Transcript
A (0:02)
You're listening to the Cyberwire network, powered by N2K. And now a message from our sponsor, Zscaler, the leader in cloud security. Enterprises have spent billions of dollars on firewalls and VPNs. Yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface. Making apps and IPs invisible. Eliminating lateral movement. Connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context. Simplifying security management with AI-powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com/security.
B (1:31)
I am Dave Farrow. I am a Senior Director of Information Security at Barracuda Networks and I am responsible for their entire internal security program. At the end of high school, my father was into technology. He was an early adopter, which is odd because he was in human relations, HR, all of his life, and he had this Kaypro and he kept trying to get me to play with this Kaypro computer that he had, and I wanted nothing to do with it. He thought he might lure me in with a Commodore 64, and I preferred to surf and ride my bike around Southern California. It wasn't until I spent a quarter at college doing a non-techn... non-engineering course of study that I realized that I didn't, I didn't like that, that I really wanted something more concrete. And at that point I picked up and started studying electrical engineering. I chose electrical engineering because at that point I'd had a couple of classes in, you know, the prerequisite classes in physics and whatnot, and all of the mechanical stuff sort of made logical sense to me. And I thought, I'm going to go with electrical because it makes absolutely no sense to me. And if I'm going to pay for this, or my parents are going to, you know, put me through this, I should at least learn something that I couldn't learn on my own. And so I chose something that made no sense to me at all. You know, it's funny because, you know, my life is filled with doing a bunch of things I never said I would do. I swore I would never do software because, at least in the electrical engineering school at Berkeley, there was this snobbery that said the only people that were in software were people that couldn't make it through the EE program. And it's funny because as soon as I graduated, I had an offer from an old aerospace company that's gone now called TRW that said, hey, we'll pay you to learn software. And something tickled in the back of my mind saying, this is an offer that you probably shouldn't refuse.
And once I actually got into writing software, I just fell in love with it and realized that that snobbery was just that, it was snobbery, and I almost missed something great. I got into development, like I said, in aerospace. A couple years into that, I went out on my own as a contractor and did contract gigs in a lot of different industries, from telecom to data warehouses. Around the time that the dot-com bubble burst back in about 2000, I had a contract that was winding up. Long story short, I ended up finding a contract gig in Fresno, California, which might be the least technically oriented city in California, actually. I did software architecture for probably the first 15 years of my career and then moved into building and developing teams. I was looking around for how else I could meaningfully contribute to Barracuda and just sort of backed my way into the security role. At that time, one of our lead architects on the email security team had been managing our privately run bug bounty programs. And so I offered to take on that job just so that this architect could focus on developing the product that he was the lead for. And that sort of blossomed into an internal security team over the course of the next couple of years. We do vulnerability management, network scans, logging and monitoring. We do incident response. And when I'm not supporting the teams that are doing those things, a lot of my time is spent in defining our security policies and communicating those with the rest of the company and really sort of communicating the good work that the team is doing to the leadership of the rest of the organizations. The people that we talk to are working in this space on a regular basis. You still have challenges because a team that does email security may not be as well versed in the nuances of network vulnerabilities, and a firewall team may not be versed in the nuances of web application vulnerabilities.
The challenges that we run into are the challenges that I think everybody runs into, which is that I think that the real challenge in security is when you're trying to interact with the business is recognizing that there are other threats to the business besides cybersecurity threats and being able to become part of the risk management conversation. If the security guy rolls in and says everything has to be fixed, you're going to take away resources that you might, that might cost you opportunities in the future. I think that's a problem that all of us in the security industry have to recognize, is that we're part of the economic strategy of the company. You're going to apply different security controls if you're worried about cyber vandals than you will if you're worried about nation states. Right? But the fear is that if I don't tell you about every single possible exploit that a nation state might throw at you, if you get hacked, you might come back to me as a security guy and say, hey, what did you, what did you miss? It's a real challenge to correctly align the, the investment in security with the threat that you're protecting against. I hope to be remembered as the security guy that understood that cybersecurity threats were not the only threat that a business supposed. You know, I, I have stuck in my mind, because I spent so many years as a developer, my picture of the security guy was that he was the guy that was always saying no. And I want to be remembered as the guy that said, yes, we can do that if we do it in this responsible way.
[Image: Dave Farrow: The guy that enabled the business. [Security leadership] [Career Notes] - CyberWire Daily cover]