16 JAN 2024 · After 5 seasons, it’s curtain call for Security Voices. In this final episode, Jack and I reflect on half a decade of podcasting together through times that were both extraordinary for the world and for each of us personally. We discuss some of our favorite moments, most memorable guests, and the lessons learned from roughly 60 episodes of exploring the unique personalities and stories of cybersecurity. At around 40 minutes, our last pod is more short and sweet than long, tearful farewell. The Security Voices website will continue to be up for the foreseeable future so that it can be happily devoured by generative AI and any humans sticking around who want to know what things we’re like in the beforetimes. Jack and I hope that we left the industry a little better than when we started this project back in the winter of 2019. Thanks for listening.

27 NOV 2023 · The ascendancy of India in Silicon Valley is undeniable. From top executives such as Satya Nadella (Microsoft) and Nikesh Arora (Palo Alto Networks) to leading investors, we’ve become well accustomed to working with and often for people who have immigrated from India. Given the wave of immigration from India started decades ago, our Indian coworkers, investors and leaders are such an established part of the tech industry that we often give little thought to the cultural differences that underlie our daily interactions. Nonetheless, the move to remote work strips away much of the high fidelity, in person interactions that make understanding each other easier, even if we were raised on different continents, speaking different languages, etc. In simple terms, while the stakes for understanding each other have never been higher, our actual means of communicating have gotten worse. This episode of Security Voices combines the perspectives of two experienced security leaders, Ashish Popli of Spotnana and Jason Loomis of Freshworks along with Jack and Dave. Ashish has been working in the U.S. since he completed his Masters at Stony Brook in ‘02 whereas Jason took the role of CISO for the Chennai-based Freshworks a little over a year ago. Their combined perspectives provide a 360 degree view of both what it takes for an Indian security leader to adapt and how a Los Angeles-based security leader has navigated the unique challenges of having a team based in India. Jack explains how B-Sides conferences in India also bear the clear imprint of the country’s culture. Over our roughly 60 minute discussion, Ashish and Jason share their stories of what works, what doesn’t, and perhaps most importantly, we explore the “why” behind those moments when something seems to be lost in translation. We hope you have a few “aha” moments like we did during the conversation and that this episode serves as a practical reminder that while much unites in the tech industry, we can go even further when we understand and respect our differences as well.

3 OCT 2023 · The classic mindset of cyber security unmistakably originates from its early leaders: financial services, the defense industrial complex, and big companies that had too much to lose from ignoring what was called at the time “information security risk”. They tried to calculate largely unknowable risks to explain digital concepts to analog executives. They leaned on medieval metaphors such as castles and moats to make formerly arcane technology like firewalls understandable to people who just got their first AOL email address. And Sun Tzu quotes were used to make it absolutely clear that we were in a war against a shadowy, determined enemy that demanded our attention (and a generously sized budget). The cybersecurity landscape now bears little resemblance today to those early days, but far too much of how we reason about our industry is still clearly traceable back to those early days. Kelly Shortridge’s Security Chaos Engineering is a sneakily titled book that has less to do with testing technical boundaries and much more to do with modernizing our headspace to accommodate the new, incredibly complex environment we find ourselves in today. Sun Tzu quotes are replaced by Ursula K. Le Guin and Buckminster Fuller. Jurassic park analogies take center stage. Ice cream metaphors and decision trees supported by open source projects make the formerly esoteric approachable. Practical even. Our 1 hour conversation with Kelly covers many of the core ideas in the book she recently published along with Aaron Rhinehart, centering on adopting a mindset of evaluation and experimentation. A common thread running through the dialogue is that of empowerment: we live in a privileged time where much of what we do now can be stress tested to build resiliency. And that this is a far more sane approach given modern complexity than attempting to comprehensively model risk and prevent attacks. Cat and mouse? No, we and our adversaries are peers on equal footing who are capable of both offense and defense. The future, and the present for those who lean into it, is much more Spy vs. Spy than Tom and Jerry. We hope this dialogue takes you at least one step closer to it.

28 AUG 2023 · Let’s say it’s 2012. And you're graduating Stanford with a comp sci degree. You could go to Google, Facebook or any of a number of well-paying emerging juggernauts. If you’re Frank Wang, you move across the coast and do your PhD in cybersecurity at MIT. Now you’re doing your PhD. And you make pals with a local VC. So naturally, you start a cybersecurity incubator as an academic (Cybersecurity Factory) which churns out companies such as Huntress Labs. Your PhD is in the bag now and you're ready to start making money. Time to apply all of that theory from academia in a company, right? Wrong. If you’re Frank Wang, you become a VC at Dell Capital. It’s the middle of the Covid pandemic and VC is going bonkers. Massive amounts of capital being allocated in a frenzy unlike anything we’ve seen in decades. If ever. Rather than joining in the party, Frank sees it as a clear signal that it’s time to move on and becomes a security engineering leader at modern data stack company DBT. Now that you’ve got a comfortable job at a high flying tech company, it’s time to take your foot off the gas pedal, right? Do your part and ride it out through a lucrative exit. Frank saw this as the time to step up his side hustle instead and start the popular blog and newsletter, Frankly Speaking. The conversation is a little over an hour of Dave exploring the career arc of Frank to date and what he’s learned while blazing his own, unconventional trail through cybersecurity. The unique road he has traveled lends him perspective for those who want to better understand VCs, running a side business, or simply what happens when you ignore conventional wisdom and have the courage to make your own path.

31 JUL 2023 · This past weekend, the New York Times posted an article explaining the United States is scrambling to clean government systems from a deep, pervasive infiltration of the country’s infrastructure by the Chinese. Much like the Russian attacks on Ukrainian infrastructure, the intent appears to be to disrupt any U.S. action that would be a response to Chinese military action in Taiwan. The role of nation state actors in driving the threat landscape has brought us to a place where the lines between physical and cybersecurity are no longer blurry, but simply erased. Galina Antova, founder and Chief Business Officer of Claroty, shares her expertise in operational technology (OT) security with us in an hour long interview in the latest episode of Security Voices. We begin by walking through the recent industrial security threat landscape with an emphasis on INCONTROLLER/Pipedream and discuss the impact of the Russian/Ukrainian war, tracing its origins back to a landmark attack in 2015. Galina and Dave explain the uncomfortable truths about the current state of OT security, starting with the fact that, other than nuclear energy facilities, air gaps are as common unicorns and other mythological beasts. Galina explains why OT security teams necessarily have to operate with older equipment and more caution than conventional IT security teams. Further, while we have not seen massive infrastructure disruptions to date, the real reason behind this offers us little comfort. In the second half of our interview, Galina describes her journey as a founder of Claroty and what it took to build a $100M ARR company over 8 years. For a category decades in the making with notoriously long sales cycles and risk averse buyers, she takes us through the playbook she and her co-founders used to establish a beachhead and expand into a global OT security juggernaut. We pinpoint why the pandemic was a breakthrough moment for OT security, catapulting solutions providers to new heights and why this had little to do with new threats and everything to do with enabling digital transformation. We bring the episode to a close with a dialogue on gender equity in cybersecurity and specifically how men can do their part by adjusting a couple key assumptions when interacting with women in business.

20 JUN 2023 · "Any country that intervenes in Taiwan will face serious consequences, including cyber attacks." This statement in January by the Chinese Ministry of Foreign Affairs made clear that the United States must be ready to defend itself in what many assume to be an inevitable conflict over Taiwan’s independence. It begs the question, how will we defend ourselves from such a powerful adversary with one of the best cyber armies in the world? At the heart of the answer is the United States infrastructure: an interconnected web of both government and for profit companies that provide core services to the citizens. This public / private partnership is most evident where it matters most: energy and communications. Mary Haynes, Group Vice President of Charter Communications and industry cybersecurity veteran, has worked with presidential administrations across her multi-decade career to serve the twin goals of protecting her customers and making the country more resilient to attacks. Our 72 minute conversation with Mary starts with how our communications industry is responding to the threat and the Biden administration’s somewhat unique approach. We explore two critical areas to mounting a credible defense: 1) Ensuring the security of consumer managed connectivity hardware and 2) Addressing traffic hijacking and route misadvertisements by shoring up BGP with RPKI. Throughout the conversation, we get a clear view into the combination of big picture thinking, technical acumen and diplomacy that have taken Mary to one of the top roles in defending the U.S. communications backbone. While the first part of the conversation discusses her and the communications industry’s readiness to defend against nation state adversaries, the remainder of our interview serves as a brief career retrospective for Mary as she plans to start her transition into retirement later this year. On the topic of dealing with seismic technology shifts, she reflects on our response to the public cloud and how that should inform the cybersecurity industry’s response to the current advancements in artificial intelligence. As we wrap up, Mary explains where we’ve made progress with regards to diversity and her advice for women considering a career in cybersecurity. Mary’s optimism and clarity of vision leave a strong impression throughout the dialogue; we wish her the very best as she moves from leader and practitioner to advisor and board member later this year.

6 MAY 2023 · The breakaway success of ChatGPT is hiding an important fact and an even bigger problem. The next wave of generative AI will not be built by trawling the Internet but by mining hordes of proprietary data that have been piling up for years inside organizations. While Elon Musk and Reddit may breathe a sigh of relief, this ushers in a new set of concerns that go well beyond prompt injections and AI hallucinations. Who is responsible for making sure our private data doesn’t get used as training data? And what happens if it does? Do they even know what’s in the data to begin with? We tagged in data engineering expert Josh Wills and security veteran Mike Sabbota of Amazon Prime Video to go past the headlines and into what it takes to safely harness the vast oceans of data they’ve been responsible for in the past and present. Foundational questions like “who is responsible for data hygiene?” and “what is data governance?” may not be nearly as sexy as tricking AI into saying it wants to destroy humanity but they arguably will have a much greater impact on our safety in the long run. Mike, Josh and Dave go deep into the practical realities of working with data at scale and why the topic is more critical than ever. For anyone wondering exactly how we arrived at this moment where generative AI dominates the headlines and we can’t quite recall why we ever cared about blockchains and NFTs, we kick off the episode with Josh explaining the recent history of data science and how it led to this moment. We quickly (and painlessly) cover the breakthrough attention-based transformer model explained in 2017 and key events that have happened since that point.

26 MAR 2023 · Hidden bunkers, stacks of canned food and piles of artillery. Disaster preparedness has become an Internet meme and these are some of the “prepper” community’s showcase images. But most of us who have lived through the recent pandemic, the Capital insurrection on January 6th and more no longer take the threat of a major disaster lightly. For those of us not willing or able to dig out a backyard bunker, is there a rational middleground where we can feel well-prepared for whatever comes next? Software security legend Michal Zalewski (lcamtuf) answers this question and many others in his third book https://nostarch.com/practical-doomsday: A User's Guide to the End of the World. Using familiar threat modeling principles, Michal explores everything from evacuation gear and bulletproof vests to the genuine probabilities of civil war and a zombie apocalypse. In what can only be described as an unbelievable coincidence, Jack and Dave’s hour long interview with Michal was recorded the same day Silicon Valley Bank collapsed and was taken into government receivership. In spite of the understandably dire subject matter, Michal’s equal sense of optimism and pragmatism steer us towards the middle path of rational risks and what a “normal” person should consider doing to be ready. It’s not nearly as hard as you might think and the peace of mind gained was well worth taking a hard look at the worst case scenario. This interview is nearly cleanly separated into two parts as we focus on the opportunity and threat of artificial intelligence around the 32 minute mark, starting with Michal’s approach to writing. The real threat of generative AI to drive truly deceptive attacks takes center stage as we explore how the ability to easily generate compelling documents, images, video, etc. may make it nearly impossible to distinguish between reality and a scam. No conversation on AI and threats seems to be able to avoid mention of the singularity threat, however, Michal keeps true to form and narrows in on the much more likely “paperclip problem” of mundane AI optimizing humans out of existence. This was one of our favorite episodes in ages, we hope you enjoy it and learn as much from it as we did. We also hope you got your money out of SVB, just like Dave did the week after this was recorded. Stay safe.

6 FEB 2023 · Continuing from https://www.securityvoices.org/episode/tomas-maldonado who has the unique job of securing the NFL, we have a conversation with Allen Ohanian whose day job is to protect the Los Angeles Department of Child and Family Services (DCFS). LA DCFS is the largest agency of its type in the United States, its central focus is its 10,000 social workers who help defend some of the most vulnerable people in Southern California. Allen’s role as CISO of the DCFS is to make sure that both the social workers– and all of the highly sensitive family data– stay safe and sound while they navigate some of the most complicated scenarios you can imagine. The army of people working in cybersecurity chartered with this mission? 5 people strong. Welcome to the government. When you’re outnumbered 10,000 to 5, the name of the game is leverage. Allen explains how his team harnesses cloud services in order to amplify their impact, such as migrating from their own facilities to services such as AWS Call Center. Beyond the cloud, his primary approach is treating humans as the first and last line of defense, aiming to ensure they keep themselves and their data out of trouble. Allen’s belief in this approach is deep enough to motivate him to pursue a PhD in psychology. He’s also no stranger to traditional security controls, having clamped down on USB drives and restricted the iPhones that power social worker data collection in the field. Lastly, partnerships with law enforcement and the major cloud providers also allow their small cybersecurity team to extend their reach. In this short interview, Allen describes the unique threat model of the DCFS and how ultimately it ends up with concerns that bear a strong resemblance to critical infrastructure where availability is the top priority. Urgent, critical calls from children and families in crisis simply have to get through. Social workers must be kept safe. No exceptions. We hope that his interview with Allen provides a much needed window into the practical challenges of running cybersecurity for a large-scale government agency. Mission-driven CISOs like Allen work long hours against seemingly impossible odds for pay that’s far less than their commercial counterparts. We owe them a debt of gratitude and where we can, a helping hand.

5 JAN 2023 · After 2 decades of trying to make SIEMs work, security data lakes are a hot topic as they present an increasingly attractive alternative. The only hotter topic is ChatGPT and the game changing potential of AI. So in episode 52 of Security Voices, we mash the two together as Dave, Pathik Patel (Informatica), and Omer Singer (Snowflake) explore the many angles of security data lakes with an AI-assist from ChatGPT. From a functional definition to dishing on whether security data lakes signal the death of the SIEM, ChatGPT weighs in impressively early in the episode. Its later performance is much more suspect, seemingly gassing out under the pressure of harder (more poorly formed?) questions and likely a knee-buckling workload from millions of others testing the service simultaneously. The humans go on to discuss the real-time expectations for SIEMs vs. the “single source of truth” nature of security data lakes which lead to an exploration of product “suites” vs. specialized services and promise of the data lake to potentially unify them all. The week prior to the recording was the announcement of both the Open Cybersecurity Schema Framework (https://github.com/ocsf/) standard alongside AWS’ new https://aws.amazon.com/about-aws/whats-new/2022/11/amazon-security-lake-preview/ offering built on top of S3. We discuss the implications of AWS entering the space and what it means for already entrenched companies like Snowflake and Splunk. Pathik explains the significance of OCSF for security leaders and his projection of how important it will be for alleviating vendor lock-in and ultimately boosting our ability to provide strong security analytics. The practical realities of building and running a security data lake are clearly described from Pathik’s experience at Informatica focusing on harmonizing and reporting on vulnerability data. He makes plain the amount of work involved– and the clear benefits of piggybacking off the company’s existing data lake. The episode wraps with ChatGPT refusing to say anything further while Omer and Pathik take turns doing some end of year crystal ball gazing.