Listen Now

In this episode of the podcast, Maril Vernon joins Ron and Chris and discusses the importance of breaking down silos between cyber teams and inspiring individuals to drive their own careers in cybersecurity. Maril has been a key player in promoting the concept of purple teaming - the combination of red teaming and blue teaming to improve an organization's overall security posture. She discusses the importance of hands-on experience and practical knowledge over just having certifications. Maril's approach to her career has been driven by her passion for the work and her desire to break down silos between different cybersecurity teams. She emphasizes that individuals can drive their own success in the field and take control of their careers, regardless of the limitations their organizations or the industry may impose. Through her collaborations with organizations such as Cyber Queens and nonprofit foundations, she hopes to provide more educational material to high school and college students to inspire the next generation of cybersecurity professionals. Maril has big plans for the future, including starting a doctorate program in cybersecurity and working on several undisclosed projects that she promises to share in future podcasts. She hopes to leave a legacy of empowering individuals in the cybersecurity field and inspiring them to love their work and take control of their careers.  This cybersecurity podcast episode is a must-listen for anyone looking to pursue a career in cybersecurity and gain insight into the field from a successful professional.   -------------- Links: Stay up to date with Maril Vernon on LinkedIn Join our Patreon monthly creative mastermind Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase an HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

In this episode of Hacker Valley Studio, Rob Wood, Chief Information Security Officer (CISO) at CMS, discusses the challenges of data silos within organizations. Rob explains that security teams often operate in silos, with different departments focusing on various aspects of security, such as incident management, compliance, and penetration testing. One way to improve this is by flattening the organizational structure and finding ways to work together in the same data environments, using the same data tools. This would allow teams to collaborate better and share information, improving overall security. In the episode, Rob also highlights the importance of supportive leadership and culture in driving change and the impact of the mission in his work. Ron picks up on two key elements - people and communication - as important in cybersecurity and business, as breakdowns often happen due to lack of communication. Chris mentions how he is hard on leaders who create toxic environments or use fear and intimidation to lead their teams. He also notes that he is starting to see a different kind of leader in the technical space, one that knows a lot, and is intelligent but also knows how to talk to people and make them feel seen. The conversation then shifts to where this change in leadership is coming from. Rob Wood suggests that it is the next wave of leaders coming in, as there are more leadership opportunities available. He also notes that there are many people moving into security from diverse fields, creating a polymath effect of blended disciplines. This helps humble people and allows them to be more human. He also mentions that his own career path was not traditional, as he studied sports management in college and transitioned into an internship in cybersecurity. -------------- Links: Stay up to date with Rob Wood on LinkedIn Join our Patreon monthly creative mastermind Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase an HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Taylor Lehmann, Director of Office of the CISO at Google Cloud, has made it his mission to make healthcare and life sciences more secure and strategic for everyone. Joining our security podcast this week, Taylor talks about how security and strategy have to start with people— from properly managing them to realistically motivating them. Healthcare is in need of some serious security TLC and Taylor is ready to tackle the difficult questions about how personal medical data can stay safe in a constantly evolving environment.   Timecoded Guide: [01:47] Motivating your team & understanding your real cyber constraints [06:19] Creating a shared, measurable goal for every team [14:26] The haves and have-nots of healthcare security [22:08] Revolutionizing the security standard of healthcare [25:16] How to not fail your future self   You’re frequently brought into situations that are hard for security teams. Could you walk us through your process of dealing with interpersonal conflicts at work?  Rarely is a conflict amongst team members about the technology itself, but is instead about how a team is working together. To combat team conflicts at work, Taylor first focuses on kindness and thankfulness. When a team can create a kind environment, trust flows much easier and the team can focus more on what the real constraints of their situation are (i.e. time and deadlines) vs their perceived constraints and tension points (i.e. assumptions around budget). “What I end up finding out in more cases than not is it's not about a tool, it's not about a security control you don't understand, it's usually not a technical issue, it's almost always getting teams aligned to working together towards a shared outcome.”   What is the common slowdown or hiccup when it comes to security practitioners working together?  The biggest and most detrimental slowdown amongst team members in cybersecurity is the lack of a shared goal. Without a united effort towards security and a measurable outcome to achieve, team members throughout your organization won’t work effectively or efficiently together. When the goal to be more secure can be understood by everyone within the organization, team members won’t get stuck on the whys or hows of the work they’re doing. “Is the security department the only one who wants to be secure, or does everybody? The second you create a goal where teams are effectively working together to get that outcome, that's when you know you're there.”   When you look at the maturity of health organizations in being more security-minded, what are some of the things that you're seeing in the industry? Like many industries, security in healthcare is divided into “have”s and “have not”s. Large, sophisticated, extensive, public health organizations have a high level of security maturity, while smaller organizations fall behind in technology and cybersecurity. While organizations like the FDA are working hard to make the medical field a more secure place, modern tech platforms need to be integrated at every level to keep patients and practitioners safe. “It's tough to tell as a patient if a health system invests in security or not. No one is yet making decisions on where they go to get healthcare based on security. I think if they knew they would suffer something negative due to an under-invested system, that would change things.”   Was there a turning point in your life that made you the leader that you are today? After an extensive shoulder surgery left Taylor laid up in a hospital bed, he realized that some of the equipment being used on his own body couldn’t be trusted to keep information secure. Having such an eye-opening patient experience after working in security in the medical field, Taylor realized that other patients wouldn’t know how to verify or protect themselves from these issues. Something had to change, and Taylor understood that he had to become a leader and advocate in this space to make a difference in our current reality.  “This cannot be the standard of care. My life, in effect, depended on medical equipment that couldn't be trusted. I needed to do something about it, not just for myself, but for the next person who's gonna lie in a hospital bed.” -------------- Links: Keep up with our guest Taylor Lehmann on LinkedIn and Twitter Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase an HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Maxime “Max” Lamothe-Brassard, Founder of LimaCharlie, brings a tech-focused community perspective and a history of working at Google to the Hacker Valley security podcast this week. Inspired by the internal motivation to empower others and build what didn’t exist, Maxime created LimaCharlie to help security teams automate and manage security operations. In this episode, Max walks through his founder’s journey and points out the problems that are begging for innovative solutions from the brightest minds in cyber.   Timecoded Guide: [01:59] Improving community & empowering practitioners [06:04] Leaving Google for LimaCharlie [10:55] Unpacking the incentivization problem of cyber  [16:21] Targeted products vs massive suites of problem solvers [21:29] Looking at a red team-less future   Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.   Where would you say your passion for improving our community comes from?  From the moment Max opens his mouth to talk about cybersecurity, his passion for the global community of cyber practitioners is clear. It turns out, the community is Max’s passion because he’s been in so many cybersecurity roles and has experienced so many of the same issues in each position. Suffering pain and fatigue no matter the role shouldn’t be the reality for today’s practitioners, and Max wants to empower them to do their best, most enjoyable work.  “When I started, the goal wasn't to make the silver bullet that somehow was going to automatically save everybody, but really to just help people that were working and doing their jobs and empower them.”    How was your experience going from Google to having your own thing with LimaCharlie?  Taking the red pill of entrepreneurship wasn’t as scary of an experience for Max as one might think. Instead, the product idea behind LimaCharlie existed for years before Max left Google, and everything Max has done in his career prepared him to take that risky step into doing his own thing. When push came to shove, Max was comfortable taking the risk because he knew he would always have opportunities to support the industry, even if he failed. “Really, throughout my whole career, without necessarily knowing at the time, [creating LimaCharlie] was where I was heading. Looking back, I've always been trying to build the thing that didn't exist where I was and push those limits.”    What are there problems in the community or in the industry that you don't see anyone solving yet?  A major opportunity for growth and improvement in cybersecurity is incentivization, according to Max. The debate of what’s worth fixing and who should decide on prioritizing vulnerabilities leads to tension and confusion among practitioners. The key to this problem might just be finding that special someone to somehow access the information with the right types of models and protocols around risk evaluation. Insurance might be the easiest answer, but Max wants practitioners to explore their potential to solve these problems, too.  “The problem is that, as an industry, for us to make a risk-reward call on security vulnerabilities— it’s incredibly difficult for us that are in security every day. Fundamentally, we can't even make that call ourselves.”   What is one topic of division in cyber that you wish we could all come together on?  Division is inevitable in a field that grows as fast as cybersecurity. However, if Max could dream big about a major division to solve himself, it would be that of a red team’s purpose. In an ideal security world, people don’t need the red team to buy them into cybersecurity. Max hopes that, over time, the industry shifts more towards the blue team, where vulnerabilities are understood as important and worth protecting against without red team demonstrations.  “I hope that, over time, we're able to move away from having to drive this idea that these things are real and they're important because people are already bought into this idea that, yes, we need to defend everything.” --------------- Links: Keep up with our guest Maxime Lamothe-Brassard on LinkedIn Learn more about LimaCharlie on LinkedIn and the LimaCharlie website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase an HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Brian Haugli, Founder and CEO of SideChannel, brings his CISO expertise to the security podcast this week for a discussion about strategy and leadership in cybersecurity. Working alongside CISOs and fractional VCISOs, Brian has seen his share of leadership mistakes and has learned about the purposeful approach that security needs along the way. In this episode, Brian revises the mantra of “people, process, and technology,” to include the first and most important element in your security success: purposeful strategy.   Timecoded Guide: [02:01] People, process, and technology in your leadership strategy [05:12] Tenants of a strong security strategy [13:11] Setting up new fractional CISOs for success [18:29] Creating SideChannel & walking the line between CISO vs consultant [27:44] Thriving professionally by thriving personally   Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.   What has been your philosophy throughout the years when it comes to leadership versus technology?  The security adage of “people, process, technology” isn’t one combined concept. That is, in Brian’s opinion, why so many leaders make the mistake of prioritizing technology as a central part of their strategy. Strategy is not what technology you use, and you can’t buy your way out of every security conflict with a shiny new product. Ask yourself what problem you’re supposed to solve, not which tech is going to solve your problems.  “Strategy is not technology, it's figuring out what you want to look like when you grow up, in a sense. Everyone jumps to the shiny object. What can I buy to go solve this problem? You never stop and question: Was that the first problem I was supposed to solve?”   What are the tenants of making sure that you've done the work of creating a strong security strategy? The North Star of your security strategy should be the identity and purpose of your business, according to Brian. If you don’t have a current assessment of your current capabilities, assets, resources, and objectives, you aren’t positioning yourself for success. Strategy comes from a knowledge and understanding of where you are now, and where you need to be. When your company “grows up,” what do you want security to look like for you? Understanding that guides you towards your target state without wasting your time on the wrong problems or objectives.  “I think a lot of people throw strategy around as a grander concept and don't actually think about the elements that need to go into building one. You need to align to a definition that supports your business and outcomes, and that's what is strategic. The idea is not strategic.”   Let's say I'm a brand new fractional CISO and I have my first client. What are the top three questions I'm going to ask of this organization to set me on the right path? When dealing with a new client, fractional CISOs have to understand why they’re involved with this client in the first place. Why are you here? Who brought you here? And, most importantly, what is the reason security is being addressed now? A fractional CISO can’t defend what they don’t know exists, and they can’t meet a deadline without first understanding what this company’s unique security environment needs are.  “You don't jump into, ‘Okay, well, what's the budget?’ No, I like to understand what I have to actually defend and build to, how fast I have to actually make that happen, that then informs and sets up the much better discussion around, realistically, what you should be considering.”   What advice do you have for our audience that is interested in becoming a CISO? Although Brian jokes that he would advise anyone against taking on a CISO role due to the workload, he understands and loves the grind of cybersecurity leadership. To not only survive but thrive as a CISO, Brian believes a practitioner has to keep their love for problem-solving and protecting organizations at the forefront. Still, as passionate as someone might be, Brian also advises knowing when to unplug and unwind to avoid burning out fast in such a strenuous role.  “Look, just take care of yourself. I think exercising is huge. Eat right, sleep right. You've got to take care of your mental health, take care of physical health, you've got to take care of your spiritual health. You've got to do all that, or you're never going to be good professionally.” --------------- Links: Keep up with our guest Brian Haugli on LinkedIn and Twitter Learn more about SideChannel on LinkedIn and the SideChannel website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase an HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Allison Minutillo, President of Rebel Interactive Group and Host of the Rebel Leadership podcast, joins the Hacker Valley team this week to talk about her journey from individual contributor to company leader. With a leader’s mind and a rebel’s heart, Allison wants Rebel Interactive Group to break down barriers and say what needs to be said. In this episode, Allison talks about intuition vs insecurity, practitioners vs leaders, and burning out vs staying invested and engaged in the world around you.    Timecoded Guide: [00:00] Shifting from an employee to a leadership mindset  [07:44] Getting real about leadership struggles on the Rebel Leadership podcast [13:24] Rebelling for the great good of your company & yourself [19:40] Finding career inspiration as a business owner & company president [25:41] Struggling to realize your full leadership potential as an individual   Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this security podcast to life!  Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.   What went into that mindset shift from individual contributor to the leader for you?  Leadership was an appealing concept to Allison, but stepping into the role of President at a company was beyond her wildest dreams. Being close to Bryn, the former President of Rebel, opened her eyes to the qualities of leadership she wanted in herself. However, the true mindset shift from contributor to leader came from Bryn’s understanding of Allison’s skills. It wasn’t until he brought up her being his successor that Allison saw the leader she knew she could be.  “I set my sights on what I thought was high. I started over-talking to [Bryn, at Rebel] because I was so nervous, and he said, ‘No, I'm talking about you being my successor, about you being president of Rebel.’ I instantly stopped everything I was saying and it became crystal clear.”   What exactly is Rebel Leadership and how does it relate back to your philosophies? The term “rebel leadership” is a concept that existed before Allison’s Rebel Leadership podcast began, but it embodies what Allison hopes Rebel Interactive Group represents for all of its clients. Being a rebel isn’t just about breaking the rules or telling it like it is, it’s about making a difference. Being a rebel leader is about challenging the status quo for the greater good of your clients, your employees, and your industry. “It's not rebelling for rebels' sake, it's that we're not good with the status quo. We're not okay with it, but we're not careless. We rebel with purpose. It's informed. It's data backed, it's compelling, it's precise, it's meaningful. We are not afraid to state what needs to be said.”    What do you say to those leaders that approach leadership almost like being a martyr?  The hustle and grind of being a leader can feel like endless amounts of hard work. However, in Allison’s experience, overworking yourself and refusing to disconnect maximizes the pain, but minimizes what you gain. Burnout is real, and cybersecurity practitioners definitely know burnout can be fatal for your career. Allison advises resting and giving yourself the time to reflect at the end of a long day, instead of forcing yourself to be a martyr.  “Doing that next ‘to-do’ list on your couch at 10:30 pm when you're spent and you're drained is not going to make you the leader you want to be tomorrow. It's going to make you frustrated and tired and not able to perform at a high level the next day.”   How do you differentiate the good advice of intuition from your inner echo chamber of not-so-good advice? It’s easy to get caught up in the eternal inner echo chamber when trying hard to learn and reflect on your experiences. Allison has had this happen to her, too; getting caught up in reading online comments and letting self-doubt control her thoughts. However, Allison explains that the grit of a true leader can drive you through the setbacks of criticism, whether that criticism comes from outside or within. What matters most is choosing to believe in yourself as a leader.  “That's when grit and will come in, in those moments where you're at the bottom of the barrel. Do you believe in yourself? Are you going to choose to believe in yourself, or are you going to choose to believe the comments?”  --------------- Links: Keep up with our guest Allison Minutillo on LinkedIn Learn more about Rebel Interactive Group on LinkedIn and the Rebel website Listen to the Rebel Leadership podcast Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Cody Wass, VP of Services at NetSPI, brings his near-decade of experience to the pod to talk about longevity, development, and leadership. It’s no secret that cybersecurity is in need of people. Cody’s journey from intern to VP at NetSPI has shown him the importance of training employees, creating opportunities for new graduates, and engaging teams effectively, both virtually and in person. In this episode, Cody provides the roadmap toward intentional employee investment in the ever-changing cyber industry.   Timecoded Guide: [00:00] Cyber career longevity from NetSPI intern to VP  [07:51] Putting people before process & technology at NetSPI [15:33] Collaboration as the foundation of the cybersecurity industry [18:13] Understanding cyber’s entry-level position problem [24:12] Investing intentionally in employee development     Sponsor Links: Thank you to our sponsor NetSPI for bringing this security podcast to life! For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more. Detect and protect the unknown with NetSPI's new and free attack surface management scan! Check it out now at asm.netspi.com/    You’ve been at NetSPI for 9 years. When you think about a rewarding feeling in your journey at the company, what comes to mind? Starting his journey at NetSPI as an intern, Cody has had the rare but impactful opportunity to grow alongside the company. Now, as VP of Services, looks back at the lives he’s impacted himself and the opportunities he’s had to see others grow. Employee development is a huge part of NetSPI’s success. Cody is proud to have seen newcomers join his team and become amazing practitioners over the years.   “It's really rewarding seeing people come into this industry as a fresh face with a specific skill set, to watch them grow over and see them really spread their wings, and come out the other side stronger, better, and having a skill set that you never would have imagined day one.”   NetSPI has a very unique culture and philosophy about balancing that duality between technology and people. Could you tell us a little bit about that?  People come first, before process and technology, at NetSPI. While all three elements of this sacred cyber trifecta are important, Cody and his team believe that the balance should focus on making the lives, skills, and experiences of the people at NetSPI better. Process should be taught to the people, with a focus on prosperity and consistency. Technology should be implemented intelligently, with proper training and time given to the people for the best results.  “NetSPI’s differentiator is our people, first and foremost, and then, our process and our technology. We have a ton of really cool things we're doing with tech, but the focus is always on: How can you use that tech to make a person more efficient at their job?”   How important is collaboration for you and your team at NetSPI? Collaboration is built into the DNA of NetSPI, from how employees are trained to how NetSPI interacts with the industry around them. Cybersecurity thrives when teams, practitioners, and organizations work together for the sake of the greater good. Even though COVID and remote workers have increased the virtual footprint of NetSPI, Cody still emphasizes the importance of communication and collaboration with his team and to practitioners around the world.  “This industry we work in is super interesting. It'll never be finished; you're never going to learn everything there is about security and be able to call it done. We're far past the point where one person is going to be the expert of everything in cybersecurity.”   For anyone in a cybersecurity leadership position who wants to start to really invest in their people, what would be your recommendation on where to start? Intentionality is vital for the success of any leader trying to invest in their employees. Cody explains that it’s one thing for leaders to want to invest in training and professional development opportunities for their team, but another thing entirely when it comes to implementation. If a leader isn’t intentional, they won’t have clear goals for investment and will risk letting implementation fall to the wayside for the sake of a budgetary line.  “Yes, we are going to be making this investment. It is going to cost us. It will cost us time, it will cost us money, but we are committed to making that investment because we know the payoff in 12 months or 18 months or 24 months is going to ultimately be worth it.” --------------- Links: Keep up with our guest Cody Wass on LinkedIn Learn more about NetSPI on LinkedIn and the NetSPI website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase an HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Brad Liggett, CTI Intel Engineer Manager at Cybersixgill, puts on his improv hat and joins the pod ready for anything. After COVID pressed pause on daily life, Brad kept himself sane and gained some new skills by returning to his improv roots (a hobby he had in the ‘90s) and taking up Dungeons & Dragons. In this episode, Brad covers the importance of improv skills in the professional world, the opportunities to add elements of gaming into cyber, and advice for practitioners looking to be more agile.   Timecoded Guide: [00:00] Introducing the unique combination of improv & cybersecurity [05:57] Being a life-long learner in cybersecurity & in improv groups [13:20] Practicing improvisational skills for cybersecurity customer conversations   [18:17] Bringing in games & elements of play into cybersecurity environments [24:38] Advice for a more agile, improvisational tomorrow   Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this episode to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.   Is there a skill that you called upon during an interaction with a customer where you really leaned on your improv muscle?  Improv often involves one phrase that Brad believes other industries should incorporate, too: “Yes, and.” In cybersecurity, Brad leans heavily on the “Yes, and,” phrase because it encourages conversations to move forward authentically. Meetings aren’t successful when customers and clients feel uncomfortable and unengaged. Being able to think on his feet and prepare for changes makes Brad a stronger, more agile practitioner and communicator. “The whole concept of moving the meeting forward and making sure that there are no uncomfortable silences. Be prepared, have an idea of what you want to talk about, but inevitably, the client you're talking to, everyone's going to be unique.”   What do you think is the glue that holds your interests in cyber and improv together? Being a life-long learner is something extremely important and valuable for Brad. For improv, research on the latest media, memes, and movies influences his work and motivates him to stay up-to-date and be involved in some fun research. Cybersecurity is the same way. Brad believes to be the best practitioner and leader for his team, he needs to be knowledgeable about vendors, threats, products, and all things new in the industry. “You always have to be reading, you always have to be aware of what's going on in the environment out there in the world, so that as those things come up, at least you can somewhat talk to them and start to put those pieces together.”   What has been your experience with bringing an element of play into cyber? Cybersecurity can’t be all work and no play. Instead, Brad believes that cybersecurity teams should continue to prioritize the gamification of training processes, as well as just letting their teams have a little fun. Sometimes, to build a strong, trusting team, there needs to be an outside outlet for problem-solving, puzzling, and creativity. Brad even brought his team at Cybersixgill to a Meow Wolf exhibition this year for that same team-building reason.  “We work hard, but we also should make sure that we play, and not only just do that individually, but even as teams, especially now. It's not always going to be about the training aspect, you also have to take that time to bring that team together.”   What is a piece of wisdom that people could take with them to work tomorrow to make them more agile and improvisational? When it comes to agility and improvisational skills, you have to have a strong foundation to build off of. For Brad, taking time for himself and understanding when and how he learns best has been vital to his success. Listening to podcasts at the gym, reading something new at hotels, and getting a good night’s sleep are all little things that help Brad consistently become more agile and improvisational at work.  “For me, it’s always having some sacred time at the end of the day. There's no TV in my bedroom, and my phone is telling me around 8:30, ‘Hey, it's wind down time,’ and that's when I'm getting in the mode for sleep, and then making sure I've got a good night's sleep.” --------------- Links: Keep up with our guest Brad Liggett on LinkedIn and Twitter Learn more about Cybersixgill on LinkedIn and the Cybersixgill website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase an HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Richard Rushing, CISO at Motorola Mobility, brings his decades of experience to the show this week to talk about leadership, communication, and perhaps most importantly of all: prioritization. After joining Motorola through a startup acquisition, Richard has been a leader in the company and a defining example of what a CISO should be doing: simplifying the complicated. Richard talks about how his role has changed over the last 10 years and what’s next for him and for cybersecurity.   Time Code Guide: [00:00] Ascending into a leadership role in cybersecurity & joining the Motorola team [06:28] Defining CSO & CISO at a time when no one understood cybersecurity [13:01] Communicating with the C-suite about cyber: best practices & tenants [24:37] Harnessing a proactive cybersecurity mindset with prioritization [32:13] Extending your cybersecurity career for decades   Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this security podcast to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.   What was your experience of being a Chief Security Officer in the early 2000s? Richard jokes that he became a part of the cyber industry before the industry was even called cybersecurity, but behind the joke lies the truth that cyber looked extremely different back then. However, no matter how much time passes, Richard is still used to the odd confused looks that come from saying he’s a CISO. People misunderstand the role, Richard explains, but at least more people than ever before understand the importance of cybersecurity. “There were a lot of other things that you had to talk about, you had to evangelize a lot coming into this [industry] because a lot of the cybersecurity industry was brand new. People were moving around and trying to figure these things out and everybody struggled.”   How many times would you say you feel like you've had a new job or a new role being in the same role for over 10 years?  Being a CISO has had its ups and downs during the 10 years Richard has spent in that role at Motorola, but the changes have been welcome and interesting. Every few years, the technology landscape changes, and with those changes in tech come massive changes in company ownership, leadership, and security. However, Richard is thankful that through these changes, his core team has stayed the same, giving him a trustworthy group to learn from. “It's always changing, but at the same time, there are some static components. When I came on to Motorola 15 years ago and established teams, most of my team, except for a very small portion of people that retired or left, are still with me today.”   What are your thoughts and best practices for proactive cybersecurity? Although “proactive cybersecurity” has become a buzzword we’re all paying attention to, Richard warns that most companies aren’t really being proactive with cybersecurity just yet. Instead, what the industry has shifted towards is prioritization. Understanding what’s important, prioritizing those aspects of a business, and knowing what you don’t have the resources to handle can make the security work you’re doing feel more proactive.  “Why do I need to prioritize? Because you're getting more alerts than you have people to be able to handle it or technologies to be able to handle it in an automated way. So, you have to prioritize what's important.”    What would you recommend people consider to extend their cybersecurity career life as long as you have? After nearly four decades in the industry and over ten years at Motorola, Richard has been in cybersecurity longer than most modern-day practitioners. When asked about his secrets for an extended cybersecurity career, Richard reflects back on his advice around prioritization over “proactive cybersecurity”, and emphasizes the importance of community. Cybersecurity is a collaborative field, and practitioners have to stay open to learning together to succeed.  “In the cybersecurity world, we will talk to our competitors and share what we're seeing. I think that community effort is one of the key things. You have to enjoy what you're doing, reach out and be collaborative with people. Don't be the security guy that people are scared of.” --------------- Links: Keep up with our guest Richard Rushing on LinkedIn and Twitter Learn more about Motorola Mobility on LinkedIn and the Motorola website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase an HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Kenneth Ellington, the Senior Cybersecurity Consultant at EY and Founder of the Ellington Cyber Academy, achieves his goal of being on the Hacker Valley Studio this week. From working at Publix in college to becoming an online course instructor, Kenneth’s journey into the cyber industry has been heavily influenced by online educators like Chris and Ron. Kenneth covers barriers to entry for cyber, SOAR vs SIM, and how much further we need to go for representation in the industry.   Timecode Guide: [00:00] Starting a cyber career at the Publix deli counter [05:16] Fighting through introversion to become an online instructor [11:02] Setting equitable & understandable prices for cyber courses [15:54] Looking into the future of SOAR vs SIM to see what’s next [19:27] Taking the chance on content creation as a new cyber professional   Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this security podcast to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive offensive security solutions. Visit netspi.com/HVM to learn more.   What areas do you feel confident in as a new teacher, and what do you still struggle to get your footing on?  As someone newer to online teaching, having only done it for 2 years, Kenneth is confident in his communication skills, but still struggles with fully grasping new technology. On the bright side, Kenneth believes those technical skills come with time and practice, something he’s 100% willing to do. What helps him stand out as a strong teacher is something harder to learn— communication with others and de-escalating stressful situations for students.  “I worked at Publix for four years in the deli, dealing with customers, and that forced me to develop those soft skills about how to talk to people and how to communicate and how to de-escalate situations. That's how I set myself apart.”   What are some of the things that you're thinking about when it comes to setting the pricing for your course content?  No matter how his prices change or how skilled he becomes, Kenneth still believes in fair and equitable pricing for his course content. Considering his experience and expertise, Kenneth charges at least half of what I vendor might charge for similar content and knowledge. However, Kenneth doesn’t believe in thousands of dollars being spent on his courses, because he wants entry-level students like himself to be able to afford to learn. “I'm very honest with myself, what my skill level is, and the value I bring towards it. Because I've been doing this for over two years, technically, I've gotten a pretty good gauge as to what people are willing to pay for and the value that I can bring.”   Do you have anything you’re looking to expand into with Ellington Academy?  While SOAR and SIM are Ellington Academy's bread and butter, Kenneth is looking forward to continuing to expand his expertise and scale his content. A future upcoming goal Kenneth has is giving back to the country of Jamaica, where his family is originally from. Through providing courses or recruitment opportunities, he wants to bring cyber skills to everyone. “From a legacy perspective, I want to leave a positive mark on this world, just to make it better than when I got here. One of my big goals, I don't know if it's gonna happen, but my family is from Jamaica, so I'm hoping I can maybe put ECA there someday.”   What advice would you give to a newbie in cybersecurity looking to start making content?  Kenneth got his start at the Publix deli counter, and he understands that the beginning of someone’s cyber journey can look just like his— inexperienced but hungry for knowledge. For newcomers to the industry, Kenneth wants to reassure you that you’re never too young to teach or too old to learn. Take courses, expand your knowledge, and give back to people with less knowledge than you through accessible learning content of your own.   “Take the opportunity to try to do something new because your knowledge is valuable, no matter how much or how little that you have. Everybody can learn something from everyone. I always try to help out however I can.” --------------- Links: Keep up with our guest Kenneth Ellington on LinkedIn Check out the Ellington Cyber Academy Learn more about EY on LinkedIn and the EY website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase an HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Lesley Carhart, Director of Incident Response at Dragos, takes some time off mentoring cybersecurity practitioners, responding to OT incidents, and training in martial arts to hop on the mics this week. Named Hacker of the Year in 2020, Lesley’s impact on the industry stretches far and wide. As an incredible content creator for cybersecurity, Lesley advises listeners on how to find their niche and who to be willing to educate along the way.   Timecoded Guide: [00:00] Giving back to the community through martial arts & cyber education [06:13] Being excluded from the cyber industry & turning to content creation instead [12:33] Comparing incident response in IT vs OT environments [19:46] Dealing with post-COVID problems with the wrong OT systems online [26:51] Finding your cyber niche & exploring education options within it   Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this episode to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human-delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.   What inspired you to start creating cybersecurity content? Lesley’s cybersecurity content has vastly influenced and impacted many cyber practitioners in the industry, including Ron and Chris. Unfortunately, Lesley’s journey into content creation was inspired by the lack of mentorship they received from other professionals when they were starting out. Never wanting anyone to feel the way they did, Lesley created an online world of resources to warmly welcome and educate new practitioners.   “It's not a really glamorous story. When I got into cybersecurity, I wanted to do digital forensics and nobody would help me, nobody would actually take me seriously and give me a shot. Everybody should have a chance to get into cybersecurity if it's something they want to do.”   How has teaching cyber to a general audience been appealing to you? When not educating new cyber practitioners or tearing it up in the martial arts studio, Lesley likes to reach out to their community and give talks to audiences outside of typical tech and security groups. From churches to universities, Lesley loves meeting people outside of the cyber industry. These individuals always offer them a new perspective and a feeling of accomplishment for showing someone something new.  “It's enjoyable to me to find other people out there who want to learn about an entirely new topic and expose themselves to its problems and how it impacts society and things like that. I appreciate that. Cybersecurity is important and it impacts everything around us all the time.”   In your world, where does incident response start, and where does it stop? Like many of cyber’s most complicated concepts, the answer to where incident response starts and ends is subjective to certain resources and elements of an organization. Lesley explains that incident response has to be planned and that the planning process has to involve when to declare an incident and when to close the said incident. Without proper planning in advance, an organization is at risk for a crisis that could’ve been responded to quickly turning into an out-of-control attack.  “There's no perfect defense against an incident, everybody's vulnerable. You do your best to mitigate and avoid having a cybersecurity incident, but there's only so much you can do. Eventually, you have to assume that you're gonna have an incident.”   What piece of advice do you have for anyone looking to share more knowledge and make the cyber industry better?  Although everything in cybersecurity can seem daunting, expansive, and interesting to everyone, Lesley’s recommendation to new practitioners is to find a niche in cyber and stick to it for a while. Finding a niche doesn’t have to be permanent, but Lesley believes that niche will help you carve out extensive knowledge worth sharing and creating content around. When you discover that niche, don’t be afraid to reach out to other industry experts along the way. “Pick an area and then find mentorship in that and try to focus for a couple of years on a particular area. You can always change your mind later on, just like degrees, just like training programs, but it's going to help you a lot to focus for a little while.” --------------- Links: Keep up with our guest Lesley Carhart on LinkedIn, Twitter, and their blog Learn more about Dragos, Inc on LinkedIn and the Dragos website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase Hacker Valley swag at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Brian Kime, VP of Intelligence Strategy and Advisory at ZeroFox, talks about all things threat intelligence this week. Brian explains why he chose threat intelligence as his focus, where he’s seen opportunities for growth in recent years, and what challenges for cyber threat intelligence lie ahead. Using his intelligence experience developed first in the US Army Special Forces, Brian delivers his argument for intelligence-driven security, instead of the marketing-driven security industry we have today.   Timecoded Guide: [00:00] Diving into the VP of Intelligence Strategy role [05:25] Learning intelligence in the Army Special Forces [10:09] Seeing the past, present, & future of threat intelligence [19:31] Measuring efficacy & ROI of cyber threat data [25:18] Building your own cyber threat intelligence capabilities   Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.   A lot of folks shift from intelligence into other areas of cyber, what inspired you to continue down the intelligence route? After Brian graduated from Georgia Tech and the nation experienced the tragedy of 9/11, Brian felt called to enlist in the US Army Reserve. While the war in Afghanistan was not as short-lived as anyone expected, Brian found his calling in military intelligence, where he was inspired to put his experiences in IT and intelligence together. It turns out that fusion already existed in the form of cyber threat intelligence, and Brian wanted to focus on that completely. “I want to bring all these things together and really start pushing our customers and pushing the security community in general towards more intelligence-driven security. Mostly, what I see even today still just feels like marketing-driven security.”   Where are we today with threat intelligence technology, in terms of challenges and opportunities? Brian believes we’re already in a really exciting place today in terms of threat intelligence technology. What feels especially opportune for him at the moment includes opportunities and technology that involve internal data from previous threats, freely available external data from sources like blogs, and third-party vendors. However, the challenges facing threat intelligence now involve how to make that technology available for small and medium businesses. “That's what I would love to see become the standard, that big corporations incorporate threat intelligence to the level that they can start to actually extend that value into their supply chain. That way, the whole system becomes more resilient, more secure.”   How does a security team measure the efficacy and ROI of intelligence? In Brian’s opinion, most cybersecurity practitioners don't track the ROI of their intelligence vendors, or they fail to measure intelligence for effectiveness. The metrics cyber teams should focus on include number of new detections created, incidents discovered, adversary dwell time, and improved security decision making. Unfortunately, improved decision making is the hardest to measure because it requires practitioner feedback. “At the end of the day, if stakeholders are making security decisions based on intelligence that I'm providing, that's a really good measure of effectiveness. All the security decisions that were influenced by threat intelligence, that's what we're going for.”    When you don't have an intelligence capability and you want to create one, what is typically the first thing that an intelligence team member does? If you’re intending to collect data from your customers (which almost every company out there is trying to do), then Brian believes that privacy and security need to be considered from the start. Critical security controls and a solid framework are key to early success for even the smallest security team. The best place to start? Software and hardware inventory. If you don’t know what you have, you won’t be able to secure your technology properly.  “At the beginning of the critical security controls, it's always software and hardware inventory. If I don't know what I have, then I really can't do anything well in security. I can't do incident response because I don't know where my data is.” --------------- Links: Keep up with our guest Brian Kime on LinkedIn and Twitter Learn more about ZeroFox on LinkedIn and the ZeroFox website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Michael Piacente, Managing Partner & Cofounder at Hitch Partners, answers the essential question on many cybersecurity professionals’ minds: Where do CISOs find CISO jobs? As it turns out, Michael helps many cybersecurity teams find their perfect CISO match with the assistance of his own team at Hitch Partners. In this episode, Michael clarifies what the role of a CISO really is, explains the compensation and benefits, and reveals the many responsibilities a CISO may take on during their team in the role.   Timecoded Guide: [00:00] Defining the role of CISO & finding the right homes for each CISO [05:21] VCISO & fractional CISO as an alternative to a full-time CISO [11:49] CISO annual income, benefits, & non-monetary incentives [16:37] Explaining additional responsibilities & tasks taken on by the CISO [25:11] Giving advice to future CISOs looking for the next cyber executive opportunity   Sponsor Links: Thank you to our sponsor Axonius and NetSPIfor bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.   In your own definition and experience, what is a CISO? Although there’s many definitions of the role, Michael clarifies that defining CISO should always include being an executive. To have a CISO who makes a positive impact and fulfills an organization’s needs, that CISO has to be properly placed, properly sponsored, and be in an environment where they have the proper reporting processes. Michael also believes the CISO should always be looking over their shoulder to be diligent of the next threat. “In my version of it, a CISO is the executive— and that's the key term here— that has been properly placed, properly sponsored to handle all of the business information and data risk policy execution and operations in the company.”   What is the difference between a fractional CISO and a VCISO? In Michael’s opinion, a VCISO (virtual CISO) and fractional CISO can be used interchangeably in a situation where a company does not need a full-time CISO executive. Unless they’re looking to support a strong security program, Michael understands that many companies don’t need a full-time CISO in order to be successful. A VCISO makes an impact on an organization’s security without being an overwhelming role in a smaller organization. “Bringing in your starter package to implement the baseline or foundational building blocks of what will become a security program, in the form of a consultant or consulting firm, is often a wiser choice than going in building a security program around a full-time CISO role.”   Are there different types of CISOs, and have those types changed over time? Previously, Michael defined 3 different types of CISOs in his search for CISOs with Hitch Partners. However, a fourth type has emerged in recent years: the BISO, or Field CISO. This fourth type joins the ranks alongside other impactful CISO types, including the client (or governance) facing CISO, highly technical CISO, the IT-focused CISO, and now, our fourth type, the BISO, who focuses on the business side of the risk. “It's amazing that all of our CISO searches contain all these different types of CISOs. The fun part of that we get to figure out is: What's the priority [for the role]? What's the order? What does everyone in the organization think the priority should be?”    How would you direct someone to take that first step after realizing they want to be a CISO? Discovering the CISO role exists and being the right person for the role is an important distinction, and Michael encourages potential CISOs to take some time to research the job before getting involved in a job search. However, once someone knows they want to be a CISO, Michael advises finding a CISO mentor and diving into a passion. Each type of CISO needs an expertise and passion to propel them into the superpower status needed to be a CISO.  “I think it’s about finding a passion. I'm a big believer that you just have to know where your superpower is, or what your superpower wants to be. In other words, that thing that's passionate to you, that you probably know better than 99% of the population out there.” --------------- Links: Keep up with our guest Michael Piacente on LinkedIn Learn more about Hitch Partners on their website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Hacker Valley: On the Road is a curated collection of conversations that Chris and Ron have had during conferences and events around the globe. In this episode, NTT’s Dirk Hodgson, Director of Cybersecurity, and Adam Green, Senior Cybersecurity Executive, speak with the Hacker Valley team at CyberCon in Melbourne, Australia. Dirk and Adam cover the intersection of their roles at NTT, their experiences at conferences like RSA, their country’s cybersecurity industry, and their team’s cultivated trust with clients.    Timecoded Guide: [00:00] Reuniting at CyberCon after years of COVID limiting security conferences [06:30] Differentiating Australia’s cybersecurity industry from the rest of the world [10:48] Watching current cyber trends with CMMC & the Essential 8 frameworks [25:41] Creating interpersonal communication in a technology-driven industry [34:58] Building trust by knowing your clients & your adversaries equally   Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone How are Australian cybersecurity practitioners different from the rest of the world? According to Adam, the past 3 years have led to a massive shift in maturity for Australia’s cybersecurity industry. Previously, Australia relied on its physical isolation as a country as a means of security, but breaches have become more high profile and more impactful for Australian businesses in recent years. Now, Adam is pleased to see there be a greater understanding beyond the 101 of cybersecurity and more collaboration with security teams. “Three years ago, we used to say Australia was 5 years behind the rest of the world [in cybersecurity]. We used to think, because of proximity to the rest of the world, we were pretty safe, but it's definitely become more of a professional approach to security now.” — Adam   How do your roles as Director and Executive work together at NTT?  For Dirk, cybersecurity is the ultimate team sport— and Adam is an impactful element to his cybersecurity team. While Adam often focuses on strategic planning through his background as a practitioner, Dirk enjoys how his business-driven perspective contrasts with Adam and with other members of the team. With a variety of experiences and perspectives in the room, NTT can cover issues from all sides, instead of falling victim to tunnel vision. “Adam is the person on the team, who's great at that scenario planning piece. ‘Here are the things that are gonna go wrong.’ Whereas myself and a couple of the other people on the team, look at that go, ‘What's that going to cost the organization?’” —Dirk   Where are the strengths and weaknesses in communication in cybersecurity? Just like Dirk’s thoughts about cybersecurity being a team sport, Adam believes that you have to cultivate a team member-like trust with your clients. The client in an initial conversation might seem defensive of your advice or critical of your actions. However, Adam explains that establishing credibility, especially in the business-focused cyber industry in Australia, goes a long way to creating the opportunity for more casual conversations down the line.  “What we find is, in Australia in particular, it's about not just the company, but you as an individual. Do you have my back? Can I trust you? If I don't like you, will you at least mitigate my risk for me? You have to establish credibility real fast.” —Adam   What advice would you give to someone interested in cultivating more trust between clients and their team? Dirk loves a good James Bond villain, but the average hacker attacking the average business is nothing like the movies. Establishing trust with clients starts with not only understanding what they need, Dirk explains, but also knowing the most likely threats beyond the showstopping Blackhats of media fame. Being able to explain to and protect clients from the most common threats keeps their data safest and strengthens their trust in your team. “I think it's about making sure that you know what the worst case scenario is, what the most dangerous course of action that the attacker or a potential attacker could follow, but also, being able to talk credibly about what's the most likely threat.” —Dirk --------------- Links: Keep up with our guest Dirk Hodgson on LinkedIn Keep up with our guest Adam Green on LinkedIn Learn more about NTT on LinkedIn and the NTT website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Hacker Valley: On the Road is a curated collection of conversations that Chris and Ron have had during conferences and events around the globe. In this episode, Cloud Security Podcast’s Ashish Rajan and Shilpi Bhattacharjee speak with the Hacker Valley team at AISA CyberCon in Melbourne, Australia. Ashish and Shilpi discuss their respective talks on supply chain security and zero trust technology, SBOMs, and keynote speakers at this year’s Cybercon worth noting for the audience at home.   Timecoded Guide: [00:00] Connecting & conversing at a cyber conference post-COVID [06:50] Breaking down Shilpi’s presentation on supply chain threats & attacks [11:45] Understanding the paradoxes & limitations of zero trust with Ashish’s talk [26:13] Defining & explaining SBOM, or Software Bill of Materials  [33:16] Noticing key conversations & trends for those who didn’t attend AISA Cybercon   Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley Shilpi, can you talk about the idea behind the talk you had at CyberCon?  The inspiration behind Shilpi’s conference talk was supply chain issues. Titling her talk, “Who’s Protecting Your Software in Supply Chain,” Shilpi hoped to further educate and advocate for security in the supply chain process. An estimated one in two companies will experience a supply chain attack in the coming years. Instead of fearing such a statistic, Shilpi hopes her talk inspired further security action to protect our supply chains.  “One staggering fact that I read is that one in every two companies is going to have some sort of a supply chain attack in the next three years. So, who's going to look after the supply chain? Is it going to be the organization? Is it going to be your third-party vendors?” —Shilpi   Ashish, what about your talk at Cybercon? In contrast, Ashish’s talk was about the triple paradox of zero trust. When talking about and implementing zero trust, Ashish realized many companies don’t implement the cultural changes needed for zero trust and/or only talk about zero trust as a technology process. Zero trust has numerous layers beyond technology, and requires time and major changes in culture and technology to implement in most companies.  “I feel bad for bashing on finance, marketing, and HR teams. They're all smart people, but if you're going to add four or five layers of security for them, they almost always say, ‘I just want to do my job. I don't really care about this. It's your job to do security.’” —Ashish   Where would you recommend starting when it comes to trying to implement the ideas in your respective talks? When push comes to shove about where cyber companies can start first with supply chain and zero trust, Ashish and Shilpi agree that companies have to discuss business priorities. When company leaders can take the opportunity to look at and understand their cyber hygiene, the next steps might look very different from another company’s tactics. Knowing what a business has is the foundational piece that impacts any new process in cyber.  “If I were to go back to the first principle of what we do with cybersecurity professionals, one of the biggest assets that we're all trying to protect is data. You can't protect what you can't see, that's the foundational piece.” —Ashish   For anyone that wasn't able to make the conference, what is one thing that you would want to share with the audience at home?  There were a lot of conversations taking place at Cybercon this year. Ashish wants the audience at home to know that cloud native, zero trust, supply chain, and leadership positions like CISOs were the main themes in many talks, panels, and conversations. Shilpi wants those who couldn’t attend to watch out for more talks and conversations about cyber from those outside of the industry to understand that the issues impacting cyber influence the world.  “I think there's that interest about cybersecurity being more than just a cybersecurity problem. Cybersecurity is not just a technical problem, it's a societal problem, a cultural problem. I very much agree, because a lot of the things that we're dealing with impacts everyone.” —Shilpi --------------- Links: Keep up with our guest Ashish Rajan on LinkedIn Keep up with our guest Shilpi Bhattacharjee on LinkedIn Listen to Ashish and Shilpi’s Cloud Security Podcast Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Alton Johnson, Founder and Principal Security Consultant at Vonahi Security, automates his way out of his pen testing job in this week’s episode. An AOl hacking gone wild got Alton into defensive cybersecurity years ago, and now, as the Founder of Vonahi, Alton advocates for automation and efficiency in the pen testing process. Alton talks about his connection to defensive over offensive, customizing a pen test report to your audience, and finding that sweet spot between practitioner and entrepreneur.    Timecoded Guide: [00:00] Learning the importance of automation in defensive cyber [07:48] Connecting with automation & defensive cybersecurity over offensive [12:01] Showing the results that matter to the right people in a pen test report [15:27] Prioritizing exploitations in the world of vulnerability assessments [21:59] Maintaining the cyber practitioner & the entrepreneurial side of Vonahi   Sponsor Links: Thank you to our sponsors Axonius and NetSPI for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley For more than 2 decades, NetSPI has helped companies discover and remediate critical security issues through its platform-driven, human delivered security test. NetSPI is much more than a pentesting company, bringing you the most comprehensive suite of offensive security solutions. Visit netspi.com/HVM to learn more.   How have you seen automation change yourself and your role?  As a penetration tester, Alton explains that time is often not on his side. There’s a limited amount of time to do an assessment, and the measure of a good pen tester is often determined by fast, high quality reporting. Automating the repetitive tasks of pen testing not only saves time, but Alton believes it genuinely changes the role into something much more efficient, high value, and successful.  “Automation obviously plays a huge part in growing in the career too, because the more you can do, the more value you can provide, and the faster you can provide that value makes you a better pentester.”    How do you convey the story of a red team engagement in different ways so that message is received by everyone in the company?  At Vonahi Security, Alton’s team separates pen testing reports into an executive summary and a technical report. The executive summary is high level, demonstrating the impact and severity of what was discovered from a business point of view. Many business executives don’t need the technical play by play, which is why that is saved for the technical report. The technical report acts as a scene by scene story of what was done and how to technically fix it. “We separate the two conversations. Here's what we did at a high level to anyone that doesn't really care about the technical stuff, but only cares about how it impacts the business, and then, for the person that has to fix the issues, here's everything that they would need.”   What would you tell the newer generation of cybersecurity practitioners about the offensive side?  When Alton first started his cybersecurity journey, he was very into hacking and coding. That passion for code has served him well, allowing him to become successful enough to start his own business with Vonahi. For the younger generation of cyber practitioners, Alton recommends not skipping that coding education. As technically advanced and automated as cybersecurity tools are, practitioners should be prepared to code when something breaks or doesn’t work as intended. “I think coding is extremely valuable, because there's going to be many times that tools that you use don't work and you have to have the experience and knowledge to basically fix those problems with coding.”   What have you learned over the past few years that has helped you to maintain both the technical and business side of Vonahi? 21 Efficiency is the name of the game for Vonahi— and it’s the one thing that has allowed Alton to remain in a hands-on pen testing role while still being a business owner. Keeping it efficient is more than just technology and automation. Alton believes his success is a direct result of the efficient technology around him and the hardworking, intelligent, efficient team members working with him at Vonahi. “It is really just about efficiency. We look to all these other leaders, but for me, I like to learn from other people's failures. I don't want to take the same growth processes as the person who failed and didn't do well.” --------------- Links: Keep up with our guest Alton Johnson on LinkedIn and his personal website Learn more about Vonahi Security on LinkedIn and the Vonahi Security website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

John Hubbard, SOC consultant, SANS Sr. Instructor and host of the Blueprint Podcast, joins the Hacker Valley team this week to discuss SANS, SOCs, and seeking new hobbies. As the curriculum lead for cyber defense, John breaks down what makes a good SANS instructor and how to inspire passion in students when teaching for long hours. Additionally, John gives away his life hacks for pursuing passions outside of the cybersecurity industry, including podcasting, video editing, music creation, and nutrition.    Time Coded Guide: [00:00] Instructing for SANS & what it takes to be a good instructor [07:33] Exploring the potential of a SOC-less cyber industry [13:38] Teaching complicated topics with clear visuals & simple comparisons  [19:37] Podcasting his way to better SOC consulting skills  [26:12] Finding a balance between jack of all trades & single skill master   Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley   What do you think are the makings of a good instructor, especially for SANS?  Transitioning from the world of electrical and computer engineering, John’s journey to becoming a SANS instructor took over 3 years of study. Although he jokes that training to be a SANS instructor was the longest job interview ever, John is thankful for the mentorship and inspiration his training gave him. SANS courses require long hours and hard work, but John believes the best instructors bring a real love for what they do to each class.  “The technical aspect has to be there in a very strong way. Beyond that, you have to deliver this message not only with razor sharp clarity, but also with passion and energy. People are sitting there watching you talk for hours. If you aren't excited, they're not going to be excited.”   Cyber defense is a pretty broad topic. What makes you feel comfortable teaching a course on cyber defense? Cyber defense can be a topic that’s both broad and confusing for students, but John has been dedicated to building a curriculum that cuts through the confusion and inspires innovation. Teaching his students to focus on priorities, John wants to bring clarity to complex topics like SOCs, Kerberos, and related security issues. While the topics can be broad and debatable, John wants to equip his students with real world examples and simple comparable concepts. “If there was one word I was going to summarize both of the classes I teach with, it’s ‘priorities.’ It's getting the right stuff there first, and not getting distracted by all the other details that are potentially trying to pull you in the wrong direction.”   Have there been unintended benefits to being a podcast host, that either helps you as an instructor, or even someone that does consulting in the SOC space? Taking the chance to start the Blueprint podcast was inspired partly by John’s previous interest in podcasts like Security Now, but also by his pursuit of learning content creation. Starting a podcast, for John, was an exercise in testing his comfort zone. Learning the technical aspects as well as the creative aspects of content creation and podcast hosting continues to build John’s confidence in his storytelling and teaching skills.  “For me, a lot of things have come out of podcasting. Probably one of the biggest things is just flexing that muscle of doing things that are slightly uncomfortable and scary. Any time you think, ‘I don't know if I can pull this off. Should I do it?’ The answer should always be yes.”   What is one piece of advice or philosophy that enables you to do more and squeeze as much as you can out of life?  In the same way that he teaches his SANS students about priorities, John focuses on his personal priorities often in order to accomplish his well-rounded, jack of all trades lifestyle. Building new skills and cataloging new experiences feels vital for John. Taking full advantage of the time he’s been given and getting curious about expanding his comfort zone is an essential philosophy that has taught John not only about cyber defense, but about every hobby he enjoys as well. “I try to get up as early as I can manage to get up every day, well before I start getting emails and meeting requests and all sorts of stuff like that, and try to plan out my day and ask myself, ‘How am I going to actually approach doing the things that matter the most to me?’” --------------- Links: Keep up with our guest John Hubbard on LinkedIn, Twitter, and YouTube Listen to John’s podcast on the Blueprint Blog Learn more about John’s work on the SANS Institute website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Larci Robertson, Sales Engineer at Cyberreason and Board President of Women of Security, brings her expertise and experience in cyber threat analysis, community building, and networking to the pod this week. Larci talks about her time in the Navy, her desire for female friends, and how the combination of those two things led to her joining Women of Security (WoSec). In this episode, Larci walks through the importance of women-led cyber spaces and how mentoring gives back to the community in a ripple effect.    Timecoded Guide:  [00:00] Searching for friendship in Women of Security spaces  [06:56] Diving into the Dallas cyber community with WoSec  [14:00] Finding mission-focused purpose in threat intelligence analysis  [17:57] Transitioning from the military into security and technology  [24:10] Encouraging women to stay motivated in the cyber industry     Sponsor Links:  Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley How did you get introduced to Women of Security?  After leaving the Navy and moving to Dallas, Larci struggled to find community amongst other women in tech. She worried the women she knew outside of the industry wouldn’t understand her unique struggles, but the women she was meeting in cyber felt few and far between. Reaching out to Women of Security felt like an encounter with destiny, which inspired Larci to start her own WoSec chapter in Plano and find her voice as a community leader.  “I wanted to find those women and get more women into security, but also have somebody to hang out with that was in the same industry, same page, we're all kind of going at the same pulse of what we've got going on in our lives.”    What are the challenges for women transitioning into the technology field, whether they're coming from the military or from another industry?  As a woman in threat defense analysis, Larci understands the hurdles and complications that come with transitioning into the field. Originally gaining her security experience in the Navy, Larci explains that she, along with many women she meets in the industry, undermine their past experiences and doubt their full potential. This often leads to less job applications from women when positions open up, perpetuating the gap for women in tech.  “I want to tell women, and I do tell them all the time, don't look at that job title. Read through the actual like, what they want you to do, and maybe you understand it in a different way. Don't worry about that stuff. Let them tell you you're not qualified, don't do it to yourself.”    What comes to the top of your mind about the power of community when thinking about WoSec?  Community inspired Larci to be a part of WoSec, but it also left a lasting impact on her friends and her family. Not only has Larci witnessed many female friends achieve career heights they never dreamed possible, she’s also seen Women of Security inspire her own daughter. Initially believing her job was “too technical,” Larci’s daughter now better understands her own potential to succeed in cyber and tech, which has given her so much confidence in her future.  “I'm seeing people get their first jobs in cybersecurity, and it's really exciting. And then, they'll turn around and help somebody else. I feel like that's happening a lot more. I see it because my group is doing it, I think we're all emulating each other in that way.”    For any women listening right now, what would be that piece of advice that you have for them to keep them energized while they're in the field?  Money is a motivator for many individuals transitioning into the cyber industry. While Larci understands why she meets many women looking to make more money in cyber, she also encourages those women— and anyone else listening to this week’s show— to find a purpose and passion for their work. Money motivation doesn’t last forever, and Larci wants to build a community of women who understand and enjoy their purpose in tech.   “I feel like no matter what you do, if you have purpose in what you're doing, you're going to stay and you're going to have that drive. On top of that, you gotta have fun with this. If you're not having fun at what you're doing every day, I think you're doing it wrong.”  ---------------  Links:  Keep up with our guest Larci Robertson on LinkedIn and Twitter  Learn more about Cyberreason on LinkedIn and the Cyberreason website  Connect with Ron Eddings on LinkedIn and Twitter  Connect with Chris Cochran on LinkedIn and Twitter  Purchase a HVS t-shirt at our shop  Continue the conversation by joining our Discord  Check out Hacker Valley Media and Hacker Valley Studio 

Marrelle Bailey, Community Manager, Content Curator, and DEI Advocate, brings her multifaceted career experiences down to Hacker Valley Studio this week. Tapping into her past lives in yoga, bodybuilding, community managing, and cybersecurity, Marrelle explains the silo her career has taken into helping others find ease and peace of mind in their work. Marrelle also walks Chris and Ron through an exercise designed to help anyone feel more worthy, valuable, and like they belong.   Timecoded Guide: [00:00] Taking on career pivots with excitement & curiosity [06:23] Bodybuilding & yoga’s surprising presence in her cyber career [09:28] Finding black women in predominantly white tech communities [14:07] Being a jack of all trades, but a master of self worth & reflection [20:54] One key practice for feeling worthy, valuable, & like you belong   Sponsor Links: Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley What from your past in yoga and bodybuilding has stuck with you today? As someone who grew up feeling traumatized and uncertain, Marrelle believes that yoga genuinely saved her life. Yoga helped Marrelle feel confident and empowered, and also taught her the importance of self-reflection. Additionally, Marrelle’s continued health and wellness journey inspired her to take up bodybuilding, which has motivated Marrelle to work hard, to motivate others to engage in their health, and to recognize when she’s holding herself back. “My clients know I'm fixated on pushing them as much as I push myself, because I know we have greatness. I know for myself, I can be the best self-sabotager in the world when it comes to pushing myself professionally. I know what it feels like sometimes to hold yourself back.”   What has it been like doing all these different roles and how do they stack together? Marrelle is a true example of a jack of all trades, with experience in personal training, cybersecurity, content creation, and community management. Despite the differences, each role Marrelle has taken on has ultimately focused on compassion, authenticity, and perseverance. Marrelle never saw black women succeed in the areas she wanted to succeed, but now, she can set an example and show that she belongs in each opportunity she takes. “I feel like each job taught me, even though they were all so different, they all taught me about gaining compassion for people. Am I being authentic to the people around me? Am I giving people the ability to be themselves and for me to be myself, to grow, to persevere, to push?”   How would you describe yourself, being so multifaceted and dimensioned? Marrelle believes she is someone that just wants to help other people and support other people in their healing process and in knowing their importance. Many people, regardless of their profession, struggle with difficult feelings of unworthiness and exclusion, fearing that they won’t be taken seriously for who they are. Marrelle has struggled with these same feelings, and wants to create safe spaces for people to grow and nurture their confidence. “I just want to bring people's lives ease and peace and remind them how valuable they are, because I think all of us at some point struggle to know our worthiness and our value, and that we belong in the spaces that we're in, because sometimes we can really feel left out.”   What would you recommend for anyone who wanted to start feeling worthy, valuable, and like they belong a little bit more today? While anyone can struggle with feeling a lack of worth, value, and belonging, Marrelle wants to reassure listeners that these exist in abundance and can be built up with mindfulness exercises. An easy way to start practicing a better and more positive mindset is through inhaling the good and exhaling the bad. As you inhale deeply, think positively about who you are and who you want to be. As you exhale, get rid of negative and unfair thoughts about what makes you “not good enough” to feel worthy, valuable, and like you belong. “You are worthy, you are valuable, and you belong where you are. No one can question it, you are where you are because you got there. No one knows your backstory, no one knows your journey, no one can walk in your shoes, but you deserve to be where you are.” --------------- Links: Keep up with our guest Marrelle Bailey on LinkedIn, Twitter, and website Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio

Sheryl Anjanette, Author, Speaker, and CEO & Founder of Anjanette Wellness Academy, comes down to Hacker Valley to discuss and promote her new book. The Imposter Lies Within covers Sheryl’s work with the intersection between business and mindset, and invites professionals to reconsider and reprogram their brains away from imposter syndrome. Using her findings personally and professionally, Sheryl walks through the origins, explanations, and potential remedies for imposter syndrome in this episode.   Timecoded Guide: [00:00] Discovering imposter syndrome’s origin story  [05:04] External triggers vs the inner critic [13:59] Imposter syndrome & Neuro Linguistic Programming (NLP) [21:11] Reprogramming your brain to heal from the imposter phenomenon [27:34] Fearing firing as an unrealistic response to the inner critic   Sponsor Links: Thank you to our sponsors Axonius and Uptycs for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley Uptycs, analytics for the modern attack surface, observability for the modern defender. Check out Uptycs by visiting them at uptycs.com   What is the origin of imposter syndrome?  Defined and named in the early 1970s, imposter syndrome impacts each person in different ways depending on a variety of personal experiences, including gender, upbringing, and income status. Despite the experience varying from person to person, Sheryl explains the set of symptoms still remains strikingly similar, no matter who is suffering from imposter syndrome. This has made the phenomenon relatively easy to identify with, as many struggle with a lack of belonging, self worth, and self confidence. “In the early ‘70s…researchers called it the imposter phenomenon, but they had only studied women. For quite a long time, people thought only women experienced feeling like an imposter, but recent studies have shown that men and women experience this almost equally, just differently.”   Do you see imposter syndrome as a negative construct of Neuro Linguistic Programming (NLP)? Outside of the office, Sheryl incorporates Integrated Hypnotherapy in a large majority of her coaching work and explains that a large majority of that has involved delving into NLP, or Neuro Linguistic Programming. NLP emphasizes the importance of what people tell themselves. What someone actively lets themselves think has the power to become true to their brain. When someone thinks they are an imposter at work, they end up accidentally using aspects of NLP, which causes their brain to believe they are an imposter.  “Our conscious mind is only 10% of our reality, 90% is below the surface. When we can start to make the unconscious conscious, when we can do the deep dive and go back in and look at our programming, we can see where the code went bad and change that.”   What are the steps of reprogramming your mind away from these imposter thoughts? Reprogramming someone to actively deny and work against imposter syndrome thoughts requires a deep dive into emotions and an understanding of an internalized past. Sheryl explains that being present, taking deep breaths, and allowing your perspective to shift out of your head and into your body are all steps that need to be taken in this reprogramming process. This process is powerful and new, but Sheryl promises it doesn’t have to be difficult or uncomfortable.  “Get very, very present in the moment and then, just feel yourself drop into your heart. Feel yourself drop into your heart, it's only an 18-inch journey, but it's something we generally don't do very often. Get out of our head and into your heart.”   For anyone that's dealing with imposter syndrome, is there anything that you would want to tell them to help them understand the power within? Sheryl sees a large majority of professionals struggle specifically around the idea of not being good enough at work and being an imposter at risk of being fired. Imposter syndrome can convince anyone of this idea because it doesn’t rely on experience as evidence, according to Sheryl. Instead, someone suffering from imposter syndrome has to acknowledge that the idea of not being good enough and being fired is just an idea, not reality.  “As you go into your heart and into your observer role, ask yourself: Is this real? Where's this coming from? And then, tell yourself a different story. ‘I'm good. Everything will work out. I think that's just a pattern that I've had for a long time. I'm going to assume the best.’” --------------- Links: Keep up with our guest Sheryl Anjanette on her website, LinkedIn, or via email: hello@sherylanjanette.com Purchase Sheryl Anjanette’s book, The Imposter Lies Within, on Amazon and Barnes & Noble Connect with Ron Eddings on LinkedIn and Twitter Connect with Chris Cochran on LinkedIn and Twitter Purchase a HVS t-shirt at our shop Continue the conversation by joining our Discord Check out Hacker Valley Media and Hacker Valley Studio