In this episode Allan interviews his friend Sameer Sait, former CISO at Amazon, Forcepoint and Arrow Electronics, who joins Allan for a discussion about WHY we measure risk.



It is about more than just asking for money. (And who are you actually asking money from? Hint: It is not the Board).



How does risk measurement change in the beginning of the CISO’s journey vs. later when the program is more mature?



What is the goal of good risk metrics? What is the role of cyber insurance in all this? What about business traction and cooperation with other department’s goals and objectives?



And finally, how does measuring risk affect disposition or risk?



Key Takeaways:



01:20 Sammer's bio


02:30 Asking for money - it's not from the Board


05:58 Measuring risk: inside-out vs. outside-in


11:20 Approaching management with an objective, not a story


12:38 Working with your team, as a team


14:12 The effects of measuring risk


18:36Analyzing the priorities and their consequences


24:36 Good governance vs. good management


26:22 Transference, remediation, and acceptance


30:57 What surprise Sameer in cybersecurity?



Links:



Learn more about Sameer on <a href='https://www.linkedin.com/in/sameersait/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

In this episode Allan interviews his friend Sameer Sait, former CISO at Amazon, Forcepoint and Arrow Electronics, who joins Allan for a discussion about WHY we measure risk.

It is about more than just asking for money.  (And who are you actually asking ...

WHY We Measure Risk w/ Sameer Sait

Apple

Google

Spotify

Amazon

Ride the cyber trails with one CISO (Allan Alford) and a diverse group of friends and experts who bring a human perspective to cybersecurity.

“Having a seat at the table doesn’t mean getting your way all the time. It means having a seat and I think that is very important to understand.” - Brent Deterding 
In this episode, Allan is joined by the CISO at Afni, Brent Deterding, to explore how CISOs can earn and keep their seat at the executive table. Brent was a fan of the <a href='https://hackervalley.com/cyberranch/learned-helplessness-in-cybersecurity-w-steve-mancini/'>Learned Helplessness</a> episode of The Cyber Ranch Podcast with Steve Mancini, and furthered the conversation as it relates to the often espoused topic of CISOs needing a seat at “the table.” Brent discusses the power of shifting your mindset, how lack of confidence has created a cycle of self sabotaging, and ways we can collectively improve our current standing.
 
Sponsor Links: 
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a>
 
Guest Bio:
Brent is an Executive CISO whose mission is to enable Afni and its global workforce to support their customers securely and confidently. Prior to being a CISO, for over 20 years, he was a security practitioner with a security vendor specializing in threat detection, incident response, and security strategy. His efforts helped hundreds of organizations detect, respond to, and mitigate attacks.
 
Additional Links:
Stay in touch with Brent Deterding on <a href='https://www.linkedin.com/in/brent-deterding/'>LinkedIn</a>
Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a> 
Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a>
Listen to more from the<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

“Having a seat at the table doesn’t mean getting your way all the time. It means having a seat and I think that is very important to understand.” - Brent Deterding 
In this episode, Allan is joined by the CISO at Afni, Brent Deterding, to explore how CISOs can earn and keep their seat at the executive table. Brent was a fan of the <a href='https://hackervalley.com/cyberranch/learned-helplessness-in-cybersecurity-w-steve-mancini/'>Learned Helplessness</a> episode of The Cyber Ranch Podcast with Steve Mancini, and furthered the conversation as it relates to the often espoused topic of CISOs needing a seat at “the table.” Brent discusses the power of shifting your mindset, how lack of confidence has created a cycle of self sabotaging, and ways we can collectively improve our current standing.
 
Sponsor Links: 
Thank you to our sponsor Axonius for bringing this episode to life!
Life is complex. But it’s not about avoiding challenges or fearing failure. Just ask Simone Biles — the greatest gymnast of all time. Want to learn more about how Simone controls complexity? Watch her video at <a href='http://axonius.com/simone'>axonius.com/simone</a>
 
Guest Bio:
Brent is an Executive CISO whose mission is to enable Afni and its global workforce to support their customers securely and confidently. Prior to being a CISO, for over 20 years, he was a security practitioner with a security vendor specializing in threat detection, incident response, and security strategy. His efforts helped hundreds of organizations detect, respond to, and mitigate attacks.
 
Additional Links:
Stay in touch with Brent Deterding on <a href='https://www.linkedin.com/in/brent-deterding/'>LinkedIn</a>
Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a> 
Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a>
Listen to more from the<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

thecyberranchpodcast.podbean.com/773c19f2-2c91-3715-8e94-3d57bd20cc7d

“Having a seat at the table doesn’t mean getting your way all the time. It means having a seat and I think that is very important to understand.” - Brent Deterding 
In this episode, Allan is joined by the CISO at Afni, Brent Deterding, to explore how CIS...

Getting a Seat at “The Table” w/ Brent Deterding

“Knowing what’s in your software, in your organization, can help you quickly determine if you are impacted by a new vulnerability.” - Chris Castaldo 
In this episode, Allan is joined by author and CISO, Chris Castaldo, to share his knowledge on Software Bills of Materials (SBOMs) and their potential implications and use. Chris explains the concept and purpose of SBOMs, his tips for signing and securing SBOMs in terms of the CI/CD pipeline, and his thoughts on SBOMs being a roadmap for “bad guys.” Lastly, he shares advice on managing and understanding contracts. 
Listen to Chris Castado’s previous Cyber Ranch episode <a href='https://hackervalley.com/cyberranch/business-oriented-security-w-chris-castaldo/'>here</a> and be sure to grab a copy of his <a href='https://www.amazon.com/Start-Up-Secure-Cybersecurity-Company-Founding/dp/1119700736'>book</a>! 
 
Guest Bio:
Chris Castaldo is the author of “Start-up Secure: Baking Cybersecurity into your Company from Founding to Exit”. He is an experienced and industry recognized CISO with over 20 years of experience in cybersecurity. Chris is an expert in building cybersecurity programs from the ground up and specializes in applying cybersecurity in start-ups from seed to exit. He is also a Visiting Fellow at the National Security Institute (NSI) at George Mason University's Antonin Scalia Law School.
 
Links:
Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a>
Stay in touch with Chris Castaldo on <a href='https://www.linkedin.com/in/chriscastaldo/'>LinkedIn</a>
Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a> 
Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a>
Listen to more from the<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

“Knowing what’s in your software, in your organization, can help you quickly determine if you are impacted by a new vulnerability.” - Chris Castaldo 
In this episode, Allan is joined by author and CISO, Chris Castaldo, to share his knowledge on Software Bills of Materials (SBOMs) and their potential implications and use. Chris explains the concept and purpose of SBOMs, his tips for signing and securing SBOMs in terms of the CI/CD pipeline, and his thoughts on SBOMs being a roadmap for “bad guys.” Lastly, he shares advice on managing and understanding contracts. 
Listen to Chris Castado’s previous Cyber Ranch episode <a href='https://hackervalley.com/cyberranch/business-oriented-security-w-chris-castaldo/'>here</a> and be sure to grab a copy of his <a href='https://www.amazon.com/Start-Up-Secure-Cybersecurity-Company-Founding/dp/1119700736'>book</a>! 
 
Guest Bio:
Chris Castaldo is the author of “Start-up Secure: Baking Cybersecurity into your Company from Founding to Exit”. He is an experienced and industry recognized CISO with over 20 years of experience in cybersecurity. Chris is an expert in building cybersecurity programs from the ground up and specializes in applying cybersecurity in start-ups from seed to exit. He is also a Visiting Fellow at the National Security Institute (NSI) at George Mason University's Antonin Scalia Law School.
 
Links:
Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a>
Stay in touch with Chris Castaldo on <a href='https://www.linkedin.com/in/chriscastaldo/'>LinkedIn</a>
Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a> 
Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a>
Listen to more from the<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

thecyberranchpodcast.podbean.com/3ac2d715-9f22-3a45-a52c-9a685ea72056

“Knowing what’s in your software, in your organization, can help you quickly determine if you are impacted by a new vulnerability.” - Chris Castaldo 
In this episode, Allan is joined by author and CISO, Chris Castaldo, to share his knowledge on Software ...

All About SBOMs w/ Chris Castaldo

What would you do if you could build your security program from scratch? 
In this episode, Allan is joined by the Head of Security at Fleet, Guillaume Ross, to talk about his time building out an innovative and out-of-the-box security program and the steps he took to make it all happen. Guillaume walks us through how he developed and maintained a serverless, container based environment, his tips for securing PCs and Macs within a serverless environment, and how to establish department and business buy-in and overall cooperation. Lastly, he details steps to ensure resilience in an ‘everything as code’ security model. 
Some of what he builds might seem obvious – other parts will genuinely surprise you! 
 
Guest Bio:
Guillaume Ross is the Head of Security at Fleet Device Management. He likes securing organizations, clouds, products and more, by refusing to implement the same things that have been tried and failed thousands of times already.
 
Links:
Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a>
Stay in touch with Guillaume Ross on <a href='https://www.linkedin.com/in/guillaumeross/'>LinkedIn</a> and <a href='https://twitter.com/gepeto42'>Twitter</a>
Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a> 
Continue this conversation on our <a href='https://discord.com/invite/avaeNEprYG'>Discord</a>
Listen to more from the<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

thecyberranchpodcast.podbean.com/4f45ab9d-ffe2-3903-917e-66e842d301f5

What would you do if you could build your security program from scratch? 
In this episode, Allan is joined by the Head of Security at Fleet, Guillaume Ross, to talk about his time building out an innovative and out-of-the-box security program and the ste...

Total Greenfield Innovation w/ Guillaume Ross

What are the security implications of cryptocurrency and NFTs and what do we need to know in order to transact safely? In this episode, Allan is joined by the Chief Security Officer at Kraken, Nick Percoco, to talk about securing the cryptocurrency and NFT spaces. Allan and Nick reflect on the events of the Mt. Gox bitcoin breach of 2013, address some of the most common misconceptions about crypto assets, and explore the biggest security challenges users and retail investors face when navigating the space. Lastly, Nick considers what cybersecurity lessons can be drawn from the security practices within the cryptocurrency ecosystem.
 
Guest Bio:
Nicholas Percoco has more than 25 years of security & technology experience, and is the Chief Security Officer at Kraken - a global digital asset exchange - where he is responsible for Security, IT, Technical Project Management, Operational Resiliency and Engineering.
 
Links:
Stay in touch with Nick Percoco on <a href='https://www.linkedin.com/in/c7five/'>LinkedIn </a>
Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>
Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>
Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a>

thecyberranchpodcast.podbean.com/fcf339ab-9b26-3065-98a3-b78d7e56f30c

What are the security implications of cryptocurrency and NFTs and what do we need to know in order to transact safely? In this episode, Allan is joined by the Chief Security Officer at Kraken, Nick Percoco, to talk about securing the cryptocurrency and N...

Securing Cryptocurrency and NFTs w/ Nick Percoco

Allan is joined by the Vice President of Security at Code42, Tommy Todd, to talk about how the tech stack can “play well with others”. In this episode, Tommy takes a deep dive into exploring how APIs and automation can help solve our needs in cybersecurity – from incident response to the tech stack. The two discuss how to evaluate security products during a Proof Of Concept (POC) for integration capabilities and tips on addressing ROI concerns.
 
Guest Bio:
Tommy Todd has over 20 years of cybersecurity experience, primarily focused on data privacy and data protection strategies. Prior to Code42, he served in security roles at Symantec, Ionic Security, and Optiv as well as many other firms. Throughout his career, he has acted as a leader, mentor, engineer, architect, and consultant to solve difficult data protection challenges. 
 
Links:
Stay in touch with Tommy Todd on <a href='https://www.linkedin.com/in/tommy-todd/'>LinkedIn </a>
Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>
Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>
Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a>

thecyberranchpodcast.podbean.com/1af359b3-b2d7-34ca-a0b4-a5c097838f74

Allan is joined by the Vice President of Security at Code42, Tommy Todd, to talk about how the tech stack can “play well with others”. In this episode, Tommy takes a deep dive into exploring how APIs and automation can help solve our needs in cybersecuri...

”Playing Well With Others” - The Tech Stack w/ Tommy Todd

Allan is joined by the founder and CEO of Living Security, Ashley Rose, to speak about her experiences as a female entrepreneur and leader in a male dominated industry. She details the story behind her non-traditional route into cybersecurity and how she leverages her unique skills and vision to disrupt and transform the community. Ashley shares how she overcomes bias and business challenges in the field as well as the inspiration behind her creative marketing strategies. Lastly, the two highlight the lack of diversity and representation in the space and give advice to young entrepreneurs and females in, and breaking into, cybersecurity. 
 
Guest Bio:
As the CEO of Living Security, Ashley has been the driving force behind the company’s rapid growth. Since its founding in 2017, Living Security has raised more than $20 million for growth and product development and accelerated revenue growth for three consecutive years. Ashley is also continually working to build a diverse and inclusive organization around the belief that the team should reflect the community at large.
 
Links:
Stay in touch with Ashley Rose on <a href='https://www.linkedin.com/in/ashley-m-rose/'>LinkedIn </a>
Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>
Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>
Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a>

thecyberranchpodcast.podbean.com/50021aa0-04b9-338f-b001-2fd1190c7453

Allan is joined by the founder and CEO of Living Security, Ashley Rose, to speak about her experiences as a female entrepreneur and leader in a male dominated industry. She details the story behind her non-traditional route into cybersecurity and how she...

Thriving In A Male Dominated Industry w/ Ashley Rose

This episode of the Cyber Ranch Podcast was recorded LIVE on stage at the CISO 360 Conference in New York City, hosted by Pulse Conferences. Nick Vigier, a seasoned CISO and former CIO, joins Allan in addressing the elephant in the room: Why don’t CISOs and CIOs don’t get along?
Nick draws on his experience in both positions to share his unique perspective on the CISO and CIO relationship. In this episode, Allan and Nick highlight the operating differences between the two positions and explore the opposing interests that exist around topics such as budgets and reporting structure. Lastly, Nick shares why engaging in empathetic conversations around metrics, business impact, and risk management is the ultimate key to a more harmonious relationship.
 
Guest Bio:
Nick is a technology and security leader focused on innovation to drive business results. In his 18 years of security leadership, he has focused on building high performance teams to ensure security is a business driver rather than a cost center. His focus on all areas of security ranging from physical security to risk management through to application security, infrastructure security, and operations gives him a unique perspective on how security can positively impact an organization. 
 
Links 
Stay in touch with Nick Vigier on <a href='https://www.linkedin.com/in/nickvigier/'>LinkedIn </a>
Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>
Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>
Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a>

thecyberranchpodcast.podbean.com/199e62d4-67d2-39ad-98fd-84d45051a988

This episode of the Cyber Ranch Podcast was recorded LIVE on stage at the CISO 360 Conference in New York City, hosted by Pulse Conferences. Nick Vigier, a seasoned CISO and former CIO, joins Allan in addressing the elephant in the room: Why don’t CISOs ...

Why CISOs and CIOs Don’t Get Along w/ Nick Vigier

This topic couldn’t be more relevant given recent events in the security community. Allan Alford is joined by Steve Mancini, CISO at Eclypsium, to have a refreshing conversation about the negative messaging, thinking, and tropes in cybersecurity - not just the stuff that the press says about us, or even the stuff we say about each other - but the self-defeating stuff we think and say to ourselves.
Steve addresses the reinforcement of negative catchphrases and how it affects the psyche of the community and explores how burnout is creating a culture of sleepless nights and masochistic badges of honor. Lastly, they emphasize the importance of empathy and support within the community and remind us that humans are our greatest asset, not our weakest links.


Guest Bio:
Steve Mancini is the CISO at Eclypsium, former Deputy CISO at Cylance, and an advisory board member for several cyber companies.


Links:
Stay in touch with Steve Mancini on <a href='https://www.linkedin.com/in/sharkey/'>LinkedIn </a>
Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>
Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>
Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a>

thecyberranchpodcast.podbean.com/b9492a0d-7372-3e57-a352-333e8b979f70

This topic couldn’t be more relevant given recent events in the security community. Allan Alford is joined by Steve Mancini, CISO at Eclypsium, to have a refreshing conversation about the negative messaging, thinking, and tropes in cybersecurity - not ju...

Learned Helplessness in Cybersecurity w/ Steve Mancini

There are numerous personality tests available to help identify personality traits, but many of them have very little scientific validity or reliability.  Such tests often aspire to explain what you are good at and what you are bad at, and miss the mark. In this episode, Allan is joined by his friend and owner of Rising Tide Security, Nick Vigier, to explore CliftonStrengths – a personality measurement that focuses less on ability, and more upon your predilections - what energizes you, and what and drains you - and with a pretty good degree of scientific validity and reliability. Nick and Allan explore what makes CliftonStrengths different from the other personality assessments and how Nick leverages that information to better understand his team and colleagues, and to help folks find the right role in cybersecurity. The two sit down to dissect Allan’s own assessment results to identify his top 5 energizers, as well as his top energy drainers. And lastly, Nick shares why he favors the idea of personality development plans vs professional development plans in the workplace. 
 
Guest Bio:
Nick Vigier is the Owner of Rising Tide Security and former CISO at ID.me, DigitalOcean, and former CIO at Gemini. Nick is a technology and security leader focused on innovation to drive business results. In his 18 years of security leadership, he has focused on building high performance teams to ensure security is a business driver rather than a cost center. His focus on all areas of security ranging from physical security to risk management through to application security, infrastructure security, and operations gives him a unique perspective on how security can positively impact an organization. 
 
Links:
Stay in touch with Nick Vigier on <a href='https://www.linkedin.com/in/paolasaibene/'>LinkedIn </a>and <a href='https://twitter.com/CISO_Nick'>Twitter</a>. Take the CliftonStrengths assessment <a href='https://www.gallup.com/cliftonstrengths/en/home.aspx?utm_source=google&utm_medium=cpc&utm_campaign=us_strengths_branded_cs_ecom&utm_term=cliftonstrengths&gclid=Cj0KCQjw5-WRBhCKARIsAAId9FnZDII_9TDf3ZyERu5TSrFQzXn5ceXDJrmFn4oqIDlEdEcn78mKkWkaAt2gEALw_wcB'>here</a>
Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>
Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>
Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a>

thecyberranchpodcast.podbean.com/f7e33ef7-366f-3659-8469-be065ab3145d

There are numerous personality tests available to help identify personality traits, but many of them have very little scientific validity or reliability.  Such tests often aspire to explain what you are good at and what you are bad at, and miss the mark....

Leveraging Employee Strengths for Cyber Roles w/ Nick Vigier

In the episode, Allan is joined by the Principal at Teknion Data Solutions, Paola Saibene, to bring clarity to an often misunderstood topic: data governance. Paola helps to distinguish the difference between data governance and data management, examines the intersection between data ethics and cybersecurity, and explores the best methodology for applying risk frameworks. Lastly, she takes time to express the importance of being people focused and “humanizing” cybersecurity.

 

Guest Bio:

Paola Saibene is the Principal at Teknion Data Solutions, Former CISO, CEO, VP of Enterprise Risk Management, Data Privacy Officer, Strategy Officer, CTO, and CIO.  



Links:

Stay in touch with Paola Saibene on <a href='https://www.linkedin.com/in/paolasaibene/'>LinkedIn </a> 

Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>

Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a>

thecyberranchpodcast.podbean.com/bd09f984-bbe6-3e0a-ac3d-678023a285bc

In the episode, Allan is joined by the Principal at Teknion Data Solutions, Paola Saibene, to bring clarity to an often misunderstood topic: data governance. Paola helps to distinguish the difference between data governance and data management, examines ...

A Full Data Approach w/ Paola Saibene

With a looming skills/people gap in cybersecurity and retention at an all time low, it begs the question: Where is everyone? In this episode, Allan Alford and guest Jessie Bolton sit down to discuss the elusive “Great Resignation” and how it is affecting the cybersecurity community. Tune in to get the answers to the questions we are all asking ourselves, like: why are people resigning, how has the pandemic shifted our perspectives on work and boundary setting, how is the “great resignation” impacting security organizations, and how can we attempt to solve this issue?

 

Links:

Follow Jessie Bolton on <a href='https://www.linkedin.com/in/cyberworkforcepartner/'>LinkedIn</a>

Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>

Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a>

thecyberranchpodcast.podbean.com/38e89125-5743-3dd8-ae3c-08233d477def

With a looming skills/people gap in cybersecurity and retention at an all time low, it begs the question: Where is everyone? In this episode, Allan Alford and guest Jessie Bolton sit down to discuss the elusive “Great Resignation” and how it is affecting...

The Great Resignation & Cybersecurity w/ Jessie Bolton

In this episode, Allan is joined by the President at National Security Corporation, Navy veteran, and host of the CISO Tradecraft podcast, G. Mark Hardy. This show takes a fascinating dive into the origins of data risk management, measurement, and quantification. G Mark explores the stories and advice given from some of the greatest leaders in this space – whose advice still rings true today. 

 

Key Takeaways:

01:52  G Mark’s bio

06:43  FIPS-65 - the “grandaddy” of risk management

11:34  The ALE method, explained!

14:35  Oldies, but STILL goodies 

18:12  A stroll down risk management memory lane

28:56  Revering “the greats”

37:22  What do you value and what’s your currency? 

 

Links:

Stay in touch with G. Mark Hardy on <a href='https://www.linkedin.com/in/gmarkhardy/'>LinkedIn </a> 

Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>

Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.axonius.com/'> Axonius</a>

thecyberranchpodcast.podbean.com/5eb1d7b9-79c3-3d44-9918-47539ddfa204

In this episode, Allan is joined by the President at National Security Corporation, Navy veteran, and host of the CISO Tradecraft podcast, G. Mark Hardy. This show takes a fascinating dive into the origins of data risk management, measurement, and quanti...

How Old is Data Risk Management? w/ G. Mark Hardy

In this episode of The Cyber Ranch Podcast, Allan is joined by the CISO at Real Time Resolutions, Randy Potts. The two sit down to have a refreshing and raw conversation about the caretaking, responsibility, and code of ethics for CISOs - or lack thereof, and how to get back in touch with our “why” and mission. 

 

Disclaimer: This episode briefly mentions pornography and gambling within an important and relevant context, and has therefore been categorized as explicit. 

 

Key Takeaways:

01:43  Randy’s bio

03:08  Caring for “the people”

09:08  Stewards and custodians of data

14:10  Servant leadership

16:57  CISOs as caretakers

18:53  Doing the right thing

21:18  CISO code of conduct - or lack thereof

24:55  How do we fix this? 

29:06  It’s nice to be nice

 

Links:

Stay in touch with Randy Potts on <a href='https://www.linkedin.com/in/randolphp/'>LinkedIn </a> 

Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>

Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

Sponsored by our good friends at<a href='https://www.axonius.com/'> Axonis</a>

In this episode of The Cyber Ranch Podcast, Allan is joined by the CISO at Real Time Resolutions, Randy Potts. The two sit down to have a refreshing and raw conversation about the caretaking, responsibility, and code of ethics for CISOs - or lack thereof, and how to get back in touch with our “why” and mission. 

 

Disclaimer: This episode briefly mentions pornography and gambling within an important and relevant context, and has therefore been categorized as explicit. 

 

Key Takeaways:

01:43  Randy’s bio

03:08  Caring for “the people”

09:08  Stewards and custodians of data

14:10  Servant leadership

16:57  CISOs as caretakers

18:53  Doing the right thing

21:18  CISO code of conduct - or lack thereof

24:55  How do we fix this? 

29:06  It’s nice to be nice

 

Links:

Stay in touch with Randy Potts on <a href='https://www.linkedin.com/in/randolphp/'>LinkedIn </a> 

Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>

Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

Sponsored by our good friends at<a href='https://www.axonius.com/'> Axonis</a>

thecyberranchpodcast.podbean.com/29eeeb09-a164-3246-9efb-d1b23eb3ef12

In this episode of The Cyber Ranch Podcast, Allan is joined by the CISO at Real Time Resolutions, Randy Potts. The two sit down to have a refreshing and raw conversation about the caretaking, responsibility, and code of ethics for CISOs - or lack thereof...

CISOs as Caretakers w/ Randy Potts

In this episode, Allan is joined by David Belanger, CISO at Maxor National Pharmacy, to talk about the challenges of breaking into cybersecurity. David discusses the importance of establishing mentor/mentee relationships in the community, why building a personal brand and expanding your network is a must when finding work, and tips for newcomers looking to break into the field. Lastly, the two touch on the power of visualization and staying humble throughout your career journey.

 

Key Takeaways: 

01:27  Bio & CISO life

02:57  Let’s define Mentor/Mentee

04:21  What makes cybersecurity mentorship unique?

07:10  Developing a long & short-term strategy 

13:16  Mentors are essential

18:05  Formal vs. organic mentorships

22:10  Get out of your comfort zone

25:55  Advice for newcomers

30:15  Visualizing your success

32:00  Staying humble

 

Links: 

Stay in touch with David Belanger on <a href='https://www.linkedin.com/in/dbelanger1/'>LinkedIn </a> 

Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>

Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

Sponsored by our good friends at<a href='https://www.axonius.com/'> Axonius</a>

thecyberranchpodcast.podbean.com/b93ea66b-8c4a-3397-9fb1-befbc6e250da

In this episode, Allan is joined by David Belanger, CISO at Maxor National Pharmacy, to talk about the challenges of breaking into cybersecurity. David discusses the importance of establishing mentor/mentee relationships in the community, why building a ...

Cyber Mentoring w/ David Belanger

In this episode, Allan invites Mark Butler, an Advisory CISO at TRACE3, to talk about tech stack rationalization and how to get the most out of your technology investment. Mark shares advice on everything from how to properly analyze, identify, and consolidate your tools, both in the stack and cloud environment, to coaching your application specialists on embracing change. 

 

Key Takeaways

01:10  Bio

02:36  What is tech stack rationalization?

03:46  Where to get started

06:20  Evaluation - a 3 prong approach

08:08  The security architecture alignment

10:51  What about contractual obligations?

13:18  The “best of breed” strategy 

17:37  Rationalizing the cloud 

21:00  Data analysis - tooling, extraction, metrics

25:24  The 3rd party tool conundrum 

27:50  The future of cloud rationalization 

29:40  How to resolve tech overlap?

32:19  Embracing change

34:37  Mark’s advice on emotional intelligence

 

 

Stay in touch with Mark Butler on <a href='https://www.linkedin.com/in/markabutler/'>LinkedIn</a>  

Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>

Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a>

thecyberranchpodcast.podbean.com/b1f801c3-7c4b-364d-894b-145b078d9932

In this episode, Allan invites Mark Butler, an Advisory CISO at TRACE3, to talk about tech stack rationalization and how to get the most out of your technology investment. Mark shares advice on everything from how to properly analyze, identify, and conso...

Rationalizing the Tech Stack w/ Mark Butler

In this episode, Allan is joined LIVE on stage at FutureCon Dallas 2022 by U.S Bank Senior Cloud Penetration Tester, co-author of The Pen Tester Blueprint, podcast host, and college instructor, Phillip Wiley. Phillip journeys into his past to share how he went from pro wrestler to pentester, gives writing advice to future authors in the field, explores the art of pentesting, and the best starter certifications for pentesters. Lastly, Phillip explores the best advice he’s ever received and the dangers of burnout. 

 

Key takeaways: 

01:27  Phillip's origin story - wrestling men and bears

03:04  The Pwn School Project

04:47  The Hacker Factory Podcast

06:55  Always a way to cyber

10:18  An opportunity to write

14:08  The Art of Pentesting

17:19  Getting square on terminology

24:42  The limitless child

27:25  The skinny on certs

30:23  Mentors

35:06  Back in the pentesting lab

37:14  When does threat modeling factor?

43:50  Coloring in purple

 

Follow Phillip Wiley on<a href='https://www.linkedin.com/in/phillipwylie/'> LinkedIn</a> and<a href='https://twitter.com/PhillipWylie'> Twitter</a>

Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>

Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a>

In this episode, Allan is joined LIVE on stage at FutureCon Dallas 2022 by U.S Bank Senior Cloud Penetration Tester, co-author of The Pen Tester Blueprint, podcast host, and college instructor, Phillip Wiley. Phillip journeys into his past to share how he went from pro wrestler to pentester, gives writing advice to future authors in the field, explores the art of pentesting, and the best starter certifications for pentesters. Lastly, Phillip explores the best advice he’s ever received and the dangers of burnout. 

 

Key takeaways: 

01:27  Phillip's origin story - wrestling men and bears

03:04  The Pwn School Project

04:47  The Hacker Factory Podcast

06:55  Always a way to cyber

10:18  An opportunity to write

14:08  The Art of Pentesting

17:19  Getting square on terminology

24:42  The limitless child

27:25  The skinny on certs

30:23  Mentors

35:06  Back in the pentesting lab

37:14  When does threat modeling factor?

43:50  Coloring in purple

 

Follow Phillip Wiley on<a href='https://www.linkedin.com/in/phillipwylie/'> LinkedIn</a> and<a href='https://twitter.com/PhillipWylie'> Twitter</a>

Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>

Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a>

thecyberranchpodcast.podbean.com/a283875d-07bc-38e3-ba16-dfdc364f9b93

In this episode, Allan is joined LIVE on stage at FutureCon Dallas 2022 by U.S Bank Senior Cloud Penetration Tester, co-author of The Pen Tester Blueprint, podcast host, and college instructor, Phillip Wiley. Phillip journeys into his past to share how h...

Penetration Testing Programs LIVE w/ Phillip Wiley

Allan is joined by Yaron Levi, CISO at Dolby, to talk about the SOC and why we are going about it all wrong. Allan and Yaron identify and examine the three main areas of concern: the data, the analyst, the analysis – and how to improve upon them. Lastly, Yaron shares his thoughts on what steps and approaches need to be taken in order to successfully accomplish the SOC’s goal.  

 

Key Takeaways:

01:35  Bio

02:36  What are we doing wrong in the SOC?

06:54  Hypothesizing

11:22  How much gets left out when we make a hypothesis?

13:42  Anti-fragility & business outcomes

16:30  Business objective + threat model example

21:09  Lead with the why/ downstream applications

27:06  What outside influence has helped you inside cyber?

 

Learn more about Yaron on <a href='https://twitter.com/0xL3v1'>Twitter</a> and  <a href='https://www.linkedin.com/in/yaronrl/'>LinkedIn</a>

Follow<a href='https://allanalford.com/'> Allan Alford</a> on<a href='https://linkedin.com/in/allanalford'> LinkedIn</a> and<a href='https://twitter.com/AllanAlfordinTX'> Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the<a href='https://store.hackervalley.com/'> Hacker Valley Store</a>

Learn more about<a href='https://hackervalley.com/'> Hacker Valley Studio</a> and<a href='https://hackervalley.com/cyberranch'> The Cyber Ranch Podcast</a>

Sponsored by our good friends at<a href='https://www.axonius.com/'> Axonius </a>

thecyberranchpodcast.podbean.com/35b7fa74-5f1d-3210-9ff6-0b5bad2185bf

Allan is joined by Yaron Levi, CISO at Dolby, to talk about the SOC and why we are going about it all wrong. Allan and Yaron identify and examine the three main areas of concern: the data, the analyst, the analysis – and how to improve upon them. Lastly,...

What We’re Doing Wrong in the SOC w/ Yaron Levi

Allan is joined by Rafal Los, industry innovator, strategist, and personality. His career spans 20+ years while working inside companies from the Fortune 10 to a firm of less than 10. Additionally, Rafal is a founder and host of the Down the Security Rabbithole Podcast - an industry podcast delivering a weekly take on cybersecurity since 2011. Join Allan and Rafal as they discuss cyber security centers of excellence, metrics, marketing and acceptance in this conversation between two friends.

 

Key Takeaways:

01:56 Bio

04:27 Goals for Cybersecurity Center of Excellence (CoE)

06:44 How do you birth a Cybersecurity CoE?

09:45 Selling your service

15:18 Cost - who pays in the end and how?

17:10 Getting management on board

24:22 It’s not all about cost – but it is.

26:37 Metrics

31:05 Quality metrics

34:33 Your mess for less

38:02 What is something outside cyber that helps on the inside?

 

Links:

Follow <a href='https://allanalford.com/'>Allan</a> on <a href='https://www.linkedin.com/in/allanalford/'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Follow Rafal Los on <a href='https://www.linkedin.com/in/rmlos/'>LinkedIn</a> and <a href='https://twitter.com/Wh1t3Rabbit?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor'>Twitter</a>

Check out his <a href='http://podcast.wh1t3rabbit.net/'>podcast</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

thecyberranchpodcast.podbean.com/e44bce5f-2d2b-3df2-bfa9-7f2066fdf57f

Allan is joined by Rafal Los, industry innovator, strategist, and personality. His career spans 20+ years while working inside companies from the Fortune 10 to a firm of less than 10. Additionally, Rafal is a founder and host of the Down the Security Rab...

Cybersecurity Centers of Excellence w/ Rafal Los

Join Allan as he discusses investing in cybersecurity startups with the perfect guest for the subject: Kathy Wang, CISO at Very Good Security, investor at Silicon Valley CISO Investments, investor at Firebolt Ventures, and former founder as well!

Allan and Kathy talk about investment goals, the process from start to finish, how to get started, the buy-in costs, returns, what to expect, partnering, etc.

Join them as they dive into this fascinating topic:

DISCLAIMER: NOBODY ON THIS SHOW IS A FINANCIAL ADVISOR OR PLANNER, AND NOTHING SAID ON THIS SHOW CONSTITUTES FINANCIAL ADVICE. OPINIONS EXPRESSED ON THIS SHOW ARE JUST THAT – OPINIONS – AND YOU SHOULD NOT USE THEM TO CONDUCT YOUR FINANCIAL AFFAIRS. CONSULT A LICENSED EXPERT INSTEAD OF US!

 

Key Takeaways:

02:14 Bio

02:54 Getting into cyber security investing

05:28 Spotting good investments

09:13 What’s the process?

15:15 Ranging investments | partnerships

22:35 29 no's and 1 yes – is that reality?

26:20 Seeking investment? Start here.

29:31 Be willing to work with other people

30:57 What is something from outside of infosec that helped you in infosec?

 

Links:

Follow Kathy Wang on <a href='https://www.linkedin.com/in/kathywang/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a>

thecyberranchpodcast.podbean.com/e7943b6e-91d1-36c1-bcae-ad4c4934a31a

Join Allan as he discusses investing in cybersecurity startups with the perfect guest for the subject: Kathy Wang, CISO at Very Good Security, investor at Silicon Valley CISO Investments, investor at Firebolt Ventures, and former founder as well!
Allan a...

Investing in Cybersecurity Startups w/ Kathy Wang

In this special episode, Allan invites a few familiar voices back to the show, conducts a countdown of his Top 5 most popular shows, and reviews some of the most common guest responses. Lastly, Allan issues some important thank you's and shares a few comments and feedback from the listeners.

 

Highlights:

Top 3 guest answers to "What keeps you going in cybersecurity?"

Top 3 guest answers to "What surprises you the most in cybersecurity?"

Top 5 shows by download

 

Visits from:

Tim Rohrbaugh, CISO - Jet Blue

Chris Cochran & Ron Eddings - Hacker Valley Media

Drew Brown, who has held many security leadership roles and who is an avid user of the FAIR methodology of risk measurement

Richard Seiersen, former CISO, famed champion of measuring risk, and author of "The Metrics Manifesto: Confronting Security with Data"

Accidental CISO of Twitter fame

 

THANK YOU to all of our listeners, Hacker Valley Media, our fantastic guests, and to everyone who helped get us to 50 shows!!!

 

Links:

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.axonius.com/'>Axonius</a>

thecyberranchpodcast.podbean.com/8f1ca171-0553-38ec-93ee-f6ffe06660ef

In this special episode, Allan invites a few familiar voices back to the show, conducts a countdown of his Top 5 most popular shows, and reviews some of the most common guest responses. Lastly, Allan issues some important thank you's and shares a few com...

50th Episode Special w/ Many Guests

Allan hosts a live podcast at the August, 2021 CISO XC event in the Dallas-Forth Worth area. He is joined by Chris Roberts, chief geek at Hillbilly Hit Squad, and Cecil Pineda, then head of the vICSO and GRC programs at Critical Start. The topic is Minimum Viable security, tactical frameworks, the challenges with large frameworks, and the challenges of competing frameworks.

This show was recorded after happy hour and the audience and participants both imbibed.  It's a rowdy show and features some explicit content.

 

Key Takeaways:

0:00 Allan’s holiday greeting

0:39 Allan introduces the live show, guests and issues a disclaimer about naughty language

2:02 Chris Roberts on Minimum Viable Security

2:42 Cecil on his love/hate relationship with compliance and the need for weighting controls

4:25 Allan proposes “tactical frameworks”

5:38 Chris challenges the crowd on their asset management successes

7:43 Allan introduces “See it, manage it, secure it.” (Which he flagrantly stole from Steve Williams @ NTT DATA Services)

8:53 Cecil says: data discovery comes before DLP

10:17 Chris challenges Allan’s idea that MFA should “just happen” in order to capture at least 90% of ransomware threats

12:07 Cecil proposes a compromise – 30% of controls meet a higher CMMI requirement than the 70%

13:48 Chris says even the 30% are not even being met in most environments

14:56 Allan’s full proposal on a tactical framework (that includes Chris’ emphasis on asset management)

16:07 Chris states that we have to agree on the subset frameworks in order to achieve success.  Diverse frameworks actually harm the industry.

17:56 Chris challenges the crowd to hire interns and those new to the industry

20:02 Allan misattributes the total control count in NIST CSF.  We mentioned whiskey, right?

21:35 Barring regulated environments, Allan doubles down on his tactical framework idea

22:13 Chris says we must challenge the authors of all these frameworks

22:50 Allan points out that frameworks are implicitly behind the fast pace of the industry after going through committee

23:53 Chris criticizes the notion that compliance = security

24:57 Insurance carriers insist now upon framework compliance and are getting smarter

26:53 Chris says full compliance with a framework even still is useful only as a point in time exercise

28:22 We have to simplify compliance

28:59 Allan proposes SBOM, CMMC-like maturity awareness, and the shared responsibility model as the solution to the compliance problem

30:57 Chris says that will take ten years to sort out

31:49 Chris says “take the money out of compliance”

35:37 Cecil talks about self-attestation and standards that are needed on auditing processes

 36:41 Allan says frameworks exist in the first place with the goal of getting secure

37:14 Chris disagrees and states (using naughty metaphors) that frameworks compete out of hubris

38:26 An audience member suggests “trust but verify” as the reason frameworks exist in the first place

41:24 Cecil deconstructs the practicality of shared responsibility, extending it into the business

43:28 Chris proposes working with insurance companies to create a consolidated or tactical framework

 

Links:

Chris Roberts - <a href='https://www.linkedin.com/in/sidragon1/'>LinkedIn</a>

Cecil Pineda - <a href='https://www.linkedin.com/in/ceciltheciso/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

 

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

thecyberranchpodcast.podbean.com/0f8c289d-c52a-3ddf-841b-516c714fea63

Allan hosts a live podcast at the August, 2021 CISO XC event in the Dallas-Forth Worth area. He is joined by Chris Roberts, chief geek at Hillbilly Hit Squad, and Cecil Pineda, then head of the vICSO and GRC programs at Critical Start. The topic is Minim...

Minimum Viable Security w/ Chris Roberts & Cecil Pineda: EXPLICIT CONTENT

In this episode, Allan is joined by Marnie Wilking, CISO at Wayfair. Marnie has directed Information Security and multi-discipline Risk Management Programs for more than 15 years --  providing a unique set of skills and experience to manage operational risks and improve risk management among diverse businesses. Join Allan and Marnie as they define organizational resilience, discuss its goals and enablers, and analyze the COVID pandemic through its lens.

 

Key Takeaways:

01:26  Bio

03:42  Organizational resilience

06:40  COVID benefits; business enabling?

09:47  Building hybrid work environments

11:11  Virtual offices and home fatigue

17:14  Bullets dodged in organizational resilience

20:51  Tabletop exercises

27:16  Office conflicts and mailing troubles

30:38  Communication in resilience

32:29  What surprises Marnie in cyber security?

 

Links:

Learn more about Marnie on <a href='https://www.linkedin.com/in/marnie-huss-wilking/'>LinkedIn</a> and <a href='https://www.crunchbase.com/person/marnie-wilking'>Crunchbase</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

thecyberranchpodcast.podbean.com/fc0f63d8-5f57-3d3c-a999-a378a7163c64

In this episode, Allan is joined by Marnie Wilking, CISO at Wayfair. Marnie has directed Information Security and multi-discipline Risk Management Programs for more than 15 years --  providing a unique set of skills and experience to manage operational r...

Organizational Resilience w/ Marnie Wilking

Welcome to another live show of the Cyber Ranch! Allan is joined by Dan Doggendorf, a creative cybersecurity leader with a passion for simplicity, efficiency, accountability, common sense, and honesty. The duo discusses the ins and outs of being a VCISO, how one walks the path and what the industry can do to make this role better. This show was conducted at the Cybersecurity Conference 9 (CSC 9) conducted by the North Texas Chapter of ISSA. All proceeds from the event went directly to scholarships for the Collin College cybersecurity program.

 

Key Takeaways:

 

01:47 - Bio

02:33 - vCISO life

04:18 - The path to an independent contractor

07:46 - Should you specialize?

10:46 - Strategizing experience in cyber security

14:26 - Challenges of being a CISO & vCISO

19:04 - Staying connected as a vCISO

23:17 - Victories as a vCISO                       

27:06 - The bad times and mistakes made as a vCISO

29:52 - What should change for vCISOs?

30:51 - Advice for future vCISOs

34:09 - What surprises Dan in cyber security?

 

Links:

Learn more about Dan on <a href='https://www.zintro.com/profile/dan-doggendorf'>Zintro</a> and <a href='https://www.linkedin.com/in/dandoggendorf'>LInkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

thecyberranchpodcast.podbean.com/4840d042-a512-3bc4-816e-808e0264a653

Welcome to another live show of the Cyber Ranch! Allan is joined by Dan Doggendorf, a creative cybersecurity leader with a passion for simplicity, efficiency, accountability, common sense, and honesty. The duo discusses the ins and outs of being a VCISO,...

The vCISO Life w/ Dan Doggendorf

This week, Allan is joined by Frederick Lee aka “Flee”, Chief Security Officer and Head of IT at Gusto, Jeff Man, host of Security & Compliance Weekly, and notorious infosec curmudgeon, and by Kat Valentine, Security and Compliance Weekly co-host.  A few weeks ago Allan appeared on their show to discuss “GRC: ‘What?’ and ‘So What?’.  In that episode, found <a href='https://securityweekly.com/shows/governance-risk-compliance-so-what-part-1-allan-alford-scw-94/'>here</a>, they take a deep dive into GRC in terms of understanding is purpose and value.

In this crossover episode, the group continues the conversation to talk about “GRC: ‘Now what?’ (The cultural impact and implementation, risk register, achieving actionable results and much more).

Join Allan and the Security & Compliance Weekly team as they dive into overcoming cultural barriers, a continued conversation on the order of priority (“RGC” vs. “GRC”, for example), and enlisting allies in the business.

 

Key Takeaways:

2:20 Implementing GRC culturally – Flee's take

4:13 Jeff’s take

6:16 Kat’s take

10:43 The CISO – Turning compliance data into actionable results – Jeff’s take as an assessor

13:56 Kat’s take as an assessor

15:41 Flee’s take as a CISO

21:13 Understanding perspectives from all parties

28:10 Sharing problems upstream/Audits vs. Assessments

34:48 Flee’s take on “governance vs. doctrine”

37:43 Risk register – training for self sufficiency

42:40 Get in touch!

 

Links:

Check out <a href='https://securityweekly.com/category-shows/security-and-compliance-weekly/'>Security and Compliance Weekly</a>!

Follow Flee on <a href='https://www.linkedin.com/in/fredrickdlee/'>LinkedIn</a> and <a href='https://twitter.com/fredrickl'>Twitter</a>

Follow Jeff Man on <a href='https://www.linkedin.com/in/jeffreyeman/'>LinkedIn</a> and <a href='https://twitter.com/mrjeffman'>Twitter</a>

Follow Kat Valentine on <a href='https://www.linkedin.com/in/kjvalentine/'>LinkedIn</a>

Follow Allan Alford on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/allanalfordintx'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

thecyberranchpodcast.podbean.com/2b2a7234-4f6c-39c2-8220-d93454bd4256

This week, Allan is joined by Frederick Lee aka “Flee”, Chief Security Officer and Head of IT at Gusto, Jeff Man, host of Security & Compliance Weekly, and notorious infosec curmudgeon, and by Kat Valentine, Security and Compliance Weekly co-host.  A few...

GRC: ”Now What?” w/ Security & Compliance Weekly

CISOs complain on social media about bad marketing – when they are targeted inappropriately, or with messages that don’t resonate, or with messages that outright lie. This week Allan Alford decides to hear from the other side, and invites his two favorite CMOs to the show. Julie O’Brien, CMO at AttackIQ, and Nathan Burke, CMO at Axonious, sit down with Allan to send a message to cyber security professionals about the vital role marketing plays in the industry, what is good marketing and bad marking, and how marketing affects all of our careers more than we know. Hear different perspective on topics like buzzwords, cold calls, and the difference between good and bad marketing practices. Backed up with proven experience, this episode is packed with useful info for all cyber practitioners and aspiring practitioners.

 

 Key Takeaways:

02:00 Julie Bio

03:13 Nathan Bio        

04:00 Standing out as a marketer

10:15 Emphasizing what you don’t do as a company, rather than what you do

15:56 A message to CISO’s - Julie

23:00 Nathan’s message to CISO’s

25:55 Allan touches on why innovation occurs on the vendor side

27:45 Buzzwords

33:50 What surprises Nathan and Julie in cyber security?

Links:

Learn more about Nathan on <a href='https://www.linkedin.com/in/nathanwburke/'>LinkedIn</a> and <a href='https://twitter.com/nathanwburke'>Twitter</a>

Check out Julie on <a href='https://www.linkedin.com/in/obrienjuliea/'>LinkedIn</a> and <a href='https://twitter.com/julieaobrien'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

thecyberranchpodcast.podbean.com/63902291-53bf-3154-a2a3-335fdcd9e867

CISOs complain on social media about bad marketing – when they are targeted inappropriately, or with messages that don’t resonate, or with messages that outright lie. This week Allan Alford decides to hear from the other side, and invites his two favorit...

The CMO‘s Perspective w/ Nathan Burke and Julie O‘Brien

Brian Castagna (CISO at Seven Bridges - a genomics company) is a CISO with a proven track record of successfully building information security programs at cloud technology companies. He is on a mission to humanize the new work environment - our own home. Join Allan and Brian as they touch on transitioning from an office environment, both mentally and physically, hiring remotely, work/life balance and much more.

 

Key Takeaways:

01:33 Bio

02:22 Remote work

03:00 Hiring a remote workforce

10:50 What’s the human side of working from home?

17:38 Transitioning from work to home

19:54 Mental transitioning

21:00 Collaboration & strategy

24:30 Layering the human back in

27:19 What surprises you in cyber?

 

Learn more about Brian on <a href='https://www.linkedin.com/in/brian-castagna-1890544/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

thecyberranchpodcast.podbean.com/05aed4d2-d8e6-3400-92b9-5c8f3c32b1c3

Brian Castagna (CISO at Seven Bridges - a genomics company) is a CISO with a proven track record of successfully building information security programs at cloud technology companies. He is on a mission to humanize the new work environment - our own home....

Practical Working (And Hiring!) from Home w/ Brian Castagna

This week, Allan is joined by some serious heavy hitters in cyber. Richard Struse (Director for the Center for Threat-Informed Defense at MITRE Engenuity), Jonathan Baker (Director of Research & Development, Center for Threat-Informed Defense at MITRE Enginuity), and Jonathan Reiber (Sr. Director for Cybersecurity Strategy and Policy @ AttackIQ). The four are here to have a conversation about CISA's new BOD that outlines 290 key vulnerabilities that require focus, the coincidental mapping of the CVE database to MITRE ATT&ACK, and the implications for all of us.  Of special note is the fact that ATT&CK is already mapped to NIST SP 800-53, meaning that we now have an opportunity to move bi-directionally from a threat-informed defense or to start with a framework and back into vulnerabilities. The implications for our industry are huge.

They also discuss briefly an overview of the bi-partisan work in both the Executive and Legislative branches to further cybersecurity interests and the release of CMMC v 2.0. This show is packed.

 

Key Takeaways:

01:58 Backgrounds

04:02 CISA – BOD 22-01, highlighting the key 290 known vulnerabilities

07:45 Helping organizations prioritize vulnerabilities

11:31 Starting with either framework or threats: Which is better?

14:18 Seeing through the politics - What is actually happening behind the scenes?

19:07 Developing the mapping

23:54 Since the invention of CVE

26:14 CMMC v 2.0

29:37 How do we change the game?

31:09 Getting a large organization to agree with vulnerability prioritization

 

Links:

Follow Richard Struse on <a href='https://www.linkedin.com/in/richard-struse/'>LinkedIn</a>

Keep up with Jon Baker on <a href='https://www.linkedin.com/in/jonathanobaker/'>LinkedIn</a>

Follow Jonathan Reiber on <a href='https://www.linkedin.com/in/jonathan-reiber-0141158/'>LinkedIn</a> & his <a href='https://www.jonathanreiber.com/'>website</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/show/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>Attack IQ</a>

thecyberranchpodcast.podbean.com/0b60e28f-c60c-38a0-85e7-3ca959527a1c

This week, Allan is joined by some serious heavy hitters in cyber. Richard Struse (Director for the Center for Threat-Informed Defense at MITRE Engenuity), Jonathan Baker (Director of Research & Development, Center for Threat-Informed Defense at MITRE En...

Threat-Informed Defense, CISA, CVEs and ATT&CK w/ MITRE Engenuity

Mustapha Kebbeh, CISO at Brinks and heavy-hitter in the Dallas/Fort Worth Cyber community, joins Allan again this week as they cover a topic Mustapha noted was absent so far in the series…  Namely, “What is a day in the life of a CISO?” Mustapha and Allan get into details of what they do and don’t do, what their teams do and don’t do, what bits are boring, what bits are surprising, and what bits are the most fun. Join them as they talk about real situations and practical solutions while describing the very best and worst parts of the job.

Key Takeaways:

01:41                     Bio

03:00                     A day in the life of a CISO - examples from the last 3 weeks

07:30                     Being a CISO in a company that knows its risk appetite

11:49                     Product Security

13:53                     The most surprising part about being a CISO

15:33                     The most boring part

22:30                     The most fun part

26:08                     What do you wish you could do as a CISO?

29:42                     Mustapha shares what surprises him the most in cyber security

 

Links:

Learn more about Mustapha on <a href='https://www.linkedin.com/in/mustaphakebbeh/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

thecyberranchpodcast.podbean.com/5330ece5-22c3-309a-b79e-3ea99b9562e9

Mustapha Kebbeh, CISO at Brinks and heavy-hitter in the Dallas/Fort Worth Cyber community, joins Allan again this week as they cover a topic Mustapha noted was absent so far in the series…  Namely, “What is a day in the life of a CISO?” Mustapha and Alla...

A Day in the Life of Two CISOs w/ Mustapha Kebbeh

Omar Khawaja is an experienced CISO with a strong technical background, who managed to find some very creative ways to manage his security program that go against his engineering instincts. Join Allan and Omar as they discuss why trust-based security is the more suitable option to have a fundamentally better security program and team.  Hear why Omar and Allan believe that investing in people will pay far more dividends than the latest tech tool.  And more importantly, gain some very practical and concrete tips for managing and measuring your security program.

 

Key Takeaways:

01:19                     Bio

03:26                     What is wrong with tech-centric security?

06:00                     Using tech tools as nothing more, and using them appropriately

12:22                     Trust, then risk, then control

14:30                     Customer first, always

19:02                     Helping foster a trust-centric culture

28:40                     Culture = mindset = best measurable quality

29:33                     What surprises Omar in cyber security?

32:50                     The “change agent network”

 

Links:

Learn more about Omar on <a href='https://twitter.com/smallersecurity'>Twitter</a> and <a href='https://www.linkedin.com/in/smallersecurity/'>LInkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

thecyberranchpodcast.podbean.com/3bfc38ce-1041-3638-b5d8-9e5c0fbe4ccb

Omar Khawaja is an experienced CISO with a strong technical background, who managed to find some very creative ways to manage his security program that go against his engineering instincts. Join Allan and Omar as they discuss why trust-based security is ...

Practical Trust-Centric Security w/ Omar Khawaja

Allan is joined this week by Emilio Escobar, CISO at Data Dog and former VP of Information Security at Hulu. He is also a long-term developer of Ettercap, a comprehensive suite for man-in-the-middle attacks.

Like many of us, Emilio started his journey in infosec as a hacker kid, exploring the world through modems and BBSs. Emilio is not a security vendor CISO, but is a CISO for a company that is in the supply chain for many other companies. He has to balance internal and external duties as a result.

Come listen as Allan and Emilio discuss the B2B CISO life, the skills required, business alignment, facing customers, and how all of these skills just might define "the modern CISO".

And, yes, they even tackle the age-old question, "How technical should a CISO be?"

 

Key Takeaways:

01:27 Bio

03:10 Security questionnaires and interactions

05:49 Is there a fix to solving vendor risk?

07:17 Utilizing machines for questionnaires

09:33 Leveraging skills

12:50 How technical should a CISO be?

18:01 Understanding other roles in the business

23:48 Balancing internal and external customers

28:17 What surprises you the most in cybersecurity?

 

Links:

Learn more about Emilio on <a href='https://www.linkedin.com/in/emilioesc/'>LinkedIn</a>, and <a href='https://twitter.com/eaescob'>Twitter</a>, and learn about <a href='https://www.ettercap-project.org/'>Ettercap</a>

Follow <a href='https://allanalford.com'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Allan is joined this week by Emilio Escobar, CISO at Data Dog and former VP of Information Security at Hulu. He is also a long-term developer of Ettercap, a comprehensive suite for man-in-the-middle attacks.
Like many of us, Emilio started his journey in...

CISO in the Supply Chain w/ Emilio Escobar

Allan is joined by Sounil Yu, one of cybersecurity's most well-known contributors. Sounil has a long history in cybersecurity, and is also the inventor of The Cyber Defense Matrix and the DIE Triad.

Sounil and Allan discuss cyber resilience and contrast it with "antifragility", a notion introduced by Nassim Nicholas Taleb. Sounil argues that in cybersecurity, antifragility should be the goal, and not resilience.

Antifragility allows for stronger data protection, as it does not just survive stresses and attacks, but actually encourages them. Sounil explains how antifragility also neatly dovetails with his DIE (Distributed, Immutable, Ephermeral) Triad of data protection, which he contrasts with the CIA (Confidentiality, Intregrity, Avaiability) Triad in the context of the "pets vs. cattle" model.

Join Allan as he learns a great deal in a short amount of time from Sounil...

 

Key Takeaways:

01:23 Bio

02:20 Cyber Defense Matrix

03:10 Is cyber resilience the wrong idea?

04:17 Backups do not equal resilience

05:58 What is antifragility?

09:31 The DIE Triad

14:32 Pets vs. Cattle

18:12 Practical implementation?

20:40 Focusing on recovery

24:28 The Barbell Strategy

27:58 What surprises you in cyber security?


Links:

Learn more about Sounil on <a href='https://www.linkedin.com/in/sounil/'>LinkedIn</a>, and <a href='https://twitter.com/sounilyu'>Twitter</a>, and learn about the <a href='https://cyberdefensematrix.com/'>Cyber Defense Matrix</a>

Follow <a href='https://allanalford.com'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>

Learn more about <a href='https://hackervalley.com'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Allan is joined by Sounil Yu, one of cybersecurity's most well-known contributors. Sounil has a long history in cybersecurity, and is also the inventor of The Cyber Defense Matrix and the DIE Triad.
Sounil and Allan discuss cyber resilience and contrast ...

Is Resilience Even the Goal? Antifragility w/ Sounil Yu

Allan's guest this week is Erik Bloch. Erik Bloch is a cyber security leader, influencer, and pioneer. He currently sits as Senior Director of Detection and Response at Sprinklr, but has held many rolls in cybersecurity, including being a product manager for SIEM products more than once. 

This last point is relevant, because it makes it even more surprising that Erik is convinced that the SOC's utility has passed... 

Join Allan and Erik as they dive deep into why he thinks SOC is failing, the alternatives, what it takes to make an impactful change in incident response, and who to aim it towards. 

This conversation began when Allan read Erik's article on LinkedIn, “RIP SOC. Hello D-IR". 

Key Takeaways: 

01:16 Bio 
02:18 Erik’s article: why is SOC failing? 
05:01 What is the alternative? 
07:29 Implementing fundamentals where it counts 
10:15 Cloud Integration 
17:45 Cloud agnostic tooling solution 
23:27 The inevitability of a one-stop solution 
27:20 Targeting the right audience 
28:17 What surprises Erik in cyber security? 
30:24 Letting go is not easy 

Links: 

Learn more about Erik on <a href='https://www.linkedin.com/in/erikbloch/'>LinkedIn</a>, and <a href='https://twitter.com/ejbloch'>Twitter</a>, and read his <a href='https://www.linkedin.com/pulse/rip-soc-hello-d-ir-erik-bloch/'>LinkedIn article</a>
Follow <a href='https://allanalford.com'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>
Purchase a Cyber Ranch Podcast T-Shirt at the <a href='https://store.hackervalley.com/'>Hacker Valley Store</a>
Learn more about <a href='https://hackervalley.com'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>
Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Allan's guest this week is Erik Bloch. Erik Bloch is a cyber security leader, influencer, and pioneer. He currently sits as Senior Director of Detection and Response at Sprinklr, but has held many rolls in cybersecurity, including being a product manager...

Is the SOC Dead? w/ Erik Bloch

Allan's guest is Samara Williams, Manager of Threat Operations at Cardinal Health, speaker, advocate and passionate member of the threat intelligence community.



Samara broke into cyber via a rotational program, sampling many cyber jobs at many cyber companies in a short order - a fantastic start in cyber that turbocharged her maturity and experience. She quickly developed a passion for threat intelligence, and has worked in that space ever since.



Join Samara and Allan for a deep dive into threat intel, its pros and cons, its value, and its potential...



Key Takeaways:



01:28 Bio


02:56 The love/hate relationship with threat intel: yay or nay?


06:07 The steps to threat intel – breaking it dow


15:14 How threat intel can help bridge tactical & operational Practices


19:57 Having a successful SOC program


22:18 Managing the unknown and practicing the fundamentals


26:17 Making a case for prioritizing threat intel


27:55 What surprises Samara in cyber security?



Links:



Learn more about Samara on <a href='https://www.linkedin.com/in/samara-r-williams-%F0%9F%94%B8%EF%B8%8F-9aa24247/'>LinkedIn</a>, and check out her <a href='https://www.ted.com/talks/samara_williams_k33p_y0ur_hit_s_fe'>TedX talk</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Allan's guest is Samara Williams, Manager of Threat Operations at Cardinal Health, speaker, advocate and passionate member of the threat intelligence community.

Samara broke into cyber via a rotational program, sampling many cyber jobs at many cyber com...

The Value of Threat Intelligence w/ Samara Williams

This week, Allan is joined by Bryan Hurd. Bryan is a multi-talented cyber security professional who has founded and operated programs dating back to the early nineties. Currently Chief of Office for Stroz Friedberg (AON Cyber), he started his career in NCIS, founding the Navy’s first ever cyber counterintelligence program in 1993.



Join Bryan and Allan for a masterclass on ransomware, incident response, and preparedness. Having both consulted on ransomware situations many times, they offer a wealth of practical tips, do’s, don’ts, and gotchas. You can also hear their perspectives on the roles and processes in taking appropriate action when crisis hits.



This is a longer than usual episode, but that is because it is filled with practical advice based on a great deal of experience.



Key Takeaways:



01:20Bio


02:58Is ransomware still the #1 threat to an organization?


07:30Having your incident response team ready and prepared


12:16The roles, processes, and fundamentals of incident response


22:57Modern ransomware extortion components


25:01Encryption & decryption – dealing both strategically


27:10Using software provided by attackers


30:18Response as an executive – being transparent


35:02Public communications


38:41What surprises Bryan in cyber security?



Links:



Learn more about Bryan on <a href='https://www.linkedin.com/in/bryanhurd/'>LinkedIn</a> and on <a href='https://twitter.com/bryan_e_hurd'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

This week, Allan is joined by Bryan Hurd. Bryan is a multi-talented cyber security professional who has founded and operated programs dating back to the early nineties. Currently Chief of Office for Stroz Friedberg (AON Cyber), he started his career in N...

Practical Realities of Ransomware Management w/ Bryan Hurd

Host Allan Alford interviews his friend Helen Patton, advisory CISO at Cisco, and former CISO at Ohio State University. Helen and Allan discuss the career path of the CISO – specifically what comes after the CISO role has been fulfilled - and how there is not a clear path defined for the post-CISO career.



Allan and Helen discuss several models for post-CISO life that they themselves have explored, and that other CISO friends have as well, such as: shifting back and forth from CISO to vendor, shifting back and forth between CISO and advisory CISO roles at VC’s and other entities, becoming CIOs or CTOs, etc.



Helen explains how there is no clearly defined path for a post-CISO life, how no mentors are available to aid with that transition, but also how CISOs can decide to simply change their roles as a CISO. She explains a little bit more about her advisory CISO life and the internal and emotional differences between it and a conventional practitioner CISO role.



Key Takeaways:



0:26 – Intro


1:12 – Helen briefly explains about her background in cyber and about her day job.


2:55 – Helen explains what is the post-CISO life?


5:54 – What are Helen’s thoughts on the different roles of CISOS?


9:21 – How many people are changing from CISO to a consultancy role?


11:04 – Has Helen seen anyone making such transitions and being successful over time?


12:48 – Hypothetically what would happen if there was a major technology shift, but a CISO wasn’t there to supervise it due to being in a non-practitioner role at the time. Would she be missing out on it on critical CISO skills?


15:12 – Helen explains a little bit more about her advisory CISO life.


18:07 – What happens when Helen gets approached by startups who want feedback? Does she see them as competition? Are they up for having conversations with her?


20:47 – Can a CISO become a CEO?


22:37 – Who should the CISO be reporting to and why?


25:34 – What other post-CISO activities are there for CISOS that may not be a fulltime role, such as boards, teaching, writing, speaking?


28:32 – What surprises Helen the most in cyber security?



Links:



Learn more about <a href='https://www.cisohelen.com/'>Helen</a> on <a href='https://www.linkedin.com/in/helenpatton/'>LinkedIn</a> and <a href='https://twitter.com/cisohelen'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Host Allan Alford interviews his friend Helen Patton, advisory CISO at Cisco, and former CISO at Ohio State University. Helen and Allan discuss the career path of the CISO – specifically what comes after the CISO role has been fulfilled - and how there i...

What Comes After the CISO Role? w/ Helen Patton

Allan is joined by George Finney, CSO at Southern Methodist University and author of the book Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. 


George’s mission is clear: unite the cybersecurity community through proven strategy, and help preserve and leverage the humanity within cybersecurity. 


He believes that the community as a whole under-plays the human role, and he and Allan discuss potential changes to the way we view security awareness training and the role of users in general. 


Key Takeaways: 


00:18 Intro/Bio 

01:25 George’s story 

04:27 Humans are not the weakest link in cybersecurity 

07:17 How habits affect security awareness 

08:30 The 9 habits and forming your cybersecurity personality 

14:05 How secret keepers build a community 

17:30 Potential improvements to security awareness training 

22:22 The origin of the nine habits 

26:50 What surprises George about cybersecurity still? 


Links: 


Learn more about George on <a href='https://www.linkedin.com/in/georgefinney/'>LinkedIn</a> and on <a href='https://twitter.com/WellAwareSecure'>Twitter</a> and <a href='https://www.amazon.com/Well-Aware-Master-Cybersecurity-Protect/dp/1626347352'>buy his book!</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Allan is joined by George Finney, CSO at Southern Methodist University and author of the book Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. 


George’s mission is clear: unite the cybersecurity community through proven strategy, and help preserve and leverage the humanity within cybersecurity. 


He believes that the community as a whole under-plays the human role, and he and Allan discuss potential changes to the way we view security awareness training and the role of users in general. 


Key Takeaways: 


00:18 Intro/Bio 

01:25 George’s story 

04:27 Humans are not the weakest link in cybersecurity 

07:17 How habits affect security awareness 

08:30 The 9 habits and forming your cybersecurity personality 

14:05 How secret keepers build a community 

17:30 Potential improvements to security awareness training 

22:22 The origin of the nine habits 

26:50 What surprises George about cybersecurity still? 


Links: 


Learn more about George on <a href='https://www.linkedin.com/in/georgefinney/'>LinkedIn</a> and on <a href='https://twitter.com/WellAwareSecure'>Twitter</a> and <a href='https://www.amazon.com/Well-Aware-Master-Cybersecurity-Protect/dp/1626347352'>buy his book!</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Allan is joined by George Finney, CSO at Southern Methodist University and author of the book Well Aware: Master the Nine Cybersecurity Habits to Protect Your Future. 
George’s mission is clear: unite the cybersecurity community through proven strategy, ...

Humans Are Not the Weakest Link in Cybersecurity w/ George Finney

Host Allan Alford interviews Benjamin Corll, VP of Cybersecurity and Privacy at Coats, about security orchestration, automation, and response (SOAR).



Bejamin and Allan critique SOAR's promises and premises, what else it could be doing, its pricing and overhead, and lack of standards as well.



But it is not all negative - Benjamin does share stories as well of SOAR's successes in his shop, and of the things it does do well...



Come on down the ranch and give this show a listen!



Key Takeaways:



0:09 – Intro


0:55 – Benjamin's background and day job


3:46 – The premise and the promises of SOAR


6:32 – What else could be automated?


9:25 – Benjamin explains about the trouble ticket system and the change management system


11:57 – The standards for SOAR today


17:19 – How do we improve the cyber posture of all our organizations, making them more secure?


19:34 – Has SOAR managed to stay affordable for those who need it?


22:54 – What SOAR does well, the benefits and the value


26:35 – What has surprised Benjamin the most in information security



Links:



Learn more about Benjamin Corll on <a href='https://www.linkedin.com/in/benjamincorll/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Host Allan Alford interviews Benjamin Corll, VP of Cybersecurity and Privacy at Coats, about security orchestration, automation, and response (SOAR).

Bejamin and Allan critique SOAR's promises and premises, what else it could be doing, its pricing and o...

Does SOAR Meet Its Promises? w/ Benjamin Corll

Host Allan Alford interviews guest James Azar, host of the CyberHub CISO Talk Podcast, and CISO in the financial services space. James and Allan discuss the techniques and approaches of the modern CISO, and contrast this with some of the older approaches of the job. James defines the cultural shift between the old and new as having taken place since September, 2017 (the Equifax breach).



James and Allan discuss the impact on the team, business, clients, customers, and shares their thoughts and experience on how to stay modern. “What keeps you going in cybersecurity?” as the signature final question for each guest has been replaced with “What surprises you the most in cybersecurity?” James is the first guest to answer that question, and his answer is a bit of surprise itself…



Key Takeaways:



0:16 – Intro


1:04 – Bio


2:00 – The modern CISO contrasted with the older CISO


4:46 – What does the modern CISO mean to the team, business, clients and customers?


7:10 – How to interact with the business: building relationships, teams, meetings…


11:18 – How James Azar puts forward a message of security for the company


11:52 – Security Questionnaires and what is wrong with them


12:20 – Picking on SOC 2


12:39 – Operationalizing security within a client customer relationship


14:11 – Shared responsibility model (cloud) and CMMC replacing SOC 2 and SIG and other older standards: 5 or 6 questions


17:50 – How the word “no” keeps the business and team from moving forward


18:06 – CISO choosing business over security and ignoring the subsequent notions of career risk


19:40 – Automation on the technology front and how it changes the modern CISO’s perspective


20:30 - COVID-mandated lockdown and the implications for workers in countries around the world


23:19 - Automating all entry-level positions and bringing entry-level people up


25:45 – What surprises James Azar the most about cyber security



Links:



Learn more about James Azar on <a href='https://www.linkedin.com/in/james-j-azar/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

Host Allan Alford interviews guest James Azar, host of the CyberHub CISO Talk Podcast, and CISO in the financial services space. James and Allan discuss the techniques and approaches of the modern CISO, and contrast this with some of the older approaches...

The Modern CISO w/ James Azar

In this, the very first LIVE episode, Allan Alford interviews guests Derly Gutierrez, Head of Information Security at 1010Data, Patrick Benoit, BISO at CBRE, and Mustapha Kebbeh, CISO at Brinks, as they discuss the use of security frameworks in general and over time.



Regarding framework compliance, do we choose one or do we choose many? Do we embrace them fully or partially? What changes our approach to frameworks over time?



Security strategies are explained throughout the episode, along with the notions of business adaptation and adoption, regulation and other requirements, and "minimum viable security" approaches that don't require frameworks at all.



Key Takeaways:



0:43 – Intro


1:53 – Question to Mustapha: pick and choose from a framework or embrace a framework all in one go?


2:47 – Patrick discusses his own approach to Mustapha’s statement


3:26 – The evolution of CFS adoption briefly discussed and the importance of protection


6:59 – Discussion of a possible "least viable security" approach that doesn’t depend on the frameworks at all


9:50 – Maturity models


13:32 – Security strategies


19:56 – The guests answer: What were the toughest challenges working with a framework?


21:56 – The guests share their best success story with frameworks


23:51 – The guests share their journey on business integration


27:56 – The influence of regulation and other requirements



Links:



Learn more about Derly on <a href='https://www.linkedin.com/in/derlyg/'>LinkedIn</a> and <a href='https://twitter.com/DerlyG_CloudSEC'>Twitter</a>

Learn more about Mustapha on <a href='https://www.linkedin.com/in/mustaphakebbeh/'>LinkedIn</a>

Learn more about Patrick on <a href='https://www.linkedin.com/in/patricklbenoit/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

In this, the very first LIVE episode, Allan Alford interviews guests Derly Gutierrez, Head of Information Security at 1010Data, Patrick Benoit, BISO at CBRE, and Mustapha Kebbeh, CISO at Brinks, as they discuss the use of security frameworks in general a...

Frameworks Over Time w/ Derly Gutierrez, Mustapha Kebbeh and Patrick Benoit

On this episode, Allan invites Marilise de Villiers, Founder and CEO at ROAR! Coaching & Consulting, to come on down to the ranch and discuss how to deal with toxic situations, how to overcome obstacles in the workplace, how to avoid burnout, and how to spot our own negative behaviors that interfere with our success.



Marilise and Allan cover toxic workplaces and bosses, share personal stories, and discuss the internal mechanisms which allow external toxicity to harm us, as well as the internal behaviors to prevent that.



They discuss obstacles, and how big obstacles should be embraced. They also talk about "exercising the resilience muscle".



This is a fantastic show with some open and vulnerable moments, as well as with some very practical advice for avoiding burnout and dealing with problems most of us have faced or will face in our information security careers.



Key Takeaways:



1:11 How Marilise got into information security


2:29 About her coaching and consulting practice for information security professionals


3:53 Avoiding CISO burnout despite our intrinsic challenges


5:08 External forces but also our own self-defeating behaviors


7:01 Clarity on who you are and why you are here


9:31 "I am" is the first negative step towards internalizing toxicity around us (neuro plasticity)


11:03 Allan's former toxic boss who "showed him a carnival house mirror" and led to negative internalization


12:21 Marilise has a similar story


14:29 Facing futility and hopelessness in information security


15:19 Caring too much vs. business problems as a control and communication problem


18:23 How to perceive our biggest obstacles


19:28 Get professional help to strengthen your resilience muscle


20:17 Shout-out to Chris Cochran of Hacker Valley Studio and his 'find your super powers' coaching (and other trusted coaches)


21:49 Your best life is on the other side of your biggest obstacle


21:59 There is always another obstacle


23:22 Living your best life TODAY


24:15 The value of resilience and embracing big obstacles


24:57 Marilise's reason for being in cybersecurity



Links:



Learn more about Marilise on <a href='https://www.linkedin.com/in/marilise-de-villiers-9184521a/'>LinkedIn</a> and on <a href='https://twitter.com/marilise77'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

On this episode, Allan invites Marilise de Villiers, Founder and CEO at ROAR! Coaching & Consulting, to come on down to the ranch and discuss how to deal with toxic situations, how to overcome obstacles in the workplace, how to avoid burnout, and how to ...

Burnout, Toxicity, and Overcoming Obstacles w/ Marilise de Villiers

In this episode, Allan interviews Greg Rogers, CISO at Legal & General America, about migrating legacy, monolithic, internally facing, manually tested, waterfall applications to Cloud, CI/CD with automation, customer-facing applications, all with modern development languages and environments.



Greg migrated just about everything legacy to just about everything modern across a series of monolithic applications. In this episode he gives tips on the technical aspects of his journey, tools and techniqes for overcoming cultural barriers as well.



Greg outlines what he did in-house, and what he leveraged from out-of-house - from code to services.



Ultimately, Greg was able to pull of this transition piece by piece, and he shares how he was able to do it.



Lastly, Greg closes with what keeps him going in cybersecurity...



Key Takeaways:



1:19 How Greg got into cyber


4:12 An overview of the challenge


6:39 Greg's biggest security challenges with the project, both cultural and techincal


8:06 The value of engagement and relationship building


8:41 Targeted security awareness training


9:10 Make security fit with what they are already doing for their day jobs


9:25 Regulation as a driver for change


11:32 The challenges posed by regulation


12:06 The challenges of remote access


13:50 How to eat the elephant one bite at a time


14:11 VDI to migrate portions to the cloud


15:29 Identity & Access Management, CASB, SASE, etc.


16:53 Leveraging outside help


18:13 Selecting and settling on a good MSSP


20:21 In-house development vs. off-the-shelf and leveraging external developers


22:43 What the CISO provides in this scenario


24:02 Focusing on the 'gray' areas of security over the black and white


25:25 Improving the security culture and CISO relationships


26:49 What keeps Greg going in cybersecurity



Links:



Learn more about Greg on <a href='https://www.linkedin.com/in/gsrogers/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

In this episode, Allan interviews Greg Rogers, CISO at Legal & General America, about migrating legacy, monolithic, internally facing, manually tested, waterfall applications to Cloud, CI/CD with automation, customer-facing applications, all with modern ...

Migrating from Monolithic to Cloud w/ Greg Rogers

In this episode, Allan's friend Dr. Sam Small, CISO of Zero Fox, joins us to chat about credential stuffing, its implications and the defenses against it.



Several statistics are given from a few industry reports on credential stuffing, including the Verizon DBIR and F5's report.



Several techniques to foil credential stuffing are explored, as well as common traps when combatting credential stuffing. OWASP provides some guidance in this area.



The criminal's abilities vis a vis breach sharing and botnet as a service are discussed as well.



Finally, Sam explains what keeps him going in cybersecurity...



Key Takeaways:



1:08 Sam's background and education in cyber


2:41 Sam defines credential stuffing and explains why we should care about it


4:17 The origins of the term 'credential stuffing' vs. its history


4:39 Is ransomware the end goal of every single kind of cyber attack?


5:22 Botnets as a service to drive credential stuffing attacks


6:33 Allan cites statistics from the Verizon Data Breach Incident Report


7:23 The DDoS aspects and related cloud costs of credential stuffing


8:48 Sam's theory about F5 report statistics on credential stuffing being interestingly somewhat contradictory


10:43 Anecdotally anyway, password reuse appears to be a huge problem still


11:51 Comabating credential stuffing and common traps in doing so


13:23 Credential stuffing and data breaches are not the same thing


14:17 Getting credential stuffers shut down by way of their service providers


15:25 Practical tips from OWASP for preventing credential stuffing in your environment


19:10 The difference between a comprehensive defense and not


20:32 Are obscure usernames useful in the fight?


22:06 Proposal for user-centric federation to monitor account usage everywhere


23:06 Obligations of those who suffered a breach of credentials


25:14 Criminals share data on their side


26:09 What keeps Sam going in cybersecurity



Links:



Learn more about Sam on <a href='https://www.linkedin.com/in/samsmallphd/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

In this episode, Allan's friend Dr. Sam Small, CISO of Zero Fox, joins us to chat about credential stuffing, its implications and the defenses against it.

Several statistics are given from a few industry reports on credential stuffing, including the Ver...

Credential Stuffing w/ Dr. Sam Small

On today’s episode with Allan, we talk “Ugly Exits” with Naomi Buckwalter, Director of Information Security. Of course, to start the episode, Naomi answers Allan’s question of how she got started in cyber.



They circle back to the topic at hand, “Ugly Exits”. Under this umbrella are: being fired, laid off, "burning bridges", or being encouraged to leave in a "voluntary" manner. Allan shares statistics for some of these categories, including a substantial statistic on those who have been outright fired.



When it comes to burning bridges, so many people walk away from a company that is behaving in an unethical manner and putting their employees in unethical situations. To Naomi, this is a frightening common thread. It’s scary how many unethical employers are out there.



Naomi shared a personal story of her ugly exit, and the fact that it was deserved to some extent. She has owned that experience, has learned from it, and has grown as a result.



Allan shares his personal “burned bridge” story which continues to follow him through the industry here and there. He feels his reputation is sullied with a certain small segment of the industry, and that it most likely won’t ever change. But he also takes ownership for how he mishandled the situation.



Rounding out the show, Naomi and Allan talk about earning their stripes and realizing it is all about growth, resiliency and grit. In fact, as humans, they feel sometimes we don’t appreciate the bad things that happen to us, so we can appreciate the grown and the improvements we have made throughout our lives. Reflect back and think about all that you have survived in your past. Out that self-awareness comes the opportunity to improve.



A large portion of growth, whether personal or work, comes from self-reflection. One can learn from it, grow from it and figure out how to navigate the situation should it arise again. Could it be that thinking we are the hero of our own stories is hurting us?



Key Takeaways



1:25 Getting into Cyber


3:22 Burning Bridges


8:56 Mismatches


14:18 Reflecting


19:43 Humanity


23:28 The Firing and One’s Value


28:45 What Keeps You Going



Links:



Learn more about Naomi on <a href='https://www.linkedin.com/in/naomi-buckwalter/'>LinkedIn</a> and on <a href='https://twitter.com/ineedmorecyber'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://www.uptycs.com/'>Uptycs</a>

On today’s episode with Allan, we talk “Ugly Exits” with Naomi Buckwalter, Director of Information Security.  Of course, to start the episode, Naomi answers Allan’s question of how she got started in cyber.

They circle back to the topic at hand, “Ugly E...

”Ugly Exits” w/ Naomi Buckwalter

On today’s episode with Allan, we have Tim Rohrbaugh, CISO at JetBlue, here to talk about Agile methodology and how it can be applied to an entire security program.



Tim got into cyber through the military. From the military he went into consulting and ended up at JetBlue. At JetBlue that he is always trying to find ways to invest dollars in security programs to balance what is going on. Along with that, he strives to keep his team motivated and moving forward.



Agile is a software programming methodology, and it replaced Waterfall. Waterfall was the traditional model of development, where large chunks of code had to flow from developers to QA, back to developers several times, and finally to release.



Agile, on the other hand, works off user-centric stories, which roll up to bigger stories called epics. Stories are small, discrete goals, met with smaller, discrete chunks of code released in what are called 'sprints'. QA is very rapid as well, leading to rapid release. Agile is characterized by daily 'standup meetings' where literally nobody sits in an effort to keep the meetings as short as possible.



In Agile, product owners come up with ideas and thread those through marketing and development. In appplying this paradigm to running a security teamm, Tim replaces product owners with threat intelligence folks.



This unique approach towards managing a security program means that all decisions are threat-informed, and that small incremental wins are a constant.



But Tim does not stop there. Anyone on the team can create and manage a story to address any specific and immediate security need...



Key Takeaways



1:10 Tim’s background and day job


2:08 JetBlue


2:39 Introduction of Agile


3:57 Tim’s approach


6:15 How Agile is used


8:31 Threats addressed


9:46 Story sourcing


11:03 Creating the story


12:48 Narrative skill


14:08 Metrics


15:53 Risk management aspect


19:00 Not using risk


21:38 Positives


23:20 What keeps Tim going in cyber


24:42 What Tim is looking forward to in cyber



Links:



Learn more about Tim on <a href='https://www.linkedin.com/in/timrohrbaugh/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

On today’s episode with Allan, we have Tim Rohrbaugh, CISO at JetBlue, here to talk about Agile methodology and how it can be applied to an entire security program.

Tim got into cyber through the military.  From the military he went into consulting and ...

Agile for Security Programs w/ Tim Rohrbaugh

With us today is Christina Richmond program Vice President at IDC. She's an industry analyst, and she's here to talk to us all about the analyst lifestyle.



Allan starts the episode asking Christina to share all about how she got into cyber and what her day job is like. Christina actually began by working in the storage space, and discovered security. To her it was like a drug. What does she do throughout her days? Partakes in hundreds and hundreds of calls with companies who need help with launches and marketing, specifically in growing areas of cybersecurity. In essence, there is a lot to being an analyst. But to be successful, you have to be curious!



The best way to put Christina’s job in words, is “learning the whole from the parts.” She talks with individual players, studies market trends, and then circles around again to piece it together. One big feedback loop.



On a side note, Christina would like everyone to know she is looking to hire at the director level! If you know anyone, send them her way. There are certain aspects necessary, and they are: First, understanding the technology. Next, either having been an analyst before or being in market research of some kind. Finally, the soft skills or executive presence.



Christina admits she is not a technologist, but she also says there's a benefit to having a non-technologist covering this space. She thinks it's important to know that analysts take all shapes and sizes, and there is a benefit from bringing in somebody who thinks about the market differently.



In one word, she describes the plight of the analyst as “overwhelmed”. There aren’t enough people, and some people just don’t have enough skills. The skills gap is real. One of the top skills that is missing for practitioners is cloud security, and that is true for analysts as well.



The bottom line for Christina is helping; it is her favorite thing to do. When it comes to changing things, Christina wouldn't throw anything out but would have more people doing more of the work. Because really, there is a resource shortage in the analyst realm.



Finally, Allan as the one question he asks of all his guests, “What keeps you going in cyber, why do you hop out of bed in the morning, jump in your shoes and say, all right, another day of cyber.”



Christina responds, “Every day, there's a new breach, every day someone is suffering because a Florida Water system was poisoned or because the oil the gas pipeline has been interrupted, and we're not going to have gas at our gas stations or because you name it. There are so many reasons to get up every morning. And, I think every cyber security person needs a mission. I'm here to help, I'm the one helping make sure the message gets out. And that's really important to me.”



Key Takeaways



1:17 Christina’s background


3:02 An analyst’s day job


6:02 Learning the whole from the parts


7:46 We’re hiring


11:02 Staying informed and in the game


13:05 Non-technologist


14:22 Plight of the analyst


16:38 Favorite part of the job


18:44 What would Christina change


19:35 How to get the best engagement


23:11 Storytime


25:55 What keeps Christina going



Links:



Learn more about Christina on <a href='https://www.linkedin.com/in/christinarichmond/'>LinkedIn</a> and <a href='https://twitter.com/Xtina_Richmond'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today is Christina Richmond program Vice President at IDC. She's an industry analyst, and she's here to talk to us all about the analyst lifestyle.

Allan starts the episode asking Christina to share all about how she got into cyber and what her ...

All About Analysts w/ Christina Richmond

With us today is Derly Gutierrez, Head of Security at 1010 Data, and veteran. Derly is here with us today to talk about the journey to passwordless authentication and the flaws and strenghts of today's authentication methoods.



Allan and Derly refer to studies and surveys about the problems with passwords and the challenges of implementing passwordless approaches.



Derly emphasizes the need for other complementary technologies such as Role-Based Access Control (RBAC), Privileged Access Management (PAM), and system-to-system communications.



The two discuss corporate and personal use of passwordless solutions, talk about legal precedence and the future of passwordless approaches.



Key Takeaways



1:14 How Derly got into cyber


1:58 About Derly's day job as Head of Security


2:34 Allan quotes the 2017 Verizon DBIR on how many breaches involve weak or stolen passwords


3:35 Allan cites NIST 800-63b


4:15 Derly talks about CAC cards in the US DoD


4:50 Derly sides with vendor innovations over NIST guidance


5:56 Allan clarifies the distinction between PINs and passwords


6:52 Derly points out the flaws with biometrics in terms of reliability and assurance


9:09 Allan cites a survey regarding WHY organizations choose passwordless


9:52 How many 'passwordless' solutions still include shared secrets


10:38 Derly talks about corporate vs. personal passwordless solutions and shared secrets as backup for reliability issues


11:37 Derly emphasizes a lack of RBAC and PAM foiling all authentication approaches


13:06 Allan points out the value of Identity and Access Management solutions


13:44 Allan references three vendor approaches towards passwordless for legacy systems such as RADIUS


14:50 Derly takes these methods apart


16:05 Many companies are not doing Role-Based Acces Control, system-to-system communication and Privileged Access Management correctly


17:02 Allan brings up the presence of push attacks


17:38 Allan's definiton of true passwordless authentication


17:56 Derly's definition of true passwordless authentication


21:29 For personal use of biometrics, Allan brings up a disturbing precedent of law enforcement accessing an individual's phone with forced facial recognition


23:17 Derly emphasizes that applications on your phone should have a different authentication factor than access to the phone itself


23:47 "Your home is your castle" has become "Your phone is your castle"


25:06 Allan cites one last survey as to how many of us really are passwordless


26:02 How long before we got to passwordless?


28:06 What keeps Derly going in cyber



Links:



Learn more about Derly on <a href='https://www.linkedin.com/in/derlyg/'>LinkedIn</a> and <a href='https://twitter.com/DerlyG_CloudSEC'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today is Derly Gutierrez, Head of Security at 1010 Data, and veteran.  Derly is here with us today to talk about the journey to passwordless authentication and the flaws and strenghts of today's authentication methoods.

Allan and Derly refer to ...

The Journey to Passwordless Authentication w/ Derly Gutierrez

With us today is Taylor Lehmann, former ciso several times over in the healthcare sector, and currently Americas leader for security, networking, identity, and compliance solution architecture at AWS.



Taylor and Allan talk about application security: why it's important, who are the personas, the value of threat modeling, infrastructure as code, how to get started, and relationships with developers.



Taylor, a Boston boy, starts the show trying to say, "Howdy!" correctly. Taylor started at PWC and grew into a healthcare CISO. He has now transitioned to AWS.



Key Takeaways



1:40 How Taylor got into Cyber


2:58 Taylor’s day job


4:30 Appsec Defined


5:49 Taylor's favorite appsec frameworks


7:48 Why appsec is important


8:55 The personas and roles


11:22 Security training in appsec


12:27 Threat modeling


15:11 Infrastructure as code


20:46 How to get started in appsec


24:12 Devs already know and care about security


25:38 Where does the trope come from that devs don't care?


26:52 Why "DevSecOps" is a bad term


28:00 What keeps Taylor going in cybersecurity



Links:



Learn more about Taylor on <a href='https://www.linkedin.com/in/tlehmanncyber/'>LinkedIn</a> and <a href='https://twitter.com/BostonCyberGuy'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today is Taylor Lehmann, former ciso several times over in the healthcare sector, and currently Americas leader for security, networking, identity, and compliance solution architecture at AWS.

Taylor and Allan talk about application security: wh...

Application Security w/ Taylor Lehmann

With us today is Ian Thornton-Trump, Chief Information Security Officer at Cyjax and an ITIL-certified IT professional with 25 years of experience in IT security and information technology.



Ian shares his background which started back in the Canadian military. During those times, "IT" was called "automated data processing", and it is quite clear how far this has advanced. He joined the Royal Canadian Mounted Police and spent a year working on criminal intelligence. Soon after he became a consultant and made his way to the UK in 2015.



Oftentimes organizations have not planned or prepared for risk, and that includes cyber. In that sense, cyber can be compared to the environmental landscapes and infrastructure, which Ian finds eerily similar. A lot of problems created in cyber mimic a lot of the environment problems we face in today’s world. One example is the recent failure of the Texas power grid during a very harsh winter. Investment in cybersecurity is critical.



Allan feels there are a lot of environmental laws, but there are also already some pretty strict cyber laws as well. However, they seem more aimed at the anonymous or extrajurisdictional perpetrators and end up useless when their anonymity is involved. And some cyber laws seem to punish the victim as well - after suffering ransomware you are now penalized for not being prepared for it in the first place? How can we get laws in place that are helping the situation and not blaming the victim?



Ian suggest that positive incentives are the answer. If we can just get companies to do a bare minimum cyber hygiene, by incentivizing them through tax breaks, Ian thinks we could move the ball up more forward, without making it too onerous, to meet some sort of regulatory standard. How do we possibly extend our stretch? Because at the end of the day, the root cause is the “bad guys”, so how do we get to them? America is already doing a lot, but other countries need to put their money where their mouth is.



Ian and Allan discuss President Biden's Executive Order on Cybersecurity. This can enforce behavior in the government, but only suggest behavior in the private sector. To sum up, we're nowhere, and we need to get somewhere because what we've done, at the federal and state level in the United States, is taken a lot of dollars, put them in parking lots, and set fire to them. And then after we finished that exercise, we asked for more dollars. We have to change the entire system from the ground up. And we have to incentivize cyber security.



Key Takeaways



1:10 How Ian got into Cyber


2:21 Ian’s day job


4:18 Issues with infrastructure and environment


7:38 Meaningful laws


12:47 Getting to the bad guys


16:35 Catching “Fred Smith” or someone like him


17:43 Rewards


21:17 Preparedness and helplessness


23:43 Einstein program


26:24 What keeps Ian going



Links:



Learn more about Ian Thorton-Trump on <a href='https://www.linkedin.com/in/ian-thornton-trump-cd-77473a26/'>LinkedIn</a> and <a href='https://twitter.com/phat_hobbit'>Twitter</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today is Ian Thornton-Trump, Chief Information Security Officer at Cyjax and an ITIL-certified IT professional with 25 years of experience in IT security and information technology.

Ian shares his background which started back in the Canadian mi...

Solving The Global Cyber Problem w/ Ian Thorton-Trump

With us today is Drew Brown, IT Security Manager at the Commonwealth of Pennsylvania. Drew is here to talk about FAIR and his real-world usage of it and testing it in the trenches.



Drew shares a little bit about his background in cyber, and a little bit about his day job. He spent 15 years in IT. That opened the door then for him to be the CISO for one of the state agencies. Now his title is IT Security Manager but essentially he is responsible for communicating security and risks and working within a law enforcment agency to make sure that what is implemented is secure, it's compliant, and it meets all of the agency objectives.



With FAIR, you start by asking some very basic questions: What is the asset? What is the thing of value that you're trying to protect? Once you understand what that is, you then ask who is going to come after that asset: cyber criminals, nation state, some kind of industrial espionage, hacktivist, or whatever. Or maybe it's Doris in accounting. Either way, you start to work through who might come after that information.



The probability of a guy sitting in his basement, ordering pizzas on your credit card is a different probability than a nation state. On the impact side, we look at six different categories of risk, there's loss to productivity, there's losses in terms of response, how much money are we going to spend? Or do we have to spend to resolve that loss event that incident?



The six forms of loss are productivity, response, replacement, fines and judgments, competitive advantage and reputation. We start looking at what those dollar amounts actually are. But we want to concern ourselves with the most likely and what's the loss magnitude at that most likely value? Now we can go to that executive and say, “Okay, do you want to build a new parking lot? Or do you want to resolve this risk?” Then we can have a business conversation about it.



Allan asks, “What drove you to FAIR?” Drew states that one of the biggest arguments against FAIR that he always hears is, “We don't have enough data points to do this." Drew decided FAIR can help make better decisions about risk. And that is the goal of FAIR anyway - to make better business decisions, better risk decisions.



Digging a little deeper, Allan asks, “Are you confident that it achieved the goals you set out to achieve with it?” In short, the answer is absolutely!



Where FAIR falls shorts comes up. After reflecting, Drew says that it is in the controls analysis piece.



Allan asks Drew what keeps him going in cyber. With a laugh, Drew gives a quick answer of "coffee" and then follows with, “I enjoy that a relationship with my counterparts and then also establishing those relationships with the business and seeing the problems solved.”



What’s coming over the horizon? According to Drew, it’s seeing the normalizing of cybersecurity and making it less of a burden to hire new and diverse talent.



Key Takeaways



1:15 Drew shares his background and day job


2:20 FAIR model


2:56 How FAIR works


5:13 Probability


8:45 What drove you to FAIR


11:42 Goal of FAIR


13:30 Selling to the board


18:16 The honest hat


22:17 RSA announcement


23:32 What keeps Drew going


24:49 What Drew looks forward to



Links:



Learn more about Drew Brown on <a href='https://www.linkedin.com/in/drew-brown-8214675/'>LinkedIn</a>
Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

With us today is Drew Brown, IT Security Manager at the Commonwealth of Pennsylvania. Drew is here to talk about FAIR and his real-world usage of it and testing it in the trenches.

Drew shares a little bit about his background in cyber, and a little bit...

FAIR from the Trenches w/ Drew Brown

With us today is Andy Ellis, operating partner at YL Ventures, former Akamai CSO and newly inducted member of the CSO Hall of Fame. We're here to talk about nonstandard hiring practices and how Andy has built an amazing team using nonstandard approaches.



Andy began his career in cyber ("I remember back then, you know, we didn't call it cyber, but I think we've all given up and, and that's now the name for our career field.") as an Air Force ROTC cadet, spent 20 years at Akamai, and joined an advisor program at YL Ventures.



Andy found a solution that addresses hiring needs and the talent shortage, while also building a very clever and very innovative team.



For new roles, look and see if you have somebody who's almost senior that you can promote to do that job. And backfill the almost senior person instead. Try not to hire senior people, try to hire the most junior person you can get away with and promote everybody up the chain. The real trick is to figure out how your HR and finance teams are going to operate and play them off against each other.



Now that we have covered your promotion from within strategy, let's talk about hiring some folks for certain roles on the team that at a glance would make no sense at all for a CSO. And yet is really, really effective and repeatable.



Andy’s flagship is hiring librarians. There is an entire career field dedicated to managing libraries and learning technical language to be able to do that.



Everyone is in the business of publishing a report about their data, right? This is just taking technical data and technical jargon and making it consumable to people who've never seen this data before. There's an entire industry that does that. We call it journalism. So, we hire journalists to come in and be those storytellers.



Hire teachers. Put a teacher in a position and to learn how deep do they need to go on a daily basis, and then make sure they get one level deeper. Because you're always going to have problems if you teach exactly to your domain knowledge. So, make sure your domain knowledge is always little bit deeper than whatever your job requires which is usually going to be sufficient to keep you out of trouble.



To wrap the show up, Allan asks, “Why aren't the rest of us catching on because this is some amazing stuff that every single hiring manager in cyber could benefit from.”



According to Andy, the simple answer is it's expensive, and it takes a lot of time to do right.



Allan asks, “What keeps you going in cyber?” Andy answers, “I've always seen myself as improving the systems that I walk through, that when I encounter a system, I want to tweak it and figure out what makes it work and make it work better."



Key Takeaways



1:24 Andy shares his background and how he got to cyber


3:12 Working for a venture capital firm


7:12 Hiring and building a team


12:26 The abnormal hires that just make sense


15:46 Clever role adjustments


17:10 More nonstandard hires


19:03 Confused? Whose confusion is it?


21:02 The academy


24:42 Putting a teacher in


25:21 Budget technique


27:09 Why isn’t everyone hiring this way?


28:30 What keeps you going in cyber?



Links:



Learn more about Andy Ellis on <a href='https://www.linkedin.com/in/csoandy/'>LinkedIn</a> and <a href='https://twitter.com/csoandy'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today is Andy Ellis, operating partner at YL Ventures, former Akamai CSO and newly inducted member of the CSO Hall of Fame. We're here to talk about nonstandard hiring practices and how Andy has built an amazing team using nonstandard approaches....

Clever  Hiring Practices w/ Andy Ellis

Today we talk with Richard Seiersen, co-author of “How to Measure Anything in Cybersecurity Risk”.



Richard shared that at his first CISO position, he was challenged with addressing prioritization of risk, which led to his authoring a book with Doug Hubbard.



What can cyber learn from older risk disciplines? The life table used broadly to measure time-to-event data goes back 500 years.



Businesses keep falling back to the classic 5x5 "likelihood and impact" matrix which is an inconsistent, non-math-based method.



Without math it is really just casting spells in the board room. There are no ratios or explanation of differences, for example.



CISOs are called upon to make a bet about something. We will use subject matter expert opinions, and can make them measurably better. Consistency is key.



Wild guesses can still help constrain the forecast. There are existing models in cyber such as FAIR that provide a more mathematically applied approach.



Statistics came about because people needed to make bets with limited data. Dirty data can be worked with.



Embracing uncertainty is okay. Executives are actually very used to uncertainty.



Cybersecurity as a practice is in its adolescence with a high mortality risk. We need to adopt the grammar of science.



Key Takeaways



0:25 Richard is introduced


1:20 Richard talks about his cyber journey and his day job


3:02 Book talk


5:19 What can cyber learn from older style risk tactics


8:04 5x5 risk matrix


10:05 Improving accuracy


17:00 Gathering an accurate view


19:20 Monte Carlo simulations


22:04 The belief


25:17 Board-ready presentations


26:58 What keeps Richard going in cyber security


28:09 Why statistics were invented



Links:



Learn more about Richard Seiersen on <a href='https://www.linkedin.com/in/richardseiersen/'>LinkedIn</a> and <a href='https://twitter.com/RichardSeiersen'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

Today we talk with Richard Seiersen, co-author of “How to Measure Anything in Cybersecurity Risk”.

Richard shared that at his first CISO position, he was challenged with addressing prioritization of risk, which led to his authoring a book with Doug Hubb...

Measuring Risk w/ Richard Seiersen

With us today, is a very special guest, Accidental CISO, of Twitter fame. His anonymity on Twitter, allows him to be a little more “truthy” about the CISO game than a lot of us can afford to be on social media. We have distorted his voice a bit to protect that anonymity.



“Accidental” shares how he got into cyber, and that is a culmination of being in a career where he had to fill “all” the hats. He stepped away from his CISO role a few years ago and is now in consulting where he has the opportunity to help other people realize they need to build security programs when they have never done it or know how.



How did he become the “Accidental CISO”? Simply by trying to help during the course of going through an audit. They had to identify who was the CISO, and he made the mistake of asking who the security officer was for the company. The answer was, “That’s you.”



Accidental CISO doesn’t think becoming a CISO accidentally is all that uncommon. When going through audits, etc., someone has to be named, someone ends up drawing the short straw.



The role is different than what people think. You can draw on your technical background, but you have to be able to focus on the “why” for the business and all the nuts and bolts that come with it. One must understand this is not a technical role.



Allan shares his pivotal moment in becoming a CISO and realized all he had to do was recognize the business as the system he was hacking.



When Allan asked Accidental CISO about guidance for building a team and getting started, Accidental had one word, “Pray.” In reality, you need to know the skills you need.



Allan and Accidental CISO discuss “selling the functions”. It is tied to the business objectives in so many ways, and companies need a human to seal the endpoints. As they close this discussion loop, Accidental shares how to get the practice off the ground and the importance of relationships.



Sometimes, believe it or not, not having all the knowledge and knowing all the details is a benefit. In addition, being the first CISO for a company is all about educating, communicating and painting a picture.



And of course, Accidental CISO answers Allan’s final question, “Why are you motivated to get out of bed and do more of it?”



Key Takeaways



0:30 Introduction of Accidental CISO of Twitter fame


1:37 How Accidental CISO got into cyber


2:14 Accidental CISO talks about his day job


3:33 The background of Accidental CISO


4:49 The security tool Accidental CISO embraces


5:20 Accidental CISO is not an uncommon “thing”


6:37 Advice to becoming a CISO


9:28 Allan shares a pivotal moment


10:15 Guidance on building and getting a team started


13:58 Selling the functions


16:55 Getting the practice off the ground


20:13 Importance of relationships and letting go


22:24 Being “their” first CISO


26:47 Building a security council


27:49 Why Accidental CISO is motivated to get out of bed each day and do more of it



Links:



Learn more about Accidental CISO on <a href='https://twitter.com/AccidentalCISO'>Twitter</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://axonius.com/'>Axonius</a>

With us today, is a very special guest, Accidental CISO, of Twitter fame.  His anonymity on Twitter, allows him to be a little more “truthy” about the CISO game than a lot of us can afford to be on social media. We have distorted his voice a bit to prote...

Becoming a CISO w/ Accidental CISO

Today we talk with Marlys Rodgers, who has been in cyber for over 20 years. She currently is CISO for CSAA Insurance Group and is running security for the company as well as running governance risk and compliance for technology. She shares that it feels like she is constantly balancing assessing with preventing.



Allan brings up breach and attack simulation (BAS), and when it is most appropriate to implement in the context of the maturity of a security program. Marlys feels BAS is most effective when some, or most, of the intended controls are in place so you can focus on areas you need to strengthen. For her company, she was glad they did it earlier rather than later. They had a pretty good lead time to get systems to integrate.



The way you use BAS, especially along with threat intelligence, is really important. If you don’t have a purple team, or a red and blue team how does one start or how do you reorganize? Hear how Marlys did just that. Tag-teaming works best!



How has BAS helped in conversations with the audit team as well as the GRC team? More data gets shared with Audit and they become strong allies. Everyone is happy when fed real-world, real-time information.



BAS is truly changing mindsets, and will ultimately alter prioritization and enhancing and inter-team communications as well.



To wrap up the show, Marlys shares what about her job keeps her getting up in the morning and what she is looking forward to in cyber.



Key Takeaways



0:21 Welcome Marlys


1:13 Short comical discussion on how one should pronounce BAS


1:29 Marlys shares her background and day job


3:35 When BAS comes into the picture


5:00 The trick


6:05 Allan asks Marlys how she stays up with it


8:52 Marlys explains why more time should be spent on extending capabilities


9:38 Suggestions are shared to roll out BAS


12:21 Importance of human elements


13:45 If you don’t have teams, what happens?


16:18 How BAS affects conversations with teams


20:00 Importance of transparency


21:27 Changing people, process and technology with BAS


25:00 Marlys shares the reason she is motivated to stay in cyber


26:01 Marlys shares when she is looking forward to in cyber



Links:



Learn more about Marlys on <a href='https://www.linkedin.com/in/marlys-rodgers/'>LinkedIn</a>

Follow <a href='https://allanalford.com/'>Allan Alford</a> on <a href='https://linkedin.com/in/allanalford'>LinkedIn</a> and <a href='https://twitter.com/AllanAlfordinTX'>Twitter</a>

Learn more about <a href='https://hackervalley.com/'>Hacker Valley Studio</a> and <a href='https://hackervalley.com/cyberranch'>The Cyber Ranch Podcast</a>

Sponsored by our good friends at <a href='https://attackiq.com/'>AttackIQ</a>

Today we talk with Marlys Rodgers, who has been in cyber for over 20 years.  She currently is CISO for CSAA Insurance Group and is running security for the company as well as running governance risk and compliance for technology.  She shares that it feel...