In this episode Allan interviews his friend Sameer Sait, former CISO at Amazon, Forcepoint and Arrow Electronics, who joins Allan for a discussion about WHY we measure risk.



It is about more than just asking for money. (And who are you actually asking money from? Hint: It is not the Board).



How does risk measurement change in the beginning of the CISO’s journey vs. later when the program is more mature?



What is the goal of good risk metrics? What is the role of cyber insurance in all this? What about business traction and cooperation with other department’s goals and objectives?



And finally, how does measuring risk affect disposition or risk?



Key Takeaways:



01:20 Sammer's bio


02:30 Asking for money - it's not from the Board


05:58 Measuring risk: inside-out vs. outside-in


11:20 Approaching management with an objective, not a story


12:38 Working with your team, as a team


14:12 The effects of measuring risk


18:36Analyzing the priorities and their consequences


24:36 Good governance vs. good management


26:22 Transference, remediation, and acceptance


30:57 What surprise Sameer in cybersecurity?



Links:



Learn more about Sameer on <a href='https://www.linkedin.com/in/sameersait/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

In this episode Allan interviews his friend Sameer Sait, former CISO at Amazon, Forcepoint and Arrow Electronics, who joins Allan for a discussion about WHY we measure risk.

It is about more than just asking for money.  (And who are you actually asking ...

WHY We Measure Risk w/ Sameer Sait

Apple

Google

Spotify

Amazon

Ride the cyber trails with one CISO (Allan Alford) and a diverse group of friends and experts who bring a human perspective to cybersecurity.

This week, Allan is joined by Frederick Lee aka “Flee”, Chief Security Officer and Head of IT at Gusto, Jeff Man, host of Security & Compliance Weekly, and notorious infosec curmudgeon, and by Kat Valentine, Security and Compliance Weekly co-host.  A few weeks ago Allan appeared on their show to discuss “GRC: ‘What?’ and ‘So What?’.  In that episode, found <a href='https://securityweekly.com/shows/governance-risk-compliance-so-what-part-1-allan-alford-scw-94/'>here</a>, they take a deep dive into GRC in terms of understanding is purpose and value.

In this crossover episode, the group continues the conversation to talk about “GRC: ‘Now what?’ (The cultural impact and implementation, risk register, achieving actionable results and much more).

Join Allan and the Security & Compliance Weekly team as they dive into overcoming cultural barriers, a continued conversation on the order of priority (“RGC” vs. “GRC”, for example), and enlisting allies in the business.

Key Takeaways:

2:20                        Implementing GRC culturally – Flee's take

4:13                        Jeff’s take

6:16                        Kat’s take

10:43                     The CISO – Turning compliance data into actionable results – Jeff’s take as an assessor

13:56                     Kat’s take as an assessor

15:41                     Flee’s take as a CISO

21:13                     Understanding perspectives from all parties

28:10                     Sharing problems upstream/Audits vs. Assessments

34:48                     Flee’s take on “governance vs. doctrine”

37:43                     Risk register – training for self sufficiency

42:40                     Get in touch!

Links:

Check out <a href='https://securityweekly.com/category-shows/security-and-compliance-weekly/'>Security and Compliance Weekly</a>!

Follow Flee on <a href='https://www.linkedin.com/in/fredrickdlee/'>LinkedIn</a> and <a href='https://twitter.com/fredrickl'>Twitter</a>

Follow Jeff Man on <a href='https://www.linkedin.com/in/jeffreyeman/'>LinkedIn</a> and <a href='https://twitter.com/mrjeffman'>Twitter</a>

Follow Kat Valentine on <a href='https://www.linkedin.com/in/kjvalentine/'>LinkedIn</a>

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/allanalfordintx'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

thecyberranchpodcast.podbean.com/2b2a7234-4f6c-39c2-8220-d93454bd4256

This week, Allan is joined by Frederick Lee aka “Flee”, Chief Security Officer and Head of IT at Gusto, Jeff Man, host of Security & Compliance Weekly, and notorious infosec curmudgeon, and by Kat Valentine, Security and Compliance Weekly co-host.  A few...

GRC: ”Now What?” w/ Security & Compliance Weekly

CISOs complain on social media about bad marketing – when they are targeted inappropriately, or with messages that don’t resonate, or with messages that outright lie. This week Allan Alford decides to hear from the other side, and invites his two favorite CMOs to the show. Julie O’Brien, CMO at AttackIQ, and Nathan Burke, CMO at Axonious, sit down with Allan to send a message to cyber security professionals about the vital role marketing plays in the industry, what is good marketing and bad marking, and how marketing affects all of our careers more than we know. Hear different perspective on topics like buzzwords, cold calls, and the difference between good and bad marketing practices. Backed up with proven experience, this episode is packed with useful info for all cyber practitioners and aspiring practitioners.

 

 Key Takeaways:

02:00 Julie Bio

03:13 Nathan Bio        

04:00 Standing out as a marketer

10:15 Emphasizing what you don’t do as a company, rather than what you do

15:56 A message to CISO’s - Julie

23:00 Nathan’s message to CISO’s

25:55 Allan touches on why innovation occurs on the vendor side

27:45 Buzzwords

33:50 What surprises Nathan and Julie in cyber security?

Links:

Learn more about Nathan on <a href='https://www.linkedin.com/in/nathanwburke/'>LinkedIn</a> and <a href='https://twitter.com/nathanwburke'>Twitter</a>

Check out Julie on <a href='https://www.linkedin.com/in/obrienjuliea/'>LinkedIn</a> and <a href='https://twitter.com/julieaobrien'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

thecyberranchpodcast.podbean.com/63902291-53bf-3154-a2a3-335fdcd9e867

CISOs complain on social media about bad marketing – when they are targeted inappropriately, or with messages that don’t resonate, or with messages that outright lie. This week Allan Alford decides to hear from the other side, and invites his two favorit...

The CMO‘s Perspective w/ Nathan Burke and Julie O‘Brien

Brian Castagna (CISO at Seven Bridges - a genomics company) is a CISO with a proven track record of successfully building information security programs at cloud technology companies. He is on a mission to humanize the new work environment - our own home. Join Allan and Brian as they touch on transitioning from an office environment, both mentally and physically, hiring remotely, work/life balance and much more.

 

Key Takeaways:

01:33 Bio

02:22 Remote work

03:00 Hiring a remote workforce

10:50 What’s the human side of working from home?

17:38 Transitioning from work to home

19:54 Mental transitioning

21:00 Collaboration & strategy

24:30 Layering the human back in

27:19 What surprises you in cyber?

 

Learn more about Brian on <a href='https://www.linkedin.com/in/brian-castagna-1890544/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

thecyberranchpodcast.podbean.com/05aed4d2-d8e6-3400-92b9-5c8f3c32b1c3

Brian Castagna (CISO at Seven Bridges - a genomics company) is a CISO with a proven track record of successfully building information security programs at cloud technology companies. He is on a mission to humanize the new work environment - our own home....

Practical Working (And Hiring!) from Home w/ Brian Castagna

This week, Allan is joined by some serious heavy hitters in cyber. Richard Struse (Director for the Center for Threat-Informed Defense at MITRE Engenuity), Jonathan Baker (Director of Research & Development, Center for Threat-Informed Defense at MITRE Enginuity), and Jonathan Reiber (Sr. Director for Cybersecurity Strategy and Policy @ AttackIQ). The four are here to have a conversation about CISA's new BOD that outlines 290 key vulnerabilities that require focus, the coincidental mapping of the CVE database to MITRE ATT&ACK, and the implications for all of us.  Of special note is the fact that ATT&CK is already mapped to NIST SP 800-53, meaning that we now have an opportunity to move bi-directionally from a threat-informed defense or to start with a framework and back into vulnerabilities. The implications for our industry are huge.

They also discuss briefly an overview of the bi-partisan work in both the Executive and Legislative branches to further cybersecurity interests and the release of CMMC v 2.0. This show is packed.

 

Key Takeaways:

01:58 Backgrounds

04:02 CISA – BOD 22-01, highlighting the key 290 known vulnerabilities

07:45 Helping organizations prioritize vulnerabilities

11:31 Starting with either framework or threats: Which is better?

14:18 Seeing through the politics - What is actually happening behind the scenes?

19:07 Developing the mapping

23:54 Since the invention of CVE

26:14 CMMC v 2.0

29:37 How do we change the game?

31:09 Getting a large organization to agree with vulnerability prioritization

 

Links:

Follow Richard Struse on <a href='https://www.linkedin.com/in/richard-struse/'>LinkedIn</a>

Keep up with Jon Baker on <a href='https://www.linkedin.com/in/jonathanobaker/'>LInkedIn</a>

Follow Jonathan Reiber on <a href='https://www.linkedin.com/in/jonathan-reiber-0141158/'>LinkedIn</a> & his <a href='https://www.jonathanreiber.com/'>website</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/show/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>Attack IQ</a>

thecyberranchpodcast.podbean.com/0b60e28f-c60c-38a0-85e7-3ca959527a1c

This week, Allan is joined by some serious heavy hitters in cyber. Richard Struse (Director for the Center for Threat-Informed Defense at MITRE Engenuity), Jonathan Baker (Director of Research & Development, Center for Threat-Informed Defense at MITRE En...

Threat-Informed Defense, CISA, CVEs and ATT&CK w/ MITRE Engenuity

Mustapha Kebbeh, CISO at Brinks and heavy-hitter in the Dallas/Fort Worth Cyber community, joins Allan again this week as they cover a topic Mustapha noted was absent so far in the series…  Namely, “What is a day in the life of a CISO?” Mustapha and Allan get into details of what they do and don’t do, what their teams do and don’t do, what bits are boring, what bits are surprising, and what bits are the most fun. Join them as they talk about real situations and practical solutions while describing the very best and worst parts of the job.

Key Takeaways:

01:41                     Bio

03:00                     A day in the life of a CISO - examples from the last 3 weeks

07:30                     Being a CISO in a company that knows its risk appetite

11:49                     Product Security

13:53                     The most surprising part about being a CISO

15:33                     The most boring part

22:30                     The most fun part

26:08                     What do you wish you could do as a CISO?

29:42                     Mustapha shares what surprises him the most in cyber security

 

Links:

Learn more about Mustapha on <a href='https://www.linkedin.com/in/mustaphakebbeh/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

thecyberranchpodcast.podbean.com/5330ece5-22c3-309a-b79e-3ea99b9562e9

Mustapha Kebbeh, CISO at Brinks and heavy-hitter in the Dallas/Fort Worth Cyber community, joins Allan again this week as they cover a topic Mustapha noted was absent so far in the series…  Namely, “What is a day in the life of a CISO?” Mustapha and Alla...

A Day in the Life of Two CISOs w/ Mustapha Kebbeh

Omar Khawaja is an experienced CISO with a strong technical background, who managed to find some very creative ways to manage his security program that go against his engineering instincts. Join Allan and Omar as they discuss why trust-based security is the more suitable option to have a fundamentally better security program and team.  Hear why Omar and Allan believe that investing in people will pay far more dividends than the latest tech tool.  And more importantly, gain some very practical and concrete tips for managing and measuring your security program.

 

Key Takeaways:

01:19                     Bio

03:26                     What is wrong with tech-centric security?

06:00                     Using tech tools as nothing more, and using them appropriately

12:22                     Trust, then risk, then control

14:30                     Customer first, always

19:02                     Helping foster a trust-centric culture

28:40                     Culture = mindset = best measurable quality

29:33                     What surprises Omar in cyber security?

32:50                     The “change agent network”

 

Links:

Learn more about Omar on <a href='https://twitter.com/smallersecurity'>Twitter</a> and <a href='https://www.linkedin.com/in/smallersecurity/'>LInkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

thecyberranchpodcast.podbean.com/3bfc38ce-1041-3638-b5d8-9e5c0fbe4ccb

Omar Khawaja is an experienced CISO with a strong technical background, who managed to find some very creative ways to manage his security program that go against his engineering instincts. Join Allan and Omar as they discuss why trust-based security is ...

Practical Trust-Centric Security w/ Omar Khawaja

Allan is joined this week by Emilio Escobar, CISO at Data Dog and former VP of Information Security at Hulu. He is also a long-term developer of Ettercap, a comprehensive suite for man-in-the-middle attacks.

Like many of us, Emilio started his journey in infosec as a hacker kid, exploring the world through modems and BBSs. Emilio is not a security vendor CISO, but is a CISO for a company that is in the supply chain for many other companies. He has to balance internal and external duties as a result.

Come listen as Allan and Emilio discuss the B2B CISO life, the skills required, business alignment, facing customers, and how all of these skills just might define "the modern CISO".

And, yes, they even tackle the age-old question, "How technical should a CISO be?"

 

Key Takeaways:

01:27 Bio

03:10 Security questionnaires and interactions

05:49 Is there a fix to solving vendor risk?

07:17 Utilizing machines for questionnaires

09:33 Leveraging skills

12:50 How technical should a CISO be?

18:01 Understanding other roles in the business

23:48 Balancing internal and external customers

28:17 What surprises you the most in cybersecurity?

 

Links:

Learn more about Emilio on <a href='https://www.linkedin.com/in/emilioesc/'>LinkedIn</a>, and <a href='https://twitter.com/eaescob'>Twitter</a>, and learn about <a href='https://www.ettercap-project.org/'>Ettercap</a>

Follow <a href='https://allanalford.com'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Allan is joined this week by Emilio Escobar, CISO at Data Dog and former VP of Information Security at Hulu. He is also a long-term developer of Ettercap, a comprehensive suite for man-in-the-middle attacks.
Like many of us, Emilio started his journey in...

CISO in the Supply Chain w/ Emilio Escobar

Allan is joined by Sounil Yu, one of cybersecurity's most well-known contributors. Sounil has a long history in cybersecurity, and is also the inventor of The Cyber Defense Matrix and the DIE Triad.

Sounil and Allan discuss cyber resilience and contrast it with "antifragility", a notion introduced by Nassim Nicholas Taleb. Sounil argues that in cybersecurity, antifragility should be the goal, and not resilience.

Antifragility allows for stronger data protection, as it does not just survive stresses and attacks, but actually encourages them. Sounil explains how antifragility also neatly dovetails with his DIE (Distributed, Immutable, Ephermeral) Triad of data protection, which he contrasts with the CIA (Confidentiality, Intregrity, Avaiability) Triad in the context of the "pets vs. cattle" model.

Join Allan as he learns a great deal in a short amount of time from Sounil...

 

Key Takeaways:

01:23 Bio

02:20 Cyber Defense Matrix

03:10 Is cyber resilience the wrong idea?

04:17 Backups do not equal resilience

05:58 What is antifragility?

09:31 The DIE Triad

14:32 Pets vs. Cattle

18:12 Practical implementation?

20:40 Focusing on recovery

24:28 The Barbell Strategy

27:58 What surprises you in cyber security?


Links:

Learn more about Sounil on <a href='https://www.linkedin.com/in/sounil/'>LinkedIn</a>, and <a href='https://twitter.com/sounilyu'>Twitter</a>, and learn about the <a href='https://cyberdefensematrix.com/'>Cyber Defense Matrix</a>

Follow <a href='https://allanalford.com'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Allan is joined by Sounil Yu, one of cybersecurity's most well-known contributors. Sounil has a long history in cybersecurity, and is also the inventor of The Cyber Defense Matrix and the DIE Triad.
Sounil and Allan discuss cyber resilience and contrast ...

Is Resilience Even the Goal? Antifragility w/ Sounil Yu

Allan's guest this week is Erik Bloch. Erik Bloch is a cyber security leader, influencer, and pioneer. He currently sits as Senior Director of Detection and Response at Sprinklr, but has held many rolls in cybersecurity, including being a product manager for SIEM products more than once. 

This last point is relevant, because it makes it even more surprising that Erik is convinced that the SOC's utility has passed... 

Join Allan and Erik as they dive deep into why he thinks SOC is failing, the alternatives, what it takes to make an impactful change in incident response, and who to aim it towards. 

This conversation began when Allan read Erik's article on LinkedIn, “RIP SOC. Hello D-IR". 

Key Takeaways: 

01:16 Bio 
02:18 Erik’s article: why is SOC failing? 
05:01 What is the alternative? 
07:29 Implementing fundamentals where it counts 
10:15 Cloud Integration 
17:45 Cloud agnostic tooling solution 
23:27 The inevitability of a one-stop solution 
27:20 Targeting the right audience 
28:17 What surprises Erik in cyber security? 
30:24 Letting go is not easy 

Links: 

Learn more about Erik on <a href='https://www.linkedin.com/in/erikbloch/'>LinkedIn</a>, and <a href='https://twitter.com/ejbloch'>Twitter</a>, and read his <a href='https://www.linkedin.com/pulse/rip-soc-hello-d-ir-erik-bloch/'>LinkedIn article</a>
Follow <a href='https://allanalford.com'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>
Learn more about <a href='https://hackervalley.com'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>
Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Allan's guest this week is Erik Bloch. Erik Bloch is a cyber security leader, influencer, and pioneer. He currently sits as Senior Director of Detection and Response at Sprinklr, but has held many rolls in cybersecurity, including being a product manager...

Is the SOC Dead? w/ Erik Bloch

Allan's guest is Samara Williams, Manager of Threat Operations at Cardinal Health, speaker, advocate and passionate member of the threat intelligence community.



Samara broke into cyber via a rotational program, sampling many cyber jobs at many cyber companies in a short order - a fantastic start in cyber that turbocharged her maturity and experience. She quickly developed a passion for threat intelligence, and has worked in that space ever since.



Join Samara and Allan for a deep dive into threat intel, its pros and cons, its value, and its potential...



Key Takeaways:



01:28 Bio


02:56 The love/hate relationship with threat intel: yay or nay?


06:07 The steps to threat intel – breaking it dow


15:14 How threat intel can help bridge tactical & operational Practices


19:57 Having a successful SOC program


22:18 Managing the unknown and practicing the fundamentals


26:17 Making a case for prioritizing threat intel


27:55 What surprises Samara in cyber security?



Links:



Learn more about Samara on <a href='https://www.linkedin.com/in/samara-r-williams-%F0%9F%94%B8%EF%B8%8F-9aa24247/'>LinkedIn</a>, and check out her <a href='https://www.ted.com/talks/samara_williams_k33p_y0ur_hit_s_fe'>TedX talk</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Allan's guest is Samara Williams, Manager of Threat Operations at Cardinal Health, speaker, advocate and passionate member of the threat intelligence community.

Samara broke into cyber via a rotational program, sampling many cyber jobs at many cyber com...

The Value of Threat Intelligence w/ Samara Williams

This week, Allan is joined by Bryan Hurd. Bryan is a multi-talented cyber security professional who has founded and operated programs dating back to the early nineties. Currently Chief of Office for Stroz Friedberg (AON Cyber), he started his career in NCIS, founding the Navy’s first ever cyber counterintelligence program in 1993.



Join Bryan and Allan for a masterclass on ransomware, incident response, and preparedness. Having both consulted on ransomware situations many times, they offer a wealth of practical tips, do’s, don’ts, and gotchas. You can also hear their perspectives on the roles and processes in taking appropriate action when crisis hits.



This is a longer than usual episode, but that is because it is filled with practical advice based on a great deal of experience.



Key Takeaways:



01:20Bio


02:58Is ransomware still the #1 threat to an organization?


07:30Having your incident response team ready and prepared


12:16The roles, processes, and fundamentals of incident response


22:57Modern ransomware extortion components


25:01Encryption & decryption – dealing both strategically


27:10Using software provided by attackers


30:18Response as an executive – being transparent


35:02Public communications


38:41What surprises Bryan in cyber security?



Links:



Learn more about Bryan on <a href='https://www.linkedin.com/in/bryanhurd/'>LinkedIn</a> and on <a href='https://twitter.com/bryan_e_hurd'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

This week, Allan is joined by Bryan Hurd. Bryan is a multi-talented cyber security professional who has founded and operated programs dating back to the early nineties. Currently Chief of Office for Stroz Friedberg (AON Cyber), he started his career in N...

Practical Realities of Ransomware Management w/ Bryan Hurd

Host Allan Alford interviews his friend Helen Patton, advisory CISO at Cisco, and former CISO at Ohio State University. Helen and Allan discuss the career path of the CISO – specifically what comes after the CISO role has been fulfilled - and how there is not a clear path defined for the post-CISO career.



Allan and Helen discuss several models for post-CISO life that they themselves have explored, and that other CISO friends have as well, such as: shifting back and forth from CISO to vendor, shifting back and forth between CISO and advisory CISO roles at VC’s and other entities, becoming CIOs or CTOs, etc.



Helen explains how there is no clearly defined path for a post-CISO life, how no mentors are available to aid with that transition, but also how CISOs can decide to simply change their roles as a CISO. She explains a little bit more about her advisory CISO life and the internal and emotional differences between it and a conventional practitioner CISO role.



Key Takeaways:



0:26 – Intro


1:12 – Helen briefly explains about her background in cyber and about her day job.


2:55 – Helen explains what is the post-CISO life?


5:54 – What are Helen’s thoughts on the different roles of CISOS?


9:21 – How many people are changing from CISO to a consultancy role?


11:04 – Has Helen seen anyone making such transitions and being successful over time?


12:48 – Hypothetically what would happen if there was a major technology shift, but a CISO wasn’t there to supervise it due to being in a non-practitioner role at the time. Would she be missing out on it on critical CISO skills?


15:12 – Helen explains a little bit more about her advisory CISO life.


18:07 – What happens when Helen gets approached by startups who want feedback? Does she see them as competition? Are they up for having conversations with her?


20:47 – Can a CISO become a CEO?


22:37 – Who should the CISO be reporting to and why?


25:34 – What other post-CISO activities are there for CISOS that may not be a fulltime role, such as boards, teaching, writing, speaking?


28:32 – What surprises Helen the most in cyber security?



Links:



Learn more about <a href='https://www.cisohelen.com/'>Helen</a> on <a href='https://www.linkedin.com/in/helenpatton/'>LinkedIn</a> and <a href='https://twitter.com/cisohelen'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Host Allan Alford interviews his friend Helen Patton, advisory CISO at Cisco, and former CISO at Ohio State University. Helen and Allan discuss the career path of the CISO – specifically what comes after the CISO role has been fulfilled - and how there i...

What Comes After the CISO Role? w/ Helen Patton

Allan is joined by George Finney, CSO at Southern Methodist University and author of the book Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. 


George’s mission is clear: unite the cybersecurity community through proven strategy, and help preserve and leverage the humanity within cybersecurity. 


He believes that the community as a whole under-plays the human role, and he and Allan discuss potential changes to the way we view security awareness training and the role of users in general. 


Key Takeaways: 


00:18 Intro/Bio 

01:25 George’s story 

04:27 Humans are not the weakest link in cybersecurity 

07:17 How habits affect security awareness 

08:30 The 9 habits and forming your cybersecurity personality 

14:05 How secret keepers build a community 

17:30 Potential improvements to security awareness training 

22:22 The origin of the nine habits 

26:50 What surprises George about cybersecurity still? 


Links: 


Learn more about George on <a href='https://www.linkedin.com/in/georgefinney/'>LinkedIn</a> and on <a href='https://twitter.com/WellAwareSecure'>Twitter</a> and <a href='https://www.amazon.com/Well-Aware-Master-Cybersecurity-Protect/dp/1626347352'>buy his book!</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Allan is joined by George Finney, CSO at Southern Methodist University and author of the book Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. 


George’s mission is clear: unite the cybersecurity community through proven strategy, and help preserve and leverage the humanity within cybersecurity. 


He believes that the community as a whole under-plays the human role, and he and Allan discuss potential changes to the way we view security awareness training and the role of users in general. 


Key Takeaways: 


00:18 Intro/Bio 

01:25 George’s story 

04:27 Humans are not the weakest link in cybersecurity 

07:17 How habits affect security awareness 

08:30 The 9 habits and forming your cybersecurity personality 

14:05 How secret keepers build a community 

17:30 Potential improvements to security awareness training 

22:22 The origin of the nine habits 

26:50 What surprises George about cybersecurity still? 


Links: 


Learn more about George on <a href='https://www.linkedin.com/in/georgefinney/'>LinkedIn</a> and on <a href='https://twitter.com/WellAwareSecure'>Twitter</a> and <a href='https://www.amazon.com/Well-Aware-Master-Cybersecurity-Protect/dp/1626347352'>buy his book!</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Allan is joined by George Finney, CSO at Southern Methodist University and author of the book Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. 
George’s mission is clear: unite the cybersecurity community through proven strategy, ...

Humans Are Not the Weakest Link in Cybersecurity w/ George Finney

Host Allan Alford interviews Benjamin Corll, VP of Cybersecurity and Privacy at Coats, about security orchestration, automation, and response (SOAR).



Bejamin and Allan critique SOAR's promises and premises, what else it could be doing, its pricing and overhead, and lack of standards as well.



But it is not all negative - Benjamin does share stories as well of SOAR's successes in his shop, and of the things it does do well...



Come on down the ranch and give this show a listen!



Key Takeaways:



0:09 – Intro


0:55 – Benjamin's background and day job


3:46 – The premise and the promises of SOAR


6:32 – What else could be automated?


9:25 – Benjamin explains about the trouble ticket system and the change management system


11:57 – The standards for SOAR today


17:19 – How do we improve the cyber posture of all our organizations, making them more secure?


19:34 – Has SOAR managed to stay affordable for those who need it?


22:54 – What SOAR does well, the benefits and the value


26:35 – What has surprised Benjamin the most in information security



Links:



Learn more about Benjamin Corll on <a href='https://www.linkedin.com/in/benjamincorll/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Host Allan Alford interviews Benjamin Corll, VP of Cybersecurity and Privacy at Coats, about security orchestration, automation, and response (SOAR).

Bejamin and Allan critique SOAR's promises and premises, what else it could be doing, its pricing and o...

Does SOAR Meet Its Promises? w/ Benjamin Corll

Host Allan Alford interviews guest James Azar, host of the CyberHub CISO Talk Podcast, and CISO in the financial services space. James and Allan discuss the techniques and approaches of the modern CISO, and contrast this with some of the older approaches of the job. James defines the cultural shift between the old and new as having taken place since September, 2017 (the Equifax breach).



James and Allan discuss the impact on the team, business, clients, customers, and shares their thoughts and experience on how to stay modern. “What keeps you going in cybersecurity?” as the signature final question for each guest has been replaced with “What surprises you the most in cybersecurity?” James is the first guest to answer that question, and his answer is a bit of surprise itself…



Key Takeaways:



0:16 – Intro


1:04 – Bio


2:00 – The modern CISO contrasted with the older CISO


4:46 – What does the modern CISO mean to the team, business, clients and customers?


7:10 – How to interact with the business: building relationships, teams, meetings…


11:18 – How James Azar puts forward a message of security for the company


11:52 – Security Questionnaires and what is wrong with them


12:20 – Picking on SOC 2


12:39 – Operationalizing security within a client customer relationship


14:11 – Shared responsibility model (cloud) and CMMC replacing SOC 2 and SIG and other older standards: 5 or 6 questions


17:50 – How the word “no” keeps the business and team from moving forward


18:06 – CISO choosing business over security and ignoring the subsequent notions of career risk


19:40 – Automation on the technology front and how it changes the modern CISO’s perspective


20:30 - COVID-mandated lockdown and the implications for workers in countries around the world


23:19 - Automating all entry-level positions and bringing entry-level people up


25:45 – What surprises James Azar the most about cyber security



Links:



Learn more about James Azar on <a href='https://www.linkedin.com/in/james-j-azar/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Host Allan Alford interviews guest James Azar, host of the CyberHub CISO Talk Podcast, and CISO in the financial services space. James and Allan discuss the techniques and approaches of the modern CISO, and contrast this with some of the older approaches...

The Modern CISO w/ James Azar

In this, the very first LIVE episode, Allan Alford interviews guests Derly Gutierrez, Head of Information Security at 1010Data, Patrick Benoit, BISO at CBRE, and Mustapha Kebbeh, CISO at Brinks, as they discuss the use of security frameworks in general and over time.



Regarding framework compliance, do we choose one or do we choose many? Do we embrace them fully or partially? What changes our approach to frameworks over time?



Security strategies are explained throughout the episode, along with the notions of business adaptation and adoption, regulation and other requirements, and "minimum viable security" approaches that don't require frameworks at all.



Key Takeaways:



0:43 – Intro


1:53 – Question to Mustapha: pick and choose from a framework or embrace a framework all in one go?


2:47 – Patrick discusses his own approach to Mustapha’s statement


3:26 – The evolution of CFS adoption briefly discussed and the importance of protection


6:59 – Discussion of a possible "least viable security" approach that doesn’t depend on the frameworks at all


9:50 – Maturity models


13:32 – Security strategies


19:56 – The guests answer: What were the toughest challenges working with a framework?


21:56 – The guests share their best success story with frameworks


23:51 – The guests share their journey on business integration


27:56 – The influence of regulation and other requirements



Links:



Learn more about Derly on <a href='https://www.linkedin.com/in/derlyg/'>LinkedIn</a> and <a href='https://twitter.com/DerlyG_CloudSEC'>Twitter</a>

Learn more about Mustapha on <a href='https://www.linkedin.com/in/mustaphakebbeh/'>LinkedIn</a>

Learn more about Patrick on <a href='https://www.linkedin.com/in/patricklbenoit/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

In this, the very first LIVE episode, Allan Alford interviews guests Derly Gutierrez, Head of Information Security at 1010Data, Patrick Benoit, BISO at CBRE, and Mustapha Kebbeh, CISO at Brinks, as they discuss the use of security frameworks in general a...

Frameworks Over Time w/ Derly Gutierrez, Mustapha Kebbeh and Patrick Benoit

On this episode, Allan invites Marilise de Villiers, Founder and CEO at ROAR! Coaching & Consulting, to come on down to the ranch and discuss how to deal with toxic situations, how to overcome obstacles in the workplace, how to avoid burnout, and how to spot our own negative behaviors that interfere with our success.



Marilise and Allan cover toxic workplaces and bosses, share personal stories, and discuss the internal mechanisms which allow external toxicity to harm us, as well as the internal behaviors to prevent that.



They discuss obstacles, and how big obstacles should be embraced. They also talk about "exercising the resilience muscle".



This is a fantastic show with some open and vulnerable moments, as well as with some very practical advice for avoiding burnout and dealing with problems most of us have faced or will face in our information security careers.



Key Takeaways:



1:11 How Marilise got into information security


2:29 About her coaching and consulting practice for information security professionals


3:53 Avoiding CISO burnout despite our intrinsic challenges


5:08 External forces but also our own self-defeating behaviors


7:01 Clarity on who you are and why you are here


9:31 "I am" is the first negative step towards internalizing toxicity around us (neuro plasticity)


11:03 Allan's former toxic boss who "showed him a carnival house mirror" and led to negative internalization


12:21 Marilise has a similar story


14:29 Facing futility and hopelessness in information security


15:19 Caring too much vs. business problems as a control and communication problem


18:23 How to perceive our biggest obstacles


19:28 Get professional help to strengthen your resilience muscle


20:17 Shout-out to Chris Cochran of Hacker Valley Studio and his 'find your super powers' coaching (and other trusted coaches)


21:49 Your best life is on the other side of your biggest obstacle


21:59 There is always another obstacle


23:22 Living your best life TODAY


24:15 The value of resilience and embracing big obstacles


24:57 Marilise's reason for being in cybersecurity



Links:



Learn more about Marilise on <a href='https://www.linkedin.com/in/marilise-de-villiers-9184521a/'>LinkedIn</a> and on <a href='https://twitter.com/marilise77'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

On this episode, Allan invites Marilise de Villiers, Founder and CEO at ROAR! Coaching & Consulting, to come on down to the ranch and discuss how to deal with toxic situations, how to overcome obstacles in the workplace, how to avoid burnout, and how to ...

Burnout, Toxicity, and Overcoming Obstacles w/ Marilise de Villiers

In this episode, Allan interviews Greg Rogers, CISO at Legal & General America, about migrating legacy, monolithic, internally facing, manually tested, waterfall applications to Cloud, CI/CD with automation, customer-facing applications, all with modern development languages and environments.



Greg migrated just about everything legacy to just about everything modern across a series of monolithic applications. In this episode he gives tips on the technical aspects of his journey, tools and techniqes for overcoming cultural barriers as well.



Greg outlines what he did in-house, and what he leveraged from out-of-house - from code to services.



Ultimately, Greg was able to pull of this transition piece by piece, and he shares how he was able to do it.



Lastly, Greg closes with what keeps him going in cybersecurity...



Key Takeaways:



1:19 How Greg got into cyber


4:12 An overview of the challenge


6:39 Greg's biggest security challenges with the project, both cultural and techincal


8:06 The value of engagement and relationship building


8:41 Targeted security awareness training


9:10 Make security fit with what they are already doing for their day jobs


9:25 Regulation as a driver for change


11:32 The challenges posed by regulation


12:06 The challenges of remote access


13:50 How to eat the elephant one bite at a time


14:11 VDI to migrate portions to the cloud


15:29 Identity & Access Management, CASB, SASE, etc.


16:53 Leveraging outside help


18:13 Selecting and settling on a good MSSP


20:21 In-house development vs. off-the-shelf and leveraging external developers


22:43 What the CISO provides in this scenario


24:02 Focusing on the 'gray' areas of security over the black and white


25:25 Improving the security culture and CISO relationships


26:49 What keeps Greg going in cybersecurity



Links:



Learn more about Greg on <a href='https://www.linkedin.com/in/gsrogers/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

In this episode, Allan interviews Greg Rogers, CISO at Legal & General America, about migrating legacy, monolithic, internally facing, manually tested, waterfall applications to Cloud, CI/CD with automation, customer-facing applications, all with modern ...

Migrating from Monolithic to Cloud w/ Greg Rogers

In this episode, Allan's friend Dr. Sam Small, CISO of Zero Fox, joins us to chat about credential stuffing, its implications and the defenses against it.



Several statistics are given from a few industry reports on credential stuffing, including the Verizon DBIR and F5's report.



Several techniques to foil credential stuffing are explored, as well as common traps when combatting credential stuffing. OWASP provides some guidance in this area.



The criminal's abilities vis a vis breach sharing and botnet as a service are discussed as well.



Finally, Sam explains what keeps him going in cybersecurity...



Key Takeaways:



1:08 Sam's background and education in cyber


2:41 Sam defines credential stuffing and explains why we should care about it


4:17 The origins of the term 'credential stuffing' vs. its history


4:39 Is ransomware the end goal of every single kind of cyber attack?


5:22 Botnets as a service to drive credential stuffing attacks


6:33 Allan cites statistics from the Verizon Data Breach Incident Report


7:23 The DDoS aspects and related cloud costs of credential stuffing


8:48 Sam's theory about F5 report statistics on credential stuffing being interestingly somewhat contradictory


10:43 Anecdotally anyway, password reuse appears to be a huge problem still


11:51 Comabating credential stuffing and common traps in doing so


13:23 Credential stuffing and data breaches are not the same thing


14:17 Getting credential stuffers shut down by way of their service providers


15:25 Practical tips from OWASP for preventing credential stuffing in your environment


19:10 The difference between a comprehensive defense and not


20:32 Are obscure usernames useful in the fight?


22:06 Proposal for user-centric federation to monitor account usage everywhere


23:06 Obligations of those who suffered a breach of credentials


25:14 Criminals share data on their side


26:09 What keeps Sam going in cybersecurity



Links:



Learn more about Sam on <a href='https://www.linkedin.com/in/samsmallphd/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

In this episode, Allan's friend Dr. Sam Small, CISO of Zero Fox, joins us to chat about credential stuffing, its implications and the defenses against it.

Several statistics are given from a few industry reports on credential stuffing, including the Ver...

Credential Stuffing w/ Dr. Sam Small

On today’s episode with Allan, we talk “Ugly Exits” with Naomi Buckwalter, Director of Information Security. Of course, to start the episode, Naomi answers Allan’s question of how she got started in cyber.



They circle back to the topic at hand, “Ugly Exits”. Under this umbrella are: being fired, laid off, "burning bridges", or being encouraged to leave in a "voluntary" manner. Allan shares statistics for some of these categories, including a substantial statistic on those who have been outright fired.



When it comes to burning bridges, so many people walk away from a company that is behaving in an unethical manner and putting their employees in unethical situations. To Naomi, this is a frightening common thread. It’s scary how many unethical employers are out there.



Naomi shared a personal story of her ugly exit, and the fact that it was deserved to some extent. She has owned that experience, has learned from it, and has grown as a result.



Allan shares his personal “burned bridge” story which continues to follow him through the industry here and there. He feels his reputation is sullied with a certain small segment of the industry, and that it most likely won’t ever change. But he also takes ownership for how he mishandled the situation.



Rounding out the show, Naomi and Allan talk about earning their stripes and realizing it is all about growth, resiliency and grit. In fact, as humans, they feel sometimes we don’t appreciate the bad things that happen to us, so we can appreciate the grown and the improvements we have made throughout our lives. Reflect back and think about all that you have survived in your past. Out that self-awareness comes the opportunity to improve.



A large portion of growth, whether personal or work, comes from self-reflection. One can learn from it, grow from it and figure out how to navigate the situation should it arise again. Could it be that thinking we are the hero of our own stories is hurting us?



Key Takeaways



1:25 Getting into Cyber


3:22 Burning Bridges


8:56 Mismatches


14:18 Reflecting


19:43 Humanity


23:28 The Firing and One’s Value


28:45 What Keeps You Going



Links:



Learn more about Naomi on <a href='https://www.linkedin.com/in/naomi-buckwalter/'>LinkedIn</a> and on <a href='https://twitter.com/ineedmorecyber'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

On today’s episode with Allan, we talk “Ugly Exits” with Naomi Buckwalter, Director of Information Security.  Of course, to start the episode, Naomi answers Allan’s question of how she got started in cyber.

They circle back to the topic at hand, “Ugly E...

”Ugly Exits” w/ Naomi Buckwalter

On today’s episode with Allan, we have Tim Rohrbaugh, CISO at JetBlue, here to talk about Agile methodology and how it can be applied to an entire security program.



Tim got into cyber through the military. From the military he went into consulting and ended up at JetBlue. At JetBlue that he is always trying to find ways to invest dollars in security programs to balance what is going on. Along with that, he strives to keep his team motivated and moving forward.



Agile is a software programming methodology, and it replaced Waterfall. Waterfall was the traditional model of development, where large chunks of code had to flow from developers to QA, back to developers several times, and finally to release.



Agile, on the other hand, works off user-centric stories, which roll up to bigger stories called epics. Stories are small, discrete goals, met with smaller, discrete chunks of code released in what are called 'sprints'. QA is very rapid as well, leading to rapid release. Agile is characterized by daily 'standup meetings' where literally nobody sits in an effort to keep the meetings as short as possible.



In Agile, product owners come up with ideas and thread those through marketing and development. In appplying this paradigm to running a security teamm, Tim replaces product owners with threat intelligence folks.



This unique approach towards managing a security program means that all decisions are threat-informed, and that small incremental wins are a constant.



But Tim does not stop there. Anyone on the team can create and manage a story to address any specific and immediate security need...



Key Takeaways



1:10 Tim’s background and day job


2:08 JetBlue


2:39 Introduction of Agile


3:57 Tim’s approach


6:15 How Agile is used


8:31 Threats addressed


9:46 Story sourcing


11:03 Creating the story


12:48 Narrative skill


14:08 Metrics


15:53 Risk management aspect


19:00 Not using risk


21:38 Positives


23:20 What keeps Tim going in cyber


24:42 What Tim is looking forward to in cyber



Links:



Learn more about Tim on <a href='https://www.linkedin.com/in/timrohrbaugh/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

On today’s episode with Allan, we have Tim Rohrbaugh, CISO at JetBlue, here to talk about Agile methodology and how it can be applied to an entire security program.

Tim got into cyber through the military.  From the military he went into consulting and ...

Agile for Security Programs w/ Tim Rohrbaugh

With us today is Christina Richmond program Vice President at IDC. She's an industry analyst, and she's here to talk to us all about the analyst lifestyle.



Allan starts the episode asking Christina to share all about how she got into cyber and what her day job is like. Christina actually began by working in the storage space, and discovered security. To her it was like a drug. What does she do throughout her days? Partakes in hundreds and hundreds of calls with companies who need help with launches and marketing, specifically in growing areas of cybersecurity. In essence, there is a lot to being an analyst. But to be successful, you have to be curious!



The best way to put Christina’s job in words, is “learning the whole from the parts.” She talks with individual players, studies market trends, and then circles around again to piece it together. One big feedback loop.



On a side note, Christina would like everyone to know she is looking to hire at the director level! If you know anyone, send them her way. There are certain aspects necessary, and they are: First, understanding the technology. Next, either having been an analyst before or being in market research of some kind. Finally, the soft skills or executive presence.



Christina admits she is not a technologist, but she also says there's a benefit to having a non-technologist covering this space. She thinks it's important to know that analysts take all shapes and sizes, and there is a benefit from bringing in somebody who thinks about the market differently.



In one word, she describes the plight of the analyst as “overwhelmed”. There aren’t enough people, and some people just don’t have enough skills. The skills gap is real. One of the top skills that is missing for practitioners is cloud security, and that is true for analysts as well.



The bottom line for Christina is helping; it is her favorite thing to do. When it comes to changing things, Christina wouldn't throw anything out but would have more people doing more of the work. Because really, there is a resource shortage in the analyst realm.



Finally, Allan as the one question he asks of all his guests, “What keeps you going in cyber, why do you hop out of bed in the morning, jump in your shoes and say, all right, another day of cyber.”



Christina responds, “Every day, there's a new breach, every day someone is suffering because a Florida Water system was poisoned or because the oil the gas pipeline has been interrupted, and we're not going to have gas at our gas stations or because you name it. There are so many reasons to get up every morning. And, I think every cyber security person needs a mission. I'm here to help, I'm the one helping make sure the message gets out. And that's really important to me.”



Key Takeaways



1:17 Christina’s background


3:02 An analyst’s day job


6:02 Learning the whole from the parts


7:46 We’re hiring


11:02 Staying informed and in the game


13:05 Non-technologist


14:22 Plight of the analyst


16:38 Favorite part of the job


18:44 What would Christina change


19:35 How to get the best engagement


23:11 Storytime


25:55 What keeps Christina going



Links:



Learn more about Christina on <a href='https://www.linkedin.com/in/christinarichmond/'>LinkedIn</a> and <a href='https://twitter.com/Xtina_Richmond'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today is Christina Richmond program Vice President at IDC. She's an industry analyst, and she's here to talk to us all about the analyst lifestyle.

Allan starts the episode asking Christina to share all about how she got into cyber and what her ...

All About Analysts w/ Christina Richmond

With us today is Derly Gutierrez, Head of Security at 1010 Data, and veteran. Derly is here with us today to talk about the journey to passwordless authentication and the flaws and strenghts of today's authentication methoods.



Allan and Derly refer to studies and surveys about the problems with passwords and the challenges of implementing passwordless approaches.



Derly emphasizes the need for other complementary technologies such as Role-Based Access Control (RBAC), Privileged Access Management (PAM), and system-to-system communications.



The two discuss corporate and personal use of passwordless solutions, talk about legal precedence and the future of passwordless approaches.



Key Takeaways



1:14 How Derly got into cyber


1:58 About Derly's day job as Head of Security


2:34 Allan quotes the 2017 Verizon DBIR on how many breaches involve weak or stolen passwords


3:35 Allan cites NIST 800-63b


4:15 Derly talks about CAC cards in the US DoD


4:50 Derly sides with vendor innovations over NIST guidance


5:56 Allan clarifies the distinction between PINs and passwords


6:52 Derly points out the flaws with biometrics in terms of reliability and assurance


9:09 Allan cites a survey regarding WHY organizations choose passwordless


9:52 How many 'passwordless' solutions still include shared secrets


10:38 Derly talks about corporate vs. personal passwordless solutions and shared secrets as backup for reliability issues


11:37 Derly emphasizes a lack of RBAC and PAM foiling all authentication approaches


13:06 Allan points out the value of Identity and Access Management solutions


13:44 Allan references three vendor approaches towards passwordless for legacy systems such as RADIUS


14:50 Derly takes these methods apart


16:05 Many companies are not doing Role-Based Acces Control, system-to-system communication and Privileged Access Management correctly


17:02 Allan brings up the presence of push attacks


17:38 Allan's definiton of true passwordless authentication


17:56 Derly's definition of true passwordless authentication


21:29 For personal use of biometrics, Allan brings up a disturbing precedent of law enforcement accessing an individual's phone with forced facial recognition


23:17 Derly emphasizes that applications on your phone should have a different authentication factor than access to the phone itself


23:47 "Your home is your castle" has become "Your phone is your castle"


25:06 Allan cites one last survey as to how many of us really are passwordless


26:02 How long before we got to passwordless?


28:06 What keeps Derly going in cyber



Links:



Learn more about Derly on <a href='https://www.linkedin.com/in/derlyg/'>LinkedIn</a> and <a href='https://twitter.com/DerlyG_CloudSEC'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today is Derly Gutierrez, Head of Security at 1010 Data, and veteran.  Derly is here with us today to talk about the journey to passwordless authentication and the flaws and strenghts of today's authentication methoods.

Allan and Derly refer to ...

The Journey to Passwordless Authentication w/ Derly Gutierrez

With us today is Taylor Lehmann, former ciso several times over in the healthcare sector, and currently Americas leader for security, networking, identity, and compliance solution architecture at AWS.



Taylor and Allan talk about application security: why it's important, who are the personas, the value of threat modeling, infrastructure as code, how to get started, and relationships with developers.



Taylor, a Boston boy, starts the show trying to say, "Howdy!" correctly. Taylor started at PWC and grew into a healthcare CISO. He has now transitioned to AWS.



Key Takeaways



1:40 How Taylor got into Cyber


2:58 Taylor’s day job


4:30 Appsec Defined


5:49 Taylor's favorite appsec frameworks


7:48 Why appsec is important


8:55 The personas and roles


11:22 Security training in appsec


12:27 Threat modeling


15:11 Infrastructure as code


20:46 How to get started in appsec


24:12 Devs already know and care about security


25:38 Where does the trope come from that devs don't care?


26:52 Why "DevSecOps" is a bad term


28:00 What keeps Taylor going in cybersecurity



Links:



Learn more about Taylor on <a href='https://www.linkedin.com/in/tlehmanncyber/'>LinkedIn</a> and <a href='https://twitter.com/BostonCyberGuy'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today is Taylor Lehmann, former ciso several times over in the healthcare sector, and currently Americas leader for security, networking, identity, and compliance solution architecture at AWS.

Taylor and Allan talk about application security: wh...

Application Security w/ Taylor Lehmann

With us today is Ian Thornton-Trump, Chief Information Security Officer at Cyjax and an ITIL-certified IT professional with 25 years of experience in IT security and information technology.



Ian shares his background which started back in the Canadian military. During those times, "IT" was called "automated data processing", and it is quite clear how far this has advanced. He joined the Royal Canadian Mounted Police and spent a year working on criminal intelligence. Soon after he became a consultant and made his way to the UK in 2015.



Oftentimes organizations have not planned or prepared for risk, and that includes cyber. In that sense, cyber can be compared to the environmental landscapes and infrastructure, which Ian finds eerily similar. A lot of problems created in cyber mimic a lot of the environment problems we face in today’s world. One example is the recent failure of the Texas power grid during a very harsh winter. Investment in cybersecurity is critical.



Allan feels there are a lot of environmental laws, but there are also already some pretty strict cyber laws as well. However, they seem more aimed at the anonymous or extrajurisdictional perpetrators and end up useless when their anonymity is involved. And some cyber laws seem to punish the victim as well - after suffering ransomware you are now penalized for not being prepared for it in the first place? How can we get laws in place that are helping the situation and not blaming the victim?



Ian suggest that positive incentives are the answer. If we can just get companies to do a bare minimum cyber hygiene, by incentivizing them through tax breaks, Ian thinks we could move the ball up more forward, without making it too onerous, to meet some sort of regulatory standard. How do we possibly extend our stretch? Because at the end of the day, the root cause is the “bad guys”, so how do we get to them? America is already doing a lot, but other countries need to put their money where their mouth is.



Ian and Allan discuss President Biden's Executive Order on Cybersecurity. This can enforce behavior in the government, but only suggest behavior in the private sector. To sum up, we're nowhere, and we need to get somewhere because what we've done, at the federal and state level in the United States, is taken a lot of dollars, put them in parking lots, and set fire to them. And then after we finished that exercise, we asked for more dollars. We have to change the entire system from the ground up. And we have to incentivize cyber security.



Key Takeaways



1:10 How Ian got into Cyber


2:21 Ian’s day job


4:18 Issues with infrastructure and environment


7:38 Meaningful laws


12:47 Getting to the bad guys


16:35 Catching “Fred Smith” or someone like him


17:43 Rewards


21:17 Preparedness and helplessness


23:43 Einstein program


26:24 What keeps Ian going



Links:



Learn more about Ian Thorton-Trump on <a href='https://www.linkedin.com/in/ian-thornton-trump-cd-77473a26/'>LinkedIn</a> and <a href='https://twitter.com/phat_hobbit'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today is Ian Thornton-Trump, Chief Information Security Officer at Cyjax and an ITIL-certified IT professional with 25 years of experience in IT security and information technology.

Ian shares his background which started back in the Canadian mi...

Solving The Global Cyber Problem w/ Ian Thorton-Trump

With us today is Drew Brown, IT Security Manager at the Commonwealth of Pennsylvania. Drew is here to talk about FAIR and his real-world usage of it and testing it in the trenches.



Drew shares a little bit about his background in cyber, and a little bit about his day job. He spent 15 years in IT. That opened the door then for him to be the CISO for one of the state agencies. Now his title is IT Security Manager but essentially he is responsible for communicating security and risks and working within a law enforcment agency to make sure that what is implemented is secure, it's compliant, and it meets all of the agency objectives.



With FAIR, you start by asking some very basic questions: What is the asset? What is the thing of value that you're trying to protect? Once you understand what that is, you then ask who is going to come after that asset: cyber criminals, nation state, some kind of industrial espionage, hacktivist, or whatever. Or maybe it's Doris in accounting. Either way, you start to work through who might come after that information.



The probability of a guy sitting in his basement, ordering pizzas on your credit card is a different probability than a nation state. On the impact side, we look at six different categories of risk, there's loss to productivity, there's losses in terms of response, how much money are we going to spend? Or do we have to spend to resolve that loss event that incident?



The six forms of loss are productivity, response, replacement, fines and judgments, competitive advantage and reputation. We start looking at what those dollar amounts actually are. But we want to concern ourselves with the most likely and what's the loss magnitude at that most likely value? Now we can go to that executive and say, “Okay, do you want to build a new parking lot? Or do you want to resolve this risk?” Then we can have a business conversation about it.



Allan asks, “What drove you to FAIR?” Drew states that one of the biggest arguments against FAIR that he always hears is, “We don't have enough data points to do this." Drew decided FAIR can help make better decisions about risk. And that is the goal of FAIR anyway - to make better business decisions, better risk decisions.



Digging a little deeper, Allan asks, “Are you confident that it achieved the goals you set out to achieve with it?” In short, the answer is absolutely!



Where FAIR falls shorts comes up. After reflecting, Drew says that it is in the controls analysis piece.



Allan asks Drew what keeps him going in cyber. With a laugh, Drew gives a quick answer of "coffee" and then follows with, “I enjoy that a relationship with my counterparts and then also establishing those relationships with the business and seeing the problems solved.”



What’s coming over the horizon? According to Drew, it’s seeing the normalizing of cybersecurity and making it less of a burden to hire new and diverse talent.



Key Takeaways



1:15 Drew shares his background and day job


2:20 FAIR model


2:56 How FAIR works


5:13 Probability


8:45 What drove you to FAIR


11:42 Goal of FAIR


13:30 Selling to the board


18:16 The honest hat


22:17 RSA announcement


23:32 What keeps Drew going


24:49 What Drew looks forward to



Links:



Learn more about Drew Brown on <a href='https://www.linkedin.com/in/drew-brown-8214675/'>LinkedIn</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

With us today is Drew Brown, IT Security Manager at the Commonwealth of Pennsylvania. Drew is here to talk about FAIR and his real-world usage of it and testing it in the trenches.

Drew shares a little bit about his background in cyber, and a little bit...

FAIR from the Trenches w/ Drew Brown

With us today is Andy Ellis, operating partner at YL Ventures, former Akamai CSO and newly inducted member of the CSO Hall of Fame. We're here to talk about nonstandard hiring practices and how Andy has built an amazing team using nonstandard approaches.



Andy began his career in cyber ("I remember back then, you know, we didn't call it cyber, but I think we've all given up and, and that's now the name for our career field.") as an Air Force ROTC cadet, spent 20 years at Akamai, and joined an advisor program at YL Ventures.



Andy found a solution that addresses hiring needs and the talent shortage, while also building a very clever and very innovative team.



For new roles, look and see if you have somebody who's almost senior that you can promote to do that job. And backfill the almost senior person instead. Try not to hire senior people, try to hire the most junior person you can get away with and promote everybody up the chain. The real trick is to figure out how your HR and finance teams are going to operate and play them off against each other.



Now that we have covered your promotion from within strategy, let's talk about hiring some folks for certain roles on the team that at a glance would make no sense at all for a CSO. And yet is really, really effective and repeatable.



Andy’s flagship is hiring librarians. There is an entire career field dedicated to managing libraries and learning technical language to be able to do that.



Everyone is in the business of publishing a report about their data, right? This is just taking technical data and technical jargon and making it consumable to people who've never seen this data before. There's an entire industry that does that. We call it journalism. So, we hire journalists to come in and be those storytellers.



Hire teachers. Put a teacher in a position and to learn how deep do they need to go on a daily basis, and then make sure they get one level deeper. Because you're always going to have problems if you teach exactly to your domain knowledge. So, make sure your domain knowledge is always little bit deeper than whatever your job requires which is usually going to be sufficient to keep you out of trouble.



To wrap the show up, Allan asks, “Why aren't the rest of us catching on because this is some amazing stuff that every single hiring manager in cyber could benefit from.”



According to Andy, the simple answer is it's expensive, and it takes a lot of time to do right.



Allan asks, “What keeps you going in cyber?” Andy answers, “I've always seen myself as improving the systems that I walk through, that when I encounter a system, I want to tweak it and figure out what makes it work and make it work better."



Key Takeaways



1:24 Andy shares his background and how he got to cyber


3:12 Working for a venture capital firm


7:12 Hiring and building a team


12:26 The abnormal hires that just make sense


15:46 Clever role adjustments


17:10 More nonstandard hires


19:03 Confused? Whose confusion is it?


21:02 The academy


24:42 Putting a teacher in


25:21 Budget technique


27:09 Why isn’t everyone hiring this way?


28:30 What keeps you going in cyber?



Links:



Learn more about Andy Ellis on <a href='https://www.linkedin.com/in/csoandy/'>LinkedIn</a> and <a href='https://twitter.com/csoandy'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today is Andy Ellis, operating partner at YL Ventures, former Akamai CSO and newly inducted member of the CSO Hall of Fame. We're here to talk about nonstandard hiring practices and how Andy has built an amazing team using nonstandard approaches....

Clever  Hiring Practices w/ Andy Ellis

Today we talk with Richard Seiersen, co-author of “How to Measure Anything in Cybersecurity Risk”.



Richard shared that at his first CISO position, he was challenged with addressing prioritization of risk, which led to his authoring a book with Doug Hubbard.



What can cyber learn from older risk disciplines? The life table used broadly to measure time-to-event data goes back 500 years.



Businesses keep falling back to the classic 5x5 "likelihood and impact" matrix which is an inconsistent, non-math-based method.



Without math it is really just casting spells in the board room. There are no ratios or explanation of differences, for example.



CISOs are called upon to make a bet about something. We will use subject matter expert opinions, and can make them measurably better. Consistency is key.



Wild guesses can still help constrain the forecast. There are existing models in cyber such as FAIR that provide a more mathematically applied approach.



Statistics came about because people needed to make bets with limited data. Dirty data can be worked with.



Embracing uncertainty is okay. Executives are actually very used to uncertainty.



Cybersecurity as a practice is in its adolescence with a high mortality risk. We need to adopt the grammar of science.



Key Takeaways



0:25 Richard is introduced


1:20 Richard talks about his cyber journey and his day job


3:02 Book talk


5:19 What can cyber learn from older style risk tactics


8:04 5x5 risk matrix


10:05 Improving accuracy


17:00 Gathering an accurate view


19:20 Monte Carlo simulations


22:04 The belief


25:17 Board-ready presentations


26:58 What keeps Richard going in cyber security


28:09 Why statistics were invented



Links:



Learn more about Richard Seiersen on <a href='https://www.linkedin.com/in/richardseiersen/'>LinkedIn</a> and <a href='https://twitter.com/RichardSeiersen'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

Today we talk with Richard Seiersen, co-author of “How to Measure Anything in Cybersecurity Risk”.

Richard shared that at his first CISO position, he was challenged with addressing prioritization of risk, which led to his authoring a book with Doug Hubb...

Measuring Risk w/ Richard Seiersen

With us today, is a very special guest, Accidental CISO, of Twitter fame. His anonymity on Twitter, allows him to be a little more “truthy” about the CISO game than a lot of us can afford to be on social media. We have distorted his voice a bit to protect that anonymity.



“Accidental” shares how he got into cyber, and that is a culmination of being in a career where he had to fill “all” the hats. He stepped away from his CISO role a few years ago and is now in consulting where he has the opportunity to help other people realize they need to build security programs when they have never done it or know how.



How did he become the “Accidental CISO”? Simply by trying to help during the course of going through an audit. They had to identify who was the CISO, and he made the mistake of asking who the security officer was for the company. The answer was, “That’s you.”



Accidental CISO doesn’t think becoming a CISO accidentally is all that uncommon. When going through audits, etc., someone has to be named, someone ends up drawing the short straw.



The role is different than what people think. You can draw on your technical background, but you have to be able to focus on the “why” for the business and all the nuts and bolts that come with it. One must understand this is not a technical role.



Allan shares his pivotal moment in becoming a CISO and realized all he had to do was recognize the business as the system he was hacking.



When Allan asked Accidental CISO about guidance for building a team and getting started, Accidental had one word, “Pray.” In reality, you need to know the skills you need.



Allan and Accidental CISO discuss “selling the functions”. It is tied to the business objectives in so many ways, and companies need a human to seal the endpoints. As they close this discussion loop, Accidental shares how to get the practice off the ground and the importance of relationships.



Sometimes, believe it or not, not having all the knowledge and knowing all the details is a benefit. In addition, being the first CISO for a company is all about educating, communicating and painting a picture.



And of course, Accidental CISO answers Allan’s final question, “Why are you motivated to get out of bed and do more of it?”



Key Takeaways



0:30 Introduction of Accidental CISO of Twitter fame


1:37 How Accidental CISO got into cyber


2:14 Accidental CISO talks about his day job


3:33 The background of Accidental CISO


4:49 The security tool Accidental CISO embraces


5:20 Accidental CISO is not an uncommon “thing”


6:37 Advice to becoming a CISO


9:28 Allan shares a pivotal moment


10:15 Guidance on building and getting a team started


13:58 Selling the functions


16:55 Getting the practice off the ground


20:13 Importance of relationships and letting go


22:24 Being “their” first CISO


26:47 Building a security council


27:49 Why Accidental CISO is motivated to get out of bed each day and do more of it



Links:



Learn more about Accidental CISO on <a href='https://twitter.com/AccidentalCISO'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today, is a very special guest, Accidental CISO, of Twitter fame.  His anonymity on Twitter, allows him to be a little more “truthy” about the CISO game than a lot of us can afford to be on social media. We have distorted his voice a bit to prote...

Becoming a CISO w/ Accidental CISO

Today we talk with Marlys Rodgers, who has been in cyber for over 20 years. She currently is CISO for CSAA Insurance Group and is running security for the company as well as running governance risk and compliance for technology. She shares that it feels like she is constantly balancing assessing with preventing.



Allan brings up breach and attack simulation (BAS), and when it is most appropriate to implement in the context of the maturity of a security program. Marlys feels BAS is most effective when some, or most, of the intended controls are in place so you can focus on areas you need to strengthen. For her company, she was glad they did it earlier rather than later. They had a pretty good lead time to get systems to integrate.



The way you use BAS, especially along with threat intelligence, is really important. If you don’t have a purple team, or a red and blue team how does one start or how do you reorganize? Hear how Marlys did just that. Tag-teaming works best!



How has BAS helped in conversations with the audit team as well as the GRC team? More data gets shared with Audit and they become strong allies. Everyone is happy when fed real-world, real-time information.



BAS is truly changing mindsets, and will ultimately alter prioritization and enhancing and inter-team communications as well.



To wrap up the show, Marlys shares what about her job keeps her getting up in the morning and what she is looking forward to in cyber.



Key Takeaways



0:21 Welcome Marlys


1:13 Short comical discussion on how one should pronounce BAS


1:29 Marlys shares her background and day job


3:35 When BAS comes into the picture


5:00 The trick


6:05 Allan asks Marlys how she stays up with it


8:52 Marlys explains why more time should be spent on extending capabilities


9:38 Suggestions are shared to roll out BAS


12:21 Importance of human elements


13:45 If you don’t have teams, what happens?


16:18 How BAS affects conversations with teams


20:00 Importance of transparency


21:27 Changing people, process and technology with BAS


25:00 Marlys shares the reason she is motivated to stay in cyber


26:01 Marlys shares when she is looking forward to in cyber



Links:



Learn more about Marlys on <a href='https://www.linkedin.com/in/marlys-rodgers/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

Today we talk with Marlys Rodgers, who has been in cyber for over 20 years.  She currently is CISO for CSAA Insurance Group and is running security for the company as well as running governance risk and compliance for technology.  She shares that it feel...

Breach & Attack Simulation w/ Marlys Rodgers

With us today is John Petrie, Counselor to the NTT Global CISO. He is responsible for managing the growing internal security challenges for the NTT operating companies across the globe.



Retired in 1996 from the Marines John began his career in multiple security positions. He shares that his major responsibility of today is creating the enterprise security architecture (“ESA”) for NTT.



Allan used to work for NTT DATA Services, and shares that John is working for the ultimate parent company of the NTT global conglomerate – a full 3 companies of inheritance between John’s company and Allan’s former company. John shares just how big NTT really is throughout 180 countries. Altogether there are 986 companies worldwide, generating over $110 billion in revenue each year. NTT is #62 on the Global Fortune 500.



John shares the full gamut of what an enterprise security architecture really is, how important it is and what it does. There are nine principles to building his ESA, and John outlines them while acknowledging that it is different for every company. Nowadays, the systems designed are for mobility, usability, management, and innovation around the core. Simplicity and resilience are a must!



Further on down the show, Allan and John discuss the 3-year cycle of both technology and business planning, and that not everything is a “one size fits all”. In addition, they talk about mixing and matching popular ESA models, and what that means to the framework.



There is a bit of discussion surrounding what it means to “have a seat at the table” as an information security executive. Everyone needs to be on the same page, to have business buy-in and to create strong business relationships. Security is one of those business voices, and everyone is in it together.



In closing, Allan and John talk about how the focus is not only on technology but on governance and training to get ready for implementation. Along with this, there are fundamental strategic decisions to be made, but ultimately on the large scale it is all about execution and governance.



Key Takeaways:



0:24 Introduction of John Petrie


1:27 How John broke into cyber and how his job looks today


3:08 We get the lo-down on how big NTT really is


4:55 Everything you need to know about ESA


6:46 John shares the 9 principles that provide a foundation for his ESA


6:55 “Aligned Independence”


7:44 “Standards-Based”


7:53 “Manage the Risk”


8:15 “Platform-Based Architecture”


9:49 “Design for Mobility and Usability”


10:00 “Innovate Around ‘The Core’”


10:32 “Simplicity and Resilience”


10:36 Global Remote Work at nearly 100%


11:30 “Supporting Digital Transformation & Strategic Plan”


13:04 Allan and John discuss 1-, 3-, and 5-year cycles


14:40 Not everything is one size fits all


17:02 Length of the process John is currently in


19:15 What occurs during this process


20:44 John shares the plan goal


22:33 The one directive from their CEO


24:16 Fundamental strategic decision


26:41 The large scale


27:31 The key takeaway from this entire discussion according to John


Links:

Learn more about <a href='https://www.cyberthreatalliance.org/biography/john-petrie/'>John</a> on <a href='https://www.linkedin.com/in/johnpetrie/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today is John Petrie, Counselor to the NTT Global CISO.  He is responsible for managing the growing internal security challenges for the NTT operating companies across the globe.

Retired in 1996 from the Marines John began his career in multip...

Enterprise Security Architecture: A $110b Case Study w/ John Petrie

With us today are Lynn Dohm, Executive Director of Women in Cybersecurty (WiCyS) and Martha Laughman, Veterans Iniative Lead at WiCyS and Director of Workforce Development at Smoothstack. Lynn and Martha are here to talk about the amazing programs for women and women veterans at WiCyS.



WiCyS is so much more than a conference for women in cybersecurity. Its presence spans the globe and its programs are myriad. Mentorship, student scholarships, training, special interest groups, job boards, veterans' assistance, and apprenticeships are all available.



Smoothstack is a partner of WiCyS, and has created a program for women veteran apprenticeships designed to benefit all parties involved.



The program is based on attitude, aptitude and intitial assessments, but requires no cybersecurity knowledge at the start. Apprentices are paid, trained, and qualified when they come out, working for employers on a two-year contract at a minimum. The program addresses employers' fears over being the first ones to hire and train new talent only to lose them.



WiCyS is a phenomenal organization, and there are ample opporutnities for allies - not just women - to join.



Key Takeaways


0:24 Allan Introducs Lynn and Martha


1:18 Lynn gives an overview of WiCyS' origins


2:06 Lynn explains the many WiCyS worldwide programs outside of the conference itself


6:45 Lynn introduces the veterans' assistance program


7:33 Lynn explains the origins of the veterans' apprenticeship program


8:54 Lynn explains why WiCyS chose Smoothstack and its program for women veterans' apprenticeships


10:14 Lynn explains the specific challenges and needs of women veterans


11:51 Martha shares a bit about her past, and her personal motivations


15:05 Martha elaborates on the program at Smoothstack with a very human story


17:14 Martha outlines the full process of the apprenticeship program


18:10 Martha outlines the tests for entry into the program


20:44 Martha states that employers hiring new talent suffer training overhead followed by attrition


21:40 The Smoothstack/WiCyS program pays candidates to get trained to readiness and guarantees employers two years minimum


23:40 Martha explains that cybersecurity has become a sellers' market and that jobs remain open because employers cannot pay enough


26:20 Lynn explains her motivation and drive to build such programs


27:23 Martha asks our listeners to join WiCyS, noting that membership is very affordable


28:23 Lynn echoes Martha's advice and recommends browsing the WiCyS website


28:47 Allan asks listeners to dontate to WiCyS


Links:

Learn more about WiCyS at <a href='https://www.wicys.org/'>www.wicys.org</a> and on <a href='https://twitter.com/WiCySorg'>Twitter</a> and on <a href='https://www.linkedin.com/company/women-in-cybersecurity-wicys/'>LinkedIn</a>

Learn more about Smoothstack at <a href='https://www.smoothstack.com/'>smoothstack.com</a>

Learn more about Lynn Dohm on <a href='https://www.linkedin.com/in/lynndohm/'>LinkedIn</a> and on <a href='https://twitter.com/lynn_dohm'>Twitter</a>

Learn more about Martha Laughman on <a href='https://www.linkedin.com/in/martha-laughman/'>LinkedIn</a> and on <a href='https://twitter.com/MarthaLaughman'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today are Lynn Dohm, Executive Director of Women in Cybersecurty (WiCyS) and Martha Laughman, Veterans Iniative Lead at WiCyS and Director of Workforce Development at Smoothstack.  Lynn and Martha are here to talk about the amazing programs for...

Programs for Women & Veterans in Cyber w/ WiCyS - SPECIAL EDITION

Howdy, y’all, and welcome to The Cyber Ranch Podcast! With us today is Patrick Benoit, Global Head of Cyber GRC, and BISO at CBRE. Patrick is here to talk about Data Risk Governance, a slightly new twist on an old problem. Like our host, Patrick is also from the Dallas-Fort Worth area of Texas.



To start the conversation, Allan asks Patrick to share a little about himself, his background in information security and what he does at his day job. Patrick began his career in the military, eventually coming over to consulting and enterprise. He has built out more than one BISO program, and has run multiple GRC programs as well. Patrick has a customer-facing security role and believes that all security leaders are also, to some degree, sales leaders.



Allan and Patrick walk through a very practical approach to Data Risk Governance, starting with 'big chunks' and working towards the future with data tagging.



They discuss briefly various rules for dealing with older data and various means of risk measurement.



Ultimately their model is designed to work over a three-year or five-year period, encompassing all data in the organiztion by that time.



Key Takeaways


0:23 Allan introduces Patrck


1:36 Patrick shares his cyber background and his jay job


4:10 Patrick introduces his model of Data Risk Governance, which began as a sales/marketing tool and evolved into a "real" practice


5:59 Patrick introduces the precursors to setting up a proper Data Risk Governance program, which includes data classification among others


8:01 Allan explains how data disocvery and classification can be expensive and yet still only partially succesful


9:12 Patrick advocates his 'one bite at a time' method based at first on broad strokes of known valuable/risky data


10:45 Allan describes multiple data loss stories from his past


12:10 Patrick delineates in more detail the 'big chunks of data' method and his firewall analogy of allow/deny


13:23 Patrick notes that classification followed by tagging is a great approach


13:57 Allan proposes a new-data-only go-forward plan and Patrick agrees


15:56 Patrick talks about how the legal department owns data retention rules


17:30 Talks about how chat messages should be volatile


19:00 Allan proposes usese tagging to manage destruction and retention


21:00 Patrick notes that reducing risk by tagging some of your data is better than tagging none of it


23:30 Patrick discusses his model for quantifying risk vs investment as an 'orders of magnitude' problem with dollars as unit of measure


25:17 Allan proposes the car insurance model to counter Patrick's life insurance model


26:00 Allan talks about accurizing risk measurement and discusses briefly models like FAIR and Bayesian math vs. Patrick's orders of magnitude method


27:09 Patrick uses the 5x5 method not as a specific measurement but more as a visual aid and heatmap


29:11 Patrick explains what keeps him going in information security


Links:

Learn more about Patrick Benoit on <a href='https://www.linkedin.com/in/patricklbenoit/'>LinkedIn</a> and on <a href='https://twitter.com/patrickbenoit'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

Howdy, y’all, and welcome to The Cyber Ranch Podcast!  With us today is Patrick Benoit, Global Head of Cyber GRC, and BISO at CBRE.  Patrick is here to talk about Data Risk Governance, a slightly new twist on an old problem.  Like our host, Patrick is ...

Data Risk Governance w/ Patrick Benoit

Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Mike Manrod, CISO at Grand Canyon Education. Mike has done quite a bit of research on vishing, smishing and the upcoming STIR/SHAKEN legislation meant to combat those two.



To start the conversation, Allan asks Mike to share a little about himself, his background in information security and what he does at his day job. Mike started as an IT technologist who orginally resented the security team for slowing down technology projects. Then a friend took him to a security conference, and the rest is history.



Mike explains what vishing and smishing are, contrasting them to traditional phishing. Mike and Allan discuss personally targeted vishing and smishing vs. attacks targeted at organizations.



Allan and Mike cover the new STIR/SHAKEN legislation and related RFCs, along with the technical limitations inherent in the approach.



Finally, Allan asks Mike what keeps him going in cybersecurity, including technical challenges and a strong infosec community.



Key Takeaways


0:24 Allan introduces Mike


1:05 Mike explains how he got into cybersecurity and what his daily CISO life is like.


2:48 Mike explains what vishing and smishing are.


3:32 Mike explains the unethical vishing vs. truly illegal vishing and how they might target an organization vs. an individual.


7:18 Mike explains how most smishing is targeted at individuals. SIM swapping and other techniques are generally what is used against enterprises.


8:00 Mike says that smishing is most often used to introduce malware or harvesting user credentials.


9:31 Mike says that smishing, vishing and robocalling definitely mimic the ransomware world where lower-level, even non-technical criminals run the front line of attack.


11:34 Mike compares STIR/SHAKEN to the anti-phishing technologies DKIM, DMARC and SPF.


11:49 Allan explains that those email technologies are opt-in and only effective if all parties choose to opt in.


12:31 Mike explains what STIR/SHAKEN stand for and how they work - they are based on a series of RFCs.


13:43 Mike explains the FCC June 30, 2021 deadline for IP-based carriers to adhere to STIR/SHAKEN. TDM and Cellular networks are asked to implement in good faith.


15:48 Mike says that STIR/SHAKEN is a great step in the right direction. The nature of the problem is that the 'from' value is user-controlled in telco communications.


17:29 Mike sas that an enforced heirachy of tokens will solve the problem ultimately.


18:15 Mike recommend RFC 7340 as the best definition of the problem statement for the telephony challenged end-to-end.


18:45 Mike explains how STIR/SHAKEN also impacts smishing - noting that iMessage and other SMS-derived technologies already offer better security than voice technologies.


19:29 Mike states that a paradigm with certificates bound to number ranges or account ranges is the real solution to the problem.


21:01 Mike explains that fun technical challenges are why he stays in information security - a lack of bordeom.


21:58 Mike also names community as another reason he stays in infosec.


Links:

Learn more about Mike Manrod on <a href='https://www.linkedin.com/in/manrod/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Mike Manrod, CISO at Grand Canyon Edu...

Vishing, Smishing and STIR/SHAKEN w/ Mike Manrod

Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Gabe Lawerence, General Manager of Cyber Security Protection at Toyota Motor North America. Gabe has seen the good and bad of purple teaming, and we’re here today to discuss what a mature purple teaming organization looks like.



To start the conversation, Allan asks Gabe to share a little about himself, his background in information security and what he does at his day job. His path to security hasn’t been linear - he has been a developer, an entrepreneur and a startup owner, slowly making his way to different levels of management in the security space. Gabe runs Enterprise Security at Toyota North America and is responsible for the technical side of the business and manufacturing environment.



When discussing what successful purple teaming looks like, Gabe points to the heightened alert of fidelity being among its greatest benefits. Rather than a red versus blue mindset, purple teaming encourages community and collaboration. Then, Allan asks Gabe to share a specific time he found unexpected success in purple teaming. Gabe gives an example reiterating the advantage of having a red and blue team working collaboratively.



In managing an enterprise, Gabe says there is always something changing. Validating your controls, alerts and responses are just a few of many tasks best tackled in smaller chunks. Embedding the automation from purple teaming as the ongoing environment keeps things in a high functioning state and serves as a persistent health check. Gabe explains how a buffer overflow isn’t exactly instantaneous and combatting lingering attacks.



Though purple teaming has many great benefits, it requires a bit of maturity. Having different teams interact together as they mature ensures they understand each other's roles and can effectively work together. Gabe urges people in the industry to think of themselves not only as part of a specific team, but as a part of a broader collective. In the hiring process, he describes seeking candidates with experience in software development and scripting. Additionally, it’s crucial to be willing and excited to learn and have keen problem solving abilities. In closing, Gabe looks forward to working in server-less spaces like the Cloud in the future and says his favorite thing about his career field is that it never fails to offer something new.



Key Takeaways

0:21 - Host Allan Alford welcomes listeners to the show and introduces Gabe Lawerence.

1:12 - Allan asks Gabe to share about his background and day job.

2:40 - What is successful purple teaming?

4:30 - Gabe shares both positive and negative personal experiences in purple teaming.

9:42 - How do you automate purple teaming?

14:11 - Fine tuning the deployment of the controls.

19:20 - How Gabe designs and hires for his team.

26:20 - What keeps Gabe in Information Security?

Links:

Learn more about Gabe Lawrence on <a href='https://www.linkedin.com/in/geblsd/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

Welcome to The Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts! Today, host and CISO Allan Alford interviews Gabe Lawerence, General Manager of Cy...

Maturing Purple Teaming w/ Gabe Lawrence

In this episode, host and CISO Allan Alford interviews his friend Dutch Schwartz, Principal Security Specialist at Amazon Web Services. Dutch is a vendor, but do not press 'stop' just yet! Dutch is an empathetic outsider, an observor, and a constant learner and researcher. He brings some unique insights to our practice.



Dutch talks about his encounters with CISOs and their direc staffs, and opines on the debate as to how technical a CISO should be (versus business-oriented).



Allan and Dutch discuss healthy vs. unhealthy (Dutch prefers the term 'challenging') security cultures.



Dutch talks about all security efforst aligning with business initiatives, and Allan espouses his theory that all CISO actions should ties to business initiatives, risk reduction, and maturity improvement.



Dutch remains enthused about cybersecurity because of conversations like this very interview.



Key Takeaways

1:32 - Dutch shares his cyber origin story - stumbling into cyber after a militiary career as an officer, and working an integrator for a VAR.

4:54 - Today Dutch works at AWS and supports the largest customers as a cloud security strategist, working with CISOs and their staffs.

5:47 - With Dutch's Fortune 50 customers, he meets wit the CISO on a monthly or bi-monthly basis, depending upon how hands-on the CISOs are. Daily he meets with the CISOs direct reports.

7:04 - Dutch explains that over the years the CISOs' have changed from a more technical bent to a more business and risk-management orientation. Some struggle with this growth.

12:15 - Allan describes his CISOs communication philosophy of "Business Terms First, Risk Terms Second, Technology Terms Third".

13:23 - Allan talks about CISOs asking each other whether they are more technical or business/softskills-oriented.

15:00 - Dutch says that how technical a CISO is depends partially upon risk tolerance.

18:02 - Dutch elaborates that a bad security culture results in more breaches.

19:18 - Dutch explains how a company's culture can be measured.

19:54 - Dutch says culture is not what the leadership preaches, but rather what the factory worker in a remote location believes it to be.

20:16 - Dutch says challenging cultures are the ones where leadership is not aligned.

21:53 - Dutch starts his conversations with his clients by talking first and foremost about business initiatives.

23:40 - Dutch often compares security to quality when getting his clients to understand the overarching perspective.

26:50 - Allan says all CISO initiatives should be tied to business objectives, reduction of known risks, and how his actions might improve maturity.

29:29 - Conversations like this one are what keeps Duth in information security.

Links:

Learn more about Dutch Schwartz on <a href='https://www.linkedin.com/in/dutchschwartz/'>LinkedIn</a> and <a href='https://twitter.com/dutch_26'>Twitter</a>.

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

In this episode, host and CISO Allan Alford interviews his friend Dutch Schwartz, Principal Security Specialist at Amazon Web Services. Dutch is a vendor, but do not press 'stop' just yet! Dutch is an empathetic outsider, an observor, and a constant le...

Interview with a Vendor w/ Dutch Schwartz

In this episode, host and CISO Allan Alford interviews his friend Chris Foulon, Sr. Manager of Cybersecurity at a leading fintech compnay, and co-host of the "Breaking into Cybersecurity" podcast.



Chris has 15 years in information security, having started at the helpdesk years ago. His biggest desire in infosec is helping others. In his day job Chris gets to work with every part of the business.



On the subject of the personnel shortage in cybersecurity, Chris believes that there is no shortage. Rather, he suggests that hiring managers limit their choices by holding out for too high an experience level, and by neglecting diversity and inclusion.



His advice for those who are entering the profession is to combine experience, certifications and education as suited to themselves and the roles they are applying for. He suggests reserach and listening to podcasts like this one. Chris suggests finding a mentor has well.



Chris and Allan discuss diversity, inclusion and allyship at length, going into such details as how job descriptions can discourage diverse candidates.



Chris' motivation in cybersecurity is the fact that the industry is ever-evolving and always presents opportunities for creative problem solving.



Key Takeaways

1:18 - Chris shares his history with cybersecurity

3:20 - Chris describes why he thinks there is no infosec personnel shortage

4:43 - Chris describes how to write a job description to generate more candidates

6:28 - Chris tells people with other backgrounds not to start over in cyber but to move in laterally and learnd the tech

8:02 - Chris explains how to get experience and subject matter expertise before you start you first job

12:35 - Chris talks about certifications

16:11 - Chris talks about including neurodiverse candidates

17:52 - Chris describes how hiring managers can clean their job descriptions to encourage diverse candidates

24:24 - Chris describes the benefits of mentoring

25:24 - Chris describes what motivates him in infosec

26:24 - Chris describes what he is looking forward to in infosec

Links:

Learn more about Chris Foulon on <a href='https://www.linkedin.com/in/christophefoulon/'>LinkedIn</a> and <a href='https://twitter.com/chris_foulon'>Twitter</a>.

Chris' coaching site is <a href='https://cpf-coaching.com/'>CPF Coaching</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

In this episode, host and CISO Allan Alford interviews his friend Chris Foulon, Sr. Manager of Cybersecurity at a leading fintech compnay, and co-host of the "Breaking into Cybersecurity" podcast.

Chris has 15 years in information security, having sta...

Advancing Cybersecurity Careers w/ Christophe Foulon

Today, host and CISO Allan Alford interviews friend and fellow CISO Gary Hayslip. Besides being a brilliant business leader, Gary is an author, mentor, and one of the best all-around humans Allan knows!



To start the conversation, Allan asks Gary to share about himself and his background in cybersecurity. While he had a natural interest in computers and technology more generally, Gary’s formal entrance to the cybersecurity field came during his time in the military. He developed a love for security, and as he’s climbed within the industry in the years after his military service, he’s also developed a strong network as a colleague and mentor. Allan tapped into this shared community through one of its most-used platforms, LinkedIn, to find out what others in the field would most like to learn from Gary.



The first questions deal with topics of leadership and training, and Gary explains his own practices of educating himself and his team. In his own life, he is committed to maintaining up-to-date knowledge of his rapidly changing field through research and reading; such knowledge is necessary if Gary is to lead as effectively as he can. Gary also provides opportunities for his staff to receive continuing education, and he does not worry that he might train employees beyond their roles. Rather, he embraces the privilege of partnering with his staff to see them succeed on their career paths.



There is a lot that goes into Gary’s practice of crafting and leading a team, and the COVID-19 pandemic has caused him to make some coaching changes. One-on-one meetings and conversations about family are more frequent, but the emphasis on building team trust and leading team members to own the business strategy remain constant. Gary assigns team members to take the lead on and complete briefings for different aspects of the strategy, and also expects them to back each other up.



This practice not only fosters ownership of business processes and development of employee skills, but also shapes the kind of culture Gary insists his team have. He requires team members to possess certain soft skills, be people of honesty who take personal responsibility, and be comfortable in team and group contexts. Gary tries to care for his workers by taking harder hours on himself than he expects them to work, but as the conversation wraps up, he explains that he is mainly motivated in his work by love for the community and people in the field!



Key Takeaways

0:21 - Host Allan Alford welcomes listeners to the show and introduces Gary Hayslip.

1:08 - Allan asks Gary to share about his background.

2:08 - The first questions deal with continuing education for Gary and his team.

6:58 - How has Gary’s coaching changed because of COVID-19?

10:54 - What are Gary’s methods for helping his team take on pieces of his strategy?

17:55 - COVID-19 also raises new questions about work-life balance.

21:45 - The next question deals with how Gary develops team culture.

25:39 - What keeps Gary going in cybersecurity?


Links:

Learn more about Gary Hayslip on <a href='https://www.linkedin.com/in/ghayslip/'>LinkedIn</a>.

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

Today, host and CISO Allan Alford interviews friend and fellow CISO Gary Hayslip.  Besides being a brilliant business leader, Gary is an author, mentor, and one of the best all-around humans Allan knows!

To start the conversation, Allan asks Gary to s...

Developing Leadership w/ Gary Hayslip

In this show, host Allan Alford interviews Dr. Rebecca Wynn about information security decisions made during COVID and what the 2021 "reckoning" might look like. Dr. Wynn is a well-recognized CISO and Chief Privacy Officer, who faced some large-scale challenges during 2020. Allan welcomes Dr. Wynn to the cyber ranch!



The show starts with Allan asking Dr. Wynn to introduce herself and to tell the listeners a bit about her background. Dr. Wynn has received quite a lot of recognition in the field.



Allan and Rebecca Wynn share a wealth of connections in the CISO community, and both have consulted with numerous companies over 2020. This positions them to be able to talk to the broad spectrum of COVID-related actions and reactions taken during 2020.



Moving workers to home all over the world resulted in an increased attack surface and increased privacy concerns as well. Security quesionnaires were on the rise, as were deeper investigations into PCI, SOC2, etc. report. COVID, in other words, really emphasized the supply chain risk posture.



Allan and Dr. Wynn discuss the challenges and variety of preparedness for Zero Trust architectures - VPN, VDI, cellular dongles, taking desktop computers home, etc.



Allan and Dr. Wynn talk about supply chain risk, contracts, penalties, and other facets of post-COVID third-party risk.



To close the podcast, Dr. Wynn shares that she loves information security because of great companies out there who are forward-looking and paying real attention to security.



Key Takeaways:


1:18 - Dr. Wynn tells the audience about her information security background and recognitions.

2:43 - Dr. Wynn had to move 10,000 people to work-from-home for COVID.

4:31 - Dr. Wynn tells her clients to check the PCI, SOC2, etc. reports in detail for their supply chain.

5:37 - Allan points out that supply chain questionnaires were on the rise due to COVID.

6:45 - Dr. Wynn elaborates on Zero Trust architectures deployed during COVID and states that Zero Trust is not "one and done".

8:20 - Dr. Wynn encourages her clients to really dig into the risk associated with the supply chain.

9:12 - Allan points out that the Solarwinds breach was really a post-COVID phenomenon in terms of its impact and how folks responded.

10:40 - Allan shares that some companies were not ready for Zero Trust at all vs. those who were so well prepared.

12:49 - Dr. Wynn encourages auditors to go back and visit their 3rd-party risk.

14:34 - Dr. Wynn points and Allan talk about the strength and significance of contracts in the cultures of various companies.

16:50 - Dr. Wynn tells her clients to attach assessments to the contract and asks for transparency.

19:40 - Dr. Wynn encourages her clients to ask their supply chain about end-of-life and end-of-service posture for the technical estate.

23:05 - Allan advocates that vendors have honest conversations with their customers to be transparent about what new risks COVID onboarded.

25:08 - Dr. Wynn predicts that 2021 will be the reckoning for companies who took shortcuts during COVID.

25:42 - Dr. Wynn loves working for forward-looking companies and loves working for the greater good.

26:48 - In Information Security, Dr. Wynn predicts growth and evolution and hopes for a real investment.



Links:

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Learn more about Dr. Rebecca Wynn on <a href='https://www.linkedin.com/in/rebeccawynncissp/'>LinkedIn</a>.

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

In this show, host Allan Alford interviews Dr. Rebecca Wynn about information security decisions made during COVID and what the 2021 "reckoning" might look like.  Dr. Wynn is a well-recognized CISO and Chief Privacy Officer, who faced some large-scale ...

The Post-COVID Reckoning w/ Dr. Rebecca Wynn - SPECIAL EDITION

In this show, host Allan Alford interviews his friend Chris Castaldo about how to align information security with the business. Chris is the CISO at Crossbeam, and is also the author of the book "Start-Up Secure: Baking Cybersecurity into Your Company from Founding to Exit", available for pre-order at Amazon. Chris, like Allan, views himself as a very business-oriented CISO. Allan welcomes Chris down to the ranch to discuss business orientation and alignment of information security in detail.



The show starts with Allan asking Chris to introduce himself and to tell the listeners a bit of his background. Chris's book fills the void in books for founders that seemed to utterly lack any reference to cybersecurity. Allan recommends the book, as he was one of the lucky few to review the book before its release.



But that is not what they are here to chat about today... Allan asks Chris what it means to be a business-oriented CISO - and what does it look like to NOT be a business-oriented CISO?



Allan asks Chris how a CISO can affect both the bottom line and the top line as well. Allan and Chris discuss the nuances of that conversation in the context of business-to-consumer ("B2C") businesses vs. business-to-business ("B2B") businesses.



Allan and Chris discuss the challenges of striking the balance between meeting the business' security needs and being agile enough to quickly respond to the dynamic and ever-changing nature of the business.



To close the podcast, Chris shares that he loves information security because of its always offering something new, and because of it evolving towards a user-centric approach.



Key Takeaways:


0:36 - Chris tells the audience about his security book for founders.

2:19 - Chris talks about his day job as CISO at Crossbeam.

3:08 - Chris talks about what it means to be a business-oriented CISO - it's mostly about understanding the rest of the business.

6:05 - Chris walks through how a CISO's impact to the top and bottom line varies for startups vs. mature businesses.

7:16 - Chris compares security aspects of a non-security offering to airbags in a car.

9:02 - Allan shares his past as a product security professional and how business-aligned product security in tech companies is.

12:00 - Chris compares B2C to B2B and how business-alignment for the CISO varies across the two.

14:41 - Allan talks about expectations of security vs. liability caps for failing to deliver it: B2B vs. B2C.

18:24 - Chris discusses how to enable security without putting the brakes on the business.

22:40 - Allan explains how some of his basic security controls that also accelerate the business.

25:17 - Chris explains why he loves working in information security.

26:21 - Chris is looking forward to user-oriented cyber security.



Links:

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Learn more about Chris Castaldo on <a href='https://www.linkedin.com/in/chriscastaldo/'>LinkedIn</a>.

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

In this show, host Allan Alford interviews his friend Chris Castaldo about how to align information security with the business. Chris is the CISO at Crossbeam, and is also the author of the book "Start-Up Secure: Baking Cybersecurity into Your Company ...

Business-Oriented Security w/ Chris Castaldo

Today, host and CISO Allan Alford interviews Omkhar Arasaratnam, a veteran of the cybersecurity industry, on the topic of supply chain security. With a career in security going all the way back to 2004, and with experience working for IBM and several financial institutions before becoming an Engineering Director at Google, Omkhar brings much hard-earned insight to the table!



Looking to tap into that insight, Allan poses two questions for Omkhar. First, how would he characterize or define supply chain security and its implications? And second, how would he explain the SolarWinds breach and its fallout? Omkhar centers his thoughts on the SolarWinds situation, a costly breach in which hackers manipulated a code base and used it as a leverage point to gain access to high-worth targets. This attack required precision and focus, and is of the first public breaches; however, Allan and Omkhar imagine that there will be copycat attacks to come, and that the attack is a wake up call for all those with access to client data to step up their supply chain security.



Both providers and consumers with a hand in supply chain security have a responsibility to tighten their controls. Supplier checks should be more frequent, software suppliers need to be very buttoned-down in how they control their entire build architecture, and those overseeing supply chain security need to carefully navigate the available vehicles for managing supply chain risk. These vehicles, including questionnaires, right to audit, open source/credit-check style tools, and GRC tools, all have benefits and drawbacks, and no company manages supply chain security perfectly.



With a lot of sympathy for SolarWinds, though, Allan and Omkhar think that further work needs to be done in the cybersecurity space to bolster supply chain security measures. Omkar details his own “black box” idea, which he imagines would be a strong component of a more comprehensive security protocol. Allan explains how this comprehensive protocol could function, and while making such a system an international standard is far off, Omkar and Allan agree that there are tools in place for cybersecurity professionals to move toward a better system. There are issues of risk to weigh, myriad solutions to compare, and precursor tasks to address, but it’s time to get a conversation going that will ideally lead to change!



Key Takeaways:

1:10 - Allan asks Omkhar to share about his background before jumping into the main topic.

1:53 - Allan has two questions for Omkhar.

5:09 - Consumers and providers have a responsibility to step up their game.

7:41 - The conversation shifts toward the vehicles for managing supply chain risk.

9:05 - What’s Omkhar’s take on the open source/credit score-style check?

11:55 - Allan and Omkhar turn to Omkhar’s black box idea.

17:22 - Omkhar thinks highly of Allan’s comprehensive approach, but there are obstacles.

21:50 - What are these obstacles, and what is the needed precursor work?

26:20 - As the conversation ends, Allan asks about Omkhar’s motivation and passion.



Links:

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Learn more about Omkhar Arasaratnam on <a href='https://www.linkedin.com/in/omkhar/'>LinkedIn</a>.

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

Today, host and CISO Allan Alford interviews Omkhar Arasaratnam, a veteran of the cybersecurity industry, on the topic of supply chain security.  With a career in security going all the way back to 2004, and with experience working for IBM and several ...

Supply Chain Security w/ Omkhar Arasaratnam

In this show, host Allan Alford interviews his friend Will Lin about startups and venture capital. Will Lin is a venture capitalist with ForgePoint Capital, focusing exclusively on the information security space. First and foremost, Will views his current role as a way to help others. Allan welcomes Will on to the show to help his listeners learn more about the startup world, the venture capital world, and how those two intersect.



The show starts with Allan asking Will why he thinks startups are such a prevalent force in the cyber security world. Will is not sure, but his hypothesis is that this is in large part due to the ever-changing nature of cyber security. Since needs are constantly changing and each organization has unique needs, startups have popped up to address those specialties and change based on the different needs that arise. His second hypothesis is that there always need to be organizations prepared to address new and emerging threats to security.



For VCs, Will shares that companies and startups go through very natural progression in terms of maturity depending on their framework. Regardless, what it all boils down to is where in their life cycle any organization finds itself. Once the VC is able to identify where the company is in their life cycle, then they can begin to make informed decisions about the company. This will determine the type of funding that VCs will decide to provide. For example, usually when a company is around 10-20 members, they will be looking for series A funding. Typically, series A funding is around 10-25 million dollars, series B is 20-40 million and series C is 50 million and above. By evaluating the total of the investment, observers can estimate the valuation of the company.



While most companies only do a few rounds of fundraising, some companies will experience several late rounds of fundraising and Will advises that this is typically a good thing. The best indicator of health is the number of employees. If the number of employees is going down, that is one of the clearest indicators of regression. Once a VC comes in, though, that is where they are able to lend their experience to help with advising the business, which is Will’s favorite part of his job.



To close the podcast, Will shares that being able to help people and add value to their companies is the thing that keeps him energized and engaged in his position.



Key Takeaways:

0:24 - Listeners are introduced to Allan Alford and his guest, Will Lin.

1:27 - Why do so many people in the security industry rely on startups?

3:29 - What does Will do in his job and how has his background led to his current role?

5:36 - From Will’s perspective, what is the critical split between the first round of angel funding

9:33 - What is the expectation for funding in each different series of investments?

15:19 - What does the VC ownership look like from the perspective of the company?

21:22 - Does Will offer specific advice to the startups that he works with?

24:00 - What is Will’s opinion on startups that grow without any assistance from VCs?

25:48 - What keeps Will energized in his job?



Links:

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Learn more about Will Lin on <a href='https://www.linkedin.com/in/linwilliam/'>LinkedIn</a>.

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

In this show, host Allan Alford interviews his friend Will Lin about startups and venture capital. Will Lin is a venture capitalist with ForgePoint Capital, focusing exclusively on the information security space. First and foremost, Will views his curr...

Startups & VCs in InfoSec w/ Will Lin

On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Ron Eddings and Chris Cochran from Hacker Valley Studio. The episode begins with Ron and Chris sharing how they came to cyber security and the roles they’ve held in the space.



While they came up in the cyber security space through different channels, they now work together at Marqeta, Ron as a Security Architect Leader and Chris as the Director of Security Engineering. Additionally, together they host the Hacker Valley Podcast. Allan is curious how the podcast affects their day jobs and their day jobs influence the podcast. Ron and Chris explain that it has given them wider contacts with people in the security industry and the opportunity to speak with them about their interests and expertise.



Allan asks Ron and Chris how they stay passionate about their work. Chris says both he and Ron believe in getting better everyday, even if it’s in small increments. Reading books, taking classes, speaking to mentors are all ways that he improves himself and makes sure he stays sharp. Ron shares that he is a collector, and it has led him to collecting experiences. Through these experiences, he is also able to continue getting better and improving himself.



They both share that through the podcast and their jobs, they need to continue learning and working. They’ve taken voice coaching and storytelling lessons to keep on the cutting edge of podcasting. Everyone has a story and the ability to share your own and help others share theirs is essential not only to impeccable podcasting but also being an empathetic and engaged human. In threat intelligence and user awareness training along with other technical skills storytelling is integral to meeting people where they’re at.



As the episode ends, Allan asks Ron and Chris about the future for them and their podcast.



Key Ideas:


:22 - Chris and Ron are introduced.

4:46 - How the podcast influences their day jobs and vice versa.

12:08 - Allan asks Chris and Ron about infusing passion in their work.

16:39 - The importance of storytelling in podcasting.

24:00 - What does the future look for Ron, Chris, and the podcast?



Links:

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Follow Chris Cochran on <a href='https://www.linkedin.com/in/chriscochrancyber/'>LinkedIn</a> and <a href='https://twitter.com/chriscochrcyber'>Twitter</a>

Follow Ron Eddings on <a href='https://www.linkedin.com/in/ronaldeddings/'>LinkedIn</a> and <a href='https://twitter.com/ronaldeddings'>Twitter</a>

Support Hacker Valley Studio on <a href='https://www.patreon.com/hackervalleystudio'>Patreon</a>.


Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Ron Eddings and Chris Cochran from Hacker Valley Studio. The episode begins with Ron and Chris sharing how they came to cyber security and the roles they’ve held in the space.

...

Storytelling in InfoSec w/ Chris Cochran & Ron Eddings of Hacker Valley

Allan Alford interviews Anne Marie Zettlemoyer about the topic of vulnerability management. Anne Marie is a visiting fellow with the National Security Institute at George Mason University, and one of the all-around sharpest minds Allan knows in information security!



Anne Marie is deeply entrenched in the world of information security, and she loves her work. She began her career in accounting and finance, but by serendipity was introduced to security through a position updating a company’s payment system. From there, she was recruited into the Secret Service, where she developed a passion for the information security field - a field she hasn’t left since! Anne Marie is driven by the energy and nobility of her profession, and she values work as a protector and defender. At the same time, she feels a high level of responsibility to her company and her customers to navigate information security well.



The baseline for security work, Anne Marie says, is the fundamentals. The first line of a security officer’s responsibility is to maintain this sort of system hygiene; this is why Anne Marie is passionate about vulnerability management. In a changing threat landscape, vulnerability management is a basic necessity to keep products and clients safe. Of course, this does not make vulnerability management an easy task.



Practitioners of vulnerability management must also attend to a variety of factors, from issues of regulation and compliance, to CVSS scores and tooling for contextualization, to determining the way in which vulnerability management should be situated within their broader security program (often as a key driver). Within the world of information security, vulnerability management is one of many complex pieces to juggle together, and people like Anne Marie stand at the center of the balancing act. Anne Marie leaves listeners with an idea of how best to approach information security today, but she also leaves them with the prospect of exciting changes on the horizon in the areas of data governance and bridging the gap between speed and security.



Key Takeaways


0:17 - Listeners are introduced to Allan Alford and his guest, Anne Marie Zettlemoyer.

1:12 - Allan asks Anne Marie to walk through her day job.

1:56 - Why is vulnerability management important to Anne Marie?

4:13 - Allan shifts to the subject of motivating people to fix vulnerabilities.

6:26 - Anne Marie’s broad experience gives her a unique experience.

8:41 - Remediations must be obtainable.

10:27 - Overall, fundamentals, partnership, and understanding are needed.

11:27 - Allan and Anne Marie turn to metrics, tooling, and context.

14:38 - Within the security program, where does vulnerability management fit?

18:00 - How did Anne Marie get into vulnerability management?

20:15 - Her job and its responsibilities require certain things.

20:56 - What keeps Anne Marie in the game?

22:20 - What is she looking forward to in the field?



Learn more about Anne Marie Zettlemoyer and connect with her on <a href='https://twitter.com/SolvingCyber'>Twitter</a> and <a href='https://www.linkedin.com/in/anne-marie-zettlemoyer-a161913/'>LinkedIn</a>.

Learn more about Allan Alford and connect with him on <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a> and <a href='https://linkedin.com/in/allanalford'>LinkedIn</a>.

Learn more about <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>, part of the <a href='https://hackervalley.com/'>Hacker Valley Studio</a> family.

Learn more about podcast sponsor <a href='https://axonius.com/'>Axonius</a>.

Support Hacker Valley Studio on <a href='https://www.patreon.com/hackervalleystudio'>Patreon</a>.

Follow Hacker Valley Studio on <a href='https://twitter.com/TheHackerValley'>Twitter</a>.

Allan Alford interviews Anne Marie Zettlemoyer about the topic of vulnerability management.  Anne Marie is a visiting fellow with the National Security Institute at George Mason University, and one of the all-around sharpest minds Allan knows in inform...

Vulnerability Management w/ Anne Marie Zettlemoyer

Behavioral Economics has altered our perceptions of what actually motivates human beings. How do these theories about our more primitive behaviors as well as our intellectual biases apply to information security? Allan Alford & Kelly Shortridge discuss in the context of infosec programs and events in a whirlwind of conversation. Sponsored by our friends at <a href='https://attackiq.com/'>AttackIQ</a>



Podcast: The Cyber Ranch Podcast
Episode 2: Behavioral Economics and InfoSec with Kelly Shortridge



On this episode of The Cyber Ranch Podcast, host Allan Alford is joined by Kelly Shortridge, VP of Product Management at Capsule8. Their conversation begins with Kelly introducing herself and her work. She works in products for a security vendor, and she’s done research into applying behavioral economics to security. Kelly says she grew up with a love of computers, but was mostly about building gaming rigs side of things. Her career in information security began in the investment banking industry, which led her to fall in love with security.



Next, Allan asks Kelly about her work in behavioral economics. Economics is the study of choice, behavioral economics looks at the way humans actually behave by conducting experiments and observing natural occurrences. Humans don’t always behave in the rational, textbook way, but Kelly explains that often their choices are rational when you factor in competing priorities. In information security, this shows up when folks find themselves reacting to threats that have the most attention, rather than those that are proven to be the most pressing. Information security is also affected by hindsight and outcome biases. Kelly explains how our brains try to trick us into blaming a single factor in a crisis, but that is not how the real world or cyber attacks work.



Now that behavioral economics has clued us in to the biases formed by what Kelly affectionately refers to as our “lizard brains,” Allan wonders if we should be optimistic about how we may think and prevent attacks in the future. Kelly isn’t so sure. She explains that changing some systems to be more compatible with our lizard brain has been effective, however knowing how we think doesn’t help people think differently. In InfoSec, there are opportunities to continue making the secure way the easiest way, and circumvent the lizard brain. Other industries have been designing systems and workloads based on the way people behave; Kelly says InfoSec is just behind the curve.



As the episode ends, Allan asks Kelly what keeps her still in InfoSec. Kelly says it is spite. There are still inefficiencies and an industry that pats itself on the back for doing little, that makes her spiteful she says. She wants to be an industry member that adds value to organizations and highlights the user.



Follow Kelly on Twitter as <a href='https://twitter.com/swagitda_'>@swagitda_</a> or on LinkedIn at <a href='https://www.linkedin.com/in/kellyshortridge/'>Kelly Shortridge</a>



Learn more about <a href='https://linkedin.com/in/allanalford'>Allan</a> and the Cyber Ranch Podcast at <a href='https://hackervalley.com/cyberranch'>Hacker Valley Studio</a>



Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

Behavioral Economics has altered our perceptions of what actually motivates human beings.  How do these theories about our more primitive behaviors as well as our intellectual biases apply to information security?  Allan Alford & Kelly Shortridge discu...

Behavioral Economics & InfoSec w/ Kelly Shortridge

A one minute introduction to the show and its format