The Cyber Ranch Podcast
Ride the cyber trails with one CISO (Allan Alford) and a diverse group of friends and experts who bring a human perspective to cybersecurity.
Episodes
![Technical Case vs. Business Case with Omkhar Arasaratnam](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Mar 01, 2023
Technical Case vs. Business Case with Omkhar Arasaratnam
In this episode, Allan is joined by Omkhar Arasaratnam, a force in the industry and an expert in the intersection of software and security (you may remember Omkhar from an earlier show about supply chain security).
They challenge each other to a game, "Technical Case vs. Business Case", where they must provide both arguments for a given technology deployment. The real subtext here is that whenever these two get together, they always lean towards a technical conversation, so they are challenging themselves.
Topics Covered:
MFA
Service Accounts
Refresh Cycles
Token Expiration
Recovery Emails
Regulatory Mandates
Biometrics
SBOM
It's a lively conversation and we hope you will find value in it!
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs. Find out more at https://trustmapp.com
![The Implications of ChatGPT and AI with Shaun Marion and ChatGPT](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Feb 22, 2023
The Implications of ChatGPT and AI with Shaun Marion and ChatGPT
Join Allan, Shaun Marion (CISO of McDonald's) and ChatGPT itself for a lively conversation about the implications of this new tool, AI in general, and nuances about ChatGPT's usage.
Even after controls were put into place to prevent ChatGPT from helping the bad guys, Allan and Shaun were able to trick it into giving up details on hacking, authoring phishing emails and more.
Shaun and Allan explore the potential for abuse and the positive promise and excitement that this new era of AI is ushering in.
What are the societal implications of ChatGPT?
What are the positive advances of AI?
Should we be cautious with what we feed ChatGPT?
Hear answers to these questions and more on this week's lively episode.
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs. Find out more at https://trustmapp.com
![Breach Communications with Heather Noggle](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Feb 15, 2023
Breach Communications with Heather Noggle
How important are communications after your company has been breached? They can make or break customer perception, and the perception of the world. Bad communications are perceived as bad intent.
Joining Allan this week is Heather Noggle, owner of Codistac - a company that specializes in cyber communications, advocacy and awareness. She studied communications in college, and takes this stuff very seriously.
The pair cover the LastPass, Okta and Reddit breaches, comparing the bad to the good.
Topics covered:
Poor editing of communications
Willful non-communication
Obfuscation
Apologies
Letting the lawyers have their say - but not the last say
The balance between speed and accuracy
It's a great conversation and a great show.
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs. Find out more at https://trustmapp.com
![BISO Bonanza with Ann Hines, James Binford and Matt Winkeler](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Feb 08, 2023
BISO Bonanza with Ann Hines, James Binford and Matt Winkeler
Do you want to be a CISO one day? Are you a CISO today who wants to strengthen your ties into the rest of the business? The Business Information Security Officer (BISO) role is one you should explore.
The role can vary quite a bit, as you will hear on this episode with not one, not two, but three BISOs joining Allan Alford to discuss the role and its nuances: where it fits, what is required, how it is best positioned and managed.
Allan has been a BISO himself and has managed BISOs as well, so the conversation is rapid and productive.
Join Allan along with Ann Hines (BISO @ USAA), James Binford (BISO @ Humana) and Matt Winkeler (BISO @ Equifax) as they explore the BISO role.
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs. Find out more at https://trustmapp.com
![Developing and Fostering Good Leadership with Joey Rachid and Scott Moser](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Feb 01, 2023
Developing and Fostering Good Leadership with Joey Rachid and Scott Moser
Joining Allan today are two folks who are passionate about leadership – not just practicing good leadership, but instilling good leadership in future generations. Joey Rachid is CISO in the ecommerce and financial services industry, is on advisory boards, has worked for the Big Four, and more importantly is a former US Marine (although all the Marines will tell you there is no such thing as a former Marine!)
Scott Moser is SVP and CISO at Sabre Corporation, has also been a CISO for Caesar’s (the gaming and hospitality company), and has held some very interesting military roles of his own. In a joint branches capacity, Scott has been a CIO in Alaska. For the US Air Force, Scott has been a Commander and an IT Director, all over the world. He has also worked for the Joint Staff in Washington, DC as a branch chief.
These two gentlemen speak about leadership holistically - how to exhibit excellent leadership yourself, how to train for good leadership, and how to foster it in others.
Sponsor Links:
Thank you to our sponsor TrustMAPP for bringing this episode to life! The TrustMAPP solution gets you out of spreadsheets and slide decks and into managing, measuring and reporting on your cybersecurity with an all-in-one solution that combines cybersecurity frameworks, maturity, risk and business objectives and cross-references them to remediation costs. Find out more at https://trustmapp.com
![Are We Protecting People, Data, or Business? with Nipun Gupta](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Jan 25, 2023
Are We Protecting People, Data, or Business? with Nipun Gupta
This week Allan is joined by Nipun Gupta, an industry veteran who has been a consultant, practitioner, vendor, advisor and investor.
The topic is "What are we really protecting in cyber?" and the nuances of that question are explored in depth - as well as the interrelationships.
Is "protect the business" a guardrail statement while "protect data and people" is the mission?
How do we tie protecting people to protecting the business? For the people? For the business?
How do we map data to the business mission?
How far do we go to protect data?
What about this new DevOps, application-centric world?
Enjoy this conversation! It's a lively one.
![Influences from Outside of Cybersecurity with Peter Schawacker](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Jan 18, 2023
Influences from Outside of Cybersecurity with Peter Schawacker
This week, Allan is joined by Peter Schawacker, CEO @ Nearshore Cyber, former CISO, advisor to MSPs, etc. Another one of Allan's illustrious guests with 25 years in cyber. (https://www.linkedin.com/in/schawacker/). The topic started as all that the two have learned outside of cybersecurity that has helped them in cyber. But it gets way more esoteric than that, and quickly. Detailed show notes and links are provided below because this show is all over the place!
02:11 - Point MOOt, Texas: MOO-based virtual city with virtual economy, virtual stock market, various political models of governance and high preponderance of highly interactive bots used for practical and administrative purposes. http://linguafranca.mirror.theinfo.org/9405/moo.html https://archive.nytimes.com/www.nytimes.com/books/first/l/leonard-bots.html
04:49 - A fast tour of the age of the universe, Planet Earth, and humans' presence on the planet, industrial revolution and the Internet
05:45 - The Annex BBS in LA https://annex.net/about-us/
05:28 - IRC https://en.wikipedia.org/wiki/Internet_Relay_Chat
06:12 - Arthur C. Clarke - "Any sufficiently advanced technology is indistinguishable from magic." https://lab.cccb.org/en/arthur-c-clarke-any-sufficiently-advanced-technology-is-indistinguishable-from-magic/
07:12 - Iranian refugees, educated folks who spoke 5 languages and had 4 passports
07:49 - Dungeons and Dragons https://dnd.wizards.com/
08:05 - Life demands more of us than just having a job
08:16 - Karl Marx, Shakespeare, Julius Caesar, Poetry
08:43 - TI-99 4A and the BASIC language on the Commodore PET https://en.wikipedia.org/wiki/TI-99/4A https://en.wikipedia.org/wiki/BASIC https://en.wikipedia.org/wiki/Commodore_PET
09:02 - Earthlink https://www.encyclopedia.com/economics/encyclopedias-almanacs-transcripts-and-maps/earthlink-inc#:~:text=Earthlink%20Network%20was%20founded%20in,would%20be%20providing%20customer%20service.
09:24 - Tech Writing and List Making
09:41 - Running a SOC for Citi
10:20 - Jack of all trades and the value of curiosity and love, surprises and exploration
11:04 - There is no one cybersecurity - we don't even know what it is yet
11:40 - Cyber as nascent field with great opportunity to leverage other disciplines
13:02 - TOGAF and the CIO's organization and functions and the CISO reporting into the CIO https://en.wikipedia.org/wiki/The_Open_Group_Architecture_Framework
14:02 - Nobody knows what a CISO does
14:39 - We can't have it both ways - to have a seat at the table we must own risk and have accountability. Authority can't exist without accountability.
15:13 - Do CISOs know how to buy stuff? Lack of budgeting process.
15:45 - Eff around and find out - security incidents - order out of chaos - crisis management
16:34 - Pen testing as games (game theory): https://en.wikipedia.org/wiki/Game_theory
17:11 - The influence of playing music
18:48 - Wagner's invention of instruments https://www.californiasymphony.org/2018-19-season/epic-bruckner/whats-a-wagner-tuba/
19:12 - The influence of getting sober
19:30 - Chuck Anderson - Best guitar teacher on the planet? https://truefire.com/educators/chuck-anderson/e4187
19:45 - Dissonance and consonance; inverse ratio between complexity and power
20:17 - Entrepreneurial spirit in the music business and an illegal booking company
20:48 - Everything applies everywhere; metaphor and the origins of ideas
21:21 - Marx and Engels - revolutions get stuff done
21:43 - Rothko's artwork compared to The Ramones https://en.wikipedia.org/wiki/Mark_Rothko#:~:text=Mark%20Rothko%20(%2F%CB%88r%C9%92,a%20Latvian%2DAmerican%20abstract%20painter.
22:14 - The subconscious produces genius; we are all geniuses
22:51 - The mathematical concept of Aleph-0 and Georg Cantor as inventor of discrete math https://mathworld.wolfram.com/Aleph-0.html#:~:text=is%20often%20pronounced%20%22aleph%2Dnull,spelled%20%22aleph%2Dnought.%22
23:40 - Wittgenstein's refutation of Cantor despite computing being based on discrete math https://en.wikipedia.org/wiki/Ludwig_Wittgenstein
24:05 - Divine revelation or bipolar disorder?
24:33 - "The Aleph" short story by Jorge Luis Borges https://web.mit.edu/allanmc/www/borgesaleph.pdf
25:13 - "Weaving the Web" by Tim Berners Lee and Borges foreshadowing hyperlinks https://www.amazon.com/Weaving-Web-Original-Ultimate-Destiny/dp/006251587X
25:51 - We need heroes - mentoring without heroes is not possible
27:08 - Learning from the masters in cybersecurity; maybe we will be in history books
29:42 - Gaining sobriety, learning to reach out for help - valuable in cybersecurity
31:10 - Raising children; paternalism and cyber careers
32:32 - Edward de Bono - Lateral Thinking https://www.amazon.com/Lateral-Thinking-Creativity-Step/dp/0060903252
33:13 - "Flow" by Mihaly Csikszentmihalyi https://www.amazon.com/Flow-Psychology-Experience-Perennial-Classics-ebook/dp/B000W94FE6
![Managing Careers with Luis Valenzuela](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Jan 11, 2023
Managing Careers with Luis Valenzuela
This episode is jam-packed with wisdom that is delivered at a rapid pace. Some folks will find themselves rewinding and taking notes. Luis Valenzuela, Director of Data Loss Prevention and Data Governance at InComm Payments, joins Allan Alford to talk about managing careers - how to manage your own, and, for leaders, how to help your team manage theirs. Topics include:
- Pivotal career transitions
- Is a plan _really_ required?
- Principles, foundations, and successful behaviors
- Practical steps and resources
- Is the power of envisioning enough?
- Tactical and other tips
Y'all enjoy this one, now!
![100th Episode Call-In Special with 21 Guests!](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Jan 04, 2023
100th Episode Call-In Special with 21 Guests!
To celebrate the 100th episode, Allan decided to let the audience participate in the show. 21 people called in and answered a wide variety of questions about cybersecurity. It is a fantastic show and it is very fun to hear all the different perspectives from folks who have just about every role in cybersecurity you can imagine:
00:00:58 - Brent Deterding - What can practitioners do to show more love to vendors?
00:03:07 - Evgeniy Kharam - How important are soft skills in cybersecurity?
00:03:54 - Evgeniy Kharam - What are we doing wrong in cybersecurity?
00:05:17 - Andy Ellis - What are we doing right and what are we doing wrong?
00:07:15 - Nipun Gupta - What needs to happen to get cybersecurity practitioners to trust cybersecurity vendors?
00:10:29 - Brent Forest - What is the value of mentorship in cybersecurity?
00:13:48 - Heather Noggle - How do you get small organizations to take cybersecurity more seriously?
00:17:34 - Karla Reffold - What piece of advice would you give someone trying to get into cybersecurity?
00:19:16 - Will Lin - Where do you think this whole cybersecurity thing is headed?
00:22:37 - Jack Powell - What are we doing in cybersecurity that we should not be doing?
00:29:17 - Dutch Schwartz - What is missing in cybersecurity?
00:36:13 - Kevin Pope - What is your best piece of advice for those entering the cybersecurity field?
00:42:42 - Julian Cohen - How do we prioritize our defenses?
00:45:22 - Benjamin Corll - What do you love most about being in cybersecurity?
00:47:05 - Special Appearance by Chris Cochran and Ron Eddings of Hacker Valley Media
00:50:07 - Chris Patteson - How worried should we be about post-quantum cryptography?
00:54:03 - Peter Schawacker - What are we doing right in cybersecurity?
01:01:45 - Adrian Sanabria - What is it we are not doing in cybersecurity that we should be doing?
01:08:38 - Chris Foulon - Where is this whole cybersecurity thing headed?
01:13:52 - Claude Mandy - What are we getting wrong in cybersecurity?
01:18:25 - Gary Hayslip - What is the trend towards a data-centric security model?
01:26:17 - Kirsten Davies - What is going to change with threat intelligence in 2023?
01:30:58 - Special Appearance by Dr. Ursula Alford (Allan's wife)
![Can We Even Measure Risk? with Andy Ellis and Chris Roberts - EXPLICIT](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Dec 14, 2022
Can We Even Measure Risk? with Andy Ellis and Chris Roberts - EXPLICIT
This is another "'E' for explicit" show as this one is another LIVE! show from the CISO XC conference in Dallas-Fort Worth. Why the 'E'? Because halfway through Allan Alford's conversation with Andy Ellis (CISO at Orca, Operating Partner at YL Ventures, former CISO at Akamai), Chris Roberts (CISO at Boom Supersonic) joins the stage with some fine whisky and his own clever takes on measuring risk.
Join Allan, Andy, and Chris as they deconstruct risk, extolling its virtues, and hopefully change the way you think about risk altogether. Is likelihood times impact valid? Is the 5x5 grid valid? What is plausibility vs. probability? Find out on this great LIVE! episode!
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
![Is It Even Our Job to Make Them Care About Cybersecurity? with Yaron Levi](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Dec 07, 2022
Is It Even Our Job to Make Them Care About Cybersecurity? with Yaron Levi
In this episode, Allan Alford plays Devil's advocate - challenging the practitioner community to refute the idea that we should quit trying to make the organization care and simply make suggestions and accept the organization's level of risk tolerance.
Allan posted this topic on LinkedIn and it created quite a buzz. The show features quotes from Simon Goldsmith, Kevin Pope, Malcolm Harkins, and others.
Listen to hear a deconstruction of this position, and hear some great arguments both for and against it. We'll give away the ending - the argument is ultimately refuted - but it is a great thought exercise and a wonderful journey getting to that conclusion. Hint: The show's ending is more apt than ever: "Y'all be good now!"
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
![Building Cybersecurity Community with Scott Schindler](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Nov 30, 2022
Building Cybersecurity Community with Scott Schindler
Scott Schindler, veteran CISO, vCISO, and adjunct professor joins Allan at the ranch to talk about how to build, strengthen, participate in, contribute to and benefit from a cybersecurity community. Allan chose Scott for this show because of his incredible community focus and the high level of participation and engagement he demonstrates in his own career.
How can we, as privacy and security professionals, overcome our paranoia in order to build community?
How do we, as new members of cybersecurity, break into the community?
How do I start a local community?
How do we welcome others?
What is wrong with the cybersecurity community today that we need to fix?
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
![Geopolitics, APTs and Cybersecurity with Dan Holden](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Nov 16, 2022
Geopolitics, APTs and Cybersecurity with Dan Holden
Dan Holden, a 20+ year industry veteran, former vendor, and current CISO at Big Commerce joins Allan Alford at the ranch to talk about the BIG picture. Join them on this wild trail ride that goes as far back as the Monroe Doctrine of 1823, the precursors to WWI, Reagan-era cyber doctrine, cyber and modern warfare, lessons learned from the COVID economy (hint: GDP is now part of critical infrastructure), famous APT heists, modern global imperialism... This show ties these threads together into a forward-looking vision for cybersecurity that includes shifts in global prioritization of cybersecurity, federal regulations, and changes to the VC investment landscape. Saddle up and get ready for a wild ride!
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
![3 Very Practical Tips with Duane Gran](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Nov 09, 2022
3 Very Practical Tips with Duane Gran
This week Allan Alford is joined by Duane Gran, Director of Information Security at Converge Technology Solutions to discuss three different aspects of the CISO craft -- and to offer practical, concrete guidance on how to achieve the right outcomes:
Eliminating the culture of "No!"
Managing Third-Party Risk
Building a "No Blame" Culture
The common thread behind all of these themes is relationship building and goodwill - but the details are well worth the listen!
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
![Should the CISO...? with Andy Bennett](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Nov 02, 2022
Should the CISO...? with Andy Bennett
In this week's show, Allan and his guest Andy Bennett (a very clever CISO with a heck of a pedigree) decide to tackle some thought exercises with a series of questions that all start with "Should the CISO...?"
Should the CISO be the one to decide whether to report breaches?
Should the CISO own the SOC?
Should the CISO report to the CIO?
Should the CISO have an MBA?
Should the CISO be mentoring individual contributors in their team?
Should the CISO be sharing the political realities of “upstairs”?
Should the CISO own Identity?
Enjoy this fantastic conversation that goes to a lot of surprising places!
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
![Tired Topics in Cybersecurity - Part Two with Michael Santarcangelo and Rich Mason](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Oct 26, 2022
Tired Topics in Cybersecurity - Part Two with Michael Santarcangelo and Rich Mason
Once again, Allan, Rich, and Michael dissect topics in our community that are, well, tired. Topics are brought up to spur online debate, but for which a conclusion is never reached. Topics that bifurcate our community without moving our industry forward. Topics that cause us to overly rotate on the wrong areas.
In this show we address:
Defining terms: zero trust, ML, AI, hacker vs. cracker, cybersecurity vs information security
How to pronounce "CISO"
Work from home vs coming to the office
Do we deserve a seat at the table or is it earned?
Hopefully, these three are stepping beyond the tired answers to these topics and are raising the bar on how we should approach the information security profession. You be the judge...
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
![Tired Topics in Cybersecurity - Part One with Rich Mason and Michael Santarcangelo](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Oct 19, 2022
Tired Topics in Cybersecurity - Part One with Rich Mason and Michael Santarcangelo
We have all seen the conversations on LinkedIn where someone starts with a hotly debated topic, and the debate goes on and on, nothing is concluded, and then the next week, someone else posts the same topic and starts the gerbil wheel spinning again. We have seen this phenomenon with common complaints too. These are, in short, tired conversations.
Join Allan Alford, Rich Mason, and Michael Santarcangelo as they rope in some of these tired topics and propose alternative ways of looking at them.
This one runs a bit longer than usual because the conversation is that good. Also, there are a few naughty words...
In this Part One episode they offer some alternative takes on the following tired topics:
Who should the CISO report to?
Users as the weakest link
Talent Shortage
CISO Burnout
Imposter Syndrome
Awards Marketing
Bad Vendor Behavior
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
![One Tool to Rule Them All with Derly Gutierrez](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Oct 12, 2022
One Tool to Rule Them All with Derly Gutierrez
CISOs and other security executives have relied on spreadsheets to perform a great deal of the management functions of their programs. What if there was a better way? Derly Gutierrez is back on the ranch for a third time now to discuss his alternative - the humble ticketing system. It might seem obvious in some cases, but Derly has pushed the use cases far beyond what you might imagine. Topics Derly and Allan cover include:
Risk Management Lifecycle
Vendor Management Lifecycle
Personnel Onboarding/Offboarding (Joiners, Movers, Leavers)
Data Governance Lifecycle
SOC2 Audits
Internal Audits
UI Considerations
Organizational Familiarity with the Tool
Automation & Integration
In this short but sweet episode, a lot of very practical tips are addressed. Y'all be good now!
Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
![Cybersecurity Myths & Misconceptions with Josiah Dykstra](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Oct 05, 2022
Cybersecurity Myths & Misconceptions with Josiah Dykstra
Josiah Dykstra, Cybersecurity Technical Fellow at the NSA and Author, kicks up the dust off some previous topics discussed on the Ranch and deepens the conversation on cybersecurity myths and behavioral economics. Prior to the release of his latest book, Cybersecurity Myths and Misconceptions, Josiah breaks down some biases, fallacies, myths, and magical thinking that cybersecurity practitioners fall victim to. Josiah taps into cyber’s psyche and exposes the errors behind practitioners playing make-believe.
Timecoded Guide:
[00:00] Researching cybersecurity psychology & other exciting industry mashups
[09:22] Security logical fallacies: straw man, gambler’s, & ad hominem
[15:19] Cyber cognitive biases: confirmation, omission, and zero risk bias
[19:24] Perverse incentives & cobra effect: security vendors, bug bounties, & cyber insurance
[25:55] Creating an accurate measure of how secure we really are
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life! The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
In the context of cybersecurity, what are some examples of magical thinking?
Magical thinking, or the belief that thoughts can influence the material world, appears alongside the most common assumptions in cyber, according to Josiah. Recognizing the harmful practice of cyber practitioners blaming users for bad decisions, Josiah uncovered that many security pros believe the user will make the right choice without any additional training. Unfortunately, this magical thinking only leads to users being unprepared and uneducated.
“We assume users will pick good passwords without providing them education. We can't just think in our heads that things will go right, that never happens. We need to make careful decisions, whether it’s how we configure systems, or develop software, or conduct training.”
Can you walk us through common fallacies in cybersecurity, like the gambler's fallacy?
While the straw man fallacy and ad hominem are often easy to identify in the cyber industry, Josiah explains that the gambler’s fallacy is just as pervasive and detrimental. The gambler’s fallacy involves seeing trends and “hidden” meanings in independent events. Most often, in security, cyber practitioners will believe a breach won’t happen if a company recently had a breach, even though these breaches would have nothing to do with each other.
“Imagine you’re flipping a fair coin, like a penny, and you get heads, heads, heads. Your brain starts to see an error, like, ‘I'm due for tails, if I had so many heads in a row.’ The fact is, the penny doesn't care about the last flip. These are all independent events.”
What about common cyber biases, such as zero risk, confirmation, and omission bias?
The cyber industry is rife with biases. In fact, over 180 cognitive biases exist. Josiah’s book tackles a select few that appear time and time again, including zero-risk bias. Zero-risk bias is extremely common in cybersecurity. Security is about risk: understanding it, preventing it, and reacting to it. Many cyber companies will put all their eggs in one expensive basket, such as encryption, believing that this will create the impossible scenario of them having “zero” risk.
“We talk in the book a little bit about how you can never get risk to zero, right? Cybersecurity is always about risk management. There is somewhere between more than zero and less than 100% chance that your computer will get infected today.”
“The goal of a security vendor is to keep you secure.” Why is that a misconception?
Just like biases and fallacies, cybersecurity misconceptions can be costly mindset mistakes that lead to easily preventable errors. Josiah wants us to consider that security vendors are not altruistic, they’re running a business and making a sale. While many vendors have a goal to keep customers secure, that will not be the only goal they have. Josiah recommends taking precautions and never assuming the vendor will always put security first.
“The goal of any business is to make money. That's why that business exists. You could argue with me that it isn't an ‘either or.’ They can make money and we can be secured, we can have both, but that's an ideal world. I think, in reality, it's a little bit bumpier than that.”
----------
Links:
Learn more about Josiah Dykstra on his LinkedIn and his website
Check out Josiah’s book, Cybersecurity Myths and Misconceptions: Avoiding the Hazards and Pitfalls That Derail Us
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
![Entrepreneurship After the Golden Handcuffs with Christian Espinosa](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Sep 28, 2022
Entrepreneurship After the Golden Handcuffs with Christian Espinosa
Christian Espinosa, Author, Speaker, and CEO, comes down to the Ranch to talk about the journey of starting, growing, selling, and moving on from the business he created, Alpine Security. From correcting the problems with his high IQ staff to unshackling himself from the golden handcuffs of a business sale, Christian breaks down the specific conflicts he faced on his entrepreneurial journey— and reveals how these experiences have inspired two books about cybersecurity, business ownership, and life itself.
Timecoded Guide:
[00:00] Finding business coherency in the one-page strategic plan
[08:39] Selling Alpine Security & transitioning from leader to participant
[13:46] Escaping the golden handcuffs & embarking on a new career journey
[17:35] Outlining seven steps to emotional intelligence in cyber with his first book
[20:34] Embarking on appreciation of life’s little moments with book number two
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
What were the challenges in growing the business you started, and how did you overcome those?
Christian’s inspiration for Alpine Security, his first business, was actually the stress of a conflicted relationship with a CEO he worked with. Feeling misaligned with the company he worked for, Christian left and began his journey towards entrepreneurship, thinking that his work ethic and willingness to do it all would lead to his success. Instead, refusing to delegate and lack of focus on leadership created conflicts between himself and his employees.
“I had to get over myself. Initially, I thought I’d do everything. I thought I could brute force this and make this work. I just tried to do it all myself. If my staff was having problems with something, I would jump in and help, but there's only so many hours in the day.”
Was your intention to sell your business from the beginning? What was the process of selling like?
Although he advises every entrepreneur to have an exit strategy, Christian admits he didn’t initially create one with Alpine Security. After agreeing to a deal with Cerberus, Christian learned the hard way that the process of a business sale can be like a pair of golden handcuffs. Struggling with a lack of control and feeling constantly under scrutiny, Christian eventually left Alpine Security and embarked on a new journey in his career.
“In my company, I was in charge of the culture, the core values, the emotional intelligence, the touchpoints, the clients, all of that. Now that I was part of the larger organization, I wasn't in charge of that. I had to approach things differently.”
Can you tell us about your first book and the seven-step process it outlines in cybersecurity?
Major struggles during Alpine Security’s founding were due to a lack of emotional intelligence and people skills amongst staff, in Christian’s opinion. These conflicts inspired the 7 steps of emotional intelligence for cybersecurity practitioners that Christian outlines in his first book, The Smartest Person in the Room. These steps include: awareness, mindset, acknowledgement, communication, mono-tasking, empathy, and Kaizen (continuous improvement).
“My first book is really about all the challenges I had in the company I started. 99% of the challenges I had were because of my staff, who were super bright, super high IQ penetration testers that didn't have emotional intelligence or people skills.”
What are you going to do with your new book? Is that also cybersecurity related?
In contrast to his first book, which focused solely on cybersecurity professionals and the struggles they face with people skills in the workplace, Christian’s second book dives deeper into mindset. Focusing more on the value of life and the ideas around mono-tasking, Christian inspires his readers to care more about the micro moments. This second book is all about slowing down, seeing what’s happening around you, and seriously absorbing the information we take in every day— from the big moments to the little moments and everything in between.
“I think a lot of us go through this zombie state in life, going from one thing to the next thing, and we're distracted with our phones and everything else. We're missing a lot of things that are right in front of us.”
----------
Links:
Learn more about Christian Espinosa on his LinkedIn, Twitter, and website
Check out Christian’s book, The Smartest Person in the Room: The Root Cause & New Solutions for Cybersecurity
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
![How APIs Expose Business Logic Flaws with Chuck Herrin](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Sep 21, 2022
How APIs Expose Business Logic Flaws with Chuck Herrin
Chuck Herrin, CTO at Wib, came down to the Ranch to explain the risks and threats currently facing APIs, or application programming interfaces. Simply put, APIs facilitate people and applications in communicating with other applications, but Chuck sees the lack of protocols, regulations, and security plans laid out for these APIs as a massive security threat. Breaking down the process using an API hack he performed as an example, Chuck talks about what the state of API security is and where it needs to be headed.
Timecoded Guide:
[00:00] Bringing a background in finance into the cybersecurity API world
[05:25] "Hacking" a bank’s API using business logic instead of hacking
[12:17] Implementing standard API protocols and processes
[14:27] Flipping the API language and preparing injection threats
[19:03] Evolving defenses over time to meet both new needs and new risks
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
What does your current role look like and how does it relate to API security?
Chuck began his career in tech and security in the banking industry, and felt particularly concerned over time with the lack of security around APIs and related technology. Now, with his CTO position at Wib, Chuck works with Wib to focus on providing continuous visibility into API attack surfaces. Outside of just the newness and the tech of APIs, Chuck explains that there are critical infrastructure and national security ramifications for API security.
“The basic premise is: If you could do it differently, knowing what you know now, what would you build in an API security platform? What I'm bringing to the table is 20 years as a defender in US financial services, where I know what we need from a governance perspective.”
Akamai recently ran a study of internet traffic. What were their findings about APIs?
As someone well researched in his work with APIs, Chuck pays close attention to recent studies, like one from Akamai that recently claimed that 91% of their global internet traffic is API traffic. Chuck explains that this is a huge development in the popularity and impact of APIs on global security, especially when relating it to a separate study that estimates 50% of APIs are actually unmanaged. Although this stat seems shocking, many in the industry believe even that estimate is low, and the issue might be even worse than studies are showing.
“91% of the traffic that Akamai handles is API traffic. So, 91% of global internet traffic is API traffic. Another stat which is a little harder to prove estimates that roughly 50% of APIs are completely unmanaged.”
You actually performed a hack live on an API, but it wasn't even a hack at all. Can you tell me that story?
At the most recent Black Hat, Chuck dissected and presented a few case studies, one of which was a bank’s API, hacked using a logic-based attack. Using the errors in business logic present within the banking API, Chuck’s team was able to bypass the front-end system and transfer fees, managing to convert money into more valuable currency over and over again. The wildest part, to both Chuck and to presentation attendees, was that this didn’t require tech hacking, it only required exploiting business logic.
“We didn't tear apart the mobile app and find the stored credentials, the API keys, which are probably in there. We didn't crack any passwords. We just abused the logic, and it responded in the way it was designed and here we are.”
If we can’t anticipate every possible business logic flaw or abuse case, how can we reduce the impact and blast radius of API threats?
Reducing the impact of API security threats feels daunting, but Chuck explains that security has to go back to the basics in order to identify and acknowledge what has to change over time. You can't protect what you can't see and our teams have to evolve over time to defend against the changing attackers we might end up facing with APIs. When push comes to shove, Chuck firmly believes in having a defense strongly informed by the offenses and threats around you.
“This was cloud security 10 years ago, and it's API security today, right? History doesn't repeat, but it rhymes. It's the same basics and same fundamentals. Now, you need to change tooling. The attackers evolve over time, and your defenses have to evolve over time.”
----------
Links:
Learn more about Chuck Herrin on LinkedIn and the Wib website
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
![What Is (And Isn’t) a CISO with Matthew Lang](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Sep 14, 2022
What Is (And Isn’t) a CISO with Matthew Lang
Matthew Lang, former CISO at SECU, former CISO of 3D Systems, and former Chief Petty Officer in the US Navy, comes on down to the Ranch to talk about what it really means to be a CISO. Many folks wear the title of CISO, but the role itself is still often considered a confusing mixed bag when talking about what it entails and who should have this role. Matthew walks through what a CISO is, what a CISO isn’t, and where the bridges between the CISO role and other roles in the company should be.
Timecoded Guide:
[00:00] Defining what a CISO isn’t in order to discover what a CISO is
[06:45] Finding the bridges between CISO & other company roles
[12:12] Getting things clear between CISO, COO, CIO, and CEO
[16:20] Understanding a CISO’s peers & meeting with security points of contact
[24:49] What the CISO role should be & solidifying the CISO definition
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
What is the CISO not?
The role of CISO, or Chief Information Security Officer, is nuanced and occasionally complicated to define. However, in Matthew’s opinion, the things that a CISO absolutely is not are (1) a BISO, or Business Information Security Officer, and on the other hand, (2) someone with no experience in information security. The strongest CISOs Matthew has come across know how to combine information security experience with an understanding of business, all while being guided by a desire to protect the company and prevent incidents.
“The CISO is a preventer of something bad happening at the organization. You can't prevent every breach, it's never going to happen, but if the CISO is involved, he can possibly prevent a merger or acquisition that is not in the best interest of the company.”
Who should the CISO be interfacing with as we bridge in and out of that defined role?
To be an effective CISO, Matt believes that you have to build strong relationships with individuals in departments like legal and HR. Referring to them as security points of contact, Matthew explains that keeping in touch with these individuals can give the CISO the full scope of the company. Additionally, Matthew says that a CISO should always be friends with the COO, or Chief Operating Officer, because those roles have essential communication between one another.
“If your company is large enough to have a chief operating officer, the CISO and the COO should be the best of friends, because they rely on each other more than they realize.”
How does the Board of Directors shape and influence what the CISO is and isn't?
The Board of Directors’ involvement with a company’s CISO can be just as nuanced as the CISO role itself. Matt explains that the largest gaps between a CISO and the Board they have to report to are due to either a weak board structure or a misunderstanding of security amongst Board members. In Matthew’s experience, being thorough in security explanations with transparency about topics that members may not know helps to bridge the gap and develop a stronger and more positive relationship between the CISO and Board.
“I think, personally, CISOs struggle a lot with their presentations to the Board of Directors, because they don't really know what information the Board wants and the Board won't ask them questions.”
What should be the role of the CISO?
While a large majority of the conversation in this episode is about what a CISO isn’t, Matthew defines what a CISO is using the words “preventer” and “leader.” A CISO should prevent risky behaviors that are not in the best interest of a company, and they lead the cybersecurity division of a company through establishing security and governance practices. Overall, CISOs help a business to meet goals and go where it wants to go safely and effectively, like a good brake system on a high-end car.
“There's a lot of different responsibilities a CISO could have, but I'm gonna say the role is cybersecurity leadership. They should be responsible for establishing the right security and governance type practices, and a framework to scale the business.”
-------------
Links:
Learn more about Matthew Lang’s work with the SECU
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
![Fighting the Increase in Cyber Attacks with Leon Ravenna](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Sep 07, 2022
Fighting the Increase in Cyber Attacks with Leon Ravenna
Leon Ravenna, CISO & CIO at KAR Global and former VP of Security & Compliance at Interactive Intelligence, joins Allan this week to talk about the increases in cybersecurity threats and risks: increases in breadth and depth of various attacks and increases in our own problems in dealing with those attacks. It has implications for all of us, as we have not necessarily seen an increase in the right defensive capabilities to maintain parity. COVID and work-from-home have not helped either...
Questions covered this show:
1. You mentioned firewall attacks, social engineering, HR/interview/job fraud. Of course there is ransomware. What else is on the rise?
2. How much has COVID and work-from-home impacted the landscape?
3. What are the vendors doing wrong about this landscape?
4. What are they doing right?
5. So what are the real solutions to these problems? Let’s break it down, starting with ransomware, my personal favorite.
-Firewall attacks
-HR/Interview/Job Fraud
-Phishing
-Insider Threat (another one possibly impacted by work-from-home and COVID)
-Credential Stuffing
-Zero Day Exploits
-1,000 Day Exploits
6. If everything is on the rise, and if spending in cybersecurity is steadily on the rise (it is a rapidly growing industry), then why aren’t we solving the problems?
7. If you could change any one thing in cybersecurity, what would that thing be?
-------------
Links:
Keep up with Leon Ravenna on LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
![Understanding SEC’s Proposal for Cyber Risk Management with Yaron Levi](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Aug 31, 2022
Understanding SEC’s Proposal for Cyber Risk Management with Yaron Levi
Yaron Levi, current CISO at Dolby and former CISO at Blue Cross Blue Shield in Kansas City, comes down to the Ranch to talk about the March 2022 proposal from the Securities and Exchange Commission (SEC). Titled the Cybersecurity Risk Management Strategy: Governance and Incident Disclosure, this report has huge implications for cybersecurity in any publicly-traded company. Yaron walks through his research into this report and explains what this means in the future for real-world cyber practitioners.
Timecoded Guide:
[00:00] Introducing the Cybersecurity Risk Management Strategy: Governance and Incident Disclosure
[08:45] Explaining filing 8-Ks and 4-day turnaround disclosures
[14:03] Debating the obligations of a third party in an incident (i.e. supply chain)
[16:04] Comparing SEC’s cyber proposal to accounting’s GAAPs
[25:33] Involving the Board of Directors in cyber risk management
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
This is a proposed set of amendments and not a ruling. What does that mean, in terms of the real world?
Although the proposal was initially released in March 2022, Yaron explains these current rulings have been floating around the industry since 2018 and aren’t expected to become solidified until October 2022. In the meantime, many in the industry are curious about what these regulations mean for any and all cyber practitioners. Yaron understands the concerns many have, but also emphasizes that this is a maturity progression for the cyber industry.
“With everything happening around us over the last several years, we see security becoming a higher priority and a higher maturity in many organizations. By and large, organizations understand that security is not a luxury anymore, or something that doesn't apply to them.”
Is this proposal starting to put some real pressure on organizations to not just give lip service to cybersecurity?
Lip service to cyber is an unfortunate commonality among publicly traded companies that want to look safe without putting the effort or expertise into security. Thankfully, Yaron believes this SEC proposal will accomplish a great deal in encouraging companies to develop and mature their cybersecurity teams and protocols. As cyber management roles and board integration become a must, lip service will give way to real strategic change and a better understanding of the impacts and implications of security.
“I think, as we mature as an industry, and as we more and more understand the implications and the impacts of security on everything we do, strategy is something that will be very important for us to have. I would assume that every company will need to have one.”
Is this the right time for people to be excited about if there's gonna be a lot more CISO jobs open up, or if there's gonna be more board seats opening up for CISOs?
Yaron believes this SEC proposal will elevate processes and initiatives already in place to continue to elevate the expertise and opportunities within cyber. While many may see an increase in CISO roles and board opportunities, it's important to note that it is not just about roles and jobs; it’s about cyber’s maturity. Our community, not just in cybersecurity but throughout the world, has become dependent on technology, and it's vital to have individuals leading with maturity and competence to keep these technical processes secure.
“Overall, I think these strategies are a really positive move, in terms of elevating the conversation, educating, providing more expertise, providing more knowledge, which ultimately, all of us will benefit from. All of us, and community and society in general.”
Do you have any closing thoughts or comments on this SEC proposal?
While Yaron breaks down individual elements of the Securities and Exchange Commission proposal with Allan, he understands that the most essential impact of the proposal is the potential it has to elevate the industry. Maturity and legitimacy are desperately needed in order to create cybersecurity’s own version of generally accepted practices. In the same way that accounting has GAAP, Yaron hopes this SEC proposal is a sign of the cyber industry growing up, coming into its own, and creating more secure processes in risk assessment.
“These proposals are part of our maturity progression and are part of our growing up as an industry and as a practice. This is something that we have to evolve into. We can probably look at other industries and figure out what we can learn and leverage from them.”
-------------
Links:
Keep up with Yaron Levi on Twitter and LinkedIn
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast
![Ask CISO Allan Alford Anything pt. 2](https://pbcdn1.podbean.com/imglogo/image-logo/11835587/Artboard_1_copy_8_EXCELLENT_ctezqt_300x300.jpg)
Wednesday Aug 24, 2022
Ask CISO Allan Alford Anything pt. 2
Allan Alford, CISO/CTO and host of the Cyber Ranch podcast, resumes his session of AMA, or “ask me anything,” to cover the remaining questions left by curious cybersecurity practitioners on his LinkedIn. Previously, Allan posed two questions: If you could ask a 5-time CISO any question, what would it be? How about a cybersecurity startup CTO? Using the responses he received, Allan continues to walk through every topic under the cybersecurity umbrella and give further insight into what it means to be a CISO.
Timecoded Guide:
[00:00] Avoiding FUD (fear, uncertainty, and doubt) in your next cyber risk discussion
[06:10] Facing stressful ransomware situations without proper preparation
[12:11] Hiring hackers as team members & debating the ethics of black hat hackers
[21:20] Addressing cyber risk in an accessible way for your organization's board
[26:41] Understanding the past, present, & future of cybersecurity insurance
Sponsor Links:
Thank you to our sponsor Axonius for bringing this episode to life!
Manual asset inventory just doesn't cut it anymore. That's where Axonius comes in. Take control of security complexities by uncovering gaps in your organization. Sign up for a free walk-through of the platform at Axonius.com/Get-A-Tour
Are you comfortable turning on the light in a dark room so we can see what we’re really dealing with? [from: Karen Andersen]
There’s a perception (and not a wrong one) that the CISO’s role is to turn on the light in a dark room and show a company what their biggest cybersecurity risks truly are. However true this may be, Allan wants to point out that explaining and socializing team members to the risks has to be done without inspiring FUD. FUD, also known as fear, uncertainty, and doubt, creates panic around the risks an organization faces every day and only succeeds in unnecessarily stressing out practitioners without a solution in sight.
“It’s very important not to fall into the trap of FUD: fear, uncertainty, and doubt. There’s a difference between socializing what’s wrong, and scaring people with what’s wrong. If you’re going to bring up the risks, at least bring up the beginnings of a solution.”
How effective do you think it would be to hire an actual hacker as a team member? [from: Jaden Turner]
With open positions, skills gaps, and labor shortages in cyber, the answer to the industry’s problems might either fall into the category of people outside of the industry or people who were once on the “wrong” side of it. Although Allan has worked with black hats in the past, he explains that hiring former black hat hackers is still a morality question for a lot of C-suite executives. Their work is often highly skillful and impactful, Allan explains, but many still question what it means to hire professionals that have moved from black hat to white hat.
“I think the bad guys probably have honed their skills better than the red team or the white hats, but then, you get into the morality questions. Do I want to support somebody who was once on the wrong side? Do I believe in reform and giving people a second chance?”
What’s the most difficult decision that you’ve had to make as a CISO that was not directly security related? [from: Brad Voris]
As Allan has gone through five different positions now as a CISO, he has seen it all on the cybersecurity side and the business side. While the cybersecurity decisions are stressful and high risk, Allan explains that there are very difficult decisions to make from a business point of view. Sometimes, a CISO has to make a choice to do what’s right for the business, even if that means that budget, personnel, or materials will be taken away from their security team.
“As a CISO, treating the business as a separate entity makes no sense to me. You have to be part of the business and actively accept that part of your role. There are business decisions that I've had to make that were right for the business and wrong for the security side, per se.”
How do you help other board members make sense of the cyber threat landscape? Why is addressing cyber risks crucial to any company? [from: Ulrich Baum]
Although reporting to a board is often an essential responsibility of any CISO's role, Allan explains that making sense of the cyber threat landscape relies on you being flexible, not your board. The board of your company requires a certain level of reporting and often responds best to a specific format. Instead of fearing a change, embrace the current board you have and learn what makes them tick. Addressing cyber risks is crucial to any company, and having the board understand you fully ensures success for your security team.
“There’s a board that was there before you were there, and you need to learn their ways and means. You need to learn what their concepts of risk are and you need to tailor your cyber risks to fit into that model.”
-------------
Links:
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Continue this conversation on our Discord
Listen to more from the Hacker Valley Studio and The Cyber Ranch Podcast