August 24, 2022
by Cyber Ranch
Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, resumes his session of AMA, or “ask me anything,” to cover the remaining questions left by curious cybersecurity practitioners on his LinkedIn. Previously, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, Allan continues to walk through every topic under the cybersecurity umbrella and give further insight into what it means to be a CISO.
[00:00] Avoiding FUD (fear, uncertainty, and doubt) in your next cyber risk discussion
[06:10] Facing stressful ransomware situations without proper preparation
[12:11] Hiring hackers as team members & debating the ethics of black hat hackers
[21:20] Addressing cyber risk in an accessible way for your organization's board
[26:41] Understanding the past, present, & future of cybersecurity insurance
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonious comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk through of the platform at Axonius.com/Get-A-Tour
Are you comfortable turning on the light in a dark room so we can see what we’re really dealing with? [from: Karen Andersen]
There’s a perception (and not a wrong one) that the CISO’s role is to turn on the light in a dark room and show a company what their biggest cybersecurity risks truly are. However true this may be, Allan wants to point out that explaining and socializing team members to the risks has to be done without inspiring FUD. FUD, also known as fear, uncertainty, and doubt, creates panic around the risks an organization faces every day and only succeeds in unnecessarily stressing out practitioners without a solution in sight.
“It’s very important not to fall into the trap of FUD: fear, uncertainty, and doubt. There’s a difference between socializing what’s wrong, and scaring people with what’s wrong. If you’re going to bring up the risks, at least bring up the beginnings of a solution.”
How effective do you think it would be to hire an actual hacker as a team member? [from: Jaden Turner]
With open positions, skills gaps, and labor shortages in cyber, the answer to the industry’s problems might either fall into the category of people outside of the industry or people who were once on the “wrong” side of it. Although Allan has worked with black hats in the past, he explains that hiring former black hat hackers is still a morality question for a lot of c-suite executives. Their work is often highly skillful and impactful, Allan explains, but many still question what it means to hire professionals that have moved from black hat to white hat.
“I think the bad guys probably have honed their skills better than the red team or the white hats, but then, you get into the morality questions. Do I want to support somebody who was once on the wrong side? Do I believe in reform and giving people a second chance?”
What’s the most difficult decision that you’ve had to make as a CISO that was not directly security related? [from: Brad Voris]
As Allan has gone through five different positions now as a CISO, he has seen it all on the cybersecurity side and the business side. While the cybersecurity decisions are stressful and high risk, Allan explains that there are very difficult decisions to make from a business point of view. Sometimes, a CISO has to make a choice to do what’s right for the business, even if that means that budget, personnel, or materials will be taken away from their security team.
“As a CISO, treating the business as a separate entity makes no sense to me. You have to be part of the business and actively accept that part of your role. There are business decisions that I've had to make that were right for the business and wrong for the security side, per say.”
How do you help other board members make sense of the cyber threat landscape? Why is addressing cyber risks crucial to any company? [from: Ulrich Baum]
Although reporting to a board is an often essential responsibility of any CISOs role, Allan explains that making sense of the cyber threat landscape relies on you being flexible— not your board. The board of your company requires a certain level of reporting and often responds best to a specific format. Instead of fearing a change, embrace the current board you have and learn what makes them tick. Addressing cyber risks is crucial to any company, and having the board understand you fully ensure success for your security team.
“There’s a board that was there before you were there, and you need to learn their ways and means. You need to learn what their concepts of risk are and you need to tailor your cyber risks to fit into that model.”
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
This week's show is exciting because Allan has been waiting for Andy's book on leadership to come out for quite some time. The book is called “1% Leadership – Master The Small, Daily Improvements That Set Great Leaders Apart”, and it consists of 54 ...
This episode is a bit scary. Adrian Sanabria, who on an earlier show busted many cybersecurity myths, is back again, this time analyzing the impact of Large Language Model Artificial Intelligence on a hypothesized skills gap on the bad guy side. Pre...
This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023. Guests include: Chris Kennedy, CISO @ Citadel Gary Hayslip, CISO @ Softbank Investment Advisers Michael Calderin, CISO @ YAGEO Group Reet Kaur, CISO @ Portland C...
Leadership skills, technical skills, cybersecurity skills, pluck, drive and determination are all on display as Allan interviews Merav Bahat, CEO @ Dazz and Mickey Bresman, CEO @ Semperis. Dazz has completed a Series A investment round. Semperis a S...
What is security chaos engineering? You may remember Kelly Shortridge, our very first guest, who came on the show to talk about behavioral economics and cybersecurity. Well Kelly is back to talk about her new book, "Security Chaos Engineering: Sust...
Bryan Liebert is one smart cookie. Who bakes cybersecurity cakes. But seriously, Bryan has been a CISO, consultant, architect, and has served many other roles in cybersecurity. His specialty is creating simple to digest (we could not help it, sorr...
Adrian Wright, "The Cynical CISO" of LinkedIn fame, joins Allan to discuss four areas where cybersecurity is perhaps getting it wrong: Cybersecurity viewed as a necessary evil, related to The Twilight Zone Ownership, Authority, Accountability: Invent...
Join us for a SPECIAL EDITON! episode of The Cyber Ranch Podcast LIVE! from CISO XC in Dallas-Fort Worth, Texas! The topic is data security: its challenges and how to overcome them. Joining Allan are Cecil Pineda of R1 ("Cecil the CISO") and Gene Moo...
We always think of cybersecurity startups as companies who contribute to the tech stack in an organizational environment - usually the enterprise. We also think of personal cybersecurity in terms of protecting Grandma or our kids from the bad guys. ...
Emily Heath is a well-known and well-respected figure in cybersecurity. She has been a CISO three times in a variety of industries, including software and a major airline. She has been in law enforcement, is a partner at a VC firm, and serves on bo...