

Chasing Entropy Podcast by 1Password
Dave Lewis, 1Password
This podcast is an interview series with career professionals in cyber security as we get their takes on shadow IT, extended access control, agentic AI and how they arrived at this point in their careers.

Sep 23, 2025 • 37min
Chasing Entropy Podcast 022: Michael Farnum on building security communities & navigating agentic AI
From a tank driver in the Gulf War to the founder of one of the U.S.’s largest regional cybersecurity conferences, Michael Farnum’s journey is a study in discipline, community, and curiosity. He shares how early exposure to cryptography, BASIC programming pranks, and first encounters with firewalls led him into security.

We dive into how Farnum built the Houston Security Conference (HOU.SEC.CON) from 120 attendees in 2010 into a 3,000-person international event. He also discusses the rapid rise of agentic AI, what excites him, and the risks of unauthenticated MCP servers, shaky credential governance, and invisible AI triggers. Despite looming challenges, Farnum is optimistic that security conversations are starting earlier this time around.

He closes with timeless advice: don’t be overly cautious, advocate for your value and take the smart risks you might otherwise pass up.

Key Takeaways
- Military lessons: Encryption mishaps in the Gulf War taught discipline, planning, and after-action reviews that later informed his cybersecurity mindset
- The hook into security: First exposure to a Unix firewall showing live traffic convinced him this was the path to follow
- Community builder: Founded HOU.SEC.CON to unite a fragmented Houston infosec scene; it has since grown into a national/international draw with thousands of attendees
- AI & agentic AI: Rising volume of submissions at security conferences; risks include unauthenticated MCP endpoints, hidden triggers, and weak credential governance
- CISO struggles:
  - Data security remains the #1 challenge—knowing what you have, where it is, and who can access it.
  - Application security continues to lag despite new tools.
  - Modern infrastructure & APIs can help if applied well.
  - AI-driven SOCs are already shifting MDR/MSSP models, often without customers realizing
- Career advice: Be less cautious and ask for what you’re worth, take smart risks, and don’t undersell yourself

Sep 16, 2025 • 40min
Chasing Entropy Podcast 021: Cybersecurity in M&A with Brian Levine
This week I got to sit down with Brian Levine, who is a cybersecurity consultant and former U.S. DOJ cybercrime prosecutor, to unpack how security risks shape mergers, acquisitions, divestitures, and investments. We cover what really moves deal price and structure, why early cyber due diligence matters, and how to protect “Day 1” operations without blowing up the integration plan.

Brian Levine, Cybersecurity consultant; former DOJ national coordinator for cybercrime prosecutors; founder of FormerGov, a directory connecting former government and military professionals with employers and recruiters.

Key takeaways
- Incidents move deals. Known or newly discovered breaches often pause negotiations, change terms, and drive down price—even if they don’t kill the deal.
- Do diligence in three passes:
  - Inside-out (docs, policies, IR records, pen tests, insurance);
  - Outside-in (OSINT, dark-web intel);
  - Technical testing (when permitted pre-sign/close).
- Start early. The earlier you assess cyber risk, the more leverage you have to shape price, integration plans, and pre-close remediation.
- MFA, IAM, backups = table stakes. Missing basics can invalidate cyber-insurance claims and should be fixed before announcement to avoid “signal flare” attacks.
- Cloud reality check. Many targets lack visibility into their cloud posture; prioritize third-party assessments and guardrails that protect PII, IP, and operations.
- Vendor blast radius matters. Mature third-party risk management includes annual reassessments, contractual obligations, insurance checks, and vendor-involved tabletops, plus contingency (“backup vendor”) planning.
- Culture can be a blocker. If “everyone is an admin,” expect friction; design an identity plan that tightens controls without triggering mass attrition.
- Day-1 playbook, security-first. Run a compromise assessment pre-connect, harden the first systems to integrate (often O365), and sequence identity, segmentation, and logging before broad access.
- Boards should ask: What did we actually do for cyber diligence, what didn’t we do, and why? Reasonableness, and the paper trail, matters.

Notable moments
- Unearthing issues outside-in: spotting malware beacons and leaked data for sale before the target even knows.
- Regulatory context: Europe’s heavier regime (GDPR, DORA, AI rules) vs. U.S. patchwork, either way, negligence standards still bite.
- Real-world stakes: from payroll outages to healthcare delays, cyber incidents can rapidly become safety and livelihood issues.

Resources & mentions
- FormerGov, directory for former government and military professionals seeking roles in the private sector.
- Topics referenced: GDPR, DORA, MFA, IAM, immutable backups, zero-trust enclaves, dark-web monitoring, third-party risk management & vendor tabletop exercises.

About the show
Chasing Entropy goes beyond headlines, no hype, no FUD, exploring the human decisions and systemic cracks that put security to the test. Subscribe, share, and send me your questions for future episodes.

Sep 9, 2025 • 31min
Chasing Entropy Podcast 020: Trey Ford on Research, Risk, and the Rise of Agentic AI
In the 20th episode of the Chasing Entropy Podcast, Dave Lewis sits down with Trey Ford, Chief Strategy & Trust Officer at Bugcrowd and former General Manager of Black Hat, to explore the realities of modern cybersecurity leadership.

From the pitfalls of annual penetration tests to the messy realities of vulnerability disclosure, Trey shares lessons from decades in the field. He explains why risk should be owned at the board level (not by the CISO alone), why disclosure remains the internet’s immune system, and what the rise of agentic AI means for governance and resilience.

The conversation also dives into leadership growth: shifting from arguing to win, to arguing to understand, and how CISOs can transform into true business partners rather than gatekeepers.

Key Takeaways
- Continuous resilience matters. Annual pen tests don’t reflect reality—continuous measurement does.
- Risk ownership belongs with the business. CISOs shouldn’t carry it alone.
- Disclosure is essential. Research-first venues like Black Hat make it safer.
- Agentic AI raises new risks. Guardrails, explainability, and governance must be designed in.
- CISO success = trust. Build partnerships across the executive team, not walls.

Memorable Quotes
- “If it’s accessible, it’s worth securing, scope is a convenience, not a defense.”
- “It’s not CISO vs. world; it’s the business deciding risk together.”
- “In the cloud you can ‘accidentally it all the way’, agentic AI just gives that accident agency.”

Listen to Episode 20 now wherever you get your podcasts!

Sep 2, 2025 • 32min
Chasing Entropy Podcast 019: Balancing Security, IT, and Human Outcomes with Jacob DePriest
In this episode of Chasing Entropy, host Dave Lewis, Global Advisory CISO at 1Password, sits down with Jacob DePriest, the newly appointed CISO and CIO at 1Password. Together, they explore the intersection of security, IT, and the human factors that shape how we defend and sometimes undermine our digital world.

From NSA to GitHub to 1Password
Jacob traces his path from early engineering work at the NSA to leading security operations at GitHub, and now into his dual role at 1Password. With roots in engineering and open source advocacy, he shares how those experiences shaped his approach to building secure yet productive environments.

Security and Development: A Necessary Partnership
A recurring theme is the relationship between security teams and developers. Jacob emphasizes that security cannot scale without deep integration into the engineering lifecycle. Rather than bolting on controls, he advocates for shared scoreboards, embedded guardrails, and empowering developers to focus on outcomes without unnecessary friction.

Secrets, AI, and the Future of Risk
The conversation dives into secrets management and the rise of AI in security. Jacob highlights how smarter alerting and AI-assisted scanning can help reduce noise around exposed credentials. They also discuss the promises and pitfalls of agentic AI, where transparency, governance, and credential security will become defining challenges for enterprises.

Balancing Productivity and Protection
As both CISO and CIO, Jacob is uniquely positioned to tackle the long-standing tension between IT enablement and security. He argues that these shouldn’t be opposing forces, the shared goal is enabling the business safely and responsibly. Hybrid teams and flexible models, such as customizable unlock experiences in 1Password, illustrate how to strike that balance.

Diversity, Culture, and Psychological Safety
The episode also touches on team culture: hiring for diversity of thought, encouraging dissenting voices, and building psychological safety. Jacob and Dave reflect on how recognition systems, open communication, and intentional leadership can foster stronger, more resilient security teams.

Parting Advice for Security Leaders
Jacob closes with two guiding principles:
- Focus on outcomes and the big picture, don’t lose sight of the real problems in pursuit of perfect solutions.
- Appreciate the community of security professionals who face daily challenges in an increasingly complex landscape.

Listen now to hear Jacob’s insights on navigating the evolving role of security leaders, the integration of IT and cybersecurity, and how to prepare for the next wave of challenges.

As always, be sure to like and subscribe!

Aug 26, 2025 • 34min
Chasing Entropy Podcast 018: From Game Genie to Global Security. A Conversation with Rob Fuller
In this episode of the Chasing Entropy Podcast, host Dave Lewis, Global Advisory CISO at 1Password, sits down with Rob Fuller (a.k.a. Mubix), cybersecurity leader, Marine Corps veteran, red teamer, and technical advisor, to explore the twists, turns, and lessons from a career built at the intersection of curiosity, community, and defense.

Early Sparks of Curiosity
Rob shares how tinkering with Game Genie and GameShark consoles in his youth planted the seeds of hacking and cybersecurity. From experimenting with memory manipulation in video games to dabbling in early online communities, his fascination with technology was clear—even if he didn’t yet have a name for it.

The Marine Corps and Grounding in Reality
His journey took a pivotal turn in the U.S. Marine Corps, where Rob shifted into IT and found his calling at the Marine Corps CERT. There, he confronted threats at a national scale, battling nation-state adversaries and learning the importance of context, failure, and resilience. The high-stakes environment taught him perspective—what truly counts as critical versus what’s just noise.

Red Teams, Purple Teams, and the Role of AI
Rob dives into his philosophy on red vs. purple teaming, how organizations misstep in their security approaches, and where AI fits into the equation. While AI can accelerate tasks like data analysis and content generation, he stresses that human judgment remains essential, particularly when weighing real-world risk.

Maturity in Vulnerability Disclosure Programs
Rob outlines the evolution of Vulnerability Disclosure Programs (VDPs)—from a simple security@company.com email, to structured bug bounties, to advanced maturity where vulnerabilities are ballooned out, templated, and continuously scanned across entire infrastructures. Tools like Nuclei earn his praise as underrated game-changers in scaling this process.

What’s Overrated, What’s Underrated
When asked about overrated tools, Rob jokingly points to Splunk, acknowledging it as a powerful log platform but often overhyped without the right people and processes behind it. In contrast, he champions Nuclei for its ability to empower teams with scalable, reusable vulnerability detection.

Leadership, Curiosity, and Mentorship
For those entering cybersecurity, Rob emphasizes starting the leadership journey early—seeking credentials, mentorship, and experience beyond being just a technical contributor. For senior leaders, he advises fostering curiosity and root cause analysis across teams, and creating spaces for “show and tells” where junior staff can share passion projects that might blossom into innovative enterprise-wide solutions.

Silicon Valley and Beyond
Rob also reflects on his experience as a technical advisor for HBO’s Silicon Valley, ensuring cybersecurity accuracy behind the scenes. From late-night calls to writer’s room debates, the role gave him a chance to influence how hacking and security were portrayed to millions of viewers—an opportunity to shift the narrative away from the usual Hollywood myths.

Listen to the full conversation for Rob’s insights on community, resilience, and the underrated value of curiosity in shaping the future of cybersecurity.

Don’t forget to like & subscribe to the Chasing Entropy Podcast wherever you get your podcasts.

Aug 19, 2025 • 39min
Chasing Entropy Podcast 017: The Storyteller’s Journey with Bill Brenner
In this episode of Chasing Entropy, Dave Lewis sits down with longtime friend and industry veteran Bill Brenner, Senior VP and Head of Content at Cyber Risk Alliance. Bill has been shaping the cybersecurity narrative for over two decades, from his early reporting days at TechTarget to his leadership roles at Akamai, Sophos, IANS, and now Cyber Risk Alliance.

From Newsrooms to Cybersecurity
Bill shares how his career began in traditional journalism, with a pivotal moment after 9/11 pushing him toward B2B reporting. A role at SearchSecurity marked his entry into cybersecurity, where he quickly established himself as a respected interviewer, writer, and—eventually—a storyteller within the security community.

The OCD Diaries & Mental Health Advocacy
A major part of Bill’s journey has been his candid writing in The OCD Diaries, a personal blog turned community resource. What started as a therapeutic exercise evolved into a touchstone for many in security facing similar struggles. Today, Bill continues that advocacy through his work with CyberMinds, developing tools and resources to support the mental health of cyber defenders, who often face burnout, PTSD-like stress, and relentless alert fatigue.

Storytelling, Security, and Leadership
Reflecting on his time at Akamai, Bill discusses how being embedded in a security team during the Heartbleed and Shellshock era shaped his understanding of communication, trust, and leadership. He and Dave revisit their collaboration on reports, vulnerability advisories, and how content can influence both internal teams and the wider industry.

AI, Content, and the Human Element
Bill and Dave dive into the current disruption caused by artificial intelligence. While many companies mistakenly see AI as a replacement for people, Bill argues it must be used as an enhancer—freeing humans from repetitive tasks while preserving creativity, critical thinking, and authenticity. His own work at Cyber Risk Alliance now includes experimenting with AI to streamline workflows without losing the human voice.

Looking Ahead
Bill emphasizes the importance of resilience, humility, and staying focused on the human side of security. Whether through mental health advocacy, building stronger content strategies, or mentoring the next generation, his mission remains clear: tell stories that matter and help the community thrive in an increasingly chaotic digital world.

Where to find Bill:
- The OCD Diaries (archived blog with evergreen posts)
- Bill on LinkedIn (active writing and insights)
- SC Media / SC World (ongoing journalism and leadership work)

Aug 12, 2025 • 37min
Chasing Entropy Podcast 016: Seeing Beyond the Hype with Fernando Montenegro
In this episode of the Chasing Entropy Podcast, host Dave Lewis welcomes industry analyst and long-time cybersecurity veteran Fernando Montenegro for a far-ranging and refreshingly honest discussion about the evolution of security, the realities of AI, and the human stories that shape our digital defenses.

Fernando shares his origin story from math and fractals in Brazil to cryptography and bulletin boards, and ultimately to a career that has spanned consulting, sales engineering, and now research and analysis. Along the way, he highlights the importance of community spaces like TASK (Toronto Area Security Klatsch) and B-Sides as pivotal launchpads for industry newcomers.

The conversation dives deep into artificial intelligence and its nuanced role in cybersecurity:
- Security for AI: Helping organizations safely adopt AI tools.
- AI for Security: Using AI to enhance defense mechanisms.
- Security against AI: Preparing for AI-augmented attacks and fraud.

Fernando advocates for viewing AI through an economic and socio-technical lens rather than blindly trusting in its promise. As both he and Dave agree, AI isn't magic—it's math. It can augment work, but replacing human judgment, strategy, and contextual understanding is far from reality.

They also touch on the dangers of layoffs fueled by AI hype, calling out examples like Klarna’s public misstep, and drawing parallels to earlier cloud-related downsizing miscalculations. Both stress the importance of understanding what workers actually do before trying to replace them with automation.

As the episode wraps, Fernando delivers sage advice for those entering or pivoting into cybersecurity:
- Leverage your prior experience, whether from hospitality or marketing, it has value.
- Seek mentorship from peers 2–5 years ahead of you for tactical guidance.
- Don’t be discouraged by gatekeeping; curiosity and kindness go a long way in this relationship-driven field.

Whether you're a seasoned professional or just getting started, this episode is a candid reminder that cybersecurity is as much about people as it is about technology and that chasing entropy means embracing complexity, not avoiding it.

Aug 5, 2025 • 34min
Chasing Entropy Podcast Episode 015: Herding Chaos with Jeffrey Wheatman
In this special "Summer Camp" edition of Chasing Entropy, Dave Lewis sits down with longtime friend and cyber risk veteran Jeffrey Wheatman. From their early DEF CON gooning days to leading board-level security conversations, Dave and Jeffrey explore how cybersecurity professionals navigate entropy—when systems unravel, and chaos creeps in.

Jeffrey, a former VP at Gartner and now a cyber risk strategist, brings 30 years of experience to the mic. They dive deep into the human and organizational aspects of risk management, effective communication with executive leadership, and how the security industry can stop "solutioning" with tech and instead focus on solving real problems.

Key Topics That We Covered:
- From Hardware Store to Cyber Risk Strategist: Jeffrey’s unconventional path into cybersecurity and early lessons learned about clarity, communication, and not working in retail.
- Tech for Tech’s Sake?: Why the obsession with new tools misses the point—and how reframing security in terms of solving business problems is the real game changer.
- Communicating with Boards: Strategies for helping CISOs resonate with executives, plus tips on improving board-level metrics and engagement.
- AI in Cybersecurity: Cautious optimism, practical concerns, and philosophical musings. Both Dave and Jeffrey agree: AI is no silver bullet. But with thoughtful integration and strong scenario planning, it can be a powerful partner—especially for edge cases and pattern recognition.
- Speaking to Your Audience: Whether you're in front of a board or a DEF CON hallway track, Jeffrey shares hard-won lessons about adjusting your message, avoiding condescension, and using metaphors that land.

Memorable Quotes
- “Technology is created and put in place to solve problems. Full stop.” — Jeffrey Wheatman
- “Your execs care about three things: money in, money out, and who gets in trouble when stuff goes sideways.” — Jeffrey Wheatman
- “AI is overblown and underutilized—both are true.” — Dave Lewis

Where to Find Jeffrey
- LinkedIn: The only “Jeffrey Wheatman”
- Speaking soon at: SANS Security Awareness, ISACA GRC, Black Hat, and PDA PRISM Conference
- Fun fact: At DEF CON, you’ll know him as “Mnkey.”

Listen now, share widely, and join us again next week as we continue Chasing Entropy in a world full of chaos and credentials.

Don’t forget to like, subscribe, and spread the entropy.

Jul 29, 2025 • 35min
Chasing Entropy Podcast Episode 014: Hats Off to the Hacker Ethos with Emil Tan
In this episode of the Chasing Entropy Podcast, I am joined by Singapore-based cybersecurity leader Emil Tan, a man who wears many hats and wears them well. From government defense to grassroots community building, Emil’s journey is a masterclass in adaptability, curiosity, and community spirit in cybersecurity.

Who Is Emil Tan?
Emil is a cybersecurity polymath: a national defense contributor at Booz Allen, founder of the Singapore-based community Division Zero (Div0), co-founder of the hacker conference SINCON, advisor to the startup RedAlpha, and active participant in the non-profit CREST. His career arc spans R&D, operations, policy, and education—with a consistent theme of learning by doing.

A Non-Linear Path to Impact
Emil shares his unlikely journey into cybersecurity, which began not with elite academic scores but with a love for math and curiosity about the digital world. After being part of Singapore’s first cohort in a cybersecurity diploma program, Emil embraced early challenges in capture-the-flag (CTF) competitions and informal meetups at McDonald's that eventually gave rise to Div0.

From Operations to Policy and Back Again
What sets Emil apart is his transition from cyber operations to policymaking. Frustrated by policies that didn’t reflect frontline realities, he stepped into the policy arena to bridge the gap. He speaks candidly about the complexity of policymaking and the importance of being a "technical policymaker" who can translate between operations and lawmaking.

The Power of Automation and AI (Without the Hype)
Emil and Dave dig into the evolution of automation in security—from scripting away mundane tasks to the role of AI today. Emil’s philosophy? Automate the boring stuff so you can focus on meaningful work. He challenges the fear-driven narrative around AI, noting that rather than replacing jobs, it redefines them.

Advice for Aspiring Security Pros
Whether you’re new to the field or feeling stuck, Emil offers grounded, honest advice:
- Fall in love with your career, not just your job
- Start anywhere, fail often, and learn deeply
- Talk to people—war stories beat certificates
- Seek community: Div0, SINCON, and beyond

Get Connected
Want to connect with Emil?
- LinkedIn
- Attend Div0 meetups (twice a month in Singapore)
- Catch him at the next SINCON conference

Listen now on all major platforms and don't forget to like, subscribe, and share. Thanks for joining me as we continue the Chasing Entropy Podcast, where chaos meets clarity, and security finds its human side.

Jul 22, 2025 • 42min
Chasing Entropy Podcast Episode 013: Jack Daniel: A Life in Security, Sock Puppets, and Community-Building
Jack Daniel, a legendary storyteller and community-builder, shares his incredible journey from mechanic to cybersecurity strategist. He recounts humorous tales from his early days tinkering with cars, before navigating into tech by chance. The heart of the conversation focuses on the founding of BSides, a community-centered security movement that empowers local talent worldwide. Jack also discusses his unique presentation style with sock puppets, all while emphasizing the importance of community, mentorship, and authentic engagement in fostering connections.


