There are great stories in the security industry that aren’t being told. Fascinating people who fly below the radar and aren’t being heard. We know because we encounter them in hallways, hotel lobbies and just about everywhere imaginable across the globe. Every time we think “I wish I had recorded that conversation so that everyone could hear it…” Our goal with Security Voices is to provide a place for clear-headed dialogue with great people that’s unencumbered by the hyperbole and shouting that’s far too common in security circles. We don’t have anything against sponsors or sales pitches, but they run counter to our goal of cutting through the noise, so we don’t have either. We’re aiming for 100% clear signal.
Hard Knocks: Tomás Maldonado, CISO of the NFL
Imagine you’re walking past the sports book in Las Vegas. People are betting on baseball, horses, and the usual fare. Something catches your eye, you look more closely and you can’t believe your eyes. People are betting on whether or not you're going to fail at doing your job this week!
While this may sound far-fetched, this exact scenario played out for Tomás Maldonado, the then freshly minted CISO of the National Football League, when the 2020 NFL Draft unexpectedly shifted to a virtual format due to the pandemic. Across Las Vegas, people were betting on the probability of a cybersecurity event disrupting the draft: the exact type of incident Tomás was hired to prevent.
Our hour-long conversation with Tomás goes deep into the unique nature of “defending the shield” at the NFL, from concerns about drones at the games themselves to the elaborate planning that goes on before keystone events like the Super Bowl. He gives us a window into the extent of information sharing across sports leagues, all of which face a combination of physical and cyber threats unseen in most areas of the security industry.
Tomás explains how his pedigree at Goldman Sachs and 17 years in cybersecurity in financial services and beyond prepared him for his position at the NFL, where he’s responsible for protecting all 32 teams, which are equally customers and partners to his team.
Beyond his current work, Tomás and Dave discuss not only what makes a great career but how to leave a legacy that outlives your time in the field so that your fingerprints remain long after you’ve hung up your cleats.
The Compliance Episode - History, Theater & Industry-Reshaping Impact
First, a confession: this is the last episode we would have envisioned when we started Security Voices. Compliance was as mundane as it is mandatory, so where’s the fun in that? Where’s the untold, fascinating story of the person who summited the tallest mountain? Rose from ashes to improbable success?
In the short years that have passed since we started in early 2019, the world has changed dramatically. And so has compliance. From driving cyberinsurance premiums to becoming the security baseline even startups must achieve in their early days, compliance is now an undeniable juggernaut. While SOC 2 defines the scope of many companies’ security gameplans, GDPR and its kin drive how we respond to breaches, and industry-specific mandates influence what data we have, how we defend it and even where we store it.
In this episode, Jack and Dave welcome both Abby Kearns and Shrav Mehta to demystify exactly what’s happening in the world of compliance from two distinct perspectives. Abby speaks from her work on software assurance as CTO at Puppet (and beyond), whereas Shrav’s angle is that of a compliance startup CEO. Plainly stated: code on one side, standards and certifications on the other. Both increasingly important and horribly complex.
This 4 person dialogue traces the roots of compliance back to the early days of security and the inception of PCI DSS, one of the first widely impactful compliance initiatives to hit the industry. We chart the course of compliance to today and unpack where it has had meaningful impact… and where it is mere box-checking theater we could do without.
In a similar fashion, we examine the path to software compliance today and the inevitability of automation given the dramatic changes in release speed and frequency. Abby provides a sober take on where we are today, including a dialogue on what it means for response to threats such as Log4Shell.
If you’re a longtime listener, this episode connects back to so many of our past interviews, from Carey Nachenberg (supply chain security) to Andy Ellis (compliance perspective) and Nand Mulchandani, who recently became CTO of the CIA. We hope you appreciate the references if you have already heard those episodes, and if you haven’t, consider giving them a listen, as they’re some of our favorites and stand the test of time with flying colors.
Designing Category Smashing Businesses with Oliver Friedrichs (Phantom, Pangea)
For the second episode in a row, we’ve caught a seasoned entrepreneur at that perfect moment when they’ve started a new company but still have time for a conversation before their new adventure kicks into high gear. Oliver Friedrichs, founder of several security companies including Immunet and Phantom, joins us to talk product strategy as he embarks on a new journey to disrupt the security industry once again with his new venture Pangea.
The most critical first question for any young company is “what are we making?” Equally important is the follow-on question of what category the offering fits into, or how people should think about it. Is it a better version of something that exists? A new type of something that’s meaningfully different? Or is it an entirely new category of product they’ve never seen before?
Oliver and Dave discuss examples of each type of strategy from their own experience and the industry in general. The “better mousetrap” approach is covered with examples from antivirus and, more recently, cloud security posture management. We discuss when it is a good time to “next gen” a category to revitalize it and return it to growth; examples here include the Palo Alto Networks firewall and vulnerability management (from its early days as vulnerability assessment). Oliver and Dave call out the fatal mistake so many market incumbents make that results in their missing out on a refresh cycle.
Creating new categories dominates our conversation, and we explore Oliver’s case study of Phantom in depth. We start by explaining the core principles of a new category and lay bare some indicators that a product group hasn’t yet made the leap to a full-blown category. Oliver then shares the spark of an idea that led him to found Phantom as the first SOAR, followed by how he built the boundaries for their product and, ultimately, for the companies that followed their lead as the first mover. While most of our time is spent discussing what worked and didn’t from a product perspective, Oliver also shares his go-to-market playbook, including what he will avoid this time around and what he intends to do again with Pangea.
We wrap up with a quick look at the future of SOAR, and Oliver shares an early peek at what he’s building now at his new company. This episode is perfect for early cybersecurity companies looking for product advice, product professionals wrestling with category questions, or anyone who wants to listen in on a dialogue between two industry veterans geeking out on product.
Friedrichs serves as Founder and CEO of Pangea. Prior to Pangea, Friedrichs served as Vice President, Security Products at Splunk, driving the vision and direction of Splunk’s security portfolio. With a record in building four successful enterprise security companies over the past two decades, Friedrichs founded and served as CEO of Phantom (creators of the SOAR category, acquired by Splunk), founder and CEO of Immunet (early innovators in the cloud EDR category, acquired by Sourcefire/Cisco), co-founder of SecurityFocus (creators of Bugtraq and DeepSight, the world's first Internet early warning system, acquired by Symantec), and Secure Networks (one of the industry's first vulnerability management solutions, acquired by McAfee). Friedrichs also architected and developed a prototype of the first commercial penetration-testing product, SNIPER, acquired by Core Security Technologies in 2001 and further developed into CORE IMPACT. He attended the University of Manitoba and is the co-author of three security books and a recipient of 33 patents.
Startup Straight Talk with Serial Entrepreneur Alfred Huger
2+ years to interview Alfred Huger wasn’t too long to wait. After spending 8 years at Cisco following the acquisition of Sourcefire, Al recently departed the networking giant to do his 4th startup in as many decades. Unbound from the usual PR police, Al candidly speaks on a wide range of topics, from why he has stayed at companies long past acquisition to how to distinguish between a miserable and a winning acquirer.
Having raised venture capital funding from the 90s until now, Al’s experience charts a timeline of what’s happened to cybersecurity funding over the last 4 decades. From hardscrabble early days to today’s megarounds and eye-popping valuations, Alfred explains how he’s raising funding for his new company and why even a successful entrepreneur is not likely to bootstrap their business on their own funds alone.
Al shares his playbook for spotting the right product ideas, along with some blunt words of caution for those excited about the latest industry analyst report. While cybersecurity veterans critiquing reviews and analysts is by no means novel, we go beyond an explanation of the negative implications to a new development from an unexpected place that is improving transparency and the industry in general. And that marketing plan? Al explains how it starts with your product and not your website.
If you’ve ever thought about starting a cybersecurity company and wanted to sit down with a “been there done that” serial entrepreneur for a clear-headed, no nonsense dialogue, this episode is for you.
Pancakes & Machetes: A Dialogue with Lesley Carhart
There are few people, if any, who have given more of themselves to the cybersecurity community than Lesley Carhart. Our conversation with Lesley came immediately after the 3rd annual PancakesCon, a free conference she conceived with a unique “20 on, 20 off” format that celebrates who we are outside of work as much as what we accomplish as security professionals. In the fashion of a person who is both an incident response expert and a community organizer, the conference was pulled together in a frantic 11 days after Omicron wreaked havoc on winter conference schedules, leaving a gap Lesley saw needed to be filled.
Having joined the Air Force Reserve just before 9/11 with the intent to become an airplane mechanic, Lesley’s career has been spent balancing military service with “the usual” pressures of working in cybersecurity. She explains how she juggled her civilian and military life for 20 years up until her recent retirement as an Air Force Master Sergeant. Lesley recaps her two decades of service while laying out the good, the bad and the misconceptions for any who would follow in her footsteps.
Alongside her cybersecurity day job and military service, Lesley also actively practices and teaches martial arts to children. We explore what motivates her passion for serving those around her, focusing on her early difficulties breaking into the cybersecurity industry in spite of having had her first programming job at the age of 15. Lesley, Jack and Dave conclude with a hopeful dialogue on what more we have to do to create a truly diverse and supportive cybersecurity community, and how it might be the key to finally resolving the current staffing and burnout crisis.
Lesley Carhart is a Principal Industrial Incident Responder at the industrial cybersecurity company Dragos, Inc. She has spent more than a decade of her 20+ year IT career specializing in information security, with a heavy focus on response to nation-state adversary attacks. She is recognized as a subject matter expert in the field of cybersecurity incident response and digital forensics.
Prior to joining Dragos, she was the incident response team lead at Motorola Solutions. Her focus at Dragos is developing forensics and incident response tools and processes for uncharted areas of industrial systems. She is also a certified instructor and curriculum developer for the Dragos “Assessing, Hunting, and Monitoring Industrial Control System Networks” course.
She has received recognition such as DEF CON Hacker of the Year, a “Top Woman in Cybersecurity” from CyberScoop, “Power Player” from SC Magazine, and is a 2021 SANS Difference Makers award nominee.
In her free time, Lesley co-organizes résumé and interview clinics at several cybersecurity conferences, blogs and tweets prolifically about infosec, has served for 20 years in the USAF Reserve, and is a youth martial arts instructor.
Juggling Chainsaws: How Amanda Gorton fought Apple & the DMCA while building Corellium
Your fledgling startup has just been sued by one of the most powerful companies in the world.
How do you defend yourself?
And keep your company afloat?
This was the challenge faced by Amanda Gorton, CEO of Corellium, a company whose virtualization platform enables efficient mobile security research and quality testing across a massive variety of devices. Sued by Apple for both copyright infringement and violation of the Digital Millennium Copyright Act (DMCA), Amanda was thrust into an exhausting balancing act of defending and running her young business at the same time. In this episode of Security Voices, she shares the details of how she survived and successfully defended her company.
Dave and Amanda go beyond the lawsuit and into the tricky territory of companies like Corellium that provide a service whose sales process must be governed by a clear sense of ethics to keep it from falling into the wrong hands. She shares the real-world challenges of developing and applying such a policy in a company, and while it may be uncomfortable to trust a small company with such a weighty responsibility, they just might be the very best option we have.
We explore the complicated nature of the DMCA in a world that has changed dramatically since its anti-Napster-driven inception back in the late 90s. From the NSA’s release of Ghidra to Web3, we muse on the future of the DMCA, whose relevance seems to be slipping into the history books.
Amanda Gorton is co-founder and CEO of Corellium, which provides an Arm-native cloud platform that virtualizes mobile and IoT devices across iOS, Android, and Linux. Corellium enables never-before-possible security research, development, and quality testing of apps, firmware, and hardware on Arm. Previously, Gorton co-founded and was the CEO of security startup Virtual, which was acquired by Citrix in 2014. She earned a degree in classics from Yale University.
Valuable insights from knowledgeable industry SMEs
Dave Cole and Jack Daniels host great subject matter experts with practical security insights based on their experiences in the industry. No filler. Useful without the boring fluff. Add to this that they don't accept sponsorship $ to muddy the waters: you get clear-headed discussion uncolored by product pitches.
Love this sample and initial launch of fascinating conversations. Keep them coming!!
Fascinating Infosec Stories
Excellent new infosec podcast with knowledgeable hosts and interesting guests.