The CTO Determined to Solve Cybersecurity

Archis shares the story of his experience of Spectre and Meltdown and the lessons vendors could learn from it. He discusses the importance of compliance but suggests organizations go further than the minimum bar. Finally, Archis reassures the cyber industry that it won’t become obsolete if it solves the cybersecurity challenge because there will always be more problems to solve.

03:25 Lessons from Spectre and Meltdown: The security role can be a very lonely one when bad things happen.

04:51 In a crisis, where are the vendors? Who is on the side of SecOps?

09:02 Business owners need to accept a cyber breach is inevitable and their security teams need to look for solutions that do more than just prevent.

10:44 Vendors must demonstrate customer empathy and build solutions that focus on the inevitable and varying bugs, breaches, and attacks.

12:24 Instead of focusing on compliance, organizations should take a proactive view of risk and impact. Then they will automatically become compliant because compliance is the minimum bar.

14:47 The concept of Demonstrable Trustworthiness – trust that must be earned in each transaction – is demonstrated by meeting expected behavior. AI and ML can never meet this.

15:57 Trust only happens when there is shared collateral.

17:22 Set minimum parameters for loss then build your system design around those.

18:17 VCs creating evermore cybersecurity unicorns is not solving our cybersecurity problems.

21:57 Solving, creating and innovating will not make cybersecurity obsolete. There are still billion-dollar problems out there. Maybe on Mars.

Archis Gore Interview Transcript

Security on Our Most-Used Device

Vincent discusses the neglected world of mobile security. He shares insights on how to get a government contract and offers sound advice to both vendors and practitioners.

02:06 We need to be able to trust the result that comes out of a security vendor tool.

04:05 Vendors need to be honest upfront, check their facts, and have substantiating evidence because trust and reputation are very important.

06:58 Just how hard is it to become a government vendor?

11:19 Mobile security is 100 percent underrepresented in the industry.

12:26 You have antivirus on your laptop; where is the endpoint protection for your phone?

14:10 BYOD or enterprise owned, how should app downloads be governed?

15:05 Ownership of security in the mobile landscape still belongs to the enterprise. IoT isn’t as smart as we think it is … yet.

18:16 Enterprises have got to do the basics: know how many devices they have and know how to protect them.

19:19 For CISOs managing tight budgets look to consolidate, look to leverage existing technologies; that will help save money and mature enterprise security overall.

19:35 Get ahead of the curve. If you’re in a regulated industry, those regulations will get updated. Make sure you’re protected upfront.

21:55 Vendors must be honest about their strengths and weaknesses because practitioners factcheck.

Vincent Sritapan Interview Transcript

The storytelling CISO who leads by example

Gary points out that a CISO’s hardest job is to help executives understand the value of cybersecurity and shares that storytelling is invaluable in gaining trust and promoting understanding.

02:34 In a breach the CISO does not own 100 percent of the blame.

03:46 CISO’s help manage risk, but they do not own it. Risk belongs to the company.

04:43 Companies are getting mature about dealing with risk, security is just another part of that.

06:13 Managing cyber risk is not a one-off, it’s a life cycle.

08:03 One of a CISO’s toughest jobs is getting executives to understand the value of what you are doing and spending all the money and resources on.

09:14 Take the security speak and put it in to stories that people can relate to. Use storytelling and laughter to win champions and support within the company.

10:14 Use storytelling to help the board see how security benefits the business. Share your strategies and forget the fear factor.

12:50 Vendors can use storytelling to build trust too, but they need to do their homework and get context to understand their customers.

16:36 The three-step process that smart cities can teach enterprise about security: assessment, remediation and enforcement.

17:34 Cyber is continuous, it’s a life cycle, but continuous is hard for organizations because it requires resources.

19:52 Unfortunately, in many companies, continuous security is not considered the norm, instead they ride the ups and downs of incidents.

20:30 Cybersecurity is never done.

21:56 Management is servant-leadership. Don’t just manage people, actually serve them, lead them, and mentor them.

24:11 Build training maps for your staff, so they can see where they are at and where they are going.

Interview with Gary Hayslip | 2

25:19 How to retain your staff: make it fun.

Gary Hayslip Interview Transript

Back to Basics

Scott shares his lessons from 30 years at the FBI. He states that 90 percent of cybercrime could be prevented with simple user education and cautions us all to know what our children are doing on the internet.

02:20 Nobody ever expects to be a victim of cybercrime. From large companies to individuals, too many are misinformed and underestimate the threat.

03:53 The bad guys do not care who you are, they just want the information you hold.

04:11 The bad news: The bad guys will steal your stuff, law enforcement won’t be able to retrieve it, and they won’t be able to catch the bad guys.

06:10 The good news: 90 percent of incidents could be prevented by simple user education, well-defined business processes, and two-factor authentication.

09:36 The more money we spend on cybersecurity and prevention, the more cybercrime there is. We’re just not doing this right.

13:24 Organizations do not understand the lack of sophistication that is required to pull off a major financial cybercrime.

15:16 Being compliant is not the same thing as being secure.

18:39 We need to train people on the risks and simple cyber protections at home because then they will bring those habits to work.

19:36 When an employee becomes a victim of cybercrime, the enterprise suffers too.

21:26 FBI versus FBE — somebody has to teach the basics.

24:19 Cybercrime extends beyond the corporate world to somewhere even more precious: if something happens to your children online, you can never get their innocence back.

Scott Augenbaum Interview Transcript

Operational Technology is Underrepresented in Cybersecurity

Jason talks about cyber crime in OT and the huge impact it has on human life, infrastructure, and energy resources. He discusses the importance of frameworks in encouraging good, ethical behavior and shares his thoughts on digital consumer rights being determined by geography.

02:41 OT is underrepresented and little understood, yet we use it ubiquitously every day.

05:00 60 percent more likely to see an engineering mishap than a cyberattack in OT, but they still happen.

06:07 Safety is becoming a more prevalent issue. Chernobyl, Bhopal, Piper Alpha all could and should have been prevented.

08:36 Frameworks provide a structure. They provide value for doing the right thing and discourage negative behaviour.

09:50 Exploits will happen. What is important is lessening the likelihood and the impact.

11:23 Every organization should deploy two-factor authorization. If you can prove your security capabilities you will increase customer trust and revenue.

12:32 Don’t just know your rights, exercise them.

13:51 What are your rights as a digital consumer and does geography determine how much control over your own data you are entitled to?

15:58 GDPR has had some unintended consequences for business.

17:30 If you do something wrong in OT, somebody gets hurt.

19:32 The challenge is in the proliferation of applications. Regulation is great, but remedy is more important.

22:54 We don’t need more cybersecurity people in OT, we need more OT people in cybersecurity.

24:26 Diversity in cyber is a problem, but don’t set a quota, set a goal.

Jason Haward Grau Interview Transcript

An Unusual Cybersecurity Creed

In a crowded security marketplace, Ben believes that people are happy to have multiple security tools but want fewer interfaces. He highlights the value of conversations with customers, points to the value of feedback, and shares his unusual corporate creed.

02:22   An unusual cybersecurity creed: Passion, Capacity, Humility.

06:02   The technology you’re building needs to address a real problem. How does it fit into the tech stack, the workflow, the trends?

07:50   Everyone wants to be the dominant platform, so who should you choose to be your dashboard?

08:37   People are OK with multiple tools, they just want a very small number of interfaces.

09:08   Your customers will be different, so you have to build a product that is extensible and flexible to serve all of them.

10:34   Having conversations with your customers is always extremely valuable. Gather as much feedback as possible.

13:09   Privacy and security is different to privacy and ethics. The distinction is are you facing customers or are you facing your employees.

13:33   The frustration that led to regulations like GDPR was born out of consumers not knowing they were the product, but we all have a data price.

14:04   Employee privacy is a tricky issue. We have to find the balance allowing people to work without friction, but be able to stop them as soon as there is suspicion of insider threat.

16:00   Obsidian is about partnership and catching the bad guys.

Ben Johnson Interview Transcript

Vendors Know Where Their Products Fail

In his second podcast with UberKnowledge Malcolm suggests the cyber skills shortage has been created by the industry’s own approaches. He believes security needs to be about protecting business outcomes and suggests the best way to do this is to factor security and privacy into the design of technology. He also reminds us that vendors know where their products fail, they are simply economically disincentivized to change.

01:52   The cyber skills shortage is real, but it’s been created by the approaches we’ve taken.

01:59   We’re in a reactive mode focused on detection and response, throwing bodies at the problem, and it’s ineffective.

04:05   We have to do a better job of applying a stringent security development lifecycle in the creation of technology.

05:33   Identify risk and reduce it by making it part of the product design goal.

06:48   The vendor community knows where its products fail. It does nothing about that because it can sell you six others to plug the gap.

07:33   If a product doesn’t do what it is designed to do in an effective, efficient fashion, get rid of it.

11:01   Security has to be about protecting business outcomes.

12:14   Three-fifths of companies claiming to use AI and machine learning aren’t. It’s just marketing hype.

14:04   The practitioner community needs to collaborate and provide better insights.

16:22   Younger generations want to do something that matters, and things that matter are hard.

17:09   If you have something to fight for, you have something to fight with. We shouldn’t be fighting each other on the approaches.  

Malcolm Harkins Interview Transcript

Diversity Generates Innovation

As a lifelong technical trainer, Linda shares her insights into the different ways people learn and believes training should accommodate them. She highlights the dismal statistics of women in cyber and talks about Palo Alto’s efforts to redress the diversity imbalance.

02:04 The evolution of the training world. There are two fields: how people learn and the engagement of technology.

03:16 The forgetting curve and how the industry is combating it.

05:17 People learn in different ways and technology has allowed us to enable that.

05:40 The learner decides how they want to learn.

08:05 Microlearning and macrolearning – we need both and have to build the training that people want.

10:35 A dismal statistic: 2019 should see 19 percent cyber jobs filled by women.

11:36 We have to do for cyber what STEM has done for maths — make it cool.

12:14 PAN’s partnership with the Girl Scouts on cyber badges

12:56 Cybersecurity does lack gender diversity, but less so in the training environment because education has always been a diverse field.

14:06 Confronting unconscious bias

15:57 Diversity begets innovation. It’s not always painless but it is worth it.

17:59 “Can you do” as well as “Do you know.”

20:17 Training can learn from gaming

Linda Moss Interview Transcript

As a lifelong technical trainer, Linda shares her insights into the different ways people learn and believes training should accommodate them. She highlights the dismal statistics of women in cyber and talks about Palo Alto’s efforts to redress the diversity imbalance.

Protecting the New Network

Rahul and Rudolph describe Awake’s approach to network security and explain the only way to earn credibility in the market is to be honest with your customers. They admit CISOs would love to see one vendor provide that single pane of glass but the fragmented nature of the industry prevents it. In an effort to balance the lack of diversity in cybersecurity, Rahul encourages every executive to mentor.

01:52 Network security has not really evolved.

03:57 The new network: cloud, data center, IoT.

05:33 Have to build a partnership with your customer. It’s not just about a product sale anymore.

07:16 As we learn about it, we automate it.

10:03 We have to make security more and more mainstream. Security cannot be something that only the elite can do.

10:43 Attackers are equal opportunity offenders.

11:39 There are so many good problems out there, but execution is key.

12:48 The reality is cybersecurity is a very fragmented industry.

15:12 Distinguishing yourself as a vendor is not about marketing or your AI, it’s about solving operational challenges and showing value.

17:59 If you want to earn credibility in the market, be honest with your customers because that’s what they really care about.

19:56 Education should be for everybody.

20:48 We are not educating children about cybersecurity early enough.

22:10 Give back and mentor. Change the landscape of cybersecurity one young person at a time.

Awake Security Interview Transcript