<?xml version="1.0" encoding="UTF-8"?><!-- generator="podbean/5.5" -->
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wfw="http://wellformedweb.org/CommentAPI/"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:atom="http://www.w3.org/2005/Atom"
     xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
     xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"
     xmlns:spotify="http://www.spotify.com/ns/rss"
     xmlns:podcast="https://podcastindex.org/namespace/1.0"
    xmlns:media="http://search.yahoo.com/mrss/">

<channel>
    <title>The Cyber Ranch Podcast</title>
    <atom:link href="https://feed.podbean.com/thecyberranchpodcast/feed.xml" rel="self" type="application/rss+xml"/>
    <link>https://thecyberranchpodcast.podbean.com</link>
    <description>Ride the cyber trails with two CISOs (Allan Alford and Drew Simonis) and a diverse group of friends and experts who bring a human perspective to cybersecurity.</description>
    <pubDate>Wed, 08 Jan 2025 05:00:00 -0600</pubDate>
    <generator>https://podbean.com/?v=5.5</generator>
    <language>en-us</language>
        <copyright>© 2021-2023 The Cyber Ranch Podcast Allan Alford</copyright>
    <category>Technology</category>
    <ttl>1440</ttl>
    <itunes:type>episodic</itunes:type>
          <itunes:summary>Ride the cyber trails with one CISO (Allan Alford) and a diverse group of friends and experts who bring a human perspective to cybersecurity.</itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
<itunes:category text="Technology" />
    <itunes:owner>
        <itunes:name>Allan Alford</itunes:name>
            </itunes:owner>
    	<itunes:block>No</itunes:block>
	<itunes:explicit>false</itunes:explicit>
    <itunes:image href="https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt.jpg" />
    <image>
        <url>https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt.jpg</url>
        <title>The Cyber Ranch Podcast</title>
        <link>https://thecyberranchpodcast.podbean.com</link>
        <width>144</width>
        <height>144</height>
    </image>
    <item>
        <title>That's All, Folks, and THANK YOU!</title>
        <itunes:title>That's All, Folks, and THANK YOU!</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/thats-all-folks-and-thank-you/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/thats-all-folks-and-thank-you/#comments</comments>
        <pubDate>Wed, 08 Jan 2025 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/65adc611-0e4f-3ed7-9aee-9c16d6cc300e</guid>
                                    <description><![CDATA[<p>Every trail ride ends at the, well, end of the trail.</p>
<p>This is the end of the trail for The Cyber Ranch Podcast.</p>
<p>Drew and Allan offer final parting thoughts and conduct brief interviews with 3 folks whose presence was vital to the show:  Chris Cochran, Ron Eddings, and Rich Salim.</p>
<p>It's been an amazing journey and we thank ALL of you who ever listened to even just one snippet of one episode.</p>
<p>Y'all stay good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Every trail ride ends at the, well, end of the trail.</p>
<p>This is the end of the trail for The Cyber Ranch Podcast.</p>
<p>Drew and Allan offer final parting thoughts and conduct brief interviews with 3 folks whose presence was vital to the show:  Chris Cochran, Ron Eddings, and Rich Salim.</p>
<p>It's been an amazing journey and we thank ALL of you who ever listened to even just one snippet of one episode.</p>
<p>Y'all stay good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/wk8qe4kteie4crry/thats_all_folks_finishedbbbv2.mp3" length="14557980" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Every trail ride ends at the, well, end of the trail.
This is the end of the trail for The Cyber Ranch Podcast.
Drew and Allan offer final parting thoughts and conduct brief interviews with 3 folks whose presence was vital to the show:  Chris Cochran, Ron Eddings, and Rich Salim.
It's been an amazing journey and we thank ALL of you who ever listened to even just one snippet of one episode.
Y'all stay good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>905</itunes:duration>
                <itunes:episode>204</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Why We Need To Rethink All of It</title>
        <itunes:title>Why We Need To Rethink All of It</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/why-we-need-to-rethink-all-of-it/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/why-we-need-to-rethink-all-of-it/#comments</comments>
        <pubDate>Wed, 01 Jan 2025 08:35:21 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/8b6d4c9a-1295-35ef-9115-87d9e89a3e42</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast.  Today we tackle WHY?  
Why do we have this show?  Why do we ask the questions we ask and host the guests we host?  Why does any of this matter?</p>
<p>More importantly, WHY do we all keep doing the same things over and over, saying the same things over and over, and expecting better results?</p>
<p>WHAT  can we change?</p>
<p>Join Allan Alford, many-times CISO and cybersecurity podcaster of many years now.  Joining Allan is Drew Simonis, who has been co-hosting the show now for 21 episodes, and a guest a few times before that.</p>
<p>This show is a chance to understand the premise of the show better, to understand Drew better, and to find out why we're all here.  Drew's bona fides:</p>
<ul>
<li>CISO @ Juniper Networks</li>
<li>Former CISO and Deputy CISO @ HPE</li>
<li>CISO @ Willis</li>
<li>And various other roles including an industry role at Symantec</li>
</ul>
<p>Drew joined as co-host because he’s a deep thinker, and because he applies that deep thinking to challenging the status quo.</p>
<p> </p>
<p>Allan's WHY is very simple.  We’ve not grown or progressed as an industry in years now.  Which means we are clearly doing something wrong.  Mostly, IMHO, resting on our laurels, making the same assumptions, trying the same techniques, and not questioning any of it.</p>
<p>Drew offers a more nuanced take on the idea of "speaking the language of the business".  It's a great show.  Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast.  Today we tackle WHY?  <br>
Why do we have this show?  Why do we ask the questions we ask and host the guests we host?  Why does any of this matter?</p>
<p>More importantly, WHY do we all keep doing the same things over and over, saying the same things over and over, and expecting better results?</p>
<p>WHAT  can we change?</p>
<p>Join Allan Alford, many-times CISO and cybersecurity podcaster of many years now.  Joining Allan is Drew Simonis, who has been co-hosting the show now for 21 episodes, and a guest a few times before that.</p>
<p>This show is a chance to understand the premise of the show better, to understand Drew better, and to find out why we're all here.  Drew's bona fides:</p>
<ul>
<li>CISO @ Juniper Networks</li>
<li>Former CISO and Deputy CISO @ HPE</li>
<li>CISO @ Willis</li>
<li>And various other roles including an industry role at Symantec</li>
</ul>
<p>Drew joined as co-host because he’s a deep thinker, and because he applies that deep thinking to challenging the status quo.</p>
<p> </p>
<p>Allan's WHY is very simple.  We’ve not grown or progressed as an industry in years now.  Which means we are clearly doing something wrong.  Mostly, IMHO, resting on our laurels, making the same assumptions, trying the same techniques, and not questioning any of it.</p>
<p>Drew offers a more nuanced take on the idea of "speaking the language of the business".  It's a great show.  Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/sw8q53a8id9a4ers/drew_and_allan_finihsedals4z.mp3" length="37329233" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast.  Today we tackle WHY?  Why do we have this show?  Why do we ask the questions we ask and host the guests we host?  Why does any of this matter?
More importantly, WHY do we all keep doing the same things over and over, saying the same things over and over, and expecting better results?
WHAT  can we change?
Join Allan Alford, many-times CISO and cybersecurity podcaster of many years now.  Joining Allan is Drew Simonis, who has been co-hosting the show now for 21 episodes, and a guest a few times before that.
This show is a chance to understand the premise of the show better, to understand Drew better, and to find out why we're all here.  Drew's bona fides:

CISO @ Juniper Networks
Former CISO and Deputy CISO @ HPE
CISO @ Willis
And various other roles including an industry role at Symantec

Drew joined as co-host because he’s a deep thinker, and because he applies that deep thinking to challenging the status quo.
 
Allan's WHY is very simple.  We’ve not grown or progressed as an industry in years now.  Which means we are clearly doing something wrong.  Mostly, IMHO, resting on our laurels, making the same assumptions, trying the same techniques, and not questioning any of it.
Drew offers a more nuanced take on the idea of "speaking the language of the business".  It's a great show.  Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2328</itunes:duration>
                <itunes:episode>203</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Narrative Intelligence with Joe Stradinger</title>
        <itunes:title>Narrative Intelligence with Joe Stradinger</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/narrative-intelligence-with-joe-stradinger/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/narrative-intelligence-with-joe-stradinger/#comments</comments>
        <pubDate>Wed, 18 Dec 2024 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/662584fc-8066-315a-b71a-3a40986faa9f</guid>
                                    <description><![CDATA[<p>We have all had a vague sense that our world is being manipulated, informed and fed by various conscious manipulation tactics - influence on political campaigns on social media, culture wars, class wars, etc.  But we can glean out the facts and figure out who is telling what story if we embrace a new discipline - Narrative Intelligence.</p>
<p>Our guest this week is Joe Stradinger, Founder and CEO of EdgeTheory, who are out to understand and leverage the conversations that shape our world.  Specifically, social media campaigns and presences.  Think threat intelligence but at a global/sociopolitical level.  Joe has been an investor, he has worked in DC, and he has a lot of academic ties as well.  His knowledge in this space is immense, and we are tickled pink to have him here at the ‘Ranch.</p>
<p>We ask Joe:</p>
<ul>
<li>What are the goals of a robust threat intelligence program?</li>
<li>What is narrative intelligence and why does it matter?</li>
<li>Compare and contrast this to traditional threat intelligence?</li>
<li>How do adversaries influence the narratives?  Is this the realm of bots and deepfakes?</li>
<li>Does narrative intelligence replace, complement, or improve on traditional approaches?</li>
<li>How can narrative intelligence enable you to get in front of problems?</li>
</ul>
<p>It's an excellent conversation, well worth a listen.</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>We have all had a vague sense that our world is being manipulated, informed and fed by various conscious manipulation tactics - influence on political campaigns on social media, culture wars, class wars, etc.  But we can glean out the facts and figure out who is telling what story if we embrace a new discipline - Narrative Intelligence.</p>
<p>Our guest this week is Joe Stradinger, Founder and CEO of EdgeTheory, who are out to understand and leverage the conversations that shape our world.  Specifically, social media campaigns and presences.  Think threat intelligence but at a global/sociopolitical level.  Joe has been an investor, he has worked in DC, and he has a lot of academic ties as well.  His knowledge in this space is immense, and we are tickled pink to have him here at the ‘Ranch.</p>
<p>We ask Joe:</p>
<ul>
<li>What are the goals of a robust threat intelligence program?</li>
<li>What is narrative intelligence and why does it matter?</li>
<li>Compare and contrast this to traditional threat intelligence?</li>
<li>How do adversaries influence the narratives?  Is this the realm of bots and deepfakes?</li>
<li>Does narrative intelligence replace, complement, or improve on traditional approaches?</li>
<li>How can narrative intelligence enable you to get in front of problems?</li>
</ul>
<p>It's an excellent conversation, well worth a listen.</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/inkusqujnrcfsike/joe_finished77kfv.mp3" length="35406202" type="audio/mpeg"/>
        <itunes:summary><![CDATA[We have all had a vague sense that our world is being manipulated, informed and fed by various conscious manipulation tactics - influence on political campaigns on social media, culture wars, class wars, etc.  But we can glean out the facts and figure out who is telling what story if we embrace a new discipline - Narrative Intelligence.
Our guest this week is Joe Stradinger, Founder and CEO of EdgeTheory, who are out to understand and leverage the conversations that shape our world.  Specifically, social media campaigns and presences.  Think threat intelligence but at a global/sociopolitical level.  Joe has been an investor, he has worked in DC, and he has a lot of academic ties as well.  His knowledge in this space is immense, and we are tickled pink to have him here at the ‘Ranch.
We ask Joe:

What are the goals of a robust threat intelligence program?
What is narrative intelligence and why does it matter?
Compare and contrast this to traditional threat intelligence?
How do adversaries influence the narratives?  Is this the realm of bots and deepfakes?
Does narrative intelligence replace, complement, or improve on traditional approaches?
How can narrative intelligence enable you to get in front of problems?

It's an excellent conversation, well worth a listen.
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2208</itunes:duration>
                <itunes:episode>202</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>CISO vs. CTO with Jon Green</title>
        <itunes:title>CISO vs. CTO with Jon Green</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/ciso-vs-cto-with-jon-green/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/ciso-vs-cto-with-jon-green/#comments</comments>
        <pubDate>Wed, 11 Dec 2024 06:47:57 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/eb73fad7-14a4-31e3-9b23-d28958b1b252</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Jon Green, an experienced CISO but also an experienced CTO.  Jon is currently the CSO and CTO at HPE’s Aruba.  He’s also a DefCon goon and a Team8 Villager.  He’s done the marketing engineer side, the network engineer side…  Quite a storied past.  We are thrilled to be talking with him about the differences between CSO/CISO and CTO.  Jon, thank you so much for joining us at the ‘Ranch!</p>
<ul>
<li>Tell us about your early career, did you start in security or as a technologist?</li>
<li>What are the key priorities for someone with a CTO title? </li>
<li>As someone who has held both CTO and CSO titles, how does the pressure to deliver revenue impacting products differ from the pressure cyber leaders face?</li>
<li>What does it feel like to be on the receiving end of security requirements which are often developed in the abstract or for the general case?</li>
<li>When you are assessing future trends and technology shifts, what are the different lenses you use to make the security evaluation vs the more functional and integration-oriented evaluation?</li>
<li>What is something you have learned which surprised you?  What do you wish other CSOs understood better?  What is a piece of advice…</li>
<li>You’ve been involved in Defcon and other cyber events for many years, what changes have you seen during that time?</li>
</ul>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Jon Green, an experienced CISO but also an experienced CTO.  Jon is currently the CSO and CTO at HPE’s Aruba.  He’s also a DefCon goon and a Team8 Villager.  He’s done the marketing engineer side, the network engineer side…  Quite a storied past.  We are thrilled to be talking with him about the differences between CSO/CISO and CTO.  Jon, thank you so much for joining us at the ‘Ranch!</p>
<ul>
<li>Tell us about your early career, did you start in security or as a technologist?</li>
<li>What are the key priorities for someone with a CTO title? </li>
<li>As someone who has held both CTO and CSO titles, how does the pressure to deliver revenue impacting products differ from the pressure cyber leaders face?</li>
<li>What does it feel like to be on the receiving end of security requirements which are often developed in the abstract or for the general case?</li>
<li>When you are assessing future trends and technology shifts, what are the different lenses you use to make the security evaluation vs the more functional and integration-oriented evaluation?</li>
<li>What is something you have learned which surprised you?  What do you wish other CSOs understood better?  What is a piece of advice…</li>
<li>You’ve been involved in Defcon and other cyber events for many years, what changes have you seen during that time?</li>
</ul>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/ee3faqya7jiaxy72/jon_finishedaljuj.mp3" length="31683440" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Jon Green, an experienced CISO but also an experienced CTO.  Jon is currently the CSO and CTO at HPE’s Aruba.  He’s also a DefCon goon and a Team8 Villager.  He’s done the marketing engineer side, the network engineer side…  Quite a storied past.  We are thrilled to be talking with him about the differences between CSO/CISO and CTO.  Jon, thank you so much for joining us at the ‘Ranch!

Tell us about your early career, did you start in security or as a technologist?
What are the key priorities for someone with a CTO title? 
As someone who has held both CTO and CSO titles, how does the pressure to deliver revenue impacting products differ from the pressure cyber leaders face?
What does it feel like to be on the receiving end of security requirements which are often developed in the abstract or for the general case?
When you are assessing future trends and technology shifts, what are the different lenses you use to make the security evaluation vs the more functional and integration-oriented evaluation?
What is something you have learned which surprised you?  What do you wish other CSOs understood better?  What is a piece of advice…
You’ve been involved in Defcon and other cyber events for many years, what changes have you seen during that time?

Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1976</itunes:duration>
                <itunes:episode>201</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Industry Introspective with Thomas Krane</title>
        <itunes:title>Industry Introspective with Thomas Krane</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/industry-introspective-with-thomas-krane/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/industry-introspective-with-thomas-krane/#comments</comments>
        <pubDate>Wed, 04 Dec 2024 06:19:07 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/444183ce-3528-35d8-aa39-329bd0cfa4de</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Thomas Krane, Managing Director at Insight Partners.  If you go to Thomas’ LinkedIn page, you will also see that he works with a number of cybersecurity scaleups (we'll define that term).  As such, Thomas is uniquely qualified to speak to some trends in the industry.  Drew asked Thomas to join us here at the ‘Ranch to discuss quite a few facets of the industry.  Thomas, thank you for coming on down to the ‘Ranch!</p>
<ul>
<li>We see consolidation and platform creation, but also continued development and evolution of point products. Are we better to view cyber as a single market or is this a combination of several related but distinct markets?</li>
<li>It looks like money is flowing into startups again, is that so? If so, what factors are driving the renewed interest in cyber products? And what is the difference between a startup and a scaleup?</li>
<li>Is VC money leading the development of new solutions or is it in a phase of fast following?</li>
<li>Aside from AI, what types of solutions are heating up and where is it seeing more stable maturity? Any areas that have fallen off the map?</li>
<li>Speaking of AI, are you seeing predominantly new solutions or reframing of existing solutions to fit the new challenges that AI poses?</li>
<li>Two ends of a spectrum, security using AI and securing AI. Which is most interesting? Which is more likely to produce a big breakthrough? Which is a more solvable problem?</li>
</ul>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Thomas Krane, Managing Director at Insight Partners.  If you go to Thomas’ LinkedIn page, you will also see that he works with a number of cybersecurity scaleups (we'll define that term).  As such, Thomas is uniquely qualified to speak to some trends in the industry.  Drew asked Thomas to join us here at the ‘Ranch to discuss quite a few facets of the industry.  Thomas, thank you for coming on down to the ‘Ranch!</p>
<ul>
<li>We see consolidation and platform creation, but also continued development and evolution of point products. Are we better to view cyber as a single market or is this a combination of several related but distinct markets?</li>
<li>It looks like money is flowing into startups again, is that so? If so, what factors are driving the renewed interest in cyber products? And what is the difference between a startup and a scaleup?</li>
<li>Is VC money leading the development of new solutions or is it in a phase of fast following?</li>
<li>Aside from AI, what types of solutions are heating up and where is it seeing more stable maturity? Any areas that have fallen off the map?</li>
<li>Speaking of AI, are you seeing predominantly new solutions or reframing of existing solutions to fit the new challenges that AI poses?</li>
<li>Two ends of a spectrum, security using AI and securing AI. Which is most interesting? Which is more likely to produce a big breakthrough? Which is a more solvable problem?</li>
</ul>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/7mmd75gfspkt3ba6/thomas_finishedbmh67.mp3" length="33091544" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Thomas Krane, Managing Director at Insight Partners.  If you go to Thomas’ LinkedIn page, you will also see that he works with a number of cybersecurity scaleups (we'll define that term).  As such, Thomas is uniquely qualified to speak to some trends in the industry.  Drew asked Thomas to join us here at the ‘Ranch to discuss quite a few facets of the industry.  Thomas, thank you for coming on down to the ‘Ranch!

We see consolidation and platform creation, but also continued development and evolution of point products. Are we better to view cyber as a single market or is this a combination of several related but distinct markets?
It looks like money is flowing into startups again, is that so? If so, what factors are driving the renewed interest in cyber products? And what is the difference between a startup and a scaleup?
Is VC money leading the development of new solutions or is it in a phase of fast following?
Aside from AI, what types of solutions are heating up and where is it seeing more stable maturity? Any areas that have fallen off the map?
Speaking of AI, are you seeing predominantly new solutions or reframing of existing solutions to fit the new challenges that AI poses?
Two ends of a spectrum, security using AI and securing AI. Which is most interesting? Which is more likely to produce a big breakthrough? Which is a more solvable problem?

Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2064</itunes:duration>
                <itunes:episode>200</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Hybrid Identity Protection - Amazing Interviews with Many Guests</title>
        <itunes:title>Hybrid Identity Protection - Amazing Interviews with Many Guests</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/hybrid-identity-protection-amazing-interviews-with-many-guests/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/hybrid-identity-protection-amazing-interviews-with-many-guests/#comments</comments>
        <pubDate>Wed, 20 Nov 2024 06:29:52 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/98691e3d-10eb-3d29-bd79-73090deec5dd</guid>
                                    <description><![CDATA[<p>This week Allan attended the HIP Global conference in New Orleans, which happens to be Allan's favorite city in America.</p>
<p>The conference was outstanding - no sales pitches, no nonsense, just many experts speaking on the topic of securing identity.  Entra ID, Okta, AD folks all were present, and it was amazing.</p>
<p>Allan got to interview some AMAZING guests from all walks of identity life, including one gentleman whose pedigree includes a rather critical national role right out of the White House...</p>
<p>Listen in as Allan asks the following questions (one of which Drew answers too!)</p>
<ul>
<li>Why does identity matter?</li>
<li>How do we protect the intersection of identity and data?</li>
<li>How do you protect uptime (availability) of identity?</li>
<li>What should be the single source of truth in identity?</li>
<li>Who should own identity?  CISO?  CIO?  CTO?</li>
<li>What is the role of cybersecurity in identity?</li>
<li>What is the best directory service of all time?</li>
<li>How do you manage identity sprawl?</li>
</ul>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This week Allan attended the HIP Global conference in New Orleans, which happens to be Allan's favorite city in America.</p>
<p>The conference was outstanding - no sales pitches, no nonsense, just many experts speaking on the topic of securing identity.  Entra ID, Okta, AD folks all were present, and it was amazing.</p>
<p>Allan got to interview some AMAZING guests from all walks of identity life, including one gentleman whose pedigree includes a rather critical national role right out of the White House...</p>
<p>Listen in as Allan asks the following questions (one of which Drew answers too!)</p>
<ul>
<li>Why does identity matter?</li>
<li>How do we protect the intersection of identity and data?</li>
<li>How do you protect uptime (availability) of identity?</li>
<li>What should be the single source of truth in identity?</li>
<li>Who should own identity?  CISO?  CIO?  CTO?</li>
<li>What is the role of cybersecurity in identity?</li>
<li>What is the best directory service of all time?</li>
<li>How do you manage identity sprawl?</li>
</ul>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/8yngar4mcgrrpi45/nola_fishied6h4ds.mp3" length="30513154" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This week Allan attended the HIP Global conference in New Orleans, which happens to be Allan's favorite city in America.
The conference was outstanding - no sales pitches, no nonsense, just many experts speaking on the topic of securing identity.  Entra ID, Okta, AD folks all were present, and it was amazing.
Allan got to interview some AMAZING guests from all walks of identity life, including one gentleman whose pedigree includes a rather critical national role right out of the White House...
Listen in as Allan asks the following questions (one of which Drew answers too!)

Why does identity matter?
How do we protect the intersection of identity and data?
How do you protect uptime (availability) of identity?
What should be the single source of truth in identity?
Who should own identity?  CISO?  CIO?  CTO?
What is the role of cybersecurity in identity?
What is the best directory service of all time?
How do you manage identity sprawl?

Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1902</itunes:duration>
                <itunes:episode>199</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Practical GenAI and LLM with Tim Rohrbaugh</title>
        <itunes:title>Practical GenAI and LLM with Tim Rohrbaugh</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/practical-genai-and-llm-with-tim-rohrbaugh/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/practical-genai-and-llm-with-tim-rohrbaugh/#comments</comments>
        <pubDate>Thu, 07 Nov 2024 05:59:24 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/c89c3bb1-cc25-373f-a572-10df10bebcdc</guid>
                                    <description><![CDATA[<p>In this episode Allan and Drew consult Tim Rohrbaugh, who has done quite a lot of research and work on the practical applications, deployment, use cases and limits of GenAI and LLM.</p>
<ul><li>Flavors and incarnations of AI - GenAI, Expert Systems, ML...</li>
<li>Biomimicry and Allan's weird sea cucumber references</li>
<li>Practical LLM deployment - Tim's maxims</li>
<li>Offline or online?  Open or proprietary models?</li>
<li>Precision, accuracy, asking the right questions in the first place</li>
<li>Your smartest employee as your limiting factor</li>
<li>Probabilistic vs. deterministic outcomes</li>
<li>Hallucinations - not necessarily a negative term</li>
<li>How long before we get the person out of the loop?</li>
<li>The actual skills required to be a "GenAI engineer"</li>
<li>Getting started at home - hardware and models</li>
<li>Fabric AI and patterns</li>
</ul>
<p>It's a great show and you will most definitely learn a lot!  Thank you Tim, thank you, listeners!  Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode Allan and Drew consult Tim Rohrbaugh, who has done quite a lot of research and work on the practical applications, deployment, use cases and limits of GenAI and LLM.</p>
<ul><li>Flavors and incarnations of AI - GenAI, Expert Systems, ML...</li>
<li>Biomimicry and Allan's weird sea cucumber references</li>
<li>Practical LLM deployment - Tim's maxims</li>
<li>Offline or online?  Open or proprietary models?</li>
<li>Precision, accuracy, asking the right questions in the first place</li>
<li>Your smartest employee as your limiting factor</li>
<li>Probabilistic vs. deterministic outcomes</li>
<li>Hallucinations - not necessarily a negative term</li>
<li>How long before we get the person out of the loop?</li>
<li>The actual skills required to be a "GenAI engineer"</li>
<li>Getting started at home - hardware and models</li>
<li>Fabric AI and patterns</li>
</ul>
<p>It's a great show and you will most definitely learn a lot!  Thank you Tim, thank you, listeners!  Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/qzfitpwxhvzxk7wm/tim_finished38451h.mp3" length="43639998" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode Allan and Drew consult Tim Rohrbaugh, who has done quite a lot of research and work on the practical applications, deployment, use cases and limits of GenAI and LLM.
Flavors and incarnations of AI - GenAI, Expert Systems, ML...
Biomimicry and Allan's weird sea cucumber references
Practical LLM deployment - Tim's maxims
Offline or online?  Open or proprietary models?
Precision, accuracy, asking the right questions in the first place
Your smartest employee as your limiting factor
Probabilistic vs. deterministic outcomes
Hallucinations - not necessarily a negative term
How long before we get the person out of the loop?
The actual skills required to be a "GenAI engineer"
Getting started at home - hardware and models
Fabric AI and patterns
It's a great show and you will most definitely learn a lot!  Thank you Tim, thank you, listeners!  Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2723</itunes:duration>
                <itunes:episode>198</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Cyber Civics and Voting with Kirsten Davies - SPECIAL EDITION!</title>
        <itunes:title>Cyber Civics and Voting with Kirsten Davies - SPECIAL EDITION!</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/cyber-civics-and-voting-with-kirsten-davies-special-edition/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/cyber-civics-and-voting-with-kirsten-davies-special-edition/#comments</comments>        <pubDate>Wed, 30 Oct 2024 05:09:29 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/2998ef74-8786-383d-b43f-9ed538e6f8ea</guid>
                                    <description><![CDATA[<p>Howdy, y'all!  With American presidential elections already under way, Allan and Drew decided that scrambling to get Kirsten Davies on this week's show (the last one before formal Election Day) was paramount.  Kirsten has been on our potential guest list for years now, as she is a multiple-time Fortune 500 CISO.</p>
<p>But now Kirsten is CEO and Founder of The Institute for Cyber Civics, a non-partisan non-profit aimed at empowering poll workers and poll volunteers to recognize and deal with cyber attacks on the voting process.</p>
<p>Hear about Kirsten's charter, mission, vision, goals and capabilities in this SPECIAL EDITION! episode!</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y'all!  With American presidential elections already under way, Allan and Drew decided that scrambling to get Kirsten Davies on this week's show (the last one before formal Election Day) was paramount.  Kirsten has been on our potential guest list for years now, as she is a multiple-time Fortune 500 CISO.</p>
<p>But now Kirsten is CEO and Founder of The Institute for Cyber Civics, a non-partisan non-profit aimed at empowering poll workers and poll volunteers to recognize and deal with cyber attacks on the voting process.</p>
<p>Hear about Kirsten's charter, mission, vision, goals and capabilities in this SPECIAL EDITION! episode!</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/bpn6bguj6pewb32f/kirsten_finished9fbvp.mp3" length="31770375" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y'all!  With American presidential elections already under way, Allan and Drew decided that scrambling to get Kirsten Davies on this week's show (the last one before formal Election Day) was paramount.  Kirsten has been on our potential guest list for years now, as she is a multiple-time Fortune 500 CISO.
But now Kirsten is CEO and Founder of The Institute for Cyber Civics, a non-partisan non-profit aimed at empowering poll workers and poll volunteers to recognize and deal with cyber attacks on the voting process.
Hear about Kirsten's charter, mission, vision, goals and capabilities in this SPECIAL EDITION! episode!
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1981</itunes:duration>
                <itunes:episode>197</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Social Media &amp; Community Engagement with Technically__Rose</title>
        <itunes:title>Social Media &amp; Community Engagement with Technically__Rose</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/social-media-community-engagement-with-technically__rose/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/social-media-community-engagement-with-technically__rose/#comments</comments>        <pubDate>Wed, 23 Oct 2024 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/33d4c079-d127-35cc-90f6-a37ca51b9178</guid>
                                    <description><![CDATA[<p>Our guest today is Babbette Jackson, aka Technically__Rose of YouTube and Instagram fame!</p>
<p>Babbette is in DLP and Insider threat analysis.  She has worked in places as far flung as Edward Jones, Juniper Networks, and Bank of America.  More importantly, Babbette is quite involved in the intersection of social media and community engagement.</p>
<p>How do we use social media to engage others across generations and to encourage community participation?</p>
<p>Allan, Drew and Babbette discuss:</p>
<ul><li>We’ve been talking to others about how they arrived in and either struggled or flourished in Cyber.  What is your story?</li>
<li>What inspired you to embrace social media as you have?  What kind of results are you seeing from this engagement?</li>
<li>We’ve seen your content on LinkedIn and on Instagram, it’s very creative but also very relatable.  How do you decide what topics to cover, how to frame them for the right audience, come up with the structure of your messages, etc.?  How many times do you re-do them?</li>
<li>You’ve mentioned social capital.  Tell us about that concept, how you build it, how and when you use it, etc.  </li>
<li>What is something established leadership in the field should understand about dealing cross generationally that we often get wrong?</li>
</ul>
<p>It is a wonderful show, and Babbette is a wonderful guest who is willing to share the insights behind her success.  Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Our guest today is Babbette Jackson, aka Technically__Rose of YouTube and Instagram fame!</p>
<p>Babbette is in DLP and Insider threat analysis.  She has worked in places as far flung as Edward Jones, Juniper Networks, and Bank of America.  More importantly, Babbette is quite involved in the intersection of social media and community engagement.</p>
<p>How do we use social media to engage others across generations and to encourage community participation?</p>
<p>Allan, Drew and Babbette discuss:</p>
<ul><li>We’ve been talking to others about how they arrived in and either struggled or flourished in Cyber.  What is your story?</li>
<li>What inspired you to embrace social media as you have?  What kind of results are you seeing from this engagement?</li>
<li>We’ve seen your content on LinkedIn and on Instagram, it’s very creative but also very relatable.  How do you decide what topics to cover, how to frame them for the right audience, come up with the structure of your messages, etc.?  How many times do you re-do them?</li>
<li>You’ve mentioned social capital.  Tell us about that concept, how you build it, how and when you use it, etc.  </li>
<li>What is something established leadership in the field should understand about dealing cross generationally that we often get wrong?</li>
</ul>
<p>It is a wonderful show, and Babbette is a wonderful guest who is willing to share the insights behind her success.  Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/vfshksibqbbbnecy/babbette_FINAL8fzla.mp3" length="26070248" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Our guest today is Babbette Jackson, aka Technically__Rose of YouTube and Instagram fame!
Babbette is in DLP and Insider threat analysis.  She has worked in places as far flung as Edward Jones, Juniper Networks, and Bank of America.  More importantly, Babbette is quite involved in the intersection of social media and community engagement.
How do we use social media to engage others across generations and to encourage community participation?
Allan, Drew and Babbette discuss:
We’ve been talking to others about how they arrived in and either struggled or flourished in Cyber.  What is your story?
What inspired you to embrace social media as you have?  What kind of results are you seeing from this engagement?
We’ve seen your content on LinkedIn and on Instagram, it’s very creative but also very relatable.  How do you decide what topics to cover, how to frame them for the right audience, come up with the structure of your messages, etc.?  How many times do you re-do them?
You’ve mentioned social capital.  Tell us about that concept, how you build it, how and when you use it, etc.  
What is something established leadership in the field should understand about dealing cross generationally that we often get wrong?
It is a wonderful show, and Babbette is a wonderful guest who is willing to share the insights behind her success.  Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1625</itunes:duration>
                <itunes:episode>196</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>You Don't Own "You", and "You" Are Being Altered with Sam Rad</title>
        <itunes:title>You Don't Own "You", and "You" Are Being Altered with Sam Rad</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/you-dont-own-you-and-you-are-being-altered-with-sam-rad/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/you-dont-own-you-and-you-are-being-altered-with-sam-rad/#comments</comments>        <pubDate>Wed, 16 Oct 2024 06:16:35 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/ee98a3a6-3a13-338f-a414-4af6e6affd94</guid>
                                    <description><![CDATA[<p>Who and what you are, your personality, your style, your thoughts...  That’s all about to change.  For one thing, you are already a product on “free to use” social media.  You don’t really own the things you think you own (we're looking at you, Steam!).  Even your intellectual property is up for grabs now in ways you can’t see coming.  Hollywood actors are selling the rights to their digital likenesses, and meanwhile, others are stealing such rights via technological loopholes.  All media exists, according to Drew, to draw you towards the advertisements…  And your deepfake could be used to do just that to others.  Some of these fakes are good enough to fool even you.</p>
<p>Join Allan and Drew as they interview Sam Rad, a premier futurist and humanist, who freely admits that there is now an inherent tension between those two philosophies.</p>
<p>The conversations about the governance, ethics, and security of all this new media and technology are woefully behind the curve.</p>
<p>Many members of the TikTok generation have a 4-second attention span and require multiple simultaneous input streams at any given time to feel satisfied.  Is this a deliberate attack on the Western human nervous system?  Cyberattacks are certainly killing people already, so why not go straight for their brains?</p>
<p>Are the peasants coming with pitchforks and torches to destroy Frankenstein’s newest monster?  How about the striking dockworkers?  The terrorists destroying 5G towers?  Do peasants with pitchforks ever win?  Ned Ludd (mistakenly called “Jason” by Allan) and the Luddites failed in a big way to stop technology from replacing their jobs in the early 1800s (mistakenly placed in the Victorian era by Allan).</p>
<p>This show is peppered with other historical and cultural references, such as the cultures and economies of Second Life, Picasso’s mass production of his own paintings, Rousseau’s evolving concepts of property, Mary Shelley and her Frankenstein’s monster, Hegel’s model of “thesis, antithesis, synthesis”, the Butlerian Jihad from the “Dune” series, and William Gibson’s maxim that “the street finds its own uses for things”.</p>
<p>We’re not even coping with all of this, and now we have the AI conversation thrust upon us as well…  Your content is training data, and can be mimicked with uncanny accuracy as well.</p>
<p>Check out Sam’s book, “Radical Next” and her docuseries “Illicit Economies of the Shadowverse” to learn more about the positives and negatives of all of these trends in humanity.</p>
<p>Good luck out there.  Stay safe.  Who you are and what you own is irretrievably altered at this point.  Cybersecurity is really just “security” now.  But hopefully all this mess will create the next cultural and creative Renaissance.</p>
<p>Y'all be safe now...</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Who and what you are, your personality, your style, your thoughts...  That’s all about to change.  For one thing, you are already a product on “free to use” social media.  You don’t really own the things you think you own (we're looking at you, Steam!).  Even your intellectual property is up for grabs now in ways you can’t see coming.  Hollywood actors are selling the rights to their digital likenesses, and meanwhile, others are stealing such rights via technological loopholes.  All media exists, according to Drew, to draw you towards the advertisements…  And your deepfake could be used to do just that to others.  Some of these fakes are good enough to fool even you.</p>
<p>Join Allan and Drew as they interview Sam Rad, a premier futurist and humanist, who freely admits that there is now an inherent tension between those two philosophies.</p>
<p>The conversations about the governance, ethics, and security of all this new media and technology are woefully behind the curve.</p>
<p>Many members of the TikTok generation have a 4-second attention span and require multiple simultaneous input streams at any given time to feel satisfied.  Is this a deliberate attack on the Western human nervous system?  Cyberattacks are certainly killing people already, so why not go straight for their brains?</p>
<p>Are the peasants coming with pitchforks and torches to destroy Frankenstein’s newest monster?  How about the striking dockworkers?  The terrorists destroying 5G towers?  Do peasants with pitchforks ever win?  Ned Ludd (mistakenly called “Jason” by Allan) and the Luddites failed in a big way to stop technology from replacing their jobs in the early 1800s (mistakenly placed in the Victorian era by Allan).</p>
<p>This show is peppered with other historical and cultural references, such as the cultures and economies of Second Life, Picasso’s mass production of his own paintings, Rousseau’s evolving concepts of property, Mary Shelley and her Frankenstein’s monster, Hegel’s model of “thesis, antithesis, synthesis”, the Butlerian Jihad from the “Dune” series, and William Gibson’s maxim that “the street finds its own uses for things”.</p>
<p>We’re not even coping with all of this, and now we have the AI conversation thrust upon us as well…  Your content is training data, and can be mimicked with uncanny accuracy as well.</p>
<p>Check out Sam’s book, “Radical Next” and her docuseries “Illicit Economies of the Shadowverse” to learn more about the positives and negatives of all of these trends in humanity.</p>
<p>Good luck out there.  Stay safe.  Who you are and what you own is irretrievably altered at this point.  Cybersecurity is really just “security” now.  But hopefully all this mess will create the next cultural and creative Renaissance.</p>
<p>Y'all be safe now...</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/4at765itkwhnvcsd/sam_finished76gub.mp3" length="41512168" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Who and what you are, your personality, your style, your thoughts...  That’s all about to change.  For one thing, you are already a product on “free to use” social media.  You don’t really own the things you think you own (we're looking at you, Steam!).  Even your intellectual property is up for grabs now in ways you can’t see coming.  Hollywood actors are selling the rights to their digital likenesses, and meanwhile, others are stealing such rights via technological loopholes.  All media exists, according to Drew, to draw you towards the advertisements…  And your deepfake could be used to do just that to others.  Some of these fakes are good enough to fool even you.
Join Allan and Drew as they interview Sam Rad, a premier futurist and humanist, who freely admits that there is now an inherent tension between those two philosophies.
The conversations about the governance, ethics, and security of all this new media and technology are woefully behind the curve.
Many members of the TikTok generation have a 4-second attention span and require multiple simultaneous input streams at any given time to feel satisfied.  Is this a deliberate attack on the Western human nervous system?  Cyberattacks are certainly killing people already, so why not go straight for their brains?
Are the peasants coming with pitchforks and torches to destroy Frankenstein’s newest monster?  How about the striking dockworkers?  The terrorists destroying 5G towers?  Do peasants with pitchforks ever win?  Ned Ludd (mistakenly called “Jason” by Allan) and the Luddites failed in a big way to stop technology from replacing their jobs in the early 1800s (mistakenly placed in the Victorian era by Allan).
This show is peppered with other historical and cultural references, such as the cultures and economies of Second Life, Picasso’s mass production of his own paintings, Rousseau’s evolving concepts of property, Mary Shelley and her Frankenstein’s monster, Hegel’s model of “thesis, antithesis, synthesis”, the Butlerian Jihad from the “Dune” series, and William Gibson’s maxim that “the street finds its own uses for things”.
We’re not even coping with all of this, and now we have the AI conversation thrust upon us as well…  Your content is training data, and can be mimicked with uncanny accuracy as well.
Check out Sam’s book, “Radical Next” and her docuseries “Illicit Economies of the Shadowverse” to learn more about the positives and negatives of all of these trends in humanity.
Good luck out there.  Stay safe.  Who you are and what you own is irretrievably altered at this point.  Cybersecurity is really just “security” now.  But hopefully all this mess will create the next cultural and creative Renaissance.
Y'all be safe now...
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2590</itunes:duration>
                <itunes:episode>195</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>A Cybersecurity Program to Emulate?  A Powerful Formula with Jason Shockey</title>
        <itunes:title>A Cybersecurity Program to Emulate?  A Powerful Formula with Jason Shockey</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/a-cybersecurity-program-to-emulate-a-powerful-formula-with-jason-shockey/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/a-cybersecurity-program-to-emulate-a-powerful-formula-with-jason-shockey/#comments</comments>        <pubDate>Wed, 09 Oct 2024 05:06:25 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/b129bd15-32b3-3412-a8b7-4ffd9264b69b</guid>
                                    <description><![CDATA[<p>Jason Shockey, CISO of Cenlar FSB and a 25-year veteran of cybersecurity, has a formula for running an excellent cybersecurity program.</p>
<p>He studied a great deal in his various cybersecurity roles before leaping into a CISO role, and the studying paid off!</p>
<p>Jason and Allan and Drew discuss the following:</p>
<ul><li>Identifying Common Pitfalls</li>
<li>Promoting Team Well-Being and Efficiency</li>
<li>Engaging and Educating the Board</li>
<li>Strategies for Effective Program Design</li>
</ul>
<p>ALL in the span of one rapid-fire show!  Do give it a listen, as you will learn about many valuable approaches and resources to help your program succeed.</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Jason Shockey, CISO of Cenlar FSB and a 25-year veteran of cybersecurity, has a formula for running an excellent cybersecurity program.</p>
<p>He studied a great deal in his various cybersecurity roles before leaping into a CISO role, and the studying paid off!</p>
<p>Jason and Allan and Drew discuss the following:</p>
<ul><li>Identifying Common Pitfalls</li>
<li>Promoting Team Well-Being and Efficiency</li>
<li>Engaging and Educating the Board</li>
<li>Strategies for Effective Program Design</li>
</ul>
<p>ALL in the span of one rapid-fire show!  Do give it a listen, as you will learn about many valuable approaches and resources to help your program succeed.</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/igxwqc4piqv8yy5f/allan_final_cut_of_jasonb9w3r.mp3" length="34984899" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Jason Shockey, CISO of Cenlar FSB and a 25-year veteran of cybersecurity, has a formula for running an excellent cybersecurity program.
He studied a great deal in his various cybersecurity roles before leaping into a CISO role, and the studying paid off!
Jason and Allan and Drew discuss the following:
Identifying Common Pitfalls
Promoting Team Well-Being and Efficiency
Engaging and Educating the Board
Strategies for Effective Program Design
ALL in the span of one rapid-fire show!  Do give it a listen, as you will learn about many valuable approaches and resources to help your program succeed.
Y'all be good now!
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2182</itunes:duration>
                <itunes:episode>194</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Cyber and Social Media as Warfare with Dave Schroeder</title>
        <itunes:title>Cyber and Social Media as Warfare with Dave Schroeder</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/cyber-and-social-media-as-warfare-with-dave-schroeder/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/cyber-and-social-media-as-warfare-with-dave-schroeder/#comments</comments>        <pubDate>Wed, 02 Oct 2024 05:32:24 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/20165a35-fb04-3b3c-8ed2-2a834b414eb7</guid>
                                    <description><![CDATA[<p>Cyber as precursor to kinetic warfare?  What about cyber AS warfare?  And social media infiltration and propaganda?  Join Allan and Drew as they invite Dave Schroeder, a renowned expert in this field, to discuss the active use of cybersecurity and social media as warfare between the Western World and China, Iraq, Russia and North Korea.  They cover:</p>
<ul><li>Insertion of fake IT employees into key companies</li>
<li>Political influence operations (divide and conquer)</li>
<li>Precursors to kinetic war being the smallest tip of the iceberg</li>
<li>Philosophical differences between nations and governments serving themselves</li>
<li>Cultures of trust in the West, and how those are not so self-serving</li>
</ul>
<p>This one is very sobering and perhaps the most important show of the year...</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Cyber as precursor to kinetic warfare?  What about cyber AS warfare?  And social media infiltration and propaganda?  Join Allan and Drew as they invite Dave Schroeder, a renowned expert in this field, to discuss the active use of cybersecurity and social media as warfare between the Western World and China, Iraq, Russia and North Korea.  They cover:</p>
<ul><li>Insertion of fake IT employees into key companies</li>
<li>Political influence operations (divide and conquer)</li>
<li>Precursors to kinetic war being the smallest tip of the iceberg</li>
<li>Philosophical differences between nations and governments serving themselves</li>
<li>Cultures of trust in the West, and how those are not so self-serving</li>
</ul>
<p>This one is very sobering and perhaps the most important show of the year...</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/5f2wmunwfgwbz9vw/dave_schorder_finished8mtal.mp3" length="41831489" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Cyber as precursor to kinetic warfare?  What about cyber AS warfare?  And social media infiltration and propaganda?  Join Allan and Drew as they invite Dave Schroeder, a renowned expert in this field, to discuss the active use of cybersecurity and social media as warfare between the Western World and China, Iraq, Russia and North Korea.  They cover:
Insertion of fake IT employees into key companies
Political influence operations (divide and conquer)
Precursors to kinetic war being the smallest tip of the iceberg
Philosophical differences between nations and governments serving themselves
Cultures of trust in the West, and how those are not so self-serving
This one is very sobering and perhaps the most important show of the year...
Y'all be good now!
 
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2610</itunes:duration>
                <itunes:episode>193</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Case for Regulation with Tim Brown</title>
        <itunes:title>The Case for Regulation with Tim Brown</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-case-for-regulation-with-tim-brown/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-case-for-regulation-with-tim-brown/#comments</comments>        <pubDate>Wed, 25 Sep 2024 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/da48795f-71cd-31da-bc01-0a6055c7f28f</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Tim Brown.  If you don’t know who Tim Brown is, he is the CISO at SolarWinds, and as such, is one of us.</p>
<p>Or maybe in a way, he is all of us, really.  Tim advises and has held various other roles in the past, including product roles, which our listeners know are well-respected skills down at the 'Ranch.</p>
<p>The topic today is cyber regulation.  It can range from self-regulation to associations, principles, practices, lobbying – all the way up to full government regulation.  What works?  What’s required?</p>
<p>Topics covered:</p>
<ul><li>What is the case for regulation?</li>
<li>What are the basic rules that provide us coverage and clarity?</li>
<li>Not knowing the rules makes people nervous and afraid...</li>
<li>Document your own processes, procedures, JDs, what you do, what you don't do. Make it clear!</li>
<li>Rigorous banking industry regulations exist already.  How onerous are they?  How badly would they fit the rest of us?</li>
<li>Perhaps a GAAP (generally accepted accounting principles) equivalent is desired?</li>
<li>Process/procedure vs. 'Thou shalt never have a vulnerability!'</li>
<li>Heavy-handed governmental oversight - defining standard of care and turning that into something people can stand behind?</li>
<li>Remember that Sarbanes and Oxley were people.  Real people.</li>
<li>Is regulation required to create a more positive environment in the way SOX does?</li>
<li>What does the public-private partnership need so that the rules created are good and realistic and improve cybersecurity for the world?</li>
<li>REGULATION IS COMING!  THE CISO COMMUNITY MUST BE A PART OF THAT REGULATION!</li>
<li>Have we had a cyber Enron, and do we need one?  That was the real catastrophe that launched SOX...</li>
<li>Regarding GAAP, accounting is deterministic vs. dynamic - Can a cyber GAAP ever exist given how dynamic we are?</li>
<li>The compliance world: principles-based vs. rules-based regulation - a more practical model. It may not move the bar enough, but it's a good starting point.</li>
<li>Should a whole field of security auditors exist, like accounting auditors do?</li>
<li>We are youngsters in this craft still...</li>
<li>Is the accounting world really the best metaphor?  Auditors, forensic accountants, etc.?</li>
<li>Another model is the medical world - malpractice, specific rules and regulations on specific surgical practices?</li>
<li>What about a national CISO board or association like the NACD or the American Psychological Association?</li>
<li>What about boards like medical review boards that approve specialties?</li>
<li>Lobbying</li>
<li>How to fund this?</li>
<li>Who should be doing the doing?  Inclusivity vs. sound gatekeeping.</li>
<li>A barber has to be licensed to cut hair - should we get licensed?</li>
<li>This conversation was around with software engineers long before it was with cyber folks.  We learned that self-policing did not really work...</li>
<li>The challenge is one of not shackling the business, or at least not appearing to, and the subsequent pushback.</li>
</ul>
<p>The call to action is ultimately this: If you don't have a seat at the table, folks will do things to you rather than with you.  So get involved!</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Tim Brown.  If you don’t know who Tim Brown is, he is the CISO at SolarWinds, and as such, is one of us.</p>
<p>Or maybe in a way, he is all of us, really.  Tim advises and has held various other roles in the past, including product roles, which our listeners know are well-respected skills down at the 'Ranch.</p>
<p>The topic today is cyber regulation.  It can range from self-regulation to associations, principles, practices, lobbying – all the way up to full government regulation.  What works?  What’s required?</p>
<p>Topics covered:</p>
<ul><li>What is the case for regulation?</li>
<li>What are the basic rules to provide us coverage and clarity?</li>
<li>Not knowing the rules makes people nervous and afraid...</li>
<li>Document your own processes, procedures, JDs, what you do, what you don't do. Make it clear!</li>
<li>Rigorous banking industry regulations exist already.  How onerous are they?  How badly would they fit the rest of us?</li>
<li>Perhaps a GAAP (generally accepted accounting principles) equivalent is desired?</li>
<li>Process/procedure vs. 'Thou shalt never have a vulnerability!'</li>
<li>Heavy-handed governmental oversight - defining standard of care and turning that into something people can stand behind?</li>
<li>Remember that Sarbanes and Oxley were people.  Real people.</li>
<li>Is regulation required to create a more positive environment in the way SOX does?</li>
<li>What does the public-private partnership need so that the rules created are good and realistic and improve cybersecurity for the world?</li>
<li>REGULATION IS COMING!  THE CISO COMMUNITY MUST BE A PART OF THAT REGULATION!</li>
<li>Have we had a cyber Enron, and do we need one?  That was the real catastrophe that launched SOX...</li>
<li>Regarding GAAP, accounting is deterministic vs. dynamic - Can a cyber GAAP ever exist given how dynamic we are?</li>
<li>The compliance world: principles-based vs. rules-based regulation - a more practical model. It may not move the bar enough, but it's a good starting point.</li>
<li>Should a whole field of security auditors exist, like accounting auditors do?</li>
<li>We are youngsters in this craft still...</li>
<li>Is the accounting world really the best metaphor?  Auditors, forensic accountants, etc.?</li>
<li>Another model is the medical world - malpractice, specific rules and regulations on specific surgical practices?</li>
<li>What about a national CISO board or association like the NACD or the American Psychological Association?</li>
<li>What about boards like medical review boards that approve specialties?</li>
<li>Lobbying</li>
<li>How to fund this?</li>
<li>Who should be doing the doing?  Inclusivity vs. sound gatekeeping.</li>
<li>A barber has to be licensed to cut hair - should we get licensed?</li>
<li>This conversation was around with software engineers long before it was with cyber folks.  We learned that self-policing did not really work...</li>
<li>The challenge is one of not shackling the business, or at least not appearing to, and the subsequent pushback.</li>
</ul>
<p>The call to action is ultimately this: If you don't have a seat at the table, folks will do things to you rather than with you.  So get involved!</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/mi58v2nxerxr5wjz/tim_brown_finished74py1.mp3" length="35760214" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Tim Brown.  If you don’t know who Tim Brown is, he is the CISO at SolarWinds, and as such, is one of us.
Or maybe in a way, he is all of us, really.  Tim advises and has held various other roles in the past, including product roles, which our listeners know are well-respected skills down at the 'Ranch.
The topic today is cyber regulation.  It can range from self-regulation to associations, principles, practices, lobbying – all the way up to full government regulation.  What works?  What’s required?
Topics covered:
What is the case for regulation?
What are the basic rules to provide us coverage and clarity?
Not knowing the rules makes people nervous and afraid...
Document your own processes, procedures, JDs, what you do, what you don't do. Make it clear!
Rigorous banking industry regulations exist already.  How onerous are they?  How badly would they fit the rest of us?
Perhaps a GAAP (generally accepted accounting principles) equivalent is desired?
Process/procedure vs. 'Thou shalt never have a vulnerability!'
Heavy-handed governmental oversight - defining standard of care and turning that into something people can stand behind?
Remember that Sarbanes and Oxley were people.  Real people.
Is regulation required to create a more positive environment in the way SOX does?
What does the public-private partnership need so that the rules created are good and realistic and improve cybersecurity for the world?
REGULATION IS COMING!  THE CISO COMMUNITY MUST BE A PART OF THAT REGULATION!
Have we had a cyber Enron, and do we need one?  That was the real catastrophe that launched SOX...
Regarding GAAP, accounting is deterministic vs. dynamic - Can a cyber GAAP ever exist given how dynamic we are?
The compliance world: principles-based vs. rules-based regulation - a more practical model. It may not move the bar enough, but it's a good starting point.
Should a whole field of security auditors exist, like accounting auditors do?
We are youngsters in this craft still...
Is the accounting world really the best metaphor?  Auditors, forensic accountants, etc.?
Another model is the medical world - malpractice, specific rules and regulations on specific surgical practices?
What about a national CISO board or association like the NACD or the American Psychological Association?
What about boards like medical review boards that approve specialties?
Lobbying
How to fund this?
Who should be doing the doing?  Inclusivity vs. sound gatekeeping.
A barber has to be licensed to cut hair - should we get licensed?
This conversation was around with software engineers long before it was with cyber folks.  We learned that self-policing did not really work...
The challenge is one of not shackling the business, or at least not appearing to, and the subsequent pushback.
The call to action is ultimately this: If you don't have a seat at the table, folks will do things to you rather than with you.  So get involved!
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2230</itunes:duration>
                <itunes:episode>192</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>You're Hiring Wrong! with 3 Guests New to the Industry</title>
        <itunes:title>You're Hiring Wrong! with 3 Guests New to the Industry</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/youre-hiring-wrong-with-3-guests-new-to-the-industry/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/youre-hiring-wrong-with-3-guests-new-to-the-industry/#comments</comments>        <pubDate>Wed, 18 Sep 2024 06:06:52 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/5596e89c-876e-39aa-af0c-fc004e846298</guid>
                                    <description><![CDATA[<p>What can we established cybersecurity practitioners ACTUALLY do to help those new in the field besides blathering back and forth about the problem in the echo chamber that is LinkedIn?</p>
<p>Drew got the clever idea of inviting three folks who are brand new to the field or barely started on their cyber journey, and, get this: ASKING them what they're experiencing and what they need! Clever, huh? It's an eye-opening show for a CISO.</p>
<p>We are joined on this week's episode by Amé Venter, May Ferreira, and Bryce Hill, who share their perspectives from their early stages in this field. It's a sobering perspective.</p>
<p>To a certain extent, they've all been lied to and led on, and that's all our fault.</p>
<p>Key takeaways:</p>
<ul><li>Prodsec/Appsec might get you out of being a cost center in cybersecurity, but no intro programs seem to show folks how to get there.</li>
<li>Certs aren't enough. Education is not enough. It is HARD to get started.</li>
<li>Internships sound great, but even after you have secured one or two of them, entry-level positions remain elusive. Especially "entry-level" positions that require experience.</li>
<li>Innovative programs like the one Bobby Ford is doing over at <a href='https://www.linkedin.com/feed/'>Hewlett Packard Enterprise</a> are a huge leg up, but such programs are few and far between.</li>
<li>There are a lot of folks standing outside the doors to our industry who were told this was the promised land. But there they are, still standing and peering in, waiting for an invitation.</li>
</ul>
<p>CISOs, please listen to this show. Please re-think your hiring strategies!</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>What can we established cybersecurity practitioners ACTUALLY do to help those new in the field besides blathering back and forth about the problem in the echo chamber that is LinkedIn?</p>
<p>Drew got the clever idea of inviting three folks who are brand new to the field or barely started on their cyber journey, and, get this: ASKING them what they're experiencing and what they need! Clever, huh? It's an eye-opening show for a CISO.</p>
<p>We are joined on this week's episode by Amé Venter, May Ferreira, and Bryce Hill, who share their perspectives from their early stages in this field. It's a sobering perspective.</p>
<p>To a certain extent, they've all been lied to and led on, and that's all our fault.</p>
<p>Key takeaways:</p>
<ul><li>Prodsec/Appsec might get you out of being a cost center in cybersecurity, but no intro programs seem to show folks how to get there.</li>
<li>Certs aren't enough. Education is not enough. It is HARD to get started.</li>
<li>Internships sound great, but even after you have secured one or two of them, entry-level positions remain elusive. Especially "entry-level" positions that require experience.</li>
<li>Innovative programs like the one Bobby Ford is doing over at <a href='https://www.linkedin.com/feed/'>Hewlett Packard Enterprise</a> are a huge leg up, but such programs are few and far between.</li>
<li>There are a lot of folks standing outside the doors to our industry who were told this was the promised land. But there they are, still standing and peering in, waiting for an invitation.</li>
</ul>
<p>CISOs, please listen to this show. Please re-think your hiring strategies!</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/fukuqsg7rqqzjxi4/breaking_in_3_finishedb11bl.mp3" length="41130989" type="audio/mpeg"/>
        <itunes:summary><![CDATA[What can we established cybersecurity practitioners ACTUALLY do to help those new in the field besides blathering back and forth about the problem in the echo chamber that is LinkedIn?
Drew got the clever idea of inviting three folks who are brand new to the field or barely started on their cyber journey, and, get this: ASKING them what they're experiencing and what they need! Clever, huh? It's an eye-opening show for a CISO.
We are joined on this week's episode by Amé Venter, May Ferreira, and Bryce Hill, who share their perspectives from their early stages in this field. It's a sobering perspective.
To a certain extent, they've all been lied to and led on, and that's all our fault.
Key takeaways:
Prodsec/Appsec might get you out of being a cost center in cybersecurity, but no intro programs seem to show folks how to get there.
Certs aren't enough. Education is not enough. It is HARD to get started.
Internships sound great, but even after you have secured one or two of them, entry-level positions remain elusive. Especially "entry-level" positions that require experience.
Innovative programs like the one Bobby Ford is doing over at Hewlett Packard Enterprise are a huge leg up, but such programs are few and far between.
There are a lot of folks standing outside the doors to our industry who were told this was the promised land. But there they are, still standing and peering in, waiting for an invitation.
CISOs, please listen to this show. Please re-think your hiring strategies!
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2566</itunes:duration>
                <itunes:episode>191</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Data-Driven Cybersecurity with Wade Baker</title>
        <itunes:title>Data-Driven Cybersecurity with Wade Baker</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/data-driven-cybersecurity-with-wade-baker/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/data-driven-cybersecurity-with-wade-baker/#comments</comments>        <pubDate>Wed, 11 Sep 2024 05:44:34 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/59087704-7a2e-319f-94bb-ef89d109dbe9</guid>
                                    <description><![CDATA[<p>Howdy, y’all!  Our guest today is Wade Baker, cybersecurity researcher, entrepreneur, professor…  Wade is a Board of Directors member of the FAIR Institute, was an Advisory Board Member at the RSA Conference, was VP of Strategy &amp; Risk Analytics at ThreatConnect, and is now Co-Founder of Cyentia Institute, which aims to advance cybersecurity knowledge and practice through data-driven research.  Wade joins Drew and Allan to talk about (go figure!) data-driven cybersecurity.  The three smash through a lot of assumptions and get to the heart of what is really going on in cybersecurity.</p>
<p>Questions covered:</p>
<ol><li>What is the Information Risk Insights Study (IRIS)? (cyentia.com/iris/)</li>
<li>What is a good summary of the IRIS Ransomware report?</li>
<li>How can organizations out there be more data-driven?</li>
<li>Analyst whitepapers vs. real data research – what are the differences?</li>
<li>Who else can mine data like this?</li>
<li>What truths do people resist or what do they fail to embrace?</li>
<li>What are the sacred cows and the “inflatable cows”?</li>
<li>Is the cyber job shortage a real, data-backed problem?</li>
<li>The desire for “flat math” vs. curves (the 5x5 grid) …</li>
<li>Measuring the problem side vs the solution side…</li>
<li>Actual best practices vs. common practices…</li>
<li>Insurance industry data and why they don’t share it…</li>
<li>Much of what we do does not affect the realities of our cyber risk.</li>
<li>Stepping back from all of this, what is the value in data-driven industry analysis of this sort?</li>
<li>How does one sponsor IRIS publications?</li>
</ol><p>Y’all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all!  Our guest today is Wade Baker, cybersecurity researcher, entrepreneur, professor…  Wade is a Board of Directors member of the FAIR Institute, was an Advisory Board Member at the RSA Conference, was VP of Strategy &amp; Risk Analytics at ThreatConnect, and is now Co-Founder of Cyentia Institute, which aims to advance cybersecurity knowledge and practice through data-driven research.  Wade joins Drew and Allan to talk about (go figure!) data-driven cybersecurity.  The three smash through a lot of assumptions and get to the heart of what is really going on in cybersecurity.</p>
<p>Questions covered:</p>
<ol><li>What is the Information Risk Insights Study (IRIS)? (cyentia.com/iris/)</li>
<li>What is a good summary of the IRIS Ransomware report?</li>
<li>How can organizations out there be more data-driven?</li>
<li>Analyst whitepapers vs. real data research – what are the differences?</li>
<li>Who else can mine data like this?</li>
<li>What truths do people resist or what do they fail to embrace?</li>
<li>What are the sacred cows and the “inflatable cows”?</li>
<li>Is the cyber job shortage a real, data-backed problem?</li>
<li>The desire for “flat math” vs. curves (the 5x5 grid) …</li>
<li>Measuring the problem side vs the solution side…</li>
<li>Actual best practices vs. common practices…</li>
<li>Insurance industry data and why they don’t share it…</li>
<li>Much of what we do does not affect the realities of our cyber risk.</li>
<li>Stepping back from all of this, what is the value in data-driven industry analysis of this sort?</li>
<li>How does one sponsor IRIS publications?</li>
</ol><p>Y’all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/rmgsdeaz22wjgs3y/wade_finished807st.mp3" length="39215064" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all!  Our guest today is Wade Baker, cybersecurity researcher, entrepreneur, professor…  Wade is a Board of Directors member of the FAIR Institute, was an Advisory Board Member at the RSA Conference, was VP of Strategy &amp; Risk Analytics at ThreatConnect, and is now Co-Founder of Cyentia Institute, which aims to advance cybersecurity knowledge and practice through data-driven research.  Wade joins Drew and Allan to talk about (go figure!) data-driven cybersecurity.  The three smash through a lot of assumptions and get to the heart of what is really going on in cybersecurity.
Questions covered:
What is the Information Risk Insights Study (IRIS)? (cyentia.com/iris/)
What is a good summary of the IRIS Ransomware report?
How can organizations out there be more data-driven?
Analyst whitepapers vs. real data research – what are the differences?
Who else can mine data like this?
What truths do people resist or what do they fail to embrace?
What are the sacred cows and the “inflatable cows”?
Is the cyber job shortage a real, data-backed problem?
The desire for “flat math” vs. curves (the 5x5 grid) …
Measuring the problem side vs the solution side…
Actual best practices vs. common practices…
Insurance industry data and why they don’t share it…
Much of what we do does not affect the realities of our cyber risk.
Stepping back from all of this, what is the value in data-driven industry analysis of this sort?
How does one sponsor IRIS publications?
Y’all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2446</itunes:duration>
                <itunes:episode>190</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Successful Clarity &amp; Successful Communication with Michael Santarcangelo</title>
        <itunes:title>Successful Clarity &amp; Successful Communication with Michael Santarcangelo</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/successful-clarity-successful-communication-with-michael-santarcangelo/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/successful-clarity-successful-communication-with-michael-santarcangelo/#comments</comments>        <pubDate>Wed, 04 Sep 2024 06:06:33 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/9bac5090-00dc-31de-9a1b-4bda0d515d66</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Michael Santarcangelo, Founder and President at Security Catalyst.  He’s a former podcaster – co-creator of Business Security Weekly, he even did a stint on Down the Security Rabbit Hole with Raf and James.  True fact, hearing Santa (as his friends call him) and Paul Asadoorian on Business Security Weekly is what inspired Allan to become a podcaster in the first place!  But Santa has done the practitioner and the leader things as well, and got his start way back on the Global Security Team at Andersen Consulting… Santa joins Drew and Allan to discuss effective communication…</p>
<ul><li>The communication problem we’re trying to solve is not the one we think it is!</li>
<li>“Communicating the value of cybersecurity” - What does that mean, really?</li>
<li>Clarity vs. Communication, Message received and understood...  It’s clarity of thinking, action, and outcomes that create the ability to communicate effectively.</li>
<li>If that is the case, then what matters is how do OTHERS measure our success and how is that aligned or not with our own perceptions?</li>
<li>How do we measure success in communication?  Is it how they measure it?</li>
<li>What is the goal of communication? (And why do we say that instead of ‘the goal of good communication’?)</li>
<li>How do we get perspectives?  (We ask).</li>
</ul>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Michael Santarcangelo, Founder and President at Security Catalyst.  He’s a former podcaster – co-creator of Business Security Weekly, he even did a stint on Down the Security Rabbit Hole with Raf and James.  True fact, hearing Santa (as his friends call him) and Paul Asadoorian on Business Security Weekly is what inspired Allan to become a podcaster in the first place!  But Santa has done the practitioner and the leader things as well, and got his start way back on the Global Security Team at Andersen Consulting… Santa joins Drew and Allan to discuss effective communication…</p>
<ul><li>The communication problem we’re trying to solve is not the one we think it is!</li>
<li>“Communicating the value of cybersecurity” - What does that mean, really?</li>
<li>Clarity vs. Communication, Message received and understood...  It’s clarity of thinking, action, and outcomes that create the ability to communicate effectively.</li>
<li>If that is the case, then what matters is how do OTHERS measure our success and how is that aligned or not with our own perceptions?</li>
<li>How do we measure success in communication?  Is it how they measure it?</li>
<li>What is the goal of communication? (And why do we say that instead of ‘the goal of good communication’?)</li>
<li>How do we get perspectives?  (We ask).</li>
</ul>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/ycr7jyesw4nuaq5j/santa_finished943nf.mp3" length="46492570" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Michael Santarcangelo, Founder and President at Security Catalyst.  He’s a former podcaster – co-creator of Business Security Weekly, he even did a stint on Down the Security Rabbit Hole with Raf and James.  True fact, hearing Santa (as his friends call him) and Paul Asadoorian on Business Security Weekly is what inspired Allan to become a podcaster in the first place!  But Santa has done the practitioner and the leader things as well, and got his start way back on the Global Security Team at Andersen Consulting… Santa joins Drew and Allan to discuss effective communication…
The communication problem we’re trying to solve is not the one we think it is!
“Communicating the value of cybersecurity” - What does that mean, really?
Clarity vs. Communication, Message received and understood...  It’s clarity of thinking, action, and outcomes that create the ability to communicate effectively.
If that is the case, then what matters is how do OTHERS measure our success and how is that aligned or not with our own perceptions?
How do we measure success in communication?  Is it how they measure it?
What is the goal of communication? (And why do we say that instead of ‘the goal of good communication’?)
How do we get perspectives?  (We ask).
Y'all be good now!
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2901</itunes:duration>
                <itunes:episode>189</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>What Is In Your Commercial Software?  with Sasa Zdjelar</title>
        <itunes:title>What Is In Your Commercial Software?  with Sasa Zdjelar</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/what-is-in-your-commercial-software-with-sasa-zdjelar/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/what-is-in-your-commercial-software-with-sasa-zdjelar/#comments</comments>        <pubDate>Wed, 28 Aug 2024 06:43:48 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/bec39550-fd35-3039-b320-7dbd7647a985</guid>
                                    <description><![CDATA[<p>Your organization runs on commercial software far more than it does open source.  But all you are delivered is binaries.  What is your technical control to ensure that you are safe from this software?</p>
<p>Such software is composed of:</p>
<ul><li>Open source libraries</li>
<li>Proprietary code</li>
<li>3rd-party proprietary libraries</li>
</ul>
<p>You need to be able to see it, understand it, probe it for malware, backdoors, corruption, CVEs, KEVs, etc.  Well now you can.  SBOMs are just the beginning...</p>
<p>Allan and Drew are joined by Sasa Zdjelar, Chief Trust Officer at ReversingLabs, which has spent 15 years solving this highly specific and highly challenging problem in cybersecurity.</p>
<p>The show is not sponsored by ReversingLabs.  Allan and Drew wanted the world to know that they exist, and that this capability is now in-hand...</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Your organization runs on commercial software far more than it does open source.  But all you are delivered is binaries.  What is your technical control to ensure that you are safe from this software?</p>
<p>Such software is composed of:</p>
<ul><li>Open source libraries</li>
<li>Proprietary code</li>
<li>3rd-party proprietary libraries</li>
</ul>
<p>You need to be able to see it, understand it, probe it for malware, backdoors, corruption, CVEs, KEVs, etc.  Well now you can.  SBOMs are just the beginning...</p>
<p>Allan and Drew are joined by Sasa Zdjelar, Chief Trust Officer at ReversingLabs, which has spent 15 years solving this highly specific and highly challenging problem in cybersecurity.</p>
<p>The show is not sponsored by ReversingLabs.  Allan and Drew wanted the world to know that they exist, and that this capability is now in-hand...</p>
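<p>As an added example (not code from the podcast, from ReversingLabs, or from any vendor), the script below does two of the checks the notes above ask for on a vendor-supplied SBOM: it cross-references each component's package URL and version against an advisory feed and a Known Exploited Vulnerabilities list, and it compares the SHA-256 hashes the SBOM declares with the bytes that were actually delivered.  The SBOM, the artifact bytes, the advisory records and the KEV set are all constructed inline, and the CVE numbers are placeholders, not real advisories; a real run would load the vendor's CycloneDX file, the delivered binaries, and current advisory and KEV data instead.</p>

```python
"""Cross-check a vendor-supplied SBOM against the delivered binaries,
an advisory feed and a KEV list.

Added example, not code from the podcast or from ReversingLabs. Every input
(SBOM, artifact bytes, advisories, KEV IDs) is constructed inline so the
script runs offline; the CVE numbers are placeholders, not real advisories.
"""
import hashlib
import re

# Constructed: bytes of each component as they left the vendor's build.
VENDOR_BUILD = {
    "libfoo": b"libfoo build 1.2.3\n",
    "libbar": b"libbar build 4.0.1\n",
    "app": b"app build 2.7.0\n",
}

# Constructed: what actually arrived. One library was altered after the
# vendor hashed it (stands in for corruption or tampering in the channel).
DELIVERED = dict(VENDOR_BUILD)
DELIVERED["libbar"] = VENDOR_BUILD["libbar"] + b"\x00injected"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_vendor_sbom() -> dict:
    """Constructed CycloneDX 1.5-shaped SBOM as the vendor would ship it.

    Hashes come from VENDOR_BUILD, i.e. the vendor's view of the files.
    'app' deliberately ships without a hash to show the gap that leaves.
    """
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "libfoo", "version": "1.2.3",
             "purl": "pkg:generic/libfoo@1.2.3",
             "hashes": [{"alg": "SHA-256", "content": sha256_hex(VENDOR_BUILD["libfoo"])}]},
            {"type": "library", "name": "libbar", "version": "4.0.1",
             "purl": "pkg:generic/libbar@4.0.1",
             "hashes": [{"alg": "SHA-256", "content": sha256_hex(VENDOR_BUILD["libbar"])}]},
            {"type": "application", "name": "app", "version": "2.7.0",
             "purl": "pkg:generic/app@2.7.0"},
        ],
    }


# Constructed advisory feed: each CVE affects the package at versions below "fixed".
ADVISORIES = [
    {"cve": "CVE-0000-0001", "package": "pkg:generic/libfoo", "fixed": "1.2.4"},
    {"cve": "CVE-0000-0002", "package": "pkg:generic/libbar", "fixed": "4.1.0"},
    {"cve": "CVE-0000-0003", "package": "pkg:generic/libbar", "fixed": "3.9.0"},
]

# Constructed stand-in for the CISA Known Exploited Vulnerabilities catalog.
KEV_IDS = {"CVE-0000-0002"}


def parse_version(version: str) -> tuple:
    """Dotted numeric compare; non-numeric parts sort as 0 (adequate for this demo)."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version))


def purl_package(purl: str) -> str:
    """pkg:type/namespace/name@version?qualifiers#subpath -> pkg:type/namespace/name"""
    return re.split(r"[@?#]", purl, maxsplit=1)[0]


def find_exposures(sbom: dict, advisories: list, kev_ids: set) -> list:
    """Components sitting below an advisory's fixed version, KEV entries first."""
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no package identity: cannot be matched against a feed
        pkg, ver = purl_package(purl), parse_version(comp["version"])
        for adv in advisories:
            if adv["package"] == pkg and ver < parse_version(adv["fixed"]):
                hits.append({"purl": purl, "cve": adv["cve"], "kev": adv["cve"] in kev_ids})
    return sorted(hits, key=lambda h: (not h["kev"], h["purl"], h["cve"]))


def verify_hashes(sbom: dict, delivered: dict) -> dict:
    """Compare each component's declared SHA-256 with the delivered bytes."""
    result = {}
    for comp in sbom.get("components", []):
        name = comp["name"]
        expected = next((h["content"] for h in comp.get("hashes", [])
                         if h["alg"] == "SHA-256"), None)
        if expected is None:
            result[name] = "no-hash"    # SBOM offers nothing to check against
        elif name not in delivered:
            result[name] = "missing"    # listed in the SBOM, did not arrive
        elif sha256_hex(delivered[name]) == expected:
            result[name] = "ok"
        else:
            result[name] = "mismatch"   # altered after the vendor hashed it
    return result


if __name__ == "__main__":
    sbom = build_vendor_sbom()
    for h in find_exposures(sbom, ADVISORIES, KEV_IDS):
        print(("KEV " if h["kev"] else "cve ") + h["cve"], h["purl"])
    for name, status in verify_hashes(sbom, DELIVERED).items():
        print(f"{status:9}{name}")
```

<p>Two things the run makes visible: a component the SBOM ships without a hash ("app" above) cannot be verified at all, and a hash mismatch tells you only that the bytes changed, not what changed.  Both are why SBOM matching is the beginning rather than the end, and why the delivered binary itself still has to be analysed for malware and backdoors, which is the capability the episode is about.</p>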
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/mh4xnywdfs8z5rdb/sasa_finished8szdq.mp3" length="30432906" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Your organization runs on commercial software far more than it does open source.  But all you are delivered is binaries.  What is your technical control to ensure that you are safe from this software?
Such software is composed of:
Open source libraries
Proprietary code
3rd-party proprietary libraries
You need to be able to see it, understand it, probe it for malware, backdoors, corruption, CVEs, KEVs, etc.  Well now you can.  SBOMs are just the beginning...
Allan and Drew are joined by Sasa Zdjelar, Chief Trust Officer at ReversingLabs, which has spent 15 years solving this highly specific and highly challenging problem in cybersecurity.
The show is not sponsored by ReversingLabs.  Allan and Drew wanted the world to know that they exist, and that this capability is now in-hand...
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1897</itunes:duration>
                <itunes:episode>188</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>People, Process &amp; Technology: Technology with Ross Young</title>
        <itunes:title>People, Process &amp; Technology: Technology with Ross Young</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/people-process-and-technology-technology-with-ross-young/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/people-process-and-technology-technology-with-ross-young/#comments</comments>        <pubDate>Wed, 21 Aug 2024 06:04:08 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/d492856a-7b0f-3dfe-9b02-919ffde9db50</guid>
                                    <description><![CDATA[<p>This is our third and final episode of this miniseries.  In this episode we are joined by Ross Young, a well-established member of the cybersecurity community with a storied background and penchant for giving back via various means.  Ross joins Allan and Drew in exploring the role of technology in the People, Process and Technology triad.</p>
<p>Questions covered:</p>
<ul><li>The traditional triad of people, process, technology has been with us since 1964, from an era when digital systems were in their infancy and computing as we know it today was science fiction.  Is PPT still the right way to look at business problems?</li>
<li>Has technology taken its place as "first amongst equals", or are we still right to say "cyber isn't a technology problem"?</li>
<li>Given the evolution of technology and even more so with what is on the horizon with AI and other autonomous systems, are we moving past "technology enables humans" to "technology replaces humans" for some parts of the cyber challenge?</li>
<li>How do you see the technology portfolio developing over the next 5 years?</li>
<li>What is the future of data science?</li>
</ul>
<p>Thanks as always for listening.  Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This is our third and final episode of this miniseries.  In this episode we are joined by Ross Young, a well-established member of the cybersecurity community with a storied background and penchant for giving back via various means.  Ross joins Allan and Drew in exploring the role of technology in the People, Process and Technology triad.</p>
<p>Questions covered:</p>
<ul><li>The traditional triad of people, process, technology has been with us since 1964, from an era when digital systems were in their infancy and computing as we know it today was science fiction.  Is PPT still the right way to look at business problems?</li>
<li>Has technology taken its place as "first amongst equals", or are we still right to say "cyber isn't a technology problem"?</li>
<li>Given the evolution of technology and even more so with what is on the horizon with AI and other autonomous systems, are we moving past "technology enables humans" to "technology replaces humans" for some parts of the cyber challenge?</li>
<li>How do you see the technology portfolio developing over the next 5 years?</li>
<li>What is the future of data science?</li>
</ul>
<p>Thanks as always for listening.  Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/7u8zdpauppu3pf9r/ross_finished7mr4i.mp3" length="38705572" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This is our third and final episode of this miniseries.  In this episode we are joined by Ross Young, a well-established member of the cybersecurity community with a storied background and penchant for giving back via various means.  Ross joins Allan and Drew in exploring the role of technology in the People, Process and Technology triad.
Questions covered:
The traditional triad of people, process, technology has been with us since 1964, from an era when digital systems were in their infancy and computing as we know it today was science fiction.  Is PPT still the right way to look at business problems?
Has technology taken its place as "first amongst equals", or are we still right to say "cyber isn't a technology problem"?
Given the evolution of technology and even more so with what is on the horizon with AI and other autonomous systems, are we moving past "technology enables humans" to "technology replaces humans" for some parts of the cyber challenge?
How do you see the technology portfolio developing over the next 5 years?
What is the future of data science?
Thanks as always for listening.  Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2415</itunes:duration>
                <itunes:episode>187</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>People, Process &amp; Technology: Process with Malcolm Harkins</title>
        <itunes:title>People, Process &amp; Technology: Process with Malcolm Harkins</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/people-process-technology-process-with-malcolm-harkins/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/people-process-technology-process-with-malcolm-harkins/#comments</comments>        <pubDate>Wed, 14 Aug 2024 06:01:36 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/506d7c50-9a79-3c6f-b2a1-08d80fc736e7</guid>
                                    <description><![CDATA[<p>Howdy, y'all!  In part two of our three-part miniseries, we tackle Process with Malcolm Harkins.  Malcolm is former CISO at Intel, a good friend of Allan's, former Cylance Chief Trust and Security Officer, member of the board of directors over at TrustMAPP (where Allan used to be COO), and is now at Hidden Layer, working to secure AI.  Hidden Layer did not sponsor this show.</p>
<p>Allan, Drew and Malcolm discuss the following:</p>
<ol><li>People, process, technology – what is the role of process in that triad?</li>
<li>How do we craft good process?  What part of process definition is capturing the as-is state vs. being aspirational?</li>
<li>How do we ensure good process is followed?</li>
<li>When should technology drive process vs process drive technology?  Where does process traditionally fall short?</li>
<li>What would you improve about process in general?</li>
<li>Tell us a bit about Hidden Layer, as this is some very new technology...</li>
</ol><p>Thank you for listening!  Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y'all!  In part two of our three-part miniseries, we tackle Process with Malcolm Harkins.  Malcolm is former CISO at Intel, a good friend of Allan's, former Cylance Chief Trust and Security Officer, member of the board of directors over at TrustMAPP (where Allan used to be COO), and is now at Hidden Layer, working to secure AI.  Hidden Layer did not sponsor this show.</p>
<p>Allan, Drew and Malcolm discuss the following:</p>
<ol><li>People, process, technology – what is the role of process in that triad?</li>
<li>How do we craft good process?  What part of process definition is capturing the as-is state vs. being aspirational?</li>
<li>How do we ensure good process is followed?</li>
<li>When should technology drive process vs process drive technology?  Where does process traditionally fall short?</li>
<li>What would you improve about process in general?</li>
<li>Tell us a bit about Hidden Layer, as this is some very new technology...</li>
</ol><p>Thank you for listening!  Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/wqhcpcwtx8a8rj42/malcolm_finishedbfwhu.mp3" length="32212576" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y'all!  In part two of our three-part miniseries, we tackle Process with Malcolm Harkins.  Malcolm is former CISO at Intel, a good friend of Allan's, former Cylance Chief Trust and Security Officer, member of the board of directors over at TrustMAPP (where Allan used to be COO), and is now at Hidden Layer, working to secure AI.  Hidden Layer did not sponsor this show.
Allan, Drew and Malcolm discuss the following:
People, process, technology – what is the role of process in that triad?
How do we craft good process?  What part of process definition is capturing the as-is state vs. being aspirational?
How do we ensure good process is followed?
When should technology drive process vs process drive technology?  Where does process traditionally fall short?
What would you improve about process in general?
Tell us a bit about Hidden Layer, as this is some very new technology...
Thank you for listening!  Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2009</itunes:duration>
                <itunes:episode>186</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>No Show This Week - Black Hat 2024 Is Afoot!</title>
        <itunes:title>No Show This Week - Black Hat 2024 Is Afoot!</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/no-show-this-week-black-hat-2024-is-afoot/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/no-show-this-week-black-hat-2024-is-afoot/#comments</comments>        <pubDate>Wed, 07 Aug 2024 07:35:20 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/2eed75d7-79dd-3a2e-80f3-6c8387caddbd</guid>
                                    <description><![CDATA[<p>Thanks for listening, y'all!  Our next show is all about Process (we already did a show on People) and after that comes Technology.</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Thanks for listening, y'all!  Our next show is all about Process (we already did a show on People) and after that comes Technology.</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/c8gqq58qqvxzkdxn/noshowbh2024.mp3" length="274643" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Thanks for listening, y'all!  Our next show is all about Process (we already did a show on People) and after that comes Technology.
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>13</itunes:duration>
                <itunes:episode>185</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>People, Process &amp; Technology: People with Jeremiah Roe</title>
        <itunes:title>People, Process &amp; Technology: People with Jeremiah Roe</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/people-process-technology-people-with-jeremiah-roe/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/people-process-technology-people-with-jeremiah-roe/#comments</comments>        <pubDate>Wed, 31 Jul 2024 05:49:08 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/2d4c1c61-2460-3b8d-b785-729a6d50e985</guid>
                                    <description><![CDATA[<p>Jeremiah Roe has held many roles in cybersecurity:  Field CISO, Red Teamer, Advisor, Consultant, etc.  He currently advises for OffSec, who provide quality cybersecurity training.  Drew Simonis and Allan Alford determined that Jeremiah would be a great guest for launching a 3-part mini series - each of the three shows exploring People, Process and Technology respectively.</p>
<p>The three cover the following topics in a lively conversation that journeys into several aspects of People as they relate to cybersecurity:</p>
<ul><li>People, Process, and Technology - Which is most important?</li>
<li>If they knew what we knew about cybersecurity, would they behave differently?</li>
<li>How to leverage training budgets for a win-win-win.</li>
<li>People gonna peop, businesses gonna biz.</li>
<li>Incentivization, Positive Reinforcement and Deputization</li>
<li>Enabling camaraderie - not just good culture</li>
<li>Groupthink and Tribalism</li>
</ul>
<p>Join the three as they ride the cyber trails of "People" in the PPT triad!</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Jeremiah Roe has held many roles in cybersecurity:  Field CISO, Red Teamer, Advisor, Consultant, etc.  He currently advises for OffSec, who provide quality cybersecurity training.  Drew Simonis and Allan Alford determined that Jeremiah would be a great guest for launching a 3-part mini series - each of the three shows exploring People, Process and Technology respectively.</p>
<p>The three cover the following topics in a lively conversation that journeys into several aspects of People as they relate to cybersecurity:</p>
<ul><li>People, Process, and Technology - Which is most important?</li>
<li>If they knew what we knew about cybersecurity, would they behave differently?</li>
<li>How to leverage training budgets for a win-win-win.</li>
<li>People gonna peop, businesses gonna biz.</li>
<li>Incentivization, Positive Reinforcement and Deputization</li>
<li>Enabling camaraderie - not just good culture</li>
<li>Groupthink and Tribalism</li>
</ul>
<p>Join the three as they ride the cyber trails of "People" in the PPT triad!</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/sfr68kw5asem6c7d/jeremiah_finisheda8i3d.mp3" length="37037915" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Jeremiah Roe has held many roles in cybersecurity:  Field CISO, Red Teamer, Advisor, Consultant, etc.  He currently advises for OffSec, who provide quality cybersecurity training.  Drew Simonis and Allan Alford determined that Jeremiah would be a great guest for launching a 3-part mini series - each of the three shows exploring People, Process and Technology respectively.
The three cover the following topics in a lively conversation that journeys into several aspects of People as they relate to cybersecurity:
People, Process, and Technology - Which is most important?
If they knew what we knew about cybersecurity, would they behave differently?
How to leverage training budgets for a win-win-win.
People gonna peop, businesses gonna biz.
Incentivization, Positive Reinforcement and Deputization
Enabling camaraderie - not just good culture
Groupthink and Tribalism
Join the three as they ride the cyber trails of "People" in the PPT triad!
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2310</itunes:duration>
                <itunes:episode>184</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Practical Security Architecture with SABSA with Andrew Townley</title>
        <itunes:title>Practical Security Architecture with SABSA with Andrew Townley</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/practical-security-architecture-with-sabsa-with-andrew-townley/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/practical-security-architecture-with-sabsa-with-andrew-townley/#comments</comments>        <pubDate>Wed, 24 Jul 2024 05:44:20 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/a13755f6-c45d-388c-b272-5e8c0cbc1787</guid>
                                    <description><![CDATA[<p>Drew and Allan were skeptical about SABSA, as it is a model one CISO friend described as being "only good for a graduate student writing a paper!"  Another CISO pointed out that SABSA was designed long before modern engineering practices.</p>
<p>Andrew Townley, a long-term SABSA consultant, on the other hand, gets straight to the practicality of it.  There is indeed an academic and theoretical foundation behind SABSA, but it is most definitely leveraged for one purpose -  to achieve desirable business outcomes.</p>
<p>Drew and Allan ask:</p>
<ul><li>What is SABSA's purpose?</li>
<li>Is Andrew's specific practically applied methodology a deviation from the official SABSA canon?</li>
<li>How can he prove its effectiveness?  What are the practical business outcomes?</li>
</ul>
<p>Both Allan and Drew walk away with enough curiosity to dig into SABSA more.</p>
<p>Note that Andrew several times also cites the work of Russell Ackoff, another academician who enjoyed a rather brilliant career as a business consultant - grounding his systems theory into meaningful business practicality.</p>
<p>More on Russell Ackoff here:</p>
<p><a href='https://en.wikipedia.org/wiki/Russell_L._Ackoff'>https://en.wikipedia.org/wiki/Russell_L._Ackoff</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Drew and Allan were skeptical about SABSA, as it is a model one CISO friend described as being "only good for a graduate student writing a paper!"  Another CISO pointed out that SABSA was designed long before modern engineering practices.</p>
<p>Andrew Townley, a long-term SABSA consultant, on the other hand, gets straight to the practicality of it.  There is indeed an academic and theoretical foundation behind SABSA, but it is most definitely leveraged for one purpose -  to achieve desirable business outcomes.</p>
<p>Drew and Allan ask:</p>
<ul><li>What is SABSA's purpose?</li>
<li>Is Andrew's specific practically applied methodology a deviation from the official SABSA canon?</li>
<li>How can he prove its effectiveness?  What are the practical business outcomes?</li>
</ul>
<p>Both Allan and Drew walk away with enough curiosity to dig into SABSA more.</p>
<p>Note that Andrew several times also cites the work of Russell Ackoff, another academician who enjoyed a rather brilliant career as a business consultant - grounding his systems theory into meaningful business practicality.</p>
<p>More on Russell Ackoff here:</p>
<p><a href='https://en.wikipedia.org/wiki/Russell_L._Ackoff'>https://en.wikipedia.org/wiki/Russell_L._Ackoff</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/c6r8czc8pmd7rj8r/andrew_townley_finished7e9rj.mp3" length="36576906" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Drew and Allan were skeptical about SABSA, as it is a model one CISO friend described as being "only good for a graduate student writing a paper!"  Another CISO pointed out that SABSA was designed long before modern engineering practices.
Andrew Townley, a long-term SABSA consultant, on the other hand, gets straight to the practicality of it.  There is indeed an academic and theoretical foundation behind SABSA, but it is most definitely leveraged for one purpose -  to achieve desirable business outcomes.
Drew and Allan ask:
What is SABSA's purpose?
Is Andrew's specific practically applied methodology a deviation from the official SABSA canon?
How can he prove its effectiveness?  What are the practical business outcomes?
Both Allan and Drew walk away with enough curiosity to dig into SABSA more.
Note that Andrew several times also cites the work of Russell Ackoff, another academician who enjoyed a rather brilliant career as a business consultant - grounding his systems theory into meaningful business practicality.
More on Russell Ackoff here:
https://en.wikipedia.org/wiki/Russell_L._Ackoff]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2281</itunes:duration>
                <itunes:episode>183</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Corporate Social Responsibility - The New Model for Cyber?  w/ Drew Simonis</title>
        <itunes:title>Corporate Social Responsibility - The New Model for Cyber?  w/ Drew Simonis</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/corporate-social-responsibility-the-new-model-for-cyber-w-drew-simonis/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/corporate-social-responsibility-the-new-model-for-cyber-w-drew-simonis/#comments</comments>        <pubDate>Wed, 17 Jul 2024 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/ee4b307a-2cd1-3c48-a535-234a659f776e</guid>
                                    <description><![CDATA[<p>Hang on to your saddle for this one!  Drew Simonis joins Allan as his new co-host in a show where the two of them explore alternative models for selling and funding the cyber mission!</p>
<p>You probably know about corporate social responsibility initiatives.</p>
<p>Did you know that it's not a new idea in the history of capitalism, but rather a throwback?</p>
<p>Before shareholder capitalism, there was stakeholder capitalism:</p>
<p>Stakeholder capitalism proposes that corporations should serve the interests of all their stakeholders, and not just shareholders. Stakeholders can include investors, owners, employees, vendors, customers, and the general public at large. The focus is on long-term value creation, not merely enhancing shareholder value.</p>
<p>Drew walks Allan through some very compelling arguments in favor of this model, and Drew and Allan together tie it to how CISOs can implement and fund cybersecurity...</p>
<p>Random highlights:</p>
<p>1. The short-sightedness of quarter-over-quarter thinking</p>
<p>2. Comparison to the Chinese Communist Party, who gets a big thumbs down from both Drew and Allan, but who do get credit for being able to enact truly long-term plans.</p>
<p>3. Jack Welch and other prominent CEOs advocating for aspects of stakeholder capitalism</p>
<p>4. Random tie-ins to cybersecurity all throughout.</p>
<p>Allan is stoked to have Drew join him as co-host, and this show is most definitely one of the more philosophical episodes, while still grounding itself in the practicalities of running cybersecurity programs.</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Hang on to your saddle for this one!  Drew Simonis joins Allan as his new co-host in a show where the two of them explore alternative models for selling and funding the cyber mission!</p>
<p>You probably know about corporate social responsibility initiatives.</p>
<p>Did you know that it's not a new idea in the history of capitalism, but rather a throwback?</p>
<p>Before shareholder capitalism, there was stakeholder capitalism:</p>
<p>Stakeholder capitalism proposes that corporations should serve the interests of all their stakeholders, and not just shareholders. Stakeholders can include investors, owners, employees, vendors, customers, and the general public at large. The focus is on long-term value creation, not merely enhancing shareholder value.</p>
<p>Drew walks Allan through some very compelling arguments in favor of this model, and Drew and Allan together tie it to how CISOs can implement and fund cybersecurity...</p>
<p>Random highlights:</p>
<p>1. The short-sightedness of quarter-over-quarter thinking</p>
<p>2. Comparison to the Chinese Communist Party, who gets a big thumbs down from both Drew and Allan, but who do get credit for being able to enact truly long-term plans.</p>
<p>3. Jack Welch and other prominent CEOs advocating for aspects of stakeholder capitalism</p>
<p>4. Random tie-ins to cybersecurity all throughout.</p>
<p>Allan is stoked to have Drew join him as co-host, and this show is most definitely one of the more philosophical episodes, while still grounding itself in the practicalities of running cybersecurity programs.</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/6ejhts5tg66nr9bx/drew_finished8c56e.mp3" length="37935273" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Hang on to your saddle for this one!  Drew Simonis joins Allan as his new co-host in a show where the two of them explore alternative models for selling and funding the cyber mission!
You probably know about corporate social responsibility initiatives.
Did you know that it's not a new idea in the history of capitalism, but rather a throwback?
Before shareholder capitalism, there was stakeholder capitalism:
Stakeholder capitalism proposes that corporations should serve the interests of all their stakeholders, and not just shareholders. Stakeholders can include investors, owners, employees, vendors, customers, and the general public at large. The focus is on long-term value creation, not merely enhancing shareholder value.
Drew walks Allan through some very compelling arguments in favor of this model, and Drew and Allan together tie it to how CISOs can implement and fund cybersecurity...
Random highlights:
1. The short-sightedness of quarter-over-quarter thinking
2. Comparison to the Chinese Communist Party, who gets a big thumbs down from both Drew and Allan, but who do get credit for being able to enact truly long-term plans.
3. Jack Welch and other prominent CEOs advocating for aspects of stakeholder capitalism
4. Random tie-ins to cybersecurity all throughout.
Allan is stoked to have Drew join him as co-host, and this show is most definitely one of the more philosophical episodes, while still grounding itself in the practicalities of running cybersecurity programs.
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2366</itunes:duration>
                <itunes:episode>182</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Managing Threats Throughout the SDLC with Tomer Schwartz</title>
        <itunes:title>Managing Threats Throughout the SDLC with Tomer Schwartz</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/managing-threats-throughout-the-sdlc-with-tomer-schwartz/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/managing-threats-throughout-the-sdlc-with-tomer-schwartz/#comments</comments>        <pubDate>Wed, 10 Jul 2024 05:51:10 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/b76b074b-98f5-3944-952b-1bbb9c6caaf8</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Tomer Schwartz, co-founder and CTO over at Dazz.  Yup!  He’s a vendor!  And OMG he’s a sponsoring vendor too! Whatever will we do?  But wait, y’all know Allan's rule:  Vendors are allowed on the show if and when they can add more value on a given subject vs. any practitioners in The Cyber Ranch network.  Tomer fits that bill perfectly!  Tomer has worked in the Microsoft Security Response Center, he’s the former Armis co-founder &amp; CTO, current co-founder &amp; CTO at Dazz, who is a leader in the Application Security Posture Management space.  Tomer is also a coffee aficionado.  Now what does Dazz do and why did we ask Tomer to be on the show?  Dazz is in the Application Security Posture Management space, which is relatively new around here, but they also collate and track threat exposure in real time, and also secure the SDLC in a DevOps’y way...</p>
<p>Questions</p>
<ul><li>The elephant in the room is Gartner’s newest category in this space. Some say ASPM fits into: CTEM, which is Continuous Threat Exposure Management for those behind on eating their alphabet soup.  Tomer, what’s your perspective on that?</li>
<li>Let’s talk about the problem in the ASPM/CTEM space: noise / too much data, no context, limited visibility from code to cloud and everything in between. For real, most solutions suck, as their single pane of glass is a very, very dirty pane of glass, and no amount of Windex is going to help.  And our listeners know we believe in 3-4 “single” panes anyway.   Is there such a thing as a single pane of glass in the ASPM space?  Do we want a single pane?  How does it play nicely with my “single” panes from other spaces?</li>
<li>Here comes the can of worms: Can AI help with this?</li>
<li>Gartner says by 2026 40% of enterprises will have an ASPM solution - do you agree?</li>
<li>And then there’s good ol’ UVM - Unified Vulnerability Management. Feels like a past promise that didn’t deliver.  And it hasn’t addressed DevOps or even Dev very well at all IMHO.  What’s your take?</li>
<li>How should CISOs be thinking about all of these technologies and practices? It can get very complicated very fast and if it’s not done right the devs will run screaming.</li>
<li>Where is this all headed? What’s the ideal future state in this space?</li>
<li>Here’s your chance to tell thousands of CISOs and other high-level practitioners what you want them to know. What do you want them to know?</li>
</ul>
<p>Check out Dazz at https://dazz.io</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Tomer Schwartz, co-founder and CTO over at Dazz.  Yup!  He’s a vendor!  And OMG he’s a sponsoring vendor too! Whatever will we do?  But wait, y’all know Allan's rule:  Vendors are allowed on the show if and when they can add more value on a given subject vs. any practitioners in The Cyber Ranch network.  Tomer fits that bill perfectly!  Tomer has worked in the Microsoft Security Response Center, he’s the former Armis co-founder &amp; CTO, current co-founder &amp; CTO at Dazz, who is a leader in the Application Security Posture Management space.  Tomer is also a coffee aficionado.  Now what does Dazz do and why did we ask Tomer to be on the show?  Dazz is in the Application Security Posture Management space, which is relatively new around here, but they also collate and track threat exposure in real time, and also secure the SDLC in a DevOps’y way...</p>
<p>Questions</p>
<ul><li>The elephant in the room is Gartner’s newest category in this space. Some say ASPM fits into: CTEM, which is Continuous Threat Exposure Management for those behind on eating their alphabet soup.  Tomer, what’s your perspective on that?</li>
<li>Let’s talk about the problem in the ASPM/CTEM space: noise / too much data, no context, limited visibility from code to cloud and everything in between. For real, most solutions suck, as their single pane of glass is a very, very dirty pane of glass, and no amount of Windex is going to help.  And our listeners know we believe in 3-4 “single” panes anyway.   Is there such a thing as a single pane of glass in the ASPM space?  Do we want a single pane?  How does it play nicely with my “single” panes from other spaces?</li>
<li>Here comes the can of worms: Can AI help with this?</li>
<li>Gartner says by 2026 40% of enterprises will have an ASPM solution - do you agree?</li>
<li>And then there’s good ol’ UVM - Unified Vulnerability Management. Feels like a past promise that didn’t deliver.  And it hasn’t addressed DevOps or even Dev very well at all IMHO.  What’s your take?</li>
<li>How should CISOs be thinking about all of these technologies and practices? It can get very complicated very fast and if it’s not done right the devs will run screaming.</li>
<li>Where is this all headed? What’s the ideal future state in this space?</li>
<li>Here’s your chance to tell thousands of CISOs and other high-level practitioners what you want them to know. What do you want them to know?</li>
</ul>
<p>Check out Dazz at https://dazz.io</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/aqiqmtcype89wqwg/tomer_FINAL8gfeu.mp3" length="27481278" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest toda is Tomer Schwartz, co-founder and CTO over at Dazz  Yup!  He’s a vendor!  And OMG he’s a sponsoring vendor too! Whatever will we do?  But wait, y’all know Allan's rule:  Vendors are allowed on the show if and when they can add more value on a given subject vs. any practitioners in The Cyber Ranch network.  Tomer fits that bill perfectly!  Tomer has worked in the Microsoft Security Response Center, he’s the former Armis co-founder &amp; CTO, current co-founder &amp; CTO at Dazz, who is a leader in the Application Security Posture Management space.  Tomer is also a coffee aficionado.  Now what does Dazz do and why did we ask Tomer to be on the show?  Dazz is in the Application Security Posture Management space, which is relatively new around here, but they also collate and track threat exposure realtime, and also secure the SDLC in a DevOps’y way...
 
Questions
 
The elephant in the room is Gartner’s newest category in this space. Some say ASPM fits into CTEM, which is Continuous Threat Exposure Management for those behind on eating their alphabet soup.  Tomer, what’s your perspective on that?
Let’s talk about the problem in the ASPM/CTEM space: noise / too much data, no context, limited visibility from code to cloud and everything in between. For real, most solutions suck, as their single pane of glass is a very, very dirty pane of glass, and no amount of Windex is going to help.  And our listeners know we believe in 3-4 “single” panes anyway.   Is there such a thing as a single pane of glass in the ASPM space?  Do we want a single pane?  How does it play nicely with my “single” panes from other spaces?
Here comes the can of worms: Can AI help with this?
Gartner says by 2026 40% of enterprises will have an ASPM solution - do you agree?
And then there’s good ol’ UVM - Unified Vulnerability Management. Feels like a past promise that didn’t deliver.  And it hasn’t addressed DevOps or even Dev very well at all IMHO.  What’s your take?
How should CISOs be thinking about all of these technologies and practices? It can get very complicated very fast and if it’s not done right the devs will run screaming.
Where is this all headed? What’s the ideal future state in this space?
Here’s your chance to tell thousands of CISOs and other high-level practitioners what you want them to know. What do you want them to know?
Check out Dazz at https://dazz.io]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1713</itunes:duration>
                <itunes:episode>181</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Measuring Leadership (And Followership!)</title>
        <itunes:title>Measuring Leadership (And Followership!)</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/measuring-leadership-and-followership/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/measuring-leadership-and-followership/#comments</comments>        <pubDate>Wed, 03 Jul 2024 04:40:57 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/fb66b889-3743-36f2-86b4-1f4c07e8f6d0</guid>
                                    <description><![CDATA[<p>If leadership exists in good and bad forms, so must followership.</p>
<p>Leadership can exist both by designation, and dynamically, as manifested by folks who may not have an official leader title.</p>
<p>And yet we don't measure followership, and our measurements of leadership leave something to be desired...</p>
<p>Join Allan Alford as he flies solo this week exploring these topics and suggesting a better way forward.</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>If leadership exists in good and bad forms, so must followership.</p>
<p>Leadership can exist both by designation, and dynamically, as manifested by folks who may not have an official leader title.</p>
<p>And yet we don't measure followership, and our measurements of leadership leave something to be desired...</p>
<p>Join Allan Alford as he flies solo this week exploring these topics and suggesting a better way forward.</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/v775ryehcayqm485/measuring_leadershipaon6i.mp3" length="29191567" type="audio/mpeg"/>
        <itunes:summary><![CDATA[If leadership exists in good and bad forms, so must followership.
Leadership can exist both by designation, and dynamically, as manifested by folks who may not have an official leader title.
And yet we don't measure followership, and our measurements of leadership leave something to be desired...
Join Allan Alford as he flies solo this week exploring these topics and suggesting a better way forward.
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1820</itunes:duration>
                <itunes:episode>180</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>There Is No Such Thing As Security with Nathan Case</title>
        <itunes:title>There Is No Such Thing As Security with Nathan Case</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/there-is-no-such-thing-as-security-with-nathan-case/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/there-is-no-such-thing-as-security-with-nathan-case/#comments</comments>        <pubDate>Thu, 27 Jun 2024 04:05:37 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/a5bf08b8-d91a-3eb5-82e9-8256d01ce59f</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Nathan Case, who is a previous guest from a multi-guest show.  Nate has been a CISO, CTO, Strategist, consultant, CEO, and all kinds of other things.  His career is as colorful and varied as Allan's – maybe even more so.  Nate's chosen topic is “There is no such thing as security!”  So without further ado, let’s dive in!</p>
<ol><li>What do you mean when you say “There is no such thing as security!”?
<ol><li>Nate outlines it as a way to judge risk</li>
</ol></li>
<li>If security is a way to judge risk, then what about the judging? There are metrics there, and some kind of end state, yes?</li>
<li>So you’re saying our feelings about managing the unmanageable is really where the sense of security comes from? That ‘security’ = ‘feelings about risk management results’?</li>
<li>How do I know what I don’t know? How does that relate to this definition of security?</li>
<li>Let’s get concrete – What changes are needed for tools and tech to get past this false sense of security?</li>
<li>If security is a description of a thing, or a specific action, where does this leave us?</li>
</ol>]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Nathan Case, who is a previous guest from a multi-guest show.  Nate has been a CISO, CTO, Strategist, consultant, CEO, and all kinds of other things.  His career is as colorful and varied as Allan's – maybe even more so.  Nate's chosen topic is “There is no such thing as security!”  So without further ado, let’s dive in!</p>
<ol><li>What do you mean when you say “There is no such thing as security!”?
<ol><li>Nate outlines it as a way to judge risk</li>
</ol></li>
<li>If security is a way to judge risk, then what about the judging? There are metrics there, and some kind of end state, yes?</li>
<li>So you’re saying our feelings about managing the unmanageable is really where the sense of security comes from? That ‘security’ = ‘feelings about risk management results’?</li>
<li>How do I know what I don’t know? How does that relate to this definition of security?</li>
<li>Let’s get concrete – What changes are needed for tools and tech to get past this false sense of security?</li>
<li>If security is a description of a thing, or a specific action, where does this leave us?</li>
</ol>]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/sn7ju446gwmiqm98/case_finalbn935.mp3" length="39759247" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Nathan Case, who is a previous guest from a multi-guest show.  Nate has been a CISO, CTO, Strategist, consultant, CEO, and all kinds of other things.  His career is as colorful and varied as Allan's – maybe even more so.  Nate's chosen topic is “There is no such thing as security!”  So without further ado, let’s dive in!
What do you mean when you say “There is no such thing as security!”?
Nate outlines it as a way to judge risk

If security is a way to judge risk, then what about the judging? There are metrics there, and some kind of end state, yes?
So you’re saying our feelings about managing the unmanageable is really where the sense of security comes from? That ‘security’ = ‘feelings about risk management results’?
How do I know what I don’t know? How does that relate to this definition of security?
Let’s get concrete – What changes are needed for tools and tech to get past this false sense of security?
If security is a description of a thing, or a specific action, where does this leave us?
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2480</itunes:duration>
                <itunes:episode>179</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>21 Questions LIVE! at RSAC 2024 - 3 of 3</title>
        <itunes:title>21 Questions LIVE! at RSAC 2024 - 3 of 3</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/21-questions-live-at-rsac-2024-3-of-3/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/21-questions-live-at-rsac-2024-3-of-3/#comments</comments>        <pubDate>Wed, 19 Jun 2024 05:14:38 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/e6588613-8987-30fc-b380-db577ac49e51</guid>
                                    <description><![CDATA[<p>In this show, Allan interviews seven guests and asks them questions from a list of 21:</p>
<p>Omkhar Arasaratnam
“How do we leverage LLMs for our own use in cybersecurity?”
"How do you challenge your own precepts and assumptions to stay current in your role?"</p>
<p>Ofer Klein
“How do you describe what you do in cybersecurity to someone at a cocktail party who knows nothing about cyber?"
"How do you explain to the business the value you bring and the risks you solve?"</p>
<p>Rick Doten
"What message do you have for your fellow CISOs?"
"In this cybersecurity community there is hostility between vendors and practitioners.  What is your best moment with a vendor?"</p>
<p>Sahil Agarwal
“How do you measure and articulate the risk that AI represents to the business?"
"Governance, Risk Management and Compliance - Where should the priority be?"</p>
<p>Roger Brotz
"What would you like your fellow CISOs to know?"
"What are we still getting wrong in cybersecurity?"</p>
<p>Tyson Martin
"How do we take on more accountability as business leaders?"
"How do we overcome our defaults, precepts and assumptions?  How do you get past your own biases and blind spots?"</p>
<p>Sponsored by our good friends at Semperis.</p>
<p>It's a great series of guests, and a great series of answers.  Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this show, Allan interviews seven guests and asks them questions from a list of 21:</p>
<p>Omkhar Arasaratnam<br>
“How do we leverage LLMs for our own use in cybersecurity?”<br>
"How do you challenge your own precepts and assumptions to stay current in your role?"</p>
<p>Ofer Klein<br>
“How do you describe what you do in cybersecurity to someone at a cocktail party who knows nothing about cyber?"<br>
"How do you explain to the business the value you bring and the risks you solve?"</p>
<p>Rick Doten<br>
"What message do you have for your fellow CISOs?"<br>
"In this cybersecurity community there is hostility between vendors and practitioners.  What is your best moment with a vendor?"</p>
<p>Sahil Agarwal<br>
“How do you measure and articulate the risk that AI represents to the business?"<br>
"Governance, Risk Management and Compliance - Where should the priority be?"</p>
<p>Roger Brotz<br>
"What would you like your fellow CISOs to know?"<br>
"What are we still getting wrong in cybersecurity?"</p>
<p>Tyson Martin<br>
"How do we take on more accountability as business leaders?"<br>
"How do we overcome our defaults, precepts and assumptions?  How do you get past your own biases and blind spots?"</p>
<p>Sponsored by our good friends at Semperis.</p>
<p>It's a great series of guests, and a great series of answers.  Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/nsf7qpmkqmdffzxw/rsa_show_3_20246fq3v.mp3" length="27864129" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this show, Allan interviews seven guests and asks them questions from a list of 21:
Omkhar Arasaratnam
“How do we leverage LLMs for our own use in cybersecurity?”
"How do you challenge your own precepts and assumptions to stay current in your role?"
Ofer Klein
“How do you describe what you do in cybersecurity to someone at a cocktail party who knows nothing about cyber?"
"How do you explain to the business the value you bring and the risks you solve?"
Rick Doten
"What message do you have for your fellow CISOs?"
"In this cybersecurity community there is hostility between vendors and practitioners.  What is your best moment with a vendor?"
Sahil Agarwal
“How do you measure and articulate the risk that AI represents to the business?"
"Governance, Risk Management and Compliance - Where should the priority be?"
Roger Brotz
"What would you like your fellow CISOs to know?"
"What are we still getting wrong in cybersecurity?"
Tyson Martin
"How do we take on more accountability as business leaders?"
"How do we overcome our defaults, precepts and assumptions?  How do you get past your own biases and blind spots?"
Sponsored by our good friends at Semperis.
It's a great series of guests, and a great series of answers.  Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1737</itunes:duration>
                <itunes:episode>178</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>21 Questions LIVE! at RSAC 2024 - 2 of 3</title>
        <itunes:title>21 Questions LIVE! at RSAC 2024 - 2 of 3</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/21-questions-live-at-rsac-2024-2-of-3/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/21-questions-live-at-rsac-2024-2-of-3/#comments</comments>        <pubDate>Wed, 12 Jun 2024 06:13:55 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/461ed401-96db-35e5-bd21-45deb50884f6</guid>
                                    <description><![CDATA[<p>In this show, Allan interviews seven guests and asks them questions from a list of 21:</p>
<p> </p>
<p>Chris "Cpat" Patteson</p>
<p>“Why do so many CISOs think cybersecurity insurance is snake oil?”</p>
<p> </p>
<p>Johann Balaguer</p>
<p>“People, process, technology - Which is the most important and why?”</p>
<p>"What do you want your fellow community of CISOs to know?"</p>
<p> </p>
<p>Lee Krause</p>
<p>“What are we still doing wrong in cybersecurity?"</p>
<p> </p>
<p>Ken Foster</p>
<p>“What are we still doing wrong in cybersecurity?"</p>
<p>"How do we articulate risk to the business?"</p>
<p> </p>
<p>Marty Momdjian</p>
<p>"Walk me through how to solve the nightmare of repeat incidents?"</p>
<p> </p>
<p>Michael Calderin</p>
<p>“IA&amp;M: Who should own it, and why?  CIO?  CISO?”</p>
<p>"What is the definition of progress in cybersecurity?  Is there an end state?"</p>
<p> </p>
<p>Mike Britton</p>
<p>"People, Process, Technology: Which is the most important?"</p>
<p>"I&amp;AM: Who should own it?  CISO or CIO?"</p>
<p>"What's your favorite part of the RSA conference?"</p>
<p> </p>
<p>Sponsored by our good friends at Semperis.</p>
<p> </p>
<p>It's a great series of guests, and a great series of answers.  Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this show, Allan interviews seven guests and asks them questions from a list of 21:</p>
<p> </p>
<p>Chris "Cpat" Patteson</p>
<p>“Why do so many CISOs think cybersecurity insurance is snake oil?”</p>
<p> </p>
<p>Johann Balaguer</p>
<p>“People, process, technology - Which is the most important and why?”</p>
<p>"What do you want your fellow community of CISOs to know?"</p>
<p> </p>
<p>Lee Krause</p>
<p>“What are we still doing wrong in cybersecurity?"</p>
<p> </p>
<p>Ken Foster</p>
<p>“What are we still doing wrong in cybersecurity?"</p>
<p>"How do we articulate risk to the business?"</p>
<p> </p>
<p>Marty Momdjian</p>
<p>"Walk me through how to solve the nightmare of repeat incidents?"</p>
<p> </p>
<p>Michael Calderin</p>
<p>“IA&amp;M: Who should own it, and why?  CIO?  CISO?”</p>
<p>"What is the definition of progress in cybersecurity?  Is there an end state?"</p>
<p> </p>
<p>Mike Britton</p>
<p>"People, Process, Technology: Which is the most important?"</p>
<p>"I&amp;AM: Who should own it?  CISO or CIO?"</p>
<p>"What's your favorite part of the RSA conference?"</p>
<p> </p>
<p>Sponsored by our good friends at Semperis.</p>
<p> </p>
<p>It's a great series of guests, and a great series of answers.  Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/fw6p5ekgqeixf4x2/rsa_show_2_20245ztt6.mp3" length="32779329" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this show, Allan interviews seven guests and asks them questions from a list of 21:
 
Chris "Cpat" Patteson
“Why do so many CISOs think cybersecurity insurance is snake oil?”
 
Johann Balaguer
“People, process, technology - Which is the most important and why?”
"What do you want your fellow community of CISOs to know?"
 
Lee Krause
“What are we still doing wrong in cybersecurity?"
 
Ken Foster
“What are we still doing wrong in cybersecurity?"
"How do we articulate risk to the business?"
 
Marty Momdjian
"Walk me through how to solve the nightmare of repeat incidents?"
 
Michael Calderin
“IA&amp;M: Who should own it, and why?  CIO?  CISO?”
"What is the definition of progress in cybersecurity?  Is there an end state?"
 
Mike Britton
"People, Process, Technology: Which is the most important?"
"I&amp;AM: Who should own it?  CISO or CIO?"
"What's your favorite part of the RSA conference?"
 
Sponsored by our good friends at Semperis.
 
It's a great series of guests, and a great series of answers.  Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2044</itunes:duration>
                <itunes:episode>177</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>21 Questions LIVE! at RSAC 2024 - 1 of 3</title>
        <itunes:title>21 Questions LIVE! at RSAC 2024 - 1 of 3</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/21-questions-live-at-rsac-2024-1-of-2/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/21-questions-live-at-rsac-2024-1-of-2/#comments</comments>        <pubDate>Wed, 05 Jun 2024 06:18:13 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/cc4bac85-9f48-37aa-8a07-ae867a6e7c72</guid>
                                    <description><![CDATA[<p>In this show, Allan interviews nine guests and asks them questions from a list of 21:</p>
<p> </p>
<p>Dr. Deanna Caputo</p>
<p>“How do you measure and articulate risk to the business?”</p>
<p>“People, process or technology?”</p>
<p> </p>
<p>Carlos Guerrero</p>
<p>“How do we foster community in cybersecurity?”</p>
<p> </p>
<p>Elliott Franklin</p>
<p>“Governance, Risk Management, and Compliance – Which of the three is most important?”</p>
<p>“What does progress look like in cybersecurity?”</p>
<p> </p>
<p>Corey Bodzin</p>
<p>“With regards to AI &amp; LLM, what is the impact to infrastructure?”</p>
<p> </p>
<p>Evgeniy Kharam</p>
<p>“How integral is Identity &amp; Access Management to the cybersecurity mission?”</p>
<p>“How well is traditional DLP technology meeting its mission and what else can we do?”</p>
<p> </p>
<p>Gary Hayslip</p>
<p>“What does RSA mean to you?”</p>
<p> </p>
<p>Kelly Shortridge</p>
<p>“What does progress mean to you in cybersecurity?”</p>
<p>“What is the end goal of cybersecurity?”</p>
<p> </p>
<p>George Kamide &amp; George Al-Koura</p>
<p>“What are you getting out of RSA?”</p>
<p> </p>
<p>Kevin Jackson</p>
<p>“What are we doing wrong in cybersecurity?”</p>
<p> </p>
<p>Sponsored by our good friends at Semperis.</p>
<p> </p>
<p>It's a great series of guests, and a great series of answers.  Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this show, Allan interviews nine guests and asks them questions from a list of 21:</p>
<p> </p>
<p>Dr. Deanna Caputo</p>
<p>“How do you measure and articulate risk to the business?”</p>
<p>“People, process or technology?”</p>
<p> </p>
<p>Carlos Guerrero</p>
<p>“How do we foster community in cybersecurity?”</p>
<p> </p>
<p>Elliott Franklin</p>
<p>“Governance, Risk Management, and Compliance – Which of the three is most important?”</p>
<p>“What does progress look like in cybersecurity?”</p>
<p> </p>
<p>Corey Bodzin</p>
<p>“With regards to AI &amp; LLM, what is the impact to infrastructure?”</p>
<p> </p>
<p>Evgeniy Kharam</p>
<p>“How integral is Identity &amp; Access Management to the cybersecurity mission?”</p>
<p>“How well is traditional DLP technology meeting its mission and what else can we do?”</p>
<p> </p>
<p>Gary Hayslip</p>
<p>“What does RSA mean to you?”</p>
<p> </p>
<p>Kelly Shortridge</p>
<p>“What does progress mean to you in cybersecurity?”</p>
<p>“What is the end goal of cybersecurity?”</p>
<p> </p>
<p>George Kamide &amp; George Al-Koura</p>
<p>“What are you getting out of RSA?”</p>
<p> </p>
<p>Kevin Jackson</p>
<p>“What are we doing wrong in cybersecurity?”</p>
<p> </p>
<p>Sponsored by our good friends at Semperis.</p>
<p> </p>
<p>It's a great series of guests, and a great series of answers.  Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/yfmmxzw4qg7bjzfx/rsa_show_1_20249e0km.mp3" length="39028237" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this show, Allan interviews nine guests and asks them questions from a list of 21:
 
Dr. Deanna Caputo
“How do you measure and articulate risk to the business?”
“People, process or technology?”
 
Carlos Guerrero
“How do we foster community in cybersecurity?”
 
Elliott Franklin
“Governance, Risk Management, and Compliance – Which of the three is most important?”
“What does progress look like in cybersecurity?”
 
Corey Bodzin
“With regards to AI &amp; LLM, what is the impact to infrastructure?”
 
Evgeniy Kharam
“How integral is Identity &amp; Access Management to the cybersecurity mission?”
“How well is traditional DLP technology meeting its mission and what else can we do?”
 
Gary Hayslip
“What does RSA mean to you?”
 
Kelly Shortridge
“What does progress mean to you in cybersecurity?”
“What is the end goal of cybersecurity?”
 
George Kamide &amp; George Al-Koura
“What are you getting out of RSA?”
 
Kevin Jackson
“What are we doing wrong in cybersecurity?”
 
Sponsored by our good friends at Semperis.
 
It's a great series of guests, and a great series of answers.  Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2435</itunes:duration>
                <itunes:episode>176</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Positives of Cybersecurity LIVE! at CISO XC with Dani Woolf and Guests</title>
        <itunes:title>The Positives of Cybersecurity LIVE! at CISO XC with Dani Woolf and Guests</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-positives-of-cybersecurity-live-at-ciso-xc-with-dani-woolf-and-guests/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-positives-of-cybersecurity-live-at-ciso-xc-with-dani-woolf-and-guests/#comments</comments>        <pubDate>Wed, 29 May 2024 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/e2985482-60ed-3df7-8067-5116fcad1321</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast… AND The Audience 1st Podcast!  What you are about to hear was recorded LIVE! at the CISO XC conference in Dallas-Fort Worth, Texas (my very favorite conference!).  I am your host, Allan Alford, CEO of Alford &amp; Adams Consulting.  I have a co-host on this episode, Dani Woolf, of the Audience 1st podcast!  On her show, Dani interviews security buyers so vendors can more efficiently market and sell to them without ruffling their feathers (or pissing them off).  What we’re doing on this joint endeavor is interviewing various CISOs and other folks about their roles in cyber.  This week’s show focuses on the pros of cybersecurity – we covered the negatives last week, and this week we cover the positives.  My listeners should know by now that I like to end on a positive note…</p>
<p> </p>
<p>WARNING: Some naughty language</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast… AND The Audience 1st Podcast!  What you are about to hear was recorded LIVE! at the CISO XC conference in Dallas-Fort Worth, Texas (my very favorite conference!).  I am your host, Allan Alford, CEO of Alford &amp; Adams Consulting.  I have a co-host on this episode, Dani Woolf, of the Audience 1st podcast!  On her show, Dani interviews security buyers so vendors can more efficiently market and sell to them without ruffling their feathers (or pissing them off).  What we’re doing on this joint endeavor is interviewing various CISOs and other folks about their roles in cyber.  This week’s show focuses on the pros of cybersecurity – we covered the negatives last week, and this week we cover the positives.  My listeners should know by now that I like to end on a positive note…</p>
<p> </p>
<p>WARNING: Some naughty language</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/qixnpzd4gpvuz8ay/ciso_xc_pros9eam4.mp3" length="37181275" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast… AND The Audience 1st Podcast!  What you are about to hear was recorded LIVE! at the CISO XC conference in Dallas-Fort Worth, Texas (my very favorite conference!).  I am your host, Allan Alford, CEO of Alford &amp; Adams Consulting.  I have a co-host on this episode, Dani Woolf, of the Audience 1st podcast!  On her show, Dani interviews security buyers so vendors can more efficiently market and sell to them without ruffling their feathers (or pissing them off).  What we’re doing on this joint endeavor is interviewing various CISOs and other folks about their roles in cyber.  This week’s show focuses on the pros of cybersecurity – we covered the negatives last week, and this week we cover the positives.  My listeners should know by now that I like to end on a positive note…
 
WARNING: Some naughty language]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2319</itunes:duration>
                <itunes:episode>175</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Negatives of Cybersecurity LIVE! at CISO XC with Dani Woolf and Guests</title>
        <itunes:title>The Negatives of Cybersecurity LIVE! at CISO XC with Dani Woolf and Guests</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-negatives-of-cybersecurity-live-at-ciso-xc-with-dani-woolf/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-negatives-of-cybersecurity-live-at-ciso-xc-with-dani-woolf/#comments</comments>        <pubDate>Wed, 22 May 2024 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/758bbb37-799d-3261-b0b3-5ca067e12ff9</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast… AND The Audience 1st Podcast!  What you are about to hear was recorded LIVE! at the CISO XC conference in Dallas-Fort Worth, Texas (my very favorite conference!).  I am your host, Allan Alford, CEO of Alford &amp; Adams Consulting.  I have a co-host on this episode, Dani Woolf, of the Audience 1st podcast!  On her show, Dani interviews security buyers so vendors can more efficiently market and sell to them without ruffling their feathers (or pissing them off).  What we’re doing on this joint endeavor is interviewing various CISOs and other folks about their roles in cyber.  This week’s show focuses on the cons of cybersecurity – the beefs, gripes, grumps, complaints and fears about cybersecurity.  Next week we’ll end on a positive note, but this show is an opportunity for CISOs to scream into the void.  Without further ado, here we go…</p>
<p> </p>
<p>WARNING:  Some naughty language this episode.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast… AND The Audience 1st Podcast!  What you are about to hear was recorded LIVE! at the CISO XC conference in Dallas-Fort Worth, Texas (my very favorite conference!).  I am your host, Allan Alford, CEO of Alford &amp; Adams Consulting.  I have a co-host on this episode, Dani Woolf, of the Audience 1st podcast!  On her show, Dani interviews security buyers so vendors can more efficiently market and sell to them without ruffling their feathers (or pissing them off).  What we’re doing on this joint endeavor is interviewing various CISOs and other folks about their roles in cyber.  This week’s show focuses on the cons of cybersecurity – the beefs, gripes, grumps, complaints and fears about cybersecurity.  Next week we’ll end on a positive note, but this show is an opportunity for CISOs to scream into the void.  Without further ado, here we go…</p>
<p> </p>
<p>WARNING:  Some naughty language this episode.</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/y78gv4jqcxkt5t3n/ciso_xc_consb5e2w.mp3" length="28056808" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast… AND The Audience 1st Podcast!  What you are about to hear was recorded LIVE! at the CISO XC conference in Dallas-Fort Worth, Texas (my very favorite conference!).  I am your host, Allan Alford, CEO of Alford &amp; Adams Consulting.  I have a co-host on this episode, Dani Woolf, of the Audience 1st podcast!  On her show, Dani interviews security buyers so vendors can more efficiently market and sell to them without ruffling their feathers (or pissing them off).  What we’re doing on this joint endeavor is interviewing various CISOs and other folks about their roles in cyber.  This week’s show focuses on the cons of cybersecurity – the beefs, gripes, grumps, complaints and fears about cybersecurity.  Next week we’ll end on a positive note, but this show is an opportunity for CISOs to scream into the void.  Without further ado, here we go…
 
WARNING:  Some naughty language this episode.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>true</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1749</itunes:duration>
                <itunes:episode>174</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>When It's Good To Deprioritize Security with Drew Simonis</title>
        <itunes:title>When It's Good To Deprioritize Security with Drew Simonis</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/when-its-good-to-deprioritize-security-with-drew-simonis/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/when-its-good-to-deprioritize-security-with-drew-simonis/#comments</comments>        <pubDate>Thu, 16 May 2024 05:09:52 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/9143be04-93a3-3d06-ba85-cbe7c5dc9bee</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Drew Simonis, CISO @ Juniper Networks, former CSO @ Hewlett Packard Enterprise, former CISO at Willis – you get the idea.  Drew’s posts on LinkedIn are pure fire – not in the hot takes way, but because of the quality of the thinking behind them.  Drew has also been on the show a couple of times now, and we keep inviting him back because he’s always worth hearing from.  Drew and Allan were chatting this afternoon about the idea that oftentimes cybersecurity does not matter – and that that’s okay!  So we decided to record a show on that topic.</p>
<p> </p>
<p>Drew and Allan share some real-world stories where they put security on hold for the benefit of the business:</p>
<ol><li>VP of R&amp;D had been told he had to get a new product off the ground that was only quasi-planned for. He had properly allocated headcount, but realized his cloud costs were going to rise dramatically.  At the time Allan had a big security initiative he was pushing for out-of-bandwidth.  They met and talked.  His out-of-bandwidth need was stronger than Allan's in terms of benefits to the business.  Allan backed him AND also made sure that his extra cloud spend included a few more security features in AWS.  Win-win.  Drew has a similar tale.</li>
<li>Flat-out, top line was declining and we could not figure out specifically why. New competitor explained some of it, but not all of it.  Market fatigue?  But that was not all of it.  CRO wanted more sales folks to throw at the problem.  CISO backed him and gave away project budget to support him.</li>
<li>Company had mismanaged an expansion. Building was paid for, but nobody had thought about the IT costs and headcount.  CIO was trying to figure out where to get bodies to populate the new site.  Allan gave up 2 headcount for 2 more quarters.</li>
<li>Startup: CISO took on Marketing department temporarily when head of Marketing left. Slowed down the security focus, but Marketing needed some hands-on attention beyond what the CEO could give.  It paid off for the business.</li>
<li>CISO joined forces with head of Pro Services to push through a security initiative that benefited key customers for him (contracts he could now secure), but also gave me some more generalized security comfort.</li>
<li>Spent huge amount of what could have been security operations time training sales teams on security as differentiator in the market. Benefited top line.</li>
</ol><p>Drew and Allan share many more stories and break down why in each of these cases, deprioritizing daily security operations was the right thing to do!</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Drew Simonis, CISO @ Juniper Networks, former CSO @ Hewlett Packard Enterprise, former CISO at Willis – you get the idea.  Drew’s posts on LinkedIn are pure fire – not in the hot takes way, but because of the quality of the thinking behind them.  Drew has also been on the show a couple of times now, and we keep inviting him back because he’s always worth hearing from.  Drew and Allan were chatting this afternoon about the idea that oftentimes cybersecurity does not matter – and that that’s okay!  So we decided to record a show on that topic.</p>
<p> </p>
<p>Drew and Allan share some real-world stories where they put security on hold for the benefit of the business:</p>
<ol><li>VP of R&amp;D had been told he had to get a new product off the ground that was only quasi-planned for. He had properly allocated headcount, but realized his cloud costs were going to rise dramatically.  At the time Allan had a big security initiative he was pushing for out-of-bandwidth.  They met and talked.  His out-of-bandwidth need was stronger than Allan's in terms of benefits to the business.  Allan backed him AND also made sure that his extra cloud spend included a few more security features in AWS.  Win-win.  Drew has a similar tale.</li>
<li>Flat-out, top line was declining and we could not figure out specifically why. New competitor explained some of it, but not all of it.  Market fatigue?  But that was not all of it.  CRO wanted more sales folks to throw at the problem.  CISO backed him and gave away project budget to support him.</li>
<li>Company had mismanaged an expansion. Building was paid for, but nobody had thought about the IT costs and headcount.  CIO was trying to figure out where to get bodies to populate the new site.  Allan gave up 2 headcount for 2 more quarters.</li>
<li>Startup: CISO took on Marketing department temporarily when head of Marketing left. Slowed down the security focus, but Marketing needed some hands-on attention beyond what the CEO could give.  It paid off for the business.</li>
<li>CISO joined forces with head of Pro Services to push through a security initiative that benefited key customers for him (contracts he could now secure), but also gave me some more generalized security comfort.</li>
<li>Spent huge amount of what could have been security operations time training sales teams on security as differentiator in the market. Benefited top line.</li>
</ol><p>Drew and Allan share many more stories and break down why in each of these cases, deprioritizing daily security operations was the right thing to do!</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/p8jik23hgdbnd895/drew_finished_2b7m49.mp3" length="31925856" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Drew Simonis, CISO @ Juniper Networks, former CSO @ Hewlett Packard Enterprise, former CISO at Willis – you get the idea.  Drew’s posts on LinkedIn are pure fire – not in the hot takes way, but because of the quality of the thinking behind them.  Drew has also been on the show a couple of times now, and we keep inviting him back because he’s always worth hearing from.  Drew and Allan were chatting this afternoon about the idea that oftentimes cybersecurity does not matter – and that that’s okay!  So we decided to record a show on that topic.
 
Drew and Allan share some real-world stories where they put security on hold for the benefit of the business:
VP of R&amp;D had been told he had to get a new product off the ground that was only quasi-planned for. He had properly allocated headcount, but realized his cloud costs were going to rise dramatically.  At the time Allan had a big security initiative he was pushing for out-of-bandwidth.  They met and talked.  His out-of-bandwidth need was stronger than Allan's in terms of benefits to the business.  Allan backed him AND also made sure that his extra cloud spend included a few more security features in AWS.  Win-win.  Drew has a similar tale.
Flat-out, top line was declining and we could not figure out specifically why. New competitor explained some of it, but not all of it.  Market fatigue?  But that was not all of it.  CRO wanted more sales folks to throw at the problem.  CISO backed him and gave away project budget to support him.
Company had mismanaged an expansion. Building was paid for, but nobody had thought about the IT costs and headcount.  CIO was trying to figure out where to get bodies to populate the new site.  Allan gave up 2 headcount for 2 more quarters.
Startup: CISO took on Marketing department temporarily when head of Marketing left. Slowed down the security focus, but Marketing needed some hands-on attention beyond what the CEO could give.  It paid off for the business.
CISO joined forces with head of Pro Services to push through a security initiative that benefited key customers for him (contracts he could now secure), but also gave me some more generalized security comfort.
Spent huge amount of what could have been security operations time training sales teams on security as differentiator in the market. Benefited top line.
Drew and Allan share many more stories and break down why in each of these cases, deprioritizing daily security operations was the right thing to do!
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1991</itunes:duration>
                <itunes:episode>173</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Driving Business Growth with Ankur Ahuja</title>
        <itunes:title>Driving Business Growth with Ankur Ahuja</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/driving-business-growth-with-ankur-ahuja/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/driving-business-growth-with-ankur-ahuja/#comments</comments>        <pubDate>Wed, 01 May 2024 06:13:39 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/fcd31dca-5ae3-3882-9116-771f6f6052d7</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Ankur Ahuja, 2x CISO, TEDx Speaker, Startup Investor, Board Advisor, etc. etc.  Ankur is currently SVP and CISO at Billtrust, and he’s got some Big 4 in his DNA too (ten years, in fact!).  Ankur wanted to chat about how CISOs can drive business growth, so I asked him to come on down to the ’Ranch and have a chat with me.</p>
<p> </p>
<p>It's more than attending sales calls.</p>
<p>It's more than security questionnaires.</p>
<p> </p>
<p>Listen for some clever new tips on driving business growth!</p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Ankur Ahuja, 2x CISO, TEDx Speaker, Startup Investor, Board Advisor, etc. etc.  Ankur is currently SVP and CISO at Billtrust, and he’s got some Big 4 in his DNA too (ten years, in fact!).  Ankur wanted to chat about how CISOs can drive business growth, so I asked him to come on down to the ’Ranch and have a chat with me.</p>
<p> </p>
<p>It's more than attending sales calls.</p>
<p>It's more than security questionnaires.</p>
<p> </p>
<p>Listen for some clever new tips on driving business growth!</p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/7nx98ayhb3gjuiii/ankar_fininshedbaesr.mp3" length="30528201" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Ankur Ahuja, 2x CISO, TEDx Speaker, Startup Investor, Board Advisor, etc. etc.  Ankur is currently SVP and CISO at Billtrust, and he’s got some Big 4 in his DNA too (ten years, in fact!).  Ankur wanted to chat about how CISOs can drive business growth, so I asked him to come on down to the ’Ranch and have a chat with me.
 
It's more than attending sales calls.
It's more than security questionnaires.
 
Listen for some clever new tips on driving business growth!
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1903</itunes:duration>
                <itunes:episode>172</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Properly Prioritizing Cybersecurity with Melanie Ensign</title>
        <itunes:title>Properly Prioritizing Cybersecurity with Melanie Ensign</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/properly-prioritizing-cybersecurity-with-melanie-ensign/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/properly-prioritizing-cybersecurity-with-melanie-ensign/#comments</comments>        <pubDate>Thu, 25 Apr 2024 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/b99d74bf-82bf-3f5a-b2d9-4654db29bfc1</guid>
                                    <description><![CDATA[<p>Melanie Ensign is a communications strategist and corporate anthropologist for cybersecurity, privacy, and risk organizations.  She is founder and CEO of Discernible, a multi-disciplinary Center of Excellence for security, privacy, &amp; risk teams. Her team includes experts in communications, product development and management, compliance, security and privacy engineering, and behavioral science.</p>
<p>Melanie is here at the 'Ranch to talk specifically about the fact that so many CISOs feel they are in organizations that simply don’t care about cybersecurity.  She’s got some good insights into this one, and it’s the perfect topic for her expertise.</p>
<p>Allan asks Melanie:</p>
<ol><li>Allan put up a LinkedIn poll asking folks “Do you feel organizations properly prioritize cybersecurity?” The results were pretty sobering.  What are your thoughts?</li>
<li>Is the problem really the organization or is it us? Probably a mix of the two, or maybe one or the other depending upon the environment and the individual CISO?</li>
<li>Assuming it’s the organization, how can a CISO avoid such organizations in the first place? How do you vet a company for its commitment to cybersecurity?</li>
<li>If you find yourself in a company that does not seem to care about cybersecurity, what should be your next steps?</li>
<li>Allan has emphasized over the years that all CISOs are salespeople times two. We sell the problem, then we sell the solution.  Is that a fair perspective in your mind?  How many other leaders have to sell their mission in general?  I think we all end up selling specifics…</li>
<li>What communication skills can improve the situation for CISOs?</li>
</ol>]]></description>
                                                            <content:encoded><![CDATA[<p>Melanie Ensign is a communications strategist and corporate anthropologist for cybersecurity, privacy, and risk organizations.  She is founder and CEO of Discernible, a multi-disciplinary Center of Excellence for security, privacy, &amp; risk teams. Her team includes experts in communications, product development and management, compliance, security and privacy engineering, and behavioral science.</p>
<p>Melanie is here at the 'Ranch to talk specifically about the fact that so many CISOs feel they are in organizations that simply don’t care about cybersecurity.  She’s got some good insights into this one, and it’s the perfect topic for her expertise.</p>
<p>Allan asks Melanie:</p>
<ol><li>Allan put up a LinkedIn poll asking folks “Do you feel organizations properly prioritize cybersecurity?” The results were pretty sobering.  What are your thoughts?</li>
<li>Is the problem really the organization or is it us? Probably a mix of the two, or maybe one or the other depending upon the environment and the individual CISO?</li>
<li>Assuming it’s the organization, how can a CISO avoid such organizations in the first place? How do you vet a company for its commitment to cybersecurity?</li>
<li>If you find yourself in a company that does not seem to care about cybersecurity, what should be your next steps?</li>
<li>Allan has emphasized over the years that all CISOs are salespeople times two. We sell the problem, then we sell the solution.  Is that a fair perspective in your mind?  How many other leaders have to sell their mission in general?  I think we all end up selling specifics…</li>
<li>What communication skills can improve the situation for CISOs?</li>
</ol>]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/bypp3e59euarsg4r/melanie_finished8q5yn.mp3" length="38283433" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Melanie Ensign is a communications strategist and corporate anthropologist for cybersecurity, privacy, and risk organizations.  She is founder and CEO of Discernible, a multi-disciplinary Center of Excellence for security, privacy, &amp; risk teams. Her team includes experts in communications, product development and management, compliance, security and privacy engineering, and behavioral science.
Melanie is here at the 'Ranch to talk specifically about the fact that so many CISOs feel they are in organizations that simply don’t care about cybersecurity.  She’s got some good insights into this one, and it’s the perfect topic for her expertise.
Allan asks Melanie:
Allan put up a LinkedIn poll asking folks “Do you feel organizations properly prioritize cybersecurity?” The results were pretty sobering.  What are your thoughts?
Is the problem really the organization or is it us? Probably a mix of the two, or maybe one or the other depending upon the environment and the individual CISO?
Assuming it’s the organization, how can a CISO avoid such organizations in the first place? How do you vet a company for its commitment to cybersecurity?
If you find yourself in a company that does not seem to care about cybersecurity, what should be your next steps?
Allan has emphasized over the years that all CISOs are salespeople times two. We sell the problem, then we sell the solution.  Is that a fair perspective in your mind?  How many other leaders have to sell their mission in general?  I think we all end up selling specifics…
What communication skills can improve the situation for CISOs?
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2388</itunes:duration>
                <itunes:episode>171</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Selling The Mission</title>
        <itunes:title>Selling The Mission</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/selling-the-mission/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/selling-the-mission/#comments</comments>        <pubDate>Wed, 17 Apr 2024 06:59:27 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/8db40002-ff38-3092-9dc3-3a89553788af</guid>
                                    <description><![CDATA[<p>In this episode, Allan tackles the idea of selling the CISO mission.</p>
<p>He deconstructs the types of CISOs and the "selling" they must do.  Sometimes you really are selling, but most of the time you should be solving business problems.</p>
<p>Allan speaks to:</p>
<ul><li>Business objectives met</li>
<li>Business risks reduced</li>
<li>Maturity</li>
</ul>
<p>And also deconstructs the art of selling itself.</p>
<p>Hint: Business Impact Analysis is a valuable tool in this whole process.</p>
<p>Special thanks to Helen Patton and Melanie Ensign for prompting this exploration.</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode, Allan tackles the idea of selling the CISO mission.</p>
<p>He deconstructs the types of CISOs and the "selling" they must do.  Sometimes you really are selling, but most of the time you should be solving business problems.</p>
<p>Allan speaks to:</p>
<ul><li>Business objectives met</li>
<li>Business risks reduced</li>
<li>Maturity</li>
</ul>
<p>And also deconstructs the art of selling itself.</p>
<p>Hint: Business Impact Analysis is a valuable tool in this whole process.</p>
<p>Special thanks to Helen Patton and Melanie Ensign for prompting this exploration.</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/j5kyb42th2rv3x29/solo_sellinga9mwt.mp3" length="25702026" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan tackles the idea of selling the CISO mission.
He deconstructs the types of CISOs and the "selling" they must do.  Sometimes you really are selling, but most of the time you should be solving business problems.
Allan speaks to:
Business objectives met
Business risks reduced
Maturity
And also deconstructs the art of selling itself.
Hint: Business Impact Analysis is a valuable tool in this whole process.
Special thanks to Helen Patton and Melanie Ensign for prompting this exploration.
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1602</itunes:duration>
                <itunes:episode>170</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>SecDataOps with Jonathan Rau</title>
        <itunes:title>SecDataOps with Jonathan Rau</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/secdataops-with-jonathan-rau/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/secdataops-with-jonathan-rau/#comments</comments>        <pubDate>Wed, 10 Apr 2024 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/7be89d87-fb42-3b56-8bd7-c882b6900eeb</guid>
                                    <description><![CDATA[<p>Our guest this week is Jonathan Rau, VP and Distinguished Engineer over at Query, and a proponent of what he calls "SecDataOps".  Jonathan is quite active on LinkedIn and his takes, though often spicy, tend to be spot-on.  Allan has come to enjoy following Jonathan's posts, and he was excited to have Jonathan come on the show and share his insights.</p>
<p>Allan asks Jonathan, in a VERY lively conversation:</p>
<ol><li>What is SecDataOps?</li>
<li>What is its focal point?</li>
<li>Who should be in charge?</li>
<li>What skills are required to participate?</li>
<li>Who has those skills?</li>
<li>What about the trifecta of people/process/technology?</li>
<li>What is wrong in the community with our approach?</li>
</ol><p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Our guest this week is Jonathan Rau, VP and Distinguished Engineer over at Query, and a proponent of what he calls "SecDataOps".  Jonathan is quite active on LinkedIn and his takes, though often spicy, tend to be spot-on.  Allan has come to enjoy following Jonathan's posts, and he was excited to have Jonathan come on the show and share his insights.</p>
<p>Allan asks Jonathan, in a VERY lively conversation:</p>
<ol><li>What is SecDataOps?</li>
<li>What is its focal point?</li>
<li>Who should be in charge?</li>
<li>What skills are required to participate?</li>
<li>Who has those skills?</li>
<li>What about the trifecta of people/process/technology?</li>
<li>What is wrong in the community with our approach?</li>
</ol><p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/yxk5if/jonathon_finishedbozzl.mp3" length="41856566" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Our guest this week is Jonathan Rau, VP and Distinguished Engineer over at Query, and a proponent of what he calls "SecDataOps".  Jonathan is quite active on LinkedIn and his takes, though often spicy, tend to be spot-on.  Allan has come to enjoy following Jonathan's posts, and he was excited to have Jonathan come on the show and share his insights.
Allan asks Jonathan, in a VERY lively conversation:
What is SecDataOps?
What is its focal point?
Who should be in charge?
What skills are required to participate?
Who has those skills?
What about the trifecta of people/process/technology?
What is wrong in the community with our approach?
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2611</itunes:duration>
                <itunes:episode>169</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Neurodiversity and Women in Cyber with 3 Guests</title>
        <itunes:title>Neurodiversity and Women in Cyber with 3 Guests</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/neurodiversity-and-women-in-cyber-with-3-guests/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/neurodiversity-and-women-in-cyber-with-3-guests/#comments</comments>        <pubDate>Wed, 03 Apr 2024 06:38:27 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/16c5bf8f-dfdf-3722-ab9c-df6c5c72b6c7</guid>
                                    <description><![CDATA[<p>This is part two in our neurodiversity series.  Our guest roster this time also includes Dr. Ursula Alford, a psychologist who routinely works with the neurodiverse populace.</p>
<p>The lineup of guests covers ADHD, Autism, challenges unique to women with neurodiversity, how leaders should manage neurodivergent team members and more.</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This is part two in our neurodiversity series.  Our guest roster this time also includes Dr. Ursula Alford, a psychologist who routinely works with the neurodiverse populace.</p>
<p>The lineup of guests covers ADHD, Autism, challenges unique to women with neurodiversity, how leaders should manage neurodivergent team members and more.</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/hy8yjn/FINAL_masterap9qy.mp3" length="52038470" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This is part two in our neurodiversity series.  Our guest roster this time also includes Dr. Ursula Alford, a psychologist who routinely works with the neurodiverse populace.
The lineup of guests covers ADHD, Autism, challenges unique to women with neurodiversity, how leaders should manage neurodivergent team members and more.
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>3248</itunes:duration>
                <itunes:episode>168</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>CISO Communications with Geoff Hancock</title>
        <itunes:title>CISO Communications with Geoff Hancock</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/ciso-communications-with-geoff-hancock/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/ciso-communications-with-geoff-hancock/#comments</comments>        <pubDate>Wed, 27 Mar 2024 05:34:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/989dc84a-9f52-3968-914a-ed68a94f6b0d</guid>
                                    <description><![CDATA[<p>Geoff Hancock is Deputy CEO and CISO for Access Point Consulting, Former Global Director and CISO over at World Wide Technology.  He’s also a Senior Fellow and Adjunct Professor at George Washington University and has held various C-suite and executive roles at Verizon, CGI Federal Advanced Technology, Microsoft, and Advanced Cybersecurity Group.  He is back at the 'Ranch this week to talk about CISO Communications.</p>
<p>Allan asks Geoff:</p>
<ol><li>You say the first step is prioritizing clarity in communication. What does that mean to you?</li>
<li>Your next step is developing strategic storytelling. Can you elaborate on that one?</li>
<li>How do we enhance crisis communication?</li>
<li>How do we engage stakeholders proactively?</li>
<li>What about data? How do we leverage it in decision making?</li>
<li>How does one bolster their leadership presence?</li>
<li>How do you implement a feedback loop?</li>
<li>What practical tools and strategies can be utilized for effective communication?</li>
</ol><p>It's a fantastic show full of great insights, and you will thoroughly enjoy listening to it.</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Geoff Hancock is Deputy CEO and CISO for Access Point Consulting, Former Global Director and CISO over at World Wide Technology.  He’s also a Senior Fellow and Adjunct Professor at George Washington University and has held various C-suite and executive roles at Verizon, CGI Federal Advanced Technology, Microsoft, and Advanced Cybersecurity Group.  He is back at the 'Ranch this week to talk about CISO Communications.</p>
<p>Allan asks Geoff:</p>
<ol><li>You say the first step is prioritizing clarity in communication. What does that mean to you?</li>
<li>Your next step is developing strategic storytelling. Can you elaborate on that one?</li>
<li>How do we enhance crisis communication?</li>
<li>How do we engage stakeholders proactively?</li>
<li>What about data? How do we leverage it in decision making?</li>
<li>How does one bolster their leadership presence?</li>
<li>How do you implement a feedback loop?</li>
<li>What practical tools and strategies can be utilized for effective communication?</li>
</ol><p>It's a fantastic show full of great insights, and you will thoroughly enjoy listening to it.</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/5tzjb5/geoff2_finishedahwpg.mp3" length="38679659" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Geoff Hancock is Deputy CEO and CISO for Access Point Consulting, Former Global Director and CISO over at World Wide Technology.  He’s also a Senior Fellow and Adjunct Professor at George Washington University and has held various C-suite and executive roles at Verizon, CGI Federal Advanced Technology, Microsoft, and Advanced Cybersecurity Group.  He is back at the 'Ranch this week to talk about CISO Communications.
Allan asks Geoff:
You say the first step is prioritizing clarity in communication. What does that mean to you?
Your next step is developing strategic storytelling. Can you elaborate on that one?
How do we enhance crisis communication?
How do we engage stakeholders proactively?
What about data? How do we leverage it in decision making?
How does one bolster their leadership presence?
How do you implement a feedback loop?
What practical tools and strategies can be utilized for effective communication?
It's a fantastic show full of great insights, and you will thoroughly enjoy listening to it.
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2413</itunes:duration>
                <itunes:episode>167</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>What Does Zero Trust Mean to You? with 12 Guests</title>
        <itunes:title>What Does Zero Trust Mean to You? with 12 Guests</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/what-does-zero-trust-mean-to-you-with-12-guests/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/what-does-zero-trust-mean-to-you-with-12-guests/#comments</comments>        <pubDate>Wed, 20 Mar 2024 06:16:15 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/f8def8e4-73c0-3ec5-b47f-8940848f8c29</guid>
                                    <description><![CDATA[<p>Join Allan LIVE! at Zero Trust World in Orlando as he asks 12 guests "What does Zero Trust Mean to You?" and a wide variety of other questions.</p>
<p>Conference highlights are discussed as well, including hacker activities, hacker demonstrations, incredible talks, etc.</p>
<p>Allan also learns all about The Tech Degenerates, an organization furthering partnership and comradery amongst cybersecurity vendors, MSPs, MSSPs, CISOs, etc. (Allan has since joined their Discord group!)</p>
<p>Another great highlight is a chat with Carlos Rodriguez about the vCISO life.</p>
<p>This show is sponsored by our good friends at ThreatLocker - visit https://threatlocker.com and tell them you heard about them down here at the 'Ranch!</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Join Allan LIVE! at Zero Trust World in Orlando as he asks 12 guests "What does Zero Trust Mean to You?" and a wide variety of other questions.</p>
<p>Conference highlights are discussed as well, including hacker activities, hacker demonstrations, incredible talks, etc.</p>
<p>Allan also learns all about The Tech Degenerates, an organization furthering partnership and comradery amongst cybersecurity vendors, MSPs, MSSPs, CISOs, etc. (Allan has since joined their Discord group!)</p>
<p>Another great highlight is a chat with Carlos Rodriguez about the vCISO life.</p>
<p>This show is sponsored by our good friends at ThreatLocker - visit https://threatlocker.com and tell them you heard about them down here at the 'Ranch!</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/8m7567/zero_trust_finished9azsb.mp3" length="35231495" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Join Allan LIVE! at Zero Trust World in Orlando as he asks 12 guests "What does Zero Trust Mean to You?" and a wide variety of other questions.
Conference highlights are discussed as well, including hacker activities, hacker demonstrations, incredible talks, etc.
Allan also learns all about The Tech Degenerates, an organization furthering partnership and comradery amongst cybersecurity vendors, MSPs, MSSPs, CISOs, etc. (Allan has since joined their Discord group!)
Another great highlight is a chat with Carlos Rodriguez about the vCISO life.
This show is sponsored by our good friends at ThreatLocker - visit https://threatlocker.com and tell them you heard about them down here at the 'Ranch!
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2197</itunes:duration>
                <itunes:episode>166</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The 4 Horsemen &amp; Zero Trust with Dr. Chase Cunningham</title>
        <itunes:title>The 4 Horsemen &amp; Zero Trust with Dr. Chase Cunningham</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-4-horsemen-zero-trust-with-dr-chase-cunningham/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-4-horsemen-zero-trust-with-dr-chase-cunningham/#comments</comments>        <pubDate>Wed, 13 Mar 2024 07:48:11 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/2da997d6-41ea-36f2-8580-08a1f8cf561b</guid>
                                    <description><![CDATA[<p>How does cybersecurity relate to the four horsemen of the apocalypse?  Famine, Pestilence, War, and Death?  In this episode, Dr. Chase Cunningham, renowned Zero Trust expert, author, instructor, Chief Strategy Officer, advisor, etc., examines the 4 conditions on our planet represented by the four horsemen, ties it all to cybersecurity, and then solves it all with Zero Trust.  It's quite a ride and an adventure you should listen to!</p>
<p>Allan tries to keep up in this episode that jumps from topic to topic, but all with a zero trust underpinning.</p>
<p>It's another LIVE! episode recorded at Zero Trust World 2024 in Orlando.</p>
<p>Sponsored by our good friends at ThreatLocker.</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>How does cybersecurity relate to the four horsemen of the apocalypse?  Famine, Pestilence, War, and Death?  In this episode, Dr. Chase Cunningham, renowned Zero Trust expert, author, instructor, Chief Strategy Officer, advisor, etc., examines the 4 conditions on our planet represented by the four horsemen, ties it all to cybersecurity, and then solves it all with Zero Trust.  It's quite a ride and an adventure you should listen to!</p>
<p>Allan tries to keep up in this episode that jumps from topic to topic, but all with a zero trust underpinning.</p>
<p>It's another LIVE! episode recorded at Zero Trust World 2024 in Orlando.</p>
<p>Sponsored by our good friends at ThreatLocker.</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/4u5dhz/chase_cunningham_finished8j66k.mp3" length="29093765" type="audio/mpeg"/>
        <itunes:summary><![CDATA[How does cybersecurity relate to the four horsemen of the apocalypse?  Famine, Pestilence, War, and Death?  In this episode, Dr. Chase Cunningham, renowned Zero Trust expert, author, instructor, Chief Strategy Officer, advisor, etc., examines the 4 conditions on our planet represented by the four horsemen, ties it all to cybersecurity, and then solves it all with Zero Trust.  It's quite a ride and an adventure you should listen to!
Allan tries to keep up in this episode that jumps from topic to topic, but all with a zero trust underpinning.
It's another LIVE! episode recorded at Zero Trust World 2024 in Orlando.
Sponsored by our good friends at ThreatLocker.
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1814</itunes:duration>
                <itunes:episode>165</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Incident Response Done Right with James Keeler</title>
        <itunes:title>Incident Response Done Right with James Keeler</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/incident-response-done-right-with-james-keeler/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/incident-response-done-right-with-james-keeler/#comments</comments>        <pubDate>Wed, 06 Mar 2024 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/f17bc775-b0aa-3f63-a1c3-e301bd591857</guid>
                                    <description><![CDATA[<p>Howdy, y'all!  Allan went down to Orlando, Florida and recorded three LIVE! shows at Zero Trust World, a conference sponsored by ThreatLocker.  This is the first of those three shows.</p>
<p> </p>
<p>James Keeler of LMT Technology Solutions has a steady hand on the incident response wheel and a lot of experience under his belt as well.  After seeing James speak on a panel at Zero Trust World, Allan asked him to be on the show.</p>
<p> </p>
<p>Join Allan as he asks James to walk us through his philosophy of incident response, the underpinnings, the steps and just about everything else about Incident Response as well.</p>
<p> </p>
<p>This show is sponsored by our good friends at ThreatLocker - visit https://threatlocker.com and tell them you heard about them down here at the 'Ranch!</p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y'all!  Allan went down to Orlando, Florida and recorded three LIVE! shows at Zero Trust World, a conference sponsored by ThreatLocker.  This is the first of those three shows.</p>
<p> </p>
<p>James Keeler of LMT Technology Solutions has a steady hand on the incident response wheel and a lot of experience under his belt as well.  After seeing James speak on a panel at Zero Trust World, Allan asked him to be on the show.</p>
<p> </p>
<p>Join Allan as he asks James to walk us through his philosophy of incident response, the underpinnings, the steps and just about everything else about Incident Response as well.</p>
<p> </p>
<p>This show is sponsored by our good friends at ThreatLocker - visit https://threatlocker.com and tell them you heard about them down here at the 'Ranch!</p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/p6cp53/keeler_show_finisheda1y18.mp3" length="26214026" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y'all!  Allan went down to Orlando, Florida and recorded three LIVE! shows at Zero Trust World, a conference sponsored by ThreatLocker.  This is the first of those three shows.
 
James Keeler of LMT Technology Solutions has a steady hand on the incident response wheel and a lot of experience under his belt as well.  After seeing James speak on a panel at Zero Trust World, Allan asked him to be on the show.
 
Join Allan as he asks James to walk us through his philosophy of incident response, the underpinnings, the steps and just about everything else about Incident Response as well.
 
This show is sponsored by our good friends at ThreatLocker - visit https://threatlocker.com and tell them you heard about them down here at the 'Ranch!
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1634</itunes:duration>
                <itunes:episode>164</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Neurodiversity in Cybersecurity with 3 Guests!</title>
        <itunes:title>Neurodiversity in Cybersecurity with 3 Guests!</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/neurdiversity-in-cyber-with-3-guests/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/neurdiversity-in-cyber-with-3-guests/#comments</comments>        <pubDate>Wed, 28 Feb 2024 08:20:55 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/f74d2853-1790-3860-aef9-263506e309c8</guid>
                                    <description><![CDATA[<p>This week Allan is joined by Leigh Honeywell (CEO of Tall Poppy) Nathan Case (Federal CISO at Snyk), and Ryan Macababbad (Currently looking.  HIRE HER!), three cybersecurity professionals with broad backgrounds in cyber, and all three of whom are neurodivergent.</p>
<p> </p>
<p>Allan, in fact, has been recently diagnosed as being on the autism spectrum, albeit 'high functioning' (as the diagnosis indicates) or 'low support needed' (as the autism community prefers to call it).</p>
<p> </p>
<p>With his recent diagnosis, Allan decided to reach out to friends in the neurodiverse community to discuss:</p>
<ol><li>The positives of neurodivergence</li>
<li>Neurotypical responses and stereotypes about the ND community</li>
<li>Cybersecurity-specific benefits to being ND</li>
<li>Tips/Advice/Support for those who suspect or know that they are ND</li>
</ol><p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This week Allan is joined by Leigh Honeywell (CEO of Tall Poppy) Nathan Case (Federal CISO at Snyk), and Ryan Macababbad (Currently looking.  HIRE HER!), three cybersecurity professionals with broad backgrounds in cyber, and all three of whom are neurodivergent.</p>
<p> </p>
<p>Allan, in fact, has been recently diagnosed as being on the autism spectrum, albeit 'high functioning' (as the diagnosis indicates) or 'low support needed' (as the autism community prefers to call it).</p>
<p> </p>
<p>With his recent diagnosis, Allan decided to reach out to friends in the neurodiverse community to discuss:</p>
<ol><li>The positives of neurodivergence</li>
<li>Neurotypical responses and stereotypes about the ND community</li>
<li>Cybersecurity-specific benefits to being ND</li>
<li>Tips/Advice/Support for those who suspect or know that they are ND</li>
</ol><p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/w9mksq/ND_finished9cyze.mp3" length="45504514" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This week Allan is joined by Leigh Honeywell (CEO of Tall Poppy) Nathan Case (Federal CISO at Snyk), and Ryan Macababbad (Currently looking.  HIRE HER!), three cybersecurity professionals with broad backgrounds in cyber, and all three of whom are neurodivergent.
 
Allan, in fact, has been recently diagnosed as being on the autism spectrum, albeit 'high functioning' (as the diagnosis indicates) or 'low support needed' (as the autism community prefers to call it).
 
With his recent diagnosis, Allan decided to reach out to friends in the neurodiverse community to discuss:
The positives of neurodivergence
Neurotypical responses and stereotypes about the ND community
Cybersecurity-specific benefits to being ND
Tips/Advice/Support for those who suspect or know that they are ND
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2839</itunes:duration>
                <itunes:episode>163</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Below-the-OS Security with Yuriy Bulygin</title>
        <itunes:title>Below-the-OS Security with Yuriy Bulygin</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/below-the-os-security-with-yuriy-bulygin/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/below-the-os-security-with-yuriy-bulygin/#comments</comments>        <pubDate>Wed, 21 Feb 2024 05:08:29 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/7f6513e7-1bef-3a4e-8da9-9264f83cae98</guid>
                                    <description><![CDATA[<p>Fun fact:  There are more vulnerabilities and exploits below the OS layer than above it!</p>
<p>CPUs, BIOS, Firmware, embedded Linux, FPGAs, UEFI, PXE...  The list goes on and on.  What are we supposed to do about that?</p>
<p>Allan asked Yuriy to come down to the 'Ranch to discuss this issue with him.  Yuriy is CEO at Eclypsium, member of the Forbes Technology Council, Founder of the open source CHIPSEC project, former head of Threat Research at McAfee, former Senior Principal Engineer at Intel…  He is uniquely qualified to discuss these issues.</p>
<p>Full DISCLAIMER: Allan is CISO at Eclypsium.  Note that he asked Yuriy to come on the show, not the other way around.  Nobody knows this space like Yuriy and his team.</p>
<p>Allan asks Yuriy about:</p>
<ul><li>The history of CPU exploits</li>
<li>Unauthorized code in chips in network gear</li>
<li>The various hacks available at this layer</li>
<li>The role of SBOM in all this</li>
<li>The open source CHIPSEC project</li>
</ul>
<p>It's an eye-opening show to say the least.</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Fun fact:  There are more vulnerabilities and exploits below the OS layer than above it!</p>
<p>CPUs, BIOS, Firmware, embedded Linux, FPGAs, UEFI, PXE...  The list goes on and on.  What are we supposed to do about that?</p>
<p>Allan asked Yuriy to come down to the 'Ranch to discuss this issue with him.  Yuriy is CEO at Eclypsium, member of the Forbes Technology Council, Founder of the open source CHIPSEC project, former head of Threat Research at McAfee, former Senior Principal Engineer at Intel…  He is uniquely qualified to discuss these issues.</p>
<p>Full DISCLAIMER: Allan is CISO at Eclypsium.  Note that he asked Yuriy to come on the show, not the other way around.  Nobody knows this space like Yuriy and his team.</p>
<p>Allan asks Yuriy about:</p>
<ul><li>The history of CPU exploits</li>
<li>Unauthorized code in chips in network gear</li>
<li>The various hacks available at this layer</li>
<li>The role of SBOM in all this</li>
<li>The open source CHIPSEC project</li>
</ul>
<p>It's an eye-opening show to say the least.</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/8snivg/yuriy_finishedbamv6.mp3" length="35565863" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Fun fact:  There are more vulnerabilities and exploits below the OS layer than above it!
CPUs, BIOS, Firmware, embedded Linux, FPGAs, UEFI, PXE...  The list goes on and on.  What are we supposed to do about that?
Allan asked Yuriy to come down to the 'Ranch to discuss this issue with him.  Yuriy is CEO at Eclypsium, member of the Forbes Technology Council, Founder of the open source CHIPSEC project, former head of Threat Research at McAfee, former Senior Principal Engineer at Intel…  He is uniquely qualified to discuss these issues.
Full DISCLAIMER: Allan is CISO at Eclypsium.  Note that he asked Yuriy to come on the show, not the other way around.  Nobody knows this space like Yuriy and his team.
Allan asks Yuriy about:
The history of CPU exploits
Unauthorized code in chips in network gear
The various hacks available at this layer
The role of SBOM in all this
The open source CHIPSEC project
It's an eye-opening show to say the least.
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2218</itunes:duration>
                <itunes:episode>162</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Ownership of Risk and Accountability</title>
        <itunes:title>Ownership of Risk and Accountability</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/ownership-of-risk-and-accountability/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/ownership-of-risk-and-accountability/#comments</comments>        <pubDate>Thu, 15 Feb 2024 05:41:49 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/fdcd12f7-d66a-3cd1-b289-89ddfb828cfe</guid>
                                    <description><![CDATA[<p>In this episode, Allan flies solo, as he is finally willing to speak on an issue he has been mulling and fussing over for some time:  the two-fold CISO laments of:</p>
<ul><li>"We have all the accountability and none of the authority!"</li>
<li>"We don't own the risk - we advise the business"</li>
</ul>
<p>Allan is refuting both of these claims.</p>
<p>Allan calls up examples such as project managers, contract lawyers, CFOs in his argument.</p>
<p>He also demonstrates that we have far more authority than we think, and also that we can earn even more.</p>
<p>As to advising the business, and the business owning the risk, we have here two contradictions to one of the show's mantras: "BE the business!"</p>
<p>You will hopefully come away from this show with some different perspectives on these two claims.</p>
<p>Y'all be good now! </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode, Allan flies solo, as he is finally willing to speak on an issue he has been mulling and fussing over for some time:  the two-fold CISO laments of:</p>
<ul><li>"We have all the accountability and none of the authority!"</li>
<li>"We don't own the risk - we advise the business"</li>
</ul>
<p>Allan is refuting both of these claims.</p>
<p>Allan calls up examples such as project managers, contract lawyers, CFOs in his argument.</p>
<p>He also demonstrates that we have far more authority than we think, and also that we can earn even more.</p>
<p>As to advising the business, and the business owning the risk, we have here two contradictions to one of the show's mantras: "BE the business!"</p>
<p>You will hopefully come away from this show with some different perspectives on these two claims.</p>
<p>Y'all be good now! </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/dew5qb/allan_solo_who_owns_risk7og83.mp3" length="21985115" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan flies solo, as he is finally willing to speak on an issue he has been mulling and fussing over for some time:  the two-fold CISO laments of:
"We have all the accountability and none of the authority!"
"We don't own the risk - we advise the business"
Allan is refuting both of these claims.
Allan calls up examples such as project managers, contract lawyers, CFOs in his argument.
He also demonstrates that we have far more authority than we think, and also that we can earn even more.
As to advising the business, and the business owning the risk, we have here two contradictions to one of the show's mantras: "BE the business!"
You will hopefully come away from this show with some different perspectives on these two claims.
Y'all be good now! ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1369</itunes:duration>
                <itunes:episode>161</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Get That Seat at the Table! with Jim McConnell</title>
        <itunes:title>Get That Seat at the Table! with Jim McConnell</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/get-that-seat-at-the-table-with-jim-mcconnell/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/get-that-seat-at-the-table-with-jim-mcconnell/#comments</comments>        <pubDate>Wed, 07 Feb 2024 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/d6d5436f-e060-31b3-8719-44900031d18f</guid>
                                    <description><![CDATA[<p>We declared a while back that 'not having a seat at the table' was a tired CISO topic.  So we decided to solution the complaint.</p>
<p>Hopefully we pulled it off.</p>
<p>Join Allan and Jim McConnell, Principal at Ask McConnell, LLC and former Fellow in Corporate Security Protection Operations at Verizon, as they take on the challenge of solving this common lament.</p>
<p>There is a fierce round of "answer pong" as they throw out suggestions on how to earn that seat, but they also cover:</p>
<ul><li>What does it mean to have a seat at the table?</li>
<li>Ownership vs. advising</li>
<li>Bridging the chasm between the two</li>
<li>Supplier/Vendor to the business - is that a good model?</li>
<li>BE the business (yes, that always comes up!)</li>
<li>How to become a business expert</li>
</ul>
<p>And of course, the aforementioned game of Answer Pong as to how to earn that seat.</p>
<p>Y'all enjoy the show, and y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>We declared a while back that 'not having a seat at the table' was a tired CISO topic.  So we decided to solution the complaint.</p>
<p>Hopefully we pulled it off.</p>
<p>Join Allan and Jim McConnell, Principal at Ask McConnell, LLC and former Fellow in Corporate Security Protection Operations at Verizon, as they take on the challenge of solving this common lament.</p>
<p>There is a fierce round of "answer pong" as they throw out suggestions on how to earn that seat, but they also cover:</p>
<ul><li>What does it mean to have a seat at the table?</li>
<li>Ownership vs. advising</li>
<li>Bridging the chasm between the two</li>
<li>Supplier/Vendor to the business - is that a good model?</li>
<li>BE the business (yes, that always comes up!)</li>
<li>How to become a business expert</li>
</ul>
<p>And of course, the aforementioned game of Answer Pong as to how to earn that seat.</p>
<p>Y'all enjoy the show, and y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/t7zf6z/jim_finisheda8rsn.mp3" length="29413086" type="audio/mpeg"/>
        <itunes:summary><![CDATA[We declared a while back that 'not having a seat at the table' was a tired CISO topic.  So we decided to solution the complaint.
Hopefully we pulled it off.
Join Allan and Jim McConnell, Principal at Ask McConnell, LLC and former Fellow in Corporate Security Protection Operations at Verizon, as they take on the challenge of solving this common lament.
There is a fierce round of "answer pong" as they throw out suggestions on how to earn that seat, but they also cover:
What does it mean to have a seat at the table?
Ownership vs. advising
Bridging the chasm between the two
Supplier/Vendor to the business - is that a good model?
BE the business (yes, that always comes up!)
How to become a business expert
And of course, the aforementioned game of Answer Pong as to how to earn that seat.
Y'all enjoy the show, and y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1834</itunes:duration>
                <itunes:episode>160</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Getting a NACD Directorship Certification with Pat Benoit</title>
        <itunes:title>Getting a NACD Directorship Certification with Pat Benoit</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/getting-a-nacd-directorship-certification-with-pat-benoit/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/getting-a-nacd-directorship-certification-with-pat-benoit/#comments</comments>        <pubDate>Wed, 31 Jan 2024 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/9cfaa962-bb85-369b-8d97-f2236f43f2ee</guid>
                                    <description><![CDATA[<p>Pat Benoit, CISO at Brinks, returns to the 'Ranch to visit Allan and to chat about his newest achievement - Pat got a NACD Directorship Certification!</p>
<p>Allan has often thought about doing this as well, so he got Pat on the mic to talk about his whole experience:</p>
<ol><li>Why did you do it?</li>
<li>How hard was it?</li>
<li>What was involved?</li>
<li>What do you hope to get out of it?</li>
<li>Did you farm around for alternatives?</li>
<li>Is there more you plan to do?</li>
</ol><p>As topics for shows go, this one is short and sweet.  But Pat, as always, spins a very human tale that will keep you engaged.</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Pat Benoit, CISO at Brinks, returns to the 'Ranch to visit Allan and to chat about his newest achievement - Pat got a NACD Directorship Certification!</p>
<p>Allan has often thought about doing this as well, so he got Pat on the mic to talk about his whole experience:</p>
<ol><li>Why did you do it?</li>
<li>How hard was it?</li>
<li>What was involved?</li>
<li>What do you hope to get out of it?</li>
<li>Did you farm around for alternatives?</li>
<li>Is there more you plan to do?</li>
</ol><p>As topics for shows go, this one is short and sweet.  But Pat, as always, spins a very human tale that will keep you engaged.</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/eg26di/pat_finishedbwghz.mp3" length="22877458" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Pat Benoit, CISO at Brinks, returns to the 'Ranch to visit Allan and to chat about his newest achievement - Pat got a NACD Directorship Certification!
Allan has often thought about doing this as well, so he got Pat on the mic to talk about his whole experience:
Why did you do it?
How hard was it?
What was involved?
What do you hope to get out of it?
Did you farm around for alternatives?
Is there more you plan to do?
As topics for shows go, this one is short and sweet.  But Pat, as always, spins a very human tale that will keep you engaged.
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1425</itunes:duration>
                <itunes:episode>159</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Integrating with the Business with Ayman Elsawah</title>
        <itunes:title>Integrating with the Business with Ayman Elsawah</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/integrating-with-the-business-with-ayman-elsawah/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/integrating-with-the-business-with-ayman-elsawah/#comments</comments>        <pubDate>Wed, 24 Jan 2024 06:33:40 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/61f33455-5f35-39e1-aca9-281e91622943</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Ayman Elsawah, who, like Allan these days, is a fractional CISO and founder of his own security company.  He has done the fractional CISO thing many times.  He has also been a professor, a security consultant, and a cloud-specific security consultant.  His tenure includes eBay, NCC Group, Justworks and Masterclass.  Ayman and Allan are talking about how cybersecurity teams can integrate themselves with the rest of the business.</p>
<ol><li>So we talk about the role of the CISO in business enablement all the time. Allan argues, based on the wise words of Scott McCool, a friend and mentor, that we are not here to enable the business.  Rather we are here to BE the business.  The distinction is that enablement still puts the CISO off to the side of the goings on.  Being the business means that the CISO is part of the process, in there with sleeves rolled up alongside CRO, CMO, CFO, CEO, COO, etc.  So let’s ask the question twice:
<ol><li>In a B2B context, what are three things a CISO can do to enable the business?</li>
<li>In a B2B context what are three things a CISO can do to BE the business?
<ol><li>Presumably one of these involves being part of the sales cycle?</li>
</ol></li>
<li>Let’s drill in on the company’s products/services. Not talking about sales, but rather the products and services themselves, how can we as security practitioners be an integral part of products and/or services?  What are three ways we can be the business there?</li>
<li>What about the relationships? How do we strengthen being the business with regards to relationships with our peers?</li>
<li>What about customer-facing activities beyond sales? How do we be the business with regards to our customers?</li>
<li>Challenge round, what about B2C? Melanie Ensign in a panel she was part of said that one way Cybersecurity can help B2C is by reducing support tickets.  This is pure genius.  Any other B2C tips?</li>
<li>You have your own podcast, and a newsletter, book…. Tell our listeners all about what you offer the cybersecurity world...</li>
</ol></li>
</ol><p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Ayman Elsawah, who, like Allan these days, is a fractional CISO and founder of his own security company.  He has done the fractional CISO thing many times.  He has also been a professor, a security consultant, and a cloud-specific security consultant.  His tenure includes eBay, NCC Group, Justworks and Masterclass.  Ayman and Allan are talking about how cybersecurity teams can integrate themselves with the rest of the business.</p>
<ol><li>So we talk about the role of the CISO in business enablement all the time. Allan argues, based on the wise words of Scott McCool, a friend and mentor, that we are not here to enable the business.  Rather we are here to BE the business.  The distinction is that enablement still puts the CISO off to the side of the goings on.  Being the business means that the CISO is part of the process, in there with sleeves rolled up alongside CRO, CMO, CFO, CEO, COO, etc.  So let’s ask the question twice:
<ol><li>In a B2B context, what are three things a CISO can do to enable the business?</li>
<li>In a B2B context what are three things a CISO can do to BE the business?
<ol><li>Presumably one of these involves being part of the sales cycle?</li>
</ol></li>
<li>Let’s drill in on the company’s products/services. Not talking about sales, but rather the products and services themselves, how can we as security practitioners be an integral part of products and/or services?  What are three ways we can be the business there?</li>
<li>What about the relationships? How do we strengthen being the business with regards to relationships with our peers?</li>
<li>What about customer-facing activities beyond sales? How do we be the business with regards to our customers?</li>
<li>Challenge round, what about B2C? Melanie Ensign in a panel she was part of said that one way Cybersecurity can help B2C is by reducing support tickets.  This is pure genius.  Any other B2C tips?</li>
<li>You have your own podcast, and a newsletter, book…. Tell our listeners all about what you offer the cybersecurity world...</li>
</ol></li>
</ol><p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/5mms99/ayman_show_finished821kq.mp3" length="33823391" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Ayman Elsawah, who, like Allan these days, is a fractional CISO and founder of his own security company.  He has done the fractional CISO thing many times.  He has also been a professor, a security consultant, and a cloud-specific security consultant.  His tenure includes eBay, NCC Group, Justworks and Masterclass.  Ayman and Allan are talking about how cybersecurity teams can integrate themselves with the rest of the business.
So we talk about the role of the CISO in business enablement all the time. Allan argues, based on the wise words of Scott McCool, a friend and mentor, that we are not here to enable the business.  Rather we are here to BE the business.  The distinction is that enablement still puts the CISO off to the side of the goings on.  Being the business means that the CISO is part of the process, in there with sleeves rolled up alongside CRO, CMO, CFO, CEO, COO, etc.  So let’s ask the question twice:
In a B2B context, what are three things a CISO can do to enable the business?
In a B2B context what are three things a CISO can do to BE the business?
Presumably one of these involves being part of the sales cycle?

Let’s drill in on the company’s products/services. Not talking about sales, but rather the products and services themselves, how can we as security practitioners be an integral part of products and/or services?  What are three ways we can be the business there?
What about the relationships? How do we strengthen being the business with regards to relationships with our peers?
What about customer-facing activities beyond sales? How do we be the business with regards to our customers?
Challenge round, what about B2C? Melanie Ensign in a panel she was part of said that one way Cybersecurity can help B2C is by reducing support tickets.  This is pure genius.  Any other B2C tips?
You have your own podcast, and a newsletter, book…. Tell our listeners all about what you offer the cybersecurity world...

Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2109</itunes:duration>
                <itunes:episode>158</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Leadership Conflicts with Tom LeDuc</title>
        <itunes:title>Leadership Conflicts with Tom LeDuc</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/leadership-conflicts-with-tom-leduc/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/leadership-conflicts-with-tom-leduc/#comments</comments>        <pubDate>Wed, 17 Jan 2024 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/efbd73fd-14e3-3aca-a56d-9ec79240841e</guid>
                                    <description><![CDATA[<p>This one was recorded LIVE! in Podcast Alley at the CyberMarketingCon 2023 put on by the Cybersecurity Marketing Society in Austin, Texas.</p>
<p> </p>
<p>Marketing!?!!?  Say what!?!?</p>
<p> </p>
<p>Yup!  Allan went down to Austin to catch up with industry players and to participate in the conference as a "creator", i.e., podcaster.

</p>
<p>While there Allan ran into his friend Tom LeDuc, CMO at Semperis, and he got Tom to hop on the mic with him to discuss leadership challenges such as conflict, territorialism, jurisdictional disputes, startup mindset vs. bigger mindset...  The two of them cover quite a lot of territory.</p>
<p>Some of Tom's story is obviously CMO-specific, but Allan and Tom both universalize the topics and get to the heart of what matters for all leaders.</p>
<p>This show is not sponsored by Semperis, but Allan wants to clarify and be transparent about the fact that he is an advisor to Semperis.</p>
<p> </p>
<p>Allan says: "Tom is just a great guy and is fun on the mic!"</p>
<p>Y'all be good now!</p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This one was recorded LIVE! in Podcast Alley at the CyberMarketingCon 2023 put on by the Cybersecurity Marketing Society in Austin, Texas.</p>
<p> </p>
<p>Marketing!?!!?  Say what!?!?</p>
<p> </p>
<p>Yup!  Allan went down to Austin to catch up with industry players and to participate in the conference as a "creator", i.e., podcaster.<br>
<br>
</p>
<p>While there Allan ran into his friend Tom LeDuc, CMO at Semperis, and he got Tom to hop on the mic with him to discuss leadership challenges such as conflict, territorialism, jurisdictional disputes, startup mindset vs. bigger mindset...  The two of them cover quite a lot of territory.</p>
<p>Some of Tom's story is obviously CMO-specific, but Allan and Tom both universalize the topics and get to the heart of what matters for all leaders.</p>
<p>This show is not sponsored by Semperis, but Allan wants to clarify and be transparent about the fact that he is an advisor to Semperis.</p>
<p> </p>
<p>Allan says: "Tom is just a great guy and is fun on the mic!"</p>
<p>Y'all be good now!</p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/b5zpe3/TOM_FINAL9lvzr.mp3" length="25412380" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This one was recorded LIVE! in Podcast Alley at the CyberMarketingCon 2023 put on by the Cybersecurity Marketing Society in Austin, Texas.
 
Marketing!?!!?  Say what!?!?
 
Yup!  Allan went down to Austin to catch up with industry players and to participate in the conference as a "creator", i.e., podcaster.
While there Allan ran into his friend Tom LeDuc, CMO at Semperis, and he got Tom to hop on the mic with him to discuss leadership challenges such as conflict, territorialism, jurisdictional disputes, startup mindset vs. bigger mindset...  The two of them cover quite a lot of territory.
Some of Tom's story is obviously CMO-specific, but Allan and Tom both universalize the topics and get to the heart of what matters for all leaders.
This show is not sponsored by Semperis, but Allan wants to clarify and be transparent about the fact that he is an advisor to Semperis.
 
Allan says: "Tom is just a great guy and is fun on the mic!"
Y'all be good now!
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1584</itunes:duration>
                <itunes:episode>157</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Alternative CISO Lifestyles with Andrew Wilder</title>
        <itunes:title>Alternative CISO Lifestyles with Andrew Wilder</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/alternative-ciso-lifestyles-with-andrew-wilder/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/alternative-ciso-lifestyles-with-andrew-wilder/#comments</comments>        <pubDate>Wed, 10 Jan 2024 05:52:25 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/2287eda5-9393-3bda-884c-ba1405c809a6</guid>
                                    <description><![CDATA[Howdy, y'all, and welcome to The Cyber Ranch Podcast!  Our guest is Andrew Wilder, Retained CISO at Community Veterinary Partners, Member of the Board of Directors at Washington University in St. Louis, Advisory Board Member, former Global CISO, former Regional CISO... He's got a real history in this game.  What we're talking about today is retained, fractional, virtual, and part-time CISOing...
 
Topics addressed:
 
Challenge of vCISO - do I have a job 6 months from now?
Marketing and sales - building pipeline
OR work for someone else - they get a big cut?
Life insurance in the US is normally employment-based, and paid time off is a thing.  Allan's cancer scare brought all of those risks to light.
Tax benefits to 1099
Work/Life balance - or should that be life/work balance?
Two fulltime vCISO roles at the same time?  Possible...
Fractional, one-offs, consultations
SEC and SolarWinds - a vCISO is not an officer of the company
Andrew calls himself 'retained CISO' - he got that term from our friend Steve Zelewski
Fractional vs. virtual vs. retainers - everyone says retainer is the path to victory, but how does that really work?
 
 ]]></description>
                                                            <content:encoded><![CDATA[Howdy, y'all, and welcome to The Cyber Ranch Podcast!  Our guest is Andrew Wilder, Retained CISO at Community Veterinary Partners, Member of the Board of Directors at Washington University in St. Louis, Advisory Board Member, former Global CISO, former Regional CISO... He's got a real history in this game.  What we're talking about today is retained, fractional, virtual, and part-time CISOing...
 
Topics addressed:
 
Challenge of vCISO - do I have a job 6 months from now?
Marketing and sales - building pipeline
OR work for someone else - they get a big cut?
Life insurance in the US is normally employment-based, and paid time off is a thing.  Allan's cancer scare brought all of those risks to light.
Tax benefits to 1099
Work/Life balance - or should that be life/work balance?
Two fulltime vCISO roles at the same time?  Possible...
Fractional, one-offs, consultations
SEC and SolarWinds - a vCISO is not an officer of the company
Andrew calls himself 'retained CISO' - he got that term from our friend Steve Zelewski
Fractional vs. virtual vs. retainers - everyone says retainer is the path to victory, but how does that really work?
 
 ]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/4fphk3/andrew_FINALbsjng.mp3" length="27674793" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y'all, and welcome to The Cyber Ranch Podcast!  Our guest is Andrew Wilder, Retained CISO at Community Veterinary Partners, Member of the Board of Directors at Washington University in St. Louis, Advisory Board Member, former Global CISO, former Regional CISO... He's got a real history in this game.  What we're talking about today is retained, fractional, virtual, and part-time CISOing...
 
Topics addressed:
 
Challenge of vCISO - do I have a job 6 months from now?
Marketing and sales - building pipeline
OR work for someone else - they get a big cut?
Life insurance in the US is normally employment-based, and paid time off is a thing.  Allan's cancer scare brought all of those risks to light.
Tax benefits to 1099
Work/Life balance - or should that be life/work balance?
Two fulltime vCISO roles at the same time?  Possible...
Fractional, one-offs, consultations
SEC and SolarWinds - a vCISO is not an officer of the company
Andrew calls himself 'retained CISO' - he got that term from our friend Steve Zelewski
Fractional vs. virtual vs. retainers - everyone says retainer is the path to victory, but how does that really work?
 
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1725</itunes:duration>
                <itunes:episode>156</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>A Zero Trust Case Study with John Checco</title>
        <itunes:title>A Zero Trust Case Study with John Checco</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/a-zero-trust-case-study-with-john-checco/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/a-zero-trust-case-study-with-john-checco/#comments</comments>        <pubDate>Wed, 03 Jan 2024 05:54:21 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/23fc8c2d-3368-358f-8d51-20ab16776834</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest this week is John Checco, aka "Checco", who is overdue for being on the show we freely admit!  John is a presence on LinkedIn and in our industry.  He’s the author of “Zero Trust: From Aspirational to Overdue”.  He’s also involved, as you can imagine, in many other things – various advisory roles, ISSA roles, Infraguard roles…  He’s been resident CISO at Proofpoint, for example.  He’s also a fire instructor!  But we asked John to the show specifically to talk about what he calls “The Misfits of Zero Trust”.  John, thank you so much for coming on down to the ‘Ranch!</p>
<p>Questions Allan asks John:</p>
<ol><li>Without revealing any secrets, what was your experience investigating the Zero Trust model for such a large organization?</li>
<li>What are the misfits of Zero Trust?</li>
<li>What are some examples of what you have dubbed as “2nd world affectations”?</li>
<li>What are some examples of what you call “3rd world affectations”?</li>
<li>Where do we go from here?</li>
<li>Where would you suggest highest priorities?</li>
<li>Is Zero Trust here to stay?</li>
<li>What comes next?</li>
</ol><p>Thank you, listeners, for dropping by the 'Ranch!  Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest this week is John Checco, aka "Checco", who is overdue for being on the show we freely admit!  John is a presence on LinkedIn and in our industry.  He’s the author of “Zero Trust: From Aspirational to Overdue”.  He’s also involved, as you can imagine, in many other things – various advisory roles, ISSA roles, Infraguard roles…  He’s been resident CISO at Proofpoint, for example.  He’s also a fire instructor!  But we asked John to the show specifically to talk about what he calls “The Misfits of Zero Trust”.  John, thank you so much for coming on down to the ‘Ranch!</p>
<p>Questions Allan asks John:</p>
<ol><li>Without revealing any secrets, what was your experience investigating the Zero Trust model for such a large organization?</li>
<li>What are the misfits of Zero Trust?</li>
<li>What are some examples of what you have dubbed as “2nd world affectations”?</li>
<li>What are some examples of what you call “3rd world affectations”?</li>
<li>Where do we go from here?</li>
<li>Where would you suggest highest priorities?</li>
<li>Is Zero Trust here to stay?</li>
<li>What comes next?</li>
</ol><p>Thank you, listeners, for dropping by the 'Ranch!  Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/cq2gpz/john_checco_finished_27bfsa.mp3" length="32090114" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest this week is John Checco, aka "Checco", who is overdue for being on the show we freely admit!  John is a presence on LinkedIn and in our industry.  He’s the author of “Zero Trust: From Aspirational to Overdue”.  He’s also involved, as you can imagine, in many other things – various advisory roles, ISSA roles, Infraguard roles…  He’s been resident CISO at Proofpoint, for example.  He’s also a fire instructor!  But we asked John to the show specifically to talk about what he calls “The Misfits of Zero Trust”.  John, thank you so much for coming on down to the ‘Ranch!
Questions Allan asks John:
Without revealing any secrets, what was your experience investigating the Zero Trust model for such a large organization?
What are the misfits of Zero Trust?
What are some examples of what you have dubbed as “2nd world affectations”?
What are some examples of what you call “3rd world affectations”?
Where do we go from here?
Where would you suggest highest priorities?
Is Zero Trust here to stay?
What comes next?
Thank you, listeners, for dropping by the 'Ranch!  Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2001</itunes:duration>
                <itunes:episode>155</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The SaaS Attacks Matrix with Luke Jennings</title>
        <itunes:title>The SaaS Attacks Matrix with Luke Jennings</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-saas-attacks-matrix-with-luke-jennings/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-saas-attacks-matrix-with-luke-jennings/#comments</comments>        <pubDate>Wed, 20 Dec 2023 07:24:08 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/2e6eed32-04e6-36e4-82e7-4a3f39c4e9be</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Luke Jennings, VP of Research &amp; Development at Push Security, former Chief Researcher at Countercept, Principal Security Consultant at MWR…  He’s been around the industry.  Luke is passionate about tracking the evolution of attacks – how are the bad guys morphing and changing their game in response to our new defenses, and more importantly, new technologies that we use in the first place.  Luke, thank you so much for coming on down to the ‘Ranch!</p>
<p>Questions Allan asks Luke:</p>
<ol><li>What is the difference between traditional attacks and the new SaaS cyber kill chain?</li>
<li>Where is the new perimeter in a fully SaaS/remote company? Is it cloud identities?</li>
<li>What is it we’re actually protecting in a fully SaaS/remote company? The data landscape is very distributed now…</li>
<li>You’ve mentioned that certain protective technologies are so good that they have inspired new methods of attack. This is the classic arms race metaphor.  What drove the bad guys into attacking SaaS-native companies?</li>
<li>Walk me through the modern kill chain in a SaaS-native company. I’m thinking in terms of recon, access, lateral, escalation – the old model has changed, has it not?</li>
<li>Let's pick specific attacks from the matrix and review them</li>
</ol><p>Sponsored by our good friends at Push Security.</p>
<p>Check them out at:</p>
<p>https://pushsecurity.com/ranch</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Luke Jennings, VP of Research &amp; Development at Push Security, former Chief Researcher at Countercept, Principal Security Consultant at MWR…  He’s been around the industry.  Luke is passionate about tracking the evolution of attacks – how are the bad guys morphing and changing their game in response to our new defenses, and more importantly, new technologies that we use in the first place.  Luke, thank you so much for coming on down to the ‘Ranch!</p>
<p>Questions Allan asks Luke:</p>
<ol><li>What is the difference between traditional attacks and the new SaaS cyber kill chain?</li>
<li>Where is the new perimeter in a fully SaaS/remote company? Is it cloud identities?</li>
<li>What is it we’re actually protecting in a fully SaaS/remote company? The data landscape is very distributed now…</li>
<li>You’ve mentioned that certain protective technologies are so good that they have inspired new methods of attack. This is the classic arms race metaphor.  What drove the bad guys into attacking SaaS-native companies?</li>
<li>Walk me through the modern kill chain in a SaaS-native company. I’m thinking in terms of recon, access, lateral, escalation – the old model has changed, has it not?</li>
<li>Let's pick specific attacks from the matrix and review them</li>
</ol><p>Sponsored by our good friends at Push Security.</p>
<p>Check them out at:</p>
<p>https://pushsecurity.com/ranch</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/8ef4a8/luke_FINALbg5j2.mp3" length="35921546" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Luke Jennings, VP of Research &amp; Development at Push Security, former Chief Researcher at Countercept, Principal Security Consultant at MWR…  He’s been around the industry.  Luke is passionate about tracking the evolution of attacks – how are the bad guys morphing and changing their game in response to our new defenses, and more importantly, new technologies that we use in the first place.  Luke, thank you so much for coming on down to the ‘Ranch!
Questions Allan asks Luke:
What is the difference between traditional attacks and the new SaaS cyber kill chain?
Where is the new perimeter in a fully SaaS/remote company? Is it cloud identities?
What is it we’re actually protecting in a fully SaaS/remote company? The data landscape is very distributed now…
You’ve mentioned that certain protective technologies are so good that they have inspired new methods of attack. This is the classic arms race metaphor.  What drove the bad guys into attacking SaaS-native companies?
Walk me through the modern kill chain in a SaaS-native company. I’m thinking in terms of recon, access, lateral, escalation – the old model has changed, has it not?
Let's pick specific attacks from the matrix and review them
Sponsored by our good friends at Push Security.
Check them out at:
https://pushsecurity.com/ranch]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2241</itunes:duration>
                <itunes:episode>154</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Identity as the Perimeter with Adam Bateman</title>
        <itunes:title>Identity as the Perimeter with Adam Bateman</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/identity-as-perimeter-with-adam-bateman/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/identity-as-perimeter-with-adam-bateman/#comments</comments>        <pubDate>Wed, 13 Dec 2023 07:00:45 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/c81411a2-a929-38e4-b790-4cf3535b4fe2</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Adam Bateman, CEO and Co-Founder at Push Security, based in the UK.  Another of our cyber friends from across the pond!  He is a former director at the security consultancy MWR, which was renowned in the industry for its specialist research and red team capability. Adam started off as a red teamer himself, and then went on to build and lead the detection and response division of MWR, where they specialized in defending organizations against state-sponsored attacks.   Adam came up in the world of offensive security, and it shows in his thinking.  He co-founded Push to protect SaaS-native companies, whose data resides in a bazillion places, protected by a bazillion identities.  Or maybe just by SSO.  But probably a mix.  ½ a bazillion known SaaS apps using SSO and another ½ a bazillion using who knows what identity methods?</p>
<p>After our first chat with Adam, Allan really got to thinking about this idea we bandy about that “identity is the new perimeter!”  Is that the right model? Is it a complete model?  Are there better models to describe our SaaS sprawl security problem?  Allan posted his ideas on LinkedIn and LinkedIn got very vigorously into the conversation.  We thought Adam and Allan could record a show and hash some of these concepts out, and Adam agreed, so here we are!</p>
<ol><li>In one sense, vulnerable Internet-facing credentials have ALWAYS been a problem.  In other words, Identity is not the new perimeter, but is a rather old one.  What are your thoughts?</li>
<li>What is happening in the wild?  What do the attacks actually look like?</li>
<li>Allan Alford Consulting subscribes to over twenty SaaS applications, and Allan is literally a one-man company.  How many SaaS apps are used by the average enterprise?  What percentage of those are in the SSO fold?  This is truly scary.</li>
<li>How do we get everything behind SSO?  How do we get SSO locked down and secure?</li>
<li>What’s our best possible world?  Everything behind SSO with a Yubikey?  Next best is everything behind SSO with Smartphone MFA app?</li>
<li>Back to this perimeter thing:  J. David Christensen agrees with the idea that identity is not a new perimeter.  He says it has always been THE perimeter!  Jamir Fisher agreed.  Robert Mitchell points out that if an identity provider can be compromised, then identity is the M&amp;M defense after all (hard shell, soft center).  Our friend Abhishek Singh says authZ and authN combine to form Zero Trust.  Once you have zero trust, he says, like it or lump it, identity becomes the attack surface.  What are your thoughts on that formula?  We found it to be a rather tidy summation, as did our other friend Dan Holden.  Thoughts?</li>
<li>Lastly, when we talk identity, we always feel the need to point out that humans are just some of the identities crawling our digital world.  Are the solutions we’re crafting for humans using SaaS also good for machine accounts?  Application accounts?  API-to-API connections?</li>
</ol><p>Sponsored by our good friends at Push Security.</p>
<p>Check them out at:</p>
<p>https://pushsecurity.com/ranch</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Adam Bateman, CEO and Co-Founder at Push Security, based in the UK.  Another of our cyber friends from across the pond!  He is a former director at the security consultancy MWR, which was renowned in the industry for its specialist research and red team capability. Adam started off as a red teamer himself, and then went on to build and lead the detection and response division of MWR, where they specialized in defending organizations against state-sponsored attacks.   Adam came up in the world of offensive security, and it shows in his thinking.  He co-founded Push to protect SaaS-native companies, whose data resides in a bazillion places, protected by a bazillion identities.  Or maybe just by SSO.  But probably a mix.  ½ a bazillion known SaaS apps using SSO and another ½ a bazillion using who knows what identity methods?</p>
<p>After our first chat with Adam, Allan really got to thinking about this idea we bandy about that “identity is the new perimeter!”  Is that the right model? Is it a complete model?  Are there better models to describe our SaaS sprawl security problem?  Allan posted his ideas on LinkedIn and LinkedIn got very vigorously into the conversation.  We thought Adam and Allan could record a show and hash some of these concepts out, and Adam agreed, so here we are!</p>
<ol><li>In one sense, vulnerable Internet-facing credentials have ALWAYS been a problem.  In other words, Identity is not the new perimeter, but is a rather old one.  What are your thoughts?</li>
<li>What is happening in the wild?  What do the attacks actually look like?</li>
<li>Allan Alford Consulting subscribes to over twenty SaaS applications, and Allan is literally a one-man company.  How many SaaS apps are used by the average enterprise?  What percentage of those are in the SSO fold?  This is truly scary.</li>
<li>How do we get everything behind SSO?  How do we get SSO locked down and secure?</li>
<li>What’s our best possible world?  Everything behind SSO with a Yubikey?  Next best is everything behind SSO with Smartphone MFA app?</li>
<li>Back to this perimeter thing:  J. David Christensen agrees with the idea that identity is not a new perimeter.  He says it has always been THE perimeter!  Jamir Fisher agreed.  Robert Mitchell points out that if an identity provider can be compromised, then identity is the M&amp;M defense after all (hard shell, soft center).  Our friend Abhishek Singh says authZ and authN combine to form Zero Trust.  Once you have zero trust, he says, like it or lump it, identity becomes the attack surface.  What are your thoughts on that formula?  We found it to be a rather tidy summation, as did our other friend Dan Holden.  Thoughts?</li>
<li>Lastly, when we talk identity, we always feel the need to point out that humans are just some of the identities crawling our digital world.  Are the solutions we’re crafting for humans using SaaS also good for machine accounts?  Application accounts?  API-to-API connections?</li>
</ol><p>Sponsored by our good friends at Push Security.</p>
<p>Check them out at:</p>
<p>https://pushsecurity.com/ranch</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/rp9xtd/adam_bateman_finished6in8p.mp3" length="30646901" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Adam Bateman, CEO and Co-Founder at Push Security, based in the UK.  Another of our cyber friends from across the pond!  He is a former director at the security consultancy MWR, who were renowned in the industry for their specialist research and red team capability. Adam started off as a red teamer himself, and then went on to build and lead the detection and response division of MWR, where they specialized in defending organizations against state-sponsored attacks.   Adam came up in the world of offensive security, and it shows in his thinking.  He co-founded Push to protect SaaS-native companies, whose data resides in a bazillion places, protected by a bazillion identities.  Or maybe just by SSO.  But probably a mix.  ½ a bazillion known SaaS apps using SSO and another ½ a bazillion using who knows what identity methods?
After our first chat with Adam, Allan really got to thinking about this idea we bandy about that “identity is the new perimeter!”  Is that the right model? Is it a complete model?  Are there better models to describe our SaaS sprawl security problem?  Allan posted his ideas on LinkedIn and LinkedIn got very vigorously into the conversation.  We thought Adam and Allan could record a show and hash some of these concepts out, and Adam agreed, so here we are!
In one sense, vulnerable Internet-facing credentials have ALWAYS been a problem.  In other words, Identity is not the new perimeter, but is a rather old one.  What are your thoughts?
What is happening in the wild?  What do the attacks actually look like?
Allan Alford Consulting subscribes to over twenty SaaS applications, and Allan is literally a one-man company.  How many SaaS apps are used by the average enterprise?  What percentage of those are in the SSO fold?  This is truly scary.
How do we get everything behind SSO?  How do we get SSO locked down and secure?
What’s our best possible world?  Everything behind SSO with a Yubikey?  Next best is everything behind SSO with Smartphone MFA app?
Back to this perimeter thing:  J. David Christensen agrees with the idea that identity is not a new perimeter.  He says it has always been THE perimeter!  Jamir Fisher agreed.  Robert Mitchell points out that if an identity provider can be compromised, then identity is the M&amp;M defense after all (hard shell, soft center).  Our friend Abhishek Singh says authZ and authN combine to form Zero Trust.  Once you have zero trust, he says, like it or lump it, identity becomes the attack surface.  What are your thoughts on that formula?  We found it to be a rather tidy summation, as did our other friend Dan Holden.  Thoughts?
Lastly, when we talk identity, we always feel the need to point out that humans are just some of the identities crawling our digital world.  Are the solutions we’re crafting for humans using SaaS also good for machine accounts?  Application accounts?  API-to-API connections?
Sponsored by our good friends at Push Security.
Check them out at:
https://pushsecurity.com/ranch]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1911</itunes:duration>
                <itunes:episode>153</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>CSF 1.1 and 2.0 with Geoff Hancock</title>
        <itunes:title>CSF 1.1 and 2.0 with Geoff Hancock</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/csf-11-and-20-with-geoff-hancock/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/csf-11-and-20-with-geoff-hancock/#comments</comments>        <pubDate>Wed, 06 Dec 2023 06:04:48 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/13d4d877-9faa-3443-a896-f422fa5d3eca</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Geoff Hancock, Deputy CEO and CISO for Access Point Consulting, Former Global Director and CISO over at World Wide Technology.  He’s also a Senior Fellow and Adjunct Professor at George Washington University and has held various C-suite and executive roles at Verizon, CGI Federal Advanced Technology, Microsoft, and Advanced Cybersecurity Group.  Yup!  Another well-established guest.  But wait!  There’s more!  Geoff has been involved in the creation and maintenance of the NIST CSF – the cybersecurity framework whose current version (1.1) dictates more security programs on Planet Earth than any other framework, and whose new version (2.0) will soon be ratified and finalized.  2.0 DRAFT and request for comments have already come out and the comments period is now closed.  I asked Geoff to join us here at the ‘Ranch to talk CSF 2.0 with us:</p>
<ol><li>Tell us about your history and relationship with NIST CSF</li>
<li>Let’s talk briefly about the role of frameworks in cybersecurity.  I’m thinking of the “compliance != security” mantra here.</li>
<li>2.0 vs 1.1 – what are the highlights?
<ol><li>GV (Govern) Function added</li>
<li>Implementation Examples (Long overdue IMHO!)</li>
<li>What else?</li>
</ol></li>
<li>Changes to categories – 2 less overall, but other changes as well…</li>
<li>I was glad to see supply chain called out in specific.  That was overdue.  What else was overdue?</li>
<li>What should have been in there that is not?</li>
<li>Describe the process if you would for generating a CSF – we have already seen draft and call for public feedback.  What’s next?</li>
</ol><p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Geoff Hancock, Deputy CEO and CISO for Access Point Consulting, Former Global Director and CISO over at World Wide Technology.  He’s also a Senior Fellow and Adjunct Professor at George Washington University and has held various C-suite and executive roles at Verizon, CGI Federal Advanced Technology, Microsoft, and Advanced Cybersecurity Group.  Yup!  Another well-established guest.  But wait!  There’s more!  Geoff has been involved in the creation and maintenance of the NIST CSF – the cybersecurity framework whose current version (1.1) dictates more security programs on Planet Earth than any other framework, and whose new version (2.0) will soon be ratified and finalized.  2.0 DRAFT and request for comments have already come out and the comments period is now closed.  I asked Geoff to join us here at the ‘Ranch to talk CSF 2.0 with us:</p>
<ol><li>Tell us about your history and relationship with NIST CSF</li>
<li>Let’s talk briefly about the role of frameworks in cybersecurity.  I’m thinking of the “compliance != security” mantra here.</li>
<li>2.0 vs 1.1 – what are the highlights?
<ol><li>GV (Govern) Function added</li>
<li>Implementation Examples (Long overdue IMHO!)</li>
<li>What else?</li>
</ol></li>
<li>Changes to categories – 2 less overall, but other changes as well…</li>
<li>I was glad to see supply chain called out in specific.  That was overdue.  What else was overdue?</li>
<li>What should have been in there that is not?</li>
<li>Describe the process if you would for generating a CSF – we have already seen draft and call for public feedback.  What’s next?</li>
</ol><p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/2wtukf/geoff_hancock_finished7lsjb.mp3" length="35862614" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest is Geoff Hancock, Deputy CEO and CISO for Access Point Consulting, Former Global Director and CISO over at World Wide Technology.  He’s also a Senior Fellow and Adjunct Professor at George Washington University and has held various C-suite and executive roles at Verizon, CGI Federal Advanced Technology, Microsoft, and Advanced Cybersecurity Group.  Yup!  Another well-established guest.  But wait!  There’s more!  Geoff has been involved in the creation and maintenance of the NIST CSF – the cybersecurity framework whose current version (1.1) dictates more security programs on Planet Earth than any other framework, and whose new version (2.0) will soon be ratified and finalized.  2.0 DRAFT and request for comments have already come out and the comments period is now closed.  I asked Geoff to join us here at the ‘Ranch to talk CSF 2.0 with us:
Tell us about your history and relationship with NIST CSF
Let’s talk briefly about the role of frameworks in cybersecurity.  I’m thinking of the “compliance != security” mantra here.
2.0 vs 1.1 – what are the highlights?
GV (Govern) Function added
Implementation Examples (Long overdue IMHO!)
What else?

Changes to categories – 2 less overall, but other changes as well…
I was glad to see supply chain called out in specific.  That was overdue.  What else was overdue?
What should have been in there that is not?
Describe the process if you would for generating a CSF – we have already seen draft and call for public feedback.  What’s next?
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2237</itunes:duration>
                <itunes:episode>152</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>SPECIAL EDITION! Charity, Community, Collaboration @ CISO XC w/ 3 CISOs</title>
        <itunes:title>SPECIAL EDITION! Charity, Community, Collaboration @ CISO XC w/ 3 CISOs</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/special-edition-charity-community-collaboration-ciso-xc-w-3-cisos/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/special-edition-charity-community-collaboration-ciso-xc-w-3-cisos/#comments</comments>        <pubDate>Mon, 04 Dec 2023 06:33:24 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/c4495fb9-3819-362b-af20-88644879e3b7</guid>
                                    <description><![CDATA[<p>In this SPECIAL EDITION! Allan interviews the 3 CISOs who created the CISO XC series of conferences:</p>
<ul><li>Cecil Pineda</li>
<li>Jaimin Shah</li>
<li>Randy Potts</li>
</ul>
<p>CISO XC is the only conference for CISOs (and their reports) that is put on by a team of 3 CISOs and an awesome all-CISO advisory board.</p>
<p>And the amount of money CISO XC gives to charity is MIND BOGGLING.  Hint:  This year's goal is greater than some CISOs' salaries!!!</p>
<p>In this brief SPECIAL EDITION! you can hear more about CISO XC and its take on its 3 priorities: Charity, Community and Collaboration.</p>
<p>AND you can learn how to sign up for the biggest event yet in March, 2024.  That's right!  CISO XC is going nationwide!</p>
<p><a href='https://registration.socio.events/e/cisoxcspring2024'>https://registration.socio.events/e/cisoxcspring2024</a></p>
<p>This spring you can meet Randy, Jaimin and Cecil as well as Allan and a host of other Dallas-Fort Worth security folks.  Practitioners attend free, and the conference will be a blast!</p>
<p>Allan will also be giving out a limited number of cowboy hats to those who can answer trivia questions about CISO XC (hints will be provided).</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this SPECIAL EDITION! Allan interviews the 3 CISOs who created the CISO XC series of conferences:</p>
<ul><li>Cecil Pineda</li>
<li>Jaimin Shah</li>
<li>Randy Potts</li>
</ul>
<p>CISO XC is the only conference for CISOs (and their reports) that is put on by a team of 3 CISOs and an awesome all-CISO advisory board.</p>
<p>And the amount of money CISO XC gives to charity is MIND BOGGLING.  Hint:  This year's goal is greater than some CISOs' salaries!!!</p>
<p>In this brief SPECIAL EDITION! you can hear more about CISO XC and its take on its 3 priorities: Charity, Community and Collaboration.</p>
<p>AND you can learn how to sign up for the biggest event yet in March, 2024.  That's right!  CISO XC is going nationwide!</p>
<p><a href='https://registration.socio.events/e/cisoxcspring2024'>https://registration.socio.events/e/cisoxcspring2024</a></p>
<p>This spring you can meet Randy, Jaimin and Cecil as well as Allan and a host of other Dallas-Fort Worth security folks.  Practitioners attend free, and the conference will be a blast!</p>
<p>Allan will also be giving out a limited number of cowboy hats to those who can answer trivia questions about CISO XC (hints will be provided).</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/tg8c2d/3_Cs_CISO_XC8pjof.mp3" length="12772459" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this SPECIAL EDITION! Allan interviews the 3 CISOs who created the CISO XC series of conferences:
Cecil Pineda
Jaimin Shah
Randy Potts
CISO XC is the only conference for CISOs (and their reports) that is put on by a team of 3 CISOs and an awesome all-CISO advisory board.
And the amount of money CISO XC gives to charity is MIND BOGGLING.  Hint:  This year's goal is greater than some CISOs' salaries!!!
In this brief SPECIAL EDITION! you can hear more about CISO XC and its take on its 3 priorities: Charity, Community and Collaboration.
AND you can learn how to sign up for the biggest event yet in March, 2024.  That's right!  CISO XC is going nationwide!
https://registration.socio.events/e/cisoxcspring2024
This spring you can meet Randy, Jaimin and Cecil as well as Allan and a host of other Dallas-Fort Worth security folks.  Practitioners attend free, and the conference will be a blast!
Allan will also be giving out a limited number of cowboy hats to those who can answer trivia questions about CISO XC (hints will be provided).
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>794</itunes:duration>
                <itunes:episode>151</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>12 Questions for 12 Guests LIVE! at CISO XC</title>
        <itunes:title>12 Questions for 12 Guests LIVE! at CISO XC</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/12-questions-for-12-guests-live-at-ciso-xc/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/12-questions-for-12-guests-live-at-ciso-xc/#comments</comments>        <pubDate>Wed, 29 Nov 2023 05:57:23 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/a9bd8164-09e3-36de-a732-1ea02b9643dc</guid>
                                    <description><![CDATA[<p>Allan takes the show on the road again, this time at his all-time favorite conference: CISO XC!</p>
<p>He asks a unique question of each guest, who represent a great deal of breadth in our industry:</p>
<ul><li>Dave Belanger – CISO at Bestow Insurance – What is the most effective way to demonstrate and communicate security program progress to the board?</li>
<li>Tera Davis, CEO at CyberOne Security – How does a vendor forge relationships with a customer to be a strategic advisor and not just another vendor?</li>
<li>Andrew Woolen – Account Executive at Semperis – What do you wish CISOs knew about the vendor side of the fence?</li>
<li>Fred Clayton – Vice President Information Security at GI Alliance – What are you doing to develop talent in your teams?</li>
<li>Mickey Disabato – vCISO at Booz Allen Hamilton – What are the big differences between vCISO and CISO?</li>
<li>Alain Espinosa – Global Director Security Operations at Upbound Group – What is the one thing you would change in cybersecurity today?</li>
<li>Josh Kleen – Enterprise Solutions Architect at Rubrik – As a vendor, how do you see your role in this whole “We’re here to fight the bad guys” thing?</li>
<li>Pat Benoit – Global CISO at Brinks – Why are you sleeping well?</li>
<li>Russell Swinney – CIO &amp; CISO at Infrastructure, Inc. – What is your secret for good staff retention?</li>
<li>Richard Weiss – CISO at AccentCare, Inc. – What are the most unusual, nontraditional cyber skills you have on your team?</li>
<li>Sam Baxter – Global CISO and Data Privacy Officer at AppSpace – What are your favorite sources for staying up to date in this industry?</li>
<li>Michael Anderson – CISO and Deputy CTO at Dallas Independent School District – Outside of the security space, there are inspirations to be had everywhere.  What is the one that has most inspired you in cybersecurity?</li>
</ul>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan takes the show on the road again, this time at his all-time favorite conference: CISO XC!</p>
<p>He asks a unique question of each guest, who represent a great deal of breadth in our industry:</p>
<ul><li>Dave Belanger – CISO at Bestow Insurance – What is the most effective way to demonstrate and communicate security program progress to the board?</li>
<li>Tera Davis, CEO at CyberOne Security – How does a vendor forge relationships with a customer to be a strategic advisor and not just another vendor?</li>
<li>Andrew Woolen – Account Executive at Semperis – What do you wish CISOs knew about the vendor side of the fence?</li>
<li>Fred Clayton – Vice President Information Security at GI Alliance – What are you doing to develop talent in your teams?</li>
<li>Mickey Disabato – vCISO at Booz Allen Hamilton – What are the big differences between vCISO and CISO?</li>
<li>Alain Espinosa – Global Director Security Operations at Upbound Group – What is the one thing you would change in cybersecurity today?</li>
<li>Josh Kleen – Enterprise Solutions Architect at Rubrik – As a vendor, how do you see your role in this whole “We’re here to fight the bad guys” thing?</li>
<li>Pat Benoit – Global CISO at Brinks – Why are you sleeping well?</li>
<li>Russell Swinney – CIO &amp; CISO at Infrastructure, Inc. – What is your secret for good staff retention?</li>
<li>Richard Weiss – CISO at AccentCare, Inc. – What are the most unusual, nontraditional cyber skills you have on your team?</li>
<li>Sam Baxter – Global CISO and Data Privacy Officer at AppSpace – What are your favorite sources for staying up to date in this industry?</li>
<li>Michael Anderson – CISO and Deputy CTO at Dallas Independent School District – Outside of the security space, there are inspirations to be had everywhere.  What is the one that has most inspired you in cybersecurity?</li>
</ul>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/ht5fvk/ciso_xc_LIVE_master_finished8xt4c.mp3" length="34566104" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan takes the show on the road again, this time at his all-time favorite conference: CISO XC!
He asks a unique question of each guest, who represent a great deal of breadth in our industry:
Dave Belanger – CISO at Bestow Insurance – What is the most effective way to demonstrate and communicate security program progress to the board?
Tera Davis, CEO at CyberOne Security – How does a vendor forge relationships with a customer to be a strategic advisor and not just another vendor?
Andrew Woolen – Account Executive at Semperis – What do you wish CISOs knew about the vendor side of the fence?
Fred Clayton – Vice President Information Security at GI Alliance – What are you doing to develop talent in your teams?
Mickey Disabato – vCISO at Booz Allen Hamilton – What are the big differences between vCISO and CISO?
Alain Espinosa – Global Director Security Operations at Upbound Group – What is the one thing you would change in cybersecurity today?
Josh Kleen – Enterprise Solutions Architect at Rubrik – As a vendor, how do you see your role in this whole “We’re here to fight the bad guys” thing?
Pat Benoit – Global CISO at Brinks – Why are you sleeping well?
Russell Swinney – CIO &amp; CISO at Infrastructure, Inc. – What is your secret for good staff retention?
Richard Weiss – CISO at AccentCare, Inc. – What are the most unusual, nontraditional cyber skills you have on your team?
Sam Baxter – Global CISO and Data Privacy Officer at AppSpace – What are your favorite sources for staying up to date in this industry?
Michael Anderson – CISO and Deputy CTO at Dallas Independent School District – Outside of the security space, there are inspirations to be had everywhere.  What is the one that has most inspired you in cybersecurity?
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2156</itunes:duration>
                <itunes:episode>150</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>American Thanksgiving Holiday</title>
        <itunes:title>American Thanksgiving Holiday</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/american-thanksgiving-holiday/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/american-thanksgiving-holiday/#comments</comments>        <pubDate>Wed, 22 Nov 2023 04:51:37 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/c20445ff-bce9-350f-8ad7-19bee960f73e</guid>
                                    <description><![CDATA[<p>Howdy, y'all!  Allan is taking this week off to spend time with family and to give thanks for all the wonderful things in his life - including y'all!</p>
<p>For those who don't track it, there is no Cyber Ranch Podcast four times a year:</p>
<ul><li>American Thanksgiving week</li>
<li>Christmas week</li>
<li>Black Hat week</li>
<li>RSA week</li>
</ul>
<p>That gives Allan enough breaks throughout the year to preserve his sanity.</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y'all!  Allan is taking this week off to spend time with family and to give thanks for all the wonderful things in his life - including y'all!</p>
<p>For those who don't track it, there is no Cyber Ranch Podcast four times a year:</p>
<ul><li>American Thanksgiving week</li>
<li>Christmas week</li>
<li>Black Hat week</li>
<li>RSA week</li>
</ul>
<p>That gives Allan enough breaks throughout the year to preserve his sanity.</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/6rgru6/tday.mp3" length="405882" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y'all!  Allan is taking this week off to spend time with family and to give thanks for all the wonderful things in his life - including y'all!
For those who don't track it, there is no Cyber Ranch Podcast four times a year:
American Thanksgiving week
Christmas week
Black Hat week
RSA week
That gives Allan enough breaks throughout the year to preserve his sanity.
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>21</itunes:duration>
                <itunes:episode>149</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Cybersecurity Awareness Month CALL TO ACTION - The Conclusion!</title>
        <itunes:title>Cybersecurity Awareness Month CALL TO ACTION - The Conclusion!</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/cybersecurity-awareness-month-call-to-action-the-conclusion/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/cybersecurity-awareness-month-call-to-action-the-conclusion/#comments</comments>        <pubDate>Wed, 15 Nov 2023 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/15541a89-f354-3c02-a5f7-a56a6d00945a</guid>
                                    <description><![CDATA[<p>Warning, there might be some naughty language in this one!</p>
<p>The challenge was issued!!!! Allan teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who won???</p>
<p>"Won"?</p>
<p>That's right!  Allan, along with George K and George A from Bare Knuckles &amp; Brass Tacks joined forces with Aaron Pritz and Cody Rivers of Simply Solving Cyber!

Together, this trifecta of podcasters weighed in on the October bonanza that is Cybersecurity Awareness Month. While the month started humbly to raise awareness for the general public, it has now become an excuse for vendors to inundate infosec professionals' inboxes with inane messaging.

Introducing: The Cyber Community Month challenge!

Vendors: we challenged you to come up with campaigns that give back to the customer community rather than sending awareness spam.

Client-side practitioners: We asked you to show us how you engage local communities, volunteer at schools, help nonprofits, etc. to spread cyber knowledge!

This is the conclusion and awards ceremony!</p>
<p>Shout-outs to our winners, all of whom did something special for the community.</p>
<p>Carlos Guerrero (deserves special note as a truly committed community builder!)</p>
<p>Gerson Rodriguez</p>
<p>Guidepoint Security</p>
<p>Bugcrowd</p>
<p>Enjoy the show, and y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Warning, there might be some naughty language in this one!</p>
<p>The challenge was issued!!!! Allan teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who won???</p>
<p>"Won"?</p>
<p>That's right!  Allan, along with George K and George A from Bare Knuckles &amp; Brass Tacks joined forces with Aaron Pritz and Cody Rivers of Simply Solving Cyber!<br>
<br>
Together, this trifecta of podcasters weighed in on the October bonanza that is Cybersecurity Awareness Month. While the month started humbly to raise awareness for the general public, it has now become an excuse for vendors to inundate infosec professionals' inboxes with inane messaging.<br>
<br>
Introducing: The Cyber Community Month challenge!<br>
<br>
Vendors: we challenged you to come up with campaigns that give back to the customer community rather than sending awareness spam.<br>
<br>
Client-side practitioners: We asked you to show us how you engage local communities, volunteer at schools, help nonprofits, etc. to spread cyber knowledge!<br>
<br>
This is the conclusion and awards ceremony!</p>
<p>Shout-outs to our winners, all of whom did something special for the community.</p>
<p>Carlos Guerrero (deserves special note as a truly committed community builder!)</p>
<p>Gerson Rodriguez</p>
<p>Guidepoint Security</p>
<p>Bugcrowd</p>
<p>Enjoy the show, and y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/8ncejs/trifecta2.mp3" length="21766522" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Warning, there might be some naughty language in this one!
The challenge was issued!!!! Allan teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who won???
"Won"?
That's right!  Allan, along with George K and George A from Bare Knuckles &amp; Brass Tacks joined forces with Aaron Pritz and Cody Rivers of Simply Solving Cyber!
Together, this trifecta of podcasters weighed in on the October bonanza that is Cybersecurity Awareness Month. While the month started humbly to raise awareness for the general public, it has now become an excuse for vendors to inundate infosec professionals' inboxes with inane messaging.
Introducing: The Cyber Community Month challenge!
Vendors: we challenged you to come up with campaigns that give back to the customer community rather than sending awareness spam.
Client-side practitioners: We asked you to show us how you engage local communities, volunteer at schools, help nonprofits, etc. to spread cyber knowledge!
This is the conclusion and awards ceremony!
Shout-outs to our winners, all of whom did something special for the community.
Carlos Guerrero (deserves special note as a truly committed community builder!)
Gerson Rodriguez
Guidepoint Security
Bugcrowd
Enjoy the show, and y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>true</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1356</itunes:duration>
                <itunes:episode>148</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>SEC/SolarWinds Legal Analysis w/ Evan Wolff</title>
        <itunes:title>SEC/SolarWinds Legal Analysis w/ Evan Wolff</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/secsolarwinds-legal-analysis-w-evan-wolff/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/secsolarwinds-legal-analysis-w-evan-wolff/#comments</comments>        <pubDate>Wed, 08 Nov 2023 05:01:48 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/62fef931-99a3-325b-916d-26270281fa3f</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Evan Wolff, partner at Crowell &amp; Moring, and Allan's favorite cyber attorney.  Evan has led and managed 100s of investigations including cybersecurity, data breach, insider threats, security incidents and suspected terrorist incidents. Evan also teaches a class at Columbia University in New York City on “Great Hacks in Cybersecurity”.  Evan and Allan are good friends and Evan is friends with many other CISOs as well.  Evan has never lost sight of his cybersecurity roots, and is still worthy of the title “hacker”.  Evan is our go-to whenever the intersection of law and cybersecurity arises.  As such, he was the first one we thought of to chat about the latest SEC/SolarWinds situation.  Evan, thank you so much for coming on down to the ‘Ranch!</p>
<p> </p>
<ul><li>What kind of lawyer is Evan and why can he speak on this topic?</li>
<li>What does disclosure mean, how does this change disclosure?</li>
<li>What is the role of the CISO in all this?</li>
<li>Key Takeaways?</li>
<li>What countries do not have extradition treaties with the USA?  (Obviously a tongue-in-cheek question!)</li>
</ul>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Evan Wolff, partner at Crowell &amp; Moring, and Allan's favorite cyber attorney.  Evan has led and managed 100s of investigations including cybersecurity, data breach, insider threats, security incidents and suspected terrorist incidents. Evan also teaches a class at Columbia University in New York City on “Great Hacks in Cybersecurity”.  Evan and Allan are good friends and Evan is friends with many other CISOs as well.  Evan has never lost sight of his cybersecurity roots, and is still worthy of the title “hacker”.  Evan is our go-to whenever the intersection of law and cybersecurity arises.  As such, he was the first one we thought of to chat about the latest SEC/SolarWinds situation.  Evan, thank you so much for coming on down to the ‘Ranch!</p>
<p> </p>
<ul><li>What kind of lawyer is Evan and why can he speak on this topic?</li>
<li>What does disclosure mean, how does this change disclosure?</li>
<li>What is the role of the CISO in all this?</li>
<li>Key Takeaways?</li>
<li>What countries do not have extradition treaties with the USA?  (Obviously a tongue-in-cheek question!)</li>
</ul>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/5guunb/evan_finalb06ec.mp3" length="35328880" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Our guest today is Evan Wolff, partner at Crowell &amp; Moring, and Allan's favorite cyber attorney.  Evan has led and managed 100s of investigations including cybersecurity, data breach, insider threats, security incidents and suspected terrorist incidents. Evan also teaches a class at Columbia University in New York City on “Great Hacks in Cybersecurity”.  Evan and Allan are good friends and Evan is friends with many other CISOs as well.  Evan has never lost sight of his cybersecurity roots, and is still worthy of the title “hacker”.  Evan is our go-to whenever the intersection of law and cybersecurity arises.  As such, he was the first one we thought of to chat about the latest SEC/SolarWinds situation.  Evan, thank you so much for coming on down to the ‘Ranch!
 
What kind of lawyer is Evan and why can he speak on this topic?
What does disclosure mean, how does this change disclosure?
What is the role of the CISO in all this?
Key Takeaways?
What countries do not have extradition treaties with the USA?  (Obviously a tongue-in-cheek question!)
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2203</itunes:duration>
                <itunes:episode>147</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Defining Budgets with Tim Rohrbaugh</title>
        <itunes:title>Defining Budgets with Tim Rohrbaugh</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/defining-budets-with-tim-rohrbaugh/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/defining-budets-with-tim-rohrbaugh/#comments</comments>        <pubDate>Wed, 01 Nov 2023 06:41:35 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/33bfe0f2-5326-3d17-b4ee-b25ff420f075</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Tim Rohrbaugh, Founder/Principal at DefaultDenySec, former CISO for JetBlue Airways, advisor, investor: yup!  Another Cyber Ranch guest with an awesome history!  Tim and Allan were chatting a while back about budgeting cybersecurity programs, and they found out that they disagreed on a rather key point.  In true Cyber Ranch fashion, Allan immediately asked Tim to come back to the show and to dig into the issue with him.  They are starting with disagreement, which always makes for a better show...</p>
<ol><li>Allan maintains that the cybersecurity budget should be tied to specific risks identified vs. specific business processes and/or assets as determined by Business Impact Analysis. In other words, we identify WHAT we care about, use BIA to tell ourselves HOW MUCH we care, and then we chart the risks to those processes and assets.  We then stack rank the risks based on impact but also plausibility (see prior show with Andy Ellis and Chris Roberts as to why Allan uses plausibility and not probability).  We then can sit down with the business and say:
<ol><li>For $x we can address these top 5 risks</li>
<li>For $y we can address these top 7 risks</li>
<li>Etc, etc.</li>
<li>Budgets are tight? Lower the risks addressed.  It’s that simple!</li>
</ol></li>
</ol><p>NOTE: Allan is cheating here with this simplification.  Run rate matters.  Our existing tech stack is already in play before we address specific risks.  So there is accretion there that must be acknowledged.  And the question is also begged:  How much does the already established run rate actually tackle specific risks vs. broad strokes?  EDR, for example, should already be present.  Do we say that EDR addresses the ransomware risk or the data leakage risk of HR data or the data theft risk of customer data, and/or…  You get the point.  Allan's model is not perfect.  But what Allan has ALWAYS stood against is the idea that the cyber budget should simply be expressed as percentage of revenue or percentage of IT budget or percentage of anything external to cybersecurity, really.</p>
<ol start="2"><li>Tim disagrees and finds flaws in Allan's model:
<ol><li>Should we be tied to IT budget at all?  Tim says YES!</li>
<li>Should we only be a percentage of revenue or overall organizational budget?  Tim says YES!</li>
</ol></li>
<li>What is the value in capping budget via external measures like %age of IT spend or %age of revenue?</li>
<li>How do we tackle run rate vs. specific projects in your model? How does one choose what remains and what gets cut from the to-do list when budget tightening occurs?</li>
<li>What other benefits exist to Tim's model?</li>
<li>Is there a way to reconcile the two models? Is that reconciliation even necessary?</li>
</ol>]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Tim Rohrbaugh, Founder/Principal at DefaultDenySec, former CISO for JetBlue Airways, advisor, investor: yup!  Another Cyber Ranch guest with an awesome history!  Tim and Allan were chatting a while back about budgeting cybersecurity programs, and they found out that they disagreed on a rather key point.  In true Cyber Ranch fashion, Allan immediately asked Tim to come back to the show and to dig into the issue with him.  They are starting with disagreement, which always makes for a better show...</p>
<ol><li>Allan maintains that the cybersecurity budget should be tied to specific risks identified vs. specific business processes and/or assets as determined by Business Impact Analysis. In other words, we identify WHAT we care about, use BIA to tell ourselves HOW MUCH we care, and then we chart the risks to those processes and assets.  We then stack rank the risks based on impact but also plausibility (see prior show with Andy Ellis and Chris Roberts as to why Allan uses plausibility and not probability).  We then can sit down with the business and say:
<ol><li>For $x we can address these top 5 risks</li>
<li>For $y we can address these top 7 risks</li>
<li>Etc, etc.</li>
<li>Budgets are tight? Lower the risks addressed.  It’s that simple!</li>
</ol></li>
</ol><p>NOTE: Allan is cheating here with this simplification.  Run rate matters.  Our existing tech stack is already in play before we address specific risks.  So there is accretion there that must be acknowledged.  And the question is also begged:  How much does the already established run rate actually tackle specific risks vs. broad strokes?  EDR, for example, should already be present.  Do we say that EDR addresses the ransomware risk or the data leakage risk of HR data or the data theft risk of customer data, and/or…  You get the point.  Allan's model is not perfect.  But what Allan has ALWAYS stood against is the idea that the cyber budget should simply be expressed as percentage of revenue or percentage of IT budget or percentage of anything external to cybersecurity, really.</p>
<ol start="2"><li>Tim disagrees and finds flaws in Allan's model:
<ol><li>Should we be tied to IT budget at all?  Tim says YES!</li>
<li>Should we only be a percentage of revenue or overall organizational budget?  Tim says YES!</li>
</ol></li>
<li>What is the value in capping budget via external measures like %age of IT spend or %age of revenue?</li>
<li>How do we tackle run rate vs. specific projects in your model? How does one choose what remains and what gets cut from the to-do list when budget tightening occurs?</li>
<li>What other benefits exist to Tim's model?</li>
<li>Is there a way to reconcile the two models? Is that reconciliation even necessary?</li>
</ol>]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/wtibi4/tim_finished67kps.mp3" length="34766307" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Tim Rohrbaugh, Founder/Principal at DefaultDenySec, former CISO for JetBlue Airways, advisor, investor: yup!  Another Cyber Ranch guest with an awesome history!  Tim and Allan were chatting a while back about budgeting cybersecurity programs, and they found out that they disagreed on a rather key point.  In true Cyber Ranch fashion, Allan immediately asked Tim to come back to the show and to dig into the issue with him.  They are starting with disagreement, which always makes for a better show...
Allan maintains that the cybersecurity budget should be tied to specific risks identified vs. specific business processes and/or assets as determined by Business Impact Analysis. In other words, we identify WHAT we care about, use BIA to tell ourselves HOW MUCH we care, and then we chart the risks to those processes and assets.  We then stack rank the risks based on impact but also plausibility (see prior show with Andy Ellis and Chris Roberts as to why Allan uses plausibility and not probability).  We then can sit down with the business and say:
For $x we can address these top 5 risks
For $y we can address these top 7 risks
Etc, etc.
Budgets are tight? Lower the risks addressed.  It’s that simple!

NOTE: Allan is cheating here with this simplification.  Run rate matters.  Our existing tech stack is already in play before we address specific risks.  So there is accretion there that must be acknowledged.  And the question is also begged:  How much does the already established run rate actually tackle specific risks vs. broad strokes?  EDR, for example, should already be present.  Do we say that EDR addresses the ransomware risk or the data leakage risk of HR data or the data theft risk of customer data, and/or…  You get the point.  Allan's model is not perfect.  But what Allan has ALWAYS stood against is the idea that the cyber budget should simply be expressed as percentage of revenue or percentage of IT budget or percentage of anything external to cybersecurity, really.
Tim disagrees and finds flaws in Allan's model:
Should we be tied to IT budget at all?  Tim says YES!
Should we only be a percentage of revenue or overall organizational budget?  Tim says YES!

What is the value in capping budget via external measures like %age of IT spend or %age of revenue?
How do we tackle run rate vs. specific projects in your model? How does one choose what remains and what gets cut from the to-do list when budget tightening occurs?
What other benefits exist to Tim's model?
Is there a way to reconcile the two models? Is that reconciliation even necessary?
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2168</itunes:duration>
                <itunes:episode>146</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The New SEC Regulations with Jack Powell</title>
        <itunes:title>The New SEC Regulations with Jack Powell</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-new-sec-regulations-with-jack-powell/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-new-sec-regulations-with-jack-powell/#comments</comments>        <pubDate>Wed, 25 Oct 2023 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/d97735d6-26c6-3c27-aeaf-6ad676876a51</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  We're joined today by Jacqueline (AKA “Jack”) Powell, CISO at Allianz Life and former Deputy CISO at Hanes.  She has also consulted, and has worked at Chevron, General Dynamics, and SACI.  Jack has an illustrious career!  Jack is here today talking with Allan about the new SEC regulations about cybersecurity.  For our listeners, the final version of the SEC ruling came out in late July, and publicly traded companies in America have 5 months to comply.  Mid-December is when the switch gets thrown…</p>
<p>Topics covered in this show:</p>
<ol><li>Tell me about the new ruling and its highlights
<ol><li>Disclosure</li>
<li>Risk Management</li>
<li>Board expertise</li>
</ol></li>
<li>What are the implications of the disclosure rules?  What are the challenges businesses face?  What tools can be leveraged?</li>
<li>It seems that “materiality” is the key term upon which all of this pivots. That term has a definition and precedent in financial circles, but how is a cybersecurity professional to interpret it?</li>
<li>What are the implications of the Risk Management rule? If you work with a cybersecurity framework like NIST CSF, for example, you’ve already got at least the basics in place?</li>
<li>And now we get to Board Expertise… CISOs are all anticipating getting board roles overnight, but it’s not that easy. NACD in conjunction with CISA put some material together.</li>
<li>How should CISOs prepare themselves to be ready for a possible board role?</li>
</ol>]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  We're joined today by Jacqueline (AKA “Jack”) Powell, CISO at Allianz Life and former Deputy CISO at Hanes.  She has also consulted, and has worked at Chevron, General Dynamics, and SACI.  Jack has an illustrious career!  Jack is here today talking with Allan about the new SEC regulations about cybersecurity.  For our listeners, the final version of the SEC ruling came out in late July, and publicly traded companies in America have 5 months to comply.  Mid-December is when the switch gets thrown…</p>
<p>Topics covered in this show:</p>
<ol><li>Tell me about the new ruling and its highlights
<ol><li>Disclosure</li>
<li>Risk Management</li>
<li>Board expertise</li>
</ol></li>
<li>What are the implications of the disclosure rules?  What are the challenges businesses face?  What tools can be leveraged?</li>
<li>It seems that “materiality” is the key term upon which all of this pivots. That term has a definition and precedent in financial circles, but how is a cybersecurity professional to interpret it?</li>
<li>What are the implications of the Risk Management rule? If you work with a cybersecurity framework like NIST CSF, for example, you’ve already got at least the basics in place?</li>
<li>And now we get to Board Expertise… CISOs are all anticipating getting board roles overnight, but it’s not that easy. NACD in conjunction with CISA put some material together.</li>
<li>How should CISOs prepare themselves to be ready for a possible board role?</li>
</ol>]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/zsnrbh/jack_show_finished883l1.mp3" length="41647587" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  We're joined today by Jacqueline (AKA “Jack”) Powell, CISO at Allianz Life and former Deputy CISO at Hanes.  She has also consulted, and has worked at Chevron, General Dynamics, and SACI.  Jack has an illustrious career!  Jack is here today talking with Allan about the new SEC regulations about cybersecurity.  For our listeners, the final version of the SEC ruling came out in late July, and publicly traded companies in America have 5 months to comply.  Mid-December is when the switch gets thrown…
Topics covered in this show:
Tell me about the new ruling and its highlights
Disclosure
Risk Management
Board expertise

What are the implications of the disclosure rules?  What are the challenges businesses face?  What tools can be leveraged?
It seems that “materiality” is the key term upon which all of this pivots. That term has a definition and precedent in financial circles, but how is a cybersecurity professional to interpret it?
What are the implications of the Risk Management rule? If you work with a cybersecurity framework like NIST CSF, for example, you’ve already got at least the basics in place?
And now we get to Board Expertise… CISOs are all anticipating getting board roles overnight, but it’s not that easy. NACD in conjunction with CISA put some material together.
How should CISOs prepare themselves to be ready for a possible board role?
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2598</itunes:duration>
                <itunes:episode>145</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Building Excellent Teams w/ Kymberlee Price</title>
        <itunes:title>Building Excellent Teams w/ Kymberlee Price</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/building-excellent-teams-w-kyberlee-price/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/building-excellent-teams-w-kyberlee-price/#comments</comments>        <pubDate>Wed, 18 Oct 2023 05:54:02 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/24d62a7b-ff90-38bb-a836-30ad37ed255a</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Kymberlee Price, strategic security consultant, Black Hat content review board member, former Sr. Director of Product Security at New Relic, former Principal Security Manager at Microsoft – Kym has held a variety of roles in our industry, but with one common theme: Kym is an outstanding team builder.  She has moved around the various facets of cybersecurity over her career, but always with an eye towards turnarounds, creating new teams, and most importantly, integrating those teams with the rest of the business.  Kym is the sort of professional whom companies design job roles for, as what she does is both amazing and necessary.  Kym, thank you so much for coming on down to ‘The Ranch!</p>
<ul><li>What are the hallmarks of an excellent team?</li>
<li>How do you measure results?</li>
</ul>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Kymberlee Price, strategic security consultant, Black Hat content review board member, former Sr. Director of Product Security at New Relic, former Principal Security Manager at Microsoft – Kym has held a variety of roles in our industry, but with one common theme: Kym is an outstanding team builder.  She has moved around the various facets of cybersecurity over her career, but always with an eye towards turnarounds, creating new teams, and most importantly, integrating those teams with the rest of the business.  Kym is the sort of professional whom companies design job roles for, as what she does is both amazing and necessary.  Kym, thank you so much for coming on down to ‘The Ranch!</p>
<ul><li>What are the hallmarks of an excellent team?</li>
<li>How do you measure results?</li>
</ul>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/j8yai4/kym_finished7bwcb.mp3" length="32475890" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  That’s Kymberlee Price, strategic security consultant, Black Hat content review board member, former Sr. Director of Product Security at New Relic, former Principal Security Manager at Microsoft – Kym has held a variety of roles in our industry, but with one common theme: Kym is an outstanding team builder.  She has moved around the various facets of cybersecurity over her career, but always with an eye towards turnarounds, creating new teams, and most importantly, integrating those teams with the rest of the business.  Kym is the sort of professional whom companies design job roles for, as what she does is both amazing and necessary.  Kym, thank you so much for coming on down to ‘The Ranch!
What are the hallmarks of an excellent team?
How do you measure results?
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2025</itunes:duration>
                <itunes:episode>144</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Bad Behaviors: A Better Way LIVE! with Chris Tillett</title>
        <itunes:title>Bad Behaviors: A Better Way LIVE! with Chris Tillett</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/bad-behaviors-a-better-way-live-with-chris-tillett/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/bad-behaviors-a-better-way-live-with-chris-tillett/#comments</comments>        <pubDate>Wed, 11 Oct 2023 07:09:22 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/8ef84ae8-3e62-378c-bdb6-3108374cb0e3</guid>
                                    <description><![CDATA[<p>Chris Tillett is a well-known figure in our industry.  He is in product management and R&amp;D at Palo Alto Networks.  He is also a great guy, funny, and can wield the snark quite well.  He is the perfect foil for Allan Alford as the two of them take the gloves off, pick on one another, and tear apart bad vendor and bad CISO behaviors.  LIVE!  At Black Hat!</p>
<p> </p>
<p>The two tackle some of the most sensitive pain points on both sides of the fence, and get into solutioning some of the most common CISO/vendor problems.  All while donating to Black Girls Code whenever a buzzword gets used.</p>
<p> </p>
<p>Their ultimate conclusion?  We'd better figure out how to lock arms, as the bad guys have no problems coordinating with each other.</p>
<p> </p>
<p>Come together.  Right now.  Over The Cyber Ranch Podcast.</p>
<p> </p>
<p>Sponsored by Palo Alto Networks XSIAM.</p>
<p>Find out more at a workshop near you!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Chris Tillett is a well-known figure in our industry.  He is in product management and R&amp;D at Palo Alto Networks.  He is also a great guy, funny, and can wield the snark quite well.  He is the perfect foil for Allan Alford as the two of them take the gloves off, pick on one another, and tear apart bad vendor and bad CISO behaviors.  LIVE!  At Black Hat!</p>
<p> </p>
<p>The two tackle some of the most sensitive pain points on both sides of the fence, and get into solutioning some of the most common CISO/vendor problems.  All while donating to Black Girls Code whenever a buzzword gets used.</p>
<p> </p>
<p>Their ultimate conclusion?  We'd better figure out how to lock arms, as the bad guys have no problems coordinating with each other.</p>
<p> </p>
<p>Come together.  Right now.  Over The Cyber Ranch Podcast.</p>
<p> </p>
<p>Sponsored by Palo Alto Networks XSIAM.</p>
<p>Find out more at a workshop near you!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/e7t58c/chris_tillet_finished8hmkg.mp3" length="31948008" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Chris Tillett is a well-known figure in our industry.  He is in product management and R&amp;D at Palo Alto Networks.  He is also a great guy, funny, and can wield the snark quite well.  He is the perfect foil for Allan Alford as the two of them take the gloves off, pick on one another, and tear apart bad vendor and bad CISO behaviors.  LIVE!  At Black Hat!
 
The two tackle some of the most sensitive pain points on both sides of the fence, and get into solutioning some of the most common CISO/vendor problems.  All while donating to Black Girls Code whenever a buzzword gets used.
 
Their ultimate conclusion?  We'd better figure out how to lock arms, as the bad guys have no problems coordinating with each other.
 
Come together.  Right now.  Over The Cyber Ranch Podcast.
 
Sponsored by Palo Alto Networks XSIAM.
Find out more at a workshop near you!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1992</itunes:duration>
                <itunes:episode>143</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Permissions Management w/ Ron Nissim</title>
        <itunes:title>Permissions Management w/ Ron Nissim</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/permissions-management-w-ron-nissim/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/permissions-management-w-ron-nissim/#comments</comments>        <pubDate>Wed, 27 Sep 2023 06:14:26 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/22d5a559-befc-3ff5-86cd-cc99e570fc8b</guid>
                                    <description><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Joining Allan this week is Ron Nissim, CEO @ Entitle.  Yes, this is one of our rare shows with a vendor as a guest.  Why?  Because in this case, the vendor was more highly informed than any of Allan’s practitioner friends he was able to query about the subject.  And what is that subject? Permissions Management.  One that we’ve never done a deep dive into on this show, and one that’s overdue.  So without further ado, enjoy hearing Ron chat with Allan.</p>
<ul><li>What are the fundamental tenets of proper permissions management?</li>
<li>What are the goals?</li>
<li>What does the tech stack look like? What different categories are you going to pursue?</li>
<li>What are the differences between mid-market and enterprise when it comes to permissions management?</li>
<li>What is still missing in permissions management?</li>
<li>What do the next 3-5 years look like?</li>
<li>How does permissions lifecycle tie into identity lifecycle?</li>
<li>What is broken with RBAC?</li>
</ul>
]]></description>
                                                            <content:encoded><![CDATA[<p>Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Joining Allan this week is Ron Nissim, CEO @ Entitle.  Yes, this is one of our rare shows with a vendor as a guest.  Why?  Because in this case, the vendor was more highly informed than any of Allan’s practitioner friends he was able to query about the subject.  And what is that subject? Permissions Management.  One that we’ve never done a deep dive into on this show, and one that’s overdue.  So without further ado, enjoy hearing Ron chat with Allan.</p>
<ul><li>What are the fundamental tenets of proper permissions management?</li>
<li>What are the goals?</li>
<li>What does the tech stack look like? What different categories are you going to pursue?</li>
<li>What are the differences between mid-market and enterprise when it comes to permissions management?</li>
<li>What is still missing in permissions management?</li>
<li>What do the next 3-5 years look like?</li>
<li>How does permissions lifecycle tie into identity lifecycle?</li>
<li>What is broken with RBAC?</li>
</ul>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/zb9pvj/ron_finished85oyj.mp3" length="29840240" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Howdy, y’all, and welcome to The Cyber Ranch Podcast!  Joining Allan this week is Ron Nissim, CEO @ Entitle.  Yes, this is one of our rare shows with a vendor as a guest.  Why?  Because in this case, the vendor was more highly informed than any of Allan’s practitioner friends he was able to query about the subject.  And what is that subject? Permissions Management.  One that we’ve never done a deep dive into on this show, and one that’s overdue.  So without further ado, enjoy hearing Ron chat with Allan.
What are the fundamental tenets of proper permissions management?
What are the goals?
What does the tech stack look like? What different categories are you going to pursue?
What are the differences between mid-market and enterprise when it comes to permissions management?
What is still missing in permissions management?
What do the next 3-5 years look like?
How does permissions lifecycle tie into identity lifecycle?
What is broken with RBAC?
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1860</itunes:duration>
                <itunes:episode>142</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Cybersecurity Efficacy Gap w/ AJ Grotto</title>
        <itunes:title>The Cybersecurity Efficacy Gap w/ AJ Grotto</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-cybersecurity-efficacy-gap-w-aj-grotto/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-cybersecurity-efficacy-gap-w-aj-grotto/#comments</comments>        <pubDate>Wed, 20 Sep 2023 06:30:57 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/608e3c2b-ae44-364d-aa47-532691ef33ac</guid>
                                    <description><![CDATA[<p>Allan is joined by AJ Grotto: William J. Perry International Security Fellow and Founding Director of the Program on Geopolitics, Technology and Governance at Stanford University.  He also serves as the faculty lead for the cyber policy specialization that the university offers through its master's in international policy program.  He’s also a visiting fellow at the Hoover Institution.  He’s talking with me today about cybersecurity spend vs. cybersecurity efficacy.  AJ, thanks so much for coming on down to ‘The Ranch!</p>
<p>The below points are mostly followed, but the pair also get into CISOs embracing risk, CISOs owning risk, and buying 'lemons' in the cybersecurity market:</p>
<ol><li>So Cybersecurity Ventures says 2023 spending is growing 15% year over year. Between awareness training and tech stack, they are estimating $198+ billion in spend this year on cybersecurity.  TechCrunch analyzed the estimated shrinkage of budgets this year based on economic conditions:  45% of budgets remain unchanged or even increased.  3% of budgets were cut by an average of 21.2%.  So these figures hold close to steady despite the economic downturn.   We spend more and more on cybersecurity every year.  When does this end?</li>
<li>Conversely, InfoSecurity Magazine says ransomware attacks surged by 74% in 2023. Wired reports an increase for 2023 as well.  We can dig into the Verizon and IBM annual reports to see general trends of year-over-year increases as well.  Verizon shows a 13% increase with a curve that’s trending upward more quickly each year.  What gives?</li>
<li>How do we solve this? How do we bridge this gap?</li>
<li>Tactically, we have tech stacks and awareness training and GRC. What is our spend story there vs. this looming threat landscape?</li>
<li>Is the solution to spend less, but more intelligently? In other words, crafty rationalization where we still get full coverage, but spend less?</li>
<li>If we can never close the gap between spend and threat, what are we to do?</li>
</ol><p>Sponsored by our good friends at <a href='https://seraphicsecurity.com/'>Seraphic Security</a>.</p>
<p>Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan is joined by AJ Grotto: William J. Perry International Security Fellow and Founding Director of the Program on Geopolitics, Technology and Governance at Stanford University.  He also serves as the faculty lead for the cyber policy specialization that the university offers through its master's in international policy program.  He’s also a visiting fellow at the Hoover Institution.  He’s talking with me today about cybersecurity spend vs. cybersecurity efficacy.  AJ, thanks so much for coming on down to ’The Ranch!</p>
<p>The below points are mostly followed, but the pair also get into CISOs embracing risk, CISOs owning risk, and buying 'lemons' in the cybersecurity market:</p>
<ol><li>So Cybersecurity Ventures says 2023 spending is growing 15% year over year. Between awareness training and tech stack, they are estimating $198+ billion in spend this year on cybersecurity.  TechCrunch analyzed the estimated shrinkage of budgets this year based on economic conditions:  45% of budgets remain unchanged or even increased.  3% of budgets were cut by an average of 21.2%.  So these figures hold close to steady despite the economic downturn.  We spend more and more on cybersecurity every year.  When does this end?</li>
<li>Conversely, InfoSecurity Magazine says ransomware attacks surged by 74% in 2023. Wired reports an increase for 2023 as well.  We can dig into the Verizon and IBM annual reports to see general trends of year-over-year increases as well.  Verizon shows a 13% increase with a curve that’s trending upward more quickly each year.  What gives?</li>
<li>How do we solve this? How do we bridge this gap?</li>
<li>Tactically, we have tech stacks and awareness training and GRC. What is our spend story there vs. this looming threat landscape?</li>
<li>Is the solution to spend less, but more intelligently? In other words, crafty rationalization where we still get full coverage, but spend less?</li>
<li>If we can never close the gap between spend and threat, what are we to do?</li>
</ol><p>Sponsored by our good friends at <a href='https://seraphicsecurity.com/'>Seraphic Security</a>.</p>
<p>Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/qh45mz/aj_show_finished88n8w.mp3" length="40217330" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan is joined by AJ Grotto: William J. Perry International Security Fellow and Founding Director of the Program on Geopolitics, Technology and Governance at Stanford University.  He also serves as the faculty lead for the cyber policy specialization that the university offers through its master's in international policy program.  He’s also a visiting fellow at the Hoover Institution.  He’s talking with me today about cybersecurity spend vs. cybersecurity efficacy.  AJ, thanks so much for coming on down to ’The Ranch!
The below points are mostly followed, but the pair also get into CISOs embracing risk, CISOs owning risk, and buying 'lemons' in the cybersecurity market:
So Cybersecurity Ventures says 2023 spending is growing 15% year over year. Between awareness training and tech stack, they are estimating $198+ billion in spend this year on cybersecurity.  TechCrunch analyzed the estimated shrinkage of budgets this year based on economic conditions:  45% of budgets remain unchanged or even increased.  3% of budgets were cut by an average of 21.2%.  So these figures hold close to steady despite the economic downturn.  We spend more and more on cybersecurity every year.  When does this end?
Conversely, InfoSecurity Magazine says ransomware attacks surged by 74% in 2023. Wired reports an increase for 2023 as well.  We can dig into the Verizon and IBM annual reports to see general trends of year-over-year increases as well.  Verizon shows a 13% increase with a curve that’s trending upward more quickly each year.  What gives?
How do we solve this? How do we bridge this gap?
Tactically, we have tech stacks and awareness training and GRC. What is our spend story there vs. this looming threat landscape?
Is the solution to spend less, but more intelligently? In other words, crafty rationalization where we still get full coverage, but spend less?
If we can never close the gap between spend and threat, what are we to do?
Sponsored by our good friends at Seraphic Security.
Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2509</itunes:duration>
                <itunes:episode>141</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Cybersecurity Awareness Month CALL TO ACTION - The Podcast Trifecta!</title>
        <itunes:title>Cybersecurity Awareness Month CALL TO ACTION - The Podcast Trifecta!</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/cybersecurity-awareness-month-call-to-action-the-podcast-trifecta/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/cybersecurity-awareness-month-call-to-action-the-podcast-trifecta/#comments</comments>        <pubDate>Wed, 13 Sep 2023 06:35:10 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/14d190e2-d922-3b6d-9439-e94b356ab46a</guid>
                                    <description><![CDATA[<p>Warning: Some naughty language in this show, but well placed naughty language!</p>
<p>Challenge issued!!!! Allan has teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who among you will win???</p>
<p>Win?</p>
<p>That's right!  Allan, along with George K and George A from Bare Knuckles &amp; Brass Tacks, joins forces with Aaron Pritz and Cody Rivers of Simply Solving Cyber!

Together, this trifecta weighs in on the October bonanza that is Cybersecurity Awareness Month. While the month started to raise awareness for the general public, it’s now become an excuse for vendors to inundate infosec professionals' inboxes with inane messaging.

Introducing: The Cyber Community Month challenge!

Vendors: we’re challenging you to come up with campaigns that give back to the customer community rather than sending awareness spam.

Client-side practitioners: Show us how you engage local communities, volunteer at schools, help nonprofits, etc. to spread cyber knowledge!

We’re awarding prizes in November. Share your efforts on social media with the hashtag #CyberCommunityChallenge</p>
<p>Sponsored by our good friends at Entitle.</p>
<p>Entitle is how cloud-forward companies provide employees with granular and just-in-time access within their cloud infrastructure and SaaS applications.  Whether it's providing access to production for on-call engineers or granting access to customer data when a support ticket is opened, Entitle easily integrates with your stack, offering self-serve access requests, instant visibility into your cloud entitlements and making user access reviews a breeze.  Learn more at <a href='https://entitle.io'>entitle.io</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Warning: Some naughty language in this show, but well placed naughty language!</p>
<p>Challenge issued!!!! Allan has teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who among you will win???</p>
<p>Win?</p>
<p>That's right!  Allan, along with George K and George A from Bare Knuckles &amp; Brass Tacks, joins forces with Aaron Pritz and Cody Rivers of Simply Solving Cyber!<br>
<br>
Together, this trifecta weighs in on the October bonanza that is Cybersecurity Awareness Month. While the month started to raise awareness for the general public, it’s now become an excuse for vendors to inundate infosec professionals' inboxes with inane messaging.<br>
<br>
Introducing: The Cyber Community Month challenge!<br>
<br>
Vendors: we’re challenging you to come up with campaigns that give back to the customer community rather than sending awareness spam.<br>
<br>
Client-side practitioners: Show us how you engage local communities, volunteer at schools, help nonprofits, etc. to spread cyber knowledge!<br>
<br>
We’re awarding prizes in November. Share your efforts on social media with the hashtag #CyberCommunityChallenge</p>
<p>Sponsored by our good friends at Entitle.</p>
<p>Entitle is how cloud-forward companies provide employees with granular and just-in-time access within their cloud infrastructure and SaaS applications.  Whether it's providing access to production for on-call engineers or granting access to customer data when a support ticket is opened, Entitle easily integrates with your stack, offering self-serve access requests, instant visibility into your cloud entitlements and making user access reviews a breeze.  Learn more at <a href='https://entitle.io'>entitle.io</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/ykq4zz/trifecta.mp3" length="36675544" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Warning: Some naughty language in this show, but well placed naughty language!
Challenge issued!!!! Allan has teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who among you will win???
Win?
That's right!  Allan, along with George K and George A from Bare Knuckles &amp; Brass Tacks, joins forces with Aaron Pritz and Cody Rivers of Simply Solving Cyber!
Together, this trifecta weighs in on the October bonanza that is Cybersecurity Awareness Month. While the month started to raise awareness for the general public, it’s now become an excuse for vendors to inundate infosec professionals' inboxes with inane messaging.
Introducing: The Cyber Community Month challenge!
Vendors: we’re challenging you to come up with campaigns that give back to the customer community rather than sending awareness spam.
Client-side practitioners: Show us how you engage local communities, volunteer at schools, help nonprofits, etc. to spread cyber knowledge!
We’re awarding prizes in November. Share your efforts on social media with the hashtag #CyberCommunityChallenge
Sponsored by our good friends at Entitle.
Entitle is how cloud-forward companies provide employees with granular and just-in-time access within their cloud infrastructure and SaaS applications.  Whether it's providing access to production for on-call engineers or granting access to customer data when a support ticket is opened, Entitle easily integrates with your stack, offering self-serve access requests, instant visibility into your cloud entitlements and making user access reviews a breeze.  Learn more at entitle.io
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>true</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2288</itunes:duration>
                <itunes:episode>140</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Protecting Small Organizations w/ Georges Merchak</title>
        <itunes:title>Protecting Small Organizations w/ Georges Merchak</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/protecting-small-organizations-w-georges-merchak/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/protecting-small-organizations-w-georges-merchak/#comments</comments>        <pubDate>Thu, 07 Sep 2023 05:58:54 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/08db6075-c70c-3d4e-b951-3352dd85bf67</guid>
                                    <description><![CDATA[<ul><li>Nearly 43% of cyber-attacks are on small businesses.</li>
<li>82% of ransomware attacks were targeted at companies with fewer than 1,000 employees.</li>
<li>61% of SMBs were the target of a cyberattack in 2021.</li>
<li>37% of companies hit by ransomware had fewer than 100 employees.</li>
</ul>
<p>And yet...</p>
<ul><li>
<p>36% of small businesses have no concern whatsoever about cyberattacks. Another 59% of small business owners who have no cybersecurity believe that their company is too minuscule to be targeted.</p>
</li>
<li>
<p>47% of businesses that have fewer than 50 employees don’t allocate any funds towards cybersecurity, while 51% of small businesses don’t utilize any IT security measures.</p>
</li>
</ul>
<p>The threat is real, but preparedness is not.  Join Allan and Georges Merchak as they tackle the nuances of protecting small organizations.  Georges is an industry veteran who has held many full-time practitioner roles, but also consulting roles.  Georges has served small business.</p>
<p>Together they address:</p>
<ol><li>Versus bigger businesses, what are the challenges and benefits for the small guys? Are there any benefits?</li>
<li>Is there value for a CISO to consult with these guys?</li>
<li>What is different about their attack surface?</li>
<li>So security is their least concern, and yet it sure seems like it should be a big concern. How do we educate them?</li>
<li>What’s the maturity rollout? There is no way you can tackle a small business’ entire cyber problem in one go…</li>
<li>What are the low-hanging fruit? Some very practical steps?</li>
</ol><p>Y'all enjoy!</p>
<p>Sponsored by our good friends at <a href='https://seraphicsecurity.com/'>Seraphic Security</a>.</p>
<p>Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.</p>
]]></description>
                                                            <content:encoded><![CDATA[<ul><li>Nearly 43% of cyber-attacks are on small businesses.</li>
<li>82% of ransomware attacks were targeted at companies with fewer than 1,000 employees.</li>
<li>61% of SMBs were the target of a cyberattack in 2021.</li>
<li>37% of companies hit by ransomware had fewer than 100 employees.</li>
</ul>
<p>And yet...</p>
<ul><li>
<p>36% of small businesses have no concern whatsoever about cyberattacks. Another 59% of small business owners who have no cybersecurity believe that their company is too minuscule to be targeted.</p>
</li>
<li>
<p>47% of businesses that have fewer than 50 employees don’t allocate any funds towards cybersecurity, while 51% of small businesses don’t utilize any IT security measures.</p>
</li>
</ul>
<p>The threat is real, but preparedness is not.  Join Allan and Georges Merchak as they tackle the nuances of protecting small organizations.  Georges is an industry veteran who has held many full-time practitioner roles, but also consulting roles.  Georges has served small business.</p>
<p>Together they address:</p>
<ol><li>Versus bigger businesses, what are the challenges and benefits for the small guys? Are there any benefits?</li>
<li>Is there value for a CISO to consult with these guys?</li>
<li>What is different about their attack surface?</li>
<li>So security is their least concern, and yet it sure seems like it should be a big concern. How do we educate them?</li>
<li>What’s the maturity rollout? There is no way you can tackle a small business’ entire cyber problem in one go…</li>
<li>What are the low-hanging fruit? Some very practical steps?</li>
</ol><p>Y'all enjoy!</p>
<p>Sponsored by our good friends at <a href='https://seraphicsecurity.com/'>Seraphic Security</a>.</p>
<p>Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/2zwrch/george_finished9mymn.mp3" length="35841716" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Nearly 43% of cyber-attacks are on small businesses.
82% of ransomware attacks were targeted at companies with fewer than 1,000 employees.
61% of SMBs were the target of a cyberattack in 2021.
37% of companies hit by ransomware had fewer than 100 employees.
And yet...

36% of small businesses have no concern whatsoever about cyberattacks. Another 59% of small business owners who have no cybersecurity believe that their company is too minuscule to be targeted.
47% of businesses that have fewer than 50 employees don’t allocate any funds towards cybersecurity, while 51% of small businesses don’t utilize any IT security measures.

The threat is real, but preparedness is not.  Join Allan and Georges Merchak as they tackle the nuances of protecting small organizations.  Georges is an industry veteran who has held many full-time practitioner roles, but also consulting roles.  Georges has served small business.
Together they address:
Versus bigger businesses, what are the challenges and benefits for the small guys? Are there any benefits?
Is there value for a CISO to consult with these guys?
What is different about their attack surface?
So security is their least concern, and yet it sure seems like it should be a big concern. How do we educate them?
What’s the maturity rollout? There is no way you can tackle a small business’ entire cyber problem in one go…
What are the low-hanging fruit? Some very practical steps?
Y'all enjoy!
Sponsored by our good friends at Seraphic Security.
Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2236</itunes:duration>
                <itunes:episode>139</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Nowhere to Hide w/ Chris Roberts</title>
        <itunes:title>Nowhere to Hide w/ Chris Roberts</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/nowhere-to-hide-w-chris-roberts/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/nowhere-to-hide-w-chris-roberts/#comments</comments>        <pubDate>Wed, 30 Aug 2023 05:03:28 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/56a30c7d-902f-3e3e-b591-a728398d7b96</guid>
                                    <description><![CDATA[<p>You know you're being watched, right?</p>
<p>Imagine for some reason you needed to bury a treasure where nobody would ever find it.  In today's society, how could you even do that?  How can you get from Point A to Point B without being observed or tracked in some way?</p>
<p>Did you know that you can be listened to through smart lightbulbs?</p>
<p>This episode features the infamous and always gracious Chris Roberts, back again on the 'Ranch during this LIVE! recording from the HIP Global 2023 conference in NYC.</p>
<p>Chris and Allan talk about these subjects and more in an eye-opening show about just how much folks can see you and hear you.</p>
<p>Join in and become just a little more paranoid...</p>
<p>Sponsored by our good friends at <a href='https://seraphicsecurity.com/'>Seraphic Security</a>.</p>
<p>Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>You know you're being watched, right?</p>
<p>Imagine for some reason you needed to bury a treasure where nobody would ever find it.  In today's society, how could you even do that?  How can you get from Point A to Point B without being observed or tracked in some way?</p>
<p>Did you know that you can be listened to through smart lightbulbs?</p>
<p>This episode features the infamous and always gracious Chris Roberts, back again on the 'Ranch during this LIVE! recording from the HIP Global 2023 conference in NYC.</p>
<p>Chris and Allan talk about these subjects and more in an eye-opening show about just how much folks can see you and hear you.</p>
<p>Join in and become just a little more paranoid...</p>
<p>Sponsored by our good friends at <a href='https://seraphicsecurity.com/'>Seraphic Security</a>.</p>
<p>Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/p3vpfx/chris_show_finished87d8o.mp3" length="31152632" type="audio/mpeg"/>
        <itunes:summary><![CDATA[You know you're being watched, right?
Imagine for some reason you needed to bury a treasure where nobody would ever find it.  In today's society, how could you even do that?  How can you get from Point A to Point B without being observed or tracked in some way?
Did you know that you can be listened to through smart lightbulbs?
This episode features the infamous and always gracious Chris Roberts, back again on the 'Ranch during this LIVE! recording from the HIP Global 2023 conference in NYC.
Chris and Allan talk about these subjects and more in an eye-opening show about just how much folks can see you and hear you.
Join in and become just a little more paranoid...
Sponsored by our good friends at Seraphic Security.
Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1942</itunes:duration>
                <itunes:episode>138</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Cybersecurity in Popular Culture w/ George Finney LIVE!</title>
        <itunes:title>Cybersecurity in Popular Culture w/ George Finney LIVE!</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/cybersecurity-in-popular-culture-w-george-finney-live/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/cybersecurity-in-popular-culture-w-george-finney-live/#comments</comments>        <pubDate>Wed, 23 Aug 2023 05:20:37 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/0a5d492e-28ef-3b8c-b14c-9636c6b05f77</guid>
                                    <description><![CDATA[<p>In this LIVE! show at Black Hat, Allan and his friend George Finney (recurring guest, CISO @ SMU, multi-time author and CEO of Well Aware Security) discuss cybersecurity in popular culture.  They talk about the impact on real-world cybersecurity practices of such non-fiction gems as Clifford Stoll's book The Cuckoo's Egg and such cheesy fictional accounts as the movie Swordfish.</p>
<p>It might have made you groan, but it might have inspired you and others.</p>
<p>It might have represented what we do well enough that you can refer people to it who ask after our craft.  Or maybe the portrayal was so bad it was laughable.</p>
<p>Join Allan and George LIVE! at Black Hat as they pick apart their favorites and take suggestions from the audience as well... Hack the Planet!</p>
<p>Sponsored by our good friends at <a href='https://seraphicsecurity.com/'>Seraphic Security</a>.</p>
<p>Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this LIVE! show at Black Hat, Allan and his friend George Finney (recurring guest, CISO @ SMU, multi-time author and CEO of Well Aware Security) discuss cybersecurity in popular culture.  They talk about the impact on real-world cybersecurity practices of such non-fiction gems as Clifford Stoll's book The Cuckoo's Egg and such cheesy fictional accounts as the movie Swordfish.</p>
<p>It might have made you groan, but it might have inspired you and others.</p>
<p>It might have represented what we do well enough that you can refer people to it who ask after our craft.  Or maybe the portrayal was so bad it was laughable.</p>
<p>Join Allan and George LIVE! at Black Hat as they pick apart their favorites and take suggestions from the audience as well... Hack the Planet!</p>
<p>Sponsored by our good friends at <a href='https://seraphicsecurity.com/'>Seraphic Security</a>.</p>
<p>Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/cgcp2j/george_finished6tuod.mp3" length="30521513" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this LIVE! show at Black Hat, Allan and his friend George Finney (recurring guest, CISO @ SMU, multi-time author and CEO of Well Aware Security) discuss cybersecurity in popular culture.  They talk about the impact on real-world cybersecurity practices of such non-fiction gems as Clifford Stoll's book The Cuckoo's Egg and such cheesy fictional accounts as the movie Swordfish.
It might have made you groan, but it might have inspired you and others.
It might have represented what we do well enough that you can refer people to it who ask after our craft.  Or maybe the portrayal was so bad it was laughable.
Join Allan and George LIVE! at Black Hat as they pick apart their favorites and take suggestions from the audience as well... Hack the Planet!
Sponsored by our good friends at Seraphic Security.
Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1903</itunes:duration>
                <itunes:episode>137</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Allan Interviews EVERYONE at Black Hat</title>
        <itunes:title>Allan Interviews EVERYONE at Black Hat</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/allan-interviews-everyone-at-black-hat/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/allan-interviews-everyone-at-black-hat/#comments</comments>        <pubDate>Wed, 16 Aug 2023 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/ffecd0b5-9c06-381e-96ed-83be04ef17da</guid>
                                    <description><![CDATA[<p>Did you miss Black Hat this year?  Well, you won't miss the great conversations that were had, as Allan captured so many good ones for this special Black Hat retrospective episode.</p>
<p>Did you get to attend Black Hat this year?  See if your experience was as amazing as Allan's!  This show is LIVE and untarnished.  It's the real Black Hat experience!</p>
<p>In this episode, Allan talks to (in alphabetical order, with timestamps):</p>
<p>1:02 - Dani Woolf, Founder &amp; CEO at Audience 1st</p>
<p>3:06 - Daniel Blackford, Manager of Threat Research @ Proofpoint</p>
<p>6:48 - Dean Sysman, CEO @ Axonius</p>
<p>8:19 - Deepen Desai, Global CISO &amp; Head of Security Research @ Zscaler</p>
<p>15:39 - G. Mark Hardy, host of the CISO Tradecraft Podcast</p>
<p>18:42 - Glen Pendley, CTO @ Tenable</p>
<p>23:54 - Kayne McGladrey, Field CISO @ Hyperproof</p>
<p>24:52 - Leigh Honeywell, CEO @ Tall Poppy</p>
<p>25:52 - Masha Sedova, CEO @ Elevate Security</p>
<p>28:47 - Nate Warfield, Director of Research @ Eclypsium</p>
<p>31:43 - Rich Berthao, Cybersecurity Leader, Planner, and Innovator</p>
<p>32:41 - Rob Labbé, CEO and CISO in Residence for the Mining and Metals ISAC</p>
<p>This show captures an amazing week!</p>
<p>Sponsored by our good friends at <a href='https://seraphicsecurity.com/'>Seraphic Security</a>.</p>
<p>Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Did you miss Black Hat this year?  Well, you won't miss the great conversations that were had, as Allan captured so many good ones for this special Black Hat retrospective episode.</p>
<p>Did you get to attend Black Hat this year?  See if your experience was as amazing as Allan's!  This show is LIVE and untarnished.  It's the real Black Hat experience!</p>
<p>In this episode, Allan talks to (in alphabetical order, with timestamps):</p>
<p>1:02 - Dani Woolf, Founder &amp; CEO at Audience 1st</p>
<p>3:06 - Daniel Blackford, Manager of Threat Research @ Proofpoint</p>
<p>6:48 - Dean Sysman, CEO @ Axonius</p>
<p>8:19 - Deepen Desai, Global CISO &amp; Head of Security Research @ Zscaler</p>
<p>15:39 - G. Mark Hardy, host of the CISO Tradecraft Podcast</p>
<p>18:42 - Glen Pendley, CTO @ Tenable</p>
<p>23:54 - Kayne McGladrey, Field CISO @ Hyperproof</p>
<p>24:52 - Leigh Honeywell, CEO @ Tall Poppy</p>
<p>25:52 - Masha Sedova, CEO @ Elevate Security</p>
<p>28:47 - Nate Warfield, Director of Research @ Eclypsium</p>
<p>31:43 - Rich Berthao, Cybersecurity Leader, Planner, and Innovator</p>
<p>32:41 - Rob Labbé, CEO and CISO in Residence for the Mining and Metals ISAC</p>
<p>This show captures an amazing week!</p>
<p>Sponsored by our good friends at <a href='https://seraphicsecurity.com/'>Seraphic Security</a>.</p>
<p>Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/pd7v9j/BM_Snippets_MASTER_FINAL8ihhv.mp3" length="33644086" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Did you miss Black Hat this year?  Well you won't miss the great conversations that were had, as Allan captured so many good ones for this special Black Hat retrospective episode.
 
Did you get to attend Black Hat this year?  See if your experience was as amazing as Allan's!  This show is LIVE and untarnished.  It's the real Black Hat experience!
 
In this episode, Allan talks to (in alphabetical order, with timestamps):
 
1:02 - Dani Woolf, Founder &amp; CEO at Audience 1st
3:06 - Daniel Blackford, Manager of Threat Research @ Proofpoint
6:48 - Dean Sysman, CEO @ Axonius
8:19 - Deepen Desai, Global CISO &amp; Head of Security Research @ ZScaler
15:39 - G. Mark Hardy, host of the CISO Tradecraft Podcast
18:42 - Glen Pendley, CTO @ Tenable
23:54 - Kayne McGladrey, Field CISO @ Hyperproof
24:52 - Leigh Honeywell, CEO @ Tall Poppy
25:52 - Masha Sedova, CEO @ Elevate Security
28:47 - Nate Warfield, Director of Research @ Eclypsium
31:43 - Rich Berthao, Cybersecurity Leader, Planner, and Innovator
32:41 - Rob Labbé, CEO and CISO in Residence for the Mining and Metals ISAC
This show captures an amazing week!
Sponsored by our good friends at Seraphic Security.
Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2098</itunes:duration>
                <itunes:episode>136</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Allan is at Black Hat</title>
        <itunes:title>Allan is at Black Hat</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/allan-is-at-black-hat/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/allan-is-at-black-hat/#comments</comments>        <pubDate>Wed, 09 Aug 2023 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/22f0139f-0d8f-3925-8c6f-c18806a08878</guid>
                                    <description><![CDATA[<p>A brief thank you to our listeners and a request for feedback on the show.</p>
<p>We'll catch y'all next week!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>A brief thank you to our listeners and a request for feedback on the show.</p>
<p>We'll catch y'all next week!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/2rshvf/blackhat.mp3" length="794584" type="audio/mpeg"/>
        <itunes:summary><![CDATA[A brief thank you to our listeners and a request for feedback on the show.
We'll catch y'all next week!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>45</itunes:duration>
                <itunes:episode>135</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Open Source Security Foundation with Omkhar Arasaratnam</title>
        <itunes:title>The Open Source Security Foundation with Omkhar Arasaratnam</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-open-source-security-foundation-with-omkhar-arasaratnam/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-open-source-security-foundation-with-omkhar-arasaratnam/#comments</comments>        <pubDate>Wed, 02 Aug 2023 06:16:11 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/1935e419-214c-3122-b640-c0815de4be1e</guid>
                                    <description><![CDATA[<p>The OpenSSF is doing invaluable work for the cybersecurity community.  And their new managing director happens to be Omkhar Arasaratnam, whose appearance on the show a while back created one of our most popular episodes ever!  Omkhar is back to talk about the OpenSSF:</p>
<ol><li>What is the OpenSSF and how does it relate to the Linux Foundation?</li>
<li>What is the organization's mission?</li>
<li>What is the organization's vision?</li>
<li>What exciting projects are taking place (and a sneak peek about some upcoming announcements at Black Hat!)</li>
<li>What mark do you want to leave on the OpenSSF as Managing Director?</li>
</ol><p>Omkhar is an expert in DevOps and CI/CD.  He is an expert in security.  His passion is supply chain security.  You can see where all of this can come together in his new role and make amazing things happen for your industry.  Y'all enjoy, and y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>The OpenSSF is doing invaluable work for the cybersecurity community.  And their new managing director happens to be Omkhar Arasaratnam, whose appearance on the show a while back created one of our most popular episodes ever!  Omkhar is back to talk about the OpenSSF:</p>
<ol><li>What is the OpenSSF and how does it relate to the Linux Foundation?</li>
<li>What is the organization's mission?</li>
<li>What is the organization's vision?</li>
<li>What exciting projects are taking place (and a sneak peek about some upcoming announcements at Black Hat!)</li>
<li>What mark do you want to leave on the OpenSSF as Managing Director?</li>
</ol><p>Omkhar is an expert in DevOps and CI/CD.  He is an expert in security.  His passion is supply chain security.  You can see where all of this can come together in his new role and make amazing things happen for your industry.  Y'all enjoy, and y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/r2ad9m/omkar2_finihsed9uxub.mp3" length="30404067" type="audio/mpeg"/>
        <itunes:summary><![CDATA[The OpenSSF is doing invaluable work for the cybersecurity community.  And their new managing director happens to be Omkhar Arasaratnam, whose appearance on the show a while back created one of our most popular episodes ever!  Omkhar is back to talk about the OpenSSF:
What is the OpenSSF and how does it relate to the Linux Foundation?
What is the organization's mission?
What is the organization's vision?
What exciting projects are taking place (and a sneak peek about some upcoming announcements at Black Hat!)
What mark do you want to leave on the OpenSSF as Managing Director?
Omkhar is an expert in DevOps and CI/CD.  He is an expert in security.  His passion is supply chain security.  You can see where all of this can come together in his new role and make amazing things happen for your industry.  Y'all enjoy, and y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1896</itunes:duration>
                <itunes:episode>134</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Cloud Security Remediation w/ Tunde Oni-Daniel</title>
        <itunes:title>Cloud Security Remediation w/ Tunde Oni-Daniel</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/cloud-security-remediation-w-tunde-oni-daniel/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/cloud-security-remediation-w-tunde-oni-daniel/#comments</comments>        <pubDate>Wed, 26 Jul 2023 05:50:08 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/4371d66e-8ce2-35e1-aea1-66a084bbc3ba</guid>
                                    <description><![CDATA[<p>Cloud security remediation can be a daunting task that impacts Dev, Sec and Ops teams all.  And it can be a huge, manual, pain in the...  You get the idea.  But there are techniques to navigate it and to overcome many of the common traps and hurdles.</p>
<p>Tunde Oni-Daniel is a grizzled veteran in our industry who has managed to maintain his enthusiasm, passion and energy for the job.  Tunde is an expert on cloud remediation and together he and Allan discuss:</p>
<ul><li>Cloud lifecycle</li>
<li>Challenges when findings happen</li>
<li>Drift management</li>
<li>Bugs vs vulnerabilities</li>
<li>Sec/Dev/Ops relationships with regards to remediation</li>
<li>What works, what's fast?</li>
<li>The next 3-5 years of cloud remediation</li>
</ul>
<p>This one is a phenomenal show packed full of practical tips and high energy.</p>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Cloud security remediation can be a daunting task that impacts Dev, Sec and Ops teams all.  And it can be a huge, manual, pain in the...  You get the idea.  But there are techniques to navigate it and to overcome many of the common traps and hurdles.</p>
<p>Tunde Oni-Daniel is a grizzled veteran in our industry who has managed to maintain his enthusiasm, passion and energy for the job.  Tunde is an expert on cloud remediation and together he and Allan discuss:</p>
<ul><li>Cloud lifecycle</li>
<li>Challenges when findings happen</li>
<li>Drift management</li>
<li>Bugs vs vulnerabilities</li>
<li>Sec/Dev/Ops relationships with regards to remediation</li>
<li>What works, what's fast?</li>
<li>The next 3-5 years of cloud remediation</li>
</ul>
<p>This one is a phenomenal show packed full of practical tips and high energy.</p>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit </em><em><a href='http://dazz.io/demo'>Dazz.io/demo</a></em><em> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/3pdxbx/tunde_finished7vkm8.mp3" length="31200279" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Cloud security remediation can be a daunting task that impacts Dev, Sec and Ops teams all.  And it can be a huge, manual, pain in the...  You get the idea.  But there are techniques to navigate it and to overcome many of the common traps and hurdles.
Tunde Oni-Daniel is a grizzled veteran in our industry who has managed to maintain his enthusiasm, passion and energy for the job.  Tunde is an expert on cloud remediation and together he and Allan discuss:
Cloud lifecycle
Challenges when findings happen
Drift management
Bugs vs vulnerabilities
Sec/Dev/Ops relationships with regards to remediation
What works, what's fast?
The next 3-5 years of cloud remediation
This one is a phenomenal show packed full of practical tips and high energy.
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1945</itunes:duration>
                <itunes:episode>133</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Things We Believe But Cannot Prove w/ Drew Simonis</title>
        <itunes:title>Things We Believe But Cannot Prove w/ Drew Simonis</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/things-we-believe-but-cannot-prove-w-drew-simonis/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/things-we-believe-but-cannot-prove-w-drew-simonis/#comments</comments>        <pubDate>Wed, 19 Jul 2023 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/7537be66-82a1-3b69-bdea-4b81445d653d</guid>
                                    <description><![CDATA[<p>In this episode, Allan and Drew tackle an interesting subject that was suggested by Drew and that Allan posted for the LinkedIn community to gather around: things we believe in cybersecurity that we cannot prove.</p>
<p>The LinkedIn conversation was phenomenal, and Drew and Allan do a great job of summarizing it and calling out the underpinnings behind much of what we believe in this industry.</p>
<p>Questions Allan asks Drew:</p>
<ol><li>What inspired this topic?</li>
<li>What were some of your favorites from the LinkedIn thread?</li>
<li>What are the underlying themes here?</li>
<li>Is BYOD security really a thing?</li>
<li>Are third-party risk assessments useful?</li>
</ol><p>Special thanks to LinkedIn posters:</p>
<ul><li>Peter Schawacker</li>
<li>John Prokap</li>
<li>Duane Gran</li>
<li>Brian Campbell</li>
<li>Matthew Dimmick</li>
<li>Graham Lewendon</li>
<li>Marcus W.</li>
<li>Dmitriy Sokolovskiy</li>
<li>And everyone who participated in a very lively thread...</li>
</ul>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode, Allan and Drew tackle an interesting subject that was suggested by Drew and that Allan posted for the LinkedIn community to gather around: things we believe in cybersecurity that we cannot prove.</p>
<p>The LinkedIn conversation was phenomenal, and Drew and Allan do a great job of summarizing it and calling out the underpinnings behind much of what we believe in this industry.</p>
<p>Questions Allan asks Drew:</p>
<ol><li>What inspired this topic?</li>
<li>What were some of your favorites from the LinkedIn thread?</li>
<li>What are the underlying themes here?</li>
<li>Is BYOD security really a thing?</li>
<li>Are third-party risk assessments useful?</li>
</ol><p>Special thanks to LinkedIn posters:</p>
<ul><li>Peter Schawacker</li>
<li>John Prokap</li>
<li>Duane Gran</li>
<li>Brian Campbell</li>
<li>Matthew Dimmick</li>
<li>Graham Lewendon</li>
<li>Marcus W.</li>
<li>Dmitriy Sokolovskiy</li>
<li>And everyone who participated in a very lively thread...</li>
</ul>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit </em><em><a href='http://dazz.io/demo'>Dazz.io/demo</a></em><em> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/hn3xrm/drew_simonis_finished9ky2w.mp3" length="39888815" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan and Drew tackle an interesting subject that was suggested by Drew and that Allan posted for the LinkedIn community to gather around: things we believe in cybersecurity that we cannot prove.
The LinkedIn conversation was phenomenal, and Drew and Allan do a great job of summarizing it and calling out the underpinnings behind much of what we believe in this industry.
Questions Allan asks Drew:
What inspired this topic?
What were some of your favorites from the LinkedIn thread?
What are the underlying themes here?
Is BYOD security really a thing?
Are third-party risk assessments useful?
Special thanks to LinkedIn posters:
Peter Schawacker
John Prokap
Duane Gran
Brian Campbell
Matthew Dimmick
Graham Lewendon
Marcus W.
Dmitriy Sokolovskiy
And everyone who participated in a very lively thread...
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2488</itunes:duration>
                <itunes:episode>132</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Board Reporting with Kate Kuehn</title>
        <itunes:title>Board Reporting with Kate Kuehn</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/board-reporting-with-kate-kuehn/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/board-reporting-with-kate-kuehn/#comments</comments>        <pubDate>Wed, 12 Jul 2023 05:14:56 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/97089ef7-165e-35e6-806f-b4bd286cb48b</guid>
                                    <description><![CDATA[<p>Kate is a legend in our industry, a multiple-time board member herself who has also reported to boards in a wide variety of roles.  She is currently Chief Trust Officer at Aon.  Allan and Kate have intended to get her down to The Cyber Ranch for some time, but the stars finally aligned in this fantastic episode jam-packed with great advice.</p>
<p> </p>
<p>Do please forgive the sound quality on this one.  It was recorded on the road, and the conversation was too amazing to re-record despite the quality issues.</p>
<p> </p>
<p>Kate and Allan cover:</p>
<ul><li>Best human approaches in board communicating – everything but the presentation itself</li>
<li>How to get to know your board both individually and collectively</li>
<li>What to present</li>
<li>What not to present</li>
<li>Best tips and tricks overall</li>
</ul>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Kate is a legend in our industry, a multiple-time board member herself who has also reported to boards in a wide variety of roles.  She is currently Chief Trust Officer at Aon.  Allan and Kate have intended to get her down to The Cyber Ranch for some time, but the stars finally aligned in this fantastic episode jam-packed with great advice.</p>
<p> </p>
<p>Do please forgive the sound quality on this one.  It was recorded on the road, and the conversation was too amazing to re-record despite the quality issues.</p>
<p> </p>
<p>Kate and Allan cover:</p>
<ul><li>Best human approaches in board communicating – everything but the presentation itself</li>
<li>How to get to know your board both individually and collectively</li>
<li>What to present</li>
<li>What not to present</li>
<li>Best tips and tricks overall</li>
</ul>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit </em><em><a href='http://dazz.io/demo'>Dazz.io/demo</a></em><em> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/eqcn5d/kate_kuehn_show_finished6m3b0.mp3" length="32477562" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Kate is a legend in our industry, a multiple-time board member herself who has also reported to boards in a wide variety of roles.  She is currently Chief Trust Officer at Aon.  Allan and Kate have intended to get her down to The Cyber Ranch for some time, but the stars finally aligned in this fantastic episode jam-packed with great advice.
 
Do please forgive the sound quality on this one.  It was recorded on the road, and the conversation was too amazing to re-record despite the quality issues.
 
Kate and Allan cover:
Best human approaches in board communicating – everything but the presentation itself
How to get to know your board both individually and collectively
What to present
What not to present
Best tips and tricks overall
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2025</itunes:duration>
                <itunes:episode>131</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Allan Answers LinkedIn Questions</title>
        <itunes:title>Allan Answers LinkedIn Questions</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/allan-answers-linkedin-questions/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/allan-answers-linkedin-questions/#comments</comments>        <pubDate>Thu, 06 Jul 2023 11:34:14 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/e1b2ed93-ac42-3387-be7a-350c82cf2b20</guid>
                                    <description><![CDATA[<p>This week Allan flies solo and tackles a variety of questions that came in from LinkedIn - including his origin story.</p>
<p>Allan tackles the following questions:</p>
<ol><li>How does a CISO protect themselves from prosecution?</li>
<li>How does one get value from a cybersecurity assessment?</li>
<li>How should one pick a cybersecurity solution or company?</li>
<li>How do you "disconnect" from cybersecurity?</li>
<li>How to start and sustain a cybersecurity podcast - why and why not?</li>
<li>Allan's origin story</li>
<li>Allan argues with himself over two issues</li>
</ol><p>NOTE: Allan states: "I have no idea why anyone would want to hear my origin story, but here it is.  You can skip it if you like.  It runs from roughly 19 minutes to 24 minutes."</p>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This week Allan flies solo and tackles a variety of questions that came in from LinkedIn - including his origin story.</p>
<p>Allan tackles the following questions:</p>
<ol><li>How does a CISO protect themselves from prosecution?</li>
<li>How does one get value from a cybersecurity assessment?</li>
<li>How should one pick a cybersecurity solution or company?</li>
<li>How do you "disconnect" from cybersecurity?</li>
<li>How to start and sustain a cybersecurity podcast - why and why not?</li>
<li>Allan's origin story</li>
<li>Allan argues with himself over two issues</li>
</ol><p>NOTE: Allan states: "I have no idea why anyone would want to hear my origin story, but here it is.  You can skip it if you like.  It runs from roughly 19 minutes to 24 minutes."</p>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit </em><em><a href='http://dazz.io/demo'>Dazz.io/demo</a></em><em> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/qmbvu9/solo_show8qrdr.mp3" length="28770682" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This week Allan flies solo and tackles a variety of questions that came in from LinkedIn - including his origin story.
Allan tackles the following questions:
How does a CISO protect themselves from prosecution?
How does one get value from a cybersecurity assessment?
How should one pick a cybersecurity solution or company?
How do you "disconnect" from cybersecurity?
How to start and sustain a cybersecurity podcast - why and why not?
Allan's origin story
Allan argues with himself over two issues
NOTE: Allan states: "I have no idea why anyone would want to hear my origin story, but here it is.  You can skip it if you like.  It runs from roughly 19 minutes to 24 minutes."
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1794</itunes:duration>
                <itunes:episode>130</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Real Implications of Contemporary Exploits with Anne Marie Zettlemoyer</title>
        <itunes:title>The Real Implications of Contemporary Exploits with Anne Marie Zettlemoyer</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-real-implications-of-contemporary-exploits-with-anne-marie-zettlemoyer/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-real-implications-of-contemporary-exploits-with-anne-marie-zettlemoyer/#comments</comments>        <pubDate>Wed, 28 Jun 2023 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/5c2daaa3-107d-3e83-b343-24a85e2d4945</guid>
                                    <description><![CDATA[<p>The MOVEit breach has been top of mind, especially with SolarWinds and Colonial Pipeline and log4j and all the others having been so recent.  It is easy to blame the victims.  It is easy to make excuses that nobody can defend against a Zero Day.  There are a lot of easy responses to these kinds of affairs.</p>
<p>But what Allan and Anne Marie Zettlemoyer get into in this episode is a variety of questions around the assumptions:</p>
<ol><li>Start with a quick summary of the MOVEit exploit and Clop.</li>
<li>How does this attack compare to SolarWinds?</li>
<li>What can we do to prepare for zero-day exploits?</li>
<li>Is society (and the business world) getting jaded to ransomware attacks and breaches? Is this affecting their investments in cyber?</li>
<li>Is a post-breach CISO really rolling in the assets and resources the way so many assume?</li>
<li>What are the long-term implications for a business, its stock prices, and its CISO investment?</li>
</ol><p>This is another episode that strives to get deeper than the surface.  We hope you learn something from it, and we hope you enjoy it as well.  Y'all be good now!</p>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>The MOVEit breach has been top of mind, especially with SolarWinds and Colonial Pipeline and log4j and all the others having been so recent.  It is easy to blame the victims.  It is easy to make excuses that nobody can defend against a Zero Day.  There are a lot of easy responses to these kinds of affairs.</p>
<p>But what Allan and Anne Marie Zettlemoyer get into in this episode is a variety of questions around the assumptions:</p>
<ol><li>Start with a quick summary of the MOVEit exploit and Clop.</li>
<li>How does this attack compare to SolarWinds?</li>
<li>What can we do to prepare for zero-day exploits?</li>
<li>Is society (and the business world) getting jaded to ransomware attacks and breaches? Is this affecting their investments in cyber?</li>
<li>Is a post-breach CISO really rolling in the assets and resources the way so many assume?</li>
<li>What are the long-term implications for a business, its stock prices, and its CISO investment?</li>
</ol><p>This is another episode that strives to get deeper than the surface.  We hope you learn something from it, and we hope you enjoy it as well.  Y'all be good now!</p>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit </em><em><a href='http://dazz.io/demo'>Dazz.io/demo</a></em><em> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/hn2eqy/amz2_finishedadurk.mp3" length="33673761" type="audio/mpeg"/>
        <itunes:summary><![CDATA[The MOVEit breach has been top of mind, especially with SolarWinds and Colonial Pipeline and log4j and all the others having been so recent.  It is easy to blame the victims.  It is easy to make excuses that nobody can defend against a Zero Day.  There are a lot of easy responses to these kinds of affairs.
But what Allan and Anne Marie Zettlemoyer get into in this episode is a variety of questions around the assumptions:
Start with a quick summary of the MOVEit exploit and Clop.
How does this attack compare to SolarWinds?
What can we do to prepare for zero-day exploits?
Is society (and the business world) getting jaded to ransomware attacks and breaches? Is this affecting their investments in cyber?
Is a post-breach CISO really rolling in the assets and resources the way so many assume?
What are the long-term implications for a business, its stock prices, and its CISO investment?
This is another episode that strives to get deeper than the surface.  We hope you learn something from it, and we hope you enjoy it as well.  Y'all be good now!
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2100</itunes:duration>
                <itunes:episode>129</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Zero Trust &amp; DSPM with Claude Mandy - SPECIAL LIVE EDITION</title>
        <itunes:title>Zero Trust &amp; DSPM with Claude Mandy - SPECIAL LIVE EDITION</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/zero-trust-dspm-with-claude-mandy-special-live-edition/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/zero-trust-dspm-with-claude-mandy-special-live-edition/#comments</comments>        <pubDate>Thu, 22 Jun 2023 11:03:44 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/bd70165f-c360-3587-8879-7651b107ba8d</guid>
                                    <description><![CDATA[<p>This episode was recorded LIVE at the 2023 Symmetry Systems Unconference on Zero Trust, adjunct to RSAC 2023.</p>
<p>Allan is joined by his friend Claude Mandy, former CISO, former analyst, and now Chief Evangelist at Symmetry Systems.  Like Allan, Claude is a Zero Trust enthusiast.  The podcast was the capstone to a long day of Zero Trust presentations, panels, book reviews and other great topics and conversations.</p>
<p>Join Allan and Claude at this live recording that covers:</p>
<p>- How does DSPM fit into Zero Trust?</p>
<p>- Allan's victory at a recent Digital Fight Club event where he championed Zero Trust</p>
<p>- Overcoming Zero Trust marketing hype</p>
<p>- Is Zero Trust a framework, an architecture, or something else?  Hint: Claude says it's something else.</p>
<p>- What are the biggest challenges in implementing Zero Trust?</p>
<p>- What are the benefits to the business of Zero Trust?</p>
<p>- Security is about the intersection of Data & Entities - not about Assets</p>
<p>- What are the most exciting aspects of RSAC 2023 for Claude and Allan?</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This episode was recorded LIVE at the 2023 Symmetry Systems Unconference on Zero Trust, adjunct to RSAC 2023.</p>
<p>Allan is joined by his friend Claude Mandy, former CISO, former analyst, and now Chief Evangelist at Symmetry Systems.  Like Allan, Claude is a Zero Trust enthusiast.  The podcast was the capstone to a long day of Zero Trust presentations, panels, book reviews and other great topics and conversations.</p>
<p>Join Allan and Claude at this live recording that covers:</p>
<p>- How does DSPM fit into Zero Trust?</p>
<p>- Allan's victory at a recent Digital Fight Club event where he championed Zero Trust</p>
<p>- Overcoming Zero Trust marketing hype</p>
<p>- Is Zero Trust a framework, an architecture, or something else?  Hint: Claude says it's something else.</p>
<p>- What are the biggest challenges in implementing Zero Trust?</p>
<p>- What are the benefits to the business of Zero Trust?</p>
<p>- Security is about the intersection of Data & Entities - not about Assets</p>
<p>- What are the most exciting aspects of RSAC 2023 for Claude and Allan?</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/zhm7ca/FINAL_CLAUDEb7thw.mp3" length="21356086" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This episode was recorded LIVE at the 2023 Symmetry Systems Unconference on Zero Trust, adjunct to RSAC 2023.
Allan is joined by his friend Claude Mandy, former CISO, former analyst, and now Chief Evangelist at Symmetry Systems.  Like Allan, Claude is a Zero Trust enthusiast.  The podcast was the capstone to a long day of Zero Trust presentations, panels, book reviews and other great topics and conversations.
Join Allan and Claude at this live recording that covers:
- How does DSPM fit into Zero Trust?
- Allan's victory at a recent Digital Fight Club event where he championed Zero Trust
- Overcoming Zero Trust marketing hype
- Is Zero Trust a framework, an architecture, or something else?  Hint: Claude says it's something else.
- What are the biggest challenges in implementing Zero Trust?
- What are the benefits to the business of Zero Trust?
- Security is about the intersection of Data & Entities - not about Assets
- What are the most exciting aspects of RSAC 2023 for Claude and Allan?]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1330</itunes:duration>
                <itunes:episode>128</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Money with Nick Vigier</title>
        <itunes:title>Money with Nick Vigier</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/money-with-nick-vigier/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/money-with-nick-vigier/#comments</comments>        <pubDate>Wed, 21 Jun 2023 06:59:54 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/53f26747-7d9d-3ee6-86bd-7b41a1b45f8e</guid>
                                    <description><![CDATA[<p>Money is the hardest thing for a CISO to acquire.  As with last week's show on Time, Money has to be spent wisely as well.  Perhaps the tricks to spend it wisely directly relate to how we can acquire more the next cycle to achieve the mission we know we need to achieve.  In this episode we cover:</p>
<p>- What are the best methods for securing a budget?</p>
<p>- How do you structure your budget to align with business costs (COGS, R&D, CAC...)?</p>
<p>- What are some good ways to save money as a CISO?</p>
<p>- How do you best lower vendor costs for the long term?</p>
<p>- How can a CISO help make money for the business?</p>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Money is the hardest thing for a CISO to acquire.  As with last week's show on Time, Money has to be spent wisely as well.  Perhaps the tricks to spend it wisely directly relate to how we can acquire more the next cycle to achieve the mission we know we need to achieve.  In this episode we cover:</p>
<p>- What are the best methods for securing a budget?</p>
<p>- How do you structure your budget to align with business costs (COGS, R&D, CAC...)?</p>
<p>- What are some good ways to save money as a CISO?</p>
<p>- How do you best lower vendor costs for the long term?</p>
<p>- How can a CISO help make money for the business?</p>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit </em><em><a href='http://dazz.io/demo'>Dazz.io/demo</a></em><em> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/4tueih/nick_finished702p7.mp3" length="29376305" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Money is the hardest thing for a CISO to acquire.  As with last week's show on Time, Money has to be spent wisely as well.  Perhaps the tricks to spend it wisely directly relate to how we can acquire more the next cycle to achieve the mission we know we need to achieve.  In this episode we cover:
- What are the best methods for securing a budget?
- How do you structure your budget to align with business costs (COGS, R&D, CAC...)?
- What are some good ways to save money as a CISO?
- How do you best lower vendor costs for the long term?
- How can a CISO help make money for the business?
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1831</itunes:duration>
                <itunes:episode>127</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Time w/ Paul Robinson</title>
        <itunes:title>Time w/ Paul Robinson</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/time-w-paul-robinson/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/time-w-paul-robinson/#comments</comments>        <pubDate>Wed, 14 Jun 2023 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/ec738be7-613c-3be2-9aa5-1ed5619f1fed</guid>
                                    <description><![CDATA[<p>Time is one of our most precious commodities as security practitioners.  And yet we have traditional time sinkholes where we waste time, lose time, and spend time.  Join Allan and Paul Robinson, Founder and Managing Director at Tempus Network, as they explore several of these areas and give concrete tips on how to save time as security practitioners:</p>
<p>- Keeping up with industry trends</p>
<p>- Managing cyber incidents</p>
<p>- Third-party questionnaires (both directions!)</p>
<p>- Vendor onboarding</p>
<p>- Work from home vs. going into the office</p>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Time is one of our most precious commodities as security practitioners.  And yet we have traditional time sinkholes where we waste time, lose time, and spend time.  Join Allan and Paul Robinson, Founder and Managing Director at Tempus Network, as they explore several of these areas and give concrete tips on how to save time as security practitioners:</p>
<p>- Keeping up with industry trends</p>
<p>- Managing cyber incidents</p>
<p>- Third-party questionnaires (both directions!)</p>
<p>- Vendor onboarding</p>
<p>- Work from home vs. going into the office</p>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit </em><em><a href='http://dazz.io/demo'>Dazz.io/demo</a></em><em> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/c5jy9y/paul_finished8yfti.mp3" length="34222542" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Time is one of our most precious commodities as security practitioners.  And yet we have traditional time sinkholes where we waste time, lose time, and spend time.  Join Allan and Paul Robinson, Founder and Managing Director at Tempus Network, as they explore several of these areas and give concrete tips on how to save time as security practitioners:
- Keeping up with industry trends
- Managing cyber incidents
- Third-party questionnaires (both directions!)
- Vendor onboarding
- Work from home vs. going into the office
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2134</itunes:duration>
                <itunes:episode>126</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>FedRAMP, StateRAMP, TX-RAMP with Jay Adams</title>
        <itunes:title>FedRAMP, StateRAMP, TX-RAMP with Jay Adams</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/fedramp-stateramp-tx-ramp-with-jay-adams/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/fedramp-stateramp-tx-ramp-with-jay-adams/#comments</comments>        <pubDate>Wed, 07 Jun 2023 07:02:18 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/b9b3ea59-acbf-3f3d-9475-4b77297636f3</guid>
                                    <description><![CDATA[<p>Join Allan and his guest Jay Adams, CISO @ Enchoice and former security architect for several large private and public sector efforts - from M&A activities to massive public portals.</p>
<p>Jay is going through TX-RAMP right now, and both he and Allan have done research on FedRAMP and StateRAMP as well.</p>
<p>What are the differences?  Why might you choose one over the other?  What are the gotchas?</p>
<p>This is a great show and you'll get to learn a bit about Allan's brief foray into state government as well...</p>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Join Allan and his guest Jay Adams, CISO @ Enchoice and former security architect for several large private and public sector efforts - from M&A activities to massive public portals.</p>
<p>Jay is going through TX-RAMP right now, and both he and Allan have done research on FedRAMP and StateRAMP as well.</p>
<p>What are the differences?  Why might you choose one over the other?  What are the gotchas?</p>
<p>This is a great show and you'll get to learn a bit about Allan's brief foray into state government as well...</p>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit </em><em><a href='http://dazz.io/demo'>Dazz.io/demo</a></em><em> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/xcj5f3/JAY_FINISHEDb6kxp.mp3" length="27771342" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Join Allan and his guest Jay Adams, CISO @ Enchoice and former security architect for several large private and public sector efforts - from M&A activities to massive public portals.
Jay is going through TX-RAMP right now, and both he and Allan have done research on FedRAMP and StateRAMP as well.
What are the differences?  Why might you choose one over the other?  What are the gotchas?
This is a great show and you'll get to learn a bit about Allan's brief foray into state government as well...
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1731</itunes:duration>
                <itunes:episode>125</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>RSAC 2023 Special Edition Campfire Chats - Part 2</title>
        <itunes:title>RSAC 2023 Special Edition Campfire Chats - Part 2</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/rsac-2023-special-edition-campfire-chats-part-2/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/rsac-2023-special-edition-campfire-chats-part-2/#comments</comments>        <pubDate>Mon, 05 Jun 2023 13:02:17 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/7fdcc6ba-0e54-3b92-a1e0-671f2e7565a3</guid>
                                    <description><![CDATA[<p>This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023.  Guests include:</p>
<ul><li>Gary Hayslip, CISO @ Softbank Investment Advisers</li>
<li>Michael Calderin, CISO @ YAGEO Group</li>
<li>David Cross, CISO @ Oracle SaaS Cloud</li>
<li>Audra Streetman, Security Strategist @ Splunk</li>
<li>Adrian Peters, CISO @ Vista Equity Partners</li>
<li>Robin Sundaram, CISO @ RELX</li>
<li>Merritt Baer, Office of the CISO @ AWS</li>
<li>Rob Wood, CISO @ Centers for Medicare & Medicaid Services</li>
<li>Bryan Green, CISO Americas @ ZScaler</li>
<li>Stephanie Derdouri, Sr. Manager, Information Security and Technology Risk Management @ Capital Group</li>
<li>Andres Andreu, CISO @ 2U</li>
<li>Paul Love, CISO & Chief Privacy Officer @ Co-op Solutions</li>
<li>Royce Markose, former CISO</li>
<li>Bob Schuetter, CISO @ Ashland</li>
<li>Susan Thomas, CEO @ 10Fold</li>
<li>Brian Markham, CISO @ EAB</li>
<li>Ken Foster, VP of IT GRC @ FLEETCOR</li>
<li>Elizabeth Martinez, Account Exec @ ThreatLocker</li>
<li>Josiah Dykstra, Senior Fellow, Office of Innovation @ The NSA</li>
<li>Kevin Brown, CEO @ Innit</li>
<li>Brent Deterding, CISO @ Afni</li>
<li>Audra Streetman, Security Strategist @ Splunk</li>
<li>Wendy Whitmore, SVP, Unit 42 @ Palo Alto Networks</li>
</ul>
<p>I ask my guests several questions including:</p>
<ul><li>How do you impact the top and bottom line?</li>
<li>What topics are you tired of in cybersecurity?</li>
</ul>
<p>There are also some special interviews at the end - discussions about the RSA conference itself, tech stack sprawl, and personal branding and marketing for CISOs.  Oh - and a question about how vendors and CISOs can work better together AND a conversation about how government and industry can work together in cybersecurity.</p>
<p>Give this one a listen!  It's jam-packed with great insights!</p>
<p>Sponsored by AttackIQ & Semperis.</p>
<p>AttackIQ offers a new fully managed breach and attack simulation service.  They are the premier provider of MITRE ATT&CK-based security control validation.  <a href='https://attackiq.com'>https://attackiq.com</a></p>
<p>Semperis provides the industry's most comprehensive Active Directory and Azure AD cyber resilience platform, supported by specialized AD incident response expertise.  <a href='https://semperis.com'>https://semperis.com</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023.  Guests include:</p>
<ul><li>Gary Hayslip, CISO @ Softbank Investment Advisers</li>
<li>Michael Calderin, CISO @ YAGEO Group</li>
<li>David Cross, CISO @ Oracle SaaS Cloud</li>
<li>Audra Streetman, Security Strategist @ Splunk</li>
<li>Adrian Peters, CISO @ Vista Equity Partners</li>
<li>Robin Sundaram, CISO @ RELX</li>
<li>Merritt Baer, Office of the CISO @ AWS</li>
<li>Rob Wood, CISO @ Centers for Medicare & Medicaid Services</li>
<li>Bryan Green, CISO Americas @ ZScaler</li>
<li>Stephanie Derdouri, Sr. Manager, Information Security and Technology Risk Management @ Capital Group</li>
<li>Andres Andreu, CISO @ 2U</li>
<li>Paul Love, CISO & Chief Privacy Officer @ Co-op Solutions</li>
<li>Royce Markose, former CISO</li>
<li>Bob Schuetter, CISO @ Ashland</li>
<li>Susan Thomas, CEO @ 10Fold</li>
<li>Brian Markham, CISO @ EAB</li>
<li>Ken Foster, VP of IT GRC @ FLEETCOR</li>
<li>Elizabeth Martinez, Account Exec @ ThreatLocker</li>
<li>Josiah Dykstra, Senior Fellow, Office of Innovation @ The NSA</li>
<li>Kevin Brown, CEO @ Innit</li>
<li>Brent Deterding, CISO @ Afni</li>
<li>Audra Streetman, Security Strategist @ Splunk</li>
<li>Wendy Whitmore, SVP, Unit 42 @ Palo Alto Networks</li>
</ul>
<p>I ask my guests several questions including:</p>
<ul><li>How do you impact the top and bottom line?</li>
<li>What topics are you tired of in cybersecurity?</li>
</ul>
<p>There are also some special interviews at the end - discussions about the RSA conference itself, tech stack sprawl, and personal branding and marketing for CISOs.  Oh - and a question about how vendors and CISOs can work better together AND a conversation about how government and industry can work together in cybersecurity.</p>
<p>Give this one a listen!  It's jam-packed with great insights!</p>
<p>Sponsored by AttackIQ & Semperis.</p>
<p>AttackIQ offers a new fully managed breach and attack simulation service.  They are the premier provider of MITRE ATT&CK-based security control validation.  <a href='https://attackiq.com'>https://attackiq.com</a></p>
<p>Semperis provides the industry's most comprehensive Active Directory and Azure AD cyber resilience platform, supported by specialized AD incident response expertise.  <a href='https://semperis.com'>https://semperis.com</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/puxqfc/Part_2_Materbc4ix.mp3" length="34818552" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023.  Guests include:
Gary Hayslip, CISO @ Softbank Investment Advisers
Michael Calderin, CISO @ YAGEO Group
David Cross, CISO @ Oracle SaaS Cloud
Audra Streetman, Security Strategist @ Splunk
Adrian Peters, CISO @ Vista Equity Partners
Robin Sundaram, CISO @ RELX
Merritt Baer, Office of the CISO @ AWS
Rob Wood, CISO @ Centers for Medicare & Medicaid Services
Bryan Green, CISO Americas @ ZScaler
Stephanie Derdouri, Sr. Manager, Information Security and Technology Risk Management @ Capital Group
Andres Andreu, CISO @ 2U
Paul Love, CISO & Chief Privacy Officer @ Co-op Solutions
Royce Markose, former CISO
Bob Schuetter, CISO @ Ashland
Susan Thomas, CEO @ 10Fold
Brian Markham, CISO @ EAB
Ken Foster, VP of IT GRC @ FLEETCOR
Elizabeth Martinez, Account Exec @ ThreatLocker
Josiah Dykstra, Senior Fellow, Office of Innovation @ The NSA
Kevin Brown, CEO @ Innit
Brent Deterding, CISO @ Afni
Audra Streetman, Security Strategist @ Splunk
Wendy Whitmore, SVP, Unit 42 @ Palo Alto Networks
I ask my guests several questions including:
How do you impact the top and bottom line?
What topics are you tired of in cybersecurity?
There are also some special interviews at the end - discussions about the RSA conference itself, tech stack sprawl, and personal branding and marketing for CISOs.  Oh - and a question about how vendors and CISOs can work better together AND a conversation about how government and industry can work together in cybersecurity.
Give this one a listen!  It's jam-packed with great insights!
Sponsored by AttackIQ & Semperis.
AttackIQ offers a new fully managed breach and attack simulation service.  They are the premier provider of MITRE ATT&CK-based security control validation.  https://attackiq.com
Semperis provides the industry's most comprehensive Active Directory and Azure AD cyber resilience platform, supported by specialized AD incident response expertise.  https://semperis.com]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2172</itunes:duration>
                <itunes:episode>124</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>1% Leadership with Andy Ellis</title>
        <itunes:title>1% Leadership with Andy Ellis</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/1-leadership-with-andy-ellis/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/1-leadership-with-andy-ellis/#comments</comments>        <pubDate>Wed, 31 May 2023 06:09:59 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/f405d425-c82f-3f4a-8e7a-63aee9bf4fa5</guid>
                                    <description><![CDATA[<p>This week's show is exciting because Allan has been waiting for Andy's book on leadership to come out for quite some time.  The book is called “1% Leadership – Master The Small, Daily Improvements That Set Great Leaders Apart”, and it consists of 54 chapters - each of which presents a specific facet of good leadership in a nearly "buffet style" manner. You can pick and choose topics that resonate with you and dive right in.</p>
<p>Allan picked 6 chapters that resonated with him in particular and got Andy to elaborate:</p>
<ul><li>Chapter 1 - “Personal improvement is a prerequisite to leading professionally”</li>
<li>Chapter 6 - “Gift kindness where it isn’t expected”</li>
<li>Chapter 8 – “An uncompelled apology unburdens everyone”</li>
<li>Chapter 13 - "Your wellness is one of the greatest assets you control" (Listen as Andy hits Allan straight in the feels on this topic)</li>
<li>Chapter 24 – "People need to see versions of themselves to feel welcome"</li>
<li>Chapter 35 - "In general, be vague"</li>
</ul>
<p>The book is amazing, these particular chapters are amazing, and Andy's expounding upon them is amazing as well!</p>
<p>Y'all be good now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This week's show is exciting because Allan has been waiting for Andy's book on leadership to come out for quite some time.  The book is called “1% Leadership – Master The Small, Daily Improvements That Set Great Leaders Apart”, and it consists of 54 chapters - each of which presents a specific facet of good leadership in a nearly "buffet style" manner. You can pick and choose topics that resonate with you and dive right in.</p>
<p>Allan picked 6 chapters that resonated with him in particular and got Andy to elaborate:</p>
<ul><li>Chapter 1 - “Personal improvement is a prerequisite to leading professionally”</li>
<li>Chapter 6 - “Gift kindness where it isn’t expected”</li>
<li>Chapter 8 – “An uncompelled apology unburdens everyone”</li>
<li>Chapter 13 - "Your wellness is one of the greatest assets you control" (Listen as Andy hits Allan straight in the feels on this topic)</li>
<li>Chapter 24 – "People need to see versions of themselves to feel welcome"</li>
<li>Chapter 35 - "In general, be vague"</li>
</ul>
<p>The book is amazing, these particular chapters are amazing, and Andy's expounding upon them is amazing as well!</p>
<p>Y'all be good now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/q7th83/andy_finished7yzqm.mp3" length="32002343" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This week's show is exciting because Allan has been waiting for Andy's book on leadership to come out for quite some time.  The book is called “1% Leadership – Master The Small, Daily Improvements That Set Great Leaders Apart”, and it consists of 54 chapters - each of which presents a specific facet of good leadership in a nearly "buffet style" manner. You can pick and choose topics that resonate with you and dive right in.
Allan picked 6 chapters that resonated with him in particular and got Andy to elaborate:
Chapter 1 - “Personal improvement is a prerequisite to leading professionally”
Chapter 6 - “Gift kindness where it isn’t expected”
Chapter 8 – “An uncompelled apology unburdens everyone”
Chapter 13 - "Your wellness is one of the greatest assets you control" (Listen as Andy hits Allan straight in the feels on this topic)
Chapter 24 – "People need to see versions of themselves to feel welcome"
Chapter 35 - "In general, be vague"
The book is amazing, these particular chapters are amazing, and Andy's expounding upon them is amazing as well!
Y'all be good now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1996</itunes:duration>
                <itunes:episode>123</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Will LLM AI Close The Bad Guys’ Skills Gap?  with Adrian Sanabria</title>
        <itunes:title>Will LLM AI Close The Bad Guys’ Skills Gap?  with Adrian Sanabria</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/will-llm-ai-close-the-bad-guys-skills-gap-with-adrian-sanabria/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/will-llm-ai-close-the-bad-guys-skills-gap-with-adrian-sanabria/#comments</comments>        <pubDate>Wed, 24 May 2023 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/2deb9474-d66f-3874-a57b-c6285d17925a</guid>
                                    <description><![CDATA[<p>This episode is a bit scary.  Adrian Sanabria, who on an earlier show busted many cybersecurity myths, is back again, this time analyzing the impact of Large Language Model Artificial Intelligence on a hypothesized skills gap on the bad guy side.</p>
<p>Premise One: Given how many organizations that are vulnerable and that have NOT been breached, the bad guys are suffering the same skills gap we are.</p>
<p>Premise Two: Exploit attacks (think of exploits as ransomware, data hostage situations, threats to publish breached data, etc.) can benefit from LLM AI.</p>
<p>It's really that simple a connecting of the dots.  Adrian and Allan deconstruct the steps of an exploit attack, analyze the capabilities of LLM AI and cross-reference the two.</p>
<p>If they are right, then we have a burden of leveraging and learning LLM AI ourselves, as quickly as possible...</p>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This episode is a bit scary.  Adrian Sanabria, who on an earlier show busted many cybersecurity myths, is back again, this time analyzing the impact of Large Language Model Artificial Intelligence on a hypothesized skills gap on the bad guy side.</p>
<p>Premise One: Given how many organizations that are vulnerable and that have NOT been breached, the bad guys are suffering the same skills gap we are.</p>
<p>Premise Two: Exploit attacks (think of exploits as ransomware, data hostage situations, threats to publish breached data, etc.) can benefit from LLM AI.</p>
<p>It's really that simple a connecting of the dots.  Adrian and Allan deconstruct the steps of an exploit attack, analyze the capabilities of LLM AI and cross-reference the two.</p>
<p>If they are right, then we have a burden of leveraging and learning LLM AI ourselves, as quickly as possible...</p>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit </em><em><a href='http://dazz.io/demo'>Dazz.io/demo</a></em><em> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/iihbct/adrian_finished8mk30.mp3" length="31832233" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This episode is a bit scary.  Adrian Sanabria, who on an earlier show busted many cybersecurity myths, is back again, this time analyzing the impact of Large Language Model Artificial Intelligence on a hypothesized skills gap on the bad guy side.
Premise One: Given how many organizations that are vulnerable and that have NOT been breached, the bad guys are suffering the same skills gap we are.
Premise Two: Exploit attacks (think of exploits as ransomware, data hostage situations, threats to publish breached data, etc.) can benefit from LLM AI.
It's really that simple a connecting of the dots.  Adrian and Allan deconstruct the steps of an exploit attack, analyze the capabilities of LLM AI and cross-reference the two.
If they are right, then we have a burden of leveraging and learning LLM AI ourselves, as quickly as possible...
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1985</itunes:duration>
                <itunes:episode>122</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>RSAC 2023 SPECIAL EDITION Campfire Chats - Part 1</title>
        <itunes:title>RSAC 2023 SPECIAL EDITION Campfire Chats - Part 1</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/rsac-2023-special-edition-campfire-chats-part-1/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/rsac-2023-special-edition-campfire-chats-part-1/#comments</comments>        <pubDate>Mon, 22 May 2023 06:01:34 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/21b3611a-9dd9-30fc-ae3a-fc7fbe9610cc</guid>
                                    <description><![CDATA[<p>This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023.  Guests include:</p>
<ul><li>Chris Kennedy, CISO @ Citadel</li>
<li>Gary Hayslip, CISO @ Softbank Investment Advisers</li>
<li>Michael Calderin, CISO @ YAGEO Group</li>
<li>Reet Kaur, CISO @ Portland Community College</li>
<li>Rob LaMagna-Reiter, CISO @ Hudl</li>
<li>Matthew Lang, vCISO</li>
<li>David Cross, CISO @ Oracle SaaS Cloud</li>
<li>Audra Streetman, Security Strategist @ Splunk</li>
<li>Vishal Amin, General Manager of Security Solutions (Federal) @ Microsoft</li>
<li>Adrian Peters, CISO @ Vista Equity Partners</li>
<li>Kelly Shortridge, Author of “Security Chaos Engineering: Sustaining Resilience in Software and Systems”</li>
<li>Robin Sundaram, CISO @ RELX</li>
<li>Merritt Baer, Office of the CISO @ AWS</li>
<li>Tim Rohrbaugh, former CISO & Industry Leader</li>
<li>Rob Wood, CISO @ Centers for Medicare & Medicaid Services</li>
<li>Bryan Green, CISO Americas @ ZScaler</li>
<li>Stephanie Derdouri, Sr. Manager, Information Security and Technology Risk Management @ Capital Group</li>
<li>Andres Andreu, CISO @ 2U</li>
<li>Paul Love, CISO & Chief Privacy Officer @ Co-op Solutions</li>
<li>Royce Markose, former CISO</li>
<li>Bob Schuetter, CISO @ Ashland</li>
</ul>
<p>I ask my guests several questions:</p>
<ul><li>What is the best part of RSAC 2023 for you?</li>
<li>What is the single most critical skill a security leader needs?</li>
<li>What's missing in cybersecurity?</li>
<li>What is your take on Purple Teaming and MITRE ATT&CK?</li>
<li>How do you co-lead the organization?</li>
</ul>
<p>There is also a VERY special interview with James Stanley, Chief of Product Development at CISA at the end.  Don't miss it!</p>
<p>Sponsored by Semperis & AttackIQ.</p>
<p>Semperis provides the industry's most comprehensive Active Directory and Azure AD cyber resilience platform, supported by specialized AD incident response expertise.  <a href='https://semperis.com'>https://semperis.com</a></p>
<p>AttackIQ offers a new fully managed breach and attack simulation service.  They are the premier provider of MITRE ATT&CK-based security control validation.  <a href='https://attackiq.com'>https://attackiq.com</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023.  Guests include:</p>
<ul><li>Chris Kennedy, CISO @ Citadel</li>
<li>Gary Hayslip, CISO @ Softbank Investment Advisers</li>
<li>Michael Calderin, CISO @ YAGEO Group</li>
<li>Reet Kaur, CISO @ Portland Community College</li>
<li>Rob LaMagna-Reiter, CISO @ Hudl</li>
<li>Matthew Lang, vCISO</li>
<li>David Cross, CISO @ Oracle SaaS Cloud</li>
<li>Audra Streetman, Security Strategist @ Splunk</li>
<li>Vishal Amin, General Manager of Security Solutions (Federal) @ Microsoft</li>
<li>Adrian Peters, CISO @ Vista Equity Partners</li>
<li>Kelly Shortridge, Author of “Security Chaos Engineering: Sustaining Resilience in Software and Systems”</li>
<li>Robin Sundaram, CISO @ RELX</li>
<li>Merritt Baer, Office of the CISO @ AWS</li>
<li>Tim Rohrbaugh, former CISO & Industry Leader</li>
<li>Rob Wood, CISO @ Centers for Medicare & Medicaid Services</li>
<li>Bryan Green, CISO Americas @ ZScaler</li>
<li>Stephanie Derdouri, Sr. Manager, Information Security and Technology Risk Management @ Capital Group</li>
<li>Andres Andreu, CISO @ 2U</li>
<li>Paul Love, CISO & Chief Privacy Officer @ Co-op Solutions</li>
<li>Royce Markose, former CISO</li>
<li>Bob Schuetter, CISO @ Ashland</li>
</ul>
<p>I ask my guests several questions:</p>
<ul><li>What is the best part of RSAC 2023 for you?</li>
<li>What is the single most critical skill a security leader needs?</li>
<li>What's missing in cybersecurity?</li>
<li>What is your take on Purple Teaming and MITRE ATT&CK?</li>
<li>How do you co-lead the organization?</li>
</ul>
<p>There is also a VERY special interview with James Stanley, Chief of Product Development at CISA at the end.  Don't miss it!</p>
<p>Sponsored by Semperis & AttackIQ.</p>
<p>Semperis provides the industry's most comprehensive Active Directory and Azure AD cyber resilience platform, supported by specialized AD incident response expertise.  <a href='https://semperis.com'>https://semperis.com</a></p>
<p>AttackIQ offers a new fully managed breach and attack simulation service.  They are the premier provider of MITRE ATT&CK-based security control validation.  <a href='https://attackiq.com'>https://attackiq.com</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/uzh9nw/Part_1_Master9of0b.mp3" length="30637288" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023.  Guests include:
Chris Kennedy, CISO @ Citadel
Gary Hayslip, CISO @ Softbank Investment Advisers
Michael Calderin, CISO @ YAGEO Group
Reet Kaur, CISO @ Portland Community College
Rob LaMagna-Reiter, CISO @ Hudl
Matthew Lang, vCISO
David Cross, CISO @ Oracle SaaS Cloud
Audra Streetman, Security Strategist @ Splunk
Vishal Amin, General Manager of Security Solutions (Federal) @ Microsoft
Adrian Peters, CISO @ Vista Equity Partners
Kelly Shortridge, Author of “Security Chaos Engineering: Sustaining Resilience in Software and Systems”
Robin Sundaram, CISO @ RELX
Merritt Baer, Office of the CISO @ AWS
Tim Rohrbaugh, former CISO & Industry Leader
Rob Wood, CISO @ Centers for Medicare & Medicaid Services
Bryan Green, CISO Americas @ ZScaler
Stephanie Derdouri, Sr. Manager, Information Security and Technology Risk Management @ Capital Group
Andres Andreu, CISO @ 2U
Paul Love, CISO & Chief Privacy Officer @ Co-op Solutions
Royce Markose, former CISO
Bob Schuetter, CISO @ Ashland
I ask my guests several questions:
What is the best part of RSAC 2023 for you?
What is the single most critical skill a security leader needs?
What's missing in cybersecurity?
What is your take on Purple Teaming and MITRE ATT&CK?
How do you co-lead the organization?
There is also a VERY special interview with James Stanley, Chief of Product Development at CISA at the end.  Don't miss it!
Sponsored by Semperis & AttackIQ.
Semperis provides the industry's most comprehensive Active Directory and Azure AD cyber resilience platform, supported by specialized AD incident response expertise.  https://semperis.com
AttackIQ offers a new fully managed breach and attack simulation service.  They are the premier provider of MITRE ATT&CK-based security control validation.  https://attackiq.com
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1910</itunes:duration>
                <itunes:episode>121</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Two Founder CEOs with Merav Bahat and Mickey Bresman</title>
        <itunes:title>Two Founder CEOs with Merav Bahat and Mickey Bresman</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/two-found-ceos-with-merav-bahat-and-micky-bresman/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/two-found-ceos-with-merav-bahat-and-micky-bresman/#comments</comments>        <pubDate>Wed, 17 May 2023 06:26:56 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/7b28107b-ac13-3019-98a7-b37d2a7e6ef3</guid>
                                    <description><![CDATA[<p>Leadership skills, technical skills, cybersecurity skills, pluck, drive and determination are all on display as Allan interviews Merav Bahat, CEO @ Dazz and Mickey Bresman, CEO @ Semperis.</p>
<p>Dazz has completed a Series A investment round; Semperis, a Series C.  It turns out that the skills each CEO needs are still remarkably the same.</p>
<p>Saddle up for another episode, where Allan asks his guests:</p>
<ol><li>What’s the coolest thing that has happened for you or to you as a startup CEO?</li>
<li>What has been the biggest single challenge?</li>
<li>What are your top 3 tenets of leadership?</li>
<li>What is the purpose of vision and how clear must it be?</li>
<li>What is the purpose of mission and how clear must it be?</li>
<li>What is your advice to those who would want to become a startup CEO?</li>
</ol><p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Leadership skills, technical skills, cybersecurity skills, pluck, drive and determination are all on display as Allan interviews Merav Bahat, CEO @ Dazz and Mickey Bresman, CEO @ Semperis.</p>
<p>Dazz has completed a Series A investment round; Semperis, a Series C.  It turns out that the skills each CEO needs are still remarkably the same.</p>
<p>Saddle up for another episode, where Allan asks his guests:</p>
<ol><li>What’s the coolest thing that has happened for you or to you as a startup CEO?</li>
<li>What has been the biggest single challenge?</li>
<li>What are your top 3 tenets of leadership?</li>
<li>What is the purpose of vision and how clear must it be?</li>
<li>What is the purpose of mission and how clear must it be?</li>
<li>What is your advice to those who would want to become a startup CEO?</li>
</ol><p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/v3u8yh/show_119_2_ceos7i40t.mp3" length="29073703" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Leadership skills, technical skills, cybersecurity skills, pluck, drive and determination are all on display as Allan interviews Merav Bahat, CEO @ Dazz and Mickey Bresman, CEO @ Semperis.
Dazz has completed a Series A investment round; Semperis, a Series C.  It turns out that the skills each CEO needs are still remarkably the same.
Saddle up for another episode, where Allan asks his guests:
What’s the coolest thing that has happened for you or to you as a startup CEO?
What has been the biggest single challenge?
What are your top 3 tenets of leadership?
What is the purpose of vision and how clear must it be?
What is the purpose of mission and how clear must it be?
What is your advice to those who would want to become a startup CEO?
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1813</itunes:duration>
                <itunes:episode>120</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Security Chaos Engineering with Kelly Shortridge</title>
        <itunes:title>Security Chaos Engineering with Kelly Shortridge</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/security-chaos-engineering-with-kelly-shortridge/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/security-chaos-engineering-with-kelly-shortridge/#comments</comments>        <pubDate>Wed, 10 May 2023 06:12:53 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/22c7071d-1fe0-3a12-a572-0d0602531a6f</guid>
                                    <description><![CDATA[<p>What is security chaos engineering?  You may remember Kelly Shortridge, our very first guest, who came on the show to talk about behavioral economics and cybersecurity.  Well Kelly is back to talk about her new book, "Security Chaos Engineering: Sustaining Resilience in Software and Systems".</p>
<p>Security chaos engineering is derived from chaos engineering, a relatively new discipline in software development that seeks to test distributed computing systems to ensure that they withstand unexpected disruptions.  It's all about resilience, in other words.  Security chaos engineering seeks to do the same for the security of such software systems.</p>
<p>Kelly breaks down her book during a lively conversation featuring an opinion or two from her cat, Link (yes, a Zelda reference!):</p>
<ul><li>Who should read this book?</li>
<li>Resilience in software and systems</li>
<li>Systems-oriented security</li>
<li>Architecting and designing</li>
<li>Building and delivering</li>
<li>Operating and observing (Allan's favorite chapter as it intersects with one of his Zero Trust tenets)</li>
<li>Responding and recovering</li>
<li>Platform resilience engineering</li>
<li>Security chaos experiments (a very fun chapter!)</li>
<li>Case studies</li>
</ul>
<p>Note that the book is peppered with references and quotes from other disciplines.  We would expect no less from Kelly.</p>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>What is security chaos engineering?  You may remember Kelly Shortridge, our very first guest, who came on the show to talk about behavioral economics and cybersecurity.  Well Kelly is back to talk about her new book, "Security Chaos Engineering: Sustaining Resilience in Software and Systems".</p>
<p>Security chaos engineering is derived from chaos engineering, a relatively new discipline in software development that seeks to test distributed computing systems to ensure that they withstand unexpected disruptions.  It's all about resilience, in other words.  Security chaos engineering seeks to do the same for the security of such software systems.</p>
<p>Kelly breaks down her book during a lively conversation featuring an opinion or two from her cat, Link (yes, a Zelda reference!):</p>
<ul><li>Who should read this book?</li>
<li>Resilience in software and systems</li>
<li>Systems-oriented security</li>
<li>Architecting and designing</li>
<li>Building and delivering</li>
<li>Operating and observing (Allan's favorite chapter as it intersects with one of his Zero Trust tenets)</li>
<li>Responding and recovering</li>
<li>Platform resilience engineering</li>
<li>Security chaos experiments (a very fun chapter!)</li>
<li>Case studies</li>
</ul>
<p>Note that the book is peppered with references and quotes from other disciplines.  We would expect no less from Kelly.</p>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/87fydf/kelly_Finished9m0dr.mp3" length="38986859" type="audio/mpeg"/>
        <itunes:summary><![CDATA[What is security chaos engineering?  You may remember Kelly Shortridge, our very first guest, who came on the show to talk about behavioral economics and cybersecurity.  Well Kelly is back to talk about her new book, "Security Chaos Engineering: Sustaining Resilience in Software and Systems".
Security chaos engineering is derived from chaos engineering, a relatively new discipline in software development that seeks to test distributed computing systems to ensure that they withstand unexpected disruptions.  It's all about resilience, in other words.  Security chaos engineering seeks to do the same for the security of such software systems.
Kelly breaks down her book during a lively conversation featuring an opinion or two from her cat, Link (yes, a Zelda reference!):
Who should read this book?
Resilience in software and systems
Systems-oriented security
Architecting and designing
Building and delivering
Operating and observing (Allan's favorite chapter as it intersects with one of his Zero Trust tenets)
Responding and recovering
Platform resilience engineering
Security chaos experiments (a very fun chapter!)
Case studies
Note that the book is peppered with references and quotes from other disciplines.  We would expect no less from Kelly.
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2432</itunes:duration>
                <itunes:episode>119</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The 9-Layer Cybersecurity Program Cake with Bryan Liebert</title>
        <itunes:title>The 9-Layer Cybersecurity Program Cake with Bryan Liebert</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-9-layer-cybersecurity-practice-cake-with-bryan-liebert/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-9-layer-cybersecurity-practice-cake-with-bryan-liebert/#comments</comments>        <pubDate>Wed, 03 May 2023 05:29:07 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/e18b5fc0-1032-3199-af3f-618c93aaefc9</guid>
                                    <description><![CDATA[<p>Bryan Liebert is one smart cookie.  Who bakes cybersecurity cakes.  But seriously, Bryan has been a CISO, consultant, architect, and has served many other roles in cybersecurity.  His specialty is creating simple to digest (we could not help it, sorry!) models for managing and reporting on cybersecurity programs and practices.</p>
<p>Join Bryan and Allan as they serve up (we're still doing it!) a lively and informative episode!</p>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Bryan Liebert is one smart cookie.  Who bakes cybersecurity cakes.  But seriously, Bryan has been a CISO, consultant, architect, and has served many other roles in cybersecurity.  His specialty is creating simple to digest (we could not help it, sorry!) models for managing and reporting on cybersecurity programs and practices.</p>
<p>Join Bryan and Allan as they serve up (we're still doing it!) a lively and informative episode!</p>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/qmyatg/Bryan_FINISHED8jid9.mp3" length="28407058" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Bryan Liebert is one smart cookie.  Who bakes cybersecurity cakes.  But seriously, Bryan has been a CISO, consultant, architect, and has served many other roles in cybersecurity.  His specialty is creating simple to digest (we could not help it, sorry!) models for managing and reporting on cybersecurity programs and practices.
Join Bryan and Allan as they serve up (we're still doing it!) a lively and informative episode!
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1771</itunes:duration>
                <itunes:episode>118</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Four Problems with Cybersecurity with Adrian Wright</title>
        <itunes:title>Four Problems with Cybersecurity with Adrian Wright</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/four-problems-with-cybersecurity-with-adrian-wright/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/four-problems-with-cybersecurity-with-adrian-wright/#comments</comments>        <pubDate>Wed, 26 Apr 2023 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/3c22e2f1-1f9f-3e54-87c2-f8e2799c2574</guid>
                                    <description><![CDATA[<p>Adrian Wright, "The Cynical CISO" of LinkedIn fame, joins Allan to discuss four areas where cybersecurity is perhaps getting it wrong:</p>
<ol><li>Cybersecurity viewed as a necessary evil, related to The Twilight Zone</li>
<li>Ownership, Authority, Accountability: Inventory and Means of Control</li>
<li>Are WE the baddies?</li>
<li>(Largely) Forgotten Security Principles</li>
</ol><p>Allan and Adrian dissect cybersecurity practice in this great episode!</p>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Adrian Wright, "The Cynical CISO" of LinkedIn fame, joins Allan to discuss four areas where cybersecurity is perhaps getting it wrong:</p>
<ol><li>Cybersecurity viewed as a necessary evil, related to The Twilight Zone</li>
<li>Ownership, Authority, Accountability: Inventory and Means of Control</li>
<li>Are WE the baddies?</li>
<li>(Largely) Forgotten Security Principles</li>
</ol><p>Allan and Adrian dissect cybersecurity practice in this great episode!</p>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/6mqdxy/adrain_FINISHED9zh1j.mp3" length="34153161" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Adrian Wright, "The Cynical CISO" of LinkedIn fame, joins Allan to discuss four areas where cybersecurity is perhaps getting it wrong:
Cybersecurity viewed as a necessary evil, related to The Twilight Zone
Ownership, Authority, Accountability: Inventory and Means of Control
Are WE the baddies?
(Largely) Forgotten Security Principles
Allan and Adrian dissect cybersecurity practice in this great episode!
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2130</itunes:duration>
                <itunes:episode>117</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Cloud and the Big Bang of Data with Cecil Pineda and Gene Moore</title>
        <itunes:title>The Cloud and the Big Bang of Data with Cecil Pineda and Gene Moore</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-cloud-and-the-big-bang-of-data/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-cloud-and-the-big-bang-of-data/#comments</comments>        <pubDate>Mon, 24 Apr 2023 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/015f5a87-fbb0-3d47-ad32-822ed3daffc8</guid>
<description><![CDATA[<p>Join us for a SPECIAL EDITION! episode of The Cyber Ranch Podcast LIVE! from CISO XC in Dallas-Fort Worth, Texas!</p>
<p>The topic is data security: its challenges and how to overcome them.</p>
<p>Joining Allan are Cecil Pineda of R1 ("Cecil the CISO") and Gene Moore of Securiti.</p>
<p>The conversation is live and lively, recorded as-is and delivered to you.</p>
<p>Enjoy!</p>
<p>Sponsored by Securiti - https://securiti.ai/</p>
]]></description>
<content:encoded><![CDATA[<p>Join us for a SPECIAL EDITION! episode of The Cyber Ranch Podcast LIVE! from CISO XC in Dallas-Fort Worth, Texas!</p>
<p>The topic is data security: its challenges and how to overcome them.</p>
<p>Joining Allan are Cecil Pineda of R1 ("Cecil the CISO") and Gene Moore of Securiti.</p>
<p>The conversation is live and lively, recorded as-is and delivered to you.</p>
<p>Enjoy!</p>
<p>Sponsored by Securiti - https://securiti.ai/</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/qgycv6/livecisosxFINAL.mp3" length="33338558" type="audio/mpeg"/>
<itunes:summary><![CDATA[Join us for a SPECIAL EDITION! episode of The Cyber Ranch Podcast LIVE! from CISO XC in Dallas-Fort Worth, Texas!
The topic is data security: its challenges and how to overcome them.
Joining Allan are Cecil Pineda of R1 ("Cecil the CISO") and Gene Moore of Securiti.
The conversation is live and lively, recorded as-is and delivered to you.
Enjoy!
Sponsored by Securiti - https://securiti.ai/]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2079</itunes:duration>
                <itunes:episode>116</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Blurring of Personal &amp; Corporate Security with Leigh Honeywell</title>
        <itunes:title>The Blurring of Personal &amp; Corporate Security with Leigh Honeywell</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-blurring-of-personal-corporate-security-with-leigh-honeywell/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-blurring-of-personal-corporate-security-with-leigh-honeywell/#comments</comments>        <pubDate>Wed, 19 Apr 2023 06:09:59 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/4c9f32d0-21a0-3223-9ec1-f41719378316</guid>
                                    <description><![CDATA[<p>We always think of cybersecurity startups as companies who contribute to the tech stack in an organizational environment - usually the enterprise.  We also think of personal cybersecurity in terms of protecting Grandma or our kids from the bad guys.  But these two worlds intersect far more than you would think, and the techniques for addressing these problems intersect as well.</p>
<p>This week Allan is joined by Leigh Honeywell, CEO at Tall Poppy, to discuss these intersections.  Leigh is uniquely qualified, as her non-traditional startup addresses "personal security outside the firewall", which includes executive protection...</p>
<p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>We always think of cybersecurity startups as companies who contribute to the tech stack in an organizational environment - usually the enterprise.  We also think of personal cybersecurity in terms of protecting Grandma or our kids from the bad guys.  But these two worlds intersect far more than you would think, and the techniques for addressing these problems intersect as well.</p>
<p>This week Allan is joined by Leigh Honeywell, CEO at Tall Poppy, to discuss these intersections.  Leigh is uniquely qualified, as her non-traditional startup addresses "personal security outside the firewall", which includes executive protection...</p>
<p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/2tzd5e/leigh_FINISHED97l8a.mp3" length="33190601" type="audio/mpeg"/>
        <itunes:summary><![CDATA[We always think of cybersecurity startups as companies who contribute to the tech stack in an organizational environment - usually the enterprise.  We also think of personal cybersecurity in terms of protecting Grandma or our kids from the bad guys.  But these two worlds intersect far more than you would think, and the techniques for addressing these problems intersect as well.
This week Allan is joined by Leigh Honeywell, CEO at Tall Poppy, to discuss these intersections.  Leigh is uniquely qualified, as her non-traditional startup addresses "personal security outside the firewall", which includes executive protection...
 
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2070</itunes:duration>
                <itunes:episode>115</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Design Partnerships with Emily Heath</title>
        <itunes:title>Design Partnerships with Emily Heath</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/design-partnerships-with-emily-heath/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/design-partnerships-with-emily-heath/#comments</comments>        <pubDate>Wed, 12 Apr 2023 04:49:47 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/501234c7-40cb-3d07-94a7-2b9c7fc7cd5c</guid>
                                    <description><![CDATA[<p>Emily Heath is a well-known and well-respected figure in cybersecurity.  She has been a CISO three times in a variety of industries, including software and a major airline.  She has been in law enforcement, is a partner at a VC firm, and serves on boards of directors as well.</p>
<p>With this wealth of experience she has come to value design partnerships - working with small startups to help craft their solutions to meet her and their needs.</p>
<p>But what are some of the challenges in design partnerships?  Allan and Emily tackle the following questions:</p>
<ol><li>What inspires one towards design partnerships?</li>
<li>How can a practitioner design partner help a first-time founder?</li>
<li>Where does the innovation come from in this model?</li>
<li>Does the vast number of cyber vendors help or hinder the design partnership model?</li>
<li>What are the pros and cons of alternatives to design partnership?</li>
<li>How does a practitioner get started with design partnership?</li>
</ol><p>Sponsored by our good friends at Dazz:</p>
<p>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit <a href='http://dazz.io/demo'>Dazz.io/demo</a> and see for yourself.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Emily Heath is a well-known and well-respected figure in cybersecurity.  She has been a CISO three times in a variety of industries, including software and a major airline.  She has been in law enforcement, is a partner at a VC firm, and serves on boards of directors as well.</p>
<p>With this wealth of experience she has come to value design partnerships - working with small startups to help craft their solutions to meet her and their needs.</p>
<p>But what are some of the challenges in design partnerships?  Allan and Emily tackle the following questions:</p>
<ol><li>What inspires one towards design partnerships?</li>
<li>How can a practitioner design partner help a first-time founder?</li>
<li>Where does the innovation come from in this model?</li>
<li>Does the vast number of cyber vendors help or hinder the design partnership model?</li>
<li>What are the pros and cons of alternatives to design partnership?</li>
<li>How does a practitioner get started with design partnership?</li>
</ol><p>Sponsored by our good friends at Dazz:</p>
<p><em>Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit </em><em><a href='http://dazz.io/demo'>Dazz.io/demo</a></em><em> and see for yourself.</em></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/hmt5cy/emily_heath86ndz.mp3" length="32183737" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Emily Heath is a well-known and well-respected figure in cybersecurity.  She has been a CISO three times in a variety of industries, including software and a major airline.  She has been in law enforcement, is a partner at a VC firm, and serves on boards of directors as well.
With this wealth of experience she has come to value design partnerships - working with small startups to help craft their solutions to meet her and their needs.
But what are some of the challenges in design partnerships?  Allan and Emily tackle the following questions:
What inspires one towards design partnerships?
How can a practitioner design partner help a first-time founder?
Where does the innovation come from in this model?
Does the vast number of cyber vendors help or hinder the design partnership model?
What are the pros and cons of alternatives to design partnership?
How does a practitioner get started with design partnership?
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2007</itunes:duration>
                <itunes:episode>114</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>All About Advisory Boards with Karla Reffold</title>
        <itunes:title>All About Advisory Boards with Karla Reffold</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/all-about-advisory-boards-with-karla-reffold/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/all-about-advisory-boards-with-karla-reffold/#comments</comments>        <pubDate>Wed, 05 Apr 2023 05:01:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/03cae2bf-959b-32e9-99a9-15502eea3179</guid>
                                    <description><![CDATA[<p>This week Allan is joined by Karla Reffold, COO at Orpheus Cyber.  Yes, that makes her a vendor, but, yes, she follows the show's rules:  She is a friend, not a sponsor; she is not all vendory; and most importantly she is a subject matter expert on this week's topic: advisory boards!</p>
<p>In fact, Karla has written an ebook on the subject which is available here:</p>
<p><a href='https://karlareffold.co.uk/advisory-boards-guide-book'>https://karlareffold.co.uk/advisory-boards-guide-book</a></p>
<p>Topics covered in the show:</p>
<p>- The ethical entanglements of being on an advisory board</p>
<p>- Paid vs. unpaid advisory board roles (and cash vs. equity)</p>
<p>- Advisory board roles as kickbacks (yes, it happens)</p>
<p>- Advisors who are customers vs. advisors who are not</p>
<p>- Do advisory board roles help or hurt a CISO's career?</p>
<p>Enjoy!  Y'all be good!</p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This week Allan is joined by Karla Reffold, COO at Orpheus Cyber.  Yes, that makes her a vendor, but, yes, she follows the show's rules:  She is a friend, not a sponsor; she is not all vendory; and most importantly she is a subject matter expert on this week's topic: advisory boards!</p>
<p>In fact, Karla has written an ebook on the subject which is available here:</p>
<p><a href='https://karlareffold.co.uk/advisory-boards-guide-book'>https://karlareffold.co.uk/advisory-boards-guide-book</a></p>
<p>Topics covered in the show:</p>
<p>- The ethical entanglements of being on an advisory board</p>
<p>- Paid vs. unpaid advisory board roles (and cash vs. equity)</p>
<p>- Advisory board roles as kickbacks (yes, it happens)</p>
<p>- Advisors who are customers vs. advisors who are not</p>
<p>- Do advisory board roles help or hurt a CISO's career?</p>
<p>Enjoy!  Y'all be good!</p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/67byuv/karla_finished6abic.mp3" length="30891825" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This week Allan is joined by Karla Reffold, COO at Orpheus Cyber.  Yes, that makes her a vendor, but, yes, she follows the show's rules:  She is a friend, not a sponsor; she is not all vendory; and most importantly she is a subject matter expert on this week's topic: advisory boards!
In fact, Karla has written an ebook on the subject which is available here:
https://karlareffold.co.uk/advisory-boards-guide-book
Topics covered in the show:
- The ethical entanglements of being on an advisory board
- Paid vs. unpaid advisory board roles (and cash vs. equity)
- Advisory board roles as kickbacks (yes, it happens)
- Advisors who are customers vs. advisors who are not
- Do advisory board roles help or hurt a CISO's career?
Enjoy!  Y'all be good!
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1926</itunes:duration>
                <itunes:episode>113</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>CISO vs. Individual Contributor Perspectives w/ William Klusovsky</title>
        <itunes:title>CISO vs. Individual Contributor Perspectives w/ William Klusovsky</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/ciso-vs-individual-contributor-perspectives-w-william-klusovsky/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/ciso-vs-individual-contributor-perspectives-w-william-klusovsky/#comments</comments>        <pubDate>Wed, 29 Mar 2023 05:34:07 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/64684aec-3d09-3fba-98e8-fcd656686282</guid>
                                    <description><![CDATA[<p>Becoming a CISO means changing a lot of perspectives.  Individual contributors need to learn this, and the CISO is the best one to teach them.  "They're never going to get it!" is a mantra used by both sides of that dialogue, and that is not a solution.  Will and Allan discuss:</p>
<p> </p>
<p>- What precepts really are "obvious"</p>
<p>- How does one onboard leadership and business perspectives?</p>
<p>- What should CISOs do to ensure their teams gain those perspectives?</p>
<p>- What can individual contributors do to ensure that they gain those perspectives?</p>
<p>- The value of self-teaching and mentorship</p>
<p>- Beliefs we should get rid of</p>
<p> </p>
<p>It's a great conversation!  Y'all enjoy it!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Becoming a CISO means changing a lot of perspectives.  Individual contributors need to learn this, and the CISO is the best one to teach them.  "They're never going to get it!" is a mantra used by both sides of that dialogue, and that is not a solution.  Will and Allan discuss:</p>
<p> </p>
<p>- What precepts really are "obvious"</p>
<p>- How does one onboard leadership and business perspectives?</p>
<p>- What should CISOs do to ensure their teams gain those perspectives?</p>
<p>- What can individual contributors do to ensure that they gain those perspectives?</p>
<p>- The value of self-teaching and mentorship</p>
<p>- Beliefs we should get rid of</p>
<p> </p>
<p>It's a great conversation!  Y'all enjoy it!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/8br9wt/will_FINISHED898e3.mp3" length="29496677" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Becoming a CISO means changing a lot of perspectives.  Individual contributors need to learn this, and the CISO is the best one to teach them.  "They're never going to get it!" is a mantra used by both sides of that dialogue, and that is not a solution.  Will and Allan discuss:
 
- What precepts really are "obvious"
- How does one onboard leadership and business perspectives?
- What should CISOs do to ensure their teams gain those perspectives?
- What can individual contributors do to ensure that they gain those perspectives?
- The value of self-teaching and mentorship
- Beliefs we should get rid of
 
It's a great conversation!  Y'all enjoy it!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1839</itunes:duration>
                <itunes:episode>112</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>How to Trust Your Vendors - A Scary Case Study with Paul Moreno</title>
        <itunes:title>How to Trust Your Vendors - A Scary Case Study with Paul Moreno</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/how-to-trust-your-vendors-a-scary-case-study-with-paul-moreno/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/how-to-trust-your-vendors-a-scary-case-study-with-paul-moreno/#comments</comments>        <pubDate>Wed, 22 Mar 2023 05:12:04 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/e259ae53-fed7-3242-9074-a214217a88ba</guid>
                                    <description><![CDATA[<p>This episode is a story about an entire vendor encounter gone horribly wrong.  Allan is joined by Paul Moreno, VP of InfoSec at Catawii, formerly SVP of Cybersecurity at Adyen, investor and advisor.  Paul found a cybersecurity vendor.  Paul found good references.  Paul got referrals from peers.  Paul did a PoC.  And after that, it all went downhill.  Paul was kind enough to share his story as he and Allan pick apart the failings and deliberate on ways we can all avoid such encounters.</p>
<p>Topics covered are:</p>
<p>- How to spot lies</p>
<p>- Vetting the vendor's internal security landscape</p>
<p>- ISO 27001 Statement of Applicability</p>
<p>- Breaches and whistleblowing</p>
<p>- GDPR violations in charging to delete data</p>
<p>It is a story you will want to hear, and the analysis just might save you some pain down the road...</p>
<p>Sponsored by Allan Alford Consulting https://allanalford.com/about</p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This episode is a story about an entire vendor encounter gone horribly wrong.  Allan is joined by Paul Moreno, VP of InfoSec at Catawii, formerly SVP of Cybersecurity at Adyen, investor and advisor.  Paul found a cybersecurity vendor.  Paul found good references.  Paul got referrals from peers.  Paul did a PoC.  And after that, it all went downhill.  Paul was kind enough to share his story as he and Allan pick apart the failings and deliberate on ways we can all avoid such encounters.</p>
<p>Topics covered are:</p>
<p>- How to spot lies</p>
<p>- Vetting the vendor's internal security landscape</p>
<p>- ISO 27001 Statement of Applicability</p>
<p>- Breaches and whistleblowing</p>
<p>- GDPR violations in charging to delete data</p>
<p>It is a story you will want to hear, and the analysis just might save you some pain down the road...</p>
<p>Sponsored by Allan Alford Consulting https://allanalford.com/about</p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/35ec5i/paul_FINISHEDblhsi.mp3" length="27905507" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This episode is a story about an entire vendor encounter gone horribly wrong.  Allan is joined by Paul Moreno, VP of InfoSec at Catawii, formerly SVP of Cybersecurity at Adyen, investor and advisor.  Paul found a cybersecurity vendor.  Paul found good references.  Paul got referrals from peers.  Paul did a PoC.  And after that, it all went downhill.  Paul was kind enough to share his story as he and Allan pick apart the failings and deliberate on ways we can all avoid such encounters.
Topics covered are:
- How to spot lies
- Vetting the vendor's internal security landscape
- ISO 27001 Statement of Applicability
- Breaches and whistleblowing
- GDPR violations in charging to delete data
It is a story you will want to hear, and the analysis just might save you some pain down the road...
Sponsored by Allan Alford Consulting https://allanalford.com/about
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1739</itunes:duration>
                <itunes:episode>111</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Tech Teams, GRC Teams, and the CISO with Dr. Mike Brass</title>
        <itunes:title>Tech Teams, GRC Teams, and the CISO with Dr. Mike Brass</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/tech-teams-grc-teams-and-the-ciso-with-dr-mike-brass/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/tech-teams-grc-teams-and-the-ciso-with-dr-mike-brass/#comments</comments>        <pubDate>Wed, 15 Mar 2023 05:42:08 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/f825fe7f-15d3-3a40-a124-c550fc41d7bb</guid>
                                    <description><![CDATA[<p>Join Allan and Dr. Mike Brass (whose degree is in archaeology!) as they jointly explore the technical side of the house vs. the GRC side of the house, noting that GRC can be a great path to CISO.</p>
<p>Hear Mike's journey from IT technician to GRC to CISO.</p>
<p>Topics Allan and Mike cover:</p>
<ul><li>The tension between tech teams and GRC teams, and how a CISO can bridge the two teams</li>
<li>Reasons why GRC makes such a great background for the CISO role (and how to get there)</li>
<li>What engineering/architecture folks should know about GRC</li>
<li>What GRC folks should know about the tech side of the house</li>
<li>What the rest of the business should know about GRC</li>
</ul>
<p>You also get to hear Mike's journey, which has spanned small and large companies, government think tanks and more!</p>
<p>Sponsored by Allan Alford Consulting <a href='https://allanalford.com'>https://allanalford.com</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Join Allan and Dr. Mike Brass (whose degree is in archaeology!) as they jointly explore the technical side of the house vs. the GRC side of the house, noting that GRC can be a great path to CISO.</p>
<p>Hear Mike's journey from IT technician to GRC to CISO.</p>
<p>Topics Allan and Mike cover:</p>
<ul><li>The tension between tech teams and GRC teams, and how a CISO can bridge the two teams</li>
<li>Reasons why GRC makes such a great background for the CISO role (and how to get there)</li>
<li>What engineering/architecture folks should know about GRC</li>
<li>What GRC folks should know about the tech side of the house</li>
<li>What the rest of the business should know about GRC</li>
</ul>
<p>You also get to hear Mike's journey, which has spanned small and large companies, government think tanks and more!</p>
<p>Sponsored by Allan Alford Consulting <a href='https://allanalford.com'>https://allanalford.com</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/85sy8v/mike_finishedaikn6.mp3" length="26303887" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Join Allan and Dr. Mike Brass (whose degree is in archaeology!) as they jointly explore the technical side of the house vs. the GRC side of the house, noting that GRC can be a great path to CISO.
Hear Mike's journey from IT technician to GRC to CISO.
Topics Allan and Mike cover:
The tension between tech teams and GRC teams, and how a CISO can bridge the two teams
Reasons why GRC makes such a great background for the CISO role (and how to get there)
What engineering/architecture folks should know about GRC
What GRC folks should know about the tech side of the house
What the rest of the business should know about GRC
You also get to hear Mike's journey, which has spanned small and large companies, government think tanks and more!
Sponsored by Allan Alford Consulting https://allanalford.com]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1639</itunes:duration>
                <itunes:episode>110</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>How Do We Embrace Imperfection with Robin Sundaram</title>
        <itunes:title>How Do We Embrace Imperfection with Robin Sundaram</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/how-do-we-embrace-imperfection-with-robin-sundaram/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/how-do-we-embrace-imperfection-with-robin-sundaram/#comments</comments>        <pubDate>Wed, 08 Mar 2023 05:25:58 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/ad877e66-e54a-369a-9cf4-c153190410ef</guid>
                                    <description><![CDATA[<p>We have this idea that we can be perfect.  And we know that idea is unsound.  So we settle for imperfection.  But are we doing that purposefully?  Do we have a conscious plan for embracing imperfection?  How can we, as cyber professionals, embrace our imperfection meaningfully and with intent?</p>
<p> </p>
<p>Join Allan and Robin Sundaram as they explore this topic, covering areas such as:</p>
<ul><li>NIST CSF is all about imperfection</li>
<li>Embracing CMDB imperfection</li>
<li>Vulnerability Management and Patch Management</li>
<li>Product/Project Rollouts</li>
<li>Dev teams and the pipeline</li>
<li>Imperfection and GRC</li>
</ul>
<p>It's a great conversation and you are sure to learn a thing or two!</p>
<p>Sponsored by Allan Alford Consulting: https://allanalford.com</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>We have this idea that we can be perfect.  And we know that idea is unsound.  So we settle for imperfection.  But are we doing that purposefully?  Do we have a conscious plan for embracing imperfection?  How can we, as cyber professionals, embrace our imperfection meaningfully and with intent?</p>
<p> </p>
<p>Join Allan and Robin Sundaram as they explore this topic, covering areas such as:</p>
<ul><li>NIST CSF is all about imperfection</li>
<li>Embracing CMDB imperfection</li>
<li>Vulnerability Management and Patch Management</li>
<li>Product/Project Rollouts</li>
<li>Dev teams and the pipeline</li>
<li>Imperfection and GRC</li>
</ul>
<p>It's a great conversation and you are sure to learn a thing or two!</p>
<p>Sponsored by Allan Alford Consulting: https://allanalford.com</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/p2nvvt/robin_finished6z418.mp3" length="32376416" type="audio/mpeg"/>
        <itunes:summary><![CDATA[We have this idea that we can be perfect.  And we know that idea is unsound.  So we settle for imperfection.  But are we doing that purposefully?  Do we have a conscious plan for embracing imperfection?  How can we, as cyber professionals, embrace our imperfection meaningfully and with intent?
 
Join Allan and Robin Sundaram as they explore this topic, covering areas such as:
NIST CSF is all about imperfection
Embracing CMDB imperfection
Vulnerability Management and Patch Management
Product/Project Rollouts
Dev teams and the pipeline
Imperfection and GRC
It's a great conversation and you are sure to learn a thing or two!
Sponsored by Allan Alford Consulting: https://allanalford.com]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2019</itunes:duration>
                <itunes:episode>109</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Technical Case vs. Business Case with Omkhar Arasaratnam</title>
        <itunes:title>Technical Case vs. Business Case with Omkhar Arasaratnam</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/technical-case-vs-business-case-with-omkhar-arasaratnam/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/technical-case-vs-business-case-with-omkhar-arasaratnam/#comments</comments>        <pubDate>Wed, 01 Mar 2023 04:47:27 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/724287a7-3858-3e49-8177-31034057f2da</guid>
                                    <description><![CDATA[<p>In this episode, Allan is joined by Omkhar Arasaratnam, a force in the industry and an expert in the intersection of software and security (you may remember Omkhar from an earlier show about supply chain security).</p>
<p>They challenge each other to a game, "Technical Case vs. Business Case", where they must provide both arguments for a given technology deployment.  The real subtext here is that whenever these two get together, they always lean towards a technical conversation, so they are challenging themselves.</p>
<p>Topics Covered:</p>
<ul><li>MFA</li>
<li>Service Accounts</li>
<li>Refresh Cycles</li>
<li>Token Expiration</li>
<li>Recovery Emails</li>
<li>Regulatory Mandates</li>
<li>Biometrics</li>
<li>SBOM</li>
</ul>
<p>It's a lively conversation and we hope you will find value in it!</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at <a href='https://trustmapp.com/'>https://trustmapp.com</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode, Allan is joined by Omkhar Arasaratnam, a force in the industry and an expert in the intersection of software and security (you may remember Omkhar from an earlier show about supply chain security).</p>
<p>They challenge each other to a game, "Technical Case vs. Business Case", where they must provide both arguments for a given technology deployment.  The real subtext here is that whenever these two get together, they always lean towards a technical conversation, so they are challenging themselves.</p>
<p>Topics Covered:</p>
<ul><li>MFA</li>
<li>Service Accounts</li>
<li>Refresh Cycles</li>
<li>Token Expiration</li>
<li>Recovery Emails</li>
<li>Regulatory Mandates</li>
<li>Biometrics</li>
<li>SBOM</li>
</ul>
<p>It's a lively conversation and we hope you will find value in it!</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at <a href='https://trustmapp.com/'>https://trustmapp.com</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/gj8ck5/omkhar_finished7rhsn.mp3" length="36003048" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan is joined by Omkhar Arasaratnam, a force in the industry and an expert in the intersection of software and security (you may remember Omkhar from an earlier show about supply chain security).
They challenge each other to a game, "Technical Case vs. Business Case", where they must provide both arguments for a given technology deployment.  The real subtext here is that whenever these two get together, they always lean towards a technical conversation, so they are challenging themselves.
Topics Covered:
MFA
Service Accounts
Refresh Cycles
Token Expiration
Recovery Emails
Regulatory Mandates
Biometrics
SBOM
It's a lively conversation and we hope you will find value in it!
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2246</itunes:duration>
                <itunes:episode>108</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Implications of ChatGPT and AI with Shaun Marion and ChatGPT</title>
        <itunes:title>The Implications of ChatGPT and AI with Shaun Marion and ChatGPT</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-implications-of-chatgpt-and-ai-with-shaun-marion-and-chatgpt/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-implications-of-chatgpt-and-ai-with-shaun-marion-and-chatgpt/#comments</comments>        <pubDate>Wed, 22 Feb 2023 05:22:06 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/90b0d47b-b9cd-376d-a1d0-3d056d0fe6d9</guid>
                                    <description><![CDATA[<p>Join Allan, Shaun Marion (CISO of McDonald's) and ChatGPT itself for a lively conversation about the implications of this new tool, AI in general, and nuances about ChatGPT's usage.</p>
<p>Even after controls were put into place to prevent ChatGPT from helping the bad guys, Allan and Shaun were able to trick it into giving up details on hacking, authoring phishing emails and more.</p>
<p>Shaun and Allan explore the potential for abuse and the positive promise and excitement that this new era of AI is ushering in.</p>
<p>What are the societal implications of ChatGPT?</p>
<p>What are the positive advances of AI?</p>
<p>Should we be cautious with what we feed ChatGPT?</p>
<p>Hear answers to these questions and more on this week's lively episode.</p>
<p> Sponsor Links:</p>
<p>Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at <a href='https://trustmapp.com'>https://trustmapp.com</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Join Allan, Shaun Marion (CISO of McDonald's) and ChatGPT itself for a lively conversation about the implications of this new tool, AI in general, and nuances about ChatGPT's usage.</p>
<p>Even after controls were put into place to prevent ChatGPT from helping the bad guys, Allan and Shaun were able to trick it into giving up details on hacking, authoring phishing emails and more.</p>
<p>Shaun and Allan explore the potential for abuse and the positive promise and excitement that this new era of AI is ushering in.</p>
<p>What are the societal implications of ChatGPT?</p>
<p>What are the positive advances of AI?</p>
<p>Should we be cautious with what we feed ChatGPT?</p>
<p>Hear answers to these questions and more on this week's lively episode.</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at <a href='https://trustmapp.com'>https://trustmapp.com</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/px4rtm/chatgpt_finished7409x.mp3" length="25429099" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Join Allan, Shaun Marion (CISO of McDonald's) and ChatGPT itself for a lively conversation about the implications of this new tool, AI in general, and nuances about ChatGPT's usage.
Even after controls were put into place to prevent ChatGPT from helping the bad guys, Allan and Shaun were able to trick it into giving up details on hacking, authoring phishing emails and more.
Shaun and Allan explore the potential for abuse and the positive promise and excitement that this new era of AI is ushering in.
What are the societal implications of ChatGPT?
What are the positive advances of AI?
Should we be cautious with what we feed ChatGPT?
Hear answers to these questions and more on this week's lively episode.
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1585</itunes:duration>
                <itunes:episode>107</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Breach Communications with Heather Noggle</title>
        <itunes:title>Breach Communications with Heather Noggle</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/breach-communications-with-heather-noggle/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/breach-communications-with-heather-noggle/#comments</comments>        <pubDate>Wed, 15 Feb 2023 05:22:32 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/b63d2c4f-5a4d-3002-b303-67d2cbd78bd8</guid>
                                    <description><![CDATA[<p>How important are communications after your company has been breached?  They can make or break customer perception, and the perception of the world.  Bad communications are perceived as bad intent.</p>
<p>Joining Allan this week is Heather Noggle, owner of Codistac - a company that specializes in cyber communications, advocacy and awareness.  She studied communications in college, and takes this stuff very seriously.</p>
<p>The pair cover the LastPass, Okta and Reddit breaches, comparing the bad to the good.</p>
<p>Topics covered:</p>
<ul><li>Poor editing of communications</li>
<li>Willful non-communication</li>
<li>Obfuscation</li>
<li>Apologies</li>
<li>Letting the lawyers have their say - but not the last say</li>
<li>The balance between speed and accuracy</li>
</ul>
<p>It's a great conversation and a great show.</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at <a href='https://trustmapp.com'>https://trustmapp.com</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>How important are communications after your company has been breached?  They can make or break customer perception, and the perception of the world.  Bad communications are perceived as bad intent.</p>
<p>Joining Allan this week is Heather Noggle, owner of Codistac - a company that specializes in cyber communications, advocacy and awareness.  She studied communications in college, and takes this stuff very seriously.</p>
<p>The pair cover the LastPass, Okta and Reddit breaches, comparing the bad to the good.</p>
<p>Topics covered:</p>
<ul><li>Poor editing of communications</li>
<li>Willful non-communication</li>
<li>Obfuscation</li>
<li>Apologies</li>
<li>Letting the lawyers have their say - but not the last say</li>
<li>The balance between speed and accuracy</li>
</ul>
<p>It's a great conversation and a great show.</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at <a href='https://trustmapp.com'>https://trustmapp.com</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/q2uj3t/heather_FINISHEDbldhs.mp3" length="29673892" type="audio/mpeg"/>
        <itunes:summary><![CDATA[How important are communications after your company has been breached?  They can make or break customer perception, and the perception of the world.  Bad communications are perceived as bad intent.
Joining Allan this week is Heather Noggle, owner of Codistac - a company that specializes in cyber communications, advocacy and awareness.  She studied communications in college, and takes this stuff very seriously.
The pair cover the LastPass, Okta and Reddit breaches, comparing the bad to the good.
Topics covered:
Poor editing of communications
Willful non-communication
Obfuscation
Apologies
Letting the lawyers have their say - but not the last say
The balance between speed and accuracy
It's a great conversation and a great show.
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1850</itunes:duration>
                <itunes:episode>106</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>BISO Bonanza with Ann Hines, James Binford and Matt Winkeler</title>
        <itunes:title>BISO Bonanza with Ann Hines, James Binford and Matt Winkeler</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/biso-bonanza-with-ann-hines-james-binford-and-matt-winkeler/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/biso-bonanza-with-ann-hines-james-binford-and-matt-winkeler/#comments</comments>        <pubDate>Wed, 08 Feb 2023 05:37:09 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/17088c44-9f9a-32f6-b758-90722c966959</guid>
                                    <description><![CDATA[<p>Do you want to be a CISO one day?  Are you a CISO today who wants to strengthen your ties into the rest of the business?  The Business Information Security Officer (BISO) role is one you should explore.</p>
<p>The role can vary quite a bit, as you will hear on this episode with not one, not two, but three BISOs joining Allan Alford to discuss the role and its nuances:  where it fits, what is required, how it is best positioned and managed.</p>
<p>Allan has been a BISO himself and has managed BISOs as well, so the conversation is rapid and productive.</p>
<p>Join Allan along with Ann Hines (BISO @ USAA), James Binford (BISO @ Humana) and Matt Winkeler (BISO @ Equifax) as they explore the BISO role.</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Do you want to be a CISO one day?  Are you a CISO today who wants to strengthen your ties into the rest of the business?  The Business Information Security Officer (BISO) role is one you should explore.</p>
<p>The role can vary quite a bit, as you will hear on this episode with not one, not two, but three BISOs joining Allan Alford to discuss the role and its nuances:  where it fits, what is required, how it is best positioned and managed.</p>
<p>Allan has been a BISO himself and has managed BISOs as well, so the conversation is rapid and productive.</p>
<p>Join Allan along with Ann Hines (BISO @ USAA), James Binford (BISO @ Humana) and Matt Winkeler (BISO @ Equifax) as they explore the BISO role.</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/w7zekn/3bisos_finished9wgcm.mp3" length="30818264" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Do you want to be a CISO one day?  Are you a CISO today who wants to strengthen your ties into the rest of the business?  The Business Information Security Officer (BISO) role is one you should explore.
The role can vary quite a bit, as you will hear on this episode with not one, not two, but three BISOs joining Allan Alford to discuss the role and its nuances:  where it fits, what is required, how it is best positioned and managed.
Allan has been a BISO himself and has managed BISOs as well, so the conversation is rapid and productive.
Join Allan along with Ann Hines (BISO @ USAA), James Binford (BISO @ Humana) and Matt Winkeler (BISO @ Equifax) as they explore the BISO role.
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1922</itunes:duration>
                <itunes:episode>105</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Developing and Fostering Good Leadership with Joey Rachid and Scott Moser</title>
        <itunes:title>Developing and Fostering Good Leadership with Joey Rachid and Scott Moser</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/developing-and-fostering-good-leadership-with-joey-rachid-and-scott-moser/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/developing-and-fostering-good-leadership-with-joey-rachid-and-scott-moser/#comments</comments>        <pubDate>Wed, 01 Feb 2023 04:57:35 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/a5439972-82e0-3316-8673-987f61d742d1</guid>
                                    <description><![CDATA[<p>Joining Allan today are two folks who are passionate about leadership – not just practicing good leadership, but instilling good leadership in future generations.  Joey Rachid is CISO in the ecommerce and financial services industry, is on advisory boards, has worked for the Big Four, and more importantly is a former US Marine (although all the Marines will tell you there is no such thing as a former Marine!)</p>
<p>Scott Moser is SVP and CISO at Sabre Corporation, has also been a CISO for Caesar’s (the gaming and hospitality company), and has held some very interesting military roles of his own.  In a joint branches capacity, Scott has been a CIO in Alaska.  For the US Air Force, Scott has been a Commander and an IT Director, all over the world.  He has also worked for the Joint Staff in Washington, DC as a branch chief. </p>
<p>These two gentlemen speak about leadership holistically - how to exhibit excellent leadership yourself, how to train for good leadership, and how to foster it in others.</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Joining Allan today are two folks who are passionate about leadership – not just practicing good leadership, but instilling good leadership in future generations.  Joey Rachid is CISO in the ecommerce and financial services industry, is on advisory boards, has worked for the Big Four, and more importantly is a former US Marine (although all the Marines will tell you there is no such thing as a former Marine!)</p>
<p>Scott Moser is SVP and CISO at Sabre Corporation, has also been a CISO for Caesar’s (the gaming and hospitality company), and has held some very interesting military roles of his own.  In a joint branches capacity, Scott has been a CIO in Alaska.  For the US Air Force, Scott has been a Commander and an IT Director, all over the world.  He has also worked for the Joint Staff in Washington, DC as a branch chief. </p>
<p>These two gentlemen speak about leadership holistically - how to exhibit excellent leadership yourself, how to train for good leadership, and how to foster it in others.</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/4kwvey/FINALFINALJOEYSCOTT.mp3" length="32372655" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Joining Allan today are two folks who are passionate about leadership – not just practicing good leadership, but instilling good leadership in future generations.  Joey Rachid is CISO in the ecommerce and financial services industry, is on advisory boards, has worked for the Big Four, and more importantly is a former US Marine (although all the Marines will tell you there is no such thing as a former Marine!)
Scott Moser is SVP and CISO at Sabre Corporation, has also been a CISO for Caesar’s (the gaming and hospitality company), and has held some very interesting military roles of his own.  In a joint branches capacity, Scott has been a CIO in Alaska.  For the US Air Force, Scott has been a Commander and an IT Director, all over the world.  He has also worked for the Joint Staff in Washington, DC as a branch chief. 
These two gentlemen speak about leadership holistically - how to exhibit excellent leadership yourself, how to train for good leadership, and how to foster it in others.
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2019</itunes:duration>
                <itunes:episode>104</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Are We Protecting People, Data, or Business? with Nipun Gupta</title>
        <itunes:title>Are We Protecting People, Data, or Business? with Nipun Gupta</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/are-we-protecting-people-data-or-business-with-nipun-gupta/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/are-we-protecting-people-data-or-business-with-nipun-gupta/#comments</comments>        <pubDate>Wed, 25 Jan 2023 04:55:04 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/6fbbf612-48a4-3cba-87a0-5ccabe6122bb</guid>
                                    <description><![CDATA[<p>This week Allan is joined by Nipun Gupta, and industry veteran who has been a consultant, practitioner, vendor, advisor and investor.</p>
<p>The topic is "What are we really protecting in cyber?" and the nuances of that question are explored in depth - as well as the interrelationships.</p>
<p>Is "protect the business" a guardrail statement while "protect data and people" is the mission?</p>
<p>How do we tie protecting people to protecting the business?  For the people?  For the business?</p>
<p>How do we map data to the business mission?</p>
<p>How far do we go to protect data?</p>
<p>What about this new DevOps, application-centric world?</p>
<p>Enjoy this conversation!  It's a lively one.</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This week Allan is joined by Nipun Gupta, and industry veteran who has been a consultant, practitioner, vendor, advisor and investor.</p>
<p>The topic is "What are we really protecting in cyber?" and the nuances of that question are explored in depth - as well as the interrelationships.</p>
<p>Is "protect the business" a guardrail statement while "protect data and people" is the mission?</p>
<p>How do we tie protecting people to protecting the business?  For the people?  For the business?</p>
<p>How do we map data to the business mission?</p>
<p>How far do we go to protect data?</p>
<p>What about this new DevOps, application-centric world?</p>
<p>Enjoy this conversation!  It's a lively one.</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/fwmru3/nipun.mp3" length="30767273" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This week Allan is joined by Nipun Gupta, and industry veteran who has been a consultant, practitioner, vendor, advisor and investor.
The topic is "What are we really protecting in cyber?" and the nuances of that question are explored in depth - as well as the interrelationships.
Is "protect the business" a guardrail statement while "protect data and people" is the mission?
How do we tie protecting people to protecting the business?  For the people?  For the business?
How do we map data to the business mission?
How far do we go to protect data?
What about this new DevOps, application-centric world?
Enjoy this conversation!  It's a lively one.]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1918</itunes:duration>
                <itunes:episode>103</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Influences from Outside of Cybersecurity with Peter Schawacker</title>
        <itunes:title>Influences from Outside of Cybersecurity with Peter Schawacker</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/influences-from-outside-of-cybersecurity-with-peter-schawacker/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/influences-from-outside-of-cybersecurity-with-peter-schawacker/#comments</comments>        <pubDate>Wed, 18 Jan 2023 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/260efa5c-3b70-3e11-b8a9-0d88125dd1c3</guid>
                                    <description><![CDATA[<p>This week, Allan is joined by Peter Schawacker, CEO @ Nearshore Cyber, former CISO, advisor to MSPs, etc.  Another one of Allan's illustrious guests with 25 years in cyber.  (https://www.linkedin.com/in/schawacker/).  The topic started as all that the two have learned outside of cybersecurity that has helped them in cyber.  But it gets way more esoteric than that, and quickly.  Detailed show notes and links are provided below because this show is all over the place!</p>
<p>02:11 Point MOOt, Texas: MOO-based virtual city with virtual economy, virtual stock market, various political models of governance and high preponderance of highly interactive bots used for practical and administrative purposes.
http://linguafranca.mirror.theinfo.org/9405/moo.html
https://archive.nytimes.com/www.nytimes.com/books/first/l/leonard-bots.html</p>
<p>04:49 A fast tour of the age of the universe, Planet Earth, and humans' presence on the planet, industrial revolution and the Internet</p>
<p>05:45 The Annex BBS in LA
https://annex.net/about-us/</p>
<p>05:28 IRC
https://en.wikipedia.org/wiki/Internet_Relay_Chat</p>
<p>06:12 - Arthur C. Clarke - "Any sufficiently advanced technology is indistinguishable from magic."
https://lab.cccb.org/en/arthur-c-clarke-any-sufficiently-advanced-technology-is-indistinguishable-from-magic/</p>
<p>07:12 - Iranian refugees, educated folks who spoke 5 languages and had 4 passports</p>
<p>07:49 - Dungeons and Dragons
https://dnd.wizards.com/</p>
<p>08:05 - Life demands more of us than just having a job</p>
<p>08:16 - Karl Marx, Shakespeare, Julius Caesar, Poetry</p>
<p>08:43 - TI-99 4A and the BASIC language on the Commodore PET
https://en.wikipedia.org/wiki/TI-99/4A
https://en.wikipedia.org/wiki/BASIC
https://en.wikipedia.org/wiki/Commodore_PET</p>
<p>09:02 - Earthlink
https://www.encyclopedia.com/economics/encyclopedias-almanacs-transcripts-and-maps/earthlink-inc#:~:text=Earthlink%20Network%20was%20founded%20in,would%20be%20providing%20customer%20service.</p>
<p>09:24 - Tech Writing and List Making</p>
<p>09:41 - Running a SOC for Citi</p>
<p>10:20 - Jack of all trades and the value of curiosity and love, surprises and exploration</p>
<p>11:04 - There is no one cybersecurity - we don't even know what it is yet</p>
<p>11:40 - Cyber as nascent field with great opportunity to leverage other disciplines</p>
<p>13:02 - TOGAF and the CIO's organization and functions and the CISO reporting into the CIO
https://en.wikipedia.org/wiki/The_Open_Group_Architecture_Framework</p>
<p>14:02 - Nobody knows what a CISO does</p>
<p>14:39 - We can't have it both ways - to have a seat at the table we must own risk and have accountability.  Authority can't exist without accountability.</p>
<p>15:13 - Do CISOs know how to buy stuff?  Lack of budgeting process.</p>
<p>15:45 - Eff around and find out - security incidents - order out of chaos - crisis management</p>
<p>16:34 - Pen testing as games (game theory):
https://en.wikipedia.org/wiki/Game_theory</p>
<p>17:11 - The influence of playing music</p>
<p>18:48 - Wagner's invention of instruments
https://www.californiasymphony.org/2018-19-season/epic-bruckner/whats-a-wagner-tuba/</p>
<p>19:12 - The influence of getting sober</p>
<p>19:30 - Chuck Anderson - Best guitar teacher on the planet?
https://truefire.com/educators/chuck-anderson/e4187</p>
<p>19:45 - Dissonance and consonance; inverse ratio between complexity and power</p>
<p>20:17 - Entrepreneurial spirit in the music business and an illegal booking company</p>
<p>20:48 - Everything applies everywhere; metaphor and the origins of ideas</p>
<p>21:21 - Marx and Engels - revolutions get stuff done</p>
<p>21:43 - Rothko's artwork compared to The Ramones
https://en.wikipedia.org/wiki/Mark_Rothko#:~:text=Mark%20Rothko%20(%2F%CB%88r%C9%92,a%20Latvian%2DAmerican%20abstract%20painter.</p>
<p>22:14 - The subconscious produces genius; we are all geniuses</p>
<p>22:51 - The mathematical concept of Aleph-0 and George Cantor as inventor of discrete math
https://mathworld.wolfram.com/Aleph-0.html#:~:text=is%20often%20pronounced%20%22aleph%2Dnull,spelled%20%22aleph%2Dnought.%22</p>
<p>23:40 - Wittgenstein's refutation of Cantor despite computing being based on discrete math
https://en.wikipedia.org/wiki/Ludwig_Wittgenstein</p>
<p>24:05 - Divine revelation or bipolar disorder?</p>
<p>24:33 - "The Aleph" short story by Jorge Luis Borges
https://web.mit.edu/allanmc/www/borgesaleph.pdf</p>
<p>25:13 - "Weaving the Web" by Tim Berners Lee and Borges foreshadowing hyperlinks
https://www.amazon.com/Weaving-Web-Original-Ultimate-Destiny/dp/006251587X</p>
<p>25:51 - We need heroes - mentoring without heroes is not possible</p>
<p>27:08 - Learning from the masters in cybersecurity; maybe we will be in history books</p>
<p>29:42 - Gaining sobriety, learning to reach out for help - valuable in cybersecurity</p>
<p>31:10 - Raising children; paternalism and cyber careers</p>
<p>32:32 - Edward de Bono - Lateral Thinking
https://www.amazon.com/Lateral-Thinking-Creativity-Step/dp/0060903252</p>
<p>33:13 - "Flow" by Mihaly Csikszentmihalyi
https://www.amazon.com/Flow-Psychology-Experience-Perennial-Classics-ebook/dp/B000W94FE6</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This week, Allan is joined by Peter Schawacker, CEO @ Nearshore Cyber, former CISO, advisor to MSPs, etc.  Another one of Allan's illustrious guests with 25 years in cyber.  (https://www.linkedin.com/in/schawacker/).  The topic started as all that the two have learned outside of cybersecurity that has helped them in cyber.  But it gets way more esoteric than that, and quickly.  Detailed show notes and links are provided below because this show is all over the place!</p>
<p>02:11 Point MOOt, Texas: MOO-based virtual city with virtual economy, virtual stock market, various political models of governance and high preponderance of highly interactive bots used for practical and administrative purposes.<br>
http://linguafranca.mirror.theinfo.org/9405/moo.html<br>
https://archive.nytimes.com/www.nytimes.com/books/first/l/leonard-bots.html</p>
<p>04:49 A fast tour of the age of the universe, Planet Earth, and humans' presence on the planet, industrial revolution and the Internet</p>
<p>05:45 The Annex BBS in LA<br>
https://annex.net/about-us/</p>
<p>05:28 IRC<br>
https://en.wikipedia.org/wiki/Internet_Relay_Chat</p>
<p>06:12 - Arthur C. Clarke - "Any sufficiently advanced technology is indistinguishable from magic."<br>
https://lab.cccb.org/en/arthur-c-clarke-any-sufficiently-advanced-technology-is-indistinguishable-from-magic/</p>
<p>07:12 - Iranian refugees, educated folks who spoke 5 languages and had 4 passports</p>
<p>07:49 - Dungeons and Dragons<br>
https://dnd.wizards.com/</p>
<p>08:05 - Life demands more of us than just having a job</p>
<p>08:16 - Karl Marx, Shakespeare, Julius Caesar, Poetry</p>
<p>08:43 - TI-99 4A and the BASIC language on the Commodore PET<br>
https://en.wikipedia.org/wiki/TI-99/4A<br>
https://en.wikipedia.org/wiki/BASIC<br>
https://en.wikipedia.org/wiki/Commodore_PET</p>
<p>09:02 - Earthlink<br>
https://www.encyclopedia.com/economics/encyclopedias-almanacs-transcripts-and-maps/earthlink-inc#:~:text=Earthlink%20Network%20was%20founded%20in,would%20be%20providing%20customer%20service.</p>
<p>09:24 - Tech Writing and List Making</p>
<p>09:41 - Running a SOC for Citi</p>
<p>10:20 - Jack of all trades and the value of curiosity and love, surprises and exploration</p>
<p>11:04 - There is no one cybersecurity - we don't even know what it is yet</p>
<p>11:40 - Cyber as nascent field with great opportunity to leverage other disciplines</p>
<p>13:02 - TOGAF and the CIO's organization and functions and the CISO reporting into the CIO<br>
https://en.wikipedia.org/wiki/The_Open_Group_Architecture_Framework</p>
<p>14:02 - Nobody knows what a CISO does</p>
<p>14:39 - We can't have it both ways - to have a seat at the table we must own risk and have accountability.  Authority can't exist without accountability.</p>
<p>15:13 - Do CISOs know how to buy stuff?  Lack of budgeting process.</p>
<p>15:45 - Eff around and find out - security incidents - order out of chaos - crisis management</p>
<p>16:34 - Pen testing as games (game theory):<br>
https://en.wikipedia.org/wiki/Game_theory</p>
<p>17:11 - The influence of playing music</p>
<p>18:48 - Wagner's invention of instruments<br>
https://www.californiasymphony.org/2018-19-season/epic-bruckner/whats-a-wagner-tuba/</p>
<p>19:12 - The influence of getting sober</p>
<p>19:30 - Chuck Anderson - Best guitar teacher on the planet?<br>
https://truefire.com/educators/chuck-anderson/e4187</p>
<p>19:45 - Dissonance and consonance; inverse ratio between complexity and power</p>
<p>20:17 - Entrepreneurial spirit in the music business and an illegal booking company</p>
<p>20:48 - Everything applies everywhere; metaphor and the origins of ideas</p>
<p>21:21 - Marx and Engels - revolutions get stuff done</p>
<p>21:43 - Rothko's artwork compared to The Ramones<br>
https://en.wikipedia.org/wiki/Mark_Rothko#:~:text=Mark%20Rothko%20(%2F%CB%88r%C9%92,a%20Latvian%2DAmerican%20abstract%20painter.</p>
<p>22:14 - The subconscious produces genius; we are all geniuses</p>
<p>22:51 - The mathematical concept of Aleph-0 and George Cantor as inventor of discrete math<br>
https://mathworld.wolfram.com/Aleph-0.html#:~:text=is%20often%20pronounced%20%22aleph%2Dnull,spelled%20%22aleph%2Dnought.%22</p>
<p>23:40 - Wittgenstein's refutation of Cantor despite computing being based on discrete math<br>
https://en.wikipedia.org/wiki/Ludwig_Wittgenstein</p>
<p>24:05 - Divine revelation or bipolar disorder?</p>
<p>24:33 - "The Aleph" short story by Jorge Luis Borges<br>
https://web.mit.edu/allanmc/www/borgesaleph.pdf</p>
<p>25:13 - "Weaving the Web" by Tim Berners Lee and Borges foreshadowing hyperlinks<br>
https://www.amazon.com/Weaving-Web-Original-Ultimate-Destiny/dp/006251587X</p>
<p>25:51 - We need heroes - mentoring without heroes is not possible</p>
<p>27:08 - Learning from the masters in cybersecurity; maybe we will be in history books</p>
<p>29:42 - Gaining sobriety, learning to reach out for help - valuable in cybersecurity</p>
<p>31:10 - Raising children; paternalism and cyber careers</p>
<p>32:32 - Edward de Bono - Lateral Thinking<br>
https://www.amazon.com/Lateral-Thinking-Creativity-Step/dp/0060903252</p>
<p>33:13 - "Flow" by Mihaly Csikszentmihalyi<br>
https://www.amazon.com/Flow-Psychology-Experience-Perennial-Classics-ebook/dp/B000W94FE6</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/b64kzp/peter_FINAL9ximj.mp3" length="32707440" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This week, Allan is joined by Peter Schawacker, CEO @ Nearshore Cyber, former CISO, advisor to MSPs, etc.  Another one of Allan's illustrious guests with 25 years in cyber.  (https://www.linkedin.com/in/schawacker/).  The topic started as all that the two have learned outside of cybersecurity that has helped them in cyber.  But it gets way more esoteric than that, and quickly.  Detailed show notes and links are provided below because this show is all over the place!
02:11 Point MOOt, Texas: MOO-based virtual city with virtual economy, virtual stock market, various political models of governance and high preponderance of highly interactive bots used for practical and administrative purposes.
http://linguafranca.mirror.theinfo.org/9405/moo.html
https://archive.nytimes.com/www.nytimes.com/books/first/l/leonard-bots.html
04:49 A fast tour of the age of the universe, Planet Earth, and humans' presence on the planet, industrial revolution and the Internet
05:45 The Annex BBS in LA
https://annex.net/about-us/
05:28 IRC
https://en.wikipedia.org/wiki/Internet_Relay_Chat
06:12 - Arthur C. Clarke - "Any sufficiently advanced technology is indistinguishable from magic."
https://lab.cccb.org/en/arthur-c-clarke-any-sufficiently-advanced-technology-is-indistinguishable-from-magic/
07:12 - Iranian refugees, educated folks who spoke 5 languages and had 4 passports
07:49 - Dungeons and Dragons
https://dnd.wizards.com/
08:05 - Life demands more of us than just having a job
08:16 - Karl Marx, Shakespeare, Julius Caesar, Poetry
08:43 - TI-99 4A and the BASIC language on the Commodore PET
https://en.wikipedia.org/wiki/TI-99/4A
https://en.wikipedia.org/wiki/BASIC
https://en.wikipedia.org/wiki/Commodore_PET
09:02 - Earthlink
https://www.encyclopedia.com/economics/encyclopedias-almanacs-transcripts-and-maps/earthlink-inc#:~:text=Earthlink%20Network%20was%20founded%20in,would%20be%20providing%20customer%20service.
09:24 - Tech Writing and List Making
09:41 - Running a SOC for Citi
10:20 - Jack of all trades and the value of curiosity and love, surprises and exploration
11:04 - There is no one cybersecurity - we don't even know what it is yet
11:40 - Cyber as nascent field with great opportunity to leverage other disciplines
13:02 - TOGAF and the CIO's organization and functions and the CISO reporting into the CIO
https://en.wikipedia.org/wiki/The_Open_Group_Architecture_Framework
14:02 - Nobody knows what a CISO does
14:39 - We can't have it both ways - to have a seat at the table we must own risk and have accountability.  Authority can't exist without accountability.
15:13 - Do CISOs know how to buy stuff?  Lack of budgeting process.
15:45 - Eff around and find out - security incidents - order out of chaos - crisis management
16:34 - Pen testing as games (game theory):
https://en.wikipedia.org/wiki/Game_theory
17:11 - The influence of playing music
18:48 - Wagner's invention of instruments
https://www.californiasymphony.org/2018-19-season/epic-bruckner/whats-a-wagner-tuba/
19:12 - The influence of getting sober
19:30 - Chuck Anderson - Best guitar teacher on the planet?
https://truefire.com/educators/chuck-anderson/e4187
19:45 - Dissonance and consonance; inverse ratio between complexity and power
20:17 - Entrepreneurial spirit in the music business and an illegal booking company
20:48 - Everything applies everywhere; metaphor and the origins of ideas
21:21 - Marx and Engels - revolutions get stuff done
21:43 - Rothko's artwork compared to The Ramones
https://en.wikipedia.org/wiki/Mark_Rothko#:~:text=Mark%20Rothko%20(%2F%CB%88r%C9%92,a%20Latvian%2DAmerican%20abstract%20painter.
22:14 - The subconscious produces genius; we are all geniuses
22:51 - The mathematical concept of Aleph-0 and Georg Cantor as inventor of discrete math
https://mathworld.wolfram.com/Aleph-0.html#:~:text=is%20often%20pronounced%20%22aleph%2Dnull,spelled%20%22aleph%2Dnought.%22
23:40 - Wittgenstein's refutation of Cantor despite computing being based on discrete math
https://en.w]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2040</itunes:duration>
                <itunes:episode>102</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Managing Careers with Luis Valenzuela</title>
        <itunes:title>Managing Careers with Luis Valenzuela</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/managing-careers-with-luis-valenzuela/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/managing-careers-with-luis-valenzuela/#comments</comments>        <pubDate>Wed, 11 Jan 2023 04:46:36 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/3d5fd708-93a1-3236-9ab0-7e41defac397</guid>
                                    <description><![CDATA[<p>This episode is jam-packed with wisdom that is delivered at a rapid pace.  Some folks will find themselves rewinding and taking notes.  Luis Valenzuela, Director of Data Loss Prevention and Data Governance at InComm Payments, joins Allan Alford to talk about managing careers - how to manage your own, and, for leaders, how to help your team manage theirs.  Topics include:</p>
<p>- Pivotal career transitions</p>
<p>- Is a plan _really_ required?</p>
<p>- Principles, foundations, and successful behaviors</p>
<p>- Practical steps and resources</p>
<p>- Is the power of envisioning enough?</p>
<p>- Tactical and other tips</p>
<p> </p>
<p>Y'all enjoy this one, now!</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This episode is jam-packed with wisdom that is delivered at a rapid pace.  Some folks will find themselves rewinding and taking notes.  Luis Valenzuela, Director of Data Loss Prevention and Data Governance at InComm Payments, joins Allan Alford to talk about managing careers - how to manage your own, and, for leaders, how to help your team manage theirs.  Topics include:</p>
<p>- Pivotal career transitions</p>
<p>- Is a plan _really_ required?</p>
<p>- Principles, foundations, and successful behaviors</p>
<p>- Practical steps and resources</p>
<p>- Is the power of envisioning enough?</p>
<p>- Tactical and other tips</p>
<p> </p>
<p>Y'all enjoy this one, now!</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/q579cw/luis_valenzuela_FINALbv0dk.mp3" length="29743273" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This episode is jam-packed with wisdom that is delivered at a rapid pace.  Some folks will find themselves rewinding and taking notes.  Luis Valenzuela, Director of Data Loss Prevention and Data Governance at InComm Payments, joins Allan Alford to talk about managing careers - how to manage your own, and, for leaders, how to help your team manage theirs.  Topics include:
- Pivotal career transitions
- Is a plan _really_ required?
- Principles, foundations, and successful behaviors
- Practical steps and resources
- Is the power of envisioning enough?
- Tactical and other tips
 
Y'all enjoy this one, now!]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1854</itunes:duration>
                <itunes:episode>101</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>100th Episode Call-In Special with 21 Guests!</title>
        <itunes:title>100th Episode Call-In Special with 21 Guests!</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/100th-episode-call-in-special-with-21-guests/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/100th-episode-call-in-special-with-21-guests/#comments</comments>        <pubDate>Wed, 04 Jan 2023 05:01:12 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/e773c4a8-e781-3e53-a722-16b4e1e38a3f</guid>
                                    <description><![CDATA[<p>To celebrate the 100th episode, Allan decided to let the audience participate in the show.  21 people called in and answered a wide variety of questions about cybersecurity.  It is a fantastic show and it is very fun to hear all the different perspectives from folks who have just about every role in cybersecurity you can imagine:</p>
<p>00:00:58 - Brent Deterding - What can practitioners do to show more love to vendors?
00:03:07 - Evgeniy Kharam - How important are soft skills in cybersecurity?
00:03:54 - Evgeniy Kharam - What are we doing wrong in cybersecurity?
00:05:17 - Andy Ellis - what are we doing right and what are we doing wrong?
00:07:15 - Nipun Gupta - What needs to happen to get cybersecurity practitioners to trust cybersecurity vendors?
00:10:29 - Brent Forest - What is the value of mentorship in cybersecurity?
00:13:48 - Heather Noggle - How do you get small organizations to take cybersecurity more seriously?
00:17:34 - Karla Reffold - What piece of advice would you give someone trying to get into cybersecurity?
00:19:16 - Will Lin - Where do you think this whole cybersecurity thing is headed?
00:22:37 - Jack Powell - What are we doing in cybersecurity that we should not be doing?
00:29:17 - Dutch Schwartz - What is missing in cybersecurity?
00:36:13 - Kevin Pope - What is your best piece of advice for those entering the cybersecurity field?
00:42:42 - Julian Cohen - How do we prioritize our defenses?
00:45:22 - Benjamin Corll - What do you love most about being in cybersecurity?
00:47:05 - Special Appearance by Chris Cochran and Ron Eddings of Hacker Valley Media
00:50:07 - Chris Patteson - How worried should we be about post-quantum cryptography?
00:54:03 - Peter Schawacker - What are we doing right in cybersecurity?
01:01:45 - Adrian Sanabria - What is it we are not doing in cybersecurity that we should be doing?
01:08:38 - Chris Foulon - Where is this whole cybersecurity thing headed?
01:13:52 - Claude Mandy - What are we getting wrong in cybersecurity?
01:18:25 - Gary Hayslip - What is the trend towards a data-centric security model?
01:26:17 - Kirsten Davies - What is going to change with threat intelligence in 2023?
01:30:58 - Special Appearance by Dr. Ursula Alford (Allan's wife)</p>
]]></description>
                                                            <content:encoded><![CDATA[<p>To celebrate the 100th episode, Allan decided to let the audience participate in the show.  21 people called in and answered a wide variety of questions about cybersecurity.  It is a fantastic show and it is very fun to hear all the different perspectives from folks who have just about every role in cybersecurity you can imagine:</p>
<p>00:00:58 - Brent Deterding - What can practitioners do to show more love to vendors?<br>
00:03:07 - Evgeniy Kharam - How important are soft skills in cybersecurity?<br>
00:03:54 - Evgeniy Kharam - What are we doing wrong in cybersecurity?<br>
00:05:17 - Andy Ellis - what are we doing right and what are we doing wrong?<br>
00:07:15 - Nipun Gupta - What needs to happen to get cybersecurity practitioners to trust cybersecurity vendors?<br>
00:10:29 - Brent Forest - What is the value of mentorship in cybersecurity?<br>
00:13:48 - Heather Noggle - How do you get small organizations to take cybersecurity more seriously?<br>
00:17:34 - Karla Reffold - What piece of advice would you give someone trying to get into cybersecurity?<br>
00:19:16 - Will Lin - Where do you think this whole cybersecurity thing is headed?<br>
00:22:37 - Jack Powell - What are we doing in cybersecurity that we should not be doing?<br>
00:29:17 - Dutch Schwartz - What is missing in cybersecurity?<br>
00:36:13 - Kevin Pope - What is your best piece of advice for those entering the cybersecurity field?<br>
00:42:42 - Julian Cohen - How do we prioritize our defenses?<br>
00:45:22 - Benjamin Corll - What do you love most about being in cybersecurity?<br>
00:47:05 - Special Appearance by Chris Cochran and Ron Eddings of Hacker Valley Media<br>
00:50:07 - Chris Patteson - How worried should we be about post-quantum cryptography?<br>
00:54:03 - Peter Schawacker - What are we doing right in cybersecurity?<br>
01:01:45 - Adrian Sanabria - What is it we are not doing in cybersecurity that we should be doing?<br>
01:08:38 - Chris Foulon - Where is this whole cybersecurity thing headed?<br>
01:13:52 - Claude Mandy - What are we getting wrong in cybersecurity?<br>
01:18:25 - Gary Hayslip - What is the trend towards a data-centric security model?<br>
01:26:17 - Kirsten Davies - What is going to change with threat intelligence in 2023?<br>
01:30:58 - Special Appearance by Dr. Ursula Alford (Allan's wife)</p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/g2tukx/100_callinbhx2m.mp3" length="88445223" type="audio/mpeg"/>
        <itunes:summary><![CDATA[To celebrate the 100th episode, Allan decided to let the audience participate in the show.  21 people called in and answered a wide variety of questions about cybersecurity.  It is a fantastic show and it is very fun to hear all the different perspectives from folks who have just about every role in cybersecurity you can imagine:
00:00:58 - Brent Deterding - What can practitioners do to show more love to vendors?
00:03:07 - Evgeniy Kharam - How important are soft skills in cybersecurity?
00:03:54 - Evgeniy Kharam - What are we doing wrong in cybersecurity?
00:05:17 - Andy Ellis - what are we doing right and what are we doing wrong?
00:07:15 - Nipun Gupta - What needs to happen to get cybersecurity practitioners to trust cybersecurity vendors?
00:10:29 - Brent Forest - What is the value of mentorship in cybersecurity?
00:13:48 - Heather Noggle - How do you get small organizations to take cybersecurity more seriously?
00:17:34 - Karla Reffold - What piece of advice would you give someone trying to get into cybersecurity?
00:19:16 - Will Lin - Where do you think this whole cybersecurity thing is headed?
00:22:37 - Jack Powell - What are we doing in cybersecurity that we should not be doing?
00:29:17 - Dutch Schwartz - What is missing in cybersecurity?
00:36:13 - Kevin Pope - What is your best piece of advice for those entering the cybersecurity field?
00:42:42 - Julian Cohen - How do we prioritize our defenses?
00:45:22 - Benjamin Corll - What do you love most about being in cybersecurity?
00:47:05 - Special Appearance by Chris Cochran and Ron Eddings of Hacker Valley Media
00:50:07 - Chris Patteson - How worried should we be about post-quantum cryptography?
00:54:03 - Peter Schawacker - What are we doing right in cybersecurity?
01:01:45 - Adrian Sanabria - What is it we are not doing in cybersecurity that we should be doing?
01:08:38 - Chris Foulon - Where is this whole cybersecurity thing headed?
01:13:52 - Claude Mandy - What are we getting wrong in cybersecurity?
01:18:25 - Gary Hayslip - What is the trend towards a data-centric security model?
01:26:17 - Kirsten Davies - What is going to change with threat intelligence in 2023?
01:30:58 - Special Appearance by Dr. Ursula Alford (Allan's wife)]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>5523</itunes:duration>
                <itunes:episode>100</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Can We Even Measure Risk? with Andy Ellis and Chris Roberts - EXPLICIT</title>
        <itunes:title>Can We Even Measure Risk? with Andy Ellis and Chris Roberts - EXPLICIT</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/can-we-even-measure-risk-with-andy-ellis-and-chris-roberts/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/can-we-even-measure-risk-with-andy-ellis-and-chris-roberts/#comments</comments>        <pubDate>Wed, 14 Dec 2022 04:57:21 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/78e011e3-e20b-3512-bf31-15a9f523a360</guid>
                                    <description><![CDATA[<p>This is another "'E' for explicit" show as this one is another LIVE! show from the CISO XC conference in Dallas-Fort Worth. Why the 'E'?  Because halfway through Allan Alford's conversation with Andy Ellis (CISO at Orca, Operating Partner at YL Ventures, former CISO at Akamai), Chris Roberts (CISO at Boom Supersonic) joins the stage with some fine whisky and his own clever takes on measuring risk.</p>
<p>Join Allan, Andy, and Chris as they deconstruct risk, extol its virtues, and hopefully change the way you think about risk altogether. Is likelihood times impact valid? Is the 5x5 grid valid? What is plausibility vs. probability? Find out on this great LIVE! episode!</p>
<p>
Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This is another "'E' for explicit" show as this one is another LIVE! show from the CISO XC conference in Dallas-Fort Worth. Why the 'E'?  Because halfway through Allan Alford's conversation with Andy Ellis (CISO at Orca, Operating Partner at YL Ventures, former CISO at Akamai), Chris Roberts (CISO at Boom Supersonic) joins the stage with some fine whisky and his own clever takes on measuring risk.</p>
<p>Join Allan, Andy, and Chris as they deconstruct risk, extol its virtues, and hopefully change the way you think about risk altogether. Is likelihood times impact valid? Is the 5x5 grid valid? What is plausibility vs. probability? Find out on this great LIVE! episode!</p>
<p><br>
Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/4axree/ciso_xc_final9n0fc.mp3" length="34949791" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This is another "'E' for explicit" show as this one is another LIVE! show from the CISO XC conference in Dallas-Fort Worth. Why the 'E'?  Because halfway through Allan Alford's conversation with Andy Ellis (CISO at Orca, Operating Partner at YL Ventures, former CISO at Akamai), Chris Roberts (CISO at Boom Supersonic) joins the stage with some fine whisky and his own clever takes on measuring risk.
Join Allan, Andy, and Chris as they deconstruct risk, extol its virtues, and hopefully change the way you think about risk altogether. Is likelihood times impact valid? Is the 5x5 grid valid? What is plausibility vs. probability? Find out on this great LIVE! episode!
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>true</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2180</itunes:duration>
                <itunes:episode>99</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Is It Even Our Job to Make Them Care About Cybersecurity? with Yaron Levi</title>
        <itunes:title>Is It Even Our Job to Make Them Care About Cybersecurity? with Yaron Levi</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/is-it-even-our-job-to-make-them-care-about-cybersecurity-with-yaron-levi/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/is-it-even-our-job-to-make-them-care-about-cybersecurity-with-yaron-levi/#comments</comments>        <pubDate>Wed, 07 Dec 2022 04:35:27 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/fbb58605-057f-3d20-8bec-15e2118cbf46</guid>
                                    <description><![CDATA[<p>In this episode, Allan Alford plays Devil's advocate - challenging the practitioner community to refute the idea that we should quit trying to make the organization care and simply make suggestions and accept the organization's level of risk tolerance.</p>
<p>Allan posted this topic on LinkedIn and it created quite a buzz. The show features quotes from Simon Goldsmith, Kevin Pope, Malcolm Harkins, and others.</p>
<p>Listen to hear a deconstruction of this position, and hear some great arguments both for and against it. We'll give away the ending - the argument is ultimately refuted - but it is a great thought exercise and a wonderful journey getting to that conclusion. Hint: The show's ending is more apt than ever: "Y'all be good now!"</p>
<p>
Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode, Allan Alford plays Devil's advocate - challenging the practitioner community to refute the idea that we should quit trying to make the organization care and simply make suggestions and accept the organization's level of risk tolerance.</p>
<p>Allan posted this topic on LinkedIn and it created quite a buzz. The show features quotes from Simon Goldsmith, Kevin Pope, Malcolm Harkins, and others.</p>
<p>Listen to hear a deconstruction of this position, and hear some great arguments both for and against it. We'll give away the ending - the argument is ultimately refuted - but it is a great thought exercise and a wonderful journey getting to that conclusion. Hint: The show's ending is more apt than ever: "Y'all be good now!"</p>
<p><br>
Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/kh455f/yaron_98_FINAL948t8.mp3" length="26655809" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan Alford plays Devil's advocate - challenging the practitioner community to refute the idea that we should quit trying to make the organization care and simply make suggestions and accept the organization's level of risk tolerance.
Allan posted this topic on LinkedIn and it created quite a buzz. The show features quotes from Simon Goldsmith, Kevin Pope, Malcolm Harkins, and others.
Listen to hear a deconstruction of this position, and hear some great arguments both for and against it. We'll give away the ending - the argument is ultimately refuted - but it is a great thought exercise and a wonderful journey getting to that conclusion. Hint: The show's ending is more apt than ever: "Y'all be good now!"
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1661</itunes:duration>
                <itunes:episode>98</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Building Cybersecurity Community with Scott Schindler</title>
        <itunes:title>Building Cybersecurity Community with Scott Schindler</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/building-cybersecurity-community-with-scott-schindler/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/building-cybersecurity-community-with-scott-schindler/#comments</comments>        <pubDate>Wed, 30 Nov 2022 04:57:37 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/3bac6465-7b18-3da5-8466-fd731cd74b67</guid>
                                    <description><![CDATA[<p>Scott Schindler, veteran CISO, vCISO, and adjunct professor joins Allan at the ranch to talk about how to build, strengthen, participate in, contribute to and benefit from a cybersecurity community. Allan chose Scott for this show because of his incredible community focus and the high level of participation and engagement he demonstrates in his own career.</p>
<p>How can we, as privacy and security professionals, overcome our paranoia in order to build community?</p>
<p>How do we, as new members of cybersecurity, break into the community?</p>
<p>How do I start a local community?</p>
<p>How do we welcome others?</p>
<p>What is wrong with the cybersecurity community today that we need to fix?</p>
<p>
Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Scott Schindler, veteran CISO, vCISO, and adjunct professor joins Allan at the ranch to talk about how to build, strengthen, participate in, contribute to and benefit from a cybersecurity community. Allan chose Scott for this show because of his incredible community focus and the high level of participation and engagement he demonstrates in his own career.</p>
<p>How can we, as privacy and security professionals, overcome our paranoia in order to build community?</p>
<p>How do we, as new members of cybersecurity, break into the community?</p>
<p>How do I start a local community?</p>
<p>How do we welcome others?</p>
<p>What is wrong with the cybersecurity community today that we need to fix?</p>
<p><br>
Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/ky2zyp/scott_schindleraqgnc.mp3" length="32233474" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Scott Schindler, veteran CISO, vCISO, and adjunct professor joins Allan at the ranch to talk about how to build, strengthen, participate in, contribute to and benefit from a cybersecurity community. Allan chose Scott for this show because of his incredible community focus and the high level of participation and engagement he demonstrates in his own career.
How can we, as privacy and security professionals, overcome our paranoia in order to build community?
How do we, as new members of cybersecurity, break into the community?
How do I start a local community?
How do we welcome others?
What is wrong with the cybersecurity community today that we need to fix?
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2010</itunes:duration>
                <itunes:episode>97</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Geopolitics, APTs and Cybersecurity with Dan Holden</title>
        <itunes:title>Geopolitics, APTs and Cybersecurity with Dan Holden</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/geopolitics-apts-and-cybersecurity-with-dan-holden/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/geopolitics-apts-and-cybersecurity-with-dan-holden/#comments</comments>        <pubDate>Wed, 16 Nov 2022 05:00:18 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/5a09bb78-7b19-30ed-ad36-8e64fda3a3c6</guid>
<description><![CDATA[<p>Dan Holden, a 20+ year industry veteran, former vendor, and current CISO at Big Commerce joins Allan Alford at the ranch to talk about the BIG picture.  Join them on this wild trail ride that goes as far back as the Monroe Doctrine of 1823, the precursors to WWI, Reagan-era cyber doctrine, cyber and modern warfare, lessons learned from the COVID economy (hint: GDP is now part of critical infrastructure), famous APT heists, modern global imperialism... This show ties these threads together into a forward-looking vision for cybersecurity that includes shifts in global prioritization of cybersecurity, federal regulations, and changes to the VC investment landscape.  Saddle up and get ready for a wild ride!</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Dan Holden, a 20+ year industry veteran, former vendor, and current CISO at BigCommerce, joins Allan Alford at the ranch to talk about the BIG picture. Join them on this wild trail ride that goes as far back as the Monroe Doctrine of 1823, the precursors to WWI, Reagan-era cyber doctrine, cyber and modern warfare, lessons learned from the COVID economy (hint: GDP is now part of critical infrastructure), famous APT heists, modern global imperialism... This show ties these threads together into a forward-looking vision for cybersecurity that includes shifts in global prioritization of cybersecurity, federal regulations, and changes to the VC investment landscape. Saddle up and get ready for a wild ride!</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/dgqy69/dan_holden_FINALbiwz0.mp3" length="51654366" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Dan Holden, a 20+ year industry veteran, former vendor, and current CISO at BigCommerce, joins Allan Alford at the ranch to talk about the BIG picture. Join them on this wild trail ride that goes as far back as the Monroe Doctrine of 1823, the precursors to WWI, Reagan-era cyber doctrine, cyber and modern warfare, lessons learned from the COVID economy (hint: GDP is now part of critical infrastructure), famous APT heists, modern global imperialism... This show ties these threads together into a forward-looking vision for cybersecurity that includes shifts in global prioritization of cybersecurity, federal regulations, and changes to the VC investment landscape. Saddle up and get ready for a wild ride!
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>3224</itunes:duration>
                <itunes:episode>96</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>3 Very Practical Tips with Duane Gran</title>
        <itunes:title>3 Very Practical Tips with Duane Gran</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/3-very-practical-tips-with-duane-gran/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/3-very-practical-tips-with-duane-gran/#comments</comments>
        <pubDate>Wed, 09 Nov 2022 04:41:10 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/203bf163-2d03-348c-aae7-5f10dab83edb</guid>
                                    <description><![CDATA[<p>This week Allan Alford is joined by Duane Gran, Director of Information Security at Converge Technology Solutions, to discuss three different aspects of the CISO craft -- and to offer practical, concrete guidance on how to achieve the right outcomes:</p>
<ol><li>Eliminating the culture of "No!"</li>
<li>Managing Third-Party Risk</li>
<li>Building a "No Blame" Culture</li>
</ol><p>The common thread behind all of these themes is relationship building and goodwill - but the details are well worth the listen!

</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This week Allan Alford is joined by Duane Gran, Director of Information Security at Converge Technology Solutions, to discuss three different aspects of the CISO craft -- and to offer practical, concrete guidance on how to achieve the right outcomes:</p>
<ol><li>Eliminating the culture of "No!"</li>
<li>Managing Third-Party Risk</li>
<li>Building a "No Blame" Culture</li>
</ol><p>The common thread behind all of these themes is relationship building and goodwill - but the details are well worth the listen!<br>
<br>
</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/4w5yhn/duaneFINAL.mp3" length="33896534" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This week Allan Alford is joined by Duane Gran, Director of Information Security at Converge Technology Solutions, to discuss three different aspects of the CISO craft -- and to offer practical, concrete guidance on how to achieve the right outcomes:
Eliminating the culture of "No!"
Managing Third-Party Risk
Building a "No Blame" Culture
The common thread behind all of these themes is relationship building and goodwill - but the details are well worth the listen!
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2114</itunes:duration>
                <itunes:episode>95</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Should the CISO...? with Andy Bennett</title>
        <itunes:title>Should the CISO...? with Andy Bennett</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/should-the-ciso-with-andy-bennett/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/should-the-ciso-with-andy-bennett/#comments</comments>
        <pubDate>Wed, 02 Nov 2022 04:49:54 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/ae26b7fb-b549-3b61-9306-81c3273edac2</guid>
                                    <description><![CDATA[<p>In this week's show, Allan and his guest Andy Bennett (a very clever CISO with a heck of a pedigree) decide to tackle some thought exercises with a series of questions that all start with "Should the CISO...?"</p>
<ul><li>Should the CISO be the one to decide whether to report breaches?</li>
<li>Should the CISO own the SOC?</li>
<li>Should the CISO report to the CIO?</li>
<li>Should the CISO have an MBA?</li>
<li>Should the CISO be mentoring individual contributors in their team?</li>
<li>Should the CISO be sharing the political realities of “upstairs”?</li>
<li>Should the CISO own Identity?</li>
</ul>
<p>Enjoy this fantastic conversation that goes to a lot of surprising places!

</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this week's show, Allan and his guest Andy Bennett (a very clever CISO with a heck of a pedigree) decide to tackle some thought exercises with a series of questions that all start with "Should the CISO...?"</p>
<ul><li>Should the CISO be the one to decide whether to report breaches?</li>
<li>Should the CISO own the SOC?</li>
<li>Should the CISO report to the CIO?</li>
<li>Should the CISO have an MBA?</li>
<li>Should the CISO be mentoring individual contributors in their team?</li>
<li>Should the CISO be sharing the political realities of “upstairs”?</li>
<li>Should the CISO own Identity?</li>
</ul>
<p>Enjoy this fantastic conversation that goes to a lot of surprising places!<br>
<br>
</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/dq2vg8/andy_bennettacuz6.mp3" length="35846313" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this week's show, Allan and his guest Andy Bennett (a very clever CISO with a heck of a pedigree) decide to tackle some thought exercises with a series of questions that all start with "Should the CISO...?"
Should the CISO be the one to decide whether to report breaches?
Should the CISO own the SOC?
Should the CISO report to the CIO?
Should the CISO have an MBA?
Should the CISO be mentoring individual contributors in their team?
Should the CISO be sharing the political realities of “upstairs”?
Should the CISO own Identity?
Enjoy this fantastic conversation that goes to a lot of surprising places!
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2236</itunes:duration>
                <itunes:episode>94</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Tired Topics in Cybersecurity - Part Two with Michael Santarcangelo and Rich Mason</title>
        <itunes:title>Tired Topics in Cybersecurity - Part Two with Michael Santarcangelo and Rich Mason</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/tired-topics-in-cybersecurity-part-two-with-michael-santarcangelo-and-rich-mason/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/tired-topics-in-cybersecurity-part-two-with-michael-santarcangelo-and-rich-mason/#comments</comments>
        <pubDate>Wed, 26 Oct 2022 05:18:42 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/93fc8ba6-69e4-322a-bcf9-8ac8e6c8db3a</guid>
                                    <description><![CDATA[<p>Once again, Allan, Rich, and Michael dissect topics in our community that are, well, tired. Topics are brought up to spur online debate, but for which a conclusion is never reached. Topics that bifurcate our community without moving our industry forward.  Topics that cause us to overly rotate on the wrong areas.</p>
<p>In this show we address:</p>
<p>Defining terms: zero trust, ML, AI, hacker vs. cracker, cybersecurity vs information security</p>
<p>How to pronounce "CISO"</p>
<p>Work from home vs coming to the office</p>
<p>Do we deserve a seat at the table or is it earned?</p>
<p>Hopefully, these three are stepping beyond the tired answers to these topics and are raising the bar on how we should approach the information security profession.  You be the judge...</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Once again, Allan, Rich, and Michael dissect topics in our community that are, well, tired. Topics are brought up to spur online debate, but for which a conclusion is never reached. Topics that bifurcate our community without moving our industry forward.  Topics that cause us to overly rotate on the wrong areas.</p>
<p>In this show we address:</p>
<p>Defining terms: zero trust, ML, AI, hacker vs. cracker, cybersecurity vs information security</p>
<p>How to pronounce "CISO"</p>
<p>Work from home vs coming to the office</p>
<p>Do we deserve a seat at the table or is it earned?</p>
<p>Hopefully, these three are stepping beyond the tired answers to these topics and are raising the bar on how we should approach the information security profession.  You be the judge...</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/envksw/tired_topics_36z6wz.mp3" length="31336952" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Once again, Allan, Rich, and Michael dissect topics in our community that are, well, tired. Topics are brought up to spur online debate, but for which a conclusion is never reached. Topics that bifurcate our community without moving our industry forward.  Topics that cause us to overly rotate on the wrong areas.
In this show we address:
Defining terms: zero trust, ML, AI, hacker vs. cracker, cybersecurity vs information security
How to pronounce "CISO"
Work from home vs coming to the office
Do we deserve a seat at the table or is it earned?
Hopefully, these three are stepping beyond the tired answers to these topics and are raising the bar on how we should approach the information security profession.  You be the judge...
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1954</itunes:duration>
                <itunes:episode>93</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Tired Topics in Cybersecurity - Part One with Rich Mason and Michael Santarcangelo</title>
        <itunes:title>Tired Topics in Cybersecurity - Part One with Rich Mason and Michael Santarcangelo</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/tired-topics-in-cybersecurity-part-one-with-rich-mason-and-michael-santarcangelo/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/tired-topics-in-cybersecurity-part-one-with-rich-mason-and-michael-santarcangelo/#comments</comments>
        <pubDate>Wed, 19 Oct 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/9705d13f-843c-3221-bc42-c9f18d6db5f5</guid>
                                    <description><![CDATA[<p>We have all seen the conversations on LinkedIn where someone starts with a hotly debated topic, and the debate goes on and on, nothing is concluded, and then the next week, someone else posts the same topic and starts the gerbil wheel spinning again. We have seen this phenomenon with common complaints too. These are, in short, tired conversations.</p>
<p>Join Allan Alford, Rich Mason, and Michael Santarcangelo as they rope in some of these tired topics and propose alternative ways of looking at them.</p>
<p>This one runs a bit longer than usual because the conversation is that good. Also, there are a few naughty words...</p>
<p> </p>
<p>In this Part One episode they offer some alternative takes on the following tired topics:</p>
<ul><li>Who should the CISO report to?</li>
<li>Users as the weakest link</li>
<li>Talent Shortage</li>
<li>CISO Burnout</li>
<li>Imposter Syndrome</li>
<li>Awards Marketing</li>
<li>Bad Vendor Behavior</li>
</ul>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!

The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>We have all seen the conversations on LinkedIn where someone starts with a hotly debated topic, and the debate goes on and on, nothing is concluded, and then the next week, someone else posts the same topic and starts the gerbil wheel spinning again. We have seen this phenomenon with common complaints too. These are, in short, tired conversations.</p>
<p>Join Allan Alford, Rich Mason, and Michael Santarcangelo as they rope in some of these tired topics and propose alternative ways of looking at them.</p>
<p>This one runs a bit longer than usual because the conversation is that good. Also, there are a few naughty words...</p>
<p> </p>
<p>In this Part One episode they offer some alternative takes on the following tired topics:</p>
<ul><li>Who should the CISO report to?</li>
<li>Users as the weakest link</li>
<li>Talent Shortage</li>
<li>CISO Burnout</li>
<li>Imposter Syndrome</li>
<li>Awards Marketing</li>
<li>Bad Vendor Behavior</li>
</ul>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!<br>
<br>
The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/zax2m3/tired_topics_ONE8xcyo.mp3" length="60699838" type="audio/mpeg"/>
        <itunes:summary><![CDATA[We have all seen the conversations on LinkedIn where someone starts with a hotly debated topic, and the debate goes on and on, nothing is concluded, and then the next week, someone else posts the same topic and starts the gerbil wheel spinning again. We have seen this phenomenon with common complaints too. These are, in short, tired conversations.
Join Allan Alford, Rich Mason, and Michael Santarcangelo as they rope in some of these tired topics and propose alternative ways of looking at them.
This one runs a bit longer than usual because the conversation is that good. Also, there are a few naughty words...
 
In this Part One episode they offer some alternative takes on the following tired topics:
Who should the CISO report to?
Users as the weakest link
Talent Shortage
CISO Burnout
Imposter Syndrome
Awards Marketing
Bad Vendor Behavior
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>true</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>3789</itunes:duration>
                <itunes:episode>92</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>One Tool to Rule Them All with Derly Gutierrez</title>
        <itunes:title>One Tool to Rule Them All with Derly Gutierrez</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/one-tool-to-rule-them-all-with-derly-gutierrez/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/one-tool-to-rule-them-all-with-derly-gutierrez/#comments</comments>
        <pubDate>Wed, 12 Oct 2022 04:32:56 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/f9ebf16b-c94c-30ef-a85c-0305465e56c7</guid>
                                    <description><![CDATA[<p>CISOs and other security executives have relied on spreadsheets to perform a great deal of the management functions of their programs. What if there was a better way? Derly Gutierrez is back on the ranch for a third time now to discuss his alternative - the humble ticketing system. It might seem obvious in some cases, but Derly has pushed the use cases far beyond what you might imagine. Topics Derly and Allan cover include:</p>
<ul><li>Risk Management Lifecycle</li>
<li>Vendor Management Lifecycle</li>
<li>Personnel Onboarding/Offboarding (Joiners, Movers, Leavers)</li>
<li>Data Governance Lifecycle</li>
<li>SOC2 Audits</li>
<li>Internal Audits</li>
<li>UI Considerations</li>
<li>Organizational Familiarity with the Tool</li>
<li>Automation & Integration</li>
</ul>
<p>In this short but sweet episode, a lot of very practical tips are addressed.  Y'all be good now!</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!

The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>CISOs and other security executives have relied on spreadsheets to perform a great deal of the management functions of their programs. What if there was a better way? Derly Gutierrez is back on the ranch for a third time now to discuss his alternative - the humble ticketing system. It might seem obvious in some cases, but Derly has pushed the use cases far beyond what you might imagine. Topics Derly and Allan cover include:</p>
<ul><li>Risk Management Lifecycle</li>
<li>Vendor Management Lifecycle</li>
<li>Personnel Onboarding/Offboarding (Joiners, Movers, Leavers)</li>
<li>Data Governance Lifecycle</li>
<li>SOC2 Audits</li>
<li>Internal Audits</li>
<li>UI Considerations</li>
<li>Organizational Familiarity with the Tool</li>
<li>Automation & Integration</li>
</ul>
<p>In this short but sweet episode, a lot of very practical tips are addressed.  Y'all be good now!</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!<br>
<br>
The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/bbggii/derly_FINAL7yx2s.mp3" length="24579806" type="audio/mpeg"/>
        <itunes:summary><![CDATA[CISOs and other security executives have relied on spreadsheets to perform a great deal of the management functions of their programs. What if there was a better way?  Derly Gutierrez is back on the ranch for a third time now to discuss his alternative - the humble ticketing system.  It might seem obvious in some cases, but Derly has pushed the use cases far beyond what you might imagine.  Topics Derly and Allan cover include:
Risk Management Lifecycle
Vendor Management Lifecycle
Personnel Onboarding/Offboarding (Joiners, Movers, Leavers)
Data Governance Lifecycle
SOC2 Audits
Internal Audits
UI Considerations
Organizational Familiarity with the Tool
Automation & Integration
In this short but sweet episode, a lot of very practical tips are addressed.  Y'all be good now!
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1532</itunes:duration>
                <itunes:episode>91</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Cybersecurity Myths &amp; Misconceptions with Josiah Dykstra</title>
        <itunes:title>Cybersecurity Myths &amp; Misconceptions with Josiah Dykstra</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/biases-fallacies-cybersecurity-s-not-so-magical-thinking-with-josiah-dykstra/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/biases-fallacies-cybersecurity-s-not-so-magical-thinking-with-josiah-dykstra/#comments</comments>
        <pubDate>Wed, 05 Oct 2022 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/9db32e0c-8e29-320e-8206-28f3e9ddfe09</guid>
                                    <description><![CDATA[<p>Josiah Dykstra, Cybersecurity Technical Fellow at the NSA and author, kicks the dust off some previous topics discussed on the Ranch and deepens the conversation on cybersecurity myths and behavioral economics. Ahead of the release of his latest book, Cybersecurity Myths and Misconceptions, Josiah breaks down some biases, fallacies, myths, and magical thinking that cybersecurity practitioners fall victim to. Josiah taps into cyber’s psyche and exposes the errors behind practitioners playing make-believe.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Researching cybersecurity psychology & other exciting industry mashups</p>
<p>[09:22] Security logical fallacies: straw man, gambler’s, & ad hominem</p>
<p>[15:19] Cyber cognitive biases: confirmation, omission, and zero risk bias</p>
<p>[19:24] Perverse incentives & cobra effect: security vendors, bug bounties, & cyber insurance</p>
<p>[25:55] Creating an accurate measure of how secure we really are </p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!

The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
<p>In the context of cybersecurity, what are some examples of magical thinking? </p>
<p>Magical thinking, or the belief that thoughts can influence the material world, appears alongside the most common assumptions in cyber, according to Josiah. Recognizing the harmful practice of cyber practitioners blaming users for bad decisions, Josiah uncovered that many security pros believe the user will make the right choice without any additional training. Unfortunately, this magical thinking only leads to users being unprepared and uneducated.</p>
<p>“We assume users will pick good passwords without providing them education. We can't just think in our heads that things will go right, that never happens. We need to make careful decisions, whether it’s how we configure systems, or develop software, or conduct training.”</p>
<p> </p>
<p>Can you walk us through common fallacies in cybersecurity, like the gambler's fallacy?</p>
<p>While the straw man fallacy and ad hominem are often easy to identify in the cyber industry, Josiah explains that the gambler’s fallacy is just as pervasive and detrimental. The gambler’s fallacy involves seeing trends and “hidden” meanings in independent events. Most often, in security, cyber practitioners will believe a breach won’t happen if a company recently had a breach, even though these breaches would have nothing to do with each other.</p>
<p>“Imagine you’re flipping a fair coin, like a penny, and you get heads, heads, heads. Your brain starts to see an error, like, ‘I'm due for tails, if I had so many heads in a row.’ The fact is, the penny doesn't care about the last flip. These are all independent events.”</p>
<p> </p>
<p>What about common cyber biases, such as zero risk, confirmation, and omission bias?</p>
<p>The cyber industry is rife with biases. In fact, over 180 cognitive biases exist. Josiah’s book tackles a select few that appear time and time again, including zero-risk bias. Zero-risk bias is extremely common in cybersecurity. Security is about risk: understanding it, preventing it, and reacting to it. Many cyber companies will put all their eggs in one expensive basket, such as encryption, believing that this will create the impossible scenario of them having “zero” risk.</p>
<p>“We talk in the book a little bit about how you can never get risk to zero, right? Cybersecurity is always about risk management. There is somewhere between more than zero and less than 100% chance that your computer will get infected today.”</p>
<p> </p>
<p>“The goal of a security vendor is to keep you secure.” Why is that a misconception?</p>
<p>Just like biases and fallacies, cybersecurity misconceptions can be costly mindset mistakes that lead to easily preventable errors. Josiah wants us to consider that security vendors are not altruistic, they’re running a business and making a sale. While many vendors have a goal to keep customers secure, that will not be the only goal they have. Josiah recommends taking precautions and never assuming the vendor will always put security first.</p>
<p>“The goal of any business is to make money. That's why that business exists. You could argue with me that it isn't an ‘either or.’ They can make money and we can be secured, we can have both, but that's an ideal world. I think, in reality, it's a little bit bumpier than that.” </p>
<p>----------</p>
<p>Links:</p>
<p>Learn more about Josiah Dykstra on his <a href='https://www.linkedin.com/in/josiah-dykstra/'>LinkedIn</a> and <a href='https://josiahdykstra.com'>his website</a></p>
<p>Check out Josiah’s book, <a href='https://www.amazon.com/Cybersecurity-Myths-Misconceptions-Avoiding-Pitfalls/dp/0137929234'>Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls That Derail Us</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Josiah Dykstra, Cybersecurity Technical Fellow at the NSA and Author, kicks up the dust off some previous topics discussed on the Ranch and deepens the conversation on cybersecurity myths and behavioral economics. Prior to the release of his latest book, <em>Cybersecurity Myths and Misconceptions,</em> Josiah breaks down some biases, fallacies, myths, and magical thinking that cybersecurity practitioners fall victim to. Josiah taps into cyber’s psyche and exposes the errors behind practitioners playing make-believe.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Researching cybersecurity psychology & other exciting industry mashups</p>
<p>[09:22] Security logical fallacies: straw man, gambler’s, & ad hominem</p>
<p>[15:19] Cyber cognitive biases: confirmation, omission, and zero risk bias</p>
<p>[19:24] Perverse incentives & cobra effect: security vendors, bug bounties, & cyber insurance</p>
<p>[25:55] Creating an accurate measure of how secure we really are </p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!<br>
<br>
The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at <a href='http://axonius.com/hackervalley'>axonius.com/hackervalley</a></p>
<p> </p>
<p>In the context of cybersecurity, what are some examples of magical thinking? </p>
<p>Magical thinking, or the belief that thoughts can influence the material world, appears alongside the most common assumptions in cyber, according to Josiah. Recognizing the harmful practice of cyber practitioners blaming users for bad decisions, Josiah uncovered that many security pros believe the user will make the right choice without any additional training. Unfortunately, this magical thinking only leads to users being unprepared and uneducated.</p>
<p><em>“We assume users will pick good passwords without providing them education. We can't just think in our heads that things will go right, that never happens. We need to make careful decisions, whether it’s how we configure systems, or develop software, or conduct training.”</em></p>
<p> </p>
<p>Can you walk us through common fallacies in cybersecurity, like the gambler's fallacy?</p>
<p>While the straw man fallacy and ad hominem are often easy to identify in the cyber industry, Josiah explains that the gambler’s fallacy is just as pervasive and detrimental. The gambler’s fallacy involves seeing trends and “hidden” meanings in independent events. Most often, in security, cyber practitioners will believe a breach won’t happen if a company recently had a breach, even though these breaches would have nothing to do with each other.</p>
<p><em>“Imagine you’re flipping a fair coin, like a penny, and you get heads, heads, heads. Your brain starts to see an error, like, ‘I'm due for tails, if I had so many heads in a row.’ The fact is, the penny doesn't care about the last flip. These are all independent events.”</em></p>
<p> </p>
<p>What about common cyber biases, such as zero risk, confirmation, and omission bias?</p>
<p>The cyber industry is rife with biases. In fact, over 180 cognitive biases exist. Josiah’s book tackles a select few that appear time and time again, including zero-risk bias. Zero-risk bias is extremely common in cybersecurity. Security is about risk: understanding it, preventing it, and reacting to it. Many cyber companies will put all their eggs in one expensive basket, such as encryption, believing that this will create the impossible scenario of them having “zero” risk.</p>
<p><em>“We talk in the book a little bit about how you can never get risk to zero, right? Cybersecurity is always about risk management. There is somewhere between more than zero and less than 100% chance that your computer will get infected today.”</em></p>
<p> </p>
<p>“The goal of a security vendor is to keep you secure.” Why is that a misconception?</p>
<p>Just like biases and fallacies, cybersecurity misconceptions can be costly mindset mistakes that lead to easily preventable errors. Josiah wants us to consider that security vendors are not altruistic, they’re running a business and making a sale. While many vendors have a goal to keep customers secure, that will not be the only goal they have. Josiah recommends taking precautions and never assuming the vendor will always put security first.</p>
<p><em>“The goal of any business is to make money. That's why that business exists. You could argue with me that it isn't an ‘either or.’ They can make money and we can be secured, we can have both, but that's an ideal world. I think, in reality, it's a little bit bumpier than that.” </em></p>
<p>----------</p>
<p>Links:</p>
<p>Learn more about Josiah Dykstra on his <a href='https://www.linkedin.com/in/josiah-dykstra/'>LinkedIn</a> and <a href='https://josiahdykstra.com'>his website</a></p>
<p>Check out Josiah’s book,<em> </em><a href='https://www.amazon.com/Cybersecurity-Myths-Misconceptions-Avoiding-Pitfalls/dp/0137929234'><em>Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls That Derail Us</em></a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/p9a542/CR_audio_JOSSIAH_DYKSTRA8ji3s.mp3" length="39576857" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Josiah Dykstra, Cybersecurity Technical Fellow at the NSA and Author, kicks up the dust off some previous topics discussed on the Ranch and deepens the conversation on cybersecurity myths and behavioral economics. Prior to the release of his latest book, Cybersecurity Myths and Misconceptions, Josiah breaks down some biases, fallacies, myths, and magical thinking that cybersecurity practitioners fall victim to. Josiah taps into cyber’s psyche and exposes the errors behind practitioners playing make-believe.
 
Timecoded Guide:
[00:00] Researching cybersecurity psychology & other exciting industry mashups
[09:22] Security logical fallacies: straw man, gambler’s, & ad hominem
[15:19] Cyber cognitive biases: confirmation, omission, and zero risk bias
[19:24] Perverse incentives & cobra effect: security vendors, bug bounties, & cyber insurance
[25:55] Creating an accurate measure of how secure we really are 
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
 
In the context of cybersecurity, what are some examples of magical thinking? 
Magical thinking, or the belief that thoughts can influence the material world, appears alongside the most common assumptions in cyber, according to Josiah. Recognizing the harmful practice of cyber practitioners blaming users for bad decisions, Josiah uncovered that many security pros believe the user will make the right choice without any additional training. Unfortunately, this magical thinking only leads to users being unprepared and uneducated.
“We assume users will pick good passwords without providing them education. We can't just think in our heads that things will go right, that never happens. We need to make careful decisions, whether it’s how we configure systems, or develop software, or conduct training.”
 
Can you walk us through common fallacies in cybersecurity, like the gambler's fallacy?
While the straw man fallacy and ad hominem are often easy to identify in the cyber industry, Josiah explains that the gambler’s fallacy is just as pervasive and detrimental. The gambler’s fallacy involves seeing trends and “hidden” meanings in independent events. Most often, in security, cyber practitioners will believe a breach won’t happen if a company recently had a breach, even though these breaches would have nothing to do with each other.
“Imagine you’re flipping a fair coin, like a penny, and you get heads, heads, heads. Your brain starts to see an error, like, ‘I'm due for tails, if I had so many heads in a row.’ The fact is, the penny doesn't care about the last flip. These are all independent events.”
 
What about common cyber biases, such as zero risk, confirmation, and omission bias?
The cyber industry is rife with biases. In fact, over 180 cognitive biases exist. Josiah’s book tackles a select few that appear time and time again, including zero-risk bias. Zero-risk bias is extremely common in cybersecurity. Security is about risk: understanding it, preventing it, and reacting to it. Many cyber companies will put all their eggs in one expensive basket, such as encryption, believing that this will create the impossible scenario of them having “zero” risk.
“We talk in the book a little bit about how you can never get risk to zero, right? Cybersecurity is always about risk management. There is somewhere between more than zero and less than 100% chance that your computer will get infected today.”
 
“The goal of a security vendor is to keep you secure.” Why is that a misconception?
Just like biases and fallacies, cybersecurity misconceptions can be costly mindset mistakes that lead to easily preventable errors. Josiah wants us to consider that security vendors are not altruistic, they’re running a bus]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1648</itunes:duration>
                <itunes:episode>90</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Entrepreneurship After the Golden Handcuffs with Christian Espinosa</title>
        <itunes:title>Entrepreneurship After the Golden Handcuffs with Christian Espinosa</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/entrepreneurship-after-the-golden-handcuffs-with-christian-espinosa/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/entrepreneurship-after-the-golden-handcuffs-with-christian-espinosa/#comments</comments>        <pubDate>Wed, 28 Sep 2022 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/32da22e5-cdfa-3c1a-90ff-cb50861ec4f4</guid>
                                    <description><![CDATA[<p>Christian Espinosa, Author, Speaker, and CEO, comes down to the Ranch to talk about the journey of starting, growing, selling, and moving on from the business he created, Alpine Security. From correcting the problems with his high IQ staff to unshackling himself from the golden handcuffs of a business sale, Christian breaks down the specific conflicts he faced on his entrepreneurial journey— and reveals how these experiences have inspired two books about cybersecurity, business ownership, and life itself.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Finding business coherency in the one-page strategic plan</p>
<p>[08:39] Selling Alpine Security & transitioning from leader to participant</p>
<p>[13:46] Escaping the golden handcuffs & embarking on a new career journey</p>
<p>[17:35] Outlining seven steps to emotional intelligence in cyber with his first book</p>
<p>[20:34] Embarking on appreciation of life’s little moments with book number two</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p> </p>
<p>What were the challenges in growing the business you started, and how did you overcome those?</p>
<p>Christian’s inspiration for Alpine Security, his first business, was actually the stress of a conflicted relationship with a CEO he worked with. Feeling misaligned with the company he worked for, Christian left and began his journey towards entrepreneurship, thinking that his work ethic and willingness to do it all would lead to his success. Instead, his refusal to delegate and his lack of focus on leadership created conflicts between himself and his employees.</p>
<p>“I had to get over myself. Initially, I thought I’d do everything. I thought I could brute force this and make this work. I just tried to do it all myself. If my staff was having problems with something, I would jump in and help, but there's only so many hours in the day.”</p>
<p> </p>
<p>Was your intention to sell your business from the beginning? What was the process of selling like?</p>
<p>Although he advises every entrepreneur to have an exit strategy, Christian admits he didn’t initially create one with Alpine Security. After agreeing to a deal with Cerberus, Christian learned the hard way that the process of a business sale can be like a pair of golden handcuffs. Struggling with a lack of control and feeling constantly under scrutiny, Alpine Security eventually lost its founder as Christian embarked on a new journey in his career.</p>
<p>“In my company, I was in charge of the culture, the core values, the emotional intelligence, the touchpoints, the clients, all of that. Now that I was part of the larger organization, I wasn't in charge of that. I had to approach things differently.”</p>
<p> </p>
<p>Can you tell us about your first book and the seven-step process it outlines in cybersecurity?</p>
<p>Major struggles during Alpine Security’s founding were due to a lack of emotional intelligence and people skills amongst staff, in Christian’s opinion. These conflicts inspired the 7 steps of emotional intelligence for cybersecurity practitioners that Christian outlines in his first book, The Smartest Person in the Room. These steps include: awareness, mindset, acknowledgement, communication, mono-tasking, empathy, and Kaizen (continuous improvement).</p>
<p>“My first book is really about all the challenges I had in the company I started. 99% of the challenges I had were because of my staff, who were super bright, super high IQ penetration testers that didn't have emotional intelligence or people skills.”</p>
<p> </p>
<p>What are you going to do with your new book? Is that also cybersecurity related?</p>
<p>In contrast to his first book, which focused solely on cybersecurity professionals and the struggles they face with people skills in the workplace, Christian’s second book dives deeper into mindset. Focusing more on the value of life and the ideas around mono-tasking, Christian inspires his readers to care more about the micro moments. This second book is all about slowing down, seeing what’s happening around you, and seriously absorbing the information we take in every day— from the big moments to the little moments and everything in between.</p>
<p>“I think a lot of us go through this zombie state in life, going from one thing to the next thing, and we're distracted with our phones and everything else. We're missing a lot of things that are right in front of us.”</p>
<p>----------</p>
<p>Links:</p>
<p>Learn more about Christian Espinosa on his <a href='https://www.linkedin.com/in/christianespinosa/'>LinkedIn</a>, <a href='https://twitter.com/Ironracer'>Twitter</a>, and <a href='https://christianespinosa.com'>website</a></p>
<p>Check out Christian’s book, <a href='https://www.amazon.com/dp/1544516215'>The Smartest Person in the Room: The Root Cause & New Solutions for Cybersecurity</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Christian Espinosa, Author, Speaker, and CEO, comes down to the Ranch to talk about the journey of starting, growing, selling, and moving on from the business he created, Alpine Security. From correcting the problems with his high IQ staff to unshackling himself from the golden handcuffs of a business sale, Christian breaks down the specific conflicts he faced on his entrepreneurial journey— and reveals how these experiences have inspired two books about cybersecurity, business ownership, and life itself.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Finding business coherency in the one-page strategic plan</p>
<p>[08:39] Selling Alpine Security & transitioning from leader to participant</p>
<p>[13:46] Escaping the golden handcuffs & embarking on a new career journey</p>
<p>[17:35] Outlining seven steps to emotional intelligence in cyber with his first book</p>
<p>[20:34] Embarking on appreciation of life’s little moments with book number two</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p> </p>
<p>What were the challenges in growing the business you started, and how did you overcome those?</p>
<p>Christian’s inspiration for Alpine Security, his first business, was actually the stress of a conflicted relationship with a CEO he worked with. Feeling misaligned with the company he worked for, Christian left and began his journey towards entrepreneurship, thinking that his work ethic and willingness to do it all would lead to his success. Instead, his refusal to delegate and his lack of focus on leadership created conflicts between himself and his employees.</p>
<p><em>“I had to get over myself. Initially, I thought I’d do everything. I thought I could brute force this and make this work. I just tried to do it all myself. If my staff was having problems with something, I would jump in and help, but there's only so many hours in the day.”</em></p>
<p> </p>
<p>Was your intention to sell your business from the beginning? What was the process of selling like?</p>
<p>Although he advises every entrepreneur to have an exit strategy, Christian admits he didn’t initially create one with Alpine Security. After agreeing to a deal with Cerberus, Christian learned the hard way that the process of a business sale can be like a pair of golden handcuffs. Struggling with a lack of control and feeling constantly under scrutiny, Alpine Security eventually lost its founder as Christian embarked on a new journey in his career.</p>
<p><em>“In my company, I was in charge of the culture, the core values, the emotional intelligence, the touchpoints, the clients, all of that. Now that I was part of the larger organization, I wasn't in charge of that. I had to approach things differently.”</em></p>
<p> </p>
<p>Can you tell us about your first book and the seven-step process it outlines in cybersecurity?</p>
<p>Major struggles during Alpine Security’s founding were due to a lack of emotional intelligence and people skills amongst staff, in Christian’s opinion. These conflicts inspired the 7 steps of emotional intelligence for cybersecurity practitioners that Christian outlines in his first book, <em>The Smartest Person in the Room</em>. These steps include: awareness, mindset, acknowledgement, communication, mono-tasking, empathy, and Kaizen (continuous improvement).</p>
<p><em>“My first book is really about all the challenges I had in the company I started. 99% of the challenges I had were because of my staff, who were super bright, super high IQ penetration testers that didn't have emotional intelligence or people skills.”</em></p>
<p> </p>
<p>What are you going to do with your new book? Is that also cybersecurity related?</p>
<p>In contrast to his first book, which focused solely on cybersecurity professionals and the struggles they face with people skills in the workplace, Christian’s second book dives deeper into mindset. Focusing more on the value of life and the ideas around mono-tasking, Christian inspires his readers to care more about the micro moments. This second book is all about slowing down, seeing what’s happening around you, and seriously absorbing the information we take in every day— from the big moments to the little moments and everything in between.</p>
<p><em>“I think a lot of us go through this zombie state in life, going from one thing to the next thing, and we're distracted with our phones and everything else. We're missing a lot of things that are right in front of us.”</em></p>
<p>----------</p>
<p>Links:</p>
<p>Learn more about Christian Espinosa on his <a href='https://www.linkedin.com/in/christianespinosa/'>LinkedIn</a>, <a href='https://twitter.com/Ironracer'>Twitter</a>, and <a href='https://christianespinosa.com'>website</a></p>
<p>Check out Christian’s book, <a href='https://www.amazon.com/dp/1544516215'><em>The Smartest Person in the Room: The Root Cause & New Solutions for Cybersecurity</em></a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/bhn7bm/CR_audio_Christian_Espinosa8cqti.mp3" length="33398585" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Christian Espinosa, Author, Speaker, and CEO, comes down to the Ranch to talk about the journey of starting, growing, selling, and moving on from the business he created, Alpine Security. From correcting the problems with his high IQ staff to unshackling himself from the golden handcuffs of a business sale, Christian breaks down the specific conflicts he faced on his entrepreneurial journey— and reveals how these experiences have inspired two books about cybersecurity, business ownership, and life itself.
 
Timecoded Guide:
[00:00] Finding business coherency in the one-page strategic plan
[08:39] Selling Alpine Security & transitioning from leader to participant
[13:46] Escaping the golden handcuffs & embarking on a new career journey
[17:35] Outlining seven steps to emotional intelligence in cyber with his first book
[20:34] Embarking on appreciation of life’s little moments with book number two
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
 
What were the challenges in growing the business you started, and how did you overcome those?
Christian’s inspiration for Alpine Security, his first business, was actually the stress of a conflicted relationship with a CEO he worked with. Feeling misaligned with the company he worked for, Christian left and began his journey towards entrepreneurship, thinking that his work ethic and willingness to do it all would lead to his success. Instead, his refusal to delegate and his lack of focus on leadership created conflicts between himself and his employees.
“I had to get over myself. Initially, I thought I’d do everything. I thought I could brute force this and make this work. I just tried to do it all myself. If my staff was having problems with something, I would jump in and help, but there's only so many hours in the day.”
 
Was your intention to sell your business from the beginning? What was the process of selling like?
Although he advises every entrepreneur to have an exit strategy, Christian admits he didn’t initially create one with Alpine Security. After agreeing to a deal with Cerberus, Christian learned the hard way that the process of a business sale can be like a pair of golden handcuffs. Struggling with a lack of control and feeling constantly under scrutiny, Alpine Security eventually lost its founder as Christian embarked on a new journey in his career.
“In my company, I was in charge of the culture, the core values, the emotional intelligence, the touchpoints, the clients, all of that. Now that I was part of the larger organization, I wasn't in charge of that. I had to approach things differently.”
 
Can you tell us about your first book and the seven-step process it outlines in cybersecurity?
Major struggles during Alpine Security’s founding were due to a lack of emotional intelligence and people skills amongst staff, in Christian’s opinion. These conflicts inspired the 7 steps of emotional intelligence for cybersecurity practitioners that Christian outlines in his first book, The Smartest Person in the Room. These steps include: awareness, mindset, acknowledgement, communication, mono-tasking, empathy, and Kaizen (continuous improvement).
“My first book is really about all the challenges I had in the company I started. 99% of the challenges I had were because of my staff, who were super bright, super high IQ penetration testers that didn't have emotional intelligence or people skills.”
 
What are you going to do with your new book? Is that also cybersecurity related?
In contrast to his first book, which focused solely on cybersecurity professionals and the struggles they face with people skills in the workplace, Christian’s second book dives deeper into mindset. Focusing more on the value of life ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1391</itunes:duration>
                <itunes:episode>89</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>How APIs Expose Business Logic Flaws with Chuck Herrin</title>
        <itunes:title>How APIs Expose Business Logic Flaws with Chuck Herrin</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/how-apis-expose-business-logic-flaws-with-chuck-herrin/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/how-apis-expose-business-logic-flaws-with-chuck-herrin/#comments</comments>        <pubDate>Wed, 21 Sep 2022 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/dff210b9-96cb-3a06-89b5-defe739c3911</guid>
                                    <description><![CDATA[<p>Chuck Herrin, CTO at Wib, came down to the Ranch to explain the risks and threats currently facing APIs, or application programming interfaces. Simply put, APIs facilitate people and applications in communicating with other applications, but Chuck sees the lack of protocols, regulations, and security plans laid out for these APIs as a massive security threat. Breaking down the process using an API hack he performed as an example, Chuck talks about what the state of API security is and where it needs to be headed.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Bringing a background in finance into the cybersecurity API world</p>
<p>[05:25] "Hacking" a bank’s API using business logic instead of hacking</p>
<p>[12:17] Implementing standard API protocols and processes</p>
<p>[14:27] Flipping the API language and preparing injection threats</p>
<p>[19:03] Evolving defenses over time to meet both new needs and new risks</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p> </p>
<p>What does your current role look like and how does it relate to API security?</p>
<p>Chuck began his career in tech and security in the banking industry, and over time grew particularly concerned about the lack of security around APIs and related technology. Now, as CTO at Wib, Chuck focuses on providing continuous visibility into API attack surfaces. Beyond the newness and the technology of APIs, Chuck explains that there are critical infrastructure and national security ramifications for API security.</p>
<p>“The basic premise is: If you could do it differently, knowing what you know now, what would you build in an API security platform? What I'm bringing to the table is 20 years as a defender in US financial services, where I know what we need from a governance perspective.”</p>
<p> </p>
<p>Akamai recently ran a study of internet traffic. What were their findings about APIs?</p>
<p>As someone well read on APIs, Chuck pays close attention to recent studies, like one from Akamai claiming that 91% of its global internet traffic is API traffic. Chuck explains that this is a huge development in the popularity and impact of APIs on global security, especially when related to a separate study that estimates 50% of APIs are actually unmanaged. Although this stat seems shocking, many in the industry believe even that estimate is low, and the issue might be even worse than studies are showing.</p>
<p>“91% of the traffic that Akamai handles is API traffic. So, 91% of global internet traffic is API traffic. Another stat, which is a little harder to prove, estimates that roughly 50% of APIs are completely unmanaged.”</p>
<p> </p>
<p>You actually performed a hack live on an API, but it wasn't even a hack at all. Can you tell me that story? </p>
<p>At the most recent Black Hat, Chuck dissected and presented a few case studies, one of which was a bank’s API, hacked using a logic-based attack. Using the errors in business logic present within the banking API, Chuck’s team was able to bypass the front-end system and transfer fees, managing to convert money into more valuable currency over and over again. The wildest part, to both Chuck and the presentation attendees, was that this didn’t require technical hacking; it only required exploiting business logic.</p>
<p>“We didn't tear apart the mobile app and find the stored credentials, the API keys, which are probably in there. We didn't crack any passwords. We just abused the logic, and it responded in the way it was designed and here we are.”</p>
<p> </p>
<p>If we can’t anticipate every possible business logic flaw or abuse case, how can we reduce the impact and blast radius of API threats?</p>
<p>Reducing the impact of API security threats feels daunting, but Chuck explains that security has to go back to the basics in order to identify and acknowledge what has to change over time. You can't protect what you can't see, and our teams have to evolve over time to defend against the changing attackers we might end up facing with APIs. When push comes to shove, Chuck firmly believes in having a defense strongly informed by the offenses and threats around you.</p>
<p>“This was cloud security 10 years ago, and it's API security today, right? History doesn't repeat, but it rhymes. It's the same basics and same fundamentals. Now, you need to change tooling. The attackers evolve over time, and your defenses have to evolve over time.”</p>
<p>----------</p>
<p>Links:</p>
<p>Learn more about Chuck Herrin on <a href='https://www.linkedin.com/in/chuck-h-securityexecutive/'>LinkedIn</a> and <a href='https://wib.com/platform'>the Wib website</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Chuck Herrin, CTO at Wib, came down to the Ranch to explain the risks and threats currently facing APIs, or application programming interfaces. Simply put, APIs facilitate people and applications in communicating with other applications, but Chuck sees the lack of protocols, regulations, and security plans laid out for these APIs as a massive security threat. Breaking down the process using an API hack he performed as an example, Chuck talks about what the state of API security is and where it needs to be headed.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Bringing a background in finance into the cybersecurity API world</p>
<p>[05:25] "Hacking" a bank’s API using business logic instead of hacking</p>
<p>[12:17] Implementing standard API protocols and processes</p>
<p>[14:27] Flipping the API language and preparing injection threats</p>
<p>[19:03] Evolving defenses over time to meet both new needs and new risks</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p> </p>
<p>What does your current role look like and how does it relate to API security?</p>
<p>Chuck began his career in tech and security in the banking industry, and over time grew particularly concerned with the lack of security around APIs and related technology. Now, as CTO at Wib, Chuck focuses on providing continuous visibility into API attack surfaces. Beyond the newness and the technology of APIs, Chuck explains that there are critical infrastructure and national security ramifications for API security.</p>
<p><em>“The basic premise is: If you could do it differently, knowing what you know now, what would you build in an API security platform? What I'm bringing to the table is 20 years as a defender in US financial services, where I know what we need from a governance perspective.”</em></p>
<p> </p>
<p>Akamai recently ran a study of internet traffic. What were their findings about APIs?</p>
<p>As someone well researched in his work with APIs, Chuck pays close attention to recent studies, like one from Akamai claiming that 91% of its global internet traffic is API traffic. Chuck explains that this is a huge development in the popularity and impact of APIs on global security, especially when relating it to a separate study that estimates 50% of APIs are actually unmanaged. Although this stat seems shocking, many in the industry believe even that estimate is low, and the issue might be even worse than studies are showing.</p>
<p><em>“91% of the traffic that Akamai handles is API traffic. So, 91% of global internet traffic is API traffic. Another stat which is a little harder to prove estimates that roughly 50% of APIs are completely unmanaged.”</em></p>
<p> </p>
<p>You actually performed a hack live on an API, but it wasn't even a hack at all. Can you tell me that story? </p>
<p>At the most recent Black Hat, Chuck dissected and presented a few case studies, one of which was a bank’s API, hacked using a logic-based attack. Using the errors in business logic present within the banking API, Chuck’s team was able to bypass the front-end system and transfer fees, managing to convert money into more valuable currency over and over again. The wildest part, to both Chuck and the presentation attendees, was that this didn’t require technical hacking; it only required exploiting business logic.</p>
<p><em>“We didn't tear apart the mobile app and find the stored credentials, the API keys, which are probably in there. We didn't crack any passwords. We just abused the logic, and it responded in the way it was designed and here we are.”</em></p>
<p> </p>
<p>If we can’t anticipate every possible business logic flaw or abuse case, how can we reduce the impact and blast radius of API threats?</p>
<p>Reducing the impact of API security threats feels daunting, but Chuck explains that security has to go back to the basics in order to identify and acknowledge what has to change over time. You can't protect what you can't see, and our teams have to evolve over time to defend against the changing attackers we might end up facing with APIs. When push comes to shove, Chuck firmly believes in having a defense strongly informed by the offenses and threats around you.</p>
<p><em>“This was cloud security 10 years ago, and it's API security today, right? History doesn't repeat, but it rhymes. It's the same basics and same fundamentals. Now, you need to change tooling. The attackers evolve over time, and your defenses have to evolve over time.”</em></p>
<p>----------</p>
<p>Links:</p>
<p>Learn more about Chuck Herrin on <a href='https://www.linkedin.com/in/chuck-h-securityexecutive/'>LinkedIn</a> and <a href='https://wib.com/platform'>the Wib website</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/6y5p5v/CR_audio_Chuck_Herrin_v27d8sc.mp3" length="39229853" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Chuck Herrin, CTO at Wib, came down to the Ranch to explain the risks and threats currently facing APIs, or application programming interfaces. Simply put, APIs facilitate people and applications in communicating with other applications, but Chuck sees the lack of protocols, regulations, and security plans laid out for these APIs as a massive security threat. Breaking down the process using an API hack he performed as an example, Chuck talks about what the state of API security is and where it needs to be headed.
 
Timecoded Guide:
[00:00] Bringing a background in finance into the cybersecurity API world
[05:25] "Hacking" a bank’s API using business logic instead of hacking
[12:17] Implementing standard API protocols and processes
[14:27] Flipping the API language and preparing injection threats
[19:03] Evolving defenses over time to meet both new needs and new risks
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
 
What does your current role look like and how does it relate to API security?
Chuck began his career in tech and security in the banking industry, and over time grew particularly concerned with the lack of security around APIs and related technology. Now, as CTO at Wib, Chuck focuses on providing continuous visibility into API attack surfaces. Beyond the newness and the technology of APIs, Chuck explains that there are critical infrastructure and national security ramifications for API security.
“The basic premise is: If you could do it differently, knowing what you know now, what would you build in an API security platform? What I'm bringing to the table is 20 years as a defender in US financial services, where I know what we need from a governance perspective.”
 
Akamai recently ran a study of internet traffic. What were their findings about APIs?
As someone well researched in his work with APIs, Chuck pays close attention to recent studies, like one from Akamai claiming that 91% of its global internet traffic is API traffic. Chuck explains that this is a huge development in the popularity and impact of APIs on global security, especially when relating it to a separate study that estimates 50% of APIs are actually unmanaged. Although this stat seems shocking, many in the industry believe even that estimate is low, and the issue might be even worse than studies are showing.
“91% of the traffic that Akamai handles is API traffic. So, 91% of global internet traffic is API traffic. Another stat which is a little harder to prove estimates that roughly 50% of APIs are completely unmanaged.”
 
You actually performed a hack live on an API, but it wasn't even a hack at all. Can you tell me that story? 
At the most recent Black Hat, Chuck dissected and presented a few case studies, one of which was a bank’s API, hacked using a logic-based attack. Using the errors in business logic present within the banking API, Chuck’s team was able to bypass the front-end system and transfer fees, managing to convert money into more valuable currency over and over again. The wildest part, to both Chuck and the presentation attendees, was that this didn’t require technical hacking; it only required exploiting business logic.
“We didn't tear apart the mobile app and find the stored credentials, the API keys, which are probably in there. We didn't crack any passwords. We just abused the logic, and it responded in the way it was designed and here we are.”
 
If we can’t anticipate every possible business logic flaw or abuse case, how can we reduce the impact and blast radius of API threats?
Reducing the impact of API security threats feels daunting, but Chuck explains that security has to go back to the basics in order to]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1634</itunes:duration>
                <itunes:episode>88</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>What Is (And Isn’t) a CISO with Matthew Lang</title>
        <itunes:title>What Is (And Isn’t) a CISO with Matthew Lang</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/what-is-and-isn-t-a-ciso-with-matthew-lang/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/what-is-and-isn-t-a-ciso-with-matthew-lang/#comments</comments>        <pubDate>Wed, 14 Sep 2022 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/80b79dd9-ea02-3646-bda5-19515795ffb3</guid>
                                    <description><![CDATA[<p>Matthew Lang, former CISO at SECU, former CISO of 3D Systems, and former Chief Petty Officer in the US Navy, comes on down to the Ranch to talk about what it really means to be a CISO. Many folks wear the title of CISO, but the role itself is still often considered a confusing mixed bag when talking about what it entails and who should have this role. Matthew walks through what a CISO is, what a CISO isn’t, and where the bridges between the CISO role and other roles in the company should be.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Defining what a CISO isn’t in order to discover what a CISO is</p>
<p>[06:45] Finding the bridges between CISO & other company roles  </p>
<p>[12:12] Getting things clear between CISO, COO, CIO, and CEO</p>
<p>[16:20] Understanding a CISO’s peers & meeting with security points of contact</p>
<p>[24:49] What the CISO role should be & solidifying the CISO definition </p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p> </p>
<p>What is the CISO not? </p>
<p>The role of CISO, or Chief Information Security Officer, is nuanced and occasionally complicated to define. However, in Matthew’s opinion, the things that a CISO absolutely is not are (1) a BISO, or Business Information Security Officer, and, on the other hand, (2) someone with no experience in information security. The strongest CISOs Matthew has come across know how to combine information security experience with an understanding of business, all while being guided by a desire to protect the company and prevent incidents.</p>
<p>“The CISO is a preventer of something bad happening at the organization. You can't prevent every breach, it's never going to happen, but if the CISO is involved, he can possibly prevent a merger or acquisition that is not in the best interest of the company.”</p>
<p> </p>
<p>Who should the CISO be interfacing with as we bridge in and out of that defined role?</p>
<p>To be an effective CISO, Matt believes that you have to build strong relationships with individuals in departments like legal and HR. Referring to them as security points of contact, Matthew explains that keeping in touch with these individuals can give the CISO the full scope of the company. Additionally, Matthew says that a CISO should always be friends with the COO, or Chief Operating Officer, because those roles depend on essential communication with one another.</p>
<p>“If your company is large enough to have a chief operating officer, the CISO and the COO should be the best of friends, because they rely on each other more than they realize.”</p>
<p> </p>
<p>How does the Board of Directors shape and influence what the CISO is and isn't?</p>
<p>The Board of Directors’ involvement with a company’s CISO can be just as nuanced as the CISO role itself. Matt explains that the largest gaps between a CISO and the Board they have to report to are due to either a weak board structure or a misunderstanding of security amongst Board members. In Matthew’s experience, being thorough in security explanations, and transparent about topics that members may not know, helps to bridge the gap and develop a stronger and more positive relationship between the CISO and the Board.</p>
<p>“I think, personally, CISOs struggle a lot with their presentations to the Board of Directors, because they don't really know what information the Board wants and the Board won't ask them questions.”</p>
<p> </p>
<p>What should be the role of the CISO?</p>
<p>While a large majority of the conversation in this episode is about what a CISO isn’t, Matthew defines what a CISO is using the words “preventer” and “leader.” A CISO should prevent risky behaviors that are not in the best interest of a company, and they lead the cybersecurity division of a company by establishing security and governance practices. Overall, CISOs help a business to meet its goals and go where it wants to go safely and effectively, like a good brake system on a high-end car.</p>
<p>“There's a lot of different responsibilities a CISO could have, but I'm gonna say the role is cybersecurity leadership. They should be responsible for establishing the right security and governance type practices, and a framework to scale the business.” </p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Matthew Lang’s work with the <a href='https://www.ncsecu.org/Home.html'>SECU</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Matthew Lang, former CISO at SECU, former CISO of 3D Systems, and former Chief Petty Officer in the US Navy, comes on down to the Ranch to talk about what it really means to be a CISO. Many folks wear the title of CISO, but the role itself is still often considered a confusing mixed bag when talking about what it entails and who should have this role. Matthew walks through what a CISO is, what a CISO isn’t, and where the bridges between the CISO role and other roles in the company should be.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Defining what a CISO isn’t in order to discover what a CISO is</p>
<p>[06:45] Finding the bridges between CISO & other company roles  </p>
<p>[12:12] Getting things clear between CISO, COO, CIO, and CEO</p>
<p>[16:20] Understanding a CISO’s peers & meeting with security points of contact</p>
<p>[24:49] What the CISO role should be & solidifying the CISO definition </p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p> </p>
<p>What is the CISO not? </p>
<p>The role of CISO, or Chief Information Security Officer, is nuanced and occasionally complicated to define. However, in Matthew’s opinion, the things that a CISO absolutely is not are (1) a BISO, or Business Information Security Officer, and, on the other hand, (2) someone with no experience in information security. The strongest CISOs Matthew has come across know how to combine information security experience with an understanding of business, all while being guided by a desire to protect the company and prevent incidents.</p>
<p><em>“The CISO is a preventer of something bad happening at the organization. You can't prevent every breach, it's never going to happen, but if the CISO is involved, he can possibly prevent a merger or acquisition that is not in the best interest of the company.”</em></p>
<p> </p>
<p>Who should the CISO be interfacing with as we bridge in and out of that defined role?</p>
<p>To be an effective CISO, Matt believes that you have to build strong relationships with individuals in departments like legal and HR. Referring to them as security points of contact, Matthew explains that keeping in touch with these individuals can give the CISO the full scope of the company. Additionally, Matthew says that a CISO should always be friends with the COO, or Chief Operating Officer, because those roles depend on essential communication with one another.</p>
<p><em>“If your company is large enough to have a chief operating officer, the CISO and the COO should be the best of friends, because they rely on each other more than they realize.”</em></p>
<p> </p>
<p>How does the Board of Directors shape and influence what the CISO is and isn't?</p>
<p>The Board of Directors’ involvement with a company’s CISO can be just as nuanced as the CISO role itself. Matt explains that the largest gaps between a CISO and the Board they have to report to are due to either a weak board structure or a misunderstanding of security amongst Board members. In Matthew’s experience, being thorough in security explanations, and transparent about topics that members may not know, helps to bridge the gap and develop a stronger and more positive relationship between the CISO and the Board.</p>
<p><em>“I think, personally, CISOs struggle a lot with their presentations to the Board of Directors, because they don't really know what information the Board wants and the Board won't ask them questions.”</em></p>
<p> </p>
<p>What should be the role of the CISO?</p>
<p>While a large majority of the conversation in this episode is about what a CISO isn’t, Matthew defines what a CISO is using the words “preventer” and “leader.” A CISO should prevent risky behaviors that are not in the best interest of a company, and they lead the cybersecurity division of a company by establishing security and governance practices. Overall, CISOs help a business to meet its goals and go where it wants to go safely and effectively, like a good brake system on a high-end car.</p>
<p><em>“There's a lot of different responsibilities a CISO could have, but I'm gonna say the role is cybersecurity leadership. They should be responsible for establishing the right security and governance type practices, and a framework to scale the business.” </em></p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Matthew Lang’s work with the <a href='https://www.ncsecu.org/Home.html'>SECU</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/k23ssj/CR_audio_MATTHEW_LANG6nqht.mp3" length="46669437" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Matthew Lang, former CISO at SECU, former CISO of 3D Systems, and former Chief Petty Officer in the US Navy, comes on down to the Ranch to talk about what it really means to be a CISO. Many folks wear the title of CISO, but the role itself is still often considered a confusing mixed bag when talking about what it entails and who should have this role. Matthew walks through what a CISO is, what a CISO isn’t, and where the bridges between the CISO role and other roles in the company should be.
 
Timecoded Guide:
[00:00] Defining what a CISO isn’t in order to discover what a CISO is
[06:45] Finding the bridges between CISO & other company roles  
[12:12] Getting things clear between CISO, COO, CIO, and CEO
[16:20] Understanding a CISO’s peers & meeting with security points of contact
[24:49] What the CISO role should be & solidifying the CISO definition 
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
 
What is the CISO not? 
The role of CISO, or Chief Information Security Officer, is nuanced and occasionally complicated to define. However, in Matthew’s opinion, the things that a CISO absolutely is not are (1) a BISO, or Business Information Security Officer, and, on the other hand, (2) someone with no experience in information security. The strongest CISOs Matthew has come across know how to combine information security experience with an understanding of business, all while being guided by a desire to protect the company and prevent incidents.
“The CISO is a preventer of something bad happening at the organization. You can't prevent every breach, it's never going to happen, but if the CISO is involved, he can possibly prevent a merger or acquisition that is not in the best interest of the company.”
 
Who should the CISO be interfacing with as we bridge in and out of that defined role?
To be an effective CISO, Matt believes that you have to build strong relationships with individuals in departments like legal and HR. Referring to them as security points of contact, Matthew explains that keeping in touch with these individuals can give the CISO the full scope of the company. Additionally, Matthew says that a CISO should always be friends with the COO, or Chief Operating Officer, because those roles depend on essential communication with one another.
“If your company is large enough to have a chief operating officer, the CISO and the COO should be the best of friends, because they rely on each other more than they realize.”
 
How does the Board of Directors shape and influence what the CISO is and isn't?
The Board of Directors’ involvement with a company’s CISO can be just as nuanced as the CISO role itself. Matt explains that the largest gaps between a CISO and the Board they have to report to are due to either a weak board structure or a misunderstanding of security amongst Board members. In Matthew’s experience, being thorough in security explanations, and transparent about topics that members may not know, helps to bridge the gap and develop a stronger and more positive relationship between the CISO and the Board.
“I think, personally, CISOs struggle a lot with their presentations to the Board of Directors, because they don't really know what information the Board wants and the Board won't ask them questions.”
 
What should be the role of the CISO?
While a large majority of the conversation in this episode is about what a CISO isn’t, Matthew defines what a CISO is using the words “preventer” and “leader.” A CISO should prevent risky behaviors that are not in the best interest of a company, and they lead the cybersecurity division of a company through establishing security and governance practices. Overall, CISOs help a business to meet goals and go whe]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1944</itunes:duration>
                <itunes:episode>87</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Fighting the Increase in Cyber Attacks with Leon Ravenna</title>
        <itunes:title>Fighting the Increase in Cyber Attacks with Leon Ravenna</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/fighting-the-increase-in-cyber-attacks-with-leon-ravenna/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/fighting-the-increase-in-cyber-attacks-with-leon-ravenna/#comments</comments>        <pubDate>Wed, 07 Sep 2022 05:40:20 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/42f13db5-3ae1-3d97-9ca5-619efb7159a1</guid>
<description><![CDATA[<p>Leon Ravenna, CISO & CIO at KAR Global and former VP of Security & Compliance at Interactive Intelligence, joins Allan this week to talk about the increases in cybersecurity threats and risks: increases in the breadth and depth of various attacks, and increases in our own problems in dealing with those attacks. It has implications for all of us, as we have not necessarily seen an increase in the right defensive capabilities to maintain parity. COVID and work-from-home have not helped either...</p>
<p>Questions covered this show:</p>
<p>1. You mentioned firewall attacks, social engineering, HR/interview/job fraud. Of course, there is ransomware. What else is on the rise?</p>
<p>2. How much has COVID and work-from-home impacted the landscape?</p>
<p>3. What are the vendors doing wrong about this landscape?</p>
<p>4. What are they doing right?</p>
<p>5. So what are the real solutions to these problems? Let’s break it down, starting with ransomware, my personal favorite.</p>
<p>   -Firewall attacks</p>
<p>   -HR/Interview/Job Fraud</p>
<p>   -Phishing</p>
<p>   -Insider Threat (another one possibly impacted by work-from-home and COVID)</p>
<p>   -Credential Stuffing</p>
<p>   -Zero Day Exploits</p>
<p>   -1,000 Day Exploits</p>
<p>6. If everything is on the rise, and if spending in cybersecurity is steadily on the rise (it is a rapidly growing industry), then why aren’t we solving the problems?</p>
<p>7. If you could change any one thing in cybersecurity, what would that thing be?</p>
<p>-------------</p>
<p>Links:</p>
<p>Keep up with Leon Ravenna on <a href='https://www.linkedin.com/in/leonravenna/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
<content:encoded><![CDATA[<p>Leon Ravenna, CISO & CIO at KAR Global and former VP of Security & Compliance at Interactive Intelligence, joins Allan this week to talk about the increases in cybersecurity threats and risks: increases in the breadth and depth of various attacks, and increases in our own problems in dealing with those attacks. It has implications for all of us, as we have not necessarily seen an increase in the right defensive capabilities to maintain parity. COVID and work-from-home have not helped either...</p>
<p>Questions covered this show:</p>
<p>1. You mentioned firewall attacks, social engineering, HR/interview/job fraud.  Of course there is ransomware.  What else is on the rise?</p>
<p>2. How much has COVID and work-from-home impacted the landscape?</p>
<p>3. What are the vendors doing wrong about this landscape?</p>
<p>4. What are they doing right?</p>
<p>5. So what are the real solutions to these problems? Let’s break it down, starting with ransomware, my personal favorite.</p>
<p>   -Firewall attacks</p>
<p>   -HR/Interview/Job Fraud</p>
<p>   -Phishing</p>
<p>   -Insider Threat (another one possibly impacted by work-from-home and COVID)</p>
<p>   -Credential Stuffing</p>
<p>   -Zero Day Exploits</p>
<p>   -1,000 Day Exploits</p>
<p>6. If everything is on the rise, and if spending in cybersecurity is steadily on the rise (it is a rapidly growing industry), then why aren’t we solving the problems?</p>
<p>7. If you could change any one thing in cybersecurity, what would that thing be?</p>
<p>-------------</p>
<p>Links:</p>
<p>Keep up with Leon Ravenna on <a href='https://www.linkedin.com/in/leonravenna/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/amdvmn/leon_ravenna_FINAL6si7g.mp3" length="37879267" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Leon Ravenna, CISO & CIO at KAR Global and former VP of Security & Compliance at Interactive Intelligence, joins Allan this week to talk about the increases in cybersecurity threats and risks - increases in the breadth and depth of various attacks, and increases in our own problems in dealing with those attacks. It has implications for all of us, as we have not necessarily seen a matching increase in the right defensive capabilities to maintain parity. COVID and work-from-home have not helped either...
Questions covered this show:
1. You mentioned firewall attacks, social engineering, HR/interview/job fraud.  Of course there is ransomware.  What else is on the rise?
2. How much has COVID and work-from-home impacted the landscape?
3. What are the vendors doing wrong about this landscape?
4. What are they doing right?
5. So what are the real solutions to these problems? Let’s break it down, starting with ransomware, my personal favorite.
   -Firewall attacks
   -HR/Interview/Job Fraud
   -Phishing
   -Insider Threat (another one possibly impacted by work-from-home and COVID)
   -Credential Stuffing
   -Zero Day Exploits
   -1,000 Day Exploits
6. If everything is on the rise, and if spending in cybersecurity is steadily on the rise (it is a rapidly growing industry), then why aren’t we solving the problems?
7. If you could change any one thing in cybersecurity, what would that thing be?
-------------
Links:
Keep up with Leon Ravenna on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2363</itunes:duration>
                <itunes:episode>86</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Understanding SEC’s Proposal for Cyber Risk Management with Yaron Levi</title>
        <itunes:title>Understanding SEC’s Proposal for Cyber Risk Management with Yaron Levi</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/understanding-sec-s-proposal-for-cyber-risk-management-with-yaron-levi/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/understanding-sec-s-proposal-for-cyber-risk-management-with-yaron-levi/#comments</comments>        <pubDate>Wed, 31 Aug 2022 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/d4f47646-257b-36b2-be6d-df8a4dbf5bbf</guid>
                                    <description><![CDATA[<p>Yaron Levi, current CISO at Dolby and former CISO at Blue Cross Blue Shield in Kansas City, comes down to the Ranch to talk about the March 2022 proposal from the Securities and Exchange Commission (SEC). Titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, this proposal has huge implications for cybersecurity in any publicly traded company. Yaron walks through his research into the proposal and explains what it means for real-world cyber practitioners going forward.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Introducing the Cybersecurity Risk Management Strategy: Governance and Incident Disclosure</p>
<p>[08:45] Explaining filing 8-Ks and 4-day turnaround disclosures</p>
<p>[14:03] Debating the obligations of a third party in an incident (i.e. supply chain)</p>
<p>[16:04] Comparing SEC’s cyber proposal to accounting’s GAAPs</p>
<p>[25:33] Involving the Board of Directors in cyber risk management </p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!
</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p> </p>
<p>This is a proposed set of amendments and not a ruling. What does that mean, in terms of the real world?</p>
<p>Although the proposal was initially released in March 2022, Yaron explains these current rulings have been floating around the industry since 2018 and aren’t expected to become solidified until October 2022. In the meantime, many in the industry are curious about what these regulations mean for any and all cyber practitioners. Yaron understands the concerns many have, but also emphasizes that this is a maturity progression for the cyber industry.</p>
<p>“With everything happening around us over the last several years, we see security becoming a higher priority and a higher maturity in many organizations. By and large, organizations understand that security is not a luxury anymore, or something that doesn't apply to them.”</p>
<p> </p>
<p>Is this proposal starting to put some real pressure on organizations to not just give lip service to cybersecurity?</p>
<p>Lip service to cyber is an unfortunate commonality among publicly traded companies that want to look safe without putting the effort or expertise into security. Thankfully, Yaron believes this SEC proposal will accomplish a great deal in encouraging companies to develop and mature their cybersecurity teams and protocols. As cyber management roles and board integration become a must, lip service will give way to real strategic change and a better understanding of the impacts and implications of security.</p>
<p>“I think, as we mature as an industry, and as we more and more understand the implications and the impacts of security on everything we do, strategy is something that will be very important for us to have. I would assume that every company will need to have one.”</p>
<p> </p>
<p>Is this the right time for people to be excited about if there's gonna be a lot more CISO jobs open up, or if there's gonna be more board seats opening up for CISOs?</p>
<p>Yaron believes this SEC proposal will build on processes and initiatives already in place and continue to elevate the expertise and opportunities within cyber. While many may see an increase in CISO roles and board opportunities, it's important to note that it is not just about roles and jobs; it's about cyber's maturity. Our community, not just in cybersecurity but throughout the world, has become dependent on technology, and it's vital to have individuals leading with maturity and competence to keep these technical processes secure.</p>
<p>“Overall, I think these strategies are a really positive move, in terms of elevating the conversation, educating, providing more expertise, providing more knowledge, which ultimately, all of us will benefit from. All of us, and community and society in general.”</p>
<p> </p>
<p>Do you have any closing thoughts or comments on this SEC proposal?</p>
<p>While Yaron breaks down individual elements of the Securities and Exchange Commission proposal with Allan, he understands that the most essential impact of the proposal is its potential to elevate the industry. Maturity and legitimacy are desperately needed in order to create cybersecurity's own version of generally accepted practices. In the same way that accounting has GAAP, Yaron hopes this SEC proposal is a sign of the cyber industry growing up, coming into its own, and creating more secure processes in risk assessment.</p>
<p>“These proposals are part of our maturity progression and are part of our growing up as an industry and as a practice. This is something that we have to evolve into. We can probably look at other industries and figure out what we can learn and leverage from them.”</p>
<p>-------------</p>
<p>Links:</p>
<p>Keep up with Yaron Levi on <a href='https://twitter.com/0xl3v1'>Twitter</a> and <a href='https://www.linkedin.com/in/yaronrl/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Yaron Levi, current CISO at Dolby and former CISO at Blue Cross Blue Shield in Kansas City, comes down to the Ranch to talk about the March 2022 proposal from the Securities and Exchange Commission (SEC). Titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, this proposal has huge implications for cybersecurity in any publicly traded company. Yaron walks through his research into the proposal and explains what it means for real-world cyber practitioners going forward.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Introducing the Cybersecurity Risk Management Strategy: Governance and Incident Disclosure</p>
<p>[08:45] Explaining filing 8-Ks and 4-day turnaround disclosures</p>
<p>[14:03] Debating the obligations of a third party in an incident (i.e. supply chain)</p>
<p>[16:04] Comparing SEC’s cyber proposal to accounting’s GAAPs</p>
<p>[25:33] Involving the Board of Directors in cyber risk management </p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!<br>
</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p> </p>
<p>This is a proposed set of amendments and not a ruling. What does that mean, in terms of the real world?</p>
<p>Although the proposal was initially released in March 2022, Yaron explains these current rulings have been floating around the industry since 2018 and aren’t expected to become solidified until October 2022. In the meantime, many in the industry are curious about what these regulations mean for any and all cyber practitioners. Yaron understands the concerns many have, but also emphasizes that this is a maturity progression for the cyber industry.</p>
<p><em>“With everything happening around us over the last several years, we see security becoming a higher priority and a higher maturity in many organizations. By and large, organizations understand that security is not a luxury anymore, or something that doesn't apply to them.”</em></p>
<p> </p>
<p>Is this proposal starting to put some real pressure on organizations to not just give lip service to cybersecurity?</p>
<p>Lip service to cyber is an unfortunate commonality among publicly traded companies that want to look safe without putting the effort or expertise into security. Thankfully, Yaron believes this SEC proposal will accomplish a great deal in encouraging companies to develop and mature their cybersecurity teams and protocols. As cyber management roles and board integration become a must, lip service will give way to real strategic change and a better understanding of the impacts and implications of security.</p>
<p><em>“I think, as we mature as an industry, and as we more and more understand the implications and the impacts of security on everything we do, strategy is something that will be very important for us to have. I would assume that every company will need to have one.”</em></p>
<p> </p>
<p>Is this the right time for people to be excited about if there's gonna be a lot more CISO jobs open up, or if there's gonna be more board seats opening up for CISOs?</p>
<p>Yaron believes this SEC proposal will build on processes and initiatives already in place and continue to elevate the expertise and opportunities within cyber. While many may see an increase in CISO roles and board opportunities, it's important to note that it is not just about roles and jobs; it's about cyber's maturity. Our community, not just in cybersecurity but throughout the world, has become dependent on technology, and it's vital to have individuals leading with maturity and competence to keep these technical processes secure.</p>
<p><em>“Overall, I think these strategies are a really positive move, in terms of elevating the conversation, educating, providing more expertise, providing more knowledge, which ultimately, all of us will benefit from. All of us, and community and society in general.”</em></p>
<p> </p>
<p>Do you have any closing thoughts or comments on this SEC proposal?</p>
<p>While Yaron breaks down individual elements of the Securities and Exchange Commission proposal with Allan, he understands that the most essential impact of the proposal is its potential to elevate the industry. Maturity and legitimacy are desperately needed in order to create cybersecurity's own version of generally accepted practices. In the same way that accounting has GAAP, Yaron hopes this SEC proposal is a sign of the cyber industry growing up, coming into its own, and creating more secure processes in risk assessment.</p>
<p><em>“These proposals are part of our maturity progression and are part of our growing up as an industry and as a practice. This is something that we have to evolve into. We can probably look at other industries and figure out what we can learn and leverage from them.”</em></p>
<p>-------------</p>
<p>Links:</p>
<p>Keep up with Yaron Levi on <a href='https://twitter.com/0xl3v1'>Twitter</a> and <a href='https://www.linkedin.com/in/yaronrl/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/pufrpj/CR_85_audio_YARON_LEVI_v2bmzxy.mp3" length="46800271" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Yaron Levi, current CISO at Dolby and former CISO at Blue Cross Blue Shield in Kansas City, comes down to the Ranch to talk about the March 2022 proposal from the Securities and Exchange Commission (SEC). Titled Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, this proposal has huge implications for cybersecurity in any publicly traded company. Yaron walks through his research into the proposal and explains what it means for real-world cyber practitioners going forward.
 
Timecoded Guide:
[00:00] Introducing the Cybersecurity Risk Management Strategy: Governance and Incident Disclosure
[08:45] Explaining filing 8-Ks and 4-day turnaround disclosures
[14:03] Debating the obligations of a third party in an incident (i.e. supply chain)
[16:04] Comparing SEC’s cyber proposal to accounting’s GAAPs
[25:33] Involving the Board of Directors in cyber risk management 
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
 
This is a proposed set of amendments and not a ruling. What does that mean, in terms of the real world?
Although the proposal was initially released in March 2022, Yaron explains these current rulings have been floating around the industry since 2018 and aren’t expected to become solidified until October 2022. In the meantime, many in the industry are curious about what these regulations mean for any and all cyber practitioners. Yaron understands the concerns many have, but also emphasizes that this is a maturity progression for the cyber industry.
“With everything happening around us over the last several years, we see security becoming a higher priority and a higher maturity in many organizations. By and large, organizations understand that security is not a luxury anymore, or something that doesn't apply to them.”
 
Is this proposal starting to put some real pressure on organizations to not just give lip service to cybersecurity?
Lip service to cyber is an unfortunate commonality among publicly traded companies that want to look safe without putting the effort or expertise into security. Thankfully, Yaron believes this SEC proposal will accomplish a great deal in encouraging companies to develop and mature their cybersecurity teams and protocols. As cyber management roles and board integration become a must, lip service will give way to real strategic change and a better understanding of the impacts and implications of security.
“I think, as we mature as an industry, and as we more and more understand the implications and the impacts of security on everything we do, strategy is something that will be very important for us to have. I would assume that every company will need to have one.”
 
Is this the right time for people to be excited about if there's gonna be a lot more CISO jobs open up, or if there's gonna be more board seats opening up for CISOs?
Yaron believes this SEC proposal will build on processes and initiatives already in place and continue to elevate the expertise and opportunities within cyber. While many may see an increase in CISO roles and board opportunities, it's important to note that it is not just about roles and jobs; it's about cyber's maturity. Our community, not just in cybersecurity but throughout the world, has become dependent on technology, and it's vital to have individuals leading with maturity and competence to keep these technical processes secure.
“Overall, I think these strategies are a really positive move, in terms of elevating the conversation, educating, providing more expertise, providing more knowledge, which ultimately, all of us will benefit from. All of us, and community and society in general.”
 
Do you have any closing thoughts or comments on this SEC proposal?
While Yar]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1949</itunes:duration>
                <itunes:episode>85</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Ask CISO Allan Alford Anything pt. 2</title>
        <itunes:title>Ask CISO Allan Alford Anything pt. 2</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/ask-ciso-allan-alford-anything-pt-2/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/ask-ciso-allan-alford-anything-pt-2/#comments</comments>        <pubDate>Wed, 24 Aug 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/37527318-d8df-344c-a1ca-ff5c3cf41554</guid>
                                    <description><![CDATA[<p>Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, resumes his session of AMA, or “ask me anything,” to cover the remaining questions left by curious cybersecurity practitioners on his LinkedIn. Previously, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, Allan continues to walk through every topic under the cybersecurity umbrella and give further insight into what it means to be a CISO.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Avoiding FUD (fear, uncertainty, and doubt) in your next cyber risk discussion </p>
<p>[06:10] Facing stressful ransomware situations without proper preparation</p>
<p>[12:11] Hiring hackers as team members & debating the ethics of black hat hackers</p>
<p>[21:20] Addressing cyber risk in an accessible way for your organization's board</p>
<p>[26:41] Understanding the past, present, & future of cybersecurity insurance</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!
</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p> </p>
<p>Are you comfortable turning on the light in a dark room so we can see what we’re really dealing with? [from: Karen Andersen]</p>
<p>There’s a perception (and not a wrong one) that the CISO’s role is to turn on the light in a dark room and show a company what its biggest cybersecurity risks truly are. However true this may be, Allan wants to point out that explaining the risks to team members and socializing them has to be done without inspiring FUD. FUD, also known as fear, uncertainty, and doubt, creates panic around the risks an organization faces every day and only succeeds in unnecessarily stressing out practitioners without a solution in sight.</p>
<p>“It’s very important not to fall into the trap of FUD: fear, uncertainty, and doubt. There’s a difference between socializing what’s wrong, and scaring people with what’s wrong. If you’re going to bring up the risks, at least bring up the beginnings of a solution.”</p>
<p> </p>
<p>How effective do you think it would be to hire an actual hacker as a team member? [from: Jaden Turner]</p>
<p>With open positions, skills gaps, and labor shortages in cyber, the answer to the industry’s problems might lie either with people outside of the industry or with people who were once on the “wrong” side of it. Although Allan has worked with black hats in the past, he explains that hiring former black hat hackers is still a morality question for a lot of C-suite executives. Their work is often highly skillful and impactful, Allan explains, but many still question what it means to hire professionals who have moved from black hat to white hat.</p>
<p>“I think the bad guys probably have honed their skills better than the red team or the white hats, but then, you get into the morality questions. Do I want to support somebody who was once on the wrong side? Do I believe in reform and giving people a second chance?”</p>
<p> </p>
<p>What’s the most difficult decision that you’ve had to make as a CISO that was not directly security related? [from: Brad Voris]</p>
<p>As Allan has gone through five different positions now as a CISO, he has seen it all on the cybersecurity side and the business side. While the cybersecurity decisions are stressful and high risk, Allan explains that there are very difficult decisions to make from a business point of view. Sometimes, a CISO has to make a choice to do what’s right for the business, even if that means that budget, personnel, or materials will be taken away from their security team.</p>
<p>“As a CISO, treating the business as a separate entity makes no sense to me. You have to be part of the business and actively accept that part of your role. There are business decisions that I've had to make that were right for the business and wrong for the security side, per se.”</p>
<p> </p>
<p>How do you help other board members make sense of the cyber threat landscape? Why is addressing cyber risks crucial to any company? [from: Ulrich Baum]</p>
<p>Although reporting to a board is often an essential responsibility of any CISO’s role, Allan explains that making sense of the cyber threat landscape relies on you being flexible, not your board. The board of your company requires a certain level of reporting and often responds best to a specific format. Instead of fearing a change, embrace the current board you have and learn what makes them tick. Addressing cyber risks is crucial to any company, and having the board understand you fully ensures success for your security team.</p>
<p>“There’s a board that was there before you were there, and you need to learn their ways and means. You need to learn what their concepts of risk are and you need to tailor your cyber risks to fit into that model.”</p>
<p>-------------</p>
<p>Links:</p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, resumes his session of AMA, or “ask me anything,” to cover the remaining questions left by curious cybersecurity practitioners on his LinkedIn. Previously, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, Allan continues to walk through every topic under the cybersecurity umbrella and give further insight into what it means to be a CISO.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Avoiding FUD (fear, uncertainty, and doubt) in your next cyber risk discussion </p>
<p>[06:10] Facing stressful ransomware situations without proper preparation</p>
<p>[12:11] Hiring hackers as team members & debating the ethics of black hat hackers</p>
<p>[21:20] Addressing cyber risk in an accessible way for your organization's board</p>
<p>[26:41] Understanding the past, present, & future of cybersecurity insurance</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!<br>
</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p> </p>
<p>Are you comfortable turning on the light in a dark room so we can see what we’re really dealing with? [from: Karen Andersen]</p>
<p>There’s a perception (and not a wrong one) that the CISO’s role is to turn on the light in a dark room and show a company what its biggest cybersecurity risks truly are. However true this may be, Allan wants to point out that explaining the risks to team members and socializing them has to be done without inspiring FUD. FUD, also known as fear, uncertainty, and doubt, creates panic around the risks an organization faces every day and only succeeds in unnecessarily stressing out practitioners without a solution in sight.</p>
<p><em>“It’s very important not to fall into the trap of FUD: fear, uncertainty, and doubt. There’s a difference between socializing what’s wrong, and scaring people with what’s wrong. If you’re going to bring up the risks, at least bring up the beginnings of a solution.”</em></p>
<p> </p>
<p>How effective do you think it would be to hire an actual hacker as a team member? [from: Jaden Turner]</p>
<p>With open positions, skills gaps, and labor shortages in cyber, the answer to the industry’s problems might lie either with people outside of the industry or with people who were once on the “wrong” side of it. Although Allan has worked with black hats in the past, he explains that hiring former black hat hackers is still a morality question for a lot of C-suite executives. Their work is often highly skillful and impactful, Allan explains, but many still question what it means to hire professionals who have moved from black hat to white hat.</p>
<p><em>“I think the bad guys probably have honed their skills better than the red team or the white hats, but then, you get into the morality questions. Do I want to support somebody who was once on the wrong side? Do I believe in reform and giving people a second chance?”</em></p>
<p> </p>
<p>What’s the most difficult decision that you’ve had to make as a CISO that was not directly security related? [from: Brad Voris]</p>
<p>As Allan has gone through five different positions now as a CISO, he has seen it all on the cybersecurity side and the business side. While the cybersecurity decisions are stressful and high risk, Allan explains that there are very difficult decisions to make from a business point of view. Sometimes, a CISO has to make a choice to do what’s right for the business, even if that means that budget, personnel, or materials will be taken away from their security team.</p>
<p><em>“As a CISO, treating the business as a separate entity makes no sense to me. You have to be part of the business and actively accept that part of your role. There are business decisions that I've had to make that were right for the business and wrong for the security side, per se.”</em></p>
<p> </p>
<p>How do you help other board members make sense of the cyber threat landscape? Why is addressing cyber risks crucial to any company? [from: Ulrich Baum]</p>
<p>Although reporting to a board is often an essential responsibility of any CISO’s role, Allan explains that making sense of the cyber threat landscape relies on you being flexible, not your board. The board of your company requires a certain level of reporting and often responds best to a specific format. Instead of fearing a change, embrace the current board you have and learn what makes them tick. Addressing cyber risks is crucial to any company, and having the board understand you fully ensures success for your security team.</p>
<p><em>“There’s a board that was there before you were there, and you need to learn their ways and means. You need to learn what their concepts of risk are and you need to tailor your cyber risks to fit into that model.”</em></p>
<p>-------------</p>
<p>Links:</p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/zkq68w/CR_84_audio_Allan_Alford_AMA26epet.mp3" length="51774193" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, resumes his session of AMA, or “ask me anything,” to cover the remaining questions left by curious cybersecurity practitioners on his LinkedIn. Previously, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, Allan continues to walk through every topic under the cybersecurity umbrella and give further insight into what it means to be a CISO.
 
Timecoded Guide:
[00:00] Avoiding FUD (fear, uncertainty, and doubt) in your next cyber risk discussion 
[06:10] Facing stressful ransomware situations without proper preparation
[12:11] Hiring hackers as team members & debating the ethics of black hat hackers
[21:20] Addressing cyber risk in an accessible way for your organization's board
[26:41] Understanding the past, present, & future of cybersecurity insurance
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
 
Are you comfortable turning on the light in a dark room so we can see what we’re really dealing with? [from: Karen Andersen]
There’s a perception (and not a wrong one) that the CISO’s role is to turn on the light in a dark room and show a company what their biggest cybersecurity risks truly are. However true this may be, Allan wants to point out that explaining the risks and socializing them with team members has to be done without inspiring FUD. FUD, which stands for fear, uncertainty, and doubt, creates panic around the risks an organization faces every day and only succeeds in unnecessarily stressing out practitioners without a solution in sight. 
“It’s very important not to fall into the trap of FUD: fear, uncertainty, and doubt. There’s a difference between socializing what’s wrong, and scaring people with what’s wrong. If you’re going to bring up the risks, at least bring up the beginnings of a solution.”
 
How effective do you think it would be to hire an actual hacker as a team member? [from: Jaden Turner]
With open positions, skills gaps, and labor shortages in cyber, the answer to the industry’s problems might either fall into the category of people outside of the industry or people who were once on the “wrong” side of it. Although Allan has worked with black hats in the past, he explains that hiring former black hat hackers is still a morality question for a lot of C-suite executives. Their work is often highly skillful and impactful, Allan explains, but many still question what it means to hire professionals who have moved from black hat to white hat.
“I think the bad guys probably have honed their skills better than the red team or the white hats, but then, you get into the morality questions. Do I want to support somebody who was once on the wrong side? Do I believe in reform and giving people a second chance?”
 
What’s the most difficult decision that you’ve had to make as a CISO that was not directly security related? [from: Brad Voris]
As Allan has gone through five different positions now as a CISO, he has seen it all on the cybersecurity side and the business side. While the cybersecurity decisions are stressful and high risk, Allan explains that there are very difficult decisions to make from a business point of view. Sometimes, a CISO has to make a choice to do what’s right for the business, even if that means that budget, personnel, or materials will be taken away from their security team.
“As a CISO, treating the business as a separate entity makes no sense to me. You have to be part of the business and actively accept that part of your role. There are business decisions that I've had to make that were right for the business and wrong for the security side, per se.”
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2157</itunes:duration>
                <itunes:episode>84</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Ask CISO Allan Alford Anything</title>
        <itunes:title>Ask CISO Allan Alford Anything</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/ask-ciso-allan-alford-anything/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/ask-ciso-allan-alford-anything/#comments</comments>
        <pubDate>Wed, 17 Aug 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/43f5c337-33f2-3fcc-99d9-5113fa85e38e</guid>
                                    <description><![CDATA[<p>Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, changes things up this week with a session of AMA, or “ask me anything”. Instead of hosting a guest, Allan takes center stage. On LinkedIn, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, he walks through every topic under the cybersecurity umbrella and gives further insight into what it means to be a CISO.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Seeing the best of the job in the often thankless role of CISO</p>
<p>[06:04] Building teams through learning strengths vs the negative perception of employee poaching</p>
<p>[09:50] Starting out in IT & transitioning to CISO through consistent skill-building</p>
<p>[15:18] Learning from past CISO mistakes & embracing business first, risk second, cyber third</p>
<p>[27:23] Understanding the industry with a technical CISO point of view & a hacker’s mindset</p>
<p>[38:06] Managing the many highs and lows of becoming a CISO</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Axonius gives its customers a comprehensive, always up-to-date asset inventory, helps uncover security gaps, and automates as much of the manual remediation as you want. Give your team's time back by checking out Axonius at <a href='https://www.axonius.com/platform/cybersecurity-asset-management'>axonius.com/platform/cybersecurity-asset-management</a> </p>
<p> </p>
<p>What skills and education level helped you land your first CISO position? [from: John Rosario]</p>
<p>Although he’s taken numerous CISO roles since his first position, Allan is quick to admit that he never applied for his first CISO gig. Instead, he was tapped on the shoulder and asked. Beginning his career in IT, Allan found opportunities when the company he was working for seemed to be lacking in the security space. Diving into product security after his roles in IT, Allan found himself asked by a CIO to combine his backgrounds and become a CISO.</p>
<p>“I was always the guy that played with the security stuff back in those days. I had a good product security background, and ultimately, parlayed those into a combined role when I became a CISO.”</p>
<p> </p>
<p>Talking to your younger self: What’s the most important thing you would do differently after the knowledge you have from five gigs? [from: Ori Stein]</p>
<p>Compromise is king, even in the C suite, but Allan didn’t understand this as an early-stage CISO. Instead, Allan feels regret in recalling his lack of willingness to see other business concerns beyond security. He feels as if a successful, impactful CISO needs to not only prioritize security as their mission, but also needs to see the bigger picture of why a budget line or resource has to be used for something other than security at certain points in time.</p>
<p>“I think that was probably my single biggest failing as an early CISO: taking the security mission to be the penultimate mission of the company and refusing to acknowledge there were other business pressures and needs, where perhaps security had to take a backseat.”</p>
<p> </p>
<p>What keeps you going in the field beyond passion for security, amidst the talent shortage, lack of cultural understanding, internal corporate budget challenges, and high stress? [from: Stephan Timler] </p>
<p>Cybersecurity is already a high-stakes, high-stress industry. However, pressures from staffing shortages, skills gaps, and budgeting challenges (all of which got worse during the pandemic) create an environment that burns out employees, including CISOs. For Allan, keeping himself going relies on a combination of his calling to help others, his love for the industry, and his own hacker-mindset curiosity to find out not only how something works, but also how to make it work in his favor. </p>
<p>“Number one, for me, is that it truly is a noble calling. I don't think we should ever lose sight of that. We are the good guys doing the right thing for the right players and the right people. It's a noble calling.”</p>
<p> </p>
<p>What's the best and worst thing about being a CISO? [from: Ofer Shaked] </p>
<p>There’s a great deal of ups and downs that come from being a CISO, but thankfully, a major positive has been being able to answer the noble calling to help organizations become more secure. When a CISO can look back and see how well an organization has done because of them, Allan describes this feeling as invaluable. On the unfortunate flipside, being a CISO for an organization that doesn’t understand the role and only wants someone to check boxes can be extremely disheartening. Allan warns that he’s yet to meet a CISO that hasn’t encountered that at some point in their career.</p>
<p>“When you can look back on your body of work, and see that it had a meaningful impact; you can look at this organization and know this place is more secure than it was when you walked in the door…that’s probably the best feeling [for a CISO].”</p>
<p>-------------</p>
<p>Links:</p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, changes things up this week with a session of AMA, or “ask me anything”. Instead of hosting a guest, Allan takes center stage. On LinkedIn, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, he walks through every topic under the cybersecurity umbrella and gives further insight into what it means to be a CISO.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Seeing the best of the job in the often thankless role of CISO</p>
<p>[06:04] Building teams through learning strengths vs the negative perception of employee poaching</p>
<p>[09:50] Starting out in IT & transitioning to CISO through consistent skill-building</p>
<p>[15:18] Learning from past CISO mistakes & embracing business first, risk second, cyber third</p>
<p>[27:23] Understanding the industry with a technical CISO point of view & a hacker’s mindset</p>
<p>[38:06] Managing the many highs and lows of becoming a CISO</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Axonius gives its customers a comprehensive, always up-to-date asset inventory, helps uncover security gaps, and automates as much of the manual remediation as you want. Give your team's time back by checking out Axonius at <a href='https://www.axonius.com/platform/cybersecurity-asset-management'>axonius.com/platform/cybersecurity-asset-management</a> </p>
<p> </p>
<p>What skills and education level helped you land your first CISO position? [from: John Rosario]</p>
<p>Although he’s taken numerous CISO roles since his first position, Allan is quick to admit that he never applied for his first CISO gig. Instead, he was tapped on the shoulder and asked. Beginning his career in IT, Allan found opportunities when the company he was working for seemed to be lacking in the security space. Diving into product security after his roles in IT, Allan found himself asked by a CIO to combine his backgrounds and become a CISO.</p>
<p><em>“I was always the guy that played with the security stuff back in those days. I had a good product security background, and ultimately, parlayed those into a combined role when I became a CISO.”</em></p>
<p> </p>
<p>Talking to your younger self: What’s the most important thing you would do differently after the knowledge you have from five gigs? [from: Ori Stein]</p>
<p>Compromise is king, even in the C suite, but Allan didn’t understand this as an early-stage CISO. Instead, Allan feels regret in recalling his lack of willingness to see other business concerns beyond security. He feels as if a successful, impactful CISO needs to not only prioritize security as their mission, but also needs to see the bigger picture of why a budget line or resource has to be used for something other than security at certain points in time.</p>
<p><em>“I think that was probably my single biggest failing as an early CISO: taking the security mission to be the penultimate mission of the company and refusing to acknowledge there were other business pressures and needs, where perhaps security had to take a backseat.”</em></p>
<p> </p>
<p>What keeps you going in the field beyond passion for security, amidst the talent shortage, lack of cultural understanding, internal corporate budget challenges, and high stress? [from: Stephan Timler] </p>
<p>Cybersecurity is already a high-stakes, high-stress industry. However, pressures from staffing shortages, skills gaps, and budgeting challenges (all of which got worse during the pandemic) create an environment that burns out employees, including CISOs. For Allan, keeping himself going relies on a combination of his calling to help others, his love for the industry, and his own hacker-mindset curiosity to find out not only how something works, but also how to make it work in his favor. </p>
<p><em>“Number one, for me, is that it truly is a noble calling. I don't think we should ever lose sight of that. We are the good guys doing the right thing for the right players and the right people. It's a noble calling.”</em></p>
<p> </p>
<p>What's the best and worst thing about being a CISO? [from: Ofer Shaked] </p>
<p>There’s a great deal of ups and downs that come from being a CISO, but thankfully, a major positive has been being able to answer the noble calling to help organizations become more secure. When a CISO can look back and see how well an organization has done because of them, Allan describes this feeling as invaluable. On the unfortunate flipside, being a CISO for an organization that doesn’t understand the role and only wants someone to check boxes can be extremely disheartening. Allan warns that he’s yet to meet a CISO that hasn’t encountered that at some point in their career.</p>
<p><em>“When you can look back on your body of work, and see that it had a meaningful impact; you can look at this organization and know this place is more secure than it was when you walked in the door…that’s probably the best feeling [for a CISO].”</em></p>
<p>-------------</p>
<p>Links:</p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/v28gym/CR_audio_Allan_Alford_v28fl6n.mp3" length="57939315" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, changes things up this week with a session of AMA, or “ask me anything”. Instead of hosting a guest, Allan takes center stage. On LinkedIn, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, he walks through every topic under the cybersecurity umbrella and gives further insight into what it means to be a CISO.
 
Timecoded Guide:
[00:00] Seeing the best of the job in the often thankless role of CISO
[06:04] Building teams through learning strengths vs the negative perception of employee poaching
[09:50] Starting out in IT & transitioning to CISO through consistent skill-building
[15:18] Learning from past CISO mistakes & embracing business first, risk second, cyber third
[27:23] Understanding the industry with a technical CISO point of view & a hacker’s mindset
[38:06] Managing the many highs and lows of becoming a CISO
 
Sponsor Links:
Axonius gives its customers a comprehensive, always up-to-date asset inventory, helps uncover security gaps, and automates as much of the manual remediation as you want. Give your team's time back by checking out Axonius at axonius.com/platform/cybersecurity-asset-management 
 
What skills and education level helped you land your first CISO position? [from: John Rosario]
Although he’s taken numerous CISO roles since his first position, Allan is quick to admit that he never applied for his first CISO gig. Instead, he was tapped on the shoulder and asked. Beginning his career in IT, Allan found opportunities when the company he was working for seemed to be lacking in the security space. Diving into product security after his roles in IT, Allan found himself asked by a CIO to combine his backgrounds and become a CISO.
“I was always the guy that played with the security stuff back in those days. I had a good product security background, and ultimately, parlayed those into a combined role when I became a CISO.”
 
Talking to your younger self: What’s the most important thing you would do differently after the knowledge you have from five gigs? [from: Ori Stein]
Compromise is king, even in the C suite, but Allan didn’t understand this as an early-stage CISO. Instead, Allan feels regret in recalling his lack of willingness to see other business concerns beyond security. He feels as if a successful, impactful CISO needs to not only prioritize security as their mission, but also needs to see the bigger picture of why a budget line or resource has to be used for something other than security at certain points in time.
“I think that was probably my single biggest failing as an early CISO: taking the security mission to be the penultimate mission of the company and refusing to acknowledge there were other business pressures and needs, where perhaps security had to take a backseat.”
 
What keeps you going in the field beyond passion for security, amidst the talent shortage, lack of cultural understanding, internal corporate budget challenges, and high stress? [from: Stephan Timler] 
Cybersecurity is already a high-stakes, high-stress industry. However, pressures from staffing shortages, skills gaps, and budgeting challenges (all of which got worse during the pandemic) create an environment that burns out employees, including CISOs. For Allan, keeping himself going relies on a combination of his calling to help others, his love for the industry, and his own hacker-mindset curiosity to find out not only how something works, but also how to make it work in his favor. 
“Number one, for me, is that it truly is a noble calling. I don't think we should ever lose sight of that. We are the good guys doing the right thing for the right players and the right people. It's a noble calling.”
 
What's the best and worst thing about being a CISO? [from: Ofer Shaked] 
There’s a great deal of ups and downs that come from being a CISO, but thankful]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2413</itunes:duration>
                <itunes:episode>83</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>When a CISO Writes a Book with George Finney &amp; Robert Pace</title>
        <itunes:title>When a CISO Writes a Book with George Finney &amp; Robert Pace</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/when-a-ciso-writes-a-book-with-george-finney-robert-pace/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/when-a-ciso-writes-a-book-with-george-finney-robert-pace/#comments</comments>
        <pubDate>Wed, 10 Aug 2022 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/12487a8f-35d9-355d-9571-fe0af28f3f99</guid>
                                    <description><![CDATA[<p>Cybersecurity practitioners give back to the community by recording YouTube videos, interviewing in magazines, or creating podcasts, just like this one. However, books remain a fantastic method of delivering information and impacting lives that shouldn’t be forgotten with the rise of social media. Allan tallied it up, and thus far nine of his friends have written books. He has been approached about writing one himself, and he wanted to get the inside track on the process. George Finney, CISO at SMU, and Robert Pace, CISO at Invitation Homes, explain the ups and downs of writing books from a cyber perspective. This interview with George and Robert was recorded LIVE! at the CISO XC 2022 conference.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Introducing the cybersecurity and the personal books George and Robert write</p>
<p>[08:28] Overcoming writing challenges in order to help others with your book</p>
<p>[15:16] Understanding the monetary gains and losses of book writing </p>
<p>[23:59] Being purposeful, intentional, and useful with the book you write</p>
<p>[30:02] Advising potential writers on if they should write their book or not</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p> </p>
<p>What made you choose books as your way to give back to the cyber community? </p>
<p>There are numerous ways to give back to the cybersecurity community, including more modern methods such as online videos and social media posts. However, books offered George and Robert a means of expressing their feelings and beliefs about cyber and about life that felt unique and special to them. For George, writing books fulfills his dream of being a writer, a passion he’s had since he was a kid, and allows him to combine that dream with his passion for bettering the cybersecurity industry.</p>
<p>“My passion is really around cybersecurity. I really wanted to bring these two things (cybersecurity and writing) together in my life, and do something that I think only I can do, from my unique experiences, my unique perspective." — George Finney</p>
<p> </p>
<p>What were the biggest challenges you faced while writing your book? </p>
<p>Writing a book takes time and requires vulnerability. George and Robert are very familiar with those challenges. Facing these challenges often involves facing yourself, your wants, and your experiences. Robert especially felt challenged in writing his book because it was a personal story about losing his mother. Stepping out of his comfort zone to write about his personal life felt like a massive leap of faith, but he’s enjoyed impacting others with this story.</p>
<p>“Writing necessarily means that the time you dedicate to it is going to be spent in isolation. If you're spending 10 hours or 20, that's time you're not with your family, that's not time where you're going out, having fun. That's time you're on your own alone.” — George Finney</p>
<p> </p>
<p>When you look at the time and effort that went into it, was writing a book worth it? </p>
<p>As Allan shares, podcasting with the Cyber Ranch podcast has offered him an avenue of success, but book writing does not always pay off monetarily. George and Robert have found other ways of seeing the value in their work, but as George especially explains, there are a lot of costs associated with writing a book that many aspiring writers don’t consider. Marketing in particular brings costs that many don’t expect when writing their first book.</p>
<p>“Mine has not proven to be successful to where I can retire from the job, but there is a feeling of richness that you can get from helping folks along the way. That has been a very fulfilling point.” — Robert Pace</p>
<p> </p>
<p>If somebody wants to write a book, what's the best piece of advice you have for them?</p>
<p>If you want to write a book, Robert and George genuinely believe you should go for it. A writer doesn’t have to know everything to write a book, but they do need to understand their audience and intentions with the book they want to author. Aspiring authors, according to Robert, need to be especially cautious of how pride can negatively impact the writing process. Don’t be afraid to ask for help, Robert says, but don’t let pride get in the way of accepting that help, especially from editors and other educated writers. </p>
<p>“I will say when you want to write a book, remove your pride because it will get hurt if you keep it out there. Everyone is not going to like what you write. We're coming from a cyber perspective, we don't write like the guys that have majored in English.” — Robert Pace</p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about George Finney on <a href='https://www.linkedin.com/in/georgefinney/'>LinkedIn</a> and buy George’s books, <a href='https://www.amazon.com/dp/1626347352/ref=tsm_1_fb_lk'>Well Aware</a>, <a href='https://www.amazon.com/More-Magic-Wands-Transformative-Cybersecurity-ebook/dp/B01L4CIMHK'>No More Magic Wands</a>, and <a href='https://www.amazon.com/dp/1119884845/ref=tsm_1_fb_lk'>Project Zero Trust</a></p>
<p>Keep up with Robert Pace on <a href='https://www.linkedin.com/in/robert-pace-04b7a452/'>LinkedIn</a> and buy Robert’s book, <a href='https://www.amazon.com/gp/product/B094YSYQX7/ref=x_gr_w_glide_sin?caller=Goodreads&callerLink=https%3A%2F%2Fwww.goodreads.com%2Fbook%2Fshow%2F42281086-i-understand-you-forgot-to-say-goodbye%3Ffrom_search%3Dtrue%26from_srp%3Dtrue%26qid%3Dpe7b1ViTOt%26rank%3D24&tag=x_gr_w_glide_sin-20'>I Understand… You Forgot to Say Goodbye.</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Cybersecurity practitioners give back to the community by recording YouTube videos, interviewing in magazines, or creating podcasts, just like this one. However, books remain a fantastic method of delivering information and impacting lives that shouldn’t be forgotten with the rise of social media. Allan tallied it up, and thus far nine of his friends have written books. He has been approached about writing one himself, and he wanted to get the inside track on the process. George Finney, CISO at SMU, and Robert Pace, CISO at Invitation Homes, explain the ups and downs of writing books from a cyber perspective. This interview with George and Robert was recorded LIVE! at the CISO XC 2022 conference.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Introducing the cybersecurity and the personal books George and Robert write</p>
<p>[08:28] Overcoming writing challenges in order to help others with your book</p>
<p>[15:16] Understanding the monetary gains and losses of book writing </p>
<p>[23:59] Being purposeful, intentional, and useful with the book you write</p>
<p>[30:02] Advising potential writers on if they should write their book or not</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!<br>
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p> </p>
<p>What made you choose books as your way to give back to the cyber community? </p>
<p>There are numerous ways to give back to the cybersecurity community, including more modern methods such as online videos and social media posts. However, books offered George and Robert a means of expressing their feelings and beliefs about cyber and about life that felt unique and special to them. For George, writing books fulfills his dream of being a writer, a passion he’s had since he was a kid, and allows him to combine that dream with his passion for bettering the cybersecurity industry.</p>
<p><em>“My passion is really around cybersecurity. I really wanted to bring these two things (cybersecurity and writing) together in my life, and do something that I think only I can do, from my unique experiences, my unique perspective." — George Finney</em></p>
<p> </p>
<p>What were the biggest challenges you faced while writing your book? </p>
<p>Writing a book takes time and requires vulnerability. George and Robert are very familiar with those challenges. Facing these challenges often involves facing yourself, your wants, and your experiences. Robert especially felt challenged in writing his book because it was a personal story about losing his mother. Stepping out of his comfort zone to write about his personal life felt like a massive leap of faith, but he’s enjoyed impacting others with this story.</p>
<p><em>“Writing necessarily means that the time you dedicate to it is going to be spent in isolation. If you're spending 10 hours or 20, that's time you're not with your family, that's not time where you're going out, having fun. That's time you're on your own alone.” — George Finney</em></p>
<p> </p>
<p>When you look at the time and effort that went into it, was writing a book worth it? </p>
<p>As Allan shares, podcasting with the Cyber Ranch podcast has offered him an avenue of success, but book writing does not always pay off monetarily. George and Robert have found other ways of seeing the value in their work, but as George especially explains, there are a lot of costs associated with writing a book that many aspiring writers don’t consider. Marketing in particular carries costs that many don’t expect when writing their first book.</p>
<p><em>“Mine has not proven to be successful to where I can retire from the job, but there is a feeling of richness that you can get from helping folks along the way. That has been a very fulfilling point.” — Robert Pace</em></p>
<p> </p>
<p>If somebody wants to write a book, what's the best piece of advice you have for them?</p>
<p>If you want to write a book, Robert and George genuinely believe you should go for it. A writer doesn’t have to know everything to write a book, but they do need to understand their audience and intentions with the book they want to author. Aspiring authors, according to Robert, need to be especially cautious of how pride can negatively impact the writing process. Don’t be afraid to ask for help, Robert says, but don’t let pride get in the way of accepting that help, especially from editors and other educated writers. </p>
<p><em>“I will say when you want to write a book, remove your pride because it will get hurt if you keep it out there. Everyone is not going to like what you write. We're coming from a cyber perspective, we don't write like the guys that have majored in English.” — Robert Pace</em></p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about George Finney on <a href='https://www.linkedin.com/in/georgefinney/'>LinkedIn</a> and buy George’s books, <a href='https://www.amazon.com/dp/1626347352/ref=tsm_1_fb_lk'><em>Well Aware</em></a>, <a href='https://www.amazon.com/More-Magic-Wands-Transformative-Cybersecurity-ebook/dp/B01L4CIMHK'><em>No More Magic Wands</em></a>, and <a href='https://www.amazon.com/dp/1119884845/ref=tsm_1_fb_lk'><em>Project Zero Trust</em></a></p>
<p>Keep up with Robert Pace on <a href='https://www.linkedin.com/in/robert-pace-04b7a452/'>LinkedIn</a> and buy Robert’s book, <a href='https://www.amazon.com/gp/product/B094YSYQX7/ref=x_gr_w_glide_sin?caller=Goodreads&callerLink=https%3A%2F%2Fwww.goodreads.com%2Fbook%2Fshow%2F42281086-i-understand-you-forgot-to-say-goodbye%3Ffrom_search%3Dtrue%26from_srp%3Dtrue%26qid%3Dpe7b1ViTOt%26rank%3D24&tag=x_gr_w_glide_sin-20'><em>I Understand… You Forgot to Say Goodbye.</em></a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/9duh5h/CR_audio_George_Finney_Robert_Paceaqiv7.mp3" length="58092685" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Cybersecurity practitioners give back to the community by recording YouTube videos, interviewing in magazines, or creating podcasts, just like this one. However, books remain a fantastic method of delivering info and impacting lives that shouldn’t be forgotten with the rise of social media. Allan tallied it up and thus far, nine of his friends have written books. He has been approached about writing one himself, and he wanted to get the inside track on the process. George Finney, CISO at SMU, and Robert Pace, CISO at Invitation Homes, explain the ups and downs of writing books from a cyber perspective. This interview with George and Robert was recorded LIVE! at the CISO XC 2022 conference.
 
Timecoded Guide:
[00:00] Introducing the cybersecurity and the personal books George and Robert write
[08:28] Overcoming writing challenges in order to help others with your book
[15:16] Understanding the monetary gains and losses of book writing 
[23:59] Being purposeful, intentional, and useful with the book you write
[30:02] Advising potential writers on if they should write their book or not
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
 
What made you choose books as your way to give back to the cyber community? 
There are numerous ways to give back to the cybersecurity community, including more modern methods such as online videos and social media posts. However, books offered George and Robert a means of expressing their feelings and beliefs about cyber and about life that felt unique and special to them. For George, writing books fulfills his dream of being a writer, a passion he’s had since he was a kid, and allows him to combine that dream with his passion for bettering the cybersecurity industry.
“My passion is really around cybersecurity. I really wanted to bring these two things (cybersecurity and writing) together in my life, and do something that I think only I can do, from my unique experiences, my unique perspective." — George Finney
 
What were the biggest challenges you faced while writing your book? 
Writing a book takes time and requires vulnerability. George and Robert are very familiar with those challenges. Facing these challenges often involves facing yourself, your wants, and your experiences. Robert especially felt challenged in writing his book because it was a personal story about losing his mother. Stepping out of his comfort zone to write about his personal life felt like a massive leap of faith, but he’s enjoyed impacting others with this story.
“Writing necessarily means that the time you dedicate to it is going to be spent in isolation. If you're spending 10 hours or 20, that's time you're not with your family, that's not time where you're going out, having fun. That's time you're on your own alone.” — George Finney
 
When you look at the time and effort that went into it, was writing a book worth it? 
As Allan shares, podcasting with the Cyber Ranch podcast has offered him an avenue of success, but book writing does not always pay off monetarily. George and Robert have found other ways of seeing the value in their work, but as George especially explains, there are a lot of costs associated with writing a book that many aspiring writers don’t consider. Marketing in particular carries costs that many don’t expect when writing their first book.
“Mine has not proven to be successful to where I can retire from the job, but there is a feeling of richness that you can get from helping folks along the way. That has been a very fulfilling point.” — Robert Pace
 
If somebody wants to write a book, what's the best piece of advice you have for them?
If you want to write a book, Robert and George genuinely believe you should go ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2420</itunes:duration>
                <itunes:episode>82</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Doing More by Doing Less with Drew Simonis</title>
        <itunes:title>Doing More by Doing Less with Drew Simonis</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/doing-more-by-doing-less-with-drew-simonis/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/doing-more-by-doing-less-with-drew-simonis/#comments</comments>        <pubDate>Wed, 03 Aug 2022 07:55:06 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/f52f0390-47f1-3a80-8f4e-00a78c1adf8e</guid>
                                    <description><![CDATA[<p>Drew Simonis, CISO at Juniper Networks, discusses the debate of doing more by doing less. So often in cybersecurity, practitioners think they have to do it all and view themselves as the smartest people in the room. The fact of the matter is that none of us are the smartest in the room and we have to learn to trust each other. Drew believes a collaborative, trusting environment will bring us to a place of doing less and seeing better results because of it. </p>
<p>Timecoded Guide:</p>
<p>[00:00] Introducing the foundations of Drew’s “do more by doing less” mindset</p>
<p>[07:03] Doing more by doing less, specifically in tech stack and GRC teams</p>
<p>[15:00] Revamping the cybersecurity and IT vendor ecosystem </p>
<p>[20:43] Understanding consumer and CISO impact on the cyber vendor market</p>
<p>[32:34] Reshaping the command and control security mindset</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!<br>
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p>How can security teams be more successful by enabling good decision making, versus trying to keep everyone from falling off a cliff?</p>
<p>The cybersecurity industry is stuck in a helicopter parent mindset, where practitioners don’t trust their colleagues in IT and feel the need to do the work for them. Drew explains that this is a low trust environment, where more work is created and no one thrives. If the industry works towards a high trust mindset, individuals are able to do their jobs and make decisions based on their knowledge, and even face normal consequences for their decisions, too. </p>
<p>“[We think] we're the smartest people in the room. There's always this very dismissive, very condescending approach to our colleagues, who have very important jobs to do on their own. In a low trust culture, you get to the point where you have to be watching over everybody.”</p>
<p> </p>
<p>How do vendors do more by doing less? How do they fit the trust and parenting model?</p>
<p>The bifurcation of the cybersecurity vendor system into cyber and IT has created more work for everyone involved and has produced a lot of less-than-ideal results. With a lack of integrated solutions, organizations and departments suffer from simply not being able to have products that do everything they need them to do. There’s little cross-functionality, and there are often too many products in play at once for any one vendor to make its intended impact.</p>
<p>“Why can't it all just work together? I think the whole notion of security as a buying center, separate from IT, created this opportunity for vendors to pursue a separate budget pot. In my opinion, it disincentivizes them from creating integrated solutions.”</p>
<p> </p>
<p>What are we doing wrong as consumers that's encouraging this “do less by doing more” system instead of doing more by doing less? </p>
<p>Sometimes, the only thing that can be done is starting over. The current system thrives on an “us” vs “them” mindset and a business vs technology mentality, where trust is low and doing more results in actually doing less. Roles need to be rethought and reconsidered in cybersecurity organizations, and executive leaders need to step out of the ivory tower of leadership to re-educate themselves and better understand their own roles.</p>
<p>“The whole separation of the cyber technologists from the IT technologists comes back to that trust issue as well. I can't trust IT to do the right things, I can't trust them to patch, so I've got to sit over here over their shoulder and scan.”</p>
<p> </p>
<p>What's the revenue and business argument for everything we've discussed?</p>
<p>There’s always the pressure of revenue metrics and tangible results, especially if a process or role has to change within a cybersecurity team. How does doing more by doing less show up as a tangible result and outcome? It turns out that all depends on transparency. Knowing the outcome that’s being looked for allows for a better understanding between practitioners and business leaders when the business argument for doing more by doing less has to be made.</p>
<p>“As CISO, I can't take your problem and try to make it my own and then solve it. I've got to trust you to solve it, and I've got to empower you, with the right tools, the right processes, the right policies, so that you have safe guidelines to solve that problem within.”</p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Drew Simonis on <a href='https://www.linkedin.com/in/drew-simonis-4893311/'>LinkedIn</a></p>
<p>Check out Juniper Networks on <a href='https://www.linkedin.com/company/juniper-networks/'>LinkedIn</a> and <a href='https://www.juniper.net'>the Juniper Networks website</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Drew Simonis, CISO at Juniper Networks, discusses the debate of doing more by doing less. So often in cybersecurity, practitioners think they have to do it all and view themselves as the smartest people in the room. The fact of the matter is that none of us are the smartest in the room and we have to learn to trust each other. Drew believes a collaborative, trusting environment will bring us to a place of doing less and seeing better results because of it. </p>
<p>Timecoded Guide:</p>
<p>[00:00] Introducing the foundations of Drew’s “do more by doing less” mindset</p>
<p>[07:03] Doing more by doing less, specifically in tech stack and GRC teams</p>
<p>[15:00] Revamping the cybersecurity and IT vendor ecosystem </p>
<p>[20:43] Understanding consumer and CISO impact on the cyber vendor market</p>
<p>[32:34] Reshaping the command and control security mindset</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!<br>
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p>How can security teams be more successful by enabling good decision making, versus trying to keep everyone from falling off a cliff?</p>
<p>The cybersecurity industry is stuck in a helicopter parent mindset, where practitioners don’t trust their colleagues in IT and feel the need to do the work for them. Drew explains that this is a low trust environment, where more work is created and no one thrives. If the industry works towards a high trust mindset, individuals are able to do their jobs and make decisions based on their knowledge, and even face normal consequences for their decisions, too. </p>
<p><em>“[We think] we're the smartest people in the room. There's always this very dismissive, very condescending approach to our colleagues, who have very important jobs to do on their own. In a low trust culture, you get to the point where you have to be watching over everybody.”</em></p>
<p> </p>
<p>How do vendors do more by doing less? How do they fit the trust and parenting model?</p>
<p>The bifurcation of the cybersecurity vendor system into cyber and IT has created more work for everyone involved and has produced a lot of less-than-ideal results. With a lack of integrated solutions, organizations and departments suffer from simply not being able to have products that do everything they need them to do. There’s little cross-functionality, and there are often too many products in play at once for any one vendor to make its intended impact.</p>
<p><em>“Why can't it all just work together? I think the whole notion of security as a buying center, separate from IT, created this opportunity for vendors to pursue a separate budget pot. In my opinion, it disincentivizes them from creating integrated solutions.”</em></p>
<p> </p>
<p>What are we doing wrong as consumers that's encouraging this “do less by doing more” system instead of doing more by doing less? </p>
<p>Sometimes, the only thing that can be done is starting over. The current system thrives on an “us” vs “them” mindset and a business vs technology mentality, where trust is low and doing more results in actually doing less. Roles need to be rethought and reconsidered in cybersecurity organizations, and executive leaders need to step out of the ivory tower of leadership to re-educate themselves and better understand their own roles.</p>
<p><em>“The whole separation of the cyber technologists from the IT technologists comes back to that trust issue as well. I can't trust IT to do the right things, I can't trust them to patch, so I've got to sit over here over their shoulder and scan.”</em></p>
<p> </p>
<p>What's the revenue and business argument for everything we've discussed?</p>
<p>There’s always the pressure of revenue metrics and tangible results, especially if a process or role has to change within a cybersecurity team. How does doing more by doing less show up as a tangible result and outcome? It turns out that all depends on transparency. Knowing the outcome that’s being looked for allows for a better understanding between practitioners and business leaders when the business argument for doing more by doing less has to be made.</p>
<p><em>“As CISO, I can't take your problem and try to make it my own and then solve it. I've got to trust you to solve it, and I've got to empower you, with the right tools, the right processes, the right policies, so that you have safe guidelines to solve that problem within.”</em></p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Drew Simonis on <a href='https://www.linkedin.com/in/drew-simonis-4893311/'>LinkedIn</a></p>
<p>Check out Juniper Networks on <a href='https://www.linkedin.com/company/juniper-networks/'>LinkedIn</a> and <a href='https://www.juniper.net'>the Juniper Networks website</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/ww6xp4/CR_audio_Drew_Simonis_v18mfcp.mp3" length="53150324" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Drew Simonis, CISO at Juniper Networks, discusses the debate of doing more by doing less. So often in cybersecurity, practitioners think they have to do it all and view themselves as the smartest people in the room. The fact of the matter is that none of us are the smartest in the room and we have to learn to trust each other. Drew believes a collaborative, trusting environment will bring us to a place of doing less and seeing better results because of it. 
Timecoded Guide:
[00:00] Introducing the foundations of Drew’s “do more by doing less” mindset
[07:03] Doing more by doing less, specifically in tech stack and GRC teams
[15:00] Revamping the cybersecurity and IT vendor ecosystem 
[20:43] Understanding consumer and CISO impact on the cyber vendor market
[32:34] Reshaping the command and control security mindset
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
How can security teams be more successful by enabling good decision making, versus trying to keep everyone from falling off a cliff?
The cybersecurity industry is stuck in a helicopter parent mindset, where practitioners don’t trust their colleagues in IT and feel the need to do the work for them. Drew explains that this is a low trust environment, where more work is created and no one thrives. If the industry works towards a high trust mindset, individuals are able to do their jobs and make decisions based on their knowledge, and even face normal consequences for their decisions, too. 
“[We think] we're the smartest people in the room. There's always this very dismissive, very condescending approach to our colleagues, who have very important jobs to do on their own. In a low trust culture, you get to the point where you have to be watching over everybody.”
 
How do vendors do more by doing less? How do they fit the trust and parenting model?
The bifurcation of the cybersecurity vendor system into cyber and IT has created more work for everyone involved and has produced a lot of less-than-ideal results. With a lack of integrated solutions, organizations and departments suffer from simply not being able to have products that do everything they need them to do. There’s little cross-functionality, and there are often too many products in play at once for any one vendor to make its intended impact.
“Why can't it all just work together? I think the whole notion of security as a buying center, separate from IT, created this opportunity for vendors to pursue a separate budget pot. In my opinion, it disincentivizes them from creating integrated solutions.”
 
What are we doing wrong as consumers that's encouraging this “do less by doing more” system instead of doing more by doing less? 
Sometimes, the only thing that can be done is starting over. The current system thrives on an “us” vs “them” mindset and a business vs technology mentality, where trust is low and doing more results in actually doing less. Roles need to be rethought and reconsidered in cybersecurity organizations, and executive leaders need to step out of the ivory tower of leadership to re-educate themselves and better understand their own roles.
“The whole separation of the cyber technologists from the IT technologists comes back to that trust issue as well. I can't trust IT to do the right things, I can't trust them to patch, so I've got to sit over here over their shoulder and scan.”
 
What's the revenue and business argument for everything we've discussed?
There’s always the pressure of revenue metrics and tangible results, especially if a process or role has to change within a cybersecurity team. How does doing more by doing less show up as a tangible result and outcome? It turns out that all depends on transparency. Knowing the o]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2214</itunes:duration>
                <itunes:episode>81</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Getting Back to the Basics with Sonja Hammond</title>
        <itunes:title>Getting Back to the Basics with Sonja Hammond</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/getting-back-to-the-basics-with-sonja-hammond/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/getting-back-to-the-basics-with-sonja-hammond/#comments</comments>        <pubDate>Wed, 27 Jul 2022 05:13:35 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/9860aeda-00e1-3f87-8853-1d8b7e33e1ad</guid>
                                    <description><![CDATA[<p>Sonja Hammond, Vice President & CISO at National Veterinary Associates, brings her love of animals and more importantly her love for security basics down to the Ranch this week. The buzz around new cyber technology and security protocols can easily warp our perspective on what’s most important for CISOs. Sonja spends some time in this episode explaining why cybersecurity organizations instead need to focus on simple tech and strong security processes and training protocols.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Breaking down basics of people, process, and technology</p>
<p>[06:59] Where tech stack is failing us and how to keep the vendor community on hold</p>
<p>[10:31] Building a good GRC team with a focus on NIST CSF</p>
<p>[14:13] Training the right way for GRC and cyber professionals</p>
<p>[19:30] Understanding the end user and setting your cyber team up for success</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!<br>
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p>What does that mean to you, in cyber specifically, getting back to the basics?</p>
<p>Getting back to the basics is a common theme no matter your industry, but Sonja’s focus on it feels especially surprising when so much of the security world isn’t simple at all. Sonja explains throughout the episode that NVA strives for simple yet effective, not for something shocking or eye-catching. Especially since Sonja’s work involves sensitive client data, she emphasizes that a basics-centric approach keeps the animals in NVA’s care and the people who love these animals safe. Although it may not be flashy, Sonja is proud of the well-oiled machine of her team and the security of their data.</p>
<p>“You have to get rid of your tech debt and bring your environment to current. You want modern, supportable technology. That's really key in order to keep everything secure.”</p>
<p>What's the opposite of your "get back to the basics" vision there?</p>
<p>Cybersecurity technology is often far from simple, but adding unnecessary bells and whistles only succeeds in further complicating things. Sonja’s back-to-the-basics mindset encourages tools that cut out the unnecessary and strive for a streamlined approach. Sonja sees the appeal of a fun product to add to any protocols, but warns that fun rarely means secure. When there’s too much focus on the new and the shiny, that often means that focus is turned away from what’s most important: keeping data safe and preventing vulnerabilities from being exploited. </p>
<p>“There are groups that are implementing some security tools that are shiny, new, and lots of fun, but they still have those basic security holes, so they get compromised.”</p>
<p>What are we doing right when it comes to the people in our organizations, and what aren’t we doing right?</p>
<p>Sonja is happy to separate NVA from the pack by explaining their focus on involving cybersecurity practitioners in the everyday operations of their organization. Many companies keep these roles separate, letting tech and cyber professionals remain in their own roles without context of what their end user might be experiencing on their end. Instead, NVA strives to put cybersecurity employees in the shoes of their end users and day-to-day employees, giving them further context around the people they impact and the roles they influence, as well as providing them further insight into potential security risks that might be slipping through the cracks of daily operations.</p>
<p>“Get the cybersecurity people exposed to what really happens in the day-to-day, because if they can walk in the end users’ shoes, then they can understand where there are security implications.”</p>
<p>For the people that are checking in the patients and taking them back, how much do they learn about security? </p>
<p>It’s one thing to train security professionals in the day-to-day of an organization, and another to train other employees about the world of cybersecurity. To combat the often frustrating process of checking security compliance boxes, Sonja tries to change up training tactics with employees by sending playful videos and short informational emails. Keeping things short greatly raises the chances of the content actually being read, Sonja explains, and it also limits the monotonous moments in the training process for employees who have very little experience with cyber protocols.</p>
<p>“We try to make it not quite so obvious that [our employees] are always getting training. We certainly do the traditional online CBT type stuff, to check the compliance boxes, but then we try to do some other things, like funny videos…Just simple things to remind them.”</p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Sonja Hammond on <a href='https://www.linkedin.com/in/sonjahammond/'>LinkedIn</a></p>
<p>Check out National Veterinary Associates on <a href='https://www.linkedin.com/company/national-veterinary-associates/'>LinkedIn</a> and <a href='https://nva.avature.net/careers/OriginStory'>the NVA website</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Sonja Hammond, Vice President & CISO at National Veterinary Associates, brings her love of animals and more importantly her love for security basics down to the Ranch this week. The buzz around new cyber technology and security protocols can easily warp our perspective on what’s most important for CISOs. Sonja spends some time in this episode explaining why cybersecurity organizations instead need to focus on simple tech and strong security processes and training protocols.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Breaking down basics of people, process, and technology</p>
<p>[06:59] Where tech stack is failing us and how to keep the vendor community on hold</p>
<p>[10:31] Building a good GRC team with a focus on NIST CSF</p>
<p>[14:13] Training the right way for GRC and cyber professionals</p>
<p>[19:30] Understanding the end user and setting your cyber team up for success</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!<br>
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p>What does that mean to you, in cyber specifically, getting back to the basics?</p>
<p>Getting back to the basics is a common theme no matter your industry, but Sonja’s focus on it feels especially surprising when so much of the security world isn’t simple at all. Sonja explains throughout the episode that NVA strives for simple yet effective, not for something shocking or eye-catching. Especially since Sonja’s work involves sensitive client data, she emphasizes that a basics-centric approach keeps the animals in NVA’s care and the people who love these animals safe. Although it may not be flashy, Sonja is proud of the well-oiled machine of her team and the security of their data.</p>
<p><em>“You have to get rid of your tech debt and bring your environment to current. You want modern, supportable technology. That's really key in order to keep everything secure.”</em></p>
<p>What's the opposite of your "get back to the basics" vision there?</p>
<p>Cybersecurity technology is often far from simple, but adding unnecessary bells and whistles only succeeds in further complicating things. Sonja’s back-to-the-basics mindset encourages tools that cut out the unnecessary and strive for a streamlined approach. Sonja sees the appeal of a fun product to add to any protocols, but warns that fun rarely means secure. When there’s too much focus on the new and the shiny, that focus is often turned away from what’s most important: keeping data safe and preventing vulnerabilities from being exploited.</p>
<p><em>“There are groups that are implementing some security tools that are shiny, new, and lots of fun, but they still have those basic security holes, so they get compromised.”</em></p>
<p>What are we doing right when it comes to the people in our organizations, and what aren’t we doing right?</p>
<p>Sonja is happy to separate NVA from the pack by explaining their focus on involving cybersecurity practitioners in the everyday operations of their organization. Many companies keep these roles separate, letting tech and cyber professionals remain in their own roles without any context for what their end users actually experience. Instead, NVA strives to put cybersecurity employees in the shoes of their end users and day-to-day employees, giving them further context around the people they impact and the roles they influence, as well as providing them further insight into potential security risks that might be slipping through the cracks of daily operations.</p>
<p><em>“Get the cybersecurity people exposed to what really happens in the day-to-day, because if they can walk in the end users’ shoes, then they can understand where there are security implications.”</em></p>
<p>For the people that are checking in the patients and taking them back, how much do they learn about security? </p>
<p>It’s one thing to train security professionals in the day-to-day of an organization, and another to train other employees about the world of cybersecurity. To combat the often frustrating process of checking security compliance boxes, Sonja tries to change up training tactics with employees by sending playful videos and short informational emails. Keeping things short greatly raises the chances of the content actually being read, Sonja explains, and it also limits the monotonous moments in the training process for employees who have very little experience with cyber protocols.</p>
<p><em>“We try to make it not quite so obvious that [our employees] are always getting training. We certainly do the traditional online CBT type stuff, to check the compliance boxes, but then we try to do some other things, like funny videos…Just simple things to remind them.”</em></p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Sonja Hammond on <a href='https://www.linkedin.com/in/sonjahammond/'>LinkedIn</a></p>
<p>Check out National Veterinary Associates on <a href='https://www.linkedin.com/company/national-veterinary-associates/'>LinkedIn</a> and <a href='https://nva.avature.net/careers/OriginStory'>the NVA website</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/2ze4yh/CR_audio_Sonja_Hammond8t8lk.mp3" length="34378188" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Sonja Hammond, Vice President & CISO at National Veterinary Associates, brings her love of animals and more importantly her love for security basics down to the Ranch this week. The buzz around new cyber technology and security protocols can easily warp our perspective on what’s most important for CISOs. Sonja spends some time in this episode explaining why cybersecurity organizations instead need to focus on simple tech and strong security processes and training protocols.
 
Timecoded Guide:
[00:00] Breaking down basics of people, process, and technology
[06:59] Where the tech stack is failing us and how to keep the vendor community on hold
[10:31] Building a good GRC team with a focus on NIST CSF
[14:13] Training the right way for GRC and cyber professionals
[19:30] Understanding the end user and setting your cyber team up for success
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour
What does that mean to you, in cyber specifically, getting back to the basics?
Getting back to the basics is a common theme no matter your industry, but Sonja’s focus on it feels especially surprising when so much of the security world isn’t simple at all. Sonja explains throughout the episode that NVA strives for simple yet effective, not for something shocking or eye-catching. Especially since Sonja’s work involves sensitive client data, she emphasizes that a basics-centric approach keeps the animals in NVA’s care and the people who love these animals safe. Although it may not be flashy, Sonja is proud of the well-oiled machine of her team and the security of their data.
“You have to get rid of your tech debt and bring your environment to current. You want modern, supportable technology. That's really key in order to keep everything secure.”
What's the opposite of your "get back to the basics" vision there?
Cybersecurity technology is often far from simple, but adding unnecessary bells and whistles only succeeds in further complicating things. Sonja’s back-to-the-basics mindset encourages tools that cut out the unnecessary and strive for a streamlined approach. Sonja sees the appeal of a fun product to add to any protocols, but warns that fun rarely means secure. When there’s too much focus on the new and the shiny, that focus is often turned away from what’s most important: keeping data safe and preventing vulnerabilities from being exploited.
“There are groups that are implementing some security tools that are shiny, new, and lots of fun, but they still have those basic security holes, so they get compromised.”
What are we doing right when it comes to the people in our organizations, and what aren’t we doing right?
Sonja is happy to separate NVA from the pack by explaining their focus on involving cybersecurity practitioners in the everyday operations of their organization. Many companies keep these roles separate, letting tech and cyber professionals remain in their own roles without any context for what their end users actually experience. Instead, NVA strives to put cybersecurity employees in the shoes of their end users and day-to-day employees, giving them further context around the people they impact and the roles they influence, as well as providing them further insight into potential security risks that might be slipping through the cracks of daily operations.
“Get the cybersecurity people exposed to what really happens in the day-to-day, because if they can walk in the end users’ shoes, then they can understand where there are security implications.”
For the people that are checking in the patients and taking them back, how much do they learn about security? 
It’s one thing to train security professionals in the day-to-day of an org]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1432</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>80</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Debunking Cyber Myths with Adrian Sanabria</title>
        <itunes:title>Debunking Cyber Myths with Adrian Sanabria</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/debunking-cyber-myths-with-adrian-sanabria/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/debunking-cyber-myths-with-adrian-sanabria/#comments</comments>        <pubDate>Wed, 20 Jul 2022 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/76511c75-eb9b-3202-badf-4b377f86fb6b</guid>
                                    <description><![CDATA[<p>Adrian Sanabria, Director of Product Management at Tenchi Security, arrives at the Ranch this week to debunk cyber myths and expose industry lies. Using his background running Security Weekly Labs at Cyber Risk Alliance, Adrian explains the lack of cohesive product testing happening in the cyber world, and delves into the research he’s done to get to the bottom of cyber’s most elusive statistics. Do 60% of small businesses go out of business after a breach? Adrian has an answer that just might surprise you. </p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Introducing Adrian and his journey with Cyber Risk Alliance</p>
<p>[06:47] Buying awards and lying about customers</p>
<p>[13:24] Finding the source of fake cyber statistics</p>
<p>[24:28] The lies of vulnerability management and security awareness training</p>
<p>[30:58] Explaining Adrian’s It’s Time to Kill the Pen Test talk </p>
<p>[40:41] Creating a money-making concept for debunking cyber myths</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a>

</p>
<p>Can you tell me about your product testing lab with Cyber Risk Alliance? </p>
<p>We often hear the startup motto of “fake it ‘til you make it,” but Adrian wasn’t aware of how pervasive that concept was in cyber until he began his work with 451 Security. After encountering numerous professionals who expressed complaints and confusion with products on the market, Adrian wanted to break into the world of product testing— and the Security Weekly Labs were born. With a focus on external attack surface management and network vulnerability scanners, Adrian sought to find the truth behind the products vendors were selling him— and what he discovered strongly influenced his future.</p>
<p>“When we talk about myths and lies, it's not just straight up lies, right? At some point, they're faking it till they make it, and they get to a point where it's just too late to turn back. And then, it starts to get a little bit more insidious.” </p>
<p> </p>
<p>Are vendors going far enough to fake customers and awards? </p>
<p>Not only are vendors “faking it” in a startup sense, some vendors have gotten right to the point of lying about the awards they’ve received and the high-profile customers they’ve worked with. Adrian explains that buying and lying about awards has become a common practice within the cyber world, where certain businesses have let the marketing of winning an award override the legitimacy of their own success. While some companies may ignorantly feel drawn in by meaningless awards, more insidious industry liars have already mastered pulling out their credit card to buy what they want to win.</p>
<p>“You can actually even fill in the name of the category you want to win an award for, you can just make up your own category. You drop a credit card and they send you a trophy. Some of these fake awards even have award ceremonies.”</p>
<p> </p>
<p>Where do these cybersecurity statistics come from, and how do we validate them?</p>
<p>60% of small businesses go out of business after a breach— but do they really? Adrian’s exposition of cyber lies leaves no stone unturned, even when it comes to mystery statistics. Where did these numbers come from, and why would millions of businesses be more impacted by security breaches than by fraud? After encountering statistics like this with shocking frequency, Adrian has even taken to Twitter on numerous occasions to call out companies marketing with fake stats and reveal his own research findings.</p>
<p>“There are people that have just hinged their reputations and their careers on some of these myths…And it's not that companies don't get hurt by breaches, but it benefits no one to make up stats, or to push this narrative.”</p>
<p> </p>
<p>Is it time to kill the pen test? </p>
<p>There are a lot of things done in cyber that might not have a place for everyone. Pen testing is near the end of Adrian’s list, but he’s quick to point out that the pen test process needs to change. Unfortunately, the bulk of what any organization is paying for when it runs a pen test is vulnerability scans and report paperwork. Explaining a concept he developed with his friend and co-founder Kyle at Savage Security, Adrian explains that the modern-day pen test needs to look more like purple teaming and focus on prioritizing what really needs to be fixed.</p>
<p>“A lot of companies have pen tests, because they don't know what else to do with their security budget. You could apply that more broadly. A lot of people have a security budget, and they buy what they see their peers buy and do what analysts tell them to do.”</p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Adrian Sanabria on <a href='https://www.linkedin.com/in/adrian-sanabria/'>LinkedIn</a> and <a href='https://twitter.com/sawaba'>Twitter</a></p>
<p>Check out Tenchi Security on <a href='https://www.linkedin.com/company/tenchisecurity/'>LinkedIn</a> and <a href='https://www.tenchisecurity.com'>the Tenchi Security website</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Adrian Sanabria, Director of Product Management at Tenchi Security, arrives at the Ranch this week to debunk cyber myths and expose industry lies. Using his background running Security Weekly Labs at Cyber Risk Alliance, Adrian explains the lack of cohesive product testing happening in the cyber world, and delves into the research he’s done to get to the bottom of cyber’s most elusive statistics. Do 60% of small businesses go out of business after a breach? Adrian has an answer that just might surprise you. </p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[00:00] Introducing Adrian and his journey with Cyber Risk Alliance</p>
<p>[06:47] Buying awards and lying about customers</p>
<p>[13:24] Finding the source of fake cyber statistics</p>
<p>[24:28] The lies of vulnerability management and security awareness training</p>
<p>[30:58] Explaining Adrian’s It’s Time to Kill the Pen Test talk </p>
<p>[40:41] Creating a money-making concept for debunking cyber myths</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!<br>
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a><br>
<br>
</p>
<p>Can you tell me about your product testing lab with Cyber Risk Alliance? </p>
<p>We often hear the startup motto of “fake it ‘til you make it,” but Adrian wasn’t aware of how pervasive that concept was in cyber until he began his work with 451 Security. After encountering numerous professionals who expressed complaints and confusion with products on the market, Adrian wanted to break into the world of product testing— and the Security Weekly Labs were born. With a focus on external attack surface management and network vulnerability scanners, Adrian sought to find the truth behind the products vendors were selling him— and what he discovered strongly influenced his future.</p>
<p><em>“When we talk about myths and lies, it's not just straight up lies, right? At some point, they're faking it till they make it, and they get to a point where it's just too late to turn back. And then, it starts to get a little bit more insidious.” </em></p>
<p> </p>
<p>Are vendors going far enough to fake customers and awards? </p>
<p>Not only are vendors “faking it” in a startup sense, some vendors have gotten right to the point of lying about the awards they’ve received and the high-profile customers they’ve worked with. Adrian explains that buying and lying about awards has become a common practice within the cyber world, where certain businesses have let the marketing of winning an award override the legitimacy of their own success. While some companies may ignorantly feel drawn in by meaningless awards, more insidious industry liars have already mastered pulling out their credit card to buy what they want to win.</p>
<p><em>“You can actually even fill in the name of the category you want to win an award for, you can just make up your own category. You drop a credit card and they send you a trophy. Some of these fake awards even have award ceremonies.”</em></p>
<p> </p>
<p>Where do these cybersecurity statistics come from, and how do we validate them?</p>
<p>60% of small businesses go out of business after a breach— but do they really? Adrian’s exposition of cyber lies leaves no stone unturned, even when it comes to mystery statistics. Where did these numbers come from, and why would millions of businesses be more impacted by security breaches than by fraud? After encountering statistics like this with shocking frequency, Adrian has even taken to Twitter on numerous occasions to call out companies marketing with fake stats and reveal his own research findings.</p>
<p><em>“There are people that have just hinged their reputations and their careers on some of these myths…And it's not that companies don't get hurt by breaches, but it benefits no one to make up stats, or to push this narrative.”</em></p>
<p> </p>
<p>Is it time to kill the pen test? </p>
<p>There are a lot of things done in cyber that might not have a place for everyone. Pen testing is near the end of Adrian’s list, but he’s quick to point out that the pen test process needs to change. Unfortunately, the bulk of what any organization is paying for when it runs a pen test is vulnerability scans and report paperwork. Explaining a concept he developed with his friend and co-founder Kyle at Savage Security, Adrian explains that the modern-day pen test needs to look more like purple teaming and focus on prioritizing what really needs to be fixed.</p>
<p><em>“A lot of companies have pen tests, because they don't know what else to do with their security budget. You could apply that more broadly. A lot of people have a security budget, and they buy what they see their peers buy and do what analysts tell them to do.”</em></p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Adrian Sanabria on <a href='https://www.linkedin.com/in/adrian-sanabria/'>LinkedIn</a> and <a href='https://twitter.com/sawaba'>Twitter</a></p>
<p>Check out Tenchi Security on <a href='https://www.linkedin.com/company/tenchisecurity/'>LinkedIn</a> and <a href='https://www.tenchisecurity.com'>the Tenchi Security website</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/x8tzxp/CR_audio_Adrian_Sanabria_v27bl4n.mp3" length="66632577" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Adrian Sanabria, Director of Product Management at Tenchi Security, arrives at the Ranch this week to debunk cyber myths and expose industry lies. Using his background running Security Weekly Labs at Cyber Risk Alliance, Adrian explains the lack of cohesive product testing happening in the cyber world, and delves into the research he’s done to get to the bottom of cyber’s most elusive statistics. Do 60% of small businesses go out of business after a breach? Adrian has an answer that just might surprise you. 
 
Timecoded Guide:
[00:00] Introducing Adrian and his journey with Cyber Risk Alliance
[06:47] Buying awards and lying about customers
[13:24] Finding the source of fake cyber statistics
[24:28] The lies of vulnerability management and security awareness training
[30:58] Explaining Adrian’s It’s Time to Kill the Pen Test talk 
[40:41] Creating a money-making concept for debunking cyber myths
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour
Can you tell me about your product testing lab with Cyber Risk Alliance? 
We often hear the startup motto of “fake it ‘til you make it,” but Adrian wasn’t aware of how pervasive that concept was in cyber until he began his work with 451 Security. After encountering numerous professionals who expressed complaints and confusion with products on the market, Adrian wanted to break into the world of product testing— and the Security Weekly Labs were born. With a focus on external attack surface management and network vulnerability scanners, Adrian sought to find the truth behind the products vendors were selling him— and what he discovered strongly influenced his future.
“When we talk about myths and lies, it's not just straight up lies, right? At some point, they're faking it till they make it, and they get to a point where it's just too late to turn back. And then, it starts to get a little bit more insidious.” 
 
Are vendors going far enough to fake customers and awards? 
Not only are vendors “faking it” in a startup sense, some vendors have gotten right to the point of lying about the awards they’ve received and the high-profile customers they’ve worked with. Adrian explains that buying and lying about awards has become a common practice within the cyber world, where certain businesses have let the marketing of winning an award override the legitimacy of their own success. While some companies may ignorantly feel drawn in by meaningless awards, more insidious industry liars have already mastered pulling out their credit card to buy what they want to win.
“You can actually even fill in the name of the category you want to win an award for, you can just make up your own category. You drop a credit card and they send you a trophy. Some of these fake awards even have award ceremonies.”
 
Where do these cybersecurity statistics come from, and how do we validate them?
60% of small businesses go out of business after a breach— but do they really? Adrian’s exposition of cyber lies leaves no stone unturned, even when it comes to mystery statistics. Where did these numbers come from, and why would millions of businesses be more impacted by security breaches than by fraud? After encountering statistics like this with shocking frequency, Adrian has even taken to Twitter on numerous occasions to call out companies marketing with fake stats and reveal his own research findings.
“There are people that have just hinged their reputations and their careers on some of these myths…And it's not that companies don't get hurt by breaches, but it benefits no one to make up stats, or to push this narrative.”
 
Is it time to kill the pen test? 
There are a lot of things done in cyber that might not have a place for everyone. Pen te]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2776</itunes:duration>
                <itunes:episode>79</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Privacy Professionals &amp; Regulatory Headaches with Adam Stone</title>
        <itunes:title>Privacy Professionals &amp; Regulatory Headaches with Adam Stone</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/privacy-professionals-regulatory-headaches-with-adam-stone/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/privacy-professionals-regulatory-headaches-with-adam-stone/#comments</comments>        <pubDate>Wed, 13 Jul 2022 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/a6c7d6c3-e120-3652-889d-40d267817348</guid>
                                    <description><![CDATA[<p>Adam Stone, Chief Privacy Officer at TrustMAPP, brings his decades of security and privacy knowledge to the Ranch this week to talk about the disciplines of security and privacy.  Where do they intersect?  What makes security professionals and privacy professionals different? And, maybe most important of all: How can these two disciplines work together within an organization without being perceived as useless regulatory headaches?

</p>
<p>Timecoded Guide:</p>
<p>[00:00] Comparing and contrasting security and privacy responsibilities</p>
<p>[08:30] Privacy, GRC, and building trust with stakeholders</p>
<p>[15:28] Coordinated and cooperative efforts of security and privacy teams</p>
<p>[20:57] Security awareness training vs the lack of awareness of privacy</p>
<p>[27:26] Drawing the line with privacy laws for security professionals

</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a>

</p>
<p>Where do privacy and security intersect? Where don’t they intersect?  </p>
<p>Privacy professionals need the security professionals within their organization to make privacy work and to implement a given protocol within a privacy policy. Although each group may want to draw a division, a company needs a healthy and distinct dose of both privacy and security, and they cannot simply be handled by one person tagged in for both. The main reason this shared responsibility for privacy and security under one roof doesn’t work is the difference in priorities. While Adam points out that both seek to serve stakeholders, security professionals are protecting property with technology and privacy professionals are protecting individuals with processes.</p>
<p>“Information security professionals are in place to protect property. Namely, they are in place to protect the property of their sponsor, usually a corporation…The privacy professional is protecting the individual from the accesses of a corporation, or from a larger entity.”</p>
<p> </p>
<p>What does an information security professional need to know about privacy?</p>
<p>Within the world of security, privacy regulations and laws are often seen as a headache. However, according to Adam, privacy is misunderstood by many security professionals, who group privacy policies with the same technical protocols they use throughout their work. Privacy is administrative and reliant on how someone behaves within their workplace. Although technology may aid in privacy policies, the steps companies have to go through to maintain privacy for their customers are dependent on individuals and on the ways companies are able to enforce strict protective privacy protocols on those individuals.</p>
<p>“What security professionals need to understand about privacy is that many, if not most, of the solutions to privacy problems, are not technological. They are process. They are administrative.”</p>
<p> </p>
<p>If security awareness training is a norm, why isn't there privacy awareness training? </p>
<p>There are a lot of perceptions about privacy, and Adam admits that many of them are unfortunately negative. Between the headache of privacy law and the lack of privacy awareness within companies and organizations, what are people supposed to think about privacy? In Adam’s opinion, the perspective on privacy needs to shift and companies need to better understand that privacy is a customer service concern. Caring about how you market to someone, how you sell your wares, and the impact you have on your customers is a way to build trust with them and to provide them a higher quality of customer service, and all of that falls under the umbrella of privacy.</p>
<p>“In my view, [privacy awareness] is awareness of how you are communicating, how you are selling, how you are marketing, that potentially endangers the privacy of the individual.”</p>
<p> </p>
<p>How do you keep up with the myriad of privacy laws that are constantly coming out and changing? </p>
<p>Adam has heard from security and privacy professionals alike about the anxiety of changing privacy laws, but his answer to the concern is to point out that no one can keep up with these privacy law changes on their own. Whether relying on the International Association of Privacy Professionals (IAPP) or calling in the counsel of a legal team or privacy lawyer, there are numerous resources available for privacy and security professionals to learn about privacy laws, study them, and decide where to draw the lines and what decisions to make about privacy policies.</p>
<p>“There’s a line to be drawn between interpreting and operationalizing statutes and regulations, versus interpreting a given statute or regulation for purposes of defending oneself in court. That is where we really need the expertise and the authority that a lawyer brings to the table.”</p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Adam Stone on <a href='https://www.linkedin.com/in/adambstone/'>LinkedIn</a> and <a href='https://trustmapp.com/leadership/'>the TrustMAPP website</a>.</p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Adam Stone, Chief Privacy Officer at TrustMAPP, brings his decades of security and privacy knowledge to the Ranch this week to talk about the disciplines of security and privacy.  Where do they intersect?  What makes security professionals and privacy professionals different? And, maybe most important of all: How can these two disciplines work together within an organization without being perceived as useless regulatory headaches?<br>
<br>
</p>
<p>Timecoded Guide:</p>
<p>[00:00] Comparing and contrasting security and privacy responsibilities</p>
<p>[08:30] Privacy, GRC, and building trust with stakeholders</p>
<p>[15:28] Coordinated and cooperative efforts of security and privacy teams</p>
<p>[20:57] Security awareness training vs the lack of awareness of privacy</p>
<p>[27:26] Drawing the line with privacy laws for security professionals<br>
<br>
</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a><br>
<br>
</p>
<p>Where do privacy and security intersect? Where don’t they intersect?  </p>
<p>Privacy professionals need the security professionals in their organization to make privacy work and to implement the protocols a privacy policy calls for. Although each group may want to draw lines between them, a company needs a healthy dose of both privacy and security, handled as distinct functions rather than by one person tagged in for both. The main reason putting both responsibilities on one person doesn’t work is the difference in priorities. While Adam points out that both seek to serve stakeholders, security professionals are protecting property with technology and privacy professionals are protecting individuals with processes.</p>
<p><em>“Information security professionals are in place to protect property. Namely, they are in place to protect the property of their sponsor, usually a corporation…The privacy professional is protecting the individual from the accesses of a corporation, or from a larger entity.”</em></p>
<p> </p>
<p>What does an information security professional need to know about privacy?</p>
<p>Within the world of security, privacy regulations and laws are often seen as a headache. However, according to Adam, privacy is misunderstood by many security professionals, who lump privacy policies in with the technical controls they use throughout their work. Privacy is administrative and depends on how people behave within their workplace. Although technology may aid privacy policies, the steps a company must take to maintain its customers’ privacy depend on individuals and on how well the company can hold those individuals to strict privacy protocols.</p>
<p><em>“What security professionals need to understand about privacy is that many, if not most, of the solutions to privacy problems, are not technological. They are process. They are administrative.”</em></p>
<p> </p>
<p>If security awareness training is a norm, why isn't there privacy awareness training? </p>
<p>There are a lot of perceptions about privacy, and Adam admits that many of them are unfortunately negative. Between the headache of privacy law and the lack of privacy awareness within companies and organizations, what are people supposed to think about privacy? In Adam’s opinion, the perspective on privacy needs to shift and companies need to better understand that privacy is a customer service concern. Caring about how you market to someone, how you sell your wares, and the impact you have on your customers is a way to build trust with them and to provide them a higher quality of customer service, and all of that falls under the umbrella of privacy.</p>
<p><em>“In my view, [privacy awareness] is awareness of how you are communicating, how you are selling, how you are marketing, that potentially endangers the privacy of the individual.”</em></p>
<p> </p>
<p>How do you keep up with the myriad of privacy laws that are constantly coming out and changing? </p>
<p>Adam has heard from security and privacy professionals alike about the anxiety of keeping up with changing privacy laws, but his answer is that nobody can keep up with these changes on their own. Whether by relying on the International Association of Privacy Professionals (IAPP) or by calling in a legal team or privacy lawyer, privacy and security professionals have numerous resources for learning about privacy laws, studying them, and deciding where to draw the lines and what privacy policy decisions to make.</p>
<p><em>“There’s a line to be drawn between interpreting and operationalizing statutes and regulations, versus interpreting a given statute or regulation for purposes of defending oneself in court. That is where we really need the expertise and the authority that a lawyer brings to the table.”</em></p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Adam Stone on <a href='https://www.linkedin.com/in/adambstone/'>LinkedIn</a> and <a href='https://trustmapp.com/leadership/'>the TrustMAPP website</a>.</p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/c9jtwk/CR_audio_Adam_Stone77931.mp3" length="46996293" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Adam Stone, Chief Privacy Officer at TrustMAPP, brings his decades of security and privacy knowledge to the Ranch this week to talk about the disciplines of security and privacy.  Where do they intersect?  What makes security professionals and privacy professionals different? And, maybe most important of all: How can these two disciplines work together within an organization without being perceived as useless regulatory headaches?
Timecoded Guide:
[00:00] Comparing and contrasting security and privacy responsibilities
[08:30] Privacy, GRC, and building trust with stakeholders
[15:28] Coordinated and cooperative efforts of security and privacy teams
[20:57] Security awareness training vs the lack of awareness of privacy
[27:26] Drawing the line with privacy laws for security professionals
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
Where do privacy and security intersect? Where don’t they intersect?  
Privacy professionals need the security professionals in their organization to make privacy work and to implement the protocols a privacy policy calls for. Although each group may want to draw lines between them, a company needs a healthy dose of both privacy and security, handled as distinct functions rather than by one person tagged in for both. The main reason putting both responsibilities on one person doesn’t work is the difference in priorities. While Adam points out that both seek to serve stakeholders, security professionals are protecting property with technology and privacy professionals are protecting individuals with processes.
“Information security professionals are in place to protect property. Namely, they are in place to protect the property of their sponsor, usually a corporation…The privacy professional is protecting the individual from the accesses of a corporation, or from a larger entity.”
 
What does an information security professional need to know about privacy?
Within the world of security, privacy regulations and laws are often seen as a headache. However, according to Adam, privacy is misunderstood by many security professionals, who lump privacy policies in with the technical controls they use throughout their work. Privacy is administrative and depends on how people behave within their workplace. Although technology may aid privacy policies, the steps a company must take to maintain its customers’ privacy depend on individuals and on how well the company can hold those individuals to strict privacy protocols.
“What security professionals need to understand about privacy is that many, if not most, of the solutions to privacy problems, are not technological. They are process. They are administrative.”
 
If security awareness training is a norm, why isn't there privacy awareness training? 
There are a lot of perceptions about privacy, and Adam admits that many of them are unfortunately negative. Between the headache of privacy law and the lack of privacy awareness within companies and organizations, what are people supposed to think about privacy? In Adam’s opinion, the perspective on privacy needs to shift and companies need to better understand that privacy is a customer service concern. Caring about how you market to someone, how you sell your wares, and the impact you have on your customers is a way to build trust with them and to provide them a higher quality of customer service, and all of that falls under the umbrella of privacy.
“In my view, [privacy awareness] is awareness of how you are communicating, how you are selling, how you are marketing, that potentially endangers the privacy of the individual.”
 
How do you keep up with the m]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1958</itunes:duration>
                <itunes:episode>78</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Overrated in Cybersecurity with Jerry Perullo</title>
        <itunes:title>The Overrated in Cybersecurity with Jerry Perullo</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/avoiding-the-overrated-in-cybersecurity-with-jerry-perullo-1657036182/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/avoiding-the-overrated-in-cybersecurity-with-jerry-perullo-1657036182/#comments</comments>        <pubDate>Wed, 06 Jul 2022 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/b0f4ef2b-8023-3ebf-8ad8-e3aa787f0113</guid>
<description><![CDATA[<p>Jerry Perullo, former CISO of the NYSE, former chairman of the board of the FS-ISAC, founder, professor, and host of the Life After CISO podcast, comes down to the Cyber Ranch to discuss the many roles he’s had throughout his career and the many distinctive opinions he holds on the cyber industry. Together, Jerry and Allan break down what’s overrated in cybersecurity, from patching to the dark web to vulnerability departments, and every detail and concept in between.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[01:53] Taking on a variety of roles in the cyber industry and breaking down which elements of cybersecurity are overrated</p>
<p>[08:48] Recognizing when encryption is needed and when it is overrated or overemphasized as something you need in cybersecurity</p>
<p>[15:43] Service-level agreement timelines, addressing critical risks, and engaging with the 80/20 rule</p>
<p>[24:17] Understanding when to separate data about different vulnerabilities and attacks, and when to report on them in the same conversation (i.e. board meetings)</p>
<p>[29:58] Other overrated elements of cybersecurity, such as IoCs, dark web, and, of course, what Jerry would change in cyber if he had a magic wand...

</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a>

</p>
<p>Why is patching overrated?</p>
<p>While Jerry acknowledges the importance of patching in certain contexts, he also explains that its ability to solve security problems is often overemphasized. For a patch to make an impact, the vulnerability has to be known and understood, and the vendor has to have produced a fix. In Jerry’s experience, patching leaves many problems in cybersecurity unsolved and can instead create a false sense of security, especially in the case of in-house coding errors. Patching may look like a long-term solution, but you may only overcome a weakness for the moment and come back to the same issue a few months later.</p>
<p>“When I say it's overrated is, first of all, patching is to address a known vulnerability in a piece of software, right? That means that the vulnerability has to already be out there, has to be profiled, has to be understood, and the manufacturer has to have actually created some kind of fix for it.”

</p>
<p>What about encryption? Is that also overrated?</p>
<p>Encryption exists to keep information out of your adversaries’ hands. However, too much focus on encryption blinds us to other issues and other tools that can be used against us. Although vulnerabilities around encryption are sometimes exploited, Jerry points out that you rarely, if ever, hear about the threats we are warned about when we’re sold on encryption. With so many other ways to be attacked, Jerry says our focus on encryption keeps us in the dark about the reality of online safety.</p>
<p>“In any event, we spend so much time worrying about encryption and encrypting things, and whether it's encryption at rest, or whether it's in transit, or anything else like that, that I think sometimes we blind ourselves, especially on internal tools.”

</p>
<p>Are short SLAs (service level agreements) for addressing critical risk overrated?</p>
<p>In Jerry’s mind, the timeframe of your SLA doesn’t matter if you need a problem fixed immediately. Whether the window is 48 hours, 29 days, or 364 days, critical threats need immediate fixes, and your service team should understand that. If the response to a necessary and urgent request is for your team to ask about the SLA, you have a much bigger problem than the time it will take: a toxic culture problem, something that cannot be fixed with simple tweaks to your SLA.</p>
<p>“I always would just preach that you don't want to ever undermine your credibility. You don't want to bring weak sauce. Gotta be able to reproduce everything, have a video, all of that, and if you don't, then yeah, you people are gonna abuse your SLAs and push it to the edge.”

</p>
<p>What are your thoughts on departments with “vulnerability” in their name?</p>
<p>Although Jerry has had vulnerability departments and teams at previous companies, putting “vulnerability” in a department’s name rarely signifies anything beyond the fact that they run the vulnerability scanners. Beyond running the scanners, processing the results and reporting them is a completely different beast. Rarely can a vulnerability department process and report these results without making the data ten times more complicated and time-consuming for your board to understand. They’re tool-focused, it’s in their name, but that may not be what you really need when you’re assessing risk.</p>
<p>“I think it's really important that you just speak about them all collectively, in a tool agnostic fashion. So, I feel the vuln scanner results, the bug bounty results, the attack service management results, the employees raising their hand and volunteering info…they need to be portrayed in parallel in one communication.”</p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Jerry Perullo on <a href='https://www.linkedin.com/in/perullo/'>LinkedIn</a> and listen to his podcast <a href='https://rss.com/podcasts/lifeafterciso/'>#lifeafterCISO</a> </p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p> </p>
]]></description>
<content:encoded><![CDATA[<p>Jerry Perullo, former CISO of the NYSE, former chairman of the board of the FS-ISAC, founder, professor, and host of the Life After CISO podcast, comes down to the Cyber Ranch to discuss the many roles he’s had throughout his career and the many distinctive opinions he holds on the cyber industry. Together, Jerry and Allan break down what’s overrated in cybersecurity, from patching to the dark web to vulnerability departments, and every detail and concept in between.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[01:53] Taking on a variety of roles in the cyber industry and breaking down which elements of cybersecurity are overrated</p>
<p>[08:48] Recognizing when encryption is needed and when it is overrated or overemphasized as something you <em>need</em> in cybersecurity</p>
<p>[15:43] Service-level agreement timelines, addressing critical risks, and engaging with the 80/20 rule</p>
<p>[24:17] Understanding when to separate data about different vulnerabilities and attacks, and when to report on them in the same conversation (i.e. board meetings)</p>
<p>[29:58] Other overrated elements of cybersecurity, such as IoCs, dark web, and, of course, what Jerry would change in cyber if he had a magic wand...<br>
<br>
</p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a><br>
<br>
</p>
<p>Why is patching overrated?</p>
<p>While Jerry acknowledges the importance of patching in certain contexts, he also explains that its ability to solve security problems is often overemphasized. For a patch to make an impact, the vulnerability has to be known and understood, and the vendor has to have produced a fix. In Jerry’s experience, patching leaves many problems in cybersecurity unsolved and can instead create a false sense of security, especially in the case of in-house coding errors. Patching may look like a long-term solution, but you may only overcome a weakness for the moment and come back to the same issue a few months later.</p>
<p><em>“When I say it's overrated is, first of all, patching is to address a known vulnerability in a piece of software, right? That means that the vulnerability has to already be out there, has to be profiled, has to be understood, and the manufacturer has to have actually created some kind of fix for it.”<br>
<br>
</em></p>
<p>What about encryption? Is that also overrated?</p>
<p>Encryption exists to keep information out of your adversaries’ hands. However, too much focus on encryption blinds us to other issues and other tools that can be used against us. Although vulnerabilities around encryption are sometimes exploited, Jerry points out that you rarely, if ever, hear about the threats we are warned about when we’re sold on encryption. With so many other ways to be attacked, Jerry says our focus on encryption keeps us in the dark about the reality of online safety.</p>
<p><em>“In any event, we spend so much time worrying about encryption and encrypting things, and whether it's encryption at rest, or whether it's in transit, or anything else like that, that I think sometimes we blind ourselves, especially on internal tools.”<br>
<br>
</em></p>
<p>Are short SLAs (service level agreements) for addressing critical risk overrated?</p>
<p>In Jerry’s mind, the timeframe of your SLA doesn’t matter if you need a problem fixed immediately. Whether the window is 48 hours, 29 days, or 364 days, critical threats need immediate fixes, and your service team should understand that. If the response to a necessary and urgent request is for your team to ask about the SLA, you have a much bigger problem than the time it will take: a toxic culture problem, something that cannot be fixed with simple tweaks to your SLA.</p>
<p><em>“I always would just preach that you don't want to ever undermine your credibility. You don't want to bring weak sauce. Gotta be able to reproduce everything, have a video, all of that, and if you don't, then yeah, you people are gonna abuse your SLAs and push it to the edge.”<br>
<br>
</em></p>
<p>What are your thoughts on departments with “vulnerability” in their name?</p>
<p>Although Jerry has had vulnerability departments and teams at previous companies, putting “vulnerability” in a department’s name rarely signifies anything beyond the fact that they run the vulnerability scanners. Beyond running the scanners, processing the results and reporting them is a completely different beast. Rarely can a vulnerability department process and report these results without making the data ten times more complicated and time-consuming for your board to understand. They’re tool-focused, it’s in their name, but that may not be what you really need when you’re assessing risk.</p>
<p><em>“I think it's really important that you just speak about them all collectively, in a tool agnostic fashion. So, I feel the vuln scanner results, the bug bounty results, the attack service management results, the employees raising their hand and volunteering info…they need to be portrayed in parallel in one communication.”</em></p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Jerry Perullo on <a href='https://www.linkedin.com/in/perullo/'>LinkedIn</a> and listen to his podcast <a href='https://rss.com/podcasts/lifeafterciso/'>#lifeafterCISO</a> </p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/p2n4ww/CR_audio_Jerry_Perullo_v371kov.mp3" length="58395305" type="audio/mpeg"/>
<itunes:summary><![CDATA[Jerry Perullo, former CISO of the NYSE, former chairman of the board of the FS-ISAC, founder, professor, and host of the Life After CISO podcast, comes down to the Cyber Ranch to discuss the many roles he’s had throughout his career and the many distinctive opinions he holds on the cyber industry. Together, Jerry and Allan break down what’s overrated in cybersecurity, from patching to the dark web to vulnerability departments, and every detail and concept in between.
 
Timecoded Guide:
[01:53] Taking on a variety of roles in the cyber industry and breaking down which elements of cybersecurity are overrated
[08:48] Recognizing when encryption is needed and when it is overrated or overemphasized as something you need in cybersecurity
[15:43] Service-level agreement timelines, addressing critical risks, and engaging with the 80/20 rule
[24:17] Understanding when to separate data about different vulnerabilities and attacks, and when to report on them in the same conversation (i.e. board meetings)
[29:58] Other overrated elements of cybersecurity, such as IoCs, dark web, and, of course, what Jerry would change in cyber if he had a magic wand...
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
Why is patching overrated?
While Jerry acknowledges the importance of patching in certain contexts, he also explains that its ability to solve security problems is often overemphasized. For a patch to make an impact, the vulnerability has to be known and understood, and the vendor has to have produced a fix. In Jerry’s experience, patching leaves many problems in cybersecurity unsolved and can instead create a false sense of security, especially in the case of in-house coding errors. Patching may look like a long-term solution, but you may only overcome a weakness for the moment and come back to the same issue a few months later.
“When I say it's overrated is, first of all, patching is to address a known vulnerability in a piece of software, right? That means that the vulnerability has to already be out there, has to be profiled, has to be understood, and the manufacturer has to have actually created some kind of fix for it.”
What about encryption? Is that also overrated?
Encryption exists to keep information out of your adversaries’ hands. However, too much focus on encryption blinds us to other issues and other tools that can be used against us. Although vulnerabilities around encryption are sometimes exploited, Jerry points out that you rarely, if ever, hear about the threats we are warned about when we’re sold on encryption. With so many other ways to be attacked, Jerry says our focus on encryption keeps us in the dark about the reality of online safety.
“In any event, we spend so much time worrying about encryption and encrypting things, and whether it's encryption at rest, or whether it's in transit, or anything else like that, that I think sometimes we blind ourselves, especially on internal tools.”
Are short SLAs (service level agreements) for addressing critical risk overrated?
In Jerry’s mind, the timeframe of your SLA doesn’t matter if you need a problem fixed immediately. Whether the window is 48 hours, 29 days, or 364 days, critical threats need immediate fixes, and your service team should understand that. If the response to a necessary and urgent request is for your team to ask about the SLA, you have a much bigger problem than the time it will take: a toxic culture problem, something that cannot be fixed with simple tweaks to your SLA.
“I always would just preach that you don't want to ever undermine your credibility. You don't want to bring weak sauce]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2432</itunes:duration>
                <itunes:episode>77</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Better User Awareness Training with Tim Silverline</title>
        <itunes:title>Better User Awareness Training with Tim Silverline</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/better-user-awareness-training-with-tim-silverline/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/better-user-awareness-training-with-tim-silverline/#comments</comments>        <pubDate>Wed, 29 Jun 2022 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/c665a227-b7e8-3957-9d51-258b4326c65b</guid>
                                    <description><![CDATA[<p>Tim Silverline, VP of Security at Gluware, joins host Allan Alford on the Ranch this week for a discussion about user awareness training and the latest and greatest (as well as not the greatest) methods around phishing simulations. Tim and Allan get into the nitty gritty of how your company can improve user awareness results through avoiding basic click-through models, considering advanced warning for certain training exercises, and understanding risk quantification when evaluating employee metrics.</p>
<p style="text-align:left;"> </p>
<p>Timecoded Guide:</p>
<p>[04:30] Running the right phishing simulation for your user base and gauging your results appropriately</p>
<p>[10:08] Pushing boundaries in the tactics used in phishing exercises and making employees pay attention more closely to their everyday emails </p>
<p>[15:10] Calling out unlikely and unhelpful phishing strategies and simulations, including the harm of impersonating employees without any warning</p>
<p>[21:04] Realizing which methods of user awareness are no longer effective and shifting away from the mindset of just “checking the box” in these training exercises</p>
<p>[25:54] Changing security for the better with increased awareness and a better understanding around the value of risk exposure amongst employees</p>
<p style="text-align:left;"> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p style="text-align:left;"> </p>
<p>What, to you, are the biggest highlights, the high points, the critical bits of user awareness training?</p>
<p>Tim has seen the good and the bad of user awareness training, and has found the best results for his users in interactive training sessions, especially when paired with gamification. Allan compares this method and approach to modern virtual escape room sessions, and Tim agrees that the more interactive and hands-on a training can be, the better the learning experience will be. Instead of framing our user awareness and phishing exercises around checking boxes for cyber insurance companies, we should be striving for active learning engagements that demonstrate the value of security to our users.</p>
<p>“After those trainings, users have come up to me and talked to me about how they weren't aware of this particular risk and hearing about it in a real-world use-case was very effective for them to really understand why it's important and why they should be behaving in a slightly different manner.”</p>
<p style="text-align:left;"> </p>
<p>If the users never fall prey to attacks, is there a reason to continue performing them? </p>
<p>Hearing Tim talk about his success, Allan was curious about how he chooses to approach successful user bases. If someone isn’t falling for Tim’s phish, does he still see the need to perform these exercises? The short answer was yes, but Tim explains that user awareness training should be customized to the needs of a user base. Testing new employees is a must, along with refreshing successful users on their skills a few times a year. Additionally, scheduling out different exercises that home in on different phishing simulations exposes employees to a variety of learning opportunities and encourages them to see this as more than just a yearly test where they might as well “get it over with.”</p>
<p>“If you've tested all your existing employees, and they haven't fallen or been susceptible to it, that doesn't mean that the next employee you hire is also going to be of that same mindset.”</p>
<p style="text-align:left;"> </p>
<p>What ineffective methods are there in security awareness?</p>
<p>Throughout the episode, Tim and Allan keep coming back to the simple fact that checking boxes no longer works. Having employees read through material or watch videos and then take “common sense” knowledge tests makes user awareness training a distracting activity that feels more like grunt work than a learning experience. While you never want to disrupt the workflow of your employees, stepping outside of the box with interactive activities that are explained in advance shows the value of these exercises to your users instead of making them feel that you’re yet again wasting their time with another gift card scam.</p>
<p>“I find that there's the typical thing a lot of people do to hit compliance, which is having their users watch videos, and answer questionnaires. My feeling is that most people just try to get that done. Their goal is really to get it completed, so they can check the box and their company stops bothering them to complete it.”</p>
<p style="text-align:left;"> </p>
<p>You are given a magic wand and you are told you can wave it and change any one thing in cybersecurity you want to change. What do you change?</p>
<p>There’s so much in cybersecurity that Tim and Allan would love to change, especially when we look at cutting edge approaches to user awareness training. However, Tim makes one thing clear: if he could change anything, he would change our mindset. Instead of seeing security as just someone’s job, we should encourage our users to see themselves as an instrumental part of their company’s security. When everyone concerns themselves with following the right protocols and caring about security beyond simulations, companies will find themselves in a much stronger, less vulnerable place.</p>
<p>“I think ultimately, a lot of the weaknesses inside of our organization are our users. If I could just increase the level of carefulness, or the level of interest that everybody has in keeping their own companies secure, I think we would overall improve the posture of all companies.”</p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Tim Silverline on <a href='https://www.linkedin.com/in/timsilverline/'>LinkedIn</a> and <a href='https://gluware.com'>the Gluware website</a>. </p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Tim Silverline, VP of Security at Gluware, joins host Allan Alford on the Ranch this week for a discussion about user awareness training and the latest and greatest (as well as not the greatest) methods around phishing simulations. Tim and Allan get into the nitty gritty of how your company can improve user awareness results through avoiding basic click-through models, considering advance warning for certain training exercises, and understanding risk quantification when evaluating employee metrics.</p>
<p style="text-align:left;"> </p>
<p>Timecoded Guide:</p>
<p>[04:30] Running the right phishing simulation for your user base and gauging your results appropriately</p>
<p>[10:08] Pushing boundaries in the tactics used in phishing exercises and making employees pay attention more closely to their everyday emails </p>
<p>[15:10] Calling out unlikely and unhelpful phishing strategies and simulations, including the harm of impersonating employees without any warning</p>
<p>[21:04] Realizing which methods of user awareness are no longer effective and shifting away from the mindset of just “checking the box” in these training exercises</p>
<p>[25:54] Changing security for the better with increased awareness and a better understanding around the value of risk exposure amongst employees</p>
<p style="text-align:left;"> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at <a href='http://axonius.com/Get-A-Tour'>Axonius.com/Get-A-Tour</a></p>
<p style="text-align:left;"> </p>
<p>What, to you, are the biggest highlights, the high points, the critical bits of user awareness training?</p>
<p>Tim has seen the good and the bad of user awareness training, and has found the best results for his users in interactive training sessions, especially when paired with gamification. Allan compares this method and approach to modern virtual escape room sessions, and Tim agrees that the more interactive and hands-on a training can be, the better the learning experience will be. Instead of framing our user awareness and phishing exercises around checking boxes for cyber insurance companies, we should be striving for active learning engagements that demonstrate the value of security to our users.</p>
<p><em>“After those trainings, users have come up to me and talked to me about how they weren't aware of this particular risk and hearing about it in a real-world use-case was very effective for them to really understand why it's important and why they should be behaving in a slightly different manner.”</em></p>
<p style="text-align:left;"> </p>
<p>If the users never fall prey to attacks, is there a reason to continue performing them? </p>
<p>Hearing Tim talk about his success, Allan was curious about how he chooses to approach successful user bases. If someone isn’t falling for Tim’s phish, does he still see the need to perform these exercises? The short answer was yes, but Tim explains that user awareness training should be customized to the needs of a user base. Testing new employees is a must, along with refreshing successful users on their skills a few times a year. Additionally, scheduling out different exercises that home in on different phishing simulations exposes employees to a variety of learning opportunities and encourages them to see this as more than just a yearly test where they might as well “get it over with.”</p>
<p><em>“If you've tested all your existing employees, and they haven't fallen or been susceptible to it, that doesn't mean that the next employee you hire is also going to be of that same mindset.”</em></p>
<p style="text-align:left;"> </p>
<p>What ineffective methods are there in security awareness?</p>
<p>Throughout the episode, Tim and Allan keep coming back to the simple fact that checking boxes no longer works. Having employees read through material or watch videos and then take “common sense” knowledge tests makes user awareness training a distracting activity that feels more like grunt work than a learning experience. While you never want to disrupt the workflow of your employees, stepping outside of the box with interactive activities that are explained in advance shows the value of these exercises to your users instead of making them feel that you’re yet again wasting their time with another gift card scam.</p>
<p><em>“I find that there's the typical thing a lot of people do to hit compliance, which is having their users watch videos, and answer questionnaires. My feeling is that most people just try to get that done. Their goal is really to get it completed, so they can check the box and their company stops bothering them to complete it.”</em></p>
<p style="text-align:left;"> </p>
<p>You are given a magic wand and you are told you can wave it and change any one thing in cybersecurity you want to change. What do you change?</p>
<p>There’s so much in cybersecurity that Tim and Allan would love to change, especially when we look at cutting edge approaches to user awareness training. However, Tim makes one thing clear: if he could change anything, he would change our mindset. Instead of seeing security as just someone’s job, we should encourage our users to see themselves as an instrumental part of their company’s security. When everyone concerns themselves with following the right protocols and caring about security beyond simulations, companies will find themselves in a much stronger, less vulnerable place.</p>
<p><em>“I think ultimately, a lot of the weaknesses inside of our organization are our users. If I could just increase the level of carefulness, or the level of interest that everybody has in keeping their own companies secure, I think we would overall improve the posture of all companies.”</em></p>
<p>-------------</p>
<p>Links:</p>
<p>Learn more about Tim Silverline on <a href='https://www.linkedin.com/in/timsilverline/'>LinkedIn</a> and <a href='https://gluware.com'>the Gluware website</a>. </p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/nygvxv/CR_audio_Tim_Silverline_v19n9dl.mp3" length="40800884" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Tim Silverline, VP of Security at Gluware, joins host Allan Alford on the Ranch this week for a discussion about user awareness training and the latest and greatest (as well as not the greatest) methods around phishing simulations. Tim and Allan get into the nitty gritty of how your company can improve user awareness results through avoiding basic click-through models, considering advance warning for certain training exercises, and understanding risk quantification when evaluating employee metrics.
 
Timecoded Guide:
[04:30] Running the right phishing simulation for your user base and gauging your results appropriately
[10:08] Pushing boundaries in the tactics used in phishing exercises and making employees pay attention more closely to their everyday emails 
[15:10] Calling out unlikely and unhelpful phishing strategies and simulations, including the harm of impersonating employees without any warning
[21:04] Realizing which methods of user awareness are no longer effective and shifting away from the mindset of just “checking the box” in these training exercises
[25:54] Changing security for the better with increased awareness and a better understanding around the value of risk exposure amongst employees
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walkthrough of the platform at Axonius.com/Get-A-Tour
 
What, to you, are the biggest highlights, the high points, the critical bits of user awareness training?
Tim has seen the good and the bad of user awareness training, and has found the best results for his users in interactive training sessions, especially when paired with gamification. Allan compares this method and approach to modern virtual escape room sessions, and Tim agrees that the more interactive and hands-on a training can be, the better the learning experience will be. Instead of framing our user awareness and phishing exercises around checking boxes for cyber insurance companies, we should be striving for active learning engagements that demonstrate the value of security to our users.
“After those trainings, users have come up to me and talked to me about how they weren't aware of this particular risk and hearing about it in a real-world use-case was very effective for them to really understand why it's important and why they should be behaving in a slightly different manner.”
 
If the users never fall prey to attacks, is there a reason to continue performing them? 
Hearing Tim talk about his success, Allan was curious about how he chooses to approach successful user bases. If someone isn’t falling for Tim’s phish, does he still see the need to perform these exercises? The short answer was yes, but Tim explains that user awareness training should be customized to the needs of a user base. Testing new employees is a must, along with refreshing successful users on their skills a few times a year. Additionally, scheduling out different exercises that home in on different phishing simulations exposes employees to a variety of learning opportunities and encourages them to see this as more than just a yearly test where they might as well “get it over with.”
“If you've tested all your existing employees, and they haven't fallen or been susceptible to it, that doesn't mean that the next employee you hire is also going to be of that same mindset.”
 
What ineffective methods are there in security awareness?
Throughout the episode, Tim and Allan keep coming back to the simple fact that checking boxes no longer works. Having employees read through material or watch videos and then take “common sense” knowledge tests makes user awareness training a distracting activity that feels more like grunt work than a learning experience. While you never want to disrupt the workflow of your employees, stepping outside of the b]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1699</itunes:duration>
                <itunes:episode>76</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Founder-Angel Investor Connection with Sameer Sait &amp; John Stewart</title>
        <itunes:title>The Founder-Angel Investor Connection with Sameer Sait &amp; John Stewart</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-founder-angel-investor-connection-with-sameer-sait-john-stewart/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-founder-angel-investor-connection-with-sameer-sait-john-stewart/#comments</comments>        <pubDate>Wed, 22 Jun 2022 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/5a894ed4-1e9e-3ab2-81c9-29cb2bbcc69b</guid>
                                    <description><![CDATA[<p>Allan invites a founder and an angel investor to the ranch this week to talk about how founders and angel investors really connect. Meet Sameer Sait, former CISO at Amazon Whole Foods and now founder of BalkanID, and John Stewart, former CISO at Cisco and investor at Talons Ventures. Together, these gentlemen offer a lot of insight into both sides of the investment story, from evaluation to the decision to work together, and what a mutually beneficial founder and angel investor relationship looks like.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[01:23] Exploring John and Sameer’s backgrounds in cyber and how they developed their own unique founder-angel investor connection</p>
<p>[04:53] Understanding the triggering aspects that caused someone like John to become an angel investor in BalkanID and how BalkanID selected their investors</p>
<p>[08:20] Delving into the uniqueness of different founder-investor relationships and how John (vs other BalkanID investors) makes his impact on Sameer’s work as a founder</p>
<p>[13:30] Giving expert advice and explaining lessons learned in founding your first company and in investing in startups </p>
<p>[22:12] Exploring how other experiences in life, outside of cybersecurity and investing, have informed John and Sameer’s work with BalkanID and with solving cyber issues</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a>.</p>
<p> </p>
<p>What inspired you to become a founder of BalkanID, Sameer?</p>
<p>As the former CISO of Amazon Whole Foods and an investor in numerous cybersecurity companies, Sameer has a great resume to show off. However, his work with BalkanID offered him the opportunity to be a founder, something that Sameer had never done before. When asked what inspired him to be a first-time founder, he tells us that he continuously encountered the same problems over and over again, and wasn’t seeing anyone coming up with the right solution. With so much at stake around entitlements, continuing on without addressing the issue felt like a missed opportunity, and with the right investors and co-founders on his side, BalkanID was born.</p>
<p>“I knew that we could do better, right? And I knew the existing solutions were not scaling. And I think the last inspiration was really finding the right co-founders to go at this with. That was the biggest inspiration of all.” - Sameer Sait</p>
<p> </p>
<p>John, what were the triggering factors that made you decide to invest in BalkanID? </p>
<p>Just like Sameer, John has some incredible experience to show off in the tech world and in the investment world. But why BalkanID? A simple answer would be the connection between these two men, who have met numerous times throughout their careers and developed a strong working relationship. However, John sees so much potential in BalkanID and in Sameer beyond just their work friendship. John believes that you don’t invest in tech, you invest in people; the qualities he sees in Sameer as a founder and a leader in the tech world excite him, and he felt he could lend his expertise to BalkanID in a beneficial way.</p>
<p>“Sameer is very self-aware. These things matter. He knows what he knows, he knows what he doesn't know, he's comfortable bringing in people that complement his skills and make a stronger team around him. In the end, that's why I say you bet on people, not on tech.” - John Stewart</p>
<p> </p>
<p>What advice do you have for potential investors looking to get involved in startups, John?</p>
<p>Being an investor isn’t always easy, and John has made some mistakes that taught him the hard way about how to be a good investor. With a hands-on approach and now tons of projects under his belt, John is asked to give some advice to future investors. A hugely important piece of advice from John is to know your founder, know their wants and needs, and to see ahead of what their future holds. You’re an investor, but it is their company, and you have to be aligned in order to produce a mutually beneficial relationship. </p>
<p>“As an investor, I follow out and look for all of those things. I look at how optionality is, how CEOs think, how many chances they have, what directions could they go. Are they strategically capable of looking beyond today's decision and thinking about what might happen in the future?” - John Stewart</p>
<p> </p>
<p>Sameer, what advice would you give fellow founders?</p>
<p>Despite his experiences at other companies, BalkanID is Sameer’s first founding experience so far. His biggest lesson to date? Not getting caught up in the buzz and the hype. BalkanID’s approach to their audience and their product has been to focus on their customer and work backwards to find their problem and their ideal solution. This takes time, and it’s easy to fall into the trap of comparing your revenue, launches, products, and marketing tactics to those of other companies. This only hurts your brand in the long run because you’ll no longer be focused on your customer’s problem. </p>
<p>“As an early stage, first-time entrepreneur, a part of me would get nervous. ‘Oh, my God, look what's happening out there. Oh, we're so slow.’ I think of taking a step back and saying, ‘Well, we are on our journey,’ right? We have supporters, we have backers, we have a real problem we're solving. The fact that other people want to solve the same problem is validation that it's a real problem.” - Sameer Sait</p>
<p>-------------</p>
<p>Links:</p>
<p>Stay in touch with Sameer Sait on <a href='https://www.linkedin.com/in/sameersait/'>LinkedIn</a> and <a href='https://www.balkan.id/about'>the BalkanID website</a>.</p>
<p>Stay in touch with John Stewart on <a href='https://www.linkedin.com/in/john-stewart-ba32a5195/'>LinkedIn</a>.</p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan invites a founder and an angel investor to the ranch this week to talk about how founders and angel investors really connect. Meet Sameer Sait, former CISO at Amazon Whole Foods and now founder of BalkanID, and John Stewart, former CISO at Cisco and investor at Talons Ventures. Together, these gentlemen offer a lot of insight into both sides of the investment story, from evaluation to the decision to work together, and what a mutually beneficial founder and angel investor relationship looks like.</p>
<p> </p>
<p>Timecoded Guide:</p>
<p>[01:23] Exploring John and Sameer’s backgrounds in cyber and how they developed their own unique founder-angel investor connection</p>
<p>[04:53] Understanding the triggering aspects that caused someone like John to become an angel investor in BalkanID and how BalkanID selected their investors</p>
<p>[08:20] Delving into the uniqueness of different founder-investor relationships and how John (vs other BalkanID investors) makes his impact on Sameer’s work as a founder</p>
<p>[13:30] Giving expert advice and explaining lessons learned in founding your first company and in investing in startups </p>
<p>[22:12] Exploring how other experiences in life, outside of cybersecurity and investing, have informed John and Sameer’s work with BalkanID and with solving cyber issues</p>
<p> </p>
<p>Sponsor Links:</p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a>.</p>
<p> </p>
<p>What inspired you to become a founder of BalkanID, Sameer?</p>
<p>As the former CISO of Amazon Whole Foods and an investor in numerous cybersecurity companies, Sameer has a great resume to show off. However, his work with BalkanID offered him the opportunity to be a founder, something that Sameer had never done before. When asked what inspired him to be a first-time founder, he tells us that he continuously encountered the same problems over and over again, and wasn’t seeing anyone coming up with the right solution. With so much at stake around entitlements, continuing on without addressing the issue felt like a missed opportunity, and with the right investors and co-founders on his side, BalkanID was born.</p>
<p><em>“I knew that we could do better, right? And I knew the existing solutions were not scaling. And I think the last inspiration was really finding the right co-founders to go at this with. That was the biggest inspiration of all.” - Sameer Sait</em></p>
<p> </p>
<p>John, what were the triggering factors that made you decide to invest in BalkanID? </p>
<p>Just like Sameer, John has some incredible experience to show off in the tech world and in the investment world. But why BalkanID? A simple answer would be the connection between these two men, who have met numerous times throughout their careers and developed a strong working relationship. However, John sees so much potential in BalkanID and in Sameer beyond just their work friendship. John believes that you don’t invest in tech, you invest in people; the qualities he sees in Sameer as a founder and a leader in the tech world excite him, and he felt he could lend his expertise to BalkanID in a beneficial way.</p>
<p><em>“Sameer is very self-aware. These things matter. He knows what he knows, he knows what he doesn't know, he's comfortable bringing in people that complement his skills and make a stronger team around him. In the end, that's why I say you bet on people, not on tech.” - John Stewart</em></p>
<p> </p>
<p>What advice do you have for potential investors looking to get involved in startups, John?</p>
<p>Being an investor isn’t always easy, and John has made some mistakes that taught him the hard way about how to be a good investor. With a hands-on approach and now tons of projects under his belt, John is asked to give some advice to future investors. A hugely important piece of advice from John is to know your founder, know their wants and needs, and to see ahead of what their future holds. You’re an investor, but it is their company, and you have to be aligned in order to produce a mutually beneficial relationship. </p>
<p><em>“As an investor, I follow out and look for all of those things. I look at how optionality is, how CEOs think, how many chances they have, what directions could they go. Are they strategically capable of looking beyond today's decision and thinking about what might happen in the future?” - John Stewart</em></p>
<p> </p>
<p>Sameer, what advice would you give fellow founders?</p>
<p>Despite his experiences at other companies, BalkanID is Sameer’s first founding experience so far. His biggest lesson to date? Not getting caught up in the buzz and the hype. BalkanID’s approach to their audience and their product has been to focus on their customer and work backwards to find their problem and their ideal solution. This takes time, and it’s easy to fall into the trap of comparing your revenue, launches, products, and marketing tactics to those of other companies. This only hurts your brand in the long run because you’ll no longer be focused on your customer’s problem. </p>
<p><em>“As an early stage, first-time entrepreneur, a part of me would get nervous. ‘Oh, my God, look what's happening out there. Oh, we're so slow.’ I think of taking a step back and saying, ‘Well, we are on our journey,’ right? We have supporters, we have backers, we have a real problem we're solving. The fact that other people want to solve the same problem is validation that it's a real problem.” - Sameer Sait</em></p>
<p>-------------</p>
<p>Links:</p>
<p>Stay in touch with Sameer Sait on <a href='https://www.linkedin.com/in/sameersait/'>LinkedIn</a> and <a href='https://www.balkan.id/about'>the BalkanID website</a>.</p>
<p>Stay in touch with John Stewart on <a href='https://www.linkedin.com/in/john-stewart-ba32a5195/'>LinkedIn</a>.</p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/ywidez/CR_audio_Sameer_and_John_v1axc6l.mp3" length="38205917" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan invites a founder and an angel investor to the ranch this week to talk about how founders and angel investors really connect. Meet Sameer Sait, former CISO at Amazon Whole Foods and now founder of BalkanID, and John Stewart, former CISO at Cisco and investor at Talons Ventures. Together, these gentlemen offer a lot of insight into both sides of the investment story, from evaluation to the decision to work together, and what a mutually beneficial founder and angel investor relationship looks like.
 
Timecoded Guide:
[01:23] Exploring John and Sameer’s backgrounds in cyber and how they developed their own unique founder-angel investor connection
[04:53] Understanding the triggering aspects that caused someone like John to become an angel investor in BalkanID and how BalkanID selected their investors
[08:20] Delving into the uniqueness of different founder-investor relationships and how John (vs other BalkanID investors) makes his impact on Sameer’s work as a founder
[13:30] Giving expert advice and explaining lessons learned in founding your first company and in investing in startups 
[22:12] Exploring how other experiences in life, outside of cybersecurity and investing, have informed John and Sameer’s work with BalkanID and with solving cyber issues
 
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone.
 
What inspired you to become a founder of BalkanID, Sameer?
As the former CISO of Amazon Whole Foods and an investor in numerous cybersecurity companies, Sameer has a great resume to show off. However, his work with BalkanID offered him the opportunity to be a founder, something Sameer had never done before. When asked what inspired him to be a first-time founder, he tells us that he kept encountering the same problems and wasn’t seeing anyone come up with the right solution. Continuing to move forward without solving the entitlements problem, with so much at stake, felt like a missed opportunity, and with the right investors and co-founders on his side, BalkanID was born.
“I knew that we could do better, right? And I knew the existing solutions were not scaling. And I think the last inspiration was really finding the right co-founders to go at this with. That was the biggest inspiration of all.” - Sameer Sait
 
John, what were the triggering factors that made you decide to invest in BalkanID? 
Just like Sameer, John has some incredible experience to show off in the tech world and in the investment world. But why BalkanID? A simple answer would be the connection between these two men, who met numerous times throughout their careers and developed a strong working relationship. However, John sees far more potential in BalkanID and in Sameer than just their work friendship. John believes that you don’t invest in tech, you invest in people; the qualities he sees in Sameer as a founder and a leader in the tech world excite him, and he felt he could lend his expertise to BalkanID in a beneficial way.
“Sameer is very self-aware. These things matter. He knows what he knows, he knows what he doesn't know, he's comfortable bringing in people that complement his skills and make a stronger team around him. In the end, that's why I say you bet on people, not on tech.” - John Stewart
 
What advice do you have for potential investors looking to get involved in startups, John?
Being an investor isn’t always easy, and John has made some mistakes that taught him the hard way how to be a good investor. With a hands-on approach and now tons of projects under his belt, John is asked to give some advice to future investors. A hugely important piece of advice from John is to know your founder, know their wants and needs, and to see ahead of what their ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1591</itunes:duration>
                <itunes:episode>75</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Open Door Security w/ James Allan-McLean</title>
        <itunes:title>Open Door Security w/ James Allan-McLean</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/open-door-security-w-james-allan-mclean/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/open-door-security-w-james-allan-mclean/#comments</comments>        <pubDate>Wed, 15 Jun 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/a839084f-f767-3f0e-90a5-9589dbb6a2d7</guid>
                                    <description><![CDATA[<p>“When people come to Security and tell you everything they are doing, that’s a real win.” - James Allan-McLean </p>
<p> </p>
<p>Allan is joined by James Allan-McLean, Group CISO at Soletanche Freyssinet and former Information Security Manager within the British military, to talk about his ‘Open Door Security’ method and the benefits of a transparent, no-strings-attached approach to security. In this episode, Allan and James take a deep dive into this methodology and address questions such as: </p>
<p>    -What is Open Door Security?</p>
<p>    -What does a successful Open Door Security program look like?</p>
<p>    -How to go about tackling security implications within your org </p>
<p>    -The philosophy behind James’ ‘handrail’ metaphor</p>
<p>Sponsor Links: </p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a></p>
<p>Guest Bio:</p>
<p>James is a highly effective and motivated information security leader with extensive experience in a range of sectors. He is a Group CISO at Soletanche Freyssinet and former Information Security Manager within the British military.</p>
<p>Links:</p>
<p>Stay in touch with James Allan-McLean on <a href='https://www.linkedin.com/in/james-a-0a691756/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p><em>“When people come to Security and tell you everything they are doing, that’s a real win.” - James Allan-McLean </em></p>
<p> </p>
<p>Allan is joined by James Allan-McLean, Group CISO at Soletanche Freyssinet and former Information Security Manager within the British military, to talk about his ‘Open Door Security’ method and the benefits of a transparent, no-strings-attached approach to security. In this episode, Allan and James take a deep dive into this methodology and address questions such as: </p>
<p>    -What is Open Door Security?</p>
<p>    -What does a successful Open Door Security program look like?</p>
<p>    -How to go about tackling security implications within your org </p>
<p>    -The philosophy behind James’ ‘handrail’ metaphor</p>
<p>Sponsor Links: </p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a></p>
<p>Guest Bio:</p>
<p>James is a highly effective and motivated information security leader with extensive experience in a range of sectors. He is a Group CISO at Soletanche Freyssinet and former Information Security Manager within the British military.</p>
<p>Links:</p>
<p>Stay in touch with James Allan-McLean on <a href='https://www.linkedin.com/in/james-a-0a691756/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/73vsgq/James_Allan.mp3" length="62067968" type="audio/mpeg"/>
        <itunes:summary><![CDATA[“When people come to Security and tell you everything they are doing, that’s a real win.” - James Allan-McLean 
 
Allan is joined by James Allan-McLean, Group CISO at Soletanche Freyssinet and former Information Security Manager within the British military, to talk about his ‘Open Door Security’ method and the benefits of a transparent, no-strings-attached approach to security. In this episode, Allan and James take a deep dive into this methodology and address questions such as: 
    -What is Open Door Security?
    -What does a successful Open Door Security program look like?
    -How to go about tackling security implications within your org 
    -The philosophy behind James’ ‘handrail’ metaphor
Sponsor Links: 
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
James is a highly effective and motivated information security leader with extensive experience in a range of sectors. He is a Group CISO at Soletanche Freyssinet and former Information Security Manager within the British military.
Links:
Stay in touch with James Allan-McLean on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1551</itunes:duration>
                <itunes:episode>74</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>DevSecOps w/ Chris Hughes</title>
        <itunes:title>DevSecOps w/ Chris Hughes</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/devsecops-w-chris-hughes/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/devsecops-w-chris-hughes/#comments</comments>        <pubDate>Wed, 08 Jun 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/19bbe205-2108-3581-aea3-d190c4005c5d</guid>
                                    <description><![CDATA[<p>Allan is joined by Chris Hughes, CISO & Co-founder at Aquia and adjunct professor at UMGC, to talk about all things DevSecOps (Development, Security and Operations). They explore the DevSecOps phrase itself, as well as why security should be treated as an integral component and not a separate entity. In this episode, Allan and Chris take a deep dive into the subject and bring clarity to questions such as: </p>
<p>    -What roles help achieve security in DevOps?</p>
<p>    -What are the cultural barriers to implementing secure DevOps?</p>
<p>    -What are some common mistakes as well as best tips?</p>
<p>Sponsor Links: </p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a></p>
<p>Guest Bio:</p>
<p>Chris Hughes is a proven Cloud/Cybersecurity leader with nearly 20 years of experience in both the Federal and commercial industries. Chris has a dynamic skill set, with a blend of IT, Cyber/Cloud Security and DevSecOps experience. He enjoys working across interdisciplinary teams to solve complex organizational and industry-wide problems to achieve technological transformation securely. </p>
<p>Additional Resources:<br>
Google SLSA framework: <a href='https://slsa.dev/'>https://slsa.dev/</a><br>
CSCRM – NIST Appendix F: <a href='https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf'>https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf</a><br>
Open SSF – OSS Mobilization Plan: <a href='https://8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/OpenSSF/White%20House%20OSS%20Mobilization%20Plan.pdf?hsCtaTracking=3b79d59d-e8d3-4c69-a67b-6b87b325313c%7C7a1a8b01-65ae-4bac-b97c-071dac09a2d8'>https://8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/OpenSSF/White%20House%20OSS%20Mobilization%20Plan.pdf?hsCtaTracking=3b79d59d-e8d3-4c69-a67b-6b87b325313c%7C7a1a8b01-65ae-4bac-b97c-071dac09a2d8</a><br>
Sounil/Andy Debate: <a href='https://www.securityweek.com/video-civil-discourse-sboms'>https://www.securityweek.com/video-civil-discourse-sboms</a></p>
<p>Links:</p>
<p>Stay in touch with Chris Hughes on <a href='https://www.linkedin.com/in/chris-h-97680442/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan is joined by Chris Hughes, CISO & Co-founder at Aquia and adjunct professor at UMGC, to talk about all things DevSecOps (Development, Security and Operations). They explore the DevSecOps phrase itself, as well as why security should be treated as an integral component and not a separate entity. In this episode, Allan and Chris take a deep dive into the subject and bring clarity to questions such as: </p>
<p>    -What roles help achieve security in DevOps?</p>
<p>    -What are the cultural barriers to implementing secure DevOps?</p>
<p>    -What are some common mistakes as well as best tips?</p>
<p>Sponsor Links: </p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a></p>
<p>Guest Bio:</p>
<p>Chris Hughes is a proven Cloud/Cybersecurity leader with nearly 20 years of experience in both the Federal and commercial industries. Chris has a dynamic skill set, with a blend of IT, Cyber/Cloud Security and DevSecOps experience. He enjoys working across interdisciplinary teams to solve complex organizational and industry-wide problems to achieve technological transformation securely. </p>
<p>Additional Resources:<br>
Google SLSA framework: <a href='https://slsa.dev/'>https://slsa.dev/</a><br>
CSCRM – NIST Appendix F: <a href='https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf'>https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf</a><br>
Open SSF – OSS Mobilization Plan: <a href='https://8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/OpenSSF/White%20House%20OSS%20Mobilization%20Plan.pdf?hsCtaTracking=3b79d59d-e8d3-4c69-a67b-6b87b325313c%7C7a1a8b01-65ae-4bac-b97c-071dac09a2d8'>https://8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/OpenSSF/White%20House%20OSS%20Mobilization%20Plan.pdf?hsCtaTracking=3b79d59d-e8d3-4c69-a67b-6b87b325313c%7C7a1a8b01-65ae-4bac-b97c-071dac09a2d8</a><br>
Sounil/Andy Debate: <a href='https://www.securityweek.com/video-civil-discourse-sboms'>https://www.securityweek.com/video-civil-discourse-sboms</a></p>
<p>Links:</p>
<p>Stay in touch with Chris Hughes on <a href='https://www.linkedin.com/in/chris-h-97680442/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/mccppe/Chris_Hughes.mp3" length="68475008" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan is joined by Chris Hughes, CISO & Co-founder at Aquia and adjunct professor at UMGC, to talk about all things DevSecOps (Development, Security and Operations). They explore the DevSecOps phrase itself, as well as why security should be treated as an integral component and not a separate entity. In this episode, Allan and Chris take a deep dive into the subject and bring clarity to questions such as: 
    -What roles help achieve security in DevOps?
    -What are the cultural barriers to implementing secure DevOps?
    -What are some common mistakes as well as best tips?
Sponsor Links: 
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
Chris Hughes is a proven Cloud/Cybersecurity leader with nearly 20 years of experience in both the Federal and commercial industries. Chris has a dynamic skill set, with a blend of IT, Cyber/Cloud Security and DevSecOps experience. He enjoys working across interdisciplinary teams to solve complex organizational and industry-wide problems to achieve technological transformation securely. 
Additional Resources:
Google SLSA framework: https://slsa.dev/
CSCRM – NIST Appendix F: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf
Open SSF – OSS Mobilization Plan: https://8112310.fs1.hubspotusercontent-na1.net/hubfs/8112310/OpenSSF/White%20House%20OSS%20Mobilization%20Plan.pdf?hsCtaTracking=3b79d59d-e8d3-4c69-a67b-6b87b325313c%7C7a1a8b01-65ae-4bac-b97c-071dac09a2d8
Sounil/Andy Debate: https://www.securityweek.com/video-civil-discourse-sboms
Links:
Stay in touch with Chris Hughes on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1711</itunes:duration>
                <itunes:episode>73</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Board Reporting Metrics Pt. 2 w/ Andy Ellis</title>
        <itunes:title>Board Reporting Metrics Pt. 2 w/ Andy Ellis</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/board-reporting-metrics-pt-2-w-andy-ellis/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/board-reporting-metrics-pt-2-w-andy-ellis/#comments</comments>        <pubDate>Wed, 01 Jun 2022 04:59:27 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/dbbc062d-160a-36ef-a76d-471f5ffe6917</guid>
                                    <description><![CDATA[<p>Andy Ellis, CISO at Orca Security, is back for part 2 of this series on Board Reporting Metrics. In Episode 1, Andy and host Allan Alford addressed some of the most common questions posed by the board and shared their perspective on what the board needs to know from a cybersecurity standpoint. In this episode, they continue the conversation by fielding questions from LinkedIn on topics such as:</p>
<p>    -Vulnerability and threat hunting metrics</p>
<p>    -Top 3 metrics to report to the board and why</p>
<p>    -Breach reporting implications and much more! </p>
<p>Check out part 1 of Board Reporting Metrics <a href='https://hackervalley.com/cyberranch/board-reporting-metrics-pt.-1-w-andy-ellis'>here</a></p>
<p>
Sponsor Links: </p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a></p>
<p>
Guest Bio:</p>
<p>Andy Ellis is a visionary technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Andy designed, built, and brought to market many of Akamai’s security products, leading the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty-year tenure, Andy led Akamai’s information security team from a single individual to a 90+ person team, over 40% of whom were women. In running Akamai’s security program, Andy designed systems, governed risk management, implemented policy, and supported go-to-market functions. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision making.</p>
<p>
Additional Links:</p>
<p>Stay in touch with Andy Ellis on <a href='https://www.linkedin.com/in/csoandy/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Andy Ellis, CISO at Orca Security, is back for part 2 of this series on Board Reporting Metrics. In Episode 1, Andy and host Allan Alford addressed some of the most common questions posed by the board and shared their perspective on what the board needs to know from a cybersecurity standpoint. In this episode, they continue the conversation by fielding questions from LinkedIn on topics such as:</p>
<p>    -Vulnerability and threat hunting metrics</p>
<p>    -Top 3 metrics to report to the board and why</p>
<p>    -Breach reporting implications and much more! </p>
<p>Check out part 1 of Board Reporting Metrics <a href='https://hackervalley.com/cyberranch/board-reporting-metrics-pt.-1-w-andy-ellis'>here</a></p>
<p><br>
Sponsor Links: </p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a></p>
<p><br>
Guest Bio:</p>
<p>Andy Ellis is a visionary technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Andy designed, built, and brought to market many of Akamai’s security products, leading the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty-year tenure, Andy led Akamai’s information security team from a single individual to a 90+ person team, over 40% of whom were women. In running Akamai’s security program, Andy designed systems, governed risk management, implemented policy, and supported go-to-market functions. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision making.</p>
<p><br>
Additional Links:</p>
<p>Stay in touch with Andy Ellis on <a href='https://www.linkedin.com/in/csoandy/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/tkf58d/Andy_Ellis_2.mp3" length="106625408" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Andy Ellis, CISO at Orca Security, is back for part 2 of this series on Board Reporting Metrics. In Episode 1, Andy and host Allan Alford addressed some of the most common questions posed by the board and shared their perspective on what the board needs to know from a cybersecurity standpoint. In this episode, they continue the conversation by fielding questions from LinkedIn on topics such as:
    -Vulnerability and threat hunting metrics
    -Top 3 metrics to report to the board and why
    -Breach reporting implications and much more! 
Check out part 1 of Board Reporting Metrics here
Sponsor Links: 
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
Andy Ellis is a visionary technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Andy designed, built, and brought to market many of Akamai’s security products, leading the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty-year tenure, Andy led Akamai’s information security team from a single individual to a 90+ person team, over 40% of whom were women. In running Akamai’s security program, Andy designed systems, governed risk management, implemented policy, and supported go-to-market functions. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision making.
Additional Links:
Stay in touch with Andy Ellis on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2665</itunes:duration>
                <itunes:episode>72</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Board Reporting Metrics Pt. 1 w/ Andy Ellis</title>
        <itunes:title>Board Reporting Metrics Pt. 1 w/ Andy Ellis</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/board-reporting-metrics-pt-1-w-andy-ellis/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/board-reporting-metrics-pt-1-w-andy-ellis/#comments</comments>        <pubDate>Wed, 25 May 2022 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/52b33edc-10b0-3323-a108-270fec43ce4a</guid>
                                    <description><![CDATA[<p>In this episode, Allan is joined by the CISO at Orca Security, Andy Ellis, to share his thoughts on board reporting metrics. What does the board need to know from a cybersecurity perspective? One of the questions is often: “Are we secure?” Is that even the right question? How much should you talk about compliance? Do you speak of IT assets? What about speaking to specific controls? Listen to this episode to hear the common questions posed by the board and how to answer them with metrics. In some cases, it is teaching them to ask different questions. This episode is a master class in board communication in cybersecurity, and the conversation went into such depth that a Part 2 is already being planned.</p>
<p>Check out Andy’s previous episode <a href='https://hackervalley.com/cyberranch/clever-hiring-practices-w-andy-ellis/'>here</a></p>
<p>Sponsor Links: </p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a></p>
<p>Guest Bio:</p>
<p>Andy Ellis is a visionary technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Andy designed, built, and brought to market many of Akamai’s security products, leading the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty-year tenure, Andy led Akamai’s information security team from a single individual to a 90+ person team, over 40% of whom were women. In running Akamai’s security program, Andy designed systems, governed risk management, implemented policy, and supported go-to-market functions. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision making.
</p>
<p>Additional Links:</p>
<p>Stay in touch with Andy Ellis on <a href='https://www.linkedin.com/in/csoandy/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode, Allan is joined by the CISO at Orca Security, Andy Ellis, to share his thoughts on board reporting metrics. What does the board need to know from a cybersecurity perspective? One of the questions is often: “Are we secure?” Is that even the right question? How much should you talk about compliance? Do you speak of IT assets? What about speaking to specific controls? Listen to this episode to hear the common questions posed by the board and how to answer them with metrics. In some cases, it is teaching them to ask different questions. This episode is a master class in board communication in cybersecurity, and the conversation went into such depth that a Part 2 is already being planned.</p>
<p>Check out Andy’s previous episode <a href='https://hackervalley.com/cyberranch/clever-hiring-practices-w-andy-ellis/'>here</a></p>
<p>Sponsor Links: </p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a></p>
<p>Guest Bio:</p>
<p>Andy Ellis is a visionary technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Andy designed, built, and brought to market many of Akamai’s security products, leading the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty-year tenure, Andy led Akamai’s information security team from a single individual to a 90+ person team, over 40% of whom were women. In running Akamai’s security program, Andy designed systems, governed risk management, implemented policy, and supported go-to-market functions. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision making.</p>
<p>Additional Links:</p>
<p>Stay in touch with Andy Ellis on <a href='https://www.linkedin.com/in/csoandy/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a> </p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/bp8d3d/Andy_Ellis_5_2022.mp3" length="128643008" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan is joined by the CISO at Orca Security, Andy Ellis, to share his thoughts on board reporting metrics. What does the board need to know from a cybersecurity perspective? One of the questions is often: “Are we secure?” Is that even the right question? How much should you talk about compliance? Do you speak of IT assets? What about speaking to specific controls? Listen to this episode to hear the common questions posed by the board and how to answer them with metrics. In some cases, it is teaching them to ask different questions. This episode is a master class in board communication in cybersecurity, and the conversation went into such depth that a Part 2 is already being planned.
Check out Andy’s previous episode here
Sponsor Links: 
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
Guest Bio:
Andy Ellis is a visionary technology and business executive with deep expertise in security, managing risk, and leading an inclusive culture. A graduate of MIT and former US Air Force officer, Andy designed, built, and brought to market many of Akamai’s security products, leading the Fortune 1000 company from its start as a content delivery network into an industry powerhouse with a billion-dollar dedicated cybersecurity business. In his twenty-year tenure, Andy led Akamai’s information security team from a single individual to a 90+ person team, over 40% of whom were women. In running Akamai’s security program, Andy designed systems, governed risk management, implemented policy, and supported go-to-market functions. Widely respected across the cybersecurity industry for his pragmatic approach to aligning security and business needs, Andy regularly speaks and writes on cybersecurity, leadership, diversity & inclusion, and decision making.
Additional Links:
Stay in touch with Andy Ellis on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>true</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>3216</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>71</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Getting a Seat at “The Table” w/ Brent Deterding</title>
        <itunes:title>Getting a Seat at “The Table” w/ Brent Deterding</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/getting-a-seat-at-the-table-w-brent-deterding/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/getting-a-seat-at-the-table-w-brent-deterding/#comments</comments>        <pubDate>Wed, 18 May 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/773c19f2-2c91-3715-8e94-3d57bd20cc7d</guid>
                                    <description><![CDATA[<p>“Having a seat at the table doesn’t mean getting your way all the time. It means having a seat and I think that is very important to understand.” - Brent Deterding </p>
<p>In this episode, Allan is joined by the CISO at Afni, Brent Deterding, to explore how CISOs can earn and keep their seat at the executive table. Brent was a fan of the <a href='https://hackervalley.com/cyberranch/learned-helplessness-in-cybersecurity-w-steve-mancini/'>Learned Helplessness</a> episode of The Cyber Ranch Podcast with Steve Mancini, and furthered the conversation as it relates to the often espoused topic of CISOs needing a seat at “the table.” Brent discusses the power of shifting your mindset, how a lack of confidence has created a cycle of self-sabotage, and ways we can collectively improve our current standing.</p>
<p> </p>
<p>Sponsor Links: </p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a></p>
<p> </p>
<p>Guest Bio:</p>
<p>Brent is an Executive CISO whose mission is to enable Afni and its global workforce to support their customers securely and confidently. Prior to being a CISO, for over 20 years, he was a security practitioner with a security vendor specializing in threat detection, incident response, and security strategy. His efforts helped hundreds of organizations detect, respond to, and mitigate attacks.</p>
<p> </p>
<p>Additional Links:</p>
<p>Stay in touch with Brent Deterding on <a href='https://www.linkedin.com/in/brent-deterding/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p><em>“Having a seat at the table doesn’t mean getting your way all the time. It means having a seat and I think that is very important to understand.” - Brent Deterding </em></p>
<p>In this episode, Allan is joined by the CISO at Afni, Brent Deterding, to explore how CISOs can earn and keep their seat at the executive table. Brent was a fan of the <a href='https://hackervalley.com/cyberranch/learned-helplessness-in-cybersecurity-w-steve-mancini/'>Learned Helplessness</a> episode of The Cyber Ranch Podcast with Steve Mancini, and furthered the conversation as it relates to the often espoused topic of CISOs needing a seat at “the table.” Brent discusses the power of shifting your mindset, how a lack of confidence has created a cycle of self-sabotage, and ways we can collectively improve our current standing.</p>
<p> </p>
<p>Sponsor Links: </p>
<p>Thank you to our sponsor Axonius for bringing this episode to life!</p>
<p>Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a></p>
<p> </p>
<p>Guest Bio:</p>
<p>Brent is an Executive CISO whose mission is to enable Afni and its global workforce to support their customers securely and confidently. Prior to being a CISO, for over 20 years, he was a security practitioner with a security vendor specializing in threat detection, incident response, and security strategy. His efforts helped hundreds of organizations detect, respond to, and mitigate attacks.</p>
<p> </p>
<p>Additional Links:</p>
<p>Stay in touch with Brent Deterding on <a href='https://www.linkedin.com/in/brent-deterding/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/tp92hq/Brent_Deterding_Rev1.mp3" length="77921408" type="audio/mpeg"/>
        <itunes:summary><![CDATA[“Having a seat at the table doesn’t mean getting your way all the time. It means having a seat and I think that is very important to understand.” - Brent Deterding 
In this episode, Allan is joined by the CISO at Afni, Brent Deterding, to explore how CISOs can earn and keep their seat at the executive table. Brent was a fan of the Learned Helplessness episode of The Cyber Ranch Podcast with Steve Mancini, and furthered the conversation as it relates to the often espoused topic of CISOs needing a seat at “the table.” Brent discusses the power of shifting your mindset, how a lack of confidence has created a cycle of self-sabotage, and ways we can collectively improve our current standing.
 
Sponsor Links: 
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at axonius.com/simone
 
Guest Bio:
Brent is an Executive CISO whose mission is to enable Afni and its global workforce to support their customers securely and confidently. Prior to being a CISO, for over 20 years, he was a security practitioner with a security vendor specializing in threat detection, incident response, and security strategy. His efforts helped hundreds of organizations detect, respond to, and mitigate attacks.
 
Additional Links:
Stay in touch with Brent Deterding on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1948</itunes:duration>
                <itunes:episode>70</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>All About SBOMs w/ Chris Castaldo</title>
        <itunes:title>All About SBOMs w/ Chris Castaldo</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/all-about-sboms-w-chris-castaldo/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/all-about-sboms-w-chris-castaldo/#comments</comments>        <pubDate>Wed, 11 May 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/3ac2d715-9f22-3a45-a52c-9a685ea72056</guid>
                                    <description><![CDATA[<p>“Knowing what’s in your software, in your organization, can help you quickly determine if you are impacted by a new vulnerability.” - Chris Castaldo </p>
<p>In this episode, Allan is joined by author and CISO, Chris Castaldo, to share his knowledge on Software Bills of Materials (SBOMs) and their potential implications and use. Chris explains the concept and purpose of SBOMs, his tips for signing and securing SBOMs in terms of the CI/CD pipeline, and his thoughts on SBOMs being a roadmap for “bad guys.” Lastly, he shares advice on managing and understanding contracts. </p>
<p>Listen to Chris Castaldo’s previous Cyber Ranch episode <a href='https://hackervalley.com/cyberranch/business-oriented-security-w-chris-castaldo/'>here</a> and be sure to grab a copy of his <a href='https://www.amazon.com/Start-Up-Secure-Cybersecurity-Company-Founding/dp/1119700736'>book</a>!</p>
<p> </p>
<p>Guest Bio:</p>
<p>Chris Castaldo is the author of “Start-up Secure: Baking Cybersecurity into your Company from Founding to Exit”. He is an experienced and industry recognized CISO with over 20 years of experience in cybersecurity. Chris is an expert in building cybersecurity programs from the ground up and specializes in applying cybersecurity in start-ups from seed to exit. He is also a Visiting Fellow at the National Security Institute (NSI) at George Mason University's Antonin Scalia Law School.</p>
<p> </p>
<p>Links:</p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
<p>Stay in touch with Chris Castaldo on <a href='https://www.linkedin.com/in/chriscastaldo/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p><em>“Knowing what’s in your software, in your organization, can help you quickly determine if you are impacted by a new vulnerability.” - Chris Castaldo </em></p>
<p>In this episode, Allan is joined by author and CISO, Chris Castaldo, to share his knowledge on Software Bills of Materials (SBOMs) and their potential implications and use. Chris explains the concept and purpose of SBOMs, his tips for signing and securing SBOMs in terms of the CI/CD pipeline, and his thoughts on SBOMs being a roadmap for “bad guys.” Lastly, he shares advice on managing and understanding contracts. </p>
<p>Listen to Chris Castaldo’s previous Cyber Ranch episode <a href='https://hackervalley.com/cyberranch/business-oriented-security-w-chris-castaldo/'>here</a> and be sure to grab a copy of his <a href='https://www.amazon.com/Start-Up-Secure-Cybersecurity-Company-Founding/dp/1119700736'>book</a>!</p>
<p> </p>
<p>Guest Bio:</p>
<p>Chris Castaldo is the author of “Start-up Secure: Baking Cybersecurity into your Company from Founding to Exit”. He is an experienced and industry recognized CISO with over 20 years of experience in cybersecurity. Chris is an expert in building cybersecurity programs from the ground up and specializes in applying cybersecurity in start-ups from seed to exit. He is also a Visiting Fellow at the National Security Institute (NSI) at George Mason University's Antonin Scalia Law School.</p>
<p> </p>
<p>Links:</p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
<p>Stay in touch with Chris Castaldo on <a href='https://www.linkedin.com/in/chriscastaldo/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/nwctpg/Chris_Casaldo.mp3" length="61564928" type="audio/mpeg"/>
        <itunes:summary><![CDATA[“Knowing what’s in your software, in your organization, can help you quickly determine if you are impacted by a new vulnerability.” - Chris Castaldo 
In this episode, Allan is joined by author and CISO, Chris Castaldo, to share his knowledge on Software Bills of Materials (SBOMs) and their potential implications and use. Chris explains the concept and purpose of SBOMs, his tips for signing and securing SBOMs in terms of the CI/CD pipeline, and his thoughts on SBOMs being a roadmap for “bad guys.” Lastly, he shares advice on managing and understanding contracts. 
Listen to Chris Castaldo’s previous Cyber Ranch episode here and be sure to grab a copy of his book!
 
Guest Bio:
Chris Castaldo is the author of “Start-up Secure: Baking Cybersecurity into your Company from Founding to Exit”. He is an experienced and industry recognized CISO with over 20 years of experience in cybersecurity. Chris is an expert in building cybersecurity programs from the ground up and specializes in applying cybersecurity in start-ups from seed to exit. He is also a Visiting Fellow at the National Security Institute (NSI) at George Mason University's Antonin Scalia Law School.
 
Links:
Sponsored by our good friends at Axonius
Stay in touch with Chris Castaldo on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1539</itunes:duration>
                <itunes:episode>69</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Total Greenfield Innovation w/ Guillaume Ross</title>
        <itunes:title>Total Greenfield Innovation w/ Guillaume Ross</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/total-greenfield-innovation-w-guillaume-ross/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/total-greenfield-innovation-w-guillaume-ross/#comments</comments>        <pubDate>Wed, 04 May 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/4f45ab9d-ffe2-3903-917e-66e842d301f5</guid>
                                    <description><![CDATA[<p>What would you do if you could build your security program from scratch? </p>
<p>In this episode, Allan is joined by the Head of Security at Fleet, Guillaume Ross, to talk about his time building out an innovative and out-of-the-box security program and the steps he took to make it all happen. Guillaume walks us through how he developed and maintained a serverless, container-based environment, his tips for securing PCs and Macs within a serverless environment, and how to establish department and business buy-in and overall cooperation. Lastly, he details steps to ensure resilience in an ‘everything as code’ security model.</p>
<p>Some of what he builds might seem obvious – other parts will genuinely surprise you! </p>
<p> </p>
<p>Guest Bio:</p>
<p>Guillaume Ross is the Head of Security at Fleet Device Management. He likes securing organizations, clouds, products and more, by refusing to implement the same things that have been tried and failed thousands of times already.</p>
<p> </p>
<p>Links:</p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
<p>Stay in touch with Guillaume Ross on <a href='https://www.linkedin.com/in/guillaumeross/'>LinkedIn</a> and <a href='https://twitter.com/gepeto42'>Twitter</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>What would you do if you could build your security program from scratch? </p>
<p>In this episode, Allan is joined by the Head of Security at Fleet, Guillaume Ross, to talk about his time building out an innovative and out-of-the-box security program and the steps he took to make it all happen. Guillaume walks us through how he developed and maintained a serverless, container-based environment, his tips for securing PCs and Macs within a serverless environment, and how to establish department and business buy-in and overall cooperation. Lastly, he details steps to ensure resilience in an ‘everything as code’ security model.</p>
<p>Some of what he builds might seem obvious – other parts will genuinely surprise you! </p>
<p> </p>
<p>Guest Bio:</p>
<p>Guillaume Ross is the Head of Security at Fleet Device Management. He likes securing organizations, clouds, products and more, by refusing to implement the same things that have been tried and failed thousands of times already.</p>
<p> </p>
<p>Links:</p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
<p>Stay in touch with Guillaume Ross on <a href='https://www.linkedin.com/in/guillaumeross/'>LinkedIn</a> and <a href='https://twitter.com/gepeto42'>Twitter</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a></p>
<p>Listen to more from the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/6d9yw8/Guillaume_1_9vxno.mp3" length="81340928" type="audio/mpeg"/>
        <itunes:summary><![CDATA[What would you do if you could build your security program from scratch? 
In this episode, Allan is joined by the Head of Security at Fleet, Guillaume Ross, to talk about his time building out an innovative and out-of-the-box security program and the steps he took to make it all happen. Guillaume walks us through how he developed and maintained a serverless, container-based environment, his tips for securing PCs and Macs within a serverless environment, and how to establish department and business buy-in and overall cooperation. Lastly, he details steps to ensure resilience in an ‘everything as code’ security model.
Some of what he builds might seem obvious – other parts will genuinely surprise you! 
 
Guest Bio:
Guillaume Ross is the Head of Security at Fleet Device Management. He likes securing organizations, clouds, products and more, by refusing to implement the same things that have been tried and failed thousands of times already.
 
Links:
Sponsored by our good friends at Axonius
Stay in touch with Guillaume Ross on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store 
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2033</itunes:duration>
                <itunes:episode>68</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Securing Cryptocurrency and NFTs w/ Nick Percoco</title>
        <itunes:title>Securing Cryptocurrency and NFTs w/ Nick Percoco</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/securing-cryptocurrency-and-nfts-w-nick-percoco/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/securing-cryptocurrency-and-nfts-w-nick-percoco/#comments</comments>        <pubDate>Wed, 27 Apr 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/fcf339ab-9b26-3065-98a3-b78d7e56f30c</guid>
                                    <description><![CDATA[<p>What are the security implications of cryptocurrency and NFTs and what do we need to know in order to transact safely? In this episode, Allan is joined by the Chief Security Officer at Kraken, Nick Percoco, to talk about securing the cryptocurrency and NFT spaces. Allan and Nick reflect on the events of the Mt. Gox bitcoin breach of 2013, address some of the most common misconceptions about crypto assets, and explore the biggest security challenges users and retail investors face when navigating the space. Lastly, Nick considers what cybersecurity lessons can be drawn from the security practices within the cryptocurrency ecosystem.</p>
<p> </p>
<p>Guest Bio:</p>
<p>Nicholas Percoco has more than 25 years of security & technology experience, and is the Chief Security Officer at Kraken - a global digital asset exchange - where he is responsible for Security, IT, Technical Project Management, Operational Resiliency and Engineering.</p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with Nick Percoco on <a href='https://www.linkedin.com/in/c7five/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>What are the security implications of cryptocurrency and NFTs and what do we need to know in order to transact safely? In this episode, Allan is joined by the Chief Security Officer at Kraken, Nick Percoco, to talk about securing the cryptocurrency and NFT spaces. Allan and Nick reflect on the events of the Mt. Gox bitcoin breach of 2013, address some of the most common misconceptions about crypto assets, and explore the biggest security challenges users and retail investors face when navigating the space. Lastly, Nick considers what cybersecurity lessons can be drawn from the security practices within the cryptocurrency ecosystem.</p>
<p> </p>
<p>Guest Bio:</p>
<p>Nicholas Percoco has more than 25 years of security & technology experience, and is the Chief Security Officer at Kraken - a global digital asset exchange - where he is responsible for Security, IT, Technical Project Management, Operational Resiliency and Engineering.</p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with Nick Percoco on <a href='https://www.linkedin.com/in/c7five/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/vvtbc3/Nick_Percocoa6wxd.mp3" length="69211328" type="audio/mpeg"/>
        <itunes:summary><![CDATA[What are the security implications of cryptocurrency and NFTs and what do we need to know in order to transact safely? In this episode, Allan is joined by the Chief Security Officer at Kraken, Nick Percoco, to talk about securing the cryptocurrency and NFT spaces. Allan and Nick reflect on the events of the Mt. Gox bitcoin breach of 2013, address some of the most common misconceptions about crypto assets, and explore the biggest security challenges users and retail investors face when navigating the space. Lastly, Nick considers what cybersecurity lessons can be drawn from the security practices within the cryptocurrency ecosystem.
 
Guest Bio:
Nicholas Percoco has more than 25 years of security & technology experience, and is the Chief Security Officer at Kraken - a global digital asset exchange - where he is responsible for Security, IT, Technical Project Management, Operational Resiliency and Engineering.
 
Links:
Stay in touch with Nick Percoco on LinkedIn 
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1730</itunes:duration>
                <itunes:episode>67</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>”Playing Well With Others” - The Tech Stack w/ Tommy Todd</title>
        <itunes:title>”Playing Well With Others” - The Tech Stack w/ Tommy Todd</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/playing-well-with-others-w-tommy-todd/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/playing-well-with-others-w-tommy-todd/#comments</comments>        <pubDate>Wed, 20 Apr 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/1af359b3-b2d7-34ca-a0b4-a5c097838f74</guid>
                                    <description><![CDATA[<p>Allan is joined by the Vice President of Security at Code42, Tommy Todd, to talk about how the tech stack can “play well with others”. In this episode, Tommy takes a deep dive into exploring how APIs and automation can help solve our needs in cybersecurity – from incident response to the tech stack. The two discuss how to evaluate security products during a Proof Of Concept (POC) for integration capabilities and tips on addressing ROI concerns.</p>
<p> </p>
<p>Guest Bio:</p>
<p>Tommy Todd has over 20 years of cybersecurity experience, primarily focused on data privacy and data protection strategies. Prior to Code42, he served in security roles at Symantec, Ionic Security, and Optiv as well as many other firms. Throughout his career, he has acted as a leader, mentor, engineer, architect, and consultant to solve difficult data protection challenges. </p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with Tommy Todd on <a href='https://www.linkedin.com/in/tommy-todd/'>LinkedIn </a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan is joined by the Vice President of Security at Code42, Tommy Todd, to talk about how the tech stack can “play well with others”. In this episode, Tommy takes a deep dive into exploring how APIs and automation can help solve our needs in cybersecurity – from incident response to the tech stack. The two discuss how to evaluate security products during a Proof Of Concept (POC) for integration capabilities and tips on addressing ROI concerns.</p>
<p> </p>
<p>Guest Bio:</p>
<p>Tommy Todd has over 20 years of cybersecurity experience, primarily focused on data privacy and data protection strategies. Prior to Code42, he served in security roles at Symantec, Ionic Security, and Optiv as well as many other firms. Throughout his career, he has acted as a leader, mentor, engineer, architect, and consultant to solve difficult data protection challenges. </p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with Tommy Todd on <a href='https://www.linkedin.com/in/tommy-todd/'>LinkedIn </a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/2557hs/Tommy_Todd.mp3" length="79658048" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan is joined by the Vice President of Security at Code42, Tommy Todd, to talk about how the tech stack can “play well with others”. In this episode, Tommy takes a deep dive into exploring how APIs and automation can help solve our needs in cybersecurity – from incident response to the tech stack. The two discuss how to evaluate security products during a Proof Of Concept (POC) for integration capabilities and tips on addressing ROI concerns.
 
Guest Bio:
Tommy Todd has over 20 years of cybersecurity experience, primarily focused on data privacy and data protection strategies. Prior to Code42, he served in security roles at Symantec, Ionic Security, and Optiv as well as many other firms. Throughout his career, he has acted as a leader, mentor, engineer, architect, and consultant to solve difficult data protection challenges. 
 
Links:
Stay in touch with Tommy Todd on LinkedIn 
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1991</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>66</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Thriving In A Male Dominated Industry w/ Ashley Rose</title>
        <itunes:title>Thriving In A Male Dominated Industry w/ Ashley Rose</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/thriving-in-a-male-dominated-industry-w-ashley-rose/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/thriving-in-a-male-dominated-industry-w-ashley-rose/#comments</comments>        <pubDate>Wed, 13 Apr 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/50021aa0-04b9-338f-b001-2fd1190c7453</guid>
                                    <description><![CDATA[<p>Allan is joined by the founder and CEO of Living Security, Ashley Rose, to speak about her experiences as a female entrepreneur and leader in a male-dominated industry. She details the story behind her non-traditional route into cybersecurity and how she leverages her unique skills and vision to disrupt and transform the community. Ashley shares how she overcomes bias and business challenges in the field as well as the inspiration behind her creative marketing strategies. Lastly, the two highlight the lack of diversity and representation in the space and give advice to young entrepreneurs and females in, and breaking into, cybersecurity. </p>
<p> </p>
<p>Guest Bio:</p>
<p>As the CEO of Living Security, Ashley has been the driving force behind the company’s rapid growth. Since its founding in 2017, Living Security has raised more than $20 million for growth and product development and accelerated revenue growth for three consecutive years. Ashley is also continually working to build a diverse and inclusive organization around the belief that the team should reflect the community at large.</p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with Ashley Rose on <a href='https://www.linkedin.com/in/ashley-m-rose/'>LinkedIn </a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan is joined by the founder and CEO of Living Security, Ashley Rose, to speak about her experiences as a female entrepreneur and leader in a male-dominated industry. She details the story behind her non-traditional route into cybersecurity and how she leverages her unique skills and vision to disrupt and transform the community. Ashley shares how she overcomes bias and business challenges in the field as well as the inspiration behind her creative marketing strategies. Lastly, the two highlight the lack of diversity and representation in the space and give advice to young entrepreneurs and females in, and breaking into, cybersecurity. </p>
<p> </p>
<p>Guest Bio:</p>
<p>As the CEO of Living Security, Ashley has been the driving force behind the company’s rapid growth. Since its founding in 2017, Living Security has raised more than $20 million for growth and product development and accelerated revenue growth for three consecutive years. Ashley is also continually working to build a diverse and inclusive organization around the belief that the team should reflect the community at large.</p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with Ashley Rose on <a href='https://www.linkedin.com/in/ashley-m-rose/'>LinkedIn </a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/2d6x6q/Ashley_Rose.mp3" length="64765568" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan is joined by the founder and CEO of Living Security, Ashley Rose, to speak about her experiences as a female entrepreneur and leader in a male-dominated industry. She details the story behind her non-traditional route into cybersecurity and how she leverages her unique skills and vision to disrupt and transform the community. Ashley shares how she overcomes bias and business challenges in the field as well as the inspiration behind her creative marketing strategies. Lastly, the two highlight the lack of diversity and representation in the space and give advice to young entrepreneurs and females in, and breaking into, cybersecurity. 
 
Guest Bio:
As the CEO of Living Security, Ashley has been the driving force behind the company’s rapid growth. Since its founding in 2017, Living Security has raised more than $20 million for growth and product development and accelerated revenue growth for three consecutive years. Ashley is also continually working to build a diverse and inclusive organization around the belief that the team should reflect the community at large.
 
Links:
Stay in touch with Ashley Rose on LinkedIn 
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1619</itunes:duration>
                <itunes:episode>65</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Why CISOs and CIOs Don’t Get Along w/ Nick Vigier</title>
        <itunes:title>Why CISOs and CIOs Don’t Get Along w/ Nick Vigier</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/why-cisos-and-cios-don-t-get-along-w-nick-vigier/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/why-cisos-and-cios-don-t-get-along-w-nick-vigier/#comments</comments>        <pubDate>Wed, 06 Apr 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/199e62d4-67d2-39ad-98fd-84d45051a988</guid>
                                    <description><![CDATA[<p>This episode of the Cyber Ranch Podcast was recorded LIVE on stage at the CISO 360 Conference in New York City, hosted by Pulse Conferences. Nick Vigier, a seasoned CISO and former CIO, joins Allan in addressing the elephant in the room: Why don’t CISOs and CIOs get along?</p>
<p>Nick draws on his experience in both positions to share his unique perspective on the CISO and CIO relationship. In this episode, Allan and Nick highlight the operating differences between the two positions and explore the opposing interests that exist around topics such as budgets and reporting structure. Lastly, Nick shares why engaging in empathetic conversations around metrics, business impact, and risk management is the ultimate key to a more harmonious relationship.</p>
<p> </p>
<p>Guest Bio:</p>
<p>Nick is a technology and security leader focused on innovation to drive business results. In his 18 years of security leadership, he has focused on building high performance teams to ensure security is a business driver rather than a cost center. His focus on all areas of security ranging from physical security to risk management through to application security, infrastructure security, and operations gives him a unique perspective on how security can positively impact an organization. </p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with Nick Vigier on <a href='https://www.linkedin.com/in/nickvigier/'>LinkedIn </a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This episode of the Cyber Ranch Podcast was recorded LIVE on stage at the CISO 360 Conference in New York City, hosted by Pulse Conferences. Nick Vigier, a seasoned CISO and former CIO, joins Allan in addressing the elephant in the room: Why don’t CISOs and CIOs get along?</p>
<p>Nick draws on his experience in both positions to share his unique perspective on the CISO and CIO relationship. In this episode, Allan and Nick highlight the operating differences between the two positions and explore the opposing interests that exist around topics such as budgets and reporting structure. Lastly, Nick shares why engaging in empathetic conversations around metrics, business impact, and risk management is the ultimate key to a more harmonious relationship.</p>
<p> </p>
<p>Guest Bio:</p>
<p>Nick is a technology and security leader focused on innovation to drive business results. In his 18 years of security leadership, he has focused on building high performance teams to ensure security is a business driver rather than a cost center. His focus on all areas of security ranging from physical security to risk management through to application security, infrastructure security, and operations gives him a unique perspective on how security can positively impact an organization. </p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with Nick Vigier on <a href='https://www.linkedin.com/in/nickvigier/'>LinkedIn </a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/gbe2k9/4_5_Live_Show.mp3" length="65951168" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This episode of the Cyber Ranch Podcast was recorded LIVE on stage at the CISO 360 Conference in New York City, hosted by Pulse Conferences. Nick Vigier, a seasoned CISO and former CIO, joins Allan in addressing the elephant in the room: Why don’t CISOs and CIOs get along?
Nick draws on his experience in both positions to share his unique perspective on the CISO and CIO relationship. In this episode, Allan and Nick highlight the operating differences between the two positions and explore the opposing interests that exist around topics such as budgets and reporting structure. Lastly, Nick shares why engaging in empathetic conversations around metrics, business impact, and risk management is the ultimate key to a more harmonious relationship.
 
Guest Bio:
Nick is a technology and security leader focused on innovation to drive business results. In his 18 years of security leadership, he has focused on building high performance teams to ensure security is a business driver rather than a cost center. His focus on all areas of security ranging from physical security to risk management through to application security, infrastructure security, and operations gives him a unique perspective on how security can positively impact an organization. 
 
Links:
Stay in touch with Nick Vigier on LinkedIn 
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1648</itunes:duration>
                <itunes:episode>64</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Learned Helplessness in Cybersecurity w/ Steve Mancini</title>
        <itunes:title>Learned Helplessness in Cybersecurity w/ Steve Mancini</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/learned-helplessness-in-cybersecurity-w-steve-mancini/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/learned-helplessness-in-cybersecurity-w-steve-mancini/#comments</comments>        <pubDate>Wed, 30 Mar 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/b9492a0d-7372-3e57-a352-333e8b979f70</guid>
                                    <description><![CDATA[<p>This topic couldn’t be more relevant given recent events in the security community. Allan Alford is joined by Steve Mancini, CISO at Eclypsium, to have a refreshing conversation about the negative messaging, thinking, and tropes in cybersecurity - not just the stuff that the press says about us, or even the stuff we say about each other - but the self-defeating stuff we think and say to ourselves.</p>
<p>Steve addresses the reinforcement of negative catchphrases and how it affects the psyche of the community and explores how burnout is creating a culture of sleepless nights and masochistic badges of honor. Lastly, they emphasize the importance of empathy and support within the community and remind us that humans are our greatest asset, not our weakest links.

</p>
<p>Guest Bio:</p>
<p>Steve Mancini is the CISO at Eclypsium, former Deputy CISO at Cylance, and an advisory board member for several cyber companies.

</p>
<p>Links:</p>
<p>Stay in touch with Steve Mancini on <a href='https://www.linkedin.com/in/sharkey/'>LinkedIn </a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This topic couldn’t be more relevant given recent events in the security community. Allan Alford is joined by Steve Mancini, CISO at Eclypsium, to have a refreshing conversation about the negative messaging, thinking, and tropes in cybersecurity - not just the stuff that the press says about us, or even the stuff we say about each other - but the self-defeating stuff we think and say to ourselves.</p>
<p>Steve addresses the reinforcement of negative catchphrases and how it affects the psyche of the community and explores how burnout is creating a culture of sleepless nights and masochistic badges of honor. Lastly, they emphasize the importance of empathy and support within the community and remind us that humans are our greatest asset, not our weakest links.<br>
<br>
</p>
<p>Guest Bio:</p>
<p>Steve Mancini is the CISO at Eclypsium, former Deputy CISO at Cylance, and an advisory board member for several cyber companies.<br>
<br>
</p>
<p>Links:</p>
<p>Stay in touch with Steve Mancini on <a href='https://www.linkedin.com/in/sharkey/'>LinkedIn </a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/jf8q5d/Steve_Mancini.mp3" length="92633408" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This topic couldn’t be more relevant given recent events in the security community. Allan Alford is joined by Steve Mancini, CISO at Eclypsium, to have a refreshing conversation about the negative messaging, thinking, and tropes in cybersecurity - not just the stuff that the press says about us, or even the stuff we say about each other - but the self-defeating stuff we think and say to ourselves.
Steve addresses the reinforcement of negative catchphrases and how it affects the psyche of the community and explores how burnout is creating a culture of sleepless nights and masochistic badges of honor. Lastly, they emphasize the importance of empathy and support within the community and remind us that humans are our greatest asset, not our weakest links.
Guest Bio:
Steve Mancini is the CISO at Eclypsium, former Deputy CISO at Cylance, and an advisory board member for several cyber companies.
Links:
Stay in touch with Steve Mancini on LinkedIn 
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2315</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>63</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Leveraging Employee Strengths for Cyber Roles w/ Nick Vigier</title>
        <itunes:title>Leveraging Employee Strengths for Cyber Roles w/ Nick Vigier</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/bringing-your-energy-w-nick-vigier/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/bringing-your-energy-w-nick-vigier/#comments</comments>        <pubDate>Wed, 23 Mar 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/f7e33ef7-366f-3659-8469-be065ab3145d</guid>
                                    <description><![CDATA[<p>There are numerous personality tests available to help identify personality traits, but many of them have very little scientific validity or reliability. Such tests often aspire to explain what you are good at and what you are bad at, and miss the mark. In this episode, Allan is joined by his friend and owner of Rising Tide Security, Nick Vigier, to explore CliftonStrengths – a personality measurement that focuses less on ability, and more upon your predilections - what energizes you, and what drains you - and with a pretty good degree of scientific validity and reliability. Nick and Allan explore what makes CliftonStrengths different from the other personality assessments and how Nick leverages that information to better understand his team and colleagues, and to help folks find the right role in cybersecurity. The two sit down to dissect Allan’s own assessment results to identify his top 5 energizers, as well as his top energy drainers. And lastly, Nick shares why he favors the idea of personality development plans vs. professional development plans in the workplace. </p>
<p> </p>
<p>Guest Bio:</p>
<p>Nick Vigier is the Owner of Rising Tide Security and former CISO at ID.me, DigitalOcean, and former CIO at Gemini. Nick is a technology and security leader focused on innovation to drive business results. In his 18 years of security leadership, he has focused on building high performance teams to ensure security is a business driver rather than a cost center. His focus on all areas of security ranging from physical security to risk management through to application security, infrastructure security, and operations gives him a unique perspective on how security can positively impact an organization. </p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with Nick Vigier on <a href='https://www.linkedin.com/in/paolasaibene/'>LinkedIn </a>and <a href='https://twitter.com/CISO_Nick'>Twitter</a>. Take the CliftonStrengths assessment <a href='https://www.gallup.com/cliftonstrengths/en/home.aspx?utm_source=google&utm_medium=cpc&utm_campaign=us_strengths_branded_cs_ecom&utm_term=cliftonstrengths&gclid=Cj0KCQjw5-WRBhCKARIsAAId9FnZDII_9TDf3ZyERu5TSrFQzXn5ceXDJrmFn4oqIDlEdEcn78mKkWkaAt2gEALw_wcB'>here</a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>There are numerous personality tests available to help identify personality traits, but many of them have very little scientific validity or reliability. Such tests often aspire to explain what you are good at and what you are bad at, and miss the mark. In this episode, Allan is joined by his friend and owner of Rising Tide Security, Nick Vigier, to explore CliftonStrengths – a personality measurement that focuses less on ability, and more upon your predilections - what energizes you, and what drains you - and with a pretty good degree of scientific validity and reliability. Nick and Allan explore what makes CliftonStrengths different from the other personality assessments and how Nick leverages that information to better understand his team and colleagues, and to help folks find the right role in cybersecurity. The two sit down to dissect Allan’s own assessment results to identify his top 5 energizers, as well as his top energy drainers. And lastly, Nick shares why he favors the idea of personality development plans vs. professional development plans in the workplace. </p>
<p> </p>
<p>Guest Bio:</p>
<p>Nick Vigier is the Owner of Rising Tide Security and former CISO at ID.me, DigitalOcean, and former CIO at Gemini. Nick is a technology and security leader focused on innovation to drive business results. In his 18 years of security leadership, he has focused on building high performance teams to ensure security is a business driver rather than a cost center. His focus on all areas of security ranging from physical security to risk management through to application security, infrastructure security, and operations gives him a unique perspective on how security can positively impact an organization. </p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with Nick Vigier on <a href='https://www.linkedin.com/in/paolasaibene/'>LinkedIn </a>and <a href='https://twitter.com/CISO_Nick'>Twitter</a>. Take the CliftonStrengths assessment <a href='https://www.gallup.com/cliftonstrengths/en/home.aspx?utm_source=google&utm_medium=cpc&utm_campaign=us_strengths_branded_cs_ecom&utm_term=cliftonstrengths&gclid=Cj0KCQjw5-WRBhCKARIsAAId9FnZDII_9TDf3ZyERu5TSrFQzXn5ceXDJrmFn4oqIDlEdEcn78mKkWkaAt2gEALw_wcB'>here</a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/udpb4t/Nick_Vigier_1_65fd9.mp3" length="102858368" type="audio/mpeg"/>
        <itunes:summary><![CDATA[There are numerous personality tests available to help identify personality traits, but many of them have very little scientific validity or reliability. Such tests often aspire to explain what you are good at and what you are bad at, and miss the mark. In this episode, Allan is joined by his friend and owner of Rising Tide Security, Nick Vigier, to explore CliftonStrengths – a personality measurement that focuses less on ability, and more upon your predilections - what energizes you, and what drains you - and with a pretty good degree of scientific validity and reliability. Nick and Allan explore what makes CliftonStrengths different from the other personality assessments and how Nick leverages that information to better understand his team and colleagues, and to help folks find the right role in cybersecurity. The two sit down to dissect Allan’s own assessment results to identify his top 5 energizers, as well as his top energy drainers. And lastly, Nick shares why he favors the idea of personality development plans vs. professional development plans in the workplace. 
 
Guest Bio:
Nick Vigier is the Owner of Rising Tide Security and former CISO at ID.me, DigitalOcean, and former CIO at Gemini. Nick is a technology and security leader focused on innovation to drive business results. In his 18 years of security leadership, he has focused on building high performance teams to ensure security is a business driver rather than a cost center. His focus on all areas of security ranging from physical security to risk management through to application security, infrastructure security, and operations gives him a unique perspective on how security can positively impact an organization. 
 
Links:
Stay in touch with Nick Vigier on LinkedIn and Twitter. Take the CliftonStrengths assessment here
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at  Axonius]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2571</itunes:duration>
                <itunes:episode>62</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>A Full Data Approach w/ Paola Saibene</title>
        <itunes:title>A Full Data Approach w/ Paola Saibene</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/everything-is-data-w-paola-saibine/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/everything-is-data-w-paola-saibine/#comments</comments>
        <pubDate>Wed, 16 Mar 2022 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/bd09f984-bbe6-3e0a-ac3d-678023a285bc</guid>
                                    <description><![CDATA[<p>In this episode, Allan is joined by the Principal at Teknion Data Solutions, Paola Saibene, to bring clarity to an often misunderstood topic: data governance. Paola helps to distinguish the difference between data governance and data management, examines the intersection between data ethics and cybersecurity, and explores the best methodology for applying risk frameworks. Lastly, she takes time to express the importance of being people-focused and “humanizing” cybersecurity.</p>
<p> </p>
<p>Guest Bio:</p>
<p>Paola Saibene is the Principal at Teknion Data Solutions, Former CISO, CEO, VP of Enterprise Risk Management, Data Privacy Officer, Strategy Officer, CTO, and CIO.</p>
<p>Links:</p>
<p>Stay in touch with Paola Saibene on <a href='https://www.linkedin.com/in/paolasaibene/'>LinkedIn </a> </p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode, Allan is joined by the Principal at Teknion Data Solutions, Paola Saibene, to bring clarity to an often misunderstood topic: data governance. Paola helps to distinguish the difference between data governance and data management, examines the intersection between data ethics and cybersecurity, and explores the best methodology for applying risk frameworks. Lastly, she takes time to express the importance of being people-focused and “humanizing” cybersecurity.</p>
<p> </p>
<p>Guest Bio:</p>
<p>Paola Saibene is the Principal at Teknion Data Solutions, Former CISO, CEO, VP of Enterprise Risk Management, Data Privacy Officer, Strategy Officer, CTO, and CIO.</p>
<p>Links:</p>
<p>Stay in touch with Paola Saibene on <a href='https://www.linkedin.com/in/paolasaibene/'>LinkedIn </a> </p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/95ek65/Paola_Saibine_1_79x53.mp3" length="72648128" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan is joined by the Principal at Teknion Data Solutions, Paola Saibene, to bring clarity to an often misunderstood topic: data governance. Paola helps to distinguish the difference between data governance and data management, examines the intersection between data ethics and cybersecurity, and explores the best methodology for applying risk frameworks. Lastly, she takes time to express the importance of being people-focused and “humanizing” cybersecurity.
 
Guest Bio:
Paola Saibene is the Principal at Teknion Data Solutions, Former CISO, CEO, VP of Enterprise Risk Management, Data Privacy Officer, Strategy Officer, CTO, and CIO.  
Links:
Stay in touch with Paola Saibene on LinkedIn  
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at  Axonius]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1816</itunes:duration>
                <itunes:episode>61</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Great Resignation &amp; Cybersecurity w/ Jessie Bolton</title>
        <itunes:title>The Great Resignation &amp; Cybersecurity w/ Jessie Bolton</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-great-resignation-cybersecurity-w-jessie-bolton/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-great-resignation-cybersecurity-w-jessie-bolton/#comments</comments>
        <pubDate>Wed, 09 Mar 2022 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/38e89125-5743-3dd8-ae3c-08233d477def</guid>
                                    <description><![CDATA[<p>With a looming skills/people gap in cybersecurity and retention at an all-time low, it begs the question: Where is everyone? In this episode, Allan Alford and guest Jessie Bolton sit down to discuss the elusive “Great Resignation” and how it is affecting the cybersecurity community. Tune in to get the answers to the questions we are all asking ourselves, like: why are people resigning, how has the pandemic shifted our perspectives on work and boundary setting, how is the “great resignation” impacting security organizations, and how can we attempt to solve this issue?</p>
<p> </p>
<p>Links:</p>
<p>Follow Jessie Bolton on <a href='https://www.linkedin.com/in/cyberworkforcepartner/'>LinkedIn</a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>With a looming skills/people gap in cybersecurity and retention at an all-time low, it begs the question: Where is everyone? In this episode, Allan Alford and guest Jessie Bolton sit down to discuss the elusive “Great Resignation” and how it is affecting the cybersecurity community. Tune in to get the answers to the questions we are all asking ourselves, like: why are people resigning, how has the pandemic shifted our perspectives on work and boundary setting, how is the “great resignation” impacting security organizations, and how can we attempt to solve this issue?</p>
<p> </p>
<p>Links:</p>
<p>Follow Jessie Bolton on <a href='https://www.linkedin.com/in/cyberworkforcepartner/'>LinkedIn</a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/9zte2h/Jessie_Bolton7u3tg.mp3" length="69047168" type="audio/mpeg"/>
        <itunes:summary><![CDATA[With a looming skills/people gap in cybersecurity and retention at an all-time low, it begs the question: Where is everyone? In this episode, Allan Alford and guest Jessie Bolton sit down to discuss the elusive “Great Resignation” and how it is affecting the cybersecurity community. Tune in to get the answers to the questions we are all asking ourselves, like: why are people resigning, how has the pandemic shifted our perspectives on work and boundary setting, how is the “great resignation” impacting security organizations, and how can we attempt to solve this issue?
 
Links:
Follow Jessie Bolton on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at  Axonius]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1726</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>60</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>How Old is Data Risk Management? w/ G. Mark Hardy</title>
        <itunes:title>How Old is Data Risk Management? w/ G. Mark Hardy</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/how-old-is-data-risk-management-w-g-mark-hardy/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/how-old-is-data-risk-management-w-g-mark-hardy/#comments</comments>
        <pubDate>Wed, 02 Mar 2022 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/5eb1d7b9-79c3-3d44-9918-47539ddfa204</guid>
                                    <description><![CDATA[<p>In this episode, Allan is joined by the President at National Security Corporation, Navy veteran, and host of the CISO Tradecraft podcast, G. Mark Hardy. This show takes a fascinating dive into the origins of data risk management, measurement, and quantification. G Mark explores the stories and advice given from some of the greatest leaders in this space – whose advice still rings true today. </p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:52  G Mark’s bio</p>
<p>06:43  FIPS-65 - the “grandaddy” of risk management</p>
<p>11:34  The ALE method, explained!</p>
<p>14:35  Oldies, but STILL goodies </p>
<p>18:12  A stroll down risk management memory lane</p>
<p>28:56  Revering “the greats”</p>
<p>37:22  What do you value and what’s your currency? </p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with G. Mark Hardy on <a href='https://www.linkedin.com/in/gmarkhardy/'>LinkedIn </a> </p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode, Allan is joined by the President at National Security Corporation, Navy veteran, and host of the CISO Tradecraft podcast, G. Mark Hardy. This show takes a fascinating dive into the origins of data risk management, measurement, and quantification. G Mark explores the stories and advice given from some of the greatest leaders in this space – whose advice still rings true today. </p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:52  G Mark’s bio</p>
<p>06:43  FIPS-65 - the “grandaddy” of risk management</p>
<p>11:34  The ALE method, explained!</p>
<p>14:35  Oldies, but STILL goodies </p>
<p>18:12  A stroll down risk management memory lane</p>
<p>28:56  Revering “the greats”</p>
<p>37:22  What do you value and what’s your currency? </p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with G. Mark Hardy on <a href='https://www.linkedin.com/in/gmarkhardy/'>LinkedIn </a> </p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/6sigf7/Mark_Hardyabjk2.mp3" length="97227008" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan is joined by the President at National Security Corporation, Navy veteran, and host of the CISO Tradecraft podcast, G. Mark Hardy. This show takes a fascinating dive into the origins of data risk management, measurement, and quantification. G Mark explores the stories and advice given from some of the greatest leaders in this space – whose advice still rings true today. 
 
Key Takeaways:
01:52  G Mark’s bio
06:43  FIPS-65 - the “grandaddy” of risk management
11:34  The ALE method, explained!
14:35  Oldies, but STILL goodies 
18:12  A stroll down risk management memory lane
28:56  Revering “the greats”
37:22  What do you value and what’s your currency? 
 
Links:
Stay in touch with G. Mark Hardy on LinkedIn  
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at  Axonius]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2430</itunes:duration>
                <itunes:episode>59</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>CISOs as Caretakers w/ Randy Potts</title>
        <itunes:title>CISOs as Caretakers w/ Randy Potts</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/cisos-as-caretakers-w-randy-potts/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/cisos-as-caretakers-w-randy-potts/#comments</comments>
        <pubDate>Wed, 23 Feb 2022 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/29eeeb09-a164-3246-9efb-d1b23eb3ef12</guid>
                                    <description><![CDATA[<p>In this episode of The Cyber Ranch Podcast, Allan is joined by the CISO at Real Time Resolutions, Randy Potts. The two sit down to have a refreshing and raw conversation about the caretaking, responsibility, and code of ethics for CISOs - or lack thereof, and how to get back in touch with our “why” and mission. </p>
<p> </p>
<p>Disclaimer: This episode briefly mentions pornography and gambling within an important and relevant context, and has therefore been categorized as explicit. </p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:43  Randy’s bio</p>
<p>03:08  Caring for “the people”</p>
<p>09:08  Stewards and custodians of data</p>
<p>14:10  Servant leadership</p>
<p>16:57  CISOs as caretakers</p>
<p>18:53  Doing the right thing</p>
<p>21:18  CISO code of conduct - or lack thereof</p>
<p>24:55  How do we fix this? </p>
<p>29:06  It’s nice to be nice</p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with Randy Potts on <a href='https://www.linkedin.com/in/randolphp/'>LinkedIn </a> </p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode of The Cyber Ranch Podcast, Allan is joined by the CISO at Real Time Resolutions, Randy Potts. The two sit down to have a refreshing and raw conversation about the caretaking, responsibility, and code of ethics for CISOs - or lack thereof, and how to get back in touch with our “why” and mission. </p>
<p> </p>
<p><em>Disclaimer: This episode briefly mentions pornography and gambling within an important and relevant context, and has therefore been categorized as explicit. </em></p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:43  Randy’s bio</p>
<p>03:08  Caring for “the people”</p>
<p>09:08  Stewards and custodians of data</p>
<p>14:10  Servant leadership</p>
<p>16:57  CISOs as caretakers</p>
<p>18:53  Doing the right thing</p>
<p>21:18  CISO code of conduct - or lack thereof</p>
<p>24:55  How do we fix this? </p>
<p>29:06  It’s nice to be nice</p>
<p> </p>
<p>Links:</p>
<p>Stay in touch with Randy Potts on <a href='https://www.linkedin.com/in/randolphp/'>LinkedIn </a> </p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/zzb46k/Randy_Potts_Revised9c2m4.mp3" length="31956096" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode of The Cyber Ranch Podcast, Allan is joined by the CISO at Real Time Resolutions, Randy Potts. The two sit down to have a refreshing and raw conversation about the caretaking, responsibility, and code of ethics for CISOs - or lack thereof, and how to get back in touch with our “why” and mission. 
 
Disclaimer: This episode briefly mentions pornography and gambling within an important and relevant context, and has therefore been categorized as explicit. 
 
Key Takeaways:
01:43  Randy’s bio
03:08  Caring for “the people”
09:08  Stewards and custodians of data
14:10  Servant leadership
16:57  CISOs as caretakers
18:53  Doing the right thing
21:18  CISO code of conduct - or lack thereof
24:55  How do we fix this? 
29:06  It’s nice to be nice
 
Links:
Stay in touch with Randy Potts on LinkedIn  
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>true</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1993</itunes:duration>
                <itunes:episode>58</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Cyber Mentoring w/ David Belanger</title>
        <itunes:title>Cyber Mentoring w/ David Belanger</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/cyber-mentoring-w-david-belanger/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/cyber-mentoring-w-david-belanger/#comments</comments>
        <pubDate>Wed, 16 Feb 2022 04:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/b93ea66b-8c4a-3397-9fb1-befbc6e250da</guid>
                                    <description><![CDATA[<p>In this episode, Allan is joined by David Belanger, CISO at Maxor National Pharmacy, to talk about the challenges of breaking into cybersecurity. David discusses the importance of establishing mentor/mentee relationships in the community, why building a personal brand and expanding your network is a must when finding work, and tips for newcomers looking to break into the field. Lastly, the two touch on the power of visualization and staying humble throughout your career journey.</p>
<p> </p>
<p>Key Takeaways: </p>
<p>01:27  Bio & CISO life</p>
<p>02:57  Let’s define Mentor/Mentee</p>
<p>04:21  What makes cybersecurity mentorship unique?</p>
<p>07:10  Developing a long & short-term strategy </p>
<p>13:16  Mentors are essential</p>
<p>18:05  Formal vs. organic mentorships</p>
<p>22:10  Get out of your comfort zone</p>
<p>25:55  Advice for newcomers</p>
<p>30:15  Visualizing your success</p>
<p>32:00  Staying humble</p>
<p> </p>
<p>Links: </p>
<p>Stay in touch with David Belanger on <a href='https://www.linkedin.com/in/dbelanger1/'>LinkedIn </a> </p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at<a href='https://www.axonius.com/'> Axonius</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode, Allan is joined by David Belanger, CISO at Maxor National Pharmacy, to talk about the challenges of breaking into cybersecurity. David discusses the importance of establishing mentor/mentee relationships in the community, why building a personal brand and expanding your network is a must when finding work, and tips for newcomers looking to break into the field. Lastly, the two touch on the power of visualization and staying humble throughout your career journey.</p>
<p> </p>
<p>Key Takeaways: </p>
<p>01:27  Bio & CISO life</p>
<p>02:57  Let’s define Mentor/Mentee</p>
<p>04:21  What makes cybersecurity mentorship unique?</p>
<p>07:10  Developing a long & short-term strategy </p>
<p>13:16  Mentors are essential</p>
<p>18:05  Formal vs. organic mentorships</p>
<p>22:10  Get out of your comfort zone</p>
<p>25:55  Advice for newcomers</p>
<p>30:15  Visualizing your success</p>
<p>32:00  Staying humble</p>
<p> </p>
<p>Links: </p>
<p>Stay in touch with David Belanger on <a href='https://www.linkedin.com/in/dbelanger1/'>LinkedIn </a> </p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at<a href='https://www.axonius.com/'> Axonius</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/8hkyi4/David_Belanger6e8my.mp3" length="83085248" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan is joined by David Belanger, CISO at Maxor National Pharmacy, to talk about the challenges of breaking into cybersecurity. David discusses the importance of establishing mentor/mentee relationships in the community, why building a personal brand and expanding your network is a must when finding work, and tips for newcomers looking to break into the field. Lastly, the two touch on the power of visualization and staying humble throughout your career journey.
 
Key Takeaways: 
01:27  Bio & CISO life
02:57  Let’s define Mentor/Mentee
04:21  What makes cybersecurity mentorship unique?
07:10  Developing a long & short-term strategy 
13:16  Mentors are essential
18:05  Formal vs. organic mentorships
22:10  Get out of your comfort zone
25:55  Advice for newcomers
30:15  Visualizing your success
32:00  Staying humble
 
Links: 
Stay in touch with David Belanger on LinkedIn  
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2077</itunes:duration>
                <itunes:episode>57</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Rationalizing the Tech Stack w/ Mark Butler</title>
        <itunes:title>Rationalizing the Tech Stack w/ Mark Butler</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/rationalizing-the-tech-stack-w-mark-butler/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/rationalizing-the-tech-stack-w-mark-butler/#comments</comments>
        <pubDate>Wed, 09 Feb 2022 04:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/b1f801c3-7c4b-364d-894b-145b078d9932</guid>
                                    <description><![CDATA[<p>In this episode, Allan invites Mark Butler, an Advisory CISO at TRACE3, to talk about tech stack rationalization and how to get the most out of your technology investment. Mark shares advice on everything from how to properly analyze, identify, and consolidate your tools, both in the stack and cloud environment, to coaching your application specialists on embracing change. </p>
<p> </p>
<p>Key Takeaways</p>
<p>01:10  Bio</p>
<p>02:36  What is tech stack rationalization?</p>
<p>03:46  Where to get started</p>
<p>06:20  Evaluation - a 3-prong approach</p>
<p>08:08  The security architecture alignment</p>
<p>10:51  What about contractual obligations?</p>
<p>13:18  The “best of breed” strategy </p>
<p>17:37  Rationalizing the cloud </p>
<p>21:00  Data analysis - tooling, extraction, metrics</p>
<p>25:24  The 3rd-party tool conundrum</p>
<p>27:50  The future of cloud rationalization </p>
<p>29:40  How to resolve tech overlap?</p>
<p>32:19  Embracing change</p>
<p>34:37  Mark’s advice on emotional intelligence</p>
<p> </p>
<p> </p>
<p>Stay in touch with Mark Butler on <a href='https://www.linkedin.com/in/markabutler/'>LinkedIn</a>  </p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode, Allan invites Mark Butler, an Advisory CISO at TRACE3, to talk about tech stack rationalization and how to get the most out of your technology investment. Mark shares advice on everything from how to properly analyze, identify, and consolidate your tools, both in the stack and cloud environment, to coaching your application specialists on embracing change. </p>
<p> </p>
<p>Key Takeaways</p>
<p>01:10  Bio</p>
<p>02:36  What is tech stack rationalization?</p>
<p>03:46  Where to get started</p>
<p>06:20  Evaluation - a 3-prong approach</p>
<p>08:08  The security architecture alignment</p>
<p>10:51  What about contractual obligations?</p>
<p>13:18  The “best of breed” strategy </p>
<p>17:37  Rationalizing the cloud </p>
<p>21:00  Data analysis - tooling, extraction, metrics</p>
<p>25:24  The 3rd-party tool conundrum</p>
<p>27:50  The future of cloud rationalization </p>
<p>29:40  How to resolve tech overlap?</p>
<p>32:19  Embracing change</p>
<p>34:37  Mark’s advice on emotional intelligence</p>
<p> </p>
<p> </p>
<p>Stay in touch with Mark Butler on <a href='https://www.linkedin.com/in/markabutler/'>LinkedIn</a>  </p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/wksjgt/Mark_Butler.mp3" length="89325248" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan invites Mark Butler, an Advisory CISO at TRACE3, to talk about tech stack rationalization and how to get the most out of your technology investment. Mark shares advice on everything from how to properly analyze, identify, and consolidate your tools, both in the stack and cloud environment, to coaching your application specialists on embracing change. 
 
Key Takeaways
01:10  Bio
02:36  What is tech stack rationalization?
03:46  Where to get started
06:20  Evaluation - a 3-prong approach
08:08  The security architecture alignment
10:51  What about contractual obligations?
13:18  The “best of breed” strategy 
17:37  Rationalizing the cloud 
21:00  Data analysis - tooling, extraction, metrics
25:24  The 3rd party tool conundrum 
27:50  The future of cloud rationalization 
29:40  How to resolve tech overlap?
32:19  Embracing change
34:37  Mark’s advice on emotional intelligence
 
 
Stay in touch with Mark Butler on LinkedIn  
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2233</itunes:duration>
                <itunes:episode>56</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Penetration Testing Programs LIVE w/ Phillip Wylie</title>
        <itunes:title>Penetration Testing Programs LIVE w/ Phillip Wylie</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/penetration-testing-programs-w-phillip-wiley/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/penetration-testing-programs-w-phillip-wiley/#comments</comments>        <pubDate>Wed, 02 Feb 2022 04:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/a283875d-07bc-38e3-ba16-dfdc364f9b93</guid>
                                    <description><![CDATA[<p>In this episode, Allan is joined LIVE on stage at FutureCon Dallas 2022 by U.S. Bank Senior Cloud Penetration Tester, co-author of The Pen Tester Blueprint, podcast host, and college instructor, Phillip Wylie. Phillip journeys into his past to share how he went from pro wrestler to pentester, gives writing advice to future authors in the field, and explores the art of pentesting and the best starter certifications for pentesters. Lastly, Phillip shares the best advice he’s ever received and discusses the dangers of burnout. </p>
<p> </p>
<p>Key takeaways: </p>
<p>01:27  Phillip's origin story - wrestling men and bears</p>
<p>03:04  The Pwn School Project</p>
<p>04:47  The Hacker Factory Podcast</p>
<p>06:55  Always a way to cyber</p>
<p>10:18  An opportunity to write</p>
<p>14:08  The Art of Pentesting</p>
<p>17:19  Getting square on terminology</p>
<p>24:42  The limitless child</p>
<p>27:25  The skinny on certs</p>
<p>30:23  Mentors</p>
<p>35:06  Back in the pentesting lab</p>
<p>37:14  When does threat modeling factor?</p>
<p>43:50  Coloring in purple</p>
<p> </p>
<p>Follow Phillip Wylie on<a href='https://www.linkedin.com/in/phillipwylie/'> LinkedIn</a> and<a href='https://twitter.com/PhillipWylie'> Twitter</a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode, Allan is joined LIVE on stage at FutureCon Dallas 2022 by U.S. Bank Senior Cloud Penetration Tester, co-author of <em>The Pen Tester Blueprint</em>, podcast host, and college instructor, Phillip Wylie. Phillip journeys into his past to share how he went from pro wrestler to pentester, gives writing advice to future authors in the field, and explores the art of pentesting and the best starter certifications for pentesters. Lastly, Phillip shares the best advice he’s ever received and discusses the dangers of burnout. </p>
<p> </p>
<p>Key takeaways: </p>
<p>01:27  Phillip's origin story - wrestling men and bears</p>
<p>03:04  The Pwn School Project</p>
<p>04:47  The Hacker Factory Podcast</p>
<p>06:55  Always a way to cyber</p>
<p>10:18  An opportunity to write</p>
<p>14:08  The Art of Pentesting</p>
<p>17:19  Getting square on terminology</p>
<p>24:42  The limitless child</p>
<p>27:25  The skinny on certs</p>
<p>30:23  Mentors</p>
<p>35:06  Back in the pentesting lab</p>
<p>37:14  When does threat modeling factor?</p>
<p>43:50  Coloring in purple</p>
<p> </p>
<p>Follow Phillip Wylie on<a href='https://www.linkedin.com/in/phillipwylie/'> LinkedIn</a> and<a href='https://twitter.com/PhillipWylie'> Twitter</a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/cq9ess/Phillip_Wylieao2wq.mp3" length="112779008" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan is joined LIVE on stage at FutureCon Dallas 2022 by U.S. Bank Senior Cloud Penetration Tester, co-author of The Pen Tester Blueprint, podcast host, and college instructor, Phillip Wylie. Phillip journeys into his past to share how he went from pro wrestler to pentester, gives writing advice to future authors in the field, and explores the art of pentesting and the best starter certifications for pentesters. Lastly, Phillip shares the best advice he’s ever received and discusses the dangers of burnout. 
 
Key takeaways: 
01:27  Phillip's origin story - wrestling men and bears
03:04  The Pwn School Project
04:47  The Hacker Factory Podcast
06:55  Always a way to cyber
10:18  An opportunity to write
14:08  The Art of Pentesting
17:19  Getting square on terminology
24:42  The limitless child
27:25  The skinny on certs
30:23  Mentors
35:06  Back in the pentesting lab
37:14  When does threat modeling factor?
43:50  Coloring in purple
 
Follow Phillip Wylie on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2819</itunes:duration>
                <itunes:episode>55</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>What We’re Doing Wrong in the SOC w/ Yaron Levi</title>
        <itunes:title>What We’re Doing Wrong in the SOC w/ Yaron Levi</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/what-we-re-doing-wrong-in-the-soc-w-yaron-levi/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/what-we-re-doing-wrong-in-the-soc-w-yaron-levi/#comments</comments>        <pubDate>Tue, 25 Jan 2022 20:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/35b7fa74-5f1d-3210-9ff6-0b5bad2185bf</guid>
                                    <description><![CDATA[<p>Allan is joined by Yaron Levi, CISO at Dolby, to talk about the SOC and why we are going about it all wrong. Allan and Yaron identify and examine the three main areas of concern: the data, the analyst, the analysis – and how to improve upon them. Lastly, Yaron shares his thoughts on what steps and approaches need to be taken in order to successfully accomplish the SOC’s goal.  </p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:35  Bio</p>
<p>02:36  What are we doing wrong in the SOC?</p>
<p>06:54  Hypothesizing</p>
<p>11:22  How much gets left out when we make a hypothesis?</p>
<p>13:42  Anti-fragility & business outcomes</p>
<p>16:30  Business objective + threat model example</p>
<p>21:09  Lead with the why/ downstream applications</p>
<p>27:06  What outside influence has helped you inside cyber?</p>
<p> </p>
<p>Learn more about Yaron on <a href='https://twitter.com/0xL3v1'>Twitter</a> and <a href='https://www.linkedin.com/in/yaronrl/'>LinkedIn</a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at<a href='https://www.axonius.com/'> Axonius </a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan is joined by Yaron Levi, CISO at Dolby, to talk about the SOC and why we are going about it all wrong. Allan and Yaron identify and examine the three main areas of concern: the data, the analyst, the analysis – and how to improve upon them. Lastly, Yaron shares his thoughts on what steps and approaches need to be taken in order to successfully accomplish the SOC’s goal.  </p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:35  Bio</p>
<p>02:36  What are we doing wrong in the SOC?</p>
<p>06:54  Hypothesizing</p>
<p>11:22  How much gets left out when we make a hypothesis?</p>
<p>13:42  Anti-fragility & business outcomes</p>
<p>16:30  Business objective + threat model example</p>
<p>21:09  Lead with the why/ downstream applications</p>
<p>27:06  What outside influence has helped you inside cyber?</p>
<p> </p>
<p>Learn more about Yaron on <a href='https://twitter.com/0xL3v1'>Twitter</a> and <a href='https://www.linkedin.com/in/yaronrl/'>LinkedIn</a></p>
<p>Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a></p>
<p>Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at<a href='https://www.axonius.com/'> Axonius </a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/dy56us/Yaron_Levi.mp3" length="71446208" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan is joined by Yaron Levi, CISO at Dolby, to talk about the SOC and why we are going about it all wrong. Allan and Yaron identify and examine the three main areas of concern: the data, the analyst, the analysis – and how to improve upon them. Lastly, Yaron shares his thoughts on what steps and approaches need to be taken in order to successfully accomplish the SOC’s goal.  
 
Key Takeaways:
01:35  Bio
02:36  What are we doing wrong in the SOC?
06:54  Hypothesizing
11:22  How much gets left out when we make a hypothesis?
13:42  Anti-fragility & business outcomes
16:30  Business objective + threat model example
21:09  Lead with the why/ downstream applications
27:06  What outside influence has helped you inside cyber?
 
Learn more about Yaron on Twitter and LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1786</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>54</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Cybersecurity Centers of Excellence w/ Rafal Los</title>
        <itunes:title>Cybersecurity Centers of Excellence w/ Rafal Los</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/cybersecurity-centers-of-excellence-w-rafal-los/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/cybersecurity-centers-of-excellence-w-rafal-los/#comments</comments>        <pubDate>Wed, 19 Jan 2022 04:37:14 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/e44bce5f-2d2b-3df2-bfa9-7f2066fdf57f</guid>
                                    <description><![CDATA[<p>Allan is joined by Rafal Los, industry innovator, strategist, and personality. His career spans 20+ years while working inside companies from the Fortune 10 to a firm of less than 10. Additionally, Rafal is a founder and host of the Down the Security Rabbithole Podcast - an industry podcast delivering a weekly take on cybersecurity since 2011. Join Allan and Rafal as they discuss cyber security centers of excellence, metrics, marketing and acceptance in this conversation between two friends.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:56 Bio</p>
<p>04:27 Goals for Cybersecurity Center of Excellence (CoE)</p>
<p>06:44 How do you birth a Cybersecurity CoE?</p>
<p>09:45 Selling your service</p>
<p>15:18 Cost - who pays in the end and how?</p>
<p>17:10 Getting management on board</p>
<p>24:22 It’s not all about cost – but it is.</p>
<p>26:37 Metrics</p>
<p>31:05 Quality metrics</p>
<p>34:33 Your mess for less</p>
<p>38:02 What is something outside cyber that helps on the inside?</p>
<p> </p>
<p>Links:</p>
<p>Follow <a href='https://allanalford.com/'>Allan</a> on <a href='https://www.linkedin.com/in/allanalford/'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Follow Rafal Los on <a href='https://www.linkedin.com/in/rmlos/'>LinkedIn</a> and <a href='https://twitter.com/Wh1t3Rabbit?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor'>Twitter</a></p>
<p>Check out his <a href='http://podcast.wh1t3rabbit.net/'>podcast</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan is joined by Rafal Los, industry innovator, strategist, and personality. His career spans 20+ years while working inside companies from the Fortune 10 to a firm of less than 10. Additionally, Rafal is a founder and host of the Down the Security Rabbithole Podcast - an industry podcast delivering a weekly take on cybersecurity since 2011. Join Allan and Rafal as they discuss cyber security centers of excellence, metrics, marketing and acceptance in this conversation between two friends.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:56 Bio</p>
<p>04:27 Goals for Cybersecurity Center of Excellence (CoE)</p>
<p>06:44 How do you birth a Cybersecurity CoE?</p>
<p>09:45 Selling your service</p>
<p>15:18 Cost - who pays in the end and how?</p>
<p>17:10 Getting management on board</p>
<p>24:22 It’s not all about cost – but it is.</p>
<p>26:37 Metrics</p>
<p>31:05 Quality metrics</p>
<p>34:33 Your mess for less</p>
<p>38:02 What is something outside cyber that helps on the inside?</p>
<p> </p>
<p>Links:</p>
<p>Follow <a href='https://allanalford.com/'>Allan</a> on <a href='https://www.linkedin.com/in/allanalford/'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Follow Rafal Los on <a href='https://www.linkedin.com/in/rmlos/'>LinkedIn</a> and <a href='https://twitter.com/Wh1t3Rabbit?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor'>Twitter</a></p>
<p>Check out his <a href='http://podcast.wh1t3rabbit.net/'>podcast</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/kz5ndu/Rafal_Losbpend.mp3" length="39228857" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan is joined by Rafal Los, industry innovator, strategist, and personality. His career spans 20+ years while working inside companies from the Fortune 10 to a firm of less than 10. Additionally, Rafal is a founder and host of the Down the Security Rabbithole Podcast - an industry podcast delivering a weekly take on cybersecurity since 2011. Join Allan and Rafal as they discuss cyber security centers of excellence, metrics, marketing and acceptance in this conversation between two friends.
 
Key Takeaways:
01:56 Bio
04:27 Goals for Cybersecurity Center of Excellence (CoE)
06:44 How do you birth a Cybersecurity CoE?
09:45 Selling your service
15:18 Cost - who pays in the end and how?
17:10 Getting management on board
24:22 It’s not all about cost – but it is.
26:37 Metrics
31:05 Quality metrics
34:33 Your mess for less
38:02 What is something outside cyber that helps on the inside?
 
Links:
Follow Allan on LinkedIn and Twitter
Follow Rafal Los on LinkedIn and Twitter
Check out his podcast
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2447</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>53</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Investing in Cybersecurity Startups w/ Kathy Wang</title>
        <itunes:title>Investing in Cybersecurity Startups w/ Kathy Wang</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/investing-in-cybersecurity-startups-w-kathy-wang/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/investing-in-cybersecurity-startups-w-kathy-wang/#comments</comments>        <pubDate>Wed, 12 Jan 2022 05:11:17 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/e7943b6e-91d1-36c1-bcae-ad4c4934a31a</guid>
                                    <description><![CDATA[<p>Join Allan as he discusses investing in cybersecurity startups with the perfect guest for the subject: Kathy Wang, CISO at Very Good Security, investor at Silicon Valley CISO Investments, investor at Firebolt Ventures, and former founder as well!</p>
<p>Allan and Kathy talk about investment goals, the process from start to finish, how to get started, the buy-in costs, returns, what to expect, partnering, etc.</p>
<p>Join them as they dive into this fascinating topic:</p>
<p>DISCLAIMER: NOBODY ON THIS SHOW IS A FINANCIAL ADVISOR OR PLANNER, AND NOTHING SAID ON THIS SHOW CONSTITUTES FINANCIAL ADVICE. OPINIONS EXPRESSED ON THIS SHOW ARE JUST THAT – OPINIONS – AND YOU SHOULD NOT USE THEM TO CONDUCT YOUR FINANCIAL AFFAIRS. CONSULT A LICENSED EXPERT INSTEAD OF US!</p>
<p> </p>
<p>Key Takeaways:</p>
<p>02:14 Bio</p>
<p>02:54 Getting into cyber security investing</p>
<p>05:28 Spotting good investments</p>
<p>09:13 What’s the process?</p>
<p>15:15 Ranging investments | partnerships</p>
<p>22:35 29 no's and 1 yes – is that reality?</p>
<p>26:20 Seeking investment? Start here.</p>
<p>29:31 Be willing to work with other people</p>
<p>30:57 What is something from outside of infosec that helped you in infosec?</p>
<p> </p>
<p>Links:</p>
<p>Follow Kathy Wang on <a href='https://www.linkedin.com/in/kathywang/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Join Allan as he discusses investing in cybersecurity startups with the perfect guest for the subject: Kathy Wang, CISO at Very Good Security, investor at Silicon Valley CISO Investments, investor at Firebolt Ventures, and former founder as well!</p>
<p>Allan and Kathy talk about investment goals, the process from start to finish, how to get started, the buy-in costs, returns, what to expect, partnering, etc.</p>
<p>Join them as they dive into this fascinating topic:</p>
<p>DISCLAIMER: NOBODY ON THIS SHOW IS A FINANCIAL ADVISOR OR PLANNER, AND NOTHING SAID ON THIS SHOW CONSTITUTES FINANCIAL ADVICE. OPINIONS EXPRESSED ON THIS SHOW ARE JUST THAT – OPINIONS – AND YOU SHOULD NOT USE THEM TO CONDUCT YOUR FINANCIAL AFFAIRS. CONSULT A LICENSED EXPERT INSTEAD OF US!</p>
<p> </p>
<p>Key Takeaways:</p>
<p>02:14 Bio</p>
<p>02:54 Getting into cyber security investing</p>
<p>05:28 Spotting good investments</p>
<p>09:13 What’s the process?</p>
<p>15:15 Ranging investments | partnerships</p>
<p>22:35 29 no's and 1 yes – is that reality?</p>
<p>26:20 Seeking investment? Start here.</p>
<p>29:31 Be willing to work with other people</p>
<p>30:57 What is something from outside of infosec that helped you in infosec?</p>
<p> </p>
<p>Links:</p>
<p>Follow Kathy Wang on <a href='https://www.linkedin.com/in/kathywang/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/sipdpr/Kathy_Wang92zx7.mp3" length="80458076" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Join Allan as he discusses investing in cybersecurity startups with the perfect guest for the subject: Kathy Wang, CISO at Very Good Security, investor at Silicon Valley CISO Investments, investor at Firebolt Ventures, and former founder as well!
Allan and Kathy talk about investment goals, the process from start to finish, how to get started, the buy-in costs, returns, what to expect, partnering, etc.
Join them as they dive into this fascinating topic:
DISCLAIMER: NOBODY ON THIS SHOW IS A FINANCIAL ADVISOR OR PLANNER, AND NOTHING SAID ON THIS SHOW CONSTITUTES FINANCIAL ADVICE. OPINIONS EXPRESSED ON THIS SHOW ARE JUST THAT – OPINIONS – AND YOU SHOULD NOT USE THEM TO CONDUCT YOUR FINANCIAL AFFAIRS. CONSULT A LICENSED EXPERT INSTEAD OF US!
 
Key Takeaways:
02:14 Bio
02:54 Getting into cyber security investing
05:28 Spotting good investments
09:13 What’s the process?
15:15 Ranging investments | partnerships
22:35 29 no's and 1 yes – is that reality?
26:20 Seeking investment? Start here.
29:31 Be willing to work with other people
30:57 What is something from outside of infosec that helped you in infosec?
 
Links:
Follow Kathy Wang on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2011</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>52</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>50th Episode Special w/ Many Guests</title>
        <itunes:title>50th Episode Special w/ Many Guests</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/50th-episode-special-w-many-guests/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/50th-episode-special-w-many-guests/#comments</comments>        <pubDate>Wed, 05 Jan 2022 05:05:44 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/8f1ca171-0553-38ec-93ee-f6ffe06660ef</guid>
                                    <description><![CDATA[<p>In this special episode, Allan invites a few familiar voices back to the show, conducts a countdown of his Top 5 most popular shows, and reviews some of the most common guest responses. Lastly, Allan issues some important thank you's and shares a few comments and feedback from the listeners.</p>
<p> </p>
<p>Highlights:</p>
<p>Top 3 guest answers to "What keeps you going in cybersecurity?"</p>
<p>Top 3 guest answers to "What surprises you the most in cybersecurity?"</p>
<p>Top 5 shows by download</p>
<p> </p>
<p>Visits from:</p>
<p>Tim Rohrbaugh, CISO - Jet Blue</p>
<p>Chris Cochran & Ron Eddings - Hacker Valley Media</p>
<p>Drew Brown, who has held many security leadership roles and who is an avid user of the FAIR methodology of risk measurement</p>
<p>Richard Seiersen, former CISO, famed champion of measuring risk, and author of "The Metrics Manifesto: Confronting Security with Data"</p>
<p>Accidental CISO of Twitter fame</p>
<p> </p>
<p>THANK YOU to all of our listeners, Hacker Valley Media, our fantastic guests, and to everyone who helped get us to 50 shows!!!</p>
<p> </p>
<p>Links:</p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
<p> </p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this special episode, Allan invites a few familiar voices back to the show, conducts a countdown of his Top 5 most popular shows, and reviews some of the most common guest responses. Lastly, Allan issues some important thank you's and shares a few comments and feedback from the listeners.</p>
<p> </p>
<p>Highlights:</p>
<p>Top 3 guest answers to "What keeps you going in cybersecurity?"</p>
<p>Top 3 guest answers to "What surprises you the most in cybersecurity?"</p>
<p>Top 5 shows by download</p>
<p> </p>
<p>Visits from:</p>
<p>Tim Rohrbaugh, CISO - Jet Blue</p>
<p>Chris Cochran & Ron Eddings - Hacker Valley Media</p>
<p>Drew Brown, who has held many security leadership roles and who is an avid user of the FAIR methodology of risk measurement</p>
<p>Richard Seiersen, former CISO, famed champion of measuring risk, and author of "The Metrics Manifesto: Confronting Security with Data"</p>
<p>Accidental CISO of Twitter fame</p>
<p> </p>
<p>THANK YOU to all of our listeners, Hacker Valley Media, our fantastic guests, and to everyone who helped get us to 50 shows!!!</p>
<p> </p>
<p>Links:</p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a></p>
<p> </p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/t6i4c2/Episode_5061da6.mp3" length="113569580" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this special episode, Allan invites a few familiar voices back to the show, conducts a countdown of his Top 5 most popular shows, and reviews some of the most common guest responses. Lastly, Allan issues some important thank you's and shares a few comments and feedback from the listeners.
 
Highlights:
Top 3 guest answers to "What keeps you going in cybersecurity?"
Top 3 guest answers to "What surprises you the most in cybersecurity?"
Top 5 shows by download
 
Visits from:
Tim Rohrbaugh, CISO - Jet Blue
Chris Cochran & Ron Eddings - Hacker Valley Media
Drew Brown, who has held many security leadership roles and who is an avid user of the FAIR methodology of risk measurement
Richard Seiersen, former CISO, famed champion of measuring risk, and author of "The Metrics Manifesto: Confronting Security with Data"
Accidental CISO of Twitter fame
 
THANK YOU to all of our listeners, Hacker Valley Media, our fantastic guests, and to everyone who helped get us to 50 shows!!!
 
Links:
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
 ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2839</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>51</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Minimum Viable Security w/ Chris Roberts &amp; Cecil Pineda: EXPLICIT CONTENT</title>
        <itunes:title>Minimum Viable Security w/ Chris Roberts &amp; Cecil Pineda: EXPLICIT CONTENT</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/minimum-viable-security-w-chris-roberts-cecil-pineda-explicit-content/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/minimum-viable-security-w-chris-roberts-cecil-pineda-explicit-content/#comments</comments>        <pubDate>Wed, 22 Dec 2021 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/0f8c289d-c52a-3ddf-841b-516c714fea63</guid>
                                    <description><![CDATA[<p>Allan hosts a live podcast at the August 2021 CISO XC event in the Dallas-Fort Worth area. He is joined by Chris Roberts, chief geek at Hillbilly Hit Squad, and Cecil Pineda, then head of the vCISO and GRC programs at Critical Start. The topic is Minimum Viable Security, tactical frameworks, the challenges with large frameworks, and the challenges of competing frameworks.</p>
<p>This show was recorded after happy hour and the audience and participants both imbibed.  It's a rowdy show and features some explicit content.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>0:00 Allan’s holiday greeting</p>
<p>0:39 Allan introduces the live show, guests and issues a disclaimer about naughty language</p>
<p>2:02 Chris Roberts on Minimum Viable Security</p>
<p>2:42 Cecil on his love/hate relationship with compliance and the need for weighting controls</p>
<p>4:25 Allan proposes “tactical frameworks”</p>
<p>5:38 Chris challenges the crowd on their asset management successes</p>
<p>7:43 Allan introduces “See it, manage it, secure it.” (Which he flagrantly stole from Steve Williams @ NTT DATA Services)</p>
<p>8:53 Cecil says: data discovery comes before DLP</p>
<p>10:17 Chris challenges Allan’s idea that MFA should “just happen” in order to capture at least 90% of ransomware threats</p>
<p>12:07 Cecil proposes a compromise – 30% of controls meet a higher CMMI requirement than the 70%</p>
<p>13:48 Chris says even the 30% are not being met in most environments</p>
<p>14:56 Allan’s full proposal on a tactical framework (that includes Chris’ emphasis on asset management)</p>
<p>16:07 Chris states that we have to agree on the subset frameworks in order to achieve success.  Diverse frameworks actually harm the industry.</p>
<p>17:56 Chris challenges the crowd to hire interns and those new to the industry</p>
<p>20:02 Allan misattributes the total control count in NIST CSF.  We mentioned whiskey, right?</p>
<p>21:35 Barring regulated environments, Allan doubles down on his tactical framework idea</p>
<p>22:13 Chris says we must challenge the authors of all these frameworks</p>
<p>22:50 Allan points out that frameworks are implicitly behind the fast pace of the industry after going through committee</p>
<p>23:53 Chris criticizes the notion that compliance = security</p>
<p>24:57 Insurance carriers insist now upon framework compliance and are getting smarter</p>
<p>26:53 Chris says full compliance with a framework is still useful only as a point-in-time exercise</p>
<p>28:22 We have to simplify compliance</p>
<p>28:59 Allan proposes SBOM, CMMC-like maturity awareness, and the shared responsibility model as the solution to the compliance problem</p>
<p>30:57 Chris says that will take ten years to sort out</p>
<p>31:49 Chris says “take the money out of compliance”</p>
<p>35:37 Cecil talks about self-attestation and standards that are needed on auditing processes</p>
<p>36:41 Allan says frameworks exist in the first place with the goal of getting secure</p>
<p>37:14 Chris disagrees and states (using naughty metaphors) that frameworks compete out of hubris</p>
<p>38:26 An audience member suggests “trust but verify” as the reason frameworks exist in the first place</p>
<p>41:24 Cecil deconstructs the practicality of shared responsibility, extending it into the business</p>
<p>43:28 Chris proposes working with insurance companies to create a consolidated or tactical framework</p>
<p> </p>
<p>Links:</p>
<p>Chris Roberts - <a href='https://www.linkedin.com/in/sidragon1/'>LinkedIn</a></p>
<p>Cecil Pineda - <a href='https://www.linkedin.com/in/ceciltheciso/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p> </p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan hosts a live podcast at the August, 2021 CISO XC event in the Dallas-Fort Worth area. He is joined by Chris Roberts, chief geek at Hillbilly Hit Squad, and Cecil Pineda, then head of the vCISO and GRC programs at Critical Start. The topic is Minimum Viable Security, tactical frameworks, the challenges with large frameworks, and the challenges of competing frameworks.</p>
<p>This show was recorded after happy hour and the audience and participants both imbibed.  It's a rowdy show and features some explicit content.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>0:00 Allan’s holiday greeting</p>
<p>0:39 Allan introduces the live show, guests and issues a disclaimer about naughty language</p>
<p>2:02 Chris Roberts on Minimum Viable Security</p>
<p>2:42 Cecil on his love/hate relationship with compliance and the need for weighting controls</p>
<p>4:25 Allan proposes “tactical frameworks”</p>
<p>5:38 Chris challenges the crowd on their asset management successes</p>
<p>7:43 Allan introduces “See it, manage it, secure it.” (Which he flagrantly stole from Steve Williams @ NTT DATA Services)</p>
<p>8:53 Cecil says: data discovery comes before DLP</p>
<p>10:17 Chris challenges Allan’s idea that MFA should “just happen” in order to capture at least 90% of ransomware threats</p>
<p>12:07 Cecil proposes a compromise – 30% of controls meet a higher CMMI requirement than the 70%</p>
<p>13:48 Chris says even the 30% are not being met in most environments</p>
<p>14:56 Allan’s full proposal on a tactical framework (that includes Chris’ emphasis on asset management)</p>
<p>16:07 Chris states that we have to agree on the subset frameworks in order to achieve success.  Diverse frameworks actually harm the industry.</p>
<p>17:56 Chris challenges the crowd to hire interns and those new to the industry</p>
<p>20:02 Allan misattributes the total control count in NIST CSF.  We mentioned whiskey, right?</p>
<p>21:35 Barring regulated environments, Allan doubles down on his tactical framework idea</p>
<p>22:13 Chris says we must challenge the authors of all these frameworks</p>
<p>22:50 Allan points out that frameworks are implicitly behind the fast pace of the industry after going through committee</p>
<p>23:53 Chris criticizes the notion that compliance = security</p>
<p>24:57 Insurance carriers insist now upon framework compliance and are getting smarter</p>
<p>26:53 Chris says full compliance with a framework is still useful only as a point-in-time exercise</p>
<p>28:22 We have to simplify compliance</p>
<p>28:59 Allan proposes SBOM, CMMC-like maturity awareness, and the shared responsibility model as the solution to the compliance problem</p>
<p>30:57 Chris says that will take ten years to sort out</p>
<p>31:49 Chris says “take the money out of compliance”</p>
<p>35:37 Cecil talks about self-attestation and standards that are needed on auditing processes</p>
<p>36:41 Allan says frameworks exist in the first place with the goal of getting secure</p>
<p>37:14 Chris disagrees and states (using naughty metaphors) that frameworks compete out of hubris</p>
<p>38:26 An audience member suggests “trust but verify” as the reason frameworks exist in the first place</p>
<p>41:24 Cecil deconstructs the practicality of shared responsibility, extending it into the business</p>
<p>43:28 Chris proposes working with insurance companies to create a consolidated or tactical framework</p>
<p> </p>
<p>Links:</p>
<p>Chris Roberts - <a href='https://www.linkedin.com/in/sidragon1/'>LinkedIn</a></p>
<p>Cecil Pineda - <a href='https://www.linkedin.com/in/ceciltheciso/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p> </p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/6jah6c/CISO_XCbu0io.mp3" length="109193132" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan hosts a live podcast at the August, 2021 CISO XC event in the Dallas-Fort Worth area. He is joined by Chris Roberts, chief geek at Hillbilly Hit Squad, and Cecil Pineda, then head of the vCISO and GRC programs at Critical Start. The topic is Minimum Viable Security, tactical frameworks, the challenges with large frameworks, and the challenges of competing frameworks.
This show was recorded after happy hour and the audience and participants both imbibed.  It's a rowdy show and features some explicit content.
 
Key Takeaways:
0:00 Allan’s holiday greeting
0:39 Allan introduces the live show, guests and issues a disclaimer about naughty language
2:02 Chris Roberts on Minimum Viable Security
2:42 Cecil on his love/hate relationship with compliance and the need for weighting controls
4:25 Allan proposes “tactical frameworks”
5:38 Chris challenges the crowd on their asset management successes
7:43 Allan introduces “See it, manage it, secure it.” (Which he flagrantly stole from Steve Williams @ NTT DATA Services)
8:53 Cecil says: data discovery comes before DLP
10:17 Chris challenges Allan’s idea that MFA should “just happen” in order to capture at least 90% of ransomware threats
12:07 Cecil proposes a compromise – 30% of controls meet a higher CMMI requirement than the 70%
13:48 Chris says even the 30% are not being met in most environments
14:56 Allan’s full proposal on a tactical framework (that includes Chris’ emphasis on asset management)
16:07 Chris states that we have to agree on the subset frameworks in order to achieve success.  Diverse frameworks actually harm the industry.
17:56 Chris challenges the crowd to hire interns and those new to the industry
20:02 Allan misattributes the total control count in NIST CSF.  We mentioned whiskey, right?
21:35 Barring regulated environments, Allan doubles down on his tactical framework idea
22:13 Chris says we must challenge the authors of all these frameworks
22:50 Allan points out that frameworks are implicitly behind the fast pace of the industry after going through committee
23:53 Chris criticizes the notion that compliance = security
24:57 Insurance carriers insist now upon framework compliance and are getting smarter
26:53 Chris says full compliance with a framework is still useful only as a point-in-time exercise
28:22 We have to simplify compliance
28:59 Allan proposes SBOM, CMMC-like maturity awareness, and the shared responsibility model as the solution to the compliance problem
30:57 Chris says that will take ten years to sort out
31:49 Chris says “take the money out of compliance”
35:37 Cecil talks about self-attestation and standards that are needed on auditing processes
36:41 Allan says frameworks exist in the first place with the goal of getting secure
37:14 Chris disagrees and states (using naughty metaphors) that frameworks compete out of hubris
38:26 An audience member suggests “trust but verify” as the reason frameworks exist in the first place
41:24 Cecil deconstructs the practicality of shared responsibility, extending it into the business
43:28 Chris proposes working with insurance companies to create a consolidated or tactical framework
 
Links:
Chris Roberts - LinkedIn
Cecil Pineda - LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
 
Sponsored by our good friends at AttackIQ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>true</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2729</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>50</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Organizational Resilience w/ Marnie Wilking</title>
        <itunes:title>Organizational Resilience w/ Marnie Wilking</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/organizational-resilience-w-marnie-wilking/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/organizational-resilience-w-marnie-wilking/#comments</comments>        <pubDate>Wed, 15 Dec 2021 05:08:26 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/fc0f63d8-5f57-3d3c-a999-a378a7163c64</guid>
                                    <description><![CDATA[<p>In this episode, Allan is joined by Marnie Wilking, CISO at Wayfair. Marnie has directed Information Security and multi-discipline Risk Management Programs for more than 15 years --  providing a unique set of skills and experience to manage operational risks and improve risk management among diverse businesses. Join Allan and Marnie as they define organizational resilience, discuss its goals and enablers, and analyze the COVID pandemic through its lens.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:26  Bio</p>
<p>03:42  Organizational resilience</p>
<p>06:40  COVID benefits; business enabling?</p>
<p>09:47  Building hybrid work environments</p>
<p>11:11  Virtual offices and home fatigue</p>
<p>17:14  Bullets dodged in organizational resilience</p>
<p>20:51  Tabletop exercises</p>
<p>27:16  Office conflicts and mailing troubles</p>
<p>30:38  Communication in resilience</p>
<p>32:29  What surprises Marnie in cyber security?</p>
<p> </p>
<p>Links:</p>
<p>Learn more about Marnie on <a href='https://www.linkedin.com/in/marnie-huss-wilking/'>LinkedIn</a> and <a href='https://www.crunchbase.com/person/marnie-wilking'>Crunchbase</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>In this episode, Allan is joined by Marnie Wilking, CISO at Wayfair. Marnie has directed Information Security and multi-discipline Risk Management Programs for more than 15 years --  providing a unique set of skills and experience to manage operational risks and improve risk management among diverse businesses. Join Allan and Marnie as they define organizational resilience, discuss its goals and enablers, and analyze the COVID pandemic through its lens.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:26  Bio</p>
<p>03:42  Organizational resilience</p>
<p>06:40  COVID benefits; business enabling?</p>
<p>09:47  Building hybrid work environments</p>
<p>11:11  Virtual offices and home fatigue</p>
<p>17:14  Bullets dodged in organizational resilience</p>
<p>20:51  Tabletop exercises</p>
<p>27:16  Office conflicts and mailing troubles</p>
<p>30:38  Communication in resilience</p>
<p>32:29  What surprises Marnie in cyber security?</p>
<p> </p>
<p>Links:</p>
<p>Learn more about Marnie on <a href='https://www.linkedin.com/in/marnie-huss-wilking/'>LinkedIn</a> and <a href='https://www.crunchbase.com/person/marnie-wilking'>Crunchbase</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/qqekjn/Marnie_Wilkingbtwfj.mp3" length="81598124" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan is joined by Marnie Wilking, CISO at Wayfair. Marnie has directed Information Security and multi-discipline Risk Management Programs for more than 15 years --  providing a unique set of skills and experience to manage operational risks and improve risk management among diverse businesses. Join Allan and Marnie as they define organizational resilience, discuss its goals and enablers, and analyze the COVID pandemic through its lens.
 
Key Takeaways:
01:26  Bio
03:42  Organizational resilience
06:40  COVID benefits; business enabling?
09:47  Building hybrid work environments
11:11  Virtual offices and home fatigue
17:14  Bullets dodged in organizational resilience
20:51  Tabletop exercises
27:16  Office conflicts and mailing troubles
30:38  Communication in resilience
32:29  What surprises Marnie in cyber security?
 
Links:
Learn more about Marnie on LinkedIn and Crunchbase
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2039</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>49</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The vCISO Life w/ Dan Doggendorf</title>
        <itunes:title>The vCISO Life w/ Dan Doggendorf</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-vciso-life-w-dan-doggendorf/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-vciso-life-w-dan-doggendorf/#comments</comments>        <pubDate>Wed, 08 Dec 2021 05:00:23 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/4840d042-a512-3bc4-816e-808e0264a653</guid>
                                    <description><![CDATA[<p>Welcome to another live show of the Cyber Ranch! Allan is joined by Dan Doggendorf, a creative cybersecurity leader with a passion for simplicity, efficiency, accountability, common sense, and honesty. The duo discusses the ins and outs of being a vCISO, how one walks the path and what the industry can do to make this role better. This show was recorded at the Cybersecurity Conference 9 (CSC 9) conducted by the North Texas Chapter of ISSA. All proceeds from the event went directly to scholarships for the Collin College cybersecurity program.</p>
<p> </p>
<p>Key Takeaways:</p>
<p> </p>
<p>01:47 - Bio</p>
<p>02:33 - vCISO life</p>
<p>04:18 - The path to an independent contractor</p>
<p>07:46 - Should you specialize?</p>
<p>10:46 - Strategizing experience in cyber security</p>
<p>14:26 - Challenges of being a CISO & vCISO</p>
<p>19:04 - Staying connected as a vCISO</p>
<p>23:17 - Victories as a vCISO</p>
<p>27:06 - The bad times and mistakes made as a vCISO</p>
<p>29:52 - What should change for vCISOs?</p>
<p>30:51 - Advice for future vCISOs</p>
<p>34:09 - What surprises Dan in cyber security?</p>
<p> </p>
<p>Links:</p>
<p>Learn more about Dan on <a href='https://www.zintro.com/profile/dan-doggendorf'>Zintro</a> and <a href='https://www.linkedin.com/in/dandoggendorf'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Welcome to another live show of the Cyber Ranch! Allan is joined by Dan Doggendorf, a creative cybersecurity leader with a passion for simplicity, efficiency, accountability, common sense, and honesty. The duo discusses the ins and outs of being a vCISO, how one walks the path and what the industry can do to make this role better. This show was recorded at the Cybersecurity Conference 9 (CSC 9) conducted by the North Texas Chapter of ISSA. All proceeds from the event went directly to scholarships for the Collin College cybersecurity program.</p>
<p> </p>
<p>Key Takeaways:</p>
<p> </p>
<p>01:47 - Bio</p>
<p>02:33 - vCISO life</p>
<p>04:18 - The path to an independent contractor</p>
<p>07:46 - Should you specialize?</p>
<p>10:46 - Strategizing experience in cyber security</p>
<p>14:26 - Challenges of being a CISO & vCISO</p>
<p>19:04 - Staying connected as a vCISO</p>
<p>23:17 - Victories as a vCISO</p>
<p>27:06 - The bad times and mistakes made as a vCISO</p>
<p>29:52 - What should change for vCISOs?</p>
<p>30:51 - Advice for future vCISOs</p>
<p>34:09 - What surprises Dan in cyber security?</p>
<p> </p>
<p>Links:</p>
<p>Learn more about Dan on <a href='https://www.zintro.com/profile/dan-doggendorf'>Zintro</a> and <a href='https://www.linkedin.com/in/dandoggendorf'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/8md5qp/Dan_Doggendorf_1_9kwrx.mp3" length="84436760" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Welcome to another live show of the Cyber Ranch! Allan is joined by Dan Doggendorf, a creative cybersecurity leader with a passion for simplicity, efficiency, accountability, common sense, and honesty. The duo discusses the ins and outs of being a vCISO, how one walks the path and what the industry can do to make this role better. This show was recorded at the Cybersecurity Conference 9 (CSC 9) conducted by the North Texas Chapter of ISSA. All proceeds from the event went directly to scholarships for the Collin College cybersecurity program.
 
Key Takeaways:
 
01:47 - Bio
02:33 - vCISO life
04:18 - The path to an independent contractor
07:46 - Should you specialize?
10:46 - Strategizing experience in cyber security
14:26 - Challenges of being a CISO & vCISO
19:04 - Staying connected as a vCISO
23:17 - Victories as a vCISO
27:06 - The bad times and mistakes made as a vCISO
29:52 - What should change for vCISOs?
30:51 - Advice for future vCISOs
34:09 - What surprises Dan in cyber security?
 
Links:
Learn more about Dan on Zintro and LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>true</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2110</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>48</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>GRC: ”Now What?” w/ Security &amp; Compliance Weekly</title>
        <itunes:title>GRC: ”Now What?” w/ Security &amp; Compliance Weekly</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/grc-now-what-w-security-compliance-weekly/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/grc-now-what-w-security-compliance-weekly/#comments</comments>        <pubDate>Wed, 01 Dec 2021 05:21:31 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/2b2a7234-4f6c-39c2-8220-d93454bd4256</guid>
                                    <description><![CDATA[<p>This week, Allan is joined by Fredrick Lee aka “Flee”, Chief Security Officer and Head of IT at Gusto, Jeff Man, host of Security & Compliance Weekly and notorious infosec curmudgeon, and by Kat Valentine, Security and Compliance Weekly co-host.  A few weeks ago Allan appeared on their show to discuss “GRC: ‘What?’ and ‘So What?’”.  In that episode, found <a href='https://securityweekly.com/shows/governance-risk-compliance-so-what-part-1-allan-alford-scw-94/'>here</a>, they take a deep dive into GRC in terms of understanding its purpose and value.</p>
<p>In this crossover episode, the group continues the conversation to talk about “GRC: ‘Now what?’” (the cultural impact and implementation, risk register, achieving actionable results and much more).</p>
<p>Join Allan and the Security & Compliance Weekly team as they dive into overcoming cultural barriers, a continued conversation on the order of priority (“RGC” vs. “GRC”, for example), and enlisting allies in the business.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>2:20 Implementing GRC culturally – Flee's take</p>
<p>4:13 Jeff’s take</p>
<p>6:16 Kat’s take</p>
<p>10:43 The CISO – Turning compliance data into actionable results – Jeff’s take as an assessor</p>
<p>13:56 Kat’s take as an assessor</p>
<p>15:41 Flee’s take as a CISO</p>
<p>21:13 Understanding perspectives from all parties</p>
<p>28:10 Sharing problems upstream/Audits vs. Assessments</p>
<p>34:48 Flee’s take on “governance vs. doctrine”</p>
<p>37:43 Risk register – training for self sufficiency</p>
<p>42:40 Get in touch!</p>
<p> </p>
<p>Links:</p>
<p>Check out <a href='https://securityweekly.com/category-shows/security-and-compliance-weekly/'>Security and Compliance Weekly</a>!</p>
<p>Follow Flee on <a href='https://www.linkedin.com/in/fredrickdlee/'>LinkedIn</a> and <a href='https://twitter.com/fredrickl'>Twitter</a></p>
<p>Follow Jeff Man on <a href='https://www.linkedin.com/in/jeffreyeman/'>LinkedIn</a> and <a href='https://twitter.com/mrjeffman'>Twitter</a></p>
<p>Follow Kat Valentine on <a href='https://www.linkedin.com/in/kjvalentine/'>LinkedIn</a></p>
<p>Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/allanalfordintx'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This week, Allan is joined by Fredrick Lee aka “Flee”, Chief Security Officer and Head of IT at Gusto, Jeff Man, host of Security & Compliance Weekly and notorious infosec curmudgeon, and by Kat Valentine, Security and Compliance Weekly co-host.  A few weeks ago Allan appeared on their show to discuss “GRC: ‘What?’ and ‘So What?’”.  In that episode, found <a href='https://securityweekly.com/shows/governance-risk-compliance-so-what-part-1-allan-alford-scw-94/'>here</a>, they take a deep dive into GRC in terms of understanding its purpose and value.</p>
<p>In this crossover episode, the group continues the conversation to talk about “GRC: ‘Now what?’” (the cultural impact and implementation, risk register, achieving actionable results and much more).</p>
<p>Join Allan and the Security & Compliance Weekly team as they dive into overcoming cultural barriers, a continued conversation on the order of priority (“RGC” vs. “GRC”, for example), and enlisting allies in the business.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>2:20 Implementing GRC culturally – Flee's take</p>
<p>4:13 Jeff’s take</p>
<p>6:16 Kat’s take</p>
<p>10:43 The CISO – Turning compliance data into actionable results – Jeff’s take as an assessor</p>
<p>13:56 Kat’s take as an assessor</p>
<p>15:41 Flee’s take as a CISO</p>
<p>21:13 Understanding perspectives from all parties</p>
<p>28:10 Sharing problems upstream/Audits vs. Assessments</p>
<p>34:48 Flee’s take on “governance vs. doctrine”</p>
<p>37:43 Risk register – training for self sufficiency</p>
<p>42:40 Get in touch!</p>
<p> </p>
<p>Links:</p>
<p>Check out <a href='https://securityweekly.com/category-shows/security-and-compliance-weekly/'>Security and Compliance Weekly</a>!</p>
<p>Follow Flee on <a href='https://www.linkedin.com/in/fredrickdlee/'>LinkedIn</a> and <a href='https://twitter.com/fredrickl'>Twitter</a></p>
<p>Follow Jeff Man on <a href='https://www.linkedin.com/in/jeffreyeman/'>LinkedIn</a> and <a href='https://twitter.com/mrjeffman'>Twitter</a></p>
<p>Follow Kat Valentine on <a href='https://www.linkedin.com/in/kjvalentine/'>LinkedIn</a></p>
<p>Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/allanalfordintx'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/aue959/SCW.mp3" length="104095280" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This week, Allan is joined by Fredrick Lee aka “Flee”, Chief Security Officer and Head of IT at Gusto, Jeff Man, host of Security & Compliance Weekly and notorious infosec curmudgeon, and by Kat Valentine, Security and Compliance Weekly co-host.  A few weeks ago Allan appeared on their show to discuss “GRC: ‘What?’ and ‘So What?’”.  In that episode, found here, they take a deep dive into GRC in terms of understanding its purpose and value.
In this crossover episode, the group continues the conversation to talk about “GRC: ‘Now what?’” (the cultural impact and implementation, risk register, achieving actionable results and much more).
Join Allan and the Security & Compliance Weekly team as they dive into overcoming cultural barriers, a continued conversation on the order of priority (“RGC” vs. “GRC”, for example), and enlisting allies in the business.
 
Key Takeaways:
2:20 Implementing GRC culturally – Flee's take
4:13 Jeff’s take
6:16 Kat’s take
10:43 The CISO – Turning compliance data into actionable results – Jeff’s take as an assessor
13:56 Kat’s take as an assessor
15:41 Flee’s take as a CISO
21:13 Understanding perspectives from all parties
28:10 Sharing problems upstream/Audits vs. Assessments
34:48 Flee’s take on “governance vs. doctrine”
37:43 Risk register – training for self sufficiency
42:40 Get in touch!
 
Links:
Check out Security and Compliance Weekly!
Follow Flee on LinkedIn and Twitter
Follow Jeff Man on LinkedIn and Twitter
Follow Kat Valentine on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2602</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>47</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The CMO‘s Perspective w/ Nathan Burke and Julie O‘Brien</title>
        <itunes:title>The CMO‘s Perspective w/ Nathan Burke and Julie O‘Brien</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-cmo-s-perspective-w-nathan-burke-and-julie-o-brien/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-cmo-s-perspective-w-nathan-burke-and-julie-o-brien/#comments</comments>        <pubDate>Wed, 24 Nov 2021 05:01:26 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/63902291-53bf-3154-a2a3-335fdcd9e867</guid>
                                    <description><![CDATA[<p>CISOs complain on social media about bad marketing – when they are targeted inappropriately, or with messages that don’t resonate, or with messages that outright lie. This week Allan Alford decides to hear from the other side, and invites his two favorite CMOs to the show. Julie O’Brien, CMO at AttackIQ, and Nathan Burke, CMO at Axonius, sit down with Allan to send a message to cyber security professionals about the vital role marketing plays in the industry, what is good marketing and bad marketing, and how marketing affects all of our careers more than we know. Hear different perspectives on topics like buzzwords, cold calls, and the difference between good and bad marketing practices. Backed up with proven experience, this episode is packed with useful info for all cyber practitioners and aspiring practitioners.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>02:00 Julie Bio</p>
<p>03:13 Nathan Bio</p>
<p>04:00 Standing out as a marketer</p>
<p>10:15 Emphasizing what you don’t do as a company, rather than what you do</p>
<p>15:56 A message to CISOs - Julie</p>
<p>23:00 Nathan’s message to CISOs</p>
<p>25:55 Allan touches on why innovation occurs on the vendor side</p>
<p>27:45 Buzzwords</p>
<p>33:50 What surprises Nathan and Julie in cyber security?</p>
<p>Links:</p>
<p>Learn more about Nathan on <a href='https://www.linkedin.com/in/nathanwburke/'>LinkedIn</a> and <a href='https://twitter.com/nathanwburke'>Twitter</a></p>
<p>Check out Julie on <a href='https://www.linkedin.com/in/obrienjuliea/'>LinkedIn</a> and <a href='https://twitter.com/julieaobrien'>Twitter</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>CISOs complain on social media about bad marketing – when they are targeted inappropriately, or with messages that don’t resonate, or with messages that outright lie. This week Allan Alford decides to hear from the other side, and invites his two favorite CMOs to the show. Julie O’Brien, CMO at AttackIQ, and Nathan Burke, CMO at Axonius, sit down with Allan to send a message to cyber security professionals about the vital role marketing plays in the industry, what is good marketing and bad marketing, and how marketing affects all of our careers more than we know. Hear different perspectives on topics like buzzwords, cold calls, and the difference between good and bad marketing practices. Backed up with proven experience, this episode is packed with useful info for all cyber practitioners and aspiring practitioners.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>02:00 Julie Bio</p>
<p>03:13 Nathan Bio</p>
<p>04:00 Standing out as a marketer</p>
<p>10:15 Emphasizing what you don’t do as a company, rather than what you do</p>
<p>15:56 A message to CISOs - Julie</p>
<p>23:00 Nathan’s message to CISOs</p>
<p>25:55 Allan touches on why innovation occurs on the vendor side</p>
<p>27:45 Buzzwords</p>
<p>33:50 What surprises Nathan and Julie in cyber security?</p>
<p>Links:</p>
<p>Learn more about Nathan on <a href='https://www.linkedin.com/in/nathanwburke/'>LinkedIn</a> and <a href='https://twitter.com/nathanwburke'>Twitter</a></p>
<p>Check out Julie on <a href='https://www.linkedin.com/in/obrienjuliea/'>LinkedIn</a> and <a href='https://twitter.com/julieaobrien'>Twitter</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/pny3rz/Marketing.mp3" length="94124036" type="audio/mpeg"/>
        <itunes:summary><![CDATA[CISOs complain on social media about bad marketing – when they are targeted inappropriately, or with messages that don’t resonate, or with messages that outright lie. This week Allan Alford decides to hear from the other side, and invites his two favorite CMOs to the show. Julie O’Brien, CMO at AttackIQ, and Nathan Burke, CMO at Axonius, sit down with Allan to send a message to cyber security professionals about the vital role marketing plays in the industry, what is good marketing and bad marketing, and how marketing affects all of our careers more than we know. Hear different perspectives on topics like buzzwords, cold calls, and the difference between good and bad marketing practices. Backed up with proven experience, this episode is packed with useful info for all cyber practitioners and aspiring practitioners.
 
Key Takeaways:
02:00 Julie Bio
03:13 Nathan Bio
04:00 Standing out as a marketer
10:15 Emphasizing what you don’t do as a company, rather than what you do
15:56 A message to CISOs - Julie
23:00 Nathan’s message to CISOs
25:55 Allan touches on why innovation occurs on the vendor side
27:45 Buzzwords
33:50 What surprises Nathan and Julie in cyber security?
Links:
Learn more about Nathan on LinkedIn and Twitter
Check out Julie on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2353</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>46</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Practical Working (And Hiring!) from Home w/ Brian Castagna</title>
        <itunes:title>Practical Working (And Hiring!) from Home w/ Brian Castagna</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/practical-working-and-hiring-from-home-w-brian-castagna/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/practical-working-and-hiring-from-home-w-brian-castagna/#comments</comments>        <pubDate>Wed, 17 Nov 2021 04:59:38 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/05aed4d2-d8e6-3400-92b9-5c8f3c32b1c3</guid>
                                    <description><![CDATA[<p>Brian Castagna (CISO at Seven Bridges - a genomics company) is a CISO with a proven track record of successfully building information security programs at cloud technology companies. He is on a mission to humanize the new work environment - our own home. Join Allan and Brian as they touch on transitioning from an office environment, both mentally and physically, hiring remotely, work/life balance and much more.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:33 Bio</p>
<p>02:22 Remote work</p>
<p>03:00 Hiring a remote workforce</p>
<p>10:50 What’s the human side of working from home?</p>
<p>17:38 Transitioning from work to home</p>
<p>19:54 Mental transitioning</p>
<p>21:00 Collaboration & strategy</p>
<p>24:30 Layering the human back in</p>
<p>27:19 What surprises you in cyber?</p>
<p> </p>
<p>Learn more about Brian on <a href='https://www.linkedin.com/in/brian-castagna-1890544/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Brian Castagna (CISO at Seven Bridges - a genomics company) is a CISO with a proven track record of successfully building information security programs at cloud technology companies. He is on a mission to humanize the new work environment - our own home. Join Allan and Brian as they touch on transitioning from an office environment, both mentally and physically, hiring remotely, work/life balance and much more.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:33 Bio</p>
<p>02:22 Remote work</p>
<p>03:00 Hiring a remote workforce</p>
<p>10:50 What’s the human side of working from home?</p>
<p>17:38 Transitioning from work to home</p>
<p>19:54 Mental transitioning</p>
<p>21:00 Collaboration & strategy</p>
<p>24:30 Layering the human back in</p>
<p>27:19 What surprises you in cyber?</p>
<p> </p>
<p>Learn more about Brian on <a href='https://www.linkedin.com/in/brian-castagna-1890544/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/kk7b5q/Brian_Costagna7ft1m.mp3" length="71928596" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Brian Castagna (CISO at Seven Bridges - a genomics company) is a CISO with a proven track record of successfully building information security programs at cloud technology companies. He is on a mission to humanize the new work environment - our own home. Join Allan and Brian as they touch on transitioning from an office environment, both mentally and physically, hiring remotely, work/life balance and much more.
 
Key Takeaways:
01:33 Bio
02:22 Remote work
03:00 Hiring a remote workforce
10:50 What’s the human side of working from home?
17:38 Transitioning from work to home
19:54 Mental transitioning
21:00 Collaboration & strategy
24:30 Layering the human back in
27:19 What surprises you in cyber?
 
Learn more about Brian on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1798</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>45</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Threat-Informed Defense, CISA, CVEs and ATT&amp;CK w/ MITRE Engenuity</title>
        <itunes:title>Threat-Informed Defense, CISA, CVEs and ATT&amp;CK w/ MITRE Engenuity</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/threat-informed-defense-cisa-cves-and-attck-w-mitre-enginuity/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/threat-informed-defense-cisa-cves-and-attck-w-mitre-enginuity/#comments</comments>        <pubDate>Wed, 10 Nov 2021 05:07:30 -0600</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/0b60e28f-c60c-38a0-85e7-3ca959527a1c</guid>
                                    <description><![CDATA[<p>This week, Allan is joined by some serious heavy hitters in cyber. Richard Struse (Director for the Center for Threat-Informed Defense at MITRE Engenuity), Jonathan Baker (Director of Research & Development, Center for Threat-Informed Defense at MITRE Engenuity), and Jonathan Reiber (Sr. Director for Cybersecurity Strategy and Policy @ AttackIQ). The four are here to have a conversation about CISA's new BOD that outlines 290 key vulnerabilities that require focus, the coincidental mapping of the CVE database to MITRE ATT&CK, and the implications for all of us. Of special note is the fact that ATT&CK is already mapped to NIST SP 800-53, meaning that we now have an opportunity to move bi-directionally from a threat-informed defense or to start with a framework and back into vulnerabilities. The implications for our industry are huge.</p>
<p>They also discuss briefly an overview of the bi-partisan work in both the Executive and Legislative branches to further cybersecurity interests and the release of CMMC v 2.0. This show is packed.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:58 Backgrounds</p>
<p>04:02 CISA – BOD 22-01, highlighting the key 290 known vulnerabilities</p>
<p>07:45 Helping organizations prioritize vulnerabilities</p>
<p>11:31 Starting with either framework or threats: Which is better?</p>
<p>14:18 Seeing through the politics - What is actually happening behind the scenes?</p>
<p>19:07 Developing the mapping</p>
<p>23:54 Since the invention of CVE</p>
<p>26:14 CMMC v 2.0</p>
<p>29:37 How do we change the game?</p>
<p>31:09 Getting a large organization to agree with vulnerability prioritization</p>
<p> </p>
<p>Links:</p>
<p>Follow Richard Struse on <a href='https://www.linkedin.com/in/richard-struse/'>LinkedIn</a></p>
<p>Keep up with Jon Baker on <a href='https://www.linkedin.com/in/jonathanobaker/'>LinkedIn</a></p>
<p>Follow Jonathan Reiber on <a href='https://www.linkedin.com/in/jonathan-reiber-0141158/'>LinkedIn</a> & his <a href='https://www.jonathanreiber.com/'>website</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/show/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>This week, Allan is joined by some serious heavy hitters in cyber. Richard Struse (Director for the Center for Threat-Informed Defense at MITRE Engenuity), Jonathan Baker (Director of Research & Development, Center for Threat-Informed Defense at MITRE Engenuity), and Jonathan Reiber (Sr. Director for Cybersecurity Strategy and Policy @ AttackIQ). The four are here to have a conversation about CISA's new BOD that outlines 290 key vulnerabilities that require focus, the coincidental mapping of the CVE database to MITRE ATT&CK, and the implications for all of us. Of special note is the fact that ATT&CK is already mapped to NIST SP 800-53, meaning that we now have an opportunity to move bi-directionally from a threat-informed defense or to start with a framework and back into vulnerabilities. The implications for our industry are huge.</p>
<p>They also discuss briefly an overview of the bi-partisan work in both the Executive and Legislative branches to further cybersecurity interests and the release of CMMC v 2.0. This show is packed.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:58 Backgrounds</p>
<p>04:02 CISA – BOD 22-01, highlighting the key 290 known vulnerabilities</p>
<p>07:45 Helping organizations prioritize vulnerabilities</p>
<p>11:31 Starting with either framework or threats: Which is better?</p>
<p>14:18 Seeing through the politics - What is actually happening behind the scenes?</p>
<p>19:07 Developing the mapping</p>
<p>23:54 Since the invention of CVE</p>
<p>26:14 CMMC v 2.0</p>
<p>29:37 How do we change the game?</p>
<p>31:09 Getting a large organization to agree with vulnerability prioritization</p>
<p> </p>
<p>Links:</p>
<p>Follow Richard Struse on <a href='https://www.linkedin.com/in/richard-struse/'>LinkedIn</a></p>
<p>Keep up with Jon Baker on <a href='https://www.linkedin.com/in/jonathanobaker/'>LinkedIn</a></p>
<p>Follow Jonathan Reiber on <a href='https://www.linkedin.com/in/jonathan-reiber-0141158/'>LinkedIn</a> & his <a href='https://www.jonathanreiber.com/'>website</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/show/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/9d9hbv/Mitre_CISAas2r3.mp3" length="80046740" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This week, Allan is joined by some serious heavy hitters in cyber. Richard Struse (Director for the Center for Threat-Informed Defense at MITRE Engenuity), Jonathan Baker (Director of Research & Development, Center for Threat-Informed Defense at MITRE Engenuity), and Jonathan Reiber (Sr. Director for Cybersecurity Strategy and Policy @ AttackIQ). The four are here to have a conversation about CISA's new BOD that outlines 290 key vulnerabilities that require focus, the coincidental mapping of the CVE database to MITRE ATT&CK, and the implications for all of us. Of special note is the fact that ATT&CK is already mapped to NIST SP 800-53, meaning that we now have an opportunity to move bi-directionally from a threat-informed defense or to start with a framework and back into vulnerabilities. The implications for our industry are huge.
They also discuss briefly an overview of the bi-partisan work in both the Executive and Legislative branches to further cybersecurity interests and the release of CMMC v 2.0. This show is packed.
 
Key Takeaways:
01:58 Backgrounds
04:02 CISA – BOD 22-01, highlighting the key 290 known vulnerabilities
07:45 Helping organizations prioritize vulnerabilities
11:31 Starting with either framework or threats: Which is better?
14:18 Seeing through the politics - What is actually happening behind the scenes?
19:07 Developing the mapping
23:54 Since the invention of CVE
26:14 CMMC v 2.0
29:37 How do we change the game?
31:09 Getting a large organization to agree with vulnerability prioritization
 
Links:
Follow Richard Struse on LinkedIn
Keep up with Jon Baker on LinkedIn
Follow Jonathan Reiber on LinkedIn & his website
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2001</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>44</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>A Day in the Life of Two CISOs w/ Mustapha Kebbeh</title>
        <itunes:title>A Day in the Life of Two CISOs w/ Mustapha Kebbeh</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/a-day-in-the-life-of-two-cisos-w-mustapha-kebbeh/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/a-day-in-the-life-of-two-cisos-w-mustapha-kebbeh/#comments</comments>        <pubDate>Wed, 03 Nov 2021 04:49:46 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/5330ece5-22c3-309a-b79e-3ea99b9562e9</guid>
                                    <description><![CDATA[<p>Mustapha Kebbeh, CISO at Brinks and heavy-hitter in the Dallas/Fort Worth Cyber community, joins Allan again this week as they cover a topic Mustapha noted was absent so far in the series…  Namely, “What is a day in the life of a CISO?” Mustapha and Allan get into details of what they do and don’t do, what their teams do and don’t do, what bits are boring, what bits are surprising, and what bits are the most fun. Join them as they talk about real situations and practical solutions while describing the very best and worst parts of the job.</p>
<p>Key Takeaways:</p>
<p>01:41 Bio</p>
<p>03:00 A day in the life of a CISO - examples from the last 3 weeks</p>
<p>07:30 Being a CISO in a company that knows its risk appetite</p>
<p>11:49 Product Security</p>
<p>13:53 The most surprising part about being a CISO</p>
<p>15:33 The most boring part</p>
<p>22:30 The most fun part</p>
<p>26:08 What do you wish you could do as a CISO?</p>
<p>29:42 Mustapha shares what surprises him the most in cyber security</p>
<p> </p>
<p>Links:</p>
<p>Learn more about Mustapha on <a href='https://www.linkedin.com/in/mustaphakebbeh/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Mustapha Kebbeh, CISO at Brinks and heavy-hitter in the Dallas/Fort Worth Cyber community, joins Allan again this week as they cover a topic Mustapha noted was absent so far in the series…  Namely, “What is a day in the life of a CISO?” Mustapha and Allan get into details of what they do and don’t do, what their teams do and don’t do, what bits are boring, what bits are surprising, and what bits are the most fun. Join them as they talk about real situations and practical solutions while describing the very best and worst parts of the job.</p>
<p>Key Takeaways:</p>
<p>01:41 Bio</p>
<p>03:00 A day in the life of a CISO - examples from the last 3 weeks</p>
<p>07:30 Being a CISO in a company that knows its risk appetite</p>
<p>11:49 Product Security</p>
<p>13:53 The most surprising part about being a CISO</p>
<p>15:33 The most boring part</p>
<p>22:30 The most fun part</p>
<p>26:08 What do you wish you could do as a CISO?</p>
<p>29:42 Mustapha shares what surprises him the most in cyber security</p>
<p> </p>
<p>Links:</p>
<p>Learn more about Mustapha on <a href='https://www.linkedin.com/in/mustaphakebbeh/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/4wsc86/Mustapha_Kebbehap5jw.mp3" length="77281184" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Mustapha Kebbeh, CISO at Brinks and heavy-hitter in the Dallas/Fort Worth Cyber community, joins Allan again this week as they cover a topic Mustapha noted was absent so far in the series…  Namely, “What is a day in the life of a CISO?” Mustapha and Allan get into details of what they do and don’t do, what their teams do and don’t do, what bits are boring, what bits are surprising, and what bits are the most fun. Join them as they talk about real situations and practical solutions while describing the very best and worst parts of the job.
Key Takeaways:
01:41 Bio
03:00 A day in the life of a CISO - examples from the last 3 weeks
07:30 Being a CISO in a company that knows its risk appetite
11:49 Product Security
13:53 The most surprising part about being a CISO
15:33 The most boring part
22:30 The most fun part
26:08 What do you wish you could do as a CISO?
29:42 Mustapha shares what surprises him the most in cyber security
 
Links:
Learn more about Mustapha on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1932</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>43</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Practical Trust-Centric Security w/ Omar Khawaja</title>
        <itunes:title>Practical Trust-Centric Security w/ Omar Khawaja</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/trust-centriic-security-w-omar-khawaja/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/trust-centriic-security-w-omar-khawaja/#comments</comments>        <pubDate>Wed, 27 Oct 2021 04:36:34 -0500</pubDate>
        <guid isPermaLink="false">thecyberranchpodcast.podbean.com/3bfc38ce-1041-3638-b5d8-9e5c0fbe4ccb</guid>
                                    <description><![CDATA[<p>Omar Khawaja is an experienced CISO with a strong technical background, who managed to find some very creative ways to manage his security program that go against his engineering instincts. Join Allan and Omar as they discuss why trust-based security is the more suitable option to have a fundamentally better security program and team.  Hear why Omar and Allan believe that investing in people will pay far more dividends than the latest tech tool.  And more importantly, gain some very practical and concrete tips for managing and measuring your security program.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:19 Bio</p>
<p>03:26 What is wrong with tech-centric security?</p>
<p>06:00 Using tech tools as nothing more, and using them appropriately</p>
<p>12:22 Trust, then risk, then control</p>
<p>14:30 Customer first, always</p>
<p>19:02 Helping foster a trust-centric culture</p>
<p>28:40 Culture = mindset = best measurable quality</p>
<p>29:33 What surprises Omar in cyber security?</p>
<p>32:50 The “change agent network”</p>
<p> </p>
<p>Links:</p>
<p>Learn more about Omar on <a href='https://twitter.com/smallersecurity'>Twitter</a> and <a href='https://www.linkedin.com/in/smallersecurity/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Omar Khawaja is an experienced CISO with a strong technical background, who managed to find some very creative ways to manage his security program that go against his engineering instincts. Join Allan and Omar as they discuss why trust-based security is the more suitable option to have a fundamentally better security program and team.  Hear why Omar and Allan believe that investing in people will pay far more dividends than the latest tech tool.  And more importantly, gain some very practical and concrete tips for managing and measuring your security program.</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:19 Bio</p>
<p>03:26 What is wrong with tech-centric security?</p>
<p>06:00 Using tech tools as nothing more, and using them appropriately</p>
<p>12:22 Trust, then risk, then control</p>
<p>14:30 Customer first, always</p>
<p>19:02 Helping foster a trust-centric culture</p>
<p>28:40 Culture = mindset = best measurable quality</p>
<p>29:33 What surprises Omar in cyber security?</p>
<p>32:50 The “change agent network”</p>
<p> </p>
<p>Links:</p>
<p>Learn more about Omar on <a href='https://twitter.com/smallersecurity'>Twitter</a> and <a href='https://www.linkedin.com/in/smallersecurity/'>LinkedIn</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/qc6sxj/omar.mp3" length="83090000" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Omar Khawaja is an experienced CISO with a strong technical background, who managed to find some very creative ways to manage his security program that go against his engineering instincts. Join Allan and Omar as they discuss why trust-based security is the more suitable option to have a fundamentally better security program and team.  Hear why Omar and Allan believe that investing in people will pay far more dividends than the latest tech tool.  And more importantly, gain some very practical and concrete tips for managing and measuring your security program.
 
Key Takeaways:
01:19                     Bio
03:26                     What is wrong with tech-centric security?
06:00                     Using tech tools as nothing more, and using them appropriately
12:22                     Trust, then risk, then control
14:30                     Customer first, always
19:02                     Helping foster a trust-centric culture
28:40                     Culture = mindset = best measurable quality
29:33                     What surprises Omar in cyber security?
32:50                     The “change agent network”
 
Links:
Learn more about Omar on Twitter and LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2077</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>42</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>CISO in the Supply Chain w/ Emilio Escobar</title>
        <itunes:title>CISO in the Supply Chain w/ Emilio Escobar</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/ciso-in-the-supply-chain-w-emilio-escobar/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/ciso-in-the-supply-chain-w-emilio-escobar/#comments</comments>        <pubDate>Wed, 20 Oct 2021 04:50:00 -0500</pubDate>
        <guid isPermaLink="false">e76508a0-4fb6-4250-ac9c-6a3c20893316</guid>
                                    <description><![CDATA[<p>Allan is joined this week by Emilio Escobar, CISO at Datadog and former VP of Information Security at Hulu. He is also a long-term developer of Ettercap, a comprehensive suite for man-in-the-middle attacks.</p>
<p>Like many of us, Emilio started his journey in infosec as a hacker kid, exploring the world through modems and BBSs. Emilio is not a security vendor CISO, but is a CISO for a company that is in the supply chain for many other companies. He has to balance internal and external duties as a result.</p>
<p>Come listen as Allan and Emilio discuss the B2B CISO life, the skills required, business alignment, facing customers, and how all of these skills just might define "the modern CISO".</p>
<p>And, yes, they even tackle the age-old question, "How technical should a CISO be?"</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:27 Bio</p>
<p>03:10 Security questionnaires and interactions</p>
<p>05:49 Is there a fix to solving vendor risk?</p>
<p>07:17 Utilizing machines for questionnaires</p>
<p>09:33 Leveraging skills</p>
<p>12:50 How technical should a CISO be?</p>
<p>18:01 Understanding other roles in the business</p>
<p>23:48 Balancing internal and external customers</p>
<p>28:17 What surprises you the most in cybersecurity?</p>
<p> </p>
<p>Links:</p>
<p>Learn more about Emilio on <a href='https://www.linkedin.com/in/emilioesc/'>LinkedIn</a>, and <a href='https://twitter.com/eaescob'>Twitter</a>, and learn about <a href='https://www.ettercap-project.org/'>Ettercap</a></p>
<p>Follow <a href='https://allanalford.com'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan is joined this week by Emilio Escobar, CISO at Datadog and former VP of Information Security at Hulu. He is also a long-term developer of Ettercap, a comprehensive suite for man-in-the-middle attacks.</p>
<p>Like many of us, Emilio started his journey in infosec as a hacker kid, exploring the world through modems and BBSs. Emilio is not a security vendor CISO, but is a CISO for a company that is in the supply chain for many other companies. He has to balance internal and external duties as a result.</p>
<p>Come listen as Allan and Emilio discuss the B2B CISO life, the skills required, business alignment, facing customers, and how all of these skills just might define "the modern CISO".</p>
<p>And, yes, they even tackle the age-old question, "How technical should a CISO be?"</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:27 Bio</p>
<p>03:10 Security questionnaires and interactions</p>
<p>05:49 Is there a fix to solving vendor risk?</p>
<p>07:17 Utilizing machines for questionnaires</p>
<p>09:33 Leveraging skills</p>
<p>12:50 How technical should a CISO be?</p>
<p>18:01 Understanding other roles in the business</p>
<p>23:48 Balancing internal and external customers</p>
<p>28:17 What surprises you the most in cybersecurity?</p>
<p> </p>
<p>Links:</p>
<p>Learn more about Emilio on <a href='https://www.linkedin.com/in/emilioesc/'>LinkedIn</a>, and <a href='https://twitter.com/eaescob'>Twitter</a>, and learn about <a href='https://www.ettercap-project.org/'>Ettercap</a></p>
<p>Follow <a href='https://allanalford.com'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/dj0bxa/the-cyber-ranch-podcast_e76508a0-4fb6-4250-ac9c-6a3c20893316.mp3" length="73994672" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan is joined this week by Emilio Escobar, CISO at Datadog and former VP of Information Security at Hulu. He is also a long-term developer of Ettercap, a comprehensive suite for man-in-the-middle attacks.
Like many of us, Emilio started his journey in infosec as a hacker kid, exploring the world through modems and BBSs. Emilio is not a security vendor CISO, but is a CISO for a company that is in the supply chain for many other companies. He has to balance internal and external duties as a result.
Come listen as Allan and Emilio discuss the B2B CISO life, the skills required, business alignment, facing customers, and how all of these skills just might define "the modern CISO".
And, yes, they even tackle the age-old question, "How technical should a CISO be?"
 
Key Takeaways:
01:27 Bio
03:10 Security questionnaires and interactions
05:49 Is there a fix to solving vendor risk?
07:17 Utilizing machines for questionnaires
09:33 Leveraging skills
12:50 How technical should a CISO be?
18:01 Understanding other roles in the business
23:48 Balancing internal and external customers
28:17 What surprises you the most in cybersecurity?
 
Links:
Learn more about Emilio on LinkedIn, and Twitter, and learn about Ettercap
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1849</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>41</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Is Resilience Even the Goal? Antifragility w/ Sounil Yu</title>
        <itunes:title>Is Resilience Even the Goal? Antifragility w/ Sounil Yu</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/is-resilience-even-the-goal-antifragility-w-sounil-yu/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/is-resilience-even-the-goal-antifragility-w-sounil-yu/#comments</comments>        <pubDate>Thu, 14 Oct 2021 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">27fcd867-68aa-40ee-a053-c576b1c480ff</guid>
                                    <description><![CDATA[<p>Allan is joined by Sounil Yu, one of cybersecurity's most well-known contributors. Sounil has a long history in cybersecurity, and is also the inventor of The Cyber Defense Matrix and the DIE Triad.</p>
<p>Sounil and Allan discuss cyber resilience and contrast it with "antifragility", a notion introduced by Nassim Nicholas Taleb. Sounil argues that in cybersecurity, antifragility should be the goal, and not resilience.</p>
<p>Antifragility allows for stronger data protection: an antifragile system does not just survive stresses and attacks, it actually gets stronger from them. Sounil explains how antifragility also neatly dovetails with his DIE (Distributed, Immutable, Ephemeral) Triad of data protection, which he contrasts with the CIA (Confidentiality, Integrity, Availability) Triad in the context of the "pets vs. cattle" model.</p>
<p>Join Allan as he learns a great deal in a short amount of time from Sounil...</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:23 Bio</p>
<p>02:20 Cyber Defense Matrix</p>
<p>03:10 Is cyber resilience the wrong idea?</p>
<p>04:17 Backups do not equal resilience</p>
<p>05:58 What is antifragility?</p>
<p>09:31 The DIE Triad</p>
<p>14:32 Pets vs. Cattle</p>
<p>18:12 Practical implementation?</p>
<p>20:40 Focusing on recovery</p>
<p>24:28 The Barbell Strategy</p>
<p>27:58 What surprises you in cyber security?</p>
<p>
Links:</p>
<p>Learn more about Sounil on <a href='https://www.linkedin.com/in/sounil/'>LinkedIn</a>, and <a href='https://twitter.com/sounilyu'>Twitter</a>, and learn about the <a href='https://cyberdefensematrix.com/'>Cyber Defense Matrix</a></p>
<p>Follow <a href='https://allanalford.com'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan is joined by Sounil Yu, one of cybersecurity's most well-known contributors. Sounil has a long history in cybersecurity, and is also the inventor of The Cyber Defense Matrix and the DIE Triad.</p>
<p>Sounil and Allan discuss cyber resilience and contrast it with "antifragility", a notion introduced by Nassim Nicholas Taleb. Sounil argues that in cybersecurity, antifragility should be the goal, and not resilience.</p>
<p>Antifragility allows for stronger data protection: an antifragile system does not just survive stresses and attacks, it actually gets stronger from them. Sounil explains how antifragility also neatly dovetails with his DIE (Distributed, Immutable, Ephemeral) Triad of data protection, which he contrasts with the CIA (Confidentiality, Integrity, Availability) Triad in the context of the "pets vs. cattle" model.</p>
<p>Join Allan as he learns a great deal in a short amount of time from Sounil...</p>
<p> </p>
<p>Key Takeaways:</p>
<p>01:23 Bio</p>
<p>02:20 Cyber Defense Matrix</p>
<p>03:10 Is cyber resilience the wrong idea?</p>
<p>04:17 Backups do not equal resilience</p>
<p>05:58 What is antifragility?</p>
<p>09:31 The DIE Triad</p>
<p>14:32 Pets vs. Cattle</p>
<p>18:12 Practical implementation?</p>
<p>20:40 Focusing on recovery</p>
<p>24:28 The Barbell Strategy</p>
<p>27:58 What surprises you in cyber security?</p>
<p><br>
Links:</p>
<p>Learn more about Sounil on <a href='https://www.linkedin.com/in/sounil/'>LinkedIn</a>, and <a href='https://twitter.com/sounilyu'>Twitter</a>, and learn about the <a href='https://cyberdefensematrix.com/'>Cyber Defense Matrix</a></p>
<p>Follow <a href='https://allanalford.com'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a></p>
<p>Learn more about <a href='https://hackervalley.com'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/8rple2/the-cyber-ranch-podcast_27fcd867-68aa-40ee-a053-c576b1c480ff.mp3" length="74295344" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan is joined by Sounil Yu, one of cybersecurity's most well-known contributors. Sounil has a long history in cybersecurity, and is also the inventor of The Cyber Defense Matrix and the DIE Triad.
Sounil and Allan discuss cyber resilience and contrast it with "antifragility", a notion introduced by Nassim Nicholas Taleb. Sounil argues that in cybersecurity, antifragility should be the goal, and not resilience.
Antifragility allows for stronger data protection: an antifragile system does not just survive stresses and attacks, it actually gets stronger from them. Sounil explains how antifragility also neatly dovetails with his DIE (Distributed, Immutable, Ephemeral) Triad of data protection, which he contrasts with the CIA (Confidentiality, Integrity, Availability) Triad in the context of the "pets vs. cattle" model.
Join Allan as he learns a great deal in a short amount of time from Sounil...
 
Key Takeaways:
01:23 Bio
02:20 Cyber Defense Matrix
03:10 Is cyber resilience the wrong idea?
04:17 Backups do not equal resilience
05:58 What is antifragility?
09:31 The DIE Triad
14:32 Pets vs. Cattle
18:12 Practical implementation?
20:40 Focusing on recovery
24:28 The Barbell Strategy
27:58 What surprises you in cyber security?
Links:
Learn more about Sounil on LinkedIn, and Twitter, and learn about the Cyber Defense Matrix
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1857</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>40</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Is the SOC Dead? w/ Erik Bloch</title>
        <itunes:title>Is the SOC Dead? w/ Erik Bloch</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/is-the-soc-dead-w-erik-bloch/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/is-the-soc-dead-w-erik-bloch/#comments</comments>        <pubDate>Thu, 07 Oct 2021 05:15:00 -0500</pubDate>
        <guid isPermaLink="false">73d9ecfe-9c07-45ed-bac4-67892c11283b</guid>
                                    <description><![CDATA[<p>Allan's guest this week is Erik Bloch. Erik Bloch is a cyber security leader, influencer, and pioneer. He currently sits as Senior Director of Detection and Response at Sprinklr, but has held many roles in cybersecurity, including being a product manager for SIEM products more than once. 

This last point is relevant, because it makes it even more surprising that Erik is convinced that the SOC's utility has passed... 

Join Allan and Erik as they dive deep into why he thinks SOC is failing, the alternatives, what it takes to make an impactful change in incident response, and who to aim it towards. 

This conversation began when Allan read Erik's article on LinkedIn, “RIP SOC. Hello D-IR". 

Key Takeaways: 

01:16 Bio 
02:18 Erik’s article: why is SOC failing? 
05:01 What is the alternative? 
07:29 Implementing fundamentals where it counts 
10:15 Cloud Integration 
17:45 Cloud agnostic tooling solution 
23:27 The inevitability of a one-stop solution 
27:20 Targeting the right audience 
28:17 What surprises Erik in cyber security? 
30:24 Letting go is not easy 

Links: 

Learn more about Erik on <a href='https://www.linkedin.com/in/erikbloch/'>LinkedIn</a>, and <a href='https://twitter.com/ejbloch'>Twitter</a>, and read his <a href='https://www.linkedin.com/pulse/rip-soc-hello-d-ir-erik-bloch/'>LinkedIn article</a>
Follow <a href='https://allanalford.com'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>
Learn more about <a href='https://hackervalley.com'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>
Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan's guest this week is Erik Bloch. Erik Bloch is a cyber security leader, influencer, and pioneer. He currently sits as Senior Director of Detection and Response at Sprinklr, but has held many roles in cybersecurity, including being a product manager for SIEM products more than once. <br>
<br>
This last point is relevant, because it makes it even more surprising that Erik is convinced that the SOC's utility has passed... <br>
<br>
Join Allan and Erik as they dive deep into why he thinks SOC is failing, the alternatives, what it takes to make an impactful change in incident response, and who to aim it towards. <br>
<br>
This conversation began when Allan read Erik's article on LinkedIn, “RIP SOC. Hello D-IR". <br>
<br>
Key Takeaways: <br>
<br>
01:16 Bio <br>
02:18 Erik’s article: why is SOC failing? <br>
05:01 What is the alternative? <br>
07:29 Implementing fundamentals where it counts <br>
10:15 Cloud Integration <br>
17:45 Cloud agnostic tooling solution <br>
23:27 The inevitability of a one-stop solution <br>
27:20 Targeting the right audience <br>
28:17 What surprises Erik in cyber security? <br>
30:24 Letting go is not easy <br>
<br>
Links: <br>
<br>
Learn more about Erik on <a href='https://www.linkedin.com/in/erikbloch/'>LinkedIn</a>, and <a href='https://twitter.com/ejbloch'>Twitter</a>, and read his <a href='https://www.linkedin.com/pulse/rip-soc-hello-d-ir-erik-bloch/'>LinkedIn article</a><br>
Follow <a href='https://allanalford.com'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>
Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a><br>
Learn more about <a href='https://hackervalley.com'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>
Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/p8f1rb/the-cyber-ranch-podcast_73d9ecfe-9c07-45ed-bac4-67892c11283b.mp3" length="75358136" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan's guest this week is Erik Bloch. Erik Bloch is a cyber security leader, influencer, and pioneer. He currently sits as Senior Director of Detection and Response at Sprinklr, but has held many roles in cybersecurity, including being a product manager for SIEM products more than once.
 
This last point is relevant, because it makes it even more surprising that Erik is convinced that the SOC's utility has passed...
 
Join Allan and Erik as they dive deep into why he thinks SOC is failing, the alternatives, what it takes to make an impactful change in incident response, and who to aim it towards.
 
This conversation began when Allan read Erik's article on LinkedIn, “RIP SOC. Hello D-IR".
 
Key Takeaways:
01:16 Bio
02:18 Erik’s article: why is SOC failing?
05:01 What is the alternative?
07:29 Implementing fundamentals where it counts
10:15 Cloud Integration
17:45 Cloud agnostic tooling solution
23:27 The inevitability of a one-stop solution
27:20 Targeting the right audience
28:17 What surprises Erik in cyber security?
30:24 Letting go is not easy
 
Links:
Learn more about Erik on LinkedIn, and Twitter, and read his LinkedIn article
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1883</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>39</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>The Value of Threat Intelligence w/ Samara Williams</title>
        <itunes:title>The Value of Threat Intelligence w/ Samara Williams</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-value-of-threat-intelligence-w-samara-williams/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-value-of-threat-intelligence-w-samara-williams/#comments</comments>        <pubDate>Wed, 29 Sep 2021 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">94461980-a4ce-46cc-ad3a-e87b5f53778b</guid>
                                    <description><![CDATA[Allan's guest is Samara Williams, Manager of Threat Operations at Cardinal Health, speaker, advocate and passionate member of the threat intelligence community.

Samara broke into cyber via a rotational program, sampling many cyber jobs at many cyber companies in short order - a fantastic start in cyber that turbocharged her maturity and experience.  She quickly developed a passion for threat intelligence, and has worked in that space ever since.

Join Samara and Allan for a deep dive into threat intel, its pros and cons, its value, and its potential...

Key Takeaways:

01:28 Bio
02:56 The love/hate relationship with threat intel: yay or nay?
06:07 The steps to threat intel – breaking it down
15:14 How threat intel can help bridge tactical & operational practices
19:57 Having a successful SOC program
22:18 Managing the unknown and practicing the fundamentals
26:17 Making a case for prioritizing threat intel
27:55 What surprises Samara in cyber security?

Links:

Learn more about Samara on <a href='https://www.linkedin.com/in/samara-r-williams-%F0%9F%94%B8%EF%B8%8F-9aa24247/'>LinkedIn</a>, and check out her <a href='https://www.ted.com/talks/samara_williams_k33p_y0ur_hit_s_fe'>TEDx talk</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>
Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>
Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></description>
                                                            <content:encoded><![CDATA[Allan's guest is Samara Williams, Manager of Threat Operations at Cardinal Health, speaker, advocate and passionate member of the threat intelligence community.
<br>
<br>

Samara broke into cyber via a rotational program, sampling many cyber jobs at many cyber companies in a short order - a fantastic start in cyber that turbocharged her maturity and experience.  She quickly developed a passion for threat intelligence, and has worked in that space ever since.
<br>
<br>

Join Samara and Allan for a deep dive into threat intel, its pros and cons, its value, and its potential...
<br>
<br>

Key Takeaways:
<br>
<br>

01:28 Bio
<br>

02:56 The love/hate relationship with threat intel: yay or nay?
<br>

06:07 The steps to threat intel – breaking it down
<br>

15:14 How threat intel can help bridge tactical & operational Practices
<br>

19:57 Having a successful SOC program
<br>

22:18 Managing the unknown and practicing the fundamentals
<br>

26:17 Making a case for prioritizing threat intel
<br>

27:55 What surprises Samara in cyber security?
<br>
<br>

Links:
<br>
<br>

Learn more about Samara on <a href='https://www.linkedin.com/in/samara-r-williams-%F0%9F%94%B8%EF%B8%8F-9aa24247/'>LinkedIn</a>, and check out her <a href='https://www.ted.com/talks/samara_williams_k33p_y0ur_hit_s_fe'>TEDx talk</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/7ipx6s/the-cyber-ranch-podcast_94461980-a4ce-46cc-ad3a-e87b5f53778b.mp3" length="74748440" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan's guest is Samara Williams, Manager of Threat Operations at Cardinal Health, speaker, advocate and passionate member of the threat intelligence community.

Samara broke into cyber via a rotational program, sampling many cyber jobs at many cyber companies in a short order - a fantastic start in cyber that turbocharged her maturity and experience.  She quickly developed a passion for threat intelligence, and has worked in that space ever since.

Join Samara and Allan for a deep dive into threat intel, its pros and cons, its value, and its potential...

Key Takeaways:

01:28 Bio

02:56 The love/hate relationship with threat intel: yay or nay?

06:07 The steps to threat intel – breaking it down

15:14 How threat intel can help bridge tactical & operational Practices

19:57 Having a successful SOC program

22:18 Managing the unknown and practicing the fundamentals

26:17 Making a case for prioritizing threat intel

27:55 What surprises Samara in cyber security?

Links:

Learn more about Samara on LinkedIn, and check out her TEDx talk
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1868</itunes:duration>
                <itunes:episode>38</itunes:episode>
                    </item>
    <item>
        <title>Practical Realities of Ransomware Management w/ Bryan Hurd</title>
        <itunes:title>Practical Realities of Ransomware Management w/ Bryan Hurd</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/practical-realities-of-ransomware-management-w-bryan-hurd/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/practical-realities-of-ransomware-management-w-bryan-hurd/#comments</comments>        <pubDate>Wed, 22 Sep 2021 07:50:00 -0500</pubDate>
        <guid isPermaLink="false">066511af-9bcc-480f-b121-7d8a6aaa80ef</guid>
                                    <description><![CDATA[This week, Allan is joined by Bryan Hurd. Bryan is a multi-talented cyber security professional who has founded and operated programs dating back to the early nineties. Currently Chief of Office for Stroz Friedberg (AON Cyber), he started his career in NCIS, founding the Navy’s first ever cyber counterintelligence program in 1993.

Join Bryan and Allan for a masterclass on ransomware, incident response, and preparedness.  Having both consulted on ransomware situations many times, they offer a wealth of practical tips, do’s, don’ts, and gotchas.  You can also hear their perspectives on the roles and processes in taking appropriate action when crisis hits.

This is a longer than usual episode, but that is because it is filled with practical advice based on a great deal of experience.

Key Takeaways:

01:20 Bio
02:58 Is ransomware still the #1 threat to an organization?
07:30 Having your incident response team ready and prepared
12:16 The roles, processes, and fundamentals of incident response
22:57 Modern ransomware extortion components
25:01 Encryption & decryption – dealing with both strategically
27:10 Using software provided by attackers
30:18 Response as an executive – being transparent
35:02 Public communications
38:41 What surprises Bryan in cyber security?

Links:

Learn more about Bryan on <a href='https://www.linkedin.com/in/bryanhurd/'>LinkedIn</a> and on <a href='https://twitter.com/bryan_e_hurd'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>
Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>
Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></description>
                                                            <content:encoded><![CDATA[This week, Allan is joined by Bryan Hurd. Bryan is a multi-talented cyber security professional who has founded and operated programs dating back to the early nineties. Currently Chief of Office for Stroz Friedberg (AON Cyber), he started his career in NCIS, founding the Navy’s first ever cyber counterintelligence program in 1993.
<br>
<br>

Join Bryan and Allan for a masterclass on ransomware, incident response, and preparedness.  Having both consulted on ransomware situations many times, they offer a wealth of practical tips, do’s, don’ts, and gotchas.  You can also hear their perspectives on the roles and processes in taking appropriate action when crisis hits.
<br>
<br>

This is a longer than usual episode, but that is because it is filled with practical advice based on a great deal of experience.
<br>
<br>

Key Takeaways:
<br>
<br>

01:20 Bio
<br>

02:58 Is ransomware still the #1 threat to an organization?
<br>

07:30 Having your incident response team ready and prepared
<br>

12:16 The roles, processes, and fundamentals of incident response
<br>

22:57 Modern ransomware extortion components
<br>

25:01 Encryption & decryption – dealing with both strategically
<br>

27:10 Using software provided by attackers
<br>

30:18 Response as an executive – being transparent
<br>

35:02 Public communications
<br>

38:41 What surprises Bryan in cyber security?
<br>
<br>

Links:
<br>
<br>

Learn more about Bryan on <a href='https://www.linkedin.com/in/bryanhurd/'>LinkedIn</a> and on <a href='https://twitter.com/bryan_e_hurd'>Twitter</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/xpsie6/the-cyber-ranch-podcast_066511af-9bcc-480f-b121-7d8a6aaa80ef.mp3" length="99282440" type="audio/mpeg"/>
        <itunes:summary><![CDATA[This week, Allan is joined by Bryan Hurd. Bryan is a multi-talented cyber security professional who has founded and operated programs dating back to the early nineties. Currently Chief of Office for Stroz Friedberg (AON Cyber), he started his career in NCIS, founding the Navy’s first ever cyber counterintelligence program in 1993.

Join Bryan and Allan for a masterclass on ransomware, incident response, and preparedness.  Having both consulted on ransomware situations many times, they offer a wealth of practical tips, do’s, don’ts, and gotchas.  You can also hear their perspectives on the roles and processes in taking appropriate action when crisis hits.

This is a longer than usual episode, but that is because it is filled with practical advice based on a great deal of experience.

Key Takeaways:

01:20 Bio

02:58 Is ransomware still the #1 threat to an organization?

07:30 Having your incident response team ready and prepared

12:16 The roles, processes, and fundamentals of incident response

22:57 Modern ransomware extortion components

25:01 Encryption & decryption – dealing with both strategically

27:10 Using software provided by attackers

30:18 Response as an executive – being transparent

35:02 Public communications

38:41 What surprises Bryan in cyber security?

Links:

Learn more about Bryan on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2482</itunes:duration>
                <itunes:episode>37</itunes:episode>
                    </item>
    <item>
        <title>WHY We Measure Risk w/ Sameer Sait</title>
        <itunes:title>WHY We Measure Risk w/ Sameer Sait</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/why-we-measure-risk-w-sameer-sait/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/why-we-measure-risk-w-sameer-sait/#comments</comments>        <pubDate>Wed, 15 Sep 2021 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">bdba5e48-a7b0-4f3e-ac2e-14dda3feb57a</guid>
                                    <description><![CDATA[In this episode Allan interviews his friend Sameer Sait, former CISO at Amazon, Forcepoint and Arrow Electronics, who joins Allan for a discussion about WHY we measure risk.



It is about more than just asking for money.  (And who are you actually asking money from?  Hint: It is not the Board).



How does risk measurement change in the beginning of the CISO’s journey vs. later when the program is more mature?



What is the goal of good risk metrics? What is the role of cyber insurance in all this? What about business traction and cooperation with other departments’ goals and objectives?



And finally, how does measuring risk affect the disposition of risk?



Key Takeaways:



01:20 Sameer's bio


02:30 Asking for money - it's not from the Board


05:58 Measuring risk: inside-out vs. outside-in


11:20 Approaching management with an objective, not a story


12:38 Working with your team, as a team


14:12 The effects of measuring risk


18:36 Analyzing the priorities and their consequences


24:36 Good governance vs. good management


26:22 Transference, remediation, and acceptance


30:57 What surprises Sameer in cybersecurity?



Links:



Learn more about Sameer on <a href='https://www.linkedin.com/in/sameersait/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></description>
                                                            <content:encoded><![CDATA[In this episode Allan interviews his friend Sameer Sait, former CISO at Amazon, Forcepoint and Arrow Electronics, who joins Allan for a discussion about WHY we measure risk.
<br>
<br>

It is about more than just asking for money.  (And who are you actually asking money from?  Hint: It is not the Board).
<br>
<br>

How does risk measurement change in the beginning of the CISO’s journey vs. later when the program is more mature?
<br>
<br>

What is the goal of good risk metrics? What is the role of cyber insurance in all this? What about business traction and cooperation with other departments’ goals and objectives?
<br>
<br>

And finally, how does measuring risk affect the disposition of risk?
<br>
<br>

Key Takeaways:
<br>
<br>

01:20 Sameer's bio
<br>

02:30 Asking for money - it's not from the Board
<br>

05:58 Measuring risk: inside-out vs. outside-in
<br>

11:20 Approaching management with an objective, not a story
<br>

12:38 Working with your team, as a team
<br>

14:12 The effects of measuring risk
<br>

18:36 Analyzing the priorities and their consequences
<br>

24:36 Good governance vs. good management
<br>

26:22 Transference, remediation, and acceptance
<br>

30:57 What surprises Sameer in cybersecurity?
<br>
<br>

Links:
<br>
<br>

Learn more about Sameer on <a href='https://www.linkedin.com/in/sameersait/'>LinkedIn</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/00adzm/the-cyber-ranch-podcast_bdba5e48-a7b0-4f3e-ac2e-14dda3feb57a.mp3" length="80183504" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode Allan interviews his friend Sameer Sait, former CISO at Amazon, Forcepoint and Arrow Electronics, who joins Allan for a discussion about WHY we measure risk.

It is about more than just asking for money.  (And who are you actually asking money from?  Hint: It is not the Board).

How does risk measurement change in the beginning of the CISO’s journey vs. later when the program is more mature?

What is the goal of good risk metrics? What is the role of cyber insurance in all this? What about business traction and cooperation with other departments’ goals and objectives?

And finally, how does measuring risk affect the disposition of risk?

Key Takeaways:

01:20 Sameer's bio

02:30 Asking for money - it's not from the Board

05:58 Measuring risk: inside-out vs. outside-in

11:20 Approaching management with an objective, not a story

12:38 Working with your team, as a team

14:12 The effects of measuring risk

18:36 Analyzing the priorities and their consequences

24:36 Good governance vs. good management

26:22 Transference, remediation, and acceptance

30:57 What surprises Sameer in cybersecurity?

Links:

Learn more about Sameer on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>2004</itunes:duration>
                <itunes:episode>36</itunes:episode>
                    </item>
    <item>
        <title>What Comes After the CISO Role? w/ Helen Patton</title>
        <itunes:title>What Comes After the CISO Role? w/ Helen Patton</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/what-comes-after-the-ciso-role-w-helen-patton/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/what-comes-after-the-ciso-role-w-helen-patton/#comments</comments>        <pubDate>Wed, 08 Sep 2021 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">734933e7-6713-49b1-b7e0-1ee8bc042d6b</guid>
                                    <description><![CDATA[Host Allan Alford interviews his friend Helen Patton, advisory CISO at Cisco, and former CISO at Ohio State University. Helen and Allan discuss the career path of the CISO – specifically what comes after the CISO role has been fulfilled - and how there is not a clear path defined for the post-CISO career.



Allan and Helen discuss several models for post-CISO life that they themselves have explored, and that other CISO friends have as well, such as: shifting back and forth from CISO to vendor, shifting back and forth between CISO and advisory CISO roles at VCs and other entities, becoming CIOs or CTOs, etc.



Helen explains how there is no clearly defined path for a post-CISO life, how no mentors are available to aid with that transition, but also how CISOs can decide to simply change their roles as a CISO. She explains a little bit more about her advisory CISO life and the internal and emotional differences between it and a conventional practitioner CISO role.



Key Takeaways:



0:26 – Intro


1:12 – Helen briefly explains her background in cyber and her day job.


2:55 – Helen explains what the post-CISO life is.


5:54 – What are Helen’s thoughts on the different roles of CISOs?


9:21 – How many people are changing from CISO to a consultancy role?


11:04 – Has Helen seen anyone making such transitions and being successful over time?


12:48 – Hypothetically, what would happen if there were a major technology shift but a CISO wasn’t there to supervise it, due to being in a non-practitioner role at the time? Would she be missing out on critical CISO skills?


15:12 – Helen explains a little bit more about her advisory CISO life.


18:07 – What happens when Helen gets approached by startups who want feedback? Does she see them as competition? Are they up for having conversations with her?


20:47 – Can a CISO become a CEO?


22:37 – Who should the CISO be reporting to and why?


25:34 – What other post-CISO activities are there for CISOs that may not be a full-time role, such as boards, teaching, writing, speaking?


28:32 – What surprises Helen the most in cyber security?



Links:



Learn more about <a href='https://www.cisohelen.com/'>Helen</a> on <a href='https://www.linkedin.com/in/helenpatton/'>LinkedIn</a> and <a href='https://twitter.com/cisohelen'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></description>
                                                            <content:encoded><![CDATA[Host Allan Alford interviews his friend Helen Patton, advisory CISO at Cisco, and former CISO at Ohio State University. Helen and Allan discuss the career path of the CISO – specifically what comes after the CISO role has been fulfilled - and how there is not a clear path defined for the post-CISO career.
<br>
<br>

Allan and Helen discuss several models for post-CISO life that they themselves have explored, and that other CISO friends have as well, such as: shifting back and forth from CISO to vendor, shifting back and forth between CISO and advisory CISO roles at VCs and other entities, becoming CIOs or CTOs, etc.
<br>
<br>

Helen explains how there is no clearly defined path for a post-CISO life, how no mentors are available to aid with that transition, but also how CISOs can decide to simply change their roles as a CISO. She explains a little bit more about her advisory CISO life and the internal and emotional differences between it and a conventional practitioner CISO role.
<br>
<br>

Key Takeaways:
<br>
<br>

0:26 – Intro
<br>

1:12 – Helen briefly explains her background in cyber and her day job.
<br>

2:55 – Helen explains what the post-CISO life is.
<br>

5:54 – What are Helen’s thoughts on the different roles of CISOs?
<br>

9:21 – How many people are changing from CISO to a consultancy role?
<br>

11:04 – Has Helen seen anyone making such transitions and being successful over time?
<br>

12:48 – Hypothetically, what would happen if there were a major technology shift but a CISO wasn’t there to supervise it, due to being in a non-practitioner role at the time? Would she be missing out on critical CISO skills?
<br>

15:12 – Helen explains a little bit more about her advisory CISO life.
<br>

18:07 – What happens when Helen gets approached by startups who want feedback? Does she see them as competition? Are they up for having conversations with her?
<br>

20:47 – Can a CISO become a CEO?
<br>

22:37 – Who should the CISO be reporting to and why?
<br>

25:34 – What other post-CISO activities are there for CISOs that may not be a full-time role, such as boards, teaching, writing, speaking?
<br>

28:32 – What surprises Helen the most in cyber security?
<br>
<br>

Links:
<br>
<br>

Learn more about <a href='https://www.cisohelen.com/'>Helen</a> on <a href='https://www.linkedin.com/in/helenpatton/'>LinkedIn</a> and <a href='https://twitter.com/cisohelen'>Twitter</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/x0q2to/the-cyber-ranch-podcast_734933e7-6713-49b1-b7e0-1ee8bc042d6b.mp3" length="72994520" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Host Allan Alford interviews his friend Helen Patton, advisory CISO at Cisco, and former CISO at Ohio State University. Helen and Allan discuss the career path of the CISO – specifically what comes after the CISO role has been fulfilled - and how there is not a clear path defined for the post-CISO career.

Allan and Helen discuss several models for post-CISO life that they themselves have explored, and that other CISO friends have as well, such as: shifting back and forth from CISO to vendor, shifting back and forth between CISO and advisory CISO roles at VCs and other entities, becoming CIOs or CTOs, etc.

Helen explains how there is no clearly defined path for a post-CISO life, how no mentors are available to aid with that transition, but also how CISOs can decide to simply change their roles as a CISO. She explains a little bit more about her advisory CISO life and the internal and emotional differences between it and a conventional practitioner CISO role.

Key Takeaways:

0:26 – Intro

1:12 – Helen briefly explains her background in cyber and her day job.

2:55 – Helen explains what the post-CISO life is.

5:54 – What are Helen’s thoughts on the different roles of CISOs?

9:21 – How many people are changing from CISO to a consultancy role?

11:04 – Has Helen seen anyone making such transitions and being successful over time?

12:48 – Hypothetically, what would happen if there were a major technology shift but a CISO wasn’t there to supervise it, due to being in a non-practitioner role at the time? Would she be missing out on critical CISO skills?

15:12 – Helen explains a little bit more about her advisory CISO life.

18:07 – What happens when Helen gets approached by startups who want feedback? Does she see them as competition? Are they up for having conversations with her?

20:47 – Can a CISO become a CEO?

22:37 – Who should the CISO be reporting to and why?

25:34 – What other post-CISO activities are there for CISOs that may not be a full-time role, such as boards, teaching, writing, speaking?

28:32 – What surprises Helen the most in cyber security?

Links:

Learn more about Helen on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1824</itunes:duration>
                <itunes:episode>35</itunes:episode>
                    </item>
    <item>
        <title>Humans Are Not the Weakest Link in Cybersecurity w/ George Finney</title>
        <itunes:title>Humans Are Not the Weakest Link in Cybersecurity w/ George Finney</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/humans-are-not-the-weakest-link-in-cybersecurity-w-george-finney/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/humans-are-not-the-weakest-link-in-cybersecurity-w-george-finney/#comments</comments>        <pubDate>Wed, 01 Sep 2021 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">495ac5aa-f3b8-4b1d-a668-ffc846748f46</guid>
                                    <description><![CDATA[<p>Allan is joined by George Finney, CSO at Southern Methodist University and author of the book Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. </p>
<p>
George’s mission is clear: unite the cybersecurity community through proven strategy, and help preserve and leverage the humanity within cybersecurity. </p>
<p>
He believes that the community as a whole underplays the human role, and he and Allan discuss potential changes to the way we view security awareness training and the role of users in general. </p>
<p>
Key Takeaways: </p>
<p>
00:18 Intro/Bio </p>
<p>01:25 George’s story </p>
<p>04:27 Humans are not the weakest link in cybersecurity </p>
<p>07:17 How habits affect security awareness </p>
<p>08:30 The 9 habits and forming your cybersecurity personality </p>
<p>14:05 How secret keepers build a community </p>
<p>17:30 Potential improvements to security awareness training </p>
<p>22:22 The origin of the nine habits </p>
<p>26:50 What surprises George about cybersecurity still? </p>
<p>
Links: </p>
<p>
Learn more about George on <a href='https://www.linkedin.com/in/georgefinney/'>LinkedIn</a> and on <a href='https://twitter.com/WellAwareSecure'>Twitter</a> and <a href='https://www.amazon.com/Well-Aware-Master-Cybersecurity-Protect/dp/1626347352'>buy his book!</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a></p>
]]></description>
                                                            <content:encoded><![CDATA[<p>Allan is joined by George Finney, CSO at Southern Methodist University and author of the book <em>Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future</em>. </p>
<p><br>
George’s mission is clear: unite the cybersecurity community through proven strategy, and help preserve and leverage the humanity within cybersecurity. </p>
<p><br>
He believes that the community as a whole underplays the human role, and he and Allan discuss potential changes to the way we view security awareness training and the role of users in general. </p>
<p><br>
Key Takeaways: </p>
<p><br>
00:18 Intro/Bio </p>
<p>01:25 George’s story </p>
<p>04:27 Humans are not the weakest link in cybersecurity </p>
<p>07:17 How habits affect security awareness </p>
<p>08:30 The 9 habits and forming your cybersecurity personality </p>
<p>14:05 How secret keepers build a community </p>
<p>17:30 Potential improvements to security awareness training </p>
<p>22:22 The origin of the nine habits </p>
<p>26:50 What surprises George about cybersecurity still? </p>
<p><br>
Links: </p>
<p><br>
Learn more about George on <a href='https://www.linkedin.com/in/georgefinney/'>LinkedIn</a> and on <a href='https://twitter.com/WellAwareSecure'>Twitter</a> and <a href='https://www.amazon.com/Well-Aware-Master-Cybersecurity-Protect/dp/1626347352'>buy his book!</a></p>
<p>Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a></p>
<p>Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a></p>
<p>Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a></p>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/ipsnib/the-cyber-ranch-podcast_495ac5aa-f3b8-4b1d-a668-ffc846748f46.mp3" length="68281904" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Allan is joined by George Finney, CSO at Southern Methodist University and author of the book Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. 
George’s mission is clear: unite the cybersecurity community through proven strategy, and help preserve and leverage the humanity within cybersecurity. 
He believes that the community as a whole underplays the human role, and he and Allan discuss potential changes to the way we view security awareness training and the role of users in general. 
Key Takeaways: 
00:18 Intro/Bio 
01:25 George’s story 
04:27 Humans are not the weakest link in cybersecurity 
07:17 How habits affect security awareness 
08:30 The 9 habits and forming your cybersecurity personality 
14:05 How secret keepers build a community 
17:30 Potential improvements to security awareness training 
22:22 The origin of the nine habits 
26:50 What surprises George about cybersecurity still? 
Links: 
Learn more about George on LinkedIn and on Twitter and buy his book!
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1707</itunes:duration>
        <itunes:season>1</itunes:season>
        <itunes:episode>34</itunes:episode>
        <itunes:episodeType>full</itunes:episodeType>
            </item>
    <item>
        <title>Does SOAR Meet Its Promises? w/ Benjamin Corll</title>
        <itunes:title>Does SOAR Meet Its Promises? w/ Benjamin Corll</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/does-soar-meet-its-promises-w-benjamin-corll/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/does-soar-meet-its-promises-w-benjamin-corll/#comments</comments>        <pubDate>Wed, 25 Aug 2021 05:10:00 -0500</pubDate>
        <guid isPermaLink="false">4fa14fc2-74a3-4976-94ea-48dba159f93c</guid>
                                    <description><![CDATA[Host Allan Alford interviews Benjamin Corll, VP of Cybersecurity and Privacy at Coats, about security orchestration, automation, and response (SOAR).



Benjamin and Allan critique SOAR's promises and premises, what else it could be doing, its pricing and overhead, and its lack of standards as well.



But it is not all negative - Benjamin does share stories as well of SOAR's successes in his shop, and of the things it does do well...



Come on down the ranch and give this show a listen!



Key Takeaways:



0:09 – Intro


0:55 – Benjamin's background and day job


3:46 – The premise and the promises of SOAR


6:32 – What else could be automated?


9:25 – Benjamin explains the trouble ticket system and the change management system


11:57 – The standards for SOAR today


17:19 – How do we improve the cyber posture of all our organizations, making them more secure?


19:34 – Has SOAR managed to stay affordable for those who need it?


22:54 – What SOAR does well, the benefits and the value


26:35 – What has surprised Benjamin the most in information security



Links:



Learn more about Benjamin Corll on <a href='https://www.linkedin.com/in/benjamincorll/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></description>
                                                            <content:encoded><![CDATA[Host Allan Alford interviews Benjamin Corll, VP of Cybersecurity and Privacy at Coats, about security orchestration, automation, and response (SOAR).
<br>
<br>

Benjamin and Allan critique SOAR's promises and premises, what else it could be doing, its pricing and overhead, and its lack of standards as well.
<br>
<br>

But it is not all negative - Benjamin does share stories as well of SOAR's successes in his shop, and of the things it does do well...
<br>
<br>

Come on down the ranch and give this show a listen!
<br>
<br>

Key Takeaways:
<br>
<br>

0:09 – Intro
<br>

0:55 – Benjamin's background and day job
<br>

3:46 – The premise and the promises of SOAR
<br>

6:32 – What else could be automated?
<br>

9:25 – Benjamin explains the trouble ticket system and the change management system
<br>

11:57 – The standards for SOAR today
<br>

17:19 – How do we improve the cyber posture of all our organizations, making them more secure?
<br>

19:34 – Has SOAR managed to stay affordable for those who need it?
<br>

22:54 – What SOAR does well, the benefits and the value
<br>

26:35 – What has surprised Benjamin the most in information security
<br>
<br>

Links:
<br>
<br>

Learn more about Benjamin Corll on <a href='https://www.linkedin.com/in/benjamincorll/'>LinkedIn</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/d3my9m/the-cyber-ranch-podcast_4fa14fc2-74a3-4976-94ea-48dba159f93c.mp3" length="69344696" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Host Allan Alford interviews Benjamin Corll, VP of Cybersecurity and Privacy at Coats, about security orchestration, automation, and response (SOAR).

Benjamin and Allan critique SOAR's promises and premises, what else it could be doing, its pricing and overhead, and its lack of standards as well.

But it is not all negative - Benjamin does share stories as well of SOAR's successes in his shop, and of the things it does do well...

Come on down the ranch and give this show a listen!

Key Takeaways:

0:09 – Intro

0:55 – Benjamin's background and day job

3:46 – The premise and the promises of SOAR

6:32 – What else could be automated?

9:25 – Benjamin explains the trouble ticket system and the change management system

11:57 – The standards for SOAR today

17:19 – How do we improve the cyber posture of all our organizations, making them more secure?

19:34 – Has SOAR managed to stay affordable for those who need it?

22:54 – What SOAR does well, the benefits and the value

26:35 – What has surprised Benjamin the most in information security

Links:

Learn more about Benjamin Corll on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1733</itunes:duration>
                <itunes:episode>33</itunes:episode>
                    </item>
    <item>
        <title>The Modern CISO w/ James Azar</title>
        <itunes:title>The Modern CISO w/ James Azar</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-modern-ciso-w-james-azar/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-modern-ciso-w-james-azar/#comments</comments>        <pubDate>Wed, 18 Aug 2021 05:35:00 -0500</pubDate>
        <guid isPermaLink="false">b175720e-ba83-4193-bb5f-61659a440de2</guid>
                                    <description><![CDATA[Host Allan Alford interviews guest James Azar, host of the CyberHub CISO Talk Podcast, and CISO in the financial services space. James and Allan discuss the techniques and approaches of the modern CISO, and contrast this with some of the older approaches of the job.  James defines the cultural shift between the old and new as having taken place since September, 2017 (the Equifax breach).



James and Allan discuss the impact on the team, business, clients, and customers, and share their thoughts and experience on how to stay modern.  “What keeps you going in cybersecurity?” as the signature final question for each guest has been replaced with “What surprises you the most in cybersecurity?”  James is the first guest to answer that question, and his answer is a bit of a surprise itself…



Key Takeaways:



0:16 – Intro


1:04 – Bio


2:00 – The modern CISO contrasted with the older CISO


4:46 – What does the modern CISO mean to the team, business, clients and customers?


7:10 – How to interact with the business: building relationships, teams, meetings…


11:18 – How James Azar puts forward a message of security for the company


11:52 – Security Questionnaires and what is wrong with them


12:20 – Picking on SOC 2


12:39 – Operationalizing security within a client customer relationship


14:11 – Shared responsibility model (cloud) and CMMC replacing SOC 2 and SIG and other older standards: 5 or 6 questions


17:50 – How the word “no” keeps the business and team from moving forward


18:06 – CISO choosing business over security and ignoring the subsequent notions of career risk


19:40 – Automation on the technology front and how it changes the modern CISO’s perspective


20:30 - COVID-mandated lockdown and the implications for workers in countries around the world


23:19 - Automating all entry-level positions and bringing entry-level people up


25:45 – What surprises James Azar the most about cyber security



Links:



Learn more about James Azar on <a href='https://www.linkedin.com/in/james-j-azar/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></description>
                                                            <content:encoded><![CDATA[Host Allan Alford interviews guest James Azar, host of the CyberHub CISO Talk Podcast, and CISO in the financial services space. James and Allan discuss the techniques and approaches of the modern CISO, and contrast this with some of the older approaches of the job.  James defines the cultural shift between the old and new as having taken place since September, 2017 (the Equifax breach).
<br>
<br>

James and Allan discuss the impact on the team, business, clients, customers, and share their thoughts and experience on how to stay modern.  “What keeps you going in cybersecurity?” as the signature final question for each guest has been replaced with “What surprises you the most in cybersecurity?”  James is the first guest to answer that question, and his answer is a bit of a surprise itself…
<br>
<br>

Key Takeaways:
<br>
<br>

0:16 – Intro
<br>

1:04 – Bio
<br>

2:00 – The modern CISO contrasted with the older CISO
<br>

4:46 – What does the modern CISO mean to the team, business, clients and customers?
<br>

7:10 – How to interact with the business: building relationships, teams, meetings…
<br>

11:18 – How James Azar puts forward a message of security for the company
<br>

11:52 – Security Questionnaires and what is wrong with them
<br>

12:20 – Picking on SOC 2
<br>

12:39 – Operationalizing security within a client customer relationship
<br>

14:11 – Shared responsibility model (cloud) and CMMC replacing SOC 2 and SIG and other older standards: 5 or 6 questions
<br>

17:50 – How the word “no” keeps the business and team from moving forward
<br>

18:06 – CISO choosing business over security and ignoring the subsequent notions of career risk
<br>

19:40 – Automation on the technology front and how it changes the modern CISO’s perspective
<br>

20:30 - COVID-mandated lockdown and the implications for workers in countries around the world
<br>

23:19 - Automating all entry-level positions and bringing entry-level people up
<br>

25:45 – What surprises James Azar the most about cyber security
<br>
<br>

Links:
<br>
<br>

Learn more about James Azar on <a href='https://www.linkedin.com/in/james-j-azar/'>LinkedIn</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/z60dcn/the-cyber-ranch-podcast_b175720e-ba83-4193-bb5f-61659a440de2.mp3" length="67248344" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Host Allan Alford interviews guest James Azar, host of the CyberHub CISO Talk Podcast, and CISO in the financial services space. James and Allan discuss the techniques and approaches of the modern CISO, and contrast this with some of the older approaches of the job.  James defines the cultural shift between the old and new as having taken place since September, 2017 (the Equifax breach).

James and Allan discuss the impact on the team, business, clients, customers, and share their thoughts and experience on how to stay modern.  “What keeps you going in cybersecurity?” as the signature final question for each guest has been replaced with “What surprises you the most in cybersecurity?”  James is the first guest to answer that question, and his answer is a bit of a surprise itself…

Key Takeaways:

0:16 – Intro

1:04 – Bio

2:00 – The modern CISO contrasted with the older CISO

4:46 – What does the modern CISO mean to the team, business, clients and customers?

7:10 – How to interact with the business: building relationships, teams, meetings…

11:18 – How James Azar puts forward a message of security for the company

11:52 – Security Questionnaires and what is wrong with them

12:20 – Picking on SOC 2

12:39 – Operationalizing security within a client customer relationship

14:11 – Shared responsibility model (cloud) and CMMC replacing SOC 2 and SIG and other older standards: 5 or 6 questions

17:50 – How the word “no” keeps the business and team from moving forward

18:06 – CISO choosing business over security and ignoring the subsequent notions of career risk

19:40 – Automation on the technology front and how it changes the modern CISO’s perspective

20:30 - COVID-mandated lockdown and the implications for workers in countries around the world

23:19 - Automating all entry-level positions and bringing entry-level people up

25:45 – What surprises James Azar the most about cyber security

Links:

Learn more about James Azar on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1681</itunes:duration>
                <itunes:episode>32</itunes:episode>
                    </item>
    <item>
        <title>Frameworks Over Time w/ Derly Gutierrez, Mustapha Kebbeh and Patrick Benoit</title>
        <itunes:title>Frameworks Over Time w/ Derly Gutierrez, Mustapha Kebbeh and Patrick Benoit</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/frameworks-over-time-w-derly-gutierrez-mustapha-kebbeh-and-patrick-benoit/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/frameworks-over-time-w-derly-gutierrez-mustapha-kebbeh-and-patrick-benoit/#comments</comments>        <pubDate>Wed, 11 Aug 2021 05:20:00 -0500</pubDate>
        <guid isPermaLink="false">7c15eb5e-dbd2-45e7-9dcb-87601a16b311</guid>
                                    <description><![CDATA[In this, the very first LIVE episode, Allan Alford interviews guests Derly Gutierrez, Head of Information Security at 1010Data, Patrick Benoit, BISO at CBRE, and Mustapha Kebbeh, CISO at Brinks, as they discuss the use of security frameworks in general and over time.



Regarding framework compliance, do we choose one or do we choose many? Do we embrace them fully or partially? What changes our approach to frameworks over time?



Security strategies are explained throughout the episode, along with the notions of business adaptation and adoption, regulation and other requirements, and "minimum viable security" approaches that don't require frameworks at all.



Key Takeaways:



0:43 – Intro


1:53 – Question to Mustapha: pick and choose from a framework or embrace a framework all in one go?


2:47 – Patrick discusses his own approach to Mustapha’s statement


3:26 – The evolution of CFS adoption briefly discussed and the importance of protection


6:59 – Discussion of a possible "least viable security" approach that doesn’t depend on the frameworks at all


9:50 – Maturity models


13:32 – Security strategies


19:56 – The guests answer: What were the toughest challenges working with a framework?


21:56 – The guests share their best success story with frameworks


23:51 – The guests share their journey on business integration


27:56 – The influence of regulation and other requirements



Links:



Learn more about Derly on <a href='https://www.linkedin.com/in/derlyg/'>LinkedIn</a> and <a href='https://twitter.com/DerlyG_CloudSEC'>Twitter</a>

Learn more about Mustapha on <a href='https://www.linkedin.com/in/mustaphakebbeh/'>LinkedIn</a>

Learn more about Patrick on <a href='https://www.linkedin.com/in/patricklbenoit/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></description>
                                                            <content:encoded><![CDATA[In this, the very first LIVE episode, Allan Alford interviews guests Derly Gutierrez, Head of Information Security at 1010Data, Patrick Benoit, BISO at CBRE, and Mustapha Kebbeh, CISO at Brinks, as they discuss the use of security frameworks in general and over time.
<br>
<br>

Regarding framework compliance, do we choose one or do we choose many? Do we embrace them fully or partially? What changes our approach to frameworks over time?
<br>
<br>

Security strategies are explained throughout the episode, along with the notions of business adaptation and adoption, regulation and other requirements, and "minimum viable security" approaches that don't require frameworks at all.
<br>
<br>

Key Takeaways:
<br>
<br>

0:43 – Intro
<br>

1:53 – Question to Mustapha: pick and choose from a framework or embrace a framework all in one go?
<br>

2:47 – Patrick discusses his own approach to Mustapha’s statement
<br>

3:26 – The evolution of CFS adoption briefly discussed and the importance of protection
<br>

6:59 – Discussion of a possible "least viable security" approach that doesn’t depend on the frameworks at all
<br>

9:50 – Maturity models
<br>

13:32 – Security strategies
<br>

19:56 – The guests answer: What were the toughest challenges working with a framework?
<br>

21:56 – The guests share their best success story with frameworks
<br>

23:51 – The guests share their journey on business integration
<br>

27:56 – The influence of regulation and other requirements
<br>
<br>

Links:
<br>
<br>

Learn more about Derly on <a href='https://www.linkedin.com/in/derlyg/'>LinkedIn</a> and <a href='https://twitter.com/DerlyG_CloudSEC'>Twitter</a><br>

Learn more about Mustapha on <a href='https://www.linkedin.com/in/mustaphakebbeh/'>LinkedIn</a><br>

Learn more about Patrick on <a href='https://www.linkedin.com/in/patricklbenoit/'>LinkedIn</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/4ig6ca/the-cyber-ranch-podcast_7c15eb5e-dbd2-45e7-9dcb-87601a16b311.mp3" length="74668052" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this, the very first LIVE episode, Allan Alford interviews guests Derly Gutierrez, Head of Information Security at 1010Data, Patrick Benoit, BISO at CBRE, and Mustapha Kebbeh, CISO at Brinks, as they discuss the use of security frameworks in general and over time.

Regarding framework compliance, do we choose one or do we choose many? Do we embrace them fully or partially? What changes our approach to frameworks over time?

Security strategies are explained throughout the episode, along with the notions of business adaptation and adoption, regulation and other requirements, and "minimum viable security" approaches that don't require frameworks at all.

Key Takeaways:

0:43 – Intro

1:53 – Question to Mustapha: pick and choose from a framework or embrace a framework all in one go?

2:47 – Patrick discusses his own approach to Mustapha’s statement

3:26 – The evolution of CFS adoption briefly discussed and the importance of protection

6:59 – Discussion of a possible "least viable security" approach that doesn’t depend on the frameworks at all

9:50 – Maturity models

13:32 – Security strategies

19:56 – The guests answer: What were the toughest challenges working with a framework?

21:56 – The guests share their best success story with frameworks

23:51 – The guests share their journey on business integration

27:56 – The influence of regulation and other requirements

Links:

Learn more about Derly on LinkedIn and Twitter
Learn more about Mustapha on LinkedIn
Learn more about Patrick on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1866</itunes:duration>
                <itunes:episode>31</itunes:episode>
                    </item>
    <item>
        <title>Burnout, Toxicity, and Overcoming Obstacles w/ Marilise de Villiers</title>
        <itunes:title>Burnout, Toxicity, and Overcoming Obstacles w/ Marilise de Villiers</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/burnout-toxicity-and-overcoming-obstacles-w-marilise-de-villiers/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/burnout-toxicity-and-overcoming-obstacles-w-marilise-de-villiers/#comments</comments>        <pubDate>Wed, 04 Aug 2021 05:48:00 -0500</pubDate>
        <guid isPermaLink="false">e1f1b1c9-3f72-4a3e-810d-ec0b1191ea39</guid>
                                    <description><![CDATA[On this episode, Allan invites Marilise de Villiers, Founder and CEO at ROAR! Coaching & Consulting, to come on down to the ranch and discuss how to deal with toxic situations, how to overcome obstacles in the workplace, how to avoid burnout, and how to spot our own negative behaviors that interfere with our success.



Marilise and Allan cover toxic workplaces and bosses, share personal stories, and discuss the internal mechanisms which allow external toxicity to harm us, as well as the internal behaviors to prevent that.



They discuss obstacles, and how big obstacles should be embraced.  They also talk about "exercising the resilience muscle".



This is a fantastic show with some open and vulnerable moments, as well as with some very practical advice for avoiding burnout and dealing with problems most of us have faced or will face in our information security careers.



Key Takeaways:



1:11 How Marilise got into information security


2:29 About her coaching and consulting practice for information security professionals


3:53 Avoiding CISO burnout despite our intrinsic challenges


5:08 External forces but also our own self-defeating behaviors


7:01 Clarity on who you are and why you are here


9:31 "I am" is the first negative step towards internalizing toxicity around us (neuroplasticity)


11:03 Allan's former toxic boss who "showed him a carnival house mirror" and led to negative internalization


12:21 Marilise has a similar story


14:29 Facing futility and hopelessness in information security


15:19 Caring too much vs. business problems as a control and communication problem


18:23 How to perceive our biggest obstacles


19:28 Get professional help to strengthen your resilience muscle


20:17 Shout-out to Chris Cochran of Hacker Valley Studio and his 'find your super powers' coaching (and other trusted coaches)


21:49 Your best life is on the other side of your biggest obstacle


21:59 There is always another obstacle


23:22 Living your best life TODAY


24:15 The value of resilience and embracing big obstacles


24:57 Marilise's reason for being in cybersecurity



Links:



Learn more about Marilise on <a href='https://www.linkedin.com/in/marilise-de-villiers-9184521a/'>LinkedIn</a> and on <a href='https://twitter.com/marilise77'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></description>
                                                            <content:encoded><![CDATA[On this episode, Allan invites Marilise de Villiers, Founder and CEO at ROAR! Coaching & Consulting, to come on down to the ranch and discuss how to deal with toxic situations, how to overcome obstacles in the workplace, how to avoid burnout, and how to spot our own negative behaviors that interfere with our success.
<br>
<br>

Marilise and Allan cover toxic workplaces and bosses, share personal stories, and discuss the internal mechanisms which allow external toxicity to harm us, as well as the internal behaviors to prevent that.
<br>
<br>

They discuss obstacles, and how big obstacles should be embraced.  They also talk about "exercising the resilience muscle".
<br>
<br>

This is a fantastic show with some open and vulnerable moments, as well as with some very practical advice for avoiding burnout and dealing with problems most of us have faced or will face in our information security careers.
<br>
<br>

Key Takeaways:
<br>
<br>

1:11 How Marilise got into information security
<br>

2:29 About her coaching and consulting practice for information security professionals
<br>

3:53 Avoiding CISO burnout despite our intrinsic challenges
<br>

5:08 External forces but also our own self-defeating behaviors
<br>

7:01 Clarity on who you are and why you are here
<br>

9:31 "I am" is the first negative step towards internalizing toxicity around us (neuroplasticity)
<br>

11:03 Allan's former toxic boss who "showed him a carnival house mirror" and led to negative internalization
<br>

12:21 Marilise has a similar story
<br>

14:29 Facing futility and hopelessness in information security
<br>

15:19 Caring too much vs. business problems as a control and communication problem
<br>

18:23 How to perceive our biggest obstacles
<br>

19:28 Get professional help to strengthen your resilience muscle
<br>

20:17 Shout-out to Chris Cochran of Hacker Valley Studio and his 'find your super powers' coaching (and other trusted coaches)
<br>

21:49 Your best life is on the other side of your biggest obstacle
<br>

21:59 There is always another obstacle
<br>

23:22 Living your best life TODAY
<br>

24:15 The value of resilience and embracing big obstacles
<br>

24:57 Marilise's reason for being in cybersecurity
<br>
<br>

Links:
<br>
<br>

Learn more about Marilise on <a href='https://www.linkedin.com/in/marilise-de-villiers-9184521a/'>LinkedIn</a> and on <a href='https://twitter.com/marilise77'>Twitter</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/yirtio/the-cyber-ranch-podcast_e1f1b1c9-3f72-4a3e-810d-ec0b1191ea39.mp3" length="61658768" type="audio/mpeg"/>
        <itunes:summary><![CDATA[On this episode, Allan invites Marilise de Villiers, Founder and CEO at ROAR! Coaching & Consulting, to come on down to the ranch and discuss how to deal with toxic situations, how to overcome obstacles in the workplace, how to avoid burnout, and how to spot our own negative behaviors that interfere with our success.

Marilise and Allan cover toxic workplaces and bosses, share personal stories, and discuss the internal mechanisms which allow external toxicity to harm us, as well as the internal behaviors to prevent that.

They discuss obstacles, and how big obstacles should be embraced.  They also talk about "exercising the resilience muscle".

This is a fantastic show with some open and vulnerable moments, as well as with some very practical advice for avoiding burnout and dealing with problems most of us have faced or will face in our information security careers.

Key Takeaways:

1:11 How Marilise got into information security

2:29 About her coaching and consulting practice for information security professionals

3:53 Avoiding CISO burnout despite our intrinsic challenges

5:08 External forces but also our own self-defeating behaviors

7:01 Clarity on who you are and why you are here

9:31 "I am" is the first negative step towards internalizing toxicity around us (neuroplasticity)

11:03 Allan's former toxic boss who "showed him a carnival house mirror" and led to negative internalization

12:21 Marilise has a similar story

14:29 Facing futility and hopelessness in information security

15:19 Caring too much vs. business problems as a control and communication problem

18:23 How to perceive our biggest obstacles

19:28 Get professional help to strengthen your resilience muscle

20:17 Shout-out to Chris Cochran of Hacker Valley Studio and his 'find your super powers' coaching (and other trusted coaches)

21:49 Your best life is on the other side of your biggest obstacle

21:59 There is always another obstacle

23:22 Living your best life TODAY

24:15 The value of resilience and embracing big obstacles

24:57 Marilise's reason for being in cybersecurity

Links:

Learn more about Marilise on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1541</itunes:duration>
                <itunes:episode>30</itunes:episode>
                    </item>
    <item>
        <title>Migrating from Monolithic to Cloud w/ Greg Rogers</title>
        <itunes:title>Migrating from Monolithic to Cloud w/ Greg Rogers</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/migrating-from-monolithic-to-cloud-w-greg-rogers/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/migrating-from-monolithic-to-cloud-w-greg-rogers/#comments</comments>        <pubDate>Wed, 28 Jul 2021 05:50:00 -0500</pubDate>
        <guid isPermaLink="false">be2f4b58-4aef-440c-b612-e19730030c43</guid>
<description><![CDATA[In this episode, Allan interviews Greg Rogers, CISO at Legal & General America, about migrating legacy, monolithic, internally facing, manually tested, waterfall applications to cloud-hosted, customer-facing applications built with automated CI/CD, all in modern development languages and environments.



Greg migrated just about everything legacy to just about everything modern across a series of monolithic applications.  In this episode he gives tips on the technical aspects of his journey, as well as tools and techniques for overcoming cultural barriers.



Greg outlines what he did in-house, and what he leveraged from out-of-house - from code to services.



Ultimately, Greg was able to pull off this transition piece by piece, and he shares how he was able to do it.



Lastly, Greg closes with what keeps him going in cybersecurity...



Key Takeaways:



1:19 How Greg got into cyber


4:12 An overview of the challenge


6:39 Greg's biggest security challenges with the project, both cultural and technical


8:06 The value of engagement and relationship building


8:41 Targeted security awareness training


9:10 Make security fit with what they are already doing for their day jobs


9:25 Regulation as a driver for change


11:32 The challenges posed by regulation


12:06 The challenges of remote access


13:50 How to eat the elephant one bite at a time


14:11 VDI to migrate portions to the cloud


15:29 Identity & Access Management, CASB, SASE, etc.


16:53 Leveraging outside help


18:13 Selecting and settling on a good MSSP


20:21 In-house development vs. off-the-shelf and leveraging external developers


22:43 What the CISO provides in this scenario


24:02 Focusing on the 'gray' areas of security over the black and white


25:25 Improving the security culture and CISO relationships


26:49 What keeps Greg going in cybersecurity



Links:



Learn more about Greg on <a href='https://www.linkedin.com/in/gsrogers/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></description>
<content:encoded><![CDATA[In this episode, Allan interviews Greg Rogers, CISO at Legal & General America, about migrating legacy, monolithic, internally facing, manually tested, waterfall applications to cloud-hosted, customer-facing applications built with automated CI/CD, all in modern development languages and environments.
<br>
<br>

Greg migrated just about everything legacy to just about everything modern across a series of monolithic applications.  In this episode he gives tips on the technical aspects of his journey, as well as tools and techniques for overcoming cultural barriers.
<br>
<br>

Greg outlines what he did in-house, and what he leveraged from out-of-house - from code to services.
<br>
<br>

Ultimately, Greg was able to pull off this transition piece by piece, and he shares how he was able to do it.
<br>
<br>

Lastly, Greg closes with what keeps him going in cybersecurity...
<br>
<br>

Key Takeaways:
<br>
<br>

1:19 How Greg got into cyber
<br>

4:12 An overview of the challenge
<br>

6:39 Greg's biggest security challenges with the project, both cultural and technical
<br>

8:06 The value of engagement and relationship building
<br>

8:41 Targeted security awareness training
<br>

9:10 Make security fit with what they are already doing for their day jobs
<br>

9:25 Regulation as a driver for change
<br>

11:32 The challenges posed by regulation
<br>

12:06 The challenges of remote access
<br>

13:50 How to eat the elephant one bite at a time
<br>

14:11 VDI to migrate portions to the cloud
<br>

15:29 Identity & Access Management, CASB, SASE, etc.
<br>

16:53 Leveraging outside help
<br>

18:13 Selecting and settling on a good MSSP
<br>

20:21 In-house development vs. off-the-shelf and leveraging external developers
<br>

22:43 What the CISO provides in this scenario
<br>

24:02 Focusing on the 'gray' areas of security over the black and white
<br>

25:25 Improving the security culture and CISO relationships
<br>

26:49 What keeps Greg going in cybersecurity
<br>
<br>

Links:
<br>
<br>

Learn more about Greg on <a href='https://www.linkedin.com/in/gsrogers/'>LinkedIn</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/x28xqc/the-cyber-ranch-podcast_be2f4b58-4aef-440c-b612-e19730030c43.mp3" length="67060424" type="audio/mpeg"/>
<itunes:summary><![CDATA[In this episode, Allan interviews Greg Rogers, CISO at Legal & General America, about migrating legacy, monolithic, internally facing, manually tested, waterfall applications to cloud-hosted, customer-facing applications built with automated CI/CD, all in modern development languages and environments.

Greg migrated just about everything legacy to just about everything modern across a series of monolithic applications.  In this episode he gives tips on the technical aspects of his journey, as well as tools and techniques for overcoming cultural barriers.

Greg outlines what he did in-house, and what he leveraged from out-of-house - from code to services.

Ultimately, Greg was able to pull off this transition piece by piece, and he shares how he was able to do it.

Lastly, Greg closes with what keeps him going in cybersecurity...

Key Takeaways:

1:19 How Greg got into cyber

4:12 An overview of the challenge

6:39 Greg's biggest security challenges with the project, both cultural and technical

8:06 The value of engagement and relationship building

8:41 Targeted security awareness training

9:10 Make security fit with what they are already doing for their day jobs

9:25 Regulation as a driver for change

11:32 The challenges posed by regulation

12:06 The challenges of remote access

13:50 How to eat the elephant one bite at a time

14:11 VDI to migrate portions to the cloud

15:29 Identity & Access Management, CASB, SASE, etc.

16:53 Leveraging outside help

18:13 Selecting and settling on a good MSSP

20:21 In-house development vs. off-the-shelf and leveraging external developers

22:43 What the CISO provides in this scenario

24:02 Focusing on the 'gray' areas of security over the black and white

25:25 Improving the security culture and CISO relationships

26:49 What keeps Greg going in cybersecurity

Links:

Learn more about Greg on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1676</itunes:duration>
                <itunes:episode>29</itunes:episode>
                    </item>
    <item>
        <title>Credential Stuffing w/ Dr. Sam Small</title>
        <itunes:title>Credential Stuffing w/ Dr. Sam Small</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/credential-stuffing-w-dr-sam-small/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/credential-stuffing-w-dr-sam-small/#comments</comments>        <pubDate>Wed, 21 Jul 2021 05:50:00 -0500</pubDate>
        <guid isPermaLink="false">f4fae8c9-ad86-40e8-84f7-6f65a98b42d7</guid>
                                    <description><![CDATA[In this episode, Allan's friend Dr. Sam Small, CISO of Zero Fox, joins us to chat about credential stuffing, its implications and the defenses against it.



Several statistics are given from a few industry reports on credential stuffing, including the Verizon DBIR and F5's report.



Several techniques to foil credential stuffing are explored, as well as common traps when combatting credential stuffing.  OWASP provides some guidance in this area.



The criminals' abilities vis-à-vis breach sharing and botnet-as-a-service are discussed as well.



Finally, Sam explains what keeps him going in cybersecurity...



Key Takeaways:



1:08 Sam's background and education in cyber


2:41 Sam defines credential stuffing and explains why we should care about it


4:17 The origins of the term 'credential stuffing' vs. its history


4:39 Is ransomware the end goal of every single kind of cyber attack?


5:22 Botnets as a service to drive credential stuffing attacks


6:33 Allan cites statistics from the Verizon Data Breach Incident Report


7:23 The DDoS aspects and related cloud costs of credential stuffing


8:48 Sam's theory about F5 report statistics on credential stuffing being interestingly somewhat contradictory


10:43 Anecdotally anyway, password reuse appears to be a huge problem still


11:51 Combating credential stuffing and common traps in doing so


13:23 Credential stuffing and data breaches are not the same thing


14:17 Getting credential stuffers shut down by way of their service providers


15:25 Practical tips from OWASP for preventing credential stuffing in your environment


19:10 The difference between a comprehensive defense and not


20:32 Are obscure usernames useful in the fight?


22:06 Proposal for user-centric federation to monitor account usage everywhere


23:06 Obligations of those who suffered a breach of credentials


25:14 Criminals share data on their side


26:09 What keeps Sam going in cybersecurity



Links:



Learn more about Sam on <a href='https://www.linkedin.com/in/samsmallphd/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></description>
                                                            <content:encoded><![CDATA[In this episode, Allan's friend Dr. Sam Small, CISO of Zero Fox, joins us to chat about credential stuffing, its implications and the defenses against it.
<br>
<br>

Several statistics are given from a few industry reports on credential stuffing, including the Verizon DBIR and F5's report.
<br>
<br>

Several techniques to foil credential stuffing are explored, as well as common traps when combatting credential stuffing.  OWASP provides some guidance in this area.
<br>
<br>

The criminals' abilities vis-à-vis breach sharing and botnet-as-a-service are discussed as well.
<br>
<br>

Finally, Sam explains what keeps him going in cybersecurity...
<br>
<br>

Key Takeaways:
<br>
<br>

1:08 Sam's background and education in cyber
<br>

2:41 Sam defines credential stuffing and explains why we should care about it
<br>

4:17 The origins of the term 'credential stuffing' vs. its history
<br>

4:39 Is ransomware the end goal of every single kind of cyber attack?
<br>

5:22 Botnets as a service to drive credential stuffing attacks
<br>

6:33 Allan cites statistics from the Verizon Data Breach Incident Report
<br>

7:23 The DDoS aspects and related cloud costs of credential stuffing
<br>

8:48 Sam's theory about F5 report statistics on credential stuffing being interestingly somewhat contradictory
<br>

10:43 Anecdotally anyway, password reuse appears to be a huge problem still
<br>

11:51 Combating credential stuffing and common traps in doing so
<br>

13:23 Credential stuffing and data breaches are not the same thing
<br>

14:17 Getting credential stuffers shut down by way of their service providers
<br>

15:25 Practical tips from OWASP for preventing credential stuffing in your environment
<br>

19:10 The difference between a comprehensive defense and not
<br>

20:32 Are obscure usernames useful in the fight?
<br>

22:06 Proposal for user-centric federation to monitor account usage everywhere
<br>

23:06 Obligations of those who suffered a breach of credentials
<br>

25:14 Criminals share data on their side
<br>

26:09 What keeps Sam going in cybersecurity
<br>
<br>

Links:
<br>
<br>

Learn more about Sam on <a href='https://www.linkedin.com/in/samsmallphd/'>LinkedIn</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/wwa9it/the-cyber-ranch-podcast_f4fae8c9-ad86-40e8-84f7-6f65a98b42d7.mp3" length="65755424" type="audio/mpeg"/>
        <itunes:summary><![CDATA[In this episode, Allan's friend Dr. Sam Small, CISO of Zero Fox, joins us to chat about credential stuffing, its implications and the defenses against it.

Several statistics are given from a few industry reports on credential stuffing, including the Verizon DBIR and F5's report.

Several techniques to foil credential stuffing are explored, as well as common traps when combatting credential stuffing.  OWASP provides some guidance in this area.

The criminals' abilities vis-à-vis breach sharing and botnet-as-a-service are discussed as well.

Finally, Sam explains what keeps him going in cybersecurity...

Key Takeaways:

1:08 Sam's background and education in cyber

2:41 Sam defines credential stuffing and explains why we should care about it

4:17 The origins of the term 'credential stuffing' vs. its history

4:39 Is ransomware the end goal of every single kind of cyber attack?

5:22 Botnets as a service to drive credential stuffing attacks

6:33 Allan cites statistics from the Verizon Data Breach Incident Report

7:23 The DDoS aspects and related cloud costs of credential stuffing

8:48 Sam's theory about F5 report statistics on credential stuffing being interestingly somewhat contradictory

10:43 Anecdotally anyway, password reuse appears to be a huge problem still

11:51 Combating credential stuffing and common traps in doing so

13:23 Credential stuffing and data breaches are not the same thing

14:17 Getting credential stuffers shut down by way of their service providers

15:25 Practical tips from OWASP for preventing credential stuffing in your environment

19:10 The difference between a comprehensive defense and not

20:32 Are obscure usernames useful in the fight?

22:06 Proposal for user-centric federation to monitor account usage everywhere

23:06 Obligations of those who suffered a breach of credentials

25:14 Criminals share data on their side

26:09 What keeps Sam going in cybersecurity

Links:

Learn more about Sam on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1643</itunes:duration>
                <itunes:episode>28</itunes:episode>
                    </item>
    <item>
        <title>”Ugly Exits” w/ Naomi Buckwalter</title>
        <itunes:title>”Ugly Exits” w/ Naomi Buckwalter</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/ugly-exits-w-naomi-buckwalter/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/ugly-exits-w-naomi-buckwalter/#comments</comments>        <pubDate>Wed, 14 Jul 2021 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">4418e8bc-bb2a-4dfc-afab-64750dec6066</guid>
                                    <description><![CDATA[On today’s episode with Allan, we talk “Ugly Exits” with Naomi Buckwalter, Director of Information Security.  Of course, to start the episode, Naomi answers Allan’s question of how she got started in cyber.



They circle back to the topic at hand, “Ugly Exits”.  Under this umbrella are: being fired, laid off, "burning bridges", or being encouraged to leave in a "voluntary" manner.  Allan shares statistics for some of these categories, including a substantial statistic on those who have been outright fired.



When it comes to burning bridges, so many people walk away from a company that is behaving in an unethical manner and putting their employees in unethical situations.  To Naomi, this is a frightening common thread.  It’s scary how many unethical employers are out there.



Naomi shared a personal story of her ugly exit, and the fact that it was deserved to some extent. She has owned that experience, has learned from it, and has grown as a result.



Allan shares his personal “burned bridge” story which continues to follow him through the industry here and there.  He feels his reputation is sullied with a certain small segment of the industry, and that it most likely won’t ever change. But he also takes ownership for how he mishandled the situation.



Rounding out the show, Naomi and Allan talk about earning their stripes and realizing it is all about growth, resiliency and grit.  In fact, as humans, they feel sometimes we don’t appreciate the bad things that happen to us, so we can appreciate the growth and the improvements we have made throughout our lives.  Reflect back and think about all that you have survived in your past.  Out of that self-awareness comes the opportunity to improve.



A large portion of growth, whether personal or work, comes from self-reflection.  One can learn from it, grow from it and figure out how to navigate the situation should it arise again.  Could it be that thinking we are the hero of our own stories is hurting us?



Key Takeaways



1:25 Getting into Cyber


3:22 Burning Bridges


8:56 Mismatches


14:18 Reflecting


19:43 Humanity


23:28 The Firing and One’s Value


28:45 What Keeps You Going



Links:



Learn more about Naomi on <a href='https://www.linkedin.com/in/naomi-buckwalter/'>LinkedIn</a> and on <a href='https://twitter.com/ineedmorecyber'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></description>
                                                            <content:encoded><![CDATA[On today’s episode with Allan, we talk “Ugly Exits” with Naomi Buckwalter, Director of Information Security.  Of course, to start the episode, Naomi answers Allan’s question of how she got started in cyber.
<br>
<br>

They circle back to the topic at hand, “Ugly Exits”.  Under this umbrella are: being fired, laid off, "burning bridges", or being encouraged to leave in a "voluntary" manner.  Allan shares statistics for some of these categories, including a substantial statistic on those who have been outright fired.
<br>
<br>

When it comes to burning bridges, so many people walk away from a company that is behaving in an unethical manner and putting their employees in unethical situations.  To Naomi, this is a frightening common thread.  It’s scary how many unethical employers are out there.
<br>
<br>

Naomi shared a personal story of her ugly exit, and the fact that it was deserved to some extent. She has owned that experience, has learned from it, and has grown as a result.
<br>
<br>

Allan shares his personal “burned bridge” story which continues to follow him through the industry here and there.  He feels his reputation is sullied with a certain small segment of the industry, and that it most likely won’t ever change. But he also takes ownership for how he mishandled the situation.
<br>
<br>

Rounding out the show, Naomi and Allan talk about earning their stripes and realizing it is all about growth, resiliency and grit.  In fact, as humans, they feel sometimes we don’t appreciate the bad things that happen to us, so we can appreciate the growth and the improvements we have made throughout our lives.  Reflect back and think about all that you have survived in your past.  Out of that self-awareness comes the opportunity to improve.
<br>
<br>

A large portion of growth, whether personal or work, comes from self-reflection.  One can learn from it, grow from it and figure out how to navigate the situation should it arise again.  Could it be that thinking we are the hero of our own stories is hurting us?
<br>
<br>

Key Takeaways
<br>
<br>

1:25 Getting into Cyber
<br>

3:22 Burning Bridges
<br>

8:56 Mismatches
<br>

14:18 Reflecting
<br>

19:43 Humanity
<br>

23:28 The Firing and One’s Value
<br>

28:45 What Keeps You Going
<br>
<br>

Links:
<br>
<br>

Learn more about Naomi on <a href='https://www.linkedin.com/in/naomi-buckwalter/'>LinkedIn</a> and on <a href='https://twitter.com/ineedmorecyber'>Twitter</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/w53ueq/the-cyber-ranch-podcast_4418e8bc-bb2a-4dfc-afab-64750dec6066.mp3" length="71256260" type="audio/mpeg"/>
        <itunes:summary><![CDATA[On today’s episode with Allan, we talk “Ugly Exits” with Naomi Buckwalter, Director of Information Security.  Of course, to start the episode, Naomi answers Allan’s question of how she got started in cyber.

They circle back to the topic at hand, “Ugly Exits”.  Under this umbrella are: being fired, laid off, "burning bridges", or being encouraged to leave in a "voluntary" manner.  Allan shares statistics for some of these categories, including a substantial statistic on those who have been outright fired.

When it comes to burning bridges, so many people walk away from a company that is behaving in an unethical manner and putting their employees in unethical situations.  To Naomi, this is a frightening common thread.  It’s scary how many unethical employers are out there.

Naomi shared a personal story of her ugly exit, and the fact that it was deserved to some extent. She has owned that experience, has learned from it, and has grown as a result.

Allan shares his personal “burned bridge” story which continues to follow him through the industry here and there.  He feels his reputation is sullied with a certain small segment of the industry, and that it most likely won’t ever change. But he also takes ownership for how he mishandled the situation.

Rounding out the show, Naomi and Allan talk about earning their stripes and realizing it is all about growth, resiliency and grit.  In fact, as humans, they feel sometimes we don’t appreciate the bad things that happen to us, so we can appreciate the growth and the improvements we have made throughout our lives.  Reflect back and think about all that you have survived in your past.  Out of that self-awareness comes the opportunity to improve.

A large portion of growth, whether personal or work, comes from self-reflection.  One can learn from it, grow from it and figure out how to navigate the situation should it arise again.  Could it be that thinking we are the hero of our own stories is hurting us?

Key Takeaways

1:25 Getting into Cyber

3:22 Burning Bridges

8:56 Mismatches

14:18 Reflecting

19:43 Humanity

23:28 The Firing and One’s Value

28:45 What Keeps You Going

Links:

Learn more about Naomi on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Uptycs
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1781</itunes:duration>
                <itunes:episode>27</itunes:episode>
                    </item>
    <item>
        <title>Agile for Security Programs w/ Tim Rohrbaugh</title>
        <itunes:title>Agile for Security Programs w/ Tim Rohrbaugh</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/agile-for-security-programs-w-tim-rohrbaugh/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/agile-for-security-programs-w-tim-rohrbaugh/#comments</comments>        <pubDate>Wed, 07 Jul 2021 05:20:00 -0500</pubDate>
        <guid isPermaLink="false">0091e646-13d9-4b96-b12f-12827327a84f</guid>
                                    <description><![CDATA[On today’s episode with Allan, we have Tim Rohrbaugh, CISO at JetBlue, here to talk about Agile methodology and how it can be applied to an entire security program.



Tim got into cyber through the military.  From the military he went into consulting and ended up at JetBlue.  At JetBlue he is always trying to find ways to invest dollars in security programs to balance what is going on.  Along with that, he strives to keep his team motivated and moving forward.



Agile is a software programming methodology, and it replaced Waterfall.  Waterfall was the traditional model of development, where large chunks of code had to flow from developers to QA, back to developers several times, and finally to release.



Agile, on the other hand, works off user-centric stories, which roll up to bigger stories called epics.  Stories are small, discrete goals, met with smaller, discrete chunks of code released in what are called 'sprints'.  QA is very rapid as well, leading to rapid release.  Agile is characterized by daily 'standup meetings' where literally nobody sits in an effort to keep the meetings as short as possible.



In Agile, product owners come up with ideas and thread those through marketing and development.  In applying this paradigm to running a security team, Tim replaces product owners with threat intelligence folks.



This unique approach towards managing a security program means that all decisions are threat-informed, and that small incremental wins are a constant.



But Tim does not stop there.  Anyone on the team can create and manage a story to address any specific and immediate security need...



Key Takeaways



1:10 Tim’s background and day job


2:08 JetBlue


2:39 Introduction of Agile


3:57 Tim’s approach


6:15 How Agile is used


8:31 Threats addressed


9:46 Story sourcing


11:03 Creating the story


12:48 Narrative skill


14:08 Metrics


15:53 Risk management aspect


19:00 Not using risk


21:38 Positives


23:20 What keeps Tim going in cyber


24:42 What Tim is looking forward to in cyber



Links:



Learn more about Tim on <a href='https://www.linkedin.com/in/timrohrbaugh/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>
]]></description>
                                                            <content:encoded><![CDATA[On today’s episode with Allan, we have Tim Rohrbaugh, CISO at JetBlue, here to talk about Agile methodology and how it can be applied to an entire security program.
<br>
<br>

Tim got into cyber through the military.  From the military he went into consulting and ended up at JetBlue.  At JetBlue he is always trying to find ways to invest dollars in security programs to balance what is going on.  Along with that, he strives to keep his team motivated and moving forward.
<br>
<br>

Agile is a software programming methodology, and it replaced Waterfall.  Waterfall was the traditional model of development, where large chunks of code had to flow from developers to QA, back to developers several times, and finally to release.
<br>
<br>

Agile, on the other hand, works off user-centric stories, which roll up to bigger stories called epics.  Stories are small, discrete goals, met with smaller, discrete chunks of code released in what are called 'sprints'.  QA is very rapid as well, leading to rapid release.  Agile is characterized by daily 'standup meetings' where literally nobody sits in an effort to keep the meetings as short as possible.
<br>
<br>

In Agile, product owners come up with ideas and thread those through marketing and development.  In applying this paradigm to running a security team, Tim replaces product owners with threat intelligence folks.
<br>
<br>

This unique approach towards managing a security program means that all decisions are threat-informed, and that small incremental wins are a constant.
<br>
<br>

But Tim does not stop there.  Anyone on the team can create and manage a story to address any specific and immediate security need...
<br>
<br>

Key Takeaways
<br>
<br>

1:10 Tim’s background and day job
<br>

2:08 JetBlue
<br>

2:39 Introduction of Agile
<br>

3:57 Tim’s approach
<br>

6:15 How Agile is used
<br>

8:31 Threats addressed
<br>

9:46 Story sourcing
<br>

11:03 Creating the story
<br>

12:48 Narrative skill
<br>

14:08 Metrics
<br>

15:53 Risk management aspect
<br>

19:00 Not using risk
<br>

21:38 Positives
<br>

23:20 What keeps Tim going in cyber
<br>

24:42 What Tim is looking forward to in cyber
<br>
<br>

Links:
<br>
<br>

Learn more about Tim on <a href='https://www.linkedin.com/in/timrohrbaugh/'>LinkedIn</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/8e3omu/the-cyber-ranch-podcast_0091e646-13d9-4b96-b12f-12827327a84f.mp3" length="49404032" type="audio/mpeg"/>
        <itunes:summary><![CDATA[On today’s episode with Allan, we have Tim Rohrbaugh, CISO at JetBlue, here to talk about Agile methodology and how it can be applied to an entire security program.

Tim got into cyber through the military.  From the military he went into consulting and ended up at JetBlue.  At JetBlue he is always trying to find ways to invest dollars in security programs to balance what is going on.  Along with that, he strives to keep his team motivated and moving forward.

Agile is a software programming methodology, and it replaced Waterfall.  Waterfall was the traditional model of development, where large chunks of code had to flow from developers to QA, back to developers several times, and finally to release.

Agile, on the other hand, works off user-centric stories, which roll up to bigger stories called epics.  Stories are small, discrete goals, met with smaller, discrete chunks of code released in what are called 'sprints'.  QA is very rapid as well, leading to rapid release.  Agile is characterized by daily 'standup meetings' where literally nobody sits in an effort to keep the meetings as short as possible.

In Agile, product owners come up with ideas and thread those through marketing and development.  In applying this paradigm to running a security team, Tim replaces product owners with threat intelligence folks.

This unique approach towards managing a security program means that all decisions are threat-informed, and that small incremental wins are a constant.

But Tim does not stop there.  Anyone on the team can create and manage a story to address any specific and immediate security need...

Key Takeaways

1:10 Tim’s background and day job

2:08 JetBlue

2:39 Introduction of Agile

3:57 Tim’s approach

6:15 How Agile is used

8:31 Threats addressed

9:46 Story sourcing

11:03 Creating the story

12:48 Narrative skill

14:08 Metrics

15:53 Risk management aspect

19:00 Not using risk

21:38 Positives

23:20 What keeps Tim going in cyber

24:42 What Tim is looking forward to in cyber

Links:

Learn more about Tim on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1543</itunes:duration>
                <itunes:episode>26</itunes:episode>
                    </item>
    <item>
        <title>All About Analysts w/ Christina Richmond</title>
        <itunes:title>All About Analysts w/ Christina Richmond</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/all-about-analysts-w-christina-richmond/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/all-about-analysts-w-christina-richmond/#comments</comments>        <pubDate>Wed, 30 Jun 2021 05:20:00 -0500</pubDate>
        <guid isPermaLink="false">08c04440-0267-4b68-b4f5-9038752bcf60</guid>
                                    <description><![CDATA[With us today is Christina Richmond, Program Vice President at IDC. She's an industry analyst, and she's here to talk to us all about the analyst lifestyle.



Allan starts the episode asking Christina to share all about how she got into cyber and what her day job is like. Christina actually began by working in the storage space, and discovered security. To her it was like a drug. What does she do throughout her days? She partakes in hundreds and hundreds of calls with companies who need help with launches and marketing, specifically in growing areas of cybersecurity. In essence, there is a lot to being an analyst. But to be successful, you have to be curious!



The best way to put Christina’s job in words is “learning the whole from the parts.” She talks with individual players, studies market trends, and then circles around again to piece it together. One big feedback loop.



On a side note, Christina would like everyone to know she is looking to hire at the director level! If you know anyone, send them her way. There are certain aspects necessary, and they are: First, understanding the technology. Next, either having been an analyst before or being in market research of some kind. Finally, the soft skills or executive presence.



Christina admits she is not a technologist, but she also says there's a benefit to having a non-technologist covering this space. She thinks it's important to know that analysts take all shapes and sizes, and there is a benefit from bringing in somebody who thinks about the market differently.



In one word, she describes the plight of the analyst as “overwhelmed”. There aren’t enough people, and some people just don’t have enough skills. The skills gap is real. One of the top skills that is missing for practitioners is cloud security, and that is true for analysts as well.



The bottom line for Christina is helping; it is her favorite thing to do. When it comes to changing things, Christina wouldn't throw anything out but would have more people doing more of the work. Because really, there is a resource shortage in the analyst realm.



Finally, Allan asks the one question he asks of all his guests, “What keeps you going in cyber, why do you hop out of bed in the morning, jump in your shoes and say, all right, another day of cyber?”



Christina responds, “Every day, there's a new breach, every day someone is suffering because a Florida Water system was poisoned or because the oil the gas pipeline has been interrupted, and we're not going to have gas at our gas stations or because you name it. There are so many reasons to get up every morning. And, I think every cyber security person needs a mission. I'm here to help, I'm the one helping make sure the message gets out. And that's really important to me.”



Key Takeaways



1:17 Christina’s background


3:02 An analyst’s day job


6:02 Learning the whole from the parts


7:46 We’re hiring


11:02 Staying informed and in the game


13:05 Non-technologist


14:22 Plight of the analyst


16:38 Favorite part of the job


18:44 What would Christina change


19:35 How to get the best engagement


23:11 Storytime


25:55 What keeps Christina going



Links:



Learn more about Christina on <a href='https://www.linkedin.com/in/christinarichmond/'>LinkedIn</a> and <a href='https://twitter.com/Xtina_Richmond'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></description>
                                                            <content:encoded><![CDATA[With us today is Christina Richmond, Program Vice President at IDC. She's an industry analyst, and she's here to talk to us all about the analyst lifestyle.
<br>
<br>

Allan starts the episode asking Christina to share all about how she got into cyber and what her day job is like. Christina actually began by working in the storage space, and discovered security. To her it was like a drug. What does she do throughout her days? She partakes in hundreds and hundreds of calls with companies who need help with launches and marketing, specifically in growing areas of cybersecurity. In essence, there is a lot to being an analyst. But to be successful, you have to be curious!
<br>
<br>

The best way to put Christina’s job in words is “learning the whole from the parts.” She talks with individual players, studies market trends, and then circles around again to piece it together. One big feedback loop.
<br>
<br>

On a side note, Christina would like everyone to know she is looking to hire at the director level! If you know anyone, send them her way. There are certain aspects necessary, and they are: First, understanding the technology. Next, either having been an analyst before or being in market research of some kind. Finally, the soft skills or executive presence.
<br>
<br>

Christina admits she is not a technologist, but she also says there's a benefit to having a non-technologist covering this space. She thinks it's important to know that analysts take all shapes and sizes, and there is a benefit from bringing in somebody who thinks about the market differently.
<br>
<br>

In one word, she describes the plight of the analyst as “overwhelmed”. There aren’t enough people, and some people just don’t have enough skills. The skills gap is real. One of the top skills that is missing for practitioners is cloud security, and that is true for analysts as well.
<br>
<br>

The bottom line for Christina is helping; it is her favorite thing to do. As for what she would change, Christina wouldn't throw anything out but would have more people doing more of the work, because there really is a resource shortage in the analyst realm.
<br>
<br>

Finally, Allan asks the one question he asks of all his guests: “What keeps you going in cyber? Why do you hop out of bed in the morning, jump in your shoes and say, all right, another day of cyber?”
<br>
<br>

Christina responds, “Every day, there's a new breach. Every day someone is suffering because a Florida water system was poisoned, or because the oil and gas pipeline has been interrupted and we're not going to have gas at our gas stations, or because, you name it. There are so many reasons to get up every morning. And I think every cybersecurity person needs a mission. I'm here to help, I'm the one helping make sure the message gets out. And that's really important to me.”
<br>
<br>

Key Takeaways
<br>
<br>

1:17 Christina’s background
<br>

3:02 An analyst’s day job
<br>

6:02 Learning the whole from the parts
<br>

7:46 We’re hiring
<br>

11:02 Staying informed and in the game
<br>

13:05 Non-technologist
<br>

14:22 Plight of the analyst
<br>

16:38 Favorite part of the job
<br>

18:44 What would Christina change
<br>

19:35 How to get the best engagement
<br>

23:11 Storytime
<br>

25:55 What keeps Christina going
<br>
<br>

Links:
<br>
<br>

Learn more about Christina on <a href='https://www.linkedin.com/in/christinarichmond/'>LinkedIn</a> and <a href='https://twitter.com/Xtina_Richmond'>Twitter</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/r3g00d/the-cyber-ranch-podcast_08c04440-0267-4b68-b4f5-9038752bcf60.mp3" length="53040998" type="audio/mpeg"/>
        <itunes:summary><![CDATA[With us today is Christina Richmond program Vice President at IDC. She's an industry analyst, and she's here to talk to us all about the analyst lifestyle.

Allan starts the episode by asking Christina how she got into cyber and what her day job is like. Christina began in the storage space and then discovered security; to her it was like a drug. What does she do throughout her days? She takes part in hundreds and hundreds of calls with companies that need help with launches and marketing, specifically in growing areas of cybersecurity. In short, there is a lot to being an analyst, but to be successful you have to be curious!

The best way to put Christina’s job in words is “learning the whole from the parts.” She talks with individual players, studies market trends, and then circles around again to piece it together: one big feedback loop.

On a side note, Christina would like everyone to know she is looking to hire at the director level! If you know anyone, send them her way. The requirements: first, understanding the technology; next, having been an analyst before or having a background in market research of some kind; finally, the soft skills, or executive presence.

Christina admits she is not a technologist, but she also says there's a benefit to having a non-technologist covering this space. She thinks it's important to know that analysts take all shapes and sizes, and there is a benefit from bringing in somebody who thinks about the market differently.

In one word, she describes the plight of the analyst as “overwhelmed”. There aren’t enough people, and some people just don’t have enough skills. The skills gap is real. One of the top skills that is missing for practitioners is cloud security, and that is true for analysts as well.

The bottom line for Christina is helping; it is her favorite thing to do. As for what she would change, Christina wouldn't throw anything out but would have more people doing more of the work, because there really is a resource shortage in the analyst realm.

Finally, Allan asks the one question he asks of all his guests: “What keeps you going in cyber? Why do you hop out of bed in the morning, jump in your shoes and say, all right, another day of cyber?”

Christina responds, “Every day, there's a new breach. Every day someone is suffering because a Florida water system was poisoned, or because the oil and gas pipeline has been interrupted and we're not going to have gas at our gas stations, or because, you name it. There are so many reasons to get up every morning. And I think every cybersecurity person needs a mission. I'm here to help, I'm the one helping make sure the message gets out. And that's really important to me.”

Key Takeaways

1:17 Christina’s background

3:02 An analyst’s day job

6:02 Learning the whole from the parts

7:46 We’re hiring

11:02 Staying informed and in the game

13:05 Non-technologist

14:22 Plight of the analyst

16:38 Favorite part of the job

18:44 What would Christina change

19:35 How to get the best engagement

23:11 Storytime

25:55 What keeps Christina going

Links:

Learn more about Christina on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1657</itunes:duration>
                <itunes:episode>25</itunes:episode>
                    </item>
    <item>
        <title>The Journey to Passwordless Authentication w/ Derly Gutierrez</title>
        <itunes:title>The Journey to Passwordless Authentication w/ Derly Gutierrez</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-journey-to-passwordless-authentication-w-derly-gutierrez/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-journey-to-passwordless-authentication-w-derly-gutierrez/#comments</comments>        <pubDate>Wed, 23 Jun 2021 05:20:00 -0500</pubDate>
        <guid isPermaLink="false">5bd55b71-5eb0-4ba5-8103-866668e417ec</guid>
<description><![CDATA[With us today is Derly Gutierrez, Head of Security at 1010 Data and a veteran. Derly is here to talk about the journey to passwordless authentication and the flaws and strengths of today's authentication methods.



Allan and Derly refer to studies and surveys about the problems with passwords and the challenges of implementing passwordless approaches.



Derly emphasizes the need for other complementary technologies such as Role-Based Access Control (RBAC), Privileged Access Management (PAM), and system-to-system communications.



The two discuss corporate and personal use of passwordless solutions, legal precedent, and the future of passwordless approaches.



Key Takeaways



1:14 How Derly got into cyber


1:58 About Derly's day job as Head of Security


2:34 Allan quotes the 2017 Verizon DBIR on how many breaches involve weak or stolen passwords


3:35 Allan cites NIST SP 800-63B


4:15 Derly talks about CAC cards in the US DoD


4:50 Derly sides with vendor innovations over NIST guidance


5:56 Allan clarifies the distinction between PINs and passwords


6:52 Derly points out the flaws with biometrics in terms of reliability and assurance


9:09 Allan cites a survey regarding WHY organizations choose passwordless


9:52 How many 'passwordless' solutions still include shared secrets


10:38 Derly talks about corporate vs. personal passwordless solutions and shared secrets as backup for reliability issues


11:37 Derly emphasizes a lack of RBAC and PAM foiling all authentication approaches


13:06 Allan points out the value of Identity and Access Management solutions


13:44 Allan references three vendor approaches towards passwordless for legacy systems such as RADIUS


14:50 Derly takes these methods apart


16:05 Many companies are not doing Role-Based Access Control, system-to-system communication and Privileged Access Management correctly


17:02 Allan brings up the presence of push attacks


17:38 Allan's definition of true passwordless authentication


17:56 Derly's definition of true passwordless authentication


21:29 For personal use of biometrics, Allan brings up a disturbing precedent of law enforcement accessing an individual's phone with forced facial recognition


23:17 Derly emphasizes that applications on your phone should have a different authentication factor than access to the phone itself


23:47 "Your home is your castle" has become "Your phone is your castle"


25:06 Allan cites one last survey as to how many of us really are passwordless


26:02 How long before we get to passwordless?


28:06 What keeps Derly going in cyber



Links:



Learn more about Derly on <a href='https://www.linkedin.com/in/derlyg/'>LinkedIn</a> and <a href='https://twitter.com/DerlyG_CloudSEC'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></description>
<content:encoded><![CDATA[With us today is Derly Gutierrez, Head of Security at 1010 Data and a veteran. Derly is here to talk about the journey to passwordless authentication and the flaws and strengths of today's authentication methods.
<br>
<br>

Allan and Derly refer to studies and surveys about the problems with passwords and the challenges of implementing passwordless approaches.
<br>
<br>

Derly emphasizes the need for other complementary technologies such as Role-Based Access Control (RBAC), Privileged Access Management (PAM), and system-to-system communications.
<br>
<br>

The two discuss corporate and personal use of passwordless solutions, legal precedent, and the future of passwordless approaches.
<br>
<br>

Key Takeaways
<br>
<br>

1:14 How Derly got into cyber
<br>

1:58 About Derly's day job as Head of Security
<br>

2:34 Allan quotes the 2017 Verizon DBIR on how many breaches involve weak or stolen passwords
<br>

3:35 Allan cites NIST SP 800-63B
<br>

4:15 Derly talks about CAC cards in the US DoD
<br>

4:50 Derly sides with vendor innovations over NIST guidance
<br>

5:56 Allan clarifies the distinction between PINs and passwords
<br>

6:52 Derly points out the flaws with biometrics in terms of reliability and assurance
<br>

9:09 Allan cites a survey regarding WHY organizations choose passwordless
<br>

9:52 How many 'passwordless' solutions still include shared secrets
<br>

10:38 Derly talks about corporate vs. personal passwordless solutions and shared secrets as backup for reliability issues
<br>

11:37 Derly emphasizes a lack of RBAC and PAM foiling all authentication approaches
<br>

13:06 Allan points out the value of Identity and Access Management solutions
<br>

13:44 Allan references three vendor approaches towards passwordless for legacy systems such as RADIUS
<br>

14:50 Derly takes these methods apart
<br>

16:05 Many companies are not doing Role-Based Access Control, system-to-system communication and Privileged Access Management correctly
<br>

17:02 Allan brings up the presence of push attacks
<br>

17:38 Allan's definition of true passwordless authentication
<br>

17:56 Derly's definition of true passwordless authentication
<br>

21:29 For personal use of biometrics, Allan brings up a disturbing precedent of law enforcement accessing an individual's phone with forced facial recognition
<br>

23:17 Derly emphasizes that applications on your phone should have a different authentication factor than access to the phone itself
<br>

23:47 "Your home is your castle" has become "Your phone is your castle"
<br>

25:06 Allan cites one last survey as to how many of us really are passwordless
<br>

26:02 How long before we get to passwordless?
<br>

28:06 What keeps Derly going in cyber
<br>
<br>
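
The point made at 9:52 above, that many "passwordless" products still rest on a shared secret, in working code. This is an added illustration, not code from the episode, from Derly or Allan, or from 1010 Data; the usernames, seeds and in-memory "server databases" are constructed for the demo, and a Lamport one-time signature stands in for the ECDSA/Ed25519 key a FIDO2/WebAuthn authenticator would hold, only so that the example runs on the Python standard library alone. A TOTP server stores exactly the seed the user's app stores, so dumping its database lets an attacker mint valid codes; a challenge-response server stores a public key, so the same dump yields nothing that passes verification, and a captured signature fails against the next nonce.

```python
"""Shared-secret OTP login vs. public-key challenge-response login.

Added illustration; not code from the episode, its guests, or 1010 Data.
Usernames, seeds and the 'server database' dicts are constructed for the demo.
The Lamport one-time signature stands in for the ECDSA/Ed25519 credential a
FIDO2/WebAuthn authenticator would use, purely so this runs on the standard
library alone.
"""
import hashlib
import hmac
import secrets
import struct

TOTP_STEP = 30


def totp(seed: bytes, timestamp: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", timestamp // TOTP_STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpServer:
    """'Passwordless' OTP login: the server keeps the same seed the user's app keeps."""

    def __init__(self):
        self.db = {}  # username -> seed, i.e. a shared secret

    def enroll(self, user: str, seed: bytes) -> None:
        self.db[user] = seed

    def login(self, user: str, code: str, timestamp: int) -> bool:
        return hmac.compare_digest(totp(self.db[user], timestamp), code)


def lamport_keygen(bits: int = 256):
    """Private key: two random preimages per message bit. Public key: their SHA-256 hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(bits)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk


def _bits(message: bytes):
    digest = hashlib.sha256(message).digest()
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, message: bytes):
    """Reveal one preimage per bit of SHA-256(message). A Lamport key signs ONCE only."""
    return [sk[i][bit] for i, bit in enumerate(_bits(message))]


def lamport_verify(pk, message: bytes, sig) -> bool:
    if len(sig) != len(pk):
        return False
    return all(hashlib.sha256(pre).digest() == pk[i][bit]
               for i, (pre, bit) in enumerate(zip(sig, _bits(message))))


class ChallengeServer:
    """True passwordless: the server stores a public key and a fresh nonce per attempt."""

    def __init__(self):
        self.db = {}       # username -> public key; nothing secret to steal
        self.pending = {}  # username -> outstanding nonce

    def enroll(self, user: str, pk) -> None:
        self.db[user] = pk

    def challenge(self, user: str) -> bytes:
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return nonce

    def login(self, user: str, sig) -> bool:
        nonce = self.pending.pop(user, None)  # single use: a replay finds no nonce to match
        return nonce is not None and lamport_verify(self.db[user], nonce, sig)


def run_demo(now: int = 1_700_000_000) -> dict:
    """Both servers get their store dumped; only the shared-secret one is then forgeable."""
    out = {}

    otp_srv = TotpServer()
    seed = secrets.token_bytes(20)               # constructed enrollment seed
    otp_srv.enroll("alice", seed)
    out["otp_user_login"] = otp_srv.login("alice", totp(seed, now), now)
    stolen_seed = otp_srv.db["alice"]            # attacker reads the server's store
    out["otp_attacker_after_dump"] = otp_srv.login(
        "alice", totp(stolen_seed, now + TOTP_STEP), now + TOTP_STEP)

    pk_srv = ChallengeServer()
    sk, pk = lamport_keygen()
    pk_srv.enroll("alice", pk)
    sig = lamport_sign(sk, pk_srv.challenge("alice"))
    out["pk_user_login"] = pk_srv.login("alice", sig)
    pk_srv.challenge("alice")                    # attacker captured sig and replays it
    out["pk_attacker_replay"] = pk_srv.login("alice", sig)
    pk_srv.challenge("alice")                    # attacker dumped the store: hashes only
    forged = [hashes[0] for hashes in pk_srv.db["alice"]]
    out["pk_attacker_after_dump"] = pk_srv.login("alice", forged)
    return out


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Running the file prints the five results: both user logins succeed, the attacker with the dumped TOTP seed also succeeds, and neither the replay nor the dump-based forgery passes the challenge server. Lamport keys are single-use (each signature discloses half the private key), so a real deployment uses a reusable signature key; what carries over is the design point: the verifier the server stores must not be the credential the user presents.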

Links:
<br>
<br>

Learn more about Derly on <a href='https://www.linkedin.com/in/derlyg/'>LinkedIn</a> and <a href='https://twitter.com/DerlyG_CloudSEC'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/nyq9l1/the-cyber-ranch-podcast_5bd55b71-5eb0-4ba5-8103-866668e417ec.mp3" length="55500073" type="audio/mpeg"/>
<itunes:summary><![CDATA[With us today is Derly Gutierrez, Head of Security at 1010 Data and a veteran. Derly is here to talk about the journey to passwordless authentication and the flaws and strengths of today's authentication methods.

Allan and Derly refer to studies and surveys about the problems with passwords and the challenges of implementing passwordless approaches.

Derly emphasizes the need for other complementary technologies such as Role-Based Access Control (RBAC), Privileged Access Management (PAM), and system-to-system communications.

The two discuss corporate and personal use of passwordless solutions, legal precedent, and the future of passwordless approaches.

Key Takeaways

1:14 How Derly got into cyber

1:58 About Derly's day job as Head of Security

2:34 Allan quotes the 2017 Verizon DBIR on how many breaches involve weak or stolen passwords

3:35 Allan cites NIST SP 800-63B

4:15 Derly talks about CAC cards in the US DoD

4:50 Derly sides with vendor innovations over NIST guidance

5:56 Allan clarifies the distinction between PINs and passwords

6:52 Derly points out the flaws with biometrics in terms of reliability and assurance

9:09 Allan cites a survey regarding WHY organizations choose passwordless

9:52 How many 'passwordless' solutions still include shared secrets

10:38 Derly talks about corporate vs. personal passwordless solutions and shared secrets as backup for reliability issues

11:37 Derly emphasizes a lack of RBAC and PAM foiling all authentication approaches

13:06 Allan points out the value of Identity and Access Management solutions

13:44 Allan references three vendor approaches towards passwordless for legacy systems such as RADIUS

14:50 Derly takes these methods apart

16:05 Many companies are not doing Role-Based Access Control, system-to-system communication and Privileged Access Management correctly

17:02 Allan brings up the presence of push attacks

17:38 Allan's definition of true passwordless authentication

17:56 Derly's definition of true passwordless authentication

21:29 For personal use of biometrics, Allan brings up a disturbing precedent of law enforcement accessing an individual's phone with forced facial recognition

23:17 Derly emphasizes that applications on your phone should have a different authentication factor than access to the phone itself

23:47 "Your home is your castle" has become "Your phone is your castle"

25:06 Allan cites one last survey as to how many of us really are passwordless

26:02 How long before we get to passwordless?

28:06 What keeps Derly going in cyber

Links:

Learn more about Derly on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1734</itunes:duration>
                <itunes:episode>24</itunes:episode>
                    </item>
    <item>
        <title>Application Security w/ Taylor Lehmann</title>
        <itunes:title>Application Security w/ Taylor Lehmann</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/application-security-w-taylor-lehmann/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/application-security-w-taylor-lehmann/#comments</comments>        <pubDate>Wed, 16 Jun 2021 05:07:00 -0500</pubDate>
        <guid isPermaLink="false">354d7016-d3f1-46d8-adc5-9dd9d6bd772a</guid>
<description><![CDATA[With us today is Taylor Lehmann, former CISO several times over in the healthcare sector, and currently Americas leader for security, networking, identity, and compliance solution architecture at AWS.



Taylor and Allan talk about application security: why it's important, who are the personas, the value of threat modeling, infrastructure as code, how to get started, and relationships with developers.



Taylor, a Boston boy, starts the show trying to say "Howdy!" correctly.  Taylor started at PwC and grew into a healthcare CISO.  He has now transitioned to AWS.



Key Takeaways



1:40 How Taylor got into Cyber


2:58 Taylor’s day job


4:30 Appsec Defined


5:49 Taylor's favorite appsec frameworks


7:48 Why appsec is important


8:55 The personas and roles


11:22 Security training in appsec


12:27 Threat modeling


15:11 Infrastructure as code


20:46 How to get started in appsec


24:12 Devs already know and care about security


25:38 Where does the trope come from that devs don't care?


26:52 Why "DevSecOps" is a bad term


28:00 What keeps Taylor going in cybersecurity



Links:



Learn more about Taylor on <a href='https://www.linkedin.com/in/tlehmanncyber/'>LinkedIn</a> and <a href='https://twitter.com/BostonCyberGuy'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></description>
<content:encoded><![CDATA[With us today is Taylor Lehmann, former CISO several times over in the healthcare sector, and currently Americas leader for security, networking, identity, and compliance solution architecture at AWS.
<br>
<br>

Taylor and Allan talk about application security: why it's important, who are the personas, the value of threat modeling, infrastructure as code, how to get started, and relationships with developers.
<br>
<br>

Taylor, a Boston boy, starts the show trying to say "Howdy!" correctly.  Taylor started at PwC and grew into a healthcare CISO.  He has now transitioned to AWS.
<br>
<br>

Key Takeaways
<br>
<br>

1:40 How Taylor got into Cyber
<br>

2:58 Taylor’s day job
<br>

4:30 Appsec Defined
<br>

5:49 Taylor's favorite appsec frameworks
<br>

7:48 Why appsec is important
<br>

8:55 The personas and roles
<br>

11:22 Security training in appsec
<br>

12:27 Threat modeling
<br>

15:11 Infrastructure as code
<br>

20:46 How to get started in appsec
<br>

24:12 Devs already know and care about security
<br>

25:38 Where does the trope come from that devs don't care?
<br>

26:52 Why "DevSecOps" is a bad term
<br>

28:00 What keeps Taylor going in cybersecurity
<br>
<br>

Links:
<br>
<br>

Learn more about Taylor on <a href='https://www.linkedin.com/in/tlehmanncyber/'>LinkedIn</a> and <a href='https://twitter.com/BostonCyberGuy'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/a84pih/the-cyber-ranch-podcast_354d7016-d3f1-46d8-adc5-9dd9d6bd772a.mp3" length="55834908" type="audio/mpeg"/>
<itunes:summary><![CDATA[With us today is Taylor Lehmann, former CISO several times over in the healthcare sector, and currently Americas leader for security, networking, identity, and compliance solution architecture at AWS.

Taylor and Allan talk about application security: why it's important, who are the personas, the value of threat modeling, infrastructure as code, how to get started, and relationships with developers.

Taylor, a Boston boy, starts the show trying to say "Howdy!" correctly.  Taylor started at PwC and grew into a healthcare CISO.  He has now transitioned to AWS.

Key Takeaways

1:40 How Taylor got into Cyber

2:58 Taylor’s day job

4:30 Appsec Defined

5:49 Taylor's favorite appsec frameworks

7:48 Why appsec is important

8:55 The personas and roles

11:22 Security training in appsec

12:27 Threat modeling

15:11 Infrastructure as code

20:46 How to get started in appsec

24:12 Devs already know and care about security

25:38 Where does the trope come from that devs don't care?

26:52 Why "DevSecOps" is a bad term

28:00 What keeps Taylor going in cybersecurity

Links:

Learn more about Taylor on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1744</itunes:duration>
                <itunes:episode>23</itunes:episode>
                    </item>
    <item>
        <title>Solving The Global Cyber Problem w/ Ian Thornton-Trump</title>
        <itunes:title>Solving The Global Cyber Problem w/ Ian Thornton-Trump</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/solving-the-global-cyber-problem-w-ian-thorton-trump/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/solving-the-global-cyber-problem-w-ian-thorton-trump/#comments</comments>        <pubDate>Wed, 09 Jun 2021 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">d6c26489-bd01-4554-8c2f-e910a34d08e8</guid>
                                    <description><![CDATA[With us today is Ian Thornton-Trump, Chief Information Security Officer at Cyjax and an ITIL-certified IT professional with 25 years of experience in IT security and information technology.



Ian shares his background which started back in the Canadian military.  During those times, "IT" was called "automated data processing", and it is quite clear how far this has advanced.  He joined the Royal Canadian Mounted Police and spent a year working on criminal intelligence.  Soon after he became a consultant and made his way to the UK in 2015.



Oftentimes organizations have not planned or prepared for risk, and that includes cyber.  In that sense Ian finds cyber eerily similar to environmental and infrastructure problems: a lot of the problems created in cyber mimic the environmental problems we face in today’s world.  One example is the recent failure of the Texas power grid during a very harsh winter.  Investment in cybersecurity is critical.



Allan feels that while there are a lot of environmental laws, there are also already some pretty strict cyber laws.  However, they seem aimed at anonymous or extrajurisdictional perpetrators and end up useless when that anonymity is involved.  And some cyber laws seem to punish the victim as well: after suffering ransomware, you are now penalized for not being prepared for it in the first place?  How can we get laws in place that help the situation rather than blame the victim?



Ian suggests that positive incentives are the answer.  If we can just get companies to do a bare minimum of cyber hygiene by incentivizing them through tax breaks, Ian thinks we could move the ball forward, without making it too onerous, to meet some sort of regulatory standard.  How do we extend our reach?  Because at the end of the day, the root cause is the “bad guys”, so how do we get to them?  America is already doing a lot, but other countries need to put their money where their mouth is.



Ian and Allan discuss President Biden's Executive Order on Cybersecurity, which can enforce behavior in the government but only suggest behavior in the private sector.  To sum up: we're nowhere, and we need to get somewhere, because what we've done at the federal and state level in the United States is take a lot of dollars, put them in parking lots, and set fire to them.  And then, after we finished that exercise, we asked for more dollars.  We have to change the entire system from the ground up, and we have to incentivize cybersecurity.



Key Takeaways



1:10 How Ian got into Cyber


2:21 Ian’s day job


4:18 Issues with infrastructure and environment


7:38 Meaningful laws


12:47 Getting to the bad guys


16:35 Catching “Fred Smith” or someone like him


17:43 Rewards


21:17 Preparedness and helplessness


23:43 Einstein program


26:24 What keeps Ian going



Links:



Learn more about Ian Thornton-Trump on <a href='https://www.linkedin.com/in/ian-thornton-trump-cd-77473a26/'>LinkedIn</a> and <a href='https://twitter.com/phat_hobbit'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></description>
                                                            <content:encoded><![CDATA[With us today is Ian Thornton-Trump, Chief Information Security Officer at Cyjax and an ITIL-certified IT professional with 25 years of experience in IT security and information technology.
<br>
<br>

Ian shares his background which started back in the Canadian military.  During those times, "IT" was called "automated data processing", and it is quite clear how far this has advanced.  He joined the Royal Canadian Mounted Police and spent a year working on criminal intelligence.  Soon after he became a consultant and made his way to the UK in 2015.
<br>
<br>

Oftentimes organizations have not planned or prepared for risk, and that includes cyber.  In that sense Ian finds cyber eerily similar to environmental and infrastructure problems: a lot of the problems created in cyber mimic the environmental problems we face in today’s world.  One example is the recent failure of the Texas power grid during a very harsh winter.  Investment in cybersecurity is critical.
<br>
<br>

Allan feels that while there are a lot of environmental laws, there are also already some pretty strict cyber laws.  However, they seem aimed at anonymous or extrajurisdictional perpetrators and end up useless when that anonymity is involved.  And some cyber laws seem to punish the victim as well: after suffering ransomware, you are now penalized for not being prepared for it in the first place?  How can we get laws in place that help the situation rather than blame the victim?
<br>
<br>

Ian suggests that positive incentives are the answer.  If we can just get companies to do a bare minimum of cyber hygiene by incentivizing them through tax breaks, Ian thinks we could move the ball forward, without making it too onerous, to meet some sort of regulatory standard.  How do we extend our reach?  Because at the end of the day, the root cause is the “bad guys”, so how do we get to them?  America is already doing a lot, but other countries need to put their money where their mouth is.
<br>
<br>

Ian and Allan discuss President Biden's Executive Order on Cybersecurity, which can enforce behavior in the government but only suggest behavior in the private sector.  To sum up: we're nowhere, and we need to get somewhere, because what we've done at the federal and state level in the United States is take a lot of dollars, put them in parking lots, and set fire to them.  And then, after we finished that exercise, we asked for more dollars.  We have to change the entire system from the ground up, and we have to incentivize cybersecurity.
<br>
<br>

Key Takeaways
<br>
<br>

1:10 How Ian got into Cyber
<br>

2:21 Ian’s day job
<br>

4:18 Issues with infrastructure and environment
<br>

7:38 Meaningful laws
<br>

12:47 Getting to the bad guys
<br>

16:35 Catching “Fred Smith” or someone like him
<br>

17:43 Rewards
<br>

21:17 Preparedness and helplessness
<br>

23:43 Einstein program
<br>

26:24 What keeps Ian going
<br>
<br>

Links:
<br>
<br>

Learn more about Ian Thornton-Trump on <a href='https://www.linkedin.com/in/ian-thornton-trump-cd-77473a26/'>LinkedIn</a> and <a href='https://twitter.com/phat_hobbit'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/qatgld/the-cyber-ranch-podcast_d6c26489-bd01-4554-8c2f-e910a34d08e8.mp3" length="55347268" type="audio/mpeg"/>
        <itunes:summary><![CDATA[With us today is Ian Thornton-Trump, Chief Information Security Officer at Cyjax and an ITIL-certified IT professional with 25 years of experience in IT security and information technology.

Ian shares his background which started back in the Canadian military.  During those times, "IT" was called "automated data processing", and it is quite clear how far this has advanced.  He joined the Royal Canadian Mounted Police and spent a year working on criminal intelligence.  Soon after he became a consultant and made his way to the UK in 2015.

Oftentimes organizations have not planned or prepared for risk, and that includes cyber.  In that sense Ian finds cyber eerily similar to environmental and infrastructure problems: a lot of the problems created in cyber mimic the environmental problems we face in today’s world.  One example is the recent failure of the Texas power grid during a very harsh winter.  Investment in cybersecurity is critical.

Allan feels there are a lot of environmental laws, and there are already some pretty strict cyber laws as well.  However, they seem aimed at anonymous or extrajurisdictional perpetrators and end up useless once that anonymity is involved.  And some cyber laws seem to punish the victim as well: after suffering ransomware, you are now penalized for not being prepared for it in the first place? How can we get laws in place that help the situation rather than blaming the victim?

Ian suggests that positive incentives are the answer.  If we can just get companies to do a bare minimum of cyber hygiene by incentivizing them through tax breaks, Ian thinks we could move the ball forward, without making it too onerous, to meet some sort of regulatory standard.  How do we possibly extend our reach? Because at the end of the day, the root cause is the “bad guys”, so how do we get to them?  America is already doing a lot, but other countries need to put their money where their mouth is.

Ian and Allan discuss President Biden's Executive Order on Cybersecurity.  This can enforce behavior in the government, but only suggest behavior in the private sector. To sum up, we're nowhere, and we need to get somewhere because what we've done, at the federal and state level in the United States, is taken a lot of dollars, put them in parking lots, and set fire to them. And then after we finished that exercise, we asked for more dollars. We have to change the entire system from the ground up. And we have to incentivize cyber security.

Key Takeaways

1:10 How Ian got into Cyber

2:21 Ian’s day job

4:18 Issues with infrastructure and environment

7:38 Meaningful laws

12:47 Getting to the bad guys

16:35 Catching “Fred Smith” or someone like him

17:43 Rewards

21:17 Preparedness and helplessness

23:43 Einstein program

26:24 What keeps Ian going

Links:

Learn more about Ian Thornton-Trump on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1729</itunes:duration>
                <itunes:episode>22</itunes:episode>
                    </item>
    <item>
        <title>FAIR from the Trenches w/ Drew Brown</title>
        <itunes:title>FAIR from the Trenches w/ Drew Brown</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/fair-from-the-trenches-w-drew-brown/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/fair-from-the-trenches-w-drew-brown/#comments</comments>        <pubDate>Wed, 02 Jun 2021 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">dde73d45-e926-4351-965b-d4d3302c382b</guid>
                                    <description><![CDATA[With us today is Drew Brown, IT Security Manager at the Commonwealth of Pennsylvania. Drew is here to talk about FAIR and his real-world usage of it and testing it in the trenches.



Drew shares a little bit about his background in cyber and a little bit about his day job. He spent 15 years in IT, which opened the door for him to become the CISO for one of the state agencies. Now his title is IT Security Manager, but essentially he is responsible for communicating security and risk, and for working within a law enforcement agency to make sure that what is implemented is secure, is compliant, and meets all of the agency's objectives.



With FAIR, you start by asking some very basic questions: What is the asset? What is the thing of value that you're trying to protect? Once you understand what that is, you then ask who is going to come after that asset: cyber criminals, nation state, some kind of industrial espionage, hacktivist, or whatever. Or maybe it's Doris in accounting. Either way, you start to work through who might come after that information.



The probability of a guy sitting in his basement ordering pizzas on your credit card is different from the probability of a nation state. On the impact side, FAIR looks at six different forms of loss: there is lost productivity, there is the cost of response (how much money are we going to spend, or have to spend, to resolve that loss event?), and so on.



The six forms of loss are productivity, response, replacement, fines and judgments, competitive advantage and reputation. We start looking at what those dollar amounts actually are. But we want to concern ourselves with the most likely and what's the loss magnitude at that most likely value? Now we can go to that executive and say, “Okay, do you want to build a new parking lot? Or do you want to resolve this risk?” Then we can have a business conversation about it.
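A worked example of the arithmetic in the paragraph above, added here by the editor; it is not from the episode, from Drew, or from the FAIR standard. It takes calibrated minimum / most likely / maximum estimates for loss event frequency and for each of the six forms of loss, runs a Monte Carlo simulation, and reports annualized loss exposure as a distribution (mean, median, 90th percentile) so the "parking lot or this risk" conversation has dollar figures behind it. The scenario, every dollar figure and every frequency are constructed for illustration; `Estimate`, `simulate` and `run_scenario` are hypothetical helpers, not FAIR tooling.

```python
import math
import random
import statistics
from dataclasses import dataclass

# The six forms of loss named in the FAIR model (and in the episode).
FAIR_LOSS_FORMS = (
    "productivity", "response", "replacement",
    "fines_and_judgments", "competitive_advantage", "reputation",
)


@dataclass(frozen=True)
class Estimate:
    """Calibrated three-point estimate: minimum, most likely, maximum."""
    low: float
    mode: float
    high: float

    def __post_init__(self):
        if not 0 <= self.low <= self.mode <= self.high:
            raise ValueError(f"bad estimate: {self}")

    def sample(self, rng: random.Random) -> float:
        # Triangular draw; FAIR tooling usually uses PERT, which takes the
        # same min / most likely / max inputs but has thinner tails.
        return rng.triangular(self.low, self.high, self.mode)


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in one year given an expected frequency lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def percentile(sorted_values: list, q: float) -> float:
    idx = min(len(sorted_values) - 1, int(q * len(sorted_values)))
    return sorted_values[idx]


def simulate(lef: Estimate, loss_forms: dict, trials: int = 10_000,
             seed: int = 1) -> dict:
    """Monte Carlo over one scenario: LEF x (sum of the six loss forms)."""
    unknown = set(loss_forms) - set(FAIR_LOSS_FORMS)
    if unknown:
        raise ValueError(f"not a FAIR loss form: {sorted(unknown)}")
    rng = random.Random(seed)          # fixed seed so the run is repeatable
    annual = []
    for _ in range(trials):
        events = poisson(rng, lef.sample(rng))
        year_total = 0.0
        for _ in range(events):
            # Each event draws every loss form independently and adds them up.
            year_total += sum(est.sample(rng) for est in loss_forms.values())
        annual.append(year_total)
    annual.sort()
    return {
        "trials": trials,
        "ale_mean": statistics.fmean(annual),   # annualized loss exposure
        "p50": percentile(annual, 0.50),
        "p90": percentile(annual, 0.90),
        "max": annual[-1],
        "p_any_loss": sum(1 for a in annual if a > 0) / trials,
    }


# Constructed scenario: credential stuffing against a customer portal.
# Frequency and dollar figures are illustrative, not from the episode.
SCENARIO_LEF = Estimate(0.1, 0.5, 1.2)          # loss events per year
SCENARIO_LOSSES = {
    "productivity":          Estimate(20_000, 50_000, 150_000),
    "response":              Estimate(10_000, 40_000, 100_000),
    "replacement":           Estimate(5_000, 15_000, 40_000),
    "fines_and_judgments":   Estimate(0, 0, 250_000),
    "competitive_advantage": Estimate(0, 10_000, 100_000),
    "reputation":            Estimate(0, 25_000, 200_000),
}


def run_scenario() -> dict:
    return simulate(SCENARIO_LEF, SCENARIO_LOSSES)


if __name__ == "__main__":
    r = run_scenario()
    print(f"mean annual loss  ${r['ale_mean']:,.0f}")
    print(f"median / 90th pct ${r['p50']:,.0f} / ${r['p90']:,.0f}")
    print(f"chance of any loss in a year {r['p_any_loss']:.0%}")
```

The "most likely" value Drew mentions is the `mode` of each estimate; the minimum and maximum bound the guess without forcing a precise number, which is the practical answer to the "we don't have enough data points" objection. Because the scenario's expected frequency is below one event per year, the median annual loss is zero while the mean and the 90th percentile are not, and that difference is exactly the kind of ratio a 5x5 matrix cannot express.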



Allan asks, “What drove you to FAIR?” Drew states that one of the biggest arguments against FAIR that he always hears is, “We don't have enough data points to do this." Drew decided FAIR can help make better decisions about risk. And that is the goal of FAIR anyway - to make better business decisions, better risk decisions.



Digging a little deeper, Allan asks, “Are you confident that it achieved the goals you set out to achieve with it?” In short, the answer is absolutely!



Where FAIR falls short also comes up.  After reflecting, Drew says that it is in the controls analysis piece.



Allan asks Drew what keeps him going in cyber. With a laugh, Drew gives a quick answer of "coffee" and then follows with, “I enjoy the relationship with my counterparts, and also establishing those relationships with the business and seeing the problems solved.”



What’s coming over the horizon? According to Drew, it’s seeing the normalizing of cybersecurity and making it less of a burden to hire new and diverse talent.



Key Takeaways



1:15 Drew shares his background and day job


2:20 FAIR model


2:56 How FAIR works


5:13 Probability


8:45 What drove you to FAIR


11:42 Goal of FAIR


13:30 Selling to the board


18:16 The honest hat


22:17 RSA announcement


23:32 What keeps Drew going


24:49 What Drew looks forward to



Links:



Learn more about Drew Brown on <a href='https://www.linkedin.com/in/drew-brown-8214675/'>LinkedIn</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>
]]></description>
                                                            <content:encoded><![CDATA[With us today is Drew Brown, IT Security Manager at the Commonwealth of Pennsylvania. Drew is here to talk about FAIR and his real-world usage of it and testing it in the trenches.
<br>
<br>

Drew shares a little bit about his background in cyber and a little bit about his day job. He spent 15 years in IT, which opened the door for him to become the CISO for one of the state agencies. Now his title is IT Security Manager, but essentially he is responsible for communicating security and risk, and for working within a law enforcement agency to make sure that what is implemented is secure, is compliant, and meets all of the agency's objectives.
<br>
<br>

With FAIR, you start by asking some very basic questions: What is the asset? What is the thing of value that you're trying to protect? Once you understand what that is, you then ask who is going to come after that asset: cyber criminals, nation state, some kind of industrial espionage, hacktivist, or whatever. Or maybe it's Doris in accounting. Either way, you start to work through who might come after that information.
<br>
<br>

The probability of a guy sitting in his basement ordering pizzas on your credit card is different from the probability of a nation state. On the impact side, FAIR looks at six different forms of loss: there is lost productivity, there is the cost of response (how much money are we going to spend, or have to spend, to resolve that loss event?), and so on.
<br>
<br>

The six forms of loss are productivity, response, replacement, fines and judgments, competitive advantage and reputation. We start looking at what those dollar amounts actually are. But we want to concern ourselves with the most likely and what's the loss magnitude at that most likely value? Now we can go to that executive and say, “Okay, do you want to build a new parking lot? Or do you want to resolve this risk?” Then we can have a business conversation about it.
<br>
<br>

Allan asks, “What drove you to FAIR?” Drew states that one of the biggest arguments against FAIR that he always hears is, “We don't have enough data points to do this." Drew decided FAIR can help make better decisions about risk. And that is the goal of FAIR anyway - to make better business decisions, better risk decisions.
<br>
<br>

Digging a little deeper, Allan asks, “Are you confident that it achieved the goals you set out to achieve with it?” In short, the answer is absolutely!
<br>
<br>

Where FAIR falls short also comes up.  After reflecting, Drew says that it is in the controls analysis piece.
<br>
<br>

Allan asks Drew what keeps him going in cyber. With a laugh, Drew gives a quick answer of "coffee" and then follows with, “I enjoy the relationship with my counterparts, and also establishing those relationships with the business and seeing the problems solved.”
<br>
<br>

What’s coming over the horizon? According to Drew, it’s seeing the normalizing of cybersecurity and making it less of a burden to hire new and diverse talent.
<br>
<br>

Key Takeaways
<br>
<br>

1:15 Drew shares his background and day job
<br>

2:20 FAIR model
<br>

2:56 How FAIR works
<br>

5:13 Probability
<br>

8:45 What drove you to FAIR
<br>

11:42 Goal of FAIR
<br>

13:30 Selling to the board
<br>

18:16 The honest hat
<br>

22:17 RSA announcement
<br>

23:32 What keeps Drew going
<br>

24:49 What Drew looks forward to
<br>
<br>

Links:
<br>
<br>

Learn more about Drew Brown on <a href='https://www.linkedin.com/in/drew-brown-8214675/'>LinkedIn</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/c66jkn/the-cyber-ranch-podcast_dde73d45-e926-4351-965b-d4d3302c382b.mp3" length="50462336" type="audio/mpeg"/>
        <itunes:summary><![CDATA[With us today is Drew Brown, IT Security Manager at the Commonwealth of Pennsylvania. Drew is here to talk about FAIR and his real-world usage of it and testing it in the trenches.

Drew shares a little bit about his background in cyber and a little bit about his day job. He spent 15 years in IT, which opened the door for him to become the CISO for one of the state agencies. Now his title is IT Security Manager, but essentially he is responsible for communicating security and risk, and for working within a law enforcement agency to make sure that what is implemented is secure, is compliant, and meets all of the agency's objectives.

With FAIR, you start by asking some very basic questions: What is the asset? What is the thing of value that you're trying to protect? Once you understand what that is, you then ask who is going to come after that asset: cyber criminals, nation state, some kind of industrial espionage, hacktivist, or whatever. Or maybe it's Doris in accounting. Either way, you start to work through who might come after that information.

The probability of a guy sitting in his basement ordering pizzas on your credit card is different from the probability of a nation state. On the impact side, FAIR looks at six different forms of loss: there is lost productivity, there is the cost of response (how much money are we going to spend, or have to spend, to resolve that loss event?), and so on.

The six forms of loss are productivity, response, replacement, fines and judgments, competitive advantage and reputation. We start looking at what those dollar amounts actually are. But we want to concern ourselves with the most likely and what's the loss magnitude at that most likely value? Now we can go to that executive and say, “Okay, do you want to build a new parking lot? Or do you want to resolve this risk?” Then we can have a business conversation about it.

Allan asks, “What drove you to FAIR?” Drew states that one of the biggest arguments against FAIR that he always hears is, “We don't have enough data points to do this." Drew decided FAIR can help make better decisions about risk. And that is the goal of FAIR anyway - to make better business decisions, better risk decisions.

Digging a little deeper, Allan asks, “Are you confident that it achieved the goals you set out to achieve with it?” In short, the answer is absolutely!

Where FAIR falls short also comes up.  After reflecting, Drew says that it is in the controls analysis piece.

Allan asks Drew what keeps him going in cyber. With a laugh, Drew gives a quick answer of "coffee" and then follows with, “I enjoy the relationship with my counterparts, and also establishing those relationships with the business and seeing the problems solved.”

What’s coming over the horizon? According to Drew, it’s seeing the normalizing of cybersecurity and making it less of a burden to hire new and diverse talent.

Key Takeaways

1:15 Drew shares his background and day job

2:20 FAIR model

2:56 How FAIR works

5:13 Probability

8:45 What drove you to FAIR

11:42 Goal of FAIR

13:30 Selling to the board

18:16 The honest hat

22:17 RSA announcement

23:32 What keeps Drew going

24:49 What Drew looks forward to

Links:

Learn more about Drew Brown on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1576</itunes:duration>
                <itunes:episode>21</itunes:episode>
                    </item>
    <item>
        <title>Clever Hiring Practices w/ Andy Ellis</title>
        <itunes:title>Clever Hiring Practices w/ Andy Ellis</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/clever-hiring-practices-w-andy-ellis/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/clever-hiring-practices-w-andy-ellis/#comments</comments>        <pubDate>Wed, 26 May 2021 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">1d20607f-277a-435b-a633-ecb5285e4948</guid>
                                    <description><![CDATA[With us today is Andy Ellis, operating partner at YL Ventures, former Akamai CSO and newly inducted member of the CSO Hall of Fame. We're here to talk about nonstandard hiring practices and how Andy has built an amazing team using nonstandard approaches.



Andy began his career in cyber ("I remember back then, you know, we didn't call it cyber, but I think we've all given up and, and that's now the name for our career field.") as an Air Force ROTC cadet, spent 20 years at Akamai, and joined an advisor program at YL Ventures.



Andy found a solution that addresses hiring needs and the talent shortage, while also building a very clever and very innovative team.



For new roles, look and see if you have somebody who's almost senior that you can promote to do that job. And backfill the almost senior person instead. Try not to hire senior people, try to hire the most junior person you can get away with and promote everybody up the chain. The real trick is to figure out how your HR and finance teams are going to operate and play them off against each other.



Now that we have covered your promotion from within strategy, let's talk about hiring some folks for certain roles on the team that at a glance would make no sense at all for a CSO. And yet is really, really effective and repeatable.



Andy’s flagship is hiring librarians. There is an entire career field dedicated to managing libraries and learning technical language to be able to do that.



Everyone is in the business of publishing a report about their data, right? This is just taking technical data and technical jargon and making it consumable to people who've never seen this data before. There's an entire industry that does that. We call it journalism. So, we hire journalists to come in and be those storytellers.



Hire teachers. Put a teacher in a position, learn how deep they need to go on a daily basis, and then make sure they go one level deeper.  Because you're always going to have problems if you teach exactly to your domain knowledge. So make sure your domain knowledge is always a little bit deeper than whatever your job requires, which is usually sufficient to keep you out of trouble.



To wrap the show up, Allan asks, “Why aren't the rest of us catching on because this is some amazing stuff that every single hiring manager in cyber could benefit from.”



According to Andy, the simple answer is it's expensive, and it takes a lot of time to do right.



Allan asks, “What keeps you going in cyber?” Andy answers, “I've always seen myself as improving the systems that I walk through, that when I encounter a system, I want to tweak it and figure out what makes it work and make it work better."



Key Takeaways



1:24 Andy shares his background and how he got to cyber


3:12 Working for a venture capital firm


7:12 Hiring and building a team


12:26 The abnormal hires that just make sense


15:46 Clever role adjustments


17:10 More nonstandard hires


19:03 Confused? Whose confusion is it?


21:02 The academy


24:42 Putting a teacher in


25:21 Budget technique


27:09 Why isn’t everyone hiring this way?


28:30 What keeps you going in cyber?



Links:



Learn more about Andy Ellis on <a href='https://www.linkedin.com/in/csoandy/'>LinkedIn</a> and <a href='https://twitter.com/csoandy'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></description>
                                                            <content:encoded><![CDATA[With us today is Andy Ellis, operating partner at YL Ventures, former Akamai CSO and newly inducted member of the CSO Hall of Fame. We're here to talk about nonstandard hiring practices and how Andy has built an amazing team using nonstandard approaches.
<br>
<br>

Andy began his career in cyber ("I remember back then, you know, we didn't call it cyber, but I think we've all given up and, and that's now the name for our career field.") as an Air Force ROTC cadet, spent 20 years at Akamai, and joined an advisor program at YL Ventures.
<br>
<br>

Andy found a solution that addresses hiring needs and the talent shortage, while also building a very clever and very innovative team.
<br>
<br>

For new roles, look and see if you have somebody who's almost senior that you can promote to do that job. And backfill the almost senior person instead. Try not to hire senior people, try to hire the most junior person you can get away with and promote everybody up the chain. The real trick is to figure out how your HR and finance teams are going to operate and play them off against each other.
<br>
<br>

Now that we have covered your promotion from within strategy, let's talk about hiring some folks for certain roles on the team that at a glance would make no sense at all for a CSO. And yet is really, really effective and repeatable.
<br>
<br>

Andy’s flagship is hiring librarians. There is an entire career field dedicated to managing libraries and learning technical language to be able to do that.
<br>
<br>

Everyone is in the business of publishing a report about their data, right? This is just taking technical data and technical jargon and making it consumable to people who've never seen this data before. There's an entire industry that does that. We call it journalism. So, we hire journalists to come in and be those storytellers.
<br>
<br>

Hire teachers. Put a teacher in a position, learn how deep they need to go on a daily basis, and then make sure they go one level deeper.  Because you're always going to have problems if you teach exactly to your domain knowledge. So make sure your domain knowledge is always a little bit deeper than whatever your job requires, which is usually sufficient to keep you out of trouble.
<br>
<br>

To wrap the show up, Allan asks, “Why aren't the rest of us catching on because this is some amazing stuff that every single hiring manager in cyber could benefit from.”
<br>
<br>

According to Andy, the simple answer is it's expensive, and it takes a lot of time to do right.
<br>
<br>

Allan asks, “What keeps you going in cyber?” Andy answers, “I've always seen myself as improving the systems that I walk through, that when I encounter a system, I want to tweak it and figure out what makes it work and make it work better."
<br>
<br>

Key Takeaways
<br>
<br>

1:24 Andy shares his background and how he got to cyber
<br>

3:12 Working for a venture capital firm
<br>

7:12 Hiring and building a team
<br>

12:26 The abnormal hires that just make sense
<br>

15:46 Clever role adjustments
<br>

17:10 More nonstandard hires
<br>

19:03 Confused? Whose confusion is it?
<br>

21:02 The academy
<br>

24:42 Putting a teacher in
<br>

25:21 Budget technique
<br>

27:09 Why isn’t everyone hiring this way?
<br>

28:30 What keeps you going in cyber?
<br>
<br>

Links:
<br>
<br>

Learn more about Andy Ellis on <a href='https://www.linkedin.com/in/csoandy/'>LinkedIn</a> and <a href='https://twitter.com/csoandy'>Twitter</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/e3w5mk/the-cyber-ranch-podcast_1d20607f-277a-435b-a633-ecb5285e4948.mp3" length="56587243" type="audio/mpeg"/>
        <itunes:summary><![CDATA[With us today is Andy Ellis, operating partner at YL Ventures, former Akamai CSO and newly inducted member of the CSO Hall of Fame. We're here to talk about nonstandard hiring practices and how Andy has built an amazing team using nonstandard approaches.

Andy began his career in cyber ("I remember back then, you know, we didn't call it cyber, but I think we've all given up and, and that's now the name for our career field.") as an Air Force ROTC cadet, spent 20 years at Akamai, and joined an advisor program at YL Ventures.

Andy found a solution that addresses hiring needs and the talent shortage, while also building a very clever and very innovative team.

For new roles, look and see if you have somebody who's almost senior that you can promote to do that job. And backfill the almost senior person instead. Try not to hire senior people, try to hire the most junior person you can get away with and promote everybody up the chain. The real trick is to figure out how your HR and finance teams are going to operate and play them off against each other.

Now that we have covered your promotion from within strategy, let's talk about hiring some folks for certain roles on the team that at a glance would make no sense at all for a CSO. And yet is really, really effective and repeatable.

Andy’s flagship is hiring librarians. There is an entire career field dedicated to managing libraries and learning technical language to be able to do that.

Everyone is in the business of publishing a report about their data, right? This is just taking technical data and technical jargon and making it consumable to people who've never seen this data before. There's an entire industry that does that. We call it journalism. So, we hire journalists to come in and be those storytellers.

Hire teachers. Put a teacher in a position, learn how deep they need to go on a daily basis, and then make sure they go one level deeper.  Because you're always going to have problems if you teach exactly to your domain knowledge. So make sure your domain knowledge is always a little bit deeper than whatever your job requires, which is usually sufficient to keep you out of trouble.

To wrap the show up, Allan asks, “Why aren't the rest of us catching on because this is some amazing stuff that every single hiring manager in cyber could benefit from.”

According to Andy, the simple answer is it's expensive, and it takes a lot of time to do right.

Allan asks, “What keeps you going in cyber?” Andy answers, “I've always seen myself as improving the systems that I walk through, that when I encounter a system, I want to tweak it and figure out what makes it work and make it work better."

Key Takeaways

1:24 Andy shares his background and how he got to cyber

3:12 Working for a venture capital firm

7:12 Hiring and building a team

12:26 The abnormal hires that just make sense

15:46 Clever role adjustments

17:10 More nonstandard hires

19:03 Confused? Whose confusion is it?

21:02 The academy

24:42 Putting a teacher in

25:21 Budget technique

27:09 Why isn’t everyone hiring this way?

28:30 What keeps you going in cyber?

Links:

Learn more about Andy Ellis on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1768</itunes:duration>
                <itunes:episode>20</itunes:episode>
                    </item>
    <item>
        <title>Measuring Risk w/ Richard Seiersen</title>
        <itunes:title>Measuring Risk w/ Richard Seiersen</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/measuring-risk-w-richard-seiersen/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/measuring-risk-w-richard-seiersen/#comments</comments>        <pubDate>Wed, 19 May 2021 05:35:00 -0500</pubDate>
        <guid isPermaLink="false">7c2e4636-e7cd-455a-b9bf-c729bd904d31</guid>
                                    <description><![CDATA[Today we talk with Richard Seiersen, co-author of “How to Measure Anything in Cybersecurity Risk”.



Richard shared that at his first CISO position, he was challenged with addressing prioritization of risk, which led to his authoring a book with Doug Hubbard.



What can cyber learn from older risk disciplines? The life table used broadly to measure time-to-event data goes back 500 years.



Businesses keep falling back to the classic 5x5 "likelihood and impact" matrix which is an inconsistent, non-math-based method.



Without math it is really just casting spells in the board room. There are no ratios or explanation of differences, for example.



CISOs are called upon to make a bet about something. We will use subject matter expert opinions, and can make them measurably better. Consistency is key.



Wild guesses can still help constrain the forecast. There are existing models in cyber such as FAIR that provide a more mathematically applied approach.



Statistics came about because people needed to make bets with limited data. Dirty data can be worked with.



Embracing uncertainty is okay. Executives are actually very used to uncertainty.



Cybersecurity as a practice is in its adolescence with a high mortality risk. We need to adopt the grammar of science.



Key Takeaways



0:25 Richard is introduced


1:20 Richard talks about his cyber journey and his day job


3:02 Book talk


5:19 What can cyber learn from older style risk tactics


8:04 5x5 risk matrix


10:05 Improving accuracy


17:00 Gathering an accurate view


19:20 Monte Carlo simulations


22:04 The belief


25:17 Board-ready presentations


26:58 What keeps Richard going in cyber security


28:09 Why statistics were invented



Links:



Learn more about Richard Seiersen on <a href='https://www.linkedin.com/in/richardseiersen/'>LinkedIn</a> and <a href='https://twitter.com/RichardSeiersen'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></description>
                                                            <content:encoded><![CDATA[Today we talk with Richard Seiersen, co-author of “How to Measure Anything in Cybersecurity Risk”.
<br>
<br>

Richard shared that at his first CISO position, he was challenged with addressing prioritization of risk, which led to his authoring a book with Doug Hubbard.
<br>
<br>

What can cyber learn from older risk disciplines? The life table used broadly to measure time-to-event data goes back 500 years.
<br>
<br>

Businesses keep falling back to the classic 5x5 "likelihood and impact" matrix which is an inconsistent, non-math-based method.
<br>
<br>

Without math it is really just casting spells in the board room. There are no ratios or explanation of differences, for example.
<br>
<br>

CISOs are called upon to make a bet about something. We will use subject matter expert opinions, and can make them measurably better. Consistency is key.
<br>
<br>

Wild guesses can still help constrain the forecast. There are existing models in cyber such as FAIR that provide a more mathematically applied approach.
<br>
<br>

Statistics came about because people needed to make bets with limited data. Dirty data can be worked with.
<br>
<br>

Embracing uncertainty is okay. Executives are actually very used to uncertainty.
<br>
<br>

Cybersecurity as a practice is in its adolescence with a high mortality risk. We need to adopt the grammar of science.
<br>
<br>

Key Takeaways
<br>
<br>

0:25 Richard is introduced
<br>

1:20 Richard talks about his cyber journey and his day job
<br>

3:02 Book talk
<br>

5:19 What can cyber learn from older style risk tactics
<br>

8:04 5x5 risk matrix
<br>

10:05 Improving accuracy
<br>

17:00 Gathering an accurate view
<br>

19:20 Monte Carlo simulations
<br>

22:04 The belief
<br>

25:17 Board-ready presentations
<br>

26:58 What keeps Richard going in cyber security
<br>

28:09 Why statistics were invented
<br>
<br>

Links:
<br>
<br>

Learn more about Richard Seiersen on <a href='https://www.linkedin.com/in/richardseiersen/'>LinkedIn</a> and <a href='https://twitter.com/RichardSeiersen'>Twitter</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/uae8b5/the-cyber-ranch-podcast_7c2e4636-e7cd-455a-b9bf-c729bd904d31.mp3" length="57684608" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Today we talk with Richard Seiersen, co-author of “How to Measure Anything in Cybersecurity Risk”.

Richard shared that at his first CISO position, he was challenged with addressing prioritization of risk, which led to him co-authoring a book with Doug Hubbard.

What can cyber learn from older risk disciplines? The life table, used broadly to measure time-to-event data, goes back 500 years.

Businesses keep falling back to the classic 5x5 "likelihood and impact" matrix, which is an inconsistent method with no mathematical basis.

Without math it is really just casting spells in the boardroom. There are no ratios between scores and no explanation of the differences between them, for example.

CISOs are called upon to make a bet about something. We will use subject matter expert opinions, and can make them measurably better. Consistency is key.

Wild guesses can still help constrain the forecast. There are existing models in cyber, such as FAIR, that provide a more mathematically grounded approach.

Statistics came about because people needed to make bets with limited data. Dirty data can be worked with.

Embracing uncertainty is okay. Executives are actually very used to uncertainty.

Cybersecurity as a practice is in its adolescence with a high mortality risk. We need to adopt the grammar of science.

Key Takeaways

0:25 Richard is introduced

1:20 Richard talks about his cyber journey and his day job

3:02 Book talk

5:19 What can cyber learn from older style risk tactics

8:04 5x5 risk matrix

10:05 Improving accuracy

17:00 Gathering an accurate view

19:20 Monte Carlo simulations

22:04 The belief

25:17 Board-ready presentations

26:58 What keeps Richard going in cyber security

28:09 Why statistics were invented

Links:

Learn more about Richard Seiersen on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1802</itunes:duration>
                <itunes:episode>19</itunes:episode>
                    </item>
    <item>
        <title>Becoming a CISO w/ Accidental CISO</title>
        <itunes:title>Becoming a CISO w/ Accidental CISO</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/becoming-a-ciso-w-accidental-ciso/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/becoming-a-ciso-w-accidental-ciso/#comments</comments>        <pubDate>Wed, 12 May 2021 05:10:00 -0500</pubDate>
        <guid isPermaLink="false">db647bc7-e447-4b8f-9648-09ac93ad5e8c</guid>
                                    <description><![CDATA[With us today is a very special guest, Accidental CISO, of Twitter fame. His anonymity on Twitter allows him to be a little more “truthy” about the CISO game than a lot of us can afford to be on social media. We have distorted his voice a bit to protect that anonymity.



“Accidental” shares how he got into cyber: it was the culmination of a career in which he had to wear “all” the hats. He stepped away from his CISO role a few years ago and is now in consulting, where he has the opportunity to help other people realize they need to build security programs when they have never done it or don't know how.



How did he become the “Accidental CISO”?  Simply by trying to help during the course of going through an audit.  They had to identify who was the CISO, and he made the mistake of asking who the security officer was for the company.  The answer was, “That’s you.”



Accidental CISO doesn’t think becoming a CISO accidentally is all that uncommon. When going through audits and the like, someone has to be named, and someone ends up drawing the short straw.



The role is different than what people think.  You can draw on your technical background, but you have to be able to focus on the “why” for the business and all the nuts and bolts that come with it.  One must understand this is not a technical role.



Allan shares his pivotal moment in becoming a CISO: he realized all he had to do was recognize the business as the system he was hacking.



When Allan asked Accidental CISO about guidance for building a team and getting started, Accidental had one word, “Pray.”  In reality, you need to know the skills you need.



Allan and Accidental CISO discuss “selling the functions”.  It is tied to the business objectives in so many ways, and companies need a human to seal the endpoints.  As they close this discussion loop, Accidental shares how to get the practice off the ground and the importance of relationships.



Sometimes, believe it or not, not having all the knowledge and knowing all the details is a benefit.  In addition, being the first CISO for a company is all about educating, communicating and painting a picture.



And of course, Accidental CISO answers Allan’s final question, “Why are you motivated to get out of bed and do more of it?”



Key Takeaways



0:30 Introduction of Accidental CISO of Twitter fame


1:37 How Accidental CISO got into cyber


2:14 Accidental CISO talks about his day job


3:33 The background of Accidental CISO


4:49 The security tool Accidental CISO embraces


5:20 Accidental CISO is not an uncommon “thing”


6:37 Advice to becoming a CISO


9:28 Allan shares a pivotal moment


10:15 Guidance on building and getting a team started


13:58 Selling the functions


16:55 Getting the practice off the ground


20:13 Importance of relationships and letting go


22:24 Being “their” first CISO


26:47 Building a security council


27:49 Why Accidental CISO is motivated to get out of bed each day and do more of it



Links:



Learn more about Accidental CISO on <a href='https://twitter.com/AccidentalCISO'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></description>
                                                            <content:encoded><![CDATA[With us today is a very special guest, Accidental CISO, of Twitter fame. His anonymity on Twitter allows him to be a little more “truthy” about the CISO game than a lot of us can afford to be on social media. We have distorted his voice a bit to protect that anonymity.
<br>
<br>

“Accidental” shares how he got into cyber: it was the culmination of a career in which he had to wear “all” the hats. He stepped away from his CISO role a few years ago and is now in consulting, where he has the opportunity to help other people realize they need to build security programs when they have never done it or don't know how.
<br>
<br>

How did he become the “Accidental CISO”?  Simply by trying to help during the course of going through an audit.  They had to identify who was the CISO, and he made the mistake of asking who the security officer was for the company.  The answer was, “That’s you.”
<br>
<br>

Accidental CISO doesn’t think becoming a CISO accidentally is all that uncommon. When going through audits and the like, someone has to be named, and someone ends up drawing the short straw.
<br>
<br>

The role is different than what people think.  You can draw on your technical background, but you have to be able to focus on the “why” for the business and all the nuts and bolts that come with it.  One must understand this is not a technical role.
<br>
<br>

Allan shares his pivotal moment in becoming a CISO: he realized all he had to do was recognize the business as the system he was hacking.
<br>
<br>

When Allan asked Accidental CISO about guidance for building a team and getting started, Accidental had one word, “Pray.”  In reality, you need to know the skills you need.
<br>
<br>

Allan and Accidental CISO discuss “selling the functions”.  It is tied to the business objectives in so many ways, and companies need a human to seal the endpoints.  As they close this discussion loop, Accidental shares how to get the practice off the ground and the importance of relationships.
<br>
<br>

Sometimes, believe it or not, not having all the knowledge and knowing all the details is a benefit.  In addition, being the first CISO for a company is all about educating, communicating and painting a picture.
<br>
<br>

And of course, Accidental CISO answers Allan’s final question, “Why are you motivated to get out of bed and do more of it?”
<br>
<br>

Key Takeaways
<br>
<br>

0:30 Introduction of Accidental CISO of Twitter fame
<br>

1:37 How Accidental CISO got into cyber
<br>

2:14 Accidental CISO talks about his day job
<br>

3:33 The background of Accidental CISO
<br>

4:49 The security tool Accidental CISO embraces
<br>

5:20 Accidental CISO is not an uncommon “thing”
<br>

6:37 Advice to becoming a CISO
<br>

9:28 Allan shares a pivotal moment
<br>

10:15 Guidance on building and getting a team started
<br>

13:58 Selling the functions
<br>

16:55 Getting the practice off the ground
<br>

20:13 Importance of relationships and letting go
<br>

22:24 Being “their” first CISO
<br>

26:47 Building a security council
<br>

27:49 Why Accidental CISO is motivated to get out of bed each day and do more of it
<br>
<br>

Links:
<br>
<br>

Learn more about Accidental CISO on <a href='https://twitter.com/AccidentalCISO'>Twitter</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/wsnjwi/the-cyber-ranch-podcast_db647bc7-e447-4b8f-9648-09ac93ad5e8c.mp3" length="55042688" type="audio/mpeg"/>
        <itunes:summary><![CDATA[With us today is a very special guest, Accidental CISO, of Twitter fame. His anonymity on Twitter allows him to be a little more “truthy” about the CISO game than a lot of us can afford to be on social media. We have distorted his voice a bit to protect that anonymity.

“Accidental” shares how he got into cyber: it was the culmination of a career in which he had to wear “all” the hats. He stepped away from his CISO role a few years ago and is now in consulting, where he has the opportunity to help other people realize they need to build security programs when they have never done it or don't know how.

How did he become the “Accidental CISO”?  Simply by trying to help during the course of going through an audit.  They had to identify who was the CISO, and he made the mistake of asking who the security officer was for the company.  The answer was, “That’s you.”

Accidental CISO doesn’t think becoming a CISO accidentally is all that uncommon. When going through audits and the like, someone has to be named, and someone ends up drawing the short straw.

The role is different than what people think.  You can draw on your technical background, but you have to be able to focus on the “why” for the business and all the nuts and bolts that come with it.  One must understand this is not a technical role.

Allan shares his pivotal moment in becoming a CISO: he realized all he had to do was recognize the business as the system he was hacking.

When Allan asked Accidental CISO about guidance for building a team and getting started, Accidental had one word, “Pray.”  In reality, you need to know the skills you need.

Allan and Accidental CISO discuss “selling the functions”.  It is tied to the business objectives in so many ways, and companies need a human to seal the endpoints.  As they close this discussion loop, Accidental shares how to get the practice off the ground and the importance of relationships.

Sometimes, believe it or not, not having all the knowledge and knowing all the details is a benefit.  In addition, being the first CISO for a company is all about educating, communicating and painting a picture.

And of course, Accidental CISO answers Allan’s final question, “Why are you motivated to get out of bed and do more of it?”

Key Takeaways

0:30 Introduction of Accidental CISO of Twitter fame

1:37 How Accidental CISO got into cyber

2:14 Accidental CISO talks about his day job

3:33 The background of Accidental CISO

4:49 The security tool Accidental CISO embraces

5:20 Accidental CISO is not an uncommon “thing”

6:37 Advice to becoming a CISO

9:28 Allan shares a pivotal moment

10:15 Guidance on building and getting a team started

13:58 Selling the functions

16:55 Getting the practice off the ground

20:13 Importance of relationships and letting go

22:24 Being “their” first CISO

26:47 Building a security council

27:49 Why Accidental CISO is motivated to get out of bed each day and do more of it

Links:

Learn more about Accidental CISO on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1720</itunes:duration>
                <itunes:episode>18</itunes:episode>
                    </item>
    <item>
        <title>Breach &amp; Attack Simulation w/ Marlys Rodgers</title>
        <itunes:title>Breach &amp; Attack Simulation w/ Marlys Rodgers</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/breach-attack-simulation-w-marlys-rodgers/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/breach-attack-simulation-w-marlys-rodgers/#comments</comments>        <pubDate>Wed, 05 May 2021 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">1596adf4-472d-40f0-b872-2679119b50fa</guid>
                                    <description><![CDATA[Today we talk with Marlys Rodgers, who has been in cyber for over 20 years. She is currently CISO for CSAA Insurance Group, running security for the company as well as governance, risk and compliance for technology. She shares that it feels like she is constantly balancing assessing with preventing.



Allan brings up breach and attack simulation (BAS), and when it is most appropriate to implement in the context of the maturity of a security program.  Marlys feels BAS is most effective when some, or most, of the intended controls are in place so you can focus on areas you need to strengthen.  For her company, she was glad they did it earlier rather than later.  They had a pretty good lead time to get systems to integrate.



The way you use BAS, especially alongside threat intelligence, is really important. If you don’t have a purple team, or a red team and a blue team, how do you start, or how do you reorganize? Hear how Marlys did just that. Tag-teaming works best!



How has BAS helped in conversations with the audit team as well as the GRC team? More data gets shared with Audit, and they become strong allies. Everyone is happy when fed real-world, real-time information.



BAS is truly changing mindsets, and will ultimately alter prioritization and enhance inter-team communications as well.



To wrap up the show, Marlys shares what about her job keeps her getting up in the morning and what she is looking forward to in cyber.



Key Takeaways



0:21 Welcome Marlys


1:13 Short comical discussion on how one should pronounce BAS


1:29 Marlys shares her background and day job


3:35 When BAS comes into the picture


5:00 The trick


6:05 Allan asks Marlys how she stays up with it


8:52 Marlys explains why more time should be spent on extending capabilities


9:38 Suggestions are shared to roll out BAS


12:21 Importance of human elements


13:45 If you don’t have teams, what happens?


16:18 How BAS affects conversations with teams


20:00 Importance of transparency


21:27 Changing people, process and technology with BAS


25:00 Marlys shares the reason she is motivated to stay in cyber


26:01 Marlys shares what she is looking forward to in cyber



Links:



Learn more about Marlys on <a href='https://www.linkedin.com/in/marlys-rodgers/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>
]]></description>
                                                            <content:encoded><![CDATA[Today we talk with Marlys Rodgers, who has been in cyber for over 20 years. She is currently CISO for CSAA Insurance Group, running security for the company as well as governance, risk and compliance for technology. She shares that it feels like she is constantly balancing assessing with preventing.
<br>
<br>

Allan brings up breach and attack simulation (BAS), and when it is most appropriate to implement in the context of the maturity of a security program.  Marlys feels BAS is most effective when some, or most, of the intended controls are in place so you can focus on areas you need to strengthen.  For her company, she was glad they did it earlier rather than later.  They had a pretty good lead time to get systems to integrate.
<br>
<br>

The way you use BAS, especially alongside threat intelligence, is really important. If you don’t have a purple team, or a red team and a blue team, how do you start, or how do you reorganize? Hear how Marlys did just that. Tag-teaming works best!
<br>
<br>

How has BAS helped in conversations with the audit team as well as the GRC team? More data gets shared with Audit, and they become strong allies. Everyone is happy when fed real-world, real-time information.
<br>
<br>

BAS is truly changing mindsets, and will ultimately alter prioritization and enhance inter-team communications as well.
<br>
<br>
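One way to make BAS output drive prioritization and the Audit conversation described above, added here as an example (not code from the podcast, from CSAA Insurance Group or from any BAS product): weight each simulated technique by threat intelligence, score the run, rank the gaps by residual risk, and diff against the previous run so that a control which silently stopped blocking shows up as a regression. The ATT&CK technique IDs are real identifiers, but the weights, the two runs and the outcome vocabulary are constructed.

```python
"""Scoring a BAS run against threat intelligence and the previous run.

Added example; not code from the podcast, from CSAA Insurance Group, or from
any BAS product. A BAS tool records one outcome per simulated technique;
threat intelligence says which techniques matter most to this organisation.
The functions below turn the two into a threat-weighted coverage score, a
gap list ordered by residual risk, a regression list (a control that blocked
a technique last run but not this one), and the techniques the scenario
library never exercised. Technique IDs follow the MITRE ATT&CK numbering;
the weights, the runs and the outcome vocabulary are constructed.
"""
from collections import namedtuple

# Credit earned per outcome. Constructed vocabulary: products use their own.
CREDIT = {"prevented": 1.0, "detected": 0.75, "logged": 0.25, "missed": 0.0}

# Constructed threat-intel weights (1..5): how heavily the actors this
# organisation cares about rely on each technique.
THREAT_WEIGHTS = {
    "T1566.001": 5,  # spearphishing attachment
    "T1059.001": 5,  # PowerShell
    "T1003.001": 4,  # LSASS memory
    "T1021.002": 4,  # SMB / Windows admin shares
    "T1486": 5,      # data encrypted for impact
    "T1048": 3,      # exfiltration over alternative protocol
    "T1053.005": 2,  # scheduled task
    "T1110.003": 2,  # password spraying
}

# Constructed results of two BAS runs, technique -> outcome.
BASELINE_RUN = {
    "T1566.001": "detected", "T1059.001": "prevented", "T1003.001": "prevented",
    "T1021.002": "detected", "T1486": "prevented", "T1048": "missed",
    "T1053.005": "logged",
}
CURRENT_RUN = {
    "T1566.001": "detected", "T1059.001": "prevented", "T1003.001": "logged",
    "T1021.002": "detected", "T1486": "prevented", "T1048": "missed",
    "T1053.005": "detected",
}

Gap = namedtuple("Gap", "technique outcome weight residual")
Regression = namedtuple("Regression", "technique before after")


def weighted_coverage(run, weights):
    """Share of threat-weighted credit earned across techniques actually exercised."""
    tested = [t for t in weights if t in run]
    if not tested:
        return 0.0
    earned = sum(weights[t] * CREDIT[run[t]] for t in tested)
    return earned / sum(weights[t] for t in tested)


def gap_list(run, weights):
    """Exercised techniques with less than full credit, ordered by residual
    risk = weight * (1 - credit), so the fix list follows the threat model."""
    gaps = [
        Gap(t, run[t], weights[t], weights[t] * (1.0 - CREDIT[run[t]]))
        for t in weights
        if t in run and CREDIT[run[t]] < 1.0
    ]
    return sorted(gaps, key=lambda g: (-g.residual, g.technique))


def regressions(baseline, current):
    """Techniques whose outcome got worse since the previous run: control drift
    (a disabled rule, a changed policy) that a one-off pentest would not catch."""
    return [
        Regression(t, baseline[t], current[t])
        for t in sorted(baseline)
        if t in current and CREDIT[current[t]] < CREDIT[baseline[t]]
    ]


def untested(run, weights):
    """Weighted techniques the scenario library never exercised: a gap in the
    simulation itself, not evidence that a control works."""
    return sorted(t for t in weights if t not in run)


if __name__ == "__main__":
    print(f"coverage: baseline {weighted_coverage(BASELINE_RUN, THREAT_WEIGHTS):.1%}, "
          f"current {weighted_coverage(CURRENT_RUN, THREAT_WEIGHTS):.1%}")
    for g in gap_list(CURRENT_RUN, THREAT_WEIGHTS):
        print(f"gap  {g.technique:10s} {g.outcome:9s} weight={g.weight} residual={g.residual:.2f}")
    for r in regressions(BASELINE_RUN, CURRENT_RUN):
        print(f"REGRESSION {r.technique}: {r.before} -> {r.after}")
    print("untested:", untested(CURRENT_RUN, THREAT_WEIGHTS))
```

The regression list is the piece worth showing Audit: it is evidence that a control verified last quarter still works today, or that it does not, which is the real-time information the discussion above refers to. Treat untested techniques as unknowns, never as passes.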

To wrap up the show, Marlys shares what about her job keeps her getting up in the morning and what she is looking forward to in cyber.
<br>
<br>

Key Takeaways
<br>
<br>

0:21 Welcome Marlys
<br>

1:13 Short comical discussion on how one should pronounce BAS
<br>

1:29 Marlys shares her background and day job
<br>

3:35 When BAS comes into the picture
<br>

5:00 The trick
<br>

6:05 Allan asks Marlys how she stays up with it
<br>

8:52 Marlys explains why more time should be spent on extending capabilities
<br>

9:38 Suggestions are shared to roll out BAS
<br>

12:21 Importance of human elements
<br>

13:45 If you don’t have teams, what happens?
<br>

16:18 How BAS affects conversations with teams
<br>

20:00 Importance of transparency
<br>

21:27 Changing people, process and technology with BAS
<br>

25:00 Marlys shares the reason she is motivated to stay in cyber
<br>

26:01 Marlys shares what she is looking forward to in cyber
<br>
<br>

Links:
<br>
<br>

Learn more about Marlys on <a href='https://www.linkedin.com/in/marlys-rodgers/'>LinkedIn</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>
]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/tpw047/the-cyber-ranch-podcast_1596adf4-472d-40f0-b872-2679119b50fa.mp3" length="52375503" type="audio/mpeg"/>
        <itunes:summary><![CDATA[Today we talk with Marlys Rodgers, who has been in cyber for over 20 years. She is currently CISO for CSAA Insurance Group, running security for the company as well as governance, risk and compliance for technology. She shares that it feels like she is constantly balancing assessing with preventing.

Allan brings up breach and attack simulation (BAS), and when it is most appropriate to implement in the context of the maturity of a security program.  Marlys feels BAS is most effective when some, or most, of the intended controls are in place so you can focus on areas you need to strengthen.  For her company, she was glad they did it earlier rather than later.  They had a pretty good lead time to get systems to integrate.

The way you use BAS, especially alongside threat intelligence, is really important. If you don’t have a purple team, or a red team and a blue team, how do you start, or how do you reorganize? Hear how Marlys did just that. Tag-teaming works best!

How has BAS helped in conversations with the audit team as well as the GRC team? More data gets shared with Audit, and they become strong allies. Everyone is happy when fed real-world, real-time information.

BAS is truly changing mindsets, and will ultimately alter prioritization and enhance inter-team communications as well.

To wrap up the show, Marlys shares what about her job keeps her getting up in the morning and what she is looking forward to in cyber.

Key Takeaways

0:21 Welcome Marlys

1:13 Short comical discussion on how one should pronounce BAS

1:29 Marlys shares her background and day job

3:35 When BAS comes into the picture

5:00 The trick

6:05 Allan asks Marlys how she stays up with it

8:52 Marlys explains why more time should be spent on extending capabilities

9:38 Suggestions are shared to roll out BAS

12:21 Importance of human elements

13:45 If you don’t have teams, what happens?

16:18 How BAS affects conversations with teams

20:00 Importance of transparency

21:27 Changing people, process and technology with BAS

25:00 Marlys shares the reason she is motivated to stay in cyber

26:01 Marlys shares what she is looking forward to in cyber

Links:

Learn more about Marlys on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ
]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1636</itunes:duration>
                <itunes:episode>17</itunes:episode>
                    </item>
    <item>
        <title>Enterprise Security Architecture: A $110b Case Study w/ John Petrie</title>
        <itunes:title>Enterprise Security Architecture: A $110b Case Study w/ John Petrie</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/enterprise-security-architecture-a-110b-case-study-w-john-petrie/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/enterprise-security-architecture-a-110b-case-study-w-john-petrie/#comments</comments>        <pubDate>Wed, 28 Apr 2021 07:40:00 -0500</pubDate>
        <guid isPermaLink="false">46608403-1e3a-4cdd-9fa7-95c509b5afbc</guid>
                                    <description><![CDATA[

With us today is John Petrie, Counselor to the NTT Global CISO.  He is responsible for managing the growing internal security challenges for the NTT operating companies across the globe.



After retiring from the Marines in 1996, John began a career spanning multiple security positions. He shares that his major responsibility today is creating the enterprise security architecture (“ESA”) for NTT.



Allan used to work for NTT DATA Services, and shares that John works for the ultimate parent company of the NTT global conglomerate – a full three companies of inheritance between John’s company and Allan’s former company. John shares just how big NTT really is, operating across 180 countries. Altogether there are 986 companies worldwide, generating over $110 billion in revenue each year. NTT is #62 on the Global Fortune 500.



John shares the full gamut of what an enterprise security architecture really is, how important it is and what it does. There are nine principles to building his ESA, and John outlines them while acknowledging that it is different for every company. Nowadays, systems are designed for mobility, usability, management and innovation around the core. Simplicity and resilience are a must!



Further on down the show, Allan and John discuss the 3-year cycle of both technology and business planning, and that not everything is a “one size fits all”.  In addition, they talk about mixing and matching popular ESA models, and what that means to the framework.



There is a bit of discussion surrounding what it means to “have a seat at the table” as an information security executive.  Everyone needs to be on the same page, to have business buy-in and to create strong business relationships.  Security is one of those business voices, and everyone is in it together.



In closing, Allan and John talk about how the focus is not only on technology but on governance and training to get ready for implementation.  Along with this, there are fundamental strategic decisions to be made, but ultimately on the large scale it is all about execution and governance.



Key Takeaways:



0:24 Introduction of John Petrie


1:27 How John broke into cyber and how his job looks today


3:08 We get the low-down on how big NTT really is


4:55 Everything you need to know about ESA


6:46 John shares the 9 principles that provide a foundation for his ESA


6:55 “Aligned Independence”


7:44 “Standards-Based”


7:53 “Manage the Risk”


8:15 “Platform-Based Architecture”


9:49 “Design for Mobility and Usability”


10:00 “Innovate Around ‘The Core’”


10:32 “Simplicity and Resilience”


10:36 Global Remote Work at nearly 100%


11:30 “Supporting Digital Transformation & Strategic Plan”


13:04 Allan and John discuss 1-, 3-, and 5-year cycles


14:40 Not everything is one size fits all


17:02 Length of the process John is currently in


19:15 What occurs during this process


20:44 John shares the plan goal


22:33 The one directive from their CEO


24:16 Fundamental strategic decision


26:41 The large scale


27:31 The key takeaway from this entire discussion according to John


Links:

Learn more about <a href='https://www.cyberthreatalliance.org/biography/john-petrie/'>John</a> on <a href='https://www.linkedin.com/in/johnpetrie/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></description>
                                                            <content:encoded><![CDATA[

With us today is John Petrie, Counselor to the NTT Global CISO.  He is responsible for managing the growing internal security challenges for the NTT operating companies across the globe.
<br>
<br>

After retiring from the Marines in 1996, John began a career spanning multiple security positions. He shares that his major responsibility today is creating the enterprise security architecture (“ESA”) for NTT.
<br>
<br>

Allan used to work for NTT DATA Services, and shares that John works for the ultimate parent company of the NTT global conglomerate – a full three companies of inheritance between John’s company and Allan’s former company. John shares just how big NTT really is, operating across 180 countries. Altogether there are 986 companies worldwide, generating over $110 billion in revenue each year. NTT is #62 on the Global Fortune 500.
<br>
<br>

John shares the full gamut of what an enterprise security architecture really is, how important it is and what it does. There are nine principles to building his ESA, and John outlines them while acknowledging that it is different for every company. Nowadays, systems are designed for mobility, usability, management and innovation around the core. Simplicity and resilience are a must!
<br>
<br>

Further on down the show, Allan and John discuss the 3-year cycle of both technology and business planning, and that not everything is a “one size fits all”.  In addition, they talk about mixing and matching popular ESA models, and what that means to the framework.
<br>
<br>

There is a bit of discussion surrounding what it means to “have a seat at the table” as an information security executive.  Everyone needs to be on the same page, to have business buy-in and to create strong business relationships.  Security is one of those business voices, and everyone is in it together.
<br>
<br>

In closing, Allan and John talk about how the focus is not only on technology but on governance and training to get ready for implementation.  Along with this, there are fundamental strategic decisions to be made, but ultimately on the large scale it is all about execution and governance.
<br>
<br>

Key Takeaways:
<br>
<br>

0:24 Introduction of John Petrie
<br>

1:27 How John broke into cyber and how his job looks today
<br>

3:08 We get the low-down on how big NTT really is
<br>

4:55 Everything you need to know about ESA
<br>

6:46 John shares the 9 principles that provide a foundation for his ESA
<br>

6:55 “Aligned Independence”
<br>

7:44 “Standards-Based”
<br>

7:53 “Manage the Risk”
<br>

8:15 “Platform-Based Architecture”
<br>

9:49 “Design for Mobility and Usability”
<br>

10:00 “Innovate Around ‘The Core’”
<br>

10:32 “Simplicity and Resilience”
<br>

10:36 Global Remote Work at nearly 100%
<br>

11:30 “Supporting Digital Transformation & Strategic Plan”
<br>

13:04 Allan and John discuss 1-, 3-, and 5-year cycles
<br>

14:40 Not everything is one size fits all
<br>

17:02 Length of the process John is currently in
<br>

19:15 What occurs during this process
<br>

20:44 John shares the plan goal
<br>

22:33 The one directive from their CEO
<br>

24:16 Fundamental strategic decision
<br>

26:41 The large scale
<br>

27:31 The key takeaway from this entire discussion according to John
<br>
<br>
Links:<br>

Learn more about <a href='https://www.cyberthreatalliance.org/biography/john-petrie/'>John</a> on <a href='https://www.linkedin.com/in/johnpetrie/'>LinkedIn</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/bokkap/the-cyber-ranch-podcast_46608403-1e3a-4cdd-9fa7-95c509b5afbc.mp3" length="53565056" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

With us today is John Petrie, Counselor to the NTT Global CISO.  He is responsible for managing the growing internal security challenges for the NTT operating companies across the globe.

Retired from the Marines in 1996, John began his career in multiple security positions. He shares that his major responsibility today is creating the enterprise security architecture (“ESA”) for NTT.

Allan used to work for NTT DATA Services, and shares that John is working for the ultimate parent company of the NTT global conglomerate – a full 3 companies of inheritance between John’s company and Allan’s former company.  John shares just how big NTT really is throughout 180 countries.  Altogether there are 986 companies worldwide, generating over $110 billion in revenue each year.  NTT is #62 on the Global Fortune 500.

John shares the full gamut of what an enterprise security architecture really is, how important it is and what it does.  There are nine principles to building his ESA, and John outlines them while acknowledging that it is different for every company.  Nowadays, the systems designed are for mobility, usability, management, and innovation around the core.  Simplicity and resilience are a must!

Further on down the show, Allan and John discuss the 3-year cycle of both technology and business planning, and that not everything is a “one size fits all”.  In addition, they talk about mixing and matching popular ESA models, and what that means to the framework.

There is a bit of discussion surrounding what it means to “have a seat at the table” as an information security executive.  Everyone needs to be on the same page, to have business buy-in and to create strong business relationships.  Security is one of those business voices, and everyone is in it together.

In closing, Allan and John talk about how the focus is not only on technology but on governance and training to get ready for implementation.  Along with this, there are fundamental strategic decisions to be made, but ultimately on the large scale it is all about execution and governance.

Key Takeaways:

0:24 Introduction of John Petrie

1:27 How John broke into cyber and how his job looks today

3:08 We get the lowdown on how big NTT really is

4:55 Everything you need to know about ESA

6:46 John shares the 9 principles that provide a foundation for his ESA

6:55 “Aligned Independence”

7:44 “Standards-Based”

7:53 “Manage the Risk”

8:15 “Platform-Based Architecture”

9:49 “Design for Mobility and Usability”

10:00 “Innovate Around ‘The Core’”

10:32 “Simplicity and Resilience”

10:36 Global Remote Work at nearly 100%

11:30 “Supporting Digital Transformation & Strategic Plan”

13:04 Allan and John discuss 1-, 3-, and 5-year cycles

14:40 Not everything is one size fits all

17:02 Length of the process John is currently in

19:15 What occurs during this process

20:44 John shares the plan goal

22:33 The one directive from their CEO

24:16 Fundamental strategic decision

26:41 The large scale

27:31 The key takeaway from this entire discussion according to John
Links:
Learn more about John on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1673</itunes:duration>
                <itunes:episode>16</itunes:episode>
                    </item>
    <item>
        <title>Programs for Women &amp; Veterans in Cyber w/ WiCyS - SPECIAL EDITION</title>
        <itunes:title>Programs for Women &amp; Veterans in Cyber w/ WiCyS - SPECIAL EDITION</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/programs-for-women-veterans-in-cyber-w-wicys-special-edition/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/programs-for-women-veterans-in-cyber-w-wicys-special-edition/#comments</comments>        <pubDate>Mon, 26 Apr 2021 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">00f54bea-1bbd-49cc-9818-2dd18e5ca62e</guid>
                                    <description><![CDATA[

With us today are Lynn Dohm, Executive Director of Women in Cybersecurity (WiCyS) and Martha Laughman, Veterans Initiative Lead at WiCyS and Director of Workforce Development at Smoothstack.  Lynn and Martha are here to talk about the amazing programs for women and women veterans at WiCyS.



WiCyS is so much more than a conference for women in cybersecurity. Its presence spans the globe and its programs are myriad. Mentorship, student scholarships, training, special interest groups, job boards, veterans' assistance, and apprenticeships are all available.



Smoothstack is a partner of WiCyS, and has created a program for women veteran apprenticeships designed to benefit all parties involved.



The program is based on attitude, aptitude and initial assessments, but requires no cybersecurity knowledge at the start. Apprentices are paid, trained, and qualified when they come out, working for employers on a two-year contract at a minimum.  The program addresses employers' fears over being the first ones to hire and train new talent only to lose them.



WiCyS is a phenomenal organization, and there are ample opportunities for allies - not just women - to join.



Key Takeaways


0:24 Allan introduces Lynn and Martha


1:18 Lynn gives an overview of WiCyS' origins


2:06 Lynn explains the many WiCyS worldwide programs outside of the conference itself


6:45 Lynn introduces the veterans' assistance program


7:33 Lynn explains the origins of the veterans' apprenticeship program


8:54 Lynn explains why WiCyS chose Smoothstack and its program for women veterans' apprenticeships


10:14 Lynn explains the specific challenges and needs of women veterans


11:51 Martha shares a bit about her past, and her personal motivations


15:05 Martha elaborates on the program at Smoothstack with a very human story


17:14 Martha outlines the full process of the apprenticeship program


18:10 Martha outlines the tests for entry into the program


20:44 Martha states that employers hiring new talent suffer training overhead followed by attrition


21:40 The Smoothstack/WiCyS program pays candidates to get trained to readiness and guarantees employers two years minimum


23:40 Martha explains that cybersecurity has become a sellers' market and that jobs remain open because employers cannot pay enough


26:20 Lynn explains her motivation and drive to build such programs


27:23 Martha asks our listeners to join WiCyS, noting that membership is very affordable


28:23 Lynn echoes Martha's advice and recommends browsing the WiCyS website


28:47 Allan asks listeners to donate to WiCyS


Links:

Learn more about WiCyS at <a href='https://www.wicys.org/'>www.wicys.org</a> and on <a href='https://twitter.com/WiCySorg'>Twitter</a> and on <a href='https://www.linkedin.com/company/women-in-cybersecurity-wicys/'>LinkedIn</a>

Learn more about Smoothstack at <a href='https://www.smoothstack.com/'>smoothstack.com</a>

Learn more about Lynn Dohm on <a href='https://www.linkedin.com/in/lynndohm/'>LinkedIn</a> and on <a href='https://twitter.com/lynn_dohm'>Twitter</a>

Learn more about Martha Laughman on <a href='https://www.linkedin.com/in/martha-laughman/'>LinkedIn</a> and on <a href='https://twitter.com/MarthaLaughman'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></description>
                                                            <content:encoded><![CDATA[

With us today are Lynn Dohm, Executive Director of Women in Cybersecurity (WiCyS) and Martha Laughman, Veterans Initiative Lead at WiCyS and Director of Workforce Development at Smoothstack.  Lynn and Martha are here to talk about the amazing programs for women and women veterans at WiCyS.
<br>
<br>

WiCyS is so much more than a conference for women in cybersecurity. Its presence spans the globe and its programs are myriad. Mentorship, student scholarships, training, special interest groups, job boards, veterans' assistance, and apprenticeships are all available.
<br>
<br>

Smoothstack is a partner of WiCyS, and has created a program for women veteran apprenticeships designed to benefit all parties involved.
<br>
<br>

The program is based on attitude, aptitude and initial assessments, but requires no cybersecurity knowledge at the start. Apprentices are paid, trained, and qualified when they come out, working for employers on a two-year contract at a minimum.  The program addresses employers' fears over being the first ones to hire and train new talent only to lose them.
<br>
<br>

WiCyS is a phenomenal organization, and there are ample opportunities for allies - not just women - to join.
<br>
<br>

Key Takeaways<br>
<br>

0:24 Allan introduces Lynn and Martha
<br>

1:18 Lynn gives an overview of WiCyS' origins
<br>

2:06 Lynn explains the many WiCyS worldwide programs outside of the conference itself
<br>

6:45 Lynn introduces the veterans' assistance program
<br>

7:33 Lynn explains the origins of the veterans' apprenticeship program
<br>

8:54 Lynn explains why WiCyS chose Smoothstack and its program for women veterans' apprenticeships
<br>

10:14 Lynn explains the specific challenges and needs of women veterans
<br>

11:51 Martha shares a bit about her past, and her personal motivations
<br>

15:05 Martha elaborates on the program at Smoothstack with a very human story
<br>

17:14 Martha outlines the full process of the apprenticeship program
<br>

18:10 Martha outlines the tests for entry into the program
<br>

20:44 Martha states that employers hiring new talent suffer training overhead followed by attrition
<br>

21:40 The Smoothstack/WiCyS program pays candidates to get trained to readiness and guarantees employers two years minimum
<br>

23:40 Martha explains that cybersecurity has become a sellers' market and that jobs remain open because employers cannot pay enough
<br>

26:20 Lynn explains her motivation and drive to build such programs
<br>

27:23 Martha asks our listeners to join WiCyS, noting that membership is very affordable
<br>

28:23 Lynn echoes Martha's advice and recommends browsing the WiCyS website
<br>

28:47 Allan asks listeners to donate to WiCyS
<br>
<br>
Links:<br>

Learn more about WiCyS at <a href='https://www.wicys.org/'>www.wicys.org</a> and on <a href='https://twitter.com/WiCySorg'>Twitter</a> and on <a href='https://www.linkedin.com/company/women-in-cybersecurity-wicys/'>LinkedIn</a><br>

Learn more about Smoothstack at <a href='https://www.smoothstack.com/'>smoothstack.com</a><br>

Learn more about Lynn Dohm on <a href='https://www.linkedin.com/in/lynndohm/'>LinkedIn</a> and on <a href='https://twitter.com/lynn_dohm'>Twitter</a><br>

Learn more about Martha Laughman on <a href='https://www.linkedin.com/in/martha-laughman/'>LinkedIn</a> and on <a href='https://twitter.com/MarthaLaughman'>Twitter</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/s9lc12/the-cyber-ranch-podcast_00f54bea-1bbd-49cc-9818-2dd18e5ca62e.mp3" length="28126189" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

With us today are Lynn Dohm, Executive Director of Women in Cybersecurity (WiCyS) and Martha Laughman, Veterans Initiative Lead at WiCyS and Director of Workforce Development at Smoothstack.  Lynn and Martha are here to talk about the amazing programs for women and women veterans at WiCyS.

WiCyS is so much more than a conference for women in cybersecurity. Its presence spans the globe and its programs are myriad. Mentorship, student scholarships, training, special interest groups, job boards, veterans' assistance, and apprenticeships are all available.

Smoothstack is a partner of WiCyS, and has created a program for women veteran apprenticeships designed to benefit all parties involved.

The program is based on attitude, aptitude and initial assessments, but requires no cybersecurity knowledge at the start. Apprentices are paid, trained, and qualified when they come out, working for employers on a two-year contract at a minimum.  The program addresses employers' fears over being the first ones to hire and train new talent only to lose them.

WiCyS is a phenomenal organization, and there are ample opportunities for allies - not just women - to join.

Key Takeaways
0:24 Allan introduces Lynn and Martha

1:18 Lynn gives an overview of WiCyS' origins

2:06 Lynn explains the many WiCyS worldwide programs outside of the conference itself

6:45 Lynn introduces the veterans' assistance program

7:33 Lynn explains the origins of the veterans' apprenticeship program

8:54 Lynn explains why WiCyS chose Smoothstack and its program for women veterans' apprenticeships

10:14 Lynn explains the specific challenges and needs of women veterans

11:51 Martha shares a bit about her past, and her personal motivations

15:05 Martha elaborates on the program at Smoothstack with a very human story

17:14 Martha outlines the full process of the apprenticeship program

18:10 Martha outlines the tests for entry into the program

20:44 Martha states that employers hiring new talent suffer training overhead followed by attrition

21:40 The Smoothstack/WiCyS program pays candidates to get trained to readiness and guarantees employers two years minimum

23:40 Martha explains that cybersecurity has become a sellers' market and that jobs remain open because employers cannot pay enough

26:20 Lynn explains her motivation and drive to build such programs

27:23 Martha asks our listeners to join WiCyS, noting that membership is very affordable

28:23 Lynn echoes Martha's advice and recommends browsing the WiCyS website

28:47 Allan asks listeners to donate to WiCyS
Links:
Learn more about WiCyS at www.wicys.org and on Twitter and on LinkedIn
Learn more about Smoothstack at smoothstack.com
Learn more about Lynn Dohm on LinkedIn and on Twitter
Learn more about Martha Laughman on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1753</itunes:duration>
                <itunes:episode>15</itunes:episode>
                    </item>
    <item>
        <title>Data Risk Governance w/ Patrick Benoit</title>
        <itunes:title>Data Risk Governance w/ Patrick Benoit</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/data-risk-governance-w-patrick-benoit/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/data-risk-governance-w-patrick-benoit/#comments</comments>        <pubDate>Wed, 21 Apr 2021 04:55:00 -0500</pubDate>
        <guid isPermaLink="false">e3b02a01-9614-4864-9e97-8a22e14005f3</guid>
                                    <description><![CDATA[

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  With us today is Patrick Benoit, Global Head of Cyber GRC, and BISO at CBRE.  Patrick is here to talk about Data Risk Governance, a slightly new twist on an old problem.  Like our host, Patrick is also from the Dallas-Fort Worth area of Texas.



To start the conversation, Allan asks Patrick to share a little about himself, his background in information security and what he does at his day job. Patrick began his career in the military, eventually coming over to consulting and enterprise.  He has built out more than one BISO program, and has run multiple GRC programs as well.  Patrick has a customer-facing security role and believes that all security leaders are also, to some degree, sales leaders.



Allan and Patrick walk through a very practical approach to Data Risk Governance, starting with 'big chunks' and working towards the future with data tagging.



They discuss briefly various rules for dealing with older data and various means of risk measurement.



Ultimately their model is designed to work over a three-year or five-year period, encompassing all data in the organization by that time.



Key Takeaways


0:23 Allan introduces Patrick


1:36 Patrick shares his cyber background and his day job


4:10 Patrick introduces his model of Data Risk Governance, which began as a sales/marketing tool and evolved into a "real" practice


5:59 Patrick introduces the precursors to setting up a proper Data Risk Governance program, which includes data classification among others


8:01 Allan explains how data discovery and classification can be expensive and yet still only partially successful


9:12 Patrick advocates his 'one bite at a time' method based at first on broad strokes of known valuable/risky data


10:45 Allan describes multiple data loss stories from his past


12:10 Patrick delineates in more detail the 'big chunks of data' method and his firewall analogy of allow/deny


13:23 Patrick notes that classification followed by tagging is a great approach


13:57 Allan proposes a new-data-only go-forward plan and Patrick agrees


15:56 Patrick talks about how the legal department owns data retention rules


17:30 Talks about how chat messages should be volatile


19:00 Allan proposes using tagging to manage destruction and retention


21:00 Patrick notes that reducing risk by tagging some of your data is better than tagging none of it


23:30 Patrick discusses his model for quantifying risk vs investment as an 'orders of magnitude' problem with dollars as unit of measure


25:17 Allan proposes the car insurance model to counter Patrick's life insurance model


26:00 Allan talks about accurizing risk measurement and discusses briefly models like FAIR and Bayesian math vs. Patrick's orders of magnitude method


27:09 Patrick uses the 5x5 method not as a specific measurement but more as a visual aid and heatmap


29:11 Patrick explains what keeps him going in information security


Links:

Learn more about Patrick Benoit on <a href='https://www.linkedin.com/in/patricklbenoit/'>LinkedIn</a> and on <a href='https://twitter.com/patrickbenoit'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></description>
                                                            <content:encoded><![CDATA[

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  With us today is Patrick Benoit, Global Head of Cyber GRC, and BISO at CBRE.  Patrick is here to talk about Data Risk Governance, a slightly new twist on an old problem.  Like our host, Patrick is also from the Dallas-Fort Worth area of Texas.
<br>
<br>

To start the conversation, Allan asks Patrick to share a little about himself, his background in information security and what he does at his day job. Patrick began his career in the military, eventually coming over to consulting and enterprise.  He has built out more than one BISO program, and has run multiple GRC programs as well.  Patrick has a customer-facing security role and believes that all security leaders are also, to some degree, sales leaders.
<br>
<br>

Allan and Patrick walk through a very practical approach to Data Risk Governance, starting with 'big chunks' and working towards the future with data tagging.
<br>
<br>

They discuss briefly various rules for dealing with older data and various means of risk measurement.
<br>
<br>

Ultimately their model is designed to work over a three-year or five-year period, encompassing all data in the organization by that time.
<br>
<br>

Key Takeaways<br>
<br>

0:23 Allan introduces Patrick
<br>

1:36 Patrick shares his cyber background and his day job
<br>

4:10 Patrick introduces his model of Data Risk Governance, which began as a sales/marketing tool and evolved into a "real" practice
<br>

5:59 Patrick introduces the precursors to setting up a proper Data Risk Governance program, which includes data classification among others
<br>

8:01 Allan explains how data discovery and classification can be expensive and yet still only partially successful
<br>

9:12 Patrick advocates his 'one bite at a time' method based at first on broad strokes of known valuable/risky data
<br>

10:45 Allan describes multiple data loss stories from his past
<br>

12:10 Patrick delineates in more detail the 'big chunks of data' method and his firewall analogy of allow/deny
<br>

13:23 Patrick notes that classification followed by tagging is a great approach
<br>

13:57 Allan proposes a new-data-only go-forward plan and Patrick agrees
<br>

15:56 Patrick talks about how the legal department owns data retention rules
<br>

17:30 Talks about how chat messages should be volatile
<br>

19:00 Allan proposes using tagging to manage destruction and retention
<br>

21:00 Patrick notes that reducing risk by tagging some of your data is better than tagging none of it
<br>

23:30 Patrick discusses his model for quantifying risk vs investment as an 'orders of magnitude' problem with dollars as unit of measure
<br>

25:17 Allan proposes the car insurance model to counter Patrick's life insurance model
<br>

26:00 Allan talks about accurizing risk measurement and discusses briefly models like FAIR and Bayesian math vs. Patrick's orders of magnitude method
<br>

27:09 Patrick uses the 5x5 method not as a specific measurement but more as a visual aid and heatmap
<br>

29:11 Patrick explains what keeps him going in information security
<br>
<br>
Links:<br>

Learn more about Patrick Benoit on <a href='https://www.linkedin.com/in/patricklbenoit/'>LinkedIn</a> and on <a href='https://twitter.com/patrickbenoit'>Twitter</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/pd7bcu/the-cyber-ranch-podcast_e3b02a01-9614-4864-9e97-8a22e14005f3.mp3" length="26064356" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  With us today is Patrick Benoit, Global Head of Cyber GRC, and BISO at CBRE.  Patrick is here to talk about Data Risk Governance, a slightly new twist on an old problem.  Like our host, Patrick is also from the Dallas-Fort Worth area of Texas.

To start the conversation, Allan asks Patrick to share a little about himself, his background in information security and what he does at his day job. Patrick began his career in the military, eventually coming over to consulting and enterprise.  He has built out more than one BISO program, and has run multiple GRC programs as well.  Patrick has a customer-facing security role and believes that all security leaders are also, to some degree, sales leaders.

Allan and Patrick walk through a very practical approach to Data Risk Governance, starting with 'big chunks' and working towards the future with data tagging.

They discuss briefly various rules for dealing with older data and various means of risk measurement.

Ultimately their model is designed to work over a three-year or five-year period, encompassing all data in the organization by that time.

Key Takeaways
0:23 Allan introduces Patrick

1:36 Patrick shares his cyber background and his day job

4:10 Patrick introduces his model of Data Risk Governance, which began as a sales/marketing tool and evolved into a "real" practice

5:59 Patrick introduces the precursors to setting up a proper Data Risk Governance program, which includes data classification among others

8:01 Allan explains how data discovery and classification can be expensive and yet still only partially successful

9:12 Patrick advocates his 'one bite at a time' method based at first on broad strokes of known valuable/risky data

10:45 Allan describes multiple data loss stories from his past

12:10 Patrick delineates in more detail the 'big chunks of data' method and his firewall analogy of allow/deny

13:23 Patrick notes that classification followed by tagging is a great approach

13:57 Allan proposes a new-data-only go-forward plan and Patrick agrees

15:56 Patrick talks about how the legal department owns data retention rules

17:30 Talks about how chat messages should be volatile

19:00 Allan proposes using tagging to manage destruction and retention

21:00 Patrick notes that reducing risk by tagging some of your data is better than tagging none of it

23:30 Patrick discusses his model for quantifying risk vs investment as an 'orders of magnitude' problem with dollars as unit of measure

25:17 Allan proposes the car insurance model to counter Patrick's life insurance model

26:00 Allan talks about accurizing risk measurement and discusses briefly models like FAIR and Bayesian math vs. Patrick's orders of magnitude method

27:09 Patrick uses the 5x5 method not as a specific measurement but more as a visual aid and heatmap

29:11 Patrick explains what keeps him going in information security
Links:
Learn more about Patrick Benoit on LinkedIn and on Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1860</itunes:duration>
                <itunes:episode>14</itunes:episode>
                    </item>
    <item>
        <title>Vishing, Smishing and STIR/SHAKEN w/ Mike Manrod</title>
        <itunes:title>Vishing, Smishing and STIR/SHAKEN w/ Mike Manrod</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/vishing-smishing-and-stirshaken-w-mike-manrod/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/vishing-smishing-and-stirshaken-w-mike-manrod/#comments</comments>        <pubDate>Wed, 14 Apr 2021 04:00:00 -0500</pubDate>
        <guid isPermaLink="false">5dec7ab4-4dde-47e3-9576-fad4a7732f36</guid>
                                    <description><![CDATA[

Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Mike Manrod, CISO at Grand Canyon Education. Mike has done quite a bit of research on vishing, smishing and the upcoming STIR/SHAKEN legislation meant to combat those two.



To start the conversation, Allan asks Mike to share a little about himself, his background in information security and what he does at his day job. Mike started as an IT technologist who originally resented the security team for slowing down technology projects. Then a friend took him to a security conference, and the rest is history.



Mike explains what vishing and smishing are, contrasting them to traditional phishing. Mike and Allan discuss personally targeted vishing and smishing vs. attacks targeted at organizations.



Allan and Mike cover the new STIR/SHAKEN legislation and related RFCs, along with the technical limitations inherent in the approach.



Finally, Allan asks Mike what keeps him going in cybersecurity, including technical challenges and a strong infosec community.



Key Takeaways


0:24 Allan introduces Mike


1:05 Mike explains how he got into cybersecurity and what his daily CISO life is like.


2:48 Mike explains what vishing and smishing are.


3:32 Mike explains the unethical vishing vs. truly illegal vishing and how they might target an organization vs. an individual.


7:18 Mike explains how most smishing is targeted at individuals. SIM swapping and other techniques are generally what is used against enterprises.


8:00 Mike says that smishing is most often used to introduce malware or harvesting user credentials.


9:31 Mike says that smishing, vishing and robocalling definitely mimic the ransomware world where lower-level, even non-technical criminals run the front line of attack.


11:34 Mike compares STIR/SHAKEN to the anti-phishing technologies DKIM, DMARC and SPF.


11:49 Allan explains that those email technologies are opt-in and only effective if all parties choose to opt in.


12:31 Mike explains what STIR/SHAKEN stand for and how they work - they are based on a series of RFCs.


13:43 Mike explains the FCC June 30, 2021 deadline for IP-based carriers to adhere to STIR/SHAKEN.  TDM and Cellular networks are asked to implement in good faith.


15:48 Mike says that STIR/SHAKEN is a great step in the right direction.  The nature of the problem is that the 'from' value is user-controlled in telco communications.


17:29 Mike says that an enforced hierarchy of tokens will solve the problem ultimately.


18:15 Mike recommends RFC 7340 as the best definition of the problem statement for the telephony challenge end-to-end.


18:45 Mike explains how STIR/SHAKEN also impacts smishing - noting that iMessage and other SMS-derived technologies already offer better security than voice technologies.


19:29 Mike states that a paradigm with certificates bound to number ranges or account ranges is the real solution to the problem.


21:01 Mike explains that fun technical challenges are why he stays in information security - a lack of boredom.


21:58 Mike also names community as another reason he stays in infosec.


Links:

Learn more about Mike Manrod on <a href='https://www.linkedin.com/in/manrod/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></description>
                                                            <content:encoded><![CDATA[

Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Mike Manrod, CISO at Grand Canyon Education. Mike has done quite a bit of research on vishing, smishing and the upcoming STIR/SHAKEN legislation meant to combat those two.
<br>
<br>

To start the conversation, Allan asks Mike to share a little about himself, his background in information security and what he does at his day job. Mike started as an IT technologist who originally resented the security team for slowing down technology projects. Then a friend took him to a security conference, and the rest is history.
<br>
<br>

Mike explains what vishing and smishing are, contrasting them to traditional phishing. Mike and Allan discuss personally targeted vishing and smishing vs. attacks targeted at organizations.
<br>
<br>

Allan and Mike cover the new STIR/SHAKEN legislation and related RFCs, along with the technical limitations inherent in the approach.
<br>
<br>

Finally, Allan asks Mike what keeps him going in cybersecurity, including technical challenges and a strong infosec community.
<br>
<br>

Key Takeaways<br>
<br>

0:24 Allan introduces Mike
<br>

1:05 Mike explains how he got into cybersecurity and what his daily CISO life is like.
<br>

2:48 Mike explains what vishing and smishing are.
<br>

3:32 Mike explains the unethical vishing vs. truly illegal vishing and how they might target an organization vs. an individual.
<br>

7:18 Mike explains how most smishing is targeted at individuals. SIM swapping and other techniques are generally what is used against enterprises.
<br>

8:00 Mike says that smishing is most often used to introduce malware or harvest user credentials.
<br>

9:31 Mike says that smishing, vishing and robocalling definitely mimic the ransomware world where lower-level, even non-technical criminals run the front line of attack.
<br>

11:34 Mike compares STIR/SHAKEN to the anti-phishing technologies DKIM, DMARC and SPF.
<br>

11:49 Allan explains that those email technologies are opt-in and only effective if all parties choose to opt in.
<br>

12:31 Mike explains what STIR/SHAKEN stand for and how they work - they are based on a series of RFCs.
<br>

13:43 Mike explains the FCC June 30, 2021 deadline for IP-based carriers to adhere to STIR/SHAKEN.  TDM and Cellular networks are asked to implement in good faith.
<br>

15:48 Mike says that STIR/SHAKEN is a great step in the right direction.  The nature of the problem is that the 'from' value is user-controlled in telco communications.
<br>

17:29 Mike says that an enforced hierarchy of tokens will ultimately solve the problem.
<br>

18:15 Mike recommends RFC 7340 as the best end-to-end definition of the problem statement for the telephony challenge.
<br>

18:45 Mike explains how STIR/SHAKEN also impacts smishing - noting that iMessage and other SMS-derived technologies already offer better security than voice technologies.
<br>

19:29 Mike states that a paradigm with certificates bound to number ranges or account ranges is the real solution to the problem.
<br>

21:01 Mike explains that fun technical challenges are why he stays in information security - a lack of boredom.
<br>

21:58 Mike also names community as another reason he stays in infosec.
<br>
<br>
Links:<br>

Learn more about Mike Manrod on <a href='https://www.linkedin.com/in/manrod/'>LinkedIn</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/t76y8l/the-cyber-ranch-podcast_5dec7ab4-4dde-47e3-9576-fad4a7732f36.mp3" length="22859717" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Mike Manrod, CISO at Grand Canyon Education. Mike has done quite a bit of research on vishing, smishing and the upcoming STIR/SHAKEN legislation meant to combat those two.

To start the conversation, Allan asks Mike to share a little about himself, his background in information security and what he does at his day job. Mike started as an IT technologist who originally resented the security team for slowing down technology projects. Then a friend took him to a security conference, and the rest is history.

Mike explains what vishing and smishing are, contrasting them to traditional phishing. Mike and Allan discuss personally targeted vishing and smishing vs. attacks targeted at organizations.

Allan and Mike cover the new STIR/SHAKEN legislation and related RFCs, along with the technical limitations inherent in the approach.

Finally, Allan asks Mike what keeps him going in cybersecurity, including technical challenges and a strong infosec community.

Key Takeaways
0:24 Allan introduces Mike

1:05 Mike explains how he got into cybersecurity and what his daily CISO life is like.

2:48 Mike explains what vishing and smishing are.

3:32 Mike explains the unethical vishing vs. truly illegal vishing and how they might target an organization vs. an individual.

7:18 Mike explains how most smishing is targeted at individuals. SIM swapping and other techniques are generally what is used against enterprises.

8:00 Mike says that smishing is most often used to introduce malware or harvest user credentials.

9:31 Mike says that smishing, vishing and robocalling definitely mimic the ransomware world where lower-level, even non-technical criminals run the front line of attack.

11:34 Mike compares STIR/SHAKEN to the anti-phishing technologies DKIM, DMARC and SPF.

11:49 Allan explains that those email technologies are opt-in and only effective if all parties choose to opt in.

12:31 Mike explains what STIR/SHAKEN stand for and how they work - they are based on a series of RFCs.

13:43 Mike explains the FCC June 30, 2021 deadline for IP-based carriers to adhere to STIR/SHAKEN.  TDM and Cellular networks are asked to implement in good faith.

15:48 Mike says that STIR/SHAKEN is a great step in the right direction.  The nature of the problem is that the 'from' value is user-controlled in telco communications.

17:29 Mike says that an enforced hierarchy of tokens will ultimately solve the problem.

18:15 Mike recommends RFC 7340 as the best end-to-end definition of the problem statement for the telephony challenge.

18:45 Mike explains how STIR/SHAKEN also impacts smishing - noting that iMessage and other SMS-derived technologies already offer better security than voice technologies.

19:29 Mike states that a paradigm with certificates bound to number ranges or account ranges is the real solution to the problem.

21:01 Mike explains that fun technical challenges are why he stays in information security - a lack of boredom.

21:58 Mike also names community as another reason he stays in infosec.
Links:
Learn more about Mike Manrod on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1428</itunes:duration>
                <itunes:episode>13</itunes:episode>
                    </item>
    <item>
        <title>Maturing Purple Teaming w/ Gabe Lawrence</title>
        <itunes:title>Maturing Purple Teaming w/ Gabe Lawrence</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/maturing-purple-teaming-w-gabe-lawrence/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/maturing-purple-teaming-w-gabe-lawrence/#comments</comments>        <pubDate>Wed, 07 Apr 2021 04:36:00 -0500</pubDate>
        <guid isPermaLink="false">4fe14c79-5ffe-44a5-a19a-ac9b11762610</guid>
                                    <description><![CDATA[

Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Gabe Lawrence, General Manager of Cyber Security Protection at Toyota Motor North America. Gabe has seen the good and bad of purple teaming, and we’re here today to discuss what a mature purple teaming organization looks like.



To start the conversation, Allan asks Gabe to share a little about himself, his background in information security and what he does at his day job. His path to security hasn’t been linear - he has been a developer, an entrepreneur and a startup owner, slowly making his way to different levels of management in the security space. Gabe runs Enterprise Security at Toyota North America and is responsible for the technical side of the business and manufacturing environment.



When discussing what successful purple teaming looks like, Gabe points to heightened alert fidelity as being among its greatest benefits. Rather than a red versus blue mindset, purple teaming encourages community and collaboration. Then, Allan asks Gabe to share a specific time he found unexpected success in purple teaming. Gabe gives an example reiterating the advantage of having a red and blue team working collaboratively.



In managing an enterprise, Gabe says there is always something changing. Validating your controls, alerts and responses are just a few of many tasks best tackled in smaller chunks. Embedding the automation from purple teaming into the ongoing environment keeps things in a high-functioning state and serves as a persistent health check. Gabe explains that a buffer overflow isn’t exactly instantaneous, and how to combat lingering attacks.



Though purple teaming has many great benefits, it requires a bit of maturity. Having different teams interact together as they mature ensures they understand each other's roles and can effectively work together. Gabe urges people in the industry to think of themselves not only as part of a specific team, but as a part of a broader collective. In the hiring process, he describes seeking candidates with experience in software development and scripting. Additionally, it’s crucial to be willing and excited to learn and to have keen problem-solving abilities. In closing, Gabe looks forward to working in serverless spaces like the Cloud in the future and says his favorite thing about his career field is that it never fails to offer something new.



Key Takeaways

0:21 - Host Allan Alford welcomes listeners to the show and introduces Gabe Lawrence.

1:12 - Allan asks Gabe to share about his background and day job.

2:40 - What is successful purple teaming?

4:30 - Gabe shares both positive and negative personal experiences in purple teaming.

9:42 - How do you automate purple teaming?

14:11 - Fine tuning the deployment of the controls.

19:20 - How Gabe designs and hires for his team.

26:20 - What keeps Gabe in Information Security?

Links:

Learn more about Gabe Lawrence on <a href='https://www.linkedin.com/in/geblsd/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

]]></description>
                                                            <content:encoded><![CDATA[

Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Gabe Lawrence, General Manager of Cyber Security Protection at Toyota Motor North America. Gabe has seen the good and bad of purple teaming, and we’re here today to discuss what a mature purple teaming organization looks like.
<br>
<br>

To start the conversation, Allan asks Gabe to share a little about himself, his background in information security and what he does at his day job. His path to security hasn’t been linear - he has been a developer, an entrepreneur and a startup owner, slowly making his way to different levels of management in the security space. Gabe runs Enterprise Security at Toyota North America and is responsible for the technical side of the business and manufacturing environment.
<br>
<br>

When discussing what successful purple teaming looks like, Gabe points to heightened alert fidelity as being among its greatest benefits. Rather than a red versus blue mindset, purple teaming encourages community and collaboration. Then, Allan asks Gabe to share a specific time he found unexpected success in purple teaming. Gabe gives an example reiterating the advantage of having a red and blue team working collaboratively.
<br>
<br>

In managing an enterprise, Gabe says there is always something changing. Validating your controls, alerts and responses are just a few of many tasks best tackled in smaller chunks. Embedding the automation from purple teaming into the ongoing environment keeps things in a high-functioning state and serves as a persistent health check. Gabe explains that a buffer overflow isn’t exactly instantaneous, and how to combat lingering attacks.
<br>
<br>

Though purple teaming has many great benefits, it requires a bit of maturity. Having different teams interact together as they mature ensures they understand each other's roles and can effectively work together. Gabe urges people in the industry to think of themselves not only as part of a specific team, but as a part of a broader collective. In the hiring process, he describes seeking candidates with experience in software development and scripting. Additionally, it’s crucial to be willing and excited to learn and to have keen problem-solving abilities. In closing, Gabe looks forward to working in serverless spaces like the Cloud in the future and says his favorite thing about his career field is that it never fails to offer something new.
<br>
<br>

Key Takeaways<br>

0:21 - Host Allan Alford welcomes listeners to the show and introduces Gabe Lawrence.<br>

1:12 - Allan asks Gabe to share about his background and day job.<br>

2:40 - What is successful purple teaming?<br>

4:30 - Gabe shares both positive and negative personal experiences in purple teaming.<br>

9:42 - How do you automate purple teaming?<br>

14:11 - Fine tuning the deployment of the controls.<br>

19:20 - How Gabe designs and hires for his team.<br>

26:20 - What keeps Gabe in Information Security?<br>
<br>
Links:<br>

Learn more about Gabe Lawrence on <a href='https://www.linkedin.com/in/geblsd/'>LinkedIn</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/aybims/the-cyber-ranch-podcast_4fe14c79-5ffe-44a5-a19a-ac9b11762610.mp3" length="27844886" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Gabe Lawrence, General Manager of Cyber Security Protection at Toyota Motor North America. Gabe has seen the good and bad of purple teaming, and we’re here today to discuss what a mature purple teaming organization looks like.

To start the conversation, Allan asks Gabe to share a little about himself, his background in information security and what he does at his day job. His path to security hasn’t been linear - he has been a developer, an entrepreneur and a startup owner, slowly making his way to different levels of management in the security space. Gabe runs Enterprise Security at Toyota North America and is responsible for the technical side of the business and manufacturing environment.

When discussing what successful purple teaming looks like, Gabe points to heightened alert fidelity as being among its greatest benefits. Rather than a red versus blue mindset, purple teaming encourages community and collaboration. Then, Allan asks Gabe to share a specific time he found unexpected success in purple teaming. Gabe gives an example reiterating the advantage of having a red and blue team working collaboratively.

In managing an enterprise, Gabe says there is always something changing. Validating your controls, alerts and responses are just a few of many tasks best tackled in smaller chunks. Embedding the automation from purple teaming into the ongoing environment keeps things in a high-functioning state and serves as a persistent health check. Gabe explains that a buffer overflow isn’t exactly instantaneous, and how to combat lingering attacks.

Though purple teaming has many great benefits, it requires a bit of maturity. Having different teams interact together as they mature ensures they understand each other's roles and can effectively work together. Gabe urges people in the industry to think of themselves not only as part of a specific team, but as a part of a broader collective. In the hiring process, he describes seeking candidates with experience in software development and scripting. Additionally, it’s crucial to be willing and excited to learn and to have keen problem-solving abilities. In closing, Gabe looks forward to working in serverless spaces like the Cloud in the future and says his favorite thing about his career field is that it never fails to offer something new.

Key Takeaways
0:21 - Host Allan Alford welcomes listeners to the show and introduces Gabe Lawrence.
1:12 - Allan asks Gabe to share about his background and day job.
2:40 - What is successful purple teaming?
4:30 - Gabe shares both positive and negative personal experiences in purple teaming.
9:42 - How do you automate purple teaming?
14:11 - Fine tuning the deployment of the controls.
19:20 - How Gabe designs and hires for his team.
26:20 - What keeps Gabe in Information Security?
Links:
Learn more about Gabe Lawrence on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at AttackIQ

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1740</itunes:duration>
                <itunes:episode>12</itunes:episode>
                    </item>
    <item>
        <title>Interview with a Vendor w/ Dutch Schwartz</title>
        <itunes:title>Interview with a Vendor w/ Dutch Schwartz</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/interview-with-a-vendor-w-dutch-schwartz/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/interview-with-a-vendor-w-dutch-schwartz/#comments</comments>        <pubDate>Wed, 31 Mar 2021 05:30:00 -0500</pubDate>
        <guid isPermaLink="false">c9f6ca78-b06f-4b88-a73a-7359b610ee8b</guid>
                                    <description><![CDATA[

In this episode, host and CISO Allan Alford interviews his friend Dutch Schwartz, Principal Security Specialist at Amazon Web Services. Dutch is a vendor, but do not press 'stop' just yet! Dutch is an empathetic outsider, an observer, and a constant learner and researcher. He brings some unique insights to our practice.



Dutch talks about his encounters with CISOs and their direct staffs, and opines on the debate as to how technical a CISO should be (versus business-oriented).



Allan and Dutch discuss healthy vs. unhealthy (Dutch prefers the term 'challenging') security cultures.



Dutch talks about all security efforts aligning with business initiatives, and Allan espouses his theory that all CISO actions should tie to business initiatives, risk reduction, and maturity improvement.



Dutch remains enthused about cybersecurity because of conversations like this very interview.



Key Takeaways

1:32 - Dutch shares his cyber origin story - stumbling into cyber after a military career as an officer, and working as an integrator for a VAR.

4:54 - Today Dutch works at AWS and supports the largest customers as a cloud security strategist, working with CISOs and their staffs.

5:47 - With Dutch's Fortune 50 customers, he meets with the CISO on a monthly or bi-monthly basis, depending upon how hands-on the CISOs are. Daily he meets with the CISOs' direct reports.

7:04 - Dutch explains that over the years CISOs have changed from a more technical bent to a more business and risk-management orientation. Some struggle with this growth.

12:15 - Allan describes his CISO communication philosophy of "Business Terms First, Risk Terms Second, Technology Terms Third".

13:23 - Allan talks about CISOs asking each other whether they are more technical or business/soft-skills-oriented.

15:00 - Dutch says that how technical a CISO is depends partially upon risk tolerance.

18:02 - Dutch elaborates that a bad security culture results in more breaches.

19:18 - Dutch explains how a company's culture can be measured.

19:54 - Dutch says culture is not what the leadership preaches, but rather what the factory worker in a remote location believes it to be.

20:16 - Dutch says challenging cultures are the ones where leadership is not aligned.

21:53 - Dutch starts his conversations with his clients by talking first and foremost about business initiatives.

23:40 - Dutch often compares security to quality when getting his clients to understand the overarching perspective.

26:50 - Allan says all CISO initiatives should be tied to business objectives, reduction of known risks, and how his actions might improve maturity.

29:29 - Conversations like this one are what keeps Dutch in information security.

Links:

Learn more about Dutch Schwartz on <a href='https://www.linkedin.com/in/dutchschwartz/'>LinkedIn</a> and <a href='https://twitter.com/dutch_26'>Twitter</a>.

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></description>
                                                            <content:encoded><![CDATA[

In this episode, host and CISO Allan Alford interviews his friend Dutch Schwartz, Principal Security Specialist at Amazon Web Services. Dutch is a vendor, but do not press 'stop' just yet! Dutch is an empathetic outsider, an observer, and a constant learner and researcher. He brings some unique insights to our practice.
<br>
<br>

Dutch talks about his encounters with CISOs and their direct staffs, and opines on the debate as to how technical a CISO should be (versus business-oriented).
<br>
<br>

Allan and Dutch discuss healthy vs. unhealthy (Dutch prefers the term 'challenging') security cultures.
<br>
<br>

Dutch talks about all security efforts aligning with business initiatives, and Allan espouses his theory that all CISO actions should tie to business initiatives, risk reduction, and maturity improvement.
<br>
<br>

Dutch remains enthused about cybersecurity because of conversations like this very interview.
<br>
<br>

Key Takeaways<br>

1:32 - Dutch shares his cyber origin story - stumbling into cyber after a military career as an officer, and working as an integrator for a VAR.<br>

4:54 - Today Dutch works at AWS and supports the largest customers as a cloud security strategist, working with CISOs and their staffs.<br>

5:47 - With Dutch's Fortune 50 customers, he meets with the CISO on a monthly or bi-monthly basis, depending upon how hands-on the CISOs are. Daily he meets with the CISOs' direct reports.<br>

7:04 - Dutch explains that over the years CISOs have changed from a more technical bent to a more business and risk-management orientation. Some struggle with this growth.<br>

12:15 - Allan describes his CISO communication philosophy of "Business Terms First, Risk Terms Second, Technology Terms Third".<br>

13:23 - Allan talks about CISOs asking each other whether they are more technical or business/soft-skills-oriented.<br>

15:00 - Dutch says that how technical a CISO is depends partially upon risk tolerance.<br>

18:02 - Dutch elaborates that a bad security culture results in more breaches.<br>

19:18 - Dutch explains how a company's culture can be measured.<br>

19:54 - Dutch says culture is not what the leadership preaches, but rather what the factory worker in a remote location believes it to be.<br>

20:16 - Dutch says challenging cultures are the ones where leadership is not aligned.<br>

21:53 - Dutch starts his conversations with his clients by talking first and foremost about business initiatives.<br>

23:40 - Dutch often compares security to quality when getting his clients to understand the overarching perspective.<br>

26:50 - Allan says all CISO initiatives should be tied to business objectives, reduction of known risks, and how his actions might improve maturity.<br>

29:29 - Conversations like this one are what keeps Dutch in information security.<br>
<br>
Links:<br>

Learn more about Dutch Schwartz on <a href='https://www.linkedin.com/in/dutchschwartz/'>LinkedIn</a> and <a href='https://twitter.com/dutch_26'>Twitter</a>.<br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/zpwbqb/the-cyber-ranch-podcast_c9f6ca78-b06f-4b88-a73a-7359b610ee8b.mp3" length="29257682" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

In this episode, host and CISO Allan Alford interviews his friend Dutch Schwartz, Principal Security Specialist at Amazon Web Services. Dutch is a vendor, but do not press 'stop' just yet! Dutch is an empathetic outsider, an observer, and a constant learner and researcher. He brings some unique insights to our practice.

Dutch talks about his encounters with CISOs and their direct staffs, and opines on the debate as to how technical a CISO should be (versus business-oriented).

Allan and Dutch discuss healthy vs. unhealthy (Dutch prefers the term 'challenging') security cultures.

Dutch talks about all security efforts aligning with business initiatives, and Allan espouses his theory that all CISO actions should tie to business initiatives, risk reduction, and maturity improvement.

Dutch remains enthused about cybersecurity because of conversations like this very interview.

Key Takeaways
1:32 - Dutch shares his cyber origin story - stumbling into cyber after a military career as an officer, and working as an integrator for a VAR.
4:54 - Today Dutch works at AWS and supports the largest customers as a cloud security strategist, working with CISOs and their staffs.
5:47 - With Dutch's Fortune 50 customers, he meets with the CISO on a monthly or bi-monthly basis, depending upon how hands-on the CISOs are. Daily he meets with the CISOs' direct reports.
7:04 - Dutch explains that over the years CISOs have changed from a more technical bent to a more business and risk-management orientation. Some struggle with this growth.
12:15 - Allan describes his CISO communication philosophy of "Business Terms First, Risk Terms Second, Technology Terms Third".
13:23 - Allan talks about CISOs asking each other whether they are more technical or business/soft-skills-oriented.
15:00 - Dutch says that how technical a CISO is depends partially upon risk tolerance.
18:02 - Dutch elaborates that a bad security culture results in more breaches.
19:18 - Dutch explains how a company's culture can be measured.
19:54 - Dutch says culture is not what the leadership preaches, but rather what the factory worker in a remote location believes it to be.
20:16 - Dutch says challenging cultures are the ones where leadership is not aligned.
21:53 - Dutch starts his conversations with his clients by talking first and foremost about business initiatives.
23:40 - Dutch often compares security to quality when getting his clients to understand the overarching perspective.
26:50 - Allan says all CISO initiatives should be tied to business objectives, reduction of known risks, and how his actions might improve maturity.
29:29 - Conversations like this one are what keeps Dutch in information security.
Links:
Learn more about Dutch Schwartz on LinkedIn and Twitter.
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1828</itunes:duration>
                <itunes:episode>11</itunes:episode>
                    </item>
    <item>
        <title>Advancing Cybersecurity Careers w/ Christophe Foulon</title>
        <itunes:title>Advancing Cybersecurity Careers w/ Christophe Foulon</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/advancing-cybersecurity-careers-w-christophe-foulon/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/advancing-cybersecurity-careers-w-christophe-foulon/#comments</comments>        <pubDate>Wed, 24 Mar 2021 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">b7beb9c9-798f-469d-b4af-e6d2bb6d95a7</guid>
                                    <description><![CDATA[

In this episode, host and CISO Allan Alford interviews his friend Chris Foulon, Sr. Manager of Cybersecurity at a leading fintech company, and co-host of the "Breaking into Cybersecurity" podcast.



Chris has 15 years in information security, having started at the helpdesk years ago.  His biggest desire in infosec is helping others.  In his day job Chris gets to work with every part of the business.



On the subject of the personnel shortage in cybersecurity, Chris believes that there is no shortage.  Rather, he suggests that hiring managers limit their choices by holding out for too high an experience level, and by neglecting diversity and inclusion.



His advice for those who are entering the profession is to combine experience, certifications and education as suited to themselves and the roles they are applying for.  He suggests research and listening to podcasts like this one.  Chris suggests finding a mentor as well.



Chris and Allan discuss diversity, inclusion and allyship at length, going into such details as how job descriptions can discourage diverse candidates.



Chris' motivation in cybersecurity is the fact that the industry is ever-evolving and always presents opportunities for creative problem solving.



Key Takeaways

1:18 - Chris shares his history with cybersecurity

3:20 - Chris describes why he thinks there is no infosec personnel shortage

4:43 - Chris describes how to write a job description to generate more candidates

6:28 - Chris tells people with other backgrounds not to start over in cyber but to move in laterally and learn the tech

8:02 - Chris explains how to get experience and subject matter expertise before you start your first job

12:35 - Chris talks about certifications

16:11 - Chris talks about including neurodiverse candidates

17:52 - Chris describes how hiring managers can clean their job descriptions to encourage diverse candidates

24:24 - Chris describes the benefits of mentoring

25:24 - Chris describes what motivates him in infosec

26:24 - Chris describes what he is looking forward to in infosec

Links:

Learn more about Chris Foulon on <a href='https://www.linkedin.com/in/christophefoulon/'>LinkedIn</a> and <a href='https://twitter.com/chris_foulon'>Twitter</a>.

Chris' coaching site is <a href='https://cpf-coaching.com/'>CPF Coaching</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></description>
                                                            <content:encoded><![CDATA[

In this episode, host and CISO Allan Alford interviews his friend Chris Foulon, Sr. Manager of Cybersecurity at a leading fintech company, and co-host of the "Breaking into Cybersecurity" podcast.
<br>
<br>

Chris has 15 years in information security, having started at the helpdesk years ago.  His biggest desire in infosec is helping others.  In his day job Chris gets to work with every part of the business.
<br>
<br>

On the subject of the personnel shortage in cybersecurity, Chris believes that there is no shortage.  Rather, he suggests that hiring managers limit their choices by holding out for too high an experience level, and by neglecting diversity and inclusion.
<br>
<br>

His advice for those who are entering the profession is to combine experience, certifications and education as suited to themselves and the roles they are applying for.  He suggests research and listening to podcasts like this one.  Chris suggests finding a mentor as well.
<br>
<br>

Chris and Allan discuss diversity, inclusion and allyship at length, going into such details as how job descriptions can discourage diverse candidates.
<br>
<br>

Chris' motivation in cybersecurity is the fact that the industry is ever-evolving and always presents opportunities for creative problem solving.
<br>
<br>

Key Takeaways<br>

1:18 - Chris shares his history with cybersecurity<br>

3:20 - Chris describes why he thinks there is no infosec personnel shortage<br>

4:43 - Chris describes how to write a job description to generate more candidates<br>

6:28 - Chris tells people with other backgrounds not to start over in cyber but to move in laterally and learn the tech<br>

8:02 - Chris explains how to get experience and subject matter expertise before you start your first job<br>

12:35 - Chris talks about certifications<br>

16:11 - Chris talks about including neurodiverse candidates<br>

17:52 - Chris describes how hiring managers can clean their job descriptions to encourage diverse candidates<br>

24:24 - Chris describes the benefits of mentoring<br>

25:24 - Chris describes what motivates him in infosec<br>

26:24 - Chris describes what he is looking forward to in infosec<br>
<br>
Links:<br>

Learn more about Chris Foulon on <a href='https://www.linkedin.com/in/christophefoulon/'>LinkedIn</a> and <a href='https://twitter.com/chris_foulon'>Twitter</a>.<br>

Chris' coaching site is <a href='https://cpf-coaching.com/'>CPF Coaching</a><br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/lybgua/the-cyber-ranch-podcast_b7beb9c9-798f-469d-b4af-e6d2bb6d95a7.mp3" length="26005082" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

In this episode, host and CISO Allan Alford interviews his friend Chris Foulon, Sr. Manager of Cybersecurity at a leading fintech company, and co-host of the "Breaking into Cybersecurity" podcast.

Chris has 15 years in information security, having started at the helpdesk years ago.  His biggest desire in infosec is helping others.  In his day job Chris gets to work with every part of the business.

On the subject of the personnel shortage in cybersecurity, Chris believes that there is no shortage.  Rather, he suggests that hiring managers limit their choices by holding out for too high an experience level, and by neglecting diversity and inclusion.

His advice for those who are entering the profession is to combine experience, certifications and education as suited to themselves and the roles they are applying for.  He suggests research and listening to podcasts like this one.  Chris suggests finding a mentor as well.

Chris and Allan discuss diversity, inclusion and allyship at length, going into such details as how job descriptions can discourage diverse candidates.

Chris' motivation in cybersecurity is the fact that the industry is ever-evolving and always presents opportunities for creative problem solving.

Key Takeaways
1:18 - Chris shares his history with cybersecurity
3:20 - Chris describes why he thinks there is no infosec personnel shortage
4:43 - Chris describes how to write a job description to generate more candidates
6:28 - Chris tells people with other backgrounds not to start over in cyber but to move in laterally and learn the tech
8:02 - Chris explains how to get experience and subject matter expertise before you start your first job
12:35 - Chris talks about certifications
16:11 - Chris talks about including neurodiverse candidates
17:52 - Chris describes how hiring managers can clean their job descriptions to encourage diverse candidates
24:24 - Chris describes the benefits of mentoring
25:24 - Chris describes what motivates him in infosec
26:24 - Chris describes what he is looking forward to in infosec
Links:
Learn more about Chris Foulon on LinkedIn and Twitter.
Chris' coaching site is CPF Coaching
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1625</itunes:duration>
                <itunes:episode>10</itunes:episode>
                    </item>
    <item>
        <title>Developing Leadership w/ Gary Hayslip</title>
        <itunes:title>Developing Leadership w/ Gary Hayslip</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/developing-leadership-w-gary-hayslip/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/developing-leadership-w-gary-hayslip/#comments</comments>        <pubDate>Wed, 17 Mar 2021 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">d50b8b0a-4fa0-42f5-b0c5-df2332638701</guid>
                                    <description><![CDATA[

Today, host and CISO Allan Alford interviews friend and fellow CISO Gary Hayslip.  Besides being a brilliant business leader, Gary is an author, mentor, and one of the best all-around humans Allan knows!



To start the conversation, Allan asks Gary to share about himself and his background in cybersecurity.  While he had a natural interest in computers and technology more generally, Gary’s formal entrance to the cybersecurity field came during his time in the military.  He developed a love for security, and as he’s climbed within the industry in the years after his military service, he’s also developed a strong network as a colleague and mentor.  Allan tapped into this shared community through one of its most-used platforms, LinkedIn, to find out what others in the field would most like to learn from Gary.



The first questions deal with topics of leadership and training, and Gary explains his own practices of educating himself and his team.  In his own life, he is committed to maintaining up-to-date knowledge of his rapidly changing field through research and reading; such knowledge is necessary if Gary is to lead as effectively as he can.  Gary also provides opportunities for his staff to receive continuing education, and he does not worry that he might train employees beyond their roles.  Rather, he embraces the privilege of partnering with his staff to see them succeed on their career paths.



There is a lot that goes into Gary’s practice of crafting and leading a team, and the COVID-19 pandemic has caused him to make some coaching changes.  One-on-one meetings and conversations about family are more frequent, but the emphasis on building team trust and leading team members to own the business strategy remains constant.  Gary assigns team members to take the lead on and complete briefings for different aspects of the strategy, and also expects them to back each other up.



This practice not only fosters ownership of business processes and development of employee skills, but also shapes the kind of culture Gary insists his team have.  He requires team members to possess certain soft skills, be people of honesty who take personal responsibility, and be comfortable in team and group contexts.  Gary tries to care for his workers by taking harder hours on himself than he expects them to work, but as the conversation wraps up, he explains that he is mainly motivated in his work by love for the community and people in the field!



Key Takeaways

0:21 - Host Allan Alford welcomes listeners to the show and introduces Gary Hayslip.

1:08 - Allan asks Gary to share about his background.

2:08 - The first questions deal with continuing education for Gary and his team.

6:58 - How has Gary’s coaching changed because of COVID-19?

10:54 - What are Gary’s methods for helping his team take on pieces of his strategy?

17:55 - COVID-19 also raises new questions about work-life balance.

21:45 - The next question deals with how Gary develops team culture.

25:39 - What keeps Gary going in cybersecurity?


Links:

Learn more about Gary Hayslip on <a href='https://www.linkedin.com/in/ghayslip/'>LinkedIn</a>.

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></description>
                                                            <content:encoded><![CDATA[

Today, host and CISO Allan Alford interviews friend and fellow CISO Gary Hayslip.  Besides being a brilliant business leader, Gary is an author, mentor, and one of the best all-around humans Allan knows!
<br>
<br>

To start the conversation, Allan asks Gary to share about himself and his background in cybersecurity.  While he had a natural interest in computers and technology more generally, Gary’s formal entrance to the cybersecurity field came during his time in the military.  He developed a love for security, and as he’s climbed within the industry in the years after his military service, he’s also developed a strong network as a colleague and mentor.  Allan tapped into this shared community through one of its most-used platforms, LinkedIn, to find out what others in the field would most like to learn from Gary.
<br>
<br>

The first questions deal with topics of leadership and training, and Gary explains his own practices of educating himself and his team.  In his own life, he is committed to maintaining up-to-date knowledge of his rapidly changing field through research and reading; such knowledge is necessary if Gary is to lead as effectively as he can.  Gary also provides opportunities for his staff to receive continuing education, and he does not worry that he might train employees beyond their roles.  Rather, he embraces the privilege of partnering with his staff to see them succeed on their career paths.
<br>
<br>

There is a lot that goes into Gary’s practice of crafting and leading a team, and the COVID-19 pandemic has caused him to make some coaching changes.  One-on-one meetings and conversations about family are more frequent, but the emphasis on building team trust and leading team members to own the business strategy remains constant.  Gary assigns team members to take the lead on and complete briefings for different aspects of the strategy, and also expects them to back each other up.
<br>
<br>

This practice not only fosters ownership of business processes and development of employee skills, but also shapes the kind of culture Gary insists his team have.  He requires team members to possess certain soft skills, be people of honesty who take personal responsibility, and be comfortable in team and group contexts.  Gary tries to care for his workers by taking harder hours on himself than he expects them to work, but as the conversation wraps up, he explains that he is mainly motivated in his work by love for the community and people in the field!
<br>
<br>

Key Takeaways<br>

0:21 - Host Allan Alford welcomes listeners to the show and introduces Gary Hayslip.<br>

1:08 - Allan asks Gary to share about his background.<br>

2:08 - The first questions deal with continuing education for Gary and his team.<br>

6:58 - How has Gary’s coaching changed because of COVID-19?<br>

10:54 - What are Gary’s methods for helping his team take on pieces of his strategy?<br>

17:55 - COVID-19 also raises new questions about work-life balance.<br>

21:45 - The next question deals with how Gary develops team culture.<br>

25:39 - What keeps Gary going in cybersecurity?<br>
<br>

Links:<br>

Learn more about Gary Hayslip on <a href='https://www.linkedin.com/in/ghayslip/'>LinkedIn</a>.<br>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/4zn65j/the-cyber-ranch-podcast_d50b8b0a-4fa0-42f5-b0c5-df2332638701.mp3" length="26888288" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

Today, host and CISO Allan Alford interviews friend and fellow CISO Gary Hayslip.  Besides being a brilliant business leader, Gary is an author, mentor, and one of the best all-around humans Allan knows!

To start the conversation, Allan asks Gary to share about himself and his background in cybersecurity.  While he had a natural interest in computers and technology more generally, Gary’s formal entrance to the cybersecurity field came during his time in the military.  He developed a love for security, and as he’s climbed within the industry in the years after his military service, he’s also developed a strong network as a colleague and mentor.  Allan tapped into this shared community through one of its most-used platforms, LinkedIn, to find out what others in the field would most like to learn from Gary.

The first questions deal with topics of leadership and training, and Gary explains his own practices of educating himself and his team.  In his own life, he is committed to maintaining up-to-date knowledge of his rapidly changing field through research and reading; such knowledge is necessary if Gary is to lead as effectively as he can.  Gary also provides opportunities for his staff to receive continuing education, and he does not worry that he might train employees beyond their roles.  Rather, he embraces the privilege of partnering with his staff to see them succeed on their career paths.

There is a lot that goes into Gary’s practice of crafting and leading a team, and the COVID-19 pandemic has caused him to make some coaching changes.  One-on-one meetings and conversations about family are more frequent, but the emphasis on building team trust and leading team members to own the business strategy remains constant.  Gary assigns team members to take the lead on and complete briefings for different aspects of the strategy, and also expects them to back each other up.

This practice not only fosters ownership of business processes and development of employee skills, but also shapes the kind of culture Gary insists his team have.  He requires team members to possess certain soft skills, be people of honesty who take personal responsibility, and be comfortable in team and group contexts.  Gary tries to care for his workers by taking harder hours on himself than he expects them to work, but as the conversation wraps up, he explains that he is mainly motivated in his work by love for the community and people in the field!

Key Takeaways
0:21 - Host Allan Alford welcomes listeners to the show and introduces Gary Hayslip.
1:08 - Allan asks Gary to share about his background.
2:08 - The first questions deal with continuing education for Gary and his team.
6:58 - How has Gary’s coaching changed because of COVID-19?
10:54 - What are Gary’s methods for helping his team take on pieces of his strategy?
17:55 - COVID-19 also raises new questions about work-life balance.
21:45 - The next question deals with how Gary develops team culture.
25:39 - What keeps Gary going in cybersecurity?
Links:
Learn more about Gary Hayslip on LinkedIn.
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1680</itunes:duration>
                <itunes:episode>9</itunes:episode>
                    </item>
    <item>
        <title>The Post-COVID Reckoning w/ Dr. Rebecca Wynn - SPECIAL EDITION</title>
        <itunes:title>The Post-COVID Reckoning w/ Dr. Rebecca Wynn - SPECIAL EDITION</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/the-post-covid-reckoning-w-dr-rebecca-wynn-special-edition/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/the-post-covid-reckoning-w-dr-rebecca-wynn-special-edition/#comments</comments>        <pubDate>Mon, 15 Mar 2021 05:00:00 -0500</pubDate>
        <guid isPermaLink="false">478dd91b-1ca3-4673-b08e-7e44acc5df4c</guid>
                                    <description><![CDATA[

In this show, host Allan Alford interviews Dr. Rebecca Wynn about information security decisions made during COVID and what the 2021 "reckoning" might look like.  Dr. Wynn is a well-recognized CISO and Chief Privacy Officer, who faced some large-scale challenges during 2020. Allan welcomes Dr. Wynn to the cyber ranch!



The show starts with Allan asking Dr. Wynn to introduce herself and to tell the listeners a bit about her background. Dr. Wynn has received quite a lot of recognition in the field.



Allan and Rebecca Wynn share a wealth of connections in the CISO community, and both have consulted with numerous companies over 2020. This positions them to be able to talk to the broad spectrum of COVID-related actions and reactions taken during 2020.



Moving workers to home all over the world resulted in an increased attack surface and increased privacy concerns as well. Security questionnaires were on the rise, as were deeper investigations into PCI, SOC2, etc. reports. COVID, in other words, really emphasized the supply chain risk posture.



Allan and Dr. Wynn discuss the challenges and variety of preparedness for Zero Trust architectures - VPN, VDI, cellular dongles, taking desktop computers home, etc.



Allan and Dr. Wynn talk about supply chain risk, contracts, penalties, and other facets of post-COVID third-party risk.



To close the podcast, Dr. Wynn shares that she loves information security because of great companies out there who are forward-looking and paying real attention to security.



Key Takeaways:


1:18 - Dr. Wynn tells the audience about her information security background and recognitions.

2:43 - Dr. Wynn had to move 10,000 people to work-from-home for COVID.

4:31 - Dr. Wynn tells her clients to check the PCI, SOC2, etc. reports in detail for their supply chain.

5:37 - Allan points out that supply chain questionnaires were on the rise due to COVID.

6:45 - Dr. Wynn elaborates on Zero Trust architectures deployed during COVID and states that Zero Trust is not "one and done".

8:20 - Dr. Wynn encourages her clients to really dig into the risk associated with the supply chain.

9:12 - Allan points out that the SolarWinds breach was really a post-COVID phenomenon in terms of its impact and how folks responded.

10:40 - Allan shares that some companies were not ready for Zero Trust at all vs. those who were so well prepared.

12:49 - Dr. Wynn encourages auditors to go back and visit their 3rd-party risk.

14:34 - Dr. Wynn and Allan talk about the strength and significance of contracts in the cultures of various companies.

16:50 - Dr. Wynn tells her clients to attach assessments to the contract and asks for transparency.

19:40 - Dr. Wynn encourages her clients to ask their supply chain about end-of-life and end-of-service posture for the technical estate.

23:05 - Allan advocates that vendors have honest conversations with their customers to be transparent about what new risks COVID onboarded.

25:08 - Dr. Wynn predicts that 2021 will be the reckoning for companies who took shortcuts during COVID.

25:42 - Dr. Wynn loves working for forward-looking companies and loves working for the greater good.

26:48 - In Information Security, Dr. Wynn predicts growth and evolution and hopes for a real investment.



Links:

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Learn more about Dr. Rebecca Wynn on <a href='https://www.linkedin.com/in/rebeccawynncissp/'>LinkedIn</a>.

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></description>
                                                            <content:encoded><![CDATA[

In this show, host Allan Alford interviews Dr. Rebecca Wynn about information security decisions made during COVID and what the 2021 "reckoning" might look like.  Dr. Wynn is a well-recognized CISO and Chief Privacy Officer, who faced some large-scale challenges during 2020. Allan welcomes Dr. Wynn to the cyber ranch!
<br>
<br>

The show starts with Allan asking Dr. Wynn to introduce herself and to tell the listeners a bit about her background. Dr. Wynn has received quite a lot of recognition in the field.
<br>
<br>

Allan and Rebecca Wynn share a wealth of connections in the CISO community, and both have consulted with numerous companies over 2020. This positions them to be able to talk to the broad spectrum of COVID-related actions and reactions taken during 2020.
<br>
<br>

Moving workers to home all over the world resulted in an increased attack surface and increased privacy concerns as well. Security questionnaires were on the rise, as were deeper investigations into PCI, SOC2, etc. reports. COVID, in other words, really emphasized the supply chain risk posture.
<br>
<br>

Allan and Dr. Wynn discuss the challenges and variety of preparedness for Zero Trust architectures - VPN, VDI, cellular dongles, taking desktop computers home, etc.
<br>
<br>

Allan and Dr. Wynn talk about supply chain risk, contracts, penalties, and other facets of post-COVID third-party risk.
<br>
<br>

To close the podcast, Dr. Wynn shares that she loves information security because of great companies out there who are forward-looking and paying real attention to security.
<br>
<br>

Key Takeaways:<br>
<br>

1:18 - Dr. Wynn tells the audience about her information security background and recognitions.<br>

2:43 - Dr. Wynn had to move 10,000 people to work-from-home for COVID.<br>

4:31 - Dr. Wynn tells her clients to check the PCI, SOC2, etc. reports in detail for their supply chain.<br>

5:37 - Allan points out that supply chain questionnaires were on the rise due to COVID.<br>

6:45 - Dr. Wynn elaborates on Zero Trust architectures deployed during COVID and states that Zero Trust is not "one and done".<br>

8:20 - Dr. Wynn encourages her clients to really dig into the risk associated with the supply chain.<br>

9:12 - Allan points out that the SolarWinds breach was really a post-COVID phenomenon in terms of its impact and how folks responded.<br>

10:40 - Allan shares that some companies were not ready for Zero Trust at all vs. those who were so well prepared.<br>

12:49 - Dr. Wynn encourages auditors to go back and visit their 3rd-party risk.<br>

14:34 - Dr. Wynn and Allan talk about the strength and significance of contracts in the cultures of various companies.<br>

16:50 - Dr. Wynn tells her clients to attach assessments to the contract and asks for transparency.<br>

19:40 - Dr. Wynn encourages her clients to ask their supply chain about end-of-life and end-of-service posture for the technical estate.<br>

23:05 - Allan advocates that vendors have honest conversations with their customers to be transparent about what new risks COVID onboarded.<br>

25:08 - Dr. Wynn predicts that 2021 will be the reckoning for companies who took shortcuts during COVID.<br>

25:42 - Dr. Wynn loves working for forward-looking companies and loves working for the greater good.<br>

26:48 - In Information Security, Dr. Wynn predicts growth and evolution and hopes for a real investment.<br>
<br>
<br>

Links:<br>

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Learn more about Dr. Rebecca Wynn on <a href='https://www.linkedin.com/in/rebeccawynncissp/'>LinkedIn</a>.<br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/qubnay/the-cyber-ranch-podcast_478dd91b-1ca3-4673-b08e-7e44acc5df4c.mp3" length="26978777" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

In this show, host Allan Alford interviews Dr. Rebecca Wynn about information security decisions made during COVID and what the 2021 "reckoning" might look like.  Dr. Wynn is a well-recognized CISO and Chief Privacy Officer, who faced some large-scale challenges during 2020. Allan welcomes Dr. Wynn to the cyber ranch!

The show starts with Allan asking Dr. Wynn to introduce herself and to tell the listeners a bit about her background. Dr. Wynn has received quite a lot of recognition in the field.

Allan and Rebecca Wynn share a wealth of connections in the CISO community, and both have consulted with numerous companies over 2020. This positions them to be able to talk to the broad spectrum of COVID-related actions and reactions taken during 2020.

Moving workers to home all over the world resulted in an increased attack surface and increased privacy concerns as well. Security questionnaires were on the rise, as were deeper investigations into PCI, SOC2, etc. reports. COVID, in other words, really emphasized the supply chain risk posture.

Allan and Dr. Wynn discuss the challenges and variety of preparedness for Zero Trust architectures - VPN, VDI, cellular dongles, taking desktop computers home, etc.

Allan and Dr. Wynn talk about supply chain risk, contracts, penalties, and other facets of post-COVID third-party risk.

To close the podcast, Dr. Wynn shares that she loves information security because of great companies out there who are forward-looking and paying real attention to security.

Key Takeaways:
1:18 - Dr. Wynn tells the audience about her information security background and recognitions.
2:43 - Dr. Wynn had to move 10,000 people to work-from-home for COVID.
4:31 - Dr. Wynn tells her clients to check the PCI, SOC2, etc. reports in detail for their supply chain.
5:37 - Allan points out that supply chain questionnaires were on the rise due to COVID.
6:45 - Dr. Wynn elaborates on Zero Trust architectures deployed during COVID and states that Zero Trust is not "one and done".
8:20 - Dr. Wynn encourages her clients to really dig into the risk associated with the supply chain.
9:12 - Allan points out that the SolarWinds breach was really a post-COVID phenomenon in terms of its impact and how folks responded.
10:40 - Allan shares that some companies were not ready for Zero Trust at all vs. those who were so well prepared.
12:49 - Dr. Wynn encourages auditors to go back and visit their 3rd-party risk.
14:34 - Dr. Wynn and Allan talk about the strength and significance of contracts in the cultures of various companies.
16:50 - Dr. Wynn tells her clients to attach assessments to the contract and asks for transparency.
19:40 - Dr. Wynn encourages her clients to ask their supply chain about end-of-life and end-of-service posture for the technical estate.
23:05 - Allan advocates that vendors have honest conversations with their customers to be transparent about what new risks COVID onboarded.
25:08 - Dr. Wynn predicts that 2021 will be the reckoning for companies who took shortcuts during COVID.
25:42 - Dr. Wynn loves working for forward-looking companies and loves working for the greater good.
26:48 - In Information Security, Dr. Wynn predicts growth and evolution and hopes for a real investment.
Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Learn more about Dr. Rebecca Wynn on LinkedIn.
Sponsored by our good friends at Axonius

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1686</itunes:duration>
                <itunes:episode>8</itunes:episode>
                    </item>
    <item>
        <title>Business-Oriented Security w/ Chris Castaldo</title>
        <itunes:title>Business-Oriented Security w/ Chris Castaldo</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/business-oriented-security-w-chris-castaldo/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/business-oriented-security-w-chris-castaldo/#comments</comments>        <pubDate>Wed, 10 Mar 2021 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">97438b05-1db8-4e96-ac58-7e0f5d1e0230</guid>
                                    <description><![CDATA[

In this show, host Allan Alford interviews his friend Chris Castaldo about how to align information security with the business. Chris is the CISO at Crossbeam, and is also the author of the book "Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit", available for pre-order at Amazon. Chris, like Allan, views himself as a very business-oriented CISO. Allan welcomes Chris down to the ranch to discuss business orientation and alignment of information security in detail.



The show starts with Allan asking Chris to introduce himself and to tell the listeners a bit of his background. Chris's book fills a void: books for founders seemed to utterly lack any reference to cybersecurity. Allan recommends the book, as he was one of the lucky few to review it before its release.



But that is not what they are here to chat about today... Allan asks Chris what it means to be a business-oriented CISO - and what does it look like to NOT be a business-oriented CISO?



Allan asks Chris how a CISO can affect both the bottom line and the top line. Allan and Chris discuss the nuances of that conversation in the context of business-to-consumer ("B2C") businesses vs. business-to-business ("B2B") businesses.



Allan and Chris discuss the challenges of striking the balance between meeting the business' security needs and being agile enough to quickly respond to the dynamic and ever-changing nature of the business.



To close the podcast, Chris shares that he loves information security because it always offers something new, and because it is evolving towards a user-centric approach.



Key Takeaways:


0:36 - Chris tells the audience about his security book for founders.

2:19 - Chris talks about his day job as CISO at Crossbeam.

3:08 - Chris talks about what it means to be a business-oriented CISO - it's mostly about understanding the rest of the business.

6:05 - Chris walks through how a CISO's impact to the top and bottom line varies for startups vs. mature businesses.

7:16 - Chris compares security aspects of a non-security offering to airbags in a car.

9:02 - Allan shares his past as a product security professional and how business-aligned product security is in tech companies.

12:00 - Chris compares B2C to B2B and how business-alignment for the CISO varies across the two.

14:41 - Allan talks about expectations of security vs. liability caps for failing to deliver it: B2B vs. B2C.

18:24 - Chris discusses how to enable security without putting the brakes on the business.

22:40 - Allan explains how some of his basic security controls also accelerate the business.

25:17 - Chris explains why he loves working in information security.

26:21 - Chris is looking forward to user-oriented cyber security.



Links:

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Learn more about Chris Castaldo on <a href='https://www.linkedin.com/in/chriscastaldo/'>LinkedIn</a>.

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

]]></description>
                                                            <content:encoded><![CDATA[

In this show, host Allan Alford interviews his friend Chris Castaldo about how to align information security with the business. Chris is the CISO at Crossbeam, and is also the author of the book "Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit", available for pre-order at Amazon. Chris, like Allan, views himself as a very business-oriented CISO. Allan welcomes Chris down to the ranch to discuss business orientation and alignment of information security in detail.
<br>
<br>

The show starts with Allan asking Chris to introduce himself and to tell the listeners a bit of his background. Chris's book fills a void: books for founders seemed to utterly lack any reference to cybersecurity. Allan recommends the book, as he was one of the lucky few to review it before its release.
<br>
<br>

But that is not what they are here to chat about today... Allan asks Chris what it means to be a business-oriented CISO - and what does it look like to NOT be a business-oriented CISO?
<br>
<br>

Allan asks Chris how a CISO can affect both the bottom line and the top line. Allan and Chris discuss the nuances of that conversation in the context of business-to-consumer ("B2C") businesses vs. business-to-business ("B2B") businesses.
<br>
<br>

Allan and Chris discuss the challenges of striking the balance between meeting the business' security needs and being agile enough to quickly respond to the dynamic and ever-changing nature of the business.
<br>
<br>

To close the podcast, Chris shares that he loves information security because it always offers something new, and because it is evolving towards a user-centric approach.
<br>
<br>

Key Takeaways:<br>
<br>

0:36 - Chris tells the audience about his security book for founders.<br>

2:19 - Chris talks about his day job as CISO at Crossbeam.<br>

3:08 - Chris talks about what it means to be a business-oriented CISO - it's mostly about understanding the rest of the business.<br>

6:05 - Chris walks through how a CISO's impact to the top and bottom line varies for startups vs. mature businesses.<br>

7:16 - Chris compares security aspects of a non-security offering to airbags in a car.<br>

9:02 - Allan shares his past as a product security professional and how business-aligned product security is in tech companies.<br>

12:00 - Chris compares B2C to B2B and how business-alignment for the CISO varies across the two.<br>

14:41 - Allan talks about expectations of security vs. liability caps for failing to deliver it: B2B vs. B2C.<br>

18:24 - Chris discusses how to enable security without putting the brakes on the business.<br>

22:40 - Allan explains how some of his basic security controls also accelerate the business.<br>

25:17 - Chris explains why he loves working in information security.<br>

26:21 - Chris is looking forward to user-oriented cyber security.<br>
<br>
<br>

Links:<br>

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Learn more about Chris Castaldo on <a href='https://www.linkedin.com/in/chriscastaldo/'>LinkedIn</a>.<br>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/ftn8qg/the-cyber-ranch-podcast_97438b05-1db8-4e96-ac58-7e0f5d1e0230.mp3" length="26597639" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

In this show, host Allan Alford interviews his friend Chris Castaldo about how to align information security with the business. Chris is the CISO at Crossbeam, and is also the author of the book "Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit", available for pre-order at Amazon. Chris, like Allan, views himself as a very business-oriented CISO. Allan welcomes Chris down to the ranch to discuss business orientation and alignment of information security in detail.

The show starts with Allan asking Chris to introduce himself and to tell the listeners a bit of his background. Chris's book fills a void: books for founders seemed to utterly lack any reference to cybersecurity. Allan recommends the book, as he was one of the lucky few to review it before its release.

But that is not what they are here to chat about today... Allan asks Chris what it means to be a business-oriented CISO - and what does it look like to NOT be a business-oriented CISO?

Allan asks Chris how a CISO can affect both the bottom line and the top line. Allan and Chris discuss the nuances of that conversation in the context of business-to-consumer ("B2C") businesses vs. business-to-business ("B2B") businesses.

Allan and Chris discuss the challenges of striking the balance between meeting the business' security needs and being agile enough to quickly respond to the dynamic and ever-changing nature of the business.

To close the podcast, Chris shares that he loves information security because it always offers something new, and because it is evolving towards a user-centric approach.

Key Takeaways:
0:36 - Chris tells the audience about his security book for founders.
2:19 - Chris talks about his day job as CISO at Crossbeam.
3:08 - Chris talks about what it means to be a business-oriented CISO - it's mostly about understanding the rest of the business.
6:05 - Chris walks through how a CISO's impact to the top and bottom line varies for startups vs. mature businesses.
7:16 - Chris compares security aspects of a non-security offering to airbags in a car.
9:02 - Allan shares his past as a product security professional and how business-aligned product security is in tech companies.
12:00 - Chris compares B2C to B2B and how business-alignment for the CISO varies across the two.
14:41 - Allan talks about expectations of security vs. liability caps for failing to deliver it: B2B vs. B2C.
18:24 - Chris discusses how to enable security without putting the brakes on the business.
22:40 - Allan explains how some of his basic security controls also accelerate the business.
25:17 - Chris explains why he loves working in information security.
26:21 - Chris is looking forward to user-oriented cyber security.
Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Learn more about Chris Castaldo on LinkedIn.
Sponsored by our good friends at AttackIQ

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1662</itunes:duration>
                <itunes:episode>7</itunes:episode>
                    </item>
    <item>
        <title>Supply Chain Security w/ Omkhar Arasaratnam</title>
        <itunes:title>Supply Chain Security w/ Omkhar Arasaratnam</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/supply-chain-security-w-omkhar-arasaratnam/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/supply-chain-security-w-omkhar-arasaratnam/#comments</comments>        <pubDate>Wed, 03 Mar 2021 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">0661af9f-a6b5-46d5-a4a0-38ed261c6d1a</guid>
                                    <description><![CDATA[

Today, host and CISO Allan Alford interviews Omkhar Arasaratnam, a veteran of the cybersecurity industry, on the topic of supply chain security.  With a career in security going all the way back to 2004, and with experience working for IBM and several financial institutions before becoming an Engineering Director at Google, Omkhar brings much hard-earned insight to the table!



Looking to tap into that insight, Allan poses two questions for Omkhar. First, how would he characterize or define supply chain security and its implications? And second, how would he explain the SolarWinds breach and its fallout? Omkhar centers his thoughts on the SolarWinds situation, a costly breach in which hackers manipulated a code base and used it as a leverage point to gain access to high-value targets. This attack required precision and focus, and is one of the first public breaches of its kind; however, Allan and Omkhar imagine that there will be copycat attacks to come, and that the attack is a wake-up call for all those with access to client data to step up their supply chain security.



Both providers and consumers with a hand in supply chain security have a responsibility to tighten their controls.  Supplier checks should be more frequent, software suppliers need to be very buttoned-down in how they control their entire build architecture, and those overseeing supply chain security need to carefully navigate the available vehicles for managing supply chain risk.  These vehicles, including questionnaires, right to audit, open source/credit-check style tools, and GRC tools, all have benefits and drawbacks, and no company manages supply chain security perfectly.



With a lot of sympathy for SolarWinds, though, Allan and Omkhar think that further work needs to be done in the cybersecurity space to bolster supply chain security measures. Omkhar details his own “black box” idea, which he imagines would be a strong component of a more comprehensive security protocol. Allan explains how this comprehensive protocol could function, and while making such a system an international standard is far off, Omkhar and Allan agree that there are tools in place for cybersecurity professionals to move toward a better system. There are issues of risk to weigh, myriad solutions to compare, and precursor tasks to address, but it’s time to get a conversation going that will ideally lead to change!



Key Takeaways:

1:10 - Allan asks Omkhar to share about his background before jumping into the main topic.

1:53 - Allan has two questions for Omkhar.

5:09 - Consumers and providers have a responsibility to step up their game.

7:41 - The conversation shifts toward the vehicles for managing supply chain risk.

9:05 - What’s Omkhar’s take on the open source/credit score-style check?

11:55 - Allan and Omkhar turn to Omkhar’s black box idea.

17:22 - Omkhar thinks highly of Allan’s comprehensive approach, but there are obstacles.

21:50 - What are these obstacles, and what is the needed precursor work?

26:20 - As the conversation ends, Allan asks about Omkhar’s motivation and passion.



Links:

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Learn more about Omkhar Arasaratnam on <a href='https://www.linkedin.com/in/omkhar/'>LinkedIn</a>.

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

]]></description>
                                                            <content:encoded><![CDATA[

Today, host and CISO Allan Alford interviews Omkhar Arasaratnam, a veteran of the cybersecurity industry, on the topic of supply chain security.  With a career in security going all the way back to 2004, and with experience working for IBM and several financial institutions before becoming an Engineering Director at Google, Omkhar brings much hard-earned insight to the table!
<br>
<br>

Looking to tap into that insight, Allan poses two questions for Omkhar. First, how would he characterize or define supply chain security and its implications? And second, how would he explain the SolarWinds breach and its fallout? Omkhar centers his thoughts on the SolarWinds situation, a costly breach in which hackers manipulated a code base and used it as a leverage point to gain access to high-value targets. This attack required precision and focus, and is one of the first public breaches of its kind; however, Allan and Omkhar imagine that there will be copycat attacks to come, and that the attack is a wake-up call for all those with access to client data to step up their supply chain security.
<br>
<br>

Both providers and consumers with a hand in supply chain security have a responsibility to tighten their controls.  Supplier checks should be more frequent, software suppliers need to be very buttoned-down in how they control their entire build architecture, and those overseeing supply chain security need to carefully navigate the available vehicles for managing supply chain risk.  These vehicles, including questionnaires, right to audit, open source/credit-check style tools, and GRC tools, all have benefits and drawbacks, and no company manages supply chain security perfectly.
<br>
<br>

With a lot of sympathy for SolarWinds, though, Allan and Omkhar think that further work needs to be done in the cybersecurity space to bolster supply chain security measures. Omkhar details his own “black box” idea, which he imagines would be a strong component of a more comprehensive security protocol. Allan explains how this comprehensive protocol could function, and while making such a system an international standard is far off, Omkhar and Allan agree that there are tools in place for cybersecurity professionals to move toward a better system. There are issues of risk to weigh, myriad solutions to compare, and precursor tasks to address, but it’s time to get a conversation going that will ideally lead to change!
<br>
<br>

Key Takeaways:<br>

1:10 - Allan asks Omkhar to share about his background before jumping into the main topic.<br>

1:53 - Allan has two questions for Omkhar.<br>

5:09 - Consumers and providers have a responsibility to step up their game.<br>

7:41 - The conversation shifts toward the vehicles for managing supply chain risk.<br>

9:05 - What’s Omkhar’s take on the open source/credit score-style check?<br>

11:55 - Allan and Omkhar turn to Omkhar’s black box idea.<br>

17:22 - Omkhar thinks highly of Allan’s comprehensive approach, but there are obstacles.<br>

21:50 - What are these obstacles, and what is the needed precursor work?<br>

26:20 - As the conversation ends, Allan asks about Omkhar’s motivation and passion.<br>
<br>
<br>

Links:<br>

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Learn more about Omkhar Arasaratnam on <a href='https://www.linkedin.com/in/omkhar/'>LinkedIn</a>.<br>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/m3504z/the-cyber-ranch-podcast_0661af9f-a6b5-46d5-a4a0-38ed261c6d1a.mp3" length="67147076" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

Today, host and CISO Allan Alford interviews Omkhar Arasaratnam, a veteran of the cybersecurity industry, on the topic of supply chain security.  With a career in security going all the way back to 2004, and with experience working for IBM and several financial institutions before becoming an Engineering Director at Google, Omkhar brings much hard-earned insight to the table!

Looking to tap into that insight, Allan poses two questions for Omkhar. First, how would he characterize or define supply chain security and its implications? And second, how would he explain the SolarWinds breach and its fallout? Omkhar centers his thoughts on the SolarWinds situation, a costly breach in which hackers manipulated a code base and used it as a leverage point to gain access to high-value targets. This attack required precision and focus, and is one of the first public breaches of its kind; however, Allan and Omkhar imagine that there will be copycat attacks to come, and that the attack is a wake-up call for all those with access to client data to step up their supply chain security.

Both providers and consumers with a hand in supply chain security have a responsibility to tighten their controls.  Supplier checks should be more frequent, software suppliers need to be very buttoned-down in how they control their entire build architecture, and those overseeing supply chain security need to carefully navigate the available vehicles for managing supply chain risk.  These vehicles, including questionnaires, right to audit, open source/credit-check style tools, and GRC tools, all have benefits and drawbacks, and no company manages supply chain security perfectly.

With a lot of sympathy for SolarWinds, though, Allan and Omkhar think that further work needs to be done in the cybersecurity space to bolster supply chain security measures. Omkhar details his own “black box” idea, which he imagines would be a strong component of a more comprehensive security protocol. Allan explains how this comprehensive protocol could function, and while making such a system an international standard is far off, Omkhar and Allan agree that there are tools in place for cybersecurity professionals to move toward a better system. There are issues of risk to weigh, myriad solutions to compare, and precursor tasks to address, but it’s time to get a conversation going that will ideally lead to change!

Key Takeaways:
1:10 - Allan asks Omkhar to share about his background before jumping into the main topic.
1:53 - Allan has two questions for Omkhar.
5:09 - Consumers and providers have a responsibility to step up their game.
7:41 - The conversation shifts toward the vehicles for managing supply chain risk.
9:05 - What’s Omkhar’s take on the open source/credit score-style check?
11:55 - Allan and Omkhar turn to Omkhar’s black box idea.
17:22 - Omkhar thinks highly of Allan’s comprehensive approach, but there are obstacles.
21:50 - What are these obstacles, and what is the needed precursor work?
26:20 - As the conversation ends, Allan asks about Omkhar’s motivation and passion.
Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Learn more about Omkhar Arasaratnam on LinkedIn.
Sponsored by our good friends at AttackIQ

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1678</itunes:duration>
                <itunes:episode>6</itunes:episode>
                    </item>
    <item>
        <title>Startups &amp; VCs in InfoSec w/ Will Lin</title>
        <itunes:title>Startups &amp; VCs in InfoSec w/ Will Lin</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/startups-vcs-in-infosec-w-will-lin/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/startups-vcs-in-infosec-w-will-lin/#comments</comments>        <pubDate>Wed, 24 Feb 2021 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">5ab2b6c3-5e22-4449-a650-c2a044202814</guid>
                                    <description><![CDATA[

In this show, host Allan Alford interviews his friend Will Lin about startups and venture capital. Will Lin is a venture capitalist with ForgePoint Capital, focusing exclusively on the information security space. First and foremost, Will views his current role as a way to help others. Allan welcomes Will on to the show to help his listeners learn more about the startup world, the venture capital world, and how those two intersect.



The show starts with Allan asking Will why he thinks startups are such a prevalent force in the cyber security world. Will is not sure, but his hypothesis is that this is in large part due to the ever-changing nature of cyber security. Since needs are constantly changing and each organization has unique needs, startups have popped up to address those specialties and change based on the different needs that arise. His second hypothesis is that there always need to be organizations prepared to address new and emerging threats to security.



For VCs, Will shares that companies and startups go through a very natural progression in terms of maturity depending on their framework. Regardless, what it all boils down to is where in their life cycle any organization finds itself. Once the VC is able to identify where the company is in its life cycle, they can begin to make informed decisions about the company. This will determine the type of funding that VCs will decide to provide. For example, usually when a company is around 10-20 members, it will be looking for series A funding. Typically, series A funding is around 10-25 million dollars, series B is 20-40 million and series C is 50 million and above. By evaluating the total of the investment, observers can estimate the valuation of the company.



While most companies only do a few rounds of fundraising, some companies will experience several late rounds of fundraising and Will advises that this is typically a good thing. The best indicator of health is the number of employees. If the number of employees is going down, that is one of the clearest indicators of regression. Once a VC comes in, though, that is where they are able to lend their experience to help with advising the business, which is Will’s favorite part of his job.



To close the podcast, Will shares that being able to help people and add value to their companies is the thing that keeps him energized and engaged in his position.



Key Takeaways:

0:24 - Listeners are introduced to Allan Alford and his guest, Will Lin.

1:27 - Why do so many people in the security industry rely on startups?

3:29 - What does Will do in his job and how has his background led to his current role?

5:36 - From Will’s perspective, what is the critical split between the first round of angel funding

9:33 - What is the expectation for funding in each different series of investments?

15:19 - What does the VC ownership look like from the perspective of the company?

21:22 - Does Will offer specific advice to the startups that he works with?

24:00 - What is Will’s opinion on startups that grow without any assistance from VCs?

25:48 - What keeps Will energized in his job?



Links:

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Learn more about Will Lin on <a href='https://www.linkedin.com/in/linwilliam/'>LinkedIn</a>.

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></description>
                                                            <content:encoded><![CDATA[

In this show, host Allan Alford interviews his friend Will Lin about startups and venture capital. Will Lin is a venture capitalist with ForgePoint Capital, focusing exclusively on the information security space. First and foremost, Will views his current role as a way to help others. Allan welcomes Will on to the show to help his listeners learn more about the startup world, the venture capital world, and how those two intersect.
<br>
<br>

The show starts with Allan asking Will why he thinks startups are such a prevalent force in the cyber security world. Will is not sure, but his hypothesis is that this is in large part due to the ever-changing nature of cyber security. Since needs are constantly changing and each organization has unique needs, startups have popped up to address those specialties and change based on the different needs that arise. His second hypothesis is that there always need to be organizations prepared to address new and emerging threats to security.
<br>
<br>

For VCs, Will shares that companies and startups go through a very natural progression in terms of maturity depending on their framework. Regardless, what it all boils down to is where in their life cycle any organization finds itself. Once the VC is able to identify where the company is in its life cycle, they can begin to make informed decisions about the company. This will determine the type of funding that VCs will decide to provide. For example, usually when a company is around 10-20 members, it will be looking for series A funding. Typically, series A funding is around 10-25 million dollars, series B is 20-40 million and series C is 50 million and above. By evaluating the total of the investment, observers can estimate the valuation of the company.
<br>
<br>

While most companies only do a few rounds of fundraising, some companies will experience several late rounds of fundraising and Will advises that this is typically a good thing. The best indicator of health is the number of employees. If the number of employees is going down, that is one of the clearest indicators of regression. Once a VC comes in, though, that is where they are able to lend their experience to help with advising the business, which is Will’s favorite part of his job.
<br>
<br>

To close the podcast, Will shares that being able to help people and add value to their companies is the thing that keeps him energized and engaged in his position.
<br>
<br>

Key Takeaways:<br>

0:24 - Listeners are introduced to Allan Alford and his guest, Will Lin.<br>

1:27 - Why do so many people in the security industry rely on startups?<br>

3:29 - What does Will do in his job and how has his background led to his current role?<br>

5:36 - From Will’s perspective, what is the critical split between the first round of angel funding<br>

9:33 - What is the expectation for funding in each different series of investments?<br>

15:19 - What does the VC ownership look like from the perspective of the company?<br>

21:22 - Does Will offer specific advice to the startups that he works with?<br>

24:00 - What is Will’s opinion on startups that grow without any assistance from VCs?<br>

25:48 - What keeps Will energized in his job?<br>
<br>
<br>

Links:<br>

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Learn more about Will Lin on <a href='https://www.linkedin.com/in/linwilliam/'>LinkedIn</a>.<br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/kzs3yk/the-cyber-ranch-podcast_5ab2b6c3-5e22-4449-a650-c2a044202814.mp3" length="65199542" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

In this show, host Allan Alford interviews his friend Will Lin about startups and venture capital. Will Lin is a venture capitalist with ForgePoint Capital, focusing exclusively on the information security space. First and foremost, Will views his current role as a way to help others. Allan welcomes Will on to the show to help his listeners learn more about the startup world, the venture capital world, and how those two intersect.

The show starts with Allan asking Will why he thinks startups are such a prevalent force in the cyber security world. Will is not sure, but his hypothesis is that this is in large part due to the ever-changing nature of cyber security. Since needs are constantly changing and each organization has unique needs, startups have popped up to address those specialties and change based on the different needs that arise. His second hypothesis is that there always need to be organizations prepared to address new and emerging threats to security.

For VCs, Will shares that companies and startups go through a very natural progression in terms of maturity depending on their framework. Regardless, what it all boils down to is where in their life cycle any organization finds itself. Once the VC is able to identify where the company is in its life cycle, they can begin to make informed decisions about the company. This will determine the type of funding that VCs will decide to provide. For example, usually when a company is around 10-20 members, it will be looking for series A funding. Typically, series A funding is around 10-25 million dollars, series B is 20-40 million and series C is 50 million and above. By evaluating the total of the investment, observers can estimate the valuation of the company.

While most companies only do a few rounds of fundraising, some companies will experience several late rounds of fundraising and Will advises that this is typically a good thing. The best indicator of health is the number of employees. If the number of employees is going down, that is one of the clearest indicators of regression. Once a VC comes in, though, that is where they are able to lend their experience to help with advising the business, which is Will’s favorite part of his job.

To close the podcast, Will shares that being able to help people and add value to their companies is the thing that keeps him energized and engaged in his position.

Key Takeaways:
0:24 - Listeners are introduced to Allan Alford and his guest, Will Lin.
1:27 - Why do so many people in the security industry rely on startups?
3:29 - What does Will do in his job and how has his background led to his current role?
5:36 - From Will’s perspective, what is the critical split between the first round of angel funding
9:33 - What is the expectation for funding in each different series of investments?
15:19 - What does the VC ownership look like from the perspective of the company?
21:22 - Does Will offer specific advice to the startups that he works with?
24:00 - What is Will’s opinion on startups that grow without any assistance from VCs?
25:48 - What keeps Will energized in his job?
Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Learn more about Will Lin on LinkedIn.
Sponsored by our good friends at Axonius

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1629</itunes:duration>
                <itunes:episode>5</itunes:episode>
                    </item>
    <item>
        <title>Storytelling in InfoSec w/ Chris Cochran &amp; Ron Eddings of Hacker Valley</title>
        <itunes:title>Storytelling in InfoSec w/ Chris Cochran &amp; Ron Eddings of Hacker Valley</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/storytelling-in-infosec-w-chris-cochran-ron-eddings-of-hacker-valley/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/storytelling-in-infosec-w-chris-cochran-ron-eddings-of-hacker-valley/#comments</comments>
        <pubDate>Mon, 22 Feb 2021 12:08:00 -0600</pubDate>
        <guid isPermaLink="false">9f9b097a-35a3-452d-aac1-c5f360de110d</guid>
                                    <description><![CDATA[

On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Ron Eddings and Chris Cochran from Hacker Valley Studio. The episode begins with Ron and Chris sharing how they came to cyber security and the roles they’ve held in the space.



While they came up in the cyber security space through different channels, they now work together at Marqeta, Ron as a Security Architect Leader and Chris as the Director of Security Engineering. Additionally, together they host the Hacker Valley Podcast. Allan is curious how the podcast affects their day jobs and how their day jobs influence the podcast. Ron and Chris explain that it has given them wider contacts with people in the security industry and the opportunity to speak with them about their interests and expertise.



Allan asks Ron and Chris how they stay passionate about their work. Chris says both he and Ron believe in getting better every day, even if it’s in small increments. Reading books, taking classes, and speaking to mentors are all ways that he improves himself and makes sure he stays sharp. Ron shares that he is a collector, and it has led him to collecting experiences. Through these experiences, he is also able to continue getting better and improving himself.



They both share that through the podcast and their jobs, they need to continue learning and working. They’ve taken voice coaching and storytelling lessons to keep on the cutting edge of podcasting. Everyone has a story, and the ability to share your own and help others share theirs is essential not only to impeccable podcasting but also to being an empathetic and engaged human. In threat intelligence and user awareness training, along with other technical skills, storytelling is integral to meeting people where they are.



As the episode ends, Allan asks Ron and Chris about the future for them and their podcast.



Key Ideas:


0:22 - Chris and Ron are introduced.

4:46 - How the podcast influences their day jobs and vice versa.

12:08 - Allan asks Chris and Ron about infusing passion in their work.

16:39 - The importance of storytelling in podcasting.

24:00 - What does the future look like for Ron, Chris, and the podcast?



Links:

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Follow Chris Cochran on <a href='https://www.linkedin.com/in/chriscochrancyber/'>LinkedIn</a> and <a href='https://twitter.com/chriscochrcyber'>Twitter</a>

Follow Ron Eddings on <a href='https://www.linkedin.com/in/ronaldeddings/'>LinkedIn</a> and <a href='https://twitter.com/ronaldeddings'>Twitter</a>

Support Hacker Valley Studio on <a href='https://www.patreon.com/hackervalleystudio'>Patreon</a>.


Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></description>
                                                            <content:encoded><![CDATA[

On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Ron Eddings and Chris Cochran from Hacker Valley Studio. The episode begins with Ron and Chris sharing how they came to cyber security and the roles they’ve held in the space.
<br>
<br>

While they came up in the cyber security space through different channels, they now work together at Marqeta, Ron as a Security Architect Leader and Chris as the Director of Security Engineering. Additionally, together they host the Hacker Valley Podcast. Allan is curious how the podcast affects their day jobs and how their day jobs influence the podcast. Ron and Chris explain that it has given them wider contacts with people in the security industry and the opportunity to speak with them about their interests and expertise.
<br>
<br>

Allan asks Ron and Chris how they stay passionate about their work. Chris says both he and Ron believe in getting better every day, even if it’s in small increments. Reading books, taking classes, and speaking to mentors are all ways that he improves himself and makes sure he stays sharp. Ron shares that he is a collector, and it has led him to collecting experiences. Through these experiences, he is also able to continue getting better and improving himself.
<br>
<br>

They both share that through the podcast and their jobs, they need to continue learning and working. They’ve taken voice coaching and storytelling lessons to keep on the cutting edge of podcasting. Everyone has a story, and the ability to share your own and help others share theirs is essential not only to impeccable podcasting but also to being an empathetic and engaged human. In threat intelligence and user awareness training, along with other technical skills, storytelling is integral to meeting people where they are.
<br>
<br>

As the episode ends, Allan asks Ron and Chris about the future for them and their podcast.
<br>
<br>

Key Ideas:<br>
<br>

0:22 - Chris and Ron are introduced.<br>

4:46 - How the podcast influences their day jobs and vice versa.<br>

12:08 - Allan asks Chris and Ron about infusing passion in their work.<br>

16:39 - The importance of storytelling in podcasting.<br>

24:00 - What does the future look like for Ron, Chris, and the podcast?
<br>
<br>

Links:<br>

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a><br>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a><br>

Follow Chris Cochran on <a href='https://www.linkedin.com/in/chriscochrancyber/'>LinkedIn</a> and <a href='https://twitter.com/chriscochrcyber'>Twitter</a><br>

Follow Ron Eddings on <a href='https://www.linkedin.com/in/ronaldeddings/'>LinkedIn</a> and <a href='https://twitter.com/ronaldeddings'>Twitter</a><br>

Support Hacker Valley Studio on <a href='https://www.patreon.com/hackervalleystudio'>Patreon</a>.<br>
<br>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/jfmchv/the-cyber-ranch-podcast_9f9b097a-35a3-452d-aac1-c5f360de110d.mp3" length="65675036" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Ron Eddings and Chris Cochran from Hacker Valley Studio. The episode begins with Ron and Chris sharing how they came to cyber security and the roles they’ve held in the space.

While they came up in the cyber security space through different channels, they now work together at Marqeta, Ron as a Security Architect Leader and Chris as the Director of Security Engineering. Additionally, together they host the Hacker Valley Podcast. Allan is curious how the podcast affects their day jobs and how their day jobs influence the podcast. Ron and Chris explain that it has given them wider contacts with people in the security industry and the opportunity to speak with them about their interests and expertise.

Allan asks Ron and Chris how they stay passionate about their work. Chris says both he and Ron believe in getting better every day, even if it’s in small increments. Reading books, taking classes, and speaking to mentors are all ways that he improves himself and makes sure he stays sharp. Ron shares that he is a collector, and it has led him to collecting experiences. Through these experiences, he is also able to continue getting better and improving himself.

They both share that through the podcast and their jobs, they need to continue learning and working. They’ve taken voice coaching and storytelling lessons to keep on the cutting edge of podcasting. Everyone has a story, and the ability to share your own and help others share theirs is essential not only to impeccable podcasting but also to being an empathetic and engaged human. In threat intelligence and user awareness training, along with other technical skills, storytelling is integral to meeting people where they are.

As the episode ends, Allan asks Ron and Chris about the future for them and their podcast.

Key Ideas:
0:22 - Chris and Ron are introduced.
4:46 - How the podcast influences their day jobs and vice versa.
12:08 - Allan asks Chris and Ron about infusing passion in their work.
16:39 - The importance of storytelling in podcasting.
24:00 - What does the future look like for Ron, Chris, and the podcast?

Links:
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Follow Chris Cochran on LinkedIn and Twitter
Follow Ron Eddings on LinkedIn and Twitter
Support Hacker Valley Studio on Patreon.
Sponsored by our good friends at Axonius

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1641</itunes:duration>
                <itunes:episode>4</itunes:episode>
                    </item>
    <item>
        <title>Vulnerability Management w/ Anne Marie Zettlemoyer</title>
        <itunes:title>Vulnerability Management w/ Anne Marie Zettlemoyer</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/vulnerability-management-w-anne-marie-zettlemoyer/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/vulnerability-management-w-anne-marie-zettlemoyer/#comments</comments>
        <pubDate>Wed, 10 Feb 2021 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">c4e07a7b-f428-4383-9765-b4e1b0ae1f6d</guid>
                                    <description><![CDATA[

Allan Alford interviews Anne Marie Zettlemoyer about the topic of vulnerability management.  Anne Marie is a visiting fellow with the National Security Institute at George Mason University, and one of the all-around sharpest minds Allan knows in information security!



Anne Marie is deeply entrenched in the world of information security, and she loves her work.  She began her career in accounting and finance, but by serendipity was introduced to security through a position updating a company’s payment system.  From there, she was recruited into the Secret Service, where she developed a passion for the information security field - a field she hasn’t left since!  Anne Marie is driven by the energy and nobility of her profession, and she values work as a protector and defender.  At the same time, she feels a high level of responsibility to her company and her customers to navigate information security well.



The baseline for security work, Anne Marie says, is the fundamentals.  The first line of a security officer’s responsibility is to maintain this sort of system hygiene; this is why Anne Marie is passionate about vulnerability management.  In a changing threat landscape, vulnerability management is a basic necessity to keep products and clients safe.  Of course, this does not make vulnerability management an easy task.



Practitioners of vulnerability management must also attend to a variety of factors, from issues of regulation and compliance, to CVSS scores and tooling for contextualization, to determining the way in which vulnerability management should be situated within their broader security program (often as a key driver).  Within the world of information security, vulnerability management is one of many complex pieces to juggle together, and people like Anne Marie stand at the center of the balancing act.  Anne Marie leaves listeners with an idea of how best to approach information security today, but she also leaves them with the prospect of exciting changes on the horizon in the areas of data governance and bridging the gap between speed and security.



Key Takeaways


0:17 - Listeners are introduced to Allan Alford and his guest, Anne Marie Zettlemoyer.

1:12 - Allan asks Anne Marie to walk through her day job.

1:56 - Why is vulnerability management important to Anne Marie?

4:13 - Allan shifts to the subject of motivating people to fix vulnerabilities.

6:26 - Anne Marie’s broad experience gives her a unique perspective.

8:41 - Remediations must be obtainable.

10:27 - Overall, fundamentals, partnership, and understanding are needed.

11:27 - Allan and Anne Marie turn to metrics, tooling, and context.

14:38 - Within the security program, where does vulnerability management fit?

18:00 - How did Anne Marie get into vulnerability management?

20:15 - Her job and its responsibilities require certain things.

20:56 - What keeps Anne Marie in the game?

22:20 - What is she looking forward to in the field?



Learn more about Anne Marie Zettlemoyer and connect with her on <a href='https://twitter.com/SolvingCyber'>Twitter</a> and <a href='https://www.linkedin.com/in/anne-marie-zettlemoyer-a161913/'>LinkedIn</a>.

Learn more about Allan Alford and connect with him on <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a> and <a href='https://linkedin.com/in/allanalford'>LinkedIn</a>.

Learn more about <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>, part of the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> family.

Learn more about podcast sponsor <a href='https://axonius.com/'>Axonius</a>.

Support Hacker Valley Studio on <a href='https://www.patreon.com/hackervalleystudio'>Patreon</a>.

Follow Hacker Valley Studio on <a href='https://twitter.com/TheHackerValley'>Twitter</a>.

]]></description>
                                                            <content:encoded><![CDATA[

Allan Alford interviews Anne Marie Zettlemoyer about the topic of vulnerability management.  Anne Marie is a visiting fellow with the National Security Institute at George Mason University, and one of the all-around sharpest minds Allan knows in information security!
<br>
<br>

Anne Marie is deeply entrenched in the world of information security, and she loves her work.  She began her career in accounting and finance, but by serendipity was introduced to security through a position updating a company’s payment system.  From there, she was recruited into the Secret Service, where she developed a passion for the information security field - a field she hasn’t left since!  Anne Marie is driven by the energy and nobility of her profession, and she values work as a protector and defender.  At the same time, she feels a high level of responsibility to her company and her customers to navigate information security well.
<br>
<br>

The baseline for security work, Anne Marie says, is the fundamentals.  The first line of a security officer’s responsibility is to maintain this sort of system hygiene; this is why Anne Marie is passionate about vulnerability management.  In a changing threat landscape, vulnerability management is a basic necessity to keep products and clients safe.  Of course, this does not make vulnerability management an easy task.
<br>
<br>

Practitioners of vulnerability management must also attend to a variety of factors, from issues of regulation and compliance, to CVSS scores and tooling for contextualization, to determining the way in which vulnerability management should be situated within their broader security program (often as a key driver).  Within the world of information security, vulnerability management is one of many complex pieces to juggle together, and people like Anne Marie stand at the center of the balancing act.  Anne Marie leaves listeners with an idea of how best to approach information security today, but she also leaves them with the prospect of exciting changes on the horizon in the areas of data governance and bridging the gap between speed and security.
<br>
<br>

Key Takeaways<br>
<br>

0:17 - Listeners are introduced to Allan Alford and his guest, Anne Marie Zettlemoyer.<br>

1:12 - Allan asks Anne Marie to walk through her day job.<br>

1:56 - Why is vulnerability management important to Anne Marie?<br>

4:13 - Allan shifts to the subject of motivating people to fix vulnerabilities.<br>

6:26 - Anne Marie’s broad experience gives her a unique perspective.<br>

8:41 - Remediations must be obtainable.<br>

10:27 - Overall, fundamentals, partnership, and understanding are needed.<br>

11:27 - Allan and Anne Marie turn to metrics, tooling, and context.<br>

14:38 - Within the security program, where does vulnerability management fit?<br>

18:00 - How did Anne Marie get into vulnerability management?<br>

20:15 - Her job and its responsibilities require certain things.<br>

20:56 - What keeps Anne Marie in the game?<br>

22:20 - What is she looking forward to in the field?<br>
<br>
<br>

Learn more about Anne Marie Zettlemoyer and connect with her on <a href='https://twitter.com/SolvingCyber'>Twitter</a> and <a href='https://www.linkedin.com/in/anne-marie-zettlemoyer-a161913/'>LinkedIn</a>.<br>

Learn more about Allan Alford and connect with him on <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a> and <a href='https://linkedin.com/in/allanalford'>LinkedIn</a>.<br>

Learn more about <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>, part of the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> family.<br>

Learn more about podcast sponsor <a href='https://axonius.com/'>Axonius</a>.<br>

Support Hacker Valley Studio on <a href='https://www.patreon.com/hackervalleystudio'>Patreon</a>.<br>

Follow Hacker Valley Studio on <a href='https://twitter.com/TheHackerValley'>Twitter</a>.

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/x6jqgz/the-cyber-ranch-podcast_c4e07a7b-f428-4383-9765-b4e1b0ae1f6d.mp3" length="23088584" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

Allan Alford interviews Anne Marie Zettlemoyer about the topic of vulnerability management.  Anne Marie is a visiting fellow with the National Security Institute at George Mason University, and one of the all-around sharpest minds Allan knows in information security!

Anne Marie is deeply entrenched in the world of information security, and she loves her work.  She began her career in accounting and finance, but by serendipity was introduced to security through a position updating a company’s payment system.  From there, she was recruited into the Secret Service, where she developed a passion for the information security field - a field she hasn’t left since!  Anne Marie is driven by the energy and nobility of her profession, and she values work as a protector and defender.  At the same time, she feels a high level of responsibility to her company and her customers to navigate information security well.

The baseline for security work, Anne Marie says, is the fundamentals.  The first line of a security officer’s responsibility is to maintain this sort of system hygiene; this is why Anne Marie is passionate about vulnerability management.  In a changing threat landscape, vulnerability management is a basic necessity to keep products and clients safe.  Of course, this does not make vulnerability management an easy task.

Practitioners of vulnerability management must also attend to a variety of factors, from issues of regulation and compliance, to CVSS scores and tooling for contextualization, to determining the way in which vulnerability management should be situated within their broader security program (often as a key driver).  Within the world of information security, vulnerability management is one of many complex pieces to juggle together, and people like Anne Marie stand at the center of the balancing act.  Anne Marie leaves listeners with an idea of how best to approach information security today, but she also leaves them with the prospect of exciting changes on the horizon in the areas of data governance and bridging the gap between speed and security.

Key Takeaways
0:17 - Listeners are introduced to Allan Alford and his guest, Anne Marie Zettlemoyer.
1:12 - Allan asks Anne Marie to walk through her day job.
1:56 - Why is vulnerability management important to Anne Marie?
4:13 - Allan shifts to the subject of motivating people to fix vulnerabilities.
6:26 - Anne Marie’s broad experience gives her a unique perspective.
8:41 - Remediations must be obtainable.
10:27 - Overall, fundamentals, partnership, and understanding are needed.
11:27 - Allan and Anne Marie turn to metrics, tooling, and context.
14:38 - Within the security program, where does vulnerability management fit?
18:00 - How did Anne Marie get into vulnerability management?
20:15 - Her job and its responsibilities require certain things.
20:56 - What keeps Anne Marie in the game?
22:20 - What is she looking forward to in the field?
Learn more about Anne Marie Zettlemoyer and connect with her on Twitter and LinkedIn.
Learn more about Allan Alford and connect with him on Twitter and LinkedIn.
Learn more about The Cyber Ranch Podcast, part of the Hacker Valley Studio family.
Learn more about podcast sponsor Axonius.
Support Hacker Valley Studio on Patreon.
Follow Hacker Valley Studio on Twitter.

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1443</itunes:duration>
                <itunes:episode>3</itunes:episode>
                    </item>
    <item>
        <title>Behavioral Economics &amp; InfoSec w/ Kelly Shortridge</title>
        <itunes:title>Behavioral Economics &amp; InfoSec w/ Kelly Shortridge</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/behavioral-economics-infosec-w-kelly-shortridge/</link>
                    <comments>https://thecyberranchpodcast.podbean.com/e/behavioral-economics-infosec-w-kelly-shortridge/#comments</comments>
        <pubDate>Wed, 03 Feb 2021 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">67add061-1022-4f67-95bf-ee1906e939fe</guid>
                                    <description><![CDATA[

Behavioral Economics has altered our perceptions of what actually motivates human beings.  How do these theories about our more primitive behaviors as well as our intellectual biases apply to information security?  Allan Alford & Kelly Shortridge discuss in the context of infosec programs and events in a whirlwind of conversation. Sponsored by our friends at <a href='https://attackiq.com/'>AttackIQ</a>



Podcast: The Cyber Ranch Podcast
Episode 2: Behavioral Economics and InfoSec with Kelly Shortridge



On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Kelly Shortridge, VP of Product Management at Capsule8. Their conversation begins with Kelly introducing herself and her work. She works in products for a security vendor, and she’s done research into applying behavioral economics to security. Kelly says she grew up with a love of computers, but was mostly on the gaming-rig-building side of things. Her career in information security began in the investment banking industry, which led her to fall in love with security.



Next, Allan asks Kelly about her work in behavioral economics. Economics is the study of choice; behavioral economics looks at the way humans actually behave by conducting experiments and observing natural occurrences. Humans don’t always behave in the rational, textbook way, but Kelly explains that often their choices are rational when you factor in competing priorities. In information security, this shows up when folks find themselves reacting to the threats that get the most attention, rather than those that are proven to be the most pressing. Information security is also affected by hindsight and outcome biases. Kelly explains how our brains try to trick us into blaming a single factor in a crisis, but that is not how the real world or cyber attacks work.



Now that behavioral economics has clued us in to the biases formed by what Kelly affectionately refers to as our “lizard brains,” Allan wonders if we should be optimistic about how we may think and prevent attacks in the future. Kelly isn’t so sure. She explains that changing some systems to be more compatible with our lizard brain has been effective; however, knowing how we think doesn’t help people think differently. In InfoSec, there are opportunities to continue making the secure way the easiest way, and so circumvent the lizard brain. Other industries have been designing systems and workloads based on the way people behave; Kelly says InfoSec is just behind the curve.



As the episode ends, Allan asks Kelly what keeps her in InfoSec. Kelly says it is spite. There are still inefficiencies, and an industry that pats itself on the back for doing little; that makes her spiteful, she says. She wants to be an industry member that adds value to organizations and highlights the user.



Follow Kelly on Twitter as <a href='https://twitter.com/swagitda_'>@swagitda_</a> or on LinkedIn at <a href='https://www.linkedin.com/in/kellyshortridge/'>Kelly Shortridge</a>



Learn more about <a href='https://linkedin.com/in/allanalford'>Allan</a> and the Cyber Ranch Podcast at <a href='https://hackervalley.com/cyberranch'>Hacker Valley Studio</a>



Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

]]></description>
                                                            <content:encoded><![CDATA[

Behavioral Economics has altered our perceptions of what actually motivates human beings.  How do these theories about our more primitive behaviors as well as our intellectual biases apply to information security?  Allan Alford & Kelly Shortridge discuss in the context of infosec programs and events in a whirlwind of conversation. Sponsored by our friends at <a href='https://attackiq.com/'>AttackIQ</a>
<br>
<br>

Podcast: The Cyber Ranch Podcast
Episode 2: Behavioral Economics and InfoSec with Kelly Shortridge
<br>
<br>

On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Kelly Shortridge, VP of Product Management at Capsule8. Their conversation begins with Kelly introducing herself and her work. She works in products for a security vendor, and she’s done research into applying behavioral economics to security. Kelly says she grew up with a love of computers, but was mostly on the gaming-rig-building side of things. Her career in information security began in the investment banking industry, which led her to fall in love with security.
<br>
<br>

Next, Allan asks Kelly about her work in behavioral economics. Economics is the study of choice; behavioral economics looks at the way humans actually behave by conducting experiments and observing natural occurrences. Humans don’t always behave in the rational, textbook way, but Kelly explains that often their choices are rational when you factor in competing priorities. In information security, this shows up when folks find themselves reacting to the threats that get the most attention, rather than those that are proven to be the most pressing. Information security is also affected by hindsight and outcome biases. Kelly explains how our brains try to trick us into blaming a single factor in a crisis, but that is not how the real world or cyber attacks work.
<br>
<br>

Now that behavioral economics has clued us in to the biases formed by what Kelly affectionately refers to as our “lizard brains,” Allan wonders if we should be optimistic about how we may think and prevent attacks in the future. Kelly isn’t so sure. She explains that changing some systems to be more compatible with our lizard brain has been effective; however, knowing how we think doesn’t help people think differently. In InfoSec, there are opportunities to continue making the secure way the easiest way, and so circumvent the lizard brain. Other industries have been designing systems and workloads based on the way people behave; Kelly says InfoSec is just behind the curve.
<br>
<br>

As the episode ends, Allan asks Kelly what keeps her in InfoSec. Kelly says it is spite. There are still inefficiencies, and an industry that pats itself on the back for doing little; that makes her spiteful, she says. She wants to be an industry member that adds value to organizations and highlights the user.
<br>
<br>

Follow Kelly on Twitter as <a href='https://twitter.com/swagitda_'>@swagitda_</a> or on LinkedIn at <a href='https://www.linkedin.com/in/kellyshortridge/'>Kelly Shortridge</a>
<br>
<br>

Learn more about <a href='https://linkedin.com/in/allanalford'>Allan</a> and the Cyber Ranch Podcast at <a href='https://hackervalley.com/cyberranch'>Hacker Valley Studio</a>
<br>
<br>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/ux4tgv/the-cyber-ranch-podcast_67add061-1022-4f67-95bf-ee1906e939fe.mp3" length="24100226" type="audio/mpeg"/>
        <itunes:summary><![CDATA[

Behavioral Economics has altered our perceptions of what actually motivates human beings.  How do these theories about our more primitive behaviors as well as our intellectual biases apply to information security?  Allan Alford & Kelly Shortridge discuss in the context of infosec programs and events in a whirlwind of conversation. Sponsored by our friends at AttackIQ

Podcast: The Cyber Ranch Podcast
Episode 2: Behavioral Economics and InfoSec with Kelly Shortridge

On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Kelly Shortridge, VP of Product Management at Capsule8. Their conversation begins with Kelly introducing herself and her work. She works in product for a security vendor, and she has done research into applying behavioral economics to security. Kelly says she grew up with a love of computers, but was mostly on the building-gaming-rigs side of things. Her career in information security began in the investment banking industry, which led her to fall in love with security.

Next, Allan asks Kelly about her work in behavioral economics. Economics is the study of choice; behavioral economics looks at the way humans actually behave by conducting experiments and observing natural occurrences. Humans don’t always behave in the rational, textbook way, but Kelly explains that their choices are often rational once you factor in competing priorities. In information security, this shows up when people find themselves reacting to the threats that get the most attention rather than those proven to be the most pressing. Information security is also affected by hindsight and outcome biases. Kelly explains how our brains try to trick us into blaming a single factor in a crisis, but that is not how the real world or cyber attacks work.

Now that behavioral economics has clued us in to the biases formed by what Kelly affectionately refers to as our “lizard brains,” Allan wonders if we should be optimistic about how we may think about and prevent attacks in the future. Kelly isn’t so sure. She explains that changing some systems to be more compatible with our lizard brain has been effective, but knowing how we think doesn’t help people think differently. In InfoSec, there are opportunities to keep making the secure way the easiest way, and so circumvent the lizard brain. Other industries have been designing systems and workloads around the way people actually behave; Kelly says InfoSec is just behind the curve.

As the episode ends, Allan asks Kelly what keeps her in InfoSec. Kelly says it is spite. There are still inefficiencies, and an industry that pats itself on the back for doing little; that, she says, makes her spiteful. She wants to be an industry member who adds value to organizations and puts the user first.

Follow Kelly on Twitter as @swagitda_ or on LinkedIn at Kelly Shortridge

Learn more about Allan and the Cyber Ranch Podcast at Hacker Valley Studio

Sponsored by our good friends at AttackIQ

]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>1506</itunes:duration>
                <itunes:episode>2</itunes:episode>
                    </item>
    <item>
        <title>1-Minute Introduction</title>
        <itunes:title>1-Minute Introduction</itunes:title>
        <link>https://thecyberranchpodcast.podbean.com/e/1-minute-introduction/</link>
        <comments>https://thecyberranchpodcast.podbean.com/e/1-minute-introduction/#comments</comments>
        <pubDate>Fri, 15 Jan 2021 05:00:00 -0600</pubDate>
        <guid isPermaLink="false">c82a4784-ca2e-4a5e-982d-e7ddc5f9f9ea</guid>
                                    <description><![CDATA[A one minute introduction to the show and its format]]></description>
                                                            <content:encoded><![CDATA[A one minute introduction to the show and its format]]></content:encoded>
                                    
        <enclosure url="https://mcdn.podbean.com/mf/web/5y9q5v/the-cyber-ranch-podcast_c82a4784-ca2e-4a5e-982d-e7ddc5f9f9ea.mp3" length="1604988" type="audio/mpeg"/>
        <itunes:summary><![CDATA[A one minute introduction to the show and its format]]></itunes:summary>
        <itunes:author>Allan Alford</itunes:author>
        <itunes:explicit>false</itunes:explicit>
        <itunes:block>No</itunes:block>
        <itunes:duration>57</itunes:duration>
                <itunes:episode>1</itunes:episode>
        <itunes:image href="https://pbcdn1.podbean.com/imglogo/ep-logo/pbblog11835587/2f614e35ea77dbd8b317a840df9fb5f9.png" />
    </item>
</channel>
</rss>
