SHOW NOTES:
Michael and Phil were joined at CYBR.HAK.CON. by John Kindervag, Chief Evangelist at Illumio and the creator of the Zero Trust Framework, for a wide-ranging conversation on risk vs. danger, personal resilience, and the future of AI.
Things mentioned:
• Rise of the Machines: A Project Zero Trust Story by George Finney - https://www.amazon.com/Rise-Machines-...
• Agentic AI + Zero Trust: A Guide for Business Leaders by Josh Woodruff - https://www.amazon.com/Agentic-AI-Zer...
• Right Into the Danger Zone: The False Comfort of Risk Management by John Kindervag - https://www.ft.com/partnercontent/ill...
• HOU.SEC.CON. 2024 Keynote - Opening Keynote - John Kindervag
Do you have a question for the hosts? Reach out to us at media@cscgroupllc.com
Timestamped summary:
[00:00 - 02:37] Welcome to CYBR.HAK.CON
Michael Farnum and Phillip Wylie welcome John Kindervag, Chief Evangelist at Illumio and creator of the Zero Trust Framework. The conversation opens with reflections on the state of hacker conferences, the evolution of events like DEF CON and Black Hat, and how AI is beginning to influence traditional hacking activities, including capture-the-flag competitions.
[02:37 - 08:21] The Personal Story Behind "Danger Management"
Kindervag recounts the experience that reshaped his thinking about cybersecurity. His nephew was diagnosed with neuroblastoma, a rare childhood cancer, and given only a 2% chance of survival. That experience led him to question cybersecurity's dependence on probability-based risk calculations. He argues that traditional risk management is fundamentally flawed because defenders cannot reliably calculate probabilities in complex environments. Instead, he advocates for "danger management," noting that people instinctively act against danger while often accepting risk. He shares the emotional story of his nephew surviving cancer and shaving Kindervag's head on stage during a fundraiser that raised more than $20,000 for childhood cancer research.
[08:21 - 09:16] Why Risk and Danger Are Different
Using the example of a baby crawling toward an electrical outlet, Kindervag illustrates the difference between risk and danger. Parents do not calculate probabilities before installing outlet covers; they simply recognize the danger and eliminate it. He argues cybersecurity should adopt the same mindset, especially as organizations confront increasingly complex AI-related threats.
[09:16 - 12:01] Zero Trust and the AI Era
Kindervag explains why he believes Zero Trust is uniquely suited for AI security. Unlike traditional approaches that revolve around products, Zero Trust is built around policy that protects the data, assets, applications, and services (DAAS) that actually matter. In a properly implemented Zero Trust environment every access is denied by default, so an unknown identity, workload, or AI agent cannot introduce software or reach protected systems unless a policy explicitly permits that flow, regardless of how sophisticated the attack is. He argues that AI security is ultimately a policy problem more than a technology problem.
[12:01 - 14:34] IoT, Smart Meters, and Protecting What Matters
The discussion shifts to IoT and operational technology. Kindervag describes designing a Zero Trust architecture for a national smart-meter deployment involving 50 million devices. Because the meters themselves could not run endpoint controls, the focus shifted to protecting the head-end systems that managed them. He emphasizes defining protect surfaces and mapping the transaction flows to and from them to determine where controls belong.
[14:34 - 17:40] Flat Networks, Segmentation, and Making Attackers Look Bad
Kindervag argues that flat networks remain one of the biggest security failures in modern enterprises. He cites the Nortel compromise as an example of attackers living undetected inside a network for years. He explains how Zero Trust segmentation protects critical assets rather than attempting to secure everything equally. He shares a story of a penetration test in which the tester was given valid domain credentials but still could not reach the protected resources: the credentials authenticated, but no policy granted them access to that protect surface. His goal, he says, is simple: "Make the attackers look bad."
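To make the contrast between the flat network and the default-deny policy model concrete, here is a small added example (not code from the episode, Illumio, or the hosts). The principals, protect surface, ports and rules are constructed for illustration. It models the pen-test story above: a flat network lets any authenticated domain account reach any host, while a default-deny policy grants access only to explicitly mapped transaction flows, so valid credentials with no matching rule are denied, even for a domain admin.

```python
"""Default-deny policy check for a Zero Trust protect surface.

Added example. All identities, hosts, ports and rules are hypothetical
and constructed for illustration; they are not taken from the episode.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Principal:
    name: str
    authenticated: bool               # did the credentials check out?
    groups: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Request:
    principal: Principal
    protect_surface: str              # the asset being protected, e.g. "payroll-db"
    port: int
    protocol: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One permitted transaction flow: who may reach which surface, on which port."""
    principal_name: str
    protect_surface: str
    port: int
    protocol: str = "tcp"

    def matches(self, req: Request) -> bool:
        return (
            req.principal.name == self.principal_name
            and req.protect_surface == self.protect_surface
            and req.port == self.port
            and req.protocol == self.protocol
        )


def flat_network_allows(req: Request) -> bool:
    """Flat-network model: once you authenticate, every host is reachable."""
    return req.principal.authenticated


def zero_trust_allows(req: Request, rules: tuple[Rule, ...]) -> tuple[bool, str]:
    """Default deny: authentication is necessary but never sufficient.

    Access is granted only when an explicit rule permits this exact flow;
    group membership (even Domain Admins) plays no part in the decision.
    """
    if not req.principal.authenticated:
        return False, "deny: unauthenticated"
    for rule in rules:
        if rule.matches(req):
            return True, f"allow: rule {rule.principal_name} -> {rule.protect_surface}:{rule.port}"
    return False, (f"deny: no policy grants {req.principal.name} "
                   f"access to {req.protect_surface}:{req.port}/{req.protocol}")


# Constructed policy for one protect surface: only the payroll application
# may talk to the payroll database, and only on the Postgres port.
RULES: tuple[Rule, ...] = (Rule("payroll-app", "payroll-db", 5432),)

# Constructed principals. The pen tester and the domain admin both hold valid
# credentials but appear in no transaction flow that the policy permits.
PENTESTER = Principal("pentest-user", True, frozenset({"Domain Users"}))
DOMAIN_ADMIN = Principal("da-jsmith", True, frozenset({"Domain Admins"}))
PAYROLL_APP = Principal("payroll-app", True)


def evaluate_scenarios() -> dict[str, bool]:
    """Run the same requests through both models and return allow/deny per case."""
    pentest_req = Request(PENTESTER, "payroll-db", 5432)
    admin_req = Request(DOMAIN_ADMIN, "payroll-db", 5432)
    app_req = Request(PAYROLL_APP, "payroll-db", 5432)
    app_ssh_req = Request(PAYROLL_APP, "payroll-db", 22)   # same app, unmapped port
    return {
        "flat/pentester": flat_network_allows(pentest_req),
        "flat/domain-admin": flat_network_allows(admin_req),
        "zt/pentester": zero_trust_allows(pentest_req, RULES)[0],
        "zt/domain-admin": zero_trust_allows(admin_req, RULES)[0],
        "zt/payroll-app": zero_trust_allows(app_req, RULES)[0],
        "zt/payroll-app-ssh": zero_trust_allows(app_ssh_req, RULES)[0],
    }


if __name__ == "__main__":
    for case, allowed in evaluate_scenarios().items():
        print(f"{case:22s} {'ALLOW' if allowed else 'DENY'}")
```

The point of the `app_ssh_req` case is that the policy is written per transaction flow, not per identity: the same trusted application is still denied on a port that was never mapped, which is what keeps a compromised workload from being used for lateral movement.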
[17:40 - 19:40] Security Failures Are Often Intentional Decisions
Kindervag challenges the common practice of blaming breaches on "misconfigurations." He describes a case where broad access to a sensitive cloud storage bucket was not an accident but a deliberate decision made to reduce friction for developers. The conversation connects this pattern to excessive administrative privileges and other convenience-driven shortcuts that continue to undermine security.
[19:40 - 21:33] The Real Problem: Incentives
The discussion closes with a broader examination of organizational behavior. Kindervag argues that many security failures stem from poor incentives rather than incompetence. Employees are often rewarded for avoiding disruption and punished when change introduces risk, causing them to optimize for personal downside protection instead of organizational improvement. Referencing investor Charlie Munger's famous observation – "Show me the incentives and I'll show you the outcome" – Kindervag argues that cybersecurity's biggest challenge may be cultural rather than technical.
Key Takeaways
- Cybersecurity should focus on managing danger rather than attempting to quantify uncertain risk.
- Zero Trust's policy-driven model is well-positioned for the AI era.
- Protecting critical assets matters more than protecting everything.
- Flat networks continue to enable lateral movement and long-term compromise.
- Many major breaches result from deliberate business decisions that prioritize convenience over security.
- Bad incentives often create bad security outcomes.
In this episode:
• Host: Michael Farnum - / mfarnum
• Host: Phillip Wylie - / phillipwylie
• Guest: John Kindervag - / john-kindervag-40572b1
• Production: Bill Brenner – / billbrenner
• Editing: Lauren Andrus - / laurenmandrus
Keep up with our events:
• LinkedIn - / cybrseccon
• X – / cybrseccon
• Facebook - / cybrseccon
• Instagram - / cybrseccon
Keep up with CYBR.SEC.Media:
• LinkedIn - / cybr-sec-media
• Facebook - https://www.facebook.com/profile.php?...
• X - https://x.com/CYBRSECMedia
• Instagram - / cybrsecmedia
• YouTube - / @cybrsecmedia
• TikTok - / cybr.sec.media
Check out our other shows:
• CYBR.SEC.CAST - https://www.cybrsecmedia.com/tag/cybr...
• CYBR.Minded (coming soon)
Check out our Conferences and Events:
• CYBR.SEC.CON. - https://www.cybrseccon.com
• OT.SEC.CON. - https://www.otseccon.com
• CYBR.HAK.CON. - https://www.cybrhakcon.com
Support CYBR.SEC.Careers Non-Profit Efforts
• CYBR.SEC.Careers - https://www.cybrseccareers.com
Thank you to our Media Partners:
• Barcode Podcast - https://www.barcodesecurity.com/podcast
• Cyber Distortion Podcast - https://cyberdistortionpodcast.com
• Kill Chain Radio - https://www.linkedin.com/posts/len-no...
• The Phillip Wylie Show - https://thehackermaker.com/pws-podcast/