Guest Appearances

Cyber Ranch: Board Reporting Metrics Pt 2

Andy Ellis, CISO at Orca Security, is back for part 2 of this series on Board Reporting Metrics. In Episode 1, Andy and host Allan Alford addressed some of the most common questions posed by the board and shared their perspective on what the board needs to know from a cybersecurity standpoint. In this episode, they continue the conversation by fielding questions from LinkedIn on topics such as:

- Vulnerability and threat hunting metrics

- Top 3 metrics to report to the board and why

- Breach reporting implications and much more!

Cyber Ranch: Board Reporting Metrics, pt 1

In this episode, Allan is joined by the CISO at Orca Security, Andy Ellis, to share his thoughts on board reporting metrics. What does the board need to know from a cybersecurity perspective? One of the questions is often: “Are we secure?” Is that even the right question? How much should you talk about compliance? Do you speak of IT assets? What about speaking to specific controls? Listen to this episode to hear the common questions posed by the board and how to answer them with metrics. In some cases, it is teaching them to ask different questions. This episode is a master class in board communication in cybersecurity, and the conversation went into such depth that a Part 2 is already being planned.

Securing Bridges

Breaking into Cybersecurity

FIRST Impressions: Andy Ellis

Chris, Martin, and Andy chat building teams, navigating within organizations, career change, and interpretive dance.

Cyberwire Pro: Andy Ellis, Former Akamai CSO & CSO Hall of Fame 2021, on transparency in cybersecurity initiative

Hacker Valley: There is No Skills Gap

Tech Talks Daily

1650: A Chat With Award-Winning CSO Andy Ellis From YL Ventures
Tech Talks Daily / Neil Hughes
YL Ventures funds and supports brilliant Israeli tech entrepreneurs from seed to lead. With headquarters in Silicon Valley and Tel Aviv, YL Ventures manages $260 million and specializes in cybersecurity. It accelerates the evolution of portfolio companies via strategic advice and U.S.-based operational execution, leveraging a powerful network of CISOs and global industry leaders.
Andy Ellis, recently named operating partner at YL Ventures, has been inducted into IDG's CSO Hall of Fame. The former CSO at Akamai Technologies will now be supporting YL Ventures' portfolio companies post-investment with product development, go-to-market strategies, and customer engagements.
In today's episode, Andy shares his story and insights from his career. We discuss why VC firms are investing in Israeli cybersecurity startups and why more CISOs are taking advisor/investor roles. I also learn what brings him to Israeli cybersecurity companies.

CISO Series: How CISOs Make It Worse for Other CISOs

CISO Series / David Spark & Mike Johnson
(full transcript at link)

Cloud Security Podcast

Cloud Security Podcast / Ashish Rajan

Cyber Ranch

Cyber Ranch / Allan Alford
Clever Hiring Practices w/ Andy Ellis

With us today is Andy Ellis, operating partner at YL Ventures, former Akamai CSO and newly inducted member of the CSO Hall of Fame. We're here to talk about nonstandard hiring practices and how Andy has built an amazing team using nonstandard approaches.
Andy began his career in cyber ("I remember back then, you know, we didn't call it cyber, but I think we've all given up and, and that's now the name for our career field.") as an Air Force ROTC cadet, spent 20 years at Akamai, and joined an advisor program at YL Ventures.
Andy found a solution that addresses hiring needs and the talent shortage, while also building a very clever and very innovative team.
  • For new roles, look and see if you have somebody who's almost senior that you can promote to do that job. And backfill the almost senior person instead. Try not to hire senior people, try to hire the most junior person you can get away with and promote everybody up the chain. The real trick is to figure out how your HR and finance teams are going to operate and play them off against each other.
  • Now that we have covered your promotion from within strategy, let's talk about hiring some folks for certain roles on the team that at a glance would make no sense at all for a CSO. And yet is really, really effective and repeatable.
  • Andy’s flagship is hiring librarians. There is an entire career field dedicated to managing libraries and learning technical language to be able to do that.
  • Everyone is in the business of publishing a report about their data, right? This is just taking technical data and technical jargon and making it consumable to people who've never seen this data before. There's an entire industry that does that. We call it journalism. So, we hire journalists to come in and be those storytellers.
  • Hire teachers. Put a teacher in a position to learn how deep they need to go on a daily basis, and then make sure they get one level deeper. Because you're always going to have problems if you teach exactly to your domain knowledge. So, make sure your domain knowledge is always a little bit deeper than whatever your job requires, which is usually going to be sufficient to keep you out of trouble.
To wrap the show up, Allan asks, “Why aren't the rest of us catching on because this is some amazing stuff that every single hiring manager in cyber could benefit from.”
According to Andy, the simple answer is it's expensive, and it takes a lot of time to do right.
Allan asks, “What keeps you going in cyber?” Andy answers, “I've always seen myself as improving the systems that I walk through, that when I encounter a system, I want to tweak it and figure out what makes it work and make it work better."
Key Takeaways
1:24 Andy shares his background and how he got to cyber
3:12 Working for a venture capital firm
7:12 Hiring and building a team
12:26 The abnormal hires that just make sense
15:46 Clever role adjustments
17:10 More nonstandard hires
19:03 Confused? Whose confusion is it?
21:02 The academy
24:42 Putting a teacher in
25:21 Budget technique
27:09 Why isn’t everyone hiring this way?
28:30 What keeps you going in cyber?

Off the Record

Off the Record / Adam Janofsky
Ep 46: When Pipelines Run Dry
Levi and Adam discuss the latest news on the Colonial Pipeline attack, and what the future of ransomware might look like. Andy Ellis, the former CSO of Akamai, joins later in the episode to talk about advising and investing in cybersecurity companies.


Andy Ellis Shares Insights on Leadership (and DC Comics)

Cyber Professional Podcast

Cyber Pro Podcast
Andy shares his thoughts and experience with Jeff Chao on the role of Security Leadership


Andy Ellis returns

Andy Ellis, CSO of Akamai, joins Dennis Fisher to discuss the importance of setting priorities, how to assess your strengths and weaknesses as an organization, and the NFL draft.

Akamai SIRT: A discussion with CSO Andy Ellis

In this week's podcast, Steve and Andy talk about his recent Reddit AMA, and the best food to have on hand for a security incident. The topic is an off-shoot of the best wine pairing question from the AMA, and Andy adds to that answer with the story behind his choice of wine (1976 Chateau Gloria, Saint-Julien) for an internet meltdown.

However, the main topic of discussion that kicked things off was the question: "Is it too late for a career change at 43 to cybersecurity? If not, how can I start?"
The short answer is no, but Andy goes into more detail on the podcast, and his answer on Reddit is full of examples as to why it is never too late for a change.

Recorded Future

Recorded Future/Cyberwire (Dave Bittner)
An Ability to Execute and a Fantastic Amount of Luck

Our guest this week is Andy Ellis, chief security officer of Akamai Technologies. He shares the professional journey that led him to Akamai, along with his recollections of the early days of online data sharing when bandwidth was expensive and pipes were small, and the uncertainty of being part of an ambitious internet startup. We’ll learn about his management style, the importance of a company culture built on trust and communication, and, of course, we’ll get Andy’s take on threat intelligence.

Plaintext Podcast

Duo / Plaintext Podcast
Plaintext Podcast Ep. 4 Featuring Akamai CSO Andy Ellis

Welcome back to the Plaintext Podcast with your host Dave Lewis, Global Advisory CISO for Duo Security, now part of Cisco.

In this installment, I have the honour of interviewing friend and former colleague Andy Ellis, CSO of my previous employer, Akamai.

In this episode, Ellis and I chat about his career path, how to adjust to a remote (or distributed) work life and advice for security pros, or those who are considering a career in information security.

Security Stories

Security Stories (Hazel Burton)
Creating more opportunities for others, with Andy Ellis

In this episode we chat to Andy Ellis, who, on the very day we interviewed him, was celebrating his 20th anniversary as the Chief Security Officer for Akamai. We cover many topics - from taking down the "booth babe" culture at RSA, to fighting for more representation and diversity on cyber panels, to how he eliminated the password at his organization and built a Zero Trust network, before that became a thing.

Andy also shares one of the most interesting Star Wars theories we've ever heard, and has a fascinating take on heroes vs villains, and how the two overlap depending on who's telling the story. He then talks about why he hires librarians and journalists in his security team, and also, exactly how hard it is to train lizards. (The last two topics aren't related, btw!)

You can read Akamai's "State of the Internet" report here:

Technical Outcast

Technical Outcast (Steve Ragan)
Work-Life Balance (Andy Explains)

Andy Ellis (@CSOANDY), CSO at Akamai Technologies, joins Steve Ragan for a discussion about work / life balance, in this inaugural segment called Andy Explains. Today’s Andy Explains segment is an important one, as the balance between daily life and work has become central to people across the globe during the COVID-19 pandemic.

Some of the items discussed include distractions, and the importance of management providing multiple levels of support to employees. The key consideration is that most of us are not working from home, we’re working in crisis. This is not a normal work-from-home routine, but a situation that needs to be managed and navigated, because there are times when a “normal workday” just isn’t possible.

Security Voices

Security Voices (Jack Daniel, Dave Cole)
The Longevity Formula: CSO Andy Ellis’ Wit, Wisdom & Wine Advice From 20+ Years At Akamai

The average tenure of a CISO is 26 months due to high stress and burnout, according to a recent survey. In stark contrast, Andy Ellis has now been CSO at industry titan Akamai for over 20 years. Jack & Dave explore Andy’s longevity formula in a 70-minute interview that spans everything from his advice to young security leaders to the death of live events and why it’s perfectly fine if your favorite wine is a $16 malbec.

While most of our episodes gradually ease into a more focussed conversation, our discussion with Andy jumps straight into the subject of applied human cognition, a common theme of his presentations and writing. He explains how his understanding of human thought patterns and biases directly influences his approach to conducting risk assessments and dealing with especially thorny conflicts. Far from theoretical, Andy breaks down exactly how he and his team enable Akamai to self-assess and internalize risk in a fashion that expedites projects where the security team might otherwise be a bottleneck.

From his vantage point at Akamai surveying a sizable amount of the Internet’s traffic, Andy shares their insights from both observing and responding to the pandemic, starting with their move to a ZeroTrust model. Some aspects of COVID-19, such as customers struggling to pay bills and how to best help them, are similar to past crises. Others are utterly unique. Jack and Andy explain the crisis’ likely permanent impact on live events (e.g., industry conferences) and what they may evolve to in the future.

We also discuss the fine line Andy, Jack and Dave walk in the cybersecurity community of being both a vendor and a practitioner. How does one remain objective when you also represent a company that has to sell products or services to exist? How can one neutralize the perceived bias or even the stronger allergic reaction that some have against vendors? While there’s no surefire solution to such a complex matter, each of us shares our tips and learnings as we (and the industry as a whole) aim to strike the right balance.

We wrap up with Andy taking us through how to pick a good bottle of wine. In the same manner as he tackles complicated cybersecurity issues, Andy breaks it down into simple steps that are illustrated with his own colorful experience.

CSO (pt 2)

CSO (Bob Bragdon)
Don’t Be Batman: Why CISOs Should Embrace The Sidekick Role, Part 2

In this second half, Akamai CISO Andy Ellis and host Bob Bragdon continue their talk about the good guy/bad guy dynamic in the infosec community and why it can result in you being marginalized in your organization. Ellis’ advice: Don’t try to be the hero; be the sidekick.

CSO (pt 1)

CSO (Bob Bragdon)
Don’t Be Batman: Why CISOs Should Embrace The Sidekick Role, Part 1

There is a prevailing attitude in the infosec community that security pros are the good guys and the bad guys are, well, just about everyone else — users, developers, senior leadership. This good guy/bad guy dynamic can result in you being marginalized in your organization, says Akamai CISO Andy Ellis. His advice: Don’t try to be the hero; be the sidekick.


Decipher (Dennis Fisher)
Decipher Security Podcast: Andy Ellis
Andy Ellis, CSO of Akamai, joins Dennis Fisher to talk about the process of planning to move tens of thousands of employees to remote work securely, the increased stress on Akamai's network, and what things might look like from a security perspective on the other side of the quarantine.

Security Conversations

Security Conversations (Ryan Naraine)
Akamai’s Andy Ellis On Gender Balance In Security

In an industry where 10-15% of staff are women, Akamai's security team is 40% women and growing. Chief security officer Andy Ellis joins the podcast to share lessons on practical things -- some subtle, some major -- that pushed real diversity on Akamai's security team.

Business of Software

Business of Software (Mark Littlewood)
A Conversation with Andy Ellis

Andy was one of the speakers at this year’s BoS Conference USA 2019 and talked about why humans were awesome at risk management and why humans were awful at risk management. It is good. Very good. At the speaker dinner, we got into a conversation about how people can take the same data and derive completely different meanings. He’d been thinking about this and explained how you can take the Harry Potter stories and come to some very disturbing conclusions. In this discussion with Andy, he explains, using both Harry Potter and the Star Wars trilogy as examples. Very entertaining and thought-provoking… Harry Potter fans might not like it.

The Secure Developer: You Own It, You Secure It

The Secure Developer (Guy Podjarny)
Ep. #38, You Own It, You Secure It with Andy Ellis of Akamai
In episode 38 of The Secure Developer, Guy speaks with Andy Ellis, CSO of Akamai. They discuss streamlining customer assurance, the role of an incidents coordinator, and the value of transparency between a security company and their associates.

Collective Intelligence

Collective Intelligence (Mike Mimoso)
Andy Ellis on Zero Trust Security Model

Flashpoint Editorial Director Mike Mimoso talks to Akamai Chief Security Officer Andy Ellis about the company’s implementation of a zero-trust security model.

As such, Akamai has evolved beyond traditional approaches to network security, authentication and authorization, to a model where users, devices and applications are treated as the perimeter. As a result, security controls are moved away from firewalls and virtual private networks to an architecture where an x509 certificate and push-based authentication are the preferred method. Andy says that Akamai can see a day in the not-too-distant future when passwords are no longer a thing at the company.

Throughout the discussion, Andy talks about how the 2009 Aurora attack inched Akamai toward zero-trust, how he got executive buy-in for this model, what the user experience is like, and how this compares to Google’s BeyondCorp implementation.


Decipher (Dennis Fisher)
Andy Ellis has your back (videos/article)
Walking into a sleek glass-walled conference room on a cold and wet December day, Ellis has the easy confidence and serenity you might find in a semi-retired professional golfer. It is not the kind of demeanor often associated with CSOs, and certainly not with the CSO of a company that handles a non-trivial portion of the Internet’s traffic on any given day…

IOT Podcast

IOT Podcast (Stacey Higginbotham)
IoT botnets and the Nucleus intercom review

Security was the big topic this week after a massive botnet comprised of connected devices disrupted many popular internet services. I hated the thought of all connected devices coming under attack, so I wrote a bit about the realities of IoT security here and also here. As part of my effort to understand what was going on, I interviewed Andy Ellis, Akamai’s chief security officer, about what happened last week, why it matters and the challenges of making people pay for security.