Security Voices


There are great stories in the security industry that aren’t being told. Fascinating people who fly below the radar and aren’t being heard. We know because we encounter them in hallways, hotel lobbies and just about everywhere imaginable across the globe. Every time, we think, “I wish I had recorded that conversation so that everyone could hear it…” Our goal with Security Voices is to provide a place for clear-headed dialogue with great people that’s unencumbered by the hyperbole and shouting that’s far too common in security circles. We don’t have anything against sponsors or sales pitches, but they run counter to our goal of cutting through the noise, so we don’t have either. We’re aiming for 100% clear signal.

  1. 11/27/2023

    Cultural Decryption: A Closer Look at Understanding the India/U.S. Relationship in Cyber

    The ascendancy of India in Silicon Valley is undeniable. From top executives such as Satya Nadella (Microsoft) and Nikesh Arora (Palo Alto Networks) to leading investors, we’ve become well accustomed to working with, and often for, people who have immigrated from India. Given that the wave of immigration from India started decades ago, our Indian coworkers, investors and leaders are such an established part of the tech industry that we often give little thought to the cultural differences that underlie our daily interactions. Nonetheless, the move to remote work strips away much of the high-fidelity, in-person interaction that makes understanding each other easier, even if we were raised on different continents, speaking different languages, etc. In simple terms, while the stakes for understanding each other have never been higher, our actual means of communicating have gotten worse. This episode of Security Voices combines the perspectives of two experienced security leaders, Ashish Popli of Spotnana and Jason Loomis of Freshworks, along with Jack and Dave. Ashish has been working in the U.S. since he completed his master’s at Stony Brook in ‘02, whereas Jason took the role of CISO for the Chennai-based Freshworks a little over a year ago. Their combined perspectives provide a 360-degree view of both what it takes for an Indian security leader to adapt and how a Los Angeles-based security leader has navigated the unique challenges of having a team based in India. Jack explains how B-Sides conferences in India also bear the clear imprint of the country’s culture. Over our roughly 60-minute discussion, Ashish and Jason share their stories of what works, what doesn’t, and, perhaps most importantly, we explore the “why” behind those moments when something seems to be lost in translation.
    We hope you have a few “aha” moments like we did during the conversation and that this episode serves as a practical reminder that while much unites us in the tech industry, we can go even further when we understand and respect our differences as well.

    1 hr
  2. 10/03/2023

    Farewell, Sun Tzu: The Modern Security Mindset with Kelly Shortridge

    The classic mindset of cybersecurity unmistakably originates from its early leaders: financial services, the defense industrial complex, and big companies that had too much to lose from ignoring what was called at the time “information security risk”. They tried to calculate largely unknowable risks to explain digital concepts to analog executives. They leaned on medieval metaphors such as castles and moats to make formerly arcane technology like firewalls understandable to people who had just gotten their first AOL email address. And Sun Tzu quotes were used to make it absolutely clear that we were in a war against a shadowy, determined enemy that demanded our attention (and a generously sized budget). The cybersecurity landscape today bears little resemblance to those early days, but far too much of how we reason about our industry is still clearly traceable back to them. Kelly Shortridge’s Security Chaos Engineering is a sneakily titled book that has less to do with testing technical boundaries and much more to do with modernizing our headspace to accommodate the new, incredibly complex environment we find ourselves in today. Sun Tzu quotes are replaced by Ursula K. Le Guin and Buckminster Fuller. Jurassic Park analogies take center stage. Ice cream metaphors and decision trees supported by open source projects make the formerly esoteric approachable. Practical, even. Our one-hour conversation with Kelly covers many of the core ideas in the book she recently published along with Aaron Rinehart, centering on adopting a mindset of evaluation and experimentation. A common thread running through the dialogue is that of empowerment: we live in a privileged time where much of what we do now can be stress tested to build resiliency. And that this is a far more sane approach given modern complexity than attempting to comprehensively model risk and prevent attacks. Cat and mouse?
    No, we and our adversaries are peers on equal footing who are capable of both offense and defense. The future, and the present for those who lean into it, is much more Spy vs. Spy than Tom and Jerry. We hope this dialogue takes you at least one step closer to it.

    1h 3m
  3. 08/28/2023

    Choosing your own adventure: Frank Wang on academia, VC, sec engineering & side hustles

    Let’s say it’s 2012. And you're graduating from Stanford with a comp sci degree. You could go to Google, Facebook or any of a number of well-paying emerging juggernauts. If you’re Frank Wang, you move to the other coast and do your PhD in cybersecurity at MIT. Now you’re doing your PhD. And you make pals with a local VC. So naturally, you start a cybersecurity incubator as an academic (Cybersecurity Factory) which churns out companies such as Huntress Labs. Your PhD is in the bag now and you're ready to start making money. Time to apply all of that theory from academia in a company, right? Wrong. If you’re Frank Wang, you become a VC at Dell Capital. It’s the middle of the Covid pandemic and VC is going bonkers. Massive amounts of capital are being allocated in a frenzy unlike anything we’ve seen in decades. If ever. Rather than joining in the party, Frank sees it as a clear signal that it’s time to move on and becomes a security engineering leader at modern data stack company DBT. Now that you’ve got a comfortable job at a high-flying tech company, it’s time to take your foot off the gas pedal, right? Do your part and ride it out through a lucrative exit. Frank saw this as the time to step up his side hustle instead and start the popular blog and newsletter, Frankly Speaking. The conversation is a little over an hour of Dave exploring the career arc of Frank to date and what he’s learned while blazing his own, unconventional trail through cybersecurity. The unique road he has traveled lends him perspective for those who want to better understand VCs, running a side business, or simply what happens when you ignore conventional wisdom and have the courage to make your own path.

    59 min
  4. 07/31/2023

    Episode #57: Claroty’s Galina Antova on the global infrastructure war & building a $100M OT security juggernaut

    This past weekend, the New York Times posted an article explaining that the United States is scrambling to clean government systems of a deep, pervasive infiltration of the country’s infrastructure by the Chinese. Much like the Russian attacks on Ukrainian infrastructure, the intent appears to be to disrupt any U.S. action that would be a response to Chinese military action in Taiwan. The role of nation-state actors in driving the threat landscape has brought us to a place where the lines between physical and cybersecurity are no longer blurry, but simply erased. Galina Antova, founder and Chief Business Officer of Claroty, shares her expertise in operational technology (OT) security with us in an hour-long interview in the latest episode of Security Voices. We begin by walking through the recent industrial security threat landscape with an emphasis on INCONTROLLER/Pipedream and discuss the impact of the Russian/Ukrainian war, tracing its origins back to a landmark attack in 2015. Galina and Dave explain the uncomfortable truths about the current state of OT security, starting with the fact that, other than in nuclear energy facilities, air gaps are as common as unicorns and other mythological beasts. Galina explains why OT security teams necessarily have to operate with older equipment and more caution than conventional IT security teams. Further, while we have not seen massive infrastructure disruptions to date, the real reason behind this offers us little comfort. In the second half of our interview, Galina describes her journey as a founder of Claroty and what it took to build a $100M ARR company over 8 years. For a category decades in the making with notoriously long sales cycles and risk-averse buyers, she takes us through the playbook she and her co-founders used to establish a beachhead and expand into a global OT security juggernaut.
    We pinpoint why the pandemic was a breakthrough moment for OT security, catapulting solution providers to new heights, and why this had little to do with new threats and everything to do with enabling digital transformation. We bring the episode to a close with a dialogue on gender equity in cybersecurity and specifically how men can do their part by adjusting a couple of key assumptions when interacting with women in business.

    1h 6m
  5. 06/20/2023

    Defending the U.S. Communications Backbone in the Age of CyberWar: Dialogue & Career Retro with Mary Haynes

    "Any country that intervenes in Taiwan will face serious consequences, including cyber attacks." This statement in January by the Chinese Ministry of Foreign Affairs made clear that the United States must be ready to defend itself in what many assume to be an inevitable conflict over Taiwan’s independence. It raises the question: how will we defend ourselves from such a powerful adversary with one of the best cyber armies in the world? At the heart of the answer is the United States’ infrastructure: an interconnected web of both government and for-profit companies that provide core services to the citizens. This public/private partnership is most evident where it matters most: energy and communications. Mary Haynes, Group Vice President of Charter Communications and industry cybersecurity veteran, has worked with presidential administrations across her multi-decade career to serve the twin goals of protecting her customers and making the country more resilient to attacks. Our 72-minute conversation with Mary starts with how our communications industry is responding to the threat and the Biden administration’s somewhat unique approach. We explore two critical areas to mounting a credible defense: 1) ensuring the security of consumer-managed connectivity hardware and 2) addressing traffic hijacking and route misadvertisements by shoring up BGP with RPKI. Throughout the conversation, we get a clear view into the combination of big-picture thinking, technical acumen and diplomacy that has taken Mary to one of the top roles in defending the U.S. communications backbone. While the first part of the conversation discusses her and the communications industry’s readiness to defend against nation-state adversaries, the remainder of our interview serves as a brief career retrospective for Mary as she plans to start her transition into retirement later this year.
    On the topic of dealing with seismic technology shifts, she reflects on our response to the public cloud and how that should inform the cybersecurity industry’s response to the current advancements in artificial intelligence. As we wrap up, Mary explains where we’ve made progress with regard to diversity and her advice for women considering a career in cybersecurity. Mary’s optimism and clarity of vision leave a strong impression throughout the dialogue; we wish her the very best as she moves from leader and practitioner to advisor and board member later this year.

    1h 15m
  6. 05/06/2023

    The Hidden Dangers of Generative AI: Who is Responsible for Protecting our Data?

    The breakaway success of ChatGPT is hiding an important fact and an even bigger problem. The next wave of generative AI will not be built by trawling the Internet but by mining the hoards of proprietary data that have been piling up for years inside organizations. While Elon Musk and Reddit may breathe a sigh of relief, this ushers in a new set of concerns that go well beyond prompt injections and AI hallucinations. Who is responsible for making sure our private data doesn’t get used as training data? And what happens if it does? Do they even know what’s in the data to begin with? We tagged in data engineering expert Josh Wills and security veteran Mike Sabbota of Amazon Prime Video to go past the headlines and into what it takes to safely harness the vast oceans of data they’ve been responsible for in the past and present. Foundational questions like “who is responsible for data hygiene?” and “what is data governance?” may not be nearly as sexy as tricking AI into saying it wants to destroy humanity, but they arguably will have a much greater impact on our safety in the long run. Mike, Josh and Dave go deep into the practical realities of working with data at scale and why the topic is more critical than ever. For anyone wondering exactly how we arrived at this moment where generative AI dominates the headlines and we can’t quite recall why we ever cared about blockchains and NFTs, we kick off the episode with Josh explaining the recent history of data science and how it led to this moment. We quickly (and painlessly) cover the breakthrough attention-based transformer model introduced in 2017 and the key events that have happened since that point.

    1h 4m
  7. 03/26/2023

    Threat modeling life: Prepping for the rest of us with Michal Zalewski (lcamtuf)

    Hidden bunkers, stacks of canned food and piles of artillery. Disaster preparedness has become an Internet meme, and these are some of the “prepper” community’s showcase images. But most of us who have lived through the recent pandemic, the Capitol insurrection on January 6th and more no longer take the threat of a major disaster lightly. For those of us not willing or able to dig out a backyard bunker, is there a rational middle ground where we can feel well-prepared for whatever comes next? Software security legend Michal Zalewski (lcamtuf) answers this question and many others in his third book, Practical Doomsday: A User's Guide to the End of the World. Using familiar threat modeling principles, Michal explores everything from evacuation gear and bulletproof vests to the genuine probabilities of civil war and a zombie apocalypse. In what can only be described as an unbelievable coincidence, Jack and Dave’s hour-long interview with Michal was recorded the same day Silicon Valley Bank collapsed and was taken into government receivership. In spite of the understandably dire subject matter, Michal’s equal sense of optimism and pragmatism steers us towards the middle path of rational risks and what a “normal” person should consider doing to be ready. It’s not nearly as hard as you might think, and the peace of mind gained was well worth taking a hard look at the worst-case scenario. This interview separates almost cleanly into two parts, as we focus on the opportunity and threat of artificial intelligence around the 32-minute mark, starting with Michal’s approach to writing. The real threat of generative AI driving truly deceptive attacks takes center stage as we explore how the ability to easily generate compelling documents, images, video, etc. may make it nearly impossible to distinguish between reality and a scam.
    No conversation on AI and threats seems to be able to avoid mention of the singularity threat; however, Michal keeps true to form and narrows in on the much more likely “paperclip problem” of mundane AI optimizing humans out of existence. This was one of our favorite episodes in ages; we hope you enjoy it and learn as much from it as we did. We also hope you got your money out of SVB, just like Dave did the week after this was recorded. Stay safe.

    1h 7m