Adversarial Content

— Browse our blog posts, articles, and episodes of The Adversarial Podcast
The Adversarial Podcast Ep. 11 - incoming Trump administration, Microsoft's leaked SaaS creds, and software liability policy

Introduction: * The episode opens with a discussion on securing devices for employees traveling to high-risk countries, like China, as a way to protect corporate data and maintain customer trust. * Hosts Jerry, Sounil, and Mario welcome listeners and discuss recent events, including the FS-ISAC Fall Summit in Atlanta and geopolitical implications of the recent election. Key Topics: 1. Geopolitical Risks: * The group explores China's espionage activities and Russia's geopolitical maneuv

The Adversarial Podcast Ep. 10 - the CISO job market, CRQ, beg bounties, cryptography...

The Adversarial Podcast Ep. 10 - the CISO job market, CRQ, beg bounties, and cryptography (00:00) Intro (5:15) The CISO job market: present and future (25:57) Handling beg bounties and VDP (41:30) Quantum cryptography – how important is cryptography, really? Stories: * “Chinese Researchers Reportedly Crack Encryption With Quantum Computer” - https://www.pcmag.com/news/chinese-researchers-reportedly-crack-encryption-with-quantum-computer Hosts: * Jerry Perullo: https://www.l

The Adversarial Podcast Ep. 9 - NIST password guidelines, CUPS vulnerabilities, breach vs. hack

The Adversarial Podcast Ep. 9 - NIST password guidelines, CUPS vulnerabilities, breach vs. hack Episode notes (00:00) Intro & NIST’s new password complexity requirements (13:19) CUPS vulnerability: critical or a distraction (31:26) Federal standards for cybersecurity in health care: should legal responsibility fall on individuals? (47:30) What constitutes a hack vs a breach? Stories: * “NIST Drops Password Complexity, Mandatory Reset Rules” - https://www.darkreading.com/identity-ac

The Adversarial Podcast Ep. 8 - Pagers and Supply Chain Attacks, GitHub stealers, “Founder Mode”

(00:00) Intro (02:24) Exploding pagers: are psychological attacks worse than breaches? (20:21) Are credit card breaches still a concern in 2024? (24:57) Infostealer delivered through GitHub Issues: how are trustworthy services being abused? (31:45) Founder mode: when is it time to switch from "founder mode" to "manager mode?" (44:02) Is open-source more secure than closed-source? The Adversarial Podcast Ep. 8 - Pagers and Supply | RSS.com Stories and books mentioned: * “Israel plant

The Adversarial Podcast Ep. 6 - SSN Leaks, Cloud Misconfigurations, and Passkeys

Episode notes Join former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu as they debate the impact of SSN leaks, discuss the effectiveness of recently implemented ransom payment bans in Miami, and recently reported AWS misconfigurations. Then, listen as they debate passkeys, vulnerability management, and board reporting. The Adversarial Podcast Ep. 6 - SSN Leaks, Cloud M | RSS.com 00:00 Intro 02:17 Social Security Number breach 14:48 Ransomware payment bans 21:47 AWS

The Adversarial Podcast Ep. 5 - Why Boards want more Joe Sullivans and Tim Browns and less CISOs - Jerry Perullo live at Evanta

Episode notes Speaking live at the Evanta CISO Summit in Atlanta in June 2024, host Jerry Perullo talks candidly about why CISOs are failing to land Board Director roles. The Adversarial Podcast Ep. 5 - Why Boards want mo | RSS.com

The Adversarial Podcast Ep. 4 - CrowdStrike Lawsuits, Overhyped Exploits, and Fake Remote Employees

Episode notes Join former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu as they discuss upcoming lawsuits related to the recent CrowdStrike outage, switching costs, overhyped security vulnerabilities and their effect on practitioners' responsibilities, fake employees from North Korea, the information stealers and the state of password managers, and the increasing threat of deepfakes. The Adversarial Podcast Ep. 4 - CrowdStrike Lawsui | RSS.com Stories * “CrowdStrike i

The Adversarial Podcast Ep. 3 - CrowdStrike, Wiz Acquisition Rumors, and SolarWinds

Episode notes In this episode, former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss the recent Crowdstrike outages, PR in the recent Wiz acquisition rumors, stakeholder value in Rapid7, and the SEC dropping charges in the SolarWinds case. Stories: - Activist Jana has a stake in Rapid7. There are two paths to bolster value at the cybersecurity company: https://www.cnbc.com/2024/06/29/two-paths-for-jana-to-bolster-shareholder-value-at-rapid7.html - Google Near $23

The Adversarial Podcast Pilot – Cybersecurity Investments, Secure Configurations vs. Code, and Risk Management

Episode notes Join former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu as they reflect on the state of cybersecurity investments in 2024, debate the importance of configuration vs. code security, and discuss the importance of governance in risk management. Stories: * ‘There’s A Lot Of Noise’ — VCs Trying To Find Clarity In Cluttered Cyber AI Landscape: https://news.crunchbase.com/cybersecurity/venture-funding-ai-wiz-ma-rsa/ * Wiz raises $1B at a $12B valuation to expan

The Adversarial Podcast Ep. 2 - Chrome Extension Vulns, Cyber Job Market, Mouse Jigglers, and the Ransomware Plague

Episode notes In this episode, former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss malicious Chrome extensions, the cybersecurity job market, mouse jigglers and security policy, and the impact of the recent ransomware wave. They share insights from their experiences, exploring the challenges of managing browser security policies, job burnout, and banning ransom payments. Stories: * Millions under threat from malicious browser extensions — what to do: https://www.t

The Adversarial Podcast Ep. 1 - Snowflake, Shared Fate, and the Gili Ra’anan Model

In this episode, former CISOs-turned-founders Jerry Perullo, Mario Duarte, and Sounil Yu discuss the recent wave of cyber-attacks using Snowflake and the model of shared fate. They debate the effectiveness of banning ransom payments and explore the complexities of cybersecurity regulation, using recent events involving UnitedHealth and Jerry's former employer as case studies. The conversation also touches on the ethical dilemmas CISOs face when interacting with venture capital, highlighting pers

Season 02 Episode 02 - The Interim CISO

Joined by fellow Interim CISO veterans Yael Nagler of Yass Partners and Aurobindo Sundaram of RELX, host Jerry Perullo reflects on his experience as the Interim CISO of Silicon Valley Bank and explores the challenges of the role from hiring manager and candidate perspectives. Yael Nagler: https://www.linkedin.com/in/yaelnagler/ Aurobindo Sundaram: https://www.linkedin.com/in/aurobindosundaram/ 00:16:30 Why hire an Interim CISO? 00:21:00 Is there such a thing as KTLO in the CISO role? 00:30:3

The Risk Acceptance Myth

The notion of "Risk Acceptance" has always challenged me. For the uninitiated, Risk Acceptance is a concept often discussed in cybersecurity leadership when it comes to accountability for cyber debt. The idea is that cybersecurity leaders and other professionals identify risks and recommend mitigating actions that would reduce that risk, but recognize that it is always up to business leadership to weigh the costs and benefits of change and make a final decision. Risk Acceptance has always come u

Cyber Governance: What is Fair to Expect from Board Directors and Management? 3 of 4

Episode 3: Incidents In Episode 1 of this series I talked about oversight of cybersecurity threats and how a Board can engage with senior management to determine the mission of the cybersecurity department and prioritize testing and analysis. Next I moved on to cyber risks in Episode 2 and the idea of a Remediation Agility chart to guide a wide-ranging Board room discussion with a single visual. The next area that deserves a permanent spot on the Board agenda is incidents. Incident awareness a

Overrated? On TPRM, SBOM, Solarwinds, and Supply Chain Security

We've all run to the same side of the boat on supply chain security when it comes to cyber. Rather than chasing the Sisyphean (and antithetical to modern product-development philosophy) task of ensuring our suppliers deliver perfectly secure software, we should be expected to architect and deploy our dependencies with the assumption they will be compromised at some point, minimizing the amount of impact that could have and ensuring we could detect such an issue timely. To expound on it, I'll sa

Encryption is Overrated

Years ago I found myself in one of those awkward elevator pairings where you are unexpectedly face to face with your CEO. It's a particularly awkward spot when you are a CISO, as beyond the usual desperation to sound brilliant that most execs feel in that spot, the CEO these days also feels pressure to demonstrate "tone at the top", "executive buy-in", and "stakeholder oversight" when given the chance. In that particular vignette I doubled down on the awkwardness, as his quick cordial cyber com

Season 02 Episode 01 - Board/CISO Interaction

Returning from 6 months as the interim CISO of Silicon Valley Bank, host Jerry Perullo speaks about Board/CISO interaction on the FS-ISAC Insights podcast. Full video interview at fsisac.com/insights 00:04:35 Being the Interim CISO of SVB through the crisis 00:06:36 The CISO “seat at the table” 00:14:00 Board TRIC 1: Threats 00:17:30 Board TRIC 2: Risks 00:19:30 Board TRIC 3: Incidents 00:21:20 Board TRIC 4: Compliance 00:26:00 CISOs as Board Directors Season 2 Episode 1 - Board/CISO I

Network Egress and Ingress Fundamentals

There is a lot of confusion about network ingress and egress. This isn't limited to junior staff; I've witnessed this many times among software engineers and technology leaders alike. Often only network and firewall engineers really comprehend the topic fully, though this should not be the case. A network connection must begin with an "initiator". This is usually thought of as a "client" in a traditional "client server" model. The client is defined not by their intention, purpose, or operating

Bad CISO Archetypes

As part of my advisory work, I often help companies find and/or interview security leaders. While I'm a huge fan of screening quizzes, I realized that I should go a step further and help firms understand what I'm trying to detect or avoid during the interview process. In the process of discussing this with some peers, the Bad CISO Archetypes list was born. Look out for these when you are hiring - but more importantly steer your career to avoid becoming one! Chicken Little You don’t want someo

Season 01 Episode 07 - Bug Bounties with guest Casey Ellis

Bugcrowd founder Casey Ellis joins #lifeafterCISO to talk about bug bounty programs in the wake of the Joe Sullivan Uber trial. Whether you've been running bounty programs for years or just learned of them last week, this conversation will take you from basics straight into the most interesting and controversial bits. 01:25 The Joe Sullivan Uber trial and its impact on bug bounties 10:30 Clearing Assurance Debt: The initial wave of bounties 15:40 Ostrich Risk Management 22:55 Vulnerability D

Cyber Governance: What is Fair to Expect from Board Directors and Management? 1 of 4

With mounting pressure around cyber literacy in the Boardroom, Directors are looking for specifics around what will be expected of them. Likewise, organizations are wondering what is fair for Directors to expect of management. Drawing on experiences from both sides of the table, following are reasonable expectations that leverage Director talents to establish effective cyber oversight. I'll do this using a mnemonic to guide program governance internally and externally - TRIC: Threats, Risks, In

Season 01 Episode 05 - Deciding When It's Time to Go with guest Jason Chan

An essential part of moving on from a long tech career is just figuring out when the time is right. Join host Jerry Perullo and retired Netflix CISO Jason Chan for a discussion about picking your time, "Identity Management" after retirement, and the Psychology of Happiness. Links to the material discussed by Jason Chan include: https://arthurbrooks.com/podcast_show/the-art-of-happiness-with-arthur-brooks/ https://www.coursera.org/learn/the-science-of-well-being Episode 05 - Deciding When I

Vulnerability management is dead. But GRC is hiring...

I used to have a TVM team. Threat & Vulnerability Management. The individuals in there had the word "Vulnerability" in their titles. It's how a lot of shops roll. TVM seemed to become a default piece of the "build a cyber shop playbook". And if you survey big CISO organizations today, you'll still find a lot of TVM departments. I'm not sure how this came to be, but I can't think any of us ever organically decided that we needed an individual - no less a team - specifically tasked with managing

How much AppSec is too much?

I've been using the term "West Coast CISO" a lot lately. While it feels like CISOs used to be either network/infrastructure CISOs or risk manager CISOs, now the split is having to make room for the CISO heavily focused on code security. The image is one of a CISO born in the cloud, focused on delivering (security) bug-free code, and thus focusing architecturally on CI/CD, change control, and automation, to oversimplify. This emphasis on code is contrasted with network controls and discussion of

Season 01 Episode 04 - The CISO Professor

Episode notes In this Episode host Jerry Perullo talking about cybersecurity in higher education. A Professor of the Practice in the Georgia Tech School of Cyber Security and Privacy, Perullo thinks aloud on the challenges that have prevented cyber from taking off at the undergraduate level before focusing on specific steps you might take to pursue this career path. 00:00:55 A Brief History of Cyber in Higher Ed 00:03:11 The Archetype Cyber Curriculum 00:08:03 Enter the CISO: t-5 00:13:25 W

Season 01 Episode 03 - Angel Investing and Advisory Work

In this episode we are talking about Angel Investing, Advisory Work, and how they are essentially the same thing when you get down to it. Hear some details about evaluating opportunities, structuring "deals", and avoiding mistakes along the way. 00:05:37 Don’t Screw Up - Riding VC Paper, the FAST Agreement, Option Vesting,... 00:21:26 Win - Playing to your Strengths 00:24:11 Diversify - Frequency and Volume to Avoid Black Swans 00:30:17 Conflicts & Disclosure Episode 03 - Angel Investing

Season 01 Episode 02 - The CISO Board Director

In this episode, host Jerry Perullo explores the opportunities and challenges for retiring tech executives and CISOs in the Board room. Hear about how Boards need business leaders first and specialists second, and what you can do today to groom yourself in that very direction. 01:57 Background 07:45 The Traditional Board Director 09:50 Episode BLUF 10:19 Landing a Seat 14:32 Your Board Profile 16:08 t-3: What You Should do Now 28:40 Recap Episode 02 - The CISO Board Director | RSS.com

Season 01 Episode 01 - The Portfolio Life

In this introductory episode, host Jerry Perullo talks about the range of opportunities available to tech executives after the day job. Perullo leverages his 20 years of experience as the founding CISO of ICE and the New York Stock Exchange to discuss what you can do 3-5 years before leaving your post to get prepared. 00:08:43 Advisory Work 00:13:20 Consulting 00:16:00 Angel Investing 00:25:05 Board Directorship 00:35:12 Entrepreneurship 00:37:06 Teaching 00:39:12 Volunteering Episode

The CISO's Guide to Early-Stage Investing

Below are some things I learned as a CISO making angel investments into cybersecurity startups. I’m not a professional investor or financial advisor, and I’m avoiding discussions on whether you should pursue private investing or how to pick winners. My focus in this article is on the types of investments, customs, and definitions a CISO focused on cybersecurity startups is likely to see around 2021+, and helping you understand the terms you will hear if you decide to get involved. Basics Delib