “all or nothing” affair with difficult privacy trade-offs being made in the name of ensuring we receive the right care at the right time. Zully takes us through how long standing encryption concepts, now made practical by advances in computing, may allow us to selectively share vital h

  • The Longevity Formula: CSO Andy Ellis’ Wit, Wisdom & Wine Advice from 20+ Years at Akamai

    30/05/2020 Duración: 01h23min

    The average tenure of a CISO is 26 months due to high stress and burnout, according to a recent survey. In stark contrast, Andy Ellis has now been CSO at industry titan Akamai for over 20 years. Jack & Dave explore Andy’s longevity formula in a 70 minute interview that spans everything from his advice to young security leaders to the death of live events and why it’s perfectly fine if your favorite wine is a $16 malbec. While most of our episodes gradually ease into a more focussed conversation, our discussion with Andy jumps straight into the subject of applied human cognition— a common theme of his presentations and writing. He explains how his understanding of human thought patterns and biases directly influences his approach to conducting risk assessments and dealing with especially thorny conflicts. Far from theoretical, Andy breaks down exactly how he and his team enable Akamai to self assess and internalize risk in a fashion that expedites projects where the security team might otherwise be a bott

  • Untangling Zoom's Security Issues, Contact Tracing & End to End Encryption with Kenneth White

    09/05/2020 Duración: 01h03min

    The misinformation spread during the COVID-19 pandemic has made what happened with the 2016 U.S. elections look like the “good old days.” Epidemiologists are on center stage trying to explain complex topics to billions of people concerned for their lives-- and sometimes politicians are aiming to do the same. The multiplier effect is how hopelessly entangled challenging technical issues like end to end encryption and contact tracing via bluetooth on mobile phones are now also being publicly debated.The most natural reaction? Confusion. Kenn White is here to help.During our 60 minute conversation with Kenn, Jack and Dave go past the headlines trumpeting Zoom’s security issues in an attempt to lay bare the real issues with their recent missteps.  Their initially misleading claims around end to end (E2E) encryption is our primary focus, but before diving deep into Zoom, Kenn explains exactly how hard it is to make it work by describing his 2 year journey to deliver E2E encryption at MongoDB. We pull apart the rem

  • Next Gen Social Engineering: Hacking Humans with Social Roboticist, Straithe

    18/04/2020 Duración: 01h03min

    In the midst of the COVID-19 pandemic, it’s easy for thoughts to stray to the apocalypse. Nowhere is this tendency more common than when we talk about robots. Decades of books, movies and television have explored the topic of “when robots attack” and the calamity that follows. Today, domestic robots struggle to make it up the stairs and Siri can’t reliably order take-out… or even take notes. It all feels very far-fetched. And it is. However, if we move past the science fiction and look more closely at developments between humans and robots, we can begin to see some startling developments. This is the domain of Straithe, a pioneering researcher who studies how interactions between humans and robots can be abused and manipulated. We know very well how email, phone calls and websites can be used as part of elaborate social engineering schemes, what happens when the attacker’s tool looks like a person and can physically interact with us? While domestic robots like the Jetson’s Rosie are not wheeling around our

  • Scaling Data Science & Defending Machine Learning with CrowdStrike's Chief Scientist, Dr. Sven Krasser

    22/03/2020 Duración: 01h11min

    In this episode we step far beyond the hype cycle and dive into the details of scaling a data science team in the security industry with Dr. Sven Krasser. Sven joined CrowdStrike in the early days and the initial part of the conversation with Dave is an incredibly timely conversation covering how to structure and work with remote teams effectively. The interview was recorded a week before the 2020 RSA Conference in San Francisco when the early impact of COVID19 in the U.S. was just starting to be felt.There are 2 dominant themes to our conversation. First, Sven covers the hard realities of machine learning (ML) and warns against both over dependence and hyperbole. There are many areas where a more simplistic approach is going to get the job done faster and cheaper without the need to maintain a costly ML model. Sven shares his approach to choosing the right tool for the job and a handy tip for determining where ML marketing has gone astray.The second theme is the attack surface of ML itself. Seemingly long go

  • Day Job Series | BSides Origins, Present & Future

    01/03/2020 Duración: 01h03min

    The second half of our Day Jobs series is the very first Security Voices episode we recorded: Dave interviewing Jack on the origins, shenanigans and future of BSides. Jack charts the history of the conference from its inception at a rental house in Las Vegas with a couple hundred people to today where Security BSides is a global movement that has eclipsed 500 events (and growing).One of the most unique aspects of Security BSides is that anyone can create their own event. It is a nonprofit organization that has as its heart a single, potent principle: be good to and for your community. The flexibility of BSides to be molded to the needs of the local community wherever it goes, from Memphis to Riyadh, is a core ingredient of its success. Jack explains how they carefully walk the line of letting each organizer shape their own BSides conference while stepping in only as necessary to lend a helping hand or occasionally correct course when things have come off the rails. The “just enough” guidance approach extends

  • Day Job Series | Launching Open Raven

    11/02/2020 Duración: 01h03min

    Our February Security Voices episodes are a 2 part series where Jack and I focus on our “day jobs”, starting with the current episode on Open Raven. Part 2 will be the very first podcast we recorded, but never released where Dave interviews Jack on the origins and escapades of B-Sides. This is close as we intend to come to promoting anything explicitly on Security Voices and if you’re completely allergic to even the scent of such things, join us back in March where we’ll pick back up with an interview of the Chief Scientist at a high-profile security company. In the meantime, we thought you might appreciate a little background on what Jack and Dave do outside of Security Voices as it understandably colors our perspective, from the questions we ask to the stories we tell. Open Raven was officially founded in April of 2019 by Dave and Mark Curphey, whom some will recall was the focus of episode 5 of Security Voices. Rather than solely focus on the founders, something we feel happens entirely too much, we felt

  • Security Snake Oil & the Products We Deserve - a Conversation with Haroon Meer

    20/01/2020 Duración: 01h09min

    Could you create a fake cyber security company and rack up industry awards overnight? How about fabricating a founder and scoring them impressive job offers? Haroon Meer did both of these recently for a presentation titled “The Products We Deserve” as an exploration and commentary on the state of the industry. Jack, Dave & Haroon take on snake oil in security during an hour long conversation to determine exactly how someone could create a great company amidst the pressures that threaten to pull one in the wrong direction.The catalyst for Haroon’s presentation and our discussion is his personal experience at Thinkst where he has focused on building a “bottoms-up”, product first company that has grown steadily since its inception without venture capital. His thoughts, from how to deal with industry analysts to “ball pit marketing” at conferences, come from Thinkst’s direct experience aiming to not only grow the company, but grow it in a way that is true to their own values. How Haroon and Thinkst navigate c

  • Machine Learning & Connected Cars with Security Journeyman Josh Lemos

    04/01/2020 Duración: 01h14min

    Our 1st episode of 2020 is a story in three parts, beginning with hard fought wisdom of a veteran security practitioner, then diving deep into machine learning (ML) before wrapping up with how both security and AI apply to connected vehicles. The first part of our 74 minute conversation with Josh Lemos is the backstory of how he started his career in cybersecurity as a consultant... and left services to join ServiceNow as a practitioner. His time at ServiceNow lays out a solid formula for fixing application security inside a growth company who can little afford to slow down-- or suffer the pain of the inevitable breach if the situation doesn’t improve.​Jack & Dave’s conversation with Josh on ML lays down many of the basics and is intended to be a rough primer for future episodes where we will further explore the topic. We discuss how ML projects often take much more preparation than originally planned and topics that range from class imbalances, the differences between supervised/unsupervised ML, a starte

página 1 de 3