The Cyber Ranch Podcast

This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023.  Guests include:
Gary Hayslip, CISO @ Softbank Investment Advisers
Michael Calderin, CISO @ YAGEO Group
David Cross, CISO @ Oracle SaaS Cloud
Audra Streetman, Security Strategist @ Splunk
Adrian Peters, CISO @ Vista Equity Partners
Robin Sundaram, CISO @ RELX
Merritt Baer, Office of the CISO @ AWS
Rob Wood, CISO @ Centers for Medicare & Medicaid Services
Bryan Green, CISO Americas @ ZScaler
Stephanie Derdouri, Sr. Manager, Information Security and Technology Risk Management @ Capital Group
Andres Andreu, CISO @ 2U
Paul Love, CISO & Chief Privacy Officer @ Co-op Solutions
Royce Markose, former CISO
Bob Schuetter, CISO @ Ashland
Susan Thomas, CEO @ 10Fold
Brian Markham, CISO @ EAB
Ken Foster, VP of IT GRC @ FLEETCOR
Elizabeth Martinez, Account Exec @ ThreatLocker
Josiah Dykstra, Senior Fellow, Office of Innovation @ The NSA
Kevin Brown, CEO @ Innit
Brent Deterding, CISO @ Afni
Audra Streetman, Security Strategist @ Splunk
Wendy Whitmore, SVP, Unit 42 @ Palo Alto Networks
I ask my guests several questions including:
How do you impact the top and bottom line?
What topics are you tired of in cybersecurity?
There are also some special interviews at the end - discussions about the RSA conference itself, tech stack sprawl, and personal branding and marketing for CISOs.  Oh - and a question about how vendors and CISOs can work better together AND a conversation about how government and industry can work together in cybersecurity.
Give this one a listen!  It's jam-packed with great insights!
Sponsored by AttackIQ & Semperis.
AttackIQ offers a new fully managed breach and attack simulation service.  They are the premier provider of MITRE ATT&CK-based security control validation.  https://attackiq.com
Semperis provides the industry's most comprehensive Active Directory and Azure AD cyber resilience platform, supported by specialized AD incident response expertise.  https://semperis.com
 
 
 

This week's show is exciting because Allan has been waiting for Andy's book on leadership to come out for quite some time.  The book is called “1% Leadership – Master The Small, Daily Improvements That Set Great Leaders Apart”, and it consists of 54 chapters - each of which presents a specific facet of good leadership in a nearly "buffet style" manner. You can pick and choose topics that resonate with you and dive right in.
Allan picked 6 chapters that resonated with him in particular and got Andy to elaborate:
Chapter 1 - “Personal improvement is a prerequisite to leading professionally”
Chapter 6 - “Gift kindness where it isn’t expected”
Chapter 8 – “An uncompelled apology unburdens everyone”
Chapter 13 - "Your wellness is one of the greatest assets you control" (Listen as Andy hits Allan straight in the feels on this topic)
Chapter 24 – "People need to see versions of themselves to feel welcome"
Chapter 35 - "In general, be vague"
The book is amazing, these particular chapters are amazing, and Andy's expounding upon them is amazing as well!
Y'all be good now!

This episode is a bit scary.  Adrian Sanabria, who on an earlier show busted many cybersecurity myths, is back again, this time analyzing the impact of Large Language Model Artificial Intelligence on a hypothesized skills gap on the bad guy side.
Premise One: Given how many organizations that are vulnerable and that have NOT been breached, the bad guys are suffering the same skills gap we are.
Premise Two: Exploit attacks (think of exploits as ransomware, data hostage situations, threats to publish breached data, etc.) can benefit from LLM AI.
It's really that simple a connecting of the dots.  Adrian and Allan deconstruct the steps of an exploit attack, analyze the capabilities of LLM AI and cross-reference the two.
If they are right, then we have a burden of leveraging and learning LLM AI ourselves, as quickly as possible...
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

This is Part 1 of an incredible series of interviews Allan conducted live at RSA 2023.  Guests include:
Chris Kennedy, CISO @ Citadel
Gary Hayslip, CISO @ Softbank Investment Advisers
Michael Calderin, CISO @ YAGEO Group
Reet  Kaur, CISO @ Portland Community College
Rob LaMagna-Reiter, CISO @ Hudl
Matthew Lang, vCISO
David Cross, CISO @ Oracle SaaS Cloud
Audra Streetman, Security Strategist @ Splunk
Vishal Amin, General Manager of Security Solutions (Federal) @ Microsoft
Adrian Peters, CISO @ Vista Equity Partners
Kelly Shortridge, Author of “Security Chaos Engineering: Sustaining Resilience in Software and Systems”
Robin Sundaram, CISO @ RELX
Merritt Baer, Office of the CISO @ AWS
Tim Rohrbaugh, former CISO & Industry Leader
Rob Wood, CISO @ Centers for Medicare & Medicaid Services
Bryan Green, CISO Americas @ ZScaler
Stephanie Derdouri, Sr. Manager, Information Security and Technology Risk Management @ Capital Group
Andres Andreu, CISO @ 2U
Paul Love, CISO & Chief Privacy Officer @ Co-op Solutions
Royce Markose, former CISO
Bob Schuetter, CISO @ Ashland
I ask my guests several questions:
What is the best part of RSAC 2023 for you?
What is the single most critical skill a security leader needs?
What's missing in cybersecurity?
What is your take on Purple Teaming and MITRE ATT&CK?
How do you co-lead the organization?
There is also a VERY special interview with James Stanley, Chief of Product Development at CISA at the end.  Don't miss it!
Sponsored by Semperis & AttackIQ.
Semperis provides the industry's most comprehensive Active Directory and Azure AD cyber resilience platform, supported by specialized AD incident response expertise.  https://semperis.com
AttackIQ offers a new fully managed breach and attack simulation service.  They are the premier provider of MITRE ATT&CK-based security control validation.  https://attackiq.com
 
 

Leadership skills, technical skills, cybersecurity skills, pluck, drive and determination are all on display as Allan interviews Merav Bahat, CEO @ Dazz and Mickey Bresman, CEO @ Semperis.
Dazz has completed a Series A investment round.  Semperis a Series C.  It turns out that the skills each CEO needs are still remarkably the same.
Saddle up for another episode, where Allan asks his guests:
What’s the coolest thing that has happened for you or to you as a startup CEO?
What has been the biggest single challenge?
What are your top 3 tenets of leadership?
What is the purpose of vision and how clear must it be?
What is the purpose of mission and how clear must it be?
What is your advice to those who would want to become a startup CEO?
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

What is security chaos engineering?  You may remember Kelly Shortridge, our very first guest, who came on the show to talk about behavioral economics and cybersecurity.  Well Kelly is back to talk about her new book, "Security Chaos Engineering: Sustaining Resilience in Software and Systems".
 
Security chaos engineering is derived from chaos engineering, a relatively new discipline in software development that seeks to test distributed computing systems to ensure that they withstand unexpected disruptions.  It's all about resilience, in other words.  Security chaos engineering seeks to do the same for the security of such software systems.
 
Kelly breaks down her book during a lively conversation featuring an opinion or two her cat, Link (yes, a Zelda reference!):
Who should read this book?
Resilience in software and systems
Systems-oriented security
Architecting and designing
Building and delivering
Operating and observing (Allan's favorite chapter as it intersects with one of his Zero Trust tenets)
Responding and recovering
Platform resilience engineering
Security chaos experiments (a very fun chapter!)
Case studies
Note that the book is peppered with references and quotes from other disciplines.  We would expect no less from Kelly.
 
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

Bryan Liebert is one smart cookie.  Who bakes cybersecurity cakes.  But seriously, Bryan has been a CISO, consultant, architect, and has served many other roles in cybersecurity.  His specialty is creating simple to digest (we could not help it, sorry!) models for managing and reporting on cybersecurity programs and practices.
Join Bryan and Allan as they serve up (we're still doing it!) a lively and informative episode!
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

Adrian Wright, "The Cynical CISO" of LinkedIn fame, joins Allan to discuss four areas where cybersecurity is perhaps getting it wrong:
Cybersecurity viewed as a necessary evil, related to The Twilight Zone
Ownership, Authority, Accountability: Inventory and Means of Control
Are WE the baddies?
(Largely) Forgotten Security Principles
Allan and Adrian dissect cybersecurity practice in this great episode!
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

Join us for a SPECIAL EDITON! episode of The Cyber Ranch Podcast LIVE! from CISO XC in Dallas-Fort Worth, Texas!
The topic is data security: its challenges and how to overcome them.
Joining Allan are Cecil Pineda of R1 ("Cecil the CISO") and Gene Moore of Securiti.
The conversation is live and lively, recorded as-is and delivered to you.
Enjoy!
Sponsored by Securiti - https://securiti.ai/

We always think of cybersecurity startups as companies who contribute to the tech stack in an organizational environment - usually the enterprise.  We also think of personal cybersecurity in terms of protecting Grandma or our kids from the bad guys.  But these two worlds intersect far more than you would think, and the techniques for addressing these problems intersect as well.
This week Allan is joined by Leigh Honeywell, CEO at Tall Poppy, to discuss these intersections.  Leigh is uniquely qualified, as her non-traditional startup addresses "personal security outside the firewall", which includes executive protection...
 
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

Emily Heath is a well-known and well-respected figure in cybersecurity.  She has been a CISO three times in a variety of industries, including software and a major airline.  She has been in law enforcement, is a partner at a VC firm, and serves on boards of directors as well.
With this wealth of experience she has come to value design partnerships - working with small startups to help craft their solutions to meet hers and their needs.
But what are some of the challenges in design partnerships?  Allan and Emily tackle the following questions:
What inspires one towards design partnerships?
How can a practitioner design partner help a first-time founder?
Where does the innovation come from in this model?
Does the vast amount of cyber vendors help or hinder the design partnership model?
What are the pros and cons of alternatives to design partnership?
How does a practitioner get started with design partnership?
Sponsored by our good friends at Dazz:
Dazz takes the pain out of the cloud remediation process using automation and intelligence to discover, reduce, and fix security issues—lightning fast. Visit Dazz.io/demo and see for yourself.

This week Allan is joined by Karla Reffold, COO at Orpheus Cyber.  Yes, that makes her a vendor, but, yes, she follow's the show's rules:  She is a friend, not a sponsor; she is not all vendory; and most importantly she is a subject matter expert on this week's topic: advisory boards!
In fact, Karla has written an ebook on the subject which is available here:
https://karlareffold.co.uk/advisory-boards-guide-book
Topics covered in the show:
- The ethical entanglements of being on an advisory board
- Paid vs. unpaid advisory board roles (and cash vs. equity)
- Advisory board roles as kickbacks (yes, it happens)
- Advisors who are customers vs. advisors who are not
- Do advisory board roles help or hurt a CISO's career?
Enjoy!  Y'all be good!
 

Becoming a CISO means changing a lot of perspectives.  Individual contributors need to learn this, and the CISO is the best one to teach them.  "They're never going to get it!" is a mantra used by both sides of that dialogue, and that is not a solution.  Will and Allan discuss:
 
- What precepts really are "obvious"
- How does one onboard leadership and business perspectives?
- What should CISOs do to ensure their teams gain those perspectives?
- What can individual contributors do to ensure that they gain those perspectives?
- The value of self-teaching and mentorship
- Beliefs we should get rid of
 
It's a great conversation!  Ya'll enjoy it!

This episode is a story about an entire vendor encounter gone horribly wrong.  Allan is joined by Paul Moreno, VP of InfoSec at Catawii, formerly SVP of Cybersecurity at Adyen, investor and advisor.  Paul found a cybersecurity vendor.  Paul found good references.  Paul got referrals from peers.  Paul did a PoC.  And after that, it all went downhill.  Paul was kind enough to share his story as he and Allan pick apart the failings and deliberate on ways we can all avoid such encounters.
Topics covered are:
- How to spot lies
- Vetting the vendor's internal security landscape
- ISO 27001 Statement of Applicability
- Breaches and whistleblowing
- GDPR violations in charging to delete data
It is a story you will want to hear, and the analysis just might save you some pain down the road...
Sponsored by Allan Alford Consulting https://allanalford.com/about
 

Join Allan and Dr. Mike Brass (whose degree is in archaeology!) as they jointly explore the technical side of the house vs. the GRC side of the house, noting that GRC can be a great path to CISO.
Hear Mike's journey from IT technician to GRC to CISO.
Topics Allan and Mike cover:
The tension between tech teams and GRC teams, and how a CISO can bridge the two teams
Reasons why GRC makes such a great background for the CISO role (and how to get there)
What engineering/architecture folks should know about GRC
What GRC folks should know about the tech side of the house
What the rest of the business should know about GRC
You also get to hear Mike's journey, which has spanned small and large companies, government think tanks and more!
Sponsored by Allan Alford Consulting https://allanalford.com

We have this idea that we can be perfect.  And we know that idea is unsound.  So we settle for imperfection.  But are we doing that purposefully?  Do we have a conscious plan for embracing imperfection?  How can we, as cyber professionals, embrace our imperfection meaningfully and with intent?
 
Join Allan and Robin Sundaram as they explore this topic, covering areas such as:
NIST CSF is all about imperfection
Embracing CMDB imperfection
Vulnerability Management and Patch Management
Product/Project Rollouts
Dev teams and the pipeline
Imperfection and GRC
It's a great conversation and you are sure to learn a thing or two!
Sponsored by Allan Alford Consulting: https://allanalford.com

In this episode, Allan is joined by Omkhar Arasaratnam, a force in the industry and an expert in the intersection of software and security (you may remember Omkhar from an earlier show about supply chain security).
They challenge each other to a game, "Technical Case vs. Business Case", where they must provide both arguments for a given technology deployment.  The real subtext here is that whenever these two get together, they always lean towards a technical conversation, so they are challenging themselves.
Topics Covered:
MFA
Service Accounts
Refresh Cycles
Token Expiration
Recovery Emails
Regulatory Mandates
Biometrics
SBOM
It's a lively conversation and we hope you will find value in it!
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com

Join Allan, Shaun Marion (CISO of McDonald's) and ChatGPT itself for a lively conversation about the implications of this new tool, AI in general, and nuances about ChatGPT's usage.
Even after controls were put into place to prevent ChatGPT from helping the bad guys, Allan and Shaun were able to trick it into giving up details on hacking, authoring phishing emails and more.
Shaun and Allan explore the potential for abuse and the positive promise and excitement that this new era of AI is ushering in.
What are the societal implications of ChatGPT?
What are the positive advances of AI?
Should we be cautious with what we feed ChatGPT?
Hear answers to these questions and more on this week's lively episode.
 Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com

How important are communications after your company has been breached?  They can make or break customer perception, and the perception of the world.  Bad communications are perceived as bad intent.
Joining Allan this week is Heather Noggle, owner of Codistac - a company that specializes in cyber communications, advocacy and awareness.  She studied communications in college, and takes this stuff very seriously.
The pair cover LastPasss, Okta and Reddit breaches, comparing the bad to the good.
Topics covered:
Poor editing of communications
Willful non-communication
Obfuscation
Apologies
Letting the lawyers have their say - but not the last say
The balance between speed and accuracy
It's a great conversation and a great show.
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com

Do you want to be a CISO one day?  Are you a CISO today who wants to strengthen your ties into the rest of the business?  The Business Information Security Officer (BISO) role is one you should explore.
The role can vary quite a bit, as you will hear on this episode with not one, not two, but three BISOs joining Allan Alford to discuss the role and its nuances:  where it fits, what is required, how it is best positioned and managed.
Allan has been a BISO himself and has managed BISOs as well, so the conversation is rapid and productive.
Join Allan along with Ann Hines (BISO @ USAA), James Binford (BISO @ Humana) and Matt Winkeler (BISO @ Equifax) as the explore the BISO role.
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com

Joining Allan today are two folks who are passionate about leadership – not just practicing good leadership, but instilling good leadership in future generations.  Joey Rachid is CISO in the ecommerce and financial services industry, is on advisory boards, has worked for the Big Four, and more importantly is a former US Marine (although all the Marines will tell you there is no such thing as a former Marine!)
Scott Moser is SVP and CISO at Sabre Corporation, has also been a CISO for Caesar’s (the gaming and hospitality company), and has held some very interesting military roles of his own.  In a joint branches capacity, Scott has been a CIO in Alaska.  For the US Air Force, Scott has been a Commander and an IT Director, all over the world.  He has also worked for the Joint Staff in Washington, DC as a branch chief. 
These two gentlemen speak about leadership holistically - how to exhibit excellent leadership yourself, how to train for good leaderships, and how to foster it in others.
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs.  Find out more at https://trustmapp.com

This week Allan is joined by Nipun Gupta, and industry veteran who has been a consultant, practitioner, vendor, advisor and investor.
The topic is "What are we really protecting in cyber?" and the nuances of that question are explored in depth - as well as the interrelationships.
Is "protect the business" a guardrail statement while "protect data and people" is the mission?
How do we tie protecting people to protecting the business?  For the people?  For the business?
How do we map data to the business mission?
How far do we go to protect data?
What about this new DevOps, application-centric world?
Enjoy this conversation!  It's a lively one.

This week, Allan is joined by Peter Schawacker, CEO @ Nearshore Cyber, former CISO, advisor to MSPs, etc.  Another one of Allan's illustrious guests with 25 years in cyber.  (https://www.linkedin.com/in/schawacker/).  The topic started as all that the two have learned outside of cybersecurity that has helped them in cyber.  But it gets way more esoteric than that, and quickly.  Detailed show notes and links are provided below because this show is all over the place!
02:11 Point MOOt, Texas: MOO-based virtual city with virtual economy, virtual stock market, various political models of governance and high preponderance of highly interactive bots used for practical and administrative purposes.http://linguafranca.mirror.theinfo.org/9405/moo.htmlhttps://archive.nytimes.com/www.nytimes.com/books/first/l/leonard-bots.html
04:49 A fast tour of the the age of the universe, Planet Earth, and humans' presence on the planet, industrial revolution and the Internet
05:45 The Annex BBS in LAhttps://annex.net/about-us/
05:28 IRChttps://en.wikipedia.org/wiki/Internet_Relay_Chat
06:12 - Arthur C. Clarke - "Any sufficiently advanced technology is indistinguishable from magic."https://lab.cccb.org/en/arthur-c-clarke-any-sufficiently-advanced-technology-is-indistinguishable-from-magic/
07:12 - Iranian refugees, educated folks who spoke 5 languages and had 4 passports
07:49 - Dungeons and Dragonshttps://dnd.wizards.com/
08:05 - Life demands more of us than just having a job
08:16 - Karl Marx, Shakespeare, Julius Caesar, Poetry
08:43 - TI-99 4A and the BASIC language on the Commodore PEThttps://en.wikipedia.org/wiki/TI-99/4Ahttps://en.wikipedia.org/wiki/BASIChttps://en.wikipedia.org/wiki/Commodore_PET
09:02 - Earthlinkhttps://www.encyclopedia.com/economics/encyclopedias-almanacs-transcripts-and-maps/earthlink-inc#:~:text=Earthlink%20Network%20was%20founded%20in,would%20be%20providing%20customer%20service.
09:24 - Tech Writing and List Making
09:41 - Running a SOC for Citi
10:20 - Jack of all trades and the value of curiosity and love, surprises and exploration
11:04 - There is no one cybersecurity - we don't even know what it is yet
11:40 - Cyber as nascent field with great opportunity to leverage other disciplines
13:02 - TOGAF and the CIO's organization and functions and the CISO reporting into the CIOhttps://en.wikipedia.org/wiki/The_Open_Group_Architecture_Framework
14:02 - Nobody knows what a CISO does
14:39 - We can't have it both ways - to have a seat at the table we must own risk and have accountability.  Authority can't exist without accountability.
15:13 - Do CISOs know how to buy stuff?  Lack of budgeting process.
15:45 - Eff around and find out - security incidents - order out of chaos - crisis management
16:34 - Pen testing as games (game theory):https://en.wikipedia.org/wiki/Game_theory
17:11 - The influence of playing music
18:48 - Wagner's invention of instrumentshttps://www.californiasymphony.org/2018-19-season/epic-bruckner/whats-a-wagner-tuba/
19:12 - The influence of getting sober
19:30 - Chuck Anderson - Best guitar teacher on the planet?https://truefire.com/educators/chuck-anderson/e4187
19:45 - Dissonance and consonance; inverse ratio between complexity and power
20:17 - Entrepreneurial spirit in the music business and an illegal booking company
20:48 - Everything applies everywhere; metaphor and the origins of ideas
21:21 - Marx and Engels - revolutions get stuff done
21:43 - Rothko's artwork compared to The Ramoneshttps://en.wikipedia.org/wiki/Mark_Rothko#:~:text=Mark%20Rothko%20(%2F%CB%88r%C9%92,a%20Latvian%2DAmerican%20abstract%20painter.
22:14 - The subconscious produces genius; we are all geniuses
22:51 - The mathematical concept of Aleph-0 and George Cantor as inventor of discrete mathhttps://mathworld.wolfram.com/Aleph-0.html#:~:text=is%20often%20pronounced%20%22aleph%2Dnull,spelled%20%22aleph%2Dnought.%22
23:40 - Wittgenstein's refutation of Cantor despite computing being based on discrete mathhttps://en.wikipedia.org/wiki/Ludwig_Wittgenstein
24:05 - Divine revelation or bipolar disorder?
24:33 - "The Aleph" short story by Jorge Luis Borgeshttps://web.mit.edu/allanmc/www/borgesaleph.pdf
25:13 - "Weaving the Web" by Tim Berners Lee and Borges foreshadowing hyperlinkshttps://www.amazon.com/Weaving-Web-Original-Ultimate-Destiny/dp/006251587X
25:51 - We need heroes - mentoring without heroes is not possible
27:08 - Learning from the masters in cybersecurity; maybe we will be in history books
29:42 - Gaining sobriety, learning to reach out for help - valuable in cybersecurity
31:10 - Raising children; paternalism and cyber careers
32:32 - Edward de Bono - Lateral Thinkinghttps://www.amazon.com/Lateral-Thinking-Creativity-Step/dp/0060903252
33:13 - "Flow" by Mihaly Csikszentmihalyihttps://www.amazon.com/Flow-Psychology-Experience-Perennial-Classics-ebook/dp/B000W94FE6

This episode is jam-packed with wisdom that is delivered at a rapid pace.  Some folks will find themselves rewinding and taking notes.  Luis Valenzuela, Director of Data Loss Prevention and Data Governance at InComm Payments, joins Allan Alford to talk about managing careers - how to manage your own, and, for leaders, how to help your team manage theirs.  Topics include:
- Pivotal career transitions
- Is a plan _really_ required?
- Principles, foundations, and successful behaviors
- Practical steps and resources
- Is the power of envisioning enough?
- Tactical and other tips
 
Y'all enjoy this one, now!

To celebrate the 100th episode, Allan decided to let the audience participate in the show.  21 people called in and answered a wide variety of questions about cybersecurity.  It is a fantastic show and it is very fun to hear all the different perspectives from folks who have just about every role in cybersecurity you can imagine:
00:00:58 - Brent Deterding - What can practioners do to show more love to vendors?00:03:07 - Evgeniy Kharam - How important are soft skills in cybersecurity?00:03:54 - Evgeniy Kharam - What are we doing wrong in cybersecurity?00:05:17 - Andy Ellis - what are we doing right and what are we doing wrong?00:07:15 - Nipun Gupta - What needs to happen to get cybersecurity practitioners to trust cybersecurity vendors?00:10:29 - Brent Forest - What is the value of mentorship in cybersecurity?00:13:48 - Heather Noggle -  How do you get small organizations to take cybersecurity more seriously?00:17:34 - Karla Reffold - What piece of advice would you give somone trying to get into cybersecurity?00:19:16 - Will Lin - Where do you think this whole cybersecurity thing is headed?00:22:37 - Jack Powell - What are we doing in cybersecurity that we should not be doing?00:29:17 - Dutch Schwartz - What is missing in cybersecurity?00:36:13 - Kevin Pope - What is your best piece of advice for those entering the cybersecurity field?00:42:42 - Julian Cohen - How do we prioritize our defenses?00:45:22 - Benjamin Corll - What do you love most about being in cybersecurity?00:47:05 - Special Appearance by Chis Cochran and Ron Eddings of Hacker Valley Media00:50:07 - Chris Patteson - How worried should we be about post-quantum cryptography?00:54:03 - Peter Schawacker - What are we doing right in cybersecurity?01:01:45 - Adrian Sanabria - What is it we are not doign in cybersecurity that we should be doing?01:08:38 - Chris Foulon - Where is this whole cybersecurity thing headed?01:13:52 - Claude Mandy - What are we getting wrong in cybersecurity?01:18:25 - Gary Hayslip - What is the trend towards a data-centric security model?01:26:17 - Kirsten Davies - What is going to change with threat intelligence in 2023?01:30:58 - Special Appearnce by Dr. Ursula Alford (Allan's wife)