Archive for the ‘Blogs’ Category

Empathy, kindness, and behavior economics on We Hack Purple Podcast

Tanya Janca invited me onto her We Hack Purple Podcast to discuss vulnerabilities beyond code. Along the way, we cover behavior economics and the importance of empathy in cybersecurity design. “Kindness is the original security principle” makes an appearance, as we talk about how all this and more applies to building better products.

Our conversation was sponsored by the Diana Initiative, a conference committed to helping all those underrepresented in Information Security.


To listen to other podcast interviews, view the Podcasts page or the Podcasts category.

Cybersecurity Maturity Model Certification (CMMC): considerations for self-attesting

Suppliers who need to achieve Level 1, the most basic certification, may forgo seeking outside help and perform initial and annual assessments themselves.

Excerpt from: Navigating Cybersecurity Maturity Model Certification (CMMC) 2.0

“Suppliers with strong confidence in their audit and compliance teams, and suppliers with sufficient staffing, are ideally positioned should they decide to achieve Level 1 without external support,” added Wolfgang Goerlich, advisory chief information security officer, Cisco Secure, the portfolio of security products offered by San Francisco-based Cisco. “Such internal compliance initiatives can move quicker than bringing in a third-party when the people on the team have the relationships and understanding of how the practices are performed.”

The approach Goerlich describes may save money, but it won’t provide external validation and new perspectives.

“Achieving Level 1 with an internal project team answers the question, ‘What are we doing?’ but cannot answer the questions, ‘What are others doing, and what should we be doing?’” Goerlich said.

Read the full article: https://www.sme.org/technologies/articles/2023/february/navigating-cybersecurity-maturity-model-certification-cmmc-2.0/

This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

IT security then and now, on IT and the D podcast

Ten years ago, I was the first guest on IT in the D podcast. (I won’t go back and listen. It’s like looking at photos of yourself in high school.) I was there to promote the BSides Detroit conference. Now that I’m doing another conference this year, they invited me back to talk about what’s changed in ten years. Take a listen.

IT Security Then and Now, Securing Relationships with Wolfgang Goerlich, Cybersecurity Strategist. This week we met with Wolfgang Goerlich. Not only is he a well-respected CISO, he was our guest on Episode 1 (and episode 112). We had fun catching up, talking about security then vs. now, changes in philosophy, and mocked marketing jargon for commonly used tech. We ended by talking about Securing Sexuality, his conference and podcast, prompted by his wife, who is a relationship and sexuality therapist.

Tech trends for 2023

Identity and access management solutions continue a hot streak for their capacity to improve operations.

Excerpt from: Tech Trends: Governments Express High Interest in IAM

At the Virginia Department of Transportation, a ransomware hack targeting the state’s traffic management system made it clear that it was time to beef up VPN security. For the state of Illinois, the issue was siloed technology operations within agencies that made it difficult for employees and residents to access tools and services.

The challenge for the city and county of Denver was what the government’s chief data officer described as multifactor authentication “sprawl.”

While each organization had to deal with its own problems, their IT teams all came to the same conclusion: They had to do better with identity and access management.

“I’ve never seen so much interest in this topic,” says Wolfgang Goerlich, Cisco’s advisory CISO for Duo, an identity and access management platform that both Denver and VDOT now rely on for protection from cyberthreats. “The big picture is that zero trust has become a mandate at multiple levels, and agencies are turning to identity and access management as one of the quickest paths to success.”

Read the full article: https://statetechmagazine.com/article/2022/12/tech-trends-governments-express-high-interest-iam

The Application Security Podcast — Security beyond vulnerabilities

“Wolf joins us to talk about some security things that will stretch your mind, like security beyond vulnerabilities, how apps’ intended functionality can be misused, data privacy, and nudges and behavior science. Wolf challenged my thinking in this episode and pointed out a new area of threat modeling I had never considered. We hope you enjoy this conversation with… J. Wolfgang Goerlich.”


Have a listen here: https://www.youtube.com/watch?v=oZe0Sp9JU3s

The Imposter Syndrome Network Podcast

I’m on the Imposter Syndrome Network with Zoe Rose and Chris Grundemann this week. I’m emphasizing trust and relationships in the imposter syndrome conversation. “If they trust you, you can have a degree of freedom to interact, explore, to get it right. But if they don’t, it doesn’t matter how good you are. They are going to doubt you.”

I also cover my imposter syndrome coaching framework: good imposter syndrome, bad imposter syndrome, and systemic imposter syndrome. The good is where you’re feeling the pressure to up your game, where you’re in a room with many brilliant people. The bad is where you let imposter syndrome prevent you from taking opportunities and when it gets in the way of you going into that room. Finally, there are the systemic challenges, where the reason you feel like an imposter is because the culture, the people in the room, are actively making you feel like you don’t belong.

“It’s intrinsic, as leaders, to help people move towards good imposter syndrome and recognize and address systemic. If everyone on your team is being a jerk to a few coworkers, doesn’t matter how much you can tell them ‘be confident, you’re okay, you belong here.’ They’re not going to feel it, and it’s really on you as the manager to address that.”

This is my advice to leaders helping people through imposter syndrome. Understand which of the three — good, bad, or systemic — applies, and act accordingly. There is always a reason someone is feeling the way they do, and if it’s systemic, it’s on us to address it.

Imposter Syndrome Network

Have a listen here: https://www.buzzsprout.com/2016832/11567691

Applying Public Health Risk Management to the NIST Risk Management Framework (RMF) – Introduction

Everyone has a pandemic story. Here’s mine.

Before the lockdowns, before we were all wearing masks, before travel ground to a halt, I was in Switzerland. It was a good time: I had a presentation to give about securing DevOps, and after a couple of days at the event, I took my wife on a rail trip around Europe. We were celebrating the completion of her recent book manuscript, which she had submitted to her publisher on our way out of town. Our plan was to travel through mid-March.

Then we got the call. We were in Budapest. My employer telephoned to say that there was a travel ban going into effect at midnight, March 13th. With very little notice, we returned to our hotel, threw our clothes into suitcases, rushed to the train station, and took an overnight train to Prague. By the time we got to Prague, they had an idea of how to get us as far as Paris. So we took a flight to Paris. We landed in Paris and there was bedlam. Everyone was trying to get off the continent. Somehow? We were able to get the very last seat on the very last flight to the States. We made it home two hours before the travel ban.

After that, everything shut down. We did our part. We saw the risks and did our part to bend the curve. A month went by, then three months went by, then six months went by. And each time I was preparing for events, certain that things would reopen in a couple of months. Surely this was going to end. Surely this was going to wrap up.

And a weird thing happened to me. After watching the Covid numbers day in and day out, I found myself very habituated to the risk. After waiting for months, even though the numbers were frankly worse than they were in the beginning of the pandemic, I figured the risk must have subsided. Surely there was no longer a monster outside of our cave. It must have wandered away by now, right? There’s no way that we are still in danger. The caveman brain in all of us does curious things when it comes to risk management.

That sense, that nagging sense, that cognitive dissonance, that tension between logically knowing the risks but emotionally feeling everything must surely be fine, that led me to study how risk was being managed and communicated during the pandemic.

I’ve been the person providing numbers to the executive team from my security team. I’ve been the one to explain, “I know the numbers are the same and I know everything feels like it should be okay, but we really are in a bad spot.” But the pandemic gave me the experience of the other side: hearing the numbers and struggling to interpret the data to make informed decisions. There’s a great deal of overlap, I believe, in these two domains, cybersecurity and healthcare.

What can we learn from behavior science and from the psychology of our shared experience over two years? How can we take these lessons back to cybersecurity?

On the two-year anniversary of taking the last flight home from Paris, I’m going to look at risk management in a blog series. I’ll detail some of what we learned in the pandemic about how people process risk. I’m going to share here with you in the hopes that collectively, as information security and risk management practitioners, we can learn something about the nature of human psychology and thereby do a better job at protecting our organizations.

This is part one of a nine-part series. I welcome any and all feedback. Let’s learn together.

Identify improvements as security matures – Design Monday

In writing the book Rethinking Sitting, Peter Opsvik manages to do with chairs what we should do with cyber security: study the item in the wider context of how people interact.

Peter Opsvik’s critique is that furniture design isn’t “particularly concerned with the needs of the sitting human body.” Many rituals, he believed, are driven by a need to relieve people and compensate for poor seats, like kneeling to pray or standing to sing. Opsvik considered how the positioning of a chair, say in a kitchen or dining area, can make a person feel more or less connected, more or less important. He also spent considerable time thinking about how sitting changes as children grow into adults.

Design spans time frames: an experience lasting an hour, a stage in life lasting years, a lifetime. It spans contexts: personal, communal, societal.

We struggle with this in cyber security. Take, for example, the break glass account. Right then. We set up an account with administrative-level access, write the password on an envelope, and stuff the envelope in a vault. But what happens when most administrators are working remotely? Fair point. Let’s move the password from a physical vault to a password vault, and share the vault with our backup person. But what happens when the vault goes down? How about when the person resigns and leaves for another company? How do we handle the longer lifecycle of this seemingly simple control?

Peter Opsvik’s answer to the lifecycle question is the Tripp Trapp chair. The chair is well-made, long-lasting, and stable. Simply change the seat and footrest, and the chair accommodates the user from infancy to adult. Five sets of adjustments as they mature.

The chair reminds me of the five-stage maturity models. Security capabilities move from initial, repeatable, defined, capable, and finally, to optimized. To design a Tripp Trapp security control, think through how to reconfigure the control to support the evolving capability. Ideally, simplify these adjustments down to a small number of items.

What’s the seat and footrest in our break glass example? I suggest the credential storage and credential access. That is, how we set it up, and how the person handling the emergency breaks the glass.

Tripp-Trapp-Tresko is Norwegian for Tic-Tac-Toe. In the kids’ game, like chairs and like security, you succeed by thinking ahead. “The best sitting position,” Opsvik once said, “is always the next position.” Start with minimum viable security. Plan for future stages early, and identify the adjustments we can make. Good security controls support an evolving capability maturity.


The Tripp Trapp Chair from Stokke.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Adoption of hardware-based security keys

Google last week revealed that it was coordinating efforts with global partners to hand out free USB security keys to 10,000 elected officials, political campaign workers, human rights activists and journalists, and other users considered to be at high risk of getting hacked.

Excerpt from: Tech giants encouraging adoption of hardware-based auth keys

“Whenever a major organization makes a major announcement bolstering their security controls, it sparks conversation and movement in the broader industry,” agreed Wolfgang Goerlich, advisory CISO at Cisco Secure. “Google’s announcement that it is enrolling 10,000 people in authenticating with strong security keys will make it easier to explain a similar need in other organizations.”

And this isn’t the first such corporate endorsement of hardware-based authentication. Among the companies using FIDO’s standards for Universal 2nd Factor (U2F) authentication keys is Yubico, which like Google has been working with DDC to provide its hardware-based authentication keys to campaigns from both major parties.

Read the full article: https://www.scmagazine.com/analysis/physical-security/tech-giants-encouraging-adoption-of-hardware-based-auth-keys

Remote Work Drives Continued 2FA Adoption

Seventy-nine percent of people used two-factor authentication at least once in 2021, with 72% regularly using the technology, as remote work, social media, and online retail spur demand.

Excerpt from: Security Fears & Remote Work Drive Continued 2FA Adoption

SMS texts continued to be the most-used type of two-factor authentication, with 85% of people using that 2FA technology. Verification emails are the second most common type at 74%, while passcodes issued by mobile authentication apps came in third with 44%.

Companies need to educate consumers more on the pitfalls of SMS text messages as a second factor, Goerlich says. More than half of people surveyed would choose SMS as the second factor for a new account, while less than 10% would choose a mobile passcode application and 7% would use a push notification. SMS tied with security keys, such as YubiKey and other technology, for highest perceived security and topped the list for usability.

“There is a clear mismatch between what the survey respondents are using in terms of security and what researchers have found and identified in terms of security,” he says. “It makes sense that SMS is rated high in usability, and there is a really strong familiarity with the factor, but a lot of issues have been identified by researchers.”

Attempts to educate people on security problems with SMS should be careful, however, not to dissuade them from using two-factor authentication at all, Goerlich stressed.

Read the full article: https://www.darkreading.com/authentication/security-fears-remote-work-drive-continued-2fa-adoption
