HACKING, INFOSEC & CYBER INSURANCE

Robert Hansen

And you more or less became their Chief Information Security Officer. You didn't have that specific title but...

Jeremiah Grossman

I didn't have a title. I think I worked for the head of engineering at that time, the head of product or something like that. There was no CISO at the time. There was just the start of the security team.

I think my direct report at the time, it was a long time ago now, his title was the Paranoid Yahoo. For those that know, Yahoo, they know the security team is called the Paranoids. I predated that entire team. So that's what the job was to hack everything inside.

Robert Hansen

I was asked this question the other day and I'd love to ask you. You have the distinction of building the single largest private hacker army on the planet, which we'll get to in a bit. I want to spend a lot of time on that. But I think you are probably best of anyone that I know, to answer this question. What does it take to be a good hacker? What are the attributes do you think it takes?

Jeremiah Grossman

I don't know about anybody else, I just know for me. One is insatiable curiosity. How does all this work, is one. How can all this be made to work differently other than what was intended? To do the most monotonous and tedious tasks, pour over source code and white papers that are all wrong and read all the books.

Learn the things about a tech that no one else would ever take the time to learn. And most of it, you'll never use. Most of it will never matter, but you're just looking for that one gem.

I think when it comes down to is the grind. I'm going to hack this system. I'm not going to stop until this thing breaks. And sooner or later because we know security is not perfect, I'm not going to stop till I break it. That tenacity is probably is what it is.

Robert Hansen

I think a lot of people want the quick win. They want to be able to jump in and know the one thing it takes to hack and that's supposed to be what hacking is. But it's so much more complicated.

Jeremiah Grossman

Yeah, I've spent hours on hacks, days, weeks. I have sometimes spent years until it comes. I'm not going to stop. I'm going to break it. It will curse me forever. It will haunt my dreams until I break it and it will fall.

Robert Hansen

I have a similar feeling. If I know something's breakable, I might sit on it for months or years even until I'm like, "I get it now." Something pops in my head and I'm like, "Okay, I finally got it. I know how to do it now."

Jeremiah Grossman

It's like a riddle. You're not sure if there's an answer to the riddle.

Robert Hansen

And there might not be. You might just be banging your head on something that will never break.

Jeremiah Grossman

There's a name, David Litchfield, which you know. He said something to me a long time back. He goes, "The first time hacking something is hard. The second time is easy." Because it everybody knows how; everybody does the technique. It's really hard finding that first exploit, that first attack technique.

Robert Hansen

How do you think the average person gets into InfoSec these days? We have a very weird path, I think. But what do you think the average group of people coming up in the industry today, what do you feel like their experience is like?

Jeremiah Grossman

I'm almost jealous in a way. I go to a lot of conferences, talk to a lot of 20-somethings that are just out of school. I think a lot of them now are coming in straight out of Comp Sci. They took a minor or a major in information security and they studied it.

We had to explore it our time because there wasn't school for what we did. I looked at their material and their curriculum. It was really fascinating. I've never studied their curriculum so I got their textbooks and I looked at their curriculum. And it's littered with our white papers and stuff that we did.

Robert Hansen

I've run across it a couple of times. We'll go through school and their moms get in contact, like, "My daughter is learning something you wrote."

Jeremiah Grossman

It's really cool. But I think they have an unfair advantage. They have a structured. I guess it's good and bad. They get into it formally.

Robert Hansen

I used to say that I think it was like a mix. Some people got hacked and that's how they got in. They were like, "Oh, my God, I never want that to happen again." Some people were in it for the passion. They maybe saw a movie or something and just said, "That's cool. That's what I want to do."

Nowadays, I think it's just a career choice. It's no different than being a plumber or a lawyer. It's like, "They make good money. That's what I want to do.

Jeremiah Grossman

I think other people are conscripted, perhaps, against their will at a company. Like, "Can you help out on this security problem?" Or can you solve that issue, which may or may not be a security problem? Then all of a sudden, security chose them. They didn't know what they're getting into. I've seen a ton of that.

Robert Hansen

If you were to say to some young person who's coming up, like how would you get into security? What would you go learn? How would you start? Because I think a lot of people want to know. They're desperate to know.

Jeremiah Grossman

I get that question all the time. And the first thing I ask them is if they know how to code. If they do, great. Then there's probably a role for you somewhere. It's not always a popular opinion in InfoSec, but before you get into InfoSec, I highly recommend that everybody learn to code first.

Maybe you don't need to be a professional programmer, but learn the code first. Because it's going to give you, one, a deeper insight and understanding what we do and how the tech works. But also an unfair advantage against all your peers that you're going to be communicating with.

Because this world was made out of software. What works in securing, more than anything, is software. I think what's really hard, depending on the role is, how do you secure something that you don't truly understand or know how to build?

So when people want to get in, I go, "Learn to code first and then you have a choice. You can go down professional programming, software engineering. You could do that and then pivot to security or go right into security." But it gives you a lot more options than you would otherwise.

Robert Hansen

I like that answer. My answer is typically something along the lines of, go to build a website and build a sign-in flow, a forgot password flow, a send a friend flow, registration, search functionality, something. Maybe a shopping cart or something. Build it all from scratch, including the web server, get it all up and running. So SSL, TLS, the whole thing.

Then invite all of your friends and say, "No one can hack this, it's impenetrable." You'll very quickly get a very rough, but very important instructive experience on how to secure things. And if you know that that's coming, you're really going to do your job.

You're like, "Oh, geez, I know that the database is not secure. I don't have a firewall." You're going to start putting as many things as you can think of in a way you possibly can.

Jeremiah Grossman

And you're going to get hacked by the thing you didn't know you could get hacked by.

Robert Hansen

That's exactly where you start learning. You know it's coming. That's the dread that gets you up at night. But that's true of anyone who is on the Blue Team defense side. Anybody on the blue team side, they know it's coming.

Jeremiah Grossman

They've been they feel it and they live it every day. That Blue Team job is very hard. I never wanted that job because it's that hard. You know you're going to make that one mistake or someone on your team is going to make that one mistake and it's going to be an awful day or an awful week.

Robert Hansen

I mean, I've done both. One of the interview questions that I used to use quite often is, "Tell me about a time you got hacked." And if someone says, "I've never been hacked," they're out immediately. Because it's like, well, then you have no experience in what happens.

And, of course, everyone has been hacked. Everyone has had their email compromised, or had their credit card stolen or something. If you can't even be imaginative enough to remember that, you're probably not right for this job.

Jeremiah Grossman

It happens to everybody and leaves some scars, gives you some lessons.

Robert Hansen

I think, in a way, that should give people some comfort. It's such a common thing to happen that please don't be upset if it happens to you. Don't take it personally. Do you best.

Jeremiah Grossman

That's why in InfoSec we teach you that you're going to get hacked. Did you make the situation survivable? That's how you know you did your job. Did the company survive? Were the losses not too great? Did you keep your job? Then it was survivable and it's okay. Go back to work.

Robert Hansen

You have an interesting distinction in my mind of being the most innovative security person, not just a researcher, in general, in the entire industry. It's one of the reasons why I think...

Jeremiah Grossman

It's hard to live up to it.

Robert Hansen

Sure is. It's one of the reasons why I've gravitated towards you all these years. It's not just that you've got a work good work ethic, it's your ideas are genuinely interesting and unique and forward-thinking. Even I read a file early on of not believing how innovative you actually were.

I want to spend a little time talking about at least three different areas where I noticed that everybody, including myself, in the first case was way behind you. I knew that web application security was a thing. Obviously, it was the thing I was interested in. That's how we met was through web security. Web application security, like browsers and web applications for those who are listening.

But one of the things that you realized was it was all going to be turned into Software as a Service. I knew that that was a model, but I always felt it was a cheap, inferior, low-rent version of what I was doing, which was professional penetration testing — breaking into companies and showing what's wrong and finding these esoteric bugs — that would have been impossible for anything automated, defined.

I remember sitting in a conference one time listening to you speak, and I was just visiting. I didn't necessarily think I'd learn anything. I'm just here to support you as friends do. And you said something like, "What you guys don't understand is, one of these days, you're all going to be working for me."

I'm looking around the room and I'm like, "Yeah, you all will be." Then, sure enough, a couple of years later, I was working for you. I mean, I can speak from my personal experience, but I'd be curious to hear your take on it first. Why do you think the industry was so behind on Software as a Service model for dynamic web application security scanning and network scanning?

Jeremiah Grossman

It's all different kinds of possible answers. We could probably debate it, but I think one is that they didn't truly understand the problem of security, what we were trying to solve. Their understanding the problem lent itself to their solution; the high-end, one-off penetration test.

I'll give you two answers to this. One is let's say I have a software-as-a-service model and I'm going to try to scale across the industry. I'll sacrifice something on quality, but I'll argue it, but you'll be better. Let's just say that. They go, "Okay."

So I got into this discussion once with another Red Teamer. He goes, "My team of whatever is better than you guys." I go, "Sure. Let's say we tested a website, five websites, 10 websites, I'll use my team, you use yours. I'll grant you on any given day, you're going to probably find a little bit more and better vulnerabilities that we would."

"Next time, let's do it on 100,000 websites in the same time constraints. Let's do it in a week on 100,000 websites. You use your team of five, I'll use my army. Who's going to do better? Clearly, I'm going to find a lot more and a lot better bones in 100,000 websites"

Robert Hansen

And then keep doing it.

Jeremiah Grossman

And then keep doing it. So web security came to scale. You're going to be better on 10, I'm going to be better on 100,000 and a million. By the way, how big is the web again? So I was just solving a different problem. I'm trying to do web security. You're trying to do web security for one particular company. That was the difference.

So understanding that problem. I need to find all vulnerabilities in all websites at all times. The constraints are the technology is substandard, which means it's never going to find, in a purely automated basis, all these things. We're going to need a symbiotic relationship between people, process, and technology.

The technology is going to be not perfect so we need people. Where do the people come from and who gets to hire them? It's either going to be the customer, the enterprise, or the vendor. So someone's got to hire, train, and retain the best talent in the world to do this.

I get a lot of grief from the industry or even VCs that would say, "Well, if you add humans to your model, it won't scale." And I'll go, "Well, I think I can do it, but I know if you just give a tool to the customer, they can't scale because they can't hire it either." So the winning solution would be who can hire, train, and retain the best talent in the world? And I think it lends itself to my model.

Hence, the Software as a Service model took hold. I had technology that can scale and hack any number of websites on the web. I had assembly-line process and made assembly-line hacking and all the people that went through it. All of a sudden, that was the winning model.

Robert Hansen

I think my answer is very simple. I truly didn't understand the economics of, at that time, what it would take to solve this problem for everyone. I was looking at any given website, thinking about the nuances of how websites were built. And I'm like, I just don't see a way you're ever going to beat me. Like, never. I mean, unless I'm drunk or half asleep or something, I'm just going to crush you.

But when you try to scale me out and run that same test tomorrow, and then the next day, and then the next day, I'm going to get extremely bored, all kinds of errors are going to start creeping in. I'm just going to be totally uninterested in doing that. I'm never going to do well the second time, or 50th time, or 1,000th time for God's sakes.

Now you scale that out to 1000s of websites and I literally can't. Even if I wanted to, I can't. And I could never hire enough people to manage that. It's just not possible.

Jeremiah Grossman

So the customer comes to you and says, "Hey, I've got 10 websites. Can you assess them?" You're like, "Sure." My fun project, get it done. Let's say a different customer comes and goes, "I have 10,000 and I need them done weekly." I have the only answer.

That's what I was solving. That's what was different. And that business context is what my peers just didn't have at the time. They weren't trying to run a company in solving web security. They were solving something else.

Robert Hansen

Another one that I think people couldn't wrap their heads around initially was internet port scanning. You and I managed to build something together that the industry just seemed to not be able to grok that we had just completely gotten rid of the idea of firewalls almost entirely.

For those in the audience listening, basically, I can run JavaScript on let's say Jeremiah's browser and he's behind the corporate firewall. If that piece of JavaScript can make his browser do things inside the network, effectively, what's the difference between him being inside the network and meeting inside the network? So, you and I, but you actually wrote the code to do this, I think so.

Jeremiah Grossman

The way I remember the history is you have the concept and I was like, "Yeah, I think that technically could work." I think I knew more about JavaScript in that context to actually make it work. How do I detect this on the backside of the connections that are made?

And because I'd been doing web development for at least a decade by then, I was like, I knew what JavaScript could do. So I prototyped the first version of it using her idea.

Robert Hansen

But why do you think the industry, almost to this day, still thinks that firewalls are the answer? I think that people are moving away from that a little bit now with the concept of Zero Trust security, or cloud. But you still have people on desktops sitting behind corporate firewalls.

How is it that we're whatever it's been 15 years later, and people still haven't gotten the hint that firewalls don't do what they think they do?

Jeremiah Grossman

I don't think most people know how networks work in general, how networking works? I think that's a big one. The other one is, I think it's also willful ignorance, meaning firewalls have been around since... there wasn't InfoSec before the firewall. I don't think so.

So how do people get rid of the most quintessential security solution out there, the firewall?  It's been 30 years. They've been shown that they really don't work? I mean, does every company get hacked? Yeah. They all have firewalls, right? So what are they actually doing?

I think there's a lot of money flowing through firewalls and no one wants to give it up. No one wants to say they don't work. I think the InfoSec has a lot of baggage. Antivirus were the same way. All those signatures, no one wanted to get rid of them until AI and machine learning came out.

Robert Hansen

Okay, ransomware. That's another one where I was watching the industry. And very few people understood how bad this was, and how lucrative a business model it was becoming. You were, if not one of the very first, very quick to follow and say, "This is real, guys. This is a real business model. There's a business here for the adversaries, and it's going to hit us like a ton of bricks."

Why was the industry so slow to pick up on that?

Jeremiah Grossman

One of the skill sets I've had for a while is to be able to tell where the world is moving, like where the future is. I always terrible at timing. I knew I was right, but I didn't know when I was going to be right. I couldn't tell the speed of the world. I would overestimate the speed of the world. The world moves much slower than I usually get it credit for.

I left the White Hat in about 2015-2016 timeframe. Ans I read a ton. I read all the statistics reports from industry experts and different things like that. I came across this one stat from the NCSBI crime statistics where people report crimes to the FBI. And this little thing called ransomware; everybody knew ransomware was a possibility for years.

It certainly wasn't the first one, but it was a timing that was coming up. There were some missing parts of the business model from the adversary where they couldn't monetize it, one of which there was no cryptocurrency. Bitcoin wasn't a thing so you really couldn't monetize it in an easy way.

All sudden, there was an FBI crime report from 2015 that said ransomware tripled in one year. And Bitcoin was there and they were using Bitcoins for it. I was like, "It's time." Somebody is figuring it out.

So when I left White Hat, I immediately went over to SentinelOne who was doing endpoint security. They needed me for some other things. I'm like, "You're going to be necessary to stop this ransomware thing that's coming. I know it's coming. It's not going to be this year, it might not be next year, but it's going to happen."

So I started working with them on it. When we started, the numbers were climbing a lot. It was going to blindside everybody. I knew it was going to hit banking systems, healthcare industries, the industries that everybody would have their morals and go like, "No one should ever go after those."

I was like, "Those are exactly the ones the adversary is going to go after." So I started studying on kidnapping and ransom insurance. Those security models, how could they be reapplied to tech? I was studying those a lot.

Then I designed a ransomware warranty for SentinelOne that said, "Use the product as designed and we will cover the losses if you still get hit by ransomware." It was the first of its kind and everybody thought we were crazy.

But I knew we were right. I knew the stats. We had insured on the back end. All of a sudden, I'm in Ireland one day, and WannaCry hit. I'm onstage talking about ransomware warning everybody. All of a sudden, the health network across the UK went down. I'm like, " I gotta finish up this talk and I get in front of my computer like now.

So my timing was getting better. But that's really how. I was just following the stats.

Robert Hansen

Since you mentioned it, cyber insurance and warranties, that's another one that you were way ahead of everybody else. And even to this day, I still hear naysayers, talking about it as if it's not actually eating our industry. How did you get in front of that? And why are people still so hesitant about that one?

Jeremiah Grossman

I'll get back to why I think it's necessary. But the naysayers, when you really ask them, they don't want it to be true. If you press them on it, they know I'm right. They just don't want it to be true.

The way I go about it is like, "Does your security solution, whatever it is, work?" They go, "Yes, of course." "Like, "Statistically, do you know how well it works numerically, when it works, and when it doesn't work?" "Yeah, of course." "Great. Then you can warranty it."

Like when Sony does a warranty on a TV, they know it's failure and they give you a warranty on it when you buy it. For whatever reason, InfoSec doesn't do it. I said we can do it and we should do it because our interest must be in line with our customers.

Right now, in most of InfoSec land, you buy a product from a company. It doesn't work and the company security vendor effectively goes, "Sucks to be you. Sorry." That's just not good enough when an industry as important as ours is spending $150 billion a year.

So, for me, it was personal. So I'm running White Hat, assessing websites for a living. We're the best at what we do and I know it. Everybody knows it. But our competitors were able to lie and lie convincingly to the customer saying that they're every bit as good as what we do at half the price. And it's really hard to prove otherwise.

There was nothing I could build, say, or do that could counteract such a convincing mind until I say, "Let's bet on it."

Robert Hansen

They may not even have known that they were lying possibly.

Jeremiah Grossman

It's quite possible. But I knew they were wrong. I knew their solutions were substandard. I knew the stats very well. So I work with our customers, I work with the carriers. And I said look, "You fix the vulnerabilities that we find. And if you still get hacked by something we missed and should have found, we'll cover the losses."

I had a decade’s worth of data on 1,000 companies to go to the carriers and go, "Can you insure me against this risk?" And they said, "Absolutely." All of a sudden, it was the first time a warranty came to the market where we know we're good and we'll be right with you during the cost of yoodo.

I knew the whole industry had to do it. I think you and I helped design warranties for a dozen companies. I'll certainly be doing more of them.

Robert Hansen

And in cyber insurance, that's another one.

Jeremiah Grossman

Cyber insurance. Well, this one was much simpler. I was talking with a lot of CISOs. I saw the survey data where one of the questions was, "What do you think is the likelihood that your company will get breached in the next year?" And like 75% of everybody said highly likely they're going to get breached in the given year.

No matter what they do or buy, they believe they're going to get breached. I'm thinking about this. And this is Blackhat, heads of security, they're spending all this time, clearly smart people. And no matter what they do, they believe they're going to get hacked.

Well, they're not going to sit flat-footed. They're going to do something. If they can't prevent the breach, they're going to try to prevent the loss because the businesses want to do the loss. That was one.

It's like, if they can't prevent the breach or prevent the loss, how do you do that? Insurance companies. Now, how do you prevent the breach? Well, InfoSec doesn't have the right data, but the carriers do.

The carriers, at some point, are going to see enough claims data where they're going to tell InfoSec what to do. It just hit me like a lightning bolt. InfoSec doesn't have the right data and it doesn't make anything any better. But the carriers will.

So customers are going to buy insurance, carriers are going to keep claims data, claims data is going to lead to us making better choices. That's the way this world is going to work.

I brought that concept to Blackhat in 2016, or something like that. Everybody hated that idea because everybody hates insurance. I hate insurance too. The world doesn't care what I like, the world doesn't care what I hate. I'm pretty sure it's going to go this way. Everybody hated it, but no one could tell me why it was wrong.

Robert Hansen

I don't think you were wrong, I think you're absolutely right. And it's weird to hate insurance. It's like hating vehicle insurance or whatever. They're just telling you which cars are going to kill you. Like, if you have a very top-heavy car, you're going to die.

Jeremiah Grossman

People hate insurance companies so they don't want to bet on insurance companies doing well. They don't want insurance companies to be in our InfoSec world. I get it but it's gotta happen.

Robert Hansen

I get it too. But for normal, like health insurance, they want you to be healthy because they make more money. So they want you to not get hacked because they make more money.

It seems like the incentives are somewhat aligned in that way. If you do treat them more as your partner and less as your adversary, I think that's actually a good thing. Not a bad thing.

Jeremiah Grossman

Unfortunately, I think that friction is going to go up because the carriers are still five years off from being truly smart with their data. But they're going to start having the best data to tell InfoSec what to do and when because they're going to have the best data in the business.

We've talked about this before. One can seem intelligent if only they have access to valuable data that no one else has. Right now, InfoSec can be as smart and savvy as they want. But if we don't have the right data, carriers are going to be smarter even if they don't know our world. It's just going to be that way.

Robert Hansen

Well, it's funny, you said that they're possibly five years away from it. That's how far ahead because you've been talking about this for at least five years. Since you started talking about this, and now 10 years on before this thing becomes what it's supposed to be.

I think that's indicative, for anyone listening, of how far ahead you are. Then the last one I want to talk about is Bit Discovery, an asset management company you and I started together.

Asset Management was one of those things I knew you had your eye on. I too had my eye on it in a different way almost since the beginning of this industry. People still don't quite understand the value of it.

We get into conversations with them and we show them all the data that we know about them, which they don't have. And they're like, "Well, that's great. What do I do with that?" Like, what do you mean what do you do with it? Fix it.

Jeremiah Grossman

Yeah, there's all kinds of issues there. For me, it was week by week, I came across that problem first at White Hat where we're assessing companies' websites. We're doing 50 of them, 100, 200. And they go, "We want to assess all our websites."

We're capitalists. We go, "Great. Give us the list. We're going to hack them all." "We don't have a list. Is that's something White Hat can help us with?" "I guess we can try."

So we tried many times. We had some great tools. Our peers tried and failed. We tried to fail a number of times. But imagine that. The only thing standing away for us from doing 50 websites versus 1,000 is just knowledge of what they had.

All of a sudden, you have this lack of information that stands in the way between the vendor making a lot more money and the customer being a lot more secure. Clearly, we have to solve this Attack Service Management problem.

Isn't that supposed to be the first thing we do in InfoSec, learn what it is that we're meant to protect? We just didn't do that. Probably because it was really hard. So if we can get over the hard part and make a compelling solution, then the world would just adopt it.

I think the timing was always right for it. Just no one ever could figure out how to make the solution until we did.

Robert Hansen

Now that we've given the audience a bit of a tour of how forward-thinking you are, what is the next thing that you're talking about that you think people are fighting you or are not really seeing the importance of what you're saying?

Because of all the people I know, if people aren't paying attention to you, they're literally a decade behind. And that's a problem, I think.

Jeremiah Grossman

Cyber insurance will still be there, warranties will be, Attack Service Management will be there. I think we have the tools in place to start learning a lot. The carriers will have a lot of data. The ASM vendors will have a lot of data.

We don't know a lot about the Internet and what's on it. There's lots to be learned there and lots of values to be explored. So it's not so much anybody resisting compelling ideas now. I'm not on stage much over the last two or three years because I was just doing my work.

But, for instance, and we talk about it all the time, we have this adage, the world is moving to the cloud. We're pretty sure it's true. How do we know it's true? Is there any data out there that says the world is moving to the cloud? Who can tell me the average Fortune 500, how much do they have in the cloud? Do we really know the market share of F5 versus Citrix on the internet?

How distributed the environments are: like, when companies host on the internet, are they mostly in the US or mostly out? Is it going mostly out or is coming mostly in? What about on an industry level or a company level?

There's a lot we don't know and a lot we can learn. Now that we're with Tenable, those are the things I'm dead set on learning. So that would be one.

Robert Hansen

One thing I've heard you say a number of times, and I don't know if you've said this out loud. Maybe I'm spilling the beans here, I don't know. You said that we've hit peak prevention. Can you talk about that?

Jeremiah Grossman

This is how I got to that. It was just a mental exercise. Right now, we're spending about $150 billion a year on security, depending on whose numbers you want to believe, collectively. If we went from $150 billion a year spent on InfoSec to $300 billion, would we cut the number of breaches in half? I don't think we will.

If we cut the InfoSec budget in half, from 150 to 75, will the breaches double? I don't think so. I think very little of what we're doing in security is having a measurable impact on the adversary. We're working on the wrong things.

So this mental model, that's a game that's out. That means it's not a spending issue. We've been in the vulnerability-finding business for a long time. Only half of the vulnerabilities ever get fixed, and maybe less than 1% of them ever get exploited.

So we're looking for the wrong things, finding the wrong things, and fixing the wrong things. So I think the way we've been doing things is we've hit peak prevention. I don't know if we can get much more secure, at least move the needle. So back to the insurance.

If we can't prevent the breach, prevent the loss. Now imagine we can design security systems where we make the bad guy work very hard to make the breach happen. But we put security solutions and liability equations in place where they don't extract much of any value.

All of a sudden, now we've changed the economic model of it, making the adversary work 10 times as hard to make half as much.

Robert Hansen

I'm not sure if it's still that way, but you have a pinned tweet that shows maybe a couple of 100 different security companies' logo split across different subsets of the industry. And it's this absolute mess of color of all these little graphics.

And your tweet was very simple. It's like, are we secure yet? We have all of this different technology out there. Have we done it?

Jeremiah Grossman

It was like 800 pre-IPO security companies. We're buried in security technologies and cool stuff, and smart people. It doesn't seem to be making any difference. So we have to really ask ourselves, what are we doing wrong?

Everybody wants to keep fighting for the status quo because I just said it. $150 billion goes in. A lot of people are making a lot of money, myself included. No one really wants to change. They like this.

But for me, it's personal. I hate when people get hacked. I don't like when people suffer losses and this stuff is getting severe. It wasn't like 10 or 15 years ago where it was just a hack and people were embarrassed.

Hospital networks are getting compromised. Companies are going bankrupt. People are losing their jobs. We can't stand for this, we can do better than this. So there has to be some change.

Robert Hansen

I don't know if you would bet on this. But I bet that one of the next big things in information security is going to be find everything, scan everything, and then prioritize everything.

What do you think about that? Does that sound like a possibility even? Are there too many obstacles between there and here? Is that just another security company that's going to be dead?

Jeremiah Grossman

We're going to bet heavy on it. We're getting better at finding everything. When it's running, then we can find the vulnerabilities and then figure out which ones. Because all that's commodity now, and find out which ones should we fix?

We'll find all the webs, all the assets, what are they running, find all the vulnerabilities, Vulnerability Management commodity. What we really don't know yet is which columns we should fix in what order for two reasons.

One, we don't know the asset value of anything that we're scanning. Two, we don't know which vulnerabilities the bad guys are really going after. The carriers do. I think if we solved those two that whole model can go for.

Right now, I think we're expending a tremendous number of resources on finding and fixing bugs that simply don't matter. I think if we just had the last two bits, we can really move forward in a big way. So I think it's not only likely, I think it's necessary.

Robert Hansen

One of the things I think that makes you very different than the typical security guy is I think of you really more as a business guy than a security guy. Which is a bit strange because you and I grew up in the security industry hacking on stuff together. So it is a bit of a weird shift in my brain.

But I think you have moved away from the keyboard and into the boardroom, in a positive way. I don't mean you've lost your skill. I mean you've now gained a new one. What do you think the boardroom doesn't understand about the industry?

If you were to go off and start a new company with a board of people who knew nothing about InfoSec, what do you think you would be imparting upon them? What are the KPIs? How would you handle that?

Jeremiah Grossman.

Yeah, I did make that shift a while back on increasing my soft skills. Not public speaking or writing, but also more business savvy. I grew up in a very entrepreneurial family. The tech came later. But there was a point in my career, I was doing research papers and hacking cool stuff, and getting on stage and talking.

It was a lot of fun and I produced a lot of value. But I always want to make an impact and move the needle. If I found one more zero-day, one more tech, one more white paper, would it have made a lot of difference? For me, probably not.

What I found is that if I moved and tried to make these more business problems and technology problems, I can make much more impact. I could be a better manager, run bigger companies, solve bigger problems. We can't spend an infinite amount of time in everything.

So I sacrificed all the time that I was spending building tech skills and just learned other skills. I imagined I could be much more valuable in the world if I knew tech and the business side. So I did both.

I've been on boards for like 15, 20 years now. I've been on boards of my companies and other companies, listening to the conversations that the boards are most interested about. You can tell the board what questions to ask CISOs. That's pretty easy. What I try to help educate them in on is what answers they should be looking for and how to understand what's being told to them.

If I just tell them the question and they don't have the sophistication of the answer, what was the point? I go like, "You're looking for these KPIs. You're looking for these types of answers. And you know your security team is thoughtful and their interests are aligned with the business." That's usually when I'm on the board for.

Robert Hansen

Gotcha. What about those who would push you to say, "Let's just hire our way out of this problem, let's just get 50 more people inside the company, and that will fix it."?

Jeremiah Grossman

I think for any one company, maybe that's the answer. If I'm on a board of a company and that's what they need to do and that's the best solution to the problem, have at it. But I try to look at things from an industry and a world standpoint. We're terribly short of security experts, and I don't see anywhere where the cavalry is coming.

So if one company says, "I'm going to hire 50, high-end security people and move them over," all you've really done is move the problem. Now that company doesn't have a staffing problem but that company does. What did we really solve?

So we have to find new ways. If we have a personnel problem or personnel shortage, it's either we have to automate more or move more people into our industry.

Robert Hansen

Let's go back a little bit. What about the industry at large? Do you think the industry at large can hire themselves out of this problem?

Jeremiah Grossman

Oh no. Even if we started today, no.

Robert Hansen

I don't think so either. And especially the new blood that's coming into the industry, they seem to be much more tool-driven and less understanding of what's going on. That's a big problem if you're looking for innovation.

If you need more tool jockeys or more people to confirm what your artificial intelligence is telling you, fine. You're not going to get net new innovation that way.

Jeremiah Grossman

I look at it a different way. For instance, we got to Blackhat every year. What does Blackhat have? 15,000, 20,000 people show up. This is not a cheap conference to go into. It's like 15,000, 20,000 of our peers, and high-end people that really know this work.

If you look at Salesforce Camp training force, what do they have? 100,000-200,000 people show up there. I mean, the growth rate of our industry is tiny in terms of personnel. If I saw it's growing from growing Blackhat or any conference significantly, like 20%, 30%, 50% a year, then I would say, yeah, we could solve it that way.

But for whatever reason, our industry is not attractive. We're not attracting a whole bunch of new blood in the necessary volumes. Maybe we have a PR problem. Maybe we have a pay problem. I don't know. But I do know that for whatever reason, there's just not going to be enough people. We have to solve it a different way.

Robert Hansen

You are definitely innovative, forward-thinking, but what about the past? Where do you think our original sins were in our industry? If we were to go back in time and there was a couple of things you could change about the industry, is there anything that comes to mind that would be like, we really screwed up XYZ things? We could have saved ourselves a lot of trouble if X hadn't existed.

Jeremiah Grossman

You mean like JavaScript. I think we did the best job we could at the time of browser design because no one really knew what the problems were. Browser security is abysmal.

I think it's not a technology problem most the time. The advertising model got its clutches into the internet far too early. Right now, we're having to counteract the business model of big ads. And that's really hard to do.

Right now, whether it's Facebook, Google, or whoever, anybody that's making advertising on the industry, you cannot ask them to protect the data from themselves. Now what do we do?

Robert Hansen

How much would you say the entire security industry is?

Jeremiah Grossman

$150 billion a year.

Robert Hansen

So it's about the same size as just Google.

Jeremiah Grossman

Yeah. So that would be one; the advertising business model is probably going to be the biggest one. That's the one that I had a real tough time getting around. There's a clear problem. I can hack it this way, but fixing it would cost the advertising industry money, who controls all the browsers. They're not going to do it. They're not ever going to do it.

So you're stuck with a business model thing. And it's not like the engineers at Google or whoever is making these routers don't care. They really do. But no one's figured out a way to fix these certain characteristics without sacrificing their business model. So we're stuck.

Robert Hansen

Yeah, and it's not getting any better. It seems like every time there's a new innovation, it's more ads, not less ads. Now, when your browser pop up in Firefox, for instance, there's ads. There's not less ads, there's more ads.

Jeremiah Grossman

So that would be more like the original sin, probably the biggest one I can think of off the top of my head.

Robert Hansen

Fair enough. One of the things I think is missing is attribution. We really don't know who's doing what on the internet. It was never really designed into the internet at all. It was just designed as a communication protocol but with no attribution.

Like, "Hi, I'm the person sending this information across the internet. So if any bad thing were to happen, you can come arrest me or whatever." I think the internet would have been a much more civil place if we'd had that built in.

Jeremiah Grossman

Maybe. But I also don't know if anybody wants that. I think they wanted the anonymity. It might have been a feature, not a bug.

Robert Hansen

It's quite possible.

Jeremiah Grossman

That might be why we could never get federated authentication to get really working. I don't think anybody really wants it.

Robert Hansen

Quit possible. There is a lot of seedy underbelly in the internet. People are very happy with the way it exists.

Jeremiah Grossman

I think the only people that will sign up for federated identity would be the people we don't have to worry about.

Robert Hansen

All right. We talked a little bit about the next generation. If you were to tell the next generation, given all of this stuff that you now have talked about, where things are going in industry, if you were to say, here's where you should be spending your time thinking about after they get in the industry.

Let's say they're starting to get up and running. Would you say, "You should get into Sec DevOps or should they start doing some of the stuff that you did once upon a time and do the hacking roadshow? What path would you send them down to be successful?

Jeremiah Grossman

One is the skill sets. Knowing how to code is probably the single greatest skill that I have. I can automate things. I know generally how things work

Robert Hansen

Say, after that, let's say they're in the industry now, where should they go?

Jeremiah Grossman

It's finding that problem that matters to you, I would say. I talk with a lot of people and a lot of companies all the time. I will ask them very simple but very pointed questions. Whatever problems you have at work, if there was one problem that you could just shoot and never deal with again, what would it be?

And you can see their eyes go up into the left, really thinking about it. And they'll give you answers. If you ask enough people that question, you'll find some themes.

Robert Hansen

It's usually the manager.

Jeremiah Grossman

For me, I always wanted to make an impact. I want to find that one problem that I care about that if I solved it, it would solve that same problem for a lot of people. What are the biggest problems that I can work on?

And the only way I could ever find those problems was talking with a lot of people. I'm share with you some of mine that I think about. But I think other people are going to find much different problems, maybe containerization and cloud.

Cloud is not going to be around forever. We have mainframes, then we had workstations, and then we have cloud. Cloud is not going to be around forever. 10, 15 years, it's going to be so controversial to say, "We're going to move away from cloud one day." It's going to get cheaper to do it ourselves. How do you migrate away from the cloud?

Robert Hansen

I don't think anyone's going to like hearing that.

Jeremiah Grossman

Story of my life. But you it's going to happen.

Robert Hansen

For the people listening, anyone who's working in cloud right now is probably ready to crawl under their desk and die because you're saying stuff like that.

While I agree that there are trends and things move, people are not prepared to have their entire life upended and all the things they know become irrelevant.

Jeremiah Grossman

Well, can you make it easy so it gets cheaper? I'm not saying work on this today, maybe not tomorrow. But that future will come where all the major cloud providers and hosting providers are going to be, for whatever reason, stodgy and too expensive.

So how do you move all your environments out of the cloud to something that you self-host and save a bunch of money and have some control? How do you make that easy and doable? And if you find a way for someone to do it themselves at a fraction of the price, they'll listen.

Robert Hansen

I'm going to change the topic completely here. One of the things that you, probably for the first decade that I knew you, I thought you were full of shit in one very particular way. I find you're full of shit in the way that it seems like you just don't care what people think about you. And I never understood that. I never got it.

I don't know when it was, but sometime I flew out here and I was hanging out with you. We were just talking and I'm looking around. I think we were on a boat at the time.

Boats are somewhat dangerous. You can fall overboard or get hit by the pro. There's just inherent danger in being in the middle of water. But to me, it's not really a big deal. I've been on boats before.

You started talking about swimming between islands or something and being shipwrecked at one point. And cliff diving off not trivial tiny little cliffs but these enormous 50, 60 plus cliffs, and swimming under caves.

It suddenly occurred to me, you're not actually full of shit. This is actually how you actually are. You just don't care. Maybe it's not even caring about personal safety. Maybe you can extrapolate and say it's something much bigger than that.

What do you think about that? The reason I bring it up and the reason why it's relevant to this is people will come and say like, "I'm going to beat you up." They get personally invested in something and then they decide that you're an asshole and they're going to fight you.

Which is hilarious and of itself because you're a black belt in Brazilian jujitsu and you live 1000s of miles away. I just don't think you care.

Jeremiah Grossman

It's not that I don't care. It is they don't think they care

Robert Hansen

You think they're lying about their interests?

Jeremiah Grossman

They might care somewhat but I can't imagine that I'm so important to anybody's life that the whatever their dislike or disdain for me, will last more than five minutes. I just can't imagine why my life matters so much to them.

I'm just me, just a person. This is what I think. This is why I think it. If it rubs you the wrong way, I understand. It's cool. Hate me if you like, but you're not going to hate me in a year from now. You're not going to remember me five years from now.

And if that's the case may be, then why should I care? If they're not going to care how much they hate me, why should I care?

Robert Hansen

I know a number of times you've said to me, "Well, if they want to, they can play out and we can get in the octagon." You have an octagon at your house. Just come on over. We'll do this.

Jeremiah Grossman

It's happened from time to time and it's always fun. It's always been friendly. I've never lost a Virgo. I get invited to those Brazilian jujitsu events at Blackhat. Sometimes people take me up on it, but it's always fun. It's always in good nature. I don't mean anybody harm.

Robert Hansen

After they realize you could crush them. Sure.

Jeremiah Grossman

I think that's the point of being the type of person I want to be. I want to be the person that takes an impact and provides value. That is dangerous physically, economically, business, technology,. But also, I have a healthy respect for the knowledge I've earned over time.

To be a monster in that way, but be able to control it. It's hard for me as a person to give a pacifist credit for being who they are. They're passivists because they have no ability to inflict damage or harm on anybody.

I have way more respect for somebody that can inflict damage and a lot of harm on people who choose not to. That's a more moral, ethical person. Those are the people that I want to surround myself with.

Robert Hansen

We've really never talked about this, but I have probably 10 or 12 years of martial arts. And I feel pretty confident in my ability to handle myself against the average person on an average fight. But I can't remember the last time I've been in one. There's just no need.

Jeremiah Grossman.

It's not necessary. If it becomes necessary, fine. But that's not what I'm doing with my life. That's not who I want to be. I think everybody should keep increasing their power, not necessarily to exert it in a negative way, but that they could should they choose

Robert Hansen

You can extrapolate that to computer security, or in any business context.

Jeremiah Grossman

Yeah. We have the skills to break into things. I won't be breaking into banks or governments and causing people harm. I can see, but why? That's not what I want to do. And anybody who might, that's going to be their choice.

Robert Hansen

I think there's something too. Our industry seems to dovetail itself very well into these other types of security. You'll see a lot of security experts who are very into guns or very into wrestling or BJJ or some sort of physical protection .

Even if it's not that, it's prepping or some other thing that they're doing to prepare for some eventualities. I don't know the psychology behind it, but I suspect it's somewhat related to hypervigilance, which I talked a little bit on one of my other podcasts. Which means that a huge amount of our industry is somewhat traumatized.

I don't know if they're traumatized by virtue of just living a life or the amount of information they receive from doing this full-time. What do you think?

Jeremiah Grossman

I guess it could be. I can only speak from a personal perspective. Was I traumatized at some point? Probably. I have chopped up a lot of careers. I have faced death living in Hawaii doing stupid things as a kid a number of times.

I'm pretty sure the only reason I'm living and getting to talk to you now is because I was in shape and prepped for doing the stupidest of things. So I think a lot of times it's like making it out of adolescence in that way that I was prepared for the things that I do.

Yes, I will do dangerous things, but I don't do it negligently. I prepare for it. I think the other one is that a lot of people in the industry is we feel like protectors of other people. That's who we want to be in the world.

Like, I want to protect the internet. I find it to be the greatest invention we'll see in a lifetime. It's something worth protecting. I don't like to see, whether it's children or battered women harassed online. I want to be able to have the skills to help them.

So I think a lot of our industry wants to be and be seen as protectors of everybody else.

Robert Hansen

I agree. Even the adversaries feel that way. They're like, "Thank God you're protecting my bank account." That's always an interesting conversation.

I promised I'd keep this short. So let's get out to the beach or whatever. But first of all, where do people find you? How do they get in touch with you?

Jeremiah Grossman

Now you want to get in touch with me. How do people find me? Twitter.

Robert Hansen

Fly all the way out to Hawaii.

Jeremiah Grossman

Usually on Twitter, @jeremiahg. Pretty active there. I have a Facebook account but Twitter's where it's at or me@jeremiahgrossman.com would be my email address. Those are probably the two best ways. Or meet me at Blackhat.

Robert Hansen

I wouldn't recommend it unless you really know what you're doing.

Well, Jeremiah, thank you very much for doing this especially out here. This is a very beautiful spot. Thanks for inviting me to your town. I really appreciate it.