Akamai SIRT: A discussion with CSO Andy Ellis

In this week's podcast, Steve and Andy talk about his recent Reddit AMA, and the best food to have on hand for a security incident. The topic is an off-shoot of the best wine pairing question from the AMA, and Andy adds to that answer with the story behind his choice of wine (1976 Chateau Gloria, Saint-Julien) for an internet meltdown.

However, the main topic of discussion that kicked things off was the question of: "Is too late for a career change at 43 to cybersecurity? If not, how can I start?"
The short answer is no, but Andy goes into more detail on the podcast, and his answer on Reddit is full of examples as to why it is never too late for a change.

Recorded Future

Recorded Future/Cyberwire (Dave Bittner)
An Ability to Execute and a Fantastic Amount of Luck

Our guest this week is Andy Ellis, chief security officer of Akamai Technologies. He shares the professional journey that led him to Akamai, along with his recollections of the early days of online data sharing when bandwidth was expensive and pipes were small, and the uncertainty of being part of an ambitious internet startup. We’ll learn about his management style, the importance of a company culture built on trust and communication, and, of course, we’ll get Andy’s take on threat intelligence.

Plaintext Podcast

Duo / Plaintext Podcast
Plaintext Podcast Ep. 4 Featuring Akamai CSO Andy Ellis

Welcome back to the Plaintext Podcast with your host Dave Lewis, Global Advisory CISO for Duo Security, now part of Cisco.

In this installment, I have the honour of interviewing friend and former colleague Andy Ellis, CSO of my previous employer, Akamai.

In this episode, Ellis and I chat about his career path, how to adjust to a remote (or distributed) work life and advice for security pros, or those who are considering a career in information security.

Security Stories

Security Stories (Hazel Burton)
Creating more opportunities for others, with Andy Ellis


In this episode we chat to Andy Ellis, who, on the very day we interviewed him, was celebrating his 20th anniversary as the Chief Security Officer for Akamai. We cover many topics - from taking down the "booth babe" culture at RSA, to fighting for more representation and diversity on cyber panels, to how he eliminated the password at his organization and built a Zero Trust network, before that became a thing.

Andy also shares one of the most interesting Star Wars theories we've ever heard, and has a fascinating take on heroes vs villains, and how the two overlap depending on who's telling the story. He then talks about why he hires librarians and journalists in his security team, and also, exactly how hard it is to train lizards. (The last two topics aren't related, btw!)

You can read Akamai's "State of the Internet" report here: https://www.akamai.com/uk/en/resources/our-thinking/state-of-the-internet-report/

Technical Outcast

Technical Outcast (Steve Ragan)
Work-Life Balance (Andy Explains)

Andy Ellis (@CSOANDY), CSO at Akamai Technologies, joins Steve Ragan for a discussion about work / life balance, in this inaugural segment called Andy Explains. Today’s Andy Explains segment is an important one, as the balance between daily life and work has become central to people across the globe during the COVID-19 pandemic.

Some of the items discussed include distractions, and the importance of management providing multiple levels of support to employees. The key consideration is that most of us are not working from home, we’re working in crisis. This is not a normal work-from-home routine, but a situation that needs to be managed and navigated, because there are times when a “normal workday” just isn’t possible.

Security Voices

Security Voices (Jack Daniel, Dave Cole)
The Longevity Formula: CSO Andy Ellis’ Wit, Wisdom & Wine Advice From 20+ Years At Akamai

The average tenure of a CISO is 26 months due to high stress and burnout, according to a recent survey. In stark contrast, Andy Ellis has now been CSO at industry titan Akamai for over 20 years. Jack & Dave explore Andy’s longevity formula in a 70 minute interview that spans everything from his advice to young security leaders to the death of live events and why it’s perfectly fine if your favorite wine is a $16 malbec.

While most of our episodes gradually ease into a more focussed conversation, our discussion with Andy jumps straight into the subject of applied human cognition— a common theme of his presentations and writing. He explains how his understanding of human thought patterns and biases directly influences his approach to conducting risk assessments and dealing with especially thorny conflicts. Far from theoretical, Andy breaks down exactly how he and his team enable Akamai to self assess and internalize risk in a fashion that expedites projects where the security team might otherwise be a bottleneck.

From his vantage point at Akamai surveying a sizable amount of the Internet’s traffic, Andy shares their insights from both observing and responding to the pandemic, starting with their move to a ZeroTrust model. Some aspects of COVID-19, such as customers’ struggling to pay bills and how to best help them, are similar to past crises. Others are utterly unique. Jack and Andy explain the crisis likely permanent impact on live events (e.g., industry conferences) and what they may evolve to in the future.

We also discuss the fine line Andy, Jack and Dave walk in the cybersecurity community of being both a vendor and a practitioner. How does one remain objective when you also represent a company that has to sell products or services to exist? How can one neutralize the perceived bias or even the stronger allergic reaction that some have against vendors? While there’s no surefire solution to such a complex matter, each of us shares our tips and learnings as we (and the industry as a whole) aim to strike the right balance.

We wrap up with Andy taking us through how to pick a good bottle of wine. In the same manner as he tackles complicated cybersecurity issues, Andy breaks it down into simple steps that are illustrated with his own colorful experience.

CSO (pt 2)

CSO (Bob Bragdon)
Don’t Be Batman: Why CISOs Should Embrace The Sidekick Role, Part 2

In this second half, Akamai CISO Andy Ellis and host Bob Bragdon continue their talk about the good guy/bad guy dynamic in the infosec community and why it can result in you being marginalized in your organization. Ellis’ advice: Don’t try to be the hero; be the sidekick.

CSO (pt 1)

CSO (Bob Bragdon)
Don’t Be Batman: Why CISOs Should Embrace The Sidekick Role, Part 1

There is a prevailing attitude in the infosec community that security pros are the good guys and the bad guys are, well, just about everyone else — users, developers, senior leadership. This good guy/bad guy dynamic can result in you being marginalized in your organization, says Akamai CISO Andy Ellis. His advice: Don’t try to be the hero; be the sidekick.


Decipher (Dennis Fisher)
Decipher Security Podcast: Andy Ellis
Andy Ellis, CSO of Akamai, joins Dennis Fisher to talk about the process of planning to move tens of thousands of employees to remote work securely, the increased stress on Akamai's network, and what things might look like from a security perspective on the other side of the quarantine.

Security Conversations

Security Conversations (Ryan Naraine)
Akamai’s Andy Ellis On Gender Balance In Security

In an industry where 10-15% of staff are women, Akamai's security team is 40% women and growing. Chief security officer Andy Ellis joins the podcast to share lessons on practical things -- some subtle, some major -- that pushed real diversity on Akamai's security team.