August 24, 2022
by Cyber Ranch
Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, resumes his session of AMA, or “ask me anything,” to cover the remaining questions left by curious cybersecurity practitioners on his LinkedIn. Previously, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, Allan continues to walk through every topic under the cybersecurity umbrella and give further insight into what it means to be a CISO.
[00:00] Avoiding FUD (fear, uncertainty, and doubt) in your next cyber risk discussion
[06:10] Facing stressful ransomware situations without proper preparation
[12:11] Hiring hackers as team members & debating the ethics of black hat hackers
[21:20] Addressing cyber risk in an accessible way for your organization's board
[26:41] Understanding the past, present, & future of cybersecurity insurance
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonious comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
Are you comfortable turning on the light in a dark room so we can see what we’re really dealing with? [from: Karen Andersen]
There’s a perception (and not a wrong one) that the CISO’s role is to turn on the light in a dark room and show a company what their biggest cybersecurity risks truly are. However true this may be, Allan wants to point out that explaining and socializing team members to the risks has to be done without inspiring FUD. FUD, also known as fear, uncertainty, and doubt, creates panic around the risks an organization faces every day and only succeeds in unnecessarily stressing out practitioners without a solution in sight.
“It’s very important not to fall into the trap of FUD: fear, uncertainty, and doubt. There’s a difference between socializing what’s wrong, and scaring people with what’s wrong. If you’re going to bring up the risks, at least bring up the beginnings of a solution.”
How effective do you think it would be to hire an actual hacker as a team member? [from: Jaden Turner]
With open positions, skills gaps, and labor shortages in cyber, the answer to the industry’s problems might either fall into the category of people outside of the industry or people who were once on the “wrong” side of it. Although Allan has worked with black hats in the past, he explains that hiring former black hat hackers is still a morality question for a lot of c-suite executives. Their work is often highly skillful and impactful, Allan explains, but many still question what it means to hire professionals that have moved from black hat to white hat.
“I think the bad guys probably have honed their skills better than the red team or the white hats, but then, you get into the morality questions. Do I want to support somebody who was once on the wrong side? Do I believe in reform and giving people a second chance?”
What’s the most difficult decision that you’ve had to make as a CISO that was not directly security related? [from: Brad Voris]
As Allan has gone through five different positions now as a CISO, he has seen it all on the cybersecurity side and the business side. While the cybersecurity decisions are stressful and high risk, Allan explains that there are very difficult decisions to make from a business point of view. Sometimes, a CISO has to make a choice to do what’s right for the business, even if that means that budget, personnel, or materials will be taken away from their security team.
“As a CISO, treating the business as a separate entity makes no sense to me. You have to be part of the business and actively accept that part of your role. There are business decisions that I've had to make that were right for the business and wrong for the security side, per say.”
How do you help other board members make sense of the cyber threat landscape? Why is addressing cyber risks crucial to any company? [from: Ulrich Baum]
Although reporting to a board is an often essential responsibility of any CISOs role, Allan explains that making sense of the cyber threat landscape relies on you being flexible— not your board. The board of your company requires a certain level of reporting and often responds best to a specific format. Instead of fearing a change, embrace the current board you have and learn what makes them tick. Addressing cyber risks is crucial to any company, and having the board understand you fully ensure success for your security team.
“There’s a board that was there before you were there, and you need to learn their ways and means. You need to learn what their concepts of risk are and you need to tailor your cyber risks to fit into that model.”
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Joining Allan today are two folks who are passionate about leadership – not just practicing good leadership, but instilling good leadership in future generations. Joey Rachid is CISO in the ecommerce and financial services industry, is on advisory b...
This week Allan is joined by Nipun Gupta, and industry veteran who has been a consultant, practitioner, vendor, advisor and investor. The topic is "What are we really protecting in cyber?" and the nuances of that question are explored in depth - as w...
This week, Allan is joined by Peter Schawacker, CEO @ Nearshore Cyber, former CISO, advisor to MSPs, etc. Another one of Allan's illustrious guests with 25 years in cyber. (https://www.linkedin.com/in/schawacker/). The topic started as all that th...
This episode is jam-packed with wisdom that is delivered at a rapid pace. Some folks will find themselves rewinding and taking notes. Luis Valenzuela, Director of Data Loss Prevention and Data Governance at InComm Payments, joins Allan Alford to ta...
To celebrate the 100th episode, Allan decided to let the audience participate in the show. 21 people called in and answered a wide variety of questions about cybersecurity. It is a fantastic show and it is very fun to hear all the different perspec...
This is another "'E' for explicit" show as this one is another LIVE! show from the CISO XC conference in Dallas-Fort Worth. Why the 'E'? Because halfway through Allan Alford's conversation with Andy Ellis (CISO at Orca, Operating Partner at YL Ventu...
In this episode, Allan Alford plays Devil's advocate - challenging the practitioner community to refute the idea that we should quit trying to make the organization care and simply make suggestions and accept the organization's level of risk toleranc...
Scott Schindler, veteran CISO, vCISO, and adjunct professor joins Allan at the ranch to talk about how to build, strengthen, participate in, contribute to and benefit from a cybersecurity community. Allan chose Scott for this show because of his incr...
Dan Holden, a 20+ year industry veteran, former vendor, and current CISO at Big Commerce joins Allan Alford at the ranch to talk about the BIG picture. Join them on this wild trail ride that goes as far back as the Monroe Doctrine of 1823, the pre-c...
This week Allan Alford is joined by Duane Gran, Director of Information Security at Converge Technology Solutions to discuss three different aspects of the CISO craft -- and to offer practical, concrete guidance on how to achieve the right outcomes: ...