The Cyber Ranch Podcast
Ride the cyber trails with two CISOs (Allan Alford and Drew Simonis) and a diverse group of friends and experts who bring a human perspective to cybersecurity.
Episodes
Wednesday May 22, 2024
The Negatives of Cybersecurity LIVE! at CISO XC with Dani Woolf and Guests
Howdy, y’all, and welcome to The Cyber Ranch Podcast… AND The Audience 1st Podcast! What you are about to hear was recorded LIVE! at the CISO XC conference in Dallas-Fort Worth, Texas (my very favorite conference!). I am your host, Allan Alford, CEO of Alford & Adams Consulting. I have a co-host on this episode, Dani Woolf, of the Audience 1st podcast! On her show, Dani interviews security buyers so vendors can more efficiently market and sell to them without ruffling their feathers (or pissing them off). What we’re doing on this joint endeavor is interviewing various CISOs and other folks about their roles in cyber. This week’s show focuses on the cons of cybersecurity – the beefs, gripes, grumps, complaints and fears about cybersecurity. Next week we’ll end on a positive note, but this show is an opportunity for CISOs to scream into the void. Without further ado, here we go…
WARNING: Some naughty language this episode.
Thursday May 16, 2024
When It's Good To Deprioritize Security with Drew Simonis
Howdy, y’all, and welcome to The Cyber Ranch Podcast! That’s Drew Simonis, CISO @ Juniper Networks, former CSO @ Hewlett Packard Enterprise, former CISO at Willis – you get the idea. Drew’s posts on LinkedIn are pure fire – not in the hot takes way, but because of the quality of the thinking behind them. Drew has also been on the show a couple of times now, and we keep inviting him back because he’s always worth hearing from. Drew and Allan were chatting this afternoon about the idea that oftentimes cybersecurity does not matter – and that that’s okay! So we decided to record a show on that topic.
Drew and Allan share some real-world stories where they put security on hold for the benefit of the business:
VP of R&D had been told he had to get a new product off the ground that was only quasi-planned for. He had properly allocated headcount, but realized his cloud costs were going to rise dramatically. At the time Allan had a big security initiative he was pushing for out-of-bandwidth. They met and talked. His out-of-bandwidth need was stronger than Allan's in terms of benefits to the business. Allan backed him AND also made sure that his extra cloud spend included a few more security features in AWS. Win-win. Drew has a similar tale.
Flat-out, top line was declining and we could not figure out specifically why. New competitor explained some of it, but not all of it. Market fatigue? But that was not all of it. CRO wanted more sales folks to throw at the problem. CISO backed him and gave away project budget to support him.
Company had mismanaged an expansion. Building was paid for, but nobody had thought about the IT costs and headcount. CIO was trying to figure out where to get bodies to populate the new site. Allan gave up 2 headcount for 2 more quarters.
Startup: CISO took on Marketing department temporarily when head of Marketing left. Slowed down the security focus, but Marketing needed some hands-on attention beyond what the CEO could give. It paid off for the business.
CISO joined forces with head of Pro Services to push through a security initiative that benefited key customers for him (contracts he could now secure), but also gave me some more generalized security comfort.
Spent huge amount of what could have been security operations time training sales teams on security as differentiator in the market. Benefited top line.
Drew and Allan share many more stories and break down why in each of these cases, deprioritizing daily security operations was the right thing to do!
Y'all be good now!
Wednesday May 01, 2024
Driving Business Growth with Ankur Ahuja
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest today is Ankur Ahuja, 2x CISO, Ted-X Speaker, Startup Investor, Board Advisor, etc. etc. Ankur is currently SVP and CISO at Billtrust, and he’s got some Big 4 in his DNA too (ten years, in fact!). Ankur wanted to chat about how CISOs can drive business growth, so I asked him to come on down to the ‘Ranch and have a chat with me.
It's more than attending sales calls.
It's more than security questionnaires.
Listen for some clever new tips on driving business growth!
Thursday Apr 25, 2024
Properly Prioritizing Cybersecurity with Melanie Ensign
Melanie Ensign is a communications strategist and corporate anthropologist for cybersecurity, privacy, and risk organizations. She is founder and CEO of Discernible, a multi-disciplinary Center of Excellence for security, privacy, & risk teams. Her team includes experts in communications, product development and management, compliance, security and privacy engineering, and behavioral science.
Melanie is here at the 'Ranch to talk specifically about the fact that so many CISOs feel they are in organizations that simply don’t care about cybersecurity. She’s got some good insights into this one, and it’s the perfect topic for her expertise.
Allan asks Melanie:
Allan put up a LinkedIn poll asking folks “Do you feel organizations properly prioritize cybersecurity?” The results were pretty sobering. What are your thoughts?
Is the problem really the organization or is it us? Probably a mix of the two, or maybe one or the other depending upon the environment and the individual CISO?
Assuming it’s the organization, how can a CISO avoid such organizations in the first place? How do you vet a company for its commitment to cybersecurity?
If you find yourself in a company that does not seem to care about cybersecurity, what should be your next steps?
Allan has emphasized over the years that all CISOs are salespeople times two. We sell the problem, then we sell the solution. Is that a fair perspective in your mind? How many other leaders have to sell their mission in general? I think we all end up selling specifics…
What communication skills can improve the situation for CISOs?
Wednesday Apr 17, 2024
Selling The Mission
In this episode, Allan tackles the idea of selling the CISO mission.
He deconstructs the types of CISOs and the "selling" they must do. Sometimes you really are selling, but most of the time you should be solving business problems.
Allan speaks to:
Business objectives met
Business risks reduced
Maturity
And also deconstructs the art of selling itself.
Hint: Business Impact Analysis is a valuable tool in this whole process.
Special thanks to Helen Patton and Melanie Ensign for prompting this exploration.
Y'all be good now!
Wednesday Apr 10, 2024
SecDataOps with Jonathan Rau
Our guest this week is Jonathan Rau, VP and Distinguished Engineer over at Query, and a proponent of what he calls "SecDataOps". Jonathan is quite active on LinkedIn and his takes, though often spicy, tend to be spot-on. Allan has come to enjoy following Jonathan's posts, and he was excited to have Jonathan come on the show and share his insights.
Allan asks Jonathan, in a VERY lively conversation:
What is SecDataOps?
What is its focal point?
Who should be in charge?
What skills are required to participate?
Who has those skills?
What about the trifecta of people/process/technology?
What is wrong in the community with our approach?
Y'all be good now!
Wednesday Apr 03, 2024
Neurodiversity and Women in Cyber with 3 Guests
This is part two in our neurodiversity series. Our guest roster this time also includes Dr. Ursula Alford, a psychologist who routinely works with the neurodiverse populace.
The lineup of guests covers ADHD, Autism, challenges unique to women with neurodiversity, how leaders should manage neurodivergent team members and more.
Y'all be good now!
Wednesday Mar 27, 2024
CISO Communications with Geoff Hancock
Geoff Hancock is Deputy CEO and CISO for Access Point Consulting, Former Global Director and CISO over at World Wide Technology. He’s also a Senior Fellow and Adjunct Professor at George Washington University and has held various C-suite and executive roles at Verizon, CGI Federal Advanced Technology, Microsoft, and Advanced Cybersecurity Group. He is back at the 'Ranch this week to talk about CISO Communications.
Allan asks Geoff:
You say the first step is prioritizing clarity in communication. What does that mean to you?
Your next step is developing strategic storytelling. Can you elaborate on that one?
How do we enhance crisis communication?
How do we engage stakeholders proactively?
What about data? How do we leverage it in decision making?
How does one bolster their leadership presence?
How do you implement a feedback loop?
What practical tools and strategies can be utilized for effective communication?
It's a fantastic show full of great insights, and you will thoroughly enjoy listening to it.
Y'all be good now!
Wednesday Mar 20, 2024
What Does Zero Trust Mean to You? with 12 Guests
Join Allan LIVE! at Zero Trust World in Orlando as he asks 12 guests "What does Zero Trust Mean to You?" and a wide variety of other questions.
Conference highlights are discussed as well, including hacker activities, hacker demonstrations, incredible talks, etc.
Allan also learns all about The Tech Degenerates, an organization furthering partnership and camaraderie amongst cybersecurity vendors, MSPs, MSSPs, CISOs, etc. (Allan has since joined their Discord group!)
Another great highlight is a chat with Carlos Rodriguez about the vCISO life.
This show is sponsored by our good friends at ThreatLocker - visit https://threatlocker.com and tell them you heard about them down here at the 'Ranch!
Y'all be good now!
Wednesday Mar 13, 2024
The 4 Horsemen & Zero Trust with Dr. Chase Cunningham
How does cybersecurity relate to the four horsemen of the apocalypse? Famine, Pestilence, War, and Death? In this episode, Dr. Chase Cunningham, renowned Zero Trust expert, author, instructor, Chief Strategy Officer, advisor, etc., examines the 4 conditions on our planet represented by the four horsemen, ties it all to cybersecurity, and then solves it all with Zero Trust. It's quite a ride and an adventure you should listen to!
Allan tries to keep up in this episode that jumps from topic to topic, but all with a zero trust underpinning.
It's another LIVE! episode recorded at Zero Trust World 2024 in Orlando.
Sponsored by our good friends at ThreatLocker.
Y'all be good now!
Wednesday Mar 06, 2024
Incident Response Done Right with James Keeler
Howdy, y'all! Allan went down to Orlando, Florida and recorded three LIVE! shows at Zero Trust World, a conference sponsored by ThreatLocker. This is the first of those three shows.
James Keeler of LMT Technology Solutions has a steady hand on the incident response wheel and a lot of experience under his belt as well. After seeing James speak on a panel at Zero Trust World, Allan asked him to be on the show.
Join Allan as he asks James to walk us through his philosophy of incident response, the underpinnings, the steps and just about everything else about Incident Response as well.
This show is sponsored by our good friends at ThreatLocker - visit https://threatlocker.com and tell them you heard about them down here at the 'Ranch!
Wednesday Feb 28, 2024
Neurodiversity in Cybersecurity with 3 Guests!
This week Allan is joined by Leigh Honeywell (CEO of Tall Poppy), Nathan Case (Federal CISO at Snyk), and Ryan Macababbad (Currently looking. HIRE HER!), three cybersecurity professionals with broad backgrounds in cyber, and all three of whom are neurodivergent.
Allan, in fact, has been recently diagnosed as being on the autism spectrum, albeit 'high functioning' (as the diagnosis indicates) or 'low support needed' (as the autism community prefers to call it).
With his recent diagnosis, Allan decided to reach out to friends in the neurodiverse community to discuss:
The positives of neurodivergence
Neurotypical responses and stereotypes about the ND community
Cybersecurity-specific benefits to being ND
Tips/Advice/Support for those who suspect or know that they are ND
Wednesday Feb 21, 2024
Below-the-OS Security with Yuriy Bulygin
Fun fact: There are more vulnerabilities and exploits below the OS layer than above it!
CPUs, BIOS, Firmware, embedded Linux, FPGAs, UEFI, PXE... The list goes on and on. What are we supposed to do about that?
Allan asked Yuriy to come down to the 'Ranch to discuss this issue with him. Yuriy is CEO at Eclypsium, member of the Forbes Technology Council, Founder of the open source CHIPSEC project, former head of Threat Research at McAfee, former Senior Principal Engineer at Intel… He is uniquely qualified to discuss these issues.
Full DISCLAIMER: Allan is CISO at Eclypsium. Note that he asked Yuriy to come on the show, not the other way around. Nobody knows this space like Yuriy and his team.
Allan asks Yuriy about:
The history of CPU exploits
Unauthorized code in chips in network gear
The various hacks available at this layer
The role of SBOM in all this
The open source CHIPSEC project
It's an eye-opening show to say the least.
Y'all be good now!
Thursday Feb 15, 2024
Ownership of Risk and Accountability
In this episode, Allan flies solo, as he is finally willing to speak on an issue he has been mulling and fussing over for some time: the two-fold CISO laments of:
"We have all the accountability and none of the authority!"
"We don't own the risk - we advise the business"
Allan is refuting both of these claims.
Allan calls up examples such as project managers, contract lawyers, CFOs in his argument.
He also demonstrates that we have far more authority than we think, and also that we can earn even more.
As to advising the business, and the business owning the risk, we have here two contradictions to one of the show's mantras: "BE the business!"
You will hopefully come away from this show with some different perspectives on these two claims.
Y'all be good now!
Wednesday Feb 07, 2024
Get That Seat at the Table! with Jim McConnell
We declared a while back that 'not having a seat at the table' was a tired CISO topic. So we decided to solution the complaint.
Hopefully we pulled it off.
Join Allan and Jim McConnell, Principal at Ask McConnell, LLC and former Fellow in Corporate Security Protection Operations at Verizon, as they take on the challenge of solving this common lament.
There is a fierce round of "answer pong" as they throw out suggestions on how to earn that seat, but they also cover:
What does it mean to have a seat at the table?
Ownership vs. advising
Bridging the chasm between the two
Supplier/Vendor to the business - is that a good model?
BE the business (yes, that always comes up!)
How to become a business expert
And of course, the aforementioned game of Answer Pong as to how to earn that seat.
Y'all enjoy the show, and y'all be good now!
Wednesday Jan 31, 2024
Getting a NACD Directorship Certification with Pat Benoit
Pat Benoit, CISO at Brinks, returns to the 'Ranch to visit Allan and to chat about his newest achievement - Pat got a NACD Directorship Certification!
Allan has often thought about doing this as well, so he got Pat on the mic to talk about his whole experience:
Why did you do it?
How hard was it?
What was involved?
What do you hope to get out of it?
Did you farm around for alternatives?
Is there more you plan to do?
As topics for shows go, this one is short and sweet. But Pat, as always, spins a very human tale that will keep you engaged.
Y'all be good now!
Wednesday Jan 24, 2024
Integrating with the Business with Ayman Elsawah
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest is Ayman Elsawah, who, like Allan these days, is a fractional CISO and founder of his own security company. He has done the fractional CISO thing many times. He has also been a professor, a security consultant, and a cloud-specific security consultant. His tenure includes eBay, NCC Group, Justworks and Masterclass. Ayman and Allan are talking about how cybersecurity teams can integrate themselves with the rest of the business.
So we talk about the role of the CISO in business enablement all the time. Allan argues, based on the wise words of Scott McCool, a friend and mentor, that we are not here to enable the business. Rather we are here to BE the business. The distinction is that enablement still puts the CISO off to the side of the goings on. Being the business means that the CISO is part of the process, in there with sleeves rolled up alongside CRO, CMO, CFO, CEO, COO, etc. So let’s ask the question twice:
In a B2B context, what are three things a CISO can do to enable the business?
In a B2B context what are three things a CISO can do to BE the business?
Presumably one of these involves being part of the sales cycle?
Let’s drill in on the company’s products/services. Not talking about sales, but rather the products and services themselves, how can we as security practitioners be an integral part of products and/or services? What are three ways we can be the business there?
What about the relationships? How do we strengthen being the business with regards to relationships with our peers?
What about customer-facing activities beyond sales? How do we be the business with regards to our customers?
Challenge round, what about B2C? Melanie Ensign in a panel she was part of said that one way Cybersecurity can help B2C is by reducing support tickets. This is pure genius. Any other B2C tips?
You have your own podcast, and a newsletter, book…. Tell our listeners all about what you offer the cybersecurity world...
Y'all be good now!
Wednesday Jan 17, 2024
Leadership Conflicts with Tom LeDuc
This one was recorded LIVE! in Podcast Alley at the CyberMarketingCon 2023 put on by the Cybersecurity Marketing Society in Austin, Texas.
Marketing!?!!? Say what!?!?
Yup! Allan went down to Austin to catch up with industry players and to participate in the conference as a "creator", i.e., podcaster.
While there Allan ran into his friend Tom LeDuc, CMO at Semperis, and he got Tom to hop on the mic with him to discuss leadership challenges such as conflict, territorialism, jurisdictional disputes, startup mindset vs. bigger mindset... The two of them cover quite a lot of territory.
Some of Tom's story is obviously CMO-specific, but Allan and Tom both universalize the topics and get to the heart of what matters for all leaders.
This show is not sponsored by Semperis, but Allan wants to clarify and be transparent about the fact that he is an advisor to Semperis.
Allan says: "Tom is just a great guy and is fun on the mic!"
Y'all be good now!
Wednesday Jan 10, 2024
Alternative CISO Lifestyles with Andrew Wilder
Howdy, y'all, and welcome to The Cyber Ranch Podcast! Our guest is Andrew Wilder, Retained CISO at Community Veterinary Partners, Member of the Board of Directors at Washington University in St. Louis, Advisory Board Member, former Global CISO, former Regional CISO... He's got a real history in this game. What we're talking about today is retained, fractional, virtual, and part-time CISOing...
Topics addressed:
Challenge of vCISO - do I have a job 6 months from now?
Marketing and sales - building pipeline
OR work for someone else - they get a big cut?
Life insurance in the US is normally employment-based, and paid time off is a thing. Allan's cancer scare brought all of those risks to light.
Tax benefits to 1099
Work/Life balance - or should that be life/work balance?
Two full-time vCISO roles at the same time? Possible...
Fractional, one-offs, consultations
SEC and SolarWinds - a vCISO is not an officer of the company
Andrew calls himself 'retained CISO' - he got that term from our friend Steve Zelewski
Fractional vs. virtual vs. retainers - everyone says retainer is the path to victory, but how does that really work?
Wednesday Jan 03, 2024
A Zero Trust Case Study with John Checco
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest this week is John Checco, aka "Checco", who is overdue for being on the show we freely admit! John is a presence on LinkedIn and in our industry. He’s the author of “Zero Trust: From Aspirational to Overdue”. He’s also involved, as you can imagine, in many other things – various advisory roles, ISSA roles, Infraguard roles… He’s been resident CISO at Proofpoint, for example. He’s also a fire instructor! But we asked John to the show specifically to talk about what he calls “The Misfits of Zero Trust”. John, thank you so much for coming on down to the ‘Ranch!
Questions Allan asks John:
Without revealing any secrets, what was your experience investigating the Zero Trust model for such a large organization?
What are the misfits of Zero Trust?
What are some examples of what you have dubbed as “2nd world affectations”?
What are some examples of what you call “3rd world affectations”?
Where do we go from here?
Where would you suggest highest priorities?
Is Zero Trust here to stay?
What comes next?
Thank you, listeners, for dropping by the 'Ranch! Y'all be good now!
Wednesday Dec 20, 2023
The SaaS Attacks Matrix with Luke Jennings
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest is Luke Jennings, VP of Research & Development at Push Security, former Chief Researcher at Countercept, Principal Security Consultant at MWR… He’s been around the industry. Luke is passionate about tracking the evolution of attacks – how are the bad guys morphing and changing their game in response to our new defenses, and more importantly, new technologies that we use in the first place. Luke, thank you so much for coming on down to the ‘Ranch!
Questions Allan asks Luke:
What is the difference between traditional attacks and the new SaaS cyber kill chain?
Where is the new perimeter in a fully SaaS/remote company? Is it cloud identities?
What is it we’re actually protecting in a fully SaaS/remote company? The data landscape is very distributed now…
You’ve mentioned that certain protective technologies are so good that they have inspired new methods of attack. This is the classic arms race metaphor. What drove the bad guys into attacking SaaS-native companies?
Walk me through the modern kill chain in a SaaS-native company. I’m thinking in terms of recon, access, lateral, escalation – the old model has changed, has it not?
Let's pick specific attacks from the matrix and review them
Sponsored by our good friends at Push Security.
Check them out at:
https://pushsecurity.com/ranch
Wednesday Dec 13, 2023
Identity as the Perimeter with Adam Bateman
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest is Adam Bateman, CEO and Co-Founder at Push Security, based in the UK. Another of our cyber friends from across the pond! He is a former director at the security consultancy MWR, who were renowned in the industry for their specialist research and red team capability. Adam started off as a red teamer himself, and then went on to build and lead the detection and response division of MWR, where they specialized in defending organizations against state-sponsored attacks. Adam came up in the world of offensive security, and it shows in his thinking. He co-founded Push to protect SaaS-native companies, whose data resides in a bazillion places, protected by a bazillion identities. Or maybe just by SSO. But probably a mix. ½ a bazillion known SaaS apps using SSO and another ½ a bazillion using who knows what identity methods?
After our first chat with Adam, Allan really got to thinking about this idea we bandy about that “identity is the new perimeter!” Is that the right model? Is it a complete model? Are there better models to describe our SaaS sprawl security problem? Allan posted his ideas on LinkedIn and LinkedIn got very vigorously into the conversation. We thought Adam and Allan could record a show and hash some of these concepts out, and Adam agreed, so here we are!
In one sense, vulnerable Internet-facing credentials have ALWAYS been a problem. In other words, Identity is not the new perimeter, but is a rather old one. What are your thoughts?
What is happening in the wild? What do the attacks actually look like?
Allan Alford Consulting subscribes to over twenty SaaS applications, and Allan is literally a one-man company. How many SaaS apps are used by the average enterprise? What percentage of those are in the SSO fold? This is truly scary.
How do we get everything behind SSO? How do we get SSO locked down and secure?
What’s our best possible world? Everything behind SSO with a Yubikey? Next best is everything behind SSO with Smartphone MFA app?
Back to this perimeter thing: J. David Christensen agrees with the idea that identity is not a new perimeter. He says it has always been THE perimeter! Jamir Fisher agreed. Robert Mitchell points out that if an identity provider can be compromised, then identity is the M&M defense after all (hard shell, soft center). Our friend Abhishek Singh says authZ and authN combine to form Zero Trust. Once you have zero trust, he says, like it or lump it, identity becomes the attack surface. What are your thoughts on that formula? We found it to be a rather tidy summation, as did our other friend Dan Holden. Thoughts?
Lastly, when we talk identity, we always feel the need to point out that humans are just some of the identities crawling our digital world. Are the solutions we’re crafting for humans using SaaS also good for machine accounts? Application accounts? API-to-API connections?
Sponsored by our good friends at Push Security.
Check them out at:
https://pushsecurity.com/ranch
Wednesday Dec 06, 2023
CSF 1.1 and 2.0 with Geoff Hancock
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest is Geoff Hancock, Deputy CEO and CISO for Access Point Consulting, Former Global Director and CISO over at World Wide Technology. He’s also a Senior Fellow and Adjunct Professor at George Washington University and has held various C-suite and executive roles at Verizon, CGI Federal Advanced Technology, Microsoft, and Advanced Cybersecurity Group. Yup! Another well-established guest. But wait! There’s more! Geoff has been involved in the creation and maintenance of the NIST CSF – the cybersecurity framework whose current version (1.1) dictates more security programs on Planet Earth than any other framework, and whose new version (2.0) will soon be ratified and finalized. 2.0 DRAFT and request for comments have already come out and the comments period is now closed. I asked Geoff to join us here at the ‘Ranch to talk CSF 2.0 with us:
Tell us about your history and relationship with NIST CSF
Let’s talk briefly about the role of frameworks in cybersecurity. I’m thinking of the “compliance != security” mantra here.
2.0 vs 1.1 – what are the highlights?
GV (Govern) Function added
Implementation Examples (Long overdue IMHO!)
What else?
Changes to categories – 2 less overall, but other changes as well…
I was glad to see supply chain called out in specific. That was overdue. What else was overdue?
What should have been in there that is not?
Describe the process if you would for generating a CSF – we have already seen draft and call for public feedback. What’s next?
Y'all be good now!
Monday Dec 04, 2023
SPECIAL EDITION! Charity, Community, Collaboration @ CISO XC w/ 3 CISOs
In this SPECIAL EDITION! Allan interviews the 3 CISOs who created the CISO XC series of conferences:
Cecil Pineda
Jaimin Shah
Randy Potts
CISO XC is the only conference for CISOs (and their reports) that is put on by a team of 3 CISOs and an awesome all-CISO advisory board.
And the amount of money CISO XC gives to charity is MIND BOGGLING. Hint: This year's goal is greater than some CISOs' salaries!!!
In this brief SPECIAL EDITION! you can hear more about CISO XC and its take on its 3 priorities: Charity, Community and Collaboration.
AND you can learn how to sign up for the biggest event yet in March, 2024. That's right! CISO XC is going nationwide!
https://registration.socio.events/e/cisoxcspring2024
This spring you can meet Randy, Jaimin and Cecil as well as Allan and a host of other Dallas-Fort Worth security folks. Practitioners attend free, and the conference will be a blast!
Allan will also be giving out a limited number of cowboy hats to those who can answer trivia questions about CISO XC (hints will be provided).
Y'all be good now!
Wednesday Nov 29, 2023
12 Questions for 12 Guests LIVE! at CISO XC
Allan takes the show on the road again, this time at his all-time favorite conference: CISO XC!
He asks a unique question of each guest, who represent a great deal of breadth in our industry:
Dave Belanger, CISO at Bestow Insurance - What is the most effective way to demonstrate and communicate security program progress to the board?
Tera Davis, CEO at CyberOne Security – How does a vendor forge relationships with a customer to be a strategic advisor and not just another vendor?
Andrew Woolen – Account Executive at Semperis – What do you wish CISOs knew about the vendor side of the fence?
Fred Clayton – Vice President Information Security at GI Alliance – What are you doing to develop talent in your teams?
Mickey Disabato – vCISO at Booz Allen Hamilton – What are the big differences between vCISO and CISO?
Alain Espinosa – Global Director Security Operations at Upbound Group – What is the one thing you would change in cybersecurity today?
Josh Kleen - Enterprise Solutions Architect at Rubrik – As a vendor, how do you see your role in this whole “We’re here to fight the bad guys” thing?
Pat Benoit – Global CISO at Brinks – Why are you sleeping well?
Russell Swinney – CIO & CISO at Infrastructure, Inc. – What is your secret for good staff retention?
Richard Weiss – CISO at AccentCare, Inc. – What are the most unusual, nontraditional cyber skills you have on your team?
Sam Baxter – Global CISO and Data Privacy Officer at AppSpace – What are your favorite sources for staying up to date in this industry?
Michael Anderson – CISO and Deputy CTO at Dallas Independent School District – Outside of the security space, there are inspirations to be had everywhere. What is the one that has most inspired you in cybersecurity?
Y'all be good now!