Episode 89: Simon Clark on Investigating the Key Man and a Billion Dollar Fraud

Allan Friedman is a senior strategist at CISA (the Cyber Security and Infrastructure Security Agency) where he coordinates all of their cross-sector activities on the topic of SBOM: The Software Bill of Materials.

Allan is widely known as a change agent in both the public and private sector. In government he led initiatives that created positive change in major community-wide initiatives around vulnerability disclosure and vulnerability management. He also championed efforts that made dramatic improvements in the ability to reduce risk due to the proliferation of Internet of Things devices including championing ways to keep these devices patched in the field. Now at CISA his SBOM efforts have produced action across a sector that few other initiatives have.

We discuss:

- What executive leaders need to know about SBOM and how to explain its benefits to any non-technical executive.

- How a small team can establish a vision and make change across government, industry and academia.

- What new initiatives may be coming that will support needs of the security and technology communities.

Related Reading:

Technology Convergence and Market Disruption: Rapid advancements in technology are changing market dynamics and user expectations. See: Disruptive and Exponential Technologies.

Corporate Board Accountability for Cyber Risks: With a combination of market forces, regulatory changes, and strategic shifts, corporate boards and their directors are now accountable for cyber risks in their firms. See: Corporate Directors and Risk

Geopolitical-Cyber Risk Nexus: The interconnectivity brought by the Internet has made regional issues affect global cyberspace. Now, every significant event has cyber implications, making it imperative for leaders to recognize and act upon the symbiosis between geopolitical and cyber risks. See The Cyber Threat

Challenges in Cyber “Net Assessment”: While leaders have long tried to gauge both cyber risk and security, actionable metrics remain elusive. Current metrics mainly determine if a system can be compromised, without guaranteeing its invulnerability. It’s imperative not just to develop action plans against risks but to contextualize the state of cybersecurity concerning cyber threats. Despite its importance, achieving a reliable net assessment is increasingly challenging due to the pervasive nature of modern technology. See: Cyber Threat

Joe Sullivan has been at the forefront of managing security risk in rapidly growing high tech companies over the past 20 years serving as the Chief Security Officer at Facebook from early start-up through the IPO, CSO of Uber and CloudFlare, and as a security leader at eBay/PayPal. Joe was also involved in a landmark legal case for a breach at Uber which resulted in a criminal conviction that serves as a precedent for executive liability in cybersecurity going forward.

In this OODAcast we discuss:

• Joe's early career and how he got interested and involved in technology and started his career as a federal prosecutor focused on cyber crime.
• The transition into serving as a technology company CSO and his experiences at eBay/PayPal, Facebook, Uber and Cloudflare.
• Lessons learned from building and managing highly functional security teams in dynamic environments.
• Frameworks for managing risk at companies like Facebook and Uber.
• His experiences being prosecuted and convicted surrounding circumstances associated with a 2016 incident at Uber.
• How the courts will handle future cases like this and the associated liability for C-suite executives.
• His current work focused on supplying technology for remote learning to displaced children in Ukraine.

Official Bio:
Joe Sullivan is CEO of Ukraine Friends and President of Joe Sullivan Security LLC. Previously, Joe had served as the Chief Security Officer of Cloudflare since July (2018 - 2022). Prior to that, Joe was employed as Chief Security Officer at both Uber (2015 - 2017) and Facebook (2008 - 2015). His first private sector experience was in senior security and legal roles at eBay and PayPal (2002 - 2008). He also held the position of Commissioner for the United States Presidential Commission on Enhancing National Cybersecurity in 2016 and spent the first eight years of his career with the US Department of Justice, including as a federal prosecutor focused on cyber crime. Joe also advises a number of companies on security practices and mentors a number of developing security leaders.

Recommended Books:

Russia: Revolution and Civil War, 1917-1921

Beneath A Scarlet Sky

Joe Tranquillo is a Professor of Biomedical Engineering at Bucknell University and a provost at the school.

He is also and author and speaker with a knack for helping make new and at times complex subjects understandable. In this OODAcast we discuss many aspects of the revolution in biological sciences with Joe including topics like:

• New ways of delivering medicines that target specific tissues
• Discovery of the structure of almost every human protein
• Methods to synthesize biomolecules, which can result in ways to manufacture a wide range of materials like therapeutics, flavors, fabrics, food, fuels.
• New ways of growing food that are more productive and take fewer pesticides and fertilizers.

We also discuss the concept of complex systems and lessons from complex systems theory that apply not only to biological sciences and engineering but to many complex human activities and creations. We examine ways leaders can improve their ability to think in terms of complex systems, ways that technologists can use systems thinking to better communicate with non-technical people, and insights for executives on where the revolution in biological sciences is taking us.

Charles Clancy has successfully led technology efforts in government, industry, academia and continues to lead and innovate in his current position as Senior Vice President and GM of MITRE Labs. He is MITRE's Chief Futurist. His role in technology leadership and his tracking of tech across multiple domains made for an incredibly insightful OODAcast.

We review Charles' insights into:

• Quantum Computing
• Quantum Security
• Artificial Intelligence
• Microelectronics and Friendshoring/Reshoring
• The March 2023 National Strategy for Cybersecurity
• Governance in the age of ubiquitous computing
• What corporate boards should know about technology and cybersecurity governance

Mark McGrath has applied the teachings of John Boyd to a career that began in the Marine Corps, included leadership positions in financial services firms and consulting with businesses with a need to learn to thrive in volatile, uncertain, complex and ambiguous (VUCA) environments. He co-founded the consultancy AGLX and serves as its Chief Learning Officer. He is the co-host of the popular podcast “No Way Out” which is dedicated to examining and advancing the use of the theories of John Boyd to help both individuals and businesses seeking to improve their capacity for free and independent action.

Mark is also a continuous learner. He has examined the works of John Boyd from as many perspectives as possible including visiting the archives of his books and papers at the Marine Corps University library at Quantico.

In this OODAcast we ask Mark for his perspectives on Boyd and OODA, resulting in some unique and at times surprising insights. We cover:

• Ludwig von Mises and Austrian Economics, the economic theories that many of us (myself included) believe to be the only economic theories grounded on reality. Mises cites the ancient philosopher Heraclitus: Everything is in a ceaseless flux, there is no permanent being; all is change and becoming.Doesn’t that sound like Boyd?
• The connection between Boyd’s approaches and realities of physics and biology
• How history impacted Boyd’s views on decision-making in competitive environments
• How leaders can continue to sharpen the saw and keep learning.
• Why treating the OODA Loop as the only concept from Boyd is just wrong. Study of Boyd may start with the OODA loop because it is the most famous of his concepts but it it one of many contributions. This scope of his work is so far beyond that.
• Regarding OODA, we discuss the critical aspect of the Orientation step. Mark considers Orientation as our internal operating system that needs to be constantly upgraded and updated to stay relevant for success.

Resources:

Mark McGrath on LinkedIn

The No Way Out podcast

Serene is a hacker in the truest sense of the word. She's applied a hacker mindset to learn coding, piano, and blend art and engineering in fascinating ways. You'll find her collaborating on-stage with Grimes one night and coding censorship resistant technologies the next day.

As a self-taught coder she was the first engineer hired into Google Ideas when she was just a teenager. At Google she pioneered work on WebRTC proxies that she continued as a fellow at the Open Tech Fund and was eventually released as a Tor-enabling tool called Snowflake.

Serene took a hiatus from working as a full-time engineer to pursue a career as a concert pianist where she quickly gained recognition for her incredible talent. She became one of the few self-taught concert pianists to perform Rachmaninoff’s Piano Concerto No. 3 (which I highly recommend checking out on YouTube). Serene is also known for the audiovisual artistry of her shows which is drawn from her own experiences with synesthesia that results in her seeing music as colors.

As the conflict in Ukraine started, Snowflake started to see exponential usage patterns as Russian citizens looked to circumvent state censorship and Serene decided to build a company around the technology to enhance development and build independent deployment models. That company is called Snowstorm.

With Snowstorm, Serene is focused on saving cyberspace from balkanization and censorship and ensuring that all global citizens have unfiltered access to the Internet. In this OODAcast, we explore Serene's career and then dive into ways we can preserve the original intent of the Internet with censorship resistant and privacy enhancing technology stacks that can be easily deployed and scaled.

Official Bio:
SERENE is a concert pianist from a most unexpected trajectory. Though she never attended conservatory, her solo performances have been described by The Paris Review as a “spectacle to match the New York Philharmonic”, and today Serene has become one of the most talked about young talents in classical music, and beyond.

Beyond concertizing, Serene enjoys other collaborations such as her role as composer for Kanye West’s Opera, premiered at Lincoln Center & Art Basel, as well as pianist & technologist with Blue Man Group’s founder, bringing futuristic innovations at the intersection of music and technology while also highlighting her own audiovisual synesthesia.

Previously, Serene was a computer scientist, Google Engineer, and senior research fellow on various projects, before leaving to fully focus on the piano. In the brief years since, she has cultivated a disciplined, personal, and spiritual approach to her music. With her intersections of many disciplines, plus the “ability to enthrall audiences”, she has grown an international following.

Serene is one of very few self-taught pianists who’ve performed Rachmaninoff’s Piano Concerto No. 3, which was described as “unprecedented” —Liszt Academy. Serene loves sharing the beauty and power of classical music with all audiences, everywhere, in all venues ranging from the Vienna Musikverein, to a full orchestra in Golden Gate Park, to a decommissioned Boeing 747.

Additional Links:

• Official Website
• Snowstorm
• Serene on Instagram
• Serene Rachmaninoff Concerto

Book Recommendations:

Andy Bochman is the Senior Grid Strategist-Defender for Idaho National Laboratory’s National and Homeland Security directorate. In this role, Andy provides strategic guidance on topics at the intersection of grid security and climate resilience to INL leadership as well as senior U.S. and international government and industry leaders. Andy is a frequent speaker, writer, and trainer who has testified before the U.S. Senate Energy and Natural Resources Committee on energy infrastructure cybersecurity issues and before FERC on the maturity of smart grid cybersecurity standards. He has had recurring conversations on grid security matters with the Senate Select Committee on Intelligence and the National Security Council.

In this OODAcast we discuss Andy’s most recent book, Countering Cyber Sabotage: Introducing Consequence-based Cyber-Informed Engineering. This book introduces INL’s new approach for defending against top-tier cyber adversaries.

Watch as we learn how a hockey player transformed into a cybersecurity champion and author of one of the most important books for engineering for critical infrastructure defense.

Spencer Ante is the author or "Creative Capital: Georges Doriot and the Birth of Venture Capital", which was on my Top 10 book list for 2022. In fact, I found Doriot's story so compelling that a portrait of him hangs on the wall at the Hack Factory start-up studio in Reston, VA.

Doriot is a compelling figure with an incredible story as told in Spencer's book.  He was a Harvard Business School professor, responsible for launching the modern American industrial management movement, served as a General in World War II where he solved critical supply chain and logistics issues while also inventing things like sunscreen, and then formed the first venture capital firm that operated with much success and launched the modern VC market.

In addition to discussing Doriot, we delve into lessons learned from his experiences and then a general discussion on innovative and disruptive technologies like AI, issues like privacy, and insights from Spencer's career in journalism, at Meta Foresight, and as a consultant. 

Official Bio:

Spencer Ante was recently Head of Insights within the Global Business Marketing group of Meta, where he led the editorial team for the thought leadership platform Meta Foresight. Previous to that he was Managing Director of FTI Consulting, heading up the content and creative team within the Digital and Insights practice of its Strategic Communications segment.

Mr. Ante is an editorial leader and communications marketing executive who specializes in driving integrated, omni-channel content programs and multi-disciplinary teams for top corporations that enhance corporation reputation and drive business results. He brings 15 years of newsroom management experience from leading media outlets to the field of communications and marketing, as well as deep expertise in video, digital, social, and mobile media. 

Prior to his consulting work, Mr. Ante was an award-winning journalist who most recently worked at The Wall Street Journal as a Senior Special Writer on its technology team, and as a Deputy Bureau Chief for the Journal’s largest bureau responsible for global business coverage. In 2012, he was part of a team of journalists nominated for the Pulitzer Prize in explanatory reporting for a series on privacy in the digital age. He is the author of Creative Capital: Georges Doriot and the Birth of Venture Capital.

Additional Links:

Creative Capital Book

Spencer on Twitter

Recommended Books:

Shoe Dog

Chip Wars

The Every

ob Zukis is a man on a mission to improve the ability of corporate America to succeed in a complex digital world, even when under constant cyber attack. Bob is the CEO and founder of the Digital Directors Network, the global pioneer in helping corporate directors advance their understanding of systemic risk. We consider Bob to be the world's leading advocate for improving cybersecurity governance. His many articles published in major business journals and impactful books on the topic make this case well.

Bob has worked with, studied, and been on corporate boards for years and now teaches corporate governance as an Adjunct Professor of Management at the USC Marshall School of Business. He is co-author of the book The Great Reboot. We examine the book and Bob's approach to helping corporate directors mitigate cyber risk in this OODAcast.

Topics covered include:

How the 1200 strong members of the Digital Directors Network collaborate together to seek to reduce systemic risk.

The creation of the Qualified Technical Expert (QTE) program and how the need for QTEs on boards is analogous to the need to have a Qualified Financial Expert (QFE) on boards when Sarbanes-Oxley drove that requirement.

The new SEC regulations on cybersecurity that will require corporate boards to designate cybersecurity experts.

How the new US Cybersecurity Strategy is helping create positive momentum in corporate America (Bob says "the White House has declared war on systemic risk with this strategy").

Actions directors can take to ensure corporate management is appropriately engaging to mitigate not just cyber attacks against the company, but broader systemic risks. Bob explains that "It's not just enough for board members to ask questions on cyber risk, as the questions are meaningless if corporate directors don't understand the answers." Very well put! Board members should continuously seek to improve their ability to understand. And then on top of that should ask the right questions. What is Bob's view of a powerful question boards should be asking? " What's the value of what we are trying to protect, and how safe is it for what we're spending?"

Bob provides information on an event that brings together the Digital Directors Network called Domino (16-17 May 2023 in Chicago). This is a gathering of 200 of DDN's corporate director, CIO and CISO members for a unique executive learning experience. This year's event will feature keynotes from experts like SEC Commissioner Jaime Lizarraga explaining the new cyber rules being rolled out by the SEC.

For more see:

The Great Reboot

The Digital Directors Network

Bob Zukis on LinkedIn

DDN Domino 16-17 May 2023

Adam Shostack is widely known in the cybersecurity world for his pioneering work on disclosing and discussing computer vulnerabilities (the CVE  (common vulnerabilities and exposures) list). He also helped formalize and train leading approaches to threat modeling and wrote the foundational book on the subject (Threat Modeling: Designing for Security).

In this OODAcast we seek lessons from Adam’s career and experiences (which range from startups to nearly a decade at Microsoft, as well as the Blackhat review board, as well as being an Affiliate Professor at University of Washington).  We then dive deep into Adam’s most recent book, Threats: What Every Engineer Should Learn from Star Wars

Just what does Star Wars have to do with security engineering? Turns out the movies are full of analogies that can really underscore the importance of good design and operational security.

The very beginning of A New Hope shows a space fight where the empire is seeking to recover data from a breach. The carrier of that breached data, R2-D2, makes it to the planet below. But somehow knows not to show a special recording to Luke, only to Obi-Wan. That is some high end identity management and authorization there.

From this lens Star Wars is not just a space western, it is a cyber espionage thriller. Adam uses the many analogies from Star Wars to make good engineering concepts more memorable and in doing so is doing us all a service.

For more see:

Adam Shostack on LinkedIn

Threats: What Every Engineer Should Learn from Star Wars

Threat Modeling: Designing for Security