Episodes
6 days ago
In this episode of the podcast, Maril Vernon joins Ron and Chris to discuss the importance of breaking down silos between cyber teams and inspiring individuals to drive their own careers in cybersecurity. Maril has been a key player in promoting the concept of purple teaming, the combination of red teaming and blue teaming to improve an organization's overall security posture. She discusses the importance of hands-on experience and practical knowledge over simply holding certifications.
Maril's approach to her career has been driven by her passion for the work and her desire to break down silos between different cybersecurity teams. She emphasizes that individuals can drive their own success in the field and take control of their careers, regardless of the limitations their organizations or the industry may impose. Through her collaborations with organizations such as Cyber Queens and nonprofit foundations, she hopes to provide more educational material to high school and college students to inspire the next generation of cybersecurity professionals.
Maril has big plans for the future, including starting a doctorate program in cybersecurity and working on several undisclosed projects that she promises to share in future podcasts. She hopes to leave a legacy of empowering individuals in the cybersecurity field and inspiring them to love their work and take control of their careers.
This cybersecurity podcast episode is a must-listen for anyone looking to pursue a career in cybersecurity and gain insight into the field from a successful professional.
--------------
Links:
Stay up to date with Maril Vernon on LinkedIn
Join our Patreon monthly creative mastermind
Connect with Ron Eddings on LinkedIn and Twitter
Connect with Chris Cochran on LinkedIn and Twitter
Purchase an HVS t-shirt at our shop
Continue the conversation by joining our Discord
Check out Hacker Valley Media and Hacker Valley Studio
Tuesday Jan 24, 2023
Security Teams Can’t Do It All with Rob Wood CISO @ CMS
In this episode of Hacker Valley Studio, Rob Wood, Chief Information Security Officer (CISO) at CMS, discusses the challenges of data silos within organizations. Rob explains that security teams often operate in silos, with different groups focusing on separate aspects of security such as incident management, compliance, and penetration testing. One way to improve this is to flatten the organizational structure and have teams work in the same data environments, using the same data tools. This lets teams collaborate and share information more easily, improving overall security.
In the episode, Rob also highlights the importance of supportive leadership and culture in driving change and the impact of the mission in his work. Ron picks up on two key elements - people and communication - as important in cybersecurity and business, as breakdowns often happen due to lack of communication. Chris mentions how he is hard on leaders who create toxic environments or use fear and intimidation to lead their teams. He also notes that he is starting to see a different kind of leader in the technical space, one that knows a lot, and is intelligent but also knows how to talk to people and make them feel seen. The conversation then shifts to where this change in leadership is coming from.
Rob Wood suggests that it is the next wave of leaders coming in, as there are more leadership opportunities available. He also notes that there are many people moving into security from diverse fields, creating a polymath effect of blended disciplines. This helps humble people and allows them to be more human. He also mentions that his own career path was not traditional, as he studied sports management in college and transitioned into an internship in cybersecurity.
--------------
Links:
Stay up to date with Rob Wood on LinkedIn
Join our Patreon monthly creative mastermind
Connect with Ron Eddings on LinkedIn and Twitter
Connect with Chris Cochran on LinkedIn and Twitter
Purchase an HVS t-shirt at our shop
Continue the conversation by joining our Discord
Check out Hacker Valley Media and Hacker Valley Studio
Tuesday Jan 17, 2023
Advocating for Better Security in Healthcare with Taylor Lehmann
Taylor Lehmann, Director of the Office of the CISO at Google Cloud, has made it his mission to make healthcare and life sciences more secure and strategic for everyone. Joining our security podcast this week, Taylor talks about how security and strategy have to start with people, from properly managing them to realistically motivating them. Healthcare is in need of some serious security TLC, and Taylor is ready to tackle the difficult questions about how personal medical data can stay safe in a constantly evolving environment.
Timecoded Guide:
[01:47] Motivating your team & understanding your real cyber constraints
[06:19] Creating a shared, measurable goal for every team
[14:26] The haves and have-nots of healthcare security
[22:08] Revolutionizing the security standard of healthcare
[25:16] How to not fail your future self
You’re frequently brought into situations that are hard for security teams. Could you walk us through your process of dealing with interpersonal conflicts at work?
Rarely is a conflict amongst team members about the technology itself; it is usually about how the team is working together. To combat team conflicts at work, Taylor first focuses on kindness and thankfulness. When a team creates a kind environment, trust flows more easily and the team can focus on the real constraints of its situation (e.g. time and deadlines) rather than on perceived constraints and tension points (e.g. assumptions about budget).
“What I end up finding out in more cases than not is it's not about a tool, it's not about a security control you don't understand, it's usually not a technical issue, it's almost always getting teams aligned to working together towards a shared outcome.”
What is the common slowdown or hiccup when it comes to security practitioners working together?
The biggest and most detrimental slowdown amongst team members in cybersecurity is the lack of a shared goal. Without a united effort towards security and a measurable outcome to achieve, team members throughout your organization won’t work effectively or efficiently together. When the goal to be more secure can be understood by everyone within the organization, team members won’t get stuck on the whys or hows of the work they’re doing.
“Is the security department the only one who wants to be secure, or does everybody? The second you create a goal where teams are effectively working together to get that outcome, that's when you know you're there.”
When you look at the maturity of health organizations in being more security-minded, what are some of the things that you're seeing in the industry?
Like many industries, security in healthcare is divided into haves and have-nots. Large, sophisticated public health organizations have a high level of security maturity, while smaller organizations fall behind in both technology and cybersecurity. While organizations like the FDA are working hard to make the medical field a more secure place, modern tech platforms need to be integrated at every level to keep patients and practitioners safe.
“It's tough to tell as a patient if a health system invests in security or not. No one is yet making decisions on where they go to get healthcare based on security. I think if they knew they would suffer something negative due to an under-invested system, that would change things.”
Was there a turning point in your life that made you the leader that you are today?
After an extensive shoulder surgery left Taylor laid up in a hospital bed, he realized that some of the equipment being used on his own body couldn’t be trusted to keep information secure. Having such an eye-opening patient experience after working in security in the medical field, Taylor realized that other patients wouldn’t know how to verify or protect themselves from these issues. Something had to change, and Taylor understood that he had to become a leader and advocate in this space to make a difference in our current reality.
“This cannot be the standard of care. My life, in effect, depended on medical equipment that couldn't be trusted. I needed to do something about it, not just for myself, but for the next person who's gonna lie in a hospital bed.”
--------------
Links:
Keep up with our guest Taylor Lehmann on LinkedIn and Twitter
Connect with Ron Eddings on LinkedIn and Twitter
Connect with Chris Cochran on LinkedIn and Twitter
Purchase an HVS t-shirt at our shop
Continue the conversation by joining our Discord
Check out Hacker Valley Media and Hacker Valley Studio
Tuesday Jan 10, 2023
Solving Fundamental Cybersecurity Problems with Maxime Lamothe-Brassard
Maxime “Max” Lamothe-Brassard, Founder of LimaCharlie, brings a tech-focused community perspective and a history of working at Google to the Hacker Valley security podcast this week. Inspired by the internal motivation to empower others and build what didn’t exist, Maxime created LimaCharlie to help security teams automate and manage security operations. In this episode, Max walks through his founder’s journey and points out the problems that are begging for innovative solutions from the brightest minds in cyber.
Timecoded Guide:
[01:59] Improving community & empowering practitioners
[06:04] Leaving Google for LimaCharlie
[10:55] Unpacking the incentivization problem of cyber
[16:21] Targeted products vs massive suites of problem solvers
[21:29] Looking at a red team-less future
Sponsor Links:
Thank you to our sponsors Axonius and NetSPI for bringing this episode to life!
The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.
Where would you say your passion for improving our community comes from?
From the moment Max opens his mouth to talk about cybersecurity, his passion for the global community of cyber practitioners is clear. It turns out, the community is Max’s passion because he’s been in so many cybersecurity roles and has experienced so many of the same issues in each position. Suffering pain and fatigue no matter the role shouldn’t be the reality for today’s practitioners, and Max wants to empower them to do their best, most enjoyable work.
“When I started, the goal wasn't to make the silver bullet that somehow was going to automatically save everybody, but really to just help people that were working and doing their jobs and empower them.”
How was your experience going from Google to having your own thing with LimaCharlie?
Taking the red pill of entrepreneurship wasn’t as scary of an experience for Max as one might think. Instead, the product idea behind LimaCharlie existed for years before Max left Google, and everything Max has done in his career prepared him to take that risky step into doing his own thing. When push came to shove, Max was comfortable taking the risk because he knew he would always have opportunities to support the industry, even if he failed.
“Really, throughout my whole career, without necessarily knowing at the time, [creating LimaCharlie] was where I was heading. Looking back, I've always been trying to build the thing that didn't exist where I was and push those limits.”
What are the problems in the community or in the industry that you don't see anyone solving yet?
A major opportunity for growth and improvement in cybersecurity is incentivization, according to Max. The debate over what is worth fixing, and who should decide how vulnerabilities are prioritized, leads to tension and confusion among practitioners. The key to this problem might be finding the right party to take in that information with the right models and protocols for risk evaluation. Insurance might be the easiest answer, but Max wants practitioners to explore their own potential to solve these problems, too.
“The problem is that, as an industry, for us to make a risk-reward call on security vulnerabilities— it’s incredibly difficult for us that are in security every day. Fundamentally, we can't even make that call ourselves.”
What is one topic of division in cyber that you wish we could all come together on?
Division is inevitable in a field that grows as fast as cybersecurity. However, if Max could dream big about a major division to solve himself, it would be that of a red team’s purpose. In an ideal security world, people don’t need the red team to buy them into cybersecurity. Max hopes that, over time, the industry shifts more towards the blue team, where vulnerabilities are understood as important and worth protecting against without red team demonstrations.
“I hope that, over time, we're able to move away from having to drive this idea that these things are real and they're important because people are already bought into this idea that, yes, we need to defend everything.”
---------------
Links:
Keep up with our guest Maxime Lamothe-Brassard on LinkedIn
Learn more about LimaCharlie on LinkedIn and the LimaCharlie website
Connect with Ron Eddings on LinkedIn and Twitter
Connect with Chris Cochran on LinkedIn and Twitter
Purchase an HVS t-shirt at our shop
Continue the conversation by joining our Discord
Check out Hacker Valley Media and Hacker Valley Studio
Tuesday Jan 03, 2023
Building Leadership Strategy Beyond Tech with Brian Haugli
Brian Haugli, Founder and CEO of SideChannel, brings his CISO expertise to the security podcast this week for a discussion about strategy and leadership in cybersecurity. Working alongside CISOs and fractional vCISOs, Brian has seen his share of leadership mistakes and has learned along the way about the purposeful approach that security needs. In this episode, Brian revises the mantra of "people, process, and technology" to include the first and most important element in your security success: purposeful strategy.
Timecoded Guide:
[02:01] People, process, and technology in your leadership strategy
[05:12] Tenets of a strong security strategy
[13:11] Setting up new fractional CISOs for success
[18:29] Creating SideChannel & walking the line between CISO vs consultant
[27:44] Thriving professionally by thriving personally
Sponsor Links:
Thank you to our sponsors Axonius and NetSPI for bringing this episode to life!
The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.
What has been your philosophy throughout the years when it comes to leadership versus technology?
The security adage of "people, process, technology" isn't one combined concept. That, in Brian's opinion, is why so many leaders make the mistake of putting technology at the center of their strategy. Strategy is not which technology you use, and you can't buy your way out of every security problem with a shiny new product. Ask yourself what problem you are supposed to solve, not which tech is going to solve your problems.
“Strategy is not technology, it's figuring out what you want to look like when you grow up, in a sense. Everyone jumps to the shiny object. What can I buy to go solve this problem? You never stop and question: Was that the first problem I was supposed to solve?”
What are the tenets of making sure that you've done the work of creating a strong security strategy?
The North Star of your security strategy should be the identity and purpose of your business, according to Brian. If you don't have an up-to-date assessment of your capabilities, assets, resources, and objectives, you aren't positioning yourself for success. Strategy comes from knowing where you are now and where you need to be. When your company "grows up," what do you want security to look like? Understanding that guides you toward your target state without wasting time on the wrong problems or objectives.
“I think a lot of people throw strategy around as a grander concept and don't actually think about the elements that need to go into building one. You need to align to a definition that supports your business and outcomes, and that's what is strategic. The idea is not strategic.”
Let's say I'm a brand new fractional CISO and I have my first client. What are the top three questions I'm going to ask of this organization to set me on the right path?
When taking on a new client, a fractional CISO first has to understand why they are involved with this client at all. Why are you here? Who brought you here? And, most importantly, why is security being addressed now? A fractional CISO can't defend what they don't know exists, and they can't commit to a deadline without first understanding what this company's unique security environment needs.
“You don't jump into, ‘Okay, well, what's the budget?’ No, I like to understand what I have to actually defend and build to, how fast I have to actually make that happen, that then informs and sets up the much better discussion around, realistically, what you should be considering.”
What advice do you have for our audience that is interested in becoming a CISO?
Although Brian jokes that he would advise anyone against taking on a CISO role due to the workload, he understands and loves the grind of cybersecurity leadership. To not only survive but thrive as a CISO, Brian believes a practitioner has to keep their love for problem-solving and protecting organizations at the forefront. Still, as passionate as someone might be, Brian also advises knowing when to unplug and unwind to avoid burning out fast in such a strenuous role.
“Look, just take care of yourself. I think exercising is huge. Eat right, sleep right. You've got to take care of your mental health, take care of physical health, you've got to take care of your spiritual health. You've got to do all that, or you're never going to be good professionally.”
---------------
Links:
Keep up with our guest Brian Haugli on LinkedIn and Twitter
Learn more about SideChannel on LinkedIn and the SideChannel website
Connect with Ron Eddings on LinkedIn and Twitter
Connect with Chris Cochran on LinkedIn and Twitter
Purchase an HVS t-shirt at our shop
Continue the conversation by joining our Discord
Check out Hacker Valley Media and Hacker Valley Studio