The Risk Apogee

How Bob Lord Reframes Cybersecurity as a Software Safety Problem

The Risk Apogee Season 1 Episode 1

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 43:18

Most enterprise security spending goes toward bolting defensive tools onto software that was never built to be safe in the first place, and board conversations rarely question whether that's the right fight. Bob Lord has spent his career at the center of that question, serving as the first security hire at Twitter, Chief Information Security Officer at Yahoo, CISO at the Democratic National Committee after the 2016 hacks, and, most recently, helping launch the Secure by Design initiative at CISA.

In this episode of The Risk Apogee Podcast with M.K. Palmore, Bob argues that the industry's language itself has allowed vendors to offload risk onto customers, while the C-suite continues to approve budgets for tools that treat symptoms. He walks through what other regulated sectors did to dramatically reduce harm, why AI is a chance to finally apply lessons the industry has ignored for thirty years, and how leaders can use AI to do things humans never could like continuous threat modeling and prioritizing the scariest fraction of a code base.

Things You Will Learn:

  1. Why reframing "cybersecurity" as "software safety" changes how executives allocate budget and evaluate vendor accountability.
  2. How to apply lessons from aviation, automotive, and medical safety regulation to the way enterprises buy and deploy software.
  3. How AI can shift risk management from periodic threat modeling to continuous prioritization of the most dangerous parts of a code base.

Tools & Frameworks Covered:

  1. The Four V's: Bob's framework for reframing the security narrative: shift focus from Villains (the attackers we celebrate) and Victims (the organizations we shame) toward Vendors (who ship unsafe software) and Visionaries (who have been telling us how to fix it for decades).
  2. Secure by Design: The principle that the burden of staying safe should shift from software operators back to software manufacturers, modeled on regulated transformations in automotive, aviation, and medical safety.
  3. Continuous Threat Modeling with AI: Using AI agents to compare every code change against the threat model continuously, rather than treating threat modeling as a one-time design-phase exercise.
  4. The Security Vitamin: A proposed 15-minute weekly concept delivery model for building executive mental models around security risk over time, rather than attempting one-shot training sessions.

#SoftwareSafety #SecureByDesign #CISO #EnterpriseRisk #RiskApogee

🎙️ Thanks for tuning in to The Risk Apogee Podcast!
If you enjoyed this episode, don’t forget to follow/subscribe so you never miss an inspiring conversation.

✨ Connect with Apogee Global RMS for more leadership insights:
LinkedIn: https://www.linkedin.com/in/mkpalmore/
Instagram: https://www.instagram.com/apogee_rms/
X/Twitter: https://x.com/apogee_rms

💼 This episode is brought to you by Apogee Global RMS – experts in risk management solutions. Check out their website to learn more about how they can support your business.

Let’s keep growing and leading boldly. Until next time!



SPEAKER_01

Welcome to the Risk Apogee Podcast. If you've ever wondered who is actually in the trenches trying to keep our digital world from completely falling apart, our guest today is your answer. We are thrilled to be joined by Bob Lorde. When it comes to cybersecurity gravitas, his resume reads a bit like a high-stakes tech thriller. He's navigated some of the most complex security environments imaginable, from serving as the chief information security officer at Yahoo to locking down the political battleground as the chief security officer for the Democratic National Committee to his recent pivotal role as a senior technical advisor at the Cybersecurity and Infrastructure Security Agency, championing the secure by design movement. But he's not just about defending the digital fortress. He's also here to bust some myths. Today he's leading the charge against outdated zombie cybersecurity advice as the founder of Hacklore.org. He's a true veteran of the cyber wars and a leading voice in making tech safer for all of us. Please join me in welcoming Bob Lord.

SPEAKER_00

Welcome to the Risk Apogee, where we cut through the noise to get to the truth about risk. Cyber, physical, human. Every organization faces threats. What separates the ones that survive from the ones that don't, is the decisions their leaders make under pressure. Each episode, we go inside the arena with the operators and strategists, shaping how organizations defend, adapt, and lead. This is the Risk Apogee.

SPEAKER_01

Bob Lord, welcome to the Risk Apogee Podcast. Thank you for having me. It's an honor. I appreciate you coming in to have this conversation. The risk landscape, especially as it relates to cybersecurity, has been evolving quite rapidly over the past decade or so. It's an honor to have you in to have this conversation. You're one of the more experienced folks uh on the landscape. I remember when we first met. Uh you were at the time the uh CISO 4, a very large-scale tech firm, one of the first that I had the opportunity of meeting here in Silicon Valley. Uh and I think your observations uh in terms of the industry might be interesting to our listeners. So I appreciate you coming in. Yeah, looking forward to it. Yeah. So for uh for the handful of folks who probably are unaware of you and your background, tell us a little bit about how you got into the security space.

SPEAKER_02

Well, I don't want to go too far back, but I will share uh just to date myself a little bit that I was the person who connected Anderson Consulting to the Internet back in the day, back when you had to write a two-page business justification to do such an insane thing. Uh, and I really did have to write a two-page business justification for that. Probably more relevant are the experiences I've had both building products uh as well as defending networks. So I was the first security higher rate Twitter, went on to become the chief information security officer at Yahoo. I had enough fun playing with uh the Russians uh which you which you helped with that I decided, well, let me let me do some more of this. Let me uh let me join the Democratic National Committee after the 2016 hacks. So I joined in uh 2018. And so that's where I really started to figure out the level of of safety that we have in the software that we've all come to depend on. And unlike the other companies where I had dozens of people who could go off and fill in the gaps and do all of the things, it was me and a and a couple of uh IT folks trying to figure out how to keep the Russians out a second time. So that's where I became convinced that this was an unfair fight for smaller organizations and that given that most of the enterprises in the United States are small businesses of under 500 people, if you hadn't walked in my shoes, how would you have figured out what to do to keep the bad guys out? And that struck me as not fair. And uh, so I had the great opportunity to join CISA for uh for a few years and was able to kickstart the Secure by Design Initiative there to try to bring a spotlight onto the role that software safety plays in all of our lives.

SPEAKER_01

Yeah, I certainly think that uh folks who have had the benefit of seeing both the enterprise side of the house and the public sector side of the house bring a rather unique perspective to what's happening on the landscape. With that in mind, from your observation, what are s what are some of the things that we're getting right or that the industry is doing right uh as you've seen it evolve over time?

SPEAKER_02

Well, a few things that we're getting right. One is that we are starting to really think about systemic problems and systemic solutions. Sometimes we forget to celebrate our wins. So one of the things that I'll tell you is uh it used to be the case back when I was at Twitter, it was potentially dangerous for you to go to a cafe and look at your Twitter feed or your Facebook feed or uh go shopping online. But we've made so many strides in terms of the technology, the protocols, the browsers, the operating systems, the services, yeah, the Let's Encrypt uh Foundation, like all of those things have contributed to a world in which I don't worry about surfing the web from a cafe, that an evil barista is not gonna get my my data. I think that's something worth celebrating, but sometimes we forget that we can do hard things and that actually we have. So that's one.

SPEAKER_01

Another one Well for you go on, why do you think we don't celebrate those wins or why we don't take time to recognize that we have made advancements?

SPEAKER_02

Well, it's I think it's a human thing. People are drawn to the sensational, the negative. And as soon as I say it's safe for you to for the everyday person to go bank online in a cafe, they'll say, Yes, but somebody could still fish you. So we're always trying to look at the next threat, look at the next problem. But we should say, like, yeah, but you forced them to do those other things. You controlled enough of the landscape that they can't sit in the cafe and and spy on you anymore. And we forced them to retool. Now they've got to do something different. And that's all security really is, is changing the cost to the attacker. And when we do that, we should celebrate.

SPEAKER_01

In terms of this evolution, obviously, we probably couldn't get through this conversation while talking about artificial intelligence and its impact on the industry. What what's your sense of where we're headed with AI, specifically as it relates to cybersecurity? Because I have I have some thoughts about this as well, and I'm interested in your take.

SPEAKER_02

Well, I want to hear your take too, but I'll I'll start and then you can correct me uh since you you you've done a lot of thinking in this space. So AI, like a lot of technologies, is going to make some changes. But the one thing that we keep forgetting in this conversation is that AI is software. And what I see on a regular basis are really great, smart, amazing people who are treating this as something entirely new. Now, granted, there's a lot that is new, right? But at the end of the day, it's software. And if we try to build out new sensibilities for securing AI without having learned the lessons from the past 20, 30 years, it's going to be a rough road. And so the first thing I would offer is we need to start asking ourselves what you just asked me. What have we gotten right before AI and what have we not gotten right? And are those dynamics going to be changing when we move to the world of AI? And the answer is yes.

SPEAKER_01

So would it surprise you that I'm I'm particularly my opinion on that is we don't do a good job in our industry of looking at what we did wrong so that we can recalculate as we're moving forward and build in those lessons learned from mistakes? I think we're we're oftentimes maybe too bullish on just moving forward with this new piece of technology without thinking about how to make it better from past lessons.

SPEAKER_02

That's right. And I think one of the lessons uh and this is a good time for us to take stock of these things. So as we think about agents, we should ask ourselves well, you're going to want to provision the agents to go do certain things and not do other things. How well have we done with humans? Have we gotten to the point where most enterprises, for most people most of the time, that we've implemented truly's privilege, that we don't have problems of users accumulating provisions, uh, you know, capabilities. Have we done a really good job of that? Or do we still see stories of somebody who had privileges above and beyond what they should have? And therefore, when they entered their name and password or downloaded the thing, really bad things started to cascade. And so I think we should be taking taking stock of identity and access management as we just as one example, as we think about pivoting to the world of AI.

SPEAKER_01

Interesting that you bring up IAM because I I have always felt that it is essentially the keys to the kingdom. It's the king, it's the it's the beginning of the solution set. Uh, I think that we maybe don't pay enough attention to. And I wonder the example that you just iterated, if we're thinking hard enough about restricting, sort of in a role-based access um vantage point, how these LLMs or the uh agentic AI is going to be able to go out and do all these wonderful things that we task it with doing. You think is that even a thought at the moment, or are we just talking about like, okay, let's just figure out what they what these things are capable of doing before we start restricting their capabilities?

SPEAKER_02

Yeah, I see a lot of really risky behavior when I talk to friends. I see companies really leaning into the AI technology set, which makes a lot of sense. The capabilities are phenomenal, but then giving it access to your calendar and your mail, and then giving it access to HR databases, giving it access to a lot of other internal systems. That's a necessary part of allowing it to do what you want it to do. And yet, going back to asking pre-AI, how how good are we doing? How good are we doing separating code from data today? And the answer is well, go look at at some of the most common vulnerabilities in the wild today, and we'll see that command injection where is is prevalent, where the the attacker has submitted some data which then gets executed on the computer. So it's it's hard on a good day to do that really well. Right. And now we have this incredible commingling of data and execution in the world of AI. You know, you've probably asked AI to do things and you realize it didn't understand that that was a command, you were just giving it information, or vice versa. And you're like, oh no, no, you misunderstood me. I was I was giving you data so that you could help me. I wasn't asking you to comment just yet. And so because we see this sort of commingling of of data and and code, it's just kind of getting harder in a sense. So how that's gonna play out, I don't know. But uh it that's that's a that's a concern I have, especially as the security officers are being pressured to push this further and further into the rest of their architecture. If they haven't finished their zero trust modifications to date, I I don't know.

SPEAKER_01

Good luck. Oh, great uh good luck, great pivot. Because the my my next question for you uh is around, you know, we've seen, I have in the past decade, uh, a couple of pivot points. And zero trust is a great one to call out. I think that to your point in the conversation that organizations still aren't doing the basics and fundamentals. Zero trust gets you part of the way there. But as you indicated, there are organizations that still aren't, you know, following zero trust principles. So now we're in the age of AI where uh it takes the security paradigm, I think, to the next level. And it's my uh assumption that we're gonna see the security industry begin to evolve in a particular way that now, you know, securing AI uh will be a whole offshoot of the cybersecurity industry, which will evolve over time. I can't tell you the number of companies that um that I see on the landscape that are now just concerned with securing AI or folks in the consulting space that are uh venturing down those lanes. Any thoughts on how we're gonna get to a stasis where folks are using these tools and doing it in a relatively secure fashion?

SPEAKER_02

Yeah, so this is a movie that we've seen play out a bunch of times. And so I can tell you how this movie always ends. So one of the things I think we can do more of is learn from the huge gains in safety that you see in other sectors outside of technology. Right. Planes, trains, automobiles, medical safety, food safety, air and water. There are huge gains that we don't even take stock of those anymore because they're just kind of they're given today. And we should go back and take a look at how that happened. Didn't happen by accident. These were important changes that were controversial at the time. Think about this. So one of my favorite books is Unsafe at Any Speed by Ralph Nader. And the subtitle is The Designed in Dangers of the American Automobile. This book contained the first chapter, it was all about the Corvair. And the Corvair was implicated in what they called a one-car accident where you would just be driving down the road and for a variety of reasons, sometimes gusty winds, like literally gusty winds, your car would just spiral out of control and and flip over, causing catastrophic failure. Back then, catastrophic damage, if assuming that you lived. That's the bad news. The good news is that this was an understood problem. And there were companies that would sell you a solution to reduce the chances of that happening. So you could go buy what's called a camber compensator, which would reduce the amount of drift in and the angle of your wheels as you were either turning tight corners or traveling in gusty winds. So if you happen to know that your new Corvair or Porsche had this particular defect, it's a design defect, you could go to the store, buy a car magazine, and in the back of the car magazine, you would see ads for things like camber compensators. You could send your 1995 check to them, and six to eight weeks later, you'd get a thing in the mail, you'd be able to bolt on, assuming you knew how to do this and had the tools, you could bolt this camber company and survive during that six to eight periods while you were waiting on that to arrive. Exactly. So you bolt it on from some of my research on Reddit. It's not entirely clear that this thing did what it said it did, which is a perfect analogy for the cybersecurity market. And remember, I think of this when I we say cybersecurity, I think that's a conscious diversion when we should be talking about software safety. As soon as we say cybersecurity industry, we have allowed ourselves to forego the benefits of safer software, and uh we have just accepted a world in which we have to literally bolt on technologies to make us less prone to accidents. That's what we did with cars, and we don't do that anymore for a variety of reasons. We're doing that with software, and we've created this clever linguistic trick of calling it the cybersecurity industry to make us forget that the software could be much, much safer than it is today.

SPEAKER_01

So it's interesting how you identify that shift. We essentially have moved the solution to a different part of the chain rather than Which is you rather than going much further left and identifying the origin of the software is really where we probably need to be solving the problem.

SPEAKER_02

We don't make accidents less terrible by hiring more ambulance drivers and buying more ambulances, but that's the equivalent of what we do with software. You just go buy more tools. And so the questions that get raised within the C-suite and then the board is do you have enough money to go buy new tools to slap on to the existing infrastructure, as opposed to retooling your people, processes, and technologies to dramatically reduce the risks.

SPEAKER_01

You you you bring up an outstanding analogy. When I think about car safety, I think about airline safety. You're a heavy traveler like I am. Uh, you know, I think about the number of flights around the world that happen on a daily basis uh without incident. Um, you know, of course we we get hyper focused on the you know the one or two incidents that tend to make the news, and that brings fear in folks. You know, obviously there's life or death situations associated with that. But um I think that those industries, and we talked about this in the pre-conversation, those industries have gotten to where they are because of heavy oversight and regulation that demands from the manufacturers how to build these machines, how to make them safe for constant public use. I think we're a long way away from uh the kind of regulatory environment that may need to exist to really cut at the knees of the cybersecurity challenge.

SPEAKER_02

Yeah, I'm I'm of many minds on this because I do believe we've gotten where we are uh because of the freedom to build new things, to try things out. We of course have had some struggles along the way with software products directly leading to the harms of enterprises and individuals. So that's one of the costs that we haven't fully reckoned with. But you're right. Looking outside the world of software and technology, planes, trains, automobiles, medical safety, food safety, regulation has been a part of those transformations to one in which the harms that are possible for both the customers and the public have been just dramatically reduced to the point where we just don't even we don't even notice it today. We don't take stock of those victories. I don't think we have to wait for regulation, although folks on the uh on the podcast will probably know about the Cyber Resilience Act in EU. So what is coming is a form of regulation that's going to require that organizations who are making products that are being sold in the EU, that they have the they've done some threat modeling, they have to commit to notifying the government when their products have vulnerabilities that are being actively exploited. Some of that is creeping into the conversation. Uh, I was just on a call today uh with some folks around the CRA, and it just it's one of these things that is sneaking up for some folks. And uh if anybody's listening, if you make products that are sold in the EU, you're going to want to understand what the obligations are so you can get out ahead of ahead of that. It's going to be a mad scramble for some organizations, though, I fear.

SPEAKER_01

Yeah. Part of the challenge as I think about sort of the global uh ingestion of the software is that a lot of these uh advancements in software development happen here in the US, which lacks some of the regulatory environment that exists in other places around the world. You bring up the EU, I think is a great example uh of where they've I think they've taken much more of an affirmative, uh scoping hand uh at trying to reduce risk. Are there other examples uh uh around the world where you see actions by either regions or countries that um that seem to be headed, you know, they're they're skating to where the puck's gonna be. They they seem to be moving in the right direction before anyone else.

SPEAKER_02

I think the EU is the one that comes to mind, uh, although I'm happy to have listeners school me on on other places where where this is moving forward. But I also don't think we have to wait for regulation. I do think that there are things that we can do to improve our ability to measure the dangers and then use that to inform our actions. And I'm talking about the software companies. So, for example, there is no law that says if you are selling products in the United States, you have to be a member of the CVE program. The CVE program is the one that collects and stores information about software defects. So there's a standard form that people fill out when they're members. And if you have some sort of software defect, you can fill out the form, report that, and then that gets ingested all over the place. So there are all sorts of tools that will ingest that to help defenders understand of all the things I need to do, which systems do I need to patch today? What is the most severe? So the CVE program is one of the most important programs in the world of software and security. There's no law though that says that just because you're selling products in the US, that you have to be a member. There's nothing to stop you. You can absolutely become a member. You can join the CVE program and do what I think most customers would naively assume that you're doing, which is, oh, there's a system for notifying me if you you you have some reason to believe I may be in danger. Like I think you should, I think you should participate. So over the last uh 10 years or so, uh the number of of companies that have joined this is up uh over it's like 500 or something like that. So we're making good progress, but there's there's still room to grow. And I think very few people who make technology want to do a bad job. They want to do what's right for their customers. They may not necessarily know all of the right things, and so maybe podcasts like this will help them understand that uh that there are opportunities for them to participate in the overall, the overall process.

SPEAKER_01

Yeah. So why I you know I just came off of a stint last year with one of the big cloud service providers in this conversation about regional risk reduction, data uh balkanization, like data sovereignty is a big issue. What are your thoughts on data sovereignty? I always I and I'll tell you preemptively, I always thought it was a little bit of a red herring. Um, but I'd be interested in your thoughts on it.

SPEAKER_02

I don't know that I've thought as deeply about this as as other things. It does seem it does make me wonder what the outcomes are supposed to be and what they'll actually be based on the way that the the overall programs are are moving. But yeah, I I don't really have anything super intentful on that.

SPEAKER_01

There's so much emphasis that's placed on it globally, um, that you know the response of the cloud service providers has been to build data centers in those regions where they think they can generate enough revenue to justify building out those data centers. Um but it just it strikes me as a form of risk reduction. I just don't know if it's gonna achieve the intended result as you just indicated. And and I don't know what calculus has been involved in evaluating that. So um you spent time again in in both enterprise and in the public sector. I think that, you know, part of the conversations I've been having with security stakeholders continuously is this idea that uh folks who are brought up sort of born and bred in the security industry, don't talk business language. And I want to shift to a conversation around the language of risk and risk reduction, uh, which I don't think security practitioners do a very good job at. And in fact, I think there's an overemphasis on knowledge of technical skills and the ability to convey those verbally rather than the language of risk management. Right. How how far have we come as an industry on this on this topic?

SPEAKER_02

I think we've made some good progress. Okay. Uh but I think we have a long way to go. And I think part of the conversation needs to be how can we as security practitioners learn how to speak the language of the business more fluently? But we have so much self-loathing in this industry. I think we we stop we stop there because we think, well, that's true. We we do need to do that. I think the other thing that we need to figure out is how to bring everyone else along for the ride. Because what you don't want is for board members to say, a breach. Why would they want our data? Right. You don't want them to have those kinds of reactions or to say, Are we safe? How many layers of misunderstanding do you have to have in order for you to ask a question like, are we safe? And so how do we bring everybody into the conversation together? I think that's that's a better plan. Um, I I really like this uh this podcast called Heist, which is all about actual physical heists of banks and jewelry stores and and famous pieces of artwork. And what I like about this is it tells the same story that we do in cybersecurity, but it tells it in a way that's non threatening. So I often re recommend this to people say, let's just go listen to this or go watch Oceans 11. Or my favorite one is go watch this movie called Rafifi from the 1950s. It's a French film, you have to watch it with subtitles if you don't speak French, but it is all about an elaborate heist. And there's a segment that's over 20, 25 minutes with no dialogue. And you think, well, that's going to be very boring, but it's it is the heist, and they must remain absolutely quiet because of the kind of alarm that's in this jewelry store. It's absolutely riveting. And the thing is, once you see this and start talking to executives about this, they'll realize, like, oh, this is the same as the cyber thing. Oh, so those guys will spend six months planning before they start execute. Yes, that's exactly right. That's that's how some of the more interesting heists take place. And so bringing that into the conversation in a non-threatening way can be part of that conversation. But I think we need to acknowledge a little bit of self-loathing and figure out how to bridge the gap a little bit more than we have.

SPEAKER_01

Yeah. I I don't think we spend enough time thinking about the amount of effort uh and time and diligence that the adversaries use to actually plan these attacks and then accomplish what it is that they intend to accomplish. I remember as a FBI executive having conversations with folks about this, and I always pause and emphasize the quality of the adversary in terms of just their they are really, really sharp. And I think that um oftentimes we think of it in in a criminal sense. You know, people like to align when you think of criminals, you think of folks who maybe uh aren't the sharpest tools in the shed, or they're maybe they're, you know, they're engaged in their criminal pursuit uh because they don't have anything else uh that they could do. Whereas the cyber adversary, we're talking about folks with major intellect and capabilities who've decided to take their smarts and their uh and their excellent skills and and use them in an adversarial fashion. And I think that's just a whole different paradigm. So you then you have to elevate your sense of what it takes to defend against a very, very intelligent adversary.

SPEAKER_02

Yeah, and humbled many times by the the kinds of uh skills and effort that go into some of these hacks. I mean, there was one at at Twitter, and uh it was just amazing how many things they had to circumvent in order to accomplish their goal. It was and it was just a remarkable feat. So uh it I don't want to say you gotta hand it to them.

SPEAKER_01

But yeah, you do have to marvel at at some of the skill clearly involved in what they do.

SPEAKER_02

And you have to incorporate that into your planning process. And I think to your earlier point, how do we make that revelation clear to senior executives so that when security practitioners come and say, we'd like to talk to you a little bit about managing this risk, that that is viewed as an appropriate response for the way that the attacks really work and trying to avoid the the boom and all of the terrible things that happen right of boom? I I think that there's a lot that we can do to improve there. But I I think we have come. I don't know, what do you think?

SPEAKER_01

Um well, I I'll answer that with a question. Uh only because uh I, you know, I I did go back to school and get an MBA when I w when I was an FBI agent, when I didn't even actually need it. And I'm wondering, do you think that uh security practitioners need to go to a particular training set in order to acquire the skills and verbiage and lexicon necessary to talk business? Or are they expected to just sort of evolve into business enablers uh just organically? I I I mean, I don't know.

SPEAKER_02

What I'd love to do is to do both. What I'd love to do is see training on businesses that that are focused on security people, if we could also do the same thing for the rest of the the C-suite.

SPEAKER_01

Yeah, interesting. Yeah, so so like so like here's we've gotta learn, you've gotta learn.

SPEAKER_02

Yeah, I mean it's we we really have to figure out what are the metaphors that will work, what are the the mental models that really describe the world because people often walk around with the wrong mental model. And so in the middle of an incident or or or a potential incident, it is so easy for people to be very confused because they have the wrong mental model. So here's here's the here's the idea I had. I I didn't actually uh go through this, but I was thinking about doing this for as a consulting thing. Nobody has time to spend eight hours learning all the cybers. No executive has eight hours they can just blow on that. But also it wouldn't even work if they did. It would be like saying, I'm gonna exercise for five days straight, 24 hours, and I'll be good for the rest of the year. That's not how bodies work. And so the idea would be to have uh a weekly vitamin, a security vitamin. And so you would say, 15 minutes. Everybody has 15 minutes. I'm gonna spend 15 minutes a week with you, and I'm gonna give you a concept, and I'm gonna do this every week, and I'm gonna let your unconscious mind start to see the patterns in your daily life when you're in meetings, when you're hearing something from the security team, when somebody from this other team says, I want to go do this thing, you're going to have a different mental model, but it has to be built up over time. It can't be the sort of thing. Oh, has trademarked that.

SPEAKER_01

So once you're gonna see something called the security vitamin, uh jump up uh up on a landscape. I I I've got the domain. So if somebody wants to partner with me, let me know. Oh, very cool. In terms of um, I call you Mr. Mr. Secure by Design. I think that um that's been part of your persona for some time now. What's secure by design mean?

SPEAKER_02

So secure by design, uh it's really a reference to software. So I try to use it as an adject adjective. So secure by design software. And it's the idea that we need to shift the balance and the burden of using staying cyber safe away from the operators of software back to the manufacturer, just like we have with other sectors, planes, trains, automobiles, medical safety, all that stuff. And so it really is an acknowledgement that although we don't know how to make software that's perfectly secure, we absolutely know how to make software that's much more secure than it is today. And if we can have a more fulsome conversation about that shift of the balance, that's that's what this is about. And we start with our narrative today. We there's four Vs. I want to tell you about four Vs. Let's do it. Two words that the four words that start with the letter V. The first are the villains. In this industry, we sudden, we tend to celebrate the the bad guys. We give them fancy names. Fancy bears, fancy bear. Uh we give them cool names, we give them huge avatars of the trade shows. We marvel at their ability to overcome all sorts of challenges. And then we turn around and we shame the victims for not having overcome all of the things that the bad guys, the villains, can do. But what we need to do is move the conversation to the vendors who create the software that is not only possible to hack, but really where those kinds of intrusions are almost guaranteed. They're almost inevitable. And then the fourth V is we need to really give the spotlight back to the visionaries who have been telling us for decades how we can make software safer without really listening to them. So there are plenty of folks who have been really good at explaining what we need to do, and we really just need to listen to them.

SPEAKER_01

In my decade plus now of being immersed in the technology space, I feel like even just in that short period of time, we go through these phases where there's an overemphasis on one particular aspect of securing environments. I know we have we talked about zero trust as one of those. I think I I liken secure by design in a similar fashion. Is this something that is gonna stick? Or is this just another phase of something to overemphasize and then we move on to the next shiny object when that happens?

SPEAKER_02

Well, again, looking to other other sectors. So the idea of quality by design was uh pioneered by people like Joseph Tran, who worked in the post-World War II era to help the Japanese reconstruction efforts. And the idea around thinking deeply about the root causes of product defects became a whole thing. In fact, he uh turned into total quality management and ISO 9000, all sorts of other offshoots where you can get certified in in these things, but we we haven't done that yet in software. So you see this in other sectors. We haven't yet seen it in software. So I don't think that it is something that is just another buzzword for the day. I I do believe it's a it's just a core principle. The question is when are we going to fully embrace this? That's that's the only question. I'm convinced we will, but I'm hoping to push the uh the industry forward.

SPEAKER_01

It's almost like you're calling for a renaissance of sorts, right?

SPEAKER_02

Sort of, yeah.

SPEAKER_01

Yeah. Are there other examples uh though in the technology space where we've had that sort of light bulb go off and we and we recognize that we need to be doing business a different way?

SPEAKER_02

So there are obviously companies and open source maintainers who have been doing this for a long time. So it's it's not like we have to invent new things. There may be some things we have to invent along the way, but what we need to do again is take a look around and say, where are there places where we don't see these chronic security vulnerabilities? There was uh people may be interested in this, they probably don't know because almost nobody knows. MITRE wrote a paper in 2007 called Unforgivable Vulnerabilities. And in that paper, they described a series of tests to determine if a particular class of coding error is forgivable or unforgivable. And if you take a look at that list and you compare that against MITRE's 2025 list of the most dangerous weaknesses, you'll find that most of them are still there, all these years later. It's interesting. And so, and the reason that they called it unforgivable is because in 2007, the mitigations for those classes of coding error were widely understood and freely available. And yet the MITRE people said, why do we keep seeing these things if it's if it's relatively straightforward to never have them happen? Right. And here we are going on 20 years later, and they're still here. And so that's back to what I said before is we don't know how to make perfectly secure software, but we do know how to make software that's much, much safer than it is today. One thing that companies can do is who are making software, they can think about identifying these recurring classes of coding error and work to eliminate not just an individual vulnerability when it's declared to them, when it's when it's provided to them, but go back and say, how about we never have cross-site scripting before? Some companies have not had cross-site scripting vulnerabilities for a decade or more. In fact, Google wrote a paper called their secure by design paper. And strangely, if you go Google Google Secure by Design, you'd think you'd get a bunch of gibberish, but you actually get the paper as one of the top hits. That paper describes how they went through and reorganized the internal factory to build products where the software developers were empowered to do the things they needed to do, but without being given tools that were going to be sharp edges for the customer downstream.

SPEAKER_01

Can AI play a role in better coding, perhaps?

SPEAKER_02

Absolutely. Absolutely. So I think in the on the you didn't ask me about the bad guys, because of course the villains are going to use it to take a look at the tools and do some more advanced work. But there are already people doing things like uh, and there are companies offering these services, like doing threat modeling, for example. You know you're supposed to do a threat model. How often do the software companies do a threat model? Is it the beginning of the phase of the design and then they just kind of forget about it? Or do they do it continuously? Well, it's hard to do it continuously, but you know what a computer is good at doing? Doing it continuously. So imagine a world in which you have every time there's a change happening in your code base, it's compared against the threat model. So not only does this code work, not only does this have a particular class of vulnerability that it should not, but does this somehow defy the threat model or should the threat model be changing and evolving based on that? And evolving based on this. And this is the sort of thing that if you had a senior architect sit there and if you didn't give them other work, which of course is absurd, they would be able to intuit these things, but they don't have that time. And it's also very difficult for them to see every line of code. But an AI uh agent could do something like that.

SPEAKER_01

Yeah. Much much of my bullish nature about AI is around the time challenge that you just identified. Uh I I'm a believer that as this technology evolves, that it will help compress um the time involved in solutioning challenges uh in the cybersecurity space. Yeah. I don't know if that's going to come to fruition, but all indications are is that that's the direction that we're headed in. Any thoughts on that?

SPEAKER_02

Yeah, I I hope so. I do worry about the bad guys because they they seem to be doing a lot of really interesting work in in AI. But they get to fail fast. That's why absolutely. It's very, very well said. So but imagine the opportunity. So when I talk to people, I say, oh let's talk about secure by design. They say, Oh, but the cost. Okay, first of all, the cost to whom? That's the cost to you, the company. What about the cost to the to the customer? What about the cost when your product is implicated as is used as part of the attack path? Is that part of the cost calculus? And the answer is usually no. But imagine that you said, okay, I would do it if it were if it were cheaper. Great, assuming that's a good faith argument. What if you could use the AI to do things like take a look at my entire code base, think like a hacker, which libraries are most likely going to be part of an attack path? And so you say, like, I can't rewrite all of my code, that's in C and C. I can't write write all of that in Rust. What if you found the most scary 0.1%? Could you then do that? And you wouldn't even have to have the computer rewrite it for you because we don't know how to do that just yet. But what if you just had a human take a look at a couple of very scary libraries and then port those to a memory-safe language? That's just one example. But prioritization is something that it's very, very good at doing.

SPEAKER_01

And you have me thinking that makes me even more bullish. I think that AI might very well revolutionize the risk management space because the challenge around identifying probability, times impact, and then the prioritization piece. I think AI could play a significant role in perfecting that or at least moving towards some idea of perfection.

SPEAKER_02

So I so I'm of two minds with with Secure by Design software. I try to spend more time thinking about the great things that it can do. Uh, I don't have a lot of control over the bad things that it can do, right? So I spend my my energies trying to get people to think about things that they have never done before. Like how about continuous threat modeling, like literally seven uh by 24. Not possible with humans. It is possible with AI. It's not possible through other mechanisms. Maybe we could do that. How about finding the worst, scariest parts of the code base? That's something that would probably surprise people. If you take a look at it and you say, I really thought it would have been this other thing. But now that you mention it, AI, this part of the code actually is much scarier, isn't it? And so figuring out how to change those dynamics and the prioritization is something that I think could dramatically improve the safety of software.

SPEAKER_01

Oftentimes I think risk evaluators uh forget the people portion uh of risk management. Uh any thoughts on how we're doing in terms of developing our people, both from a competency standpoint, but also a big component for my team and I at apogee is around leadership development. Any thoughts about what you're seeing uh in the industry and whether or not we're appropriately investing in that?

SPEAKER_02

Yeah. So a few things come to mind. And and when we think about security incidents, we often blame the people and we talk about human error being the primary cause of security incidents. And again, taking a look at the world outside of software, that's I don't want to say it's settled science, but it's pretty close to settled science. That is, that human error is only a label you give to the beginning of an investigation. It's never the conclusion. So what we need to do is go back and figure out how do we think about the role that humans play, but more importantly, what is the role of the systems around them? How have we built a system? How we built a cockpit so that you're not likely to grab the wrong control when you're in a certain stressful situation. Those are the kinds of conversations we need to shift towards. Again, looking outside the world of software, you can go read plenty of books. I can send you a link, you can drop that in the show notes, plenty of really easy to read books that describe how other other sectors solve this problem. So I think getting human element out of the blame cycle, I think that's that's a big part of it. In terms of empowering people, that is, it's going to be an interesting challenge. Uh we have not done a great job of getting entry-level people into the sector. If you've seen all the job postings I have, and they all ask for a bajillion years of experience on cloud and desktop and a bunch of other things. So in terms of that pipeline, I think there's there's a lot of room for improvement.

SPEAKER_01

I I have a take on that that might be a little bit um unsettling to folks. I think we've worked our way out of entry-level positions uh in cybersecurity. And I don't think they're ever going to return. I I just think that the industry is evolving in such a way that entry-level positions essentially won't exist. And especially now that there is a way to address uh rapid iteration uh of uh attacking issues that heretofore would maybe require an individual to sit down and spend hours upon hours uh, you know, assembling information. You know, the GRC space comes to mind uh for me, which is often thought of as a great entry-level position, you know, now with LLMs like Claude and Gemini and otherwise, you can pull together documents, policy, and otherwise in like a split second. And I just think it's gonna move the industry towards um changing what it looks like to really jump into cybersecurity and ascend in the industry.

SPEAKER_02

Right. I was talking to a lawyer who said, you know, I came up through the ranks that meant that I was forced to sit in uh these conference rooms with huge boxes of of documents, and I'd have to go through them all looking for something that might maybe someday kind of be relevant to the case that I'm working on. And, you know, pulling all nighters and maybe finding one little fragment that you could use in your in your filing and in court. She said, Is that really the best way to learn the law? That's just not what humans are really good at. And uh that's what she had to do, and she's looking forward to the next generation not having to do that, but actually to dig into the meatier things right off the bat, right?

SPEAKER_01

No, I I think that uh that's an example of industries I think that will be highly disrupted by now this ability to summarize large reams of information and actually extract value and data from it and then move forward in some kind of workflow. Let's switch gears a little bit so folks can find out a little bit about uh uh about Bob Lord. Is there a book, film, or uh piece of art that's had an outsize influence on you?

SPEAKER_02

Well, I mentioned uh I mentioned unsafe at any speed. Yeah. You have to get those on eBay and they don't make it anymore. Okay. So that's that's one. The other book is much more about secure software. Um I normally don't recommend things that are about software, but but uh but Geekonomics by David Rice is a very clear description of all of the problems that we have, all of the incentives that give rise to the world of unsafe software today. If you go look for it, you'll find uh the it's the 2007 or 2008 version of the book. Don't worry, that's the latest version. His examples are stale, but the underlying problems still exist. So I I highly recommend that. Uh, I mentioned the movie Rafifi for understanding how heist movies. Heist movies are are just a brilliant way to help other people understand the things that we do every day without the creating the fear, triggering the fear about like the the bits and the bytes and and feeling overwhelmed. Like everybody loves a good heist movie. It turns out they have a lot more to teach us than we would think.

SPEAKER_01

What's a uh what's a skill that you have that has nothing to do with the technology space?

SPEAKER_02

That's well, okay. So uh I'm a I'm a certified clinical hypnotherapist. So a bunch of years ago, as a skeptic, I thought I'm just gonna go debunk this thing and I'm gonna take some classes. And I was blown away by the things that happened in the class, so I continued to to take more classes and then I got certified. So uh in a few uh in a couple months, uh I have to go to the annual convention so I can get my continuing education credits. So if I get really sick of all of this uh this stuff, I can go help people uh stop smoking and overcome their fear of flying.

SPEAKER_01

Uh that's amazing. If you could have dinner with one individual living or dead, who would that be?

SPEAKER_02

I I I think it would probably be Ralph Nader. I have sent him a few emails. He's still around and he still has a blog, but he hasn't responded to it. Ralph, if you're listening. I would love to have dinner with you. If I will fly, I will pay. Uh for the dinner, we can be it can be uh uh it can be a burger, it could be a fancy dinner, I will pay.

SPEAKER_01

All right. Outstanding. Bob Lord, you are outstanding. Uh I I appreciate uh having a you know collegial acquaintance with you and have watched your uh your career, and I think that uh your experiences are uh exceptional, uh which is why I asked you to sit down. I appreciate you agreeing to sit down and have this conversation with me. What what's something that you're working on right now that you want folks to know about and how can they find information about?

SPEAKER_02

So okay, one fun thing we have we haven't talked about is this hack lore project that I did. So I stood up this website called hacklore.org. It's a combination of hacking and folklore. And the idea is that often see people engaging in behaviors that are not really going to be effective against the way the bad guys really work. And so we've all heard these warnings to not use public Wi-Fi. We've all heard the warnings to not plug in your phone at the airport to get USB uh power. These are things that, if they were ever true, they they haven't been true for a while. And so I put up this Hacklure.org website to push back against these common bits of advice that don't actually help people stay safe. And we replace it with some advice that does stay safe. I asked uh a couple of friends if they would co-sign, they said yes, and and then all of a sudden I have a hundred uh signatures of my heroes, my literal heroes said that they would co-sign. So if you don't like my uh my word for it, hey, take one of theirs. Uh so that's they should they should take your word for it, but it's great that's a side request. It's been a lot of fun. And so if people want to join the mailing list, please sign up. That's cool. It's been a great conversation. Thanks for coming.

SPEAKER_01

Appreciate you. Thank you. Okay. That's it for this episode of uh the Risk Apogee, and we'll see you guys out on the landscape. Thanks, Bob. Thank you.

SPEAKER_00

Thanks for being here on the Risk Apogee. Every episode, we dig into what it actually takes to lead through risk. And that's the same work we do every day at Apogee Global RMS. Cybersecurity, physical security, organizational resilience, talent strategy, one integrated approach built around your people, not just your platforms. Are you ready to move from reactive to resilient? Visit apogeeglobal rms.io and sign up for a risk free consultation with our team of advisors.