Open Comments, hosted by The Open Group

Open Comments - Episode 13: Decoding Security and Zero Trust, with John Linford

October 10, 2023 The Open Group Season 1 Episode 13

What happens when an expert in economics ventures into the complex world of cybersecurity? Today, we bring you insights from John Linford, the Forum Director of The Open Group, Security Forum, and Open Trusted Technology Forum. We journey through John's unique transition from economics to cybersecurity, focusing on the quantitative risk analysis facet that piqued his interest. This episode delves into the significance of cybersecurity for businesses, highlighting the current industry trends with an emphasis on the Zero Trust realm.

Brace yourselves as we pivot the conversation towards the imperative of lifelong learning in cybersecurity. John underscores the necessity for ceaseless education to keep pace with the ever-evolving cybersecurity milieu. He offers rich insights on how automation and AI can liberate valuable resources, sharing his unique perspective on the best ways to stay abreast of cybersecurity developments. We also delve into how organizations can optimally leverage AI and automation in their cybersecurity strategies. 

Lastly, we delve into John's personal learning strategies and the intriguing role of curiosity in mastering intricate subjects like cybersecurity. He shares invaluable lessons from his lifelong learning journey, stressing the importance of comprehending project basics. From attending webinars and virtual conferences to leveraging automation and AI, John offers a smorgasbord of strategies for listeners keen on professional growth in cybersecurity. 

Don't miss out on this enlightening conversation that promises a treasure trove of knowledge on cybersecurity trends and learning strategies!

Copyright © The Open Group 2023-2024. All rights reserved.

Ash Patel:

Welcome to Open Comments with myself, Ash, and me, Oliver, where we'll discuss things openly with our guests from a variety of backgrounds and from different walks of life. Through this podcast, we hope to give you an inside look into a variety of topics with an equal mix of humour and candour. In this series so far, we have touched on the following topics: healthcare, HR, diversity, access to technology, cybersecurity and lots more. We hope you enjoy our show and look forward to bringing more topics into the fold. Let's get started.

Oliver David:

Thank you, Ash. So today we have John Linford. John Linford is the Forum Director of The Open Group Security Forum and Open Trusted Technology Forum. As staff of The Open Group, John supports leaders and participants in the Open Trusted Technology Forum in utilising the resources of The Open Group to facilitate collaboration and follow The Open Group Standards process to publish their deliverables. Prior to joining The Open Group in June of 2019, John worked as a lecturer for San Jose State University teaching courses in economics. John is Open FAIR Certified and was the lead author of the Open FAIR Risk Analysis Process Guide, which offers the best practices for performing an Open FAIR Risk Analysis with an intent to help risk analysts understand how to apply the Open FAIR Risk Analysis methodology. So, John, welcome to the podcast. It's great to have you on.

John Linford:

Thank you very much, Oliver and Ash, very glad to be here. Yes, so, as Oliver just said, my background is actually in economics, so I have an undergraduate degree in economics with a focus on money and banking and a master's degree in economics with a concentration on applied economics. I went straight from my master's degree to teaching undergraduate courses in economics at San Jose State, including introduction to micro and macro economics, as well as the upper division economic writing requirement course for the department. While I was actually completing my master's degree at San Jose State, I was introduced to The Open Group through a current Security Forum chair, Mike Jerbic, who taught me what I needed to know about Open FAIR to help him in the course that he was teaching, where he was actually requiring students to complete Open FAIR analyses. So I learned Open FAIR to help with teaching, fell in love with the quantitative risk analysis aspect of cybersecurity. That led to me participating as the lead author for the Open FAIR Risk Analysis Process Guide, and then that, in turn, led to me joining The Open Group as staff, as the Security Forum and Open Trusted Technology Forum Director. Since June of 2019, that's been the role that I have filled, so I work with members of my forums to help them develop the guides, white papers and standards as well as accompanying certification program materials that they might need to produce for the topics that interest them.

John Linford:

And that's involved, since I've joined so far, updating the Open FAIR body of knowledge and putting out the Open FAIR 2 certification, so an update on the original Open FAIR Foundation certification program. We've also worked on updates to the Open Trusted Technology Provider Standard and are awaiting acceptance of this new version by ISO as a new version of ISO 20243. And then, of course, we've done a bunch of stuff around Zero Trust, including publishing the original Zero Trust Core Principles white paper, which leans really heavily on the original Jericho Forum Commandments, as well as our Zero Trust Commandments guide, taking further inspiration from the Jericho Forum Commandments and evolving those original core principles into something practicable for organizations. And now we're at the stage of turning those commandments into a standard as well and producing a Zero Trust Reference Model standard, to name just a couple.

Oliver David:

So, John, you mentioned you started as an undergrad in economics. What was the draw that brought you over to the cybersecurity realm?

John Linford:

Really it came through the quantitative risk analysis. It clicked really well with my economic brain of being able to look at expected losses, estimated losses, and use that process of completing your quantitative analysis both to help you understand the story of loss that you're hoping to help solve but also to be very valuable in informing decision makers of their options and giving them solutions that are cost effective according to the requirements that they've set in place. So it was a very logical progression from doing economic cost benefit analyses to cyber risk analyses that are also quantitative, to sort of cyber security more broadly beyond just the risk analysis aspect.

Oliver David:

And I guess more of a vague one for you, but in your eyes. Why is cyber security so important for businesses?

John Linford:

I mean, without a solid, good foundation of cyber security in an organization, it would be pretty impossible for that organization to be productive. You know, if employees are spending their entire day just trying to get access to the resources that they need to do their jobs, if organizations don't know that their crown jewels, their trade secrets, are protected and kept safe so that they can actually use them in their products and create value with them, there wouldn't be a lot of reason for businesses to try to operate how they do, let alone work with each other. Right, we need those processes and policies in place, those controls in place, to allow interaction between business and customer, but also between collaborating organizations. So cyber security, and security more generally, provides that basis for organizations to be able to operate and know that, or at least believe in some instances, that their actions aren't going to cause worse problems for them. They're going to be able to act securely and safely.

Ash Patel:

And staying on the topic of cyber security, can you tell us a little bit about the latest industry trends around it?

John Linford:

Well, I mean right now, of course, Zero Trust is remaining at the forefront for cybersecurity practitioners.

John Linford:

Over the last few years, we've seen it evolve, thank goodness, from what was really just a buzzword that we were seeing slapped onto products to try to get them to sell, to organizations like, of course, the Open Group, but also NIST and the Cloud Security Alliance working to provide definitions and descriptions of what Zero Trust is, so that end users as well could understand what it was, how to implement it and whether the products and services they were looking at would actually help them reach that goal.

John Linford:

So we've seen a lot of growth and evolution in the understanding of Zero Trust over the last few years, but given that that's really now the modern approach to security that organizations are adopting, I'd expect that we're going to see that keep evolving and that we're going to see improved and yet more guidance on actually implementing Zero Trust. We're, of course, also seeing a lot of interest in things like artificial intelligence and machine learning, as folks try to understand how those might be integrated into helping them secure organizations, but we're also seeing threat agents embracing those tools to try to get into organizations. So both a very useful tool, but also something that organizations need to keep an eye on in case it's used to attack them. On the supply chain side of things, really, we're seeing a lot of emphasis on cyber supply chain security, on securing your software supply chain, so we're seeing things like software bills of materials, or SBOMs, evolve.

Oliver David:

Thank you. For those that are uninitiated, maybe, or for the likes of me, could you please define Zero Trust?

John Linford:

Absolutely. Zero Trust gets its origins back from the Jericho Forum and their emphasis on deperimeterization. So in other words, moving your security, or most of your security, or even the security that you really rely on, away from your perimeter and instead shifting it to securing assets, APIs, data, the end users themselves or their devices. So pulling security away from the edge and more to the actual things that you care about. Previously, there used to be this notion of, you know, if somebody was inside your network, if they had access to what was inside your network, there was this assumption that you could trust them, that they weren't going to act against you or cause you harm. Now, of course, that sort of discounts the accidental harm that employees can do, the non-malicious, you know, they accidentally trip over a power cord and shut down a data center. You know that's an exaggeration, but that's not necessarily what we're thinking about with Zero Trust. Instead, what we're emphasizing is a basis of no trust.

John Linford:

To start that, then users, devices, you know, whatever it is that's trying to get access to your data, your assets they have to continuously verify that trust. So we're not just verifying once and letting them run about and do whatever they want. Instead, we're putting incremental checks every time they're trying to do something new, especially if they're trying to get to something they might not have a reason to need or if they're in a location where it might be a little bit more risky to allow them that access. So we expect to see sort of different levels of access for the same person based on whether they're using their organization's device, on their organization's network, within an actual physical building, as opposed to if they're on the other side of the world in a Starbucks on a personal device. So Zero Trust allows for varying that level of trust given to them based on any number of those inputs, so that we don't have somebody coming in and just getting access to everything all at once without those additional checks in place.

Oliver David:

Okay, and is this how most companies are operating now, or is it still something that's being implemented?

John Linford:

Definitely still something that we're seeing being implemented. Some organizations are much further along this journey than others, but we've seen Zero Trust named in US Executive Orders. The UK National Cyber Security Center has some guidance on Zero Trust. Canada also has some really good guidance on Zero Trust.

John Linford:

So, although the idea has been around for a couple of decades now, it's taken some time to really understand what it looks like to integrate it into an organization, and accepting that it is, it's a journey. There is not a single state that you can get to where you can say I have achieved Zero Trust. Instead, it's going to be a constant evolution where you're shifting the tools that you're using, updating policies as they need to be, updating processes and also ensuring that your employees and staff at organizations have the training and understanding needed as things do change. So we're seeing progress there. We're seeing more and more organizations embracing it and we're definitely seeing continued growth and evolution of it. I wouldn't say that we're at a mature state for Zero Trust yet, but it's encouraging, the progress that we've seen over the last couple of years.

Ash Patel:

And are there any industry events coming up that you are most looking forward to?

John Linford:

I always really look forward to FAIRCON, so it's a conference that the FAIR Institute sponsors. The Open Group and the FAIR Institute of course have a really good relationship since we're both based around the Open FAIR standard. So that's always a really exciting conference to attend to see just the passion of risk analysts and working to improve the cybersecurity of their own organizations and move them toward a quantitative risk program rather than a qualitative one, where decisions about what controls you might implement don't have to be based on a finger in the wind kind of test. It's based on emotional responses. So that's always a really fun conference to attend. But then of course we have The Open Group Houston Summit coming up in late October, early November. So that will be another really exciting event to attend and see multiple forums from The Open Group come together and swap ideas from their own perspectives with forums who might come at it from a slightly different angle.

Ash Patel:

Nice. And now, moving on to mentorship, have you had any mentors and if so, what advice have they imparted to you over the years?

John Linford:

I've already mentioned Mike Jerbic, but I've got to mention him again. I've known Mike since I was an undergraduate student. He was actually one of my professors. So Mike's been a constant source of support and encouragement for me. He encouraged me to become Open FAIR certified. He helped me get involved in The Open Group with the Open FAIR Risk Analysis Process Guide and then has been forum chair the whole time that I've been forum director. So he's been a really consistent source of encouragement and help and guidance as I've come into the cyber security and supply chain security world. Another person that I should mention is on Josh's a call. When I joined The Open Group he was actually a member of the Open Trusted Technology Forum and has since joined The Open Group as staff as well, and he really helped me get up and running and up to speed with the Open Trusted Technology Forum and the supply chain security side of things.

Oliver David:

Thank you, John. So I'd like to just circle back a little bit and touch on, well, your education. We talk a lot on this podcast about things along the lines of lifelong learning and just constantly teaching yourself new things. Is that something that you do or something that you adhere to?

John Linford:

Absolutely, um. I of course have my Open FAIR certification and Open FAIR 2 certification when we launched that, um. I also keep a close eye on webinars and trainings coming out of firm organizations like ISC2. Uh, the FAIR Institute puts on regular webinars that are excellent, as does the Society of Information Risk Analysts, SIRA, um. And then, of course, there's all sorts of things coming from NIST and the Cybersecurity and Infrastructure Security Agency, um. So I'm always tuning into webinars or, especially over the last couple of years, virtual conferences where you can, you know, listen to a bunch of different speakers from any number of organizations give varying perspectives on a topic, um. And then, of course, there's all of the excellent stuff coming from The Open Group. We have our certifications around TOGAF, so that's going to be an area that I'm starting to get much more into here in the next couple of months.

Oliver David:

I suppose in the area of cyber security, you're constantly having to learn.

John Linford:

Oh yes, yeah, cyber security is not a space that stays, I'm gonna use the word stable, which isn't really the best word there even, um. It is constantly evolving. It is constantly changing. Right when you think you've got a really good solution in place, you learn that there's some threat actor out there that's half a step, one step, three steps ahead of you and you've got to update and change and adapt. So, yeah, it's definitely not a space where you can do something and then sit assured that it's going to be left alone for the next year. You're gonna have to watch that at a minimum and, realistically, it's probably gonna need updates and changes because things are evolving just so quickly.

Oliver David:

And that's something you mentioned with, um, Zero Trust and how you will constantly need to keep making sure that, you know, you're checking in on the right things and constantly monitoring it, and it's not something that's always going to stay secured and you can trust it forever.

John Linford:

Absolutely yeah, you definitely come into this space with an expectation that things are going to change and that's just going to be part of life.

Oliver David:

So I've been reading a little bit. You've mentioned very briefly about security and and AI and automation. I was just wondering can you describe the link between security technology and and automation as well?

John Linford:

Yeah, and this is, this is an interesting one because we see, you know, increasingly organizations want to automate a bunch of their IT processes. We, of course, see automation all the time in OT, operational technology, but then we also are seeing automation in the IoT space. So, from a security point of view, you know, automation is really useful in helping free up resources. If you can, you know, set up your policies and your endpoints in such a way that you can automate some of the decisions that grant trust, that grant access, you can free up resources of human beings to instead act on incidents and provide that input where they're going to be a bit more valuable. Um, at the same time, now, if you don't have your automation steps set up correctly, if you don't have those decision points set up correctly, then automation can get you into trouble very quickly.

John Linford:

So we're seeing, you know, AI coming into this and helping with some of these decisions, with helping with some of these access points. But you know that, again, that is still, you know, a point of caution. Um, what you put into the AI is going to be, you know, very, very important for what you get out of it, is probably the best way to say that. So there is still going to be very deliberate use of it, of AI, of machine learning. But, yeah, the end goal is definitely something that helps free up human time, human resources and energy for where those decisions require that level of nuance that human beings provide.

Oliver David:

So I suppose that's where you see security automation heading, as you say. There will still be human input, but it's just a matter of freeing up their time so they can focus on other things.

John Linford:

Exactly, yeah, and that's really where we're seeing, you know, Zero Trust embracing automation as much as possible. We want it to be so that an employee of an organization is able to, as seamlessly as possible, log into their device, log into the network, get to the resources that they need and do their job with really minimal disruptions. Maybe, you know, maybe there's some multi-factor authentication in there somewhere. That's something that can be automated. You know, maybe there are some checks on location and network access. Those are things that can be automated. We don't need to have human beings involved at absolutely every single one of those steps.

John Linford:

However, if we find that a threat actor, a threat agent, has gotten in through this process that the employee would have undertaken, you know, that log into device, log into network, get access to the resources that you need, then there's definitely going to be value of human beings in there helping understand, or working to understand: How did they get access at each of these points? Where did things go wrong? What do we need to fix? So, yeah, definitely making better use of human time there, but then, as well, we also want to see automation as possible around some risk aspects, so, as Open FAIR is continuing to see adoption as cyber risk quantification.

John Linford:

More broadly, CRQ will be what you hear it abbreviated to, you know, as that is gaining adoption, we want to be able to integrate it into things like threat modeling, so that a threat modeler for a system is able to pull values for their Open FAIR analyses rather than needing to do, you know, a very specific or a unique analysis absolutely every single time they've got something that they need to model, which would be just a massive time sink and it would remove a good chunk of the value from that threat modeling activity anyway. So we're seeing automation start to come into some of those steps as well, where, you know, you can automate the collection of some of that data, but you still want that human oversight to make sure that what's coming out is usable and, of course, accurate.

Oliver David:

That's, that's something we've talked about a few times on the podcast before, especially on the subject of AI, of, yeah, how do we, how do we now start to work with AI? And that's always the advice we're given, is to, yes, work with it and by all means use it, but there needs to be that human supervision afterwards just to make sure.

John Linford:

Absolutely. Humans are gonna remain a crucial part of the security world, and I mean, ultimately, everything in the security space is working towards securing people. You know, these impacts on organizations come back and impact people, human beings. So yeah, there is still a very human-centric requirement for cybersecurity and supply chain security.

Ash Patel:

I think this actually leads on quite nicely to the next question, of advice. So for those, you know, who may be looking to work in security, what advice could you give them? Maybe courses to do, or where to start, or who to go to to discuss things with? Where would you, you know, start?

John Linford:

Yeah, that's a good question. ISC2 has a really good introductory certification, their Certified in Cybersecurity. It is a very straightforward course. They have it set up very, very logically and deliberately. It's not a huge time investment to get access to it and it's priced very reasonably. I'm not gonna give a number because I'm going to misremember what it is, but that's a great start for people who don't necessarily have a lot of background in security, or cyber security more specifically, or even potentially background in computer science or that kind of thing.

John Linford:

It provides a lot of the basis. Otherwise, keeping up to date with, you know, posts and stuff coming from, of course, The Open Group, but also NIST, Cloud Security Alliance, the FAIR Institute, SIRA, you know, the list goes on and on. Just signing up for some of those newsletters or mailing lists, joining webinars, as you can, from reputable organizations, from standards organizations, and then, you know, Google web searches. When there are concepts that you don't understand, when there are terms that you hear that you don't know what they mean, you know, a quick search can clear up a lot of confusion very quickly and then that leads you to the next interesting topic and the next interesting topic and the next interesting topic and you're quickly in the rabbit hole and in love with the topic.

Ash Patel:

Cool. And now, moving on to learning, what do you like most about it, and are there specific, you know, strategies or ways of learning that you prefer over the other, or that you go into a project with?

John Linford:

Well, I'll say first of all that I am always passionate about learning. I went straight from my undergraduate to my master's degree with no break at all. That was an immediate. I was in love with the subject and didn't want to waste any time between finishing one and starting the next. So I, I have a deep passion for learning and for education and for me, the best way to learn is to do it.

John Linford:

Dive into something that you don't necessarily know. Have conversations with people who've been doing it for five years, ten years, fifteen years, twenty-five years in some instances, who breathe the subject and are so intimately familiar with it that you, you have to help them find the disconnect between what they take as common knowledge and what you're missing. And having those conversations with people is always extremely valuable because you get to see the perspective that the subject has put on their world, that, because of their involvement in the subject area, the topic, the profession, it's impacted how they see the rest of the world. And having conversations with folks like that lets you see, you know, what are those critical points that they use to distinguish. So that's always a really exciting thing, whether that be somebody who's been in industry for 25 years, or a professor.

John Linford:

Going into projects, of course, you want to, you know, have a decent understanding of the basis of the ideas that are going to be formed as part of it. So, as forum director, in helping members initiate projects, that's always a very critical part of every stage: what is it that we're going to be doing? What is the goal of this? What is the common understanding we expect of people who are going to be using this, and how can we make sure that that's conveyed to them from the beginning, so that if there is an introductory document, we can point to it and make sure that it's clear they should probably read it first, and then building the rest of the publications around a very deliberate structure in that way.

Ash Patel:

And would you also say that curiosity plays a part in how you learn as well?

John Linford:

Oh, definitely. You know, if there's something that piques your interest, if there's something that, you know, seems a little bit weird or funky or fun, those are definitely things worth spending some time at least taking an initial look at. And if you realize, you know, rapidly it's only going to be so much use, you know, maybe you shift your interests elsewhere, or, you know, if it's only going to be so much use, but it's still a very fun topic, by all means keep digging.

Oliver David:

For someone like me, where cybersecurity is such a massive topic and I have, well, little to no experience within it, would you recommend to start small and expand, or try and understand cybersecurity as a topic as a whole and then niche?

John Linford:

That's a really good question because you could start at a very high level, you know, sort of at a board level idea of managing risk that an organization is exposed to and, you know, trying to get into the head of some of that thinking at a top level, organizational level. Or you could come in from the bottom up and get into some of the more specifics. Trying to dive into the middle might be a little bit more complicated. But yeah, with cybersecurity you could easily take a very specific, very small aspect. I'll use physical security because it's maybe an easier example here. For physical security, securing a building:

John Linford:

You could start very small at what's your best deadbolt option? Why is one type of deadbolt better than another? Is it down to the mechanisms within the lock itself? Is it down to the type of key that's used? Does it depend on the interaction between the door that it's installed on and the door frame around it, or is it a lock between two doors? Or you could go to the higher level and think about, you know, we need to have doors in place; if there are fires, we need to make sure that people can get out safely, and look at it from a higher level like that. So, yeah, you definitely could come in from either perspective. At the top level, you know, cybersecurity really is the means to the end, excuse me, of effective risk management, whereas at the much lower levels, you're starting to get into very specific mitigations and preventions.

Ash Patel:

Now, before we end, we'd like to finish with a short round of quickfire questions, so the first one being: what is your favorite holiday destination?

John Linford:

Sorry, this first one's not going to be quick. I grew up in California, so of course I want to say beach. I strangely prefer cold, foggy beaches to warm, hot, sunny beaches. I'm also a redhead, so too much sun exposure for me is not necessarily a good thing, so that may influence it. But I'm also a keen cyclist, so I currently live in Colorado, so I also really want to say mountains, because you can get some really good exercise cycling in the mountains, hiking in them and just embracing or enjoying nature like that. But you also get that really good at the beach. So mountains at the beach maybe.

Oliver David:

Okay, well then, bouncing off of that one then. Would you rather cycle through a mountain or be at a beach? Let's specify.

John Linford:

Ah, probably cycle. Probably be out actively cycling as opposed to being sat on a beach.

Oliver David:

So do you have any holidays planned or vacations planned?

John Linford:

I don't have any specifically planned. I'm not sure when this will be released, but at time of recording, here in a couple of days I'm completing what's called the Triple Bypass, which is a bike ride here in Colorado that goes over Juniper Pass, Loveland Pass and Vail Pass, so it's 118 miles with not quite 11,000 feet of cumulative elevation gain over the ride. So that's something that I'm very much looking forward to.

Oliver David:

Wow, how long do you expect that to take?

John Linford:

I'm hoping it doesn't take me 10 hours, but I'm expecting it takes me at least 10 hours.

Ash Patel:

On that note, we'd like to extend a big thank you to you for joining our show. It was very fascinating, not only learning more about you, but also about security and Zero Trust, and we look forward to, you know, hopefully having more discussions with you on those topics in the future. Now, for those that would like to keep up to date with you and what you do, how can they get in touch with you, for example, LinkedIn, other socials, website, etc.?

John Linford:

LinkedIn is a great way. By all means, please do connect with me on LinkedIn. Otherwise, email. I keep an eye on email all day and get responses as quickly as I can. So those are both, those are probably the best ways to get in touch with me. Otherwise, if you see me at an in-person event or conference, by all means tap me on the shoulder and say hello and I'll be happy to chat with you. And to all our listeners, also known as our Open Comments community, we look forward to bringing even more topics and special guests into the fold for you. Stay tuned.

Ash Patel:

Thank you, and thanks again, John, for coming onto the podcast.

John Linford:

Thank you so much for having me.

Chapter markers: Exploring Cybersecurity Trends; Lifelong Learning and Automation in Cybersecurity; Strategies and Approaches to Learning; Contacting the Speaker and Future Plans.