August 17, 2022
by Cyber Ranch
Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, changes things up this week with a session of AMA, or “ask me anything”. Instead of hosting a guest, Allan takes center stage. On LinkedIn, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, he walks through every topic under the cybersecurity umbrella and gives further insight into what it means to be a CISO.
[00:00] Seeing the best of the job in the often thankless role of CISO
[06:04] Building teams through learning strengths vs the negative perception of employee poaching
[09:50] Starting out in IT & transitioning to CISO through consistent skill-building
[15:18] Learning from past CISO mistakes & embracing business first, risk second, cyber third
[27:23] Understanding the industry with a technical CISO point of view & a hacker’s mindset
[38:06] Managing the many highs and lows of becoming a CISO
Axonius gives his customers a comprehensive, always up-to-date asset inventory, helps uncover security gaps, and automates as much of the manual remediation as you want. Give your team's time back by checking out Axonius at axonius.com/platform/cybersecurity-asset-management
What skills and education level helped you land your first CISO position? [from: John Rosario]
Although he’s taken numerous CISO roles since his first position, Allan is quick to admit that he never applied for his first CISO gig. Instead, he was tapped on the shoulder and asked. Beginning his career in IT, Allan found opportunities when the company he was working for seemed to be lacking in the security space. Diving into product security after his roles in IT, Allan found himself asked by a CIO to combine his backgrounds and become a CISO.
“I was always the guy that played with the security stuff back in those days. I had a good product security background, and ultimately, parlayed those into a combined role when I became a CISO.”
Talking to your younger self: What’s the most important thing you would do differently after the knowledge you have from five gigs? [from: Ori Stein]
Compromise is king, even in the C suite, but Allan didn’t understand this as an early-stage CISO. Instead, Allan feels regret in recalling his lack of willingness to see other business concerns beyond security. He feels as if a successful, impactful CISO needs to not only prioritize security as their mission, but also needs to see the bigger picture of why a budget line or resource has to be used for something other than security at certain points in time.
“I think that was probably my single biggest failing as an early CISO: taking the security mission to be the penultimate mission of the company and refusing to acknowledge there were other business pressures and needs, where perhaps security had to take a backseat.”
What keeps you going in the field beyond passion for security, amidst the talent shortage, lack of cultural understanding, internal corporate budget challenges, and high stress? [from: Stephan Timler]
Cybersecurity is already a high-stakes, high-stress industry. However, pressures from staffing shortages, skills gaps, and budgeting challenges (all of which got worse during the pandemic) create an environment that burns out employees, including CISOs. For Allan, keeping himself going relies on a combination of his calling to help others, his love for the industry, and his own hacker-mindset curiosity to find out not only how something works, but also how to make it work in his favor.
“Number one, for me, is that it truly is a noble calling. I don't think we should ever lose sight of that. We are the good guys doing the right thing for the right players and the right people. It's a noble calling.”
What's the best and worst thing about being a CISO? [from: Ofer Shaked]
There’s a great deal of ups and downs that come from being a CISO, but thankfully, a major positive has been being able to answer the noble calling to help organizations become more secure. When a CISO can look back and see how well an organization has done because of them, Allan describes this feeling as invaluable. On the unfortunate flipside, being a CISO for an organization that doesn’t understand the role and only wants someone to check boxes can be extremely disheartening. Allan warns that he’s yet to meet a CISO that hasn’t encountered that at some point in their career.
“When you can look back on your body of work, and see that it had a meaningful impact; you can look at this organization and know this place is more secure than it was when you walked in the door…that’s probably the best feeling [for a CISO].”
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
This week's show is exciting because Allan has been waiting for Andy's book on leadership to come out for quite some time. The book is called “1% Leadership – Master The Small, Daily Improvements That Set Great Leaders Apart”, and it consists of 54 ...
This episode is a bit scary. Adrian Sanabria, who on an earlier show busted many cybersecurity myths, is back again, this time analyzing the impact of Large Language Model Artificial Intelligence on a hypothesized skills gap on the bad guy side. Pre...
This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023. Guests include: Chris Kennedy, CISO @ Citadel Gary Hayslip, CISO @ Softbank Investment Advisers Michael Calderin, CISO @ YAGEO Group Reet Kaur, CISO @ Portland C...
Leadership skills, technical skills, cybersecurity skills, pluck, drive and determination are all on display as Allan interviews Merav Bahat, CEO @ Dazz and Mickey Bresman, CEO @ Semperis. Dazz has completed a Series A investment round. Semperis a S...
What is security chaos engineering? You may remember Kelly Shortridge, our very first guest, who came on the show to talk about behavioral economics and cybersecurity. Well Kelly is back to talk about her new book, "Security Chaos Engineering: Sust...
Bryan Liebert is one smart cookie. Who bakes cybersecurity cakes. But seriously, Bryan has been a CISO, consultant, architect, and has served many other roles in cybersecurity. His specialty is creating simple to digest (we could not help it, sorr...
Adrian Wright, "The Cynical CISO" of LinkedIn fame, joins Allan to discuss four areas where cybersecurity is perhaps getting it wrong: Cybersecurity viewed as a necessary evil, related to The Twilight Zone Ownership, Authority, Accountability: Invent...
Join us for a SPECIAL EDITON! episode of The Cyber Ranch Podcast LIVE! from CISO XC in Dallas-Fort Worth, Texas! The topic is data security: its challenges and how to overcome them. Joining Allan are Cecil Pineda of R1 ("Cecil the CISO") and Gene Moo...
We always think of cybersecurity startups as companies who contribute to the tech stack in an organizational environment - usually the enterprise. We also think of personal cybersecurity in terms of protecting Grandma or our kids from the bad guys. ...
Emily Heath is a well-known and well-respected figure in cybersecurity. She has been a CISO three times in a variety of industries, including software and a major airline. She has been in law enforcement, is a partner at a VC firm, and serves on bo...