The Cyber Ranch Podcast
Ride the cyber trails with two CISOs (Allan Alford and Drew Simonis) and a diverse group of friends and experts who bring a human perspective to cybersecurity.
Episodes
Wednesday Nov 22, 2023
American Thanksgiving Holiday
Howdy, y'all! Allan is taking this week off to spend time with family and to give thanks for all the wonderful things in his life - including y'all!
For those who don't track it, there is no Cyber Ranch Podcast four times a year:
American Thanksgiving week
Christmas week
Black Hat week
RSA week
That gives Allan enough breaks throughout the year to preserve his sanity.
Y'all be good now!
Wednesday Nov 15, 2023
Cybersecurity Awareness Month CALL TO ACTION - The Conclusion!
Warning, there might be some naughty language in this one!
The challenge was issued!!!! Allan teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who won???
"Won"?
That's right! Allan, along with George K and George A from Bare Knuckles & Brass Tacks joined forces with Aaron Pritz and Cody Rivers of Simply Solving Cyber!
Together, this trifecta of podcasters weighed in on the October bonanza that is Cybersecurity Awareness Month. While the month started humbly to raise awareness for the general public, it has now become an excuse for vendors to inundate infosec professionals' inboxes with inane messaging.
Introducing: The Cyber Community Month challenge!
Vendors: we challenged you to come up with campaigns that give back to the customer community rather than sending awareness spam.
Client-side practitioners: We asked you to show us how you engage local communities, volunteer at schools, help nonprofits, etc. to spread cyber knowledge!
This is the conclusion and awards ceremony!
Shout-outs to our winners, all of whom did something special for the community.
Carlos Guerrero (deserves special note as a truly committed community builder!)
Gerson Rodriguez
Guidepoint Security
Bugcrowd
Enjoy the show, and y'all be good now!
Wednesday Nov 08, 2023
SEC/SolarWinds Legal Analysis w/ Evan Wolff
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Our guest today is Evan Wolff, partner at Crowell & Moring, and Allan's favorite cyber attorney. Evan has led and managed 100s of investigations including cybersecurity, data breach, insider threats, security incidents and suspected terrorist incidents. Evan also teaches a class at Columbia University in New York City on “Great Hacks in Cybersecurity”. Evan and Allan are good friends and Evan is friends with many other CISOs as well. Evan has never lost sight of his cybersecurity roots, and is still worthy of the title “hacker”. Evan is our go-to whenever the intersection of law and cybersecurity arises. As such, he was the first one we thought of to chat about the latest SEC/SolarWinds situation. Evan, thank you so much for coming on down to the ‘Ranch!
What kind of lawyer is Evan and why can he speak on this topic?
What does disclosure mean, how does this change disclosure?
What is the role of the CISO in all this?
Key Takeaways?
What countries do not have extradition treaties with the USA? (Obviously a tongue in cheek question!)
Wednesday Nov 01, 2023
Defining Budgets with Tim Rohrbaugh
Howdy, y’all, and welcome to The Cyber Ranch Podcast! That’s Tim Rohrbaugh, Founder/Principal at DefaultDenySec, former CISO for JetBlue Airways, advisor, investor: yup! Another Cyber Ranch guest with an awesome history! Tim and Allan were chatting a while back about budgeting cybersecurity programs, and they found out that they disagreed on a rather key point. In true Cyber Ranch fashion, Allan immediately asked Tim to come back to the show and to dig into the issue with him. They are starting with disagreement, which always makes for a better show...
Allan maintains that the cybersecurity budget should be tied to specific risks identified vs. specific business processes and/or assets as determined by Business Impact Analysis. In other words, we identify WHAT we care about, use BIA to tell ourselves HOW MUCH we care, and then we chart the risks to those processes and assets. We then stack rank the risks based on impact but also plausibility (see prior show with Andy Ellis and Chris Roberts as to why Allan uses plausibility and not probability). We then can sit down with the business and say:
For $x we can address these top 5 risks
For $y we can address these top 7 risks
Etc, etc.
Budgets are tight? Lower the risks addressed. It’s that simple!
NOTE: Allan is cheating here with this simplification. Run rate matters. Our existing tech stack is already in play before we address specific risks. So there is accretion there that must be acknowledged. And the question is also begged: How much does the already established run rate actually tackle specific risks vs. broad strokes? EDR, for example, should already be present. Do we say that EDR addresses the ransomware risk or the data leakage risk of HR data or the data theft risk of customer data, and/or… You get the point. Allan's model is not perfect. But what Allan has ALWAYS stood against is the idea that the cyber budget should simply be expressed as percentage of revenue or percentage of IT budget or percentage of anything external to cybersecurity, really.
Tim disagrees and finds flaws in Allan's model:
Should we be tied to IT budget at all? Tim says YES!
Should we only be a percentage of revenue or overall organizational budget? Tim says YES!
What is the value in capping budget via external measures like %age of IT spend or %age of revenue?
How do we tackle run rate vs. specific projects in your model? How does one choose what remains and what gets cut from the to-do list when budget tightening occurs?
What other benefits exist to Tim's model?
Is there a way to reconcile the two models? Is that reconciliation even necessary?
Wednesday Oct 25, 2023
The New SEC Regulations with Jack Powell
Howdy, y’all, and welcome to The Cyber Ranch Podcast! We're joined today by Jacqueline (AKA “Jack”) Powell, CISO at Allianz Life and former Deputy CISO at Hanes. She has also consulted, and has worked at Chevron, General Dynamics, and SACI. Jack has an illustrious career! Jack is here today talking with Allan about the new SEC regulations about cybersecurity. For our listeners, the final version of the SEC ruling came out in late July, and publicly traded companies in America have 5 months to comply. Mid-December is when the switch gets thrown…
Topics covered in this show:
The new ruling and its highlights
Disclosure
Risk Management
Board expertise
What are the implications of the disclosure rules? What are the challenges businesses face? What tools can be leveraged?
It seems that “materiality” is the key term upon which all of this pivots. That term has definition and precedent in financial circles, but how is a cybersecurity professional to interpret it?
What are the implications of the Risk Management rule? If you work with a cybersecurity framework like NIST CSF, for example, you’ve already got at least the basics in place?
And now we get to Board Expertise… CISOs are all anticipating getting board roles overnight, but it’s not that easy. NACD in conjunction with CISA put some material together.
How should CISOs prepare themselves to be ready for a possible board role?
Wednesday Oct 18, 2023
Building Excellent Teams w/ Kymberlee Price
Howdy, y’all, and welcome to The Cyber Ranch Podcast! That’s Kymberlee Price, strategic security consultant, Black Hat content review board member, former Sr. Director of Product Security at New Relic, former Principal Security Manager at Microsoft – Kym has held a variety of roles in our industry, but with one common theme: Kym is an outstanding team builder. She has moved around the various facets of cybersecurity over her career, but always with an eye towards turnarounds, creating new teams, and most importantly, integrating those teams with the rest of the business. Kym is the sort of professional whom companies design job roles for, as what she does is both amazing and necessary. Kym, thank you so much for coming on down to ‘The Ranch!
What are the hallmarks of an excellent team?
How do you measure results?
Wednesday Oct 11, 2023
Bad Behaviors: A Better Way LIVE! with Chris Tillett
Chris Tillett is a well-known figure in our industry. He is in product management and R&D at Palo Alto Networks. He is also a great guy, funny, and can wield the snark quite well. He is the perfect foil for Allan Alford as the two of them take the gloves off, pick on one another, and tear apart bad vendor and bad CISO behaviors. LIVE! At Black Hat!
The two tackle some of the most sensitive pain points on both sides of the fence, and get into solutioning some of the most common CISO/vendor problems. All while donating to Black Girls Code whenever a buzzword gets used.
Their ultimate conclusion? We'd better figure out how to lock arms, as the bad guys have no problems coordinating with each other.
Come together. Right now. Over The Cyber Ranch Podcast.
Sponsored by Palo Alto Networks XSIAM.
Find out more at a workshop near you!
Wednesday Sep 27, 2023
Permissions Management w/ Ron Nissim
Howdy, y’all, and welcome to The Cyber Ranch Podcast! Joining Allan this week is Ron Nissim, CEO @ Entitle. Yes, this is one of our rare shows with a vendor as a guest. Why? Because in this case, the vendor was more highly informed than any of Allan’s practitioner friends he was able to query about the subject. And what is that subject? Permissions Management. One that we’ve never done a deep dive into on this show, and one that’s overdue. So without further ado, enjoy hearing Ron chat with Allan.
What are the fundamental tenets of proper permissions management?
What are the goals?
What does the tech stack look like? What are the different categories you're going to pursue?
What are the differences between mid-market and enterprise when it comes to permissions management?
What is missing still in permissions management?
What do the next 3-5 years look like?
How does permissions lifecycle tie into identity lifecycle?
What is broken with RBAC?
Wednesday Sep 20, 2023
The Cybersecurity Efficacy Gap w/ AJ Grotto
Allan is joined by AJ Grotto: William J. Perry International Security Fellow and Founding Director of the Program on Geopolitics, Technology and Governance at Stanford University. He also serves as the faculty lead for the cyber policy specialization that the university offers through its master's in international policy program. He’s also a visiting fellow at the Hoover Institution. He’s talking with me today about Cybersecurity spend vs. cybersecurity efficacy. AJ, thanks so much for coming on down to ‘The Ranch!
The below points are mostly followed, but the pair also get into CISOs embracing risk, CISOs owning risk, and buying 'lemons' in the cybersecurity market:
So Cybersecurity Ventures says 2023 spending is growing 15% year over year. Between awareness training and tech stack, they are estimating $198+ billion in spend this year on cybersecurity. Techcrunch analyzed the estimated shrinkage of budgets this year based on economic conditions: 45% of budgets remain unchanged or even increased. 3% of budgets were cut by an average of 21.2%. So these figures hold close to steady despite the economic downturn. We spend more and more on cybersecurity every year. When does this end?
Conversely, InfoSecurity Magazine says ransomware attacks surged by 74% in 2023. Wired reports an increase for 2023 as well. We can dig into Verizon and IBM annual reports to see general trends of year-over-year increases as well. Verizon shows 13% increase with a curve that’s trending upward more quickly each year. What gives?
How do we solve this? How do we bridge this gap?
Tactically, we have tech stacks and awareness training and GRC. What is our spend story there vs. this looming threat landscape?
Is the solution to spend less, but more intelligently? In other words, crafty rationalization where we still get full coverage, but spend less?
If we can never close the gap between spend and threat, what are we to do?
Sponsored by our good friends at Seraphic Security.
Seraphic helps you defend your digital workplace with security and DLP for every browser and essential desktop apps like Microsoft Teams, Slack, Asana, and Notion. Protect against compromise and prevent data loss via the web with Seraphic.
Wednesday Sep 13, 2023
Cybersecurity Awareness Month CALL TO ACTION - The Podcast Trifecta!
Warning: Some naughty language in this show, but well placed naughty language!
Challenge issued!!!! Allan has teamed up with TWO other podcasts to take on the insufferable marketing that floods the cybersecurity industry in the month of October! Who among you will win???
Win?
That's right! Allan, along with George K and George A from Bare Knuckles & Brass Tacks joins forces with Aaron Pritz and Cody Rivers of Simply Solving Cyber!
Together, this trifecta weighs in on the October bonanza that is Cybersecurity Awareness Month. While the month started to raise awareness for the general public, it’s now become an excuse for vendors to inundate infosec professionals' inboxes with inane messaging.
Introducing: The Cyber Community Month challenge!
Vendors: we’re challenging you to come up with campaigns that give back to the customer community rather than sending awareness spam.
Client-side practitioners: Show us how you engage local communities, volunteer at schools, help nonprofits, etc. to spread cyber knowledge!
We’re awarding prizes in November. Share your efforts on social media with the hashtag #CyberCommunityChallenge
Sponsored by our good friends at Entitle.
Entitle is how cloud-forward companies provide employees with granular and just-in-time access within their cloud infrastructure and SaaS applications. Whether it's providing access to production for on-call engineers or granting access to customer data when a support ticket is opened, Entitle easily integrates with your stack, offering self-serve access requests, instant visibility into your cloud entitlements and making user access reviews a breeze. Learn more at entitle.io
Thursday Sep 07, 2023
Protecting Small Organizations w/ Georges Merchak
Nearly 43% of cyber-attacks are on small businesses.
82% of ransomware attacks were targeted at companies with less than 1000 employees.
61% of SMBs were the target of a Cyberattack in 2021.
37% of companies hit by ransomware had fewer than 100 employees.
And yet...
36% of small businesses have no concern whatsoever about cyberattacks. Another 59% of small business owners who have no cybersecurity believe that their company is too minuscule to be targeted.
47% of businesses that have less than 50 employees don’t allocate any funds towards cybersecurity, while 51% of small businesses don’t utilize any IT security measures.
The threat is real, but preparedness is not. Join Allan and Georges Merchak as they tackle the nuances of protecting small organizations. Georges is an industry veteran who has held many full-time practitioner roles, but also consulting roles. Georges has served small business.
Together they address:
Vs. bigger businesses, what are the challenges and benefits for the small guys? Are there any benefits?
Is there value for a CISO to consult with these guys?
What is different about their attack surface?
So security is their least concern, and yet it sure seems like it should be a big concern. How do we educate them?
What’s the maturity rollout? There is no way you can tackle a small business’ entire cyber problem in one go…
What are the low-hanging fruit? Some very practical steps?
Y'all enjoy!
Sponsored by our good friends at Seraphic Security.
Wednesday Aug 30, 2023
Nowhere to Hide w/ Chris Roberts
You know you're being watched, right?
Imagine for some reason you needed to bury a treasure where nobody would ever find it. In today's society, how could you even do that? How can you get from Point A to Point B without being observed or tracked in some way?
Did you know that you can be listened to through smart lightbulbs?
This episode features the infamous and always gracious Chris Roberts, back again on the 'Ranch during this LIVE! recording from the HIP Global 2023 conference in NYC.
Chris and Allan talk about these subjects and more in an eye-opening show about just how much folks can see you and hear you.
Join in and become just a little more paranoid...
Sponsored by our good friends at Seraphic Security.
Wednesday Aug 23, 2023
Cybersecurity in Popular Culture w/ George Finney LIVE!
In this LIVE! show at Black Hat, Allan and his friend George Finney (recurring guest, CISO @ SMU, multi-times author and CEO of Well Aware Security) discuss cybersecurity in popular culture. They talk about the impact on real-world cybersecurity practices of such non-fiction gems as Clifford Stoll's book The Cuckoo's Egg and such cheesy fictional accounts as the movie Swordfish.
It might have made you groan, but it might have inspired you and others.
It might have represented what we do well enough that you can refer people to it who ask after our craft. Or maybe the portrayal was so bad it was laughable.
Join Allan and George LIVE! at Black Hat as they pick apart their favorites and take suggestions from the audience as well... Hack the Planet!
Sponsored by our good friends at Seraphic Security.
Wednesday Aug 16, 2023
Allan Interviews EVERYONE at Black Hat
Did you miss Black Hat this year? Well you won't miss the great conversations that were had, as Allan captured so many good ones for this special Black Hat retrospective episode.
Did you get to attend Black Hat this year? See if your experience was as amazing as Allan's! This show is LIVE and untarnished. It's the real Black Hat experience!
In this episode, Allan talks to (in alphabetical order, with timestamps):
1:02 - Dani Woolf, Founder & CEO at Audience 1st
3:06 - Daniel Blackford, Manager of Threat Research @ Proofpoint
6:48 - Dean Sysman, CEO @ Axonius
8:19 - Deepen Desai, Global CISO & Head of Security Research @ ZScaler
15:39 - G. Mark Hardy, host of the CISO Tradecraft Podcast
18:42 - Glen Pendley, CTO @ Tenable
23:54 - Kayne McGladrey, Field CISO @ Hyperproof
24:52 - Leigh Honeywell, CEO @ Tall Poppy
25:52 - Masha Sedova, CEO @ Elevate Security
28:47 - Nate Warfield, Director of Research @ Eclypsium
31:43 - Rich Berthao, Cybersecurity Leader, Planner, and Innovator
32:41 - Rob Labbé, CEO and CISO in Residence for the Mining and Metals ISAC
This show captures an amazing week!
Sponsored by our good friends at Seraphic Security.
Wednesday Aug 09, 2023
Allan is at Black Hat
A brief thank you to our listeners and a request for feedback on the show.
We'll catch y'all next week!
Wednesday Aug 02, 2023
The Open Source Security Foundation with Omkhar Arasaratnam
The OpenSSF is doing invaluable work for the cybersecurity community. And their new managing director happens to be Omkhar Arasaratnam, whose appearance on the show a while back created one of our most popular episodes ever! Omkhar is back to talk about the OpenSSF:
What is the OpenSSF and how does it relate to the Linux Foundation?
What is the organization's mission?
What is the organization's vision?
What exciting projects are taking place (and a sneak peek about some upcoming announcements at Black Hat!)
What mark do you want to leave on the OpenSSF as Managing Director?
Omkhar is an expert in DevOps and CI/CD. He is an expert in security. His passion is supply chain security. You can see where all of this can come together in his new role and make amazing things happen for your industry. Y'all enjoy, and y'all be good now!
Wednesday Jul 26, 2023
Cloud Security Remediation w/ Tunde Oni-Daniel
Cloud security remediation can be a daunting task that impacts Dev, Sec and Ops teams all. And it can be a huge, manual, pain in the... You get the idea. But there are techniques to navigate it and to overcome many of the common traps and hurdles.
Tunde Oni-Daniel is a grizzled veteran in our industry who has managed to maintain his enthusiasm, passion and energy for the job. Tunde is an expert on cloud remediation and together he and Allan discuss:
Cloud lifecycle
Challenges when findings happen
Drift management
Bugs vs vulnerabilities
Sec/Dev/Ops relationships with regards to remediation
What works, what's fast?
The next 3-5 years of cloud remediation
This one is a phenomenal show packed full of practical tips and high energy.
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.
Wednesday Jul 19, 2023
Things We Believe But Cannot Prove w/ Drew Simonis
In this episode, Allan and Drew tackle an interesting subject that was suggested by Drew and that Allan posted for the LinkedIn community to gather around: things we believe in cybersecurity that we cannot prove.
The LinkedIn conversation was phenomenal, and Drew and Allan do a great job of summarizing it and calling out the underpinnings behind much of what we believe in this industry.
Questions Allan asks Drew:
What inspired this topic?
What were some of your favorites from the LinkedIn thread?
What are the underlying themes here?
Is BYOD security really a thing?
Are third-party risk assessments useful?
Special thanks to LinkedIn posters:
Peter Schawacker
John Prokap
Duane Gran
Brian Campbell
Matthew Dimmick
Graham Lewendon
Marcus W.
Dmitriy Sokolovskiy
And everyone who participated in a very lively thread...
Sponsored by our good friends at Dazz.
Wednesday Jul 12, 2023
Board Reporting with Kate Kuehn
Kate is a legend in our industry. She is a multiple-times board member herself and has reported to boards in a wide variety of roles. She is currently Chief Trust Officer at Aon. Allan and Kate have intended to get her down to The Cyber Ranch for some time, and the stars finally aligned in this fantastic episode jam-packed with great advice.
Do please forgive the sound quality on this one. It was recorded on the road, and the conversation was too amazing to re-record despite the quality issues.
Kate and Allan cover:
Best human approaches in board communicating – everything but the presentation itself
How to get to know your board both individually and collectively
What to present
What not to present
Best tips and tricks overall
Sponsored by our good friends at Dazz.
Thursday Jul 06, 2023
Allan Answers LinkedIn Questions
This week Allan flies solo and tackles a variety of questions that came in from LinkedIn - including his origin story.
Allan tackles the following questions:
How does a CISO protect themselves from prosecution?
How does one get value from a cybersecurity assessment?
How should one pick a cybersecurity solution or company?
How do you "disconnect" from cybersecurity?
How to start and sustain a cybersecurity podcast - why and why not?
Allan's origin story
Allan argues with himself over two issues
NOTE: Allan states: "I have no idea why anyone would want to hear my origin story, but here it is. You can skip it if you like. It runs from roughly 19 minutes to 24 minutes."
Sponsored by our good friends at Dazz.
Wednesday Jun 28, 2023
The Real Implications of Contemporary Exploits with Anne Marie Zettlemoyer
The MOVEit breach has been top of mind, especially with SolarWinds and Colonial Pipeline and Log4j and all the others having been so recent. It is easy to blame the victims. It is easy to make excuses that nobody can defend against a Zero Day. There are a lot of easy responses to these kinds of affairs.
But what Allan and Anne Marie Zettlemoyer get into in this episode is a variety of questions around the assumptions:
Start with a quick summary of the MOVEit exploit and Clop.
How does this attack compare to SolarWinds?
What can we do to prepare for zero-day exploits?
Is society (and the business world) getting jaded to ransomware attacks and breaches? Is this affecting their investments in cyber?
Is a post-breach CISO really rolling in the assets and resources the way so many assume?
What are the long-term implications for a business, its stock prices, and its CISO investment?
This is another episode that strives to get deeper than the surface. We hope you learn something from it, and we hope you enjoy it as well. Y'all be good now!
Sponsored by our good friends at Dazz.
Thursday Jun 22, 2023
Zero Trust & DSPM with Claude Mandy - SPECIAL LIVE EDITION
This episode was recorded LIVE at the 2023 Symmetry Systems Unconference on Zero Trust, adjunct to RSAC 2023.
Allan is joined by his friend Claude Mandy, former CISO, former analyst, and now Chief Evangelist at Symmetry Systems. Like Allan, Claude is a Zero Trust enthusiast. The podcast was the capstone to a long day of Zero Trust presentations, panels, book reviews and other great topics and conversations.
Join Allan and Claude at this live recording that covers:
- How does DSPM fit into Zero Trust?
- Allan's victory at a recent Digital Fight Club event where he championed Zero Trust
- Overcoming Zero Trust marketing hype
- Is Zero Trust a framework, an architecture, or something else? Hint: Claude says it's something else.
- What are the biggest challenges in implementing Zero Trust?
- What are the benefits to the business of Zero Trust?
- Security is about the intersection of Data & Entities - not about Assets
- What are the most exciting aspects of RSAC 2023 for Claude and Allan?
Wednesday Jun 21, 2023
Money with Nick Vigier
Money is the hardest thing for a CISO to acquire. As with last week's show on Time, Money has to be spent wisely as well. Perhaps the tricks to spend it wisely directly relate to how we can acquire more the next cycle to achieve the mission we know we need to achieve. In this episode we cover:
- What are the best methods for securing a budget?
- How do you structure your budget to align with business costs (COGS, R&D, CAC...)?
- What are some good ways to save money as a CISO?
- How do you best lower vendor costs for the long term?
- How can a CISO help make money for the business?
Sponsored by our good friends at Dazz.
Wednesday Jun 14, 2023
Time w/ Paul Robinson
Time is one of our most precious commodities as security practitioners. And yet we have traditional time sinkholes where we waste time, lose time, and spend time. Join Allan and Paul Robinson, Founder and Managing Director at Tempus Network, as they explore several of these areas and give concrete tips on how to save time as security practitioners:
- Keeping up with industry trends
- Managing cyber incidents
- Third-party questionnaires (both directions!)
- Vendor onboarding
- Work from home vs. going into the office
Sponsored by our good friends at Dazz.
Wednesday Jun 07, 2023
FedRAMP, StateRAMP, TX-RAMP with Jay Adams
Join Allan and his guest Jay Adams, CISO @ Enchoice and former security architect for several large private and public sector efforts - from M&A activities to massive public portals.
Jay is going through TX-RAMP right now, and both he and Allan have done research on FedRAMP and StateRAMP as well.
What are the differences? Why might you choose one over the other? What are the gotchas?
This is a great show and you'll get to learn a bit about Allan's brief foray into state government as well...
Sponsored by our good friends at Dazz.