A Conversation With Wolfgang Goerlich: Security Doesn’t Have to Be the Department of No

Advisory CISO Wolfgang Goerlich discusses how security disregards the human element, leading to a lack of compliance with security protocols.

In this episode, Mike welcomes Wolfgang Goerlich, aka “Wolf,” Advisory CISO at Cisco. Join us as they discuss the tendency within security to disregard the human element, which leads people to stop adhering to security protocols and to work around them. When this happens, we see a correlation to a human need not being met. If that is understood and considered, the result is the development of much better security products all around.

SHOW NOTES

Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.

In this episode of In Scope, Mike Murray welcomes Wolfgang Goerlich, an Advisory CISO for Cisco. Having gotten his start in the industry in the 90s, Wolf brings almost three decades of security experience to his role in the product space.

Asked about his advice for staying employable, Wolf says that there is a lot of value in studying product developers at work as skills in security commodify incredibly quickly—and become obsolete just as quickly.

He theorizes that there is a two-year cycle between hype and panic. In other words, everybody is excited about witnessing innovation and the release of new products, but will eventually begin worrying about the fact that their organizations have become reliant upon a new and relatively untested technology. It is therefore important for security experts to recognize where today’s panic lies.

“Security,” says Wolf, “is the fine art of jumping from log to log on a running train that is going downhill as the logs are falling off and going over the ravine. And your goal is to go, ‘What log is going to be interesting next?’”

Wolf contends that security needs to be thought of as being a “craft” and that the foundational lessons of this craft must be passed on to industry “apprentices.” By understanding the foundations, they will be better equipped to adapt to ever-changing security challenges throughout their careers.

Mike asks Wolf about how design factors into product security. Wolf recalls becoming inspired near the beginning of the pandemic to research design principles and what characterizes a good product, whether it be a watch, computer, or coffee pot. He concluded that the key lies in the user, and in understanding and applying an idea known as affordance—the properties that allow certain actions to happen. For example, an elevator button affords being pressed.

“If you don’t meet those needs with affordances, people work around you.” It is not enough to educate users to do or not do something. Wolf reminds us that products should be designed around user needs, not vice versa. Most developers forget this. Mike concurs, saying, “Because so many of us are technology nerds, that’s not our first instinct.”

Talking about preparing the next generation of security professionals, Wolf believes that the passion for the industry is lacking. Unlike, for example, being an accountant, a security professional needs to essentially “reinvent” themselves every few years as industry needs change. Without passion, it is easy to burn out in such a fast-paced environment.

A big part of the equation is referring to the real world for examples, as opposed to staying purely in the academic sphere, where not only do concepts quickly become outdated, but much of the nuance and gray areas inherent in most real-world problems are also missing.

Finally, Wolf gives a few warnings to practitioners who are interested in becoming mentors. He offers two lessons that have helped him grow in his own journey of mentorship: 1) What got you here won’t get you there; 2) The language and ideas that resonate with you won’t necessarily resonate with them. Mentors need to ensure that they use tight feedback loops and constantly tailor their interactions with mentees to create a productive ongoing relationship with them.

TIME STAMPS

– An introduction to Wolf.

– What makes a good career in security.

– Staying on the cutting edge of the industry.

– How to build a product securely from a design perspective.

– Defining affordance.

– Affordances as “human needs.”

– Teaching the next generation of professionals to think about user experience first.

– Keys to mentorship.

– How to connect with Wolf.

0:00:02.9 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.

0:00:17.8 Mike Murray: Hello and welcome to this week’s episode of In Scope, The Healthcare Security Podcast. As always, I’m Mike Murray. And as always, I’m excited to have a very cool guest today, somebody that I’ve known for a whole lot of years, and has been in the security industry as long as I have. So it’s gonna be two old guys ranting… Ranting, hopefully, coherently about all kinds of topics in security. So today I have with me Wolfgang Goerlich, who is most recently hanging out at Cisco on the Duo and virtual CISO team over there that many people know. But has done so many things, and wanna get into his career, but I’ll let Wolf introduce himself and talk a little bit about how his long career in security and… So Wolf, happy to have you here man, and love to have this conversation. Tell the audience a little bit about you, for anybody who doesn’t know you already, which is probably not that many people, but… Let’s tell them who you are.

0:01:21.8 Wolfgang Goerlich: [chuckle] Mike, thanks for having me on. And I love that idea of two old people. It’s like, “Pull up a rocking chair on the porch children, and listen to the old men ramble.” So yes, I got into security right in the ’90s when the movie, Hackers, was still in the theaters, which I thought was a really auspicious start. And I used to think, “Oh, that’s cool.” When Hackers started. But I was on… I was talking to a friend of mine, one of the people I mentor, he was like, “Hey, I never watched that movie.” I’m like, “What?” And he goes, “Well, I don’t watch a lot of older movies, so… ” I’m like, “Oh man, kill me.” So from there I went into healthcare, and I ran IT and IT security in the healthcare space for a number of years, did a stint doing consulting a couple of start-ups, and then went into financial services where I built a DevOps team, and did security and compliance for a money management firm. Coming out of that, I went back into consulting, where I ran an IM team, a GRC team, a Data Protection Team, a strategic advisory/fractional CISO team, and an apprenticeship, and didn’t sleep for five or six years. And yeah, and today I am with Cisco, with the great team headed up with Dug Song and Wendy Nather, and just trying to bring some of the lessons of security into the product space.

0:02:45.7 MM: That’s incredibly cool. And you and I have often gotten into conversations about careers in this industry, I think. And part of it is just getting to be an old person, and being around for a long time, you see a lot of the different careers, but… We were… You mentioned the apprenticeship program. And I think that that’s so fascinating. Like we have so many young folks coming into the security industry these days, and I think it’s a really hard career. I’ve always… I did an RSA talk many years ago that I titled, Security is the hardest career, because security… The issues in security are always at the front end of the technology life cycle, we are front-loaded, right? By the time a technology has been around for 20 years… And we’ll probably get into this. You and I both like to talk product security. But by the time something’s been around for a long time, a lot of the security issues are worked out. So in 2003, there was a burgeoning career in WiFi security. Remember there was WiFi security certifications and the whole thing? And if you’ve got a WiFi security certification today, you’d probably be pretty unemployable, right? And so…

0:03:53.5 MM: But that’s not true of Java programming, right? I learnt Java programming in 1995 on Java 1. And I’m not a good Java programmer anymore, but I can still understand it when I read the code. Talk a little bit about what you think makes a good career in security, as someone who’s managed to survive for over 20 years. How do you do it? How do you keep the longevity in this industry?

0:04:18.9 WG: So a few years back I posted this on my blog, because there was an article about top 10 dead or dying tech skills. And I went, “Yep, that was me in the ’90s. Yep, that was me in the early aughts.” Yeah, I made money off that for a while. Oh, I think I did a consulting service for one of them, right? I mean every one of them. But I wanna challenge one thing you said there. One of the things that I find… And this week, this week, I should be at that conference, but pandemic, is there’s a lot of value in going and seeing what the developers are doing.

0:04:49.8 MM: Oh yeah.

0:04:50.2 WG: Because I’ve got this theory, it’s a two-year cycle between hype and panic. And what that means is, what I see in the developer conference circa 2022, is what security people are gonna be panicking about in 2024.

0:05:07.0 MM: Yes.

0:05:07.2 WG: And I saw that with Kubernetes, I said that with Docker, I saw… You just go down on the list. Why? Because they’re excited and they’re building it, and by the time enough of it gets out, then we’re like, “Wait a minute. Our entire company is reliant upon that.” And then someone breaks in, and then we all panic. We’re like “What did they do?” We try… And you’re right. And then two or three years after that, no one cares. The certifications are worthless, and we’ve moved on.

0:05:27.9 MM: Right.

0:05:28.8 WG: So part of it I think is, security is the fine art of jumping from log to log on a running train that’s going downhill, as the logs are falling off and going over the ravine. And your goal is to go, “What log is gonna be interesting next?” And jump to that before whatever you’re on, falls off the tracks. Because our skills commodify incredibly quickly, and they should. If we’re doing our jobs right, WiFi security should be a check box in the device and hopefully configured by default, and hopefully there’s a good design on it. But it should be that way. But the key to a good career is to recognize that, and realize, that whatever you know today, is absolutely worthless in a couple of years.

0:06:11.9 MM: But that makes it really hard for things like degree programs. One of the… I worked with someone about 10 years ago, who was trying to write a college class for exploitation techniques. And what he found was that the approval cycle for the syllabus was so long, was like 18 months, that by the time the syllabus for his class was approved, it was obsolete. So how do you do that if you’re a college student that just came out today and you realize you’re standing on a log that two years from now is now useless?

0:06:48.6 WG: Yeah. And I have had serious, similar experiences because I try to help out with different universities writing the courseware or framing up the questions, which I love writing questions. It’s a whole other story. There’s an art to that, by the way there’s a… And once you get the art, you can pass any test because it’s like, “Oh, I recognize how you… ” Anyways, I digress. You’re right. And so good courseware is courseware that says, “Here is a long-standing principle that has existed for 30 years that you should know Young one. And by the way, here’s how we’re gonna demonstrate it, and this is gonna be in a lab that’s gonna run forever and it’s probably on Windows 7 if you’re taking it today.” [chuckle] “And then, when you get to the real world, please remember that principle won’t apply it.”

0:07:30.6 WG: But that bridge is so difficult, and that’s why I think, in a very real way, Security has to be thought of as being a craft. It’s like, “We’re the craftsmen. We’re bringing in folks to apprentice under us.” We gotta say, “Alright, this type of cutting the wood, anyone could do. Start there, and then I’ll show you how to do the join.” Or if you’re a painter, think about how the masters like Da Vinci didn’t paint all those paintings. He outlined it and he had his apprenticeships paint in certain areas, and then he did the real hard stuff. We’ve gotta think about Security more as a craft to help people bridge that gap ’cause otherwise whatever you learned in college, that lovely principle, you’re not gonna recognize it when you hit it in the streets. You’re not gonna recognize the latest exploit technique.

0:08:17.8 MM: Yeah, completely agree and that’s been. For me, the only thing I ever got right, I think, in my career was that I’m good at learning principles, and part of it is just my own neuro-diversity. Anybody who knows me knows how bad my ADD is, and so the only way I can survive is by understanding the thing behind the… The question behind the question. To your point about writing questions, I didn’t go to most of my college classes. The only reason I got through college is because I had the skill that you’re talking about. I could figure out how to answer the question even if I didn’t know the answer, and I think that that’s the skill that is required to be long-term in Security because the rule… The technology changes but the rules don’t. And I think it’s the rules that are the most interesting part, the principles behind it, like you said, which kinda leads us into good product security. You and I were nerding out before we started recording about design and how you build products securely from a design perspective. Talk a little bit about that. I know you’ve been speaking on that lately, and that’s an interest of yours lately.

0:09:26.1 WG: Yeah. So this little thing called COVID happened, [chuckle] and I was…

0:09:32.3 MM: Wait, I don’t think anybody knows about that. [chuckle]

0:09:34.5 WG: No one probably knows about it. So I was traveling quite frequently. I was actually in Europe, going from country to country. As the countries shut down, we would go to a different country. We would hop on the train. And something in the back of my head should have been, “This is bad. There’s something bad happening.” But I figured, “Ah, it’s fine. Italy’s shut down. We’ll go to Munich, it’s no big deal.” And so we left on the last plane from Paris to the US on March 13th, before everything shuts down. We get on the very last plane, probably the very last ticket on the very last plane, and we land. And there’s that two weeks we’re just gonna do nothing and we’ll flatten the curve, and I did that. And then, the curve didn’t flatten. And a good friend of mine who knows me is like, “You gotta do something. You’ve gotta have a project or something you’re digging into, or you, my friend, are gonna go insane.” And like, “Oh, okay.”

0:10:24.0 WG: And so what started out as… Back to your point about neuro-diversity and diverse interest, what started out as an interest in 20th-century design, let me look at old cars and old coffee pots and old toasters and see what ways those were designed has really led into a multi-year effort by me to look at some of the design principles. What makes a good watch? What makes a good computer? What makes a good coffee pot or good mug? And what are some of those things and how do they apply to Security? And one of the interesting things is it always starts with a user. It always starts with an emphasis on how people work. As you and I were talking many times and before we started recording, we didn’t get into this because we liked people. We got into this because we liked machines and they would do what we said. And so thinking in design terms, it does not come easy for a lot of us.

0:11:22.6 MM: Yeah. So tell us about that. Truthfully, I haven’t ever dug into design at that level. What did you learn, man?

0:11:31.0 WG: Well, one of my favorite ideas in design is this idea of affordances. And so what an affordance is, is it’s effectively anything that gets you to do something. So one of the textbook examples was in Stockholm, Sweden. They wanted people to walk down the stairs, and I’m sure you guys have seen this video or gif, what they did was they were like, “Oh well, we’ll make the stairs into a piano, we’ll make it interactive, we’ll make it fun.” And now suddenly everyone’s using the stairs. And you’re like, “Alright. Well, that’s great. Dancing’s good. Dancing is fun. I guess that makes sense from a TikTok perspective. That can go viral.” But what does that have to do with Security? And yet, we saw something very similar with Epic Games, where Epic Games wanted people to do MFA. And so what is the Security answer to doing MFA? Well, we’re gonna turn it on. If they complain, they can go work somewhere else.

0:12:20.6 MM: We’ll force them.

0:12:23.0 WG: Right. We’ll force it. No problem. What Epic Games do is they have this Boogiedown Emote that you could get for your character that made your character jump up and down and dance, and you got that if you turned on 2FA. And everything they done to get 2FA barely moved the needle. The minute they gave people Boogiedown Emote, their MFA adoption went three, fourfold up. It was just incredible.

0:12:49.2 MM: You’re kidding.

0:12:50.9 WG: Yeah. Yeah.

0:12:52.1 MM: The number of times that I talk to Health Systems and they’re talking about, “Oh man, we’re trying to implement MFA and our doctors hate it and our nurses hate it and nobody wants to use it.” You started out in healthcare, you probably understand this particular population in that way. I’ve never once heard anyone do something like that. And we had this phase about five years ago where people talked about gamification for a hot minute.

0:13:18.8 WG: [chuckle]

0:13:21.2 MM: But you don’t ever hear about people doing that sort of thing. How have you brought that into actual practice?

0:13:28.5 WG: Well, so that’s just one example of affordances. And you can get, there’s multiples… There’s functional, Does it work the way I think it should? There’s emotional… That’s what I’m talking about here.

0:13:36.6 MM: Is it fun? Do I wanna do it?

0:13:38.5 WG: Gamification? Cognitive, Does it work like I want it to? Physical… Does it move like I think it should? Do I have muscle memory to move it? Sensory… There’s a whole bunch of different affordances. One of the ones that I thought was very interesting in the Duo space, and this was something that we talked about when I was interviewing [inaudible] that had a product, was I spent a whole bunch of time in the frowny face. So, if your software is out of compliance and you can’t get in, you get this a little frowny face, it says, You should… You should update your stuff. And they’re like, Well, if it’s too frowny, people think they’re getting judged, right? Now, they’re mad at their phone, but if it’s not friendly enough, they’re like, Oh well, I don’t really…

0:14:14.9 WG: There’s like this sweet spot with the users emotionally are at the right emoji to get someone to update their software. And I thought it was fascinating that they spent the time to go through and figure that out and encourage people. So that’s one very simple example.

0:14:31.8 MM: That’s a really cool example. And actually, now that you’ve said that, I mean, one of the reasons that… And I’m a big fan of Duo and have been for a long time, long before the Cisco acquisition and the like, because I always thought it was just a really nice product to use, and I never really thought about that level of detail about it. And I think that’s something we don’t do in our industry, we don’t talk enough about the human factor of what we’re trying to do. Like you said, turn it on and if they don’t like it, they can go somewhere else. That’s been our way… That I heard somebody once described security as the Department of No, because we say no to everything, and that’s just how we do it. And I don’t think enough of us think about how do we get… How do we get the outcomes from the people that we want? Whether you’re talking about how do I design security into a product? How do I design a security program? How do I design a security career? We don’t think about the human factors enough.

0:15:30.0 WG: No, and what happens there is, so you take those affordances, right? That’s the design that’s given affordance to the person. If you flip those on the head and think of those as like emotional needs, right? Or non emotional needs, ’cause that’s only one affordance. But a human need. Right, I need… When I pick up my coffee cup and I’m holding it to the screen, which no one can see, it is well designed and it fits my hand, right? There are ways that things work well and things that don’t. And if they don’t work well what do people do? What have we done since we climbed out of the cave and picked up the first stick and lit the first fire? If our needs are not met, we change our environment, and what that means in the security space is every time we see a security exception or people working around us, we think Aha, we just need to give them awareness training, that will solve it, which we know it doesn’t. Or Aha, we just need to punish them. If we fired everyone who didn’t follow our [inaudible] onboarding in this hospital, we would… And doctors are like, You’re what? [laughter] Did you hear what you just said?

0:16:32.9 WG: So… If you don’t meet those needs with affordances, people work around you. And if you look at any exception as a need that’s not met, as opposed to a user who doesn’t know what they’re doing, you can have much better conversations, much better products, much better security programs, much better training and opportunities in your career.

0:16:54.8 MM: And unfortunately, you mentioned it, because so many of us are technology nerds, that’s not our first instinct. So flipping that around and kind of coming full circle on both parts of the conversation that we’ve had so far… How do we teach the young folks this? How do we get the young folks, as two old guys sitting here who both started as tech nerds, how do we get the next generation not to be like us?

0:17:26.2 WG: [laughter] And not to be like us, and at the same time to still have some of the benefits we had…

0:17:33.7 MM: Of course, of course.

0:17:34.9 WG: I think one of the things that really seems to be lost at the moment, or getting lost and shrinking, is the excitement and the energy that a lot of us had for this field and this career. And now people are like, I took a high school test and they told me I should be a security person, and I went to college, and now here I am and now I’m doing my job. I’m like, No, if you’re just gonna do your job here, you should be accountant or whatever else. Enjoy what you’re doing. So we got… While we teach the next generation, we also need to preserve some of the weird… If that makes sense. [chuckle]

0:18:03.6 MM: Completely, and actually, I think you described why. Right? And I loved your description of the security career as literally jumping from log to log while the logs fall off… Right? That metaphor is so apt, because I’ve always believed that as a security person, you effectively have to reinvent yourself about every three years. And that’s not true of an accountant, right? The rules… If you’re an accountant, the rules of GAAP have been the same since 1907. And so things don’t change that much in accounting. Sure, there’s updates to the tax laws every couple of years and things change a little bit, but the general principles are the same. In our industry, you have to reinvent yourself, and I find that that’s what… If you’re in this without that excitement, you last past your first or second re-invention and then you’re like, I don’t really wanna have to re-learn some new technology, I’m gonna go be an SE or a product manager or some other security adjacent function, because you don’t have to keep reinventing. And I think that passion thing is a really hard one, because without it, how do you keep yourself jumping from log to log when you’re in your late 30s, 40s, 50s, and you have a family and a life, and you don’t wanna have to go read a book about Kubernetes, ’cause you’ve never heard of it.

0:19:31.3 WG: Yes, exactly. [chuckle] Or it is the holiday like we recently had, and you’re like, “I need to step away from my family and go up to my study and do a CTF,” which is what I was doing, “and knock off the rust and remember my Metasploit commands and everything… ” ’cause I never use that as a CISO, those sort of things. So we need to make sure that we’re preserving the excitement, and I think part of it is too is using the real world as examples. So, much of what is taught in the university is dated for the reasons we already discussed, is an abstract scenario for obvious reasons, and doesn’t take into account all the gray and the nuance that you get in the real world, so I loved when I was running the apprenticeships.

0:20:14.5 WG: So I did the apprenticeship for about four or five years. We interviewed 3500 people, believe it or not. There was a huge amount of interviewing. We hired and put through 67 folks, and it was a two-year program, and the pitch was, “We’ll give you three to five years of experience in two by coupling it with heavy training, heavy mentoring, lots of varied scenarios.” And the reason that worked well was because you can end a conversation… And one of my mentors when I was like just getting into this, maybe 15 years ago now, 20 years ago now, he would pull me in, this cedared, gray-haired guy, and he was in charge of all IT in this company, and he’s like, “I want you in this meeting.” I’m like, “Oh, what am I gonna… ” “Nothing. Just come and listen.” And he’d hang up the phone, and he turned to me, and he goes, “So what did you hear? Why did they say that? Alright, that is what they said, but what were they thinking behind it?”

0:21:14.6 WG: Those types of questions like, “What did you see? What did you hear? What did you think?” And then providing the context such as affordances, like we talked about earlier, or such as the nuances of human psychology, the way corporate politics play out when you’re in a very large organization or a very small organization. So all those sort of things. I really think it has to be the senior craftsman pulling in the new guy and saying, “Alright, that’s a nice joint. Now, what do you see there?” And helping you see those things that you don’t see otherwise.

0:21:50.1 MM: Do you think that that’s… And flipping it around, I see so many of our contemporaries not doing exactly what you’re saying. I feel… And you and I, I think, lead in similar ways. I feel like there’s a… And this is gonna be a terrible way to say this… But there’s like a duty we have to those young folks to actually have the conversations you’re talking about to pull them aside and say all of the things that you’re talking about, because otherwise, how do you learn? I was very lucky to have the same kind of mentorship that you had from a couple of really brilliant people, and otherwise I think I’d still be clueless about most of those things.

0:22:34.3 WG: Absolutely. But I will add the caveat. So if you’re a senior person, you’re like, “Hey, I just heard what Mike said, and I’m about to go in the office,” or “I’m about to hit the WebEx,” when I see that junior person, I’m gonna pull him aside and say, “Look, you didn’t do that right, there is… “

[chuckle]

0:22:50.6 WG: One of the things that I learned doing this apprenticeship was mentoring is a skill, and not everyone is cut out for it, and so much like we spend a lot of time building other skills, I spend time reading books on how to be a mentor. I just screwed up as a mentor. I can give you that story if you want ’cause…

0:23:09.4 MM: Oh, this is great. Yeah, I love those ones.

0:23:11.7 WG: I mentor more senior people now. Well, here’s a really good example. So I’m mentoring a gentleman and he’s running a team. It’s a reasonably complex team, and I was giving him some frameworks for how to lead this team. He’s like, “Oh, that’s great. Where does this come from?” I said, “Well, a couple of different places, but one of the places is a book that I read many years ago. I loved it. It has really had a good impact on me.” And so he reads it and the next time we get together, he was like, “Yeah, I saw that book.” [chuckle] Like, “What do you think?” He’s like, “Oh, you know, it was… ” I’m like, “No, you can tell me what you think.” He goes, “All the stories are about these superhero CEOs rushing in and saving the day and changing things, and it’s like none of that makes any sense to where I’m at. I’m not CEO of the company, I’m not in a start-up. This doesn’t… ” I’m like, “Oh, well, alright, so I can see that point. What books resonated with you?” He’s like, “Oh, this one, that one, the other, because these are more of my field and these are more of what I do.”

0:24:10.6 WG: And so I immediately bought ’em an Audible and I’m listening to them on the treadmill or wherever. So now when I have those conversations, I’m like, “Oh yeah, you remember this story pertains to this idea.” And it’s a thing as a mentor you learn over and over again, which is what got you here won’t get them there, and what resonates with you and the language and the ideas that resonates with you aren’t the ones that necessarily resonate with them. So mentoring is a skill and it’s something that you have to constantly be working on, and so we do have an obligation to reach out to folks, but we also have an obligation to do it well so that we don’t run people out of the industry.

0:24:50.7 MM: Yes. Very true. Well, actually, you just tied everything together with that, and I wanna hear what you think about this, but exactly what you just said about meeting your mentees where they are, kind of ties into what you were talking about with design. We have to meet the users where they are at the same time, right?

0:25:11.6 WG: Yeah, no, that’s a really good point. If you think about these stories we share as affordances that allow people to grasp knowledge and get things done, then making sure that we’re using the right affordances, and put differently, making sure that we’re meeting the needs of our audience… And that could be end users, that could be the people we’re coaching… Yeah, spot on. We’ve gotta make sure that we’re constantly adjusting and using tight feedback loops to make sure, “Did that work? No, it didn’t. Okay. Let’s try something else. Let’s do better.”

0:25:42.0 MM: Absolutely. Well, Wolf, thank you so much for coming on today. This has been so fantastic, and I always end by asking everyone, where can the world find more Wolf? Where can we find more of you? If the listener today wants to hear more of your wisdom and the things that you have to say, where will we find you?

0:26:03.0 WG: So, as already mentioned, I’m the Advisory CISO with Cisco Secure. So you can follow my blog at Cisco Secure. My personal stuff is at jwgoerlich.com which I blog there. You can also follow my YouTube, which I post talks, and sometimes short videos if I’m feeling in the mood. I haven’t done that as much as of late. And then on Twitter, I’m constantly on Twitter. It’s my decade long addiction now.

0:26:31.6 MM: Mine as well. What’s your Twitter handle?

0:26:32.6 WG: Jwgoerlich.

0:26:34.8 MM: Beautiful. Thanks again for being here, man. This has been fantastic. We need to do this again. I always love these conversations.

0:26:40.9 WG: Yeah. It’s so great to catch up with you, Mike.

0:26:44.4 MM: Thanks, Wolf.

0:26:52.2 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up, or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]

ABOUT THE GUEST

J. Wolfgang Goerlich is an Advisory CISO for Cisco Secure. Prior to this role, he led IT and IT security in the healthcare and financial services verticals. Wolfgang has held VP positions at several consulting firms, leading advisory and assessment practices. He is an active part of the security community, co-founding and organizing security conferences and events. Wolfgang regularly advises on and presents on the topics of security architecture and design, identity and access management, data governance, secure development life cycles, zero-trust security, and more.
