Voices from Infosec with Jeff Horne
Welcome to a special edition of Breaking Badness. In this bonus episode, you’ll hear from Jeff Horne, Chief Security Officer at Ordr. My co-host Tarik Saleh and I sat down with Jeff to discuss trends in offensive security, career advice, and CISO scapegoating.
Here is a brief outline of our discussion with Jeff Horne
Tarik and I had a lovely time picking Jeff’s brain during this special episode of Breaking Badness. Jeff brought an extra dose of energy to our conversation, where we covered a number of topics including his background, trends in offensive security, CISO scapegoating, and career advice for security practitioners. It was clear right off the bat that Jeff is incredibly passionate about security. He came prepared with some wonderful stories and anecdotes. For starters, Jeff was a private investigator at the young age of 17. Not to mention Jeff’s passion for winning MySpace contests (I can’t do this justice; it’s imperative you listen to the episode to make sense of this sentence).
Another topic of discussion was bug bounty programs and whether or not the payouts are generally appropriate for the work involved and the risks mitigated. This conversation quickly segued into the concept of Cobra Farming, named after some unintended consequences of a bounty for dead cobras to help diminish this delightful snake’s population. Next, Tarik and I picked Jeff’s brain on some trends in offensive security. This discussion, not so surprisingly, touched on the impact of COVID, how the pandemic has increased attack surfaces, and its influence on security budgets. From an information security officer perspective, Jeff is looking at tool consolidation, mobile device management, and automation he can put in place to handle investigations, breach analysis, and protection controls.
Before diving into career advice, Tarik and Jeff examined the concept of CISO scapegoating. As they say, a picture is worth a thousand words, so I am confident I can summarize this part of our chat with a simple image created by @ScrumWhat on Twitter. Finally, Tarik asked Jeff how security practitioners can make themselves invaluable assets to a security organization. Jeff provided some helpful advice:
“Regardless of position and level of security, one piece of advice I have is to keep on top of security issues, trends, exploits, and patches. This is critical. You don’t have to do deep dives on all of them. But, I’ve definitely been in situations where someone says, “hey, have you heard about so and so”, and because I spent the previous night researching, I can immediately provide some thoughts. Making yourself an invaluable asset is also knowing your limitations and knowing what you don’t know.”
It was truly delightful to speak with Jeff. Be sure to listen to the full interview to learn more about Jeff’s metal band (and why they didn’t prefer his guitar solos), what I plan to name my first child, and much more.
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!