Security Stories

Security Stories (Hazel Burton)
Creating more opportunities for others, with Andy Ellis

https://www.buzzsprout.com/926089/4502858-9-creating-more-opportunities-for-others-with-andy-ellis

In this episode we chat to Andy Ellis, who, on the very day we interviewed him, was celebrating his 20th anniversary as the Chief Security Officer for Akamai. We cover many topics - from taking down the "booth babe" culture at RSA, to fighting for more representation and diversity on cyber panels, to how he eliminated the password at his organization and built a Zero Trust network, before that became a thing.

Andy also shares one of the most interesting Star Wars theories we've ever heard, and has a fascinating take on heroes vs villains, and how the two overlap depending on who's telling the story. He then talks about why he hires librarians and journalists in his security team, and also, exactly how hard it is to train lizards. (The last two topics aren't related, btw!)

You can read Akamai's "State of the Internet" report here: https://www.akamai.com/uk/en/resources/our-thinking/state-of-the-internet-report/

Technical Outcast

Technical Outcast (Steve Ragan)
Work-Life Balance (Andy Explains)
https://technicaloutcast.com/podcast/2020/06/17/andy-explains-ep1-work-life-balance.html

Andy Ellis (@CSOANDY), CSO at Akamai Technologies, joins Steve Ragan for a discussion about work / life balance, in this inaugural segment called Andy Explains. Today’s Andy Explains segment is an important one, as the balance between daily life and work has become central to people across the globe during the COVID-19 pandemic.

Some of the items discussed include distractions, and the importance of management providing multiple levels of support to employees. The key consideration is that most of us are not working from home, we’re working in crisis. This is not a normal work-from-home routine, but a situation that needs to be managed and navigated, because there are times when a “normal workday” just isn’t possible.

Security Voices

Security Voices (Jack Daniel, Dave Cole)
The Longevity Formula: CSO Andy Ellis’ Wit, Wisdom & Wine Advice From 20+ Years At Akamai
https://www.securityvoices.org/29-andy-ellis

The average tenure of a CISO is 26 months due to high stress and burnout, according to a recent survey. In stark contrast, Andy Ellis has now been CSO at industry titan Akamai for over 20 years. Jack & Dave explore Andy’s longevity formula in a 70-minute interview that spans everything from his advice to young security leaders to the death of live events and why it’s perfectly fine if your favorite wine is a $16 malbec.

While most of our episodes gradually ease into a more focussed conversation, our discussion with Andy jumps straight into the subject of applied human cognition, a common theme of his presentations and writing. He explains how his understanding of human thought patterns and biases directly influences his approach to conducting risk assessments and dealing with especially thorny conflicts. Far from theoretical, Andy breaks down exactly how he and his team enable Akamai to self-assess and internalize risk in a fashion that expedites projects where the security team might otherwise be a bottleneck.

From his vantage point at Akamai surveying a sizable amount of the Internet’s traffic, Andy shares their insights from both observing and responding to the pandemic, starting with their move to a Zero Trust model. Some aspects of COVID-19, such as customers struggling to pay bills and how to best help them, are similar to past crises. Others are utterly unique. Jack and Andy explain the crisis’ likely permanent impact on live events (e.g., industry conferences) and what they may evolve to in the future.

We also discuss the fine line Andy, Jack and Dave walk in the cybersecurity community of being both a vendor and a practitioner. How does one remain objective when you also represent a company that has to sell products or services to exist? How can one neutralize the perceived bias or even the stronger allergic reaction that some have against vendors? While there’s no surefire solution to such a complex matter, each of us shares our tips and learnings as we (and the industry as a whole) aim to strike the right balance.

We wrap up with Andy taking us through how to pick a good bottle of wine. In the same manner as he tackles complicated cybersecurity issues, Andy breaks it down into simple steps that are illustrated with his own colorful experience.

CSO (pt 2)

CSO (Bob Bragdon)
Don’t Be Batman: Why CISOs Should Embrace The Sidekick Role, Part 2
https://www.csoonline.com/article/3516080/episode-10-dont-be-batman-why-cisos-should-embrace-the-sidekick-role-part-2.html

In this second half, Akamai CISO Andy Ellis and host Bob Bragdon continue their talk about the good guy/bad guy dynamic in the infosec community and why it can result in you being marginalized in your organization. Ellis’ advice: Don’t try to be the hero; be the sidekick.

CSO (pt 1)

CSO (Bob Bragdon)
Don’t Be Batman: Why CISOs Should Embrace The Sidekick Role, Part 1
https://www.csoonline.com/article/3516079/episode-9-dont-be-batman-why-cisos-should-embrace-the-sidekick-role-part-1.html

There is a prevailing attitude in the infosec community that security pros are the good guys and the bad guys are, well, just about everyone else — users, developers, senior leadership. This good guy/bad guy dynamic can result in you being marginalized in your organization, says Akamai CISO Andy Ellis. His advice: Don’t try to be the hero; be the sidekick.

Decipher

Decipher (Dennis Fisher)
Decipher Security Podcast: Andy Ellis
https://duo.com/decipher/decipher-podcast-andy-ellis
 
Andy Ellis, CSO of Akamai, joins Dennis Fisher to talk about the process of planning to move tens of thousands of employees to remote work securely, the increased stress on Akamai's network, and what things might look like from a security perspective on the other side of the quarantine.

Security Conversations

Security Conversations (Ryan Naraine)
Akamai’s Andy Ellis On Gender Balance In Security
https://securityconversations.fireside.fm/andy-ellis-akamai

In an industry where 10-15% of staff are women, Akamai's security team is 40% women and growing. Chief security officer Andy Ellis joins the podcast to share lessons on practical things -- some subtle, some major -- that pushed real diversity on Akamai's security team.

Business of Software

Business of Software (Mark Littlewood)
A Conversation with Andy Ellis
https://businessofsoftware.org/2019/10/harry-potter-star-wars-nobody-villain-story-conversation-andy-ellis-cso-akamai/

Andy was one of the speakers at this year’s BoS Conference USA 2019 and talked about why humans were awesome at risk management and why humans were awful at risk management. It is good. Very good. At the speaker dinner, we got into a conversation about how people can take the same data and derive completely different meanings. He’d been thinking about this and explained how you can take the Harry Potter stories and come to some very disturbing conclusions. In this discussion with Andy, he explains, using both Harry Potter and the Star Wars trilogy as examples. Very entertaining and thought-provoking… Harry Potter fans might not like it.

The Secure Developer

The Secure Developer (Guy Podjarny)
Ep. #38, You Own It, You Secure It with Andy Ellis of Akamai
https://www.heavybit.com/library/podcasts/the-secure-developer/ep-38-you-own-it-you-secure-it-with-andy-ellis-of-akamai/

In episode 38 of The Secure Developer, Guy speaks with Andy Ellis, CSO of Akamai. They discuss streamlining customer assurance, the role of an incidents coordinator, and the value of transparency between a security company and their associates.

Collective Intelligence

Collective Intelligence (Mike Mimoso)
Andy Ellis on Zero Trust Security Model
https://www.flashpoint-intel.com/blog/podcasts/collective-intelligence-podcast-andy-ellis-on-zero-trust-security-model/

Flashpoint Editorial Director Mike Mimoso talks to Akamai Chief Security Officer Andy Ellis about the company’s implementation of a zero-trust security model.

As such, Akamai has evolved beyond traditional approaches to network security, authentication and authorization, to a model where users, devices and applications are treated as the perimeter. As a result, security controls are moved away from firewalls and virtual private networks to an architecture where an X.509 certificate and push-based authentication are the preferred method. Andy says that Akamai can see a day in the not-too-distant future when passwords are no longer a thing at the company.

Throughout the discussion, Andy talks about how the 2009 Aurora attack inched Akamai toward zero-trust, how he got executive buy-in for this model, what the user experience is like, and how this compares to Google’s BeyondCorp implementation.