Security Voices Security Voices

After 5 seasons, it’s curtain call for Security Voices. In this final episode, Jack and I reflect on half a decade of podcasting together through times that were both extraordinary for the world and for each of us personally. We discuss some of our favorite moments, most memorable guests, and the lessons learned from roughly 60 episodes of exploring the unique personalities and stories of cybersecurity. At around 40 minutes, our last pod is more short and sweet than long, tearful farewell.

The Security Voices website will continue to be up for the foreseeable future so that it can be happily devoured by generative AI and any humans sticking around who want to know what things we’re like in the beforetimes.

Jack and I hope that we left the industry a little better than when we started this project back in the winter of 2019. Thanks for listening.

The ascendancy of India in Silicon Valley is undeniable. From top executives such as Satya Nadella (Microsoft) and Nikesh Arora (Palo Alto Networks) to leading investors, we’ve become well accustomed to working with and often for people who have immigrated from India. Given the wave of immigration from India started decades ago, our Indian coworkers, investors and leaders are such an established part of the tech industry that we often give little thought to the cultural differences that underlie our daily interactions. Nonetheless, the move to remote work strips away much of the high fidelity, in person interactions that make understanding each other easier, even if we were raised on different continents, speaking different languages, etc. In simple terms, while the stakes for understanding each other have never been higher, our actual means of communicating have gotten worse.

This episode of Security Voices combines the perspectives of two experienced security leaders, Ashish Popli of Spotnana and Jason Loomis of Freshworks along with Jack and Dave. Ashish has been working in the U.S. since he completed his Masters at Stony Brook in ‘02 whereas Jason took the role of CISO for the Chennai-based Freshworks a little over a year ago. Their combined perspectives provide a 360 degree view of both what it takes for an Indian security leader to adapt and how a Los Angeles-based security leader has navigated the unique challenges of having a team based in India. Jack explains how B-Sides conferences in India also bear the clear imprint of the country’s culture.

Over our roughly 60 minute discussion, Ashish and Jason share their stories of what works, what doesn’t, and perhaps most importantly, we explore the “why” behind those moments when something seems to be lost in translation. We hope you have a few “aha” moments like we did during the conversation and that this episode serves as a practical reminder that while much unites in the tech industry, we can go even further when we understand and respect our differences as well.

The classic mindset of cyber security unmistakably originates from its early leaders: financial services, the defense industrial complex, and big companies that had too much to lose from ignoring what was called at the time “information security risk”. They tried to calculate largely unknowable risks to explain digital concepts to analog executives. They leaned on medieval metaphors such as castles and moats to make formerly arcane technology like firewalls understandable to people who just got their first AOL email address. And Sun Tzu quotes were used to make it absolutely clear that we were in a war against a shadowy, determined enemy that demanded our attention (and a generously sized budget).

The cybersecurity landscape now bears little resemblance today to those early days, but far too much of how we reason about our industry is still clearly traceable back to those early days. Kelly Shortridge’s Security Chaos Engineering is a sneakily titled book that has less to do with testing technical boundaries and much more to do with modernizing our headspace to accommodate the new, incredibly complex environment we find ourselves in today. Sun Tzu quotes are replaced by Ursula K. Le Guin and Buckminster Fuller. Jurassic park analogies take center stage. Ice cream metaphors and decision trees supported by open source projects make the formerly esoteric approachable. Practical even.

Our 1 hour conversation with Kelly covers many of the core ideas in the book she recently published along with Aaron Rhinehart, centering on adopting a mindset of evaluation and experimentation. A common thread running through the dialogue is that of empowerment: we live in a privileged time where much of what we do now can be stress tested to build resiliency. And that this is a far more sane approach given modern complexity than attempting to comprehensively model risk and prevent attacks. Cat and mouse? No, we and our adversaries are peers on equal footing who are capable of both offense and defense. The future, and the present for those who lean into it, is much more Spy vs. Spy than Tom and Jerry. We hope this dialogue takes you at least one step closer to it.

Let’s say it’s 2012. And you're graduating Stanford with a comp sci degree. You could go to Google, Facebook or any of a number of well-paying emerging juggernauts. If you’re Frank Wang, you move across the coast and do your PhD in cybersecurity at MIT.

Now you’re doing your PhD. And you make pals with a local VC. So naturally, you start a cybersecurity incubator as an academic (Cybersecurity Factory) which churns out companies such as Huntress Labs.

Your PhD is in the bag now and you're ready to start making money. Time to apply all of that theory from academia in a company, right? Wrong. If you’re Frank Wang, you become a VC at Dell Capital.
It’s the middle of the Covid pandemic and VC is going bonkers. Massive amounts of capital being allocated in a frenzy unlike anything we’ve seen in decades. If ever. Rather than joining in the party, Frank sees it as a clear signal that it’s time to move on and becomes a security engineering leader at modern data stack company DBT.

Now that you’ve got a comfortable job at a high flying tech company, it’s time to take your foot off the gas pedal, right? Do your part and ride it out through a lucrative exit. Frank saw this as the time to step up his side hustle instead and start the popular blog and newsletter, Frankly Speaking.

The conversation is a little over an hour of Dave exploring the career arc of Frank to date and what he’s learned while blazing his own, unconventional trail through cybersecurity. The unique road he has traveled lends him perspective for those who want to better understand VCs, running a side business, or simply what happens when you ignore conventional wisdom and have the courage to make your own path.

This past weekend, the New York Times posted an article explaining the United States is scrambling to clean government systems from a deep, pervasive infiltration of the country’s infrastructure by the Chinese. Much like the Russian attacks on Ukrainian infrastructure, the intent appears to be to disrupt any U.S. action that would be a response to Chinese military action in Taiwan. The role of nation state actors in driving the threat landscape has brought us to a place where the lines between physical and cybersecurity are no longer blurry, but simply erased.

Galina Antova, founder and Chief Business Officer of Claroty, shares her expertise in operational technology (OT) security with us in an hour long interview in the latest episode of Security Voices. We begin by walking through the recent industrial security threat landscape with an emphasis on INCONTROLLER/Pipedream and discuss the impact of the Russian/Ukrainian war, tracing its origins back to a landmark attack in 2015.

Galina and Dave explain the uncomfortable truths about the current state of OT security, starting with the fact that, other than nuclear energy facilities, air gaps are as common unicorns and other mythological beasts. Galina explains why OT security teams necessarily have to operate with older equipment and more caution than conventional IT security teams. Further, while we have not seen massive infrastructure disruptions to date, the real reason behind this offers us little comfort.

In the second half of our interview, Galina describes her journey as a founder of Claroty and what it took to build a $100M ARR company over 8 years. For a category decades in the making with notoriously long sales cycles and risk averse buyers, she takes us through the playbook she and her co-founders used to establish a beachhead and expand into a global OT security juggernaut. We pinpoint why the pandemic was a breakthrough moment for OT security, catapulting solutions providers to new heights and why this had little to do with new threats and everything to do with enabling digital transformation.

We bring the episode to a close with a dialogue on gender equity in cybersecurity and specifically how men can do their part by adjusting a couple key assumptions when interacting with women in business.

"Any country that intervenes in Taiwan will face serious consequences, including cyber attacks."

This statement in January by the Chinese Ministry of Foreign Affairs made clear that the United States must be ready to defend itself in what many assume to be an inevitable conflict over Taiwan’s independence. It begs the question, how will we defend ourselves from such a powerful adversary with one of the best cyber armies in the world?

At the heart of the answer is the United States infrastructure: an interconnected web of both government and for profit companies that provide core services to the citizens. This public / private partnership is most evident where it matters most: energy and communications. Mary Haynes, Group Vice President of Charter Communications and industry cybersecurity veteran, has worked with presidential administrations across her multi-decade career to serve the twin goals of protecting her customers and making the country more resilient to attacks.

Our 72 minute conversation with Mary starts with how our communications industry is responding to the threat and the Biden administration’s somewhat unique approach. We explore two critical areas to mounting a credible defense: 1) Ensuring the security of consumer managed connectivity hardware and 2) Addressing traffic hijacking and route misadvertisements by shoring up BGP with RPKI. Throughout the conversation, we get a clear view into the combination of big picture thinking, technical acumen and diplomacy that have taken Mary to one of the top roles in defending the U.S. communications backbone.

While the first part of the conversation discusses her and the communications industry’s readiness to defend against nation state adversaries, the remainder of our interview serves as a brief career retrospective for Mary as she plans to start her transition into retirement later this year. On the topic of dealing with seismic technology shifts, she reflects on our response to the public cloud and how that should inform the cybersecurity industry’s response to the current advancements in artificial intelligence.

As we wrap up, Mary explains where we’ve made progress with regards to diversity and her advice for women considering a career in cybersecurity. Mary’s optimism and clarity of vision leave a strong impression throughout the dialogue; we wish her the very best as she moves from leader and practitioner to advisor and board member later this year.