Securing Sexuality Podcast Episode 15: Balls, Shaft, and Flippers

November 20, 2022

From it’s origins as outlaw entertainment to its modern iteration as a somewhat old fashioned family-friendly activity, join Stef and Wolf at the Seattle Pinball Museum as they discuss what lessons we can learn about life, love, and lust from a decades old game.

To see listen to other podcast interviews, click to view the Podcasts page or the Podcasts category.

The Imposter Syndrome Network Podcast

November 15, 2022

I’m on the Imposter Syndrome Network with Zoe Rose and Chris Grundemann this week. I’m emphasizing trust and relationships in the imposter syndrome conversation. “If they trust you, you can have a degree of freedom to interact, explore, to get it right. But if they don’t, it doesn’t matter how good you are. They are going to doubt you.”

I also cover my imposter syndrome coaching framework: good imposter syndrome, bad imposter syndrome, and systemic imposter syndrome. The good is where you’re feeling the pressure to up your game, where you’re in a room with many brilliant people. The bad is where you let imposter syndrome prevent you from taking opportunities and when it gets in the way of you going into that room. Finally, there is the systemic challenges where the reason you feel like an imposter is because the culture, the people in the room, are actively making you feel like you don’t belong.

“It’s intrinsic, as leaders, to help people move towards good imposter syndrome and recognize and address systemic. If everyone on your team is being a jerk to a few coworkers, doesn’t matter how much you can tell them ‘be confident, you’re okay, you belong here.’ They’re not going to feel it, and it’s really on you as the manager to address that.”

This is my advice to leaders helping people through imposter syndrome. Understand which of the three — good, bad, systemic — and act accordingly. There is always a reason someone is feeling the way they do, and if it’s systemic, it’s on us to address it.

Imposter Syndrome Network

Have a listen here:

To see listen to other podcast interviews, click to view the Podcasts page or the Podcasts category.

Cisco Rolls Out Duo Passwordless Authentication, Sees WebAuthn Usage Surge

November 2, 2022

Excerpt from: Cisco Rolls Out Duo Passwordless Authentication, Sees WebAuthn Usage Surge

Cisco plans to roll out its Duo Passwordless Authentication globally next Wednesday. This push is in line with the findings from Duo Security’s recent report which showed that passwordless adoption continues to climb.

“We’re starting to reach a tipping point where the hardware is ubiquitous, the standards are in place, and enough services support the standards, and that’s really driving that increase that we see in web authentications. So now … organizations can adopt them with confidence,” Goerlich said.

Read the full article:

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

IDentity Now Podcast

August 31, 2022

I was a guest recently on the IDentity Now podcast, channeling Burning Chrome: When tech hits the streets.

“J Wolfgang Goerlich, Advisory CISO for Cisco joins us to discuss real-world security and how it translates into the field. Wolf uncovers the challenges he’s faced throughout his career, implementing security by design, looking at both the usability and defensibility use cases and how the cyber-physical threat environment has evolved. Finally, his advice to CISOs’s to improve their overall security posture.”

“When technology hits the streets, it doesn’t always get used the way that security people predict it will be.”

Have a listen here:

To see listen to other podcast interviews, click to view the Podcasts page or the Podcasts category.

Things Wolfgang Goerlich Says – Design Monday

May 16, 2022

Alright, alright. This feels a bit strange. But I’m collecting my folksy sayings on cybersecurity leadership and design in one place. I’ll update this over time.

Good Security

  • Good security is usable security.
  • Good security gets out of the way of users while getting in the way of adversaries.
    • Good security frustrates attackers not users.
  • Good security first delivers a business outcome and then, as a result, increases security.
  • Good security supports changing maturity.
  • Good security projects leave people hungry to play again

Cloud Security

  • Ownership is not a security control.
  • Security is not what we control, it is what they do.

Defense and Offense

  • When work looks like work, work gets done.
  • Risk isn’t the language of the business. Story is.
  • Security happens where mankind meets machine.
  • The more constraints placed on users, the more creative they become.
  • All a better mousetrap does is breed better mice.

Media Mentions

Always remember friends: The Cyber War will not be won with platitudes.

— Wolf

Securing Bridges with Alyssa Miller

March 31, 2022

Alyssa Miller invited me to join her on the Securing Bridges podcast. We talked about board conversations, building roadmaps, the power of storytelling, and the use of metrics. Somehow, security geese and free phish, wizards and alchemy, cottage core and goblin mode also came up. Somehow. But hey? What else would you expect when I’m on a coffee-fueled rant?

To see listen to other podcast interviews, click to view the Podcasts page or the Podcasts category.

On men named Wolf

March 25, 2022

A bit of fun…

MEL interviewed Men named Wolf on the Kardashians dragging their good name through the mud. After Kylie Jenner and Travis Scott announced they were changing their baby’s name to something more fitting than ‘Wolf,’ other Wolfs — Wolves? — started howling.


Goerlich: I think you need to grow into being “Wolf.” You’ve got to be a little bit scruffy, a little bit older, a little bit worn around the edges. Maybe there’s a chunk taken out of your ear — you’ve got to look like a fighter. You’re not going to look like that when you’re young, so I can see why they said, “He doesn’t look like a ‘Wolf’ yet.” But give the kid time. He’ll get there.

Read the full article:

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Applying Public Health Risk Management to the NIST Risk Management Framework (RMF) – Introduction

March 13, 2022

Everyone has a pandemic story. Here’s mine.

Before the lockdowns, before we were all wearing masks, before travel ground to a halt, I was in Switzerland. It was a good time: I had a presentation to give about securing DevOps, and after a couple of days at the event, I took my wife on a rail trip around Europe. We were celebrating the completion of her recent book manuscript, which she had submitted to her publisher on our way out of town. Our plan was to travel through mid-March.

Then we got the call. We were in Budapest. My employer telephoned to say that there was a travel ban going into effect on midnight, March 13th. With very little notice, we returned to our hotel, threw our clothes into suitcases, rushed to the train station, and we took an overnight train to Prague. By the time we got to Prague, they had an idea of how to get us as far as Paris. So we took a flight to Paris. We landed in Paris and there was bedlam. Everyone was trying to get off the continent. Somehow? We were able to get the very last seat on the very last flight to the States. We made it home two hours before the travel ban.

After that, everything shut down. We did our part. We saw the risks and did our part to bend the curve. A month went by, then three months went by, then six months went by. And each time I was preparing for events, certain that things would reopen in a couple of months. Surely this was going to end. Surely this was going to wrap up.

And a weird thing happened to me. After watching the Covid numbers day in and day out, I found myself very habituated to the risk. After waiting for months, even though the numbers were frankly worse than they were in the beginning of the pandemic, I figured the risk must have subsided. Surely there was no longer a monster outside of our cave. It must have wandered away by now, right? There’s no way that we are still in danger. The caveman brain in all of us does curious things when it comes to risk management.

That sense, that nagging sense, that cognitive dissonance, that tension between logically knowing the risks but emotionally feeling everything must surely be fine, that led me to study how risk was being managed and communicated during the pandemic.

I’ve been the person providing numbers to the executive team from my security team. I’ve been the one to explain, “I know the numbers are the same and I know everything feels like it should be okay, but we really are in a bad spot.” But the pandemic gave me the experience of the other side: hearing the numbers and struggling to interpret the data to make informed decisions. There’s a great deal of overlap, I believe, in these two domains, cybersecurity and healthcare.

What can we learn from behavior science and from the psychology of our shared experience over two years? How can we take these lessons back to cybersecurity?

On the two-year anniversary of taking the last flight home from Paris, I’m going to look at risk management in a blog series. I’ll detail some of what we learned in the pandemic about how people process risk. I’m going to share here with you in the hopes that collectively, as information security and risk management practitioners, we can learn something about the nature of human psychology and thereby do a better job at protecting our organizations.

This is part one of a nine-part series. I welcome any and all feedback. Let’s learn together.

In Scope podcast: The Department of No

February 1, 2022

I was a guest recently on the In Scope podcast: Security doesn’t have to be the department of no.

“In this episode, Mike welcomes Wolfgang Goerlich aka “Wolf” Advisory CISO at Cisco. Join us they discuss the tendency within security to disregard the human element leading to a lack of adhering to security protocols and working around those protocols. When this happens, we see a correlation to a human need not being met. If that is understood and considered, the result is the development of much better security products all around.”

In Scope Podcast: J Wolfgang Goerlich

Have a listen here:

To see listen to other podcast interviews, click to view the Podcasts page or the Podcasts category.

Steps to take when there’s an active adversary

January 28, 2022

CISOs know they must respond quickly and effectively to an incident, yet surveys point to continuing challenges to deliver on that goal. These steps will help you respond quickly, without letting a crisis turn into chaos.

Excerpt from: 12 steps to take when there’s an active adversary on your network

3. Bring in the business

CISOs should be looping in business during the triage process, security leaders say, a point that’s often overlooked during active responses. As part of this, security teams need to immediately identify what impacted components are critical for conducting business, who owns those components and who controls them.

As J. Wolfgang Goerlich, advisory CISO with Cisco Secure, says: “This is a business problem. But in a security breach, a very technical person will be thinking, ‘I have to remediate.’ However, one of the things that CISOs need to remember is that a breach is a business problem not a technical problem. So there should be a secondary process that’s running business continuity and disaster recovery so that the business can keep doing what it needs to be doing.”

12. Stay calm; tend to staff needs

Goerlich says he has seen teams “run themselves into the ground” by working long hours without breaks and even a day or more without sleep. Although that grueling schedule shows a level of dedication, it’s likely to lead to mistakes.

“People get into their zones and work well beyond the times that they should,” Goerlich says, noting that CISOs should plan for clear lines of communications, caps for work hours, staggered schedules, and post-event time off. He adds: “As much as possible, organizations should think out in advance how to handle the human elements.”

Read the full article:

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.