Tag Archives: podcast

[Podcast] The Security of Legacy Systems

Leave a review for our podcast & we'll send you a pack of infosec cards.
It’s our first show of 2018, and we kicked off with predictions that could drive headline news this year. Thinking through them helps us figure out ways to prepare for and prevent future cyberattacks.

What’s notable is that IBM has set up a cybersecurity lab where organizations can experience what it’s like to go through a cyberattack without any risk to their existing production systems. This is extremely helpful for companies with legacy systems that find it difficult to upgrade for one reason or another. But we can all agree that what’s truly difficult are the flaws you can’t fix with a patch alone, such as the Spectre and Meltdown CPU vulnerabilities.

Other articles discussed: Hotmail changed Microsoft and email

Panelists: Kris Keyser, Kilian Englert

[Podcast] Who is in Control? The Data or Humans?

Self-quantified trackers made possible what was once nearly unthinkable: individuals gathering data on their own activity levels in order to manage and improve their performance. Some have remarked that self-quantified devices can border on over-management. Until more research tells us the right dose of self-management, we’ll have to define for ourselves what the right amount of self-quantifying is.

Meanwhile, businesses seem to be struggling with a similar dilemma: measuring the right amount of risk and harm as it relates to security and privacy.

Acting FTC Chairman Maureen Ohlhausen said at a recent privacy and security workshop, “In making policy determinations, injury matters. … If we want to manage privacy and data security injuries, we need to be able to measure them.”

A clearly defined measurement of risk and harm will become ever more important as the business world embraces deep learning and, eventually, artificial intelligence.

Panelists: Kilian Englert, Mike Thompson, Kris Keyser

[Podcast] Security and Privacy Concerns with Chatbots, Trackers, and more

The end of the year is approaching, and security pros are making their predictions for 2018 and beyond. So are we! This week, our security practitioners predicted items that will become obsolete because of IoT devices. Some of their guesses: remote controls, service workers, and personal cars.

Meanwhile, as the business world phases out old technologies, some organizations are embracing new ones. For instance, many organizations today use chatbots. Yes, they help improve customer service. But some worry that when financial institutions adopt chatbots to facilitate payments, cyber criminals will see an opportunity to impersonate users and take over their accounts.

And what about the trackers found in apps bundled with DNA testing kits? From a developer’s perspective, trackers help improve an app’s usability, but does that mean we’ll be sacrificing security and privacy?

Other articles discussed:

  • Australian government considers allowing firms to buy facial recognition data
  • Replay scripts that track the cursor

Tool of the Week: Sword

Panelists: Kilian Englert, Kris Keyser, Mike Buckbee

[Podcast] The Challenges and Promise of Digital Drugs

Recently the Food and Drug Administration approved the first digital pill. This means that medicine embedded with a sensor can tell health care providers (doctors, and individuals the patient approves) whether the patient takes their medication. The promise is huge. It could ensure a better health outcome for the patient and give caretakers more time with the ones they love. What’s more, by learning more about how a drug interacts with the human body, researchers might find ways to prevent illnesses that were once believed impossible to cure. However, some security pros in the industry believe that the potential for abuse might overshadow that promise.

Tool of the week: Quad9

Panelists: Mike Thompson, Kilian Englert, Mike Buckbee

[Podcast] Privacy Attorney Tiffany Li and AI Memory, Part II

This article is part of the series "[Podcast] Privacy Attorney Tiffany Li and AI Memory".

Tiffany C. Li is an attorney and Resident Fellow at Yale Law School’s Information Society Project. She frequently writes and speaks on the privacy implications of artificial intelligence, virtual reality, and other technologies. Our discussion is based on her recent paper on the difficulties of getting AI to forget.

In this second part, we continue our discussion of GDPR and privacy, and examine ways to bridge the gap between tech and law. We then explore some cutting edge areas of intellectual property. Can AI algorithms own their creative efforts? Listen and learn.

[Podcast] Privacy Attorney Tiffany Li and AI Memory, Part I

This article is part of the series "[Podcast] Privacy Attorney Tiffany Li and AI Memory".

Tiffany Li is an attorney and Resident Fellow at Yale Law School’s Information Society Project. She frequently writes about the privacy implications of artificial intelligence, virtual reality, and other disruptive technologies. We first learned about Tiffany after reading a paper by her and two colleagues on GDPR and the “right to be forgotten”. It’s an excellent introduction to the legal complexities of erasing memory from a machine intelligence.

In this first part of our discussion, we talk about GDPR’s “right to be forgotten” rule and its origins in a lawsuit brought against Google. Tiffany then explains how deleting personal data is more than just removing it from a folder or directory.

We learn that GDPR regulators haven’t yet addressed how to get AI algorithms to dynamically change their rules when the underlying data is erased. It’s a major hole in this new law’s requirements!

[Podcast] Bring Back Dedicated and Local Security Teams

Last week, I came across a tweet that asked how a normal user is supposed to make an informed decision when a security alert shows up on his screen. Great question!

I found a possible answer to that question in New York Times director of information security Runa Sandvik’s recent keynote at the O’Reilly Security Conference.

She told the attendees that many moons ago, Yahoo had three types of infosecurity departments: core, dedicated and local.

Core was the primary infosec department. The dedicated group were subject matter experts on security, still in the infosec department, who worked with other teams to help them carry out their activities securely. The security pros in the local group were not officially part of the infosec department; they were the security experts embedded on another team.

Who knew that once upon a time dedicated and local security teams existed?! It would make natural sense for them to be the ones assisting end users with security questions, so why don’t we bring them back? The short answer: it’s not so simple.

Panelists: Kilian Englert, Forrest Temple, Matt Radolec

[Podcast] Rita Gurevich, CEO of SPHERE Technology Solutions

Long before cybersecurity and data breaches became mainstream, SPHERE Technology Solutions founder and CEO Rita Gurevich built a thriving business on the premise of helping organizations secure their most sensitive data from within, instead of securing the perimeter against outside attackers.

And because of her multi-faceted experiences interacting with the C-Suite, technology vendors, and others in the business community, we thought listening to her singular perspective would be well worth our time.

What stood out in our podcast interview? While others worry about limited security budgets, Gurevich envisions more hands on deck in the field of information security. The reason: there are more and varied threats, an oversaturated vendor marketplace, and a cybersecurity workforce shortage.

“What I see happening is that there’s going to be subject matter CISOs across the company; where there will be many people with that title that become experts in very specific domains.”

Also, although cybersecurity concerns are no longer as industry specific as they once were, Gurevich recognizes that certain industries are more at risk than others.

She approaches all industries, with their varying degrees of risk and threats, compliance requirements, and disparate systems, in a strategic way: by giving organizations visibility into their data and systems, what they need to protect, and how they need to protect it.

Transcript

Cindy Ng: Long before data breaches became mainstream, Rita Gurevich, CEO of SPHERE Technology Solutions, built a thriving business on the premise of assisting organizations in securing their most sensitive data from within. And because of her multifaceted experiences interacting with the C-Suite, technology vendors and others in the business community, we thought listening to her singular perspective would be well worth our time.

Rita, you founded SPHERE in the wake of the 2008 financial crisis when you were just 25 years old. Can you tell us about the process behind how you started your business and what kind of services you provide?

Rita Gurevich: Absolutely, I started the company, essentially, on the collapse of Lehman Brothers. And after the bankruptcy, there were many different firms that bought different areas of Lehman. And I was put on a team to help figure out how to split apart all the different data and assets they owned.

So if you can imagine, up until that point, Lehman was super centralized. It was operating as one company, with lots of shared services.

And overnight, we essentially had to figure out who gets what.

So Barclays Capital bought a part of the business. Nomura bought a part of the business. Neuberger bought a part of the business. All these different financial services firms that bought different business units from Lehman Brothers.

And what we had to do, was essentially a crash course on deep data analytics. We had to learn how to get a really quick understanding of who uses what, map that to different business entities, to figure out where it needs to go.

So that required a lot of tools, a lot of metrics. We built all these algorithms. And we had to do it almost overnight.

And soon after, a slightly traumatic time in the history of our country, I had a bit of an ‘aha’ moment when I decided to do some independent consulting.

I quickly built a business, and now we focus on cyber security. We have a niche around data governance, identity and access management, as well as privileged access management. And a lot of the experience that I gained at Lehman was very relevant for what I do now, because you essentially had to figure out how do I capture the information that’s necessary from my environment to create metrics and analytics that are relevant to making sure my information is secure, understanding who owns what, and even potentially preparing myself for some M&A activities.

Cindy Ng: And so, can you describe your work at Lehman Brothers and how you made the connection that it was important to start your business?

Rita Gurevich: Sure. So, during that time, during the bankruptcy, it was really all about data analytics. It was really about looking at all the different data, all the different assets that Lehman owned and figuring out, “Okay, who gets what?” So, if Barclays bought investment banking, how do you know what data belongs to investment banking? If Neuberger Berman bought investment management, the investment management business, how do you figure out what data belongs to investment management? So, it was all around going really deep into the data, and using the right tools to capture all the metadata, all the activity, so you can gain an understanding of who’s using it, who owns it, and where does it need to go?

So, at that time, not a lot of companies were doing that, and there wasn’t really a lot of need to do that at the time. But around 2008-2009, there was just so much movement within financial services. And there was so much happening in terms of companies going bankrupt, being acquired by other companies, all these different businesses kind of spinning up, and changing, and moving hands that this concept became a lot more relevant. So, when I started the company, it really was around selling myself and my experience that I learned, which was very unique at the time. But over the course of not a very long amount of time, probably two years or so, the focus definitely shifted.

So, initially I was talking to infrastructure people, I was talking to operations people, and I was talking about data analytics. And while it was definitely a nice-to-have, and people cared about it, budgets were really tight. We’re still knee-deep in one of the worst recessions in our country. So where are the budgets, where are people focusing, where are, you know, the executives and the board members, you know, allocating resources? And that was for information security. So around 2009-2010, I think the concept of data breaches became a lot more relevant. It became more, kind of, a commonly used word. Companies were starting to actually hire chief information security officers. They were starting to look at data analytics from a security perspective. They wanted to get a better handle to prevent data getting into the wrong hands, and that’s when I shifted the focus from data analytics to data security. And I think that was monumental for me, because really that’s the premise of what my company does today around the data governance program that we implement.

So I think that my experience at Lehman was definitely a blessing in disguise, but I think that probably anybody that was focusing on data analytics, even tangentially, started to think about data security as well.

Cindy Ng: You were 25 when you first started your business. A lot of your college cohorts were still on their first, second, or third job. Was that relevant, or did you just look at the opportunity and run with it?

Rita Gurevich: I think that my age was probably one of my biggest challenges when it came to starting my business and definitely in the earlier years. And you can only imagine, you know, a 25-year-old walking into a managing director’s office, and essentially telling them that they can do a better job than his team can do. That’s a really difficult thing to say, and you gotta prove it. So, once you actually start working for them, you better do a good job, which luckily I did and my team did. But as I compare to my other college cohorts, I actually think that because I went to Stevens Institute of Technology in Hoboken, New Jersey. My business is in Jersey City. My customers are international, but quite a few of them have headquarters in this kind of tri-state area. A lot of my college peers went on to work at all these different companies that could be potential customers at Sphere. So, I think actually it created an opportunity for me because it opened the door to have the right conversations with people in technology to explain, you know, what I’m working on, and what I’m doing.

And, you know, part of having a successful business is not just a good idea, but it’s having people that you can actually sell to, having a relevant problem that’s gonna help people in their professional careers and their professional lives. So I think that my relationship from school and being not so far off from graduating college helped more than hurt. But also from the Lehman bankruptcy, like I mentioned earlier, it was a time where there was a lot of movement, and a lot of people went to all sorts of different firms on the street. And it was different than how it used to be in the past, where people stayed at the same company for a really long time. That movement essentially for me, created an overnight network, where I was able to kind of leverage people that I knew and had worked with for a handful of years across all sorts of different companies within the demographic that I was targeting. So, yeah, I think that the age was definitely sometimes a challenge, but I actually found ways to have it be a benefit as well.

Cindy Ng: But in terms of age, it’s almost non-relevant as long as you have a value proposition, and people are interested.

Rita Gurevich: That’s a really, really good point. So, there’s kind of two aspects to it, right? So, if you have something interesting to say, that’s great, but the way you communicate that message is almost more important, and there has to be a confidence in the way that you present the problem that you’re solving and your solution that’s going to set you apart from others that are knocking on the same people’s doors, maybe for different areas, but are competing for the attention of the people that you’re trying to get in front of. So, I call that, you know, learned confidence. I can’t honestly say that at 25 I felt like I knew everything. I knew I didn’t, but you have to be able to present yourself in a way where the person on the other side of the table knew that, even if you don’t know the answer, you will figure it out, and the other part of that is perseverance. You have to make sure that you continuously have your goals in mind and push forward.

You know, I mentioned that my company focuses on security, and while that’s still relevant and even in 2008, 2009, 2010, it was also very relevant. You can imagine that the people that are in charge of security at these companies have lots of vendors, and lots of partners, and lots of even internal people, knocking on their door vying for their time. So you have to just make sure that your message comes across strong and that, again, there’s a confidence in your approach, and you will deliver when push comes to shove.

Cindy Ng: And when you talk about your learned confidence, when a meeting didn’t go as planned, or a presentation didn’t go as planned, what was your self-talk like?

Rita Gurevich: That’s a great question. So I’ve learned that you have to listen more than you speak. You’re going to learn a lot through osmosis, just by being in a room where the conversation is happening. You’re just going to learn and get better. Sometimes, it’s just echoing a common opinion or a common sentiment that the other person has on the other side of the table, and reaffirming them that you’ve also experienced the same problem that they’re sharing. Or you’ve seen it somewhere else. Or you’ve solved that problem with a peer of theirs. So I think that learned confidence isn’t necessarily about having memorized a specific compliance requirement or a specific way of doing some task. It’s more about doing a thing more logically. And if you don’t know, it’s okay not to know. Just make sure your follow up and follow through is there. No one expects experts. Data security and cybersecurity as a whole is a very new area. Everyone is learning as we go. It’s all common knowledge. But it’s can you think of solutions in a creative way and that you’re solving the problems that people are having. And sometimes, it’s not reinventing the wheel. Sometimes it’s solving an existing problem in a smarter and more scalable, and a more efficient way. I’ve learned that by failing sometimes. You don’t have to come up with an idea that no one thought of. You just have to come up with a more practical way of doing things sometimes. And the other bit of advice and something that I really believe in is becoming kind of a master of some things. So, instead of the “jack-of-all-trades”, focusing in on something and becoming really good at it, and, you know, that’s what I did. So I call Sphere a cybersecurity company, but we’re actually pretty niche. We focus on internal threats, and we specifically focus on putting controls on your data, your systems, and your assets. So, it’s a very kind of narrow piece of the pie when you look at cybersecurity as a whole, but that allows my team, and that allows me to train new personnel really, really effectively because you can hone in on very specific topics. You can give real world examples of very specific things, and people can really start to grasp, you know, the complicated challenges that we’re solving, but also think of them in a more simplistic, logical way.

You know, all these technology challenges from data breaches and around, you know, hackers and all that, it feels very complicated. It really does, but when you break it apart and remove the technical jargon, the problems and the reasons these things are happening are not overly technically challenging problems. A lot of them are profits driven, they’re people driven. They’re not necessarily about, you know, the right configuration of a tool within, you know, this specific domain. It’s a much more kind of systematic issue. So, I think when you start to gain an understanding of this base, you start to figure that out pretty quickly.

Cindy Ng: On top of starting your business at a really young age, there aren’t a whole lot of females in the industry, and we talk a lot about women in tech, but, you know, I wonder how can men join the conversation, because they coexist with us on this planet, and I wanted to hear your perspective in how we can enlist men as allies in our industry?

Rita Gurevich: I definitely get asked a lot about this topic, because, you’re right, there’s not a lot of women in tech, and to be honest there’s not a lot of women CEOs either, so you kind of merge women, tech, CEO. I guess, I’m a little bit of an anomaly, but I’m hoping that’s not for very long. I think honestly we need to stop caring that the person that’s joining the conversation is a woman, and we know that there’s going to be equality, and we’re not forcing that distinction. And I think more and more women are getting involved in technology early on. And technology is part of nearly every child’s life right now independent of gender, and I think that naturally, maybe in the next 10 to 20 years, it’s gonna cause dramatic shifts in ratios in the tech workplace.

And I really think that tech is going to be early adopters of inclusiveness of women and inclusiveness across the board. Technology is very interesting because it’s analytical thinking, it’s problem solving, researching. Definitely mixed in sometimes with creativity and out of the box thinking. Maybe I’m partial, but I think these are natural traits of women, and in the end if you work for a big company, managers want successful teams, and their managers want successful orgs, and women will rise through the ranks as there’s just going to be more of them in the running.

Unfortunately, I think that other industries are not as fortunate. And I bring up two specific women whenever I talk about this topic.

One, I met at a panel I was on, “Women In Engineering,” and she’s a civil engineer at a big company, and she works a lot with construction companies. And once she’s on a job site, she’s like they assume that she’s a secretary, and even when she explains herself they just don’t listen to her, and they won’t take direction from her. And she’s expressed how difficult it is for her to advance and these are challenges that have nothing to do with brains, with smarts, with experience. It’s really a people problem, and I don’t envy that. You know, I struggle with even thinking about how do you adjust that mentality.

Another example is a woman that I met as part of the EY Entrepreneur Of The Year Program, which I was on as to be recognized as well there. But she owns a liquor company and half of her job is in a warehouse, and the employees are chain-smoking, they’re, you know, a bunch of old men, no offense to old men, but they kind of act like they’ve never seen a woman with any level of authority before. And it’s sad, and, you know, I’m very fortunate that I work in an industry where technology is definitely going to be on the forefront of diversity and inclusiveness, but you look at some of these other industries, and you hope that they’ll follow suit. You know, hopefully sooner rather than later as more women in general are joining the workforce and taking on careers that aren’t traditionally careers that women participate in.

Cindy Ng: So, let’s go back to the technology, and you work with many different sectors, retail, energy, hospitals, financial. Can you speak to the different industries and what their concerns are regarding security?

Rita Gurevich: I think this is the first time ever that concerns are not as industry specific as they used to be. And I think that’s also due to just the times that we live in. I mean, everybody now cares about cyber security, people are starting to understand how this affects them personally, how it affects them professionally. You know, a year ago, nobody in my family understood what I did for a living, and now, even my grandmother gets it. You know, anytime that there’s like a breach in the news or on the front page of the paper, she’ll call me, and she’ll say, “Too bad they didn’t have Sphere”. It’s pretty cute, but I think that just shows that the concept of data breaches and cyber security is part of everybody’s lives. The expectation is that everybody’s going to be involved, and anybody is up for grabs to be affected. And I think the Equifax breach is just a prime example. I mean, it was on every news channel, we all know that half the country was affected by this. You think about how many people had to, you know, read their credit or react to that event. It’s becoming just common sense that every company, every industry needs to focus on this.

So, sometimes I think that the challenges experienced within the individual industries are scarier than others. So, we all know about financial firms. They’ve been the targets and on the front page of papers for a long time. But if we look at hospitals for example, that can be really scary. So, I’ll give you another anecdote, I love these examples. I use a lot of them, but this one specifically that comes to mind was a panel at an event that we sponsored, and we had a group of CISOs in the front of the room. One of them was a woman, and she was the CISO of a big hospital network, and she explained ransomware and how it affects hospitals differently than, you know, a bank or somewhere else. And she explained, “Imagine you’re a patient about to go into surgery, and the hospital has an attack, and your patient files are now locked down, and you have to now pay ransom in order to get them back, and you’re back going to surgery, the doctors need these records”, and this sounds like a very sci-fi example, and you’re like “that doesn’t really happen”, but it really happens, and that’s how it happens. It’s not even that our wallets are being impacted, it’s our health, it’s our lives, it’s how we receive healthcare is affected by cyber crime. It is so close to home for every single person in the world that I think the industry is just going to massively change. And I think we’re gonna start to see that almost immediately because it’s just such commonplace knowledge. It’s industry wide, it’s not industry specific, and, again, it’s not just our wallets that are affected, it’s our health.

Cindy Ng: A lot of the problem previously, and maybe even now, is that IT pros are having trouble connecting with the C-Suite, and I’m wondering, after the breach, after the ransom, where are CEOs and individuals in the C-Suite getting more involved in cyber security? What are your recommendations when you’re speaking with the C-Suite versus the IT pros, because you’re kind of like a conduit between the two different channels?

Rita Gurevich: I think the C-Suites, primarily the CISO, has a very different job now than maybe they used to. Honestly, I don’t envy CISOs right now. You have a bad breach, your whole background is going to be on the front page of the paper. It’s not just that your company will get fined. Your background, your history, where you work, what your college major was is going to be out there for everyone to dissect and criticize, okay? That is not a position that most people are comfortable with. So I think CISOs now more than ever recognize that the job that they chose and the career that they chose has to be proactive. They have to be on the front lines. They have to think about things in smarter ways. So, I think that we’re going to see a shift in CISOs where it’s going to be the best of the best of the best. I think that a lot of companies took for granted the need for highly skilled leaders within information security, and they’re starting to see companies and what happens to them once a major attack occurs, and I think that is going to change.

Now, the other challenge was, I think with companies is that many of them placed one person at the helm, and they started to build out these teams, and honestly, it’s not enough. There are way too many threats. There are way too many options. There are honestly way too many vendors that are potentially offering options for one person to be making those decisions. So, what I see happening is that there is going to be subject matter CISOs across the company, where there’s many people with that title that become experts in very specific domains. So, I think that information security, potentially in terms of employee count, is going to eventually exceed all of just general IT, because I think that that’s becoming more of a priority than up time and availability of systems: making sure that the internal people aren’t doing things that they shouldn’t be doing, and that you’re doing everything in your power to prevent anybody from the outside getting in that shouldn’t be getting in.

Cindy Ng: It’s been said that information security is really just compliance but not security. Is that ball thrown out the window after people have realized how serious information security is?

Rita Gurevich: That’s a great question. I’m gonna give you another story. I was on the phone with a CISO, he’s the CISO of one of the largest manufacturing companies, and we were talking about his agenda for the year. And he recently started at that company and was told that his mandate was compliance, and maybe this is because the company struggled with compliance in the past, but he immediately said if my mandate is compliance, I don’t want the job. You know, that is not what I should be focusing on. And the challenge with focusing solely on compliance, as he put it, is that it actually leaves you more exposed. Compliance is about a checklist and often that checklist is very subjective, and often the people who are verifying whether you’ve completed that checklist are ranging in levels of expertise. I mean we have customers that are the 1000 person shop all the way to the 100,000 person shop, and we as outsiders can see that the caliber of the people coming in from the outside, from the regulatory bodies checking on them, is vastly different. Just because you’ve checked the box, it doesn’t mean that you have good security. And it’s good security that’s going to minimize your risk. And you have to think about security first. If you think good security will drive compliance and not the other way around, you’re still going to achieve the goal of good compliance, but you’re also going to put the right preventative controls in place to minimize a data breach or some other cybercrime.

Cindy Ng: Let’s talk more about your company, SPHERE. I wonder what the mission of your company is?

Rita Gurevich: The mission of SPHERE is to help companies take control of their data, their systems, and their assets. What that means is to give them the visibility that they need: understanding what they have, what they need to protect, and how they need to protect it. Along with giving them a SWAT team approach, helping them remediate issues that they have. And also put tooling in place to allow them to manage their environments effectively, in house. A lot of companies have no idea where to start, in terms of looking at data governance. They have no idea what needs to be remediated or fixed or how IAM workflows work. Or they have no idea what threats privileged accounts are posing for their organizations because they don’t have threat level visibility. And once we get them the visibility, a lot of times, they need a one time SWAT team approach to clean up the environment. And it’s something that we also do. And we also partnered with different vendors, and obviously Varonis is one of the most strategic partners we’ve partnered with. We offer tooling to help people manage their environment on their own with their own resources long-term. We also have our own solution called “Sphereboard”, which integrates with Varonis, along with a handful of other best-of-breed technologies to provide a single pane of glass to your data, your systems, and your assets.

Cindy Ng: So, you don’t curate a list of vendors for your different clientele to meet their needs? It’s more like here’s what we know all companies need. Here’s what we can provide for you. Because sometimes your clients don’t know that certain technologies might exist, you’re essentially giving them one panel of “here’s everything you need to know.”

Rita Gurevich: Yeah, that’s exactly right, and we’re by no means a VAR where we have a portfolio of, you know, 100 different products, and then we switch them out as we need to. We really invest in the relationships that we’ve built with our partner network, and with the companies that we’ve integrated our solution with, and that’s important because you need to have consistency. And if you want a solution to be sticky, it has to be relevant, and it has to answer the right questions, and there has to be a history of that company doing things the right way. There’s going to be a lot of disruption within this industry, and there are going to be a lot of companies that are coming into the space. They’re offering really cool widgets and gadgets and all that good stuff that probably aren’t going to be around in a year or two. That’s just the nature of entrepreneurship and innovation, but there are going to be plenty of those that come around and stick around, but the relationships that we’ve formed and the partners that we’ve worked with are ones that we’ve been working with now for a really long time, way before anyone even thought something like Equifax could happen. So, we’ve been solving this problem way before it was cool, and we’re gonna continue to offer that, and be more innovative, and continue to solve problems for our customers.

Cindy Ng: Have you ever figured out in speaking with, say like, after 10 vendors, you realize, “Oh, we’re missing X, Y, and Z products, and I’m gonna go find a vendor to see if there’s anyone I can work with?”

Rita Gurevich: Yeah, at times, but I think it happens a little bit more naturally than that. I think that it’s first about the problem statement, so I’ll give you an example. The last area that we’ve added to our portfolio more officially is privileged access management, and, you know, our focus was, of course, on the traditional challenges with password vaulting and such, but really from a Sphere perspective, we were noticing challenges of deploying those solutions in terms of understanding what privileged accounts exist in my environment, whether it’s in my Unix environment, on my Windows servers, my databases, etc., and who owns those accounts, and who do I need to educate on a new way of working? So, it’s not necessarily about the products that will, you know, do password vaulting, or record sessions, or whatever the tools may do, it’s more about kind of the people and the process, and all the work that needs to be done ahead of that. So, I think our expertise comes with that. Now, there’s no doubt in my mind that CyberArk is the leader in that space, and we decided to partner with CyberArk because of that. But, that being said, our solution for privileged access management is not just to recommend a tool, it’s to create a process, to create an end-to-end solution that includes a one time remediation effort. That maybe includes process change, that maybe includes training, that maybe includes, you know, health checks, and then, of course, there’s also the software element of this. Most companies cannot manage this manually. You need the right tooling, so there are definitely tooling recommendations. So, I think looking at the problem end-to-end, the products and the vendors who we decide to work with for specific initiatives naturally fall into place.

Cindy Ng: What are upcoming plans for Sphere?

Rita Gurevich: Definitely growth in mind. I get bored easily, so growth strategy is always at the forefront of my mind. So, what we’re focusing on is a couple of different areas. The first is geographical expansion. We opened up our London office this year. That’s going really well, and essentially we’re just replicating the message here out there. There are all sorts of requirements out there in terms of GDPR, and just overall data security that companies out there need just as much as they need here. Also, our products, so SPHEREboard is our baby. We came out with our product about two years ago, and it’s a culmination of just years of experience of being in the field from a services perspective, so just building more connectors, having more tools feed into that, and pumping out all sorts of really cool analytics for our customers to leverage. So, those are the two areas that we’re focusing on, and you’re gonna see a lot about Sphere in the next year.

Cindy Ng: Sounds great. Thanks Rita.

[Podcast] The Moral Obligation of Machines and Humans

Critical systems once operated by humans are now becoming more dependent on code and developers. There are many benefits to machines and automation such as increased productivity, quality and predictability.

But when websites crash, 911 systems go down, or radiation-therapy machines kill patients because of a software error, it’s vital that we rethink our relationship with code, as well as the moral obligation of machines and humans.

Should developers who create software that impacts humans be required to take a ‘do no harm’ ethics training? Should we begin measuring developers by the functionality they create as well as by the security and moral frameworks they’re able to provide?

Other articles discussed:

Tool of the week: Assemblyline: Files go in, and a handful of small helper applications automatically comb through each one in search of malicious clues.

Panelists: Kilian Englert, Kris Keyser, Mike Buckbee

[Podcast] The Anatomy of a Cybercriminal Startup

Outlined in the National Cyber Security Centre’s “Cyber crime: understanding the online business model,” the structure of a cybercrime organization is in many ways a lot like a regular tech startup. There’s a CEO, developer, and if there are enough funds, an IT department.

However, one role outlined in an infographic on page nine of the report was a surprise, and it does not exist in legitimate businesses. This role is known as a “money mule.” Vulnerable individuals are often lured into these roles with titles such as “payment processing agents” or “money transfer agents.”

But when “money mules” apply for the job, and even after they get the job, they’re not aware that they are being used to commit fraud. Therefore, if the cybercriminals get caught, “money mules” might also get in trouble with law enforcement. The “money mule” can expect a freeze on their bank account, face possible prosecution, and might be responsible for repaying the losses. It might even end up on their permanent record.

Other articles and threads discussed:

Tool of the week: SPF Translator

Panelists: Mike Buckbee, Kilian Englert, Mike Thompson

[Podcast] How Weightless Data Impacts Data Security

By now, we’re all aware that many of the platforms and services we use collect and store information about our data usage. After all, they want to provide us with the most personalized experience.

So when I read that an EU Tinder user requested information about her data and was sent 800 pages, I was very intrigued with the comment from Luke Stark, a digital technology sociologist at Dartmouth University, “Apps such as Tinder are taking advantage of a simple emotional phenomenon; we can’t feel data. This is why seeing everything printed strikes you. We are physical creatures. We need materiality.”

He is on to something. We don’t usually consider archiving stale data until we’re out of space. It is often only through printing photos, docs, spreadsheets, and PDFs that we feel the weight and space-consuming nature of the data we own.

Stark’s description of data’s intangible quality led me to wonder how weightless data impacts how we think about data security.

For instance, when there’s a power outage, some IT departments aren’t deemed important enough to be on a generator. Or infosec is seen as a compliance requirement, not as security. Another roadblock security pros often face is that when they report a security vulnerability, it’s not usually well received.

Podcast panelists: Mike Buckbee, Kilian Englert, Mike Thompson